@movevom/9t 0.1.0 → 0.1.1

package/cli-9t/index.mjs

@@ -1,84 +1,1742 @@
-import { readFileSync, writeFileSync, mkdirSync, readdirSync, statSync, rmSync, existsSync } from "fs";
-import { join, resolve, dirname, isAbsolute, sep } from "path";
-import { exec, execFile } from "child_process";
+#!/usr/bin/env node
+import {
+  readFileSync,
+  writeFileSync,
+  mkdirSync,
+  readdirSync,
+  renameSync,
+  statSync,
+  rmSync,
+  existsSync,
+  realpathSync
+} from "fs";
+import { join, resolve, dirname, isAbsolute, sep, basename, extname } from "path";
+import { exec, execFile, spawn } from "child_process";
 import readline from "readline";
 import { homedir } from "os";
 
 const rootDir = resolve(dirname(new URL(import.meta.url).pathname), "..");
 const legacyProviderPath = join(rootDir, "config", "provider.json");
-const workspaceRoot = join(rootDir, "workspace");
+let workspaceRoot = join(rootDir, "workspace");
 
 const toolsMeta = [
   { name: "read", args: "{ path, offset?, limit? }", desc: "读取文件" },
   { name: "edit", args: "{ path, find, replace }", desc: "局部替换" },
   { name: "create", args: '{ path, type?: "file"|"dir", content? }', desc: "创建文件/目录" },
   { name: "delete", args: "{ path }", desc: "删除文件/目录" },
+  { name: "move", args: "{ from, to }", desc: "移动/重命名" },
+  { name: "rename", args: "{ from, to }", desc: "移动/重命名" },
+  { name: "stat", args: "{ path }", desc: "文件信息" },
+  { name: "diff", args: "{ path_a, path_b }", desc: "文本差异" },
+  { name: "patch", args: "{ path, diff }", desc: "应用补丁" },
   { name: "ls", args: "{ path? }", desc: "列目录" },
   { name: "grep", args: "{ pattern, path? }", desc: "搜索内容" },
   { name: "glob", args: "{ pattern, path? }", desc: "按模式匹配文件" },
-  { name: "execute", args: "{ cmd, cwd? }", desc: "执行命令" },
-  { name: "open", args: "{ target }", desc: "打开文件/URL" }
+  { name: "execute", args: "{ cmd, cwd?, timeout_ms?, max_output_chars?, pty? }", desc: "执行命令" },
+  {
+    name: "execute_detached",
+    args: "{ cmd, cwd?, task_id?, log_path, output_path, max_output_chars?, pty? }",
+    desc: "后台执行命令"
+  },
+  {
+    name: "process",
+    args: '{ action: "list"|"poll"|"log"|"send"|"kill"|"remove", session_id?, offset?, limit?, input? }',
+    desc: "进程管理/输出回放"
+  },
+  { name: "wait_process", args: "{ session_id }", desc: "查询后台进程状态" },
+  { name: "read_process_log", args: "{ session_id, offset?, limit? }", desc: "读取进程日志" },
+  { name: "read_process_output", args: "{ session_id?, output_path? }", desc: "读取进程结果文件" },
+  { name: "web_fetch", args: "{ url, extract_mode?, max_chars? }", desc: "抓取网页" },
+  { name: "web_search", args: "{ query, count?, country?, search_lang?, ui_lang?, freshness? }", desc: "网页搜索" },
+  { name: "ask_user", args: "{ question, options? }", desc: "向用户提问" },
+  { name: "browser", args: '{ action: "open", url, output_path }', desc: "浏览器执行" },
+  { name: "open", args: "{ path }", desc: "打开文件" },
+  { name: "open_url", args: "{ url }", desc: "打开URL" },
+  { name: "task_create", args: "{ title, parent_id?, depends_on?, status? }", desc: "创建任务" },
+  {
+    name: "task_update",
+    args: "{ task_id, title?, status?, parent_id?, depends_on?, inputs?, outputs?, last_error? }",
+    desc: "更新任务"
+  },
+  { name: "task_get", args: "{ task_id }", desc: "获取任务" },
+  { name: "task_list", args: "{ status?, parent_id? }", desc: "列出任务" },
+  { name: "task_tree", args: "{ root_id? }", desc: "任务树" },
+  { name: "task_log_list", args: "{ task_id?, limit? }", desc: "任务日志" },
+  { name: "task_replay", args: "{ }", desc: "任务回放" },
+  { name: "todo_list", args: "{ scope?, status? }", desc: "列出待办" },
+  { name: "todo_add", args: "{ text, scope?, source? }", desc: "新增待办" },
+  { name: "todo_start", args: "{ todo_id }", desc: "开始待办" },
+  { name: "todo_done", args: "{ todo_id }", desc: "完成待办" },
+  { name: "todo_patch", args: "{ todo_id, text, scope?, source? }", desc: "创建补丁待办" },
+  { name: "todo_clear", args: "{ scope? }", desc: "清理待办" }
 ];
 
-const systemToolsText = toolsMeta.map((t) => `${t.name}: ${t.args}`).join("\n");
 const helpToolsText = toolsMeta.map((t) => `${t.name} ${t.desc}`).join("；");
 
-const SYSTEM_PROMPT = `你是 9T 工具代理。你只能输出 JSON，不要输出其它文字。
-格式：
-{"tool":"create","args":{...}} 或 {"tools":[{"tool":"create","args":{...}}, ...]} 或 {"final":"..."}
-可用工具与参数：
-${systemToolsText}
-所有 path 必须为相对 workspace 的路径，不要使用绝对路径或 ..`;
+const systemPromptPath = join(rootDir, "prompts", "system", "SYSTEM_PROMPT.md");
+const toolDocPath = join(rootDir, "prompts", "system", "TOOLS.md");
+const taskDocPath = join(rootDir, "prompts", "system", "TASK_MANAGER.md");
+const memoryDocPath = join(rootDir, "prompts", "system", "MEMORY.md");
+const sessionDocPath = join(rootDir, "prompts", "system", "SESSION.md");
+const securityDocPath = join(rootDir, "prompts", "system", "SECURITY.md");
+const auditDocPath = join(rootDir, "prompts", "system", "AUDIT.md");
+const executionDocPath = join(rootDir, "prompts", "system", "EXECUTION.md");
+const sandboxDocPath = join(rootDir, "prompts", "system", "SANDBOX.md");
+
+const getSystemPrompt = () => {
+  const base = readFileSync(systemPromptPath, "utf-8").trim();
+  const indexText = [
+    `1. 9t tool -> ${toolDocPath}`,
+    `2. 9t task manager -> ${taskDocPath}`,
+    `3. 9t memory -> ${memoryDocPath}`,
+    `4. 9t session -> ${sessionDocPath}`,
+    `5. 9t security -> ${securityDocPath}`,
+    `6. 9t audit -> ${auditDocPath}`,
+    `7. 9t execution -> ${executionDocPath}`,
+    `8. 9t sandbox -> ${sandboxDocPath}`
+  ].join("\n");
+  return `${base}\n\n系统内置文档路径索引：\n${indexText}`;
+};
 
 const MAX_STEPS = 8;
+const DEFAULT_EXEC_TIMEOUT_MS = 60_000;
+const MAX_EXEC_TIMEOUT_MS = 10 * 60_000;
+const DEFAULT_EXEC_MAX_OUTPUT_CHARS = 20_000;
+const MAX_EXEC_OUTPUT_CHARS = 200_000;
+const EXEC_MAX_BUFFER_BYTES = 2 * 1024 * 1024;
+const DEFAULT_WEB_FETCH_MAX_CHARS = 50_000;
+const MAX_WEB_FETCH_MAX_CHARS = 200_000;
+const DEFAULT_WEB_FETCH_TIMEOUT_MS = 30_000;
+const DEFAULT_WEB_SEARCH_TIMEOUT_MS = 30_000;
+const DEFAULT_WEB_SEARCH_COUNT = 5;
+const MAX_WEB_SEARCH_COUNT = 10;
+const DEFAULT_LOOP_EVERY_MS = 60_000;
+const DEFAULT_LOOP_MAX_RUNS = 0;
+const DEFAULT_LOOP_MAX_DURATION_MS = 0;
+const DEFAULT_LOOP_MAX_RETRIES = 2;
+const DEFAULT_LOOP_RETRY_DELAY_MS = 5_000;
+const DEFAULT_LOOP_MAX_RETRY_DELAY_MS = 60_000;
+const DEFAULT_LOOP_BACKOFF = "fixed";
+const testPrompt = "使用9T工具创建文件夹 demo ，在其中创建 test.md，内容为：山高月小，水落石出。";
+const toolHelpText = `可用工具与用途：${helpToolsText}`;
+const aboutText =
+  "9T-Movevom 是一个最小可用的 CLI 工具代理，支持可切换模型提供商，通过工具调用完成文件与命令操作。默认工作区为 Movevom/workspace，可通过配置覆盖。";
+const helpText =
+  "可用指令：/help /about /tools /? /exit /keystatus /provider /model /task /tasks /todo。交互用法：进入交互模式后直接输入 /help /tools 等斜杠命令；也可输入 --test 触发测试提示词。命令参数：--interactive/-i --test --key-status --mode strict|allow|open --allow-mode strict|allow|open --roots \"<abs1,abs2>\" --workspace <path> --allow-risk delete,execute,open --allow-risk-ttl-hours <n> --execute-allowlist \"<cmd1,cmd2>\" --open-url-allowlist \"<host1,host2>\" --open-file-allowlist \"<ext1,ext2>\" --deny-file-names \"<name1,name2>\" --deny-file-exts \"<ext1,ext2>\" --deny-dirs \"<abs1,abs2>\" --sandbox off|os|container --loop \"<prompt>\" --schedule-loop \"<prompt>\" --task-loop \"<prompt>\" --daemon-loop \"<prompt>\" --loop-every <ms> --loop-max-runs <n> --loop-max-duration <ms> --loop-retry <n> --loop-retry-delay <ms> --loop-max-retry-delay <ms> --loop-backoff fixed|linear|exponential --loop-stop-on-fail。模式说明：strict 仅 workspace 且风险工具拒绝；allow workspace + allowlist 且风险工具需确认或显式允许；open workspace + allowlist 且风险工具直接执行。/provider 列出可用 provider 与模型并标记当前；/model <provider> [model] 切换 provider（可选覆盖 model）。";
+
+const getConfigDir = () => {
+  const custom = process.env["9T_CONFIG_HOME"];
+  if (custom) return custom;
+  const home = homedir();
+  if (process.platform === "darwin") return join(home, "Library", "Application Support", "9T");
+  if (process.platform === "win32") {
+    const appData = process.env["APPDATA"] || join(home, "AppData", "Roaming");
+    return join(appData, "9T");
+  }
+  return join(process.env["XDG_CONFIG_HOME"] || join(home, ".config"), "9t");
+};
+
+const providerPath = join(getConfigDir(), "provider.json");
+const accessConfigPath = join(getConfigDir(), "config.json");
+const tasksConfigPath = join(getConfigDir(), "tasks.json");
+const tasksLogPath = join(getConfigDir(), "tasks-log.jsonl");
+const sessionLogPath = join(getConfigDir(), "sessions.jsonl");
+const evidenceLogPath = join(getConfigDir(), "evidence-log.jsonl");
+
+const providerPresets = {
+  chatglm: {
+    base_url: "https://open.bigmodel.cn/api/anthropic",
+    model: "glm-5",
+    format: "anthropic",
+    api_key_env: "9T_CHATGLM_API_KEY"
+  },
+  deepseek: {
+    base_url: "https://api.deepseek.com/v1",
+    model: "deepseek-chat",
+    format: "openai",
+    api_key_env: "9T_DEEPSEEK_API_KEY"
+  },
+  kimi: {
+    base_url: "https://api.moonshot.cn/v1",
+    model: "moonshot-v1-8k",
+    format: "openai",
+    api_key_env: "9T_KIMI_API_KEY"
+  },
+  minimax: {
+    base_url: "https://api.minimax.chat/v1",
+    model: "abab6.5s",
+    format: "openai",
+    api_key_env: "9T_MINIMAX_API_KEY"
+  },
+  qwen: {
+    base_url: "https://dashscope.aliyuncs.com/compatible-mode/v1",
+    model: "qwen-plus",
+    format: "openai",
+    api_key_env: "9T_QWEN_API_KEY"
+  },
+  anthropic: {
+    base_url: "https://api.anthropic.com",
+    model: "claude-3-5-sonnet-20241022",
+    format: "anthropic",
+    api_key_env: "9T_ANTHROPIC_API_KEY"
+  },
+  gemini: {
+    base_url: "https://generativelanguage.googleapis.com/v1beta",
+    model: "gemini-1.5-pro",
+    format: "gemini",
+    api_key_env: "9T_GEMINI_API_KEY"
+  },
+  grok: {
+    base_url: "https://api.x.ai/v1",
+    model: "grok-2",
+    format: "openai",
+    api_key_env: "9T_GROK_API_KEY"
+  },
+  openai: {
+    base_url: "https://api.openai.com/v1",
+    model: "gpt-4o-mini",
+    format: "openai",
+    api_key_env: "9T_OPENAI_API_KEY"
+  }
+};
+
+const defaultProviderName = "chatglm";
+const defaultProvider = providerPresets[defaultProviderName];
+
+const normalizeProviderName = (value) => String(value || "").trim().toLowerCase();
+
+const getProviderPreset = (name) => providerPresets[normalizeProviderName(name)] || null;
+
+const listProviderNames = () => Object.keys(providerPresets);
+
+const loadProviderConfig = () => {
+  let rawCfg = {};
+  if (existsSync(providerPath)) {
+    const raw = readFileSync(providerPath, "utf-8");
+    rawCfg = JSON.parse(raw);
+  } else if (existsSync(legacyProviderPath)) {
+    const raw = readFileSync(legacyProviderPath, "utf-8");
+    rawCfg = JSON.parse(raw);
+  }
+  const provider = normalizeProviderName(rawCfg.provider) || defaultProviderName;
+  const preset = getProviderPreset(provider);
+  const base_url = String(rawCfg.base_url || preset?.base_url || defaultProvider.base_url).trim();
+  const model = String(rawCfg.model || preset?.model || defaultProvider.model).trim();
+  const format = String(rawCfg.format || preset?.format || defaultProvider.format || "anthropic").trim();
+  return { provider, base_url, model, format };
+};
+
+const saveProviderConfig = (cfg) => {
+  mkdirSync(dirname(providerPath), { recursive: true });
+  const safe = {
+    provider: normalizeProviderName(cfg.provider),
+    base_url: cfg.base_url,
+    model: cfg.model,
+    format: cfg.format
+  };
+  writeFileSync(providerPath, JSON.stringify(safe, null, 2));
+};
+
+const loadAccessConfig = () => {
+  if (!existsSync(accessConfigPath)) return {};
+  const raw = readFileSync(accessConfigPath, "utf-8");
+  return JSON.parse(raw);
+};
+
+const saveAccessConfig = (patch) => {
+  const current = loadAccessConfig();
+  const merged = { ...current, ...patch };
+  if (current.allow_risk_until || patch.allow_risk_until) {
+    merged.allow_risk_until = {
+      ...(current.allow_risk_until || {}),
+      ...(patch.allow_risk_until || {})
+    };
+  }
+  mkdirSync(dirname(accessConfigPath), { recursive: true });
+  writeFileSync(accessConfigPath, JSON.stringify(merged, null, 2));
+};
+
+const parseCsvList = (value) => {
+  if (!value) return [];
+  if (Array.isArray(value)) {
+    return value.map((v) => String(v).trim()).filter(Boolean);
+  }
+  return String(value)
+    .split(",")
+    .map((v) => v.trim())
+    .filter(Boolean);
+};
+
+const parseNonNegativeInt = (value, fallback) => {
+  if (value === "" || value == null) return fallback;
+  const num = Number.parseInt(String(value), 10);
+  return Number.isFinite(num) && num >= 0 ? num : fallback;
+};
+
+const normalizeLoopBackoff = (value) => {
+  const v = String(value || "").trim().toLowerCase();
+  if (v === "fixed" || v === "linear" || v === "exponential") return v;
+  return "";
+};
+
+const buildLoopOptions = (args, overrides) => {
+  const base = overrides || {};
+  const everyMs = parseNonNegativeInt(getArgValue(args, "--loop-every"), base.everyMs ?? DEFAULT_LOOP_EVERY_MS);
+  const maxRuns = parseNonNegativeInt(getArgValue(args, "--loop-max-runs"), base.maxRuns ?? DEFAULT_LOOP_MAX_RUNS);
+  const maxDurationMs = parseNonNegativeInt(
+    getArgValue(args, "--loop-max-duration"),
+    base.maxDurationMs ?? DEFAULT_LOOP_MAX_DURATION_MS
+  );
+  const maxRetries = parseNonNegativeInt(
+    getArgValue(args, "--loop-retry"),
+    base.maxRetries ?? DEFAULT_LOOP_MAX_RETRIES
+  );
+  const retryDelayMs = parseNonNegativeInt(
+    getArgValue(args, "--loop-retry-delay"),
+    base.retryDelayMs ?? DEFAULT_LOOP_RETRY_DELAY_MS
+  );
+  const maxRetryDelayMs = parseNonNegativeInt(
+    getArgValue(args, "--loop-max-retry-delay"),
+    base.maxRetryDelayMs ?? DEFAULT_LOOP_MAX_RETRY_DELAY_MS
+  );
+  const backoff = normalizeLoopBackoff(getArgValue(args, "--loop-backoff")) || DEFAULT_LOOP_BACKOFF;
+  const stopOnFail = hasFlag(args, "--loop-stop-on-fail");
+  return {
+    everyMs,
+    maxRuns,
+    maxDurationMs,
+    maxRetries,
+    retryDelayMs,
+    maxRetryDelayMs,
+    backoff,
+    stopOnFail
+  };
+};
+
+const normalizeMode = (value) => {
+  const v = String(value || "").trim();
+  if (v === "supervised") return "allow";
+  if (v === "strict" || v === "allow" || v === "open") return v;
+  return "";
+};
+
+const expandHome = (value) => {
+  const v = String(value || "").trim();
+  if (!v) return "";
+  if (v === "~") return homedir();
+  if (v.startsWith("~/") || v.startsWith("~\\")) return join(homedir(), v.slice(2));
+  return v;
+};
+
+const normalizeAbsolute = (value) => {
+  const expanded = expandHome(value);
+  if (!expanded) return "";
+  return isAbsolute(expanded) ? expanded : resolve(expanded);
+};
+
+const normalizeRoot = (value) => {
+  const abs = normalizeAbsolute(value);
+  if (!abs) return "";
+  if (existsSync(abs)) return realpathSync(abs);
+  return resolve(abs);
+};
+
+const normalizeSandboxMode = (value) => {
+  const v = String(value || "").trim();
+  if (v === "off" || v === "os" || v === "container") return v;
+  return "";
+};
+
+const defaultSandboxMode = () => {
+  if (process.platform === "darwin") {
+    return existsSync("/usr/bin/sandbox-exec") ? "os" : "off";
+  }
+  if (process.platform === "linux") {
+    const bwrap = findInPath("bwrap") || "/usr/bin/bwrap";
+    return existsSync(bwrap) ? "os" : "off";
+  }
+  return "off";
+};
+
+const findInPath = (name) => {
+  const envPath = process.env["PATH"] || "";
+  const parts = envPath.split(process.platform === "win32" ? ";" : ":");
+  for (const p of parts) {
+    const full = join(p, name);
+    if (existsSync(full)) return full;
+  }
+  return "";
+};
+
+const escapeForSingleQuotes = (value) => String(value || "").replace(/'/g, "'\"'\"'");
+
+const buildMacSandboxProfile = (roots) => {
+  const allowed = roots.map((r) => `(subpath "${r}")`).join(" ");
+  const lines = [
+    "(version 1)",
+    "(deny default)",
+    "(allow process*)",
+    "(allow file-read* (subpath \"/System\") (subpath \"/usr\") (subpath \"/bin\") (subpath \"/sbin\") (subpath \"/private\") (subpath \"/Library\"))",
+    allowed ? `(allow file-read* ${allowed})` : "",
+    allowed ? `(allow file-write* ${allowed})` : ""
+  ].filter(Boolean);
+  return lines.join("\n");
+};
+
+const buildLinuxSandboxCommand = (cmd, cwd, roots) => {
+  const bwrap = findInPath("bwrap") || "/usr/bin/bwrap";
+  if (!existsSync(bwrap)) throw new Error("sandbox not available");
+  const binds = roots.map((r) => `--bind "${r}" "${r}"`).join(" ");
+  const escapedCmd = escapeForSingleQuotes(cmd);
+  return `${bwrap} --ro-bind / / --dev /dev --proc /proc --die-with-parent --unshare-all --chdir "${cwd}" ${binds} -- /bin/sh -c '${escapedCmd}'`;
+};
+
+const buildContainerSandboxCommand = (cmd, cwd, roots) => {
+  if (process.platform === "win32") throw new Error("container sandbox not supported");
+  const runtime = findInPath("docker") || findInPath("podman");
+  if (!runtime) throw new Error("container runtime not available");
+  const image = "alpine:3.20";
+  const mounts = roots.map((r) => `-v "${r}:${r}"`).join(" ");
+  const escapedCmd = escapeForSingleQuotes(cmd);
+  return `${runtime} run --rm --network none -w "${cwd}" ${mounts} ${image} /bin/sh -c '${escapedCmd}'`;
+};
+
+const buildSandboxedCommand = (cmd, cwd, roots) => {
+  if (sandboxMode === "off") return cmd;
+  if (sandboxMode === "container") {
+    return buildContainerSandboxCommand(cmd, cwd, roots);
+  }
+  if (process.platform === "darwin") {
+    const sandboxExec = existsSync("/usr/bin/sandbox-exec") ? "/usr/bin/sandbox-exec" : "";
+    if (!sandboxExec) throw new Error("sandbox not available");
+    const profile = buildMacSandboxProfile(roots);
+    const escapedProfile = escapeForSingleQuotes(profile);
+    const escapedCmd = escapeForSingleQuotes(cmd);
+    return `${sandboxExec} -p '${escapedProfile}' /bin/sh -c '${escapedCmd}'`;
+  }
+  if (process.platform === "linux") {
+    return buildLinuxSandboxCommand(cmd, cwd, roots);
+  }
+  return cmd;
+};
+
+const defaultExecuteAllowlist = [
+  "ls",
+  "cat",
+  "pwd",
+  "whoami",
+  "git",
+  "node",
+  "npm",
+  "pnpm",
+  "yarn",
+  "python",
+  "python3"
+];
+
+const defaultOpenUrlAllowlist = ["localhost", "127.0.0.1"];
+const defaultOpenFileAllowlist = [];
+
+const defaultDenyFileNames = [
+  ".env",
+  ".npmrc",
+  ".bashrc",
+  ".zshrc",
+  ".ssh",
+  "id_rsa",
+  "id_ed25519",
+  "known_hosts",
+  "authorized_keys"
+];
+
+const defaultDenyFileExts = [
+  ".pem",
+  ".key",
+  ".p12",
+  ".pfx",
+  ".crt",
+  ".cer",
+  ".der",
+  ".kdbx",
+  ".sqlite",
+  ".db"
+];
+
+const getDefaultDenyDirsAbs = () => {
+  const home = homedir();
+  if (process.platform === "darwin") {
+    return [
+      "/System",
+      "/Library",
+      "/Applications",
+      "/private",
+      "/etc",
+      "/bin",
+      "/sbin",
+      "/usr",
+      "/var",
+      join(home, "Library", "Keychains")
+    ];
+  }
+  if (process.platform === "win32") {
+    const systemRoot = process.env["SystemRoot"] || "C:\\Windows";
+    return [
+      systemRoot,
+      "C:\\Windows",
+      "C:\\Program Files",
+      "C:\\Program Files (x86)"
+    ];
+  }
+  return ["/etc", "/bin", "/sbin", "/usr", "/var", "/proc", "/sys", "/dev"];
+};
+
+const defaultDenyDirSegments = [".ssh", ".gnupg", ".aws", ".kube", ".config"];
+
+const allowedRiskSet = new Set(["delete", "execute", "open"]);
+
+const parseAllowRisk = (value) =>
+  new Set(
+    parseCsvList(value)
+      .map((v) => String(v).trim().toLowerCase())
+      .filter((v) => allowedRiskSet.has(v))
+  );
+
+const parseHours = (value) => {
+  if (value == null || value === "") return 0;
+  const num = Number(value);
+  if (!Number.isFinite(num) || num <= 0) return 0;
+  return num;
+};
+
+const parseAllowRiskUntil = (value) => {
+  if (!value || typeof value !== "object") return {};
+  const now = Date.now();
+  const out = {};
+  for (const [tool, raw] of Object.entries(value)) {
+    if (!allowedRiskSet.has(tool)) continue;
+    let ts = 0;
+    if (typeof raw === "number") ts = raw;
+    else {
+      const parsed = Date.parse(String(raw));
+      ts = Number.isFinite(parsed) ? parsed : 0;
+    }
+    if (ts > now) out[tool] = ts;
+  }
+  return out;
+};
+
+const normalizeListLower = (items) =>
+  parseCsvList(items)
+    .map((v) => String(v).trim().toLowerCase())
+    .filter(Boolean);
+
+const normalizeExtList = (items) =>
+  parseCsvList(items)
+    .map((v) => {
+      const raw = String(v).trim().toLowerCase();
+      if (!raw) return "";
+      return raw.startsWith(".") ? raw : `.${raw}`;
+    })
+    .filter(Boolean);
+
+const normalizeAbsList = (items) =>
+  parseCsvList(items)
+    .map(normalizeRoot)
+    .filter(Boolean);
+
+const clampNumber = (value, min, max, fallback) => {
+  const num = Number(value);
+  if (!Number.isFinite(num)) return fallback;
+  return Math.max(min, Math.min(max, num));
+};
+
+const truncateText = (text, maxChars) => {
+  const raw = String(text ?? "");
+  if (raw.length <= maxChars) return { text: raw, truncated: false, total: raw.length };
+  return { text: raw.slice(0, maxChars), truncated: true, total: raw.length };
+};
+
+let cachedPtySpawn = null;
+let cachedPtySpawnChecked = false;
+
+const loadPtySpawn = async () => {
+  if (cachedPtySpawnChecked) return cachedPtySpawn;
+  cachedPtySpawnChecked = true;
+  try {
+    const module = await import("@lydell/node-pty");
+    cachedPtySpawn = module?.spawn || module?.default?.spawn || null;
+  } catch {
+    cachedPtySpawn = null;
+  }
+  return cachedPtySpawn;
+};
+
+const resolvePtyCommand = (cmd) => {
+  if (process.platform === "win32") {
+    const shell = process.env["ComSpec"] || "cmd.exe";
+    return { file: shell, args: ["/d", "/s", "/c", cmd] };
+  }
+  const shell = process.env["SHELL"] || "/bin/sh";
+  return { file: shell, args: ["-lc", cmd] };
+};
+
+const createToolError = (type, message, meta) => {
+  const err = new Error(message || "tool error");
+  err.code = type;
+  err.meta = meta;
+  return err;
+};
+
+const normalizeToolError = (err) => {
+  const rawMessage = String(err?.message || err || "tool error");
+  const message = rawMessage.trim() || "tool error";
+  const type = String(err?.code || "").toUpperCase();
+  if (type === "EXEC_TIMEOUT") {
+    return { code: 408, error_type: "exec_timeout", message, meta: err?.meta || null };
+  }
+  if (type === "EXEC_DENIED") {
+    return { code: 403, error_type: "exec_denied", message, meta: err?.meta || null };
+  }
+  if (type === "EXEC_OUTPUT_LIMIT") {
+    return { code: 413, error_type: "exec_output_limit", message, meta: err?.meta || null };
+  }
+  if (type === "EXEC_FAILED") {
+    const exitCode = Number(err?.meta?.exit_code || 0) || 500;
+    return { code: exitCode, error_type: "exec_failed", message, meta: err?.meta || null };
+  }
+  if (type === "INVALID_ARGS") {
+    return { code: 400, error_type: "invalid_args", message, meta: err?.meta || null };
+  }
+  if (type === "NOT_FOUND") {
+    return { code: 404, error_type: "not_found", message, meta: err?.meta || null };
+  }
+  const lower = message.toLowerCase();
+  if (lower.includes("not found")) return { code: 404, error_type: "not_found", message, meta: null };
+  if (lower.includes("required") || lower.includes("invalid")) {
+    return { code: 400, error_type: "invalid_args", message, meta: null };
+  }
+  if (
+    lower.includes("denied") ||
+    lower.includes("not allowed") ||
+    lower.includes("command not allowed") ||
+    lower.includes("risk tool")
+  ) {
+    return { code: 403, error_type: "forbidden", message, meta: null };
+  }
+  return { code: 500, error_type: "tool_error", message, meta: null };
+};
+
+const buildToolResult = ({ tool, ok, code, data, error, meta }) => ({
+  ok: Boolean(ok),
+  tool: String(tool || ""),
+  code: Number(code || 0),
+  data: data ?? null,
+  error: error || null,
+  meta: meta || null
+});
+
+const appendAuditEvent = (event) => {
+  mkdirSync(dirname(tasksLogPath), { recursive: true });
+  const line = JSON.stringify({ ts: nowIso(), type: "tool", ...event });
+  writeFileSync(tasksLogPath, line + "\n", { flag: "a" });
+};
+
+let currentSessionId = "";
+
+const createSessionId = () => `s-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+
+let sessionState = {
+  date: "",
+  dir: "",
+  recordPath: "",
+  round: 0
+};
+
+const formatDate = (d) => {
+  const year = d.getFullYear();
+  const month = String(d.getMonth() + 1).padStart(2, "0");
+  const day = String(d.getDate()).padStart(2, "0");
+  return `${year}-${month}-${day}`;
+};
+
+const initSessionState = () => {
+  const date = formatDate(new Date());
+  const dir = join(workspaceRoot, "session", date, currentSessionId);
+  mkdirSync(dir, { recursive: true });
+  sessionState = { date, dir, recordPath: "", round: 0 };
+};
+
+const buildSessionRecordFile = (round) =>
+  join(sessionState.dir, `${currentSessionId}-qa${round}-record.json`);
+
+const listSessionRecordFiles = () => {
+  const dir = sessionState.dir;
+  if (!dir || !existsSync(dir)) return [];
+  const pattern = new RegExp(`^${currentSessionId}-qa(\\d+)-record\\.json$`);
+  return readdirSync(dir)
+    .map((name) => {
+      const match = name.match(pattern);
+      if (!match) return null;
+      return { name, round: Number(match[1]) };
+    })
+    .filter(Boolean)
+    .sort((a, b) => a.round - b.round)
+    .map((entry) => entry.name);
+};
+
+const loadSessionRecords = () => {
+  const dir = sessionState.dir;
+  if (!dir || !existsSync(dir)) return [];
+  const files = listSessionRecordFiles();
+  const all = [];
+  for (const name of files) {
+    const full = join(dir, name);
+    if (!existsSync(full)) continue;
+    try {
+      const raw = readFileSync(full, "utf-8");
+      const parsed = JSON.parse(raw);
+      if (Array.isArray(parsed)) all.push(...parsed);
+      else if (parsed) all.push(parsed);
+    } catch {}
+  }
+  return all;
+};
+
+const saveSessionRecords = (round, records) => {
+  const recordPath = buildSessionRecordFile(round);
+  mkdirSync(dirname(recordPath), { recursive: true });
+  writeFileSync(recordPath, JSON.stringify(records, null, 2));
+};
+
+const listSessionSummaryFiles = () => {
+  const dir = sessionState.dir;
+  if (!dir || !existsSync(dir)) return [];
+  const prefix = `${currentSessionId}-`;
+  const files = readdirSync(dir).filter(
+    (f) => f.startsWith(prefix) && f.endsWith("-summary.md")
+  );
+  const rangeFiles = [];
+  const finalFiles = [];
+  for (const f of files) {
+    const name = f.slice(prefix.length);
+    const parts = name.split("-");
+    if (parts.length === 2 && parts[1] === "summary.md") {
+      finalFiles.push(f);
+      continue;
+    }
+    rangeFiles.push(f);
+  }
+  const toStart = (f) => {
+    const base = f.slice(prefix.length, -"-summary.md".length);
+    const segs = base.split("-");
+    const token = segs[0] || "";
+    const match = token.match(/^(\d+)to(\d+)$/) || token.match(/^(\d+)$/);
+    return match ? Number(match[1]) : 0;
+  };
+  rangeFiles.sort((a, b) => toStart(a) - toStart(b));
+  return rangeFiles.length ? rangeFiles : finalFiles;
+};
+
+const loadSessionSummaries = () => {
+  const files = listSessionSummaryFiles();
+  if (!files.length) return [];
+  return files
+    .map((f) => {
+      const full = join(sessionState.dir, f);
+      if (!existsSync(full)) return "";
+      return readFileSync(full, "utf-8").trim();
+    })
+    .filter(Boolean);
+};
+
+const buildSummaryMessage = (summaries) => {
+  const header =
+    "以下内容是历史对话的简要总结，如需细节请读取对应 session_id-qa序号-record.json。";
+  const body = summaries.join("\n\n");
+  const files = listSessionRecordFiles();
+  const list = files.length ? files.join(", ") : "无";
+  return `${header}\n\n记录文件：${list}\n\n${body}`;
+};
+
+const buildRecordsMessage = (records) => {
+  const header = "以下内容是历史对话记录摘要，请结合当前问题。";
+  const files = listSessionRecordFiles();
+  const list = files.length ? files.join(", ") : "无";
+  const body = JSON.stringify(records, null, 2);
+  return `${header}\n\n记录文件：${list}\n\n${body}`;
+};
+
+const appendSessionEvent = (event) => {
+  mkdirSync(dirname(sessionLogPath), { recursive: true });
+  const payload = {
+    ts: nowIso(),
+    type: "session",
+    session_id: currentSessionId || event?.session_id || "",
+    ...event
+  };
+  writeFileSync(sessionLogPath, JSON.stringify(payload) + "\n", { flag: "a" });
+};
+
+const startSession = (mode) => {
+  currentSessionId = createSessionId();
+  initSessionState();
+  appendSessionEvent({ event: "start", mode });
+  return currentSessionId;
+};
+
+let evidenceSeq = 0;
+
+const nextEvidenceId = () => {
+  evidenceSeq += 1;
+  return `e-${Date.now()}-${evidenceSeq}`;
+};
+
+const appendEvidenceLog = (record) => {
+  mkdirSync(dirname(evidenceLogPath), { recursive: true });
+  writeFileSync(evidenceLogPath, JSON.stringify(record) + "\n", { flag: "a" });
+};
+
+const buildEvidenceRecord = (input) => ({
+  evidence_id: input.evidence_id || nextEvidenceId(),
+  ts: input.ts || nowIso(),
+  tool: input.tool || "",
+  action: input.action || "",
+  target: input.target || "",
+  status: input.status || "",
+  output_path: input.output_path || "",
+  error: input.error || "",
+  meta: input.meta || null
+});
+
+const writeEvidenceFile = (outputPath, record) => {
+  const resolved = resolveWorkspacePath(outputPath);
+  mkdirSync(dirname(resolved), { recursive: true });
+  writeFileSync(resolved, JSON.stringify(record, null, 2));
+  return resolved;
+};
+
+const summarizeToolResult = (tool, data) => {
+  if (tool === "execute") {
+    return {
+      code: data?.code ?? null,
+      stdout_len: typeof data?.stdout === "string" ? data.stdout.length : 0,
+      stderr_len: typeof data?.stderr === "string" ? data.stderr.length : 0,
+      truncated: Boolean(data?.truncated),
+      timed_out: Boolean(data?.timed_out)
+    };
+  }
+  if (tool === "execute_detached") {
+    return {
+      session_id: data?.session_id ?? null,
+      status: data?.status ?? null,
+      pid: data?.pid ?? null
+    };
+  }
+  if (tool === "process") {
+    return {
+      action: data?.action ?? null,
+      session_id: data?.session_id ?? null,
+      status: data?.status ?? null
+    };
+  }
+  if (tool === "wait_process") {
+    return {
+      session_id: data?.session_id ?? null,
+      status: data?.status ?? null,
+      exit_code: data?.exit_code ?? null
+    };
+  }
+  if (tool === "read_process_log") {
+    return {
+      session_id: data?.session_id ?? null,
+      total: data?.total ?? null
+    };
+  }
+  if (tool === "read_process_output") {
+    return {
+      session_id: data?.session_id ?? null,
+      status: data?.output?.status ?? null
+    };
+  }
+  if (tool === "move" || tool === "rename") {
+    return { from: data?.from ?? null, to: data?.to ?? null };
+  }
+  if (tool === "stat") {
+    return { path: data?.path ?? null, type: data?.type ?? null };
+  }
+  if (tool === "diff") {
+    return { identical: Boolean(data?.identical), diff_len: data?.diff?.length ?? 0 };
+  }
+  if (tool === "patch") {
+    return { ok: Boolean(data?.ok), path: data?.path ?? null };
+  }
+  if (tool === "web_fetch") {
+    return { status: data?.status ?? null, truncated: Boolean(data?.truncated) };
+  }
+  if (tool === "web_search") {
+    return { query: data?.query ?? null, count: data?.count ?? null };
+  }
+  if (tool === "ask_user") {
+    return { question: data?.question ?? null };
+  }
+  if (tool === "browser") {
+    return {
+      action: data?.action ?? null,
+      status: data?.status ?? null
+    };
+  }
+  if (tool === "read") {
+    return { lines: data?.lines ?? null, offset: data?.offset ?? null };
+  }
+  if (tool === "grep" || tool === "glob") {
+    return { matches: Array.isArray(data?.matches) ? data.matches.length : 0 };
+  }
+  return null;
+};
+
+const processRegistry = new Map();
+let processLastId = 0;
+
+const nextProcessId = () => {
+  processLastId += 1;
+  return `p-${processLastId}`;
+};
+
+const appendProcessLog = (logPath, payload) => {
+  mkdirSync(dirname(logPath), { recursive: true });
+  writeFileSync(logPath, JSON.stringify(payload) + "\n", { flag: "a" });
+};
+
+const readProcessLogEntries = (logPath) => {
+  if (!existsSync(logPath)) return [];
+  const raw = readFileSync(logPath, "utf-8");
+  return raw
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter(Boolean)
+    .map((line) => {
+      try {
+        return JSON.parse(line);
+      } catch {
+        return null;
+      }
+    })
+    .filter(Boolean);
+};
+
+const keepTail = (current, next, maxChars) => {
+  const combined = String(current || "") + String(next || "");
+  if (combined.length <= maxChars) return combined;
+  return combined.slice(combined.length - maxChars);
+};
+
+const buildProcessOutput = (session) => ({
+  session_id: session.session_id,
+  task_id: session.task_id || null,
+  cmd: session.cmd,
+  cwd: session.cwd,
+  is_pty: Boolean(session.is_pty),
+  status: session.status,
+  pid: session.pid,
+  started_at: session.started_at,
+  ended_at: session.ended_at || null,
+  duration_ms: session.ended_at ? session.ended_at_ms - session.started_at_ms : null,
+  exit_code: session.exit_code ?? null,
+  signal: session.signal || null,
+  log_path: session.log_path,
+  output_path: session.output_path,
+  stdout_len: session.stdout_len || 0,
+  stderr_len: session.stderr_len || 0,
+  stdout_truncated: Boolean(session.stdout_truncated),
+  stderr_truncated: Boolean(session.stderr_truncated)
+});
+
+const writeProcessOutput = (session) => {
+  mkdirSync(dirname(session.output_path), { recursive: true });
+  writeFileSync(session.output_path, JSON.stringify(buildProcessOutput(session), null, 2));
+};
+
+const updateTaskForProcess = (taskId, updates) => {
+  if (!taskId) return null;
+  try {
+    const store = loadTaskStore();
+    const task = updateTask(store, { task_id: taskId, ...updates });
+    recordTaskUpdate(store, task, { source: "process" });
+    return task;
+  } catch {
+    return null;
+  }
+};
+
+const finalizeProcessSession = (session, status, code, signal, errorMessage) => {
+  if (session.status !== "running") return;
+  session.status = status;
+  session.exit_code = code;
+  session.signal = signal || "";
+  session.ended_at_ms = Date.now();
+  session.ended_at = nowIso();
+  appendProcessLog(session.log_path, {
+    ts: session.ended_at,
+    stream: "meta",
+    event: "exit",
+    session_id: session.session_id,
+    status: session.status,
+    exit_code: session.exit_code ?? null,
+    signal: session.signal || null,
+    error: errorMessage || null
+  });
+  writeProcessOutput(session);
+  if (session.task_id) {
+    const taskStatus = session.exit_code === 0 ? "completed" : "failed";
+    updateTaskForProcess(session.task_id, {
+      status: taskStatus,
+      last_error: taskStatus === "failed" ? errorMessage || "process failed" : "",
+      outputs: {
+        session_id: session.session_id,
+        log_path: session.log_path,
+        output_path: session.output_path,
+        exit_code: session.exit_code,
+        signal: session.signal || null,
+        status: session.status
+      }
+    });
+  }
+  if (session.removed) {
+    processRegistry.delete(session.session_id);
+  }
+};
+
+const getArgValue = (args, flag) => {
+  const index = args.indexOf(flag);
+  if (index === -1) return "";
+  return args[index + 1] || "";
+};
+
+const normalizeTaskStatus = (value) => {
+  const v = String(value || "").trim();
+  if (
+    v === "draft" ||
+    v === "queued" ||
+    v === "running" ||
+    v === "blocked" ||
+    v === "completed" ||
+    v === "cancelled" ||
+    v === "failed" ||
+    v === "retrying"
+  ) {
+    return v;
+  }
+  return "";
+};
+
+const normalizeTaskKind = (value) => {
+  const v = String(value || "").trim();
+  if (!v) return "";
+  return v;
+};
+
+const normalizeTodoSource = (value) => {
+  const v = String(value || "").trim().toLowerCase();
+  if (v === "user" || v === "ai") return v;
+  return "";
+};
+
+const normalizeTodoScope = (value) => {
+  const v = String(value || "").trim();
+  return v || "project";
+};
+
+const taskTransitions = {
+  draft: ["queued", "cancelled"],
+  queued: ["running", "cancelled"],
+  running: ["blocked", "completed", "failed", "retrying", "cancelled"],
+  blocked: ["running", "cancelled"],
+  failed: ["retrying", "cancelled"],
+  retrying: ["running", "cancelled"],
+  completed: [],
+  cancelled: []
+};
+
+const nowIso = () => new Date().toISOString();
+
+const loadTaskStore = () => {
+  if (!existsSync(tasksConfigPath)) {
+    return { last_id: 0, tasks: [] };
+  }
+  const raw = readFileSync(tasksConfigPath, "utf-8");
+  const parsed = JSON.parse(raw);
+  const tasks = Array.isArray(parsed.tasks) ? parsed.tasks : [];
+  const lastId = Number(parsed.last_id || 0) || 0;
+  return { last_id: lastId, tasks };
+};
+
+const saveTaskStore = (store) => {
+  mkdirSync(dirname(tasksConfigPath), { recursive: true });
+  const safe = { last_id: store.last_id || 0, tasks: store.tasks || [] };
+  writeFileSync(tasksConfigPath, JSON.stringify(safe, null, 2));
+};
+
+const appendTaskLog = (entry) => {
+  mkdirSync(dirname(tasksLogPath), { recursive: true });
+  const payload = {
+    ts: entry?.ts || nowIso(),
+    type: "task",
+    action: entry?.action || "update",
+    task: entry?.task || null,
+    meta: entry?.meta || null
+  };
+  const line = JSON.stringify(payload);
+  writeFileSync(tasksLogPath, line + "\n", { flag: "a" });
+};
+
+const loadTaskLogs = () => {
+  if (!existsSync(tasksLogPath)) return [];
+  const raw = readFileSync(tasksLogPath, "utf-8");
+  return raw
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter(Boolean)
+    .map((line) => {
+      try {
+        return JSON.parse(line);
+      } catch {
+        return null;
+      }
+    })
+    .filter(Boolean);
+};
+
+const getTaskIdNumber = (taskId) => {
+  const match = String(taskId || "").match(/^t-(\d+)$/);
+  if (!match) return 0;
+  return Number(match[1]) || 0;
+};
+
+const replayTaskLogs = (logs) => {
+  const map = new Map();
+  for (const log of logs) {
+    if (!log || !log.task || !log.task.task_id) continue;
+    map.set(log.task.task_id, log.task);
+  }
+  const tasks = Array.from(map.values()).sort((a, b) => getTaskIdNumber(a.task_id) - getTaskIdNumber(b.task_id));
+  const lastId = tasks.reduce((maxId, t) => Math.max(maxId, getTaskIdNumber(t.task_id)), 0);
+  const store = { last_id: lastId, tasks };
+  saveTaskStore(store);
+  return { tasks: tasks.length };
+};
+
+const getTaskById = (store, taskId) => store.tasks.find((t) => t.task_id === taskId);
+
+const ensureTaskExists = (store, taskId) => {
+  const task = getTaskById(store, taskId);
+  if (!task) throw new Error("task not found");
+  return task;
+};
+
+const normalizeDependencyType = (value) => (value === "soft" || value === "hard" ? value : "hard");
+
+const normalizeDependencyInput = (item) => {
+  if (typeof item === "string") {
+    const taskId = item.trim();
+    if (!taskId) return null;
+    return { task_id: taskId, type: "hard" };
+  }
+  if (item && typeof item === "object") {
+    const taskId = String(item.task_id || item.id || "").trim();
+    if (!taskId) return null;
+    return { task_id: taskId, type: normalizeDependencyType(item.type) };
+  }
+  return null;
+};
+
+const normalizeTaskDependencies = (store, dependsOn) => {
+  const list = Array.isArray(dependsOn) ? dependsOn : parseCsvList(dependsOn);
+  const uniq = new Map();
+  for (const item of list) {
+    const dep = normalizeDependencyInput(item);
+    if (!dep) continue;
+    ensureTaskExists(store, dep.task_id);
+    if (!uniq.has(dep.task_id)) uniq.set(dep.task_id, dep);
+  }
+  return Array.from(uniq.values());
+};
+
+const ensureNoCycle = (store, taskId, parentId) => {
+  if (!parentId) return;
+  if (taskId === parentId) throw new Error("parent loop");
+  let current = ensureTaskExists(store, parentId);
+  const seen = new Set([taskId]);
+  while (current) {
+    if (seen.has(current.task_id)) throw new Error("parent loop");
+    seen.add(current.task_id);
+    if (!current.parent_id) break;
+    current = getTaskById(store, current.parent_id);
+    if (!current) break;
+  }
+};
+
+const canTransition = (fromStatus, toStatus) => {
+  if (fromStatus === toStatus) return true;
+  const allowed = taskTransitions[fromStatus] || [];
+  return allowed.includes(toStatus);
+};
+
+const normalizeStoredDep = (dep) => {
+  if (typeof dep === "string") return { task_id: dep, type: "hard" };
+  if (dep && typeof dep === "object") return dep;
+  return null;
+};
+
+const getHardDeps = (dependsOn) =>
+  (Array.isArray(dependsOn) ? dependsOn : [])
+    .map((dep) => normalizeStoredDep(dep))
+    .filter((d) => d && d.type !== "soft");
+
+const ensureDepsCompleted = (store, dependsOn) => {
+  const pending = getHardDeps(dependsOn)
+    .map((dep) => dep.task_id)
+    .filter((id) => {
+      const t = getTaskById(store, id);
+      return t && t.status !== "completed";
+    });
+  if (pending.length) throw new Error(`hard dependencies not completed: ${pending.join(",")}`);
+};
+
+const propagateDependencyFailure = (store, task) => {
+  if (!task || !["failed", "cancelled"].includes(task.status)) return [];
+  const reason = `hard dependency ${task.task_id} ${task.status}`;
+  const affected = [];
+  for (const t of store.tasks) {
+    if (!t || t.task_id === task.task_id) continue;
+    const deps = Array.isArray(t.depends_on) ? t.depends_on : [];
+    const hasHard = deps.some((dep) => dep && dep.task_id === task.task_id && dep.type !== "soft");
+    if (!hasHard) continue;
+    let changed = false;
+    if (t.status === "running" && canTransition(t.status, "blocked")) {
+      t.status = "blocked";
+      changed = true;
+    }
+    if (!["completed", "cancelled"].includes(t.status)) {
+      t.last_error = reason;
+      changed = true;
+    }
+    if (changed) {
+      t.updated_at = nowIso();
+      affected.push(t);
+    }
+  }
+  return affected;
+};
+
+const recordTaskUpdate = (store, task, meta) => {
+  const affected = propagateDependencyFailure(store, task);
+  saveTaskStore(store);
+  appendTaskLog({ ts: nowIso(), action: "update", task, meta: meta || null });
+  for (const depTask of affected) {
+    appendTaskLog({
+      ts: nowIso(),
+      action: "update",
+      task: depTask,
+      meta: { source: "deps", caused_by: task.task_id }
+    });
+  }
+  return affected;
+};
+
+const createTask = (store, input) => {
+  const title = String(input.title || "").trim();
+  if (!title) throw new Error("title required");
+  const status = normalizeTaskStatus(input.status) || "draft";
+  const kind = normalizeTaskKind(input.kind) || "";
+  const nextId = store.last_id + 1;
+  const taskId = `t-${nextId}`;
+  const parentId = input.parent_id ? String(input.parent_id) : "";
+  if (parentId) ensureTaskExists(store, parentId);
+  const dependsOn = normalizeTaskDependencies(store, input.depends_on);
+  if (["running", "completed"].includes(status)) {
+    ensureDepsCompleted(store, dependsOn);
+  }
+  const now = nowIso();
+  const task = {
+    task_id: taskId,
+    title,
+    status,
+    kind: kind || null,
+    parent_id: parentId || null,
+    depends_on: dependsOn,
+    created_at: now,
+    updated_at: now,
+    inputs: input.inputs || null,
+    outputs: input.outputs || null,
+    retries: 0,
+    last_error: ""
+  };
+  store.last_id = nextId;
+  store.tasks.push(task);
+  return task;
+};
+
+const updateTask = (store, input) => {
+  const taskId = String(input.task_id || "").trim();
+  if (!taskId) throw new Error("task_id required");
+  const task = ensureTaskExists(store, taskId);
+  if (input.title != null) {
+    const title = String(input.title || "").trim();
+    if (!title) throw new Error("title required");
+    task.title = title;
+  }
+  if (input.parent_id !== undefined) {
+    const parentId = input.parent_id ? String(input.parent_id) : "";
+    if (parentId) ensureTaskExists(store, parentId);
+    ensureNoCycle(store, taskId, parentId);
+    task.parent_id = parentId || null;
+  }
+  if (input.depends_on !== undefined) {
+    task.depends_on = normalizeTaskDependencies(store, input.depends_on);
+  }
+  if (input.kind !== undefined) {
+    const kind = normalizeTaskKind(input.kind);
+    task.kind = kind || null;
+  }
+  if (input.status) {
+    const next = normalizeTaskStatus(input.status);
+    if (!next) throw new Error("invalid status");
+    if (!canTransition(task.status, next)) throw new Error("status transition not allowed");
+    if (["running", "completed"].includes(next)) {
+      ensureDepsCompleted(store, task.depends_on || []);
+    }
+    if (next === "retrying") {
+      task.retries = Number(task.retries || 0) + 1;
+    }
+    task.status = next;
+  }
+  if (input.inputs !== undefined) {
+    task.inputs = input.inputs || null;
+  }
+  if (input.outputs !== undefined) {
+    task.outputs = input.outputs || null;
+  }
+  if (input.last_error !== undefined) {
+    task.last_error = String(input.last_error || "");
+  }
+  task.updated_at = nowIso();
+  return task;
+};
+
+const listTasks = (store, filters) => {
+  const status = normalizeTaskStatus(filters?.status);
+  const parentId = filters?.parent_id ? String(filters.parent_id) : "";
+  return store.tasks.filter((t) => {
+    if (status && t.status !== status) return false;
+    if (parentId && String(t.parent_id || "") !== parentId) return false;
+    return true;
+  });
+};
+
+const buildTaskTree = (store, rootId) => {
+  const byParent = new Map();
+  for (const task of store.tasks) {
+    const key = task.parent_id || "";
+    const list = byParent.get(key) || [];
+    list.push(task);
+    byParent.set(key, list);
+  }
+  const buildNode = (task) => ({
+    ...task,
+    children: (byParent.get(task.task_id) || []).map(buildNode)
+  });
+  if (rootId) {
+    const root = ensureTaskExists(store, rootId);
+    return buildNode(root);
+  }
+  return (byParent.get("") || []).map(buildNode);
+};
+
+const formatTaskDeps = (deps) =>
+  (Array.isArray(deps) ? deps : [])
+    .map((dep) => normalizeStoredDep(dep))
+    .filter(Boolean)
+    .map((dep) => (dep.type === "soft" ? `${dep.task_id}:soft` : dep.task_id))
+    .join(",");
+
+const formatTaskLine = (task) =>
+  `${task.task_id} ${task.status} ${task.title}${task.parent_id ? ` parent=${task.parent_id}` : ""}${
+    task.depends_on?.length ? ` deps=${formatTaskDeps(task.depends_on)}` : ""
+  }`;
+
+const getTodoScope = (task) => {
+  const scope = task?.inputs?.scope ? String(task.inputs.scope) : "";
+  return normalizeTodoScope(scope);
+};
+
+const getTodoSource = (task) => {
+  const source = task?.inputs?.source ? String(task.inputs.source) : "";
+  return normalizeTodoSource(source) || "ai";
+};
+
+const isTodoTask = (task) => task && task.kind === "todo";
+
+const listTodos = (store, filters) => {
+  const status = normalizeTaskStatus(filters?.status);
+  const scopeRaw = filters?.scope ? String(filters.scope).trim() : "";
+  return store.tasks.filter((task) => {
+    if (!isTodoTask(task)) return false;
+    if (status && task.status !== status) return false;
+    if (scopeRaw && getTodoScope(task) !== scopeRaw) return false;
+    return true;
+  });
+};
+
+const findRunningTodo = (store, scope, exceptId) =>
+  store.tasks.find((task) => {
+    if (!isTodoTask(task)) return false;
+    if (task.status !== "running") return false;
+    if (scope && getTodoScope(task) !== scope) return false;
+    if (exceptId && task.task_id === exceptId) return false;
+    return true;
+  });
+
+const formatTodoLine = (task) =>
+  `${task.task_id} ${task.status} ${task.title} scope=${getTodoScope(task)} source=${getTodoSource(task)}`;
+
+const parseTodoArgs = (tokens) => {
+  const result = { scope: "", source: "", status: "", text: "" };
+  const textParts = [];
+  for (const token of tokens) {
+    if (token.startsWith("scope=")) {
+      result.scope = token.slice("scope=".length);
+      continue;
+    }
+    if (token.startsWith("source=")) {
+      result.source = token.slice("source=".length);
+      continue;
+    }
+    if (token.startsWith("status=")) {
+      result.status = token.slice("status=".length);
+      continue;
+    }
+    textParts.push(token);
+  }
+  result.text = textParts.join(" ").trim();
+  return result;
+};
 
-const testPrompt = "使用9T工具创建文件夹 demo ，在其中创建 test.md，内容为：山高月小，水落石出。";
-const toolHelpText = `可用工具与用途：${helpToolsText}`;
-const aboutText =
-  "9T-Movevom 是一个最小可用的 CLI 工具代理，使用 ChatGLM（glm-5）通过工具调用完成文件与命令操作。默认工作区为 Movevom/workspace。";
-const helpText =
-  "可用指令：/help /about /tools /? /exit /keystatus。输入自然语言任务可让 9T 调用工具执行。";
+const createTodo = (store, input) => {
+  const text = String(input.text || "").trim();
+  if (!text) throw new Error("text required");
+  const scope = normalizeTodoScope(input.scope);
+  const source = normalizeTodoSource(input.source) || input.defaultSource || "ai";
+  const task = createTask(store, {
+    title: text,
+    status: "draft",
+    kind: "todo",
+    inputs: { source, scope }
+  });
+  saveTaskStore(store);
+  appendTaskLog({ ts: nowIso(), action: "create", task, meta: { source: "todo" } });
+  return task;
+};
 
-const getConfigDir = () => {
-  const custom = process.env["9T_CONFIG_HOME"];
-  if (custom) return custom;
-  const home = homedir();
-  if (process.platform === "darwin") return join(home, "Library", "Application Support", "9T");
-  if (process.platform === "win32") {
-    const appData = process.env["APPDATA"] || join(home, "AppData", "Roaming");
-    return join(appData, "9T");
+const startTodo = (store, taskId, meta) => {
+  const task = ensureTaskExists(store, taskId);
+  if (!isTodoTask(task)) throw new Error("not a todo");
+  if (task.status === "completed") throw new Error("todo already completed");
+  const scope = getTodoScope(task);
+  const running = findRunningTodo(store, scope, taskId);
+  if (running) throw new Error(`running todo exists: ${running.task_id}`);
+  if (task.status === "draft") {
+    const queued = updateTask(store, { task_id: taskId, status: "queued" });
+    recordTaskUpdate(store, queued, meta);
   }
-  return join(process.env["XDG_CONFIG_HOME"] || join(home, ".config"), "9t");
+  if (task.status !== "running") {
+    const runningTask = updateTask(store, { task_id: taskId, status: "running" });
+    recordTaskUpdate(store, runningTask, meta);
+    return runningTask;
+  }
+  return task;
 };
 
-const providerPath = join(getConfigDir(), "provider.json");
+const doneTodo = (store, taskId, meta) => {
+  const task = ensureTaskExists(store, taskId);
+  if (!isTodoTask(task)) throw new Error("not a todo");
+  if (!["running", "blocked"].includes(task.status)) throw new Error("todo not running");
+  const completed = updateTask(store, { task_id: taskId, status: "completed" });
+  recordTaskUpdate(store, completed, meta);
+  return completed;
+};
 
-const defaultProvider = {
-  base_url: "https://open.bigmodel.cn/api/anthropic",
-  model: "glm-5"
+const patchTodo = (store, taskId, input) => {
+  const task = ensureTaskExists(store, taskId);
+  if (!isTodoTask(task)) throw new Error("not a todo");
+  const text = String(input.text || "").trim();
+  if (!text) throw new Error("text required");
+  const scope = normalizeTodoScope(input.scope || getTodoScope(task));
+  const source = normalizeTodoSource(input.source) || input.defaultSource || getTodoSource(task);
+  const patchTask = createTask(store, {
+    title: text,
+    status: "draft",
+    kind: "todo",
+    parent_id: taskId,
+    inputs: { source, scope, patch_of: taskId }
+  });
+  saveTaskStore(store);
+  appendTaskLog({ ts: nowIso(), action: "create", task: patchTask, meta: { source: "todo" } });
+  return patchTask;
 };
 
-const loadProviderConfig = () => {
-  if (existsSync(providerPath)) {
-    const raw = readFileSync(providerPath, "utf-8");
-    return JSON.parse(raw);
+const clearTodos = (store, scope, meta) => {
+  const scopeRaw = scope ? String(scope).trim() : "";
+  const targets = store.tasks.filter((task) => {
+    if (!isTodoTask(task)) return false;
+    if (scopeRaw && getTodoScope(task) !== scopeRaw) return false;
+    return !["completed", "cancelled"].includes(task.status);
+  });
+  for (const task of targets) {
+    const updated = updateTask(store, { task_id: task.task_id, status: "cancelled" });
+    recordTaskUpdate(store, updated, meta);
   }
-  if (existsSync(legacyProviderPath)) {
-    const raw = readFileSync(legacyProviderPath, "utf-8");
-    return JSON.parse(raw);
+  return targets.length;
+};
+
+const handleTaskCli = (input) => {
+  const trimmed = String(input || "").trim();
+  if (trimmed === "/tasks" || trimmed.startsWith("/tasks ")) {
+    const status = trimmed.split(/\s+/)[1] || "";
+    const store = loadTaskStore();
+    const tasks = listTasks(store, { status });
+    return tasks.length ? tasks.map(formatTaskLine).join("\n") : "no tasks";
+  }
+  if (trimmed === "/task" || trimmed.startsWith("/task ")) {
+    const parts = trimmed.split(/\s+/);
+    const action = parts[1] || "";
+    const store = loadTaskStore();
+    if (action === "new") {
+      const title = trimmed.slice(trimmed.indexOf("new") + 4).trim();
+      const task = createTask(store, { title });
+      saveTaskStore(store);
+      appendTaskLog({ ts: nowIso(), action: "create", task });
+      return formatTaskLine(task);
+    }
+    if (action === "show") {
+      const taskId = parts[2] || "";
+      if (!taskId) throw new Error("task_id required");
+      const task = ensureTaskExists(store, taskId);
+      return JSON.stringify(task, null, 2);
+    }
+    if (action === "status") {
+      const taskId = parts[2] || "";
+      const status = parts[3] || "";
+      const task = updateTask(store, { task_id: taskId, status });
+      recordTaskUpdate(store, task, null);
+      return formatTaskLine(task);
+    }
+    if (action === "deps") {
+      const taskId = parts[2] || "";
+      const deps = parts[3] || "";
+      const task = updateTask(store, { task_id: taskId, depends_on: deps });
+      recordTaskUpdate(store, task, null);
+      return formatTaskLine(task);
+    }
+    if (action === "parent") {
+      const taskId = parts[2] || "";
+      const parentId = parts[3] || "";
+      const task = updateTask(store, { task_id: taskId, parent_id: parentId || null });
+      recordTaskUpdate(store, task, null);
+      return formatTaskLine(task);
+    }
+    if (action === "log") {
+      const taskId = parts[2] || "";
+      const limit = Number(parts[3] || 50) || 50;
+      const logs = loadTaskLogs()
+        .filter((l) => (taskId ? l.task?.task_id === taskId : true))
+        .slice(-limit);
+      return logs.length ? JSON.stringify(logs, null, 2) : "no logs";
+    }
+    if (action === "replay") {
+      const logs = loadTaskLogs();
+      if (!logs.length) return "no logs";
+      const result = replayTaskLogs(logs);
+      return `replayed ${result.tasks} tasks`;
+    }
+    if (action === "tree") {
+      const rootId = parts[2] || "";
+      const tree = buildTaskTree(store, rootId);
+      return JSON.stringify(tree, null, 2);
+    }
+    return "task commands: /task new <title> | /task show <id> | /task status <id> <status> | /task deps <id> <dep1,dep2> | /task parent <id> <parentId> | /task log [id] [limit] | /task replay | /task tree [rootId]";
+  }
+  if (trimmed === "/todo" || trimmed.startsWith("/todo ")) {
+    const parts = trimmed.split(/\s+/);
+    const action = parts[1] || "list";
+    const store = loadTaskStore();
+    if (action === "list") {
+      const params = parseTodoArgs(parts.slice(2));
+      const todos = listTodos(store, { scope: params.scope || undefined, status: params.status || undefined });
+      return todos.length ? todos.map(formatTodoLine).join("\n") : "no todos";
+    }
+    if (action === "add") {
+      const params = parseTodoArgs(parts.slice(2));
+      const task = createTodo(store, { text: params.text, scope: params.scope, source: params.source, defaultSource: "user" });
+      return formatTodoLine(task);
+    }
+    if (action === "start") {
+      const todoId = parts[2] || "";
+      if (!todoId) throw new Error("todo_id required");
+      const task = startTodo(store, todoId, { source: "todo" });
+      return formatTodoLine(task);
+    }
+    if (action === "done") {
+      const todoId = parts[2] || "";
+      if (!todoId) throw new Error("todo_id required");
+      const task = doneTodo(store, todoId, { source: "todo" });
+      return formatTodoLine(task);
+    }
+    if (action === "patch") {
+      const todoId = parts[2] || "";
+      if (!todoId) throw new Error("todo_id required");
+      const params = parseTodoArgs(parts.slice(3));
+      const task = patchTodo(store, todoId, {
+        text: params.text,
+        scope: params.scope,
+        source: params.source,
+        defaultSource: "user"
+      });
+      return formatTodoLine(task);
+    }
+    if (action === "clear") {
+      const params = parseTodoArgs(parts.slice(2));
+      const count = clearTodos(store, params.scope, { source: "todo" });
+      return `cleared ${count} todos`;
+    }
+    return "todo commands: /todo list [scope=<scope>] [status=<status>] | /todo add <text> [scope=<scope>] [source=user|ai] | /todo start <id> | /todo done <id> | /todo patch <id> <text> [scope=<scope>] [source=user|ai] | /todo clear [scope=<scope>]";
   }
-  return { ...defaultProvider };
+  return "";
 };
 
-const saveProviderConfig = (cfg) => {
-  mkdirSync(dirname(providerPath), { recursive: true });
-  const safe = { base_url: cfg.base_url, model: cfg.model };
-  writeFileSync(providerPath, JSON.stringify(safe, null, 2));
+let accessMode = "strict";
+let allowRisk = new Set();
+let allowedRoots = [];
+let allowRiskUntil = {};
+let allowRiskTtlHours = 0;
+let executeAllowlist = [];
+let openUrlAllowlist = [];
+let openFileAllowlist = [];
+let denyFileNames = [];
+let denyFileExts = [];
+let denyDirsAbs = [];
+let denyDirSegments = [];
+let sandboxMode = "off";
+
+const buildAccessConfig = (args) => {
+  const fileCfg = loadAccessConfig();
+  const envCfg = {
+    mode: process.env["9T_MODE"],
+    allowed_dirs: process.env["9T_ALLOWED_DIRS"],
+    workspace: process.env["9T_WORKSPACE"],
+    allow_risk: process.env["9T_ALLOW_RISK"],
+    allow_risk_ttl_hours: process.env["9T_ALLOW_RISK_TTL_HOURS"],
+    execute_allowlist: process.env["9T_EXECUTE_ALLOWLIST"],
+    open_url_allowlist: process.env["9T_OPEN_URL_ALLOWLIST"],
+    open_file_allowlist: process.env["9T_OPEN_FILE_ALLOWLIST"],
+    deny_file_names: process.env["9T_DENY_FILE_NAMES"],
+    deny_file_exts: process.env["9T_DENY_FILE_EXTS"],
+    deny_dirs: process.env["9T_DENY_DIRS"],
+    sandbox: process.env["9T_SANDBOX"]
+  };
+  const cliCfg = {
+    mode: getArgValue(args, "--mode") || getArgValue(args, "--allow-mode"),
+    roots: getArgValue(args, "--roots"),
+    workspace: getArgValue(args, "--workspace"),
+    allow_risk: getArgValue(args, "--allow-risk"),
+    allow_risk_ttl_hours: getArgValue(args, "--allow-risk-ttl-hours"),
+    execute_allowlist: getArgValue(args, "--execute-allowlist"),
+    open_url_allowlist: getArgValue(args, "--open-url-allowlist"),
+    open_file_allowlist: getArgValue(args, "--open-file-allowlist"),
+    deny_file_names: getArgValue(args, "--deny-file-names"),
+    deny_file_exts: getArgValue(args, "--deny-file-exts"),
+    deny_dirs: getArgValue(args, "--deny-dirs"),
+    sandbox: getArgValue(args, "--sandbox")
+  };
+  const mode =
+    normalizeMode(cliCfg.mode) ||
+    normalizeMode(envCfg.mode) ||
+    normalizeMode(fileCfg.mode) ||
+    "allow";
+  const workspace =
+    normalizeAbsolute(cliCfg.workspace) ||
+    normalizeAbsolute(envCfg.workspace) ||
+    normalizeAbsolute(fileCfg.workspace) ||
+    workspaceRoot;
+  const roots =
+    parseCsvList(cliCfg.roots || envCfg.allowed_dirs || fileCfg.allowed_dirs).map(normalizeAbsolute);
+  const risk = parseAllowRisk(cliCfg.allow_risk || envCfg.allow_risk || fileCfg.allow_risk);
+  const ttlHours = parseHours(
+    cliCfg.allow_risk_ttl_hours || envCfg.allow_risk_ttl_hours || fileCfg.allow_risk_ttl_hours
+  );
+  const grants = parseAllowRiskUntil(fileCfg.allow_risk_until);
+  if (fileCfg.allow_risk_until && Object.keys(grants).length !== Object.keys(fileCfg.allow_risk_until).length) {
+    saveAccessConfig({ allow_risk_until: grants });
+  }
+  const execAllowlist = normalizeListLower(
+    cliCfg.execute_allowlist || envCfg.execute_allowlist || fileCfg.execute_allowlist
+  );
+  const urlAllowlist = normalizeListLower(
+    cliCfg.open_url_allowlist || envCfg.open_url_allowlist || fileCfg.open_url_allowlist
+  );
+  const fileOpenAllowlist = normalizeExtList(
+    cliCfg.open_file_allowlist || envCfg.open_file_allowlist || fileCfg.open_file_allowlist
+  );
+  const denyNames = normalizeListLower(
+    cliCfg.deny_file_names || envCfg.deny_file_names || fileCfg.deny_file_names
+  );
+  const denyExts = normalizeExtList(
+    cliCfg.deny_file_exts || envCfg.deny_file_exts || fileCfg.deny_file_exts
+  );
+  const denyDirs = normalizeAbsList(cliCfg.deny_dirs || envCfg.deny_dirs || fileCfg.deny_dirs);
+  const sandbox =
+    normalizeSandboxMode(cliCfg.sandbox) ||
+    normalizeSandboxMode(envCfg.sandbox) ||
+    normalizeSandboxMode(fileCfg.sandbox) ||
+    defaultSandboxMode();
+  return {
+    mode,
+    workspace,
+    roots: roots.filter(Boolean),
+    risk,
+    ttlHours,
+    grants,
+    execAllowlist,
+    urlAllowlist,
+    fileOpenAllowlist,
+    denyNames,
+    denyExts,
+    denyDirs,
+    sandbox,
+    cliProvided: {
+      mode: Boolean(cliCfg.mode),
+      roots: Boolean(cliCfg.roots),
+      workspace: Boolean(cliCfg.workspace),
+      allowRisk: Boolean(cliCfg.allow_risk),
+      allowRiskTtlHours: Boolean(cliCfg.allow_risk_ttl_hours),
+      executeAllowlist: Boolean(cliCfg.execute_allowlist),
+      openUrlAllowlist: Boolean(cliCfg.open_url_allowlist),
+      openFileAllowlist: Boolean(cliCfg.open_file_allowlist),
+      denyFileNames: Boolean(cliCfg.deny_file_names),
+      denyFileExts: Boolean(cliCfg.deny_file_exts),
+      denyDirs: Boolean(cliCfg.deny_dirs),
+      sandbox: Boolean(cliCfg.sandbox)
+    }
+  };
 };
 
 const config = loadProviderConfig();
-const baseUrl = String(config.base_url || defaultProvider.base_url).trim().replace(/\/$/, "");
-const model = String(config.model || defaultProvider.model).trim();
+let providerName = normalizeProviderName(config.provider) || defaultProviderName;
+const initialPreset = getProviderPreset(providerName);
+let providerFormat = String(config.format || initialPreset?.format || defaultProvider.format || "anthropic").trim();
+let baseUrl = String(config.base_url || initialPreset?.base_url || defaultProvider.base_url)
+  .trim()
+  .replace(/\/$/, "");
+let model = String(config.model || initialPreset?.model || defaultProvider.model).trim();
 let apiKey = "";
 
 if (!baseUrl || !model) {
@@ -86,6 +1744,28 @@ if (!baseUrl || !model) {
   process.exit(1);
 }
 
+const formatProviderLine = (name) => {
+  const preset = getProviderPreset(name);
+  if (!preset) return "";
+  const marker = name === providerName ? "*" : " ";
+  return `${marker} ${name} ${preset.format} ${preset.base_url} ${preset.model}`;
+};
+
+const formatProvidersList = () => listProviderNames().map(formatProviderLine).filter(Boolean).join("\n");
+
+const formatCurrentProvider = () => `current ${providerName} ${providerFormat} ${baseUrl} ${model}`;
+
+const applyProviderPreset = (name, modelOverride) => {
+  const preset = getProviderPreset(name);
+  if (!preset) throw new Error("provider not found");
+  providerName = normalizeProviderName(name);
+  providerFormat = preset.format;
+  baseUrl = String(preset.base_url || "").trim().replace(/\/$/, "");
+  model = String(modelOverride || preset.model || "").trim();
+  if (!baseUrl || !model) throw new Error("provider config invalid");
+  saveProviderConfig({ provider: providerName, base_url: baseUrl, model, format: providerFormat });
+};
+
 const keychainService = "9T-Movevom";
 const keychainAccount = "default";
 const isDarwin = process.platform === "darwin";
@@ -104,14 +1784,14 @@ const execFileAsync = (cmd, args, input) =>
     }
   });
 
-const getKeychainApiKeyDarwin = async () => {
+const getKeychainApiKeyDarwin = async (service) => {
   try {
     return await execFileAsync("security", [
       "find-generic-password",
       "-a",
       keychainAccount,
       "-s",
-      keychainService,
+      service,
       "-w"
     ]);
   } catch {
@@ -119,25 +1799,25 @@ const getKeychainApiKeyDarwin = async () => {
   }
 };
 
-const saveKeychainApiKeyDarwin = async (key) => {
+const saveKeychainApiKeyDarwin = async (service, key) => {
   await execFileAsync("security", [
     "add-generic-password",
     "-a",
     keychainAccount,
     "-s",
-    keychainService,
+    service,
     "-w",
     key,
     "-U"
   ]);
 };
 
-const getKeychainApiKeyLinux = async () => {
+const getKeychainApiKeyLinux = async (service) => {
   try {
     return await execFileAsync("secret-tool", [
       "lookup",
       "service",
-      keychainService,
+      service,
       "account",
       keychainAccount
     ]);
@@ -146,15 +1826,15 @@ const getKeychainApiKeyLinux = async () => {
   }
 };
 
-const saveKeychainApiKeyLinux = async (key) => {
+const saveKeychainApiKeyLinux = async (service, key) => {
   await execFileAsync(
     "secret-tool",
-    ["store", "--label", keychainService, "service", keychainService, "account", keychainAccount],
+    ["store", "--label", service, "service", service, "account", keychainAccount],
     key
   );
 };
 
-const getKeychainApiKeyWindows = async () => {
+const getKeychainApiKeyWindows = async (service) => {
   const script = `
 Add-Type -TypeDefinition @"
 using System;
@@ -181,7 +1861,7 @@ public class CredMan {
   public static extern bool CredFree(IntPtr credPtr);
 }
 "@;
-$target = "${keychainService}";
+$target = "${service}";
 $credPtr = [IntPtr]::Zero;
 if ([CredMan]::CredRead($target, 1, 0, [ref]$credPtr)) {
   $cred = [Runtime.InteropServices.Marshal]::PtrToStructure($credPtr, [type]::GetType("CredMan+CREDENTIAL"));
@@ -196,7 +1876,7 @@ if ([CredMan]::CredRead($target, 1, 0, [ref]$credPtr)) {
   }
 };
 
-const saveKeychainApiKeyWindows = async (key) => {
+const saveKeychainApiKeyWindows = async (service, key) => {
   const script = `
 Add-Type -TypeDefinition @"
 using System;
@@ -226,7 +1906,7 @@ $secret = $secret.Trim();
 $bytes = [Text.Encoding]::Unicode.GetBytes($secret);
 $cred = New-Object CredMan+CREDENTIAL;
 $cred.Type = 1;
-$cred.TargetName = "${keychainService}";
+$cred.TargetName = "${service}";
 $cred.UserName = "${keychainAccount}";
 $cred.CredentialBlobSize = $bytes.Length;
 $cred.CredentialBlob = [Runtime.InteropServices.Marshal]::AllocHGlobal($bytes.Length);
@@ -238,17 +1918,17 @@ $cred.Persist = 2;
   await execFileAsync("powershell", ["-NoProfile", "-Command", script], key);
 };
 
-const getStoredApiKey = async () => {
-  if (isDarwin) return await getKeychainApiKeyDarwin();
-  if (isLinux) return await getKeychainApiKeyLinux();
-  if (isWindows) return await getKeychainApiKeyWindows();
+const getStoredApiKey = async (service) => {
+  if (isDarwin) return await getKeychainApiKeyDarwin(service);
+  if (isLinux) return await getKeychainApiKeyLinux(service);
+  if (isWindows) return await getKeychainApiKeyWindows(service);
   return "";
 };
 
-const saveStoredApiKey = async (key) => {
-  if (isDarwin) return await saveKeychainApiKeyDarwin(key);
-  if (isLinux) return await saveKeychainApiKeyLinux(key);
-  if (isWindows) return await saveKeychainApiKeyWindows(key);
+const saveStoredApiKey = async (service, key) => {
+  if (isDarwin) return await saveKeychainApiKeyDarwin(service, key);
+  if (isLinux) return await saveKeychainApiKeyLinux(service, key);
+  if (isWindows) return await saveKeychainApiKeyWindows(service, key);
 };
 
 const promptHidden = (label) =>
@@ -285,17 +1965,36 @@ const promptHidden = (label) =>
     stdin.on("data", onData);
   });
 
-const ensureApiKey = async () => {
-  const envKey = String(process.env["9T_API_KEY"] || "").trim();
+const buildKeychainService = (provider) =>
+  provider ? `${keychainService}-${normalizeProviderName(provider)}` : keychainService;
+
+const resolveProviderApiKeyEnv = (provider) => {
+  const preset = getProviderPreset(provider);
+  const envName = preset?.api_key_env || "";
+  if (envName) {
+    const value = String(process.env[envName] || "").trim();
+    if (value) return value;
+  }
+  const fallback = String(process.env["9T_API_KEY"] || "").trim();
+  return fallback;
+};
+
+const ensureApiKey = async (provider) => {
+  const envKey = resolveProviderApiKeyEnv(provider);
   if (envKey) return envKey;
-  const keychainKey = await getStoredApiKey();
+  const service = buildKeychainService(provider);
+  const keychainKey = await getStoredApiKey(service);
   if (keychainKey) return keychainKey;
-  const input = await promptHidden("apikey: ");
+  if (provider) {
+    const fallback = await getStoredApiKey(keychainService);
+    if (fallback) return fallback;
+  }
+  const input = await promptHidden(`apikey(${provider || "default"}): `);
   if (!input) {
     throw new Error("api_key 不能为空");
   }
   try {
-    await saveStoredApiKey(input);
+    await saveStoredApiKey(service, input);
   } catch (e) {
     console.error("无法安全存储 api_key，请安装系统密钥存储后重试");
   }
@@ -305,24 +2004,222 @@ const ensureApiKey = async () => {
 const migratePlaintextApiKey = async () => {
   const fromFile = String(config.api_key || "").trim();
   if (!fromFile) return;
-  await saveStoredApiKey(fromFile);
+  const service = buildKeychainService(providerName);
+  await saveStoredApiKey(service, fromFile);
   delete config.api_key;
   saveProviderConfig(config);
 };
 
-mkdirSync(workspaceRoot, { recursive: true });
-saveProviderConfig({ base_url: baseUrl, model });
+saveProviderConfig({ provider: providerName, base_url: baseUrl, model, format: providerFormat });
+
+const normalizeTargetForCheck = (full) => {
+  if (existsSync(full)) return realpathSync(full);
+  const parent = dirname(full);
+  if (existsSync(parent)) {
+    const parentReal = realpathSync(parent);
+    return join(parentReal, full.slice(parent.length + 1));
+  }
+  return resolve(full);
+};
+
+const normalizeForCompare = (value) => {
+  const v = String(value || "");
+  return process.platform === "win32" ? v.toLowerCase() : v;
+};
+
+const isWithinRoot = (target, root) => {
+  const t = normalizeForCompare(target);
+  const r = normalizeForCompare(root);
+  return t === r || t.startsWith(r + sep);
+};
+
+const isDeniedByDir = (normalized) => {
+  if (denyDirsAbs.some((d) => isWithinRoot(normalized, d))) return true;
+  if (!denyDirSegments.length) return false;
+  const segments = normalizeForCompare(normalized).split(/[\\/]+/);
+  return segments.some((seg) => denyDirSegments.includes(seg));
+};
+
+const isDeniedByFile = (full) => {
+  const name = normalizeForCompare(basename(full));
+  if (denyFileNames.includes(name)) return true;
+  const ext = normalizeForCompare(extname(full));
+  if (denyFileExts.includes(ext)) return true;
+  return false;
+};
 
 const resolveWorkspacePath = (p) => {
   if (!p || typeof p !== "string") throw new Error("path required");
-  if (isAbsolute(p)) throw new Error("absolute path not allowed");
-  const full = resolve(workspaceRoot, p);
-  if (full !== workspaceRoot && !full.startsWith(workspaceRoot + sep)) {
+  const full = isAbsolute(p) ? resolve(p) : resolve(workspaceRoot, p);
+  const normalized = normalizeTargetForCheck(full);
+  if (isDeniedByDir(normalized) || isDeniedByFile(full)) {
+    throw new Error("path denied");
+  }
+  if (!allowedRoots.some((root) => isWithinRoot(normalized, root))) {
     throw new Error("path escape not allowed");
   }
   return full;
 };
 
+const confirmRiskAction = (label) =>
+  new Promise((resolvePromise) => {
+    if (!process.stdin.isTTY) return resolvePromise(false);
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(label, (answer) => {
+      rl.close();
+      resolvePromise(answer.trim().toLowerCase() === "y");
+    });
+  });
+
+const ensureRiskAllowed = async (toolName, target) => {
+  if (!allowedRiskSet.has(toolName)) return;
+  if (allowRiskUntil[toolName] && allowRiskUntil[toolName] > Date.now()) return;
+  if (accessMode === "open") return;
+  if (allowRisk.has(toolName)) return;
+  if (accessMode === "strict") throw new Error("risk tool not allowed in strict mode");
+  const label = target ? `确认执行 ${toolName} ${target} ? (y/N) ` : `确认执行 ${toolName} ? (y/N) `;
+  const ok = await confirmRiskAction(label);
+  if (!ok) throw new Error("risk tool denied");
+  if (allowRiskTtlHours > 0) {
+    const next = Date.now() + allowRiskTtlHours * 60 * 60 * 1000;
+    allowRiskUntil = { ...allowRiskUntil, [toolName]: next };
+    saveAccessConfig({ allow_risk_until: allowRiskUntil, allow_risk_ttl_hours: allowRiskTtlHours });
+  }
+};
+
+const getCommandName = (cmd) => {
+  const match = String(cmd || "").trim().match(/^([^\s]+)/);
+  return match ? match[1] : "";
+};
+
+const hasShellOperators = (cmd) => /[;&|]/.test(String(cmd || ""));
+
+const ensureExecuteAllowed = (cmd) => {
+  if (!cmd) throw new Error("cmd required");
+  if (hasShellOperators(cmd)) throw new Error("command chaining not allowed");
+  const name = normalizeForCompare(basename(getCommandName(cmd)));
+  if (!name) throw new Error("command not allowed");
+  const list = executeAllowlist.length ? executeAllowlist : defaultExecuteAllowlist;
+  if (!list.includes(name)) throw new Error("command not allowed");
+};
+
+const isUrlAllowed = (target) => {
+  const list = openUrlAllowlist.length ? openUrlAllowlist : defaultOpenUrlAllowlist;
+  if (list.includes("*")) return true;
+  try {
+    const url = new URL(target);
+    const host = normalizeForCompare(url.hostname);
+    return list.some((item) => host === item || host.endsWith(`.${item}`));
+  } catch {
+    return false;
+  }
+};
+
+const isOpenFileAllowed = (fullPath) => {
+  const list = openFileAllowlist.length ? openFileAllowlist : defaultOpenFileAllowlist;
+  if (!list.length) return true;
+  if (list.includes("*")) return true;
+  try {
+    const stat = statSync(fullPath);
+    if (stat.isDirectory()) return true;
+  } catch {}
+  const ext = normalizeExtList(extname(fullPath))[0] || "";
+  if (!ext) return false;
+  return list.includes(ext);
+};
+
+const formatOutputPath = (fullPath, baseRoot) => {
+  if (fullPath === baseRoot) return ".";
+  if (fullPath.startsWith(baseRoot + sep)) return fullPath.slice(baseRoot.length + 1);
+  if (fullPath === workspaceRoot) return ".";
+  if (fullPath.startsWith(workspaceRoot + sep)) return fullPath.slice(workspaceRoot.length + 1);
+  return fullPath;
+};
+
+const normalizeWebText = (text) => String(text || "").replace(/\r\n/g, "\n");
+
+const stripHtml = (html) => {
+  let text = String(html || "");
+  text = text.replace(/<script[\s\S]*?<\/script>/gi, "");
+  text = text.replace(/<style[\s\S]*?<\/style>/gi, "");
+  text = text.replace(/<\/p>/gi, "\n");
+  text = text.replace(/<br\s*\/?>/gi, "\n");
+  text = text.replace(/<\/h[1-6]>/gi, "\n");
+  text = text.replace(/<li[^>]*>/gi, "- ");
+  text = text.replace(/<\/li>/gi, "\n");
+  text = text.replace(/<\/(div|section|article|header|footer|main|ul|ol)>/gi, "\n");
+  text = text.replace(/<[^>]+>/g, "");
+  text = text.replace(/&nbsp;/gi, " ");
+  text = text.replace(/&amp;/gi, "&");
+  text = text.replace(/&lt;/gi, "<");
+  text = text.replace(/&gt;/gi, ">");
+  return normalizeWebText(text).replace(/\n{3,}/g, "\n\n").trim();
+};
+
+const fetchWithTimeout = async (url, init, timeoutMs) => {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...init, signal: controller.signal });
+  } finally {
+    clearTimeout(timeout);
+  }
+};
+
+const buildSimpleDiff = (beforeText, afterText) => {
+  const beforeLines = normalizeWebText(beforeText).split("\n");
+  const afterLines = normalizeWebText(afterText).split("\n");
+  let start = 0;
+  while (start < beforeLines.length && start < afterLines.length) {
+    if (beforeLines[start] !== afterLines[start]) break;
+    start += 1;
+  }
+  let endBefore = beforeLines.length - 1;
+  let endAfter = afterLines.length - 1;
+  while (endBefore >= start && endAfter >= start) {
+    if (beforeLines[endBefore] !== afterLines[endAfter]) break;
+    endBefore -= 1;
+    endAfter -= 1;
+  }
+  const removed = beforeLines.slice(start, endBefore + 1);
+  const added = afterLines.slice(start, endAfter + 1);
+  if (!removed.length && !added.length) {
+    return { diff: "", identical: true };
+  }
+  const header = `@@ -${start + 1},${removed.length} +${start + 1},${added.length} @@`;
+  const body = [
+    header,
+    ...removed.map((line) => `-${line}`),
+    ...added.map((line) => `+${line}`)
+  ].join("\n");
+  return { diff: body, identical: false };
+};
+
+const applySimplePatch = (fileText, diffText) => {
+  const lines = normalizeWebText(fileText).split("\n");
+  const parts = normalizeWebText(diffText).split("\n");
+  const hunkIndex = parts.findIndex((line) => line.startsWith("@@"));
+  if (hunkIndex === -1) throw new Error("diff hunk missing");
+  const hunkHeader = parts[hunkIndex];
+  const match = hunkHeader.match(/@@\s*-(\d+),(\d+)\s+\+(\d+),(\d+)\s*@@/);
+  if (!match) throw new Error("diff header invalid");
+  const start = Number(match[1]) - 1;
+  const removeCount = Number(match[2]);
+  const hunkLines = parts.slice(hunkIndex + 1);
+  const removed = [];
+  const added = [];
+  for (const line of hunkLines) {
+    if (line.startsWith("-")) removed.push(line.slice(1));
+    else if (line.startsWith("+")) added.push(line.slice(1));
+  }
+  const current = lines.slice(start, start + removeCount);
+  if (removeCount && current.join("\n") !== removed.join("\n")) {
+    throw new Error("patch mismatch");
+  }
+  const next = [...lines.slice(0, start), ...added, ...lines.slice(start + removeCount)];
+  return normalizeWebText(next.join("\n"));
+};
+
 const toolRead = (args) => {
   const filePath = resolveWorkspacePath(args.path);
   const content = readFileSync(filePath, "utf-8");
@@ -358,12 +2255,63 @@ const toolCreate = (args) => {
   return { ok: true, type };
 };
 
-const toolDelete = (args) => {
+const toolDelete = async (args) => {
+  await ensureRiskAllowed("delete", args.path);
   const target = resolveWorkspacePath(args.path);
   rmSync(target, { recursive: true, force: true });
   return { ok: true };
 };
 
+const toolMove = (args) => {
+  const fromRaw = args?.from || args?.src || args?.path;
+  const toRaw = args?.to || args?.dest || args?.target;
+  if (!fromRaw || !toRaw) throw new Error("from/to required");
+  const fromPath = resolveWorkspacePath(String(fromRaw));
+  const toPath = resolveWorkspacePath(String(toRaw));
+  mkdirSync(dirname(toPath), { recursive: true });
+  renameSync(fromPath, toPath);
+  return {
+    ok: true,
+    from: formatOutputPath(fromPath, workspaceRoot),
+    to: formatOutputPath(toPath, workspaceRoot)
+  };
+};
+
+const toolStat = (args) => {
+  const target = resolveWorkspacePath(args.path);
+  const st = statSync(target);
+  return {
+    path: formatOutputPath(target, workspaceRoot),
+    type: st.isDirectory() ? "dir" : "file",
+    size: st.size,
+    mtime: st.mtime.toISOString(),
+    ctime: st.ctime.toISOString()
+  };
+};
+
+const toolDiff = (args) => {
+  const pathA = resolveWorkspacePath(args.path_a || args.a || args.from);
+  const pathB = resolveWorkspacePath(args.path_b || args.b || args.to);
+  const beforeText = readFileSync(pathA, "utf-8");
+  const afterText = readFileSync(pathB, "utf-8");
+  const result = buildSimpleDiff(beforeText, afterText);
+  return {
+    path_a: formatOutputPath(pathA, workspaceRoot),
+    path_b: formatOutputPath(pathB, workspaceRoot),
+    ...result
+  };
+};
+
+const toolPatch = (args) => {
+  const target = resolveWorkspacePath(args.path);
+  const diff = String(args.diff || "");
+  if (!diff) throw new Error("diff required");
+  const current = readFileSync(target, "utf-8");
+  const next = applySimplePatch(current, diff);
+  writeFileSync(target, next);
+  return { ok: true, path: formatOutputPath(target, workspaceRoot) };
+};
+
 const toolLs = (args) => {
   const target = resolveWorkspacePath(args?.path || ".");
   const entries = readdirSync(target, { withFileTypes: true }).map((e) => {
@@ -378,107 +2326,918 @@ const toolLs = (args) => {
   return { entries };
 };
 
-const walkFiles = (dir, out) => {
-  const items = readdirSync(dir, { withFileTypes: true });
-  for (const item of items) {
-    const full = join(dir, item.name);
-    if (item.isDirectory()) {
-      walkFiles(full, out);
-    } else {
-      out.push(full);
-    }
+const walkFiles = (dir, out) => {
+  const items = readdirSync(dir, { withFileTypes: true });
+  for (const item of items) {
+    const full = join(dir, item.name);
+    if (item.isDirectory()) {
+      walkFiles(full, out);
+    } else {
+      out.push(full);
+    }
+  }
+};
+
+const toolGrep = (args) => {
+  const base = resolveWorkspacePath(args?.path || ".");
+  const pattern = String(args.pattern || "");
+  if (!pattern) throw new Error("pattern required");
+  let regex;
+  try {
+    regex = new RegExp(pattern, "g");
+  } catch {
+    const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    regex = new RegExp(escaped, "g");
+  }
+  const files = [];
+  walkFiles(base, files);
+  const matches = [];
+  for (const f of files) {
+    const content = readFileSync(f, "utf-8");
+    const lines = content.split(/\r?\n/);
+    lines.forEach((line, i) => {
+      if (regex.test(line)) {
+        matches.push({ file: formatOutputPath(f, base), line: i + 1, text: line });
+      }
+      regex.lastIndex = 0;
+    });
+  }
+  return { matches };
+};
+
+const globToRegex = (pattern) => {
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+  const regex = escaped
+    .replace(/\*\*/g, "###DOUBLESTAR###")
+    .replace(/\*/g, "[^/]*")
+    .replace(/\?/g, ".");
+  const withDouble = regex.replace(/###DOUBLESTAR###/g, ".*");
+  return new RegExp("^" + withDouble + "$");
+};
+
+const toolGlob = (args) => {
+  const base = resolveWorkspacePath(args?.path || ".");
+  const pattern = String(args.pattern || "");
+  if (!pattern) throw new Error("pattern required");
+  const files = [];
+  walkFiles(base, files);
+  const regex = globToRegex(pattern);
+  const matches = files
+    .map((f) => formatOutputPath(f, base))
+    .filter((p) => regex.test(p));
+  return { matches };
+};
+
+const runPtyExecute = async ({ cmd, cwd, timeoutMs, maxOutputChars }) => {
+  const spawn = await loadPtySpawn();
+  if (!spawn) throw createToolError("EXEC_FAILED", "pty unavailable");
+  const { file, args } = resolvePtyCommand(cmd);
+  return new Promise((resolvePromise, reject) => {
+    let stdout = "";
+    let stdoutLen = 0;
+    let truncated = false;
+    let timedOut = false;
+    let finished = false;
+    let timeoutId;
+    let pty;
+    try {
+      pty = spawn(file, args, {
+        cwd,
+        env: process.env,
+        name: process.env.TERM || "xterm-256color",
+        cols: 120,
+        rows: 30
+      });
+    } catch (e) {
+      return reject(
+        createToolError("EXEC_FAILED", "pty spawn failed", {
+          exit_code: 1,
+          stdout: "",
+          stderr: String(e?.message || e),
+          truncated: false
+        })
+      );
+    }
+    pty.onData((chunk) => {
+      const text = String(chunk || "");
+      if (!text) return;
+      stdoutLen += text.length;
+      stdout = keepTail(stdout, text, maxOutputChars);
+      if (stdoutLen > maxOutputChars) truncated = true;
+    });
+    timeoutId = setTimeout(() => {
+      timedOut = true;
+      try {
+        pty.kill("SIGTERM");
+      } catch {}
+      setTimeout(() => {
+        try {
+          pty.kill("SIGKILL");
+        } catch {}
+      }, 2000);
+    }, timeoutMs);
+    pty.onExit((event) => {
+      if (finished) return;
+      finished = true;
+      if (timeoutId) clearTimeout(timeoutId);
+      if (timedOut) {
+        return reject(
+          createToolError("EXEC_TIMEOUT", "execute timeout", {
+            stdout,
+            stderr: "",
+            truncated,
+            timed_out: true
+          })
+        );
+      }
+      const exitCode = typeof event?.exitCode === "number" ? event.exitCode : 1;
+      if (exitCode === 0) {
+        return resolvePromise({
+          code: 0,
+          stdout,
+          stderr: "",
+          truncated,
+          timed_out: false
+        });
+      }
+      return reject(
+        createToolError("EXEC_FAILED", "execute failed", {
+          exit_code: exitCode || 1,
+          stdout,
+          stderr: "",
+          truncated
+        })
+      );
+    });
+  });
+};
+
+const spawnPtyDetached = async ({ cmd, cwd, session, maxOutputChars }) => {
+  const spawn = await loadPtySpawn();
+  if (!spawn) throw createToolError("EXEC_FAILED", "pty unavailable");
+  const { file, args } = resolvePtyCommand(cmd);
+  let pty;
+  try {
+    pty = spawn(file, args, {
+      cwd,
+      env: process.env,
+      name: process.env.TERM || "xterm-256color",
+      cols: 120,
+      rows: 30
+    });
+  } catch (e) {
+    throw createToolError("EXEC_FAILED", "pty spawn failed", {
+      exit_code: 1,
+      stdout: "",
+      stderr: String(e?.message || e),
+      truncated: false
+    });
+  }
+  session.is_pty = true;
+  session.pty = pty;
+  session.pid = pty.pid || null;
+  pty.onData((chunk) => {
+    const text = String(chunk || "");
+    if (!text) return;
+    session.stdout_len += text.length;
+    session.stdout_tail = keepTail(session.stdout_tail, text, maxOutputChars);
+    session.stdout_truncated = session.stdout_len > maxOutputChars;
+    appendProcessLog(session.log_path, { ts: nowIso(), stream: "stdout", text });
+  });
+  pty.onExit((event) => {
+    const exitCode = typeof event?.exitCode === "number" ? event.exitCode : null;
+    const status =
+      session.kill_requested ? "killed" : exitCode === 0 && !event?.signal ? "completed" : "failed";
+    finalizeProcessSession(session, status, exitCode, event?.signal || "", "");
+  });
+  return pty;
+};
+
+const toolExecute = async (args) => {
+  const cmd = String(args.cmd || "");
+  if (!cmd) throw createToolError("INVALID_ARGS", "cmd required");
+  ensureExecuteAllowed(cmd);
+  await ensureRiskAllowed("execute", args.cmd);
+  const timeoutMs = clampNumber(
+    args?.timeout_ms,
+    1000,
+    MAX_EXEC_TIMEOUT_MS,
+    DEFAULT_EXEC_TIMEOUT_MS
+  );
+  const maxOutputChars = clampNumber(
+    args?.max_output_chars,
+    1000,
+    MAX_EXEC_OUTPUT_CHARS,
+    DEFAULT_EXEC_MAX_OUTPUT_CHARS
+  );
+  const cwd = args.cwd ? resolveWorkspacePath(args.cwd) : workspaceRoot;
+  const roots = allowedRoots.length ? allowedRoots : [workspaceRoot];
+  let execCmd = cmd;
+  try {
+    execCmd = buildSandboxedCommand(cmd, cwd, roots);
+  } catch (e) {
+    throw createToolError("EXEC_DENIED", String(e?.message || e));
+  }
+  const usePty = Boolean(args?.pty);
+  if (usePty) {
+    return runPtyExecute({ cmd: execCmd, cwd, timeoutMs, maxOutputChars });
+  }
+  return new Promise((resolvePromise, reject) => {
+    exec(
+      execCmd,
+      { cwd, maxBuffer: EXEC_MAX_BUFFER_BYTES, timeout: timeoutMs },
+      (err, stdout, stderr) => {
+        const out = truncateText(stdout || "", maxOutputChars);
+        const errOut = truncateText(stderr || "", maxOutputChars);
+        const truncated = out.truncated || errOut.truncated;
+        if (err) {
+          const rawMessage = String(err?.message || "");
+          const isTimeout =
+            err?.killed ||
+            err?.signal === "SIGTERM" ||
+            rawMessage.toLowerCase().includes("timed out");
+          if (isTimeout) {
+            return reject(
+              createToolError("EXEC_TIMEOUT", "execute timeout", {
+                stdout: out.text,
+                stderr: errOut.text,
+                truncated: truncated,
+                timed_out: true
+              })
+            );
+          }
+          if (err?.code === "ERR_CHILD_PROCESS_STDIO_MAXBUFFER") {
+            return reject(
+              createToolError("EXEC_OUTPUT_LIMIT", "execute output limit", {
+                stdout: out.text,
+                stderr: errOut.text,
+                truncated: true
+              })
+            );
+          }
+          return reject(
+            createToolError("EXEC_FAILED", "execute failed", {
+              exit_code: err?.code || 1,
+              stdout: out.text,
+              stderr: errOut.text,
+              truncated: truncated
+            })
+          );
+        }
+        resolvePromise({
+          code: 0,
+          stdout: out.text,
+          stderr: errOut.text,
+          truncated: truncated,
+          timed_out: false
+        });
+      }
+    );
+  });
+};
+
+const toolExecuteDetached = async (args) => {
+  const cmd = String(args.cmd || "");
+  if (!cmd) throw createToolError("INVALID_ARGS", "cmd required");
+  const logPathRaw = String(args.log_path || "");
+  const outputPathRaw = String(args.output_path || "");
+  if (!logPathRaw) throw createToolError("INVALID_ARGS", "log_path required");
+  if (!outputPathRaw) throw createToolError("INVALID_ARGS", "output_path required");
+  ensureExecuteAllowed(cmd);
+  await ensureRiskAllowed("execute", args.cmd);
+  const cwd = args.cwd ? resolveWorkspacePath(args.cwd) : workspaceRoot;
+  const logPath = resolveWorkspacePath(logPathRaw);
+  const outputPath = resolveWorkspacePath(outputPathRaw);
+  const roots = allowedRoots.length ? allowedRoots : [workspaceRoot];
+  const taskId = args.task_id ? String(args.task_id) : "";
+  const maxOutputChars = clampNumber(
+    args?.max_output_chars,
+    1000,
+    MAX_EXEC_OUTPUT_CHARS,
+    DEFAULT_EXEC_MAX_OUTPUT_CHARS
+  );
+  let execCmd = cmd;
+  try {
+    execCmd = buildSandboxedCommand(cmd, cwd, roots);
+  } catch (e) {
+    throw createToolError("EXEC_DENIED", String(e?.message || e));
+  }
+  const session_id = nextProcessId();
+  const started_at_ms = Date.now();
+  const session = {
+    session_id,
+    cmd,
+    cwd,
+    task_id: taskId || null,
+    log_path: logPath,
+    output_path: outputPath,
+    status: "running",
+    pid: null,
+    is_pty: false,
+    started_at: nowIso(),
+    started_at_ms,
+    ended_at: "",
+    ended_at_ms: 0,
+    exit_code: null,
+    signal: "",
+    stdout_tail: "",
+    stderr_tail: "",
+    stdout_len: 0,
+    stderr_len: 0,
+    stdout_truncated: false,
+    stderr_truncated: false,
+    max_output_chars: maxOutputChars,
+    removed: false,
+    kill_requested: false,
+    child: null,
+    pty: null
+  };
+  processRegistry.set(session_id, session);
+  appendProcessLog(logPath, {
+    ts: session.started_at,
+    stream: "meta",
+    event: "start",
+    session_id,
+    cmd,
+    cwd,
+    task_id: session.task_id
+  });
+  writeProcessOutput(session);
+  if (taskId) {
+    updateTaskForProcess(taskId, {
+      status: "running",
+      inputs: { cmd, cwd },
+      outputs: {
+        session_id,
+        log_path: logPath,
+        output_path: outputPath,
+        status: session.status
+      }
+    });
+  }
+  const usePty = Boolean(args?.pty);
+  if (usePty) {
+    try {
+      await spawnPtyDetached({ cmd: execCmd, cwd, session, maxOutputChars });
+    } catch (e) {
+      finalizeProcessSession(session, "failed", 1, "", String(e?.message || e));
+    }
+    return { session_id, status: session.status, pid: session.pid, log_path: logPath, output_path: outputPath };
+  }
+  let child;
+  try {
+    child = spawn(execCmd, { cwd, shell: true, detached: true });
+  } catch (e) {
+    finalizeProcessSession(session, "failed", 1, "", String(e?.message || e));
+    return { session_id, status: session.status, pid: session.pid, log_path: logPath, output_path: outputPath };
+  }
+  session.child = child;
+  session.pid = child.pid || null;
+  if (child.stdout) {
+    child.stdout.setEncoding("utf8");
+    child.stdout.on("data", (chunk) => {
+      const text = String(chunk || "");
+      if (!text) return;
+      session.stdout_len += text.length;
+      session.stdout_tail = keepTail(session.stdout_tail, text, maxOutputChars);
+      session.stdout_truncated = session.stdout_len > maxOutputChars;
+      appendProcessLog(logPath, { ts: nowIso(), stream: "stdout", text });
+    });
+  }
+  if (child.stderr) {
+    child.stderr.setEncoding("utf8");
+    child.stderr.on("data", (chunk) => {
+      const text = String(chunk || "");
+      if (!text) return;
+      session.stderr_len += text.length;
+      session.stderr_tail = keepTail(session.stderr_tail, text, maxOutputChars);
+      session.stderr_truncated = session.stderr_len > maxOutputChars;
+      appendProcessLog(logPath, { ts: nowIso(), stream: "stderr", text });
+    });
+  }
+  child.on("error", (err) => {
+    finalizeProcessSession(session, "failed", 1, "", String(err?.message || err));
+  });
+  child.on("exit", (code, signal) => {
+    const exitCode = typeof code === "number" ? code : null;
+    const status =
+      session.kill_requested ? "killed" : exitCode === 0 && !signal ? "completed" : "failed";
+    finalizeProcessSession(session, status, exitCode, signal, "");
+  });
+  child.unref();
+  return { session_id, status: session.status, pid: session.pid, log_path: logPath, output_path: outputPath };
+};
+
+const toolProcess = (args) => {
+  const action = String(args?.action || "").trim().toLowerCase();
+  if (!action) throw new Error("action required");
+  if (action === "list") {
+    const sessions = Array.from(processRegistry.values()).map((s) => ({
+      session_id: s.session_id,
+      status: s.status,
+      pid: s.pid,
+      is_pty: Boolean(s.is_pty),
+      cmd: s.cmd,
+      cwd: s.cwd,
+      task_id: s.task_id || null,
+      started_at: s.started_at,
+      ended_at: s.ended_at || null
+    }));
+    return { action, sessions };
+  }
+  const sessionId = String(args?.session_id || "").trim();
+  if (!sessionId) throw new Error("session_id required");
+  const session = processRegistry.get(sessionId);
+  if (!session) throw new Error("session not found");
+  if (action === "poll") {
+    return {
+      action,
+      session_id: session.session_id,
+      status: session.status,
+      pid: session.pid,
+      is_pty: Boolean(session.is_pty),
+      task_id: session.task_id || null,
+      exit_code: session.exit_code ?? null,
+      signal: session.signal || null,
+      stdout_tail: session.stdout_tail,
+      stderr_tail: session.stderr_tail,
+      stdout_truncated: Boolean(session.stdout_truncated),
+      stderr_truncated: Boolean(session.stderr_truncated),
+      log_path: session.log_path,
+      output_path: session.output_path
+    };
+  }
+  if (action === "log") {
+    const offset = Math.max(0, Number(args?.offset || 0));
+    const limit = Math.max(1, Number(args?.limit || 200));
+    const entries = readProcessLogEntries(session.log_path);
+    const slice = entries.slice(offset, offset + limit);
+    return {
+      action,
+      session_id: session.session_id,
+      offset,
+      limit,
+      total: entries.length,
+      logs: slice
+    };
+  }
+  if (action === "send") {
+    const input = String(args?.input ?? args?.data ?? args?.text ?? "");
+    if (!input) throw new Error("input required");
+    if (session.pty) {
+      try {
+        session.pty.write(input);
+      } catch {}
+    } else if (session.child?.stdin) {
+      try {
+        session.child.stdin.write(input);
+      } catch {}
+    }
+    appendProcessLog(session.log_path, {
+      ts: nowIso(),
+      stream: "stdin",
+      text: input
+    });
+    return { action, session_id: session.session_id, status: session.status };
+  }
+  if (action === "kill") {
+    session.kill_requested = true;
+    if (session.pty) {
+      try {
+        session.pty.kill("SIGTERM");
+      } catch {}
+    } else if (session.child) {
+      try {
+        session.child.kill("SIGTERM");
+      } catch {}
+    }
+    appendProcessLog(session.log_path, {
+      ts: nowIso(),
+      stream: "meta",
+      event: "kill",
+      session_id: session.session_id
+    });
+    writeProcessOutput(session);
+    return { action, session_id: session.session_id, status: session.status };
+  }
+  if (action === "remove") {
+    if (session.status === "running") {
+      session.removed = true;
+      session.kill_requested = true;
+      if (session.pty) {
+        try {
+          session.pty.kill("SIGTERM");
+        } catch {}
+      } else if (session.child) {
+        try {
+          session.child.kill("SIGTERM");
+        } catch {}
+      }
+      appendProcessLog(session.log_path, {
+        ts: nowIso(),
+        stream: "meta",
+        event: "remove_requested",
+        session_id: session.session_id
+      });
+      writeProcessOutput(session);
+      return { action, session_id: session.session_id, status: session.status };
+    }
+    processRegistry.delete(session.session_id);
+    return { action, session_id: session.session_id, status: session.status };
+  }
+  throw new Error("unknown action");
+};
+
+const toolWaitProcess = (args) => {
+  const sessionId = String(args?.session_id || "").trim();
+  if (!sessionId) throw new Error("session_id required");
+  return toolProcess({ action: "poll", session_id: sessionId });
+};
+
+const toolReadProcessLog = (args) => {
+  const sessionId = String(args?.session_id || "").trim();
+  if (!sessionId) throw new Error("session_id required");
+  const offset = Math.max(0, Number(args?.offset || 0));
+  const limit = Math.max(1, Number(args?.limit || 200));
+  return toolProcess({ action: "log", session_id: sessionId, offset, limit });
+};
+
+const toolReadProcessOutput = (args) => {
+  const sessionId = String(args?.session_id || "").trim();
+  let outputPath = args?.output_path ? String(args.output_path || "") : "";
+  if (!outputPath && sessionId) {
+    const session = processRegistry.get(sessionId);
+    if (!session) throw new Error("session not found");
+    outputPath = session.output_path;
+  }
+  if (!outputPath) throw new Error("output_path required");
+  const resolved = resolveWorkspacePath(outputPath);
+  if (!existsSync(resolved)) throw new Error("output file not found");
+  const raw = readFileSync(resolved, "utf-8");
+  let output;
+  try {
+    output = JSON.parse(raw);
+  } catch {
+    output = { raw };
   }
+  return { session_id: sessionId || null, output };
 };
 
-const toolGrep = (args) => {
-  const base = resolveWorkspacePath(args?.path || ".");
-  const pattern = String(args.pattern || "");
-  if (!pattern) throw new Error("pattern required");
-  let regex;
+const toolWebFetch = async (args) => {
+  const url = String(args?.url || "").trim();
+  if (!url) throw new Error("url required");
+  let parsed;
   try {
-    regex = new RegExp(pattern, "g");
+    parsed = new URL(url);
   } catch {
-    const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    regex = new RegExp(escaped, "g");
+    throw new Error("url invalid");
   }
-  const files = [];
-  walkFiles(base, files);
-  const matches = [];
-  for (const f of files) {
-    const content = readFileSync(f, "utf-8");
-    const lines = content.split(/\r?\n/);
-    lines.forEach((line, i) => {
-      if (regex.test(line)) {
-        matches.push({ file: f.replace(workspaceRoot + sep, ""), line: i + 1, text: line });
+  if (!["http:", "https:"].includes(parsed.protocol)) throw new Error("url not allowed");
+  if (!isUrlAllowed(url)) throw new Error("url not allowed");
+  await ensureRiskAllowed("open", url);
+  const maxChars = clampNumber(
+    args?.max_chars ?? args?.maxChars,
+    100,
+    MAX_WEB_FETCH_MAX_CHARS,
+    DEFAULT_WEB_FETCH_MAX_CHARS
+  );
+  const timeoutMs = clampNumber(args?.timeout_ms, 1000, 120_000, DEFAULT_WEB_FETCH_TIMEOUT_MS);
+  const extractMode = String(args?.extract_mode || args?.extractMode || "markdown")
+    .trim()
+    .toLowerCase();
+  const res = await fetchWithTimeout(
+    url,
+    {
+      method: "GET",
+      headers: {
+        "user-agent":
+          "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36",
+        accept: "text/markdown, text/html;q=0.9, text/plain;q=0.8, */*;q=0.1"
       }
-      regex.lastIndex = 0;
-    });
+    },
+    timeoutMs
+  );
+  if (!res.ok) {
+    throw createToolError("WEB_FETCH_FAILED", "web_fetch failed", { status: res.status });
   }
-  return { matches };
+  const contentType = String(res.headers.get("content-type") || "");
+  const raw = await res.text();
+  let content = raw;
+  if (contentType.includes("text/html")) {
+    content = stripHtml(raw);
+  } else {
+    content = normalizeWebText(raw);
+  }
+  if (extractMode === "text") {
+    content = stripHtml(content);
+  }
+  let truncated = false;
+  if (content.length > maxChars) {
+    content = content.slice(0, maxChars);
+    truncated = true;
+  }
+  return {
+    url,
+    final_url: res.url || url,
+    status: res.status,
+    content_type: contentType,
+    content,
+    truncated
+  };
 };
 
-const globToRegex = (pattern) => {
-  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
-  const regex = escaped
-    .replace(/\*\*/g, "###DOUBLESTAR###")
-    .replace(/\*/g, "[^/]*")
-    .replace(/\?/g, ".");
-  const withDouble = regex.replace(/###DOUBLESTAR###/g, ".*");
-  return new RegExp("^" + withDouble + "$");
+const toolWebSearch = async (args) => {
+  const query = String(args?.query || "").trim();
+  if (!query) throw new Error("query required");
+  const count = clampNumber(
+    args?.count,
+    1,
+    MAX_WEB_SEARCH_COUNT,
+    DEFAULT_WEB_SEARCH_COUNT
+  );
+  const apiKey = String(process.env["BRAVE_API_KEY"] || process.env["9T_BRAVE_API_KEY"] || "");
+  if (!apiKey) throw createToolError("MISSING_KEY", "BRAVE_API_KEY required");
+  await ensureRiskAllowed("open", "https://api.search.brave.com");
+  const params = new URLSearchParams({ q: query, count: String(count) });
+  if (args?.country) params.set("country", String(args.country));
+  if (args?.search_lang) params.set("search_lang", String(args.search_lang));
+  if (args?.ui_lang) params.set("ui_lang", String(args.ui_lang));
+  if (args?.freshness) params.set("freshness", String(args.freshness));
+  const url = `https://api.search.brave.com/res/v1/web/search?${params.toString()}`;
+  const res = await fetchWithTimeout(
+    url,
+    {
+      method: "GET",
+      headers: {
+        "x-subscription-token": apiKey,
+        accept: "application/json"
+      }
+    },
+    DEFAULT_WEB_SEARCH_TIMEOUT_MS
+  );
+  if (!res.ok) {
+    throw createToolError("WEB_SEARCH_FAILED", "web_search failed", { status: res.status });
+  }
+  const data = await res.json();
+  const results = Array.isArray(data?.web?.results)
+    ? data.web.results.map((item) => ({
+        title: item?.title || "",
+        url: item?.url || "",
+        snippet: item?.description || item?.snippet || ""
+      }))
+    : [];
+  return { query, count, results, source: "brave" };
 };
 
-const toolGlob = (args) => {
-  const base = resolveWorkspacePath(args?.path || ".");
-  const pattern = String(args.pattern || "");
-  if (!pattern) throw new Error("pattern required");
-  const files = [];
-  walkFiles(base, files);
-  const regex = globToRegex(pattern);
-  const matches = files
-    .map((f) => f.replace(workspaceRoot + sep, ""))
-    .filter((p) => regex.test(p));
-  return { matches };
+const toolAskUser = async (args) => {
+  const question = String(args?.question || "").trim();
+  if (!question) throw new Error("question required");
+  if (!process.stdin.isTTY) throw new Error("ask_user requires TTY");
+  const options = Array.isArray(args?.options) ? args.options.map((o) => String(o)) : [];
+  if (options.length) {
+    options.forEach((opt, i) => {
+      console.log(`[${i + 1}] ${opt}`);
+    });
+  }
+  const answer = await new Promise((resolvePromise) => {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(`${question} `, (input) => {
+      rl.close();
+      resolvePromise(String(input || "").trim());
+    });
+  });
+  if (!options.length) return { question, answer };
+  const index = Number.parseInt(answer, 10);
+  if (!Number.isNaN(index) && index >= 1 && index <= options.length) {
+    return { question, answer: options[index - 1], choice: index - 1 };
+  }
+  return { question, answer, choice: null };
 };
 
-const toolExecute = (args) =>
-  new Promise((resolvePromise, reject) => {
-    const cmd = String(args.cmd || "");
-    if (!cmd) return reject(new Error("cmd required"));
-    const cwd = args.cwd ? resolveWorkspacePath(args.cwd) : workspaceRoot;
-    exec(cmd, { cwd, maxBuffer: 1024 * 1024 }, (err, stdout, stderr) => {
-      if (err) {
-        resolvePromise({ ok: false, code: err.code || 1, stdout, stderr });
-      } else {
-        resolvePromise({ ok: true, code: 0, stdout, stderr });
-      }
+const toolBrowser = async (args) => {
+  const action = String(args?.action || "").trim().toLowerCase();
+  if (action !== "open") throw new Error("invalid action");
+  const url = String(args?.url || "").trim();
+  if (!url) throw new Error("url required");
+  if (!/^https?:\/\//i.test(url)) throw new Error("url not allowed");
+  const outputPathRaw = String(args?.output_path || "").trim();
+  if (!outputPathRaw) throw new Error("output_path required");
+  let status = "completed";
+  let error = "";
+  try {
+    const result = await toolOpen({ target: url });
+    status = result?.ok ? "completed" : "failed";
+    if (!result?.ok) {
+      error = String(result?.stderr || "open failed");
+    }
+  } catch (e) {
+    status = "denied";
+    error = String(e?.message || e);
+    const record = buildEvidenceRecord({
+      tool: "browser",
+      action,
+      target: url,
+      status,
+      error,
+      output_path: outputPathRaw
     });
+    appendEvidenceLog(record);
+    writeEvidenceFile(outputPathRaw, record);
+    throw e;
+  }
+  const record = buildEvidenceRecord({
+    tool: "browser",
+    action,
+    target: url,
+    status,
+    error,
+    output_path: outputPathRaw
   });
+  appendEvidenceLog(record);
+  const resolved = writeEvidenceFile(outputPathRaw, record);
+  return { action, url, status, output_path: resolved };
+};
 
-const toolOpen = (args) =>
+const runOpenCommand = (cmd, cwd, useSandbox) =>
   new Promise((resolvePromise, reject) => {
-    const target = String(args.target || "");
-    if (!target) return reject(new Error("target required"));
-    const platform = process.platform;
-    let cmd = "";
-    if (platform === "darwin") cmd = `open "${target}"`;
-    else if (platform === "win32") cmd = `start "" "${target}"`;
-    else cmd = `xdg-open "${target}"`;
-    exec(cmd, (err, stdout, stderr) => {
+    let execCmd = cmd;
+    if (useSandbox) {
+      try {
+        const roots = allowedRoots.length ? allowedRoots : [workspaceRoot];
+        execCmd = buildSandboxedCommand(cmd, cwd, roots);
+      } catch (e) {
+        return reject(new Error(String(e?.message || e)));
+      }
+    }
+    exec(execCmd, { cwd }, (err, stdout, stderr) => {
       if (err) resolvePromise({ ok: false, stdout, stderr });
       else resolvePromise({ ok: true, stdout, stderr });
     });
   });
 
+const toolOpenUrl = async (args) => {
+  const url = String(args?.url || "").trim();
+  if (!url) throw new Error("url required");
+  if (!/^https?:\/\//i.test(url)) throw new Error("url not allowed");
+  if (!isUrlAllowed(url)) throw new Error("url not allowed");
+  await ensureRiskAllowed("open", url);
+  const platform = process.platform;
+  let cmd = "";
+  if (platform === "darwin") cmd = `open "${url}"`;
+  else if (platform === "win32") cmd = `start "" "${url}"`;
+  else cmd = `xdg-open "${url}"`;
+  return await runOpenCommand(cmd, workspaceRoot, false);
+};
+
+const toolOpen = async (args) => {
+  const raw = String(args?.path || args?.target || "").trim();
+  if (!raw) throw new Error("path required");
+  if (/^https?:\/\//i.test(raw)) throw new Error("use open_url for url");
+  const openTarget = resolveWorkspacePath(raw);
+  if (!isOpenFileAllowed(openTarget)) {
+    throw new Error("file type not allowed");
+  }
+  await ensureRiskAllowed("open", openTarget);
+  const platform = process.platform;
+  let cmd = "";
+  if (platform === "darwin") cmd = `open "${openTarget}"`;
+  else if (platform === "win32") cmd = `start "" "${openTarget}"`;
+  else cmd = `xdg-open "${openTarget}"`;
+  const useSandbox = sandboxMode !== "off";
+  return await runOpenCommand(cmd, dirname(openTarget), useSandbox);
+};
+
+const toolTaskCreate = (args) => {
+  const store = loadTaskStore();
+  const task = createTask(store, args || {});
+  saveTaskStore(store);
+  appendTaskLog({ ts: nowIso(), action: "create", task });
+  return { task };
+};
+
+const toolTaskUpdate = (args) => {
+  const store = loadTaskStore();
+  const task = updateTask(store, args || {});
+  recordTaskUpdate(store, task, null);
+  return { task };
+};
+
+const toolTaskGet = (args) => {
+  const store = loadTaskStore();
+  const taskId = String(args.task_id || "").trim();
+  if (!taskId) throw new Error("task_id required");
+  const task = ensureTaskExists(store, taskId);
+  return { task };
+};
+
+const toolTaskList = (args) => {
+  const store = loadTaskStore();
+  const tasks = listTasks(store, args || {});
+  return { tasks };
+};
+
+const toolTaskTree = (args) => {
+  const store = loadTaskStore();
+  const rootId = args?.root_id ? String(args.root_id) : "";
+  const tree = buildTaskTree(store, rootId || "");
+  return { tree };
+};
+
+const toolTaskLogList = (args) => {
+  const taskId = args?.task_id ? String(args.task_id) : "";
+  const limit = Math.max(1, Number(args?.limit || 50));
+  const logs = loadTaskLogs().filter((l) => (taskId ? l.task?.task_id === taskId : true));
+  const sliced = logs.slice(-limit);
+  return { logs: sliced };
+};
+
+const toolTaskReplay = () => {
+  const logs = loadTaskLogs();
+  if (!logs.length) throw new Error("no task logs");
+  const result = replayTaskLogs(logs);
+  return { ok: true, ...result };
+};
+
+const toolTodoList = (args) => {
+  const store = loadTaskStore();
+  const todos = listTodos(store, args || {});
+  return { todos };
+};
+
+const toolTodoAdd = (args) => {
+  const store = loadTaskStore();
+  const task = createTodo(store, { ...(args || {}), defaultSource: "ai" });
+  return { todo: task };
+};
+
+const toolTodoStart = (args) => {
+  const todoId = String(args?.todo_id || "").trim();
+  if (!todoId) throw new Error("todo_id required");
+  const store = loadTaskStore();
+  const task = startTodo(store, todoId, { source: "todo" });
+  return { todo: task };
+};
+
+const toolTodoDone = (args) => {
+  const todoId = String(args?.todo_id || "").trim();
+  if (!todoId) throw new Error("todo_id required");
+  const store = loadTaskStore();
+  const task = doneTodo(store, todoId, { source: "todo" });
+  return { todo: task };
+};
+
+const toolTodoPatch = (args) => {
+  const todoId = String(args?.todo_id || "").trim();
+  if (!todoId) throw new Error("todo_id required");
+  const store = loadTaskStore();
+  const task = patchTodo(store, todoId, { ...(args || {}), defaultSource: "ai" });
+  return { todo: task };
+};
+
+const toolTodoClear = (args) => {
+  const store = loadTaskStore();
+  const count = clearTodos(store, args?.scope, { source: "todo" });
+  return { cleared: count };
+};
+
 const toolMap = {
   read: toolRead,
   edit: toolEdit,
   create: toolCreate,
   delete: toolDelete,
+  move: toolMove,
+  rename: toolMove,
+  stat: toolStat,
+  diff: toolDiff,
+  patch: toolPatch,
   ls: toolLs,
   grep: toolGrep,
   glob: toolGlob,
   execute: toolExecute,
-  open: toolOpen
+  execute_detached: toolExecuteDetached,
+  process: toolProcess,
+  wait_process: toolWaitProcess,
+  read_process_log: toolReadProcessLog,
+  read_process_output: toolReadProcessOutput,
+  web_fetch: toolWebFetch,
+  web_search: toolWebSearch,
+  ask_user: toolAskUser,
+  browser: toolBrowser,
+  open: toolOpen,
+  open_url: toolOpenUrl,
+  task_create: toolTaskCreate,
+  task_update: toolTaskUpdate,
+  task_get: toolTaskGet,
+  task_list: toolTaskList,
+  task_tree: toolTaskTree,
+  task_log_list: toolTaskLogList,
+  task_replay: toolTaskReplay,
+  todo_list: toolTodoList,
+  todo_add: toolTodoAdd,
+  todo_start: toolTodoStart,
+  todo_done: toolTodoDone,
+  todo_patch: toolTodoPatch,
+  todo_clear: toolTodoClear
 };
 
 const extractJson = (text) => {
@@ -498,7 +3257,22 @@ const extractJson = (text) => {
   throw new Error("no json found");
 };
 
-const callModel = async (messages) => {
+const buildOpenAIMessages = (systemPrompt, messages) => {
+  const base = [{ role: "system", content: systemPrompt }];
+  const mapped = messages.map((m) => ({
+    role: m.role === "assistant" ? "assistant" : "user",
+    content: String(m.content || "")
+  }));
+  return base.concat(mapped);
+};
+
+const buildGeminiContents = (messages) =>
+  messages.map((m) => ({
+    role: m.role === "assistant" ? "model" : "user",
+    parts: [{ text: String(m.content || "") }]
+  }));
+
+const callAnthropicModel = async (systemPrompt, messages, maxTokens) => {
   const res = await fetch(`${baseUrl}/v1/messages`, {
     method: "POST",
     headers: {
@@ -508,9 +3282,9 @@ const callModel = async (messages) => {
     },
     body: JSON.stringify({
       model,
-      max_tokens: 1024,
+      max_tokens: maxTokens,
       temperature: 0,
-      system: SYSTEM_PROMPT,
+      system: systemPrompt,
       messages
     })
   });
@@ -520,15 +3294,309 @@ const callModel = async (messages) => {
     throw new Error(msg);
   }
   const content = Array.isArray(data.content) ? data.content : [];
-  const text = content.map((c) => c.text || "").join("").trim();
-  return text;
+  return content.map((c) => c.text || "").join("").trim();
+};
+
+const callOpenAIModel = async (systemPrompt, messages, maxTokens) => {
+  const payload = {
+    model,
+    max_tokens: maxTokens,
+    temperature: 0,
+    messages: buildOpenAIMessages(systemPrompt, messages)
+  };
+  const res = await fetch(`${baseUrl}/chat/completions`, {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      authorization: `Bearer ${apiKey}`
+    },
+    body: JSON.stringify(payload)
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    const msg = data?.error?.message || "request failed";
+    throw new Error(msg);
+  }
+  return String(data?.choices?.[0]?.message?.content || "").trim();
+};
+
+const callGeminiModel = async (systemPrompt, messages, maxTokens) => {
+  const payload = {
+    system_instruction: {
+      role: "system",
+      parts: [{ text: systemPrompt }]
+    },
+    contents: buildGeminiContents(messages),
+    generationConfig: {
+      temperature: 0,
+      maxOutputTokens: maxTokens
+    }
+  };
+  const url = `${baseUrl}/models/${encodeURIComponent(model)}:generateContent?key=${encodeURIComponent(
+    apiKey
+  )}`;
+  const res = await fetch(url, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(payload)
+  });
+  const data = await res.json();
+  if (!res.ok) {
+    const msg = data?.error?.message || "request failed";
+    throw new Error(msg);
+  }
+  const parts = data?.candidates?.[0]?.content?.parts || [];
+  return parts.map((p) => p.text || "").join("").trim();
+};
+
+const callLlm = async (systemPrompt, messages, maxTokens = 1024) => {
+  if (!apiKey) {
+    apiKey = await ensureApiKey(providerName);
+  }
+  if (providerFormat === "openai") {
+    return await callOpenAIModel(systemPrompt, messages, maxTokens);
+  }
+  if (providerFormat === "gemini") {
+    return await callGeminiModel(systemPrompt, messages, maxTokens);
+  }
+  return await callAnthropicModel(systemPrompt, messages, maxTokens);
+};
+
+const callModel = async (messages) => {
+  const systemPrompt = getSystemPrompt();
+  return await callLlm(systemPrompt, messages, 1024);
+};
+
+const callSummaryModel = async (records, rangeLabel) => {
+  const systemPrompt = "你是会话摘要器，只输出 Markdown，不调用工具。";
+  const recordFiles = listSessionRecordFiles();
+  const recordList = recordFiles.length ? recordFiles.join(", ") : "无";
+  const userContent = [
+    `摘要范围：${rangeLabel}`,
+    `记录文件：${recordList}`,
+    "请生成中文 Markdown 摘要，必须包含以下条目：",
+    "讨论主题、简要内容、关键词、提及术语、脚本与执行行为、文件变更清单（含路径）、访问与搜索的 URL 与简要描述。",
+    "若无相关内容，请写“无”。",
+    "记录内容：",
+    JSON.stringify(records, null, 2)
+  ].join("\n");
+  return await callLlm(systemPrompt, [{ role: "user", content: userContent }], 1024);
+};
+
+const normalizeRecordPath = (input) => {
+  if (!input) return "";
+  try {
+    const full = resolveWorkspacePath(String(input));
+    return formatOutputPath(full, workspaceRoot);
+  } catch {
+    return String(input);
+  }
+};
+
+const buildSessionSummaryFile = (startRound, endRound) => {
+  const base = `${currentSessionId}`;
+  if (startRound === endRound) {
+    return join(sessionState.dir, `${base}-${startRound}-summary.md`);
+  }
+  return join(sessionState.dir, `${base}-${startRound}to${endRound}-summary.md`);
+};
+
+const buildSessionFinalSummaryFile = () => {
+  return join(sessionState.dir, `${currentSessionId}-summary.md`);
+};
+
+const filterRecordsByRound = (records, startRound, endRound) =>
+  records.filter((r) => Number(r?.round || 0) >= startRound && Number(r?.round || 0) <= endRound);
+
+const writeSessionSummary = async (startRound, endRound) => {
+  const records = loadSessionRecords();
+  const slice = filterRecordsByRound(records, startRound, endRound);
+  if (!slice.length) return;
+  const rangeLabel = startRound === endRound ? `${startRound}` : `${startRound}-${endRound}`;
+  const text = await callSummaryModel(slice, rangeLabel);
+  const path = buildSessionSummaryFile(startRound, endRound);
+  if (existsSync(path)) return;
+  mkdirSync(dirname(path), { recursive: true });
+  writeFileSync(path, text || "");
+};
+
+const writeSessionFinalSummary = async () => {
+  const records = loadSessionRecords();
+  if (!records.length) return;
+  const text = await callSummaryModel(records, "full");
+  const path = buildSessionFinalSummaryFile();
+  if (existsSync(path)) return;
+  mkdirSync(dirname(path), { recursive: true });
+  writeFileSync(path, text || "");
+};
+
+const finalizeSessionSummaries = async () => {
+  const round = sessionState.round || 0;
+  if (!round) return;
+  const remainder = round % 3;
+  if (remainder !== 0) {
+    const start = round - remainder + 1;
+    await writeSessionSummary(start, round);
+  }
+  await writeSessionFinalSummary();
+};
+
+const sleep = (ms) => new Promise((resolvePromise) => setTimeout(resolvePromise, ms));
+
+const computeBackoffDelay = (policy, baseDelay, attempt, maxDelay) => {
+  const cappedBase = Math.max(0, Number(baseDelay || 0));
+  const cappedMax = Math.max(cappedBase, Number(maxDelay || 0));
+  if (policy === "linear") return Math.min(cappedMax, cappedBase * attempt);
+  if (policy === "exponential") return Math.min(cappedMax, cappedBase * Math.pow(2, attempt - 1));
+  return Math.min(cappedMax, cappedBase);
+};
+
+const runLoop = async (prompt, options, hooks) => {
+  const messages = [];
+  const startAt = Date.now();
+  let runIndex = 0;
+  let failureCount = 0;
+  const handlers = hooks || {};
+  while (true) {
+    if (options.maxRuns > 0 && runIndex >= options.maxRuns) break;
+    if (options.maxDurationMs > 0 && Date.now() - startAt >= options.maxDurationMs) break;
+    appendSessionEvent({ event: "loop_run_start", run: runIndex + 1 });
+    if (handlers.onRunStart) await handlers.onRunStart({ run: runIndex + 1 });
+    let attempt = 0;
+    let lastError = "";
+    while (true) {
+      try {
+        const out = await runPrompt(messages, prompt);
+        if (out !== undefined && out !== null) console.log(out);
+        appendSessionEvent({ event: "loop_run_end", run: runIndex + 1, ok: true });
+        if (handlers.onRunSuccess) await handlers.onRunSuccess({ run: runIndex + 1, output: out });
+        failureCount = 0;
+        lastError = "";
+        break;
+      } catch (e) {
+        attempt += 1;
+        failureCount += 1;
+        lastError = String(e?.message || e);
+        const willRetry = attempt <= options.maxRetries;
+        appendSessionEvent({
+          event: "loop_run_error",
+          run: runIndex + 1,
+          attempt,
+          error: lastError
+        });
+        if (handlers.onRunError) {
+          await handlers.onRunError({ run: runIndex + 1, attempt, error: lastError, willRetry });
+        }
+        if (!willRetry) {
+          appendSessionEvent({
+            event: "loop_run_end",
+            run: runIndex + 1,
+            ok: false,
+            error: lastError
+          });
+          break;
+        }
+        const delay = computeBackoffDelay(
+          options.backoff,
+          options.retryDelayMs,
+          attempt,
+          options.maxRetryDelayMs
+        );
+        if (delay > 0) await sleep(delay);
+        if (handlers.onRetryStart) {
+          await handlers.onRetryStart({ run: runIndex + 1, attempt: attempt + 1 });
+        }
+      }
+    }
+    if (handlers.onRunEnd) {
+      await handlers.onRunEnd({ run: runIndex + 1, ok: !lastError, error: lastError });
+    }
+    runIndex += 1;
+    if (lastError && options.stopOnFail) break;
+    if (options.everyMs > 0) {
+      await sleep(options.everyMs);
+    } else {
+      break;
+    }
+  }
+  appendSessionEvent({ event: "loop_end", runs: runIndex, failures: failureCount });
+  await finalizeSessionSummaries();
+  appendSessionEvent({ event: "end" });
+};
+
+const runTaskLoop = async (prompt, options) => {
+  const store = loadTaskStore();
+  const title = String(options.title || prompt).trim();
+  if (!title) throw new Error("task title required");
+  const task = createTask(store, {
+    title,
+    status: "queued",
+    inputs: { prompt, loop: "task" }
+  });
+  recordTaskUpdate(store, task, { source: "loop", mode: "task" });
+  const taskId = task.task_id;
+  const updateStatus = (status, patch, meta) => {
+    const payload = { task_id: taskId, status };
+    if (patch) Object.assign(payload, patch);
+    const latest = loadTaskStore();
+    const updated = updateTask(latest, payload);
+    recordTaskUpdate(latest, updated, meta);
+  };
+  const hooks = {
+    onRunStart: ({ run }) => {
+      updateStatus("running", null, { source: "loop", mode: "task", run });
+    },
+    onRunSuccess: ({ run, output }) => {
+      updateStatus(
+        "completed",
+        { outputs: { last_result: output, run, session_id: currentSessionId } },
+        { source: "loop", mode: "task", run, ok: true }
+      );
+    },
+    onRunError: ({ run, attempt, error, willRetry }) => {
+      if (willRetry) {
+        updateStatus(
+          "retrying",
+          { last_error: error },
+          { source: "loop", mode: "task", run, attempt, retry: true }
+        );
+      } else {
+        updateStatus(
+          "failed",
+          { last_error: error },
+          { source: "loop", mode: "task", run, attempt, retry: false }
+        );
+      }
+    },
+    onRetryStart: ({ run, attempt }) => {
+      updateStatus("running", null, { source: "loop", mode: "task", run, attempt });
+    }
+  };
+  await runLoop(prompt, options, hooks);
 };
 
 const runPrompt = async (messages, prompt) => {
-  messages.push({ role: "user", content: prompt });
+  const summaries = loadSessionSummaries();
+  const convo = [];
+  if (summaries.length > 0) {
+    convo.push({ role: "user", content: buildSummaryMessage(summaries) });
+  } else {
+    const records = loadSessionRecords();
+    if (records.length) {
+      convo.push({ role: "user", content: buildRecordsMessage(records) });
+    }
+  }
+  convo.push({ role: "user", content: prompt });
+  appendSessionEvent({ role: "user", content: prompt });
+  const round = sessionState.round + 1;
+  const roundTools = [];
+  const roundFiles = [];
+  const roundUrls = [];
+  const roundApiCalls = [];
   for (let step = 0; step < MAX_STEPS; step++) {
-    const text = await callModel(messages);
-    messages.push({ role: "assistant", content: text });
+    const text = await callModel(convo);
+    convo.push({ role: "assistant", content: text });
+    appendSessionEvent({ role: "assistant", content: text, step });
     let parsed;
     try {
       parsed = extractJson(text);
@@ -536,6 +3604,31 @@ const runPrompt = async (messages, prompt) => {
       throw new Error(`invalid model json: ${String(e.message || e)}`);
     }
     if (parsed.final) {
+      const records = [
+        {
+          ts: nowIso(),
+          session_id: currentSessionId,
+          round,
+          role: "user",
+          content: prompt
+        },
+        {
+          ts: nowIso(),
+          session_id: currentSessionId,
+          round,
+          role: "assistant",
+          content: parsed.final,
+          tools: roundTools,
+          files: roundFiles,
+          urls: roundUrls,
+          api_calls: roundApiCalls
+        }
+      ];
+      saveSessionRecords(round, records);
+      sessionState.round = round;
+      if (round % 3 === 0) {
+        await writeSessionSummary(round - 2, round);
+      }
       return parsed.final;
     }
     const calls = parsed.tools || (parsed.tool ? [parsed] : []);
@@ -546,14 +3639,124 @@ const runPrompt = async (messages, prompt) => {
       const name = call.tool;
       const args = call.args || {};
       const fn = toolMap[name];
-      if (!fn) throw new Error(`unknown tool: ${name}`);
-      const result = await fn(args);
-      messages.push({
+      let result;
+      if (!fn) {
+        const errInfo = normalizeToolError(createToolError("NOT_FOUND", `unknown tool: ${name}`));
+        result = buildToolResult({
+          tool: name,
+          ok: false,
+          code: errInfo.code,
+          error: errInfo.message,
+          meta: { error_type: errInfo.error_type, details: errInfo.meta || null }
+        });
+      } else {
+        try {
+          const data = await fn(args);
+          result = buildToolResult({ tool: name, ok: true, code: 0, data });
+        } catch (e) {
+          const errInfo = normalizeToolError(e);
+          result = buildToolResult({
+            tool: name,
+            ok: false,
+            code: errInfo.code,
+            error: errInfo.message,
+            meta: { error_type: errInfo.error_type, details: errInfo.meta || null }
+          });
+        }
+      }
+      appendAuditEvent({
+        tool: name,
+        ok: result.ok,
+        code: result.code,
+        error: result.error,
+        args,
+        summary: summarizeToolResult(name, result.data)
+      });
+      appendSessionEvent({
+        role: "tool",
+        tool: name,
+        ok: result.ok,
+        code: result.code,
+        summary: summarizeToolResult(name, result.data)
+      });
+      roundTools.push({
+        tool: name,
+        ok: result.ok,
+        code: result.code,
+        args,
+        summary: summarizeToolResult(name, result.data),
+        error: result.error || null
+      });
+      if (name === "create" || name === "edit" || name === "patch" || name === "delete") {
+        const path = normalizeRecordPath(args?.path);
+        if (path) roundFiles.push({ action: name, path });
+      }
+      if (name === "move" || name === "rename") {
+        const from = normalizeRecordPath(args?.from || args?.src || args?.path);
+        const to = normalizeRecordPath(args?.to || args?.dest || args?.target);
+        if (from || to) roundFiles.push({ action: name, from, to });
+      }
+      if (name === "execute" || name === "execute_detached") {
+        const cmd = String(args?.cmd || "");
+        if (cmd) roundApiCalls.push({ name, summary: cmd });
+      }
+      if (name === "web_fetch") {
+        const url = String(args?.url || "");
+        if (url) roundUrls.push({ url, summary: `status=${result.data?.status ?? ""}` });
+      }
+      if (name === "web_search") {
+        const query = String(args?.query || "");
+        if (query) roundApiCalls.push({ name, summary: `query=${query}` });
+        const results = Array.isArray(result.data?.results) ? result.data.results : [];
+        results.slice(0, 5).forEach((item) => {
+          if (item?.url) {
+            roundUrls.push({ url: item.url, summary: item?.snippet || "" });
+          }
+        });
+      }
+      if (name === "open") {
+        const path = String(args?.path || args?.target || "");
+        if (path) roundFiles.push({ action: name, path });
+      }
+      if (name === "open_url") {
+        const url = String(args?.url || "");
+        if (url) roundUrls.push({ url, summary: "open_url" });
+      }
+      if (name === "browser") {
+        const url = String(args?.url || "");
+        if (url) roundUrls.push({ url, summary: "browser" });
+      }
+      convo.push({
         role: "user",
         content: `TOOL_RESULT ${name} ${JSON.stringify(result)}`
       });
     }
   }
+  const records = [
+    {
+      ts: nowIso(),
+      session_id: currentSessionId,
+      round,
+      role: "user",
+      content: prompt
+    },
+    {
+      ts: nowIso(),
+      session_id: currentSessionId,
+      round,
+      role: "assistant",
+      content: "max steps reached",
+      tools: roundTools,
+      files: roundFiles,
+      urls: roundUrls,
+      api_calls: roundApiCalls
+    }
+  ];
+  saveSessionRecords(round, records);
+  sessionState.round = round;
+  if (round % 3 === 0) {
+    await writeSessionSummary(round - 2, round);
+  }
   return "max steps reached";
 };
 
@@ -567,10 +3770,20 @@ const runInteractive = async () => {
   const messages = [];
   const question = (q) => new Promise((resolve) => rl.question(q, resolve));
   console.log("9T 交互模式，输入 /exit 退出");
+  startSession("interactive");
   while (true) {
     const input = String(await question("> ")).trim();
     if (!input) continue;
     if (input === "/exit" || input === "/quit") break;
+    if (input.startsWith("/task") || input.startsWith("/tasks") || input.startsWith("/todo")) {
+      try {
+        const out = handleTaskCli(input);
+        if (out) console.log(out);
+      } catch (e) {
+        console.error(String(e?.message || e));
+      }
+      continue;
+    }
     if (input === "/tools" || input === "/?" || isToolHelpQuery(input)) {
       console.log(toolHelpText);
       continue;
@@ -583,14 +3796,44 @@ const runInteractive = async () => {
       console.log(aboutText);
       continue;
     }
+    if (input === "/provider") {
+      const currentLine = `current ${providerName} ${providerFormat} ${baseUrl} ${model}`;
+      const list = formatProvidersList();
+      console.log([currentLine, list].filter(Boolean).join("\n"));
+      continue;
+    }
+    if (input === "/model" || input.startsWith("/model ")) {
+      const parts = input.split(/\s+/).filter(Boolean);
+      const name = normalizeProviderName(parts[1] || "");
+      const nextModel = parts.slice(2).join(" ").trim();
+      if (!name) throw new Error("provider required");
+      applyProviderPreset(name, nextModel || "");
+      apiKey = await ensureApiKey(providerName);
+      console.log(formatCurrentProvider());
+      continue;
+    }
     if (input === "/keystatus") {
-      const envKey = String(process.env["9T_API_KEY"] || "").trim();
+      const envKey = resolveProviderApiKeyEnv(providerName);
       if (envKey) {
         console.log("api_key 已通过环境变量提供");
         continue;
       }
-      const stored = await getStoredApiKey();
-      console.log(stored ? "api_key 已安全存储" : "api_key 未存储");
+      const stored = await getStoredApiKey(buildKeychainService(providerName));
+      if (stored) {
+        console.log("api_key 已安全存储");
+        continue;
+      }
+      const fallbackStored = await getStoredApiKey(keychainService);
+      console.log(fallbackStored ? "api_key 已安全存储" : "api_key 未存储");
+      continue;
+    }
+    if (input === "--test") {
+      try {
+        const out = await runPrompt(messages, testPrompt);
+        if (out !== undefined && out !== null) console.log(out);
+      } catch (e) {
+        console.error(String(e?.message || e));
+      }
       continue;
     }
     try {
@@ -601,33 +3844,182 @@ const runInteractive = async () => {
     }
   }
   rl.close();
+  await finalizeSessionSummaries();
+  appendSessionEvent({ event: "end" });
 };
 
 const run = async () => {
   const args = process.argv.slice(2);
+  const access = buildAccessConfig(args);
+  accessMode = access.mode;
+  workspaceRoot = normalizeRoot(access.workspace) || workspaceRoot;
+  mkdirSync(workspaceRoot, { recursive: true });
+  allowedRoots = [workspaceRoot];
+  if (accessMode !== "strict") {
+    allowedRoots = allowedRoots.concat(access.roots.map(normalizeRoot).filter(Boolean));
+  }
+  allowRisk = access.risk;
+  allowRiskUntil = access.grants || {};
+  allowRiskTtlHours = access.ttlHours || 0;
+  executeAllowlist = access.execAllowlist.length
+    ? access.execAllowlist
+    : normalizeListLower(defaultExecuteAllowlist);
+  openUrlAllowlist = access.urlAllowlist.length
+    ? access.urlAllowlist
+    : normalizeListLower(defaultOpenUrlAllowlist);
+  openFileAllowlist = access.fileOpenAllowlist.length
+    ? access.fileOpenAllowlist
+    : normalizeExtList(defaultOpenFileAllowlist);
+  denyFileNames = access.denyNames.length
+    ? access.denyNames
+    : normalizeListLower(defaultDenyFileNames);
+  denyFileExts = access.denyExts.length
+    ? access.denyExts
+    : normalizeExtList(defaultDenyFileExts);
+  denyDirsAbs = normalizeAbsList(getDefaultDenyDirsAbs().concat(access.denyDirs || []));
+  denyDirSegments = normalizeListLower(defaultDenyDirSegments);
+  sandboxMode = access.sandbox || defaultSandboxMode();
+
+  if (
+    access.cliProvided.mode ||
+    access.cliProvided.roots ||
+    access.cliProvided.workspace ||
+    access.cliProvided.allowRisk ||
+    access.cliProvided.allowRiskTtlHours ||
+    access.cliProvided.executeAllowlist ||
+    access.cliProvided.openUrlAllowlist ||
+    access.cliProvided.openFileAllowlist ||
+    access.cliProvided.denyFileNames ||
+    access.cliProvided.denyFileExts ||
+    access.cliProvided.denyDirs ||
+    access.cliProvided.sandbox
+  ) {
+    const rootsText = accessMode === "strict" ? [] : access.roots;
+    const summary = [
+      `mode=${accessMode}`,
+      `workspace=${workspaceRoot}`,
+      `roots=${rootsText.length ? rootsText.join(",") : "[]"}`,
+      `allowRisk=${allowRisk.size ? Array.from(allowRisk).join(",") : "[]"}`,
+      `allowRiskTtlHours=${allowRiskTtlHours || 0}`,
+      `executeAllowlist=${executeAllowlist.join(",") || "[]"}`,
+      `openUrlAllowlist=${openUrlAllowlist.join(",") || "[]"}`,
+      `openFileAllowlist=${openFileAllowlist.join(",") || "[]"}`,
+      `sandbox=${sandboxMode}`
+    ].join(" ");
+    console.log(summary);
+  }
   const interactive = hasFlag(args, "--interactive") || hasFlag(args, "-i");
   const testMode = hasFlag(args, "--test");
   const keyStatusMode = hasFlag(args, "--key-status");
-  const filteredArgs = args.filter(
-    (a) => a !== "--interactive" && a !== "-i" && a !== "--test" && a !== "--key-status"
-  );
+  const taskLoopMode = hasFlag(args, "--task-loop");
+  const scheduleLoopMode = hasFlag(args, "--schedule-loop");
+  const daemonLoopMode = hasFlag(args, "--daemon-loop");
+  const loopMode = hasFlag(args, "--loop");
+  const filteredArgs = [];
+  for (let i = 0; i < args.length; i += 1) {
+    const arg = args[i];
+    if (arg === "--interactive" || arg === "-i" || arg === "--test" || arg === "--key-status") {
+      continue;
+    }
+    if (
+      arg === "--loop" ||
+      arg === "--task-loop" ||
+      arg === "--schedule-loop" ||
+      arg === "--daemon-loop" ||
+      arg === "--loop-every" ||
+      arg === "--loop-max-runs" ||
+      arg === "--loop-max-duration" ||
+      arg === "--loop-retry" ||
+      arg === "--loop-retry-delay" ||
+      arg === "--loop-max-retry-delay" ||
+      arg === "--loop-backoff" ||
+      arg === "--mode" ||
+      arg === "--allow-mode" ||
+      arg === "--roots" ||
+      arg === "--workspace" ||
+      arg === "--allow-risk" ||
+      arg === "--allow-risk-ttl-hours" ||
+      arg === "--execute-allowlist" ||
+      arg === "--open-url-allowlist" ||
+      arg === "--open-file-allowlist" ||
+      arg === "--deny-file-names" ||
+      arg === "--deny-file-exts" ||
+      arg === "--deny-dirs" ||
+      arg === "--sandbox"
+    ) {
+      i += 1;
+      continue;
+    }
+    if (arg === "--loop-stop-on-fail") {
+      continue;
+    }
+    filteredArgs.push(arg);
+  }
   await migratePlaintextApiKey();
   if (keyStatusMode) {
-    const envKey = String(process.env["9T_API_KEY"] || "").trim();
+    const envKey = resolveProviderApiKeyEnv(providerName);
     if (envKey) {
       console.log("api_key 已通过环境变量提供");
       return;
     }
-    const stored = await getStoredApiKey();
-    console.log(stored ? "api_key 已安全存储" : "api_key 未存储");
+    const stored = await getStoredApiKey(buildKeychainService(providerName));
+    if (stored) {
+      console.log("api_key 已安全存储");
+      return;
+    }
+    const fallbackStored = await getStoredApiKey(keychainService);
+    console.log(fallbackStored ? "api_key 已安全存储" : "api_key 未存储");
+    return;
+  }
+
+  const resolveLoopPrompt = (flag) => {
+    const raw = getArgValue(args, flag);
+    return (raw || filteredArgs.join(" ")).trim();
+  };
+
+  if (taskLoopMode) {
+    const loopPrompt = resolveLoopPrompt("--task-loop");
+    if (!loopPrompt) throw new Error("loop prompt required");
+    const options = buildLoopOptions(args);
+    startSession("task_loop");
+    await runTaskLoop(loopPrompt, { ...options, title: loopPrompt });
+    return;
+  }
+
+  if (scheduleLoopMode) {
+    const loopPrompt = resolveLoopPrompt("--schedule-loop");
+    if (!loopPrompt) throw new Error("loop prompt required");
+    const options = buildLoopOptions(args);
+    startSession("schedule_loop");
+    await runLoop(loopPrompt, options);
+    return;
+  }
+
+  if (daemonLoopMode) {
+    const loopPrompt = resolveLoopPrompt("--daemon-loop");
+    if (!loopPrompt) throw new Error("loop prompt required");
+    const options = buildLoopOptions(args);
+    startSession("daemon_loop");
+    await runLoop(loopPrompt, options);
+    return;
+  }
+
+  if (loopMode) {
+    const loopPrompt = resolveLoopPrompt("--loop");
+    if (!loopPrompt) throw new Error("loop prompt required");
+    const options = buildLoopOptions(args);
+    startSession("loop");
+    await runLoop(loopPrompt, options);
     return;
   }
-  apiKey = await ensureApiKey();
 
   if (testMode) {
+    startSession("test");
     const messages = [];
     const out = await runPrompt(messages, testPrompt);
     if (out !== undefined && out !== null) console.log(out);
+    await finalizeSessionSummaries();
+    appendSessionEvent({ event: "end" });
     return;
   }
 
@@ -641,9 +4033,28 @@ const run = async () => {
     await runInteractive();
     return;
   }
+  if (prompt === "/provider") {
+    const currentLine = `current ${providerName} ${providerFormat} ${baseUrl} ${model}`;
+    const list = formatProvidersList();
+    console.log([currentLine, list].filter(Boolean).join("\n"));
+    return;
+  }
+  if (prompt === "/model" || prompt.startsWith("/model ")) {
+    const parts = prompt.split(/\s+/).filter(Boolean);
+    const name = normalizeProviderName(parts[1] || "");
+    const nextModel = parts.slice(2).join(" ").trim();
+    if (!name) throw new Error("provider required");
+    applyProviderPreset(name, nextModel || "");
+    apiKey = await ensureApiKey(providerName);
+    console.log(formatCurrentProvider());
+    return;
+  }
   const messages = [];
+  startSession("single");
   const out = await runPrompt(messages, prompt);
   if (out !== undefined && out !== null) console.log(out);
+  await finalizeSessionSummaries();
+  appendSessionEvent({ event: "end" });
 };
 
 run().catch((e) => {