@nanhara/hara 0.48.0 → 0.62.0

package/dist/memory/store.js

@@ -3,9 +3,21 @@
 // project <root>/.hara/memory. Lexical search reuses recall.ts; no embeddings (local-first).
 import { homedir } from "node:os";
 import { join, dirname } from "node:path";
-import { readFileSync, writeFileSync, appendFileSync, mkdirSync, existsSync } from "node:fs";
+import { readFileSync, writeFileSync, appendFileSync, mkdirSync, existsSync, readdirSync } from "node:fs";
 import { findProjectRoot } from "../context/agents-md.js";
-const DIGEST_CAP = 4000; // chars of MEMORY/USER injected at session start (logs reached via search)
+// Per-source budgets for the frozen-snapshot digest (chars). Each source gets its own cap so a large
+// project MEMORY can't crowd out the (smaller but high-value) USER prefs — and each is cut at a line
+// boundary, never mid-entry. Anything beyond these is still reachable via memory_search. (hermes-style
+// per-file budgets; both PAI and hermes confirm lexical injection + capped snapshot beats a vector store.)
+const SOURCE_CAP = { memory: 2000, user: 1200, log: 0 };
+/** Truncate at a line boundary at/under `cap` (never mid-entry), with a pointer to search for the rest. */
+function capAtLine(text, cap) {
+    if (text.length <= cap)
+        return text;
+    const cut = text.slice(0, cap);
+    const nl = cut.lastIndexOf("\n");
+    return (nl > cap * 0.5 ? cut.slice(0, nl) : cut).trimEnd() + "\n…[truncated — memory_search for the rest]";
+}
 export function memoryDir(scope, cwd) {
     if (scope === "global")
         return process.env.HARA_MEMORY || join(homedir(), ".hara", "memory");
@@ -49,7 +61,9 @@ export function forgetMemory(scope, target, match, cwd) {
     writeFileSync(f, kept.join("\n"), "utf8");
     return lines.length - kept.length;
 }
-/** Capped MEMORY + USER digest (project + global) for frozen-snapshot injection at session start. */
+/** MEMORY + USER digest (project + global) for frozen-snapshot injection at session start. Each source is
+ *  capped independently (SOURCE_CAP) at a line boundary, so every source is represented (project memory
+ *  never starves USER prefs) and no entry is cut mid-line. Daily logs are reached via memory_search. */
 export function memoryDigest(cwd) {
     const sources = [
         ["project", "memory", "project MEMORY"],
@@ -64,14 +78,38 @@ export function memoryDigest(cwd) {
         try {
             const t = readFileSync(f, "utf8").trim();
             if (t)
-                parts.push(`## ${label}\n${t}`);
+                parts.push(`## ${label}\n${capAtLine(t, SOURCE_CAP[target])}`);
+        }
+        catch {
+            /* skip unreadable */
+        }
+    }
+    return parts.join("\n\n");
+}
+/** Concatenate the daily logs (`log/YYYY-MM-DD.md`) from the last `days` for one scope — the short-term
+ *  tier `hara memory distill` consolidates into evergreen MEMORY. Empty if there's no log dir. */
+export function readRecentLogs(scope, cwd, days) {
+    const dir = join(memoryDir(scope, cwd), "log");
+    if (!existsSync(dir))
+        return "";
+    const cutoff = Date.now() - days * 86_400_000;
+    const out = [];
+    for (const f of readdirSync(dir).sort()) {
+        if (!f.endsWith(".md"))
+            continue;
+        const m = /^(\d{4})-(\d{2})-(\d{2})\.md$/.exec(f);
+        if (m && new Date(Number(m[1]), Number(m[2]) - 1, Number(m[3])).getTime() < cutoff)
+            continue;
+        try {
+            const t = readFileSync(join(dir, f), "utf8").trim();
+            if (t)
+                out.push(`### ${f}\n${t}`);
         }
         catch {
             /* skip unreadable */
         }
     }
-    const out = parts.join("\n\n");
-    return out.length > DIGEST_CAP ? out.slice(0, DIGEST_CAP) + "\n…[memory truncated — use memory_search]" : out;
+    return out.join("\n\n");
 }
 /** Create memory dirs + seed files (global + project). Returns files written. */
 export function scaffoldMemory(cwd) {

package/dist/notify.js

@@ -0,0 +1,42 @@
+// Task-done notifications — ping the user when a turn finishes (or needs them) so they can walk away
+// during a long run (codex/Claude-Code parity). off = nothing; bell = terminal BEL; system = an OS
+// notification (best-effort, fire-and-forget) + bell. Gated on elapsed so quick turns you watched stay quiet.
+import { spawn } from "node:child_process";
+import { platform } from "node:os";
+export const NOTIFY_MODES = ["off", "bell", "system"];
+/** AppleScript double-quoted string (escape " and \). */
+const osaStr = (s) => '"' + s.replace(/[\\"]/g, "\\$&") + '"';
+/** Fire a notification for a finished/awaiting turn. No-op under `off` or when the turn was quicker than
+ *  `minMs` (default 8s) — you were watching those. `system` shells out without blocking and also rings the bell. */
+export function notifyDone(mode, opts) {
+    if (mode === "off")
+        return;
+    if (opts.elapsedMs < (opts.minMs ?? 8000))
+        return;
+    const bell = () => {
+        try {
+            process.stderr.write("\x07");
+        }
+        catch {
+            /* no tty */
+        }
+    };
+    if (mode === "bell")
+        return bell();
+    const title = (opts.title ?? "hara").slice(0, 80);
+    const msg = opts.message.slice(0, 200).replace(/\s*\n+\s*/g, " ").trim() || "done";
+    try {
+        const os = platform();
+        if (os === "darwin") {
+            spawn("osascript", ["-e", `display notification ${osaStr(msg)} with title ${osaStr(title)}`], { stdio: "ignore", detached: true }).unref();
+        }
+        else if (os === "linux") {
+            spawn("notify-send", ["-a", "hara", title, msg], { stdio: "ignore", detached: true }).unref();
+        }
+        // Windows (and any platform): the bell is the reliable cross-terminal signal; toast needs extra modules.
+    }
+    catch {
+        /* best-effort — a notification must never break the turn */
+    }
+    bell();
+}

package/dist/org/review-chain.js

@@ -0,0 +1,91 @@
+// Multi-role review chain — hara's "runs like an engineering org" move. After an implementer makes
+// changes, a reviewer role inspects the diff and either APPROVES or requests changes; requested changes
+// feed back to the implementer, looping until approved or a round cap. The orchestration lives in runOrg
+// (it needs runAgent + providers); these are the pure, testable pieces: verdict parsing, change capture,
+// and the prompts. Used by `hara org --review`.
+import { execFileSync } from "node:child_process";
+/** Fallback reviewer persona when the project has no `reviewer` role. Read-only by intent. */
+export const REVIEWER_SYSTEM = `You are a senior code reviewer reviewing changes made to accomplish a task.
+Inspect them for: correctness and bugs, security, missing edge cases, and whether they actually accomplish
+the task. Use read_file / grep / glob / ls to inspect context and any new files. Be concrete and specific —
+cite files. Block only on real problems (bugs, breakage, security), not style preferences.
+
+A script parses your final line, so it MUST be EXACTLY one of these two, verbatim, as the LAST line —
+the literal word APPROVED or CHANGES_REQUESTED. Do NOT paraphrase it (not "No issues found", not "LGTM"),
+do NOT bold it, do NOT add words after the token:
+VERDICT: APPROVED
+VERDICT: CHANGES_REQUESTED
+
+Use APPROVED only if the changes correctly and safely accomplish the task. If anything must be fixed, use
+CHANGES_REQUESTED and list the required fixes as a short numbered list ABOVE the verdict line — each one
+naming the file and exactly what to change.`;
+// Real models won't reliably emit the literal token — across live runs glm-5 wrote `VERDICT: APPROVED`,
+// `**VERDICT**: No issues found`, and `**VERDICT**: PASS`. So we anchor on the (markdown-tolerant) VERDICT
+// marker, then CLASSIFY the phrase after it: a "changes" signal vetoes (safer), an "approve" signal passes,
+// and anything ambiguous stays NOT approved — worst case is one extra review round, never a bad auto-commit.
+const CHANGES_RE = /\b(changes?[ _-]?request\w*|request\w*[ _-]?changes?|fail(ed|ure)?|reject\w*|block\w*|rework|needs?[ _-]?(work|fix\w*|change\w*)|must[ _-]?(fix|change)|not[ _-]?approv\w*)\b/i;
+const APPROVE_RE = /\b(approv\w*|passe?d?|lgtm|accept\w*|ship[ _-]?it|no[ _-]?(issues?|problems?|changes?|concerns?)|looks?[ _-]?good)\b/i;
+/** Parse a reviewer's reply into a verdict — see the note above for why it's lenient. Takes the LAST
+ *  VERDICT marker (the final call) and classifies the phrase after it; `issues` is the body before it. */
+export function parseVerdict(text) {
+    const markers = [...text.matchAll(/VERDICT\b[*_:\s]*/gi)];
+    const last = markers[markers.length - 1];
+    if (!last)
+        return { approved: false, issues: text.trim() };
+    const idx = last.index ?? 0;
+    const after = text.slice(idx + last[0].length, idx + last[0].length + 80); // the verdict phrase itself
+    const approved = !CHANGES_RE.test(after) && APPROVE_RE.test(after); // changes-signal vetoes; ambiguous = not approved
+    return { approved, issues: text.slice(0, idx).trim() };
+}
+/** Capture the working-tree changes vs HEAD (what to review). Non-destructive; empty for a non-git dir
+ *  or a repo with no commits. New (untracked) files are listed by name — the reviewer can read_file them. */
+export function captureChanges(cwd, cap = 100_000) {
+    const git = (args) => {
+        try {
+            return execFileSync("git", args, { cwd, encoding: "utf8", maxBuffer: 50_000_000 });
+        }
+        catch {
+            return "";
+        }
+    };
+    let diff = git(["diff", "HEAD"]).trim();
+    if (diff.length > cap)
+        diff = diff.slice(0, cap) + "\n…[diff truncated]";
+    const newFiles = git(["ls-files", "--others", "--exclude-standard"])
+        .split("\n")
+        .map((s) => s.trim())
+        .filter(Boolean)
+        .slice(0, 50);
+    return { diff, newFiles };
+}
+/** True only if the working tree is fully clean — no uncommitted changes. The `--commit` capstone uses
+ *  this as a guard: `git add -A` + commit is only safe to run when the tree was clean before the org ran,
+ *  so it captures THIS run's work and never sweeps up pre-existing WIP. False for a non-git dir. */
+export function isTreeClean(cwd) {
+    try {
+        return execFileSync("git", ["status", "--porcelain"], { cwd, encoding: "utf8", maxBuffer: 50_000_000 }).trim() === "";
+    }
+    catch {
+        return false; // not a git repo / git error → treat as "not clean" so we never auto-commit blindly
+    }
+}
+/** Strip a leading/trailing markdown code fence a model sometimes wraps a commit message in. */
+export function stripCommitFence(text) {
+    return text.trim().replace(/^```[a-z]*\n?/i, "").replace(/\n?```$/i, "").trim();
+}
+/** The reviewer's input: the task + the changes to review. */
+export function reviewPrompt(task, changes) {
+    const parts = [`Task that was implemented:\n${task}`, ""];
+    if (changes.diff)
+        parts.push("Changes (working tree vs HEAD):\n```diff\n" + changes.diff + "\n```");
+    if (changes.newFiles.length)
+        parts.push(`New files (use read_file to inspect): ${changes.newFiles.join(", ")}`);
+    if (!changes.diff && !changes.newFiles.length)
+        parts.push("(no diff captured — inspect the working tree with git / read_file)");
+    parts.push("\nReview these changes against the task. Finish with your VERDICT line.");
+    return parts.join("\n");
+}
+/** Feed the reviewer's requested changes back to the implementer. */
+export function fixPrompt(issues) {
+    return `A code reviewer reviewed your changes and requires these fixes before this can ship:\n\n${issues}\n\nMake these fixes now — edit the files directly; don't just explain.`;
+}

package/dist/org/roles.js

@@ -49,6 +49,17 @@ function parseFrontmatter(text) {
     }
     return { fm, body: m[2].trim() };
 }
+/** Tool filter for a fan-out sub-agent: ALWAYS read-only (sub-agents run full-auto + unconfirmed +
+ *  parallel), with a role allowed to narrow further but never to grant write/exec. `isReadonly` is the
+ *  read-kind predicate. This is the guard that keeps the `agent` tool from bypassing the approval gate. */
+export function subagentToolFilter(role, isReadonly) {
+    const roleFilter = role?.allowTools
+        ? (n) => role.allowTools.includes(n)
+        : role?.denyTools
+            ? (n) => !role.denyTools.includes(n)
+            : null;
+    return (n) => isReadonly(n) && (roleFilter ? roleFilter(n) : true);
+}
 export function loadRoles(cwd) {
     const byId = new Map();
     // lowest→highest precedence: plugins < global < .claude/agents < .hara/roles (project wins, same as memory/config)

package/dist/plugins/plugins.js

@@ -66,6 +66,20 @@ export function pluginMcpServers() {
         Object.assign(out, p.manifest.mcpServers ?? {});
     return out;
 }
+/** Lifecycle hooks contributed by enabled plugins (appended after user-config hooks). */
+export function pluginHooks() {
+    const out = { PreToolUse: [], PostToolUse: [] };
+    for (const p of enabledPlugins()) {
+        const h = p.manifest.hooks;
+        if (!h || typeof h !== "object")
+            continue;
+        if (Array.isArray(h.PreToolUse))
+            out.PreToolUse.push(...h.PreToolUse);
+        if (Array.isArray(h.PostToolUse))
+            out.PostToolUse.push(...h.PostToolUse);
+    }
+    return out;
+}
 /** Install a plugin from `file:<path>`, `github:<owner/repo>`, or `git:<url>` into ~/.hara/plugins/<name>. */
 export function installPlugin(source) {
     mkdirSync(pluginsDir(), { recursive: true });

package/dist/providers/anthropic.js

@@ -2,6 +2,19 @@ import Anthropic from "@anthropic-ai/sdk";
 import { imageToBase64 } from "../images.js";
 export function toAnthropic(history) {
     const msgs = [];
+    // Append a user message, merging into the previous one if it's also `user` — Anthropic requires
+    // alternating roles, and tool-results map to a user message, so a mid-turn-injected user message
+    // (type-ahead steering) lands right after one. Merging keeps the request valid; dormant otherwise.
+    const pushUser = (content) => {
+        const last = msgs[msgs.length - 1];
+        if (last && last.role === "user") {
+            const toBlocks = (c) => typeof c === "string" ? [{ type: "text", text: c }] : c;
+            last.content = [...toBlocks(last.content), ...toBlocks(content)];
+        }
+        else {
+            msgs.push({ role: "user", content });
+        }
+    };
     for (const m of history) {
         if (m.role === "user") {
             if (m.images?.length) {
@@ -13,10 +26,10 @@ export function toAnthropic(history) {
                     if (data)
                         blocks.push({ type: "image", source: { type: "base64", media_type: img.mediaType, data } });
                 }
-                msgs.push({ role: "user", content: blocks.length ? blocks : m.content });
+                pushUser(blocks.length ? blocks : m.content);
             }
             else {
-                msgs.push({ role: "user", content: m.content });
+                pushUser(m.content);
             }
         }
         else if (m.role === "assistant") {
@@ -28,15 +41,12 @@ export function toAnthropic(history) {
             msgs.push({ role: "assistant", content: content.length ? content : [{ type: "text", text: "(no output)" }] });
         }
         else {
-            msgs.push({
-                role: "user",
-                content: m.results.map((r) => ({
-                    type: "tool_result",
-                    tool_use_id: r.id,
-                    content: r.content,
-                    is_error: r.isError,
-                })),
-            });
+            pushUser(m.results.map((r) => ({
+                type: "tool_result",
+                tool_use_id: r.id,
+                content: r.content,
+                is_error: r.isError,
+            })));
         }
     }
     return msgs;

package/dist/providers/qwen-oauth.js

@@ -3,7 +3,7 @@
 import { createHash, randomBytes } from "node:crypto";
 import { homedir } from "node:os";
 import { join } from "node:path";
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, chmodSync } from "node:fs";
 const BASE = "https://chat.qwen.ai";
 const DEVICE_CODE_URL = `${BASE}/api/v1/oauth2/device/code`;
 const TOKEN_URL = `${BASE}/api/v1/oauth2/token`;
@@ -28,7 +28,14 @@ export function loadQwenToken() {
 function saveQwenToken(t) {
     const p = tokenPath();
     mkdirSync(join(homedir(), ".hara"), { recursive: true });
-    writeFileSync(p, JSON.stringify(t, null, 2) + "\n", "utf8");
+    // 0600 — the file holds long-lived access + refresh tokens; don't leave it world-readable on shared boxes.
+    writeFileSync(p, JSON.stringify(t, null, 2) + "\n", { encoding: "utf8", mode: 0o600 });
+    try {
+        chmodSync(p, 0o600); // tighten an existing file that predated the mode
+    }
+    catch {
+        /* best-effort */
+    }
 }
 const b64url = (b) => b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 function pkce() {

package/dist/sandbox.js

@@ -1,6 +1,10 @@
-// OS sandboxing for the bash tool. macOS = Seatbelt (sandbox-exec); other platforms run unsandboxed
-// (the approval gate + cwd-scoped file tools still apply). Only the `bash` shell is sandboxed —
-// hara's own file tools (write_file/edit_file) are in-process, explicit, and gated.
+// OS sandboxing for the bash tool — WRITE CONFINEMENT, not a security jail. macOS = Seatbelt
+// (sandbox-exec) restricting `file-write*` to the workspace (workspace-write) or to nothing outside
+// temp (read-only). Reads, network, and process exec are NOT restricted, and /private/tmp +
+// /private/var/folders stay writable in every mode — so this stops a stray `rm`/overwrite escaping the
+// project, NOT a determined exfiltration. Other platforms run UNSANDBOXED (a one-time warning is
+// emitted from runShell so every entry point — REPL, -p, org, cron — surfaces it). Only the `bash`
+// shell is sandboxed; hara's own file tools are in-process, explicit, and gated by the approval flow.
 import { spawn } from "node:child_process";
 import { writeFileSync, mkdtempSync } from "node:fs";
 import { tmpdir, platform } from "node:os";
@@ -23,6 +27,7 @@ function seatbeltProfile(cwd, mode) {
 export function sandboxSupported() {
     return platform() === "darwin";
 }
+let warnedUnsandboxed = false; // emit the "macOS-only" notice at most once per process
 /**
  * Run a shell command, sandboxed when mode != off and the platform supports it.
  * Streams output via `opts.onData` while capturing it for the resolved value.
@@ -39,6 +44,10 @@ export function runShell(command, cwd, mode, opts) {
         args = ["-f", profileFile, "/bin/bash", "-lc", command];
     }
     else {
+        if (mode !== "off" && !warnedUnsandboxed) {
+            warnedUnsandboxed = true;
+            process.stderr.write(`hara: --sandbox ${mode} is macOS-only — the shell runs UNSANDBOXED on ${platform()}.\n`);
+        }
         cmd = "/bin/sh";
         args = ["-c", command];
     }
@@ -47,20 +56,31 @@ export function runShell(command, cwd, mode, opts) {
         let stdout = "";
         let stderr = "";
         let timedOut = false;
+        let killedForSize = false;
         const grow = (cur, add) => (cur.length < opts.maxBuffer ? cur + add : cur);
         const timer = setTimeout(() => {
             timedOut = true;
             child.kill("SIGKILL");
         }, opts.timeout);
+        // Kill a runaway command once its total output passes maxBuffer — don't let it stream GBs to the UI
+        // until the timeout just because we stopped retaining the bytes.
+        const checkOverflow = () => {
+            if (!killedForSize && stdout.length + stderr.length >= opts.maxBuffer) {
+                killedForSize = true;
+                child.kill("SIGKILL");
+            }
+        };
         child.stdout.on("data", (d) => {
             const s = d.toString();
             stdout = grow(stdout, s);
             opts.onData?.(s);
+            checkOverflow();
         });
         child.stderr.on("data", (d) => {
             const s = d.toString();
             stderr = grow(stderr, s);
             opts.onData?.(s);
+            checkOverflow();
         });
         child.on("error", (e) => {
             clearTimeout(timer);
@@ -68,6 +88,8 @@ export function runShell(command, cwd, mode, opts) {
         });
         child.on("close", (code) => {
             clearTimeout(timer);
+            if (killedForSize)
+                return resolve({ stdout, stderr: stderr + `\n[output truncated — exceeded ${opts.maxBuffer} bytes; process killed]` });
             if (timedOut)
                 return reject(Object.assign(new Error(`timed out after ${opts.timeout}ms`), { stdout, stderr }));
             if (code !== 0)

package/dist/search/semindex.js

@@ -121,6 +121,13 @@ export async function buildIndex(name, chunks, embed, cwd, model = "embed") {
 export function indexExists(name, cwd) {
     return existsSync(indexPath(name, cwd));
 }
+// Never embed (and POST to an embedding provider, then persist in the index) a secret-bearing file —
+// the asset/skill/memory dirs aren't .gitignore-filtered, so a stray credentials.json/secrets.yaml/.env
+// there would otherwise leak. Defense-in-depth (the repo walk already respects .gitignore).
+const SECRET_FILE = /(^\.?env(\.|$)|secret|credential|password|apikey|api[_-]?key|\btoken|\.(pem|key|p12|pfx|keystore|crt)$|^\.netrc$|^\.npmrc$|id_(rsa|ed25519|ecdsa))/i;
+function looksSecret(rel) {
+    return SECRET_FILE.test(rel.split("/").pop() ?? rel);
+}
 /** Walk one knowledge directory (code-assets / skills / memory) and chunk its files. Files come back as
  *  absolute paths so recall/memory_search can read or open them directly. */
 export function collectDirChunks(dir, source) {
@@ -128,7 +135,7 @@ export function collectDirChunks(dir, source) {
         return [];
     const chunks = [];
     for (const rel of walkFiles(dir)) {
-        if (!CODE_RE.test(rel))
+        if (!CODE_RE.test(rel) || looksSecret(rel))
             continue;
         const abs = join(dir, rel);
         if (fileSize(abs) > 200_000)
@@ -150,7 +157,7 @@ export function collectDirChunks(dir, source) {
 export function collectRepoChunks(root) {
     const chunks = [];
     for (const rel of listProjectFiles(root)) {
-        if (!CODE_RE.test(rel))
+        if (!CODE_RE.test(rel) || looksSecret(rel))
             continue;
         const abs = join(root, rel);
         if (fileSize(abs) > 200_000)

package/dist/session/store.js

@@ -42,6 +42,8 @@ export function cleanSessionName(raw) {
  *  (unlike the ASCII-slug `cleanSessionName`), trims code/whitespace, caps length. Empty for blank input
  *  (callers fall back to the short id, never "new session"). */
 export function deriveTitle(text) {
+    if (typeof text !== "string")
+        return ""; // a malformed/hand-edited session may have a non-string content
     const t = text
         .replace(/^\/\S+\s*/, "") // drop a leading slash-command
         .replace(/```[\s\S]*?```/g, " ") // drop fenced code blocks
@@ -75,12 +77,18 @@ export function saveSession(meta, history) {
     const data = { meta, history };
     writeFileSync(sessionFile(meta.id), JSON.stringify(data, null, 2), "utf8");
 }
+/** True if a parsed object has the SessionData shape we can safely use (meta object + history array). */
+function isSessionData(d) {
+    const o = d;
+    return !!o && typeof o === "object" && !!o.meta && typeof o.meta === "object" && Array.isArray(o.history);
+}
 export function loadSession(id) {
     const p = sessionFile(id);
     if (!existsSync(p))
         return null;
     try {
-        return JSON.parse(readFileSync(p, "utf8"));
+        const d = JSON.parse(readFileSync(p, "utf8"));
+        return isSessionData(d) ? d : null; // a corrupt / hand-edited file resumes as "no session" instead of crashing
     }
     catch {
         return null;
@@ -93,7 +101,9 @@ export function listSessions(cwd) {
         if (!f.endsWith(".json"))
             continue;
         try {
-            metas.push(JSON.parse(readFileSync(join(sessionsDir(), f), "utf8")).meta);
+            const d = JSON.parse(readFileSync(join(sessionsDir(), f), "utf8"));
+            if (d?.meta && typeof d.meta === "object" && d.meta.id && d.meta.updatedAt)
+                metas.push(d.meta); // skip metaless/corrupt
         }
         catch {
             /* skip corrupt */

package/dist/tools/computer.js

@@ -12,15 +12,20 @@ import { registerTool } from "./registry.js";
 import { loadConfig } from "../config.js";
 const RANK = { off: 0, read: 1, click: 2, full: 3 };
 const ACTION_MIN = { screenshot: "read", find: "read", activate: "click", move: "click", click: "click", type: "full", key: "full" };
-// dangerous combos refused even at full tier (quit / close / delete / task-switch-kill)
+// dangerous combos refused even at full tier (quit / close / delete / task-switch-kill).
 const KEY_BLOCK = /(?:\b(cmd|command|ctrl|control|alt|option|win|super|meta)\b.*\+.*\b(q|w|delete|del|f4|escape|esc)\b)|ctrl\+alt\+(?:delete|del|backspace)/i;
+// Windows SendKeys spells modifiers as % (Alt) / ^ (Ctrl) with no modifier WORD, so the combo regex
+// above misses them: block Alt+F4 / Ctrl+F4 (close window) and Ctrl+W (close tab) in that syntax.
+const KEY_BLOCK_SENDKEYS = /[%^]\s*\{\s*f4\s*\}|\^\s*w\b/i;
+// Linux/X keysyms for logout / power-off (xdotool key XF86LogOff …) — not modifier combos.
+const KEY_BLOCK_KEYSYM = /\bxf86(logoff|poweroff|reboot|sleep)\b/i;
 /** Whether the configured tier permits the action. Exported for tests. */
 export function actionAllowed(tier, action) {
     return RANK[tier] >= RANK[ACTION_MIN[action] ?? "full"];
 }
 /** Whether a key combo is on the dangerous blocklist. Exported for tests. */
 export function keyIsBlocked(keys) {
-    return KEY_BLOCK.test(keys);
+    return KEY_BLOCK.test(keys) || KEY_BLOCK_SENDKEYS.test(keys) || KEY_BLOCK_KEYSYM.test(keys);
 }
 // Circuit breaker (learned from codex): bound consecutive screen-control failures so the agent can't loop
 // forever on a broken setup. Reset on any success; after FAIL_LIMIT in a row, return a clear stop + how to fix.
@@ -315,7 +320,7 @@ registerTool({
             const app = String(input.app ?? input.target ?? "");
             if (!app)
                 return "activate needs an `app` name (e.g. 'WeChat').";
-            if (!cfg.computerApps.some((a) => app.toLowerCase().includes(a.toLowerCase()) || a.toLowerCase().includes(app.toLowerCase())))
+            if (!cfg.computerApps.some((a) => a.toLowerCase() === app.toLowerCase()))
                 return `Refused: "${app}" isn't in your allowlist (${cfg.computerApps.join(", ") || "empty"}). Add it: \`hara config set computerApps "${app}"\`.`;
             const r = activateApp(app);
             return r.ok ? ok(`✓ ${r.msg} — now screenshot/find/click to act on it`) : fail(r.msg);
@@ -325,7 +330,7 @@ registerTool({
             if (!cfg.computerApps.length)
                 return "No apps allowlisted — set `hara config set computerApps \"App Name, …\"` before clicking/typing.";
             const app = frontmostApp();
-            const allowed = cfg.computerApps.some((a) => app.toLowerCase().includes(a.toLowerCase()) || a.toLowerCase().includes(app.toLowerCase()));
+            const allowed = cfg.computerApps.some((a) => a.toLowerCase() === app.toLowerCase());
             if (!allowed)
                 return `Refused: frontmost app "${app || "unknown"}" isn't in your allowlist (${cfg.computerApps.join(", ")}). Switch to an allowed app or update computerApps.`;
         }

package/dist/tools/patch.js

@@ -102,21 +102,40 @@ registerTool({
                 }
             }
         }
-        // PHASE 2 — commit all changes + show each diff.
-        const summary = [];
-        for (const pl of plans) {
-            if (pl.type === "delete") {
-                await unlink(pl.abs);
-                emitDiff(pl.path, pl.before, "", ctx.ui);
-                summary.push(`deleted ${pl.path}`);
+        // PHASE 2 — commit all changes. Truly all-or-nothing: if any write fails mid-way, roll back the ones
+        // already applied (restore updated/deleted files, remove created ones) so the tree is never half-patched.
+        const applied = [];
+        try {
+            for (const pl of plans) {
+                if (pl.type === "delete") {
+                    await unlink(pl.abs);
+                }
+                else {
+                    await mkdir(dirname(pl.abs), { recursive: true });
+                    await writeFile(pl.abs, pl.after, "utf8");
+                }
+                applied.push(pl);
             }
-            else {
-                await mkdir(dirname(pl.abs), { recursive: true });
-                await writeFile(pl.abs, pl.after, "utf8");
-                emitDiff(pl.path, pl.before, pl.after, ctx.ui);
-                summary.push(`${pl.type === "create" ? "created" : "updated"} ${pl.path}`);
+        }
+        catch (e) {
+            for (const pl of applied.reverse()) {
+                try {
+                    if (pl.type === "create" && !pl.existed)
+                        await unlink(pl.abs); // remove a file we created
+                    else
+                        await writeFile(pl.abs, pl.before, "utf8"); // restore an updated/deleted file's prior content
+                }
+                catch {
+                    /* best-effort rollback */
+                }
             }
+            return `Error: apply_patch failed writing a file (${e instanceof Error ? e.message : String(e)}) — rolled back, nothing left changed.`;
         }
+        // All writes succeeded → now show diffs + record the undo snapshot.
+        const summary = plans.map((pl) => {
+            emitDiff(pl.path, pl.before, pl.type === "delete" ? "" : pl.after, ctx.ui);
+            return pl.type === "delete" ? `deleted ${pl.path}` : `${pl.type === "create" ? "created" : "updated"} ${pl.path}`;
+        });
         recordEdit(plans.map((pl) => ({ path: pl.path, absPath: pl.abs, before: pl.existed ? pl.before : null })));
         return `apply_patch: ${plans.length} file(s) — ${summary.join("; ")}.`;
     },

package/dist/tools/todo.js

@@ -0,0 +1,51 @@
+// todo_write — an inline task checklist the agent maintains during a turn (like codex's update_plan /
+// Claude Code's TodoWrite). Keeps the model organized on multi-step work and shows the user live progress.
+// In-memory, replace-whole-list semantics; kind:"read" so it never prompts and is safe to call freely.
+import { registerTool } from "./registry.js";
+let todos = [];
+/** The current checklist (latest todo_write wins) — for a TUI/statusline to render. */
+export function currentTodos() {
+    return todos;
+}
+const MARK = { pending: "☐", in_progress: "▶", done: "☑" };
+export function renderTodos(list) {
+    if (!list.length)
+        return "(todo list cleared)";
+    const done = list.filter((t) => t.status === "done").length;
+    return `Todos (${done}/${list.length} done):\n` + list.map((t) => `  ${MARK[t.status]} ${t.text}`).join("\n");
+}
+registerTool({
+    name: "todo_write",
+    description: "Maintain a short task checklist for the CURRENT work. Use it to plan a multi-step task up front, then " +
+        "update it as you go: keep exactly one item 'in_progress', flip items to 'done' as you finish, add items " +
+        "you discover. Pass the FULL list each call (it replaces the previous). Skip it for trivial one-step tasks.",
+    input_schema: {
+        type: "object",
+        properties: {
+            todos: {
+                type: "array",
+                description: "the full checklist, in order",
+                items: {
+                    type: "object",
+                    properties: {
+                        text: { type: "string", description: "the task, a short imperative phrase" },
+                        status: { type: "string", enum: ["pending", "in_progress", "done"] },
+                    },
+                    required: ["text", "status"],
+                },
+            },
+        },
+        required: ["todos"],
+    },
+    kind: "read", // pure state + display: never prompts, parallel-safe
+    async run(input) {
+        const raw = Array.isArray(input.todos) ? input.todos : [];
+        todos = raw
+            .map((t) => ({
+            text: String(t?.text ?? "").trim(),
+            status: (["pending", "in_progress", "done"].includes(t?.status) ? t.status : "pending"),
+        }))
+            .filter((t) => t.text);
+        return renderTodos(todos);
+    },
+});