@nanhara/hara 0.53.0 → 0.62.0

package/dist/index.js

@@ -6,7 +6,7 @@ import { runTui } from "./tui/run.js";
 import { readClipboardImage } from "./images.js";
 import { describeImages, locateImage, classifyVision, SCREENSHOT_SYSTEM } from "./vision.js";
 import { setTheme } from "./tui/theme.js";
-import { memoryDigest, memoryDir } from "./memory/store.js";
+import { memoryDigest, memoryDir, readRecentLogs, scaffoldMemory } from "./memory/store.js";
 import { nextMode as cycleMode } from "./tui/InputBox.js";
 import { stdin, stdout } from "node:process";
 import { readFileSync, existsSync, writeFileSync, rmSync } from "node:fs";
@@ -16,6 +16,13 @@ import { dirname, join } from "node:path";
 import { loadConfig, configPath, readRawConfig, writeConfigValue, setModelVisionOverride, providerEnvKey, CONFIG_KEYS, APPROVAL_MODES, SANDBOX_MODES, } from "./config.js";
 import { runAgent } from "./agent/loop.js";
 import { notifyDone } from "./notify.js";
+import { startMcpServer, mcpServeToolNames } from "./mcp/server.js";
+import { completionScript } from "./completions.js";
+import { parseVerdict, captureChanges, reviewPrompt, fixPrompt, REVIEWER_SYSTEM, isTreeClean, stripCommitFence } from "./org/review-chain.js";
+import { parseSchedule, describeSchedule, nextRun } from "./cron/schedule.js";
+import { addJob, removeJob, setEnabled, resolveJob, loadJobs, recordRun, logPath } from "./cron/store.js";
+import { runTick, runJobOnce, selfArgv } from "./cron/runner.js";
+import { installScheduler, uninstallScheduler, isInstalled } from "./cron/install.js";
 import { getTools } from "./tools/registry.js";
 import { createAnthropicProvider } from "./providers/anthropic.js";
 import { createOpenAIProvider } from "./providers/openai.js";
@@ -26,7 +33,7 @@ import { collectRepoChunks, collectDirChunks, buildIndex, indexPath, indexExists
 import { searchHybrid } from "./search/hybrid.js";
 import { expandMentions, fileCandidates } from "./context/mentions.js";
 import { newSessionId, shortId, resolveSessionId, saveSession, loadSession, listSessions, latestForCwd, titleFrom, slugify, } from "./session/store.js";
-import { loadRoles, scaffoldRoles } from "./org/roles.js";
+import { loadRoles, scaffoldRoles, subagentToolFilter } from "./org/roles.js";
 import { loadSkillIndex, loadSkillBody, scaffoldSkills, globalSkillsDir } from "./skills/skills.js";
 import { installPlugin, uninstallPlugin, listInstalled, enabledPlugins, setPluginEnabled, pluginMcpServers, pluginHooks } from "./plugins/plugins.js";
 import { routeByKeywords, buildDispatchPrompt, parseRoleId } from "./org/router.js";
@@ -50,7 +57,19 @@ import "./tools/codebase.js"; // register codebase_search (repo as a knowledge b
 import "./tools/todo.js"; // register todo_write (inline task checklist)
 import { computerBackends } from "./tools/computer.js"; // register the computer tool + expose the backend probe
 const here = dirname(fileURLToPath(import.meta.url));
-const pkg = JSON.parse(readFileSync(join(here, "..", "package.json"), "utf8"));
+// Version: from a build-time define in the compiled single-binary (no package.json on its virtual FS),
+// else read package.json (npm install / `node dist`). The read is wrapped so the binary never hits it.
+const pkg = {
+    version: process.env.HARA_BUILD_VERSION ??
+        ((() => {
+            try {
+                return JSON.parse(readFileSync(join(here, "..", "package.json"), "utf8")).version;
+            }
+            catch {
+                return "0.0.0";
+            }
+        })()),
+};
 const maskKey = (v) => (v ? `${v.slice(0, 7)}…${v.slice(-4)}` : "(unset)");
 async function buildProvider(cfg) {
     if (cfg.provider === "qwen-oauth") {
@@ -75,6 +94,61 @@ async function runInit(provider, cwd, sandbox = "off") {
     const history = [{ role: "user", content: INIT_PROMPT }];
     await runAgent(history, { provider, ctx: { cwd, sandbox }, approval: "full-auto", confirm: async () => true });
 }
+/** Stage everything and commit with an AI-written message. Returns a one-line summary or "error: …".
+ *  Used by `hara org --commit`; the caller guards on a clean start tree so this only captures the run's work. */
+async function autoCommit(provider, cwd) {
+    try {
+        await runShell("git add -A", cwd, "off", { timeout: 30_000, maxBuffer: 1_000_000 });
+    }
+    catch {
+        /* fall through — empty diff is reported below */
+    }
+    let diff = "";
+    try {
+        diff = (await runShell("git diff --staged", cwd, "off", { timeout: 30_000, maxBuffer: 8_000_000 })).stdout;
+    }
+    catch (e) {
+        return `error: git diff failed (${e instanceof Error ? e.message : String(e)})`;
+    }
+    if (!diff.trim())
+        return "nothing to commit";
+    const r = await provider.turn({
+        system: COMMIT_SYSTEM,
+        history: [{ role: "user", content: `Write a commit message for these staged changes:\n\n\`\`\`diff\n${diff.slice(0, 120_000)}\n\`\`\`` }],
+        tools: [],
+        onText: () => { },
+    });
+    const msg = stripCommitFence(r.text);
+    if (!msg)
+        return "error: no commit message produced";
+    const tmp = join(tmpdir(), `hara-org-commit-${process.pid}.txt`);
+    writeFileSync(tmp, msg + "\n", "utf8");
+    try {
+        const res = await runShell(`git commit -F ${JSON.stringify(tmp)}`, cwd, "off", { timeout: 30_000, maxBuffer: 1_000_000 });
+        return (res.stdout || "").trim().split("\n")[0] || "committed";
+    }
+    catch (e) {
+        return `error: git commit failed (${e instanceof Error ? e.message : String(e)})`;
+    }
+    finally {
+        try {
+            rmSync(tmp);
+        }
+        catch {
+            /* best-effort cleanup */
+        }
+    }
+}
+/** Format an autoCommit result + emit it. */
+async function commitStep(provider, cwd) {
+    const r = await autoCommit(provider, cwd);
+    if (r.startsWith("error:"))
+        out(c.red(`✗ ${r}\n`));
+    else if (r === "nothing to commit")
+        out(c.dim("(nothing to commit)\n"));
+    else
+        out(c.green(`✓ committed · ${r.slice(0, 100)}\n`));
+}
 /** Dispatch a task to the owning role and run that role's agent (its persona + tool subset + model). */
 async function runOrg(task, o) {
     const roles = loadRoles(o.cwd);
@@ -115,7 +189,7 @@ async function runOrg(task, o) {
             ? (n) => !role.denyTools.includes(n)
             : undefined;
     const history = [{ role: "user", content: expandMentions(task, o.cwd) }];
-    await runAgent(history, {
+    const runImplementer = () => runAgent(history, {
         provider: roleProvider,
         ctx: { cwd: o.cwd, sandbox: o.sandbox },
         approval: o.approval,
@@ -126,6 +200,61 @@ async function runOrg(task, o) {
         systemOverride: role.system,
         toolFilter,
     });
+    const wasClean = o.commit ? isTreeClean(o.cwd) : false; // capture BEFORE the implementer edits anything
+    const doCommit = async (ok) => {
+        if (!o.commit)
+            return;
+        if (!ok)
+            return void out(c.yellow("(not committing — review didn't approve; changes left in your working tree)\n"));
+        if (!wasClean)
+            return void out(c.yellow("(not auto-committing — the tree wasn't clean before this run; commit manually)\n"));
+        await commitStep(o.baseProvider, o.cwd);
+    };
+    await runImplementer();
+    if (!o.review) {
+        await doCommit(true);
+        return;
+    }
+    // Review chain: a reviewer role inspects the diff and APPROVES or sends it back, looping until clean.
+    const reviewer = roles.find((r) => r.id === "reviewer");
+    const revProvider = reviewer?.model && reviewer.model !== o.cfg.model ? ((await buildProvider({ ...o.cfg, model: reviewer.model })) ?? o.baseProvider) : o.baseProvider;
+    const revSystem = reviewer?.system ?? REVIEWER_SYSTEM;
+    const revTools = reviewer?.allowTools ? (n) => reviewer.allowTools.includes(n) : (n) => READONLY_TOOLS.has(n);
+    const maxRounds = Math.max(1, o.rounds ?? 3);
+    for (let round = 1; round <= maxRounds; round++) {
+        const changes = captureChanges(o.cwd);
+        if (!changes.diff && !changes.newFiles.length) {
+            out(c.dim("(no changes to review)\n"));
+            return;
+        }
+        out(c.dim(`🔍 reviewer · round ${round}/${maxRounds}\n`));
+        const rHist = [{ role: "user", content: reviewPrompt(task, changes) }];
+        await runAgent(rHist, {
+            provider: revProvider,
+            ctx: { cwd: o.cwd, sandbox: o.sandbox },
+            approval: "full-auto", // reviewer is read-only via revTools, so nothing to confirm
+            confirm: o.confirm,
+            projectContext: o.projectContext,
+            memory: memoryDigest(o.cwd),
+            stats: o.stats,
+            systemOverride: revSystem,
+            toolFilter: revTools,
+        });
+        const verdict = parseVerdict(lastAssistantText(rHist));
+        if (verdict.approved) {
+            out(c.green(`✓ reviewer approved after ${round} round(s)\n`));
+            await doCommit(true);
+            return;
+        }
+        if (round === maxRounds) {
+            out(c.yellow(`⚠ stopped after ${maxRounds} round(s) — reviewer still wants changes.\n`));
+            await doCommit(false);
+            return;
+        }
+        out(c.yellow(`✗ changes requested — back to ${role.id} (round ${round})\n`));
+        history.push({ role: "user", content: fixPrompt(verdict.issues) });
+        await runImplementer();
+    }
 }
 function lastAssistantText(history) {
     for (let i = history.length - 1; i >= 0; i--) {
@@ -312,6 +441,11 @@ const PLAN_SYSTEM = "You are in PLAN MODE. Investigate read-only (read_file / gr
     "End your message with the plan as a short numbered list.";
 const DISTILL_SYSTEM = "The session is ending. Reflect and persist only durable, reusable learnings: memory_write for facts / " +
     "conventions / the user's preferences, skill_create for reusable how-tos. Be selective — skip the trivial. Then reply DONE.";
+const MEMORY_DISTILL_SYSTEM = "You consolidate an agent's short-term daily memory logs into its durable long-term memory. You're given " +
+    "the current durable memory and recent daily logs. Extract ONLY durable, reusable facts / decisions / " +
+    "conventions / user preferences from the logs that are NOT already captured, and persist each with " +
+    "memory_write (target=memory, or target=user for preferences; pick the right scope=project|global). " +
+    "Skip the ephemeral, the one-off, and anything already known. Be terse and de-duplicated. Then reply DONE.";
 const COMPACT_SYSTEM = "Summarize the conversation so far into a concise but complete brief so the assistant can " +
     "continue seamlessly: the user's goal, key decisions, files changed, current state, and open next steps. " +
     "Be specific. Output only the summary.";
@@ -326,11 +460,10 @@ async function runSubagent(cfg, baseProvider, cwd, sandbox, projectContext, stat
     const roles = loadRoles(cwd);
     const role = roleId ? roles.find((r) => r.id === roleId) : undefined;
     const provider = role?.model && role.model !== cfg.model ? ((await buildProvider({ ...cfg, model: role.model })) ?? baseProvider) : baseProvider;
-    const toolFilter = role?.allowTools
-        ? (n) => role.allowTools.includes(n)
-        : role?.denyTools
-            ? (n) => !role.denyTools.includes(n)
-            : (n) => READONLY_TOOLS.has(n); // default sub-agent = read-only (safe to parallelize)
+    // A sub-agent runs full-auto + UNCONFIRMED + parallel, so it is ALWAYS read-only — a role may narrow
+    // further but can never GRANT write/exec to a fan-out sub-agent (that would bypass the approval gate).
+    // Write-capable roles run in the main loop via `hara org`, behind the user's gate.
+    const toolFilter = subagentToolFilter(role, (n) => READONLY_TOOLS.has(n));
     const subHistory = [{ role: "user", content: task }];
     await runAgent(subHistory, {
         provider,
@@ -377,9 +510,11 @@ function runDoctor(cfg) {
         `${dot} vision · ${c.bold(cfg.model)} ${vdesc}${cfg.visionModel ? c.dim(" · describer ") + c.bold(cfg.visionModel) : vcap === "text" ? c.yellow(" · set /vision <model>") : ""}`,
         `${dot} screen ${cfg.computerUse === "off" ? c.dim("off (hara config set computerUse read|click|full)") : c.bold(cfg.computerUse) + c.dim(` · ${computerBackends()}${cfg.computerApps.length ? " · apps: " + cfg.computerApps.join(", ") : " · no app allowlist"}`)}`,
         `${dot} plugins ${(() => { const inst = listInstalled(); const on = enabledPlugins().length; return inst.length ? c.dim(`${on}/${inst.length} enabled: ${inst.map((p) => p.name).slice(0, 6).join(", ")}`) : c.dim("none — hara plugin add <source>"); })()}`,
-        `${dot} mcp servers ${c.dim(String(Object.keys({ ...pluginMcpServers(), ...cfg.mcpServers }).length))}`,
+        `${dot} mcp ${c.dim(`client: ${Object.keys({ ...pluginMcpServers(), ...cfg.mcpServers }).length} server(s) · serve: ${mcpServeToolNames().length} read tools via \`hara mcp\``)}`,
         `${dot} hooks ${(() => { const ph = pluginHooks(); const pre = (cfg.hooks.PreToolUse ?? []).length + (ph.PreToolUse ?? []).length; const post = (cfg.hooks.PostToolUse ?? []).length + (ph.PostToolUse ?? []).length; return pre + post ? c.dim(`${pre} pre · ${post} post`) : c.dim("none — config.json \"hooks\""); })()}`,
         `${dot} notify ${cfg.notify === "off" ? c.dim("off — hara config set notify bell|system") : c.bold(cfg.notify)}`,
+        `${dot} cron ${(() => { const n = loadJobs().length; return n ? `${n} job(s) · ${isInstalled() ? c.green("scheduler installed") : c.yellow("scheduler off — hara cron install")}` : c.dim("no jobs — hara cron add"); })()}`,
+        `${dot} input ${cfg.vimMode ? c.bold("vim") + c.dim(" (modal)") : c.dim("default — hara config set vimMode true for vim keys")}`,
     ];
     return lines.join("\n");
 }
@@ -434,8 +569,11 @@ program
 });
 program
     .command("org <task...>")
-    .description("dispatch a task to the owning role and run it")
+    .description("dispatch a task to the owning role and run it (--review loops a reviewer until it approves)")
     .option("--role <id>", "force a specific role")
+    .option("--review", "after implementing, loop a reviewer role until it approves (implement → review → fix)")
+    .option("--rounds <n>", "max review rounds with --review (default 3)", (v) => parseInt(v, 10))
+    .option("--commit", "commit the result with an AI message (with --review: only after approval; needs a clean start tree)")
     .action(async (taskParts, opts2) => {
     const cfg = loadConfig();
     const provider = await buildProvider(cfg);
@@ -454,6 +592,9 @@ program
         projectContext: loadAgentsMd(cfg.cwd) || undefined,
         stats,
         forceRole: opts2.role,
+        review: opts2.review,
+        rounds: opts2.rounds,
+        commit: opts2.commit,
     });
     if (stats.input || stats.output)
         out(statusLine(cfg.model, stats.input, stats.output) + "\n");
@@ -555,6 +696,31 @@ program
     .command("doctor")
     .description("check your hara setup (provider / auth / model / node / assets / roles)")
     .action(() => out(runDoctor(loadConfig()) + "\n"));
+program
+    .command("completions <shell>")
+    .description("print a shell completion script: bash | zsh | fish (eval it in your shell rc)")
+    .action((shell) => {
+    const top = program.commands.map((cmd) => cmd.name()).filter((n) => n && n !== "completions").sort();
+    const subs = {};
+    for (const cmd of program.commands) {
+        const sub = cmd.commands.map((s) => s.name()).filter(Boolean);
+        if (sub.length)
+            subs[cmd.name()] = sub;
+    }
+    const script = completionScript(shell, { top, subs });
+    if (!script)
+        return void out(c.red(`Unsupported shell '${shell}'. Use: bash | zsh | fish\n`));
+    out(script);
+});
+program
+    .command("mcp")
+    .description("run hara as an MCP server (stdio) — expose its read/search tools (incl. codebase_search) to other MCP clients")
+    .action(async () => {
+    const cfg = loadConfig();
+    // stdout is the JSON-RPC transport — diagnostics MUST go to stderr only.
+    process.stderr.write(c.dim(`hara mcp · serving over stdio · cwd ${cfg.cwd}\n  tools: ${mcpServeToolNames().join(", ") || "(none)"}\n  (read-only by default; set HARA_MCP_TOOLS to override)\n`));
+    await startMcpServer(pkg.version, { cwd: cfg.cwd, sandbox: "read-only" });
+});
 program
     .command("review")
     .description("review your uncommitted changes (git diff) for bugs, security, and missing tests")
@@ -660,6 +826,154 @@ program
         }
     }
 });
+function renderCronJobs() {
+    const jobs = loadJobs();
+    const head = isInstalled() ? c.green("scheduler: installed") : c.yellow("scheduler: NOT installed — run `hara cron install`");
+    if (!jobs.length)
+        return head + "\n" + c.dim('No jobs. Add one:  hara cron add "every 1h" "<task>"\n');
+    const now = Date.now();
+    const lines = jobs.map((j) => {
+        const nxt = nextRun(j, now);
+        const status = j.lastStatus ? (j.lastStatus === "ok" ? c.green("ok") : c.red("err")) : c.dim("—");
+        return `${c.bold(j.id)} ${describeSchedule(j.schedule)} ${c.dim(`· ${j.mode} · next ${nxt ? new Date(nxt).toLocaleString() : "—"} · last ${status}`)}${j.enabled ? "" : c.dim(" [disabled]")}\n   ${c.dim(j.name)}`;
+    });
+    return head + "\n" + lines.join("\n") + "\n";
+}
+const cronCmd = program.command("cron").description("scheduled tasks — run a prompt/org task on a schedule (fired by your OS via `hara cron install`)");
+cronCmd
+    .command("add <schedule> <task...>")
+    .description('schedule a task — schedule = cron expr ("0 9 * * *"), "every 30m", "in 2h", or an ISO timestamp')
+    .option("--name <name>", "a label for the job")
+    .option("--org", "run via `hara org` (role routing + review) instead of a plain `hara -p` prompt")
+    .action((schedule, taskParts, opts) => {
+    const task = taskParts.join(" ");
+    const sched = parseSchedule(schedule, Date.now());
+    if ("error" in sched)
+        return void out(c.red(sched.error + "\n"));
+    const job = addJob({ name: opts.name || task.slice(0, 48), schedule: sched, task, mode: opts.org ? "org" : "print", cwd: process.cwd(), createdAt: Date.now() });
+    out(c.green(`✓ scheduled ${job.id}`) + c.dim(` · ${describeSchedule(sched)} · ${job.mode} · cwd ${job.cwd}\n`));
+    if (!isInstalled())
+        out(c.yellow("⚠ scheduler not installed yet — run `hara cron install` so jobs actually fire.\n"));
+});
+// Resolve an id/prefix to one job, printing a clear error for none / ambiguous (never act on a guess).
+const cronResolve = (id) => {
+    const r = resolveJob(id);
+    if (r === "ambiguous")
+        return void out(c.red(`ambiguous id "${id}" — matches multiple jobs; type more characters\n`)), null;
+    if (!r)
+        return void out(c.red(`no such job: ${id}\n`)), null;
+    return r;
+};
+cronCmd.command("list").alias("ls").description("list scheduled jobs").action(() => out(renderCronJobs()));
+cronCmd
+    .command("remove <id>")
+    .alias("rm")
+    .description("delete a job (by id or unique prefix)")
+    .action((id) => {
+    const j = cronResolve(id);
+    if (j)
+        out(removeJob(j.id) ? c.green(`✓ removed ${j.id}\n`) : c.red("no such job\n"));
+});
+cronCmd.command("enable <id>").description("enable a job").action((id) => {
+    const j = cronResolve(id);
+    if (j) {
+        setEnabled(j.id, true);
+        out(c.green(`✓ enabled ${j.id}\n`));
+    }
+});
+cronCmd.command("disable <id>").description("disable a job (keeps it, stops firing)").action((id) => {
+    const j = cronResolve(id);
+    if (j) {
+        setEnabled(j.id, false);
+        out(c.green(`✓ disabled ${j.id}\n`));
+    }
+});
+cronCmd
+    .command("run <id>")
+    .description("run a job right now, ignoring its schedule")
+    .action(async (id) => {
+    const job = cronResolve(id);
+    if (!job)
+        return;
+    out(c.dim(`running ${job.id} (${job.name})…\n`));
+    const r = await runJobOnce(job);
+    recordRun(job.id, Date.now(), r.ok ? "ok" : "error", r.error);
+    out((r.ok ? c.green("✓ done") : c.red(`✗ ${r.error}`)) + c.dim(` · log: ${logPath(job.id)}\n`));
+});
+cronCmd
+    .command("tick")
+    .description("run all due jobs now (your OS scheduler calls this every minute)")
+    .action(async () => {
+    const r = await runTick(Date.now());
+    if (r.skipped)
+        return void out(c.dim(`(skipped — ${r.skipped})\n`));
+    out(c.dim(r.ran.length ? `ran ${r.ran.length} job(s): ${r.ran.join(", ")}\n` : "(no jobs due)\n"));
+});
+cronCmd
+    .command("install")
+    .description("register the per-minute tick with your OS scheduler (launchd on macOS, crontab on Linux)")
+    .action(() => {
+    const r = installScheduler(selfArgv());
+    out((r.ok ? c.green("✓ ") : c.red("✗ ")) + r.msg + "\n");
+});
+cronCmd.command("uninstall").description("remove the OS scheduler entry").action(() => {
+    const r = uninstallScheduler();
+    out((r.ok ? c.green("✓ ") : c.red("✗ ")) + r.msg + "\n");
+});
+cronCmd
+    .command("logs <id>")
+    .description("show a job's recent run output")
+    .action((id) => {
+    const job = cronResolve(id);
+    if (!job)
+        return;
+    const p = logPath(job.id);
+    out(existsSync(p) ? readFileSync(p, "utf8").slice(-4000) + "\n" : c.dim("(no runs yet)\n"));
+});
+const memoryCmd = program.command("memory").description("inspect + consolidate hara's durable memory (~/.hara/memory + project .hara/memory)");
+memoryCmd.command("show").description("print the memory digest injected at session start").action(() => {
+    const d = memoryDigest(process.cwd());
+    out(d ? d + "\n" : c.dim("(memory is empty — `hara memory init`, or let the agent write via memory_write)\n"));
+});
+memoryCmd.command("init").description("scaffold the memory dirs + seed files (global + project)").action(() => {
+    const w = scaffoldMemory(process.cwd());
+    out(w.length ? c.green(`Scaffolded: ${w.join(", ")}\n`) : c.dim("Memory already scaffolded.\n"));
+});
+memoryCmd
+    .command("distill")
+    .description("consolidate recent daily logs into durable MEMORY (promote short-term → long-term)")
+    .option("--days <n>", "days of logs to consider (default 14)", (v) => parseInt(v, 10))
+    .option("--scope <s>", "global | project | all (default all)")
+    .action(async (opts) => {
+    const cfg = loadConfig();
+    const provider = await buildProvider(cfg);
+    if (!provider) {
+        out(c.red(`Not authenticated for provider '${cfg.provider}'.\n`) + authHint(cfg) + "\n");
+        process.exit(1);
+    }
+    const days = opts.days && opts.days > 0 ? opts.days : 14;
+    const scopes = opts.scope === "global" ? ["global"] : opts.scope === "project" ? ["project"] : ["project", "global"];
+    const logs = scopes
+        .map((s) => readRecentLogs(s, cfg.cwd, days))
+        .filter(Boolean)
+        .join("\n\n");
+    if (!logs.trim())
+        return void out(c.dim(`No daily logs in the last ${days} day(s) to distill. (The agent jots them via memory_write target=log.)\n`));
+    out(c.dim(`Distilling ${days}-day logs → durable memory…\n`));
+    const stats = { input: 0, output: 0, lastInput: 0 };
+    const history = [{ role: "user", content: `Current durable memory:\n\n${memoryDigest(cfg.cwd) || "(empty)"}\n\n---\n\nRecent daily logs (last ${days} days):\n\n${logs.slice(0, 80_000)}` }];
+    await runAgent(history, {
+        provider,
+        ctx: { cwd: cfg.cwd, sandbox: cfg.sandbox },
+        approval: "full-auto",
+        confirm: async () => true,
+        toolFilter: (n) => n === "memory_write" || READONLY_TOOLS.has(n),
+        systemOverride: MEMORY_DISTILL_SYSTEM,
+        stats,
+    });
+    if (stats.input || stats.output)
+        out(statusLine(cfg.model, stats.input, stats.output) + "\n");
+});
 const rolesCmd = program.command("roles").description("manage org roles (.hara/roles)");
 rolesCmd
     .command("init")
@@ -715,6 +1029,18 @@ pluginCmd
             m.mcpServers ? `${Object.keys(m.mcpServers).length} mcp server(s)` : "",
         ].filter(Boolean);
         out(c.green(`Installed ${p.name}@${p.version}${parts.length ? c.dim(" — " + parts.join(", ")) : ""}\n`));
+        // Surface the code-execution surface: a plugin's MCP servers + hooks run shell commands on every
+        // hara launch with no prompt. Installing a plugin = trusting its author to run code; show what.
+        const execs = [];
+        for (const [name, s] of Object.entries(m.mcpServers ?? {}))
+            execs.push(`mcp ${name}: ${[s.command, ...(s.args ?? [])].join(" ")}`);
+        for (const h of [...(m.hooks?.PreToolUse ?? []), ...(m.hooks?.PostToolUse ?? [])])
+            execs.push(`hook: ${h.command}`);
+        if (execs.length) {
+            out(c.yellow(`⚠ ${p.name} will run these commands on every hara launch (a plugin is code you run — review them):\n`) +
+                execs.map((e) => c.dim(`    ${e}`)).join("\n") +
+                c.dim(`\n    disable: hara plugin disable ${p.name}\n`));
+        }
     }
     catch (e) {
         out(c.red(`Install failed: ${e.message}\n`));
@@ -1272,6 +1598,7 @@ program.action(async (opts) => {
             header: { version: pkg.version, model: `${cfg.provider}:${cfg.model}`, cwd, vision: visionLine, session: meta.id, tip: `/help · @file attaches · shift+tab cycles modes · esc interrupts${projectContext ? " · AGENTS.md loaded" : ""}` },
             cycleApproval: (m) => cycleMode(m),
             onClipboardImage: readClipboardImage,
+            vim: cfg.vimMode,
             onSubmit: async (line, h, images) => {
                 if (line.startsWith("/")) {
                     const [nm, ...rest] = line.slice(1).split(/\s+/);
@@ -1420,6 +1747,49 @@ program.action(async (opts) => {
                         h.setApproval(m);
                         return void h.sink.notice(`(approval → ${m})`);
                     }
+                    if (nm === "diff") {
+                        try {
+                            const d = (await runShell(arg === "staged" ? "git diff --staged" : "git diff HEAD", cwd, "off", { timeout: 30_000, maxBuffer: 8_000_000 })).stdout.trim();
+                            if (!d)
+                                return void h.sink.notice(arg === "staged" ? "(nothing staged)" : "(no changes vs HEAD — /diff staged for the index)");
+                            return void h.sink.diff(d.length > 12_000 ? d.slice(0, 12_000) + "\n…[truncated]" : d);
+                        }
+                        catch {
+                            return void h.sink.notice("(git diff failed — is this a git repo?)");
+                        }
+                    }
+                    if (nm === "commit") {
+                        h.sink.notice("✻ writing a commit message…");
+                        const r = await autoCommit(provider, cwd); // stages all + commits with an AI message
+                        return void h.sink.notice(r.startsWith("error:") ? `✗ ${r}` : r === "nothing to commit" ? "(nothing to commit — make or stage changes first)" : `✓ committed · ${r.slice(0, 100)}`);
+                    }
+                    if (nm === "review") {
+                        let diff = "";
+                        try {
+                            diff = (await runShell("git diff HEAD", cwd, "off", { timeout: 30_000, maxBuffer: 8_000_000 })).stdout;
+                        }
+                        catch {
+                            /* not a git repo → empty */
+                        }
+                        if (!diff.trim())
+                            return void h.sink.notice("(nothing to review — no changes vs HEAD)");
+                        const rui = { text: h.sink.assistantDelta, reasoning: h.sink.reasoningDelta, tool: h.sink.tool, diff: h.sink.diff, notice: h.sink.notice };
+                        const xin = stats.input;
+                        const xout = stats.output;
+                        await runAgent([{ role: "user", content: `Review this diff:\n\n\`\`\`diff\n${diff.slice(0, 120_000)}\n\`\`\`` }], {
+                            provider,
+                            ctx: { cwd, sandbox, ui: rui },
+                            approval: "full-auto", // read-only via the tool filter, so nothing prompts
+                            confirm: h.confirm,
+                            toolFilter: (n) => READONLY_TOOLS.has(n),
+                            systemOverride: REVIEW_SYSTEM,
+                            memory: buildMemory(),
+                            stats,
+                            signal: h.signal,
+                        });
+                        h.sink.usage(stats.input - xin, stats.output - xout);
+                        return;
+                    }
                     if (byName.has(nm))
                         return void h.sink.notice(`/${nm} isn't wired into the TUI yet — use \`hara ${nm} …\` as a subcommand, or HARA_TUI=0.`);
                     const near = nearest(nm, [...byName.keys()]);

package/dist/mcp/server.js

@@ -0,0 +1,56 @@
+// MCP server — expose hara's safe read/search tools over stdio so other MCP clients (Claude Desktop,
+// Cursor, another hara, …) can use them. The high-value one is `codebase_search` over the current repo
+// (semantic if you've built an index, lexical otherwise). `hara mcp` runs this.
+//
+// Read-only by DEFAULT: no edit/write/bash/computer — an external client must not be able to mutate your
+// machine through hara. Override the exposed set with HARA_MCP_TOOLS (comma list) at your own risk.
+//
+// IMPORTANT: stdio is the JSON-RPC transport — this module must never write to stdout. Diagnostics go to
+// stderr (the `hara mcp` command handles that); tool output flows back through the protocol.
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { ListToolsRequestSchema, CallToolRequestSchema } from "@modelcontextprotocol/sdk/types.js";
+import { getTool, getTools } from "../tools/registry.js";
+/** Safe default: navigate + search the repo + the web. No state, no mutation, no privacy-sensitive memory. */
+const SAFE_TOOLS = ["read_file", "grep", "glob", "ls", "codebase_search", "web_fetch", "web_search"];
+/** Names to expose: HARA_MCP_TOOLS (comma list) if set, else the safe default — intersected with what's
+ *  actually registered. An unknown name in the override is silently dropped. */
+export function mcpServeToolNames() {
+    const env = process.env.HARA_MCP_TOOLS;
+    const want = env ? env.split(",").map((s) => s.trim()).filter(Boolean) : SAFE_TOOLS;
+    const have = new Set(getTools().map((t) => t.name));
+    return want.filter((n) => have.has(n));
+}
+/** The exposed tools in MCP `tools/list` shape. */
+export function mcpToolList() {
+    return mcpServeToolNames().map((n) => {
+        const t = getTool(n);
+        return { name: t.name, description: t.description, inputSchema: t.input_schema };
+    });
+}
+/** Run one exposed tool. Refuses anything outside the exposed set (defense in depth, even if a client
+ *  asks for a name it shouldn't know). Never throws — errors come back as `isError` results. */
+export async function mcpCallTool(name, args, ctx) {
+    if (!mcpServeToolNames().includes(name)) {
+        return { content: [{ type: "text", text: `Tool not exposed by \`hara mcp\`: ${name}` }], isError: true };
+    }
+    const tool = getTool(name);
+    if (!tool)
+        return { content: [{ type: "text", text: `Unknown tool: ${name}` }], isError: true };
+    try {
+        const out = await tool.run(args ?? {}, ctx);
+        return { content: [{ type: "text", text: String(out) }] };
+    }
+    catch (e) {
+        return { content: [{ type: "text", text: `Error: ${e instanceof Error ? e.message : String(e)}` }], isError: true };
+    }
+}
+/** Start the stdio MCP server and block (the transport keeps the process alive). */
+export async function startMcpServer(version, ctx) {
+    const server = new Server({ name: "hara", version }, { capabilities: { tools: {} } });
+    server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: mcpToolList() }));
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- SDK's result union has a task-augmented
+    // member TS can't narrow to; our {content,isError} shape is a valid CallToolResult (validated at runtime).
+    server.setRequestHandler(CallToolRequestSchema, async (req) => (await mcpCallTool(req.params.name, (req.params.arguments ?? {}), ctx)));
+    await server.connect(new StdioServerTransport());
+}

package/dist/memory/store.js

@@ -3,9 +3,21 @@
 // project <root>/.hara/memory. Lexical search reuses recall.ts; no embeddings (local-first).
 import { homedir } from "node:os";
 import { join, dirname } from "node:path";
-import { readFileSync, writeFileSync, appendFileSync, mkdirSync, existsSync } from "node:fs";
+import { readFileSync, writeFileSync, appendFileSync, mkdirSync, existsSync, readdirSync } from "node:fs";
 import { findProjectRoot } from "../context/agents-md.js";
-const DIGEST_CAP = 4000; // chars of MEMORY/USER injected at session start (logs reached via search)
+// Per-source budgets for the frozen-snapshot digest (chars). Each source gets its own cap so a large
+// project MEMORY can't crowd out the (smaller but high-value) USER prefs — and each is cut at a line
+// boundary, never mid-entry. Anything beyond these is still reachable via memory_search. (hermes-style
+// per-file budgets; both PAI and hermes confirm lexical injection + capped snapshot beats a vector store.)
+const SOURCE_CAP = { memory: 2000, user: 1200, log: 0 };
+/** Truncate at a line boundary at/under `cap` (never mid-entry), with a pointer to search for the rest. */
+function capAtLine(text, cap) {
+    if (text.length <= cap)
+        return text;
+    const cut = text.slice(0, cap);
+    const nl = cut.lastIndexOf("\n");
+    return (nl > cap * 0.5 ? cut.slice(0, nl) : cut).trimEnd() + "\n…[truncated — memory_search for the rest]";
+}
 export function memoryDir(scope, cwd) {
     if (scope === "global")
         return process.env.HARA_MEMORY || join(homedir(), ".hara", "memory");
@@ -49,7 +61,9 @@ export function forgetMemory(scope, target, match, cwd) {
     writeFileSync(f, kept.join("\n"), "utf8");
     return lines.length - kept.length;
 }
-/** Capped MEMORY + USER digest (project + global) for frozen-snapshot injection at session start. */
+/** MEMORY + USER digest (project + global) for frozen-snapshot injection at session start. Each source is
+ *  capped independently (SOURCE_CAP) at a line boundary, so every source is represented (project memory
+ *  never starves USER prefs) and no entry is cut mid-line. Daily logs are reached via memory_search. */
 export function memoryDigest(cwd) {
     const sources = [
         ["project", "memory", "project MEMORY"],
@@ -64,14 +78,38 @@ export function memoryDigest(cwd) {
         try {
             const t = readFileSync(f, "utf8").trim();
             if (t)
-                parts.push(`## ${label}\n${t}`);
+                parts.push(`## ${label}\n${capAtLine(t, SOURCE_CAP[target])}`);
+        }
+        catch {
+            /* skip unreadable */
+        }
+    }
+    return parts.join("\n\n");
+}
+/** Concatenate the daily logs (`log/YYYY-MM-DD.md`) from the last `days` for one scope — the short-term
+ *  tier `hara memory distill` consolidates into evergreen MEMORY. Empty if there's no log dir. */
+export function readRecentLogs(scope, cwd, days) {
+    const dir = join(memoryDir(scope, cwd), "log");
+    if (!existsSync(dir))
+        return "";
+    const cutoff = Date.now() - days * 86_400_000;
+    const out = [];
+    for (const f of readdirSync(dir).sort()) {
+        if (!f.endsWith(".md"))
+            continue;
+        const m = /^(\d{4})-(\d{2})-(\d{2})\.md$/.exec(f);
+        if (m && new Date(Number(m[1]), Number(m[2]) - 1, Number(m[3])).getTime() < cutoff)
+            continue;
+        try {
+            const t = readFileSync(join(dir, f), "utf8").trim();
+            if (t)
+                out.push(`### ${f}\n${t}`);
         }
         catch {
             /* skip unreadable */
         }
     }
-    const out = parts.join("\n\n");
-    return out.length > DIGEST_CAP ? out.slice(0, DIGEST_CAP) + "\n…[memory truncated — use memory_search]" : out;
+    return out.join("\n\n");
 }
 /** Create memory dirs + seed files (global + project). Returns files written. */
 export function scaffoldMemory(cwd) {