@nanhara/hara 0.53.0 → 0.62.0

package/dist/org/review-chain.js

@@ -0,0 +1,91 @@
+// Multi-role review chain — hara's "runs like an engineering org" move. After an implementer makes
+// changes, a reviewer role inspects the diff and either APPROVES or requests changes; requested changes
+// feed back to the implementer, looping until approved or a round cap. The orchestration lives in runOrg
+// (it needs runAgent + providers); these are the pure, testable pieces: verdict parsing, change capture,
+// and the prompts. Used by `hara org --review`.
+import { execFileSync } from "node:child_process";
+/** Fallback reviewer persona when the project has no `reviewer` role. Read-only by intent. */
+export const REVIEWER_SYSTEM = `You are a senior code reviewer reviewing changes made to accomplish a task.
+Inspect them for: correctness and bugs, security, missing edge cases, and whether they actually accomplish
+the task. Use read_file / grep / glob / ls to inspect context and any new files. Be concrete and specific —
+cite files. Block only on real problems (bugs, breakage, security), not style preferences.
+
+A script parses your final line, so it MUST be EXACTLY one of these two, verbatim, as the LAST line —
+the literal word APPROVED or CHANGES_REQUESTED. Do NOT paraphrase it (not "No issues found", not "LGTM"),
+do NOT bold it, do NOT add words after the token:
+VERDICT: APPROVED
+VERDICT: CHANGES_REQUESTED
+
+Use APPROVED only if the changes correctly and safely accomplish the task. If anything must be fixed, use
+CHANGES_REQUESTED and list the required fixes as a short numbered list ABOVE the verdict line — each one
+naming the file and exactly what to change.`;
+// Real models won't reliably emit the literal token — across live runs glm-5 wrote `VERDICT: APPROVED`,
+// `**VERDICT**: No issues found`, and `**VERDICT**: PASS`. So we anchor on the (markdown-tolerant) VERDICT
+// marker, then CLASSIFY the phrase after it: a "changes" signal vetoes (safer), an "approve" signal passes,
+// and anything ambiguous stays NOT approved — worst case is one extra review round, never a bad auto-commit.
+const CHANGES_RE = /\b(changes?[ _-]?request\w*|request\w*[ _-]?changes?|fail(ed|ure)?|reject\w*|block\w*|rework|needs?[ _-]?(work|fix\w*|change\w*)|must[ _-]?(fix|change)|not[ _-]?approv\w*)\b/i;
+const APPROVE_RE = /\b(approv\w*|passe?d?|lgtm|accept\w*|ship[ _-]?it|no[ _-]?(issues?|problems?|changes?|concerns?)|looks?[ _-]?good)\b/i;
+/** Parse a reviewer's reply into a verdict — see the note above for why it's lenient. Takes the LAST
+ *  VERDICT marker (the final call) and classifies the phrase after it; `issues` is the body before it. */
+export function parseVerdict(text) {
+    const markers = [...text.matchAll(/VERDICT\b[*_:\s]*/gi)];
+    const last = markers[markers.length - 1];
+    if (!last)
+        return { approved: false, issues: text.trim() };
+    const idx = last.index ?? 0;
+    const after = text.slice(idx + last[0].length, idx + last[0].length + 80); // the verdict phrase itself
+    const approved = !CHANGES_RE.test(after) && APPROVE_RE.test(after); // changes-signal vetoes; ambiguous = not approved
+    return { approved, issues: text.slice(0, idx).trim() };
+}
+/** Capture the working-tree changes vs HEAD (what to review). Non-destructive; empty for a non-git dir
+ *  or a repo with no commits. New (untracked) files are listed by name — the reviewer can read_file them. */
+export function captureChanges(cwd, cap = 100_000) {
+    const git = (args) => {
+        try {
+            return execFileSync("git", args, { cwd, encoding: "utf8", maxBuffer: 50_000_000 });
+        }
+        catch {
+            return "";
+        }
+    };
+    let diff = git(["diff", "HEAD"]).trim();
+    if (diff.length > cap)
+        diff = diff.slice(0, cap) + "\n…[diff truncated]";
+    const newFiles = git(["ls-files", "--others", "--exclude-standard"])
+        .split("\n")
+        .map((s) => s.trim())
+        .filter(Boolean)
+        .slice(0, 50);
+    return { diff, newFiles };
+}
+/** True only if the working tree is fully clean — no uncommitted changes. The `--commit` capstone uses
+ *  this as a guard: `git add -A` + commit is only safe to run when the tree was clean before the org ran,
+ *  so it captures THIS run's work and never sweeps up pre-existing WIP. False for a non-git dir. */
+export function isTreeClean(cwd) {
+    try {
+        return execFileSync("git", ["status", "--porcelain"], { cwd, encoding: "utf8", maxBuffer: 50_000_000 }).trim() === "";
+    }
+    catch {
+        return false; // not a git repo / git error → treat as "not clean" so we never auto-commit blindly
+    }
+}
+/** Strip a leading/trailing markdown code fence a model sometimes wraps a commit message in. */
+export function stripCommitFence(text) {
+    return text.trim().replace(/^```[a-z]*\n?/i, "").replace(/\n?```$/i, "").trim();
+}
+/** The reviewer's input: the task + the changes to review. */
+export function reviewPrompt(task, changes) {
+    const parts = [`Task that was implemented:\n${task}`, ""];
+    if (changes.diff)
+        parts.push("Changes (working tree vs HEAD):\n```diff\n" + changes.diff + "\n```");
+    if (changes.newFiles.length)
+        parts.push(`New files (use read_file to inspect): ${changes.newFiles.join(", ")}`);
+    if (!changes.diff && !changes.newFiles.length)
+        parts.push("(no diff captured — inspect the working tree with git / read_file)");
+    parts.push("\nReview these changes against the task. Finish with your VERDICT line.");
+    return parts.join("\n");
+}
+/** Feed the reviewer's requested changes back to the implementer. */
+export function fixPrompt(issues) {
+    return `A code reviewer reviewed your changes and requires these fixes before this can ship:\n\n${issues}\n\nMake these fixes now — edit the files directly; don't just explain.`;
+}

package/dist/org/roles.js

@@ -49,6 +49,17 @@ function parseFrontmatter(text) {
     }
     return { fm, body: m[2].trim() };
 }
+/** Tool filter for a fan-out sub-agent: ALWAYS read-only (sub-agents run full-auto + unconfirmed +
+ *  parallel), with a role allowed to narrow further but never to grant write/exec. `isReadonly` is the
+ *  read-kind predicate. This is the guard that keeps the `agent` tool from bypassing the approval gate. */
+export function subagentToolFilter(role, isReadonly) {
+    const roleFilter = role?.allowTools
+        ? (n) => role.allowTools.includes(n)
+        : role?.denyTools
+            ? (n) => !role.denyTools.includes(n)
+            : null;
+    return (n) => isReadonly(n) && (roleFilter ? roleFilter(n) : true);
+}
 export function loadRoles(cwd) {
     const byId = new Map();
     // lowest→highest precedence: plugins < global < .claude/agents < .hara/roles (project wins, same as memory/config)

package/dist/providers/qwen-oauth.js

@@ -3,7 +3,7 @@
 import { createHash, randomBytes } from "node:crypto";
 import { homedir } from "node:os";
 import { join } from "node:path";
-import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { readFileSync, writeFileSync, existsSync, mkdirSync, chmodSync } from "node:fs";
 const BASE = "https://chat.qwen.ai";
 const DEVICE_CODE_URL = `${BASE}/api/v1/oauth2/device/code`;
 const TOKEN_URL = `${BASE}/api/v1/oauth2/token`;
@@ -28,7 +28,14 @@ export function loadQwenToken() {
 function saveQwenToken(t) {
     const p = tokenPath();
     mkdirSync(join(homedir(), ".hara"), { recursive: true });
-    writeFileSync(p, JSON.stringify(t, null, 2) + "\n", "utf8");
+    // 0600 — the file holds long-lived access + refresh tokens; don't leave it world-readable on shared boxes.
+    writeFileSync(p, JSON.stringify(t, null, 2) + "\n", { encoding: "utf8", mode: 0o600 });
+    try {
+        chmodSync(p, 0o600); // tighten an existing file that predated the mode
+    }
+    catch {
+        /* best-effort */
+    }
 }
 const b64url = (b) => b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 function pkce() {

package/dist/sandbox.js

@@ -1,6 +1,10 @@
-// OS sandboxing for the bash tool. macOS = Seatbelt (sandbox-exec); other platforms run unsandboxed
-// (the approval gate + cwd-scoped file tools still apply). Only the `bash` shell is sandboxed —
-// hara's own file tools (write_file/edit_file) are in-process, explicit, and gated.
+// OS sandboxing for the bash tool — WRITE CONFINEMENT, not a security jail. macOS = Seatbelt
+// (sandbox-exec) restricting `file-write*` to the workspace (workspace-write) or to nothing outside
+// temp (read-only). Reads, network, and process exec are NOT restricted, and /private/tmp +
+// /private/var/folders stay writable in every mode — so this stops a stray `rm`/overwrite escaping the
+// project, NOT a determined exfiltration. Other platforms run UNSANDBOXED (a one-time warning is
+// emitted from runShell so every entry point — REPL, -p, org, cron — surfaces it). Only the `bash`
+// shell is sandboxed; hara's own file tools are in-process, explicit, and gated by the approval flow.
 import { spawn } from "node:child_process";
 import { writeFileSync, mkdtempSync } from "node:fs";
 import { tmpdir, platform } from "node:os";
@@ -23,6 +27,7 @@ function seatbeltProfile(cwd, mode) {
 export function sandboxSupported() {
     return platform() === "darwin";
 }
+let warnedUnsandboxed = false; // emit the "macOS-only" notice at most once per process
 /**
  * Run a shell command, sandboxed when mode != off and the platform supports it.
  * Streams output via `opts.onData` while capturing it for the resolved value.
@@ -39,6 +44,10 @@ export function runShell(command, cwd, mode, opts) {
         args = ["-f", profileFile, "/bin/bash", "-lc", command];
     }
     else {
+        if (mode !== "off" && !warnedUnsandboxed) {
+            warnedUnsandboxed = true;
+            process.stderr.write(`hara: --sandbox ${mode} is macOS-only — the shell runs UNSANDBOXED on ${platform()}.\n`);
+        }
         cmd = "/bin/sh";
         args = ["-c", command];
     }
@@ -47,20 +56,31 @@ export function runShell(command, cwd, mode, opts) {
         let stdout = "";
         let stderr = "";
         let timedOut = false;
+        let killedForSize = false;
         const grow = (cur, add) => (cur.length < opts.maxBuffer ? cur + add : cur);
         const timer = setTimeout(() => {
             timedOut = true;
             child.kill("SIGKILL");
         }, opts.timeout);
+        // Kill a runaway command once its total output passes maxBuffer — don't let it stream GBs to the UI
+        // until the timeout just because we stopped retaining the bytes.
+        const checkOverflow = () => {
+            if (!killedForSize && stdout.length + stderr.length >= opts.maxBuffer) {
+                killedForSize = true;
+                child.kill("SIGKILL");
+            }
+        };
         child.stdout.on("data", (d) => {
             const s = d.toString();
             stdout = grow(stdout, s);
             opts.onData?.(s);
+            checkOverflow();
         });
         child.stderr.on("data", (d) => {
             const s = d.toString();
             stderr = grow(stderr, s);
             opts.onData?.(s);
+            checkOverflow();
         });
         child.on("error", (e) => {
             clearTimeout(timer);
@@ -68,6 +88,8 @@ export function runShell(command, cwd, mode, opts) {
         });
         child.on("close", (code) => {
             clearTimeout(timer);
+            if (killedForSize)
+                return resolve({ stdout, stderr: stderr + `\n[output truncated — exceeded ${opts.maxBuffer} bytes; process killed]` });
             if (timedOut)
                 return reject(Object.assign(new Error(`timed out after ${opts.timeout}ms`), { stdout, stderr }));
             if (code !== 0)

package/dist/search/semindex.js

@@ -121,6 +121,13 @@ export async function buildIndex(name, chunks, embed, cwd, model = "embed") {
 export function indexExists(name, cwd) {
     return existsSync(indexPath(name, cwd));
 }
+// Never embed (and POST to an embedding provider, then persist in the index) a secret-bearing file —
+// the asset/skill/memory dirs aren't .gitignore-filtered, so a stray credentials.json/secrets.yaml/.env
+// there would otherwise leak. Defense-in-depth (the repo walk already respects .gitignore).
+const SECRET_FILE = /(^\.?env(\.|$)|secret|credential|password|apikey|api[_-]?key|\btoken|\.(pem|key|p12|pfx|keystore|crt)$|^\.netrc$|^\.npmrc$|id_(rsa|ed25519|ecdsa))/i;
+function looksSecret(rel) {
+    return SECRET_FILE.test(rel.split("/").pop() ?? rel);
+}
 /** Walk one knowledge directory (code-assets / skills / memory) and chunk its files. Files come back as
  *  absolute paths so recall/memory_search can read or open them directly. */
 export function collectDirChunks(dir, source) {
@@ -128,7 +135,7 @@ export function collectDirChunks(dir, source) {
         return [];
     const chunks = [];
     for (const rel of walkFiles(dir)) {
-        if (!CODE_RE.test(rel))
+        if (!CODE_RE.test(rel) || looksSecret(rel))
             continue;
         const abs = join(dir, rel);
         if (fileSize(abs) > 200_000)
@@ -150,7 +157,7 @@ export function collectDirChunks(dir, source) {
 export function collectRepoChunks(root) {
     const chunks = [];
     for (const rel of listProjectFiles(root)) {
-        if (!CODE_RE.test(rel))
+        if (!CODE_RE.test(rel) || looksSecret(rel))
             continue;
         const abs = join(root, rel);
         if (fileSize(abs) > 200_000)

package/dist/session/store.js

@@ -42,6 +42,8 @@ export function cleanSessionName(raw) {
  *  (unlike the ASCII-slug `cleanSessionName`), trims code/whitespace, caps length. Empty for blank input
  *  (callers fall back to the short id, never "new session"). */
 export function deriveTitle(text) {
+    if (typeof text !== "string")
+        return ""; // a malformed/hand-edited session may have a non-string content
     const t = text
         .replace(/^\/\S+\s*/, "") // drop a leading slash-command
         .replace(/```[\s\S]*?```/g, " ") // drop fenced code blocks
@@ -75,12 +77,18 @@ export function saveSession(meta, history) {
     const data = { meta, history };
     writeFileSync(sessionFile(meta.id), JSON.stringify(data, null, 2), "utf8");
 }
+/** True if a parsed object has the SessionData shape we can safely use (meta object + history array). */
+function isSessionData(d) {
+    const o = d;
+    return !!o && typeof o === "object" && !!o.meta && typeof o.meta === "object" && Array.isArray(o.history);
+}
 export function loadSession(id) {
     const p = sessionFile(id);
     if (!existsSync(p))
         return null;
     try {
-        return JSON.parse(readFileSync(p, "utf8"));
+        const d = JSON.parse(readFileSync(p, "utf8"));
+        return isSessionData(d) ? d : null; // a corrupt / hand-edited file resumes as "no session" instead of crashing
     }
     catch {
         return null;
@@ -93,7 +101,9 @@ export function listSessions(cwd) {
         if (!f.endsWith(".json"))
             continue;
         try {
-            metas.push(JSON.parse(readFileSync(join(sessionsDir(), f), "utf8")).meta);
+            const d = JSON.parse(readFileSync(join(sessionsDir(), f), "utf8"));
+            if (d?.meta && typeof d.meta === "object" && d.meta.id && d.meta.updatedAt)
+                metas.push(d.meta); // skip metaless/corrupt
         }
         catch {
             /* skip corrupt */

package/dist/tools/computer.js

@@ -12,15 +12,20 @@ import { registerTool } from "./registry.js";
 import { loadConfig } from "../config.js";
 const RANK = { off: 0, read: 1, click: 2, full: 3 };
 const ACTION_MIN = { screenshot: "read", find: "read", activate: "click", move: "click", click: "click", type: "full", key: "full" };
-// dangerous combos refused even at full tier (quit / close / delete / task-switch-kill)
+// dangerous combos refused even at full tier (quit / close / delete / task-switch-kill).
 const KEY_BLOCK = /(?:\b(cmd|command|ctrl|control|alt|option|win|super|meta)\b.*\+.*\b(q|w|delete|del|f4|escape|esc)\b)|ctrl\+alt\+(?:delete|del|backspace)/i;
+// Windows SendKeys spells modifiers as % (Alt) / ^ (Ctrl) with no modifier WORD, so the combo regex
+// above misses them: block Alt+F4 / Ctrl+F4 (close window) and Ctrl+W (close tab) in that syntax.
+const KEY_BLOCK_SENDKEYS = /[%^]\s*\{\s*f4\s*\}|\^\s*w\b/i;
+// Linux/X keysyms for logout / power-off (xdotool key XF86LogOff …) — not modifier combos.
+const KEY_BLOCK_KEYSYM = /\bxf86(logoff|poweroff|reboot|sleep)\b/i;
 /** Whether the configured tier permits the action. Exported for tests. */
 export function actionAllowed(tier, action) {
     return RANK[tier] >= RANK[ACTION_MIN[action] ?? "full"];
 }
 /** Whether a key combo is on the dangerous blocklist. Exported for tests. */
 export function keyIsBlocked(keys) {
-    return KEY_BLOCK.test(keys);
+    return KEY_BLOCK.test(keys) || KEY_BLOCK_SENDKEYS.test(keys) || KEY_BLOCK_KEYSYM.test(keys);
 }
 // Circuit breaker (learned from codex): bound consecutive screen-control failures so the agent can't loop
 // forever on a broken setup. Reset on any success; after FAIL_LIMIT in a row, return a clear stop + how to fix.
@@ -315,7 +320,7 @@ registerTool({
             const app = String(input.app ?? input.target ?? "");
             if (!app)
                 return "activate needs an `app` name (e.g. 'WeChat').";
-            if (!cfg.computerApps.some((a) => app.toLowerCase().includes(a.toLowerCase()) || a.toLowerCase().includes(app.toLowerCase())))
+            if (!cfg.computerApps.some((a) => a.toLowerCase() === app.toLowerCase()))
                 return `Refused: "${app}" isn't in your allowlist (${cfg.computerApps.join(", ") || "empty"}). Add it: \`hara config set computerApps "${app}"\`.`;
             const r = activateApp(app);
             return r.ok ? ok(`✓ ${r.msg} — now screenshot/find/click to act on it`) : fail(r.msg);
@@ -325,7 +330,7 @@ registerTool({
             if (!cfg.computerApps.length)
                 return "No apps allowlisted — set `hara config set computerApps \"App Name, …\"` before clicking/typing.";
             const app = frontmostApp();
-            const allowed = cfg.computerApps.some((a) => app.toLowerCase().includes(a.toLowerCase()) || a.toLowerCase().includes(app.toLowerCase()));
+            const allowed = cfg.computerApps.some((a) => a.toLowerCase() === app.toLowerCase());
             if (!allowed)
                 return `Refused: frontmost app "${app || "unknown"}" isn't in your allowlist (${cfg.computerApps.join(", ")}). Switch to an allowed app or update computerApps.`;
         }

package/dist/tools/patch.js

@@ -102,21 +102,40 @@ registerTool({
                 }
             }
         }
-        // PHASE 2 — commit all changes + show each diff.
-        const summary = [];
-        for (const pl of plans) {
-            if (pl.type === "delete") {
-                await unlink(pl.abs);
-                emitDiff(pl.path, pl.before, "", ctx.ui);
-                summary.push(`deleted ${pl.path}`);
+        // PHASE 2 — commit all changes. Truly all-or-nothing: if any write fails mid-way, roll back the ones
+        // already applied (restore updated/deleted files, remove created ones) so the tree is never half-patched.
+        const applied = [];
+        try {
+            for (const pl of plans) {
+                if (pl.type === "delete") {
+                    await unlink(pl.abs);
+                }
+                else {
+                    await mkdir(dirname(pl.abs), { recursive: true });
+                    await writeFile(pl.abs, pl.after, "utf8");
+                }
+                applied.push(pl);
             }
-            else {
-                await mkdir(dirname(pl.abs), { recursive: true });
-                await writeFile(pl.abs, pl.after, "utf8");
-                emitDiff(pl.path, pl.before, pl.after, ctx.ui);
-                summary.push(`${pl.type === "create" ? "created" : "updated"} ${pl.path}`);
+        }
+        catch (e) {
+            for (const pl of applied.reverse()) {
+                try {
+                    if (pl.type === "create" && !pl.existed)
+                        await unlink(pl.abs); // remove a file we created
+                    else
+                        await writeFile(pl.abs, pl.before, "utf8"); // restore an updated/deleted file's prior content
+                }
+                catch {
+                    /* best-effort rollback */
+                }
             }
+            return `Error: apply_patch failed writing a file (${e instanceof Error ? e.message : String(e)}) — rolled back, nothing left changed.`;
         }
+        // All writes succeeded → now show diffs + record the undo snapshot.
+        const summary = plans.map((pl) => {
+            emitDiff(pl.path, pl.before, pl.type === "delete" ? "" : pl.after, ctx.ui);
+            return pl.type === "delete" ? `deleted ${pl.path}` : `${pl.type === "create" ? "created" : "updated"} ${pl.path}`;
+        });
         recordEdit(plans.map((pl) => ({ path: pl.path, absPath: pl.abs, before: pl.existed ? pl.before : null })));
         return `apply_patch: ${plans.length} file(s) — ${summary.join("; ")}.`;
     },

package/dist/tools/web.js

@@ -1,7 +1,67 @@
 // web_fetch — fetch an http(s) URL and return readable text (HTML reduced to text). Read-only.
-// Uses Node's global fetch (Node >=20). NOT sandboxed (network egress is in-process, not via bash).
+// Uses Node's global fetch (Node >=20). NOT sandboxed (network egress is in-process, not via bash) —
+// so it carries an SSRF guard: private/loopback/link-local targets are refused, re-checked on every
+// redirect hop, and the body is read under a hard byte ceiling.
 import { registerTool } from "./registry.js";
+import { lookup } from "node:dns/promises";
+import { isIP } from "node:net";
 const MAX = 60_000;
+/** True for loopback / private / link-local / ULA / CGNAT addresses we must not let web_fetch reach. */
+export function isPrivateIp(ip) {
+    const host = ip.replace(/^\[|\]$/g, "");
+    if (isIP(host) === 4) {
+        const p = host.split(".").map(Number);
+        return p[0] === 0 || p[0] === 10 || p[0] === 127 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) || (p[0] === 192 && p[1] === 168) || (p[0] === 169 && p[1] === 254) || (p[0] === 100 && p[1] >= 64 && p[1] <= 127);
+    }
+    const l = host.toLowerCase();
+    if (l === "::1" || l === "::")
+        return true;
+    if (l.startsWith("fe80") || l.startsWith("fc") || l.startsWith("fd"))
+        return true; // link-local + unique-local
+    const m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(l); // IPv4-mapped IPv6
+    return m ? isPrivateIp(m[1]) : false;
+}
+/** Refuse to fetch a host that is (or resolves to) a private/internal address — defeats metadata-endpoint
+ *  / localhost SSRF. Throws (caught by the caller) on a blocked or unresolvable host. */
+async function assertPublicHost(hostname) {
+    const host = hostname.replace(/^\[|\]$/g, "");
+    if (isIP(host)) {
+        if (isPrivateIp(host))
+            throw new Error(`refusing to fetch ${host} (private/loopback address)`);
+        return;
+    }
+    const addrs = await lookup(host, { all: true });
+    for (const a of addrs)
+        if (isPrivateIp(a.address))
+            throw new Error(`refusing to fetch ${host} — resolves to a private/internal address (${a.address})`);
+}
+/** Read a fetch Response body up to `maxBytes`, then stop (avoids materializing a huge / bomb body). */
+async function readCapped(res, maxBytes) {
+    if (!res.body)
+        return res.text();
+    const reader = res.body.getReader();
+    const chunks = [];
+    let total = 0;
+    for (;;) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        if (value) {
+            chunks.push(value);
+            total += value.length;
+        }
+        if (total >= maxBytes) {
+            try {
+                await reader.cancel();
+            }
+            catch {
+                /* already closing */
+            }
+            break;
+        }
+    }
+    return Buffer.concat(chunks).toString("utf8");
+}
 /** Strip HTML to a readable-ish plain-text approximation (no dependency). */
 export function htmlToText(html) {
     return html
@@ -148,17 +208,30 @@ registerTool({
         const ctrl = new AbortController();
         const timer = setTimeout(() => ctrl.abort(), 30_000);
         try {
-            const res = await fetch(url, {
-                signal: ctrl.signal,
-                redirect: "follow",
-                headers: { "user-agent": "hara-cli", accept: "text/html,text/plain,application/json,*/*" },
-            });
+            // Follow redirects manually so the SSRF guard runs on EVERY hop (a public URL can 30x to 169.254…).
+            let current = url;
+            let res;
+            for (let hop = 0;; hop++) {
+                await assertPublicHost(current.hostname);
+                res = await fetch(current, {
+                    signal: ctrl.signal,
+                    redirect: "manual",
+                    headers: { "user-agent": "hara-cli", accept: "text/html,text/plain,application/json,*/*" },
+                });
+                const loc = res.status >= 300 && res.status < 400 ? res.headers.get("location") : null;
+                if (!loc || hop >= 5)
+                    break;
+                const next = new URL(loc, current);
+                if (next.protocol !== "http:" && next.protocol !== "https:")
+                    return "Error: redirect to a non-http(s) URL was blocked.";
+                current = next;
+            }
             const ct = res.headers.get("content-type") ?? "";
-            const raw = await res.text();
+            const raw = await readCapped(res, cap * 4); // byte ceiling (HTML→text shrinks; cap*4 leaves headroom)
             let text = /html/i.test(ct) ? htmlToText(raw) : raw;
             if (text.length > cap)
                 text = text.slice(0, cap) + `\n…[truncated ${text.length - cap} chars]`;
-            return `# ${url.href} (HTTP ${res.status})\n\n${text || "(empty body)"}`;
+            return `# ${current.href} (HTTP ${res.status})\n\n${text || "(empty body)"}`;
         }
         catch (e) {
             return `Error fetching ${url.href}: ${e?.name === "AbortError" ? "timed out (30s)" : (e?.message ?? e)}`;

package/dist/tui/App.js

@@ -62,7 +62,7 @@ function Working() {
     const frames = "⠋⠙⠹⠸⠼⠴⠦⠧⠇⠏";
     return (_jsxs(Box, { marginTop: 1, children: [_jsx(Text, { color: "yellow", children: frames[n % frames.length] }), _jsx(Text, { dimColor: true, children: ` working ${Math.floor(n / 10)}s · esc to interrupt` })] }));
 }
-export function App({ initialStatus, model, cwd, header, onSubmit, cycleApproval, onClipboardImage }) {
+export function App({ initialStatus, model, cwd, header, onSubmit, cycleApproval, onClipboardImage, vim }) {
     const { exit } = useApp();
     const [history, setHistory] = useState([]);
     const [current, setCurrent] = useState([]);
@@ -209,5 +209,5 @@ export function App({ initialStatus, model, cwd, header, onSubmit, cycleApproval
         else if (key.tab && key.shift && cycleApproval)
             setStatus((s) => ({ ...s, approval: cycleApproval(s.approval) }));
     });
-    return (_jsxs(Box, { flexDirection: "column", children: [_jsx(Static, { items: header ? [{ id: -1, kind: "notice", text: "" }, ...history] : history, children: (item) => (item.id === -1 ? _jsx(HeaderCard, { ...header }, "hdr") : _jsx(Block, { item: item }, item.id)) }), current.map((item) => (_jsx(Block, { item: item, open: reasoningOpen }, item.id))), working && !prompt && _jsx(Working, {}), prompt && (_jsxs(Box, { flexDirection: "column", marginTop: 1, children: [_jsx(Text, { color: "yellow", children: `  ${stripAnsi(prompt.title)}` }), prompt.options.map((o, i) => (_jsx(Text, { color: i === promptSel ? "cyan" : undefined, bold: i === promptSel, children: (i === promptSel ? " ❯ " : "   ") + `${i + 1}. ` + o.label }, i))), _jsx(Text, { dimColor: true, children: `   ↑↓ or 1–${prompt.options.length} to choose · Enter · Esc cancels` })] })), pool.length > 0 && !prompt && (_jsx(Box, { flexDirection: "column", children: pool.map((l, i) => (_jsx(Text, { color: accent(), children: `  › ${l.length > 72 ? l.slice(0, 72) + "…" : l}` }, i))) })), _jsx(InputBox, { status: status, cwd: cwd, isActive: !prompt, working: working, queued: pool.length, onSubmit: handleSubmit, onClipboardImage: onClipboardImage })] }));
+    return (_jsxs(Box, { flexDirection: "column", children: [_jsx(Static, { items: header ? [{ id: -1, kind: "notice", text: "" }, ...history] : history, children: (item) => (item.id === -1 ? _jsx(HeaderCard, { ...header }, "hdr") : _jsx(Block, { item: item }, item.id)) }), current.map((item) => (_jsx(Block, { item: item, open: reasoningOpen }, item.id))), working && !prompt && _jsx(Working, {}), prompt && (_jsxs(Box, { flexDirection: "column", marginTop: 1, children: [_jsx(Text, { color: "yellow", children: `  ${stripAnsi(prompt.title)}` }), prompt.options.map((o, i) => (_jsx(Text, { color: i === promptSel ? "cyan" : undefined, bold: i === promptSel, children: (i === promptSel ? " ❯ " : "   ") + `${i + 1}. ` + o.label }, i))), _jsx(Text, { dimColor: true, children: `   ↑↓ or 1–${prompt.options.length} to choose · Enter · Esc cancels` })] })), pool.length > 0 && !prompt && (_jsx(Box, { flexDirection: "column", children: pool.map((l, i) => (_jsx(Text, { color: accent(), children: `  › ${l.length > 72 ? l.slice(0, 72) + "…" : l}` }, i))) })), _jsx(InputBox, { status: status, cwd: cwd, isActive: !prompt, working: working, queued: pool.length, vim: vim, onSubmit: handleSubmit, onClipboardImage: onClipboardImage })] }));
 }

package/dist/tui/InputBox.js

@@ -7,6 +7,7 @@ import { Box, Text, useInput, useStdout } from "ink";
 import { useMemo, useState } from "react";
 import { fileCandidates } from "../context/mentions.js";
 import { imagePathFromPaste } from "../images.js";
+import { vimNormal } from "./vim.js";
 export const MODES = ["suggest", "auto-edit", "full-auto", "plan"];
 export const nextMode = (m) => MODES[(MODES.indexOf(m) + 1) % MODES.length];
 const tok = (n) => (n >= 1000 ? `${(n / 1000).toFixed(1)}k` : `${n}`);
@@ -84,7 +85,7 @@ function InputLine({ value, cursor }) {
     return _jsx(Text, { children: nodes });
 }
 /** Top border (session) + prompt line + bottom border (usage) + ModeBar, with an @path popup. */
-export function InputBox({ status, cwd, width, onSubmit, onClipboardImage, isActive = true, working = false, queued = 0, placeholder = "Type a task · /help · @file · Ctrl+V paste image · shift+tab mode · Esc interrupts", }) {
+export function InputBox({ status, cwd, width, onSubmit, onClipboardImage, isActive = true, working = false, queued = 0, vim = false, placeholder = "Type a task · /help · @file · Ctrl+V paste image · shift+tab mode · Esc interrupts", }) {
     const { stdout } = useStdout();
     const w = width ?? stdout?.columns ?? 80;
     const [value, setValue] = useState("");
@@ -92,6 +93,9 @@ export function InputBox({ status, cwd, width, onSubmit, onClipboardImage, isAct
     const [sel, setSel] = useState(0);
     const [dismissed, setDismissed] = useState(false);
     const [images, setImages] = useState([]);
+    const [mode, setMode] = useState("insert"); // vim only
+    const [pending, setPending] = useState(""); // vim operator-pending (d/c/g)
+    const [register, setRegister] = useState(""); // vim yank/delete register
     const set = (v, c) => {
         setValue(v);
         setCursor(c);
@@ -116,6 +120,8 @@ export function InputBox({ status, cwd, width, onSubmit, onClipboardImage, isAct
         onSubmit?.(text, images.length ? images : undefined);
         set("", 0);
         setImages([]);
+        setMode("insert"); // a fresh prompt starts in insert
+        setPending("");
     };
     const mention = activeMention(value, cursor);
     const candidates = useMemo(() => (isActive && mention && !dismissed ? fileCandidates(cwd, mention.query, 8) : []), [cwd, isActive, dismissed, mention?.query, mention?.start]);
@@ -143,8 +149,36 @@ export function InputBox({ status, cwd, width, onSubmit, onClipboardImage, isAct
             return;
         }
         if (key.escape) {
-            if (popupOpen)
+            if (popupOpen) {
                 setDismissed(true);
+                return;
+            }
+            if (vim && mode === "insert") {
+                setMode("normal");
+                setPending("");
+            }
+            return;
+        }
+        // vim NORMAL mode: printable keys are commands, not text (Enter/arrows/backspace still navigate/submit)
+        if (vim && mode === "normal") {
+            if (key.return)
+                return submit(value);
+            if (key.leftArrow)
+                return setCursor((c) => Math.max(0, c - 1));
+            if (key.rightArrow)
+                return setCursor((c) => Math.min(value.length, c + 1));
+            if (key.backspace || key.delete)
+                return setCursor((c) => Math.max(0, c - 1));
+            if (input && !key.ctrl && !key.meta) {
+                const st = vimNormal({ value, cursor, mode, pending, register }, input);
+                setValue(st.value);
+                setCursor(st.cursor);
+                setMode(st.mode);
+                setPending(st.pending);
+                setRegister(st.register);
+                setSel(0);
+                setDismissed(false);
+            }
             return;
         }
         if (key.return) {
@@ -204,5 +238,5 @@ export function InputBox({ status, cwd, width, onSubmit, onClipboardImage, isAct
             set(value.slice(0, cursor) + input + value.slice(cursor), cursor + input.length);
         }
     }, { isActive });
-    return (_jsxs(Box, { flexDirection: "column", children: [_jsx(TopBorder, { name: status.sessionName || "session", width: w }), _jsxs(Box, { children: [_jsx(Text, { color: "cyan", children: "› " }), value.length === 0 ? (_jsxs(Text, { children: [_jsx(Text, { inverse: true, children: " " }), _jsx(Text, { dimColor: true, children: placeholder })] })) : (_jsx(InputLine, { value: value, cursor: cursor }))] }), _jsx(BottomBorder, { s: status, width: w }), working ? _jsx(Text, { dimColor: true, children: `  ⌨ working — Enter queues your message${queued ? ` · ${queued} queued` : ""} · Esc interrupts` }) : null, popupOpen ? _jsx(MentionPopup, { items: candidates, selected: selIdx, query: mention.query }) : null, _jsx(ModeBar, { approval: status.approval })] }));
+    return (_jsxs(Box, { flexDirection: "column", children: [_jsx(TopBorder, { name: status.sessionName || "session", width: w }), _jsxs(Box, { children: [_jsx(Text, { color: vim ? (mode === "normal" ? "yellow" : "green") : "cyan", children: vim && mode === "normal" ? "◆ " : "› " }), value.length === 0 ? (_jsxs(Text, { children: [_jsx(Text, { inverse: true, children: " " }), _jsx(Text, { dimColor: true, children: placeholder })] })) : (_jsx(InputLine, { value: value, cursor: cursor }))] }), vim ? _jsx(Text, { dimColor: true, children: mode === "normal" ? "  -- NORMAL --  i/a insert · h l 0 $ w b e move · x dd D cw p edit" : "  -- INSERT --  Esc → normal" }) : null, _jsx(BottomBorder, { s: status, width: w }), working ? _jsx(Text, { dimColor: true, children: `  ⌨ working — Enter queues your message${queued ? ` · ${queued} queued` : ""} · Esc interrupts` }) : null, popupOpen ? _jsx(MentionPopup, { items: candidates, selected: selIdx, query: mention.query }) : null, _jsx(ModeBar, { approval: status.approval })] }));
 }