@neolio42/pixel-office 0.1.0

package/src/lib/pty-manager.ts

@@ -0,0 +1,267 @@
+import { spawn as ptySpawn, IPty } from 'node-pty';
+import { execSync } from 'child_process';
+
+/** Resolve full path to claude binary so node-pty can find it regardless of server PATH */
+function resolveClaudePath(): string {
+  // Try common locations first (fastest, no shell needed)
+  const candidates = ['/opt/homebrew/bin/claude', '/usr/local/bin/claude', '/usr/bin/claude'];
+  for (const c of candidates) {
+    try {
+      execSync(`test -x "${c}"`, { stdio: 'ignore' });
+      return c;
+    } catch { /* continue */ }
+  }
+  // Fall back to shell lookup (may fail if shell doesn't source profile)
+  try {
+    // Use login shell to source PATH properly
+    const shell = process.env.SHELL || '/bin/zsh';
+    return execSync(`${shell} -lc "which claude"`, { encoding: 'utf8' }).trim();
+  } catch { /* continue */ }
+  return 'claude';
+}
+
+declare global {
+  // eslint-disable-next-line no-var
+  var __claudePath: string | undefined;
+}
+
+function getClaudePath(): string {
+  if (!globalThis.__claudePath) {
+    globalThis.__claudePath = resolveClaudePath();
+    console.log(`[PTY] Resolved claude binary: ${globalThis.__claudePath}`);
+  }
+  return globalThis.__claudePath;
+}
+
+// Force re-resolve on module reload (HMR)
+globalThis.__claudePath = undefined;
+
+export interface PtyEntry {
+  ptyId: string;
+  pty: IPty;
+  ttyPath: string;
+  sessionId?: string;
+  cwd: string;
+  cols: number;
+  rows: number;
+  spawnedAt: number;
+  scrollback: string[];
+  scrollbackBytes: number;
+  exited: boolean;
+  exitCode?: number;
+}
+
+const MAX_SCROLLBACK_BYTES = 1_000_000; // ~1MB cap
+
+declare global {
+  // eslint-disable-next-line no-var
+  var __ptyRegistry: Map<string, PtyEntry> | undefined;
+  // eslint-disable-next-line no-var
+  var __ptyCounter: number | undefined;
+}
+
+function getRegistry(): Map<string, PtyEntry> {
+  if (!globalThis.__ptyRegistry) {
+    globalThis.__ptyRegistry = new Map();
+  }
+  return globalThis.__ptyRegistry;
+}
+
+function getPtyCounter(): number {
+  if (globalThis.__ptyCounter === undefined) {
+    let max = 0;
+    for (const entry of getRegistry().values()) {
+      const n = parseInt(entry.ptyId.split('-')[1] || '0', 10);
+      if (n > max) max = n;
+    }
+    globalThis.__ptyCounter = max;
+  }
+  return globalThis.__ptyCounter;
+}
+
+/**
+ * Callbacks wired by ws-server to send terminal output to subscribers only.
+ * Stored on globalThis so HMR doesn't reset them.
+ */
+declare global {
+  // eslint-disable-next-line no-var
+  var __ptyOutputHandler: ((ptyId: string, data: string) => void) | undefined;
+  // eslint-disable-next-line no-var
+  var __ptyExitHandler: ((ptyId: string, exitCode: number) => void) | undefined;
+}
+
+export function setPtyOutputHandler(handler: (ptyId: string, data: string) => void) {
+  globalThis.__ptyOutputHandler = handler;
+}
+
+export function setPtyExitHandler(handler: (ptyId: string, exitCode: number) => void) {
+  globalThis.__ptyExitHandler = handler;
+}
+
+export function spawnSession(cwd: string, cols = 120, rows = 30): PtyEntry {
+  globalThis.__ptyCounter = getPtyCounter() + 1;
+  const ptyId = `pty-${globalThis.__ptyCounter}-${Date.now()}`;
+
+  const pty = ptySpawn(getClaudePath(), [], {
+    name: 'xterm-256color',
+    cols,
+    rows,
+    cwd,
+    env: {
+      ...process.env,
+      TERM: 'xterm-256color',
+      // Ensure homebrew paths are in PATH for child processes
+      PATH: `/opt/homebrew/bin:/usr/local/bin:${process.env.PATH || '/usr/bin:/bin'}`,
+    } as Record<string, string>,
+  });
+
+  // Get the tty path from node-pty's internal _pty field (the slave PTY device)
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const ttyPath: string = (pty as any)._pty || '';
+
+  const entry: PtyEntry = {
+    ptyId,
+    pty,
+    ttyPath,
+    cwd,
+    cols,
+    rows,
+    spawnedAt: Date.now(),
+    scrollback: [],
+    scrollbackBytes: 0,
+    exited: false,
+  };
+
+  pty.onData((data: string) => {
+    // Buffer scrollback
+    entry.scrollback.push(data);
+    entry.scrollbackBytes += data.length;
+    // Trim if over cap
+    while (entry.scrollbackBytes > MAX_SCROLLBACK_BYTES && entry.scrollback.length > 0) {
+      const removed = entry.scrollback.shift()!;
+      entry.scrollbackBytes -= removed.length;
+    }
+    if (entry.scrollback.length === 0) entry.scrollbackBytes = 0;
+    // Send to subscribers
+    globalThis.__ptyOutputHandler?.(ptyId, data);
+  });
+
+  pty.onExit(({ exitCode }) => {
+    entry.exited = true;
+    entry.exitCode = exitCode;
+    globalThis.__ptyExitHandler?.(ptyId, exitCode);
+  });
+
+  getRegistry().set(ptyId, entry);
+  console.log(`[PTY] Spawned ${ptyId} (pid=${pty.pid}, tty=${ttyPath}, cwd=${cwd})`);
+  return entry;
+}
+
+export function writeToPty(ptyId: string, data: string): boolean {
+  const entry = getRegistry().get(ptyId);
+  if (!entry || entry.exited) return false;
+  entry.pty.write(data);
+  return true;
+}
+
+export function resizePty(ptyId: string, cols: number, rows: number): boolean {
+  const entry = getRegistry().get(ptyId);
+  if (!entry || entry.exited) return false;
+  entry.pty.resize(cols, rows);
+  entry.cols = cols;
+  entry.rows = rows;
+  return true;
+}
+
+export function killPty(ptyId: string): boolean {
+  const entry = getRegistry().get(ptyId);
+  if (!entry) return false;
+  if (!entry.exited) {
+    entry.pty.kill('SIGHUP');
+  }
+  getRegistry().delete(ptyId);
+  console.log(`[PTY] Killed ${ptyId}`);
+  return true;
+}
+
+export function unlinkSessionFromPty(ptyId: string): boolean {
+  const entry = getRegistry().get(ptyId);
+  if (!entry) return false;
+  entry.sessionId = undefined;
+  return true;
+}
+
+export function linkSessionToPty(sessionId: string, ptyId: string): boolean {
+  const entry = getRegistry().get(ptyId);
+  if (!entry) return false;
+  entry.sessionId = sessionId;
+  console.log(`[PTY] Linked session ${sessionId} → ${ptyId}`);
+  return true;
+}
+
+/** Normalize tty path to canonical form /dev/ttysNNN */
+function normalizeTty(tty: string): string {
+  if (!tty) return '';
+  // Already canonical: /dev/ttys008
+  if (tty.startsWith('/dev/tty')) return tty;
+  // Just the device name: ttys008
+  if (tty.startsWith('tty')) return `/dev/${tty}`;
+  // Short form: s008
+  if (/^s\d+$/.test(tty)) return `/dev/tty${tty}`;
+  // /dev/sNNN → /dev/ttysNNN
+  if (/^\/dev\/s\d+$/.test(tty)) return `/dev/tty${tty.slice(5)}`;
+  if (tty.startsWith('/dev/')) return tty;
+  return tty;
+}
+
+export function findPtyByTty(ttyPath: string): PtyEntry | undefined {
+  if (!ttyPath) return undefined;
+  const normalized = normalizeTty(ttyPath);
+  for (const entry of getRegistry().values()) {
+    if (!entry.sessionId && !entry.exited && entry.ttyPath) {
+      if (entry.ttyPath === normalized || normalizeTty(entry.ttyPath) === normalized) {
+        return entry;
+      }
+    }
+  }
+  return undefined;
+}
+
+/** Find an unlinked PTY by matching cwd — fallback when tty matching fails.
+ *  Only matches PTYs spawned within the last 30s to prevent external sessions
+ *  from accidentally linking to an embedded PTY with the same cwd. */
+export function findPtyByCwd(cwd: string): PtyEntry | undefined {
+  if (!cwd) return undefined;
+  const cutoff = Date.now() - 30_000;
+  for (const entry of getRegistry().values()) {
+    if (!entry.sessionId && !entry.exited && entry.cwd === cwd && entry.spawnedAt > cutoff) {
+      return entry;
+    }
+  }
+  return undefined;
+}
+
+export function getPtyEntry(ptyId: string): PtyEntry | undefined {
+  return getRegistry().get(ptyId);
+}
+
+export function getScrollback(ptyId: string): string {
+  const entry = getRegistry().get(ptyId);
+  if (!entry) return '';
+  return entry.scrollback.join('');
+}
+
+export function getAllPtyEntries(): PtyEntry[] {
+  return [...getRegistry().values()];
+}
+
+export function cleanupOrphanedPtys(activePtyIds: Set<string>): string[] {
+  const removed: string[] = [];
+  for (const [ptyId, entry] of getRegistry()) {
+    if (entry.exited && !activePtyIds.has(ptyId)) {
+      getRegistry().delete(ptyId);
+      removed.push(ptyId);
+    }
+  }
+  return removed;
+}

package/src/lib/store.ts

@@ -0,0 +1,181 @@
+import { Session, WorkerState } from './types';
+
+// Use globalThis so the same sessions Map is shared across
+// Next.js App Router module instances and the custom server.ts
+declare global {
+  // eslint-disable-next-line no-var
+  var __sessions: Map<string, Session> | undefined;
+}
+
+function getSessions(): Map<string, Session> {
+  if (!globalThis.__sessions) {
+    globalThis.__sessions = new Map();
+  }
+  return globalThis.__sessions;
+}
+
+const MAX_DESKS = 5;
+
+function getNextDeskIndex(): number {
+  const sessions = getSessions();
+  const taken = new Set([...sessions.values()].map(s => s.deskIndex));
+  for (let i = 0; i < MAX_DESKS; i++) {
+    if (!taken.has(i)) return i;
+  }
+  return 0;
+}
+
+export function addSession(sessionId: string, cwd: string, tty = '', transcriptPath?: string): Session {
+  const sessions = getSessions();
+  const now = Date.now();
+  const session: Session = {
+    sessionId,
+    deskIndex: getNextDeskIndex(),
+    state: 'walking',
+    currentTool: null,
+    cwd,
+    tty: tty.startsWith('/dev/') ? tty : '',
+    startedAt: now,
+    lastSeen: now,
+    recentTools: [],
+    transcriptPath,
+  };
+  sessions.set(sessionId, session);
+  return session;
+}
+
+export function updateSessionTty(sessionId: string, tty: string): void {
+  const session = getSessions().get(sessionId);
+  if (session && tty && tty.startsWith('/dev/')) {
+    session.tty = tty;
+  }
+}
+
+export function updateSession(sessionId: string, state: WorkerState, tool: string | null): Session | null {
+  const session = getSessions().get(sessionId);
+  if (!session) return null;
+  session.state = state;
+  session.currentTool = tool;
+  session.lastSeen = Date.now();
+  return session;
+}
+
+export function cleanupStaleSessions(maxAgeMs = 60_000, isAlivePtyId?: (ptyId: string) => boolean): string[] {
+  const sessions = getSessions();
+  const cutoff = Date.now() - maxAgeMs;
+  const removed: string[] = [];
+  for (const [id, session] of sessions) {
+    if (session.lastSeen < cutoff) {
+      // Don't remove sessions with a live embedded PTY — the terminal is still open
+      if (session.ptyId && isAlivePtyId?.(session.ptyId)) continue;
+      sessions.delete(id);
+      removed.push(id);
+    }
+  }
+  return removed;
+}
+
+export function removeSession(sessionId: string): boolean {
+  return getSessions().delete(sessionId);
+}
+
+export function getSession(sessionId: string): Session | undefined {
+  return getSessions().get(sessionId);
+}
+
+export function getAllSessions(): Session[] {
+  return [...getSessions().values()];
+}
+
+export function setSessionTask(sessionId: string, task: string): Session | null {
+  const session = getSessions().get(sessionId);
+  if (!session) return null;
+  session.task = task;
+  return session;
+}
+
+export function setSessionFocus(sessionId: string, focus: string): Session | null {
+  const session = getSessions().get(sessionId);
+  if (!session) return null;
+  session.currentFocus = focus;
+  return session;
+}
+
+export function setSessionPlanMode(sessionId: string, inPlanMode: boolean): Session | null {
+  const session = getSessions().get(sessionId);
+  if (!session) return null;
+  session.inPlanMode = inPlanMode;
+  return session;
+}
+
+function getToolSummary(toolName: string, toolInput: Record<string, unknown>): string {
+  switch (toolName) {
+    case 'Read': {
+      const p = toolInput.file_path as string | undefined;
+      return p ? `Reading ${p.split('/').pop()}` : 'Reading file';
+    }
+    case 'Edit':
+    case 'Write':
+    case 'MultiEdit': {
+      const p = toolInput.file_path as string | undefined;
+      return p ? `Editing ${p.split('/').pop()}` : 'Editing file';
+    }
+    case 'Grep': {
+      const pattern = toolInput.pattern as string | undefined;
+      return pattern ? `Searching: ${pattern.slice(0, 50)}` : 'Searching';
+    }
+    case 'Glob': {
+      const pattern = toolInput.pattern as string | undefined;
+      return pattern ? `Globbing: ${pattern.slice(0, 50)}` : 'Globbing';
+    }
+    case 'Bash': {
+      const cmd = toolInput.command as string | undefined;
+      return cmd ? `Running: ${cmd.slice(0, 60)}` : 'Running command';
+    }
+    case 'WebFetch':
+    case 'WebSearch': {
+      const url = (toolInput.url ?? toolInput.query) as string | undefined;
+      return url ? `Fetching: ${url.slice(0, 50)}` : 'Web request';
+    }
+    case 'Agent': return 'Delegating task';
+    case 'TodoWrite': return 'Updating tasks';
+    case 'ToolSearch': return 'Loading tools';
+    case 'Skill': return 'Running skill';
+    default: {
+      // Clean up MCP tool names: mcp__server__action → Server: action
+      if (toolName.startsWith('mcp__')) {
+        const match = toolName.match(/^mcp__([^_]+(?:_[^_]+)*)__(.+)$/);
+        if (match) {
+          const server = match[1].replace(/[-_]+/g, ' ').replace(/\b\w/g, c => c.toUpperCase());
+          const action = match[2].replace(/[-_]+/g, ' ');
+          // For well-known servers, shorten and use toolInput for details
+          const shortServer = server.toLowerCase();
+          // Browser tools: use the action param (screenshot, left_click, etc.)
+          if (shortServer.includes('chrome') || shortServer.includes('browser')) {
+            const act = toolInput.action as string | undefined;
+            if (act) return `Browser: ${act.replace(/_/g, ' ')}`;
+            return `Browser: ${action.replace(/_/g, ' ').slice(0, 30)}`;
+          }
+          if (shortServer.includes('clickup')) return `ClickUp: ${action.replace(/_/g, ' ').slice(0, 30)}`;
+          if (shortServer.includes('calendar')) return `Calendar: ${action.replace(/_/g, ' ').slice(0, 30)}`;
+          return `${server}: ${action.replace(/_/g, ' ').slice(0, 30)}`;
+        }
+      }
+      // Generic: grab first string value from input
+      const first = Object.values(toolInput).find(v => typeof v === 'string') as string | undefined;
+      return first ? `${toolName}: ${first.slice(0, 50)}` : toolName;
+    }
+  }
+}
+
+export function addToolCall(sessionId: string, toolName: string, toolInput: Record<string, unknown>): void {
+  const session = getSessions().get(sessionId);
+  if (!session) return;
+
+  const summary = getToolSummary(toolName, toolInput);
+  session.recentTools.push({ toolName, summary, timestamp: Date.now() });
+  if (session.recentTools.length > 10) {
+    session.recentTools = session.recentTools.slice(-10);
+  }
+  session.lastSeen = Date.now();
+}

package/src/lib/tool-classifier.ts

@@ -0,0 +1,224 @@
+import { WorkerState } from './types';
+import { execSync } from 'child_process';
+
+interface Classification {
+  state: WorkerState;
+  needsApproval: boolean;
+}
+
+const READING_TOOLS = new Set(['Read', 'Grep', 'Glob', 'LS', 'WebFetch', 'WebSearch', 'ListMcpResourcesTool', 'ReadMcpResourceTool', 'ToolSearch']);
+const TYPING_TOOLS = new Set(['Edit', 'Write', 'MultiEdit', 'NotebookEdit']);
+const AGENT_TOOLS = new Set(['Agent', 'TodoWrite', 'AskUserQuestion', 'Skill', 'EnterPlanMode', 'ExitPlanMode']);
+
+// Commands that are always safe regardless of arguments
+const SAFE_COMMANDS = new Set([
+  'ls', 'pwd', 'echo', 'cat', 'head', 'tail', 'wc', 'sort', 'uniq',
+  'date', 'whoami', 'which', 'type', 'file', 'stat', 'du', 'df',
+  'grep', 'rg', 'find', 'sed', 'awk', 'tr', 'cut', 'paste',
+  'node', 'npx', 'pnpm', 'yarn', 'bun', 'deno',
+  'tsc', 'eslint', 'prettier', 'jest', 'vitest', 'mocha', 'playwright',
+  'python', 'python3', 'cargo', 'go', 'rustc', 'gcc', 'g++', 'make', 'cmake',
+  'mkdir', 'cp', 'mv', 'touch', 'ln',
+  'tar', 'zip', 'unzip', 'gzip', 'gunzip',
+  'curl', 'wget', 'http',
+  'jq', 'yq', 'xargs', 'tee', 'diff', 'patch',
+  'docker', 'brew', 'apt', 'apk',
+  'sleep', 'true', 'false', 'test', '[',
+  'printf', 'read', 'set', 'export', 'source', '.',
+  'cd', 'pushd', 'popd', 'dirs',
+  'shfmt', 'shellcheck',
+]);
+
+// Git subcommands that are safe (read-only or local-only)
+const SAFE_GIT = new Set([
+  'status', 'log', 'diff', 'add', 'commit', 'branch', 'show',
+  'stash', 'fetch', 'checkout', 'switch', 'merge', 'rebase',
+  'tag', 'blame', 'bisect', 'cherry-pick', 'am', 'format-patch',
+  'rev-parse', 'ls-files', 'ls-tree', 'config', 'remote',
+  'describe', 'shortlog', 'reflog', 'worktree',
+]);
+
+// npm/pip subcommands that are safe
+const SAFE_NPM = new Set(['run', 'test', 'start', 'build', 'exec', 'init', 'info', 'ls', 'list', 'outdated', 'audit', 'pack', 'version', 'why']);
+
+// Commands that need boss approval (not auto-deny — boss decides)
+const RISKY_COMMANDS = new Set([
+  'rm', 'rmdir', 'sudo', 'su',
+  'chmod', 'chown', 'chgrp',
+  'dd', 'mkfs', 'fdisk',
+  'reboot', 'shutdown', 'halt', 'poweroff',
+  'iptables', 'ufw', 'systemctl',
+]);
+
+// Shell metacharacters that indicate compound commands
+const COMPOUND_CHARS = /[|&;$`(){}]/;
+
+/**
+ * Extract all command names from a compound bash command using shfmt AST.
+ * Returns null if shfmt isn't available or parsing fails (fallback to simple).
+ */
+function extractCommandsViaAST(command: string): string[][] | null {
+  try {
+    const ast = execSync(
+      `echo ${JSON.stringify(command)} | shfmt --tojson 2>/dev/null`,
+      { encoding: 'utf-8', timeout: 2000 }
+    );
+    const parsed = JSON.parse(ast);
+
+    // Recursively extract all CallExpr nodes — each is a command invocation
+    const commands: string[][] = [];
+
+    function walk(node: unknown): void {
+      if (!node || typeof node !== 'object') return;
+      const obj = node as Record<string, unknown>;
+
+      if (obj.Type === 'CallExpr' && Array.isArray(obj.Args)) {
+        // Extract all argument parts as a single command line
+        const args: string[] = [];
+        for (const arg of obj.Args as Array<{ Parts?: Array<{ Value?: string }> }>) {
+          if (arg.Parts) {
+            for (const part of arg.Parts) {
+              if (part.Value) args.push(part.Value);
+            }
+          }
+        }
+        if (args.length > 0) commands.push(args);
+      }
+
+      // Recurse into all object values and arrays
+      for (const value of Object.values(obj)) {
+        if (Array.isArray(value)) {
+          for (const item of value) walk(item);
+        } else if (typeof value === 'object' && value !== null) {
+          walk(value);
+        }
+      }
+    }
+
+    walk(parsed);
+    return commands.length > 0 ? commands : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check if a single command (as array of args) is risky.
+ * Returns 'safe', 'risky', or 'unknown'.
+ */
+function classifySingleCommand(args: string[]): 'safe' | 'risky' | 'unknown' {
+  const cmd = args[0];
+  if (!cmd) return 'unknown';
+
+  // Strip path prefix (e.g., /usr/bin/ls → ls)
+  const base = cmd.split('/').pop() || cmd;
+
+  // Check deny list first (deny > allow)
+  if (RISKY_COMMANDS.has(base)) return 'risky';
+
+  // Git: find the subcommand (skip flags like -C, --no-pager, etc.)
+  if (base === 'git') {
+    // Git flags that take a value argument: skip both the flag and its value
+    const GIT_VALUE_FLAGS = new Set(['-C', '-c', '--git-dir', '--work-tree', '--namespace']);
+    let sub: string | undefined;
+    for (let i = 1; i < args.length; i++) {
+      const a = args[i];
+      if (GIT_VALUE_FLAGS.has(a)) { i++; continue; } // skip flag + its value
+      if (a.startsWith('-')) continue; // skip other flags (--no-pager, --bare, etc.)
+      sub = a;
+      break;
+    }
+    if (!sub) return 'safe'; // bare `git` is fine
+    if (sub === 'push') return 'risky';
+    if (sub === 'reset' && args.includes('--hard')) return 'risky';
+    if (sub === 'clean' && args.includes('-f')) return 'risky';
+    if (SAFE_GIT.has(sub)) return 'safe';
+    return 'unknown';
+  }
+
+  // npm/pip: check subcommand
+  if (base === 'npm' || base === 'pip' || base === 'pip3') {
+    const sub = args[1];
+    if (sub === 'install' || sub === 'i' || sub === 'uninstall' || sub === 'remove') return 'risky';
+    if (base === 'npm' && SAFE_NPM.has(sub || '')) return 'safe';
+    return 'unknown';
+  }
+
+  // Check --force / --no-verify flags on any command
+  if (args.some(a => a === '--force' || a === '--no-verify' || a === '-f' && base === 'git')) {
+    return 'risky';
+  }
+
+  // Bash/sh -c: the inner command matters, not the shell itself
+  if ((base === 'bash' || base === 'sh' || base === 'zsh') && args.includes('-c')) {
+    return 'unknown'; // can't easily parse the inner command
+  }
+
+  // Check safe list
+  if (SAFE_COMMANDS.has(base)) return 'safe';
+
+  return 'unknown';
+}
+
+/**
+ * Classify a bash command — uses shfmt AST for compound commands,
+ * simple parsing for single commands.
+ */
+function classifyBashCommand(command: string): { needsApproval: boolean } {
+  const trimmed = command.trim();
+
+  // For compound commands, try AST parsing
+  if (COMPOUND_CHARS.test(trimmed)) {
+    const commands = extractCommandsViaAST(trimmed);
+
+    if (commands) {
+      // Deny > Allow: if ANY command is risky, the whole thing is risky
+      let allSafe = true;
+      for (const args of commands) {
+        const result = classifySingleCommand(args);
+        if (result !== 'safe') {
+          allSafe = false;
+          break;
+        }
+      }
+      return { needsApproval: !allSafe };
+    }
+    // shfmt failed — fall through to simple parsing
+  }
+
+  // Simple command — split on whitespace
+  const args = trimmed.split(/\s+/);
+  const result = classifySingleCommand(args);
+  return { needsApproval: result !== 'safe' };
+}
+
+export function classifyTool(toolName: string, toolInput: Record<string, unknown>): Classification {
+  // MCP tools — auto-approve all (browser automation, ClickUp, calendar, etc.)
+  if (toolName.startsWith('mcp__')) {
+    return { state: 'typing', needsApproval: false };
+  }
+
+  if (READING_TOOLS.has(toolName)) {
+    return { state: 'reading', needsApproval: false };
+  }
+
+  if (TYPING_TOOLS.has(toolName)) {
+    return { state: 'typing', needsApproval: false };
+  }
+
+  if (AGENT_TOOLS.has(toolName)) {
+    return { state: 'typing', needsApproval: false };
+  }
+
+  if (toolName === 'Bash' || toolName === 'BashOutput') {
+    const command = String(toolInput.command || '');
+    const { needsApproval } = classifyBashCommand(command);
+    return {
+      state: needsApproval ? 'waiting' : 'typing',
+      needsApproval,
+    };
+  }
+
+  // Unknown tool — needs approval
+  return { state: 'waiting', needsApproval: true };
+}