@oh-my-pi/pi-coding-agent 15.4.3 → 15.5.0

package/CHANGELOG.md

@@ -2,11 +2,38 @@
 
 ## [Unreleased]
 
+## [15.5.0] - 2026-05-26
+
+### Added
+
+- Added per-tool approval declarations so each built-in, custom, or extension tool can declare its capability tier and approval prompt details.
+- Added `OMP_MCP_TIMEOUT_MS` environment variable to override MCP client request timeout for every server (in milliseconds); set to `0` to disable client-side timeouts. Invalid (negative or non-numeric) values are ignored with a warning and fall back to the per-server timeout or default 30s ([#1415](https://github.com/can1357/oh-my-pi/pull/1415)).
+- Added `omp auth-broker list` (with `--json` for machine-readable output) to enumerate supported OAuth providers, replacing `bunx @oh-my-pi/pi-ai list`.
+- Added interactive provider selection to `omp auth-broker login` and `omp auth-broker logout` when invoked without a provider argument (replacing the equivalent `bunx @oh-my-pi/pi-ai login`/`logout` flows). The logout picker is sourced from stored credentials so it only lists providers the user is actually signed in to.
+- Added directory matches to the `find` tool: glob searches now return directories alongside files, with directory hits emitted with a trailing `/` marker. `find` for `**/tests` no longer requires a follow-up `read` to surface a directory hit; tool prompt and output docs were updated to reflect that paths may be either kind.
+- Added the RFC 8414 §3.1 path-ful issuer form (`/.well-known/oauth-authorization-server<issuer-path>`) as a third candidate in MCP OAuth discovery, after origin-root and path-prefixed well-known URLs, so deployments that publish authorization-server metadata at the path-ful location resolve correctly. Single-segment authorization URLs (e.g. `https://gateway/my-service`) are now treated as the gateway prefix instead of being dropped back to the origin root.
+
+### Changed
+
+- Changed tool-approval prompts to use an explicit `Approve`/`Deny` selector and surface the denial reason as contextual help text instead of a bare confirm/cancel toggle.
+- Changed approval safety overrides to prompt even in `yolo` / `--auto-approve` sessions, so critical tool-declared patterns no longer run unattended.
+- Changed `omp auth-broker login` to drive the per-provider OAuth/API-key flow in-process via `AuthStorage.login()` instead of spawning the `pi-ai` CLI subprocess. The `pi-ai` bin is being removed; the same login surface now lives entirely inside `omp`.
+- Changed the default per-line truncation cap for search/grep output (`DEFAULT_MAX_COLUMN`) from `1024` to `512` characters to keep wide minified single-line bundles from blowing out the model's context.
+- Changed `edit.hashlineAutoDropPureInsertDuplicates` to also fire on `A-B:payload` replacement ops when a single non-structural boundary payload line duplicates the line immediately above the deleted range (prefix) or immediately below it (suffix). Catches the common mistake of `A-B:foo` where the user meant `A-B!` but typed a payload that happens to match adjacent context. The existing 2+-line block absorb and balance-validated structural single-line absorb already covered the multi-line and structural-delimiter cases; this closes the single-line non-structural gap.
+
+### Fixed
+
+- Fixed the agent loop and bash executor busy-spinning when scheduler waits returned early. napi `uv_async_send` callbacks can wake the event loop after only ~1–2 ms even when the caller asked for a longer sleep, so `yieldIfDue()` now compensates by retrying `Bun.sleep()` until the requested wall-clock duration has elapsed, and the bash executor wraps its `runPromise`/timeout/abort race in an `ExponentialYield` (20 ms → 10 s) so long-running commands stop hot-looping on the race. Yields are additionally throttled by a module-level 50 ms gate, and losing timers in the race are aborted via `AbortSignal` so they don't keep firing after a winner is selected ([#1396](https://github.com/can1357/oh-my-pi/pull/1396) by [@hezhiyang2000](https://github.com/hezhiyang2000), closes [#1384](https://github.com/can1357/oh-my-pi/issues/1384)).
+- Fixed streaming edit previews going blank for inline-payload ops. `LINE↓payload` / `A-B:payload` are valid single-line writes, but the natural-order preview was skipping the entire op token until a newline arrived — so the first character the model typed after the sigil only appeared after the next line ended, and the renderer would fall back to rendering the raw `A-B: bla bla bla` input. Inline-body content on `op-insert` and `op-replace` tokens is now emitted as a `+payload` line on the same op tick.
+- Fixed `/usage` and the status-line reset countdown rendering stale negative deltas after a Codex window had elapsed: Codex keeps reporting the prior window's `reset_at` until a new request opens a fresh window, which turned the `resets in …` suffix into a meaningless negative duration. `formatDuration` now clamps non-positive, NaN, and infinite inputs to `0ms`, and both renderers suppress the `resets in …` suffix entirely once `resetsAt <= now`.
+- Fixed auto-handoff race at the context threshold: when `compaction.strategy = handoff` fired at `agent_end` with an active checkpoint or incomplete todos, the deferred handoff post-prompt task and the rewind/todo-completion path both scheduled work concurrently, so a fresh `agent.continue()` streamed a new assistant turn alongside the handoff LLM call (visible as the "Auto-handoff" loader plus an assistant message still streaming, with the chat container then rebuilt mid-stream). `#checkCompaction` now reports whether it deferred a handoff and the `agent_end` handler short-circuits the rewind/todo passes; `#scheduleAgentContinue` also skips when `isCompacting || isGeneratingHandoff`. The pre-prompt `#checkCompaction` call now forces inline execution (`allowDefer = false`) so the new turn cannot begin until the maintenance settles.
+- Fixed `/exit` and Ctrl+C-double-tap hanging when a deferred handoff was mid-flight: `AgentSession.dispose()` now aborts retry/compaction (auto-compaction + handoff) and the agent stream before draining `#cancelPostPromptTasks`, so the post-prompt task awaiting `generateHandoff` rejects and `Promise.allSettled` can resolve. Tool work (bash/eval/python) is intentionally still left for the existing dispose paths so shared kernels continue to survive across session dispose.
+
 ## [15.4.3] - 2026-05-26
 
 ### Fixed
 
-- Fixed Google Vertex cached project discovery replacing the bundled fallback catalog so `/models` does not keep showing outdated Gemini entries after authoritative Vertex discovery ([#1412](https://github.com/can1357/oh-my-pi/issues/1412)).
+- Fixed Google Vertex cached project discovery replacing the bundled fallback catalog so `/models` does not keep showing outdated Gemini entries after authoritative Vertex discovery, while keeping the bundled fallback in place when the cached snapshot is stale or non-authoritative (e.g. after an ADC discovery failure) ([#1412](https://github.com/can1357/oh-my-pi/issues/1412)).
 
 ## [15.4.2] - 2026-05-26
 
@@ -17,12 +44,10 @@
 ## [15.4.1] - 2026-05-26
 
 ### Breaking Changes
-
 - The `vim` edit mode option is no longer available; configurations using `edit.mode: vim` will be automatically mapped to `hashline` mode
 - Hashline payload semantics are now strictly inline-first: the first payload line is whatever follows the sigil on the op line itself, and subsequent lines append after it. A newline immediately after `↑`/`↓`/`:` is no longer a free separator — it produces a blank first payload line. Use `LINE↓content` for a one-line insert, `LINE↓firstline\nsecondline` for two lines; bare `LINE↓` / `LINE↑` / `LINE:` (no inline payload) still insert/replace with one blank line as before.
 
 ### Added
-
 - Added `irc.timeoutMs` setting to configure IRC message timeout duration with a default of 120 seconds
 - Added timeout enforcement for IRC send operations to prevent indefinite hangs when recipients are unresponsive
 - Added evaluator state inheritance for `task`-spawned subagents so JavaScript and Python variables are visible between a parent agent and its child sessions
@@ -35,6 +60,9 @@
 - Added file-read snapshot caching with multi-snapshot ring per path for recovery from agent's own writes
 - Added delete operation (`!`) support to hashline grammar for explicit line deletion
 - Added structural bracket/brace balance warnings when deleting lines with unclosed constructs
+- Added resource metadata URL (RFC 9728) support to OAuth discovery for chaining authorization server resolution from protected-resource metadata ([1407](https://github.com/can1357/oh-my-pi/pull/1407) by [@faizhasim](https://github.com/faizhasim))
+- Added path-prefixed well-known URL fallback in OAuth discovery to support authorization servers behind gateways with sub-path routing ([1407](https://github.com/can1357/oh-my-pi/pull/1407) by [@faizhasim](https://github.com/faizhasim))
+- Added relative URL resolution for `Mcp-Auth-Server` header values against the server URL ([1407](https://github.com/can1357/oh-my-pi/pull/1407) by [@faizhasim](https://github.com/faizhasim))
 
 ### Changed
 
@@ -62,9 +90,11 @@
 - Modified hashline grammar to accept optional file hash in headers and removed hash requirements from line anchors
 - Changed hashline diff preview format to use `LINE:content` instead of `LINE+HASH|content`
 - Updated prompt documentation to reflect new `¶PATH#HASH` header and bare line-number syntax
+- Updated `discoverOAuthEndpoints` to accept `resourceMetadataUrl` parameter and prioritize the resource-metadata chain ([1407](https://github.com/can1357/oh-my-pi/pull/1407) by [@faizhasim](https://github.com/faizhasim))
+- Updated `parseMcpAuthServerUrl` and `extractMcpAuthServerUrl` to accept optional `serverUrl` for relative URL resolution ([1407](https://github.com/can1357/oh-my-pi/pull/1407) by [@faizhasim](https://github.com/faizhasim))
+- Updated `MCPOAuthFlow.#resolveRegistrationEndpoint` to try origin-root well-known first, then fall back to path-prefixed well-known ([1407](https://github.com/can1357/oh-my-pi/pull/1407) by [@faizhasim](https://github.com/faizhasim))
 
 ### Removed
-
 - Removed the `installH2Fetch()` activation from CLI startup; HTTPS fetches now use Bun's default transport
 - Removed the `vim` edit mode along with the `VimTool` module, prompt, and supporting buffer/engine/renderer stack
 - Removed per-line hash anchors (2-letter bigram hashes) from hashline format
@@ -76,6 +106,7 @@
 
 ### Fixed
 
+- Fixed missing `await` on `#tryWellKnownForRegistration` call in `#resolveRegistrationEndpoint` that caused path-prefixed well-known fallback to never actually execute, returning the unresolved Promise object instead of the registration endpoint ([1407](https://github.com/can1357/oh-my-pi/pull/1407) by [@faizhasim](https://github.com/faizhasim))
 - Fixed JavaScript module reloading to refresh local re-exports when transitive dependency files are edited
 - Fixed Python tool calls in warm kernels to initialize once bridge environment variables appear after startup and to return a clear `tool bridge is unavailable` error when missing
 - Fixed IRC `send` handling to preserve recipient incoming messages when auto-reply timeouts instead of dropping them
@@ -83,7 +114,6 @@
 - Fixed JavaScript `eval` imports to preserve module-level singletons across re-imports of unchanged local files and reload them only after edits
 - Fixed concurrent Python evaluator tool calls to use per-run identifiers so tool responses and output are routed to the correct execution
 - Fixed the `search` tool argument validation to accept a single string `paths` value as a one-path search.
-
 ## [15.4.0] - 2026-05-26
 
 ### Breaking Changes
@@ -92,9 +122,24 @@
 
 ### Added
 
+- Added resolved subagent model badge to the task widget status line showing `<provider>/<id>` (with optional `:<thinkingLevel>` suffix when thinking is set explicitly), opt-in via `task.showResolvedModelBadge` Appearance setting (default off)
 - Added `codex` and `gemini` to the web search provider settings so users can configure OpenAI and Gemini web search directly from provider selection
 - Added OpenAI (`codex`) and Gemini web search options with updated setup descriptions for `omp /login openai-codex` and Gemini OAuth login
 - Added pretty-printing for wide JSON `data:` payloads in the raw provider-stream debug viewer so streamed event bodies expand across multiple `data:` lines instead of getting clipped by the per-line truncator, and updated the viewer header to read `raw provider stream (SSE + WS)` now that Codex WebSocket frames also flow through the buffer
+- Added per-tool approval policies with a `--auto-approve` (alias `--yolo`) CLI flag to bypass confirmation prompts for automation. Each tool call resolves a policy of `allow` / `deny` / `prompt` via a six-level lookup: overriding action exceptions, validated user config, non-overriding action exceptions, built-in defaults, validated user `_default`, and a system `prompt` fallback.
+- Added `tools.approval.<toolName>: allow | deny | prompt` user config support via the settings schema. Invalid values (non-strings, unknown literals) are now ignored and fall through to the built-in default instead of being silently honoured — preventing a typo from locking the user out of a tool or bypassing approval for one.
+- Added action-based exception registry covering LSP read-only actions (`diagnostics`/`definition`/`references`/etc. → `allow`), DAP debug inspection actions (`threads`/`stack_trace`/`variables`/`scopes`/`read_memory`/etc. → `allow`), and critical bash patterns (`rm -rf /`, `sudo rm`, fork bombs, `chmod -R 777 /`, `chown -R user /`, `curl ... | bash`, `bash <(curl ...)`, writes to `/etc/passwd|shadow|sudoers`, `shutdown`/`reboot`/`halt`/`init 0`/`kill -9 1`, `nc -e`/`nc -c` reverse shells → always `prompt`, even when bash is user-allowed).
+- Added approval check in `ExtensionToolWrapper.execute()` ahead of extension `tool_call` handlers, with an actionable error in non-interactive sessions (`--auto-approve` / `tools.approval.<tool>: allow` guidance).
+- Added MCP-tool labelling and bash/ssh command truncation in the approval prompt so `mcp__<server>__<tool>` calls are tagged as MCP server tools and a heredoc-sized command body doesn't blow out the confirmation dialog.
+- Added `docs/approval-mode.md` user guide and a 57-case unit suite covering the resolution order, every critical-bash pattern (with benign-keyword negatives to lock false-positives out), user-config validation, and prompt formatting.
+- Added `tools.approvalMode` global setting (Interaction tab in `/settings`) with values `auto` | `prompt` | `custom`. Defaults to `auto` so the agent runs every tool call without interruption — matching the `--auto-approve` / `--yolo` CLI flag. `prompt` uses built-in per-tool defaults only (read/find/search auto-allow; bash/edit/write/eval/ssh require confirmation; `tools.approval.<tool>` config is ignored). `custom` makes the `tools.approval.<tool>` config the source of truth — your settings win over built-in defaults, which fall back only for tools you haven't configured. CLI `--auto-approve` always wins. Critical safety patterns (e.g. `rm -rf /`, `curl … | bash`, fork bombs) keep prompting even when the tool is user-allowed.
+- Extended `CRITICAL_BASH_PATTERNS` to cover `source <(curl …)` / `. <(curl …)` and `eval "$(curl …)"` / `eval $(curl …)` / ``eval `curl …` `` (all common remote-fetch-then-execute shapes that the original `bash <(curl …)` regex missed), `chmod -R` symbolic modes (`u+x`, `u+rwx,o+w`) targeting filesystem root, and `tee` / `tee -a` writes to `/etc/{passwd,shadow,sudoers}`. Benign forms (`source ./local.sh`, `find . -name foo`, `chmod -R u+x ./build`, `tee /var/log/app.log`, `eval "$VAR"`) are pinned negative in the suite so future expansion can't regress false-positive rate.
+- Extended `formatApprovalPrompt` with payload previews for `eval` (language + first cell's code), `task` (agent + first task's id + assignment), `ast_edit` (first op's pattern / replacement / paths), `browser` (action + tab + url + code), and `write` content (alongside path). Previously these all rendered as bare `Allow tool: <name>` lines, giving the user no signal about what they were authorizing.
+- Decoupled the per-tool approval gate from extension-loading state: `ExtensionRunner` and the `ExtensionToolWrapper` per-tool gate are now constructed unconditionally in `createAgentSession`, regardless of whether any extensions are loaded. Previously the runner was created only when `extensionsResult.extensions.length > 0`, which silently disabled the entire approval system if no extensions (including `createAutoresearchExtension`) were loaded; a regression test in `approval-mode.test.ts` now locks the invariant.
+
+### Fixed
+
+- Fixed `isMcpToolName` over-matching any tool name containing `__` (an extension legally named `my__feature` or `pkg__util__do` was getting falsely labelled `Origin: MCP server tool` in the approval prompt). Restricted to the canonical `mcp__` prefix only.
 
 ### Changed
 
@@ -112,9 +157,34 @@
 - Fixed web search OAuth-backed providers (including Codex and Gemini) to use broker-managed token retrieval and account metadata, avoiding direct token-store refresh behavior that could cause search authentication failures
 - Updated Tavily missing-credential feedback to prompt users to configure an API-key provider setting instead of referencing `agent.db` directly
 - Refreshed expired OpenAI Codex OAuth tokens during `web_search` execution and persisted the updated credentials so searches continue working after token expiry
+- Fixed the browser tool's existing-tab re-navigation path (`tab-supervisor.acquireTab`) still defaulting to `waitUntil: "networkidle2"` while the new-tab worker switched to `"load"`. Identical `acquireTab({url})` calls behaved differently depending on whether the named tab was fresh or being reused — fresh tabs returned quickly, second invocations hung on dev servers with persistent WebSocket / HMR connections. Both paths now agree on `"load"`.
+- Fixed the `patch` tool's post-write verification `ToolError` embedding the absolute `resolvedPath` in its user-facing message; the outer composer in `executeSinglePathEntries` then prepended `Error editing ${path}: …`, double-embedding the path and leaking `$HOME` into the TUI. The error message now uses the caller-supplied relative `path` (matching the success branches); `resolvedPath` is retained only in the structured `context` metadata for log correlation.
+- Fixed `splitInternalUrlSel` keeping `mcp://` resource URIs fully opaque, including selector-shaped suffixes like `:raw`, `:1-50`, and `/:raw`. `McpProtocolHandler` resolves resources by verbatim URI match (`r.uri === uri`), so peeling before resource lookup can make valid server-defined resource IDs unreachable. MCP read-selector support now requires a future resolver-aware path that can try the exact URI before interpreting any suffix as a selector; non-MCP internal URL selectors are unchanged.
+- Fixed three correctness issues in the `find` tool. (1) `onMatch` guard checked the outer task `signal?.aborted` instead of `combinedSignal.aborted` (which also includes the per-call timeout signal), so late matches accumulated past the timeout. (2) Timeout-drained partial results were emitted in insertion order while the normal path sorts by mtime descending; callers relying on "most recently modified first" got an inconsistent ordering when the call timed out. The timeout drain now tracks per-entry mtime in a parallel array and applies the same comparator. (3) `validateFindPathInputs` now skips backslash-escaped commas (`\,`) when checking for top-level commas, matching `search.ts:containsTopLevelComma`.
+- Fixed `throwPreferredDapStartError` using a single `await Promise.resolve()` (one microtask) to let a concurrent launch/attach rejection settle before deciding which error to surface. That worked for synchronous-rejection test fakes but not real adapter I/O: the launch failure arrives via socket and lands several ticks after the `configurationDone` failure. `DapStartRequestFailure` now carries a `settled?: Promise<void>` that resolves when the underlying request settles either way, and `throwPreferredDapStartError` races against it with a 50 ms ceiling. The preferred error message (the underlying launch/attach failure rather than the cascade) now surfaces under real I/O.
+- Fixed `adapter: "debugpy"` over-promising in the `debug` tool. `resolveAdapter("debugpy", cwd)` only checks for `python` in `PATH`; it does not verify that the `debugpy` module is importable. Both failure modes — `python` missing and `debugpy` module missing — used to collapse onto a generic `"No suitable debug adapter found"` error. The launch/attach action now throws a targeted `ToolError` naming `python` when `resolveAdapter` returns null for an explicit `adapter: "debugpy"`, and the `DapSessionManager` spawn-catch detects `"No module named debugpy"` in adapter stderr and surfaces a `pip install debugpy` hint. The Python debug tool documentation lists the install hint so the prompt and runtime diagnostics agree.
+- Fixed the LSP symbol-resolver `BARE_IDENTIFIER_RE` (`/^[A-Za-z_][\w]*$/`) rejecting `$`-prefixed identifiers (`$store`, `$count`, RxJS observables, Svelte stores, Angular signals). Without the word-boundary check, searching for `$store` on a line containing `bar$store` returned the offset inside the compound identifier rather than the standalone occurrence, feeding a wrong column to the LSP server. Pattern now `/^[$A-Za-z_][\w$]*$/`; the companion `IDENTIFIER_CHAR_RE` already contained `$`.
+- Fixed `applyWorkspaceEdit` writing all text edits before walking `documentChanges` for resource operations. LSP §3.16.2 requires clients to apply `documentChanges` in declared order, so any server emitting `{kind: "create", uri: X}` followed by a `TextDocumentEdit` for `X` (e.g. "Extract to new file" code actions, some rename responses) broke: the edit ran against a non-existent file, then the create happened. `applyWorkspaceEdit` now walks `documentChanges` once in declared order; per-URI text edits are coalesced into a pending Map and flushed immediately before any subsequent resource op for the same URI. Legacy `changes`-map-only payloads are unchanged. Folder-level `rename`/`delete` ops now flush every pending URI under the affected subtree (not just the exact target) so child-file edits queued before a parent-folder move land at the original location instead of dangling against a non-existent path on the final flush. Rename ops additionally flush pending edits queued against `renameOp.newUri` (and its descendants) **before** `fs.rename` runs, so edits intended for the pre-rename target file are applied before the rename clobbers or replaces it (relevant under `options.overwrite`/`options.ignoreIfExists`). When a `WorkspaceEdit` payload supplies both `changes` and `documentChanges`, the `documentChanges` arm is now used exclusively per LSP §3.16.2 ("if documentChanges are supplied … servers should use them in preference to changes"); previously the two were merged.
+
+### Fixed
+
 - Fixed built-in `explore` agent failing every invocation with `schema_violation: files.0.ref: must not be present` on releases prior to 15.3.2 by renaming the `files[].ref` property to `files[].path` in the agent's output schema; `ref` is a JTD-reserved keyword (RFC 8927) and collides with JSON Type Definition's schema-reference form, so the converter previously dropped it from the generated JSON Schema. Defense-in-depth alongside the 15.3.2 converter fix ([#1379](https://github.com/can1357/oh-my-pi/issues/1379)).
 - Increased the `yield` tool's schema-validation retry budget from 1 to 3 so subagents whose first structured-output attempt mismatches the declared output schema get up to three retries before the parent's post-mortem `schema_violation` check hard-fails the task. The tool now also surfaces remaining retry attempts and an explicit "call yield again with the corrected shape" directive in each rejection message, giving the model the context it needs to converge — particularly helpful for models like GLM that tend to invent per-element field names instead of following the declared schema.
 - Fixed CLI PDF file arguments being decoded as raw bytes for local vision models; `.pdf` and other supported document files now go through the same Markit conversion path as the `read` tool before entering the prompt ([#1401](https://github.com/can1357/oh-my-pi/issues/1401)).
+- Fixed the `bash` tool hanging until the 305 s hard timeout when a command writes a file via heredoc on Windows (bodies > ~4 KiB) or macOS (bodies > 16-64 KiB). Root cause was in the embedded brush shell; see `@oh-my-pi/pi-natives` changelog for the underlying fix.
+
+### Fixed
+
+- Fixed `/review` custom prompt orchestration text to use static prompt templates and consistently instruct reviewer task delegation.
+- Fixed `/review` custom-instructions submission on terminals that cannot distinguish Ctrl+Enter by using prompt-style input where Enter submits and Shift+Enter inserts a newline.
+- Fixed hook editor submissions sending large-paste placeholders such as `[paste #1 +27 lines]` instead of the pasted content.
+- Added per-tool approval policies with a `--auto-approve` (alias `--yolo`) CLI flag to bypass confirmation prompts for automation. Each tool call resolves a policy of `allow` / `deny` / `prompt` via a six-level lookup: overriding action exceptions, validated user config, non-overriding action exceptions, built-in defaults, validated user `_default`, and a system `prompt` fallback.
+- Added `tools.approval.<toolName>: allow | deny | prompt` user config support via the settings schema. Invalid values (non-strings, unknown literals) are now ignored and fall through to the built-in default instead of being silently honoured — preventing a typo from locking the user out of a tool or bypassing approval for one.
+- Added action-based exception registry covering LSP read-only actions (`diagnostics`/`definition`/`references`/etc. → `allow`), DAP debug inspection actions (`threads`/`stack_trace`/`variables`/`scopes`/`read_memory`/etc. → `allow`), and critical bash patterns (`rm -rf /`, `sudo rm`, fork bombs, `chmod -R 777 /`, `chown -R user /`, `curl ... | bash`, `bash <(curl ...)`, writes to `/etc/passwd|shadow|sudoers`, `shutdown`/`reboot`/`halt`/`init 0`/`kill -9 1`, `nc -e`/`nc -c` reverse shells → always `prompt`, even when bash is user-allowed).
+- Added approval check in `ExtensionToolWrapper.execute()` ahead of extension `tool_call` handlers, with an actionable error in non-interactive sessions (`--auto-approve` / `tools.approval.<tool>: allow` guidance).
+- Added MCP-tool labelling and bash/ssh command truncation in the approval prompt so `mcp__<server>__<tool>` calls are tagged as MCP server tools and a heredoc-sized command body doesn't blow out the confirmation dialog.
+- Added `docs/approval-mode.md` user guide and a 57-case unit suite covering the resolution order, every critical-bash pattern (with benign-keyword negatives to lock false-positives out), user-config validation, and prompt formatting.
+- Added `tools.approvalMode` global setting (Interaction tab in `/settings`) with values `auto` | `prompt` | `custom`. Defaults to `auto` so the agent runs every tool call without interruption — matching the `--auto-approve` / `--yolo` CLI flag. `prompt` uses built-in per-tool defaults only (read/find/search auto-allow; bash/edit/write/eval/ssh require confirmation; `tools.approval.<tool>` config is ignored). `custom` makes the `tools.approval.<tool>` config the source of truth — your settings win over built-in defaults, which fall back only for tools you haven't configured. CLI `--auto-approve` always wins. Critical safety patterns (e.g. `rm -rf /`, `curl … | bash`, fork bombs) keep prompting even when the tool is user-allowed.
 
 ## [15.3.2] - 2026-05-25
 ### Added

package/dist/types/cli/args.d.ts

@@ -40,6 +40,8 @@ export interface Args {
     noRules?: boolean;
     listModels?: string | true;
     noTitle?: boolean;
+    autoApprove?: boolean;
+    approvalMode?: "always-ask" | "write" | "yolo";
     messages: string[];
     fileArgs: string[];
     /** Unknown flags (potentially extension flags) - map of flag name to value */

package/dist/types/cli/auth-broker-cli.d.ts

@@ -1,4 +1,4 @@
-export type AuthBrokerAction = "serve" | "token" | "login" | "logout" | "status" | "import" | "migrate";
+export type AuthBrokerAction = "serve" | "token" | "login" | "logout" | "status" | "import" | "migrate" | "list";
 export interface AuthBrokerCommandArgs {
     action: AuthBrokerAction;
     flags: {

package/dist/types/commands/launch.d.ts

@@ -111,6 +111,14 @@ export default class Index extends Command {
         "no-title": import("@oh-my-pi/pi-utils/cli").FlagDescriptor<"boolean"> & {
             description: string;
         };
+        "auto-approve": import("@oh-my-pi/pi-utils/cli").FlagDescriptor<"boolean"> & {
+            aliases: string[];
+            description: string;
+        };
+        "approval-mode": import("@oh-my-pi/pi-utils/cli").FlagDescriptor<"string"> & {
+            options: string[];
+            description: string;
+        };
     };
     static examples: string[];
     static strict: boolean;

package/dist/types/config/settings-schema.d.ts

@@ -1924,7 +1924,7 @@ export declare const SETTINGS_SCHEMA: {
         readonly ui: {
             readonly tab: "editing";
             readonly label: "Hashline Duplicate Insert Drop";
-            readonly description: "Drop 2+ pure-insert payload lines that duplicate adjacent file context";
+            readonly description: "Drop payload lines that duplicate adjacent file context \u2014 2+-line context echoes on `\u2191`/`\u2193` inserts, and a single boundary line at either edge of an `A-B:` replacement";
         };
     };
     readonly "edit.blockAutoGenerated": {
@@ -2135,6 +2135,38 @@ export declare const SETTINGS_SCHEMA: {
             readonly description: "Whether to keep IPython kernel alive across calls";
         };
     };
+    readonly "tools.approval": {
+        readonly type: "record";
+        readonly default: {};
+        readonly ui: {
+            readonly tab: "tools";
+            readonly label: "Tool Approval Policies";
+            readonly description: "Per-tool approval policies. Set to 'allow' to auto-approve, 'prompt' to require confirmation, or 'deny' to block. Overrides are honored in every approval mode.";
+        };
+    };
+    readonly "tools.approvalMode": {
+        readonly type: "enum";
+        readonly values: readonly ["always-ask", "write", "yolo"];
+        readonly default: "yolo";
+        readonly ui: {
+            readonly tab: "interaction";
+            readonly label: "Tool Approval";
+            readonly description: "Default approval behaviour for tool calls. 'Always ask' auto-approves read-only tools only. 'Write' auto-approves read and workspace-write tools. 'Yolo' auto-approves every tier unless a tool declares a safety override. `tools.approval.<tool>` overrides are honored in every mode.";
+            readonly options: readonly [{
+                readonly value: "always-ask";
+                readonly label: "Always ask";
+                readonly description: "Auto-approve read-only tools; require confirmation for write and exec tools.";
+            }, {
+                readonly value: "write";
+                readonly label: "Write";
+                readonly description: "Auto-approve read-only and write tools; require confirmation for exec tools such as bash, eval, browser, task, recipe, and ssh.";
+            }, {
+                readonly value: "yolo";
+                readonly label: "Yolo";
+                readonly description: "Auto-approve read, write, and exec tools. Safety overrides declared by tools (for example critical bash patterns) still require confirmation.";
+            }];
+        };
+    };
     readonly "todo.enabled": {
         readonly type: "boolean";
         readonly default: true;
@@ -2887,6 +2919,15 @@ export declare const SETTINGS_SCHEMA: {
             }];
         };
     };
+    readonly "task.showResolvedModelBadge": {
+        readonly type: "boolean";
+        readonly default: false;
+        readonly ui: {
+            readonly tab: "appearance";
+            readonly label: "Show Resolved Model Badge";
+            readonly description: "Display the actual model ID used by each subagent in the task widget status line";
+        };
+    };
     readonly "skills.enabled": {
         readonly type: "boolean";
         readonly default: true;

package/dist/types/edit/index.d.ts

@@ -22,6 +22,8 @@ type EditParams = ReplaceParams | PatchParams | HashlineParams | ApplyPatchParam
 export declare class EditTool implements AgentTool<TInput> {
     #private;
     private readonly session;
+    readonly approval: (args: unknown) => "read" | "write";
+    readonly formatApprovalDetails: (args: unknown) => string[];
     readonly name = "edit";
     readonly label = "Edit";
     readonly loadMode = "essential";

package/dist/types/extensibility/custom-tools/types.d.ts

@@ -4,7 +4,7 @@
  * Custom tools are TypeScript modules that define additional tools for the agent.
  * They can provide custom rendering for tool calls and results in the TUI.
  */
-import type { AgentToolResult, AgentToolUpdateCallback } from "@oh-my-pi/pi-agent-core";
+import type { AgentToolResult, AgentToolUpdateCallback, ToolApproval, ToolApprovalDecision, ToolTier } from "@oh-my-pi/pi-agent-core";
 import type { CompactionResult } from "@oh-my-pi/pi-agent-core/compaction";
 import type { Model, Static, TSchema } from "@oh-my-pi/pi-ai";
 import type { Component } from "@oh-my-pi/pi-tui";
@@ -20,7 +20,7 @@ import type { TodoItem } from "../../tools/todo-write";
 export type CustomToolUIContext = HookUIContext;
 export type { ExecOptions, ExecResult } from "../../exec/exec";
 /** Re-export for custom tools to use in execute signature */
-export type { AgentToolResult, AgentToolUpdateCallback };
+export type { AgentToolResult, AgentToolUpdateCallback, ToolApproval, ToolApprovalDecision, ToolTier };
 /** Pending action entry consumed by the hidden resolve tool */
 export interface CustomToolPendingAction {
     /** Human-readable preview label shown in resolve flow */
@@ -74,6 +74,8 @@ export interface CustomToolContext {
     abort(): void;
     /** Settings instance for the current session. Prefer over the global singleton. */
     settings?: Settings;
+    /** Whether to auto-approve all destructive tool operations (--auto-approve CLI flag) */
+    autoApprove?: boolean;
 }
 /** Session event passed to onSession callback */
 export type CustomToolSessionEvent = {
@@ -174,6 +176,10 @@ export interface CustomTool<TParams extends TSchema = TSchema, TDetails = any> {
     mcpServerName?: string;
     /** Original MCP tool name for discovery/search metadata. */
     mcpToolName?: string;
+    /** Capability tier declaration used by approval gates. Omitted means "exec". */
+    approval?: ToolApproval;
+    /** Lines appended after the standard approval prompt header. */
+    formatApprovalDetails?: (args: unknown) => string | string[] | undefined;
     /**
      * Execute the tool.
      * @param toolCallId - Unique ID for this tool call

package/dist/types/extensibility/hooks/types.d.ts

@@ -90,10 +90,14 @@ export interface HookUIContext {
      * Supports Ctrl+G to open external editor ($VISUAL or $EDITOR).
      * @param title - Title describing what is being edited
      * @param prefill - Optional initial text
+     * @param options - Optional dialog controls such as an abort signal
+     * @param editorOptions - Optional editor behavior; `promptStyle` makes Enter submit and Shift+Enter insert a newline
      * @returns Edited text, or undefined if cancelled (Escape)
      */
     editor(title: string, prefill?: string, options?: {
         signal?: AbortSignal;
+    }, editorOptions?: {
+        promptStyle?: boolean;
     }): Promise<string | undefined>;
     /**
      * Get the current theme for styling text with ANSI codes.

package/dist/types/lsp/index.d.ts

@@ -1,4 +1,4 @@
-import type { AgentTool, AgentToolContext, AgentToolResult, AgentToolUpdateCallback } from "@oh-my-pi/pi-agent-core";
+import type { AgentTool, AgentToolContext, AgentToolResult, AgentToolUpdateCallback, ToolApprovalDecision } from "@oh-my-pi/pi-agent-core";
 import type { BunFile } from "bun";
 import { type Theme } from "../modes/theme/theme";
 import type { ToolSession } from "../tools";
@@ -7,6 +7,12 @@ import { renderCall, renderResult } from "./render";
 import { type LspParams, type LspToolDetails, lspSchema } from "./types";
 export type { LspServerStatus } from "./client";
 export type { LspToolDetails } from "./types";
+/**
+ * LSP actions that do not mutate the workspace or language-server state.
+ * Anything not in this set (rename, code_actions with apply, rename_file,
+ * reload, raw request, etc.) is classified as write-tier.
+ */
+export declare const LSP_READONLY_ACTIONS: ReadonlySet<string>;
 export interface LspStartupServerInfo {
     name: string;
     status: "connecting" | "ready" | "error";
@@ -89,6 +95,8 @@ export declare function createLspWritethrough(cwd: string, options?: Writethroug
 export declare class LspTool implements AgentTool<typeof lspSchema, LspToolDetails, Theme> {
     private readonly session;
     readonly name = "lsp";
+    readonly approval: (args: unknown) => ToolApprovalDecision;
+    readonly formatApprovalDetails: (args: unknown) => string[];
     readonly label = "LSP";
     readonly loadMode = "discoverable";
     readonly summary = "Query LSP (language server) for diagnostics, hover info, and references";

package/dist/types/mcp/client.d.ts

@@ -1,7 +1,8 @@
 import type { MCPGetPromptResult, MCPPrompt, MCPRequestOptions, MCPResource, MCPResourceReadResult, MCPResourceTemplate, MCPServerCapabilities, MCPServerConfig, MCPServerConnection, MCPToolCallResult, MCPToolDefinition } from "./types";
 /**
  * Connect to an MCP server.
- * Has a 30 second timeout to prevent blocking startup.
+ * Has a 30 second timeout by default to prevent blocking startup.
+ * Set OMP_MCP_TIMEOUT_MS=0 to disable MCP client-side timeouts.
  */
 export declare function connectToServer(name: string, config: MCPServerConfig, options?: {
     signal?: AbortSignal;

package/dist/types/mcp/oauth-discovery.d.ts

@@ -15,9 +15,10 @@ export interface AuthDetectionResult {
     authType?: "oauth" | "apikey" | "unknown";
     oauth?: OAuthEndpoints;
     authServerUrl?: string;
+    resourceMetadataUrl?: string;
     message?: string;
 }
-export declare function extractMcpAuthServerUrl(error: Error): string | undefined;
+export declare function extractMcpAuthServerUrl(error: Error, serverUrl?: string): string | undefined;
 /**
  * Detect if an error indicates authentication is required.
  * Checks for common auth error patterns.
@@ -32,9 +33,9 @@ export declare function extractOAuthEndpoints(error: Error): OAuthEndpoints | nu
  * Analyze an error to determine authentication requirements.
  * Returns structured info about what auth is needed.
  */
-export declare function analyzeAuthError(error: Error): AuthDetectionResult;
+export declare function analyzeAuthError(error: Error, serverUrl?: string): AuthDetectionResult;
 /**
  * Try to discover OAuth endpoints by querying the server's well-known endpoints.
  * This is a fallback when error responses don't include OAuth metadata.
  */
-export declare function discoverOAuthEndpoints(serverUrl: string, authServerUrl?: string): Promise<OAuthEndpoints | null>;
+export declare function discoverOAuthEndpoints(serverUrl: string, authServerUrl?: string, resourceMetadataUrl?: string): Promise<OAuthEndpoints | null>;

package/dist/types/mcp/timeout.d.ts

@@ -0,0 +1,9 @@
+export declare function resolveMCPTimeoutMs(configTimeout?: number): number;
+export declare function isMCPTimeoutEnabled(timeoutMs: number): boolean;
+export declare function describeMCPTimeout(timeoutMs: number): string;
+export declare function getNeverAbortSignal(): AbortSignal;
+export declare function createMCPTimeout(timeoutMs: number, signal?: AbortSignal): {
+    signal?: AbortSignal;
+    clear: () => void;
+    isTimeoutAbort: (error: unknown) => boolean;
+};

package/dist/types/mcp/types.d.ts

@@ -45,7 +45,7 @@ export interface MCPAuthConfig {
 interface MCPServerConfigBase {
     /** Whether this server is enabled (default: true) */
     enabled?: boolean;
-    /** Connection timeout in milliseconds (default: 30000) */
+    /** MCP request timeout in milliseconds (default: 30000, 0 to disable) */
     timeout?: number;
     /** Authentication configuration (optional) */
     auth?: MCPAuthConfig;

package/dist/types/sdk.d.ts

@@ -125,6 +125,8 @@ export interface CreateAgentSessionOptions {
      * `@opentelemetry/api` package returns a no-op tracer in that case.
      */
     telemetry?: AgentTelemetryConfig;
+    /** Whether to auto-approve all tool calls (--auto-approve CLI flag). Default: false */
+    autoApprove?: boolean;
 }
 /** Result from createAgentSession */
 export interface CreateAgentSessionResult {

package/dist/types/session/streaming-output.d.ts

@@ -1,7 +1,7 @@
 import type { AgentToolUpdateCallback } from "@oh-my-pi/pi-agent-core";
 export declare const DEFAULT_MAX_LINES = 3000;
 export declare const DEFAULT_MAX_BYTES: number;
-export declare const DEFAULT_MAX_COLUMN = 1024;
+export declare const DEFAULT_MAX_COLUMN = 512;
 export interface OutputSummary {
     output: string;
     truncated: boolean;

package/dist/types/task/index.d.ts

@@ -20,6 +20,8 @@ export declare class TaskTool implements AgentTool<TaskToolSchemaInstance, TaskT
     #private;
     private readonly session;
     readonly name = "task";
+    readonly approval: "exec";
+    readonly formatApprovalDetails: (args: unknown) => string[];
     readonly label = "Task";
     readonly summary = "Spawn a subagent to complete a parallel task";
     readonly strict = true;

package/dist/types/task/types.d.ts

@@ -188,6 +188,8 @@ export interface AgentProgress {
     cost: number;
     durationMs: number;
     modelOverride?: string | string[];
+    /** Resolved model display string in the form `<provider>/<id>`, optionally suffixed with `:<thinkingLevel>` when the level was set explicitly. Undefined when the model could not be resolved. */
+    resolvedModel?: string;
     /** Data extracted by registered subprocess tool handlers (keyed by tool name) */
     extractedToolData?: Record<string, unknown[]>;
     /**
@@ -245,6 +247,8 @@ export interface SingleResult {
     /** Model's context window in tokens, when known. */
     contextWindow?: number;
     modelOverride?: string | string[];
+    /** Resolved model display string in the form `<provider>/<id>`, optionally suffixed with `:<thinkingLevel>` when the level was set explicitly. Omitted from tool-result JSON when undefined to keep wire payloads small. */
+    resolvedModel?: string;
     error?: string;
     aborted?: boolean;
     abortReason?: string;

package/dist/types/tools/approval.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Tool approval resolution.
+ *
+ * Approval policy is declared by each tool. This module only knows how to:
+ * - normalize user `tools.approval.<tool>: allow | deny | prompt` overrides,
+ * - compare a tool capability tier against the active approval mode,
+ * - format the generic approval prompt body.
+ */
+import type { AgentTool, ToolTier } from "@oh-my-pi/pi-agent-core";
+export type { ToolApproval, ToolApprovalDecision, ToolTier } from "@oh-my-pi/pi-agent-core";
+export type ApprovalPolicy = "allow" | "deny" | "prompt";
+export type ApprovalMode = "always-ask" | "write" | "yolo";
+type ApprovalSubject = Pick<AgentTool, "name" | "approval" | "formatApprovalDetails">;
+export interface ResolvedApproval {
+    policy: ApprovalPolicy;
+    tier: ToolTier;
+    reason?: string;
+    override: boolean;
+}
+/**
+ * Resolve approval policy for a tool call.
+ *
+ * Resolution order:
+ *  1. Tool `approval(args)` decision, defaulting to tier "exec" when omitted.
+ *  2. User per-tool override, if set and valid.
+ *  3. Active mode tier comparison.
+ *
+ * Tool decisions with `override: true` force a prompt in every mode unless the
+ * user explicitly denies the tool; deny remains the strongest policy.
+ */
+export declare function resolveApproval(tool: ApprovalSubject, args: unknown, mode: ApprovalMode, userConfig?: Record<string, unknown>): ResolvedApproval;
+/**
+ * Check if a tool call requires user approval.
+ *
+ * @throws Error if policy is 'deny'
+ * @returns Object with required flag and optional reason for the prompt
+ */
+export declare function requiresApproval(tool: ApprovalSubject, args: unknown, mode: ApprovalMode, userConfig?: Record<string, unknown>): {
+    required: boolean;
+    reason?: string;
+};
+export declare function truncateForPrompt(value: string, maxChars?: number): string;
+/**
+ * Format the approval prompt body shown to the user.
+ */
+export declare function formatApprovalPrompt(tool: ApprovalSubject, args: unknown, reason?: string): string;

package/dist/types/tools/ask.d.ts

@@ -61,6 +61,7 @@ export declare class AskTool implements AgentTool<typeof askSchema, AskToolDetai
     #private;
     private readonly session;
     readonly name = "ask";
+    readonly approval: "read";
     readonly label = "Ask";
     readonly summary = "Ask the user a clarifying question";
     readonly description: string;

package/dist/types/tools/ast-edit.d.ts

@@ -38,6 +38,8 @@ export interface AstEditToolDetails {
 export declare class AstEditTool implements AgentTool<typeof astEditSchema, AstEditToolDetails> {
     private readonly session;
     readonly name = "ast_edit";
+    readonly approval: (args: unknown) => "read" | "write";
+    readonly formatApprovalDetails: (args: unknown) => string[];
     readonly label = "AST Edit";
     readonly summary = "Perform AST-aware code edits (structural refactoring)";
     readonly description: string;

package/dist/types/tools/ast-grep.d.ts

@@ -35,6 +35,7 @@ export interface AstGrepToolDetails {
 export declare class AstGrepTool implements AgentTool<typeof astGrepSchema, AstGrepToolDetails> {
     private readonly session;
     readonly name = "ast_grep";
+    readonly approval: "read";
     readonly label = "AST Grep";
     readonly summary = "Search code with AST patterns (structural grep)";
     readonly description: string;

package/dist/types/tools/bash.d.ts

@@ -1,4 +1,4 @@
-import type { AgentTool, AgentToolContext, AgentToolResult, AgentToolUpdateCallback } from "@oh-my-pi/pi-agent-core";
+import type { AgentTool, AgentToolContext, AgentToolResult, AgentToolUpdateCallback, ToolApprovalDecision } from "@oh-my-pi/pi-agent-core";
 import type { Component } from "@oh-my-pi/pi-tui";
 import * as z from "zod/v4";
 import type { RenderResultOptions } from "../extensibility/custom-tools/types";
@@ -6,6 +6,14 @@ import { type Theme } from "../modes/theme/theme";
 import type { ToolSession } from ".";
 import { type OutputMeta } from "./output-meta";
 export declare const BASH_DEFAULT_PREVIEW_LINES = 10;
+/**
+ * Bash patterns that force an approval prompt even in yolo mode.
+ *
+ * Kept intentionally tight — the cost of a false positive is one extra prompt;
+ * the cost of a false negative is data loss or a compromised host. New patterns
+ * should target shapes that are virtually never legitimate in automation.
+ */
+export declare const CRITICAL_BASH_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
 declare const bashSchemaBase: z.ZodObject<{
     command: z.ZodString;
     env: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
@@ -52,6 +60,8 @@ export declare class BashTool implements AgentTool<BashToolSchema, BashToolDetai
     #private;
     private readonly session;
     readonly name = "bash";
+    readonly approval: (args: unknown) => ToolApprovalDecision;
+    readonly formatApprovalDetails: (args: unknown) => string[];
     readonly label = "Bash";
     readonly loadMode = "essential";
     readonly description: string;

package/dist/types/tools/browser.d.ts

@@ -68,6 +68,8 @@ export declare class BrowserTool implements AgentTool<typeof browserSchema, Brow
     #private;
     private readonly session;
     readonly name = "browser";
+    readonly approval: "exec";
+    readonly formatApprovalDetails: (args: unknown) => string[];
     readonly label = "Browser";
     readonly loadMode = "discoverable";
     readonly summary = "Control a headless browser to navigate and interact with web pages";

package/dist/types/tools/calculator.d.ts

@@ -27,6 +27,7 @@ type CalculatorParams = z.infer<typeof calculatorSchema>;
  */
 export declare class CalculatorTool implements AgentTool<typeof calculatorSchema, CalculatorToolDetails> {
     readonly name = "calc";
+    readonly approval: "read";
     readonly label = "Calc";
     readonly summary = "Evaluate a mathematical expression";
     readonly loadMode = "discoverable";

package/dist/types/tools/checkpoint.d.ts

@@ -31,6 +31,7 @@ export interface RewindToolDetails {
 export declare class CheckpointTool implements AgentTool<typeof checkpointSchema, CheckpointToolDetails> {
     private readonly session;
     readonly name = "checkpoint";
+    readonly approval: "read";
     readonly label = "Checkpoint";
     readonly summary = "Create a git-based checkpoint to save and restore session state";
     readonly description: string;
@@ -47,6 +48,7 @@ export declare class CheckpointTool implements AgentTool<typeof checkpointSchema
 export declare class RewindTool implements AgentTool<typeof rewindSchema, RewindToolDetails> {
     private readonly session;
     readonly name = "rewind";
+    readonly approval: "read";
     readonly label = "Rewind";
     readonly summary = "Rewind to a previously created checkpoint";
     readonly description: string;