@parallel-cli/parallel 0.4.3 → 0.4.5

package/CHANGELOG.md

@@ -2,6 +2,64 @@
 
 All notable changes to Parallel are documented here.
 
+## 0.4.5 - 2026-06-23
+
+### 0.4.5 Added
+
+- Added explicit hub, focus, and attach input contexts with context-specific hints and filtered command suggestions.
+- Added agent argument autocomplete for `/focus`, `/send`, `/attach`, `/pause`, `/resume`, `/stop`, `/restore`, and `/commit`.
+- Added attach-terminal routing for `@all`, `@agent`, and `/send`, so dedicated terminals can broadcast or steer another agent through the main session.
+- Added richer hub rows using latest useful agent signals, specialist badges, context percentage, and responsive timeline widths.
+- Added durable session memory for claims, recent diff excerpts, file activity, work-map warnings, agent aliases, provider/model metadata, specialist, and context usage.
+- Added shell mutation tracking: files changed by `run_command` now appear in live diffs, file activity, and agent commit ownership.
+- Added a non-blocking work map that surfaces overlapping claims and repeated co-edit conflicts in `/board` and agent context.
+
+### 0.4.5 Changed
+
+- Clarified agent naming around `Name: task` syntax in README examples.
+- Made `/raw` visible only when it affects the active focus view.
+- Reset focus scroll follow-tail behavior when switching focused agents.
+- Improved session restore so `/restore` can target saved agents by name, alias, or id when their conversation is available.
+
+### 0.4.5 Fixed
+
+- Fixed attach-terminal `@all` being treated as plain text to the attached agent.
+- Fixed restored note ids drifting by resynchronizing blackboard note and change sequences after loading session data.
+- Fixed shell-created edits being invisible to `/diff`, `/board`, and `/commit`.
+
+## 0.4.4 - 2026-06-23
+
+### 0.4.4 Added
+
+- Added tool-level safeguards for `/ask` and `/plan`: ask agents cannot mutate project state, and plan agents must get explicit approval before mutating files or running risky shell commands.
+- Added session-only provider setup for `/settings-session`, with an explicit choice between temporary session use and saving globally.
+- Expanded `/doctor` into actionable readiness diagnostics for provider, model, key, local endpoints, attach socket, `git`, and `gh`.
+- Added scrolling/windowing budgets to long TUI views such as board, notes, diffs, cost, skills, specialists, and sessions.
+- Added saved-session restore hints and clearer `/restore` errors.
+
+### 0.4.4 Changed
+
+- Reworked the README to render consistently on both GitHub and npm.
+- Replaced wide Markdown tables and fixed-width command blocks with npm-friendly lists.
+- Removed provider-specific environment variable guidance from the public README so provider setup remains neutral.
+- Documented DeepSeek only as one provider preset in the Chinese provider group, not as a special standalone setup path.
+- Made `@all` steer active agents directly instead of only posting a passive note.
+- Made `/plan` timeouts safe by requiring manual approval before mutations are unlocked.
+- Increased the saved sessions list window from 8 to 20 and shows `/save [name]` labels in `/sessions`.
+- Bumped the TUI header version to `0.4.4`.
+
+### 0.4.4 Fixed
+
+- Fixed `/commit message...` with exactly one agent so the first word is treated as part of the message, not as a missing agent name.
+- Fixed `/project` and `/wizard` transitions by warning when active agents are running unless `--force` is passed.
+- Fixed local/custom provider setup so localhost endpoints do not require an API key and placeholder models are not considered ready.
+- Fixed stale focus after agents disappear through clear, stop, project switch, session load, or restore.
+- Fixed `/settings-session` key entry so provider setup reaches the session-only vs global-save choice instead of returning early.
+- Fixed first-run custom provider setup so it reviews/edits endpoints and skips API keys for localhost endpoints.
+- Fixed filesystem boundary checks so agent tools reject sibling paths with a shared project-root prefix.
+- Fixed TUI clipping risks by budgeting the hub by rendered rows and applying body-height windowing to notes/diffs.
+- Fixed Settings Escape handling so typed inputs clear before navigating back.
+
 ## 0.4.3 - 2026-06-23
 
 ### 0.4.3 Added
@@ -32,7 +90,7 @@ All notable changes to Parallel are documented here.
 - Fixed session settings accidentally behaving like global provider mutation in several flows.
 - Fixed bare model IDs containing `:` such as `qwen3-coder:480b`.
 - Fixed stale default provider normalization during config load and provider removal.
-- Fixed `DEEPSEEK_API_KEY` overriding whichever provider happened to be default; it now targets DeepSeek only.
+- Fixed provider-specific environment overrides leaking into whichever provider happened to be default.
 - Fixed local endpoints being blocked by missing API keys.
 - Fixed sensitive `/key ...` entries being stored in input history.
 - Fixed tiny pseudo-TTY dimensions causing negative string repeat values in the TUI header.
@@ -49,7 +107,7 @@ All notable changes to Parallel are documented here.
 
 ### 0.4.2 Changed
 
-- Reworked the README provider section to be provider-agnostic instead of DeepSeek-centered.
+- Reworked the README provider section to be provider-agnostic.
 - Updated provider tables, endpoint documentation, and model catalog references.
 - Removed internal docs from remote tracking and kept them out of the public package.
 

package/README.md

@@ -16,9 +16,12 @@ Parallel lets you run several AI coding agents on the same repository at the sam
 - Run multiple agents in parallel on one project.
 - Choose explicit modes: `/ask`, `/task`, and `/plan`.
 - Type plain text to launch a task agent immediately.
+- Use context-aware input in the hub, focus view, and attached agent terminals.
 - Steer one agent with `@a1 ...` or broadcast with `@all ...`.
 - Open dedicated agent terminals with native scrollback.
+- See a richer live hub with latest agent signals, mode badges, context usage, and responsive timelines.
 - Review agents, notes, file activity, diffs, cost, skills, specialists, and saved sessions from the TUI.
+- Track shell-created file mutations in the same live diff feed as agent edits.
 - Configure OpenAI-compatible providers through a guided wizard and settings panel.
 - Use 29 provider presets across Western, Chinese, Gateway, Inference, and Local categories.
 - Support local no-key endpoints such as Ollama and vLLM/SGLang.
@@ -79,9 +82,9 @@ Plain text launches a `/task` agent. You can launch another agent while the firs
 Use explicit modes when intent matters:
 
 ```text
-/ask reviewer should we split the CLI parser?
-/plan migration propose the safest rollout for the config change
-/task builder implement the approved plan
+/ask Reviewer: should we split the CLI parser?
+/plan Migration: propose the safest rollout for the config change
+/task Builder: implement the approved plan
 ```
 
 Steer a running agent:
@@ -96,13 +99,13 @@ Broadcast to every agent:
 @all stop changing public interfaces until the test agent finishes
 ```
 
+`@all` steers active agents in real time. Finished, stopped, or errored agents are not relaunched by a broadcast.
+
 ## Agent Modes
 
-| Mode | Use it for | Behavior |
-| --- | --- | --- |
-| `/ask` | Questions, reviews, audits, tradeoffs | Answers and advises without editing files. |
-| `/task` | Implementation work | Executes, edits, validates, and summarizes. |
-| `/plan` | Risky or unclear work | Inspects first, presents a plan, then edits only after approval. |
+- `/ask`: questions, reviews, audits, and tradeoffs. The agent answers and advises; mutating tools and shell commands are blocked.
+- `/task`: implementation work. The agent can execute, edit, validate, and summarize.
+- `/plan`: risky or unclear work. The agent inspects first, presents a plan, then edits only after explicit approval. A timeout does not approve the plan.
 
 Aliases:
 
@@ -122,29 +125,42 @@ The main TUI is the Parallel hub. It is designed to answer:
 - what changed in the project
 - what model, provider, shell mode, and cost are active
 
-Common hub commands:
+Input has three explicit contexts:
+
+- Hub: plain text launches a new `/task` agent. Slash suggestions show hub commands and agent arguments autocomplete for `/focus`, `/send`, `/attach`, `/pause`, `/resume`, `/stop`, `/restore`, and `/commit`.
+- Focus: after `/focus a1`, plain text talks to the focused agent instead of spawning a new one. `/raw` affects this view only.
+- Attach: in `parallel attach a1`, plain text steers the attached agent. `/task`, `/ask`, and `/plan` spawn new agents from that terminal, while `@all ...`, `@a2 ...`, and `/send ...` route instructions through the main session.
+
+Use `Name: task` when naming an agent:
 
 ```text
-/agents              agent overview
-/focus a1            inspect and steer one agent
-/raw                 toggle raw detail in focus view
-/board               shared blackboard, claims, notes, file activity
-/diff                live diff history
-/cost                token and cost breakdown
-/sessions            saved sessions
-/settings            global settings
-/settings-session    session-only settings
-/project [folder]    change project folder
-/wizard              rerun setup wizard
+/task Tests: add regression coverage for the auth middleware
+/plan Migration: outline the safest database rollout
 ```
 
+Common hub commands:
+
+- `/agents`: agent overview.
+- `/focus a1`: inspect and steer one agent.
+- `/raw`: toggle raw detail in focus view.
+- `/board`: shared blackboard, claims, notes, and file activity.
+- `/diff`: live diff history.
+- `/cost`: token and cost breakdown.
+- `/sessions`: saved sessions.
+- `/settings`: global settings.
+- `/settings-session`: session-only settings.
+- `/project [folder]`: change project folder.
+- `/wizard`: rerun setup wizard.
+
+Commands are typed in the control room input. When a long view is open, use Escape to return to the agents view/input.
+
 Keyboard behavior:
 
 - `/` opens slash command suggestions.
 - Up/Down selects suggestions when a suggestion menu is open.
 - Enter accepts the selected suggestion.
 - Tab or Right accepts the best completion.
-- Up/Down scrolls long views such as `/help`.
+- PgUp/PgDn scrolls the hub or focus view even while the input is active. Up/Down scrolls long views and navigates suggestions/history.
 - Escape returns to the agents view or clears the input.
 
 Best terminal size is around `120x34`. Parallel adapts to smaller terminals, but the hub is most readable with enough width for model, folder, status, and agent summaries.
@@ -170,9 +186,12 @@ From an attached terminal:
 
 ```text
 plain text sends a message to this agent
-/task write parser regression tests
-/ask is this result safe to merge?
-/plan prepare a migration plan
+@all pause public interface changes until tests finish
+@a2 re-read the API client before editing it
+/send a2 check the new parser contract
+/task Tests: write parser regression tests
+/ask Reviewer: is this result safe to merge?
+/plan Migration: prepare a migration plan
 /raw
 /quit
 ```
@@ -202,101 +221,93 @@ Provider setup is guided in both the first-run wizard and `/settings`:
 4. Enter the provider API key if the provider requires one.
 5. Save globally or use the provider/model for the current session.
 
-Local providers such as Ollama and vLLM/SGLang do not require an API key. You can still review and edit their endpoints.
+Local providers such as Ollama, vLLM/SGLang, and custom localhost OpenAI-compatible endpoints do not require an API key. You can still review and edit their endpoints. Ollama/local OpenAI-compatible endpoints can detect models from `/models`; vLLM/SGLang requires replacing the `your-model-here` placeholder before it is considered ready.
 
 Useful settings commands:
 
-```text
-/settings            global language, providers, keys, defaults, approvals
-/settings-session    temporary model, provider, approvals, sound
-/model               show current session model
-/model provider:id   switch model for this session
-/doctor              check provider/model/API key readiness
-```
+- `/settings`: global language, providers, keys, defaults, and approvals.
+- `/settings-session`: temporary model, provider, approvals, and sound. New providers can be used for this session only or saved globally.
+- `/model`: show the current session model.
+- `/model provider:id`: switch model for this session.
+- `/doctor`: check provider, model, API key, local endpoint reachability, attach socket, `git`, and `gh`.
 
 Configuration is stored in `~/.parallel/config.json`.
 
 Environment variables:
 
-| Variable | Purpose |
-| --- | --- |
-| `PARALLEL_API_KEY` | API key for the current default provider. |
-| `DEEPSEEK_API_KEY` | API key for the DeepSeek provider only. |
-| `PARALLEL_BASE_URL` | Override the default provider base URL. |
-| `PARALLEL_MODEL` | Override the session model. |
-| `PARALLEL_NO_ALT_SCREEN=1` | Disable the alternate terminal screen. |
+- `PARALLEL_API_KEY`: API key for the current default provider.
+- `PARALLEL_BASE_URL`: override the default provider base URL.
+- `PARALLEL_MODEL`: override the session model.
+- `PARALLEL_NO_ALT_SCREEN=1`: disable the alternate terminal screen.
 
 ## Commands
 
 ### Create Agents
 
-| Command | Description |
-| --- | --- |
-| `/ask [Name:] <question> [--model=m]` | Launch an ask-only agent. |
-| `/task [Name:] <task> [--model=m] [#skill]` | Launch a task agent. Plain text does the same. |
-| `/plan [Name:] <task> [--model=m]` | Launch a plan-first agent. |
-| `/issue <n>` | Spawn a task from a GitHub issue using the `gh` CLI. |
-| `/specialist <name> <task>` | Spawn with a specialist persona. |
-| `/specialist new <name> [global]` | Create a specialist template. |
-| `/skill new <name> [global]` | Create a skill template. |
+- `/ask [Name:] <question> [--model=m]`: launch an ask-only agent.
+- `/task [Name:] <task> [--model=m] [#skill]`: launch a task agent. Plain text does the same.
+- `/plan [Name:] <task> [--model=m]`: launch a plan-first agent. It cannot mutate files or run risky shell commands until you manually approve the plan.
+- `/issue <n>`: spawn a task from a GitHub issue. Requires the `gh` CLI, a GitHub repository, and `gh auth login`.
+- `/specialist <name> <task>`: spawn with a specialist persona.
+- `/specialist new <name> [global]`: create a specialist template.
+- `/skill new <name> [global]`: create a skill template.
 
 ### Steer Agents
 
-| Command | Description |
-| --- | --- |
-| `@agent <message>` | Send a live instruction to one agent. |
-| `@all <message>` | Broadcast an instruction to all agents. |
-| `/send <agent\|all> <message>` | Command form of live steering. |
-| `/attach <agent\|on\|off>` | Open an agent terminal or toggle automatic terminals. |
-| `/focus <agent\|off>` | Route plain input to one agent instead of spawning new agents. |
-| `/pause <agent\|all>` | Pause at the next action boundary. |
-| `/resume <agent\|all>` | Resume paused agents. |
-| `/stop <agent\|all>` | Stop running agents. |
-| `/clear` | Remove finished agents from the current display. |
-| `/raw` | Toggle conversation-raw view. |
-| `/copy` | Copy the latest completed result to clipboard. |
+- `@agent <message>`: send a live instruction to one agent.
+- `@all <message>`: broadcast an instruction to all agents.
+- `/send <agent|all> <message>`: command form of live steering.
+- `/attach <agent|on|off>`: open an agent terminal or toggle automatic terminals.
+- `/focus <agent|off>`: route plain input to one agent instead of spawning new agents.
+- `/pause <agent|all>`: pause at the next action boundary.
+- `/resume <agent|all>`: resume paused agents.
+- `/stop <agent|all>`: stop running agents.
+- `/clear`: remove finished agents from the current display.
+- `/raw`: toggle conversation-raw view.
+- `/copy`: copy the latest completed result to clipboard.
 
 ### Git Safety
 
-| Command | Description |
-| --- | --- |
-| `/undo [agent]` | Revert the last file change made by an agent, with conflict detection. |
-| `/commit [agent\|all] [message]` | Commit files touched by an agent or by all agents. |
-| `/autocommit <on\|off>` | Commit each agent's changes automatically when it finishes. |
+- `/undo [agent]`: revert the last file change made by an agent, with conflict detection.
+- `/commit [agent|all] [message]`: commit only files touched by the selected agent or by all agents. It does not run `git add -A`. With exactly one agent, `/commit message...` uses that agent and treats the rest as the message.
+- `/autocommit <on|off>`: commit each agent's touched files automatically when it finishes. This is session-only.
 
 ### Views And Sessions
 
-| Command | Description |
-| --- | --- |
-| `/agents` | Agent overview. |
-| `/board` | Shared blackboard, file activity, claims, and notes. |
-| `/notes` | Full notes history. |
-| `/diff` | Live diff history. |
-| `/cost` | Token and cost breakdown. |
-| `/status` | Session model, approval mode, agents, cost snapshot. |
-| `/skills` | Available skills. |
-| `/specialists` | Available specialists. |
-| `/save [name]` | Save the current session. |
-| `/sessions` | List saved sessions. |
-| `/session <n\|latest>` | Restore a saved session. |
-| `/restore <agent>` | Relaunch a restored agent with its conversation history. |
+- `/agents`: agent overview.
+- `/board`: shared blackboard, file activity, claims, and notes.
+- `/notes`: full notes history.
+- `/diff`: live diff history.
+- `/cost`: token and cost breakdown.
+- `/status`: session model, approval mode, agents, and cost snapshot.
+- `/skills`: available skills.
+- `/specialists`: available specialists.
+- `/save [name]`: save the current session.
+- `/sessions`: list saved sessions.
+- `/session <n|latest>`: load a saved session snapshot. If active agents are running, use `/session <n|latest> --force` after saving/stopping what you need.
+- `/restore <agent>`: relaunch a restored agent by name, alias, or saved id when its conversation history is still available.
+
+Session memory has two layers:
+
+- Live memory: active agents see statuses, notes, claims, work-map warnings, file activity, and recent diffs before every model action.
+- Durable memory: `/save` and autosave persist notes, claims, recent diff excerpts, file activity, work-map warnings, agent aliases, model/provider metadata, context usage, and conversation paths for restore.
+
+Restore is best effort and explicit. `/session` reloads coordination memory into the blackboard; `/restore <agent>` relaunches an agent only when the saved conversation file still exists. Restored agents keep their prior task, mode, model, specialist, and conversation when available.
 
 ### Settings And Exit
 
-| Command | Description |
-| --- | --- |
-| `/model [[provider:]model]` | Show or switch the session model. |
-| `/approvals <ask\|auto\|auto-safe\|yolo>` | Set shell approvals for this session. |
-| `/sound <on\|off>` | Toggle terminal bell notifications. |
-| `/settings` | Edit global language, providers, keys, defaults, and approvals. |
-| `/settings-session` | Edit session-only model, approvals, and sound. |
-| `/project [folder]` | Change project folder or reopen the folder picker. |
-| `/folder [folder]` | Alias for `/project`. |
-| `/wizard` | Relaunch the setup wizard. |
-| `/setup` | Alias for `/wizard`. |
-| `/doctor` | Check provider, key, and model configuration. |
-| `/help` | Full command reference. |
-| `/quit` | Save the session and exit. |
+- `/model [[provider:]model]`: show or switch the session model.
+- `/approvals <ask|auto|auto-safe|yolo>`: set shell approvals for this session.
+- `/sound <on|off>`: toggle terminal bell notifications.
+- `/settings`: edit global language, providers, keys, defaults, and approvals.
+- `/settings-session`: edit session-only model, provider, approvals, and sound.
+- `/project [folder]`: change project folder or reopen the folder picker. If agents are active, use `/project [folder] --force` after saving/stopping what you need.
+- `/folder [folder]`: alias for `/project`.
+- `/wizard`: relaunch the setup wizard. If agents are active, use `/wizard --force` after saving/stopping what you need.
+- `/setup`: alias for `/wizard`.
+- `/doctor`: run local readiness diagnostics for provider, key, model, endpoint, attach socket, and Git tooling.
+- `/help`: full command reference.
+- `/quit`: save the session and exit.
 
 When there is exactly one agent, commands such as `/undo`, `/focus`, `/pause`, `/resume`, `/stop`, and `/commit` can omit the agent name.
 
@@ -310,11 +321,9 @@ Parallel separates agent modes from shell approval behavior.
 /approvals yolo
 ```
 
-| Mode | Behavior |
-| --- | --- |
-| `ask` | Ask before shell commands unless explicitly allowed. |
-| `auto-safe` | Auto-approve safe inspection/build/test commands and ask for risky commands. |
-| `yolo` | Auto-approve every shell command. Intended for trusted/headless usage only. |
+- `ask`: ask before shell commands unless explicitly allowed.
+- `auto-safe`: auto-approve safe inspection/build/test commands and ask for risky commands.
+- `yolo`: auto-approve every shell command. Intended for trusted/headless usage only.
 
 `auto` is accepted as a compatibility spelling for `auto-safe`.
 
@@ -353,6 +362,10 @@ When an agent writes a file:
 
 This keeps agents moving without allowing silent overwrites.
 
+Commands run through `run_command` are also snapshotted before and after execution. If a shell command edits, creates, or deletes tracked project files, Parallel records those mutations in `/diff`, `/board`, and `/commit` ownership just like tool-based edits.
+
+The work map is advisory, not a lock. Agents can declare claims with `claim_files`; Parallel detects overlapping claims and repeated conflicts, then shows non-blocking warnings in `/board` and injects them into agent context so agents can coordinate before collisions become expensive.
+
 ## Headless Mode
 
 For CI and scripts, run without the TUI:

package/dist/agents/agent.js

@@ -27,7 +27,7 @@ ${mode === 'ask'
 - Explore first with read-only tools.
 - Before modifying any file or running mutating commands, call ask_user with a concrete implementation plan.
 - The plan must include steps, files you expect to touch, risks, and validation.
-- Use options ["Approve", "Revise"], recommended "Approve".
+- Use options ["Approve", "Revise"], recommended "Revise" so timeout never approves changes.
 - Start editing only after explicit "Approve".
 - Finish with task_complete using this user-facing structure in ${userLang}: "Plan appliqué", "Ce que j’ai modifié", "Validation", "Risques restants".`
         : `TASK MODE:
@@ -97,7 +97,7 @@ export class Agent {
         this.llm = opts.llm;
         this.board = opts.board;
         this.maxSteps = opts.maxSteps;
-        this.executor = new ToolExecutor(opts.board, opts.id, opts.name, opts.projectRoot, opts.requestApproval, opts.requestQuestion, opts.skills);
+        this.executor = new ToolExecutor(opts.board, opts.id, opts.name, opts.projectRoot, opts.requestApproval, opts.requestQuestion, opts.skills, opts.mode);
         const info = {
             id: opts.id,
             name: opts.name,

package/dist/agents/tools.js

@@ -2,8 +2,21 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { exec } from 'node:child_process';
 import * as Diff from 'diff';
-const IGNORED = new Set(['node_modules', '.git', '.parallel', 'dist', '__pycache__', '.venv', 'venv']);
+const IGNORED = new Set(['node_modules', '.git', '.parallel', '.cursor', 'dist', '__pycache__', '.venv', 'venv']);
 const MAX_OUTPUT = 12_000;
+const MUTATING_TOOLS = new Set(['write_file', 'edit_file', 'claim_files', 'remember']);
+function isMutatingShell(command) {
+    const c = command.toLowerCase();
+    if (/\b(rm|mv|cp|chmod|chown|mkdir|touch|truncate)\b/.test(c))
+        return true;
+    if (/\b(git\s+(add|commit|push|pull|merge|rebase|checkout|switch|reset|clean|stash|tag))\b/.test(c))
+        return true;
+    if (/\b(npm|pnpm|yarn)\s+(install|add|remove|update|audit\s+fix)\b/.test(c))
+        return true;
+    if (/[>|]\s*(sh|bash)\b/.test(c) || /\b(curl|wget)\b.*\|\s*(sh|bash)/.test(c))
+        return true;
+    return false;
+}
 export const TOOL_DEFINITIONS = [
     {
         type: 'function',
@@ -228,11 +241,13 @@ export class ToolExecutor {
     requestApproval;
     requestQuestion;
     skills;
+    mode;
     /** Last content this agent has seen for each file — basis of adaptive merging. */
     lastRead = new Map();
     /** Questions already asked — capped at 3 per task. */
     questionsAsked = 0;
-    constructor(board, agentId, agentName, projectRoot, requestApproval, requestQuestion, skills) {
+    planApproved = false;
+    constructor(board, agentId, agentName, projectRoot, requestApproval, requestQuestion, skills, mode = 'task') {
         this.board = board;
         this.agentId = agentId;
         this.agentName = agentName;
@@ -240,10 +255,13 @@ export class ToolExecutor {
         this.requestApproval = requestApproval;
         this.requestQuestion = requestQuestion;
         this.skills = skills;
+        this.mode = mode;
     }
     resolve(rel) {
-        const abs = path.resolve(this.projectRoot, rel);
-        if (!abs.startsWith(path.resolve(this.projectRoot))) {
+        const root = path.resolve(this.projectRoot);
+        const abs = path.resolve(root, rel);
+        const relative = path.relative(root, abs);
+        if (relative.startsWith('..') || path.isAbsolute(relative)) {
             throw new Error(`Path outside the project refused: ${rel}`);
         }
         return abs;
@@ -251,8 +269,65 @@ export class ToolExecutor {
     relOf(p) {
         return path.relative(this.projectRoot, this.resolve(p)) || '.';
     }
+    snapshotProject() {
+        const snapshot = new Map();
+        const walk = (dir, depth) => {
+            if (depth > 8)
+                return;
+            let entries;
+            try {
+                entries = fs.readdirSync(dir, { withFileTypes: true });
+            }
+            catch {
+                return;
+            }
+            for (const e of entries) {
+                if (IGNORED.has(e.name) || e.name.startsWith('.git'))
+                    continue;
+                const full = path.join(dir, e.name);
+                const relPath = path.relative(this.projectRoot, full);
+                if (e.isDirectory()) {
+                    walk(full, depth + 1);
+                    continue;
+                }
+                if (!e.isFile())
+                    continue;
+                try {
+                    const stat = fs.statSync(full);
+                    if (stat.size > 750_000)
+                        continue;
+                    snapshot.set(relPath, fs.readFileSync(full, 'utf8'));
+                }
+                catch {
+                    /* binary/unreadable files are ignored for diff tracking */
+                }
+            }
+        };
+        walk(this.projectRoot, 0);
+        return snapshot;
+    }
+    recordShellMutations(before) {
+        const after = this.snapshotProject();
+        const paths = new Set([...before.keys(), ...after.keys()]);
+        let count = 0;
+        for (const relPath of [...paths].sort()) {
+            const oldContent = before.get(relPath);
+            const newContent = after.get(relPath);
+            if (oldContent === newContent)
+                continue;
+            this.board.addChange(this.agentId, relPath, oldContent ?? '', newContent ?? '');
+            this.board.recordActivity(relPath, this.agentId, 'shell');
+            count++;
+        }
+        if (count > 0)
+            this.board.log(this.agentId, 'tool', `✏ shell changed ${count} file${count === 1 ? '' : 's'}`);
+        return count;
+    }
     async execute(name, args) {
         try {
+            const guard = this.guardTool(name, args);
+            if (guard)
+                return guard;
             switch (name) {
                 case 'list_files':
                     return this.listFiles(args?.path ?? '.');
@@ -293,6 +368,22 @@ export class ToolExecutor {
             return `ERROR: ${err?.message ?? String(err)}`;
         }
     }
+    guardTool(name, args) {
+        if (this.mode === 'ask') {
+            if (MUTATING_TOOLS.has(name) || name === 'run_command') {
+                return `DENIED: this agent is in /ask mode. It can inspect and advise, but cannot modify files, run shell commands, claim files, or write memory.`;
+            }
+        }
+        if (this.mode === 'plan' && !this.planApproved) {
+            if (MUTATING_TOOLS.has(name)) {
+                return `DENIED: this agent is in /plan mode and the plan has not been approved yet. Present the plan with ask_user and wait for "Approve" before modifying project state.`;
+            }
+            if (name === 'run_command' && isMutatingShell(String(args?.command ?? ''))) {
+                return `DENIED: this shell command looks mutating. In /plan mode, run only read-only inspection before approval; ask_user for plan approval first.`;
+            }
+        }
+        return null;
+    }
     /**
      * Ask the user a multiple-choice question. NEVER blocks forever: the UI shows
      * a visible 30s countdown and falls back to the recommended option (auto-run).
@@ -312,9 +403,14 @@ export class ToolExecutor {
         this.questionsAsked++;
         this.board.setAgentState(this.agentId, 'waiting', `question: ${question.slice(0, 60)}`);
         this.board.log(this.agentId, 'note', `❓ ${question}`);
-        const answer = await this.requestQuestion(this.agentId, question, options, recommended);
+        const response = await this.requestQuestion(this.agentId, question, options, recommended);
+        const answer = response.answer;
+        if (this.mode === 'plan' && !response.auto && answer.trim().toLowerCase().startsWith('approve')) {
+            this.planApproved = true;
+        }
         this.board.setAgentState(this.agentId, 'working');
-        return `The user answered: "${answer}". Act on this choice now (${3 - this.questionsAsked} question(s) left for this task).`;
+        const source = response.auto ? 'The timeout auto-selected' : 'The user answered';
+        return `${source}: "${answer}". Act on this choice now (${3 - this.questionsAsked} question(s) left for this task).`;
     }
     /** Declare (advisory) work areas — visible to the user and the other agents. */
     claimFiles(args) {
@@ -550,6 +646,7 @@ export class ToolExecutor {
         }
         this.board.setAgentState(this.agentId, 'working', `$ ${command.slice(0, 60)}`);
         this.board.log(this.agentId, 'tool', `$ ${command}`);
+        const before = this.snapshotProject();
         return new Promise((resolve) => {
             exec(command, { cwd: this.projectRoot, timeout: 120_000, maxBuffer: 4 * 1024 * 1024 }, (err, stdout, stderr) => {
                 let out = '';
@@ -564,8 +661,9 @@ export class ToolExecutor {
                 if (out.length > MAX_OUTPUT)
                     out = out.slice(0, MAX_OUTPUT) + '\n... (output truncated)';
                 const result = out || '(no output, success)';
+                const changed = this.recordShellMutations(before);
                 this.board.log(this.agentId, 'tool_result', result);
-                resolve(result);
+                resolve(changed > 0 ? `${result}\n\nTracked shell mutations: ${changed} file${changed === 1 ? '' : 's'}.` : result);
             });
         });
     }