@paths.design/caws-cli 9.2.0 → 9.3.0

package/templates/.caws/tools/scope-guard.js

@@ -1,208 +1,152 @@
 #!/usr/bin/env node
 
 /**
- * @fileoverview CAWS Scope Guard
- * Enforces that experimental code stays within designated sandbox areas
+ * @fileoverview CAWS Scope Guard (file-level)
+ * Checks whether a given file path is within scope of active specs.
+ * Used by Cursor hooks for scope validation on file attachments.
  * @author @darianrosebrook
  */
 
 const fs = require('fs');
-const { execSync } = require('child_process');
+const path = require('path');
 
 /**
- * Check if experimental code is properly contained
- * @param {string} workingSpecPath - Path to working spec file
- * @returns {Object} Scope validation results
+ * Convert a glob pattern to a RegExp, handling **, *, ?, [abc], {a,b}
  */
-function checkExperimentalContainment(workingSpecPath = '.caws/working-spec.yaml') {
-  try {
-    if (!fs.existsSync(workingSpecPath)) {
-      console.error('❌ Working spec not found:', workingSpecPath);
-      return { valid: false, errors: ['Working spec not found'] };
-    }
-
-    const yaml = require('js-yaml');
-    const spec = yaml.load(fs.readFileSync(workingSpecPath, 'utf8'));
-
-    const results = {
-      valid: true,
-      errors: [],
-      warnings: [],
-      experimentalFiles: [],
-      nonExperimentalFiles: [],
-    };
-
-    // Only check if experimental mode is enabled
-    if (!spec.experimental_mode?.enabled) {
-      console.log('ℹ️  Experimental mode not enabled - skipping containment check');
-      return results;
+function globToRegex(pattern) {
+  let i = 0, re = '';
+  while (i < pattern.length) {
+    const c = pattern[i];
+    if (c === '*' && pattern[i + 1] === '*') {
+      re += '.*'; i += 2;
+      if (pattern[i] === '/') i++; // skip trailing slash after **
+    } else if (c === '*') {
+      re += '[^/]*'; i++;
+    } else if (c === '?') {
+      re += '[^/]'; i++;
+    } else if (c === '[') {
+      const end = pattern.indexOf(']', i);
+      if (end > i) { re += pattern.slice(i, end + 1); i = end + 1; }
+      else { re += '\\['; i++; }
+    } else if (c === '{') {
+      const end = pattern.indexOf('}', i);
+      if (end > i) {
+        const alts = pattern.slice(i + 1, end).split(',').map(a => a.trim());
+        re += '(?:' + alts.join('|') + ')'; i = end + 1;
+      } else { re += '\\{'; i++; }
+    } else if ('.+^$|()'.includes(c)) {
+      re += '\\' + c; i++;
+    } else {
+      re += c; i++;
     }
+  }
+  return new RegExp(re);
+}
 
-    const sandboxLocation = spec.experimental_mode.sandbox_location || 'experimental/';
-    console.log(`🔍 Checking containment for experimental code in: ${sandboxLocation}`);
+const TERMINAL = new Set(['completed', 'closed', 'archived']);
 
-    // Get list of changed files (this would typically come from git diff)
-    const changedFiles = getChangedFiles();
+/**
+ * Check if a file is within scope of active specs.
+ * @param {string} filePath - Relative path from project root
+ * @param {string} projectDir - Project root directory
+ * @returns {{inScope: boolean, reason: string}}
+ */
+function checkFileScope(filePath, projectDir) {
+  // Smart allowlist: root-level files, .caws/, .claude/ always pass
+  if (!filePath.includes('/') || filePath.startsWith('.caws/') || filePath.startsWith('.claude/')) {
+    return { inScope: true, reason: 'allowlisted path' };
+  }
 
-    if (changedFiles.length === 0) {
-      console.log('ℹ️  No files changed - skipping scope check');
-      return results;
-    }
+  const specFile = path.join(projectDir, '.caws/working-spec.yaml');
+  const specsDir = path.join(projectDir, '.caws/specs');
 
-    // Check each changed file
-    changedFiles.forEach((file) => {
-      const isInSandbox =
-        file.startsWith(sandboxLocation) ||
-        file.includes(`/${sandboxLocation}`) ||
-        file.includes(sandboxLocation);
-
-      if (isInSandbox) {
-        results.experimentalFiles.push(file);
-        console.log(`✅ Experimental file properly contained: ${file}`);
-      } else {
-        results.nonExperimentalFiles.push(file);
-        results.valid = false;
-        results.errors.push(`Experimental code found outside sandbox: ${file}`);
-        console.error(`❌ Experimental code outside sandbox: ${file}`);
-      }
-    });
-
-    // Check if experimental files actually exist
-    results.experimentalFiles.forEach((file) => {
-      if (!fs.existsSync(file)) {
-        results.warnings.push(`Experimental file not found (may have been deleted): ${file}`);
-        console.warn(`⚠️  Experimental file not found: ${file}`);
-      }
-    });
+  if (!fs.existsSync(specFile) && !fs.existsSync(specsDir)) {
+    return { inScope: true, reason: 'no specs found' };
+  }
 
-    return results;
-  } catch (error) {
-    console.error('❌ Error checking experimental containment:', error.message);
-    return { valid: false, errors: [error.message] };
+  // Load all active specs
+  let yaml;
+  try { yaml = require('js-yaml'); } catch (_) {
+    return { inScope: true, reason: 'js-yaml not available' };
   }
-}
 
-/**
- * Get list of changed files from git
- * @returns {Array} List of changed file paths
- */
-function getChangedFiles() {
-  try {
-    // Get files that are staged or modified
-    const staged = execSync('git diff --cached --name-only', { encoding: 'utf8' })
-      .split('\n')
-      .filter((file) => file.trim());
-
-    const modified = execSync('git diff --name-only', { encoding: 'utf8' })
-      .split('\n')
-      .filter((file) => file.trim());
-
-    // Combine and deduplicate
-    const allFiles = [...new Set([...staged, ...modified])];
-
-    // Filter out deleted files (they might still be in the diff)
-    return allFiles.filter((file) => {
-      try {
-        return fs.existsSync(file);
-      } catch {
-        return false;
+  const specs = [];
+
+  if (fs.existsSync(specFile)) {
+    try {
+      const s = yaml.load(fs.readFileSync(specFile, 'utf8'));
+      if (s && !TERMINAL.has(s.status)) {
+        specs.push({ source: 'working-spec', spec: s });
       }
-    });
-  } catch (error) {
-    console.warn('⚠️  Could not get changed files from git:', error.message);
-    return [];
+    } catch (_) {}
   }
-}
 
-/**
- * Validate that experimental code follows containment rules
- * @param {string} workingSpecPath - Path to working spec file
- */
-function validateExperimentalScope(workingSpecPath = '.caws/working-spec.yaml') {
-  console.log('🔍 Validating experimental code containment...');
-
-  const results = checkExperimentalContainment(workingSpecPath);
-
-  if (!results.valid) {
-    console.error('\n❌ Experimental containment validation failed:');
-    results.errors.forEach((error) => {
-      console.error(`   - ${error}`);
-    });
-
-    if (results.warnings.length > 0) {
-      console.warn('\n⚠️  Warnings:');
-      results.warnings.forEach((warning) => {
-        console.warn(`   - ${warning}`);
-      });
+  if (fs.existsSync(specsDir)) {
+    for (const f of fs.readdirSync(specsDir).filter(f => f.endsWith('.yaml') || f.endsWith('.yml'))) {
+      try {
+        const s = yaml.load(fs.readFileSync(path.join(specsDir, f), 'utf8'));
+        if (s && !TERMINAL.has(s.status)) {
+          specs.push({ source: f, spec: s });
+        }
+      } catch (_) {}
     }
+  }
 
-    console.error('\n💡 To fix containment issues:');
-    console.error('   1. Move experimental code to the designated sandbox location');
-    console.error('   2. Update the sandbox_location in your working spec');
-    console.error('   3. Or disable experimental mode if this is production code');
+  if (specs.length === 0) {
+    return { inScope: true, reason: 'no active specs' };
+  }
 
-    process.exit(1);
+  // Check scope.out — any match blocks
+  for (const { source, spec } of specs) {
+    for (const pattern of (spec.scope?.out || [])) {
+      if (globToRegex(pattern).test(filePath)) {
+        return { inScope: false, reason: `out-of-scope in ${source} (pattern: ${pattern})` };
+      }
+    }
   }
 
-  if (results.warnings.length > 0) {
-    console.warn('\n⚠️  Experimental containment warnings:');
-    results.warnings.forEach((warning) => {
-      console.warn(`   - ${warning}`);
-    });
+  // Union all scope.in — must match at least one
+  const allIn = specs.flatMap(({ spec }) => spec.scope?.in || []);
+  if (allIn.length > 0) {
+    const found = allIn.some(pattern => globToRegex(pattern).test(filePath));
+    if (!found) {
+      return { inScope: false, reason: 'not in any active spec scope.in' };
+    }
   }
 
-  console.log('✅ Experimental code containment validated');
-  console.log(`   - Files in sandbox: ${results.experimentalFiles.length}`);
-  console.log(`   - Files outside sandbox: ${results.nonExperimentalFiles.length}`);
+  return { inScope: true, reason: 'in scope' };
 }
 
 // CLI interface
 if (require.main === module) {
   const command = process.argv[2];
-  const specPath = process.argv[3] || '.caws/working-spec.yaml';
-
-  switch (command) {
-    case 'validate':
-      validateExperimentalScope(specPath);
-      break;
-
-    case 'check':
-      const results = checkExperimentalContainment(specPath);
-      console.log('\n📊 Containment Check Results:');
-      console.log(`   Valid: ${results.valid}`);
-      console.log(`   Experimental files: ${results.experimentalFiles.length}`);
-      console.log(`   Non-experimental files: ${results.nonExperimentalFiles.length}`);
-      console.log(`   Errors: ${results.errors.length}`);
-      console.log(`   Warnings: ${results.warnings.length}`);
-
-      if (results.errors.length > 0) {
-        console.log('\n❌ Errors:');
-        results.errors.forEach((error) => console.log(`   - ${error}`));
-      }
-
-      if (results.warnings.length > 0) {
-        console.log('\n⚠️  Warnings:');
-        results.warnings.forEach((warning) => console.log(`   - ${warning}`));
-      }
-
-      process.exit(results.valid ? 0 : 1);
-      break;
-
-    default:
-      console.log('CAWS Scope Guard');
-      console.log('Usage:');
-      console.log('  node scope-guard.js validate [spec-path]');
-      console.log('  node scope-guard.js check [spec-path]');
-      console.log('');
-      console.log('Examples:');
-      console.log('  node scope-guard.js validate');
-      console.log('  node scope-guard.js check .caws/working-spec.yaml');
+  const filePath = process.argv[3];
+
+  if (command === 'check' && filePath) {
+    // Resolve relative to cwd
+    const projectDir = process.cwd();
+    const rel = filePath.startsWith(projectDir)
+      ? filePath.slice(projectDir.length + 1)
+      : filePath;
+
+    const result = checkFileScope(rel, projectDir);
+    if (result.inScope) {
+      console.log(`in_scope: ${result.reason}`);
+      process.exit(0);
+    } else {
+      console.error(`out_of_scope: ${result.reason}`);
       process.exit(1);
+    }
+  } else {
+    console.log('CAWS Scope Guard');
+    console.log('Usage:');
+    console.log('  node scope-guard.js check <file-path>');
+    console.log('');
+    console.log('Examples:');
+    console.log('  node scope-guard.js check src/index.js');
+    console.log('  node scope-guard.js check packages/cli/lib/main.ts');
+    process.exit(1);
   }
 }
 
-module.exports = {
-  checkExperimentalContainment,
-  validateExperimentalScope,
-  getChangedFiles,
-};
+module.exports = { checkFileScope, globToRegex };

package/templates/.claude/hooks/audit.sh

@@ -88,6 +88,31 @@ case "$EVENT_TYPE" in
     ;;
 esac
 
+# --- Log rotation ---
+# Keep main audit.log under 10MB; keep date-logs for 30 days
+rotate_logs() {
+  # Rotate main audit.log at 10MB
+  if [[ -f "$LOG_FILE" ]]; then
+    local size
+    size=$(wc -c < "$LOG_FILE" 2>/dev/null | tr -d ' ')
+    if [[ "$size" -gt 10485760 ]]; then
+      # Keep last rotated copy, discard older
+      [[ -f "${LOG_FILE}.1" ]] && rm -f "${LOG_FILE}.1"
+      mv "$LOG_FILE" "${LOG_FILE}.1"
+    fi
+  fi
+
+  # Prune date-based logs older than 30 days
+  if [[ -d "$LOG_DIR" ]]; then
+    find "$LOG_DIR" -name 'audit-*.log' -type f -mtime +30 -delete 2>/dev/null || true
+  fi
+}
+
+# Run rotation check ~1% of the time (avoid stat overhead on every tool call)
+if [[ $(( RANDOM % 100 )) -eq 0 ]]; then
+  rotate_logs
+fi
+
 # Append to log files
 echo "$LOG_ENTRY" >> "$LOG_FILE"
 echo "$LOG_ENTRY" >> "$DATE_LOG_FILE"

package/templates/.claude/hooks/block-dangerous.sh

@@ -75,6 +75,8 @@ DANGEROUS_PATTERNS=(
   'git clean -f'
   'git checkout \.'
   'git restore \.'
+  '(^|&&|\|\||;|\|)\s*git rebase'
+  '(^|&&|\|\||;|\|)\s*git cherry-pick'
 
   # Virtual environment creation (prevents venv sprawl)
   'python -m venv'
@@ -91,6 +93,43 @@ for pattern in "${DANGEROUS_PATTERNS[@]}"; do
       continue
     fi
 
+    # Allow git rebase/cherry-pick only when no worktrees are active
+    if [[ "$pattern" == *"git rebase"* ]] || [[ "$pattern" == *"git cherry-pick"* ]]; then
+      PROJECT_DIR="${CLAUDE_PROJECT_DIR:-.}"
+      # Resolve to main repo root if we're in a worktree
+      if command -v git >/dev/null 2>&1; then
+        GIT_COMMON=$(cd "$PROJECT_DIR" && git rev-parse --git-common-dir 2>/dev/null || echo "")
+        if [[ -n "$GIT_COMMON" ]] && [[ "$GIT_COMMON" != ".git" ]]; then
+          CANDIDATE=$(cd "$PROJECT_DIR" && cd "$GIT_COMMON/.." 2>/dev/null && pwd || echo "")
+          if [[ -n "$CANDIDATE" ]] && [[ -d "$CANDIDATE/.caws" ]]; then
+            PROJECT_DIR="$CANDIDATE"
+          fi
+        fi
+      fi
+      WT_FILE="$PROJECT_DIR/.caws/worktrees.json"
+      if [[ -f "$WT_FILE" ]] && command -v node >/dev/null 2>&1; then
+        ACTIVE_COUNT=$(node -e "
+          try {
+            var r = JSON.parse(require('fs').readFileSync('$WT_FILE','utf8'));
+            var c = Object.values(r.worktrees||{}).filter(function(w){return w.status==='active';}).length;
+            console.log(c);
+          } catch(e) { console.log(0); }
+        " 2>/dev/null || echo "0")
+        if [[ "$ACTIVE_COUNT" -gt 0 ]]; then
+          # Extract the specific git subcommand for the message
+          GIT_SUBCMD="git operation"
+          [[ "$pattern" == *"git rebase"* ]] && GIT_SUBCMD="git rebase"
+          [[ "$pattern" == *"git cherry-pick"* ]] && GIT_SUBCMD="git cherry-pick"
+          echo "BLOCKED: $GIT_SUBCMD is forbidden while $ACTIVE_COUNT worktree(s) are active." >&2
+          echo "This can replay or rewrite commits across worktree boundaries." >&2
+          echo "Command was: $COMMAND" >&2
+          exit 2
+        fi
+      fi
+      # No active worktrees — allow
+      continue
+    fi
+
     # Allow venv commands if target matches designated venv path from scope.json
     if echo "$pattern" | grep -qE '(python.*venv|virtualenv|conda create)'; then
       PROJECT_DIR="${CLAUDE_PROJECT_DIR:-.}"

package/templates/.claude/hooks/lite-sprawl-check.sh

@@ -49,9 +49,37 @@ if command -v node >/dev/null 2>&1; then
       const basename = '$BASENAME';
       const banned = scope.bannedPatterns || {};
 
+      function globToRegex(pattern) {
+        let i = 0, re = '';
+        while (i < pattern.length) {
+          const c = pattern[i];
+          if (c === '*' && pattern[i+1] === '*') {
+            re += '.*'; i += 2;
+            if (pattern[i] === '/') i++;
+          } else if (c === '*') {
+            re += '[^/]*'; i++;
+          } else if (c === '?') {
+            re += '[^/]'; i++;
+          } else if (c === '[') {
+            const end = pattern.indexOf(']', i);
+            if (end > i) { re += pattern.slice(i, end + 1); i = end + 1; }
+            else { re += '\\\\['; i++; }
+          } else if (c === '{') {
+            const end = pattern.indexOf('}', i);
+            if (end > i) {
+              const alts = pattern.slice(i + 1, end).split(',').map(a => a.trim());
+              re += '(?:' + alts.join('|') + ')'; i = end + 1;
+            } else { re += '\\\\{'; i++; }
+          } else if ('.+^$|()'.includes(c)) {
+            re += '\\\\' + c; i++;
+          } else {
+            re += c; i++;
+          }
+        }
+        return new RegExp('^' + re + '$');
+      }
       function matchGlob(str, pattern) {
-        const regex = new RegExp('^' + pattern.replace(/\\*/g, '.*').replace(/\\?/g, '.') + '$');
-        return regex.test(str);
+        return globToRegex(pattern).test(str);
       }
 
       // Check banned file patterns

package/templates/.claude/hooks/naming-check.sh

@@ -51,9 +51,12 @@ BANNED_MODIFIERS=(
 # Convert filename to lowercase for checking
 FILENAME_LOWER=$(echo "$FILENAME" | tr '[:upper:]' '[:lower:]')
 
-# Check for banned modifiers
+# Check for banned modifiers (word-boundary aware)
 for modifier in "${BANNED_MODIFIERS[@]}"; do
-  if [[ "$FILENAME_LOWER" == *"$modifier"* ]]; then
+  # Match modifier preceded by start-of-string, hyphen, underscore, or dot
+  # and followed by end-of-string, hyphen, underscore, or dot
+  # Prevents false positives like "old" in "gold_oracle" or "new" in "renewable"
+  if [[ "$FILENAME_LOWER" =~ (^|[-_.])"$modifier"([-_.]|$) ]]; then
     # Special case: allow test files that follow conventions
     if [[ "$modifier" == "test-" ]] || [[ "$modifier" == "-test" ]] || [[ "$modifier" == "_test" ]]; then
       if [[ "$FILENAME_LOWER" =~ \.(test|spec)\.(js|ts|jsx|tsx|py|go|rs)$ ]]; then

package/templates/.claude/hooks/scope-guard.sh

@@ -44,6 +44,37 @@ if [[ ! -f "$SPEC_FILE" ]] && [[ -f "$SCOPE_FILE" ]]; then
     LITE_CHECK=$(node -e "
       const fs = require('fs');
       const path = require('path');
+
+      function globToRegex(pattern) {
+        let i = 0, re = '';
+        while (i < pattern.length) {
+          const c = pattern[i];
+          if (c === '*' && pattern[i+1] === '*') {
+            re += '.*'; i += 2;
+            if (pattern[i] === '/') i++;
+          } else if (c === '*') {
+            re += '[^/]*'; i++;
+          } else if (c === '?') {
+            re += '[^/]'; i++;
+          } else if (c === '[') {
+            const end = pattern.indexOf(']', i);
+            if (end > i) { re += pattern.slice(i, end + 1); i = end + 1; }
+            else { re += '\\\\['; i++; }
+          } else if (c === '{') {
+            const end = pattern.indexOf('}', i);
+            if (end > i) {
+              const alts = pattern.slice(i + 1, end).split(',').map(a => a.trim());
+              re += '(?:' + alts.join('|') + ')'; i = end + 1;
+            } else { re += '\\\\{'; i++; }
+          } else if ('.+^$|()'.includes(c)) {
+            re += '\\\\' + c; i++;
+          } else {
+            re += c; i++;
+          }
+        }
+        return new RegExp(re);
+      }
+
       try {
         const scope = JSON.parse(fs.readFileSync('$SCOPE_FILE', 'utf8'));
         const filePath = '$REL_PATH';
@@ -54,7 +85,7 @@ if [[ ! -f "$SPEC_FILE" ]] && [[ -f "$SCOPE_FILE" ]]; then
         const basename = path.basename(filePath);
         const bannedFiles = banned.files || [];
         for (const pattern of bannedFiles) {
-          const regex = new RegExp(pattern.replace(/\\*/g, '.*').replace(/\\?/g, '.'));
+          const regex = globToRegex(pattern);
           if (regex.test(basename)) {
             console.log('banned:' + pattern);
             process.exit(0);
@@ -64,7 +95,7 @@ if [[ ! -f "$SPEC_FILE" ]] && [[ -f "$SCOPE_FILE" ]]; then
         // Check banned doc patterns
         const bannedDocs = banned.docs || [];
         for (const pattern of bannedDocs) {
-          const regex = new RegExp(pattern.replace(/\\*/g, '.*').replace(/\\?/g, '.'));
+          const regex = globToRegex(pattern);
           if (regex.test(basename)) {
             console.log('banned:' + pattern);
             process.exit(0);
@@ -129,6 +160,37 @@ if command -v node >/dev/null 2>&1; then
     const fs = require('fs');
     const path = require('path');
 
+    // Convert glob pattern to regex, handling **, *, ?, [abc], {a,b}
+    function globToRegex(pattern) {
+      let i = 0, re = '';
+      while (i < pattern.length) {
+        const c = pattern[i];
+        if (c === '*' && pattern[i+1] === '*') {
+          re += '.*'; i += 2;
+          if (pattern[i] === '/') i++; // skip trailing slash after **
+        } else if (c === '*') {
+          re += '[^/]*'; i++;
+        } else if (c === '?') {
+          re += '[^/]'; i++;
+        } else if (c === '[') {
+          const end = pattern.indexOf(']', i);
+          if (end > i) { re += pattern.slice(i, end + 1); i = end + 1; }
+          else { re += '\\\\['; i++; }
+        } else if (c === '{') {
+          const end = pattern.indexOf('}', i);
+          if (end > i) {
+            const alts = pattern.slice(i + 1, end).split(',').map(a => a.trim());
+            re += '(?:' + alts.join('|') + ')'; i = end + 1;
+          } else { re += '\\\\{'; i++; }
+        } else if ('.+^$|()'.includes(c)) {
+          re += '\\\\' + c; i++;
+        } else {
+          re += c; i++;
+        }
+      }
+      return new RegExp(re);
+    }
+
     try {
       const filePath = '$REL_PATH';
 
@@ -177,7 +239,7 @@ if command -v node >/dev/null 2>&1; then
       // Check scope.out across ALL active specs — any match blocks
       for (const { source, spec } of specs) {
         for (const pattern of (spec.scope?.out || [])) {
-          const regex = new RegExp(pattern.replace(/\\*/g, '.*').replace(/\\?/g, '.'));
+          const regex = globToRegex(pattern);
           if (regex.test(filePath)) {
             console.log('out_of_scope:' + source + ':' + pattern);
             process.exit(0);
@@ -190,7 +252,7 @@ if command -v node >/dev/null 2>&1; then
       if (allInScope.length > 0) {
         let found = false;
         for (const pattern of allInScope) {
-          const regex = new RegExp(pattern.replace(/\\*/g, '.*').replace(/\\?/g, '.'));
+          const regex = globToRegex(pattern);
           if (regex.test(filePath)) {
             found = true;
             break;

package/templates/.claude/hooks/session-log.sh

@@ -157,6 +157,33 @@ def rel(path):
         return path[len(cwd) + 1:]
     return path or ""
 
+def decode_structured_text_payload(raw):
+    """Decode JSON-escaped text payloads (e.g., Agent/Task tool outputs)."""
+    if not isinstance(raw, str):
+        return raw
+    payload = raw.strip()
+    if not payload or payload[0] not in "[{":
+        return raw
+    try:
+        parsed = json.loads(payload)
+    except Exception:
+        return raw
+
+    text_blocks = []
+    if isinstance(parsed, dict):
+        parsed = [parsed]
+    if isinstance(parsed, list):
+        for item in parsed:
+            if not isinstance(item, dict):
+                continue
+            text = item.get("text")
+            if isinstance(text, str) and text.strip():
+                text_blocks.append(text)
+
+    if text_blocks:
+        return "\n\n".join(text_blocks)
+    return raw
+
 # ---- Accumulate turns as chronological event timelines ----
 turns = []
 # Each turn: {user, timeline: [{kind, ...}, ...], edits, reads, searches, commands}
@@ -242,18 +269,24 @@ for line in sys.stdin:
         tool_info = pending_tools.get(tid, {})
         name = tool_info.get("name", "unknown")
 
-        # Decide if this result is notable enough to show inline
-        # Task results are always notable (subagent did substantive work)
-        notable = is_error or name == "Task"
+        # Always capture tool results for Bash, Task, Agent.
+        # For Read/Write/Edit, only capture if notable (errors, test output, etc.)
+        # to avoid dumping entire file contents into turn logs.
+        always_capture = name in ("Bash", "Task", "Agent")
+        notable = is_error
         if not notable and content:
             content_lower = content.lower()
             notable = any(kw.lower() in content_lower for kw in NOTABLE_KW)
 
-        if notable and content:
+        if (always_capture or notable) and content:
             # Cap file-content tools (full file reads/writes blow out turn files)
             display = content
             if name in ("Read", "Write", "Edit") and len(content) > 2000:
                 display = content[:2000] + "\n...(file content truncated)"
+            elif name in ("Task", "Agent"):
+                display = decode_structured_text_payload(content)
+            elif name == "Bash" and len(content) > 5000:
+                display = content[:5000] + "\n...(output truncated at 5000 chars)"
             # Graft result onto the original tool_call entry (not a separate timeline item)
             if tool_info:
                 tool_info["output"] = display
@@ -281,7 +314,7 @@ for i, turn in enumerate(turns):
     md_lines = [f"# Turn {num}", ""]
 
     if turn["user"]:
-        md_lines.extend([f"> ---user---\n{turn['user']}\n---/user---", ""])
+        md_lines.extend([f"> ---user---\n{turn['user']}\n---\/user---", ""])
 
     for event in turn["timeline"]:
         kind = event["kind"]