@phren/agent 0.1.1 → 0.1.3

package/dist/multi/tui-multi.js

@@ -93,11 +93,11 @@ function formatToolEnd(toolName, input, output, isError, durationMs) {
     const icon = isError ? s.red("x") : s.green("ok");
     const preview = JSON.stringify(input).slice(0, 50);
     const header = s.dim(`  ${toolName}(${preview})`) + ` ${icon} ${s.dim(dur)}`;
-    const outputLines = output.split("\n").slice(0, 4);
+    const allLines = output.split("\n");
     const w = cols();
-    const body = outputLines.map((l) => s.dim(`  | ${l.slice(0, w - 6)}`)).join("\n");
-    const more = output.split("\n").length > 4 ? s.dim(`  | ... (${output.split("\n").length} lines)`) : "";
-    return `${header}\n${body}${more ? "\n" + more : ""}`;
+    const body = allLines.slice(0, 4).map((l) => s.dim(`  | ${l.slice(0, w - 6)}`)).join("\n");
+    const more = allLines.length > 4 ? `\n${s.dim(`  | ... (${allLines.length} lines)`)}` : "";
+    return `${header}\n${body}${more}`;
 }
 // ── Main TUI ─────────────────────────────────────────────────────────────────
 export async function startMultiTui(spawner, config) {
@@ -603,8 +603,6 @@ export async function startMultiTui(spawner, config) {
         });
         // Handle terminal resize
         process.stdout.on("resize", () => render());
-        // Initial render
-        render();
         // Register panes for any agents that already exist
         for (const agent of spawner.listAgents()) {
             getOrCreatePane(agent.id);

package/dist/permissions/allowlist.js

@@ -58,7 +58,3 @@ export function addAllow(toolName, input, scope) {
 export function clearAllowlist() {
     sessionAllowlist.length = 0;
 }
-/** Get a snapshot of the current allowlist (for display). */
-export function getAllowlist() {
-    return sessionAllowlist;
-}

package/dist/permissions/privacy.js

@@ -0,0 +1,248 @@
+/**
+ * Privacy safeguards — scrub sensitive data from tool outputs, findings, and LLM context.
+ *
+ * Prevents accidental leakage of:
+ * - API keys and tokens in tool output (e.g., from reading .env files)
+ * - Passwords and connection strings
+ * - PII patterns (emails, IPs shown in logs)
+ * - Private keys and certificates
+ *
+ * Applied at three layers:
+ * 1. Tool output → before sending to LLM (scrubToolOutput)
+ * 2. Findings → before saving to phren (scrubFinding)
+ * 3. Session summaries → before persisting (scrubSummary)
+ */
+// ── Secret patterns ──────────────────────────────────────────────────────
+/** Patterns that match common API key/token formats. */
+const SECRET_PATTERNS = [
+    // Generic API keys (long hex/base64 strings prefixed by common env var names)
+    { pattern: /(?:api[_-]?key|api[_-]?secret|api[_-]?token)\s*[:=]\s*["']?([A-Za-z0-9_\-/.+=]{20,})["']?/gi, label: "API_KEY" },
+    // AWS keys
+    { pattern: /AKIA[0-9A-Z]{16}/g, label: "AWS_ACCESS_KEY" },
+    { pattern: /(?:aws[_-]?secret[_-]?access[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9/+=]{30,})["']?/gi, label: "AWS_SECRET" },
+    // Bearer tokens
+    { pattern: /Bearer\s+[A-Za-z0-9_\-/.+=]{20,}/g, label: "BEARER_TOKEN" },
+    // GitHub tokens
+    { pattern: /gh[pousr]_[A-Za-z0-9_]{36,}/g, label: "GITHUB_TOKEN" },
+    // Anthropic keys
+    { pattern: /sk-ant-[A-Za-z0-9_\-]{20,}/g, label: "ANTHROPIC_KEY" },
+    // OpenAI keys
+    { pattern: /sk-[A-Za-z0-9]{20,}/g, label: "OPENAI_KEY" },
+    // Generic password assignments
+    { pattern: /(?:password|passwd|pwd)\s*[:=]\s*["']?([^\s"']{8,})["']?/gi, label: "PASSWORD" },
+    // Connection strings with passwords
+    { pattern: /:\/\/[^:]+:([^@\s]{8,})@/g, label: "CONNECTION_PASSWORD" },
+    // Private key blocks
+    { pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(?:RSA\s+)?PRIVATE\s+KEY-----/g, label: "PRIVATE_KEY" },
+    // JWT tokens
+    { pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g, label: "JWT" },
+    // Slack tokens
+    { pattern: /xox[bpras]-[0-9]{10,}-[A-Za-z0-9-]+/g, label: "SLACK_TOKEN" },
+    // Env variable assignments with secret-ish names
+    { pattern: /(?:SECRET|TOKEN|PASSWORD|PRIVATE_KEY|AUTH|CREDENTIAL)[A-Z_]*\s*=\s*["']?([^\s"']{8,})["']?/gi, label: "SECRET_VAR" },
+];
+/** Patterns for PII that shouldn't be stored in findings. */
+const PII_PATTERNS = [
+    // Email addresses (only redact in contexts where they're likely PII, not code)
+    { pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, label: "EMAIL" },
+    // IP addresses (v4) — only in log-like contexts
+    { pattern: /\b(?:25[0-5]|2[0-4]\d|[01]?\d\d?)(?:\.(?:25[0-5]|2[0-4]\d|[01]?\d\d?)){3}\b/g, label: "IP_ADDRESS" },
+];
+// ── Scrubbing functions ──────────────────────────────────────────────────
+/**
+ * Scrub sensitive data from tool output before it's sent to the LLM.
+ * This is the primary privacy gate — catches secrets in file reads, command output, etc.
+ */
+export function scrubToolOutput(toolName, output) {
+    // Don't scrub short outputs (unlikely to contain full secrets)
+    if (output.length < 20)
+        return output;
+    let scrubbed = output;
+    for (const { pattern, label } of SECRET_PATTERNS) {
+        // Reset regex state for global patterns
+        pattern.lastIndex = 0;
+        scrubbed = scrubbed.replace(pattern, `[REDACTED:${label}]`);
+    }
+    return scrubbed;
+}
+/**
+ * Check if a string contains likely secrets. Returns true if secrets detected.
+ * Use this as a gate before saving to persistent storage.
+ */
+export function containsSecrets(text) {
+    for (const { pattern } of SECRET_PATTERNS) {
+        pattern.lastIndex = 0;
+        if (pattern.test(text))
+            return true;
+    }
+    return false;
+}
+/**
+ * Scrub sensitive data from a finding before saving to phren.
+ * More aggressive than tool output scrubbing — also catches PII.
+ */
+export function scrubFinding(finding) {
+    let scrubbed = finding;
+    // Secret patterns
+    for (const { pattern, label } of SECRET_PATTERNS) {
+        pattern.lastIndex = 0;
+        scrubbed = scrubbed.replace(pattern, `[REDACTED:${label}]`);
+    }
+    // PII patterns (only in findings, not tool outputs where they may be needed)
+    for (const { pattern, label } of PII_PATTERNS) {
+        pattern.lastIndex = 0;
+        scrubbed = scrubbed.replace(pattern, `[REDACTED:${label}]`);
+    }
+    return scrubbed;
+}
+/**
+ * Scrub a session summary before persisting.
+ */
+export function scrubSummary(summary) {
+    return scrubFinding(summary);
+}
+/**
+ * Check if tool output looks like it came from reading a sensitive file
+ * (e.g., .env, credentials). Returns true if the content appears to be
+ * mostly key-value secrets.
+ */
+export function looksLikeSecretsFile(output) {
+    const lines = output.split("\n").filter(l => l.trim() && !l.startsWith("#"));
+    if (lines.length < 2)
+        return false;
+    let secretLines = 0;
+    for (const line of lines) {
+        // Count lines that look like KEY=secret_value
+        if (/^[A-Z_]{2,}=\S+/.test(line)) {
+            for (const { pattern } of SECRET_PATTERNS) {
+                pattern.lastIndex = 0;
+                if (pattern.test(line)) {
+                    secretLines++;
+                    break;
+                }
+            }
+        }
+    }
+    // If >50% of non-comment lines are secrets, it's probably a secrets file
+    return secretLines / lines.length > 0.5;
+}
+/**
+ * Validate that a finding doesn't contain obvious secrets before saving.
+ * Returns an error message if the finding should be rejected, null if OK.
+ */
+export function validateFindingSafety(finding) {
+    if (containsSecrets(finding)) {
+        return "Finding contains detected secrets (API keys, tokens, passwords). Secrets should never be stored in findings. The sensitive values have been redacted.";
+    }
+    return null;
+}
+/**
+ * Patterns that indicate prompt injection — text trying to override AI instructions.
+ * Each entry: [regex, flag label].
+ */
+const PROMPT_INJECTION_PATTERNS = [
+    // Direct instruction override attempts
+    [/\b(?:ignore|disregard|forget|override)\s+(?:all\s+)?(?:previous|prior|above|earlier|your|the|safety|system)\b/i, "prompt_injection:instruction_override"],
+    [/\byou\s+(?:must|should|shall|will|are\s+(?:now|required\s+to))\b/i, "prompt_injection:directive"],
+    [/\byour\s+new\s+(?:instructions?|role|purpose|directive)\b/i, "prompt_injection:role_reassignment"],
+    [/\bas\s+an?\s+(?:AI|language\s+model|assistant|LLM)\b/i, "prompt_injection:identity_framing"],
+    [/\bforget\s+everything\b/i, "prompt_injection:memory_wipe"],
+    // System prompt markers (ChatML, Llama, etc.)
+    [/\[INST\]|\[\/INST\]/i, "prompt_injection:chatml_inst"],
+    [/<<SYS>>|<<\/SYS>>/i, "prompt_injection:llama_sys"],
+    [/<\|im_start\|>|<\|im_end\|>/i, "prompt_injection:chatml_marker"],
+    [/^system\s*:/im, "prompt_injection:system_prefix"],
+    [/SYSTEM\s*:\s*you\s+are/i, "prompt_injection:system_role"],
+    // Jailbreak-style keywords
+    [/\b(?:DAN|do\s+anything\s+now|jailbreak)\b/i, "prompt_injection:jailbreak_keyword"],
+];
+/**
+ * Patterns for dangerous executable instructions embedded in findings.
+ */
+const DANGEROUS_COMMAND_PATTERNS = [
+    // Pipe-to-shell patterns
+    [/\bcurl\s+[^\s|]*\s*\|\s*(?:sh|bash|zsh|eval)\b/i, "dangerous_command:curl_pipe_shell"],
+    [/\bwget\s+[^\s|]*\s*\|\s*(?:sh|bash|zsh|eval)\b/i, "dangerous_command:wget_pipe_shell"],
+    // Dangerous eval/exec
+    [/\beval\s*\(\s*['"`].*['"`]\s*\)/i, "dangerous_command:eval_literal"],
+    [/\bexec\s*\(\s*['"`].*['"`]\s*\)/i, "dangerous_command:exec_literal"],
+    // Destructive commands
+    [/\brm\s+-rf\s+[/~]/i, "dangerous_command:rm_rf_root"],
+    [/\bdd\s+.*\bof=\/dev\//i, "dangerous_command:dd_device"],
+    [/\bmkfs\b/i, "dangerous_command:mkfs"],
+    // Instructions to always run dangerous commands
+    [/\b(?:always|first)\s+run\s+[`"'].*(?:curl|wget|rm\s+-rf|chmod\s+777|sudo)/i, "dangerous_command:instruction_to_run"],
+];
+/**
+ * Patterns for authority/permission escalation claims.
+ */
+const AUTHORITY_ESCALATION_PATTERNS = [
+    [/\b(?:user|admin|owner)\s+has\s+(?:authorized|approved|granted|confirmed)\b/i, "authority_escalation:false_authorization"],
+    [/\bfull\s+(?:access|permission|control)\s+(?:granted|given|enabled)\b/i, "authority_escalation:false_access"],
+    [/\bskip\s+(?:validation|verification|safety|security|auth)\b/i, "authority_escalation:skip_safety"],
+    [/\bno\s+need\s+to\s+(?:ask|confirm|verify|validate|check)\b/i, "authority_escalation:skip_confirmation"],
+    [/\bauto[-\s]?(?:approve|accept|confirm)\s+(?:all|every)\b/i, "authority_escalation:auto_approve"],
+    [/\bdisable\s+(?:safety|security|protection|guard|check|filter)\b/i, "authority_escalation:disable_safety"],
+];
+/**
+ * Patterns for self-replication — findings that instruct saving more findings.
+ */
+const SELF_REPLICATION_PATTERNS = [
+    [/\b(?:save|add|create|write|store|append)\s+(?:this\s+)?(?:finding|memory|memories|findings)\b/i, "self_replication:save_finding"],
+    [/\badd_finding\b/i, "self_replication:tool_invocation"],
+    [/\bremember\s+to\s+always\b/i, "self_replication:persistent_instruction"],
+    [/\b(?:when|if)\s+you\s+see\s+this\b/i, "self_replication:conditional_trigger"],
+    [/\bspread\s+(?:this|the)\s+(?:message|finding|memory)\b/i, "self_replication:spread_instruction"],
+];
+/**
+ * Check a finding for integrity issues — prompt injection, dangerous commands,
+ * authority escalation, and self-replication attempts.
+ *
+ * Returns a structured result with risk level and triggered flags.
+ * Risk levels:
+ * - "none": no issues detected
+ * - "low": one minor flag, likely benign but noted
+ * - "medium": multiple flags or a single concerning pattern
+ * - "high": strong prompt injection or dangerous command pattern
+ */
+export function checkFindingIntegrity(finding) {
+    const flags = [];
+    // Check all pattern categories
+    for (const [pattern, flag] of PROMPT_INJECTION_PATTERNS) {
+        pattern.lastIndex = 0;
+        if (pattern.test(finding))
+            flags.push(flag);
+    }
+    for (const [pattern, flag] of DANGEROUS_COMMAND_PATTERNS) {
+        pattern.lastIndex = 0;
+        if (pattern.test(finding))
+            flags.push(flag);
+    }
+    for (const [pattern, flag] of AUTHORITY_ESCALATION_PATTERNS) {
+        pattern.lastIndex = 0;
+        if (pattern.test(finding))
+            flags.push(flag);
+    }
+    for (const [pattern, flag] of SELF_REPLICATION_PATTERNS) {
+        pattern.lastIndex = 0;
+        if (pattern.test(finding))
+            flags.push(flag);
+    }
+    if (flags.length === 0) {
+        return { safe: true, risk: "none", flags: [] };
+    }
+    // Determine risk level based on count and severity
+    const hasHighSeverity = flags.some(f => f.startsWith("prompt_injection:") || f.startsWith("dangerous_command:") || f.startsWith("authority_escalation:disable_safety"));
+    const hasMediumSeverity = flags.some(f => f.startsWith("authority_escalation:") || f.startsWith("self_replication:"));
+    let risk;
+    if (hasHighSeverity || flags.length >= 3) {
+        risk = "high";
+    }
+    else if (hasMediumSeverity || flags.length >= 2) {
+        risk = "medium";
+    }
+    else {
+        risk = "low";
+    }
+    return { safe: risk !== "high", risk, flags };
+}

package/dist/permissions/shell-safety.js

@@ -11,6 +11,14 @@ const DANGEROUS_PATTERNS = [
     { pattern: /\bnohup\b/i, reason: "Detached process may outlive session", severity: "block" },
     { pattern: /\bdisown\b/i, reason: "Detached process may outlive session", severity: "block" },
     { pattern: /\bsetsid\b/i, reason: "Detached process may outlive session", severity: "block" },
+    // Block: Windows-specific destructive commands
+    { pattern: /\bformat\s+[a-z]:/i, reason: "Disk format command", severity: "block" },
+    { pattern: /\bdel\s+\/[sq]/i, reason: "Recursive or quiet delete", severity: "block" },
+    { pattern: /\brd\s+\/s/i, reason: "Recursive directory removal", severity: "block" },
+    { pattern: /\brmdir\s+\/s/i, reason: "Recursive directory removal", severity: "block" },
+    { pattern: /\breg\s+delete\b/i, reason: "Registry deletion", severity: "block" },
+    { pattern: /\bpowershell\b.*\b-enc\b/i, reason: "Encoded PowerShell command (obfuscation)", severity: "block" },
+    { pattern: /\bcmd\b.*\/c.*\bdel\s+\/[sq]/i, reason: "Recursive or quiet delete via cmd", severity: "block" },
     // Warn: potentially dangerous
     { pattern: /\beval\b/i, reason: "Dynamic code execution via eval", severity: "warn" },
     { pattern: /\$\(.*\)/, reason: "Command substitution", severity: "warn" },

package/dist/providers/anthropic.js

@@ -4,28 +4,15 @@ export class AnthropicProvider {
     maxOutputTokens;
     apiKey;
     model;
-    constructor(apiKey, model, maxOutputTokens) {
+    cacheEnabled;
+    constructor(apiKey, model, maxOutputTokens, cacheEnabled = true) {
         this.apiKey = apiKey;
         this.model = model ?? "claude-sonnet-4-20250514";
         this.maxOutputTokens = maxOutputTokens ?? 8192;
+        this.cacheEnabled = cacheEnabled;
     }
     async chat(system, messages, tools) {
-        const body = {
-            model: this.model,
-            system,
-            messages: messages.map((m) => ({
-                role: m.role,
-                content: m.content,
-            })),
-            max_tokens: this.maxOutputTokens,
-        };
-        if (tools.length > 0) {
-            body.tools = tools.map((t) => ({
-                name: t.name,
-                description: t.description,
-                input_schema: t.input_schema,
-            }));
-        }
+        const body = this.buildRequestBody(system, messages, tools);
         const res = await fetch("https://api.anthropic.com/v1/messages", {
             method: "POST",
             headers: {
@@ -45,6 +32,7 @@ export class AnthropicProvider {
             : data.stop_reason === "max_tokens" ? "max_tokens"
                 : "end_turn";
         const usage = data.usage;
+        logCacheUsage(usage);
         return {
             content,
             stop_reason: stop_reason,
@@ -52,20 +40,8 @@ export class AnthropicProvider {
         };
     }
     async *chatStream(system, messages, tools) {
-        const body = {
-            model: this.model,
-            system,
-            messages: messages.map((m) => ({ role: m.role, content: m.content })),
-            max_tokens: this.maxOutputTokens,
-            stream: true,
-        };
-        if (tools.length > 0) {
-            body.tools = tools.map((t) => ({
-                name: t.name,
-                description: t.description,
-                input_schema: t.input_schema,
-            }));
-        }
+        const body = this.buildRequestBody(system, messages, tools);
+        body.stream = true;
         const res = await fetch("https://api.anthropic.com/v1/messages", {
             method: "POST",
             headers: {
@@ -129,6 +105,7 @@ export class AnthropicProvider {
             else if (type === "message_start") {
                 const u = data.message?.usage;
                 if (u) {
+                    logCacheUsage(u);
                     usage = {
                         input_tokens: u.input_tokens ?? 0,
                         output_tokens: u.output_tokens ?? 0,
@@ -138,6 +115,66 @@ export class AnthropicProvider {
         }
         yield { type: "done", stop_reason: stopReason, usage };
     }
+    /** Build the request body with optional prompt caching breakpoints. */
+    buildRequestBody(system, messages, tools) {
+        const cache = { cache_control: { type: "ephemeral" } };
+        // System prompt: use content array format with cache_control on the text block
+        const systemValue = this.cacheEnabled
+            ? [{ type: "text", text: system, ...cache }]
+            : system;
+        const mappedMessages = messages.map((m) => ({ role: m.role, content: m.content }));
+        // Mark the last 2 user messages with cache_control for recent-context caching
+        if (this.cacheEnabled) {
+            let marked = 0;
+            for (let i = mappedMessages.length - 1; i >= 0 && marked < 2; i--) {
+                if (mappedMessages[i].role !== "user")
+                    continue;
+                const c = mappedMessages[i].content;
+                if (typeof c === "string") {
+                    mappedMessages[i] = {
+                        role: "user",
+                        content: [{ type: "text", text: c, ...cache }],
+                    };
+                }
+                else if (Array.isArray(c) && c.length > 0) {
+                    // Add cache_control to the last block of the content array
+                    const blocks = [...c];
+                    blocks[blocks.length - 1] = { ...blocks[blocks.length - 1], ...cache };
+                    mappedMessages[i] = { role: "user", content: blocks };
+                }
+                marked++;
+            }
+        }
+        const body = {
+            model: this.model,
+            system: systemValue,
+            messages: mappedMessages,
+            max_tokens: this.maxOutputTokens,
+        };
+        if (tools.length > 0) {
+            const mappedTools = tools.map((t) => ({
+                name: t.name,
+                description: t.description,
+                input_schema: t.input_schema,
+            }));
+            // Cache the last tool definition — Anthropic uses it as the breakpoint for the entire tools block
+            if (this.cacheEnabled) {
+                mappedTools[mappedTools.length - 1] = { ...mappedTools[mappedTools.length - 1], ...cache };
+            }
+            body.tools = mappedTools;
+        }
+        return body;
+    }
+}
+/** Log cache hit/creation stats to stderr (visible in verbose mode). */
+function logCacheUsage(usage) {
+    if (!usage)
+        return;
+    const created = usage.cache_creation_input_tokens;
+    const read = usage.cache_read_input_tokens;
+    if (created || read) {
+        process.stderr.write(`[cache] created=${created ?? 0} read=${read ?? 0} input=${usage.input_tokens ?? 0}\n`);
+    }
 }
 /** Parse SSE stream from a fetch Response. */
 async function* parseSSE(res) {

package/dist/providers/codex.js

@@ -194,73 +194,129 @@ export class CodexProvider {
             body.tools = toResponsesTools(tools);
             body.tool_choice = "auto";
         }
-        const res = await fetch(CODEX_API, {
-            method: "POST",
+        // Use WebSocket for true token-by-token streaming (matches Codex CLI behavior).
+        // The HTTP SSE endpoint batches the entire response before flushing.
+        yield* this.chatStreamWs(accessToken, body);
+    }
+    /** WebSocket streaming — sends request, yields deltas as they arrive. */
+    async *chatStreamWs(accessToken, body) {
+        const wsUrl = CODEX_API.replace(/^https:/, "wss:").replace(/^http:/, "ws:");
+        // Queue for events received from the WebSocket before the consumer pulls them
+        const queue = [];
+        let resolve = null;
+        let done = false;
+        const push = (item) => {
+            queue.push(item);
+            if (resolve) {
+                resolve();
+                resolve = null;
+            }
+        };
+        // Node.js (undici) WebSocket accepts headers in the second argument object,
+        // but the DOM typings only allow string | string[]. Cast to bypass.
+        const ws = new WebSocket(wsUrl, {
             headers: {
-                "Content-Type": "application/json",
                 Authorization: `Bearer ${accessToken}`,
             },
-            body: JSON.stringify(body),
         });
-        if (!res.ok) {
-            const text = await res.text();
-            throw new Error(`Codex API error ${res.status}: ${text}`);
-        }
-        // Parse SSE stream
-        if (!res.body)
-            throw new Error("Provider returned empty response body");
-        const reader = res.body.getReader();
-        const decoder = new TextDecoder();
-        let buffer = "";
         let activeToolCallId = "";
-        while (true) {
-            const { done, value } = await reader.read();
-            if (done)
-                break;
-            buffer += decoder.decode(value, { stream: true });
-            const lines = buffer.split("\n");
-            buffer = lines.pop();
-            for (const line of lines) {
-                if (!line.startsWith("data: "))
-                    continue;
-                const data = line.slice(6).trim();
-                if (data === "[DONE]")
-                    return;
-                let event;
+        ws.addEventListener("open", () => {
+            // Wrap the request body in a response.create envelope (Codex WS protocol)
+            const wsRequest = { type: "response.create", ...body };
+            ws.send(JSON.stringify(wsRequest));
+        });
+        ws.addEventListener("message", (evt) => {
+            const data = typeof evt.data === "string" ? evt.data : String(evt.data);
+            let event;
+            try {
+                event = JSON.parse(data);
+            }
+            catch {
+                return;
+            }
+            const type = event.type;
+            // Handle server-side errors
+            if (type === "error") {
+                const err = event.error;
+                const msg = err?.message ?? "Codex WebSocket error";
+                const status = event.status;
+                push(new Error(`Codex WS error${status ? ` ${status}` : ""}: ${msg}`));
+                done = true;
                 try {
-                    event = JSON.parse(data);
-                }
-                catch {
-                    continue;
+                    ws.close();
                 }
-                const type = event.type;
-                if (type === "response.output_text.delta") {
-                    yield { type: "text_delta", text: event.delta };
-                }
-                else if (type === "response.output_item.added") {
-                    if (event.item?.type === "function_call") {
-                        const item = event.item;
-                        activeToolCallId = item.call_id;
-                        yield { type: "tool_use_start", id: activeToolCallId, name: item.name };
-                    }
+                catch { /* ignore */ }
+                return;
+            }
+            if (type === "response.output_text.delta") {
+                const delta = event.delta;
+                if (delta)
+                    push({ type: "text_delta", text: delta });
+            }
+            else if (type === "response.output_item.added") {
+                if (event.item?.type === "function_call") {
+                    const item = event.item;
+                    activeToolCallId = item.call_id;
+                    push({ type: "tool_use_start", id: activeToolCallId, name: item.name });
                 }
-                else if (type === "response.function_call_arguments.delta") {
-                    yield { type: "tool_use_delta", id: activeToolCallId, json: event.delta };
+            }
+            else if (type === "response.function_call_arguments.delta") {
+                push({ type: "tool_use_delta", id: activeToolCallId, json: event.delta });
+            }
+            else if (type === "response.function_call_arguments.done") {
+                push({ type: "tool_use_end", id: activeToolCallId });
+            }
+            else if (type === "response.completed") {
+                const response = event.response;
+                const usage = response?.usage;
+                const output = response?.output;
+                const hasToolCalls = output?.some((o) => o.type === "function_call");
+                push({
+                    type: "done",
+                    stop_reason: hasToolCalls ? "tool_use" : "end_turn",
+                    usage: usage ? { input_tokens: usage.input_tokens ?? 0, output_tokens: usage.output_tokens ?? 0 } : undefined,
+                });
+                done = true;
+                try {
+                    ws.close();
                 }
-                else if (type === "response.function_call_arguments.done") {
-                    yield { type: "tool_use_end", id: activeToolCallId };
+                catch { /* ignore */ }
+            }
+        });
+        ws.addEventListener("error", () => {
+            if (!done) {
+                push(new Error("Codex WebSocket connection error"));
+                done = true;
+            }
+        });
+        ws.addEventListener("close", () => {
+            if (!done) {
+                push(new Error("Codex WebSocket closed before response.completed"));
+                done = true;
+            }
+        });
+        // Async iteration: drain the queue, wait for new events
+        try {
+            while (true) {
+                while (queue.length > 0) {
+                    const item = queue.shift();
+                    if (item instanceof Error)
+                        throw item;
+                    yield item;
+                    if (item.type === "done")
+                        return;
                 }
-                else if (type === "response.completed") {
-                    const response = event.response;
-                    const usage = response?.usage;
-                    const output = response?.output;
-                    const hasToolCalls = output?.some((o) => o.type === "function_call");
-                    yield {
-                        type: "done",
-                        stop_reason: hasToolCalls ? "tool_use" : "end_turn",
-                        usage: usage ? { input_tokens: usage.input_tokens ?? 0, output_tokens: usage.output_tokens ?? 0 } : undefined,
-                    };
+                if (done)
+                    return;
+                await new Promise((r) => { resolve = r; });
+            }
+        }
+        finally {
+            if (ws.readyState === WebSocket.OPEN || ws.readyState === WebSocket.CONNECTING) {
+                try {
+                    ws.close();
                 }
+                catch { /* ignore */ }
             }
         }
     }

package/dist/repl.js

@@ -82,7 +82,7 @@ export async function startRepl(config) {
             rl.prompt();
             continue;
         }
-        if (handleCommand(trimmed, { session, contextLimit, undoStack: [] })) {
+        if (handleCommand(trimmed, { session, contextLimit, undoStack: [], phrenCtx: config.phrenCtx })) {
             rl.prompt();
             continue;
         }
@@ -118,7 +118,7 @@ export async function startRepl(config) {
                     process.stderr.write(`${YELLOW}Input mode: ${inputMode}${RESET}\n`);
                 }
                 else {
-                    handleCommand(queued, { session, contextLimit, undoStack: [] });
+                    handleCommand(queued, { session, contextLimit, undoStack: [], phrenCtx: config.phrenCtx });
                 }
                 break;
             }