@pixelzx/genesis 2026.6.4 → 2026.6.5

package/dist/bash-tools-tnj1gSbO.js

@@ -0,0 +1,2824 @@
+import { i as formatErrorMessage } from "./errors-CufR9eHH.js";
+import { a as normalizeLowercaseStringOrEmpty, c as normalizeOptionalString, s as normalizeOptionalLowercaseString } from "./string-coerce-DPP_aYVc.js";
+import { c as escapeRegExp } from "./utils-CWrkFsp0.js";
+import { s as sanitizeHostExecEnvWithDiagnostics } from "./host-env-security-PtrzxCxY.js";
+import { a as logWarn, r as logInfo } from "./logger-BbnBrdB_.js";
+import { K as getShellPathFromLoginShell, q as resolveShellEnvFallbackTimeoutMs } from "./io-B1sv_bx7.js";
+import { i as isCronSessionKey, o as isSubagentSessionKey, s as parseAgentSessionKey } from "./session-key-utils-DDwuwYKT.js";
+import { u as resolveAgentIdFromSessionKey } from "./session-key-Cj8Hd5K-.js";
+import { d as resolveApprovalAuditCandidatePath } from "./exec-safe-bin-trust-DMrCONj2.js";
+import { t as killProcessTree } from "./kill-tree-BbGiB2xY.js";
+import { c as isGatewayMessageChannel, u as normalizeMessageChannel } from "./message-channel-bhWoqTRw.js";
+import { i as normalizeDeliveryContext } from "./delivery-context.shared-XCrZuuA_.js";
+import { b as EXEC_TOOL_DISPLAY_SUMMARY, x as PROCESS_TOOL_DISPLAY_SUMMARY } from "./tool-policy-C7XoKUjK.js";
+import { C as formatExecDeniedUserMessage, T as parseExecApprovalResultText, u as sanitizeUserFacingText, w as isExecDeniedResultText } from "./sanitize-user-facing-text-ChBSMati.js";
+import { o as failedTextResult, v as textResult } from "./common-BtK-bRqD.js";
+import { t as callGatewayTool } from "./gateway-BB4hdlYm.js";
+import { t as splitShellArgs } from "./shell-argv-CwRfKQ3H.js";
+import { c as describeInterpreterInlineEval, f as analyzeShellCommand, l as detectInterpreterInlineEvalArgv, n as evaluateShellAllowlist, p as buildEnforcedShellCommand } from "./exec-approvals-allowlist-DS_mVZe-.js";
+import { r as resolveExecSafeBinRuntimePolicy } from "./exec-safe-bin-runtime-policy-BiPIYfgn.js";
+import { C as requiresExecApproval, D as resolveExecApprovalsFromFile, E as resolveExecApprovals, _ as normalizeExecTarget, a as addDurableCommandApproval, b as recordAllowlistMatchesUse, f as minSecurity, g as normalizeExecSecurity, l as loadExecApprovals, m as normalizeExecAsk, s as hasDurableExecApproval, u as maxAsk, v as persistAllowAlwaysPatterns, w as resolveExecApprovalAllowedDecisions } from "./exec-approvals-D46yYaX9.js";
+import { n as describeProcessTool, t as describeExecTool } from "./bash-tools.descriptions-DasjsITx.js";
+import { n as processSchema, t as execSchema } from "./bash-tools.schemas-Cx9btiFM.js";
+import "./delivery-context-Cpv6mL7R.js";
+import { i as resolveNodeIdFromList, t as listNodes } from "./nodes-utils-CsTqKwN9.js";
+import { t as sendMessage } from "./message-CRyNLXch.js";
+import { t as resolveExternalBestEffortDeliveryTarget } from "./best-effort-delivery-B6BoLJdq.js";
+import { n as getDiagnosticSessionState } from "./diagnostic-session-state-CUGPBjpU.js";
+import { t as formatDurationCompact } from "./format-duration-FMBoWUPM.js";
+import { a as coerceEnv, c as readEnvInt, d as sliceLogLines, f as truncateMiddle, i as clampWithDefault, l as resolveSandboxWorkdir, n as buildSandboxEnv, o as deriveSessionName, s as pad, u as resolveWorkdir } from "./bash-tools.shared-DAYOS6zQ.js";
+import { f as resolveExecApprovalInitiatingSurfaceState, s as buildExecApprovalUnavailableReplyPayload } from "./exec-approval-reply-B6NXyFFQ.js";
+import { i as normalizePathPrepend, t as applyPathPrepend } from "./path-prepend-D5aFWlB8.js";
+import { t as getProcessSupervisor } from "./supervisor-B-X6XVRv.js";
+import { C as setJobTtlMs, S as markExited, _ as getFinishedSession, a as DEFAULT_PENDING_MAX_OUTPUT, b as listRunningSessions, c as createApprovalSlug, f as resolveApprovalRunningNoticeMs, g as drainSession, h as deleteSession, i as DEFAULT_PATH, m as runExecProcess, n as DEFAULT_APPROVAL_TIMEOUT_MS, o as applyShellPath, p as resolveExecTarget, r as DEFAULT_MAX_OUTPUT, s as buildApprovalPendingMessage, t as DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS, u as normalizeNotifyOutput, v as getSession, w as tail, x as markBackgrounded, y as listFinishedSessions } from "./bash-tools.exec-runtime-C3ZPwutq.js";
+import { t as parsePreparedSystemRunPayload } from "./system-run-approval-context-ZXLZrkB4.js";
+import { n as recordCommandPoll, r as resetCommandPollCount } from "./command-poll-backoff-BNTipivC.js";
+import path from "node:path";
+import crypto from "node:crypto";
+//#region src/agents/bash-tools.exec-approval-request.ts
+function buildExecApprovalRequestToolParams(params) {
+	return {
+		id: params.id,
+		...params.command ? { command: params.command } : {},
+		...params.commandArgv ? { commandArgv: params.commandArgv } : {},
+		systemRunPlan: params.systemRunPlan,
+		env: params.env,
+		cwd: params.cwd,
+		nodeId: params.nodeId,
+		host: params.host,
+		security: params.security,
+		ask: params.ask,
+		agentId: params.agentId,
+		resolvedPath: params.resolvedPath,
+		sessionKey: params.sessionKey,
+		turnSourceChannel: params.turnSourceChannel,
+		turnSourceTo: params.turnSourceTo,
+		turnSourceAccountId: params.turnSourceAccountId,
+		turnSourceThreadId: params.turnSourceThreadId,
+		timeoutMs: DEFAULT_APPROVAL_TIMEOUT_MS,
+		twoPhase: true
+	};
+}
+function parseDecision(value) {
+	if (!value || typeof value !== "object") return {
+		present: false,
+		value: null
+	};
+	if (!Object.hasOwn(value, "decision")) return {
+		present: false,
+		value: null
+	};
+	const decision = value.decision;
+	return {
+		present: true,
+		value: typeof decision === "string" ? decision : null
+	};
+}
+function parseString(value) {
+	return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
+}
+function parseExpiresAtMs(value) {
+	return typeof value === "number" && Number.isFinite(value) ? value : void 0;
+}
+async function registerExecApprovalRequest(params) {
+	const registrationResult = await callGatewayTool("exec.approval.request", { timeoutMs: DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS }, buildExecApprovalRequestToolParams(params), { expectFinal: false });
+	const decision = parseDecision(registrationResult);
+	const id = parseString(registrationResult?.id) ?? params.id;
+	const expiresAtMs = parseExpiresAtMs(registrationResult?.expiresAtMs) ?? Date.now() + DEFAULT_APPROVAL_TIMEOUT_MS;
+	if (decision.present) return {
+		id,
+		expiresAtMs,
+		finalDecision: decision.value
+	};
+	return {
+		id,
+		expiresAtMs
+	};
+}
+async function waitForExecApprovalDecision(id) {
+	try {
+		return parseDecision(await callGatewayTool("exec.approval.waitDecision", { timeoutMs: DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS }, { id })).value;
+	} catch (err) {
+		if (normalizeLowercaseStringOrEmpty(String(err)).includes("approval expired or not found")) return null;
+		throw err;
+	}
+}
+async function resolveRegisteredExecApprovalDecision(params) {
+	if (params.preResolvedDecision !== void 0) return params.preResolvedDecision ?? null;
+	return await waitForExecApprovalDecision(params.approvalId);
+}
+function buildExecApprovalRequesterContext(params) {
+	return {
+		agentId: params.agentId,
+		sessionKey: params.sessionKey
+	};
+}
+function buildExecApprovalTurnSourceContext(params) {
+	return {
+		turnSourceChannel: params.turnSourceChannel,
+		turnSourceTo: params.turnSourceTo,
+		turnSourceAccountId: params.turnSourceAccountId,
+		turnSourceThreadId: params.turnSourceThreadId
+	};
+}
+function buildHostApprovalDecisionParams(params) {
+	return {
+		id: params.approvalId,
+		command: params.command,
+		commandArgv: params.commandArgv,
+		systemRunPlan: params.systemRunPlan,
+		env: params.env,
+		cwd: params.workdir,
+		nodeId: params.nodeId,
+		host: params.host,
+		security: params.security,
+		ask: params.ask,
+		...buildExecApprovalRequesterContext({
+			agentId: params.agentId,
+			sessionKey: params.sessionKey
+		}),
+		resolvedPath: params.resolvedPath,
+		...buildExecApprovalTurnSourceContext(params)
+	};
+}
+async function registerExecApprovalRequestForHost(params) {
+	return await registerExecApprovalRequest(buildHostApprovalDecisionParams(params));
+}
+async function registerExecApprovalRequestForHostOrThrow(params) {
+	try {
+		return await registerExecApprovalRequestForHost(params);
+	} catch (err) {
+		throw new Error(`Exec approval registration failed: ${String(err)}`, { cause: err });
+	}
+}
+//#endregion
+//#region src/agents/bash-tools.exec-approval-followup.ts
+function buildExecDeniedFollowupPrompt(resultText) {
+	return [
+		"An async command did not run.",
+		"Do not run the command again.",
+		"There is no new command output.",
+		"Do not mention, summarize, or reuse output from any earlier run in this session.",
+		"",
+		"Exact completion details:",
+		resultText.trim(),
+		"",
+		"Reply to the user in a helpful way.",
+		"Explain that the command did not run and why.",
+		"Do not claim there is new command output."
+	].join("\n");
+}
+function formatUnknownError(error) {
+	if (error instanceof Error) return error.message;
+	if (typeof error === "string") return error;
+	try {
+		return JSON.stringify(error);
+	} catch {
+		return "unknown error";
+	}
+}
+function buildExecApprovalFollowupPrompt(resultText) {
+	const trimmed = resultText.trim();
+	if (isExecDeniedResultText(trimmed)) return buildExecDeniedFollowupPrompt(trimmed);
+	return [
+		"An async command the user already approved has completed.",
+		"Do not run the command again.",
+		"If the task requires more steps, continue from this result before replying to the user.",
+		"Only ask the user for help if you are actually blocked.",
+		"",
+		"Exact completion details:",
+		trimmed,
+		"",
+		"Continue the task if needed, then reply to the user in a helpful way.",
+		"If it succeeded, share the relevant output.",
+		"If it failed, explain what went wrong."
+	].join("\n");
+}
+function shouldSuppressExecDeniedFollowup(sessionKey) {
+	return isSubagentSessionKey(sessionKey) || isCronSessionKey(sessionKey);
+}
+function formatDirectExecApprovalFollowupText(resultText, opts = {}) {
+	const parsed = parseExecApprovalResultText(resultText);
+	if (parsed.kind === "other" && !parsed.raw) return null;
+	if (parsed.kind === "denied") return opts.allowDenied ? formatExecDeniedUserMessage(parsed.raw) : null;
+	if (parsed.kind === "finished") {
+		const metadata = normalizeLowercaseStringOrEmpty(parsed.metadata);
+		const body = sanitizeUserFacingText(parsed.body, { errorContext: !metadata.includes("code 0") }).trim();
+		let prefix = "";
+		if (!body) prefix = metadata.includes("code 0") ? "Background command finished." : metadata.includes("signal") ? "Background command stopped unexpectedly." : "Background command finished with an error.";
+		return body ? `${prefix ? `${prefix}\n\n` : ""}${body}` : prefix || null;
+	}
+	if (parsed.kind === "completed") return sanitizeUserFacingText(parsed.body, { errorContext: true }).trim() || "Background command finished.";
+	return sanitizeUserFacingText(parsed.raw, { errorContext: true }).trim() || null;
+}
+function buildSessionResumeFallbackPrefix() {
+	return "Automatic session resume failed, so sending the status directly.\n\n";
+}
+function canDirectSendDeniedFollowup(sessionError) {
+	return sessionError !== null;
+}
+function buildAgentFollowupArgs(params) {
+	const { deliveryTarget, sessionOnlyOriginChannel } = params;
+	return {
+		sessionKey: params.sessionKey,
+		message: buildExecApprovalFollowupPrompt(params.resultText),
+		deliver: deliveryTarget.deliver,
+		...deliveryTarget.deliver ? { bestEffortDeliver: true } : {},
+		channel: deliveryTarget.deliver ? deliveryTarget.channel : sessionOnlyOriginChannel,
+		to: deliveryTarget.deliver ? deliveryTarget.to : sessionOnlyOriginChannel ? params.turnSourceTo : void 0,
+		accountId: deliveryTarget.deliver ? deliveryTarget.accountId : sessionOnlyOriginChannel ? params.turnSourceAccountId : void 0,
+		threadId: deliveryTarget.deliver ? deliveryTarget.threadId : sessionOnlyOriginChannel ? params.turnSourceThreadId : void 0,
+		idempotencyKey: `exec-approval-followup:${params.approvalId}`
+	};
+}
+async function sendDirectFollowupFallback(params) {
+	const directText = formatDirectExecApprovalFollowupText(params.resultText, { allowDenied: canDirectSendDeniedFollowup(params.sessionError) });
+	if (!params.deliveryTarget.deliver || !directText) return false;
+	const prefix = params.sessionError ? buildSessionResumeFallbackPrefix() : "";
+	await sendMessage({
+		channel: params.deliveryTarget.channel,
+		to: params.deliveryTarget.to ?? "",
+		accountId: params.deliveryTarget.accountId,
+		threadId: params.deliveryTarget.threadId,
+		content: `${prefix}${directText}`,
+		agentId: void 0,
+		idempotencyKey: `exec-approval-followup:${params.approvalId}`
+	});
+	return true;
+}
+async function sendExecApprovalFollowup(params) {
+	const sessionKey = params.sessionKey?.trim();
+	const resultText = params.resultText.trim();
+	if (!resultText) return false;
+	const isDenied = isExecDeniedResultText(resultText);
+	if (isDenied && shouldSuppressExecDeniedFollowup(sessionKey)) return false;
+	const deliveryTarget = resolveExternalBestEffortDeliveryTarget({
+		channel: params.turnSourceChannel,
+		to: params.turnSourceTo,
+		accountId: params.turnSourceAccountId,
+		threadId: params.turnSourceThreadId
+	});
+	const normalizedTurnSourceChannel = normalizeMessageChannel(params.turnSourceChannel);
+	const sessionOnlyOriginChannel = normalizedTurnSourceChannel && isGatewayMessageChannel(normalizedTurnSourceChannel) ? normalizedTurnSourceChannel : void 0;
+	let sessionError = null;
+	if (sessionKey) try {
+		await callGatewayTool("agent", { timeoutMs: 6e4 }, buildAgentFollowupArgs({
+			approvalId: params.approvalId,
+			sessionKey,
+			resultText,
+			deliveryTarget,
+			sessionOnlyOriginChannel,
+			turnSourceTo: params.turnSourceTo,
+			turnSourceAccountId: params.turnSourceAccountId,
+			turnSourceThreadId: params.turnSourceThreadId
+		}), { expectFinal: true });
+		return true;
+	} catch (err) {
+		sessionError = err;
+	}
+	if (await sendDirectFollowupFallback({
+		approvalId: params.approvalId,
+		deliveryTarget,
+		resultText,
+		sessionError
+	})) return true;
+	if (sessionError) throw new Error(`Session followup failed: ${formatUnknownError(sessionError)}`);
+	if (isDenied) return false;
+	throw new Error("Session key or deliverable origin route is required");
+}
+const loggedExecApprovalFollowupFailures = /* @__PURE__ */ new Set();
+function rememberExecApprovalFollowupFailureKey(key) {
+	if (loggedExecApprovalFollowupFailures.has(key)) return false;
+	loggedExecApprovalFollowupFailures.add(key);
+	if (loggedExecApprovalFollowupFailures.size > 256) {
+		const oldestKey = loggedExecApprovalFollowupFailures.values().next().value;
+		if (typeof oldestKey === "string") loggedExecApprovalFollowupFailures.delete(oldestKey);
+	}
+	return true;
+}
+function isHeadlessExecTrigger(trigger) {
+	return trigger === "cron";
+}
+function createExecApprovalPendingState(params) {
+	return {
+		warningText: params.warnings.length ? `${params.warnings.join("\n")}\n\n` : "",
+		expiresAtMs: Date.now() + params.timeoutMs,
+		preResolvedDecision: void 0
+	};
+}
+function createExecApprovalRequestState(params) {
+	return {
+		...createExecApprovalPendingState({
+			warnings: params.warnings,
+			timeoutMs: params.timeoutMs
+		}),
+		noticeSeconds: Math.max(1, Math.round(params.approvalRunningNoticeMs / 1e3))
+	};
+}
+function createExecApprovalRequestContext(params) {
+	const approvalId = crypto.randomUUID();
+	return {
+		...createExecApprovalRequestState({
+			warnings: params.warnings,
+			timeoutMs: params.timeoutMs,
+			approvalRunningNoticeMs: params.approvalRunningNoticeMs
+		}),
+		approvalId,
+		approvalSlug: params.createApprovalSlug(approvalId),
+		contextKey: `exec:${approvalId}`
+	};
+}
+function createDefaultExecApprovalRequestContext(params) {
+	return createExecApprovalRequestContext({
+		warnings: params.warnings,
+		timeoutMs: DEFAULT_APPROVAL_TIMEOUT_MS,
+		approvalRunningNoticeMs: params.approvalRunningNoticeMs,
+		createApprovalSlug: params.createApprovalSlug
+	});
+}
+function resolveBaseExecApprovalDecision(params) {
+	if (params.decision === "deny") return {
+		approvedByAsk: false,
+		deniedReason: "user-denied",
+		timedOut: false
+	};
+	if (!params.decision) {
+		if (params.askFallback === "full") return {
+			approvedByAsk: true,
+			deniedReason: null,
+			timedOut: true
+		};
+		if (params.askFallback === "deny") return {
+			approvedByAsk: false,
+			deniedReason: "approval-timeout",
+			timedOut: true
+		};
+		return {
+			approvedByAsk: false,
+			deniedReason: null,
+			timedOut: true
+		};
+	}
+	return {
+		approvedByAsk: false,
+		deniedReason: null,
+		timedOut: false
+	};
+}
+function resolveExecHostApprovalContext(params) {
+	const approvals = resolveExecApprovals(params.agentId, {
+		security: params.security,
+		ask: params.ask
+	});
+	const hostSecurity = minSecurity(params.security, approvals.agent.security);
+	const hostAsk = maxAsk(params.ask, approvals.agent.ask);
+	const askFallback = minSecurity(hostSecurity, approvals.agent.askFallback);
+	if (hostSecurity === "deny") throw new Error(`exec denied: host=${params.host} security=deny`);
+	return {
+		approvals,
+		hostSecurity,
+		hostAsk,
+		askFallback
+	};
+}
+async function resolveApprovalDecisionOrUndefined(params) {
+	try {
+		return await resolveRegisteredExecApprovalDecision({
+			approvalId: params.approvalId,
+			preResolvedDecision: params.preResolvedDecision
+		});
+	} catch {
+		params.onFailure();
+		return;
+	}
+}
+function resolveExecApprovalUnavailableState(params) {
+	const initiatingSurface = resolveExecApprovalInitiatingSurfaceState({
+		channel: params.turnSourceChannel,
+		accountId: params.turnSourceAccountId
+	});
+	return {
+		initiatingSurface,
+		sentApproverDms: false,
+		unavailableReason: params.preResolvedDecision === null ? "no-approval-route" : initiatingSurface.kind === "disabled" ? "initiating-platform-disabled" : initiatingSurface.kind === "unsupported" ? "initiating-platform-unsupported" : null
+	};
+}
+async function createAndRegisterDefaultExecApprovalRequest(params) {
+	const { approvalId, approvalSlug, warningText, expiresAtMs: defaultExpiresAtMs, preResolvedDecision: defaultPreResolvedDecision } = createDefaultExecApprovalRequestContext({
+		warnings: params.warnings,
+		approvalRunningNoticeMs: params.approvalRunningNoticeMs,
+		createApprovalSlug: params.createApprovalSlug
+	});
+	const registration = await params.register(approvalId);
+	const preResolvedDecision = registration.finalDecision;
+	const { initiatingSurface, sentApproverDms, unavailableReason } = resolveExecApprovalUnavailableState({
+		turnSourceChannel: params.turnSourceChannel,
+		turnSourceAccountId: params.turnSourceAccountId,
+		preResolvedDecision
+	});
+	return {
+		approvalId,
+		approvalSlug,
+		warningText,
+		expiresAtMs: registration.expiresAtMs ?? defaultExpiresAtMs,
+		preResolvedDecision: registration.finalDecision === void 0 ? defaultPreResolvedDecision : registration.finalDecision,
+		initiatingSurface,
+		sentApproverDms,
+		unavailableReason
+	};
+}
+function buildDefaultExecApprovalRequestArgs(params) {
+	return {
+		warnings: params.warnings,
+		approvalRunningNoticeMs: params.approvalRunningNoticeMs,
+		createApprovalSlug: params.createApprovalSlug,
+		turnSourceChannel: params.turnSourceChannel,
+		turnSourceAccountId: params.turnSourceAccountId
+	};
+}
+function buildExecApprovalFollowupTarget(params) {
+	return {
+		approvalId: params.approvalId,
+		sessionKey: params.sessionKey,
+		turnSourceChannel: params.turnSourceChannel,
+		turnSourceTo: params.turnSourceTo,
+		turnSourceAccountId: params.turnSourceAccountId,
+		turnSourceThreadId: params.turnSourceThreadId
+	};
+}
+function createExecApprovalDecisionState(params) {
+	const baseDecision = resolveBaseExecApprovalDecision({
+		decision: params.decision ?? null,
+		askFallback: params.askFallback
+	});
+	return {
+		baseDecision,
+		approvedByAsk: baseDecision.approvedByAsk,
+		deniedReason: baseDecision.deniedReason
+	};
+}
+function enforceStrictInlineEvalApprovalBoundary(params) {
+	if (!params.baseDecision.timedOut || !params.requiresInlineEvalApproval || !params.approvedByAsk) return {
+		approvedByAsk: params.approvedByAsk,
+		deniedReason: params.deniedReason
+	};
+	return {
+		approvedByAsk: false,
+		deniedReason: params.deniedReason ?? "approval-timeout"
+	};
+}
+function shouldResolveExecApprovalUnavailableInline(params) {
+	return isHeadlessExecTrigger(params.trigger) && params.unavailableReason === "no-approval-route" && params.preResolvedDecision === null;
+}
+function buildHeadlessExecApprovalDeniedMessage(params) {
+	return [
+		`exec denied: ${params.trigger === "cron" ? "Cron runs" : "Headless runs"} cannot wait for interactive exec approval.`,
+		`Effective host exec policy: security=${params.security} ask=${params.ask} askFallback=${params.askFallback}`,
+		"Stricter values from tools.exec and ~/.genesis/exec-approvals.json both apply.",
+		"Fix one of these:",
+		"- align both files to security=\"full\" and ask=\"off\" for trusted local automation",
+		"- keep allowlist mode and add an explicit allowlist entry for this command",
+		"- enable Web UI, terminal UI, or chat exec approvals and rerun interactively",
+		"Tip: run \"genesis doctor\" and \"genesis approvals get --gateway\" to inspect the effective policy."
+	].join("\n");
+}
+async function sendExecApprovalFollowupResult(target, resultText, deps = {}) {
+	const send = deps.sendExecApprovalFollowup ?? sendExecApprovalFollowup;
+	const warn = deps.logWarn ?? logWarn;
+	await send({
+		approvalId: target.approvalId,
+		sessionKey: target.sessionKey,
+		turnSourceChannel: target.turnSourceChannel,
+		turnSourceTo: target.turnSourceTo,
+		turnSourceAccountId: target.turnSourceAccountId,
+		turnSourceThreadId: target.turnSourceThreadId,
+		resultText
+	}).catch((error) => {
+		const message = formatErrorMessage(error);
+		if (!rememberExecApprovalFollowupFailureKey(`${target.approvalId}:${message}`)) return;
+		warn(`exec approval followup dispatch failed (id=${target.approvalId}): ${message}`);
+	});
+}
+function buildExecApprovalPendingToolResult(params) {
+	const allowedDecisions = params.allowedDecisions ?? resolveExecApprovalAllowedDecisions();
+	return {
+		content: [{
+			type: "text",
+			text: params.unavailableReason !== null ? buildExecApprovalUnavailableReplyPayload({
+				warningText: params.warningText,
+				reason: params.unavailableReason,
+				channel: params.initiatingSurface.channel,
+				channelLabel: params.initiatingSurface.channelLabel,
+				accountId: params.initiatingSurface.accountId,
+				sentApproverDms: params.sentApproverDms
+			}).text ?? "" : buildApprovalPendingMessage({
+				warningText: params.warningText,
+				approvalSlug: params.approvalSlug,
+				approvalId: params.approvalId,
+				allowedDecisions,
+				command: params.command,
+				cwd: params.cwd,
+				host: params.host,
+				nodeId: params.nodeId
+			})
+		}],
+		details: params.unavailableReason !== null ? {
+			status: "approval-unavailable",
+			reason: params.unavailableReason,
+			channel: params.initiatingSurface.channel,
+			channelLabel: params.initiatingSurface.channelLabel,
+			accountId: params.initiatingSurface.accountId,
+			sentApproverDms: params.sentApproverDms,
+			host: params.host,
+			command: params.command,
+			cwd: params.cwd,
+			nodeId: params.nodeId,
+			warningText: params.warningText
+		} : {
+			status: "approval-pending",
+			approvalId: params.approvalId,
+			approvalSlug: params.approvalSlug,
+			expiresAtMs: params.expiresAtMs,
+			allowedDecisions,
+			host: params.host,
+			command: params.command,
+			cwd: params.cwd,
+			nodeId: params.nodeId,
+			warningText: params.warningText
+		}
+	};
+}
+//#endregion
+//#region src/agents/bash-tools.exec-host-gateway.ts
+function hasGatewayAllowlistMiss(params) {
+	return params.hostSecurity === "allowlist" && (!params.analysisOk || !params.allowlistSatisfied) && !params.durableApprovalSatisfied;
+}
+async function processGatewayAllowlist(params) {
+	const { approvals, hostSecurity, hostAsk, askFallback } = resolveExecHostApprovalContext({
+		agentId: params.agentId,
+		security: params.security,
+		ask: params.ask,
+		host: "gateway"
+	});
+	const allowlistEval = evaluateShellAllowlist({
+		command: params.command,
+		allowlist: approvals.allowlist,
+		safeBins: params.safeBins,
+		safeBinProfiles: params.safeBinProfiles,
+		cwd: params.workdir,
+		env: params.env,
+		platform: process.platform,
+		trustedSafeBinDirs: params.trustedSafeBinDirs
+	});
+	const allowlistMatches = allowlistEval.allowlistMatches;
+	const analysisOk = allowlistEval.analysisOk;
+	const allowlistSatisfied = hostSecurity === "allowlist" && analysisOk ? allowlistEval.allowlistSatisfied : false;
+	const durableApprovalSatisfied = hasDurableExecApproval({
+		analysisOk,
+		segmentAllowlistEntries: allowlistEval.segmentAllowlistEntries,
+		allowlist: approvals.allowlist,
+		commandText: params.command
+	});
+	const inlineEvalHit = params.strictInlineEval === true ? allowlistEval.segments.map((segment) => detectInterpreterInlineEvalArgv(segment.resolution?.effectiveArgv ?? segment.argv)).find((entry) => entry !== null) ?? null : null;
+	if (inlineEvalHit) params.warnings.push(`Warning: strict inline-eval mode requires explicit approval for ${describeInterpreterInlineEval(inlineEvalHit)}.`);
+	let enforcedCommand;
+	let allowlistPlanUnavailableReason = null;
+	if (hostSecurity === "allowlist" && analysisOk && allowlistSatisfied) {
+		const enforced = buildEnforcedShellCommand({
+			command: params.command,
+			segments: allowlistEval.segments,
+			platform: process.platform
+		});
+		if (!enforced.ok || !enforced.command) allowlistPlanUnavailableReason = enforced.reason ?? "unsupported platform";
+		else enforcedCommand = enforced.command;
+	}
+	const recordMatchedAllowlistUse = (resolvedPath) => recordAllowlistMatchesUse({
+		approvals: approvals.file,
+		agentId: params.agentId,
+		matches: allowlistMatches,
+		command: params.command,
+		resolvedPath
+	});
+	const hasHeredocSegment = allowlistEval.segments.some((segment) => segment.argv.some((token) => token.startsWith("<<")));
+	const requiresHeredocApproval = hostSecurity === "allowlist" && analysisOk && allowlistSatisfied && hasHeredocSegment;
+	const requiresInlineEvalApproval = inlineEvalHit !== null;
+	const requiresAllowlistPlanApproval = hostSecurity === "allowlist" && analysisOk && allowlistSatisfied && !enforcedCommand && allowlistPlanUnavailableReason !== null;
+	const requiresAsk = requiresExecApproval({
+		ask: hostAsk,
+		security: hostSecurity,
+		analysisOk,
+		allowlistSatisfied,
+		durableApprovalSatisfied
+	}) || requiresAllowlistPlanApproval || requiresHeredocApproval || requiresInlineEvalApproval;
+	if (requiresHeredocApproval) params.warnings.push("Warning: heredoc execution requires explicit approval in allowlist mode.");
+	if (requiresAllowlistPlanApproval) params.warnings.push(`Warning: allowlist auto-execution is unavailable on ${process.platform}; explicit approval is required.`);
+	if (requiresAsk) {
+		const requestArgs = buildDefaultExecApprovalRequestArgs({
+			warnings: params.warnings,
+			approvalRunningNoticeMs: params.approvalRunningNoticeMs,
+			createApprovalSlug,
+			turnSourceChannel: params.turnSourceChannel,
+			turnSourceAccountId: params.turnSourceAccountId
+		});
+		const registerGatewayApproval = async (approvalId) => await registerExecApprovalRequestForHostOrThrow({
+			approvalId,
+			command: params.command,
+			env: params.requestedEnv,
+			workdir: params.workdir,
+			host: "gateway",
+			security: hostSecurity,
+			ask: hostAsk,
+			...buildExecApprovalRequesterContext({
+				agentId: params.agentId,
+				sessionKey: params.sessionKey
+			}),
+			resolvedPath: resolveApprovalAuditCandidatePath(allowlistEval.segments[0]?.resolution ?? null, params.workdir),
+			...buildExecApprovalTurnSourceContext(params)
+		});
+		const { approvalId, approvalSlug, warningText, expiresAtMs, preResolvedDecision, initiatingSurface, sentApproverDms, unavailableReason } = await createAndRegisterDefaultExecApprovalRequest({
+			...requestArgs,
+			register: registerGatewayApproval
+		});
+		if (shouldResolveExecApprovalUnavailableInline({
+			trigger: params.trigger,
+			unavailableReason,
+			preResolvedDecision
+		})) {
+			const { baseDecision, approvedByAsk, deniedReason } = createExecApprovalDecisionState({
+				decision: preResolvedDecision,
+				askFallback
+			});
+			const strictInlineEvalDecision = enforceStrictInlineEvalApprovalBoundary({
+				baseDecision,
+				approvedByAsk,
+				deniedReason,
+				requiresInlineEvalApproval
+			});
+			if (strictInlineEvalDecision.deniedReason || !strictInlineEvalDecision.approvedByAsk) throw new Error(buildHeadlessExecApprovalDeniedMessage({
+				trigger: params.trigger,
+				host: "gateway",
+				security: hostSecurity,
+				ask: hostAsk,
+				askFallback
+			}));
+			recordMatchedAllowlistUse(resolveApprovalAuditCandidatePath(allowlistEval.segments[0]?.resolution ?? null, params.workdir));
+			return {
+				execCommandOverride: enforcedCommand,
+				allowWithoutEnforcedCommand: enforcedCommand === void 0
+			};
+		}
+		const resolvedPath = resolveApprovalAuditCandidatePath(allowlistEval.segments[0]?.resolution ?? null, params.workdir);
+		const effectiveTimeout = typeof params.timeoutSec === "number" ? params.timeoutSec : params.defaultTimeoutSec;
+		const followupTarget = buildExecApprovalFollowupTarget({
+			approvalId,
+			sessionKey: params.notifySessionKey ?? params.sessionKey,
+			turnSourceChannel: params.turnSourceChannel,
+			turnSourceTo: params.turnSourceTo,
+			turnSourceAccountId: params.turnSourceAccountId,
+			turnSourceThreadId: params.turnSourceThreadId
+		});
+		(async () => {
+			const decision = await resolveApprovalDecisionOrUndefined({
+				approvalId,
+				preResolvedDecision,
+				onFailure: () => void sendExecApprovalFollowupResult(followupTarget, `Exec denied (gateway id=${approvalId}, approval-request-failed): ${params.command}`)
+			});
+			if (decision === void 0) return;
+			const { baseDecision, approvedByAsk: initialApprovedByAsk, deniedReason: initialDeniedReason } = createExecApprovalDecisionState({
+				decision,
+				askFallback
+			});
+			let approvedByAsk = initialApprovedByAsk;
+			let deniedReason = initialDeniedReason;
+			if (baseDecision.timedOut && askFallback === "allowlist") if (!analysisOk || !allowlistSatisfied) deniedReason = "approval-timeout (allowlist-miss)";
+			else approvedByAsk = true;
+			else if (decision === "allow-once") approvedByAsk = true;
+			else if (decision === "allow-always") {
+				approvedByAsk = true;
+				if (!requiresInlineEvalApproval) {
+					if (persistAllowAlwaysPatterns({
+						approvals: approvals.file,
+						agentId: params.agentId,
+						segments: allowlistEval.segments,
+						cwd: params.workdir,
+						env: params.env,
+						platform: process.platform,
+						strictInlineEval: params.strictInlineEval === true
+					}).length === 0) addDurableCommandApproval(approvals.file, params.agentId, params.command);
+				}
+			}
+			({approvedByAsk, deniedReason} = enforceStrictInlineEvalApprovalBoundary({
+				baseDecision,
+				approvedByAsk,
+				deniedReason,
+				requiresInlineEvalApproval
+			}));
+			if (!approvedByAsk && hasGatewayAllowlistMiss({
+				hostSecurity,
+				analysisOk,
+				allowlistSatisfied,
+				durableApprovalSatisfied
+			})) deniedReason = deniedReason ?? "allowlist-miss";
+			if (deniedReason) {
+				await sendExecApprovalFollowupResult(followupTarget, `Exec denied (gateway id=${approvalId}, ${deniedReason}): ${params.command}`);
+				return;
+			}
+			recordMatchedAllowlistUse(resolvedPath ?? void 0);
+			let run = null;
+			try {
+				run = await runExecProcess({
+					command: params.command,
+					execCommand: enforcedCommand,
+					workdir: params.workdir,
+					env: params.env,
+					sandbox: void 0,
+					containerWorkdir: null,
+					usePty: params.pty,
+					warnings: params.warnings,
+					maxOutput: params.maxOutput,
+					pendingMaxOutput: params.pendingMaxOutput,
+					notifyOnExit: false,
+					notifyOnExitEmptySuccess: false,
+					scopeKey: params.scopeKey,
+					sessionKey: params.notifySessionKey ?? params.sessionKey,
+					timeoutSec: effectiveTimeout
+				});
+			} catch {
+				await sendExecApprovalFollowupResult(followupTarget, `Exec denied (gateway id=${approvalId}, spawn-failed): ${params.command}`);
+				return;
+			}
+			markBackgrounded(run.session);
+			const outcome = await run.promise;
+			const output = normalizeNotifyOutput(tail(outcome.aggregated || "", 400));
+			const exitLabel = outcome.timedOut ? "timeout" : `code ${outcome.exitCode ?? "?"}`;
+			await sendExecApprovalFollowupResult(followupTarget, output ? `Exec finished (gateway id=${approvalId}, session=${run.session.id}, ${exitLabel})\n${output}` : `Exec finished (gateway id=${approvalId}, session=${run.session.id}, ${exitLabel})`);
+		})();
+		return { pendingResult: buildExecApprovalPendingToolResult({
+			host: "gateway",
+			command: params.command,
+			cwd: params.workdir,
+			warningText,
+			approvalId,
+			approvalSlug,
+			expiresAtMs,
+			initiatingSurface,
+			sentApproverDms,
+			unavailableReason,
+			allowedDecisions: resolveExecApprovalAllowedDecisions({ ask: hostAsk })
+		}) };
+	}
+	if (hasGatewayAllowlistMiss({
+		hostSecurity,
+		analysisOk,
+		allowlistSatisfied,
+		durableApprovalSatisfied
+	})) throw new Error("exec denied: allowlist miss");
+	recordMatchedAllowlistUse(resolveApprovalAuditCandidatePath(allowlistEval.segments[0]?.resolution ?? null, params.workdir));
+	return { execCommandOverride: enforcedCommand };
+}
+//#endregion
+//#region src/infra/node-shell.ts
+function buildNodeShellCommand(command, platform) {
+	if (normalizeLowercaseStringOrEmpty((platform ?? "").trim()).startsWith("win")) return [
+		"cmd.exe",
+		"/d",
+		"/s",
+		"/c",
+		command
+	];
+	return [
+		"/bin/sh",
+		"-lc",
+		command
+	];
+}
+//#endregion
+//#region src/agents/bash-tools.exec-host-node.ts
+async function executeNodeHostCommand(params) {
+	const { hostSecurity, hostAsk, askFallback } = resolveExecHostApprovalContext({
+		agentId: params.agentId,
+		security: params.security,
+		ask: params.ask,
+		host: "node"
+	});
+	if (params.boundNode && params.requestedNode && params.boundNode !== params.requestedNode) throw new Error(`exec node not allowed (bound to ${params.boundNode})`);
+	const nodeQuery = params.boundNode || params.requestedNode;
+	const nodes = await listNodes({});
+	if (nodes.length === 0) throw new Error("exec host=node requires a paired node (none available). This requires a companion app or node host.");
+	let nodeId;
+	try {
+		nodeId = resolveNodeIdFromList(nodes, nodeQuery, !nodeQuery);
+	} catch (err) {
+		if (!nodeQuery && String(err).includes("node required")) throw new Error("exec host=node requires a node id when multiple nodes are available (set tools.exec.node or exec.node).", { cause: err });
+		throw err;
+	}
+	const nodeInfo = nodes.find((entry) => entry.nodeId === nodeId);
+	if (!(Array.isArray(nodeInfo?.commands) ? nodeInfo?.commands?.includes("system.run") : false)) throw new Error("exec host=node requires a node that supports system.run (companion app or node host).");
+	const argv = buildNodeShellCommand(params.command, nodeInfo?.platform);
+	const prepared = parsePreparedSystemRunPayload((await callGatewayTool("node.invoke", { timeoutMs: 15e3 }, {
+		nodeId,
+		command: "system.run.prepare",
+		params: {
+			command: argv,
+			rawCommand: params.command,
+			...params.workdir != null ? { cwd: params.workdir } : {},
+			agentId: params.agentId,
+			sessionKey: params.sessionKey
+		},
+		idempotencyKey: crypto.randomUUID()
+	}))?.payload);
+	if (!prepared) throw new Error("invalid system.run.prepare response");
+	const runArgv = prepared.plan.argv;
+	const runRawCommand = prepared.plan.commandText;
+	const runCwd = prepared.plan.cwd ?? params.workdir;
+	const runAgentId = prepared.plan.agentId ?? params.agentId;
+	const runSessionKey = prepared.plan.sessionKey ?? params.sessionKey;
+	const nodeEnv = params.requestedEnv ? { ...params.requestedEnv } : void 0;
+	const baseAllowlistEval = evaluateShellAllowlist({
+		command: params.command,
+		allowlist: [],
+		safeBins: /* @__PURE__ */ new Set(),
+		cwd: params.workdir,
+		env: params.env,
+		platform: nodeInfo?.platform,
+		trustedSafeBinDirs: params.trustedSafeBinDirs
+	});
+	let analysisOk = baseAllowlistEval.analysisOk;
+	let allowlistSatisfied = false;
+	let durableApprovalSatisfied = false;
+	const inlineEvalHit = params.strictInlineEval === true ? baseAllowlistEval.segments.map((segment) => detectInterpreterInlineEvalArgv(segment.resolution?.effectiveArgv ?? segment.argv)).find((entry) => entry !== null) ?? null : null;
+	if (inlineEvalHit) params.warnings.push(`Warning: strict inline-eval mode requires explicit approval for ${describeInterpreterInlineEval(inlineEvalHit)}.`);
+	if ((hostAsk === "always" || hostSecurity === "allowlist") && analysisOk) try {
+		const approvalsSnapshot = await callGatewayTool("exec.approvals.node.get", { timeoutMs: 1e4 }, { nodeId });
+		const approvalsFile = approvalsSnapshot && typeof approvalsSnapshot === "object" ? approvalsSnapshot.file : void 0;
+		if (approvalsFile && typeof approvalsFile === "object") {
+			const resolved = resolveExecApprovalsFromFile({
+				file: approvalsFile,
+				agentId: params.agentId,
+				overrides: { security: "full" }
+			});
+			const allowlistEval = evaluateShellAllowlist({
+				command: params.command,
+				allowlist: resolved.allowlist,
+				safeBins: /* @__PURE__ */ new Set(),
+				cwd: params.workdir,
+				env: params.env,
+				platform: nodeInfo?.platform,
+				trustedSafeBinDirs: params.trustedSafeBinDirs
+			});
+			durableApprovalSatisfied = hasDurableExecApproval({
+				analysisOk: allowlistEval.analysisOk,
+				segmentAllowlistEntries: allowlistEval.segmentAllowlistEntries,
+				allowlist: resolved.allowlist,
+				commandText: runRawCommand
+			});
+			allowlistSatisfied = allowlistEval.allowlistSatisfied;
+			analysisOk = allowlistEval.analysisOk;
+		}
+	} catch {}
+	const requiresAsk = requiresExecApproval({
+		ask: hostAsk,
+		security: hostSecurity,
+		analysisOk,
+		allowlistSatisfied,
+		durableApprovalSatisfied
+	}) || inlineEvalHit !== null;
+	const invokeTimeoutMs = Math.max(1e4, (typeof params.timeoutSec === "number" ? params.timeoutSec : params.defaultTimeoutSec) * 1e3 + 5e3);
+	const buildInvokeParams = (approvedByAsk, approvalDecision, runId, suppressNotifyOnExit) => ({
+		nodeId,
+		command: "system.run",
+		params: {
+			command: runArgv,
+			rawCommand: runRawCommand,
+			systemRunPlan: prepared.plan,
+			cwd: runCwd,
+			env: nodeEnv,
+			timeoutMs: typeof params.timeoutSec === "number" ? params.timeoutSec * 1e3 : void 0,
+			agentId: runAgentId,
+			sessionKey: runSessionKey,
+			approved: approvedByAsk,
+			approvalDecision: approvalDecision === "allow-always" && inlineEvalHit !== null ? "allow-once" : approvalDecision ?? void 0,
+			runId: runId ?? void 0,
+			suppressNotifyOnExit: suppressNotifyOnExit === true || params.notifyOnExit === false ? true : void 0
+		},
+		idempotencyKey: crypto.randomUUID()
+	});
+	let inlineApprovedByAsk = false;
+	let inlineApprovalDecision = null;
+	let inlineApprovalId;
+	if (requiresAsk) {
+		const requestArgs = buildDefaultExecApprovalRequestArgs({
+			warnings: params.warnings,
+			approvalRunningNoticeMs: params.approvalRunningNoticeMs,
+			createApprovalSlug,
+			turnSourceChannel: params.turnSourceChannel,
+			turnSourceAccountId: params.turnSourceAccountId
+		});
+		const registerNodeApproval = async (approvalId) => await registerExecApprovalRequestForHostOrThrow({
+			approvalId,
+			systemRunPlan: prepared.plan,
+			env: nodeEnv,
+			workdir: runCwd,
+			host: "node",
+			nodeId,
+			security: hostSecurity,
+			ask: hostAsk,
+			...buildExecApprovalRequesterContext({
+				agentId: runAgentId,
+				sessionKey: runSessionKey
+			}),
+			...buildExecApprovalTurnSourceContext(params)
+		});
+		const { approvalId, approvalSlug, warningText, expiresAtMs, preResolvedDecision, initiatingSurface, sentApproverDms, unavailableReason } = await createAndRegisterDefaultExecApprovalRequest({
+			...requestArgs,
+			register: registerNodeApproval
+		});
+		if (shouldResolveExecApprovalUnavailableInline({
+			trigger: params.trigger,
+			unavailableReason,
+			preResolvedDecision
+		})) {
+			const { baseDecision, approvedByAsk, deniedReason } = createExecApprovalDecisionState({
+				decision: preResolvedDecision,
+				askFallback
+			});
+			const strictInlineEvalDecision = enforceStrictInlineEvalApprovalBoundary({
+				baseDecision,
+				approvedByAsk,
+				deniedReason,
+				requiresInlineEvalApproval: inlineEvalHit !== null
+			});
+			if (strictInlineEvalDecision.deniedReason || !strictInlineEvalDecision.approvedByAsk) throw new Error(buildHeadlessExecApprovalDeniedMessage({
+				trigger: params.trigger,
+				host: "node",
+				security: hostSecurity,
+				ask: hostAsk,
+				askFallback
+			}));
+			inlineApprovedByAsk = strictInlineEvalDecision.approvedByAsk;
+			inlineApprovalDecision = strictInlineEvalDecision.approvedByAsk ? "allow-once" : null;
+			inlineApprovalId = approvalId;
+		} else {
+			const followupTarget = buildExecApprovalFollowupTarget({
+				approvalId,
+				sessionKey: params.notifySessionKey ?? params.sessionKey,
+				turnSourceChannel: params.turnSourceChannel,
+				turnSourceTo: params.turnSourceTo,
+				turnSourceAccountId: params.turnSourceAccountId,
+				turnSourceThreadId: params.turnSourceThreadId
+			});
+			(async () => {
+				const decision = await resolveApprovalDecisionOrUndefined({
+					approvalId,
+					preResolvedDecision,
+					onFailure: () => void sendExecApprovalFollowupResult(followupTarget, `Exec denied (node=${nodeId} id=${approvalId}, approval-request-failed): ${params.command}`)
+				});
+				if (decision === void 0) return;
+				const { baseDecision, approvedByAsk: initialApprovedByAsk, deniedReason: initialDeniedReason } = createExecApprovalDecisionState({
+					decision,
+					askFallback
+				});
+				let approvedByAsk = initialApprovedByAsk;
+				let approvalDecision = null;
+				let deniedReason = initialDeniedReason;
+				if (baseDecision.timedOut && askFallback === "full" && approvedByAsk) approvalDecision = "allow-once";
+				else if (decision === "allow-once") {
+					approvedByAsk = true;
+					approvalDecision = "allow-once";
+				} else if (decision === "allow-always") {
+					approvedByAsk = true;
+					approvalDecision = "allow-always";
+				}
+				({approvedByAsk, deniedReason} = enforceStrictInlineEvalApprovalBoundary({
+					baseDecision,
+					approvedByAsk,
+					deniedReason,
+					requiresInlineEvalApproval: inlineEvalHit !== null
+				}));
+				if (deniedReason) approvalDecision = null;
+				if (deniedReason) {
+					await sendExecApprovalFollowupResult(followupTarget, `Exec denied (node=${nodeId} id=${approvalId}, ${deniedReason}): ${params.command}`);
+					return;
+				}
+				try {
+					const raw = await callGatewayTool("node.invoke", { timeoutMs: invokeTimeoutMs }, buildInvokeParams(approvedByAsk, approvalDecision, approvalId, true));
+					const payload = raw?.payload && typeof raw.payload === "object" ? raw.payload : {};
+					const output = normalizeNotifyOutput([
+						payload.stdout,
+						payload.stderr,
+						payload.error
+					].filter(Boolean).join("\n").slice(-400));
+					const exitLabel = payload.timedOut ? "timeout" : `code ${payload.exitCode ?? "?"}`;
+					await sendExecApprovalFollowupResult(followupTarget, output ? `Exec finished (node=${nodeId} id=${approvalId}, ${exitLabel})\n${output}` : `Exec finished (node=${nodeId} id=${approvalId}, ${exitLabel})`);
+				} catch {
+					await sendExecApprovalFollowupResult(followupTarget, `Exec denied (node=${nodeId} id=${approvalId}, invoke-failed): ${params.command}`);
+				}
+			})();
+			return buildExecApprovalPendingToolResult({
+				host: "node",
+				command: params.command,
+				cwd: params.workdir,
+				warningText,
+				approvalId,
+				approvalSlug,
+				expiresAtMs,
+				initiatingSurface,
+				sentApproverDms,
+				unavailableReason,
+				allowedDecisions: resolveExecApprovalAllowedDecisions({ ask: hostAsk }),
+				nodeId
+			});
+		}
+	}
+	const startedAt = Date.now();
+	const raw = await callGatewayTool("node.invoke", { timeoutMs: invokeTimeoutMs }, buildInvokeParams(inlineApprovedByAsk, inlineApprovalDecision, inlineApprovalId));
+	const payload = raw && typeof raw === "object" ? raw.payload : void 0;
+	const payloadObj = payload && typeof payload === "object" ? payload : {};
+	const stdout = typeof payloadObj.stdout === "string" ? payloadObj.stdout : "";
+	const stderr = typeof payloadObj.stderr === "string" ? payloadObj.stderr : "";
+	const errorText = typeof payloadObj.error === "string" ? payloadObj.error : "";
+	const success = typeof payloadObj.success === "boolean" ? payloadObj.success : false;
+	const exitCode = typeof payloadObj.exitCode === "number" ? payloadObj.exitCode : null;
+	return {
+		content: [{
+			type: "text",
+			text: stdout || stderr || errorText || ""
+		}],
+		details: {
+			status: success ? "completed" : "failed",
+			exitCode,
+			durationMs: Date.now() - startedAt,
+			aggregated: [
+				stdout,
+				stderr,
+				errorText
+			].filter(Boolean).join("\n"),
+			cwd: params.workdir
+		}
+	};
+}
+//#endregion
+//#region src/agents/bash-tools.exec.ts
+function buildExecForegroundResult(params) {
+	const warningText = params.warningText?.trim() ? `${params.warningText}\n\n` : "";
+	if (params.outcome.status === "failed") return failedTextResult(`${warningText}${params.outcome.reason}`, {
+		status: "failed",
+		exitCode: params.outcome.exitCode ?? null,
+		durationMs: params.outcome.durationMs,
+		aggregated: params.outcome.aggregated,
+		timedOut: params.outcome.timedOut,
+		cwd: params.cwd
+	});
+	return textResult(`${warningText}${params.outcome.aggregated || "(no output)"}`, {
+		status: "completed",
+		exitCode: params.outcome.exitCode,
+		durationMs: params.outcome.durationMs,
+		aggregated: params.outcome.aggregated,
+		cwd: params.cwd
+	});
+}
+const PREFLIGHT_ENV_OPTIONS_WITH_VALUES = new Set([
+	"-C",
+	"-S",
+	"-u",
+	"--argv0",
+	"--block-signal",
+	"--chdir",
+	"--default-signal",
+	"--ignore-signal",
+	"--split-string",
+	"--unset"
+]);
+const SKIPPABLE_SCRIPT_PREFLIGHT_FS_ERROR_CODES = new Set([
+	"EACCES",
+	"EISDIR",
+	"ELOOP",
+	"EINVAL",
+	"ENAMETOOLONG",
+	"ENOENT",
+	"ENOTDIR",
+	"EPERM"
+]);
+function getNodeErrorCode(error) {
+	if (typeof error !== "object" || error === null || !("code" in error)) return;
+	return String(error.code);
+}
+let fsSafeModulePromise;
+async function loadFsSafeModule() {
+	fsSafeModulePromise ??= import("./fs-safe-BzoHPPeT.js");
+	return await fsSafeModulePromise;
+}
+function shouldSkipScriptPreflightPathError(error, SafeOpenError) {
+	if (error instanceof SafeOpenError) return true;
+	const errorCode = getNodeErrorCode(error);
+	return !!(errorCode && SKIPPABLE_SCRIPT_PREFLIGHT_FS_ERROR_CODES.has(errorCode));
+}
+function resolvePreflightRelativePath(params) {
+	const root = path.resolve(params.rootDir);
+	const candidate = path.resolve(params.absPath);
+	const relative = path.relative(root, candidate);
+	if (/^\.\.(?:[\\/]|$)/u.test(relative) || path.isAbsolute(relative)) return null;
+	return /^~(?:$|[\\/])/u.test(relative) ? `.${path.sep}${relative}` : relative;
+}
+function isShellEnvAssignmentToken(token) {
+	return /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(token);
+}
+function isEnvExecutableToken(token) {
+	if (!token) return false;
+	const base = normalizeOptionalLowercaseString(token.split(/[\\/]/u).at(-1)) ?? "";
+	return (base.endsWith(".exe") ? base.slice(0, -4) : base) === "env";
+}
+function stripPreflightEnvPrefix(argv) {
+	if (argv.length === 0) return argv;
+	let idx = 0;
+	while (idx < argv.length && isShellEnvAssignmentToken(argv[idx])) idx += 1;
+	if (!isEnvExecutableToken(argv[idx])) return argv;
+	idx += 1;
+	while (idx < argv.length) {
+		const token = argv[idx];
+		if (token === "--") {
+			idx += 1;
+			break;
+		}
+		if (isShellEnvAssignmentToken(token)) {
+			idx += 1;
+			continue;
+		}
+		if (!token.startsWith("-") || token === "-") break;
+		idx += 1;
+		const option = token.split("=", 1)[0];
+		if (PREFLIGHT_ENV_OPTIONS_WITH_VALUES.has(option) && !token.includes("=") && idx < argv.length) idx += 1;
+	}
+	return argv.slice(idx);
+}
+function findFirstPythonScriptArg(tokens) {
+	const optionsWithSeparateValue = new Set([
+		"-W",
+		"-X",
+		"-Q",
+		"--check-hash-based-pycs"
+	]);
+	for (let i = 0; i < tokens.length; i += 1) {
+		const token = tokens[i];
+		if (token === "--") {
+			const next = tokens[i + 1];
+			return normalizeLowercaseStringOrEmpty(next).endsWith(".py") ? next : null;
+		}
+		if (token === "-") return null;
+		if (token === "-c" || token === "-m") return null;
+		if ((token.startsWith("-c") || token.startsWith("-m")) && token.length > 2) return null;
+		if (optionsWithSeparateValue.has(token)) {
+			i += 1;
+			continue;
+		}
+		if (token.startsWith("-")) continue;
+		return normalizeLowercaseStringOrEmpty(token).endsWith(".py") ? token : null;
+	}
+	return null;
+}
+function findNodeScriptArgs(tokens) {
+	const optionsWithSeparateValue = new Set([
+		"-r",
+		"--require",
+		"--import"
+	]);
+	const preloadScripts = [];
+	let entryScript = null;
+	let hasInlineEvalOrPrint = false;
+	for (let i = 0; i < tokens.length; i += 1) {
+		const token = tokens[i];
+		if (token === "--") {
+			if (!hasInlineEvalOrPrint && !entryScript) {
+				const next = tokens[i + 1];
+				if (normalizeLowercaseStringOrEmpty(next).endsWith(".js")) entryScript = next;
+			}
+			break;
+		}
+		if (token === "-e" || token === "-p" || token === "--eval" || token === "--print" || token.startsWith("--eval=") || token.startsWith("--print=") || (token.startsWith("-e") || token.startsWith("-p")) && token.length > 2) {
+			hasInlineEvalOrPrint = true;
+			if (token === "-e" || token === "-p" || token === "--eval" || token === "--print") i += 1;
+			continue;
+		}
+		if (optionsWithSeparateValue.has(token)) {
+			const next = tokens[i + 1];
+			if (normalizeLowercaseStringOrEmpty(next).endsWith(".js")) preloadScripts.push(next);
+			i += 1;
+			continue;
+		}
+		if (token.startsWith("-r") && token.length > 2 || token.startsWith("--require=") || token.startsWith("--import=")) {
+			const inlineValue = token.startsWith("-r") ? token.slice(2) : token.slice(token.indexOf("=") + 1);
+			if (normalizeLowercaseStringOrEmpty(inlineValue).endsWith(".js")) preloadScripts.push(inlineValue);
+			continue;
+		}
+		if (token.startsWith("-")) continue;
+		if (!hasInlineEvalOrPrint && !entryScript && normalizeLowercaseStringOrEmpty(token).endsWith(".js")) entryScript = token;
+		break;
+	}
+	const targets = [...preloadScripts];
+	if (entryScript) targets.push(entryScript);
+	return targets;
+}
+function extractInterpreterScriptTargetFromArgv(argv) {
+	if (!argv || argv.length === 0) return null;
+	let commandIdx = 0;
+	while (commandIdx < argv.length && /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(argv[commandIdx])) commandIdx += 1;
+	const executable = normalizeOptionalLowercaseString(argv[commandIdx]);
+	if (!executable) return null;
+	const args = argv.slice(commandIdx + 1);
+	if (/^python(?:3(?:\.\d+)?)?$/i.test(executable)) {
+		const script = findFirstPythonScriptArg(args);
+		if (script) return {
+			kind: "python",
+			relOrAbsPaths: [script]
+		};
+		return null;
+	}
+	if (executable === "node") {
+		const scripts = findNodeScriptArgs(args);
+		if (scripts.length > 0) return {
+			kind: "node",
+			relOrAbsPaths: scripts
+		};
+		return null;
+	}
+	return null;
+}
+function extractInterpreterScriptPathsFromSegment(rawSegment) {
+	const argv = splitShellArgs(rawSegment.trim());
+	if (!argv || argv.length === 0) return [];
+	return extractInterpreterScriptTargetFromArgv(stripPreflightEnvPrefix(/^(?:if|then|do|elif|else|while|until|time)$/i.test(argv[0] ?? "") ? argv.slice(1) : argv))?.relOrAbsPaths ?? [];
+}
+function extractScriptTargetFromCommand(command) {
+	const raw = command.trim();
+	const splitShellArgsPreservingBackslashes = (value) => {
+		const tokens = [];
+		let buf = "";
+		let inSingle = false;
+		let inDouble = false;
+		const pushToken = () => {
+			if (buf.length > 0) {
+				tokens.push(buf);
+				buf = "";
+			}
+		};
+		for (let i = 0; i < value.length; i += 1) {
+			const ch = value[i];
+			if (inSingle) {
+				if (ch === "'") inSingle = false;
+				else buf += ch;
+				continue;
+			}
+			if (inDouble) {
+				if (ch === "\"") inDouble = false;
+				else buf += ch;
+				continue;
+			}
+			if (ch === "'") {
+				inSingle = true;
+				continue;
+			}
+			if (ch === "\"") {
+				inDouble = true;
+				continue;
+			}
+			if (/\s/.test(ch)) {
+				pushToken();
+				continue;
+			}
+			buf += ch;
+		}
+		if (inSingle || inDouble) return null;
+		pushToken();
+		return tokens;
+	};
+	const candidateArgv = process.platform === "win32" && /(?:^|[\s"'`])(?:[A-Za-z]:\\|\\\\|[^\s"'`|&;()<>]+\\[^\s"'`|&;()<>]+)/.test(raw) ? [splitShellArgsPreservingBackslashes(raw)] : [splitShellArgs(raw)];
+	for (const argv of candidateArgv) {
+		const attempts = [argv, argv ? stripPreflightEnvPrefix(argv) : null];
+		for (const attempt of attempts) {
+			const target = extractInterpreterScriptTargetFromArgv(attempt);
+			if (target) return target;
+		}
+	}
+	return null;
+}
+function extractUnquotedShellText(raw) {
+	let out = "";
+	let inSingle = false;
+	let inDouble = false;
+	let escaped = false;
+	for (let i = 0; i < raw.length; i += 1) {
+		const ch = raw[i];
+		if (escaped) {
+			if (!inSingle && !inDouble) out += `\\${ch}`;
+			escaped = false;
+			continue;
+		}
+		if (!inSingle && ch === "\\") {
+			escaped = true;
+			continue;
+		}
+		if (inSingle) {
+			if (ch === "'") inSingle = false;
+			continue;
+		}
+		if (inDouble) {
+			const next = raw[i + 1];
+			if (ch === "\\" && next && /[\\'"$`\n\r]/.test(next)) {
+				i += 1;
+				continue;
+			}
+			if (ch === "\"") inDouble = false;
+			continue;
+		}
+		if (ch === "'") {
+			inSingle = true;
+			continue;
+		}
+		if (ch === "\"") {
+			inDouble = true;
+			continue;
+		}
+		out += ch;
+	}
+	if (escaped || inSingle || inDouble) return null;
+	return out;
+}
+function splitShellSegmentsOutsideQuotes(rawText, params) {
+	const segments = [];
+	let buf = "";
+	let inSingle = false;
+	let inDouble = false;
+	let escaped = false;
+	const pushSegment = () => {
+		if (buf.trim().length > 0) segments.push(buf);
+		buf = "";
+	};
+	for (let i = 0; i < rawText.length; i += 1) {
+		const ch = rawText[i];
+		const next = rawText[i + 1];
+		if (escaped) {
+			buf += ch;
+			escaped = false;
+			continue;
+		}
+		if (!inSingle && ch === "\\") {
+			buf += ch;
+			escaped = true;
+			continue;
+		}
+		if (inSingle) {
+			buf += ch;
+			if (ch === "'") inSingle = false;
+			continue;
+		}
+		if (inDouble) {
+			buf += ch;
+			if (ch === "\"") inDouble = false;
+			continue;
+		}
+		if (ch === "'") {
+			inSingle = true;
+			buf += ch;
+			continue;
+		}
+		if (ch === "\"") {
+			inDouble = true;
+			buf += ch;
+			continue;
+		}
+		if (ch === "\n" || ch === "\r") {
+			pushSegment();
+			continue;
+		}
+		if (ch === ";") {
+			pushSegment();
+			continue;
+		}
+		if (ch === "&" && next === "&") {
+			pushSegment();
+			i += 1;
+			continue;
+		}
+		if (ch === "|" && next === "|") {
+			pushSegment();
+			i += 1;
+			continue;
+		}
+		if (params.splitPipes && ch === "|") {
+			pushSegment();
+			continue;
+		}
+		buf += ch;
+	}
+	pushSegment();
+	return segments;
+}
+function isInterpreterExecutable(executable) {
+	if (!executable) return false;
+	return /^python(?:3(?:\.\d+)?)?$/i.test(executable) || executable === "node";
+}
+function hasUnescapedSequence(raw, sequence) {
+	if (sequence.length === 0) return false;
+	let escaped = false;
+	for (let i = 0; i < raw.length; i += 1) {
+		const ch = raw[i];
+		if (escaped) {
+			escaped = false;
+			continue;
+		}
+		if (ch === "\\") {
+			escaped = true;
+			continue;
+		}
+		if (raw.startsWith(sequence, i)) return true;
+	}
+	return false;
+}
+function hasUnquotedScriptHint(raw) {
+	let inSingle = false;
+	let inDouble = false;
+	let escaped = false;
+	let token = "";
+	const flushToken = () => {
+		const normalizedToken = normalizeLowercaseStringOrEmpty(token);
+		if (normalizedToken.endsWith(".py") || normalizedToken.endsWith(".js")) return true;
+		token = "";
+		return false;
+	};
+	for (let i = 0; i < raw.length; i += 1) {
+		const ch = raw[i];
+		if (escaped) {
+			if (!inSingle && !inDouble) token += ch;
+			escaped = false;
+			continue;
+		}
+		if (!inSingle && ch === "\\") {
+			escaped = true;
+			continue;
+		}
+		if (inSingle) {
+			if (ch === "'") inSingle = false;
+			continue;
+		}
+		if (inDouble) {
+			if (ch === "\"") inDouble = false;
+			continue;
+		}
+		if (ch === "'") {
+			if (flushToken()) return true;
+			inSingle = true;
+			continue;
+		}
+		if (ch === "\"") {
+			if (flushToken()) return true;
+			inDouble = true;
+			continue;
+		}
+		if (/\s/u.test(ch) || "|&;()<>".includes(ch)) {
+			if (flushToken()) return true;
+			continue;
+		}
+		token += ch;
+	}
+	return flushToken();
+}
+function resolveLeadingShellSegmentExecutable(rawSegment) {
+	const argv = splitShellArgs((extractUnquotedShellText(rawSegment) ?? rawSegment).trim());
+	if (!argv || argv.length === 0) return;
+	const withoutLeadingKeyword = /^(?:if|then|do|elif|else|while|until|time)$/i.test(argv[0] ?? "") ? argv.slice(1) : argv;
+	if (withoutLeadingKeyword.length === 0) return;
+	const normalizedArgv = stripPreflightEnvPrefix(withoutLeadingKeyword);
+	let commandIdx = 0;
+	while (commandIdx < normalizedArgv.length && /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(normalizedArgv[commandIdx] ?? "")) commandIdx += 1;
+	return normalizeOptionalLowercaseString(normalizedArgv[commandIdx]);
+}
+function analyzeInterpreterHeuristicsFromUnquoted(raw) {
+	const hasPython = splitShellSegmentsOutsideQuotes(raw, { splitPipes: true }).some((segment) => /^python(?:3(?:\.\d+)?)?$/i.test(resolveLeadingShellSegmentExecutable(segment) ?? ""));
+	const hasNode = splitShellSegmentsOutsideQuotes(raw, { splitPipes: true }).some((segment) => resolveLeadingShellSegmentExecutable(segment) === "node");
+	const hasProcessSubstitution = hasUnescapedSequence(raw, "<(") || hasUnescapedSequence(raw, ">(");
+	return {
+		hasPython,
+		hasNode,
+		hasComplexSyntax: hasUnescapedSequence(raw, "|") || hasUnescapedSequence(raw, "&&") || hasUnescapedSequence(raw, "||") || hasUnescapedSequence(raw, ";") || raw.includes("\n") || raw.includes("\r") || hasUnescapedSequence(raw, "$(") || hasUnescapedSequence(raw, "`") || hasProcessSubstitution,
+		hasProcessSubstitution,
+		hasScriptHint: hasUnquotedScriptHint(raw)
+	};
+}
+function extractShellWrappedCommandPayload(executable, args) {
+	if (!executable) return null;
+	const executableBase = normalizeOptionalLowercaseString(executable.split(/[\\/]/u).at(-1)) ?? "";
+	const normalizedExecutable = executableBase.endsWith(".exe") ? executableBase.slice(0, -4) : executableBase;
+	if (!/^(?:bash|dash|fish|ksh|sh|zsh)$/i.test(normalizedExecutable)) return null;
+	const shortOptionsWithSeparateValue = new Set(["-O", "-o"]);
+	for (let i = 0; i < args.length; i += 1) {
+		const arg = args[i];
+		if (arg === "--") return null;
+		if (arg === "-c") return args[i + 1] ?? null;
+		if (/^-[A-Za-z]+$/u.test(arg)) {
+			if (arg.includes("c")) return args[i + 1] ?? null;
+			if (shortOptionsWithSeparateValue.has(arg)) i += 1;
+			continue;
+		}
+		if (/^--[A-Za-z0-9][A-Za-z0-9-]*(?:=.*)?$/u.test(arg)) {
+			if (!arg.includes("=")) {
+				const next = args[i + 1];
+				if (next && next !== "--" && !next.startsWith("-")) i += 1;
+			}
+			continue;
+		}
+		return null;
+	}
+	return null;
+}
+function shouldFailClosedInterpreterPreflight(command) {
+	const raw = command.trim();
+	const rawArgv = splitShellArgs(raw);
+	const argv = rawArgv ? stripPreflightEnvPrefix(rawArgv) : null;
+	let commandIdx = 0;
+	if (argv) while (commandIdx < argv.length && /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(argv[commandIdx] ?? "")) commandIdx += 1;
+	const directExecutable = normalizeOptionalLowercaseString(argv?.[commandIdx]);
+	const args = argv ? argv.slice(commandIdx + 1) : [];
+	const isDirectInterpreterCommand = Boolean(directExecutable && /^python(?:3(?:\.\d+)?)?$/i.test(directExecutable)) || directExecutable === "node";
+	const topLevel = analyzeInterpreterHeuristicsFromUnquoted(extractUnquotedShellText(raw) ?? raw);
+	const shellWrappedPayload = extractShellWrappedCommandPayload(directExecutable, args);
+	const nestedUnquoted = shellWrappedPayload ? extractUnquotedShellText(shellWrappedPayload) ?? shellWrappedPayload : "";
+	const nested = shellWrappedPayload ? analyzeInterpreterHeuristicsFromUnquoted(nestedUnquoted) : {
+		hasPython: false,
+		hasNode: false,
+		hasComplexSyntax: false,
+		hasProcessSubstitution: false,
+		hasScriptHint: false
+	};
+	const hasInterpreterInvocationInSegment = (rawSegment) => isInterpreterExecutable(resolveLeadingShellSegmentExecutable(rawSegment));
+	const isScriptExecutingInterpreterCommand = (rawCommand) => {
+		const argv = splitShellArgs(rawCommand.trim());
+		if (!argv || argv.length === 0) return false;
+		const withoutLeadingKeyword = /^(?:if|then|do|elif|else|while|until|time)$/i.test(argv[0] ?? "") ? argv.slice(1) : argv;
+		if (withoutLeadingKeyword.length === 0) return false;
+		const normalizedArgv = stripPreflightEnvPrefix(withoutLeadingKeyword);
+		let commandIdx = 0;
+		while (commandIdx < normalizedArgv.length && /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(normalizedArgv[commandIdx] ?? "")) commandIdx += 1;
+		const executable = normalizeOptionalLowercaseString(normalizedArgv[commandIdx]);
+		if (!executable) return false;
+		const args = normalizedArgv.slice(commandIdx + 1);
+		if (/^python(?:3(?:\.\d+)?)?$/i.test(executable)) {
+			const pythonInfoOnlyFlags = new Set([
+				"-V",
+				"--version",
+				"-h",
+				"--help"
+			]);
+			if (args.some((arg) => pythonInfoOnlyFlags.has(arg))) return false;
+			if (args.some((arg) => arg === "-c" || arg === "-m" || arg.startsWith("-c") || arg.startsWith("-m") || arg === "--check-hash-based-pycs")) return false;
+			return true;
+		}
+		if (executable === "node") {
+			const nodeInfoOnlyFlags = new Set([
+				"-v",
+				"--version",
+				"-h",
+				"--help",
+				"-c",
+				"--check"
+			]);
+			if (args.some((arg) => nodeInfoOnlyFlags.has(arg))) return false;
+			if (args.some((arg) => arg === "-e" || arg === "-p" || arg === "--eval" || arg === "--print" || arg.startsWith("--eval=") || arg.startsWith("--print=") || (arg.startsWith("-e") || arg.startsWith("-p")) && arg.length > 2)) return false;
+			return true;
+		}
+		return false;
+	};
+	const hasScriptHintInSegment = (segment) => extractInterpreterScriptPathsFromSegment(segment).length > 0 || hasUnquotedScriptHint(segment);
+	const hasInterpreterAndScriptHintInSameSegment = (rawText) => {
+		return splitShellSegmentsOutsideQuotes(rawText, { splitPipes: true }).some((segment) => {
+			if (!isScriptExecutingInterpreterCommand(segment)) return false;
+			return hasScriptHintInSegment(segment);
+		});
+	};
+	const hasInterpreterPipelineScriptHintInSameSegment = (rawText) => {
+		return splitShellSegmentsOutsideQuotes(rawText, { splitPipes: false }).some((segment) => {
+			if (!splitShellSegmentsOutsideQuotes(segment, { splitPipes: true }).slice(1).some((pipelineCommand) => isScriptExecutingInterpreterCommand(pipelineCommand))) return false;
+			return hasScriptHintInSegment(segment);
+		});
+	};
+	const hasInterpreterSegmentScriptHint = hasInterpreterAndScriptHintInSameSegment(raw) || shellWrappedPayload !== null && hasInterpreterAndScriptHintInSameSegment(shellWrappedPayload);
+	const hasInterpreterPipelineScriptHint = hasInterpreterPipelineScriptHintInSameSegment(raw) || shellWrappedPayload !== null && hasInterpreterPipelineScriptHintInSameSegment(shellWrappedPayload);
+	const hasShellWrappedInterpreterSegmentScriptHint = shellWrappedPayload !== null && hasInterpreterAndScriptHintInSameSegment(shellWrappedPayload);
+	const hasShellWrappedInterpreterInvocation = (nested.hasPython || nested.hasNode) && (hasShellWrappedInterpreterSegmentScriptHint || nested.hasScriptHint || nested.hasComplexSyntax || nested.hasProcessSubstitution);
+	const hasTopLevelInterpreterInvocation = splitShellSegmentsOutsideQuotes(raw, { splitPipes: true }).some((segment) => hasInterpreterInvocationInSegment(segment));
+	return {
+		hasInterpreterInvocation: isDirectInterpreterCommand || hasShellWrappedInterpreterInvocation || hasTopLevelInterpreterInvocation,
+		hasComplexSyntax: topLevel.hasComplexSyntax || hasShellWrappedInterpreterInvocation,
+		hasProcessSubstitution: topLevel.hasProcessSubstitution || nested.hasProcessSubstitution,
+		hasInterpreterSegmentScriptHint,
+		hasInterpreterPipelineScriptHint,
+		isDirectInterpreterCommand
+	};
+}
+async function validateScriptFileForShellBleed(params) {
+	const target = extractScriptTargetFromCommand(params.command);
+	if (!target) {
+		const { hasInterpreterInvocation, hasComplexSyntax, hasProcessSubstitution, hasInterpreterSegmentScriptHint, hasInterpreterPipelineScriptHint, isDirectInterpreterCommand } = shouldFailClosedInterpreterPreflight(params.command);
+		if (hasInterpreterInvocation && hasComplexSyntax && (hasInterpreterSegmentScriptHint || hasInterpreterPipelineScriptHint || hasProcessSubstitution && isDirectInterpreterCommand)) throw new Error("exec preflight: complex interpreter invocation detected; refusing to run without script preflight validation. Use a direct `python <file>.py` or `node <file>.js` command.");
+		return;
+	}
+	const { SafeOpenError, readFileWithinRoot } = await loadFsSafeModule();
+	for (const relOrAbsPath of target.relOrAbsPaths) {
+		const absPath = path.isAbsolute(relOrAbsPath) ? path.resolve(relOrAbsPath) : path.resolve(params.workdir, relOrAbsPath);
+		const relativePath = resolvePreflightRelativePath({
+			rootDir: params.workdir,
+			absPath
+		});
+		if (!relativePath) continue;
+		let content;
+		try {
+			content = (await readFileWithinRoot({
+				rootDir: params.workdir,
+				relativePath,
+				nonBlockingRead: true,
+				allowSymlinkTargetWithinRoot: true,
+				maxBytes: 512 * 1024
+			})).buffer.toString("utf-8");
+		} catch (error) {
+			if (shouldSkipScriptPreflightPathError(error, SafeOpenError)) continue;
+			throw error;
+		}
+		const first = /\$[A-Z_][A-Z0-9_]{1,}/g.exec(content);
+		if (first) {
+			const idx = first.index;
+			const line = content.slice(0, idx).split("\n").length;
+			const token = first[0];
+			throw new Error([
+				`exec preflight: detected likely shell variable injection (${token}) in ${target.kind} script: ${path.basename(absPath)}:${line}.`,
+				target.kind === "python" ? `In Python, use os.environ.get(${JSON.stringify(token.slice(1))}) instead of raw ${token}.` : `In Node.js, use process.env[${JSON.stringify(token.slice(1))}] instead of raw ${token}.`,
+				"(If this is inside a string literal on purpose, escape it or restructure the code.)"
+			].join("\n"));
+		}
+		if (target.kind === "node") {
+			const firstNonEmpty = content.split(/\r?\n/).map((l) => l.trim()).find((l) => l.length > 0);
+			if (firstNonEmpty && /^NODE\b/.test(firstNonEmpty)) throw new Error(`exec preflight: JS file starts with shell syntax (${firstNonEmpty}). This looks like a shell command, not JavaScript.`);
+		}
+	}
+}
+function shouldSkipExecScriptPreflight(params) {
+	return params.host === "gateway" && params.security === "full" && params.ask === "off";
+}
+function parseExecApprovalShellCommand(raw) {
+	const match = raw.trimStart().match(/^\/approve(?:@[^\s]+)?\s+([A-Za-z0-9][A-Za-z0-9._:-]*)\s+(allow-once|allow-always|always|deny)\b/i);
+	if (!match) return null;
+	return {
+		approvalId: match[1],
+		decision: normalizeLowercaseStringOrEmpty(match[2]) === "always" ? "allow-always" : normalizeLowercaseStringOrEmpty(match[2])
+	};
+}
+function rejectExecApprovalShellCommand(command) {
+	const isEnvAssignmentToken = (token) => /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(token);
+	const shellWrappers = new Set([
+		"bash",
+		"dash",
+		"fish",
+		"ksh",
+		"sh",
+		"zsh"
+	]);
+	const commandStandaloneOptions = new Set([
+		"-p",
+		"-v",
+		"-V"
+	]);
+	const envOptionsWithValues = new Set([
+		"-C",
+		"-S",
+		"-u",
+		"--argv0",
+		"--block-signal",
+		"--chdir",
+		"--default-signal",
+		"--ignore-signal",
+		"--split-string",
+		"--unset"
+	]);
+	const execOptionsWithValues = new Set(["-a"]);
+	const execStandaloneOptions = new Set(["-c", "-l"]);
+	const sudoOptionsWithValues = new Set([
+		"-C",
+		"-D",
+		"-g",
+		"-p",
+		"-R",
+		"-T",
+		"-U",
+		"-u",
+		"--chdir",
+		"--close-from",
+		"--group",
+		"--host",
+		"--other-user",
+		"--prompt",
+		"--role",
+		"--type",
+		"--user"
+	]);
+	const sudoStandaloneOptions = new Set([
+		"-A",
+		"-E",
+		"--askpass",
+		"--preserve-env"
+	]);
+	const extractEnvSplitStringPayload = (argv) => {
+		const remaining = [...argv];
+		while (remaining[0] && isEnvAssignmentToken(remaining[0])) remaining.shift();
+		if (remaining[0] !== "env") return [];
+		remaining.shift();
+		const payloads = [];
+		while (remaining.length > 0) {
+			while (remaining[0] && isEnvAssignmentToken(remaining[0])) remaining.shift();
+			const token = remaining[0];
+			if (!token) break;
+			if (token === "--") {
+				remaining.shift();
+				continue;
+			}
+			if (!token.startsWith("-") || token === "-") break;
+			const option = remaining.shift();
+			const normalized = option.split("=", 1)[0];
+			if (normalized === "-S" || normalized === "--split-string") {
+				const value = option.includes("=") ? option.slice(option.indexOf("=") + 1) : remaining.shift();
+				if (value?.trim()) payloads.push(value);
+				continue;
+			}
+			if (envOptionsWithValues.has(normalized) && !option.includes("=") && remaining[0]) remaining.shift();
+		}
+		return payloads;
+	};
+	const stripApprovalCommandPrefixes = (argv) => {
+		const remaining = [...argv];
+		while (remaining.length > 0) {
+			while (remaining[0] && isEnvAssignmentToken(remaining[0])) remaining.shift();
+			const token = remaining[0];
+			if (!token) break;
+			if (token === "--") {
+				remaining.shift();
+				continue;
+			}
+			if (token === "env") {
+				remaining.shift();
+				while (remaining.length > 0) {
+					while (remaining[0] && isEnvAssignmentToken(remaining[0])) remaining.shift();
+					const envToken = remaining[0];
+					if (!envToken) break;
+					if (envToken === "--") {
+						remaining.shift();
+						continue;
+					}
+					if (!envToken.startsWith("-") || envToken === "-") break;
+					const option = remaining.shift();
+					const normalized = option.split("=", 1)[0];
+					if (envOptionsWithValues.has(normalized) && !option.includes("=") && remaining[0]) remaining.shift();
+				}
+				continue;
+			}
+			if (token === "command" || token === "builtin") {
+				remaining.shift();
+				while (remaining[0]?.startsWith("-")) {
+					const option = remaining.shift();
+					if (option === "--") break;
+					if (!commandStandaloneOptions.has(option.split("=", 1)[0])) continue;
+				}
+				continue;
+			}
+			if (token === "exec") {
+				remaining.shift();
+				while (remaining[0]?.startsWith("-")) {
+					const option = remaining.shift();
+					if (option === "--") break;
+					const normalized = option.split("=", 1)[0];
+					if (execStandaloneOptions.has(normalized)) continue;
+					if (execOptionsWithValues.has(normalized) && !option.includes("=") && remaining[0]) remaining.shift();
+				}
+				continue;
+			}
+			if (token === "sudo") {
+				remaining.shift();
+				while (remaining[0]?.startsWith("-")) {
+					const option = remaining.shift();
+					if (option === "--") break;
+					const normalized = option.split("=", 1)[0];
+					if (sudoStandaloneOptions.has(normalized)) continue;
+					if (sudoOptionsWithValues.has(normalized) && !option.includes("=") && remaining[0]) remaining.shift();
+				}
+				continue;
+			}
+			break;
+		}
+		return remaining;
+	};
+	const extractShellWrapperPayload = (argv) => {
+		const [commandName, ...rest] = argv;
+		if (!commandName || !shellWrappers.has(path.basename(commandName))) return [];
+		for (let i = 0; i < rest.length; i += 1) {
+			const token = rest[i];
+			if (!token) continue;
+			if (token === "-c" || token === "-lc" || token === "-ic" || token === "-xc") return rest[i + 1] ? [rest[i + 1]] : [];
+			if (/^-[^-]*c[^-]*$/u.test(token)) return rest[i + 1] ? [rest[i + 1]] : [];
+		}
+		return [];
+	};
+	const buildCandidates = (argv) => {
+		const envSplitCandidates = extractEnvSplitStringPayload(argv).flatMap((payload) => {
+			const innerArgv = splitShellArgs(payload);
+			return innerArgv ? buildCandidates(innerArgv) : [payload];
+		});
+		const stripped = stripApprovalCommandPrefixes(argv);
+		const shellWrapperCandidates = extractShellWrapperPayload(stripped).flatMap((payload) => {
+			const innerArgv = splitShellArgs(payload);
+			return innerArgv ? buildCandidates(innerArgv) : [payload];
+		});
+		return [
+			...stripped.length > 0 ? [stripped.join(" ")] : [],
+			...envSplitCandidates,
+			...shellWrapperCandidates
+		];
+	};
+	const rawCommand = command.trim();
+	const analysis = analyzeShellCommand({ command: rawCommand });
+	const candidates = analysis.ok ? analysis.segments.flatMap((segment) => buildCandidates(segment.argv)) : rawCommand.split(/\r?\n/).map((line) => line.trim()).filter(Boolean).flatMap((line) => {
+		const argv = splitShellArgs(line);
+		return argv ? buildCandidates(argv) : [line];
+	});
+	for (const candidate of candidates) {
+		if (!parseExecApprovalShellCommand(candidate)) continue;
+		throw new Error(["exec cannot run /approve commands.", "Show the /approve command to the user as chat text, or route it through the approval command handler instead of shell execution."].join(" "));
+	}
+}
+function createExecTool(defaults) {
+	const defaultBackgroundMs = clampWithDefault(defaults?.backgroundMs ?? readEnvInt("PI_BASH_YIELD_MS"), 1e4, 10, 12e4);
+	const allowBackground = defaults?.allowBackground ?? true;
+	const defaultTimeoutSec = typeof defaults?.timeoutSec === "number" && defaults.timeoutSec > 0 ? defaults.timeoutSec : 1800;
+	const defaultPathPrepend = normalizePathPrepend(defaults?.pathPrepend);
+	const { safeBins, safeBinProfiles, trustedSafeBinDirs, unprofiledSafeBins, unprofiledInterpreterSafeBins } = resolveExecSafeBinRuntimePolicy({
+		local: {
+			safeBins: defaults?.safeBins,
+			safeBinTrustedDirs: defaults?.safeBinTrustedDirs,
+			safeBinProfiles: defaults?.safeBinProfiles
+		},
+		onWarning: (message) => {
+			logInfo(message);
+		}
+	});
+	if (unprofiledSafeBins.length > 0) logInfo(`exec: ignoring unprofiled safeBins entries (${unprofiledSafeBins.toSorted().join(", ")}); use allowlist or define tools.exec.safeBinProfiles.<bin>`);
+	if (unprofiledInterpreterSafeBins.length > 0) logInfo(`exec: interpreter/runtime binaries in safeBins (${unprofiledInterpreterSafeBins.join(", ")}) are unsafe without explicit hardened profiles; prefer allowlist entries`);
+	const notifyOnExit = defaults?.notifyOnExit !== false;
+	const notifyOnExitEmptySuccess = defaults?.notifyOnExitEmptySuccess === true;
+	const notifySessionKey = normalizeOptionalString(defaults?.sessionKey);
+	const notifyDeliveryContext = normalizeDeliveryContext({
+		channel: defaults?.messageProvider,
+		to: defaults?.currentChannelId,
+		accountId: defaults?.accountId,
+		threadId: defaults?.currentThreadTs
+	});
+	const approvalRunningNoticeMs = resolveApprovalRunningNoticeMs(defaults?.approvalRunningNoticeMs);
+	const parsedAgentSession = parseAgentSessionKey(defaults?.sessionKey);
+	const agentId = defaults?.agentId ?? (parsedAgentSession ? resolveAgentIdFromSessionKey(defaults?.sessionKey) : void 0);
+	return {
+		name: "exec",
+		label: "exec",
+		displaySummary: EXEC_TOOL_DISPLAY_SUMMARY,
+		get description() {
+			return describeExecTool({
+				agentId,
+				hasCronTool: defaults?.hasCronTool === true
+			});
+		},
+		parameters: execSchema,
+		execute: async (_toolCallId, args, signal, onUpdate) => {
+			const params = args;
+			if (!params.command) throw new Error("Provide a command to start.");
+			const maxOutput = DEFAULT_MAX_OUTPUT;
+			const pendingMaxOutput = DEFAULT_PENDING_MAX_OUTPUT;
+			const warnings = [];
+			let execCommandOverride;
+			const backgroundRequested = params.background === true;
+			const yieldRequested = typeof params.yieldMs === "number";
+			if (!allowBackground && (backgroundRequested || yieldRequested)) warnings.push("Warning: background execution is disabled; running synchronously.");
+			const yieldWindow = allowBackground ? backgroundRequested ? 0 : clampWithDefault(params.yieldMs ?? defaultBackgroundMs, defaultBackgroundMs, 10, 12e4) : null;
+			const elevatedDefaults = defaults?.elevated;
+			const elevatedAllowed = Boolean(elevatedDefaults?.enabled && elevatedDefaults.allowed);
+			const elevatedDefaultMode = elevatedDefaults?.defaultLevel === "full" ? "full" : elevatedDefaults?.defaultLevel === "ask" ? "ask" : elevatedDefaults?.defaultLevel === "on" ? "ask" : "off";
+			const effectiveDefaultMode = elevatedAllowed ? elevatedDefaultMode : "off";
+			const elevatedMode = typeof params.elevated === "boolean" ? params.elevated ? elevatedDefaultMode === "full" ? "full" : "ask" : "off" : effectiveDefaultMode;
+			const elevatedRequested = elevatedMode !== "off";
+			if (elevatedRequested) {
+				if (!elevatedDefaults?.enabled || !elevatedDefaults.allowed) {
+					const runtime = defaults?.sandbox ? "sandboxed" : "direct";
+					const gates = [];
+					const contextParts = [];
+					const provider = normalizeOptionalString(defaults?.messageProvider);
+					const sessionKey = normalizeOptionalString(defaults?.sessionKey);
+					if (provider) contextParts.push(`provider=${provider}`);
+					if (sessionKey) contextParts.push(`session=${sessionKey}`);
+					if (!elevatedDefaults?.enabled) gates.push("enabled (tools.elevated.enabled / agents.list[].tools.elevated.enabled)");
+					else gates.push("allowFrom (tools.elevated.allowFrom.<provider> / agents.list[].tools.elevated.allowFrom.<provider>)");
+					throw new Error([
+						`elevated is not available right now (runtime=${runtime}).`,
+						`Failing gates: ${gates.join(", ")}`,
+						contextParts.length > 0 ? `Context: ${contextParts.join(" ")}` : void 0,
+						"Fix-it keys:",
+						"- tools.elevated.enabled",
+						"- tools.elevated.allowFrom.<provider>",
+						"- agents.list[].tools.elevated.enabled",
+						"- agents.list[].tools.elevated.allowFrom.<provider>"
+					].filter(Boolean).join("\n"));
+				}
+			}
+			if (elevatedRequested) logInfo(`exec: elevated command ${truncateMiddle(params.command, 120)}`);
+			const target = resolveExecTarget({
+				configuredTarget: defaults?.host,
+				requestedTarget: normalizeExecTarget(params.host),
+				elevatedRequested,
+				sandboxAvailable: Boolean(defaults?.sandbox)
+			});
+			const host = target.effectiveHost;
+			const approvalDefaults = loadExecApprovals().defaults;
+			const configuredSecurity = defaults?.security ?? approvalDefaults?.security ?? (host === "sandbox" ? "deny" : "full");
+			let security = minSecurity(configuredSecurity, normalizeExecSecurity(params.security) ?? configuredSecurity);
+			if (elevatedRequested && elevatedMode === "full") security = "full";
+			const configuredAsk = defaults?.ask ?? approvalDefaults?.ask ?? "off";
+			let ask = maxAsk(configuredAsk, normalizeExecAsk(params.ask) ?? configuredAsk);
+			const bypassApprovals = elevatedRequested && elevatedMode === "full";
+			if (bypassApprovals) ask = "off";
+			const sandbox = host === "sandbox" ? defaults?.sandbox : void 0;
+			if (target.selectedTarget === "sandbox" && !sandbox) throw new Error(["exec host=sandbox requires a sandbox runtime for this session.", "Enable sandbox mode (`agents.defaults.sandbox.mode=\"non-main\"` or `\"all\"`) or use host=auto/gateway/node."].join("\n"));
+			const explicitWorkdir = normalizeOptionalString(params.workdir);
+			const defaultWorkdir = normalizeOptionalString(defaults?.cwd);
+			let workdir;
+			let containerWorkdir = sandbox?.containerWorkdir;
+			if (sandbox) {
+				const resolved = await resolveSandboxWorkdir({
+					workdir: explicitWorkdir ?? defaultWorkdir ?? process.cwd(),
+					sandbox,
+					warnings
+				});
+				workdir = resolved.hostWorkdir;
+				containerWorkdir = resolved.containerWorkdir;
+			} else if (host === "node") workdir = explicitWorkdir;
+			else workdir = resolveWorkdir(explicitWorkdir ?? defaultWorkdir ?? process.cwd(), warnings);
+			rejectExecApprovalShellCommand(params.command);
+			const inheritedBaseEnv = coerceEnv(process.env);
+			const hostEnvResult = host === "sandbox" ? null : sanitizeHostExecEnvWithDiagnostics({
+				baseEnv: inheritedBaseEnv,
+				overrides: params.env,
+				blockPathOverrides: true
+			});
+			if (hostEnvResult && params.env && (hostEnvResult.rejectedOverrideBlockedKeys.length > 0 || hostEnvResult.rejectedOverrideInvalidKeys.length > 0)) {
+				const blockedKeys = hostEnvResult.rejectedOverrideBlockedKeys;
+				const invalidKeys = hostEnvResult.rejectedOverrideInvalidKeys;
+				const pathBlocked = blockedKeys.includes("PATH");
+				if (pathBlocked && blockedKeys.length === 1 && invalidKeys.length === 0) throw new Error("Security Violation: Custom 'PATH' variable is forbidden during host execution.");
+				if (blockedKeys.length === 1 && invalidKeys.length === 0) throw new Error(`Security Violation: Environment variable '${blockedKeys[0]}' is forbidden during host execution.`);
+				const details = [];
+				if (blockedKeys.length > 0) details.push(`blocked override keys: ${blockedKeys.join(", ")}`);
+				if (invalidKeys.length > 0) details.push(`invalid non-portable override keys: ${invalidKeys.join(", ")}`);
+				const suffix = details.join("; ");
+				if (pathBlocked) throw new Error(`Security Violation: Custom 'PATH' variable is forbidden during host execution (${suffix}).`);
+				throw new Error(`Security Violation: ${suffix}.`);
+			}
+			const env = sandbox && host === "sandbox" ? buildSandboxEnv({
+				defaultPath: DEFAULT_PATH,
+				paramsEnv: params.env,
+				sandboxEnv: sandbox.env,
+				containerWorkdir: containerWorkdir ?? sandbox.containerWorkdir
+			}) : hostEnvResult?.env ?? inheritedBaseEnv;
+			if (!sandbox && host === "gateway" && !params.env?.PATH) applyShellPath(env, getShellPathFromLoginShell({
+				env: process.env,
+				timeoutMs: resolveShellEnvFallbackTimeoutMs(process.env)
+			}));
+			if (host === "node" && defaultPathPrepend.length > 0) warnings.push("Warning: tools.exec.pathPrepend is ignored for host=node. Configure PATH on the node host/service instead.");
+			else applyPathPrepend(env, defaultPathPrepend);
+			if (host === "node") return executeNodeHostCommand({
+				command: params.command,
+				workdir,
+				env,
+				requestedEnv: params.env,
+				requestedNode: params.node?.trim(),
+				boundNode: defaults?.node?.trim(),
+				sessionKey: defaults?.sessionKey,
+				turnSourceChannel: defaults?.messageProvider,
+				turnSourceTo: defaults?.currentChannelId,
+				turnSourceAccountId: defaults?.accountId,
+				turnSourceThreadId: defaults?.currentThreadTs,
+				agentId,
+				security,
+				ask,
+				strictInlineEval: defaults?.strictInlineEval,
+				trigger: defaults?.trigger,
+				timeoutSec: params.timeout,
+				defaultTimeoutSec,
+				approvalRunningNoticeMs,
+				warnings,
+				notifySessionKey,
+				notifyOnExit,
+				trustedSafeBinDirs
+			});
+			if (!workdir) throw new Error("exec internal error: local execution requires a resolved workdir");
+			if (host === "gateway" && !bypassApprovals) {
+				const gatewayResult = await processGatewayAllowlist({
+					command: params.command,
+					workdir,
+					env,
+					requestedEnv: params.env,
+					pty: params.pty === true && !sandbox,
+					timeoutSec: params.timeout,
+					defaultTimeoutSec,
+					security,
+					ask,
+					safeBins,
+					safeBinProfiles,
+					strictInlineEval: defaults?.strictInlineEval,
+					trigger: defaults?.trigger,
+					agentId,
+					sessionKey: defaults?.sessionKey,
+					turnSourceChannel: defaults?.messageProvider,
+					turnSourceTo: defaults?.currentChannelId,
+					turnSourceAccountId: defaults?.accountId,
+					turnSourceThreadId: defaults?.currentThreadTs,
+					scopeKey: defaults?.scopeKey,
+					warnings,
+					notifySessionKey,
+					approvalRunningNoticeMs,
+					maxOutput,
+					pendingMaxOutput,
+					trustedSafeBinDirs
+				});
+				if (gatewayResult.pendingResult) return gatewayResult.pendingResult;
+				execCommandOverride = gatewayResult.execCommandOverride;
+				if (gatewayResult.allowWithoutEnforcedCommand) execCommandOverride = void 0;
+			}
+			const explicitTimeoutSec = typeof params.timeout === "number" ? params.timeout : null;
+			const effectiveTimeout = allowBackground && explicitTimeoutSec === null && (backgroundRequested || yieldRequested) ? null : explicitTimeoutSec ?? defaultTimeoutSec;
+			const getWarningText = () => warnings.length ? `${warnings.join("\n")}\n\n` : "";
+			const usePty = params.pty === true && !sandbox;
+			if (!shouldSkipExecScriptPreflight({
+				host,
+				security,
+				ask
+			})) await validateScriptFileForShellBleed({
+				command: params.command,
+				workdir
+			});
+			const run = await runExecProcess({
+				command: params.command,
+				execCommand: execCommandOverride,
+				workdir,
+				env,
+				sandbox,
+				containerWorkdir,
+				usePty,
+				warnings,
+				maxOutput,
+				pendingMaxOutput,
+				notifyOnExit,
+				notifyOnExitEmptySuccess,
+				scopeKey: defaults?.scopeKey,
+				sessionKey: notifySessionKey,
+				notifyDeliveryContext,
+				timeoutSec: effectiveTimeout,
+				onUpdate
+			});
+			let yielded = false;
+			let yieldTimer = null;
+			const onAbortSignal = () => {
+				run.disableUpdates();
+				if (yielded || run.session.backgrounded) return;
+				run.kill();
+			};
+			if (signal?.aborted) onAbortSignal();
+			else if (signal) signal.addEventListener("abort", onAbortSignal, { once: true });
+			return new Promise((resolve, reject) => {
+				const resolveRunning = () => resolve({
+					content: [{
+						type: "text",
+						text: `${getWarningText()}Command still running (session ${run.session.id}, pid ${run.session.pid ?? "n/a"}). Use process (list/poll/log/write/kill/clear/remove) for follow-up.`
+					}],
+					details: {
+						status: "running",
+						sessionId: run.session.id,
+						pid: run.session.pid ?? void 0,
+						startedAt: run.startedAt,
+						cwd: run.session.cwd,
+						tail: run.session.tail
+					}
+				});
+				const onYieldNow = () => {
+					if (yieldTimer) clearTimeout(yieldTimer);
+					if (yielded) return;
+					yielded = true;
+					markBackgrounded(run.session);
+					resolveRunning();
+				};
+				if (allowBackground && yieldWindow !== null) if (yieldWindow === 0) onYieldNow();
+				else yieldTimer = setTimeout(() => {
+					if (yielded) return;
+					yielded = true;
+					markBackgrounded(run.session);
+					resolveRunning();
+				}, yieldWindow);
+				run.promise.then((outcome) => {
+					if (yieldTimer) clearTimeout(yieldTimer);
+					if (yielded || run.session.backgrounded) return;
+					resolve(buildExecForegroundResult({
+						outcome,
+						cwd: run.session.cwd,
+						warningText: getWarningText()
+					}));
+				}).catch((err) => {
+					if (yieldTimer) clearTimeout(yieldTimer);
+					if (yielded || run.session.backgrounded) return;
+					reject(err);
+				});
+			});
+		}
+	};
+}
+const execTool = createExecTool();
+//#endregion
+//#region src/agents/pty-keys.ts
+const ESC = "\x1B";
+const CR = "\r";
+const TAB = "	";
+const BACKSPACE = "";
+const BRACKETED_PASTE_START = `${ESC}[200~`;
+const BRACKETED_PASTE_END = `${ESC}[201~`;
+/** SS3 sequences for DECCKM application cursor key mode (smkx). */
+const DECCKM_SS3_KEYS = {
+	up: `${ESC}OA`,
+	down: `${ESC}OB`,
+	right: `${ESC}OC`,
+	left: `${ESC}OD`,
+	home: `${ESC}OH`,
+	end: `${ESC}OF`
+};
+const namedKeyMap = new Map([
+	["enter", CR],
+	["return", CR],
+	["tab", TAB],
+	["escape", ESC],
+	["esc", ESC],
+	["space", " "],
+	["bspace", BACKSPACE],
+	["backspace", BACKSPACE],
+	["up", `${ESC}[A`],
+	["down", `${ESC}[B`],
+	["right", `${ESC}[C`],
+	["left", `${ESC}[D`],
+	["home", `${ESC}[1~`],
+	["end", `${ESC}[4~`],
+	["pageup", `${ESC}[5~`],
+	["pgup", `${ESC}[5~`],
+	["ppage", `${ESC}[5~`],
+	["pagedown", `${ESC}[6~`],
+	["pgdn", `${ESC}[6~`],
+	["npage", `${ESC}[6~`],
+	["insert", `${ESC}[2~`],
+	["ic", `${ESC}[2~`],
+	["delete", `${ESC}[3~`],
+	["del", `${ESC}[3~`],
+	["dc", `${ESC}[3~`],
+	["btab", `${ESC}[Z`],
+	["f1", `${ESC}OP`],
+	["f2", `${ESC}OQ`],
+	["f3", `${ESC}OR`],
+	["f4", `${ESC}OS`],
+	["f5", `${ESC}[15~`],
+	["f6", `${ESC}[17~`],
+	["f7", `${ESC}[18~`],
+	["f8", `${ESC}[19~`],
+	["f9", `${ESC}[20~`],
+	["f10", `${ESC}[21~`],
+	["f11", `${ESC}[23~`],
+	["f12", `${ESC}[24~`],
+	["kp/", `${ESC}Oo`],
+	["kp*", `${ESC}Oj`],
+	["kp-", `${ESC}Om`],
+	["kp+", `${ESC}Ok`],
+	["kp7", `${ESC}Ow`],
+	["kp8", `${ESC}Ox`],
+	["kp9", `${ESC}Oy`],
+	["kp4", `${ESC}Ot`],
+	["kp5", `${ESC}Ou`],
+	["kp6", `${ESC}Ov`],
+	["kp1", `${ESC}Oq`],
+	["kp2", `${ESC}Or`],
+	["kp3", `${ESC}Os`],
+	["kp0", `${ESC}Op`],
+	["kp.", `${ESC}On`],
+	["kpenter", `${ESC}OM`]
+]);
+const modifiableNamedKeys = new Set([
+	"up",
+	"down",
+	"left",
+	"right",
+	"home",
+	"end",
+	"pageup",
+	"pgup",
+	"ppage",
+	"pagedown",
+	"pgdn",
+	"npage",
+	"insert",
+	"ic",
+	"delete",
+	"del",
+	"dc"
+]);
+function hasCursorModeSensitiveKeys(request) {
+	return request.keys?.some((raw) => {
+		const token = raw.trim();
+		if (!token) return false;
+		const parsed = parseModifiers(token);
+		if (hasAnyModifier(parsed.mods)) return false;
+		return normalizeLowercaseStringOrEmpty(parsed.base) in DECCKM_SS3_KEYS;
+	}) ?? false;
+}
+function encodeKeySequence(request, cursorKeyMode) {
+	const warnings = [];
+	let data = "";
+	if (request.literal) data += request.literal;
+	if (request.hex?.length) for (const raw of request.hex) {
+		const byte = parseHexByte(raw);
+		if (byte === null) {
+			warnings.push(`Invalid hex byte: ${raw}`);
+			continue;
+		}
+		data += String.fromCharCode(byte);
+	}
+	if (request.keys?.length) for (const token of request.keys) data += encodeKeyToken(token, warnings, cursorKeyMode);
+	return {
+		data,
+		warnings
+	};
+}
+function encodePaste(text, bracketed = true) {
+	if (!bracketed) return text;
+	return `${BRACKETED_PASTE_START}${text}${BRACKETED_PASTE_END}`;
+}
+function encodeKeyToken(raw, warnings, cursorKeyMode) {
+	const token = raw.trim();
+	if (!token) return "";
+	if (token.length === 2 && token.startsWith("^")) {
+		const ctrl = toCtrlChar(token[1]);
+		if (ctrl) return ctrl;
+	}
+	const parsed = parseModifiers(token);
+	const base = parsed.base;
+	const baseLower = normalizeLowercaseStringOrEmpty(base);
+	if (baseLower === "tab" && parsed.mods.shift) return `${ESC}[Z`;
+	if (modifiableNamedKeys.has(baseLower) && cursorKeyMode === "application" && !hasAnyModifier(parsed.mods)) {
+		const ss3Seq = DECCKM_SS3_KEYS[baseLower];
+		if (ss3Seq) return ss3Seq;
+	}
+	const baseSeq = namedKeyMap.get(baseLower);
+	if (baseSeq) {
+		let seq = baseSeq;
+		if (modifiableNamedKeys.has(baseLower) && hasAnyModifier(parsed.mods)) {
+			const mod = xtermModifier(parsed.mods);
+			if (mod > 1) {
+				const modified = applyXtermModifier(seq, mod);
+				if (modified) {
+					seq = modified;
+					return seq;
+				}
+			}
+		}
+		if (parsed.mods.alt) return `${ESC}${seq}`;
+		return seq;
+	}
+	if (base.length === 1) return applyCharModifiers(base, parsed.mods);
+	if (parsed.hasModifiers) warnings.push(`Unknown key "${base}" for modifiers; sending literal.`);
+	return base;
+}
+function parseModifiers(token) {
+	const mods = {
+		ctrl: false,
+		alt: false,
+		shift: false
+	};
+	let rest = token;
+	let sawModifiers = false;
+	while (rest.length > 2 && rest[1] === "-") {
+		const mod = normalizeLowercaseStringOrEmpty(rest[0]);
+		if (mod === "c") mods.ctrl = true;
+		else if (mod === "m") mods.alt = true;
+		else if (mod === "s") mods.shift = true;
+		else break;
+		sawModifiers = true;
+		rest = rest.slice(2);
+	}
+	return {
+		mods,
+		base: rest,
+		hasModifiers: sawModifiers
+	};
+}
+function applyCharModifiers(char, mods) {
+	let value = char;
+	if (mods.shift && value.length === 1 && /[a-z]/.test(value)) value = value.toUpperCase();
+	if (mods.ctrl) {
+		const ctrl = toCtrlChar(value);
+		if (ctrl) value = ctrl;
+	}
+	if (mods.alt) value = `${ESC}${value}`;
+	return value;
+}
+function toCtrlChar(char) {
+	if (char.length !== 1) return null;
+	if (char === "?") return "";
+	const code = char.toUpperCase().charCodeAt(0);
+	if (code >= 64 && code <= 95) return String.fromCharCode(code & 31);
+	return null;
+}
+function xtermModifier(mods) {
+	let mod = 1;
+	if (mods.shift) mod += 1;
+	if (mods.alt) mod += 2;
+	if (mods.ctrl) mod += 4;
+	return mod;
+}
+function applyXtermModifier(sequence, modifier) {
+	const escPattern = escapeRegExp(ESC);
+	const csiNumber = new RegExp(`^${escPattern}\\[(\\d+)([~A-Z])$`);
+	const csiArrow = new RegExp(`^${escPattern}\\[(A|B|C|D|H|F)$`);
+	const numberMatch = sequence.match(csiNumber);
+	if (numberMatch) return `${ESC}[${numberMatch[1]};${modifier}${numberMatch[2]}`;
+	const arrowMatch = sequence.match(csiArrow);
+	if (arrowMatch) return `${ESC}[1;${modifier}${arrowMatch[1]}`;
+	return null;
+}
+function hasAnyModifier(mods) {
+	return mods.ctrl || mods.alt || mods.shift;
+}
+function parseHexByte(raw) {
+	const lower = normalizeLowercaseStringOrEmpty(raw);
+	const normalized = lower.startsWith("0x") ? lower.slice(2) : lower;
+	if (!/^[0-9a-f]{1,2}$/.test(normalized)) return null;
+	const value = Number.parseInt(normalized, 16);
+	if (Number.isNaN(value) || value < 0 || value > 255) return null;
+	return value;
+}
+//#endregion
+//#region src/agents/bash-tools.process-send-keys.ts
+function failText$1(text) {
+	return {
+		content: [{
+			type: "text",
+			text
+		}],
+		details: { status: "failed" }
+	};
+}
+async function writeToStdin(stdin, data) {
+	await new Promise((resolve, reject) => {
+		stdin.write(data, (err) => {
+			if (err) reject(err);
+			else resolve();
+		});
+	});
+}
+async function handleProcessSendKeys(params) {
+	const request = {
+		keys: params.keys,
+		hex: params.hex,
+		literal: params.literal
+	};
+	if (params.session.cursorKeyMode === "unknown" && hasCursorModeSensitiveKeys(request)) return failText$1(`Session ${params.sessionId} cursor key mode is not known yet. Poll or log until startup output appears, then retry send-keys.`);
+	const { data, warnings } = encodeKeySequence(request, params.session.cursorKeyMode === "unknown" ? void 0 : params.session.cursorKeyMode);
+	if (!data) return failText$1("No key data provided.");
+	await writeToStdin(params.stdin, data);
+	return {
+		content: [{
+			type: "text",
+			text: `Sent ${data.length} bytes to session ${params.sessionId}.` + (warnings.length ? `\nWarnings:\n- ${warnings.join("\n- ")}` : "")
+		}],
+		details: {
+			status: "running",
+			sessionId: params.sessionId,
+			name: deriveSessionName(params.session.command)
+		}
+	};
+}
+//#endregion
+//#region src/agents/bash-tools.process.ts
+const DEFAULT_LOG_TAIL_LINES = 200;
+function resolveLogSliceWindow(offset, limit) {
+	const usingDefaultTail = offset === void 0 && limit === void 0;
+	return {
+		effectiveOffset: offset,
+		effectiveLimit: typeof limit === "number" && Number.isFinite(limit) ? limit : usingDefaultTail ? DEFAULT_LOG_TAIL_LINES : void 0,
+		usingDefaultTail
+	};
+}
+function defaultTailNote(totalLines, usingDefaultTail) {
+	if (!usingDefaultTail || totalLines <= DEFAULT_LOG_TAIL_LINES) return "";
+	return `\n\n[showing last ${DEFAULT_LOG_TAIL_LINES} of ${totalLines} lines; pass offset/limit to page]`;
+}
+const MAX_POLL_WAIT_MS = 12e4;
+function resolvePollWaitMs(value) {
+	if (typeof value === "number" && Number.isFinite(value)) return Math.max(0, Math.min(MAX_POLL_WAIT_MS, Math.floor(value)));
+	if (typeof value === "string") {
+		const parsed = Number.parseInt(value.trim(), 10);
+		if (Number.isFinite(parsed)) return Math.max(0, Math.min(MAX_POLL_WAIT_MS, parsed));
+	}
+	return 0;
+}
+function failText(text) {
+	return {
+		content: [{
+			type: "text",
+			text
+		}],
+		details: { status: "failed" }
+	};
+}
+function recordPollRetrySuggestion(sessionId, hasNewOutput) {
+	try {
+		return recordCommandPoll(getDiagnosticSessionState({ sessionId }), sessionId, hasNewOutput);
+	} catch {
+		return;
+	}
+}
+function resetPollRetrySuggestion(sessionId) {
+	try {
+		resetCommandPollCount(getDiagnosticSessionState({ sessionId }), sessionId);
+	} catch {}
+}
+function createProcessTool(defaults) {
+	if (defaults?.cleanupMs !== void 0) setJobTtlMs(defaults.cleanupMs);
+	const scopeKey = defaults?.scopeKey;
+	const supervisor = getProcessSupervisor();
+	const isInScope = (session) => !scopeKey || session?.scopeKey === scopeKey;
+	const cancelManagedSession = (sessionId) => {
+		const record = supervisor.getRecord(sessionId);
+		if (!record || record.state === "exited") return false;
+		supervisor.cancel(sessionId, "manual-cancel");
+		return true;
+	};
+	const terminateSessionFallback = (session) => {
+		const pid = session.pid ?? session.child?.pid;
+		if (typeof pid !== "number" || !Number.isFinite(pid) || pid <= 0) return false;
+		killProcessTree(pid);
+		return true;
+	};
+	return {
+		name: "process",
+		label: "process",
+		displaySummary: PROCESS_TOOL_DISPLAY_SUMMARY,
+		description: describeProcessTool({ hasCronTool: defaults?.hasCronTool === true }),
+		parameters: processSchema,
+		execute: async (_toolCallId, args, _signal, _onUpdate) => {
+			const params = args;
+			if (params.action === "list") {
+				const running = listRunningSessions().filter((s) => isInScope(s)).map((s) => ({
+					sessionId: s.id,
+					status: "running",
+					pid: s.pid ?? void 0,
+					startedAt: s.startedAt,
+					runtimeMs: Date.now() - s.startedAt,
+					cwd: s.cwd,
+					command: s.command,
+					name: deriveSessionName(s.command),
+					tail: s.tail,
+					truncated: s.truncated
+				}));
+				const finished = listFinishedSessions().filter((s) => isInScope(s)).map((s) => ({
+					sessionId: s.id,
+					status: s.status,
+					startedAt: s.startedAt,
+					endedAt: s.endedAt,
+					runtimeMs: s.endedAt - s.startedAt,
+					cwd: s.cwd,
+					command: s.command,
+					name: deriveSessionName(s.command),
+					tail: s.tail,
+					truncated: s.truncated,
+					exitCode: s.exitCode ?? void 0,
+					exitSignal: s.exitSignal ?? void 0
+				}));
+				return {
+					content: [{
+						type: "text",
+						text: [...running, ...finished].toSorted((a, b) => b.startedAt - a.startedAt).map((s) => {
+							const label = s.name ? truncateMiddle(s.name, 80) : truncateMiddle(s.command, 120);
+							return `${s.sessionId} ${pad(s.status, 9)} ${formatDurationCompact(s.runtimeMs) ?? "n/a"} :: ${label}`;
+						}).join("\n") || "No running or recent sessions."
+					}],
+					details: {
+						status: "completed",
+						sessions: [...running, ...finished]
+					}
+				};
+			}
+			if (!params.sessionId) return {
+				content: [{
+					type: "text",
+					text: "sessionId is required for this action."
+				}],
+				details: { status: "failed" }
+			};
+			const session = getSession(params.sessionId);
+			const finished = getFinishedSession(params.sessionId);
+			const scopedSession = isInScope(session) ? session : void 0;
+			const scopedFinished = isInScope(finished) ? finished : void 0;
+			const failedResult = (text) => ({
+				content: [{
+					type: "text",
+					text
+				}],
+				details: { status: "failed" }
+			});
+			const resolveBackgroundedWritableStdin = () => {
+				if (!scopedSession) return {
+					ok: false,
+					result: failedResult(`No active session found for ${params.sessionId}`)
+				};
+				if (!scopedSession.backgrounded) return {
+					ok: false,
+					result: failedResult(`Session ${params.sessionId} is not backgrounded.`)
+				};
+				const stdin = scopedSession.stdin ?? scopedSession.child?.stdin;
+				if (!stdin || stdin.destroyed) return {
+					ok: false,
+					result: failedResult(`Session ${params.sessionId} stdin is not writable.`)
+				};
+				return {
+					ok: true,
+					session: scopedSession,
+					stdin
+				};
+			};
+			const writeToStdin = async (stdin, data) => {
+				await new Promise((resolve, reject) => {
+					stdin.write(data, (err) => {
+						if (err) reject(err);
+						else resolve();
+					});
+				});
+			};
+			const runningSessionResult = (session, text) => ({
+				content: [{
+					type: "text",
+					text
+				}],
+				details: {
+					status: "running",
+					sessionId: params.sessionId,
+					name: deriveSessionName(session.command)
+				}
+			});
+			switch (params.action) {
+				case "poll": {
+					if (!scopedSession) {
+						if (scopedFinished) {
+							resetPollRetrySuggestion(params.sessionId);
+							return {
+								content: [{
+									type: "text",
+									text: (scopedFinished.tail || `(no output recorded${scopedFinished.truncated ? " — truncated to cap" : ""})`) + `\n\nProcess exited with ${scopedFinished.exitSignal ? `signal ${scopedFinished.exitSignal}` : `code ${scopedFinished.exitCode ?? 0}`}.`
+								}],
+								details: {
+									status: scopedFinished.status === "completed" ? "completed" : "failed",
+									sessionId: params.sessionId,
+									exitCode: scopedFinished.exitCode ?? void 0,
+									aggregated: scopedFinished.aggregated,
+									name: deriveSessionName(scopedFinished.command)
+								}
+							};
+						}
+						resetPollRetrySuggestion(params.sessionId);
+						return failText(`No session found for ${params.sessionId}`);
+					}
+					if (!scopedSession.backgrounded) return failText(`Session ${params.sessionId} is not backgrounded.`);
+					const pollWaitMs = resolvePollWaitMs(params.timeout);
+					if (pollWaitMs > 0 && !scopedSession.exited) {
+						const deadline = Date.now() + pollWaitMs;
+						while (!scopedSession.exited && Date.now() < deadline) await new Promise((resolve) => setTimeout(resolve, Math.max(0, Math.min(250, deadline - Date.now()))));
+					}
+					const { stdout, stderr } = drainSession(scopedSession);
+					const exited = scopedSession.exited;
+					const exitCode = scopedSession.exitCode ?? 0;
+					const exitSignal = scopedSession.exitSignal ?? void 0;
+					if (exited) {
+						const status = exitCode === 0 && exitSignal == null ? "completed" : "failed";
+						markExited(scopedSession, scopedSession.exitCode ?? null, scopedSession.exitSignal ?? null, status);
+					}
+					const status = exited ? exitCode === 0 && exitSignal == null ? "completed" : "failed" : "running";
+					const output = [stdout.trimEnd(), stderr.trimEnd()].filter(Boolean).join("\n").trim();
+					const hasNewOutput = output.length > 0;
+					const retryInMs = exited ? void 0 : recordPollRetrySuggestion(params.sessionId, hasNewOutput);
+					if (exited) resetPollRetrySuggestion(params.sessionId);
+					return {
+						content: [{
+							type: "text",
+							text: (output || "(no new output)") + (exited ? `\n\nProcess exited with ${exitSignal ? `signal ${exitSignal}` : `code ${exitCode}`}.` : "\n\nProcess still running.")
+						}],
+						details: {
+							status,
+							sessionId: params.sessionId,
+							exitCode: exited ? exitCode : void 0,
+							aggregated: scopedSession.aggregated,
+							name: deriveSessionName(scopedSession.command),
+							...typeof retryInMs === "number" ? { retryInMs } : {}
+						}
+					};
+				}
+				case "log":
+					if (scopedSession) {
+						if (!scopedSession.backgrounded) return {
+							content: [{
+								type: "text",
+								text: `Session ${params.sessionId} is not backgrounded.`
+							}],
+							details: { status: "failed" }
+						};
+						const window = resolveLogSliceWindow(params.offset, params.limit);
+						const { slice, totalLines, totalChars } = sliceLogLines(scopedSession.aggregated, window.effectiveOffset, window.effectiveLimit);
+						const logDefaultTailNote = defaultTailNote(totalLines, window.usingDefaultTail);
+						return {
+							content: [{
+								type: "text",
+								text: (slice || "(no output yet)") + logDefaultTailNote
+							}],
+							details: {
+								status: scopedSession.exited ? "completed" : "running",
+								sessionId: params.sessionId,
+								total: totalLines,
+								totalLines,
+								totalChars,
+								truncated: scopedSession.truncated,
+								name: deriveSessionName(scopedSession.command)
+							}
+						};
+					}
+					if (scopedFinished) {
+						const window = resolveLogSliceWindow(params.offset, params.limit);
+						const { slice, totalLines, totalChars } = sliceLogLines(scopedFinished.aggregated, window.effectiveOffset, window.effectiveLimit);
+						const status = scopedFinished.status === "completed" ? "completed" : "failed";
+						const logDefaultTailNote = defaultTailNote(totalLines, window.usingDefaultTail);
+						return {
+							content: [{
+								type: "text",
+								text: (slice || "(no output recorded)") + logDefaultTailNote
+							}],
+							details: {
+								status,
+								sessionId: params.sessionId,
+								total: totalLines,
+								totalLines,
+								totalChars,
+								truncated: scopedFinished.truncated,
+								exitCode: scopedFinished.exitCode ?? void 0,
+								exitSignal: scopedFinished.exitSignal ?? void 0,
+								name: deriveSessionName(scopedFinished.command)
+							}
+						};
+					}
+					return {
+						content: [{
+							type: "text",
+							text: `No session found for ${params.sessionId}`
+						}],
+						details: { status: "failed" }
+					};
+				case "write": {
+					const resolved = resolveBackgroundedWritableStdin();
+					if (!resolved.ok) return resolved.result;
+					await writeToStdin(resolved.stdin, params.data ?? "");
+					if (params.eof) resolved.stdin.end();
+					return runningSessionResult(resolved.session, `Wrote ${(params.data ?? "").length} bytes to session ${params.sessionId}${params.eof ? " (stdin closed)" : ""}.`);
+				}
+				case "send-keys": {
+					const resolved = resolveBackgroundedWritableStdin();
+					if (!resolved.ok) return resolved.result;
+					return await handleProcessSendKeys({
+						sessionId: params.sessionId,
+						session: resolved.session,
+						stdin: resolved.stdin,
+						keys: params.keys,
+						hex: params.hex,
+						literal: params.literal
+					});
+				}
+				case "submit": {
+					const resolved = resolveBackgroundedWritableStdin();
+					if (!resolved.ok) return resolved.result;
+					await writeToStdin(resolved.stdin, "\r");
+					return runningSessionResult(resolved.session, `Submitted session ${params.sessionId} (sent CR).`);
+				}
+				case "paste": {
+					const resolved = resolveBackgroundedWritableStdin();
+					if (!resolved.ok) return resolved.result;
+					const payload = encodePaste(params.text ?? "", params.bracketed !== false);
+					if (!payload) return {
+						content: [{
+							type: "text",
+							text: "No paste text provided."
+						}],
+						details: { status: "failed" }
+					};
+					await writeToStdin(resolved.stdin, payload);
+					return runningSessionResult(resolved.session, `Pasted ${params.text?.length ?? 0} chars to session ${params.sessionId}.`);
+				}
+				case "kill": {
+					if (!scopedSession) return failText(`No active session found for ${params.sessionId}`);
+					if (!scopedSession.backgrounded) return failText(`Session ${params.sessionId} is not backgrounded.`);
+					const canceled = cancelManagedSession(scopedSession.id);
+					if (!canceled) {
+						if (!terminateSessionFallback(scopedSession)) return failText(`Unable to terminate session ${params.sessionId}: no active supervisor run or process id.`);
+						markExited(scopedSession, null, "SIGKILL", "failed");
+					}
+					resetPollRetrySuggestion(params.sessionId);
+					return {
+						content: [{
+							type: "text",
+							text: canceled ? `Termination requested for session ${params.sessionId}.` : `Killed session ${params.sessionId}.`
+						}],
+						details: {
+							status: "failed",
+							name: scopedSession ? deriveSessionName(scopedSession.command) : void 0
+						}
+					};
+				}
+				case "clear":
+					if (scopedFinished) {
+						resetPollRetrySuggestion(params.sessionId);
+						deleteSession(params.sessionId);
+						return {
+							content: [{
+								type: "text",
+								text: `Cleared session ${params.sessionId}.`
+							}],
+							details: { status: "completed" }
+						};
+					}
+					return {
+						content: [{
+							type: "text",
+							text: `No finished session found for ${params.sessionId}`
+						}],
+						details: { status: "failed" }
+					};
+				case "remove":
+					if (scopedSession) {
+						const canceled = cancelManagedSession(scopedSession.id);
+						if (canceled) {
+							scopedSession.backgrounded = false;
+							deleteSession(params.sessionId);
+						} else {
+							if (!terminateSessionFallback(scopedSession)) return failText(`Unable to remove session ${params.sessionId}: no active supervisor run or process id.`);
+							markExited(scopedSession, null, "SIGKILL", "failed");
+							deleteSession(params.sessionId);
+						}
+						resetPollRetrySuggestion(params.sessionId);
+						return {
+							content: [{
+								type: "text",
+								text: canceled ? `Removed session ${params.sessionId} (termination requested).` : `Removed session ${params.sessionId}.`
+							}],
+							details: {
+								status: "failed",
+								name: scopedSession ? deriveSessionName(scopedSession.command) : void 0
+							}
+						};
+					}
+					if (scopedFinished) {
+						resetPollRetrySuggestion(params.sessionId);
+						deleteSession(params.sessionId);
+						return {
+							content: [{
+								type: "text",
+								text: `Removed session ${params.sessionId}.`
+							}],
+							details: { status: "completed" }
+						};
+					}
+					return {
+						content: [{
+							type: "text",
+							text: `No session found for ${params.sessionId}`
+						}],
+						details: { status: "failed" }
+					};
+			}
+			return {
+				content: [{
+					type: "text",
+					text: `Unknown action ${params.action}`
+				}],
+				details: { status: "failed" }
+			};
+		}
+	};
+}
+const processTool = createProcessTool();
+//#endregion
+export { execTool as i, processTool as n, createExecTool as r, createProcessTool as t };