@posthog/agent 2.3.403 → 2.3.418

package/dist/adapters/claude/permissions/permission-options.js

@@ -1,8 +1,8 @@
 // src/utils/common.ts
 var IS_ROOT = typeof process !== "undefined" && (process.geteuid?.() ?? process.getuid?.()) === 0;
+var ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;
 
 // src/execution-mode.ts
-var ALLOW_BYPASS = !IS_ROOT;
 var availableModes = [
   {
     id: "default",
@@ -149,10 +149,9 @@ function buildPermissionOptions(toolName, toolInput, repoRoot, suggestions) {
   }
   return permissionOptions("Yes, always allow");
 }
-var ALLOW_BYPASS2 = !IS_ROOT || !!process.env.IS_SANDBOX;
 function buildExitPlanModePermissionOptions() {
   const options = [];
-  if (ALLOW_BYPASS2) {
+  if (ALLOW_BYPASS) {
     options.push({
       kind: "allow_always",
       name: "Yes, bypass all permissions",

package/dist/adapters/claude/permissions/permission-options.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../src/utils/common.ts","../../../../src/execution-mode.ts","../../../../src/adapters/claude/tools.ts","../../../../src/adapters/claude/permissions/permission-options.ts"],"sourcesContent":["import type { Logger } from \"./logger\";\n\n/**\n * Races an operation against a timeout.\n * Returns success with the value if the operation completes in time,\n * or timeout if the operation takes longer than the specified duration.\n */\nexport async function withTimeout<T>(\n  operation: Promise<T>,\n  timeoutMs: number,\n): Promise<{ result: \"success\"; value: T } | { result: \"timeout\" }> {\n  const timeoutPromise = new Promise<{ result: \"timeout\" }>((resolve) =>\n    setTimeout(() => resolve({ result: \"timeout\" }), timeoutMs),\n  );\n  const operationPromise = operation.then((value) => ({\n    result: \"success\" as const,\n    value,\n  }));\n  return Promise.race([operationPromise, timeoutPromise]);\n}\n\nexport const IS_ROOT =\n  typeof process !== \"undefined\" &&\n  (process.geteuid?.() ?? process.getuid?.()) === 0;\n\nexport function unreachable(value: never, logger: Logger): void {\n  let valueAsString: string;\n  try {\n    valueAsString = JSON.stringify(value);\n  } catch {\n    valueAsString = String(value);\n  }\n  logger.error(`Unexpected case: ${valueAsString}`);\n}\n","import { IS_ROOT } from \"./utils/common\";\n\nexport interface ModeInfo {\n  id: string;\n  name: string;\n  description: string;\n}\n\n// Helper constant that can easily be toggled for env/feature flag/etc\nconst ALLOW_BYPASS = !IS_ROOT;\n\nconst availableModes: ModeInfo[] = [\n  {\n    id: \"default\",\n    name: \"Default\",\n    description: \"Standard behavior, prompts for dangerous operations\",\n  },\n  {\n    id: \"acceptEdits\",\n    name: \"Accept Edits\",\n    description: \"Auto-accept file edit operations\",\n  },\n  {\n    id: \"plan\",\n    name: \"Plan Mode\",\n    description: \"Planning mode, no actual tool execution\",\n  },\n];\n\nif (ALLOW_BYPASS) {\n  availableModes.push(\n    {\n      id: \"bypassPermissions\",\n      name: \"Bypass Permissions\",\n      description: \"Auto-accept all permission requests\",\n    },\n    {\n      id: \"auto\",\n      name: \"Auto Mode\",\n      description: \"Use a model classifier to approve/deny permission prompts\",\n    },\n  );\n}\n\n// Expose execution mode IDs in type-safe order for type checks\nexport const CODE_EXECUTION_MODES = [\n  \"default\",\n  \"acceptEdits\",\n  \"plan\",\n  \"bypassPermissions\",\n  \"auto\",\n] as const;\n\nexport type CodeExecutionMode = (typeof CODE_EXECUTION_MODES)[number];\n\nexport function isCodeExecutionMode(mode: string): mode is CodeExecutionMode {\n  return (CODE_EXECUTION_MODES as readonly string[]).includes(mode);\n}\n\nexport function getAvailableModes(): ModeInfo[] {\n  return IS_ROOT\n    ? availableModes.filter((m) => m.id !== \"bypassPermissions\")\n    : availableModes;\n}\n\n// --- Codex-native modes ---\n\nexport const CODEX_NATIVE_MODES = [\"auto\", \"read-only\", \"full-access\"] as const;\n\nexport type CodexNativeMode = (typeof CODEX_NATIVE_MODES)[number];\n\n/** Union of all permission mode IDs across adapters */\nexport type PermissionMode = CodeExecutionMode | CodexNativeMode;\n\nexport function isCodexNativeMode(mode: string): mode is CodexNativeMode {\n  return (CODEX_NATIVE_MODES as readonly string[]).includes(mode);\n}\n\nconst codexModes: ModeInfo[] = [\n  {\n    id: \"read-only\",\n    name: \"Read Only\",\n    description: \"Read-only access, no file modifications\",\n  },\n  {\n    id: \"auto\",\n    name: \"Auto\",\n    description: \"Standard behavior, prompts for dangerous operations\",\n  },\n];\n\nif (ALLOW_BYPASS) {\n  codexModes.push({\n    id: \"full-access\",\n    name: \"Full Access\",\n    description: \"Auto-accept all permission requests\",\n  });\n}\n\nexport function getAvailableCodexModes(): ModeInfo[] {\n  return IS_ROOT\n    ? codexModes.filter((m) => m.id !== \"full-access\")\n    : codexModes;\n}\n","export {\n  CODE_EXECUTION_MODES,\n  type CodeExecutionMode,\n  getAvailableModes,\n  type ModeInfo,\n} from \"../../execution-mode\";\n\nimport type { CodeExecutionMode } from \"../../execution-mode\";\nimport { isMcpToolReadOnly } from \"./mcp/tool-metadata\";\n\nexport const READ_TOOLS: Set<string> = new Set([\"Read\", \"NotebookRead\"]);\n\nexport const WRITE_TOOLS: Set<string> = new Set([\n  \"Edit\",\n  \"Write\",\n  \"NotebookEdit\",\n]);\n\nexport const BASH_TOOLS: Set<string> = new Set([\n  \"Bash\",\n  \"BashOutput\",\n  \"KillShell\",\n]);\n\nexport const SEARCH_TOOLS: Set<string> = new Set([\"Glob\", \"Grep\", \"LS\"]);\n\nexport const WEB_TOOLS: Set<string> = new Set([\"WebSearch\", \"WebFetch\"]);\n\nexport const AGENT_TOOLS: Set<string> = new Set([\n  \"Task\",\n  \"Agent\",\n  \"TodoWrite\",\n  \"Skill\",\n]);\n\nconst BASE_ALLOWED_TOOLS = [\n  ...READ_TOOLS,\n  ...SEARCH_TOOLS,\n  ...WEB_TOOLS,\n  ...AGENT_TOOLS,\n];\n\nconst AUTO_ALLOWED_TOOLS: Record<string, Set<string>> = {\n  auto: new Set(BASE_ALLOWED_TOOLS),\n  default: new Set(BASE_ALLOWED_TOOLS),\n  acceptEdits: new Set([...BASE_ALLOWED_TOOLS, ...WRITE_TOOLS]),\n  plan: new Set(BASE_ALLOWED_TOOLS),\n};\n\nexport function isToolAllowedForMode(\n  toolName: string,\n  mode: CodeExecutionMode,\n): boolean {\n  if (mode === \"bypassPermissions\") {\n    return true;\n  }\n  if (AUTO_ALLOWED_TOOLS[mode]?.has(toolName) === true) {\n    return true;\n  }\n  if (isMcpToolReadOnly(toolName)) {\n    return true;\n  }\n  return false;\n}\n","import type { PermissionUpdate } from \"@anthropic-ai/claude-agent-sdk\";\nimport { IS_ROOT } from \"../../../utils/common\";\nimport { BASH_TOOLS, READ_TOOLS, SEARCH_TOOLS, WRITE_TOOLS } from \"../tools\";\n\nexport interface PermissionOption {\n  kind: \"allow_once\" | \"allow_always\" | \"reject_once\" | \"reject_always\";\n  name: string;\n  optionId: string;\n  _meta?: { description?: string; customInput?: boolean };\n}\n\nfunction permissionOptions(allowAlwaysLabel: string): PermissionOption[] {\n  return [\n    { kind: \"allow_once\", name: \"Yes\", optionId: \"allow\" },\n    { kind: \"allow_always\", name: allowAlwaysLabel, optionId: \"allow_always\" },\n    {\n      kind: \"reject_once\",\n      name: \"No, and tell the agent what to do differently\",\n      optionId: \"reject\",\n      _meta: { customInput: true },\n    },\n  ];\n}\n\nexport function buildPermissionOptions(\n  toolName: string,\n  toolInput: Record<string, unknown>,\n  repoRoot?: string,\n  suggestions?: PermissionUpdate[],\n): PermissionOption[] {\n  if (BASH_TOOLS.has(toolName)) {\n    const rawRuleContent = suggestions\n      ?.flatMap((s) => (\"rules\" in s ? s.rules : []))\n      .find((r) => r.toolName === \"Bash\" && r.ruleContent)?.ruleContent;\n    const ruleContent = rawRuleContent?.replace(/:?\\*$/, \"\");\n\n    const command = toolInput?.command as string | undefined;\n    const cmdName = command?.split(/\\s+/)[0] ?? \"this command\";\n    const scopeLabel = repoRoot ? ` in ${repoRoot}` : \"\";\n    const label = ruleContent ?? `\\`${cmdName}\\` commands`;\n\n    return permissionOptions(\n      `Yes, and don't ask again for ${label}${scopeLabel}`,\n    );\n  }\n\n  if (toolName === \"BashOutput\") {\n    return permissionOptions(\"Yes, allow all background process reads\");\n  }\n\n  if (toolName === \"KillShell\") {\n    return permissionOptions(\"Yes, allow killing processes\");\n  }\n\n  if (WRITE_TOOLS.has(toolName)) {\n    return permissionOptions(\"Yes, allow all edits during this session\");\n  }\n\n  if (READ_TOOLS.has(toolName)) {\n    return permissionOptions(\"Yes, allow all reads during this session\");\n  }\n\n  if (SEARCH_TOOLS.has(toolName)) {\n    return permissionOptions(\"Yes, allow all searches during this session\");\n  }\n\n  if (toolName === \"WebFetch\") {\n    const url = toolInput?.url as string | undefined;\n    let domain = \"\";\n    try {\n      domain = url ? new URL(url).hostname : \"\";\n    } catch {}\n    return permissionOptions(\n      domain\n        ? `Yes, allow all fetches from ${domain}`\n        : \"Yes, allow all fetches\",\n    );\n  }\n\n  if (toolName === \"WebSearch\") {\n    return permissionOptions(\"Yes, allow all web searches\");\n  }\n\n  if (toolName === \"Task\") {\n    return permissionOptions(\"Yes, allow all sub-tasks\");\n  }\n\n  if (toolName === \"TodoWrite\") {\n    return permissionOptions(\"Yes, allow all todo updates\");\n  }\n\n  return permissionOptions(\"Yes, always allow\");\n}\n\nconst ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;\n\nexport function buildExitPlanModePermissionOptions(): PermissionOption[] {\n  const options: PermissionOption[] = [];\n\n  if (ALLOW_BYPASS) {\n    options.push({\n      kind: \"allow_always\",\n      name: \"Yes, bypass all permissions\",\n      optionId: \"bypassPermissions\",\n    });\n  }\n\n  options.push(\n    {\n      kind: \"allow_always\",\n      name: 'Yes, and use \"auto\" mode',\n      optionId: \"auto\",\n    },\n    {\n      kind: \"allow_always\",\n      name: \"Yes, and auto-accept edits\",\n      optionId: \"acceptEdits\",\n    },\n    {\n      kind: \"allow_once\",\n      name: \"Yes, and manually approve edits\",\n      optionId: \"default\",\n    },\n    {\n      kind: \"reject_once\",\n      name: \"No, and tell the agent what to do differently\",\n      optionId: \"reject_with_feedback\",\n      _meta: { customInput: true },\n    },\n  );\n\n  return options;\n}\n"],"mappings":";AAqBO,IAAM,UACX,OAAO,YAAY,gBAClB,QAAQ,UAAU,KAAK,QAAQ,SAAS,OAAO;;;ACdlD,IAAM,eAAe,CAAC;AAEtB,IAAM,iBAA6B;AAAA,EACjC;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAEA,IAAI,cAAc;AAChB,iBAAe;AAAA,IACb;AAAA,MACE,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,EACF;AACF;AAoCA,IAAM,aAAyB;AAAA,EAC7B;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAEA,IAAI,cAAc;AAChB,aAAW,KAAK;AAAA,IACd,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf,CAAC;AACH;;;ACvFO,IAAM,aAA0B,oBAAI,IAAI,CAAC,QAAQ,cAAc,CAAC;AAEhE,IAAM,cAA2B,oBAAI,IAAI;AAAA,EAC9C;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,aAA0B,oBAAI,IAAI;AAAA,EAC7C;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,eAA4B,oBAAI,IAAI,CAAC,QAAQ,QAAQ,IAAI,CAAC;AAEhE,IAAM,YAAyB,oBAAI,IAAI,CAAC,aAAa,UAAU,CAAC;AAEhE,IAAM,cAA2B,oBAAI,IAAI;AAAA,EAC9C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,IAAM,qBAAqB;AAAA,EACzB,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AACL;AAEA,IAAM,qBAAkD;AAAA,EACtD,MAAM,IAAI,IAAI,kBAAkB;AAAA,EAChC,SAAS,IAAI,IAAI,kBAAkB;AAAA,EACnC,aAAa,oBAAI,IAAI,CAAC,GAAG,oBAAoB,GAAG,WAAW,CAAC;AAAA,EAC5D,MAAM,IAAI,IAAI,kBAAkB;AAClC;;;ACpCA,SAAS,kBAAkB,kBAA8C;AACvE,SAAO;AAAA,IACL,EAAE,MAAM,cAAc,MAAM,OAAO,UAAU,QAAQ;AAAA,IACrD,EAAE,MAAM,gBAAgB,MAAM,kBAAkB,UAAU,eAAe;AAAA,IACzE;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,OAAO,EAAE,aAAa,KAAK;AAAA,IAC7B;AAAA,EACF;AACF;AAEO,SAAS,uBACd,UACA,WACA,UACA,aACoB;AACpB,MAAI,WAAW,IAAI,QAAQ,GAAG;AAC5B,UAAM,iBAAiB,aACnB,QAAQ,CAAC,MAAO,WAAW,IAAI,EAAE,QAAQ,CAAC,CAAE,EAC7C,KAAK,CAAC,MAAM,EAAE,aAAa,UAAU,EAAE,WAAW,GAAG;AACxD,UAAM,cAAc,gBAAgB,QAAQ,SAAS,EAAE;AAEvD,UAAM,UAAU,WAAW;AAC3B,UAAM,UAAU,SAAS,MAAM,KAAK,EAAE,CAAC,KAAK;AAC5C,UAAM,aAAa,WAAW,OAAO,QAAQ,KAAK;AAClD,UAAM,QAAQ,eAAe,KAAK,OAAO;AAEzC,WAAO;AAAA,MACL,gCAAgC,KAAK,GAAG,UAAU;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,aAAa,cAAc;AAC7B,WAAO,kBAAkB,yCAAyC;AAAA,EACpE;AAEA,MAAI,aAAa,aAAa;AAC5B,WAAO,kBAAkB,8BAA8B;AAAA,EACzD;AAEA,MAAI,YAAY,IAAI,QAAQ,GAAG;AAC7B,WAAO,kBAAkB,0CAA0C;AAAA,EACrE;AAEA,MAAI,WAAW,IAAI,QAAQ,GAAG;AAC5B,WAAO,kBAAkB,0CAA0C;AAAA,EACrE;AAEA,MAAI,aAAa,IAAI,QAAQ,GAAG;AAC9B,WAAO,kBAAkB,6CAA6C;AAAA,EACxE;AAEA,MAAI,aAAa,YAAY;AAC3B,UAAM,MAAM,WAAW;AACvB,QAAI,SAAS;AACb,QAAI;AACF,eAAS,MAAM,IAAI,IAAI,GAAG,EAAE,WAAW;AAAA,IACzC,QAAQ;AAAA,IAAC;AACT,WAAO;AAAA,MACL,SACI,+BAA+B,MAAM,KACrC;AAAA,IACN;AAAA,EACF;AAEA,MAAI,aAAa,aAAa;AAC5B,WAAO,kBAAkB,6BAA6B;AAAA,EACxD;AAEA,MAAI,aAAa,QAAQ;AACvB,WAAO,kBAAkB,0BAA0B;AAAA,EACrD;AAEA,MAAI,aAAa,aAAa;AAC5B,WAAO,kBAAkB,6BAA6B;AAAA,EACxD;AAEA,SAAO,kBAAkB,mBAAmB;AAC9C;AAEA,IAAMA,gBAAe,CAAC,WAAW,CAAC,CAAC,QAAQ,IAAI;AAExC,SAAS,qCAAyD;AACvE,QAAM,UAA8B,CAAC;AAErC,MAAIA,eAAc;AAChB,YAAQ,KAAK;AAAA,MACX,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,UAAQ;AAAA,IACN;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,OAAO,EAAE,aAAa,KAAK;AAAA,IAC7B;AAAA,EACF;AAEA,SAAO;AACT;","names":["ALLOW_BYPASS"]}
+{"version":3,"sources":["../../../../src/utils/common.ts","../../../../src/execution-mode.ts","../../../../src/adapters/claude/tools.ts","../../../../src/adapters/claude/permissions/permission-options.ts"],"sourcesContent":["import type { Logger } from \"./logger\";\n\n/**\n * Races an operation against a timeout.\n * Returns success with the value if the operation completes in time,\n * or timeout if the operation takes longer than the specified duration.\n */\nexport async function withTimeout<T>(\n  operation: Promise<T>,\n  timeoutMs: number,\n): Promise<{ result: \"success\"; value: T } | { result: \"timeout\" }> {\n  const timeoutPromise = new Promise<{ result: \"timeout\" }>((resolve) =>\n    setTimeout(() => resolve({ result: \"timeout\" }), timeoutMs),\n  );\n  const operationPromise = operation.then((value) => ({\n    result: \"success\" as const,\n    value,\n  }));\n  return Promise.race([operationPromise, timeoutPromise]);\n}\n\nexport const IS_ROOT =\n  typeof process !== \"undefined\" &&\n  (process.geteuid?.() ?? process.getuid?.()) === 0;\n\nexport const ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;\n\nexport function unreachable(value: never, logger: Logger): void {\n  let valueAsString: string;\n  try {\n    valueAsString = JSON.stringify(value);\n  } catch {\n    valueAsString = String(value);\n  }\n  logger.error(`Unexpected case: ${valueAsString}`);\n}\n","import { ALLOW_BYPASS } from \"./utils/common\";\n\nexport interface ModeInfo {\n  id: string;\n  name: string;\n  description: string;\n}\n\nconst availableModes: ModeInfo[] = [\n  {\n    id: \"default\",\n    name: \"Default\",\n    description: \"Standard behavior, prompts for dangerous operations\",\n  },\n  {\n    id: \"acceptEdits\",\n    name: \"Accept Edits\",\n    description: \"Auto-accept file edit operations\",\n  },\n  {\n    id: \"plan\",\n    name: \"Plan Mode\",\n    description: \"Planning mode, no actual tool execution\",\n  },\n];\n\nif (ALLOW_BYPASS) {\n  availableModes.push(\n    {\n      id: \"bypassPermissions\",\n      name: \"Bypass Permissions\",\n      description: \"Auto-accept all permission requests\",\n    },\n    {\n      id: \"auto\",\n      name: \"Auto Mode\",\n      description: \"Use a model classifier to approve/deny permission prompts\",\n    },\n  );\n}\n\n// Expose execution mode IDs in type-safe order for type checks\nexport const CODE_EXECUTION_MODES = [\n  \"default\",\n  \"acceptEdits\",\n  \"plan\",\n  \"bypassPermissions\",\n  \"auto\",\n] as const;\n\nexport type CodeExecutionMode = (typeof CODE_EXECUTION_MODES)[number];\n\nexport function isCodeExecutionMode(mode: string): mode is CodeExecutionMode {\n  return (CODE_EXECUTION_MODES as readonly string[]).includes(mode);\n}\n\nexport function getAvailableModes(): ModeInfo[] {\n  return ALLOW_BYPASS\n    ? availableModes\n    : availableModes.filter((m) => m.id !== \"bypassPermissions\");\n}\n\n// --- Codex-native modes ---\n\nexport const CODEX_NATIVE_MODES = [\"auto\", \"read-only\", \"full-access\"] as const;\n\nexport type CodexNativeMode = (typeof CODEX_NATIVE_MODES)[number];\n\n/** Union of all permission mode IDs across adapters */\nexport type PermissionMode = CodeExecutionMode | CodexNativeMode;\n\nexport function isCodexNativeMode(mode: string): mode is CodexNativeMode {\n  return (CODEX_NATIVE_MODES as readonly string[]).includes(mode);\n}\n\nconst codexModes: ModeInfo[] = [\n  {\n    id: \"read-only\",\n    name: \"Read Only\",\n    description: \"Read-only access, no file modifications\",\n  },\n  {\n    id: \"auto\",\n    name: \"Auto\",\n    description: \"Standard behavior, prompts for dangerous operations\",\n  },\n];\n\nif (ALLOW_BYPASS) {\n  codexModes.push({\n    id: \"full-access\",\n    name: \"Full Access\",\n    description: \"Auto-accept all permission requests\",\n  });\n}\n\nexport function getAvailableCodexModes(): ModeInfo[] {\n  return ALLOW_BYPASS\n    ? codexModes\n    : codexModes.filter((m) => m.id !== \"full-access\");\n}\n","export {\n  CODE_EXECUTION_MODES,\n  type CodeExecutionMode,\n  getAvailableModes,\n  type ModeInfo,\n} from \"../../execution-mode\";\n\nimport type { CodeExecutionMode } from \"../../execution-mode\";\nimport { isMcpToolReadOnly } from \"./mcp/tool-metadata\";\n\nexport const READ_TOOLS: Set<string> = new Set([\"Read\", \"NotebookRead\"]);\n\nexport const WRITE_TOOLS: Set<string> = new Set([\n  \"Edit\",\n  \"Write\",\n  \"NotebookEdit\",\n]);\n\nexport const BASH_TOOLS: Set<string> = new Set([\n  \"Bash\",\n  \"BashOutput\",\n  \"KillShell\",\n]);\n\nexport const SEARCH_TOOLS: Set<string> = new Set([\"Glob\", \"Grep\", \"LS\"]);\n\nexport const WEB_TOOLS: Set<string> = new Set([\"WebSearch\", \"WebFetch\"]);\n\nexport const AGENT_TOOLS: Set<string> = new Set([\n  \"Task\",\n  \"Agent\",\n  \"TodoWrite\",\n  \"Skill\",\n]);\n\nconst BASE_ALLOWED_TOOLS = [\n  ...READ_TOOLS,\n  ...SEARCH_TOOLS,\n  ...WEB_TOOLS,\n  ...AGENT_TOOLS,\n];\n\nconst AUTO_ALLOWED_TOOLS: Record<string, Set<string>> = {\n  auto: new Set(BASE_ALLOWED_TOOLS),\n  default: new Set(BASE_ALLOWED_TOOLS),\n  acceptEdits: new Set([...BASE_ALLOWED_TOOLS, ...WRITE_TOOLS]),\n  plan: new Set(BASE_ALLOWED_TOOLS),\n};\n\nexport function isToolAllowedForMode(\n  toolName: string,\n  mode: CodeExecutionMode,\n): boolean {\n  if (mode === \"bypassPermissions\") {\n    return true;\n  }\n  if (AUTO_ALLOWED_TOOLS[mode]?.has(toolName) === true) {\n    return true;\n  }\n  if (isMcpToolReadOnly(toolName)) {\n    return true;\n  }\n  return false;\n}\n","import type { PermissionUpdate } from \"@anthropic-ai/claude-agent-sdk\";\nimport { ALLOW_BYPASS } from \"../../../utils/common\";\nimport { BASH_TOOLS, READ_TOOLS, SEARCH_TOOLS, WRITE_TOOLS } from \"../tools\";\n\nexport interface PermissionOption {\n  kind: \"allow_once\" | \"allow_always\" | \"reject_once\" | \"reject_always\";\n  name: string;\n  optionId: string;\n  _meta?: { description?: string; customInput?: boolean };\n}\n\nfunction permissionOptions(allowAlwaysLabel: string): PermissionOption[] {\n  return [\n    { kind: \"allow_once\", name: \"Yes\", optionId: \"allow\" },\n    { kind: \"allow_always\", name: allowAlwaysLabel, optionId: \"allow_always\" },\n    {\n      kind: \"reject_once\",\n      name: \"No, and tell the agent what to do differently\",\n      optionId: \"reject\",\n      _meta: { customInput: true },\n    },\n  ];\n}\n\nexport function buildPermissionOptions(\n  toolName: string,\n  toolInput: Record<string, unknown>,\n  repoRoot?: string,\n  suggestions?: PermissionUpdate[],\n): PermissionOption[] {\n  if (BASH_TOOLS.has(toolName)) {\n    const rawRuleContent = suggestions\n      ?.flatMap((s) => (\"rules\" in s ? s.rules : []))\n      .find((r) => r.toolName === \"Bash\" && r.ruleContent)?.ruleContent;\n    const ruleContent = rawRuleContent?.replace(/:?\\*$/, \"\");\n\n    const command = toolInput?.command as string | undefined;\n    const cmdName = command?.split(/\\s+/)[0] ?? \"this command\";\n    const scopeLabel = repoRoot ? ` in ${repoRoot}` : \"\";\n    const label = ruleContent ?? `\\`${cmdName}\\` commands`;\n\n    return permissionOptions(\n      `Yes, and don't ask again for ${label}${scopeLabel}`,\n    );\n  }\n\n  if (toolName === \"BashOutput\") {\n    return permissionOptions(\"Yes, allow all background process reads\");\n  }\n\n  if (toolName === \"KillShell\") {\n    return permissionOptions(\"Yes, allow killing processes\");\n  }\n\n  if (WRITE_TOOLS.has(toolName)) {\n    return permissionOptions(\"Yes, allow all edits during this session\");\n  }\n\n  if (READ_TOOLS.has(toolName)) {\n    return permissionOptions(\"Yes, allow all reads during this session\");\n  }\n\n  if (SEARCH_TOOLS.has(toolName)) {\n    return permissionOptions(\"Yes, allow all searches during this session\");\n  }\n\n  if (toolName === \"WebFetch\") {\n    const url = toolInput?.url as string | undefined;\n    let domain = \"\";\n    try {\n      domain = url ? new URL(url).hostname : \"\";\n    } catch {}\n    return permissionOptions(\n      domain\n        ? `Yes, allow all fetches from ${domain}`\n        : \"Yes, allow all fetches\",\n    );\n  }\n\n  if (toolName === \"WebSearch\") {\n    return permissionOptions(\"Yes, allow all web searches\");\n  }\n\n  if (toolName === \"Task\") {\n    return permissionOptions(\"Yes, allow all sub-tasks\");\n  }\n\n  if (toolName === \"TodoWrite\") {\n    return permissionOptions(\"Yes, allow all todo updates\");\n  }\n\n  return permissionOptions(\"Yes, always allow\");\n}\n\nexport function buildExitPlanModePermissionOptions(): PermissionOption[] {\n  const options: PermissionOption[] = [];\n\n  if (ALLOW_BYPASS) {\n    options.push({\n      kind: \"allow_always\",\n      name: \"Yes, bypass all permissions\",\n      optionId: \"bypassPermissions\",\n    });\n  }\n\n  options.push(\n    {\n      kind: \"allow_always\",\n      name: 'Yes, and use \"auto\" mode',\n      optionId: \"auto\",\n    },\n    {\n      kind: \"allow_always\",\n      name: \"Yes, and auto-accept edits\",\n      optionId: \"acceptEdits\",\n    },\n    {\n      kind: \"allow_once\",\n      name: \"Yes, and manually approve edits\",\n      optionId: \"default\",\n    },\n    {\n      kind: \"reject_once\",\n      name: \"No, and tell the agent what to do differently\",\n      optionId: \"reject_with_feedback\",\n      _meta: { customInput: true },\n    },\n  );\n\n  return options;\n}\n"],"mappings":";AAqBO,IAAM,UACX,OAAO,YAAY,gBAClB,QAAQ,UAAU,KAAK,QAAQ,SAAS,OAAO;AAE3C,IAAM,eAAe,CAAC,WAAW,CAAC,CAAC,QAAQ,IAAI;;;ACjBtD,IAAM,iBAA6B;AAAA,EACjC;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAEA,IAAI,cAAc;AAChB,iBAAe;AAAA,IACb;AAAA,MACE,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,EACF;AACF;AAoCA,IAAM,aAAyB;AAAA,EAC7B;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAEA,IAAI,cAAc;AAChB,aAAW,KAAK;AAAA,IACd,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf,CAAC;AACH;;;ACpFO,IAAM,aAA0B,oBAAI,IAAI,CAAC,QAAQ,cAAc,CAAC;AAEhE,IAAM,cAA2B,oBAAI,IAAI;AAAA,EAC9C;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,aAA0B,oBAAI,IAAI;AAAA,EAC7C;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,eAA4B,oBAAI,IAAI,CAAC,QAAQ,QAAQ,IAAI,CAAC;AAEhE,IAAM,YAAyB,oBAAI,IAAI,CAAC,aAAa,UAAU,CAAC;AAEhE,IAAM,cAA2B,oBAAI,IAAI;AAAA,EAC9C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,IAAM,qBAAqB;AAAA,EACzB,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AACL;AAEA,IAAM,qBAAkD;AAAA,EACtD,MAAM,IAAI,IAAI,kBAAkB;AAAA,EAChC,SAAS,IAAI,IAAI,kBAAkB;AAAA,EACnC,aAAa,oBAAI,IAAI,CAAC,GAAG,oBAAoB,GAAG,WAAW,CAAC;AAAA,EAC5D,MAAM,IAAI,IAAI,kBAAkB;AAClC;;;ACpCA,SAAS,kBAAkB,kBAA8C;AACvE,SAAO;AAAA,IACL,EAAE,MAAM,cAAc,MAAM,OAAO,UAAU,QAAQ;AAAA,IACrD,EAAE,MAAM,gBAAgB,MAAM,kBAAkB,UAAU,eAAe;AAAA,IACzE;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,OAAO,EAAE,aAAa,KAAK;AAAA,IAC7B;AAAA,EACF;AACF;AAEO,SAAS,uBACd,UACA,WACA,UACA,aACoB;AACpB,MAAI,WAAW,IAAI,QAAQ,GAAG;AAC5B,UAAM,iBAAiB,aACnB,QAAQ,CAAC,MAAO,WAAW,IAAI,EAAE,QAAQ,CAAC,CAAE,EAC7C,KAAK,CAAC,MAAM,EAAE,aAAa,UAAU,EAAE,WAAW,GAAG;AACxD,UAAM,cAAc,gBAAgB,QAAQ,SAAS,EAAE;AAEvD,UAAM,UAAU,WAAW;AAC3B,UAAM,UAAU,SAAS,MAAM,KAAK,EAAE,CAAC,KAAK;AAC5C,UAAM,aAAa,WAAW,OAAO,QAAQ,KAAK;AAClD,UAAM,QAAQ,eAAe,KAAK,OAAO;AAEzC,WAAO;AAAA,MACL,gCAAgC,KAAK,GAAG,UAAU;AAAA,IACpD;AAAA,EACF;AAEA,MAAI,aAAa,cAAc;AAC7B,WAAO,kBAAkB,yCAAyC;AAAA,EACpE;AAEA,MAAI,aAAa,aAAa;AAC5B,WAAO,kBAAkB,8BAA8B;AAAA,EACzD;AAEA,MAAI,YAAY,IAAI,QAAQ,GAAG;AAC7B,WAAO,kBAAkB,0CAA0C;AAAA,EACrE;AAEA,MAAI,WAAW,IAAI,QAAQ,GAAG;AAC5B,WAAO,kBAAkB,0CAA0C;AAAA,EACrE;AAEA,MAAI,aAAa,IAAI,QAAQ,GAAG;AAC9B,WAAO,kBAAkB,6CAA6C;AAAA,EACxE;AAEA,MAAI,aAAa,YAAY;AAC3B,UAAM,MAAM,WAAW;AACvB,QAAI,SAAS;AACb,QAAI;AACF,eAAS,MAAM,IAAI,IAAI,GAAG,EAAE,WAAW;AAAA,IACzC,QAAQ;AAAA,IAAC;AACT,WAAO;AAAA,MACL,SACI,+BAA+B,MAAM,KACrC;AAAA,IACN;AAAA,EACF;AAEA,MAAI,aAAa,aAAa;AAC5B,WAAO,kBAAkB,6BAA6B;AAAA,EACxD;AAEA,MAAI,aAAa,QAAQ;AACvB,WAAO,kBAAkB,0BAA0B;AAAA,EACrD;AAEA,MAAI,aAAa,aAAa;AAC5B,WAAO,kBAAkB,6BAA6B;AAAA,EACxD;AAEA,SAAO,kBAAkB,mBAAmB;AAC9C;AAEO,SAAS,qCAAyD;AACvE,QAAM,UAA8B,CAAC;AAErC,MAAI,cAAc;AAChB,YAAQ,KAAK;AAAA,MACX,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,UAAQ;AAAA,IACN;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,IACZ;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,MAAM;AAAA,MACN,UAAU;AAAA,MACV,OAAO,EAAE,aAAa,KAAK;AAAA,IAC7B;AAAA,EACF;AAEA,SAAO;AACT;","names":[]}

package/dist/adapters/claude/tools.js

@@ -1,8 +1,8 @@
 // src/utils/common.ts
 var IS_ROOT = typeof process !== "undefined" && (process.geteuid?.() ?? process.getuid?.()) === 0;
+var ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;
 
 // src/execution-mode.ts
-var ALLOW_BYPASS = !IS_ROOT;
 var availableModes = [
   {
     id: "default",
@@ -42,7 +42,7 @@ var CODE_EXECUTION_MODES = [
   "auto"
 ];
 function getAvailableModes() {
-  return IS_ROOT ? availableModes.filter((m) => m.id !== "bypassPermissions") : availableModes;
+  return ALLOW_BYPASS ? availableModes : availableModes.filter((m) => m.id !== "bypassPermissions");
 }
 var codexModes = [
   {

package/dist/adapters/claude/tools.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/utils/common.ts","../../../src/execution-mode.ts","../../../src/adapters/claude/mcp/tool-metadata.ts","../../../src/adapters/claude/tools.ts"],"sourcesContent":["import type { Logger } from \"./logger\";\n\n/**\n * Races an operation against a timeout.\n * Returns success with the value if the operation completes in time,\n * or timeout if the operation takes longer than the specified duration.\n */\nexport async function withTimeout<T>(\n  operation: Promise<T>,\n  timeoutMs: number,\n): Promise<{ result: \"success\"; value: T } | { result: \"timeout\" }> {\n  const timeoutPromise = new Promise<{ result: \"timeout\" }>((resolve) =>\n    setTimeout(() => resolve({ result: \"timeout\" }), timeoutMs),\n  );\n  const operationPromise = operation.then((value) => ({\n    result: \"success\" as const,\n    value,\n  }));\n  return Promise.race([operationPromise, timeoutPromise]);\n}\n\nexport const IS_ROOT =\n  typeof process !== \"undefined\" &&\n  (process.geteuid?.() ?? process.getuid?.()) === 0;\n\nexport function unreachable(value: never, logger: Logger): void {\n  let valueAsString: string;\n  try {\n    valueAsString = JSON.stringify(value);\n  } catch {\n    valueAsString = String(value);\n  }\n  logger.error(`Unexpected case: ${valueAsString}`);\n}\n","import { IS_ROOT } from \"./utils/common\";\n\nexport interface ModeInfo {\n  id: string;\n  name: string;\n  description: string;\n}\n\n// Helper constant that can easily be toggled for env/feature flag/etc\nconst ALLOW_BYPASS = !IS_ROOT;\n\nconst availableModes: ModeInfo[] = [\n  {\n    id: \"default\",\n    name: \"Default\",\n    description: \"Standard behavior, prompts for dangerous operations\",\n  },\n  {\n    id: \"acceptEdits\",\n    name: \"Accept Edits\",\n    description: \"Auto-accept file edit operations\",\n  },\n  {\n    id: \"plan\",\n    name: \"Plan Mode\",\n    description: \"Planning mode, no actual tool execution\",\n  },\n];\n\nif (ALLOW_BYPASS) {\n  availableModes.push(\n    {\n      id: \"bypassPermissions\",\n      name: \"Bypass Permissions\",\n      description: \"Auto-accept all permission requests\",\n    },\n    {\n      id: \"auto\",\n      name: \"Auto Mode\",\n      description: \"Use a model classifier to approve/deny permission prompts\",\n    },\n  );\n}\n\n// Expose execution mode IDs in type-safe order for type checks\nexport const CODE_EXECUTION_MODES = [\n  \"default\",\n  \"acceptEdits\",\n  \"plan\",\n  \"bypassPermissions\",\n  \"auto\",\n] as const;\n\nexport type CodeExecutionMode = (typeof CODE_EXECUTION_MODES)[number];\n\nexport function isCodeExecutionMode(mode: string): mode is CodeExecutionMode {\n  return (CODE_EXECUTION_MODES as readonly string[]).includes(mode);\n}\n\nexport function getAvailableModes(): ModeInfo[] {\n  return IS_ROOT\n    ? availableModes.filter((m) => m.id !== \"bypassPermissions\")\n    : availableModes;\n}\n\n// --- Codex-native modes ---\n\nexport const CODEX_NATIVE_MODES = [\"auto\", \"read-only\", \"full-access\"] as const;\n\nexport type CodexNativeMode = (typeof CODEX_NATIVE_MODES)[number];\n\n/** Union of all permission mode IDs across adapters */\nexport type PermissionMode = CodeExecutionMode | CodexNativeMode;\n\nexport function isCodexNativeMode(mode: string): mode is CodexNativeMode {\n  return (CODEX_NATIVE_MODES as readonly string[]).includes(mode);\n}\n\nconst codexModes: ModeInfo[] = [\n  {\n    id: \"read-only\",\n    name: \"Read Only\",\n    description: \"Read-only access, no file modifications\",\n  },\n  {\n    id: \"auto\",\n    name: \"Auto\",\n    description: \"Standard behavior, prompts for dangerous operations\",\n  },\n];\n\nif (ALLOW_BYPASS) {\n  codexModes.push({\n    id: \"full-access\",\n    name: \"Full Access\",\n    description: \"Auto-accept all permission requests\",\n  });\n}\n\nexport function getAvailableCodexModes(): ModeInfo[] {\n  return IS_ROOT\n    ? codexModes.filter((m) => m.id !== \"full-access\")\n    : codexModes;\n}\n","import type { McpServerStatus, Query } from \"@anthropic-ai/claude-agent-sdk\";\nimport { Logger } from \"../../../utils/logger\";\n\nexport type McpToolApprovalState = \"approved\" | \"needs_approval\" | \"do_not_use\";\n\n/** Maps MCP tool keys (e.g. `mcp__server__tool`) to their backend approval state. */\nexport type McpToolApprovals = Record<string, McpToolApprovalState>;\n\nexport interface McpToolMetadata {\n  readOnly: boolean;\n  name: string;\n  description?: string;\n  approvalState?: McpToolApprovalState;\n}\n\nconst mcpToolMetadataCache: Map<string, McpToolMetadata> = new Map();\n\nconst PENDING_RETRY_INTERVAL_MS = 1_000;\nconst PENDING_MAX_RETRIES = 10;\n\nexport function sanitizeMcpServerName(name: string): string {\n  return name.replace(/[^a-zA-Z0-9_-]/g, \"_\");\n}\n\nfunction buildToolKey(serverName: string, toolName: string): string {\n  return `mcp__${serverName}__${toolName}`;\n}\n\nfunction delay(ms: number): Promise<void> {\n  return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\nexport async function fetchMcpToolMetadata(\n  q: Query,\n  logger: Logger = new Logger({ debug: false, prefix: \"[McpToolMetadata]\" }),\n): Promise<void> {\n  let retries = 0;\n\n  while (retries <= PENDING_MAX_RETRIES) {\n    let statuses: McpServerStatus[];\n    try {\n      statuses = await q.mcpServerStatus();\n    } catch (error) {\n      logger.error(\"Failed to fetch MCP server status\", {\n        error: error instanceof Error ? error.message : String(error),\n      });\n      return;\n    }\n\n    const pendingServers = statuses.filter((s) => s.status === \"pending\");\n\n    for (const server of statuses) {\n      if (server.status !== \"connected\" || !server.tools) {\n        continue;\n      }\n\n      let readOnlyCount = 0;\n      for (const tool of server.tools) {\n        const toolKey = buildToolKey(server.name, tool.name);\n        const readOnly = tool.annotations?.readOnly === true;\n\n        const existing = mcpToolMetadataCache.get(toolKey);\n        mcpToolMetadataCache.set(toolKey, {\n          readOnly,\n          name: tool.name,\n          description: tool.description,\n          approvalState: existing?.approvalState,\n        });\n        if (readOnly) readOnlyCount++;\n      }\n\n      logger.info(\"Fetched MCP tool metadata\", {\n        serverName: server.name,\n        toolCount: server.tools.length,\n        readOnlyCount,\n      });\n    }\n\n    if (pendingServers.length === 0) {\n      return;\n    }\n\n    retries++;\n    if (retries > PENDING_MAX_RETRIES) {\n      logger.warn(\"Gave up waiting for pending MCP servers\", {\n        pendingServers: pendingServers.map((s) => s.name),\n      });\n      return;\n    }\n\n    logger.info(\"Waiting for pending MCP servers\", {\n      pendingServers: pendingServers.map((s) => s.name),\n      retry: retries,\n    });\n    await delay(PENDING_RETRY_INTERVAL_MS);\n  }\n}\n\nexport function getMcpToolMetadata(\n  toolName: string,\n): McpToolMetadata | undefined {\n  return mcpToolMetadataCache.get(toolName);\n}\n\nexport function isMcpToolReadOnly(toolName: string): boolean {\n  const metadata = mcpToolMetadataCache.get(toolName);\n  return metadata?.readOnly === true;\n}\n\nexport function getConnectedMcpServerNames(): string[] {\n  const names = new Set<string>();\n  for (const key of mcpToolMetadataCache.keys()) {\n    const parts = key.split(\"__\");\n    if (parts.length >= 3) names.add(parts[1]);\n  }\n  return [...names];\n}\n\nexport function getMcpToolApprovalState(\n  toolName: string,\n): McpToolApprovalState | undefined {\n  return mcpToolMetadataCache.get(toolName)?.approvalState;\n}\n\nexport function setMcpToolApprovalStates(approvals: McpToolApprovals): void {\n  for (const [toolKey, approvalState] of Object.entries(approvals)) {\n    const existing = mcpToolMetadataCache.get(toolKey);\n    if (existing) {\n      existing.approvalState = approvalState;\n    } else {\n      mcpToolMetadataCache.set(toolKey, {\n        readOnly: false,\n        name: toolKey,\n        approvalState,\n      });\n    }\n  }\n}\n\nexport function clearMcpToolMetadataCache(): void {\n  mcpToolMetadataCache.clear();\n}\n","export {\n  CODE_EXECUTION_MODES,\n  type CodeExecutionMode,\n  getAvailableModes,\n  type ModeInfo,\n} from \"../../execution-mode\";\n\nimport type { CodeExecutionMode } from \"../../execution-mode\";\nimport { isMcpToolReadOnly } from \"./mcp/tool-metadata\";\n\nexport const READ_TOOLS: Set<string> = new Set([\"Read\", \"NotebookRead\"]);\n\nexport const WRITE_TOOLS: Set<string> = new Set([\n  \"Edit\",\n  \"Write\",\n  \"NotebookEdit\",\n]);\n\nexport const BASH_TOOLS: Set<string> = new Set([\n  \"Bash\",\n  \"BashOutput\",\n  \"KillShell\",\n]);\n\nexport const SEARCH_TOOLS: Set<string> = new Set([\"Glob\", \"Grep\", \"LS\"]);\n\nexport const WEB_TOOLS: Set<string> = new Set([\"WebSearch\", \"WebFetch\"]);\n\nexport const AGENT_TOOLS: Set<string> = new Set([\n  \"Task\",\n  \"Agent\",\n  \"TodoWrite\",\n  \"Skill\",\n]);\n\nconst BASE_ALLOWED_TOOLS = [\n  ...READ_TOOLS,\n  ...SEARCH_TOOLS,\n  ...WEB_TOOLS,\n  ...AGENT_TOOLS,\n];\n\nconst AUTO_ALLOWED_TOOLS: Record<string, Set<string>> = {\n  auto: new Set(BASE_ALLOWED_TOOLS),\n  default: new Set(BASE_ALLOWED_TOOLS),\n  acceptEdits: new Set([...BASE_ALLOWED_TOOLS, ...WRITE_TOOLS]),\n  plan: new Set(BASE_ALLOWED_TOOLS),\n};\n\nexport function isToolAllowedForMode(\n  toolName: string,\n  mode: CodeExecutionMode,\n): boolean {\n  if (mode === \"bypassPermissions\") {\n    return true;\n  }\n  if (AUTO_ALLOWED_TOOLS[mode]?.has(toolName) === true) {\n    return true;\n  }\n  if (isMcpToolReadOnly(toolName)) {\n    return true;\n  }\n  return false;\n}\n"],"mappings":";AAqBO,IAAM,UACX,OAAO,YAAY,gBAClB,QAAQ,UAAU,KAAK,QAAQ,SAAS,OAAO;;;ACdlD,IAAM,eAAe,CAAC;AAEtB,IAAM,iBAA6B;AAAA,EACjC;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAEA,IAAI,cAAc;AAChB,iBAAe;AAAA,IACb;AAAA,MACE,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,EACF;AACF;AAGO,IAAM,uBAAuB;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAQO,SAAS,oBAAgC;AAC9C,SAAO,UACH,eAAe,OAAO,CAAC,MAAM,EAAE,OAAO,mBAAmB,IACzD;AACN;AAeA,IAAM,aAAyB;AAAA,EAC7B;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAEA,IAAI,cAAc;AAChB,aAAW,KAAK;AAAA,IACd,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf,CAAC;AACH;;;AClFA,IAAM,uBAAqD,oBAAI,IAAI;AAyF5D,SAAS,kBAAkB,UAA2B;AAC3D,QAAM,WAAW,qBAAqB,IAAI,QAAQ;AAClD,SAAO,UAAU,aAAa;AAChC;;;ACjGO,IAAM,aAA0B,oBAAI,IAAI,CAAC,QAAQ,cAAc,CAAC;AAEhE,IAAM,cAA2B,oBAAI,IAAI;AAAA,EAC9C;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,aAA0B,oBAAI,IAAI;AAAA,EAC7C;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,eAA4B,oBAAI,IAAI,CAAC,QAAQ,QAAQ,IAAI,CAAC;AAEhE,IAAM,YAAyB,oBAAI,IAAI,CAAC,aAAa,UAAU,CAAC;AAEhE,IAAM,cAA2B,oBAAI,IAAI;AAAA,EAC9C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,IAAM,qBAAqB;AAAA,EACzB,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AACL;AAEA,IAAM,qBAAkD;AAAA,EACtD,MAAM,IAAI,IAAI,kBAAkB;AAAA,EAChC,SAAS,IAAI,IAAI,kBAAkB;AAAA,EACnC,aAAa,oBAAI,IAAI,CAAC,GAAG,oBAAoB,GAAG,WAAW,CAAC;AAAA,EAC5D,MAAM,IAAI,IAAI,kBAAkB;AAClC;AAEO,SAAS,qBACd,UACA,MACS;AACT,MAAI,SAAS,qBAAqB;AAChC,WAAO;AAAA,EACT;AACA,MAAI,mBAAmB,IAAI,GAAG,IAAI,QAAQ,MAAM,MAAM;AACpD,WAAO;AAAA,EACT;AACA,MAAI,kBAAkB,QAAQ,GAAG;AAC/B,WAAO;AAAA,EACT;AACA,SAAO;AACT;","names":[]}
+{"version":3,"sources":["../../../src/utils/common.ts","../../../src/execution-mode.ts","../../../src/adapters/claude/mcp/tool-metadata.ts","../../../src/adapters/claude/tools.ts"],"sourcesContent":["import type { Logger } from \"./logger\";\n\n/**\n * Races an operation against a timeout.\n * Returns success with the value if the operation completes in time,\n * or timeout if the operation takes longer than the specified duration.\n */\nexport async function withTimeout<T>(\n  operation: Promise<T>,\n  timeoutMs: number,\n): Promise<{ result: \"success\"; value: T } | { result: \"timeout\" }> {\n  const timeoutPromise = new Promise<{ result: \"timeout\" }>((resolve) =>\n    setTimeout(() => resolve({ result: \"timeout\" }), timeoutMs),\n  );\n  const operationPromise = operation.then((value) => ({\n    result: \"success\" as const,\n    value,\n  }));\n  return Promise.race([operationPromise, timeoutPromise]);\n}\n\nexport const IS_ROOT =\n  typeof process !== \"undefined\" &&\n  (process.geteuid?.() ?? process.getuid?.()) === 0;\n\nexport const ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;\n\nexport function unreachable(value: never, logger: Logger): void {\n  let valueAsString: string;\n  try {\n    valueAsString = JSON.stringify(value);\n  } catch {\n    valueAsString = String(value);\n  }\n  logger.error(`Unexpected case: ${valueAsString}`);\n}\n","import { ALLOW_BYPASS } from \"./utils/common\";\n\nexport interface ModeInfo {\n  id: string;\n  name: string;\n  description: string;\n}\n\nconst availableModes: ModeInfo[] = [\n  {\n    id: \"default\",\n    name: \"Default\",\n    description: \"Standard behavior, prompts for dangerous operations\",\n  },\n  {\n    id: \"acceptEdits\",\n    name: \"Accept Edits\",\n    description: \"Auto-accept file edit operations\",\n  },\n  {\n    id: \"plan\",\n    name: \"Plan Mode\",\n    description: \"Planning mode, no actual tool execution\",\n  },\n];\n\nif (ALLOW_BYPASS) {\n  availableModes.push(\n    {\n      id: \"bypassPermissions\",\n      name: \"Bypass Permissions\",\n      description: \"Auto-accept all permission requests\",\n    },\n    {\n      id: \"auto\",\n      name: \"Auto Mode\",\n      description: \"Use a model classifier to approve/deny permission prompts\",\n    },\n  );\n}\n\n// Expose execution mode IDs in type-safe order for type checks\nexport const CODE_EXECUTION_MODES = [\n  \"default\",\n  \"acceptEdits\",\n  \"plan\",\n  \"bypassPermissions\",\n  \"auto\",\n] as const;\n\nexport type CodeExecutionMode = (typeof CODE_EXECUTION_MODES)[number];\n\nexport function isCodeExecutionMode(mode: string): mode is CodeExecutionMode {\n  return (CODE_EXECUTION_MODES as readonly string[]).includes(mode);\n}\n\nexport function getAvailableModes(): ModeInfo[] {\n  return ALLOW_BYPASS\n    ? availableModes\n    : availableModes.filter((m) => m.id !== \"bypassPermissions\");\n}\n\n// --- Codex-native modes ---\n\nexport const CODEX_NATIVE_MODES = [\"auto\", \"read-only\", \"full-access\"] as const;\n\nexport type CodexNativeMode = (typeof CODEX_NATIVE_MODES)[number];\n\n/** Union of all permission mode IDs across adapters */\nexport type PermissionMode = CodeExecutionMode | CodexNativeMode;\n\nexport function isCodexNativeMode(mode: string): mode is CodexNativeMode {\n  return (CODEX_NATIVE_MODES as readonly string[]).includes(mode);\n}\n\nconst codexModes: ModeInfo[] = [\n  {\n    id: \"read-only\",\n    name: \"Read Only\",\n    description: \"Read-only access, no file modifications\",\n  },\n  {\n    id: \"auto\",\n    name: \"Auto\",\n    description: \"Standard behavior, prompts for dangerous operations\",\n  },\n];\n\nif (ALLOW_BYPASS) {\n  codexModes.push({\n    id: \"full-access\",\n    name: \"Full Access\",\n    description: \"Auto-accept all permission requests\",\n  });\n}\n\nexport function getAvailableCodexModes(): ModeInfo[] {\n  return ALLOW_BYPASS\n    ? codexModes\n    : codexModes.filter((m) => m.id !== \"full-access\");\n}\n","import type { McpServerStatus, Query } from \"@anthropic-ai/claude-agent-sdk\";\nimport { Logger } from \"../../../utils/logger\";\n\nexport type McpToolApprovalState = \"approved\" | \"needs_approval\" | \"do_not_use\";\n\n/** Maps MCP tool keys (e.g. `mcp__server__tool`) to their backend approval state. */\nexport type McpToolApprovals = Record<string, McpToolApprovalState>;\n\nexport interface McpToolMetadata {\n  readOnly: boolean;\n  name: string;\n  description?: string;\n  approvalState?: McpToolApprovalState;\n}\n\nconst mcpToolMetadataCache: Map<string, McpToolMetadata> = new Map();\n\nconst PENDING_RETRY_INTERVAL_MS = 1_000;\nconst PENDING_MAX_RETRIES = 10;\n\nexport function sanitizeMcpServerName(name: string): string {\n  return name.replace(/[^a-zA-Z0-9_-]/g, \"_\");\n}\n\nfunction buildToolKey(serverName: string, toolName: string): string {\n  return `mcp__${serverName}__${toolName}`;\n}\n\nfunction delay(ms: number): Promise<void> {\n  return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\nexport async function fetchMcpToolMetadata(\n  q: Query,\n  logger: Logger = new Logger({ debug: false, prefix: \"[McpToolMetadata]\" }),\n): Promise<void> {\n  let retries = 0;\n\n  while (retries <= PENDING_MAX_RETRIES) {\n    let statuses: McpServerStatus[];\n    try {\n      statuses = await q.mcpServerStatus();\n    } catch (error) {\n      logger.error(\"Failed to fetch MCP server status\", {\n        error: error instanceof Error ? error.message : String(error),\n      });\n      return;\n    }\n\n    const pendingServers = statuses.filter((s) => s.status === \"pending\");\n\n    for (const server of statuses) {\n      if (server.status !== \"connected\" || !server.tools) {\n        continue;\n      }\n\n      let readOnlyCount = 0;\n      for (const tool of server.tools) {\n        const toolKey = buildToolKey(server.name, tool.name);\n        const readOnly = tool.annotations?.readOnly === true;\n\n        const existing = mcpToolMetadataCache.get(toolKey);\n        mcpToolMetadataCache.set(toolKey, {\n          readOnly,\n          name: tool.name,\n          description: tool.description,\n          approvalState: existing?.approvalState,\n        });\n        if (readOnly) readOnlyCount++;\n      }\n\n      logger.info(\"Fetched MCP tool metadata\", {\n        serverName: server.name,\n        toolCount: server.tools.length,\n        readOnlyCount,\n      });\n    }\n\n    if (pendingServers.length === 0) {\n      return;\n    }\n\n    retries++;\n    if (retries > PENDING_MAX_RETRIES) {\n      logger.warn(\"Gave up waiting for pending MCP servers\", {\n        pendingServers: pendingServers.map((s) => s.name),\n      });\n      return;\n    }\n\n    logger.info(\"Waiting for pending MCP servers\", {\n      pendingServers: pendingServers.map((s) => s.name),\n      retry: retries,\n    });\n    await delay(PENDING_RETRY_INTERVAL_MS);\n  }\n}\n\nexport function getMcpToolMetadata(\n  toolName: string,\n): McpToolMetadata | undefined {\n  return mcpToolMetadataCache.get(toolName);\n}\n\nexport function isMcpToolReadOnly(toolName: string): boolean {\n  const metadata = mcpToolMetadataCache.get(toolName);\n  return metadata?.readOnly === true;\n}\n\nexport function getConnectedMcpServerNames(): string[] {\n  const names = new Set<string>();\n  for (const key of mcpToolMetadataCache.keys()) {\n    const parts = key.split(\"__\");\n    if (parts.length >= 3) names.add(parts[1]);\n  }\n  return [...names];\n}\n\nexport function getMcpToolApprovalState(\n  toolName: string,\n): McpToolApprovalState | undefined {\n  return mcpToolMetadataCache.get(toolName)?.approvalState;\n}\n\nexport function setMcpToolApprovalStates(approvals: McpToolApprovals): void {\n  for (const [toolKey, approvalState] of Object.entries(approvals)) {\n    const existing = mcpToolMetadataCache.get(toolKey);\n    if (existing) {\n      existing.approvalState = approvalState;\n    } else {\n      mcpToolMetadataCache.set(toolKey, {\n        readOnly: false,\n        name: toolKey,\n        approvalState,\n      });\n    }\n  }\n}\n\nexport function clearMcpToolMetadataCache(): void {\n  mcpToolMetadataCache.clear();\n}\n","export {\n  CODE_EXECUTION_MODES,\n  type CodeExecutionMode,\n  getAvailableModes,\n  type ModeInfo,\n} from \"../../execution-mode\";\n\nimport type { CodeExecutionMode } from \"../../execution-mode\";\nimport { isMcpToolReadOnly } from \"./mcp/tool-metadata\";\n\nexport const READ_TOOLS: Set<string> = new Set([\"Read\", \"NotebookRead\"]);\n\nexport const WRITE_TOOLS: Set<string> = new Set([\n  \"Edit\",\n  \"Write\",\n  \"NotebookEdit\",\n]);\n\nexport const BASH_TOOLS: Set<string> = new Set([\n  \"Bash\",\n  \"BashOutput\",\n  \"KillShell\",\n]);\n\nexport const SEARCH_TOOLS: Set<string> = new Set([\"Glob\", \"Grep\", \"LS\"]);\n\nexport const WEB_TOOLS: Set<string> = new Set([\"WebSearch\", \"WebFetch\"]);\n\nexport const AGENT_TOOLS: Set<string> = new Set([\n  \"Task\",\n  \"Agent\",\n  \"TodoWrite\",\n  \"Skill\",\n]);\n\nconst BASE_ALLOWED_TOOLS = [\n  ...READ_TOOLS,\n  ...SEARCH_TOOLS,\n  ...WEB_TOOLS,\n  ...AGENT_TOOLS,\n];\n\nconst AUTO_ALLOWED_TOOLS: Record<string, Set<string>> = {\n  auto: new Set(BASE_ALLOWED_TOOLS),\n  default: new Set(BASE_ALLOWED_TOOLS),\n  acceptEdits: new Set([...BASE_ALLOWED_TOOLS, ...WRITE_TOOLS]),\n  plan: new Set(BASE_ALLOWED_TOOLS),\n};\n\nexport function isToolAllowedForMode(\n  toolName: string,\n  mode: CodeExecutionMode,\n): boolean {\n  if (mode === \"bypassPermissions\") {\n    return true;\n  }\n  if (AUTO_ALLOWED_TOOLS[mode]?.has(toolName) === true) {\n    return true;\n  }\n  if (isMcpToolReadOnly(toolName)) {\n    return true;\n  }\n  return false;\n}\n"],"mappings":";AAqBO,IAAM,UACX,OAAO,YAAY,gBAClB,QAAQ,UAAU,KAAK,QAAQ,SAAS,OAAO;AAE3C,IAAM,eAAe,CAAC,WAAW,CAAC,CAAC,QAAQ,IAAI;;;ACjBtD,IAAM,iBAA6B;AAAA,EACjC;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAEA,IAAI,cAAc;AAChB,iBAAe;AAAA,IACb;AAAA,MACE,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,EACF;AACF;AAGO,IAAM,uBAAuB;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAQO,SAAS,oBAAgC;AAC9C,SAAO,eACH,iBACA,eAAe,OAAO,CAAC,MAAM,EAAE,OAAO,mBAAmB;AAC/D;AAeA,IAAM,aAAyB;AAAA,EAC7B;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA;AAAA,IACE,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AACF;AAEA,IAAI,cAAc;AAChB,aAAW,KAAK;AAAA,IACd,IAAI;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf,CAAC;AACH;;;AC/EA,IAAM,uBAAqD,oBAAI,IAAI;AAyF5D,SAAS,kBAAkB,UAA2B;AAC3D,QAAM,WAAW,qBAAqB,IAAI,QAAQ;AAClD,SAAO,UAAU,aAAa;AAChC;;;ACjGO,IAAM,aAA0B,oBAAI,IAAI,CAAC,QAAQ,cAAc,CAAC;AAEhE,IAAM,cAA2B,oBAAI,IAAI;AAAA,EAC9C;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,aAA0B,oBAAI,IAAI;AAAA,EAC7C;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,IAAM,eAA4B,oBAAI,IAAI,CAAC,QAAQ,QAAQ,IAAI,CAAC;AAEhE,IAAM,YAAyB,oBAAI,IAAI,CAAC,aAAa,UAAU,CAAC;AAEhE,IAAM,cAA2B,oBAAI,IAAI;AAAA,EAC9C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,IAAM,qBAAqB;AAAA,EACzB,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AAAA,EACH,GAAG;AACL;AAEA,IAAM,qBAAkD;AAAA,EACtD,MAAM,IAAI,IAAI,kBAAkB;AAAA,EAChC,SAAS,IAAI,IAAI,kBAAkB;AAAA,EACnC,aAAa,oBAAI,IAAI,CAAC,GAAG,oBAAoB,GAAG,WAAW,CAAC;AAAA,EAC5D,MAAM,IAAI,IAAI,kBAAkB;AAClC;AAEO,SAAS,qBACd,UACA,MACS;AACT,MAAI,SAAS,qBAAqB;AAChC,WAAO;AAAA,EACT;AACA,MAAI,mBAAmB,IAAI,GAAG,IAAI,QAAQ,MAAM,MAAM;AACpD,WAAO;AAAA,EACT;AACA,MAAI,kBAAkB,QAAQ,GAAG;AAC/B,WAAO;AAAA,EACT;AACA,SAAO;AACT;","names":[]}

package/dist/agent.js

@@ -4030,7 +4030,7 @@ import { v7 as uuidv7 } from "uuid";
 // package.json
 var package_default = {
   name: "@posthog/agent",
-  version: "2.3.403",
+  version: "2.3.418",
   repository: "https://github.com/PostHog/code",
   description: "TypeScript agent framework wrapping Claude Agent SDK with Git-based task execution for PostHog",
   exports: {
@@ -7974,6 +7974,8 @@ var ParseResult = class {
     return this.calls.filter((c) => CAPTURE_METHODS.has(c.method)).map((c) => ({
       name: c.key,
       line: c.line,
+      keyStartCol: c.keyStartCol,
+      keyEndCol: c.keyEndCol,
       dynamic: c.dynamic ?? false,
       viaWrapper: c.viaWrapper,
       inJsx: c.inJsx
@@ -7984,6 +7986,8 @@ var ParseResult = class {
       method: c.method,
       flagKey: c.key,
       line: c.line,
+      keyStartCol: c.keyStartCol,
+      keyEndCol: c.keyEndCol,
       viaWrapper: c.viaWrapper,
       inJsx: c.inJsx
     }));
@@ -8133,6 +8137,15 @@ var PostHogEnricher = class {
       settled[4]
     );
   }
+  /**
+   * Detect wrapper functions (functions that internally call a PostHog SDK
+   * method) defined in the given source. Used by callers like `enrichSource`
+   * to pick up same-file wrappers such as `track(...)` without threading
+   * through filesystem I/O.
+   */
+  async findWrappersInSource(source, languageId) {
+    return this.detector.findWrappers(source, languageId);
+  }
   async parseFile(filePath) {
     const ext = path3.extname(filePath).toLowerCase();
     const languageId = EXT_TO_LANG_ID[ext];
@@ -8333,6 +8346,7 @@ async function withTimeout(operation, timeoutMs) {
   return Promise.race([operationPromise, timeoutPromise]);
 }
 var IS_ROOT = typeof process !== "undefined" && (process.geteuid?.() ?? process.getuid?.()) === 0;
+var ALLOW_BYPASS = !IS_ROOT || !!process.env.IS_SANDBOX;
 function unreachable(value, logger) {
   let valueAsString;
   try {
@@ -10157,7 +10171,6 @@ function normalizeAskUserQuestionInput(input) {
 }
 
 // src/execution-mode.ts
-var ALLOW_BYPASS = !IS_ROOT;
 var availableModes = [
   {
     id: "default",
@@ -10200,7 +10213,7 @@ function isCodeExecutionMode(mode) {
   return CODE_EXECUTION_MODES.includes(mode);
 }
 function getAvailableModes() {
-  return IS_ROOT ? availableModes.filter((m) => m.id !== "bypassPermissions") : availableModes;
+  return ALLOW_BYPASS ? availableModes : availableModes.filter((m) => m.id !== "bypassPermissions");
 }
 var CODEX_NATIVE_MODES = ["auto", "read-only", "full-access"];
 function isCodexNativeMode(mode) {
@@ -10333,10 +10346,9 @@ function buildPermissionOptions(toolName, toolInput, repoRoot, suggestions) {
   }
   return permissionOptions("Yes, always allow");
 }
-var ALLOW_BYPASS2 = !IS_ROOT || !!process.env.IS_SANDBOX;
 function buildExitPlanModePermissionOptions() {
   const options = [];
-  if (ALLOW_BYPASS2) {
+  if (ALLOW_BYPASS) {
     options.push({
       kind: "allow_always",
       name: "Yes, bypass all permissions",
@@ -10439,17 +10451,8 @@ async function requestPlanApproval(context, updatedInput) {
   });
 }
 async function applyPlanApproval(response, context, updatedInput) {
-  const { session } = context;
   if (response.outcome?.outcome === "selected" && (response.outcome.optionId === "auto" || response.outcome.optionId === "default" || response.outcome.optionId === "acceptEdits" || response.outcome.optionId === "bypassPermissions")) {
-    session.permissionMode = response.outcome.optionId;
-    await session.query.setPermissionMode(response.outcome.optionId);
-    await context.client.sessionUpdate({
-      sessionId: context.sessionId,
-      update: {
-        sessionUpdate: "current_mode_update",
-        currentModeId: response.outcome.optionId
-      }
-    });
+    await context.applySessionMode(response.outcome.optionId);
     await context.updateConfigOption("mode", response.outcome.optionId);
     return {
       behavior: "allow",
@@ -10470,9 +10473,8 @@ async function applyPlanApproval(response, context, updatedInput) {
   return { behavior: "deny", message, interrupt: !feedback };
 }
 async function handleEnterPlanModeTool(context) {
-  const { session, toolInput } = context;
-  session.permissionMode = "plan";
-  await session.query.setPermissionMode("plan");
+  const { toolInput } = context;
+  await context.applySessionMode("plan");
   await context.updateConfigOption("mode", "plan");
   return {
     behavior: "allow",
@@ -11187,7 +11189,7 @@ function buildSessionOptions(params) {
     stderr: (err2) => params.logger.error(err2),
     cwd: params.cwd,
     includePartialMessages: true,
-    allowDangerouslySkipPermissions: !IS_ROOT,
+    allowDangerouslySkipPermissions: !IS_ROOT || !!process.env.IS_SANDBOX,
     permissionMode: params.permissionMode,
     canUseTool: params.canUseTool,
     executable: "node",
@@ -17070,6 +17072,15 @@ var ClaudeAcpAgent = class extends BaseAcpAgent {
         configOptions: this.session.configOptions
       }
     });
+    if (configId === "mode") {
+      await this.client.sessionUpdate({
+        sessionId: this.sessionId,
+        update: {
+          sessionUpdate: "current_mode_update",
+          currentModeId: value
+        }
+      });
+    }
   }
   async applySessionMode(modeId) {
     if (!CODE_EXECUTION_MODES.includes(modeId)) {
@@ -17292,6 +17303,7 @@ var ClaudeAcpAgent = class extends BaseAcpAgent {
       fileContentCache: this.fileContentCache,
       logger: this.logger,
       updateConfigOption: (configId, value) => this.updateConfigOption(configId, value),
+      applySessionMode: (modeId) => this.applySessionMode(modeId),
       allowedDomains
     });
   }
@@ -18278,6 +18290,15 @@ var CodexAcpAgent = class extends BaseAcpAgent {
     if (response.configOptions) {
       this.sessionState.configOptions = response.configOptions;
     }
+    if (params.configId === "mode" && typeof params.value === "string") {
+      await this.client.sessionUpdate({
+        sessionId: this.sessionId,
+        update: {
+          sessionUpdate: "current_mode_update",
+          currentModeId: params.value
+        }
+      });
+    }
     return response;
   }
   async authenticate(_params) {