@probelabs/probe 0.6.0-rc254 → 0.6.0-rc256

package/README.md

@@ -23,6 +23,7 @@ During installation, the package will automatically download the appropriate pro
 - **Search Code**: Search for patterns in your codebase using Elasticsearch-like query syntax
 - **Query Code**: Find specific code structures using tree-sitter patterns
 - **Extract Code**: Extract code blocks from files based on file paths and line numbers
+- **Edit Code**: AI-powered code editing with text replacement (fuzzy matching), AST-aware symbol replace/insert across 16 languages, and line-targeted editing with optional hash-based integrity verification
 - **AI Tools Integration**: Ready-to-use tools for Vercel AI SDK, LangChain, and other AI frameworks
 - **System Message**: Default system message for AI assistants with instructions on using probe tools
 - **Cross-Platform**: Works on Windows, macOS, and Linux
@@ -91,7 +92,7 @@ const agent = new ProbeAgent({
   path: '/path/to/your/project',
   provider: 'anthropic',   // or 'openai', 'google'
   model: 'claude-3-5-sonnet-20241022',  // Optional: override model
-  allowEdit: false,        // Optional: enable code modification
+  allowEdit: true,         // Optional: enable edit + create tools for code modification
   debug: true,            // Optional: enable debug logging
   allowedTools: ['*'],    // Optional: filter available tools (see Tool Filtering below)
   enableMcp: true,        // Optional: enable MCP tool integration
@@ -292,8 +293,7 @@ const agent5 = new ProbeAgent({
 - `listFiles` - List files and directories
 - `searchFiles` - Find files by glob pattern
 - `bash` - Execute bash commands (requires `enableBash: true`)
-- `implement` - Implement features with aider (requires `allowEdit: true`)
-- `edit` - Edit files with exact string replacement (requires `allowEdit: true`)
+- `edit` - Edit files with text replacement, AST-aware symbol editing, or line-targeted editing (requires `allowEdit: true`)
 - `create` - Create new files (requires `allowEdit: true`)
 - `delegate` - Delegate tasks to subagents (requires `enableDelegate: true`)
 - `attempt_completion` - Signal task completion
@@ -327,6 +327,168 @@ probe agent "Analyze the architecture" --allowed-tools all
 - Blocked tools will not appear in the system message and cannot be executed
 - Use `allowedTools: []` for pure conversational AI without code analysis tools
 
+### Code Editing (Edit & Create Tools)
+
+Probe provides built-in code modification tools that work across all interfaces. The `edit` tool supports four modes: text-based find/replace with fuzzy matching, AST-aware symbol replacement, symbol insertion, and line-targeted editing with optional hash-based integrity verification.
+
+#### Enabling Edit Tools
+
+**CLI Agent:**
+```bash
+# Enable with --allow-edit flag
+probe agent "Fix the bug in auth.js" --allow-edit --path ./my-project
+
+# Enable with environment variable
+ALLOW_EDIT=1 probe agent "Refactor the login flow" --path ./my-project
+```
+
+**SDK (ProbeAgent):**
+```javascript
+import { ProbeAgent } from '@probelabs/probe';
+
+const agent = new ProbeAgent({
+  path: '/path/to/project',
+  allowEdit: true,       // enables edit + create tools
+  // hashLines defaults to true when allowEdit is true (line integrity verification)
+  provider: 'anthropic'
+});
+
+// The agent can now modify files when answering questions
+const answer = await agent.answer("Fix the off-by-one error in calculateTotal");
+```
+
+**SDK (Standalone Tools):**
+```javascript
+import { editTool, createTool } from '@probelabs/probe';
+
+const edit = editTool({
+  allowedFolders: ['/path/to/project'],
+  cwd: '/path/to/project'
+});
+
+const create = createTool({
+  allowedFolders: ['/path/to/project'],
+  cwd: '/path/to/project'
+});
+```
+
+#### Edit Tool Modes
+
+| Mode | Parameters | Use Case |
+|------|-----------|----------|
+| **Text edit** | `old_string` + `new_string` | Small, precise changes: fix a condition, rename a variable, update a value |
+| **Symbol replace** | `symbol` + `new_string` | Replace an entire function/class/method by name (AST-aware, 16 languages) |
+| **Symbol insert** | `symbol` + `new_string` + `position` | Insert new code before or after an existing symbol |
+| **Line-targeted edit** | `start_line` + `new_string` | Edit specific lines from extract/search output; ideal for changes inside large functions |
+
+#### Edit Tool Parameters
+
+| Parameter | Required | Description |
+|-----------|----------|-------------|
+| `file_path` | Yes | Path to the file to edit (absolute or relative to cwd) |
+| `new_string` | Yes | Replacement text or new code content |
+| `old_string` | No | Text to find and replace. Copy verbatim from the file. |
+| `replace_all` | No | Replace all occurrences (default: `false`, text mode only) |
+| `symbol` | No | Code symbol name for AST-aware editing (e.g. `"myFunction"`, `"MyClass.myMethod"`) |
+| `position` | No | `"before"` or `"after"` — insert near the symbol or line instead of replacing it |
+| `start_line` | No | Line reference for line-targeted editing (e.g. `"42"` or `"42:ab"` with hash) |
+| `end_line` | No | End of line range, inclusive (e.g. `"55"` or `"55:cd"`). Defaults to `start_line`. |
+
+#### Examples
+
+**Text edit — find and replace:**
+```javascript
+await edit.execute({
+  file_path: 'src/main.js',
+  old_string: 'return false;',
+  new_string: 'return true;'
+});
+// => "Successfully edited src/main.js (1 replacement)"
+```
+
+**Text edit — fuzzy matching handles whitespace differences:**
+```javascript
+// File has: "  const x = 1;"  (2-space indent)
+// Your search string omits the indent — fuzzy matching finds it anyway
+await edit.execute({
+  file_path: 'src/main.js',
+  old_string: 'const x = 1;',
+  new_string: '  const x = 2;'
+});
+// => "Successfully edited src/main.js (1 replacement, matched via line-trimmed)"
+```
+
+**Symbol replace — rewrite a function by name:**
+```javascript
+await edit.execute({
+  file_path: 'src/utils.js',
+  symbol: 'calculateTotal',
+  new_string: `function calculateTotal(items) {
+  return items.reduce((sum, item) => sum + item.price * item.quantity, 0);
+}`
+});
+// => "Successfully replaced symbol "calculateTotal" in src/utils.js (was lines 10-15, now 3 lines)"
+```
+
+**Symbol insert — add a new function after an existing one:**
+```javascript
+await edit.execute({
+  file_path: 'src/utils.js',
+  symbol: 'calculateTotal',
+  position: 'after',
+  new_string: `function calculateTax(total, rate) {
+  return total * rate;
+}`
+});
+// => "Successfully inserted 3 lines after symbol "calculateTotal" in src/utils.js (at line 16)"
+```
+
+**Line-targeted edit — edit specific lines from extract output:**
+```javascript
+// After extracting "src/order.js#processOrder" and seeing lines 143-145
+await edit.execute({
+  file_path: 'src/order.js',
+  start_line: '143',
+  end_line: '145',
+  new_string: '  const items = order.items.filter(i => i.active);'
+});
+// => "Successfully edited src/order.js (lines 143-145 replaced with 1 line)"
+```
+
+**Line-targeted edit — with hash integrity verification:**
+```javascript
+// Use the hash from extract output (e.g. "143:cd") for verification
+await edit.execute({
+  file_path: 'src/order.js',
+  start_line: '143:cd',
+  new_string: '  const items = order.items.filter(i => i.active);'
+});
+// If hash matches: edit succeeds
+// If hash doesn't match: error with updated reference for retry
+```
+
+**Create a new file:**
+```javascript
+await create.execute({
+  file_path: 'src/newModule.js',
+  content: `export function greet(name) {
+  return \`Hello, \${name}!\`;
+}`
+});
+// => "Successfully created src/newModule.js (52 bytes)"
+```
+
+#### Key Features
+
+- **Fuzzy matching**: Text mode automatically handles minor whitespace and indentation differences between your search string and the actual file content. Four strategies are tried in order: exact match, line-trimmed, whitespace-normalized, indent-flexible.
+- **AST-aware symbol editing**: Symbol mode uses tree-sitter to locate functions, classes, and methods by name across 16 languages (JavaScript, TypeScript, Python, Rust, Go, Java, C, C++, Ruby, PHP, Swift, Kotlin, Scala, C#, Lua, Zig).
+- **Auto-indentation**: Symbol mode automatically adjusts the indentation of `new_string` to match the original symbol's indentation level.
+- **Line-targeted editing**: Use line numbers from `extract`/`search` output to make precise edits inside large functions. Optional hash-based integrity verification detects stale references.
+- **Extract→Edit workflow**: Extract a function by symbol name (e.g. `"file.js#myFunction"`), then use the line numbers from the output to surgically edit specific lines with `start_line`/`end_line`.
+- **File state tracking**: Automatic per-session tracking ensures edits are never based on stale content. Files read via `search`/`extract` are tracked; edits to unread or modified files are blocked with recovery instructions.
+- **Self-healing errors**: All error messages include specific recovery instructions telling you (or the LLM) exactly how to fix the call and retry.
+- **Security**: Path traversal attacks are blocked — all file operations are restricted to `allowedFolders`.
+
 ### Using as an MCP Server
 
 Probe includes a built-in MCP (Model Context Protocol) server for integration with AI assistants:
@@ -844,6 +1006,7 @@ probe mcp --timeout 60
 
 ## Additional Documentation
 
+- [Edit & Create Tools](./docs/EDIT_CREATE_TOOLS.md) - Code editing with fuzzy matching, AST-aware symbol editing, and file creation
 - [Context Window Compaction](./CONTEXT_COMPACTION.md) - Automatic conversation history compression
 - [MCP Integration](./MCP_INTEGRATION_SUMMARY.md) - Model Context Protocol support details
 - [Delegate Tool](./DELEGATE_TOOL_README.md) - Task distribution to subagents

package/build/agent/ProbeAgent.d.ts

@@ -35,7 +35,7 @@ export interface ProbeAgentOptions {
   systemPrompt?: string;
   /** Predefined prompt type (persona) */
   promptType?: 'code-explorer' | 'code-searcher' | 'engineer' | 'code-review' | 'support' | 'architect';
-  /** Allow the use of the 'implement' tool for code editing */
+  /** Allow the use of the 'edit' and 'create' tools for code editing */
   allowEdit?: boolean;
   /** Enable the delegate tool for task distribution to subagents */
   enableDelegate?: boolean;

package/build/agent/ProbeAgent.js

@@ -57,7 +57,6 @@ import {
   useSkillToolDefinition,
   readImageToolDefinition,
   attemptCompletionToolDefinition,
-  implementToolDefinition,
   editToolDefinition,
   createToolDefinition,
   googleSearchToolDefinition,
@@ -66,6 +65,7 @@ import {
   parseXmlToolCallWithThinking
 } from './tools.js';
 import { createMessagePreview, detectUnrecognizedToolCall, detectStuckResponse, areBothStuckResponses } from '../tools/common.js';
+import { FileTracker } from '../tools/fileTracker.js';
 import {
   createWrappedTools,
   listFilesToolInstance,
@@ -83,7 +83,8 @@ import {
   isJsonSchemaDefinition,
   createSchemaDefinitionCorrectionPrompt,
   validateAndFixMermaidResponse,
-  tryAutoWrapForSimpleSchema
+  tryAutoWrapForSimpleSchema,
+  tryExtractValidJsonPrefix
 } from './schemaUtils.js';
 import { removeThinkingTags, extractThinkingContent } from './xmlParsingUtils.js';
 import { predefinedPrompts } from './shared/prompts.js';
@@ -178,7 +179,7 @@ export class ProbeAgent {
    * @param {string} [options.customPrompt] - Custom prompt to replace the default system message
    * @param {string} [options.systemPrompt] - Alias for customPrompt; takes precedence when both are provided
    * @param {string} [options.promptType] - Predefined prompt type (code-explorer, code-searcher, architect, code-review, support)
-   * @param {boolean} [options.allowEdit=false] - Allow the use of the 'implement' tool
+   * @param {boolean} [options.allowEdit=false] - Allow the use of the 'edit' and 'create' tools
    * @param {boolean} [options.enableDelegate=false] - Enable the delegate tool for task distribution to subagents
    * @param {boolean} [options.enableExecutePlan=false] - Enable the execute_plan DSL orchestration tool
    * @param {string} [options.architectureFileName] - Architecture context filename to embed from repo root (defaults to AGENTS.md with CLAUDE.md fallback; ARCHITECTURE.md is always included when present)
@@ -229,6 +230,7 @@ export class ProbeAgent {
     this.customPrompt = options.systemPrompt || options.customPrompt || null;
     this.promptType = options.promptType || 'code-explorer';
     this.allowEdit = !!options.allowEdit;
+    this.hashLines = options.hashLines !== undefined ? !!options.hashLines : this.allowEdit;
     this.enableDelegate = !!options.enableDelegate;
     this.enableExecutePlan = !!options.enableExecutePlan;
     this.debug = options.debug || process.env.DEBUG === '1';
@@ -328,7 +330,8 @@ export class ProbeAgent {
     if (this.debug) {
       console.log(`[DEBUG] Generated session ID for agent: ${this.sessionId}`);
       console.log(`[DEBUG] Maximum tool iterations configured: ${MAX_TOOL_ITERATIONS}`);
-      console.log(`[DEBUG] Allow Edit (implement tool): ${this.allowEdit}`);
+      console.log(`[DEBUG] Allow Edit: ${this.allowEdit}`);
+      console.log(`[DEBUG] Hash Lines: ${this.hashLines}`);
       console.log(`[DEBUG] Search delegation enabled: ${this.searchDelegate}`);
       console.log(`[DEBUG] Workspace root: ${this.workspaceRoot}`);
       console.log(`[DEBUG] Working directory (cwd): ${this.cwd}`);
@@ -831,9 +834,12 @@ export class ProbeAgent {
       cwd: this.cwd,
       workspaceRoot: this.workspaceRoot,
       allowedFolders: this.allowedFolders,
+      // File state tracking for safe multi-edit workflows (only when editing is enabled)
+      fileTracker: this.allowEdit ? new FileTracker({ debug: this.debug }) : null,
       outline: this.outline,
       searchDelegate: this.searchDelegate,
       allowEdit: this.allowEdit,
+      hashLines: this.hashLines,
       enableDelegate: this.enableDelegate,
       enableExecutePlan: this.enableExecutePlan,
       enableBash: this.enableBash,
@@ -2553,16 +2559,12 @@ ${extractGuidance}
     }
 
     // Edit tools (require both allowEdit flag AND allowedTools permission)
-    if (this.allowEdit && isToolAllowed('implement')) {
-      toolDefinitions += `${implementToolDefinition}\n`;
-    }
     if (this.allowEdit && isToolAllowed('edit')) {
       toolDefinitions += `${editToolDefinition}\n`;
     }
     if (this.allowEdit && isToolAllowed('create')) {
       toolDefinitions += `${createToolDefinition}\n`;
     }
-
     // Bash tool (require both enableBash flag AND allowedTools permission)
     if (this.enableBash && isToolAllowed('bash')) {
       toolDefinitions += `${bashToolDefinition}\n`;
@@ -2645,7 +2647,7 @@ The configuration is loaded from src/config.js lines 15-25 which contains the da
       availableToolsList += '- query: Search code using structural AST patterns.\n';
     }
     if (isToolAllowed('extract')) {
-      availableToolsList += '- extract: Extract specific code blocks or lines from files.\n';
+      availableToolsList += '- extract: Extract specific code blocks or lines from files. Use with symbol targets (e.g. "file.js#funcName") to get line numbers for line-targeted editing.\n';
     }
     if (isToolAllowed('listFiles')) {
       availableToolsList += '- listFiles: List files and directories in a specified location.\n';
@@ -2662,11 +2664,8 @@ The configuration is loaded from src/config.js lines 15-25 which contains the da
     if (isToolAllowed('readImage')) {
       availableToolsList += '- readImage: Read and load an image file for AI analysis.\n';
     }
-    if (this.allowEdit && isToolAllowed('implement')) {
-      availableToolsList += '- implement: Implement a feature or fix a bug using aider.\n';
-    }
     if (this.allowEdit && isToolAllowed('edit')) {
-      availableToolsList += '- edit: Edit files using exact string replacement.\n';
+      availableToolsList += '- edit: Edit files using text replacement, AST-aware symbol operations, or line-targeted editing.\n';
     }
     if (this.allowEdit && isToolAllowed('create')) {
       availableToolsList += '- create: Create new files with specified content.\n';
@@ -2757,8 +2756,14 @@ Follow these instructions carefully:
 8. Once the task is fully completed, use the '<attempt_completion>' tool to provide the final result. This is the ONLY way to signal completion.
 9. Prefer concise and focused search queries. Use specific keywords and phrases to narrow down results.${this.allowEdit ? `
 10. When modifying files, choose the appropriate tool:
-    - Use 'edit' for precise changes to existing files (requires exact string match)
-    - Use 'create' for new files or complete file rewrites` : ''}
+    - Use 'edit' for all code modifications:
+      * For small changes (a line or a few lines), use old_string + new_string — copy old_string verbatim from the file.
+      * For rewriting entire functions/classes/methods, use the symbol parameter instead (no exact text matching needed).
+      * For editing specific lines from search/extract output, use start_line (and optionally end_line) with the line numbers shown in the output.${this.hashLines ? ' Line references include content hashes (e.g. "42:ab") for integrity verification.' : ''}
+      * For editing inside large functions: first use extract with the symbol target (e.g. "file.js#myFunction") to see the function with line numbers${this.hashLines ? ' and hashes' : ''}, then use start_line/end_line to surgically edit specific lines within it.
+    - Use 'create' for new files or complete file rewrites.
+    - If an edit fails, read the error message — it tells you exactly how to fix the call and retry.
+    - The system tracks which files you've seen via search/extract. If you try to edit a file you haven't read, or one that changed since you last read it, the edit will fail with instructions to re-read first. Always use extract before editing to ensure you have current file content.` : ''}
 </instructions>
 `;
 
@@ -3023,8 +3028,9 @@ Follow these instructions carefully:
       // +1 for schema formatting
       // +2 for potential Mermaid validation retries (can be multiple diagrams)
       // +1 for potential JSON correction
-      const baseMaxIterations = this.maxIterations || MAX_TOOL_ITERATIONS;
-      const maxIterations = options.schema ? baseMaxIterations + 4 : baseMaxIterations;
+      // _maxIterationsOverride: used by correction calls to cap iterations (issue #447)
+      const baseMaxIterations = options._maxIterationsOverride || this.maxIterations || MAX_TOOL_ITERATIONS;
+      const maxIterations = (options._maxIterationsOverride) ? baseMaxIterations : (options.schema ? baseMaxIterations + 4 : baseMaxIterations);
 
       // Check if we're using CLI-based engines which handle their own agentic loop
       const isClaudeCode = this.clientApiProvider === 'claude-code' || process.env.USE_CLAUDE_CODE === 'true';
@@ -3420,8 +3426,11 @@ Follow these instructions carefully:
           validTools.push('attempt_completion');
 
           // Edit tools (require both allowEdit flag AND allowedTools permission)
-          if (this.allowEdit && this.allowedTools.isEnabled('implement')) {
-            validTools.push('implement', 'edit', 'create');
+          if (this.allowEdit && this.allowedTools.isEnabled('edit')) {
+            validTools.push('edit');
+          }
+          if (this.allowEdit && this.allowedTools.isEnabled('create')) {
+            validTools.push('create');
           }
           // Bash tool (require both enableBash flag AND allowedTools permission)
           if (this.enableBash && this.allowedTools.isEnabled('bash')) {
@@ -3804,6 +3813,7 @@ Follow these instructions carefully:
                       mcpConfigPath: this.mcpConfigPath, // Inherit MCP config path
                       enableBash: this.enableBash,      // Inherit bash enablement
                       bashConfig: this.bashConfig,      // Inherit bash configuration
+                      allowEdit: this.allowEdit,        // Inherit edit/create permission
                       allowedTools: allowedToolsForDelegate,  // Inherit allowed tools from parent
                       debug: this.debug,
                       tracer: this.tracer
@@ -4685,11 +4695,14 @@ Convert your previous response content into actual JSON data that follows this s
                 0
               );
               
+              // Strip schema from correction options to prevent inflated iteration budget (issue #447)
+              const { schema: _unusedSchema1, ...schemaDefCorrectionOptions } = options;
               finalResult = await this.answer(schemaDefinitionPrompt, [], {
-                ...options,
+                ...schemaDefCorrectionOptions,
                 _schemaFormatted: true,
                 _skipValidation: true,  // Skip validation in recursive correction calls to prevent loops
-                _completionPromptProcessed: true  // Prevent cascading completion prompts in retry calls
+                _completionPromptProcessed: true,  // Prevent cascading completion prompts in retry calls
+                _maxIterationsOverride: 3  // Correction should complete in 1-2 iterations (issue #447)
               });
               finalResult = cleanSchemaResponse(finalResult);
               validation = validateJsonResponse(finalResult);
@@ -4745,12 +4758,15 @@ Convert your previous response content into actual JSON data that follows this s
                 );
               }
               
+              // Strip schema from correction options to prevent inflated iteration budget (issue #447)
+              const { schema: _unusedSchema2, ...correctionOptions } = options;
               finalResult = await this.answer(correctionPrompt, [], {
-                ...options,
+                ...correctionOptions,
                 _schemaFormatted: true,
                 _skipValidation: true,  // Skip validation in recursive correction calls to prevent loops
                 _disableTools: true,    // Only allow attempt_completion - prevent AI from using search/query tools
-                _completionPromptProcessed: true  // Prevent cascading completion prompts in retry calls
+                _completionPromptProcessed: true,  // Prevent cascading completion prompts in retry calls
+                _maxIterationsOverride: 3  // Correction should complete in 1-2 iterations (issue #447)
               });
               finalResult = cleanSchemaResponse(finalResult);
               

package/build/agent/acp/tools.js

@@ -162,7 +162,8 @@ export class ACPToolManager {
         return ToolCallKind.extract;
       case 'delegate':
         return ToolCallKind.execute;
-      case 'implement':
+      case 'edit':
+      case 'create':
         return ToolCallKind.edit;
       default:
         return ToolCallKind.execute;

package/build/agent/acp/tools.test.js

@@ -117,7 +117,8 @@ describe('ACPToolManager', () => {
       expect(toolManager.getToolKind('query')).toBe(ToolCallKind.query);
       expect(toolManager.getToolKind('extract')).toBe(ToolCallKind.extract);
       expect(toolManager.getToolKind('delegate')).toBe(ToolCallKind.execute);
-      expect(toolManager.getToolKind('implement')).toBe(ToolCallKind.edit);
+      expect(toolManager.getToolKind('edit')).toBe(ToolCallKind.edit);
+      expect(toolManager.getToolKind('create')).toBe(ToolCallKind.edit);
       expect(toolManager.getToolKind('unknown')).toBe(ToolCallKind.execute);
     });
   });

package/build/agent/bashDefaults.js

@@ -30,13 +30,45 @@ export const DEFAULT_ALLOW_PATTERNS = [
   'tree', 'tree:*',
   
   // Git read-only operations
-  'git:status', 'git:log', 'git:log:*', 'git:diff', 'git:diff:*',
+  'git:status', 'git:status:*', 'git:log', 'git:log:*', 'git:diff', 'git:diff:*',
   'git:show', 'git:show:*', 'git:branch', 'git:branch:*',
   'git:tag', 'git:tag:*', 'git:describe', 'git:describe:*',
   'git:remote', 'git:remote:*', 'git:config:*',
-  'git:blame', 'git:blame:*', 'git:shortlog', 'git:reflog',
-  'git:ls-files', 'git:ls-tree', 'git:rev-parse', 'git:rev-list',
+  'git:blame', 'git:blame:*', 'git:shortlog', 'git:shortlog:*', 'git:reflog', 'git:reflog:*',
+  'git:ls-files', 'git:ls-files:*', 'git:ls-tree', 'git:ls-tree:*',
+  'git:ls-remote', 'git:ls-remote:*',
+  'git:rev-parse', 'git:rev-parse:*', 'git:rev-list', 'git:rev-list:*',
+  'git:cat-file', 'git:cat-file:*',
+  'git:diff-tree', 'git:diff-tree:*', 'git:diff-files', 'git:diff-files:*',
+  'git:diff-index', 'git:diff-index:*',
+  'git:for-each-ref', 'git:for-each-ref:*',
+  'git:merge-base', 'git:merge-base:*',
+  'git:name-rev', 'git:name-rev:*',
+  'git:count-objects', 'git:count-objects:*',
+  'git:verify-commit', 'git:verify-commit:*', 'git:verify-tag', 'git:verify-tag:*',
+  'git:check-ignore', 'git:check-ignore:*', 'git:check-attr', 'git:check-attr:*',
+  'git:stash:list', 'git:stash:show', 'git:stash:show:*',
+  'git:worktree:list', 'git:worktree:list:*',
+  'git:notes:list', 'git:notes:show', 'git:notes:show:*',
   'git:--version', 'git:help', 'git:help:*',
+
+  // GitHub CLI (gh) read-only operations
+  'gh:--version', 'gh:help', 'gh:help:*', 'gh:status',
+  'gh:auth:status', 'gh:auth:status:*',
+  'gh:issue:list', 'gh:issue:list:*', 'gh:issue:view', 'gh:issue:view:*',
+  'gh:issue:status', 'gh:issue:status:*',
+  'gh:pr:list', 'gh:pr:list:*', 'gh:pr:view', 'gh:pr:view:*',
+  'gh:pr:status', 'gh:pr:status:*', 'gh:pr:diff', 'gh:pr:diff:*',
+  'gh:pr:checks', 'gh:pr:checks:*',
+  'gh:repo:list', 'gh:repo:list:*', 'gh:repo:view', 'gh:repo:view:*',
+  'gh:release:list', 'gh:release:list:*', 'gh:release:view', 'gh:release:view:*',
+  'gh:run:list', 'gh:run:list:*', 'gh:run:view', 'gh:run:view:*',
+  'gh:workflow:list', 'gh:workflow:list:*', 'gh:workflow:view', 'gh:workflow:view:*',
+  'gh:gist:list', 'gh:gist:list:*', 'gh:gist:view', 'gh:gist:view:*',
+  'gh:search:issues', 'gh:search:issues:*', 'gh:search:prs', 'gh:search:prs:*',
+  'gh:search:repos', 'gh:search:repos:*', 'gh:search:code', 'gh:search:code:*',
+  'gh:search:commits', 'gh:search:commits:*',
+  'gh:api', 'gh:api:*',
   
   // Package managers (information only)
   'npm:list', 'npm:ls', 'npm:view', 'npm:info', 'npm:show',
@@ -165,9 +197,46 @@ export const DEFAULT_DENY_PATTERNS = [
   'sysctl:-w:*',
   
   // Dangerous git operations
-  'git:push', 'git:push:*', 'git:force', 'git:reset:--hard:*',
-  'git:clean:-fd', 'git:rm:*', 'git:commit', 'git:merge',
-  'git:rebase', 'git:cherry-pick', 'git:stash:drop',
+  'git:push', 'git:push:*', 'git:force', 'git:reset', 'git:reset:*',
+  'git:clean', 'git:clean:*', 'git:rm', 'git:rm:*',
+  'git:commit', 'git:commit:*', 'git:merge', 'git:merge:*',
+  'git:rebase', 'git:rebase:*', 'git:cherry-pick', 'git:cherry-pick:*',
+  'git:stash:drop', 'git:stash:drop:*', 'git:stash:pop', 'git:stash:pop:*',
+  'git:stash:push', 'git:stash:push:*', 'git:stash:clear',
+  'git:branch:-d', 'git:branch:-d:*', 'git:branch:-D', 'git:branch:-D:*',
+  'git:branch:--delete', 'git:branch:--delete:*',
+  'git:tag:-d', 'git:tag:-d:*', 'git:tag:--delete', 'git:tag:--delete:*',
+  'git:remote:remove', 'git:remote:remove:*', 'git:remote:rm', 'git:remote:rm:*',
+  'git:checkout:--force', 'git:checkout:--force:*',
+  'git:checkout:-f', 'git:checkout:-f:*',
+  'git:submodule:deinit', 'git:submodule:deinit:*',
+  'git:notes:add', 'git:notes:add:*', 'git:notes:remove', 'git:notes:remove:*',
+  'git:worktree:add', 'git:worktree:add:*',
+  'git:worktree:remove', 'git:worktree:remove:*',
+
+  // Dangerous GitHub CLI (gh) write operations
+  'gh:issue:create', 'gh:issue:create:*', 'gh:issue:close', 'gh:issue:close:*',
+  'gh:issue:delete', 'gh:issue:delete:*', 'gh:issue:edit', 'gh:issue:edit:*',
+  'gh:issue:reopen', 'gh:issue:reopen:*',
+  'gh:issue:comment', 'gh:issue:comment:*',
+  'gh:pr:create', 'gh:pr:create:*', 'gh:pr:close', 'gh:pr:close:*',
+  'gh:pr:merge', 'gh:pr:merge:*', 'gh:pr:edit', 'gh:pr:edit:*',
+  'gh:pr:reopen', 'gh:pr:reopen:*', 'gh:pr:review', 'gh:pr:review:*',
+  'gh:pr:comment', 'gh:pr:comment:*',
+  'gh:repo:create', 'gh:repo:create:*', 'gh:repo:delete', 'gh:repo:delete:*',
+  'gh:repo:fork', 'gh:repo:fork:*', 'gh:repo:rename', 'gh:repo:rename:*',
+  'gh:repo:archive', 'gh:repo:archive:*', 'gh:repo:clone', 'gh:repo:clone:*',
+  'gh:release:create', 'gh:release:create:*', 'gh:release:delete', 'gh:release:delete:*',
+  'gh:release:edit', 'gh:release:edit:*',
+  'gh:run:cancel', 'gh:run:cancel:*', 'gh:run:rerun', 'gh:run:rerun:*',
+  'gh:workflow:run', 'gh:workflow:run:*',
+  'gh:workflow:enable', 'gh:workflow:enable:*', 'gh:workflow:disable', 'gh:workflow:disable:*',
+  'gh:gist:create', 'gh:gist:create:*', 'gh:gist:delete', 'gh:gist:delete:*',
+  'gh:gist:edit', 'gh:gist:edit:*',
+  'gh:secret:set', 'gh:secret:set:*', 'gh:secret:delete', 'gh:secret:delete:*',
+  'gh:variable:set', 'gh:variable:set:*', 'gh:variable:delete', 'gh:variable:delete:*',
+  'gh:label:create', 'gh:label:create:*', 'gh:label:delete', 'gh:label:delete:*',
+  'gh:ssh-key:add', 'gh:ssh-key:add:*', 'gh:ssh-key:delete', 'gh:ssh-key:delete:*',
   
   // File system mounting and partitioning
   'mount', 'mount:*', 'umount', 'umount:*', 'fdisk', 'fdisk:*',