@probelabs/probe 0.6.0-rc254 → 0.6.0-rc256

package/index.d.ts

@@ -13,8 +13,10 @@ export interface ProbeAgentOptions {
   systemPrompt?: string;
   /** Predefined prompt type (persona) */
   promptType?: 'code-explorer' | 'engineer' | 'code-review' | 'support' | 'architect';
-  /** Allow the use of the 'implement' tool for code editing */
+  /** Allow the use of the 'edit' and 'create' tools for code editing */
   allowEdit?: boolean;
+  /** Annotate search/extract output with line hashes for integrity verification */
+  hashLines?: boolean;
   /** Architecture context filename to embed from repo root (defaults to AGENTS.md with CLAUDE.md fallback; ARCHITECTURE.md is always included when present) */
   architectureFileName?: string;
   /** Search directory path */
@@ -562,12 +564,196 @@ export declare function listFilesByLevel(
  */
 export declare const DEFAULT_SYSTEM_MESSAGE: string;
 
+/**
+ * Content record for a tracked symbol
+ */
+export interface ContentRecord {
+  /** SHA-256 content hash (first 16 hex chars) */
+  contentHash: string;
+  /** 1-indexed start line */
+  startLine: number;
+  /** 1-indexed end line */
+  endLine: number;
+  /** Symbol name, if from a symbol extract */
+  symbolName: string | null;
+  /** How the content was obtained: 'extract' or 'edit' */
+  source: string;
+  /** When the record was created (ms since epoch) */
+  timestamp: number;
+}
+
+/**
+ * Result of a staleness check
+ */
+export interface FileCheckResult {
+  /** Whether the file is safe to edit */
+  ok: boolean;
+  /** Reason for rejection: 'untracked' or 'stale' */
+  reason?: 'untracked' | 'stale';
+  /** Human-readable message explaining the rejection */
+  message?: string;
+}
+
+/**
+ * Compute a SHA-256 content hash for a code block.
+ * Normalizes trailing whitespace per line for robustness.
+ */
+export declare function computeContentHash(content: string): string;
+
+/**
+ * Per-session content-aware file state tracker for safe multi-edit workflows.
+ * Two-tier tracking: file-level "seen" flag + symbol-level content hashes.
+ * Edits proceed when the target symbol hasn't changed, even if other parts of the file changed.
+ */
+export declare class FileTracker {
+  constructor(options?: { debug?: boolean });
+
+  /** Mark a file as seen (read via search/extract) */
+  markFileSeen(resolvedPath: string): void;
+
+  /** Check if a file has been seen in this session */
+  isFileSeen(resolvedPath: string): boolean;
+
+  /** Store a content hash for a symbol */
+  trackSymbolContent(resolvedPath: string, symbolName: string, code: string, startLine: number, endLine: number, source?: string): void;
+
+  /** Look up a stored content record for a symbol */
+  getSymbolRecord(resolvedPath: string, symbolName: string): ContentRecord | null;
+
+  /** Check if a symbol's current content matches what was stored */
+  checkSymbolContent(resolvedPath: string, symbolName: string, currentCode: string): FileCheckResult;
+
+  /** Track files from extract target strings (marks as seen, hashes symbol targets) */
+  trackFilesFromExtract(targets: string[], cwd: string): Promise<void>;
+
+  /** Track files from probe search/extract output text (marks as seen) */
+  trackFilesFromOutput(output: string, cwd: string): Promise<void>;
+
+  /** Check if a file is safe to edit (seen-check only) */
+  checkBeforeEdit(resolvedPath: string): FileCheckResult;
+
+  /** Mark file as seen after write, invalidate content records */
+  trackFileAfterWrite(resolvedPath: string): Promise<void>;
+
+  /** Update stored hash after successful symbol write */
+  trackSymbolAfterWrite(resolvedPath: string, symbolName: string, code: string, startLine: number, endLine: number): void;
+
+  /** Remove all content records for a file */
+  invalidateFileRecords(resolvedPath: string): void;
+
+  /** Quick sync check if a file is being tracked (alias for isFileSeen) */
+  isTracked(resolvedPath: string): boolean;
+
+  /** Clear all tracking state */
+  clear(): void;
+}
+
+/**
+ * Edit tool configuration options
+ */
+export interface EditToolOptions {
+  /** Debug mode */
+  debug?: boolean;
+  /** Allowed directories for file operations */
+  allowedFolders?: string[];
+  /** Working directory for resolving relative paths */
+  cwd?: string;
+  /** Workspace root for relative path display */
+  workspaceRoot?: string;
+  /** File tracker for staleness detection (created automatically by ProbeAgent) */
+  fileTracker?: FileTracker;
+}
+
+/**
+ * Edit tool parameters (text mode)
+ */
+export interface EditTextParams {
+  /** Path to the file to edit */
+  file_path: string;
+  /** Text to find in the file (copy verbatim) */
+  old_string: string;
+  /** Replacement text */
+  new_string: string;
+  /** Replace all occurrences (default: false) */
+  replace_all?: boolean;
+}
+
+/**
+ * Edit tool parameters (symbol replace mode)
+ */
+export interface EditSymbolReplaceParams {
+  /** Path to the file to edit */
+  file_path: string;
+  /** Symbol name to replace (e.g. "myFunction", "MyClass.myMethod") */
+  symbol: string;
+  /** New code to replace the symbol with */
+  new_string: string;
+}
+
+/**
+ * Edit tool parameters (symbol insert mode)
+ */
+export interface EditSymbolInsertParams {
+  /** Path to the file to edit */
+  file_path: string;
+  /** Symbol name to insert near */
+  symbol: string;
+  /** New code to insert */
+  new_string: string;
+  /** Insert before or after the symbol */
+  position: 'before' | 'after';
+}
+
+/**
+ * Line-targeted edit parameters
+ */
+export interface EditLineTargetedParams {
+  /** Path to the file to edit */
+  file_path: string;
+  /** New code content */
+  new_string: string;
+  /** Line reference (e.g. "42" or "42:ab" with hash) */
+  start_line: string;
+  /** End of line range, inclusive (e.g. "55" or "55:cd"). Defaults to start_line. */
+  end_line?: string;
+  /** Insert before or after the line instead of replacing */
+  position?: 'before' | 'after';
+}
+
+/**
+ * Create tool parameters
+ */
+export interface CreateParams {
+  /** Path where the file should be created */
+  file_path: string;
+  /** Content to write to the file */
+  content: string;
+  /** Overwrite if file exists (default: false) */
+  overwrite?: boolean;
+}
+
+/**
+ * Create edit tool instance
+ */
+export declare function editTool(options?: EditToolOptions): {
+  execute(params: EditTextParams | EditSymbolReplaceParams | EditSymbolInsertParams | EditLineTargetedParams): Promise<string>;
+};
+
+/**
+ * Create create tool instance
+ */
+export declare function createTool(options?: EditToolOptions): {
+  execute(params: CreateParams): Promise<string>;
+};
+
 /**
  * Schema definitions
  */
 export declare const searchSchema: any;
 export declare const querySchema: any;
 export declare const extractSchema: any;
+export declare const editSchema: any;
+export declare const createSchema: any;
 export declare const attemptCompletionSchema: any;
 
 /**
@@ -576,6 +762,8 @@ export declare const attemptCompletionSchema: any;
 export declare const searchToolDefinition: any;
 export declare const queryToolDefinition: any;
 export declare const extractToolDefinition: any;
+export declare const editToolDefinition: string;
+export declare const createToolDefinition: string;
 export declare const attemptCompletionToolDefinition: any;
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@probelabs/probe",
-  "version": "0.6.0-rc254",
+  "version": "0.6.0-rc256",
   "description": "Node.js wrapper for the probe code search tool",
   "main": "src/index.js",
   "module": "src/index.js",

package/src/agent/ProbeAgent.d.ts

@@ -35,7 +35,7 @@ export interface ProbeAgentOptions {
   systemPrompt?: string;
   /** Predefined prompt type (persona) */
   promptType?: 'code-explorer' | 'code-searcher' | 'engineer' | 'code-review' | 'support' | 'architect';
-  /** Allow the use of the 'implement' tool for code editing */
+  /** Allow the use of the 'edit' and 'create' tools for code editing */
   allowEdit?: boolean;
   /** Enable the delegate tool for task distribution to subagents */
   enableDelegate?: boolean;

package/src/agent/ProbeAgent.js

@@ -57,7 +57,6 @@ import {
   useSkillToolDefinition,
   readImageToolDefinition,
   attemptCompletionToolDefinition,
-  implementToolDefinition,
   editToolDefinition,
   createToolDefinition,
   googleSearchToolDefinition,
@@ -66,6 +65,7 @@ import {
   parseXmlToolCallWithThinking
 } from './tools.js';
 import { createMessagePreview, detectUnrecognizedToolCall, detectStuckResponse, areBothStuckResponses } from '../tools/common.js';
+import { FileTracker } from '../tools/fileTracker.js';
 import {
   createWrappedTools,
   listFilesToolInstance,
@@ -83,7 +83,8 @@ import {
   isJsonSchemaDefinition,
   createSchemaDefinitionCorrectionPrompt,
   validateAndFixMermaidResponse,
-  tryAutoWrapForSimpleSchema
+  tryAutoWrapForSimpleSchema,
+  tryExtractValidJsonPrefix
 } from './schemaUtils.js';
 import { removeThinkingTags, extractThinkingContent } from './xmlParsingUtils.js';
 import { predefinedPrompts } from './shared/prompts.js';
@@ -178,7 +179,7 @@ export class ProbeAgent {
    * @param {string} [options.customPrompt] - Custom prompt to replace the default system message
    * @param {string} [options.systemPrompt] - Alias for customPrompt; takes precedence when both are provided
    * @param {string} [options.promptType] - Predefined prompt type (code-explorer, code-searcher, architect, code-review, support)
-   * @param {boolean} [options.allowEdit=false] - Allow the use of the 'implement' tool
+   * @param {boolean} [options.allowEdit=false] - Allow the use of the 'edit' and 'create' tools
    * @param {boolean} [options.enableDelegate=false] - Enable the delegate tool for task distribution to subagents
    * @param {boolean} [options.enableExecutePlan=false] - Enable the execute_plan DSL orchestration tool
    * @param {string} [options.architectureFileName] - Architecture context filename to embed from repo root (defaults to AGENTS.md with CLAUDE.md fallback; ARCHITECTURE.md is always included when present)
@@ -229,6 +230,7 @@ export class ProbeAgent {
     this.customPrompt = options.systemPrompt || options.customPrompt || null;
     this.promptType = options.promptType || 'code-explorer';
     this.allowEdit = !!options.allowEdit;
+    this.hashLines = options.hashLines !== undefined ? !!options.hashLines : this.allowEdit;
     this.enableDelegate = !!options.enableDelegate;
     this.enableExecutePlan = !!options.enableExecutePlan;
     this.debug = options.debug || process.env.DEBUG === '1';
@@ -328,7 +330,8 @@ export class ProbeAgent {
     if (this.debug) {
       console.log(`[DEBUG] Generated session ID for agent: ${this.sessionId}`);
       console.log(`[DEBUG] Maximum tool iterations configured: ${MAX_TOOL_ITERATIONS}`);
-      console.log(`[DEBUG] Allow Edit (implement tool): ${this.allowEdit}`);
+      console.log(`[DEBUG] Allow Edit: ${this.allowEdit}`);
+      console.log(`[DEBUG] Hash Lines: ${this.hashLines}`);
       console.log(`[DEBUG] Search delegation enabled: ${this.searchDelegate}`);
       console.log(`[DEBUG] Workspace root: ${this.workspaceRoot}`);
       console.log(`[DEBUG] Working directory (cwd): ${this.cwd}`);
@@ -831,9 +834,12 @@ export class ProbeAgent {
       cwd: this.cwd,
       workspaceRoot: this.workspaceRoot,
       allowedFolders: this.allowedFolders,
+      // File state tracking for safe multi-edit workflows (only when editing is enabled)
+      fileTracker: this.allowEdit ? new FileTracker({ debug: this.debug }) : null,
       outline: this.outline,
       searchDelegate: this.searchDelegate,
       allowEdit: this.allowEdit,
+      hashLines: this.hashLines,
       enableDelegate: this.enableDelegate,
       enableExecutePlan: this.enableExecutePlan,
       enableBash: this.enableBash,
@@ -2553,16 +2559,12 @@ ${extractGuidance}
     }
 
     // Edit tools (require both allowEdit flag AND allowedTools permission)
-    if (this.allowEdit && isToolAllowed('implement')) {
-      toolDefinitions += `${implementToolDefinition}\n`;
-    }
     if (this.allowEdit && isToolAllowed('edit')) {
       toolDefinitions += `${editToolDefinition}\n`;
     }
     if (this.allowEdit && isToolAllowed('create')) {
       toolDefinitions += `${createToolDefinition}\n`;
     }
-
     // Bash tool (require both enableBash flag AND allowedTools permission)
     if (this.enableBash && isToolAllowed('bash')) {
       toolDefinitions += `${bashToolDefinition}\n`;
@@ -2645,7 +2647,7 @@ The configuration is loaded from src/config.js lines 15-25 which contains the da
       availableToolsList += '- query: Search code using structural AST patterns.\n';
     }
     if (isToolAllowed('extract')) {
-      availableToolsList += '- extract: Extract specific code blocks or lines from files.\n';
+      availableToolsList += '- extract: Extract specific code blocks or lines from files. Use with symbol targets (e.g. "file.js#funcName") to get line numbers for line-targeted editing.\n';
     }
     if (isToolAllowed('listFiles')) {
       availableToolsList += '- listFiles: List files and directories in a specified location.\n';
@@ -2662,11 +2664,8 @@ The configuration is loaded from src/config.js lines 15-25 which contains the da
     if (isToolAllowed('readImage')) {
       availableToolsList += '- readImage: Read and load an image file for AI analysis.\n';
     }
-    if (this.allowEdit && isToolAllowed('implement')) {
-      availableToolsList += '- implement: Implement a feature or fix a bug using aider.\n';
-    }
     if (this.allowEdit && isToolAllowed('edit')) {
-      availableToolsList += '- edit: Edit files using exact string replacement.\n';
+      availableToolsList += '- edit: Edit files using text replacement, AST-aware symbol operations, or line-targeted editing.\n';
     }
     if (this.allowEdit && isToolAllowed('create')) {
       availableToolsList += '- create: Create new files with specified content.\n';
@@ -2757,8 +2756,14 @@ Follow these instructions carefully:
 8. Once the task is fully completed, use the '<attempt_completion>' tool to provide the final result. This is the ONLY way to signal completion.
 9. Prefer concise and focused search queries. Use specific keywords and phrases to narrow down results.${this.allowEdit ? `
 10. When modifying files, choose the appropriate tool:
-    - Use 'edit' for precise changes to existing files (requires exact string match)
-    - Use 'create' for new files or complete file rewrites` : ''}
+    - Use 'edit' for all code modifications:
+      * For small changes (a line or a few lines), use old_string + new_string — copy old_string verbatim from the file.
+      * For rewriting entire functions/classes/methods, use the symbol parameter instead (no exact text matching needed).
+      * For editing specific lines from search/extract output, use start_line (and optionally end_line) with the line numbers shown in the output.${this.hashLines ? ' Line references include content hashes (e.g. "42:ab") for integrity verification.' : ''}
+      * For editing inside large functions: first use extract with the symbol target (e.g. "file.js#myFunction") to see the function with line numbers${this.hashLines ? ' and hashes' : ''}, then use start_line/end_line to surgically edit specific lines within it.
+    - Use 'create' for new files or complete file rewrites.
+    - If an edit fails, read the error message — it tells you exactly how to fix the call and retry.
+    - The system tracks which files you've seen via search/extract. If you try to edit a file you haven't read, or one that changed since you last read it, the edit will fail with instructions to re-read first. Always use extract before editing to ensure you have current file content.` : ''}
 </instructions>
 `;
 
@@ -3023,8 +3028,9 @@ Follow these instructions carefully:
       // +1 for schema formatting
       // +2 for potential Mermaid validation retries (can be multiple diagrams)
       // +1 for potential JSON correction
-      const baseMaxIterations = this.maxIterations || MAX_TOOL_ITERATIONS;
-      const maxIterations = options.schema ? baseMaxIterations + 4 : baseMaxIterations;
+      // _maxIterationsOverride: used by correction calls to cap iterations (issue #447)
+      const baseMaxIterations = options._maxIterationsOverride || this.maxIterations || MAX_TOOL_ITERATIONS;
+      const maxIterations = (options._maxIterationsOverride) ? baseMaxIterations : (options.schema ? baseMaxIterations + 4 : baseMaxIterations);
 
       // Check if we're using CLI-based engines which handle their own agentic loop
       const isClaudeCode = this.clientApiProvider === 'claude-code' || process.env.USE_CLAUDE_CODE === 'true';
@@ -3420,8 +3426,11 @@ Follow these instructions carefully:
           validTools.push('attempt_completion');
 
           // Edit tools (require both allowEdit flag AND allowedTools permission)
-          if (this.allowEdit && this.allowedTools.isEnabled('implement')) {
-            validTools.push('implement', 'edit', 'create');
+          if (this.allowEdit && this.allowedTools.isEnabled('edit')) {
+            validTools.push('edit');
+          }
+          if (this.allowEdit && this.allowedTools.isEnabled('create')) {
+            validTools.push('create');
           }
           // Bash tool (require both enableBash flag AND allowedTools permission)
           if (this.enableBash && this.allowedTools.isEnabled('bash')) {
@@ -3804,6 +3813,7 @@ Follow these instructions carefully:
                       mcpConfigPath: this.mcpConfigPath, // Inherit MCP config path
                       enableBash: this.enableBash,      // Inherit bash enablement
                       bashConfig: this.bashConfig,      // Inherit bash configuration
+                      allowEdit: this.allowEdit,        // Inherit edit/create permission
                       allowedTools: allowedToolsForDelegate,  // Inherit allowed tools from parent
                       debug: this.debug,
                       tracer: this.tracer
@@ -4685,11 +4695,14 @@ Convert your previous response content into actual JSON data that follows this s
                 0
               );
               
+              // Strip schema from correction options to prevent inflated iteration budget (issue #447)
+              const { schema: _unusedSchema1, ...schemaDefCorrectionOptions } = options;
               finalResult = await this.answer(schemaDefinitionPrompt, [], {
-                ...options,
+                ...schemaDefCorrectionOptions,
                 _schemaFormatted: true,
                 _skipValidation: true,  // Skip validation in recursive correction calls to prevent loops
-                _completionPromptProcessed: true  // Prevent cascading completion prompts in retry calls
+                _completionPromptProcessed: true,  // Prevent cascading completion prompts in retry calls
+                _maxIterationsOverride: 3  // Correction should complete in 1-2 iterations (issue #447)
               });
               finalResult = cleanSchemaResponse(finalResult);
               validation = validateJsonResponse(finalResult);
@@ -4745,12 +4758,15 @@ Convert your previous response content into actual JSON data that follows this s
                 );
               }
               
+              // Strip schema from correction options to prevent inflated iteration budget (issue #447)
+              const { schema: _unusedSchema2, ...correctionOptions } = options;
               finalResult = await this.answer(correctionPrompt, [], {
-                ...options,
+                ...correctionOptions,
                 _schemaFormatted: true,
                 _skipValidation: true,  // Skip validation in recursive correction calls to prevent loops
                 _disableTools: true,    // Only allow attempt_completion - prevent AI from using search/query tools
-                _completionPromptProcessed: true  // Prevent cascading completion prompts in retry calls
+                _completionPromptProcessed: true,  // Prevent cascading completion prompts in retry calls
+                _maxIterationsOverride: 3  // Correction should complete in 1-2 iterations (issue #447)
               });
               finalResult = cleanSchemaResponse(finalResult);
               

package/src/agent/acp/tools.js

@@ -162,7 +162,8 @@ export class ACPToolManager {
         return ToolCallKind.extract;
       case 'delegate':
         return ToolCallKind.execute;
-      case 'implement':
+      case 'edit':
+      case 'create':
         return ToolCallKind.edit;
       default:
         return ToolCallKind.execute;

package/src/agent/acp/tools.test.js

@@ -117,7 +117,8 @@ describe('ACPToolManager', () => {
       expect(toolManager.getToolKind('query')).toBe(ToolCallKind.query);
       expect(toolManager.getToolKind('extract')).toBe(ToolCallKind.extract);
       expect(toolManager.getToolKind('delegate')).toBe(ToolCallKind.execute);
-      expect(toolManager.getToolKind('implement')).toBe(ToolCallKind.edit);
+      expect(toolManager.getToolKind('edit')).toBe(ToolCallKind.edit);
+      expect(toolManager.getToolKind('create')).toBe(ToolCallKind.edit);
       expect(toolManager.getToolKind('unknown')).toBe(ToolCallKind.execute);
     });
   });

package/src/agent/bashDefaults.js

@@ -30,13 +30,45 @@ export const DEFAULT_ALLOW_PATTERNS = [
   'tree', 'tree:*',
   
   // Git read-only operations
-  'git:status', 'git:log', 'git:log:*', 'git:diff', 'git:diff:*',
+  'git:status', 'git:status:*', 'git:log', 'git:log:*', 'git:diff', 'git:diff:*',
   'git:show', 'git:show:*', 'git:branch', 'git:branch:*',
   'git:tag', 'git:tag:*', 'git:describe', 'git:describe:*',
   'git:remote', 'git:remote:*', 'git:config:*',
-  'git:blame', 'git:blame:*', 'git:shortlog', 'git:reflog',
-  'git:ls-files', 'git:ls-tree', 'git:rev-parse', 'git:rev-list',
+  'git:blame', 'git:blame:*', 'git:shortlog', 'git:shortlog:*', 'git:reflog', 'git:reflog:*',
+  'git:ls-files', 'git:ls-files:*', 'git:ls-tree', 'git:ls-tree:*',
+  'git:ls-remote', 'git:ls-remote:*',
+  'git:rev-parse', 'git:rev-parse:*', 'git:rev-list', 'git:rev-list:*',
+  'git:cat-file', 'git:cat-file:*',
+  'git:diff-tree', 'git:diff-tree:*', 'git:diff-files', 'git:diff-files:*',
+  'git:diff-index', 'git:diff-index:*',
+  'git:for-each-ref', 'git:for-each-ref:*',
+  'git:merge-base', 'git:merge-base:*',
+  'git:name-rev', 'git:name-rev:*',
+  'git:count-objects', 'git:count-objects:*',
+  'git:verify-commit', 'git:verify-commit:*', 'git:verify-tag', 'git:verify-tag:*',
+  'git:check-ignore', 'git:check-ignore:*', 'git:check-attr', 'git:check-attr:*',
+  'git:stash:list', 'git:stash:show', 'git:stash:show:*',
+  'git:worktree:list', 'git:worktree:list:*',
+  'git:notes:list', 'git:notes:show', 'git:notes:show:*',
   'git:--version', 'git:help', 'git:help:*',
+
+  // GitHub CLI (gh) read-only operations
+  'gh:--version', 'gh:help', 'gh:help:*', 'gh:status',
+  'gh:auth:status', 'gh:auth:status:*',
+  'gh:issue:list', 'gh:issue:list:*', 'gh:issue:view', 'gh:issue:view:*',
+  'gh:issue:status', 'gh:issue:status:*',
+  'gh:pr:list', 'gh:pr:list:*', 'gh:pr:view', 'gh:pr:view:*',
+  'gh:pr:status', 'gh:pr:status:*', 'gh:pr:diff', 'gh:pr:diff:*',
+  'gh:pr:checks', 'gh:pr:checks:*',
+  'gh:repo:list', 'gh:repo:list:*', 'gh:repo:view', 'gh:repo:view:*',
+  'gh:release:list', 'gh:release:list:*', 'gh:release:view', 'gh:release:view:*',
+  'gh:run:list', 'gh:run:list:*', 'gh:run:view', 'gh:run:view:*',
+  'gh:workflow:list', 'gh:workflow:list:*', 'gh:workflow:view', 'gh:workflow:view:*',
+  'gh:gist:list', 'gh:gist:list:*', 'gh:gist:view', 'gh:gist:view:*',
+  'gh:search:issues', 'gh:search:issues:*', 'gh:search:prs', 'gh:search:prs:*',
+  'gh:search:repos', 'gh:search:repos:*', 'gh:search:code', 'gh:search:code:*',
+  'gh:search:commits', 'gh:search:commits:*',
+  'gh:api', 'gh:api:*',
   
   // Package managers (information only)
   'npm:list', 'npm:ls', 'npm:view', 'npm:info', 'npm:show',
@@ -165,9 +197,46 @@ export const DEFAULT_DENY_PATTERNS = [
   'sysctl:-w:*',
   
   // Dangerous git operations
-  'git:push', 'git:push:*', 'git:force', 'git:reset:--hard:*',
-  'git:clean:-fd', 'git:rm:*', 'git:commit', 'git:merge',
-  'git:rebase', 'git:cherry-pick', 'git:stash:drop',
+  'git:push', 'git:push:*', 'git:force', 'git:reset', 'git:reset:*',
+  'git:clean', 'git:clean:*', 'git:rm', 'git:rm:*',
+  'git:commit', 'git:commit:*', 'git:merge', 'git:merge:*',
+  'git:rebase', 'git:rebase:*', 'git:cherry-pick', 'git:cherry-pick:*',
+  'git:stash:drop', 'git:stash:drop:*', 'git:stash:pop', 'git:stash:pop:*',
+  'git:stash:push', 'git:stash:push:*', 'git:stash:clear',
+  'git:branch:-d', 'git:branch:-d:*', 'git:branch:-D', 'git:branch:-D:*',
+  'git:branch:--delete', 'git:branch:--delete:*',
+  'git:tag:-d', 'git:tag:-d:*', 'git:tag:--delete', 'git:tag:--delete:*',
+  'git:remote:remove', 'git:remote:remove:*', 'git:remote:rm', 'git:remote:rm:*',
+  'git:checkout:--force', 'git:checkout:--force:*',
+  'git:checkout:-f', 'git:checkout:-f:*',
+  'git:submodule:deinit', 'git:submodule:deinit:*',
+  'git:notes:add', 'git:notes:add:*', 'git:notes:remove', 'git:notes:remove:*',
+  'git:worktree:add', 'git:worktree:add:*',
+  'git:worktree:remove', 'git:worktree:remove:*',
+
+  // Dangerous GitHub CLI (gh) write operations
+  'gh:issue:create', 'gh:issue:create:*', 'gh:issue:close', 'gh:issue:close:*',
+  'gh:issue:delete', 'gh:issue:delete:*', 'gh:issue:edit', 'gh:issue:edit:*',
+  'gh:issue:reopen', 'gh:issue:reopen:*',
+  'gh:issue:comment', 'gh:issue:comment:*',
+  'gh:pr:create', 'gh:pr:create:*', 'gh:pr:close', 'gh:pr:close:*',
+  'gh:pr:merge', 'gh:pr:merge:*', 'gh:pr:edit', 'gh:pr:edit:*',
+  'gh:pr:reopen', 'gh:pr:reopen:*', 'gh:pr:review', 'gh:pr:review:*',
+  'gh:pr:comment', 'gh:pr:comment:*',
+  'gh:repo:create', 'gh:repo:create:*', 'gh:repo:delete', 'gh:repo:delete:*',
+  'gh:repo:fork', 'gh:repo:fork:*', 'gh:repo:rename', 'gh:repo:rename:*',
+  'gh:repo:archive', 'gh:repo:archive:*', 'gh:repo:clone', 'gh:repo:clone:*',
+  'gh:release:create', 'gh:release:create:*', 'gh:release:delete', 'gh:release:delete:*',
+  'gh:release:edit', 'gh:release:edit:*',
+  'gh:run:cancel', 'gh:run:cancel:*', 'gh:run:rerun', 'gh:run:rerun:*',
+  'gh:workflow:run', 'gh:workflow:run:*',
+  'gh:workflow:enable', 'gh:workflow:enable:*', 'gh:workflow:disable', 'gh:workflow:disable:*',
+  'gh:gist:create', 'gh:gist:create:*', 'gh:gist:delete', 'gh:gist:delete:*',
+  'gh:gist:edit', 'gh:gist:edit:*',
+  'gh:secret:set', 'gh:secret:set:*', 'gh:secret:delete', 'gh:secret:delete:*',
+  'gh:variable:set', 'gh:variable:set:*', 'gh:variable:delete', 'gh:variable:delete:*',
+  'gh:label:create', 'gh:label:create:*', 'gh:label:delete', 'gh:label:delete:*',
+  'gh:ssh-key:add', 'gh:ssh-key:add:*', 'gh:ssh-key:delete', 'gh:ssh-key:delete:*',
   
   // File system mounting and partitioning
   'mount', 'mount:*', 'umount', 'umount:*', 'fdisk', 'fdisk:*',

package/src/agent/index.js

@@ -124,7 +124,8 @@ function parseArgs() {
     schema: null,
     provider: null,
     model: null,
-    allowEdit: false,
+    allowEdit: process.env.ALLOW_EDIT === '1' || false,
+    hashLines: process.env.HASH_LINES !== undefined ? process.env.HASH_LINES === '1' : undefined,
     enableDelegate: false,
     verbose: false,
     help: false,
@@ -167,6 +168,10 @@ function parseArgs() {
       config.verbose = true;
     } else if (arg === '--allow-edit') {
       config.allowEdit = true;
+    } else if (arg === '--hash-lines') {
+      config.hashLines = true;
+    } else if (arg === '--no-hash-lines') {
+      config.hashLines = false;
     } else if (arg === '--enable-delegate') {
       config.enableDelegate = true;
     } else if (arg === '--no-delegate') {
@@ -275,12 +280,14 @@ Options:
   --schema <schema|file>           Output schema (JSON, XML, any format - text or file path)
   --provider <name>                Force AI provider: anthropic, openai, google
   --model <name>                   Override model name
-  --allow-edit                     Enable code modification capabilities
+  --allow-edit                     Enable code modification capabilities (edit + create tools)
+  --hash-lines                     Annotate search/extract output with line hashes (default: on when --allow-edit)
+  --no-hash-lines                  Disable line hash annotations even with --allow-edit
   --enable-delegate                Enable delegate tool for task distribution to subagents
   --allowed-tools <tools>          Filter available tools (comma-separated list)
                                    Use '*' or 'all' for all tools (default)
                                    Use 'none' or '' for no tools (raw AI mode)
-                                   Specific tools: search,query,extract,listFiles,searchFiles,listSkills,useSkill
+                                   Specific tools: search,query,extract,edit,create,listFiles,searchFiles,listSkills,useSkill
                                    Supports exclusion: '*,!bash' (all except bash)
   --disable-tools                  Disable all tools (raw AI mode, no code analysis)
                                    Convenience flag equivalent to --allowed-tools none
@@ -318,6 +325,8 @@ Environment Variables:
   FORCE_PROVIDER                  Force specific provider (anthropic, openai, google)
   MODEL_NAME                      Override model name
   MAX_RESPONSE_TOKENS             Maximum tokens for AI response
+  ALLOW_EDIT                      Enable code modification (set to '1')
+  HASH_LINES                      Annotate output with line hashes (set to '1'; default: on with ALLOW_EDIT)
   DEBUG                           Enable verbose mode (set to '1')
 
 Examples:
@@ -334,6 +343,8 @@ Examples:
   probe agent "Explain this code" --allowed-tools search,extract  # Only search and extract
   probe agent "What is this project about?" --allowed-tools none  # Raw AI mode (no tools)
   probe agent "Tell me about this project" --disable-tools        # Raw AI mode (convenience flag)
+  probe agent "Fix the off-by-one error" --allow-edit --path ./src  # Enable code editing
+  ALLOW_EDIT=1 probe agent "Refactor the login flow"                # Edit via env var
   probe agent --mcp               # Start MCP server mode
   probe agent --acp               # Start ACP server mode
 
@@ -612,9 +623,9 @@ class ProbeAgentMcpServer {
                 // Retry once with correction prompt
                 const correctionPrompt = createJsonCorrectionPrompt(result, schema, validation.error);
                 try {
-                  result = await agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true });
+                  result = await agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true, _maxIterationsOverride: 3 });
                   result = cleanSchemaResponse(result);
-                  
+
                   // Validate again after correction
                   const finalValidation = validateJsonResponse(result);
                   if (!finalValidation.isValid && args.debug) {
@@ -960,11 +971,11 @@ async function main() {
             try {
               if (appTracer) {
                 result = await appTracer.withSpan('agent.json_correction',
-                  () => agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true }),
+                  () => agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true, _maxIterationsOverride: 3 }),
                   { 'original_error': validation.error }
                 );
               } else {
-                result = await agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true });
+                result = await agent.answer(correctionPrompt, [], { schema, _schemaFormatted: true, _disableTools: true, _maxIterationsOverride: 3 });
               }
               result = cleanSchemaResponse(result);
               

package/src/agent/mcp/xmlBridge.js

@@ -6,6 +6,7 @@
 import { MCPClientManager } from './client.js';
 import { loadMCPConfiguration } from './config.js';
 import { processXmlWithThinkingAndRecovery } from '../xmlParsingUtils.js';
+import { unescapeXmlEntities } from '../../tools/common.js';
 
 /**
  * Convert MCP tool to XML definition format
@@ -111,7 +112,7 @@ export function parseXmlMcpToolCall(xmlString, mcpToolNames = []) {
       let match;
       while ((match = paramPattern.exec(content)) !== null) {
         const [, paramName, paramValue] = match;
-        params[paramName] = paramValue.trim();
+        params[paramName] = unescapeXmlEntities(paramValue.trim());
       }
     }
 
@@ -393,7 +394,7 @@ function parseNativeXmlTool(xmlString, toolName) {
     const [, paramName, paramValue] = match;
     // Skip if this is the params tag itself (MCP format)
     if (paramName !== 'params') {
-      params[paramName] = paramValue.trim();
+      params[paramName] = unescapeXmlEntities(paramValue.trim());
     }
   }