@qwen-code/qwen-code 0.16.1-preview.0 → 0.16.2

package/chunks/{chunk-QQAHXZS2.js → chunk-7HM6OB7M.js}

@@ -36,11 +36,11 @@ import {
 } from "./chunk-TW522KN6.js";
 import {
   runSideQuery
-} from "./chunk-34S63Y6S.js";
+} from "./chunk-C27V5A2J.js";
 import {
   escapeSystemReminderTags,
   escapeXml
-} from "./chunk-QDV553GJ.js";
+} from "./chunk-EY6BDW7Y.js";
 import {
   DefaultHookOutput,
   HOOKS_CONFIG_FIELDS,
@@ -52,14 +52,14 @@ import {
   StopHookOutput,
   createHookOutput,
   getHookKey
-} from "./chunk-33FTD7OV.js";
+} from "./chunk-K72FHBFO.js";
 import {
   DEFAULT_FILE_FILTERING_OPTIONS
 } from "./chunk-77WXWU44.js";
 import {
   BaseTokenStorage,
   KeychainTokenStorage
-} from "./chunk-Q7IZ5RFJ.js";
+} from "./chunk-GVWPJCXU.js";
 import {
   AUTH_ENV_MAPPINGS,
   ApiResponseEvent,
@@ -114,6 +114,7 @@ import {
   initializeTelemetry,
   isTelemetrySdkInitialized,
   isUtf8CompatibleEncoding,
+  isWithinRoot,
   logArenaAgentCompleted,
   logArenaSessionEnded,
   logArenaSessionStarted,
@@ -160,7 +161,7 @@ import {
   truncateSpanError,
   truncateToolOutput,
   uiTelemetryService
-} from "./chunk-DDU3LH4J.js";
+} from "./chunk-4YNZFYJY.js";
 import {
   DEFAULT_QWEN_EMBEDDING_MODEL,
   DEFAULT_QWEN_MODEL
@@ -173,12 +174,12 @@ import {
   getAutoMemoryMetadataPath,
   getAutoMemoryRoot,
   isAutoMemPath
-} from "./chunk-G5JCK3FG.js";
+} from "./chunk-NQ3E7YLD.js";
 import {
   DEFAULT_TOKEN_LIMIT,
   ESCALATED_MAX_TOKENS,
   tokenLimit
-} from "./chunk-ERQCJRX4.js";
+} from "./chunk-6NUSWV4M.js";
 import {
   FinishReason,
   createModelContent,
@@ -188,7 +189,7 @@ import {
 } from "./chunk-T4VD6OJ4.js";
 import {
   STRUCTURED_OUTPUT_REDACTED_ARGS
-} from "./chunk-JZNYPW2X.js";
+} from "./chunk-FO7BIVSR.js";
 import {
   AgentStatistics,
   BaseDeclarativeTool,
@@ -203,7 +204,7 @@ import {
   isTool,
   require_ajv,
   require_dist
-} from "./chunk-OEIT4HZX.js";
+} from "./chunk-YMDXEEOW.js";
 import {
   PATH_ARG_KEYS,
   QWEN_DIR,
@@ -222,7 +223,7 @@ import {
   setDebugLogSession,
   toFriendlyError,
   unescapePath
-} from "./chunk-W2FLCFLJ.js";
+} from "./chunk-ACBGEKB7.js";
 import {
   require_undici
 } from "./chunk-E7E2MFYM.js";
@@ -15589,11 +15590,11 @@ var require_extract_zip = __commonJS({
     var { createWriteStream: createWriteStream3, promises: fs81 } = __require("fs");
     var getStream = require_get_stream();
     var path84 = __require("path");
-    var { promisify: promisify5 } = __require("util");
+    var { promisify: promisify6 } = __require("util");
     var stream2 = __require("stream");
     var yauzl = require_yauzl();
-    var openZip = promisify5(yauzl.open);
-    var pipeline = promisify5(stream2.pipeline);
+    var openZip = promisify6(yauzl.open);
+    var pipeline = promisify6(stream2.pipeline);
     var Extractor = class {
       static {
         __name(this, "Extractor");
@@ -15660,14 +15661,14 @@ var require_extract_zip = __commonJS({
         const IFMT2 = 61440;
         const IFDIR2 = 16384;
         const IFLNK2 = 40960;
-        const symlink = (mode & IFMT2) === IFLNK2;
+        const symlink2 = (mode & IFMT2) === IFLNK2;
         let isDir = (mode & IFMT2) === IFDIR2;
         if (!isDir && entry.fileName.endsWith("/")) {
           isDir = true;
         }
         const madeBy = entry.versionMadeBy >> 8;
         if (!isDir) isDir = madeBy === 0 && entry.externalFileAttributes === 16;
-        debug2("extracting entry", { filename: entry.fileName, isDir, isSymlink: symlink });
+        debug2("extracting entry", { filename: entry.fileName, isDir, isSymlink: symlink2 });
         const procMode = this.getExtractedMode(mode, isDir) & 511;
         const destDir = isDir ? dest : path84.dirname(dest);
         const mkdirOptions = { recursive: true };
@@ -15678,8 +15679,8 @@ var require_extract_zip = __commonJS({
         await fs81.mkdir(destDir, mkdirOptions);
         if (isDir) return;
         debug2("opening read stream", dest);
-        const readStream = await promisify5(this.zipfile.openReadStream.bind(this.zipfile))(entry);
-        if (symlink) {
+        const readStream = await promisify6(this.zipfile.openReadStream.bind(this.zipfile))(entry);
+        if (symlink2) {
           const link2 = await getStream(readStream);
           debug2("creating symlink", link2, dest);
           await fs81.symlink(link2, dest);
@@ -34206,22 +34207,7 @@ IMPORTANT: Always use the ${ToolNames.TODO_WRITE} tool to plan and track tasks t
 
 ## New Applications
 
-**Goal:** Autonomously implement and deliver a visually appealing, substantially complete, and functional prototype. Utilize all tools at your disposal to implement the application. Some tools you may especially find useful are '${ToolNames.WRITE_FILE}', '${ToolNames.EDIT}' and '${ToolNames.SHELL}'.
-
-1. **Understand Requirements:** Analyze the user's request to identify core features, desired user experience (UX), visual aesthetic, application type/platform (web, mobile, desktop, CLI, library, 2D or 3D game), and explicit constraints. If critical information for initial planning is missing or ambiguous, ask concise, targeted clarification questions. Use the ${ToolNames.ASK_USER_QUESTION} tool to ask questions, clarify and gather information as needed.
-2. **Propose Plan:** Formulate an internal development plan. Present a clear, concise, high-level summary to the user. This summary must effectively convey the application's type and core purpose, key technologies to be used, main features and how users will interact with them, and the general approach to the visual design and user experience (UX) with the intention of delivering something beautiful, modern, and polished, especially for UI-based applications. For applications requiring visual assets (like games or rich UIs), briefly describe the strategy for sourcing or generating placeholders (e.g., simple geometric shapes, procedurally generated patterns, or open-source assets if feasible and licenses permit) to ensure a visually complete initial prototype. Ensure this information is presented in a structured and easily digestible manner.
-  - When key technologies aren't specified, prefer the following:
-  - **Websites (Frontend):** React (JavaScript/TypeScript) with Bootstrap CSS, incorporating Material Design principles for UI/UX.
-  - **Back-End APIs:** Node.js with Express.js (JavaScript/TypeScript) or Python with FastAPI.
-  - **Full-stack:** Next.js (React/Node.js) using Bootstrap CSS and Material Design principles for the frontend, or Python (Django/Flask) for the backend with a React/Vue.js frontend styled with Bootstrap CSS and Material Design principles.
-  - **CLIs:** Python or Go.
-  - **Mobile App:** Compose Multiplatform (Kotlin Multiplatform) or Flutter (Dart) using Material Design libraries and principles, when sharing code between Android and iOS. Jetpack Compose (Kotlin JVM) with Material Design principles or SwiftUI (Swift) for native apps targeted at either Android or iOS, respectively.
-  - **3d Games:** HTML/CSS/JavaScript with Three.js.
-  - **2d Games:** HTML/CSS/JavaScript.
-3. **User Approval:** Obtain user approval for the proposed plan.
-4. **Implementation:** Use the '${ToolNames.TODO_WRITE}' tool to convert the approved plan into a structured todo list with specific, actionable tasks, then autonomously implement each task utilizing all available tools. When starting ensure you scaffold the application using '${ToolNames.SHELL}' for commands like 'npm init', 'npx create-react-app'. Aim for full scope completion. Proactively create or source necessary placeholder assets (e.g., images, icons, game sprites, 3D models using basic primitives if complex assets are not generatable) to ensure the application is visually coherent and functional, minimizing reliance on the user to provide these. If the model can generate simple assets (e.g., a uniformly colored square sprite, a simple 3D cube), it should do so. Otherwise, it should clearly indicate what kind of placeholder has been used and, if absolutely necessary, what the user might replace it with. Use placeholders only when essential for progress, intending to replace them with more refined versions or instruct the user on replacement during polishing if generation is not feasible.
-5. **Verify:** Review work against the original request, the approved plan. Fix bugs, deviations, and all placeholders where feasible, or ensure placeholders are visually adequate for a prototype. Ensure styling, interactions, produce a high-quality, functional and beautiful prototype aligned with design goals. Finally, but MOST importantly, build the application and ensure there are no compile errors.
-6. **Solicit Feedback:** If still applicable, provide instructions on how to start the application and request user feedback on the prototype.
+When a user wants to create a new application, project, website, game, or library from scratch, use the '${ToolNames.SKILL}' tool with skill="new-app" to load the detailed workflow and tech-stack guidance.
 
 # Operational Guidelines
 
@@ -38116,6 +38102,9 @@ function evaluateShellSegment(segment) {
   if (!segment.trim()) {
     return true;
   }
+  if (detectCommandSubstitution(segment)) {
+    return false;
+  }
   const stripped = stripShellWrapper(segment);
   if (!stripped) {
     return true;
@@ -50849,7 +50838,8 @@ init_esbuild_shims();
 import * as fs15 from "node:fs/promises";
 import * as path15 from "node:path";
 import { randomBytes as randomBytes2, randomInt } from "node:crypto";
-import { execSync as execSync3 } from "node:child_process";
+import { execFile as execFile2, execSync as execSync3 } from "node:child_process";
+import { promisify as promisify2 } from "node:util";
 
 // node_modules/simple-git/dist/esm/index.js
 init_esbuild_shims();
@@ -55668,6 +55658,7 @@ async function initRepositoryWithMainBranch(git) {
 __name(initRepositoryWithMainBranch, "initRepositoryWithMainBranch");
 
 // packages/core/src/services/gitWorktreeService.ts
+var execFileAsync2 = promisify2(execFile2);
 var debugLogger25 = createDebugLogger("GIT_WORKTREE_SERVICE");
 var WORKTREE_BRANCH_PREFIX = "worktree-";
 function worktreeBranchForSlug(slug) {
@@ -55864,6 +55855,25 @@ var GitWorktreeService = class _GitWorktreeService {
     const hash = await this.git.revparse(["HEAD"]);
     return hash.trim();
   }
+  /**
+   * Resolves a git ref name to a 40-char commit SHA. Returns `null` when
+   * the ref is unknown / unborn / not a commit.
+   *
+   * Used by Phase D-3 to lock in `FETCH_HEAD` immediately after
+   * `fetchPullRequestRef` succeeds, so the SHA passed to
+   * `git worktree add` is immutable against a concurrent `git fetch` from
+   * another process sharing the same repo, AND so `WorktreeExitDialog`'s
+   * `rev-list <originalHeadCommit>..HEAD` counts only THIS session's new
+   * work rather than every commit in the fetched PR.
+   */
+  async resolveRef(ref) {
+    try {
+      const out2 = (await this.git.raw(["rev-parse", "--verify", ref])).trim();
+      return /^[0-9a-f]{40}$/.test(out2) ? out2 : null;
+    } catch {
+      return null;
+    }
+  }
   /**
    * Creates a single worktree.
    */
@@ -56353,6 +56363,207 @@ var GitWorktreeService = class _GitWorktreeService {
     const suffix = randomBytes2(3).toString("hex");
     return `${adj}-${noun}-${suffix}`;
   }
+  /**
+   * Parses a PR reference from a string. Recognised forms:
+   *
+   * - `#123` — shorthand PR number
+   * - `https://github.com/<owner>/<repo>/pull/123` — full GitHub URL
+   *   (any host, any query string, any fragment)
+   *
+   * Returns the parsed PR number on match, `null` otherwise. The slug for
+   * a PR worktree is derived by callers as `pr-<N>` and the branch as
+   * `worktree-pr-<N>` (see `createUserWorktree`).
+   *
+   * Mirrors claude-code's `parsePRReference` (utils/worktree.ts:633) so
+   * cross-CLI muscle memory transfers.
+   */
+  static parsePRReference(input) {
+    if (typeof input !== "string") return null;
+    const trimmed2 = input.trim();
+    const urlMatch = trimmed2.match(
+      /^https?:\/\/[^/]+\/[^/]+\/[^/]+\/pull\/(\d+)(?:\/[^?#]*)?(?:[?#].*)?$/i
+    );
+    if (urlMatch?.[1]) {
+      const n = parseInt(urlMatch[1], 10);
+      return Number.isSafeInteger(n) && n > 0 ? n : null;
+    }
+    const hashMatch = trimmed2.match(/^#([1-9]\d*)$/);
+    if (hashMatch?.[1]) {
+      const n = parseInt(hashMatch[1], 10);
+      return Number.isSafeInteger(n) && n > 0 ? n : null;
+    }
+    return null;
+  }
+  /**
+   * Identifies the registered worktree at `worktreePath` as a member of
+   * THIS repository (`sourceRepoPath`). Returns the branch + HEAD commit
+   * SHA on success, or `null` when the path is not a worktree of this
+   * repo.
+   *
+   * Used by Phase D-1's re-attach path: when `--worktree foo` is passed
+   * and `<repoRoot>/.qwen/worktrees/foo` already exists on disk, we
+   * verify it really IS a Qwen-managed worktree of the current repo (not
+   * a standalone `git init` someone dropped at that path) before
+   * assuming it's safe to chdir into. Returning the HEAD SHA in the
+   * same call avoids a second subprocess to recapture it after chdir.
+   *
+   * Implementation — a single `git rev-parse` returning four lines:
+   * 1. `HEAD` → the worktree's HEAD commit SHA (must come BEFORE
+   *    `--abbrev-ref` since the flag sticks for all subsequent refs).
+   * 2. `--abbrev-ref HEAD` → the branch name. A detached HEAD produces
+   *    `HEAD` here, which we treat as "no real branch" and return null
+   *    — the caller's re-attach gate will then refuse, since the
+   *    slug-derived branch couldn't possibly be `HEAD`.
+   * 3. `--git-common-dir` → the common `.git` directory. For a real
+   *    linked worktree of this repo that's `<sourceRepoPath>/.git`;
+   *    for a sibling `git init` it resolves to `<worktreePath>/.git`.
+   *    We compare against this repo's own common-dir to reject the
+   *    latter.
+   * 4. `--show-toplevel` → git's idea of the worktree top. For a real
+   *    linked worktree this equals `worktreePath`; for a plain
+   *    directory living UNDER the main repo (e.g. `mkdir
+   *    <repo>/.qwen/worktrees/foo`) git walks up to the outer `.git`
+   *    and returns the OUTER repo's root — which would otherwise pass
+   *    the common-dir check and let us "re-attach" to a non-worktree
+   *    directory. Compare paths to reject this.
+   */
+  async getRegisteredWorktreeBranch(worktreePath) {
+    let resolvedWorktreePath;
+    try {
+      const stat16 = await fs15.stat(worktreePath);
+      if (!stat16.isDirectory()) return null;
+      resolvedWorktreePath = await fs15.realpath(worktreePath);
+    } catch {
+      return null;
+    }
+    const probeGit = simpleGit(worktreePath);
+    let ourCommonDir;
+    let headCommit;
+    let branch;
+    let probeCommonDir;
+    let probeToplevel;
+    try {
+      const [ourRaw, probeRaw] = await Promise.all([
+        this.git.raw(["rev-parse", "--git-common-dir"]),
+        probeGit.raw([
+          "rev-parse",
+          "HEAD",
+          "--abbrev-ref",
+          "HEAD",
+          "--git-common-dir",
+          "--show-toplevel"
+        ])
+      ]);
+      ourCommonDir = path15.resolve(this.sourceRepoPath, ourRaw.trim());
+      const lines = probeRaw.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
+      if (lines.length < 4) return null;
+      headCommit = lines[0];
+      branch = lines[1];
+      probeCommonDir = path15.resolve(worktreePath, lines[2]);
+      probeToplevel = path15.resolve(lines[3]);
+    } catch (error) {
+      debugLogger25.debug(
+        `getRegisteredWorktreeBranch: probe at ${worktreePath} failed: ${error}`
+      );
+      return null;
+    }
+    if (probeCommonDir !== ourCommonDir) {
+      debugLogger25.debug(
+        `getRegisteredWorktreeBranch: ${worktreePath} belongs to a different repo (common-dir=${probeCommonDir}, expected ${ourCommonDir})`
+      );
+      return null;
+    }
+    if (probeToplevel !== resolvedWorktreePath) {
+      debugLogger25.debug(
+        `getRegisteredWorktreeBranch: ${worktreePath} is not a registered worktree (toplevel=${probeToplevel}, expected ${resolvedWorktreePath})`
+      );
+      return null;
+    }
+    if (!branch || branch === "HEAD") return null;
+    return { branch, headCommit };
+  }
+  /**
+   * Fetches the GitHub PR ref `refs/pull/<N>/head` from the `origin` remote
+   * so a subsequent `createUserWorktree(..., 'FETCH_HEAD')` call can branch
+   * off the PR's tip (Phase D-3). Returns `{ success: true }` on success,
+   * or `{ success: false, error }` with a user-facing reason on failure.
+   *
+   * Implementation notes:
+   *
+   * - Uses `git fetch origin pull/<N>/head` (no `gh` CLI dependency).
+   * - Hard timeout of 30s by default — overridable for tests. A hung git
+   *   process on a misconfigured corporate proxy would otherwise stall
+   *   the entire startup sequence.
+   * - Does NOT create a local branch — leaves the ref accessible only
+   *   via `FETCH_HEAD`. Subsequent `git worktree add -b <branch> <wt>
+   *   FETCH_HEAD` materialises the worktree branch off it.
+   *
+   * Error message taxonomy is friendly because this is the user's first
+   * impression when their `--worktree=#<N>` fails:
+   * - missing `origin` → tell them the remote is required + how to fix
+   * - timeout → mention the configured timeout so they can blame the network
+   * - generic failure → "PR may not exist or origin is unreachable"
+   */
+  async fetchPullRequestRef(prNumber, options2) {
+    if (!Number.isSafeInteger(prNumber) || prNumber <= 0 || prNumber > 1e9) {
+      return {
+        success: false,
+        error: `Invalid PR number: ${prNumber}.`
+      };
+    }
+    const timeoutMs = options2?.timeoutMs ?? 3e4;
+    const prNumberStr = String(prNumber);
+    if (!/^[1-9][0-9]*$/.test(prNumberStr)) {
+      return {
+        success: false,
+        error: `Invalid PR number: ${prNumber}.`
+      };
+    }
+    const refspec = `pull/${prNumberStr}/head`;
+    try {
+      await execFileAsync2(
+        "git",
+        ["fetch", "--end-of-options", "origin", refspec],
+        {
+          cwd: this.sourceRepoPath,
+          timeout: timeoutMs,
+          env: { ...process.env, LANG: "C", LC_ALL: "C" }
+        }
+      );
+      return { success: true };
+    } catch (error) {
+      const err2 = error;
+      const stderr = typeof err2.stderr === "string" ? err2.stderr : err2.stderr instanceof Buffer ? err2.stderr.toString("utf8") : "";
+      const lower = stderr.toLowerCase();
+      if (err2.signal === "SIGTERM") {
+        return {
+          success: false,
+          error: `Failed to fetch PR #${prNumber}: timed out after ${Math.round(timeoutMs / 1e3)}s. Check network connectivity and any HTTP(S) proxy settings.`
+        };
+      }
+      if (lower.includes("does not appear to be a git repository") || lower.includes("could not read from remote repository") || lower.includes("'origin' does not appear")) {
+        return {
+          success: false,
+          error: `--worktree=#${prNumber} requires an "origin" remote that points at GitHub. Add one with \`git remote add origin <url>\` and retry.`
+        };
+      }
+      if (lower.includes("no such ref") || lower.includes("couldn't find remote ref") || lower.includes("couldn't find remote ref pull/")) {
+        return {
+          success: false,
+          error: `Failed to fetch PR #${prNumber}: the PR does not exist on origin, or origin is not a GitHub repository (only GitHub exposes refs/pull/<N>/head).`
+        };
+      }
+      const firstLine = stderr.split("\n").find((l) => l.trim().length > 0);
+      const detail = firstLine ? ` (${firstLine.trim()})` : "";
+      debugLogger25.warn(
+        `fetchPullRequestRef: git fetch pull/${prNumber}/head failed: ${error}`
+      );
+      return {
+        success: false,
+        error: `Failed to fetch PR #${prNumber}: PR may not exist, or origin remote is unreachable${detail}.`
+      };
+    }
+  }
   /**
    * Validates a worktree slug. Returns null on success, or an error message.
    *
@@ -56398,7 +56609,7 @@ var GitWorktreeService = class _GitWorktreeService {
    * silently resetting the branch. The previous `-B` form would have
    * dropped any commits unique to that branch — see review #4073.
    */
-  async createUserWorktree(slug, baseBranch) {
+  async createUserWorktree(slug, baseBranch, options2) {
     const validationError = _GitWorktreeService.validateUserWorktreeSlug(slug);
     if (validationError) {
       debugLogger25.warn(
@@ -56437,6 +56648,17 @@ var GitWorktreeService = class _GitWorktreeService {
           `createUserWorktree: failed to configure core.hooksPath for ${slug}: ${error}`
         );
       });
+      const symlinkPaths = options2?.symlinkDirectories ?? [];
+      if (symlinkPaths.length > 0) {
+        await this.symlinkConfiguredDirectories(
+          worktreePath,
+          symlinkPaths
+        ).catch((error) => {
+          debugLogger25.warn(
+            `createUserWorktree: symlinkConfiguredDirectories failed for ${slug}: ${error}`
+          );
+        });
+      }
       const worktree = {
         id: slug,
         name: slug,
@@ -56509,6 +56731,172 @@ var GitWorktreeService = class _GitWorktreeService {
       );
     }
   }
+  /**
+   * Phase D-2 symlink loop. For each configured directory under the main
+   * repository, creates a symbolic link from the new worktree to the
+   * main-repo location (`<worktreePath>/<dir>` → `<repoRoot>/<dir>`).
+   *
+   * Fail-open semantics — the worktree IS already on disk and usable by
+   * the time this runs, so a symlink failure must NOT abort the parent
+   * `createUserWorktree` call. Per-entry failures are logged at debug or
+   * warn level depending on cause:
+   *
+   * - **ENOENT on source** (the main repo does not have the directory):
+   *   debug log, skip. Typical for users who configure `node_modules`
+   *   but launch from a fresh clone where `npm install` hasn't run yet.
+   * - **EEXIST on destination** (something already lives at the symlink
+   *   target inside the worktree): debug log, skip. No overwrite; the
+   *   existing content (whether file, dir, or stale link) wins.
+   * - **Absolute path or path traversal in the configured value**:
+   *   warn log, skip the entry. Configured values must stay relative to
+   *   the repo root to prevent a setting from redirecting writes onto
+   *   `/etc`, `~`, or anywhere outside the repo subtree.
+   * - **Other I/O errors**: warn log, continue to the next entry.
+   *
+   * Mirrors claude-code's `symlinkDirectories` helper (utils/worktree.ts).
+   */
+  async symlinkConfiguredDirectories(worktreePath, configured) {
+    let repoRootAbs;
+    try {
+      repoRootAbs = await fs15.realpath(this.sourceRepoPath);
+    } catch {
+      debugLogger25.warn(
+        `symlinkConfiguredDirectories: cannot realpath sourceRepoPath "${this.sourceRepoPath}", skipping all entries`
+      );
+      return;
+    }
+    const gitDirAbs = path15.join(repoRootAbs, ".git");
+    const qwenDirAbs = path15.join(repoRootAbs, ".qwen");
+    const realWorktreePath = await fs15.realpath(worktreePath).catch(() => worktreePath);
+    for (const raw2 of configured) {
+      if (typeof raw2 !== "string" || raw2.length === 0) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: skipping non-string / empty entry: ${JSON.stringify(raw2)}`
+        );
+        continue;
+      }
+      if (path15.isAbsolute(raw2)) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: refusing absolute path "${raw2}"`
+        );
+        continue;
+      }
+      if (raw2.split(/[\\/]/).includes("..")) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: refusing path "${raw2}" \u2014 contains '..' segment`
+        );
+        continue;
+      }
+      const sourceAbs = path15.resolve(repoRootAbs, raw2);
+      if (sourceAbs === repoRootAbs) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: refusing empty / repo-root path "${raw2}"`
+        );
+        continue;
+      }
+      if (!isWithinRoot(sourceAbs, repoRootAbs)) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: refusing path "${raw2}" \u2014 resolves outside repo root (${sourceAbs} vs ${repoRootAbs})`
+        );
+        continue;
+      }
+      if (isWithinRoot(sourceAbs, gitDirAbs)) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: refusing git-internal path "${raw2}"`
+        );
+        continue;
+      }
+      if (isWithinRoot(sourceAbs, qwenDirAbs)) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: refusing path "${raw2}" \u2014 the .qwen tree is CLI-managed; symlinking any of it could create a worktrees-inside-worktrees loop or alias CLI metadata.`
+        );
+        continue;
+      }
+      let sourceStat = null;
+      try {
+        sourceStat = await fs15.stat(sourceAbs);
+      } catch (error) {
+        if (isNodeError(error) && error.code === "ENOENT") {
+          debugLogger25.debug(
+            `symlinkConfiguredDirectories: source missing, skipping: ${sourceAbs}`
+          );
+        } else {
+          debugLogger25.warn(
+            `symlinkConfiguredDirectories: cannot stat ${sourceAbs}: ${error}`
+          );
+        }
+        continue;
+      }
+      let realSource;
+      try {
+        realSource = await fs15.realpath(sourceAbs);
+      } catch (error) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: cannot realpath source "${sourceAbs}": ${error}`
+        );
+        continue;
+      }
+      if (!isWithinRoot(realSource, repoRootAbs)) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: refusing path "${raw2}" \u2014 real source ${realSource} escapes repo root ${repoRootAbs}`
+        );
+        continue;
+      }
+      if (isWithinRoot(realSource, gitDirAbs)) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: refusing path "${raw2}" \u2014 real source ${realSource} resolves inside .git`
+        );
+        continue;
+      }
+      if (isWithinRoot(realSource, qwenDirAbs)) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: refusing path "${raw2}" \u2014 real source ${realSource} resolves inside .qwen`
+        );
+        continue;
+      }
+      const destAbs = path15.join(worktreePath, raw2);
+      try {
+        await fs15.mkdir(path15.dirname(destAbs), { recursive: true });
+      } catch (error) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: cannot mkdir parent of ${destAbs}: ${error}`
+        );
+        continue;
+      }
+      let realDestParent;
+      try {
+        realDestParent = await fs15.realpath(path15.dirname(destAbs));
+      } catch (error) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: cannot realpath dest parent for "${raw2}" (${path15.dirname(destAbs)}): ${error}`
+        );
+        continue;
+      }
+      if (!isWithinRoot(realDestParent, realWorktreePath)) {
+        debugLogger25.warn(
+          `symlinkConfiguredDirectories: refusing path "${raw2}" \u2014 dest parent ${realDestParent} escapes worktree root ${realWorktreePath} (committed-symlink chain)`
+        );
+        continue;
+      }
+      try {
+        const symlinkType = sourceStat.isDirectory() ? process.platform === "win32" ? "junction" : "dir" : "file";
+        await fs15.symlink(realSource, destAbs, symlinkType);
+        debugLogger25.debug(
+          `symlinkConfiguredDirectories: linked ${destAbs} \u2192 ${realSource} (${symlinkType})`
+        );
+      } catch (error) {
+        if (isNodeError(error) && error.code === "EEXIST") {
+          debugLogger25.debug(
+            `symlinkConfiguredDirectories: destination exists, skipping: ${destAbs}`
+          );
+        } else {
+          debugLogger25.warn(
+            `symlinkConfiguredDirectories: failed to link ${destAbs} \u2192 ${realSource}: ${error}`
+          );
+        }
+      }
+    }
+  }
   /**
    * Returns true if a local branch with the given name exists.
    *
@@ -58681,7 +59069,9 @@ var AgentToolInvocation = class extends BaseToolInvocation {
             `[Agent] getCurrentBranch failed at ${projectRoot}: ${error}`
           );
         }
-        const created = await wtService.createUserWorktree(slug, parentBranch);
+        const created = await wtService.createUserWorktree(slug, parentBranch, {
+          symlinkDirectories: this.config.getWorktreeSymlinkDirectories()
+        });
         if (!created.success || !created.worktree) {
           return failWorktreeProvisioning(
             `Failed to create isolation worktree: ${created.error ?? "unknown error"}`
@@ -65179,9 +65569,9 @@ function evaluateAwkReadOnly(args2) {
 }
 __name(evaluateAwkReadOnly, "evaluateAwkReadOnly");
 function evaluateStatementReadOnly(node) {
+  if (containsCommandSubstitutionAST(node)) return false;
   switch (node.type) {
     case "command":
-      if (containsCommandSubstitutionAST(node)) return false;
       return evaluateCommandReadOnly(node);
     case "pipeline": {
       for (const child of node.namedChildren) {
@@ -69393,12 +69783,12 @@ import { dirname as dirname9, isAbsolute as isAbsolute6, join as join21, relativ
 
 // packages/core/src/utils/gitDiff.ts
 init_esbuild_shims();
-import { execFile as execFile2 } from "node:child_process";
+import { execFile as execFile3 } from "node:child_process";
 import * as nodeFs from "node:fs";
 import { access as access3, lstat as lstat3, open, readFile as readFile14, stat as stat6 } from "node:fs/promises";
 import * as path31 from "node:path";
-import { promisify as promisify2 } from "node:util";
-var execFileAsync2 = promisify2(execFile2);
+import { promisify as promisify3 } from "node:util";
+var execFileAsync3 = promisify3(execFile3);
 var GIT_TIMEOUT_MS = 5e3;
 var MAX_FILES = 50;
 var MAX_DIFF_SIZE_BYTES = 1e6;
@@ -69919,7 +70309,7 @@ __name(mapWithConcurrency, "mapWithConcurrency");
 async function runGit(args2, cwd2) {
   const fullArgs = ["-c", "core.quotepath=false", ...args2];
   try {
-    const { stdout } = await execFileAsync2("git", fullArgs, {
+    const { stdout } = await execFileAsync3("git", fullArgs, {
       cwd: cwd2,
       timeout: GIT_TIMEOUT_MS,
       maxBuffer: 64 * 1024 * 1024,
@@ -73430,7 +73820,7 @@ import { posix as posix3, win32 } from "node:path";
 import { fileURLToPath as fileURLToPath3 } from "node:url";
 import { lstatSync, readdir as readdirCB, readdirSync, readlinkSync as readlinkSync2, realpathSync as rps } from "fs";
 import * as actualFS from "node:fs";
-import { lstat as lstat4, readdir as readdir7, readlink as readlink2, realpath as realpath3 } from "node:fs/promises";
+import { lstat as lstat4, readdir as readdir7, readlink as readlink2, realpath as realpath4 } from "node:fs/promises";
 
 // node_modules/minipass/dist/esm/index.js
 init_esbuild_shims();
@@ -74332,7 +74722,7 @@ var defaultFS = {
     lstat: lstat4,
     readdir: readdir7,
     readlink: readlink2,
-    realpath: realpath3
+    realpath: realpath4
   }
 };
 var fsFromOption = /* @__PURE__ */ __name((fsOption) => !fsOption || fsOption === defaultFS || fsOption === actualFS ? defaultFS : {
@@ -78528,11 +78918,11 @@ import { URL as URL3 } from "node:url";
 
 // packages/core/src/utils/secure-browser-launcher.ts
 init_esbuild_shims();
-import { execFile as execFile3 } from "node:child_process";
-import { promisify as promisify3 } from "node:util";
+import { execFile as execFile4 } from "node:child_process";
+import { promisify as promisify4 } from "node:util";
 import { platform } from "node:os";
 import { URL as URL2 } from "node:url";
-var execFileAsync3 = promisify3(execFile3);
+var execFileAsync4 = promisify4(execFile4);
 function validateUrl(url2) {
   let parsedUrl;
   try {
@@ -78592,7 +78982,7 @@ async function openBrowserSecurely(url2) {
     stdio: "ignore"
   };
   try {
-    await execFileAsync3(command, args2, options2);
+    await execFileAsync4(command, args2, options2);
   } catch (_error) {
     if ((platformName === "linux" || platformName === "freebsd" || platformName === "openbsd") && command === "xdg-open") {
       const fallbackCommands = [
@@ -78605,7 +78995,7 @@ async function openBrowserSecurely(url2) {
       ];
       for (const fallbackCommand of fallbackCommands) {
         try {
-          await execFileAsync3(fallbackCommand, [url2], options2);
+          await execFileAsync4(fallbackCommand, [url2], options2);
           return;
         } catch {
           continue;
@@ -78791,7 +79181,7 @@ var HybridTokenStorage = class extends BaseTokenStorage {
     const forceFileStorage = process.env[FORCE_FILE_STORAGE_ENV_VAR] === "true";
     if (!forceFileStorage) {
       try {
-        const { KeychainTokenStorage: KeychainTokenStorage2 } = await import("./keychain-token-storage-QCF76A5D.js");
+        const { KeychainTokenStorage: KeychainTokenStorage2 } = await import("./keychain-token-storage-3552ENXE.js");
         const keychainStorage = new KeychainTokenStorage2(this.serviceName);
         const isAvailable = await keychainStorage.isAvailable();
         if (isAvailable) {
@@ -81074,7 +81464,7 @@ __name(isEnabled, "isEnabled");
 init_esbuild_shims();
 import path39 from "node:path";
 import { fileURLToPath as fileURLToPath6 } from "node:url";
-import { execFile as execFile4 } from "node:child_process";
+import { execFile as execFile5 } from "node:child_process";
 
 // packages/core/src/utils/bundlePaths.ts
 init_esbuild_shims();
@@ -81219,7 +81609,7 @@ async function runRipgrep(args2, signal) {
   }
   await ensureRipgrepHealthy(selection);
   return new Promise((resolve31) => {
-    const child = execFile4(
+    const child = execFile5(
       selection.command,
       args2,
       {
@@ -83163,7 +83553,7 @@ import * as sysPath2 from "path";
 
 // node_modules/readdirp/esm/index.js
 init_esbuild_shims();
-import { stat as stat9, lstat as lstat5, readdir as readdir9, realpath as realpath4 } from "node:fs/promises";
+import { stat as stat9, lstat as lstat5, readdir as readdir9, realpath as realpath5 } from "node:fs/promises";
 import { Readable } from "node:stream";
 import { resolve as presolve, relative as prelative, join as pjoin, sep as psep } from "node:path";
 var EntryTypes = {
@@ -83342,7 +83732,7 @@ var ReaddirpStream = class extends Readable {
     if (stats && stats.isSymbolicLink()) {
       const full = entry.fullPath;
       try {
-        const entryRealPath = await realpath4(full);
+        const entryRealPath = await realpath5(full);
         const entryRealPathStats = await lstat5(entryRealPath);
         if (entryRealPathStats.isFile()) {
           return "file";
@@ -84051,7 +84441,7 @@ var NodeFsHandler = class {
    * @param realpath
    * @returns closer for the watcher instance.
    */
-  async _handleDir(dir, stats, initialAdd, depth, target, wh, realpath6) {
+  async _handleDir(dir, stats, initialAdd, depth, target, wh, realpath7) {
     const parentDir = this.fsw._getWatchedDir(sysPath.dirname(dir));
     const tracked = parentDir.has(sysPath.basename(dir));
     if (!(initialAdd && this.fsw.options.ignoreInitial) && !target && !tracked) {
@@ -84062,7 +84452,7 @@ var NodeFsHandler = class {
     let throttler;
     let closer;
     const oDepth = this.fsw.options.depth;
-    if ((oDepth == null || depth <= oDepth) && !this.fsw._symlinkPaths.has(realpath6)) {
+    if ((oDepth == null || depth <= oDepth) && !this.fsw._symlinkPaths.has(realpath7)) {
       if (!target) {
         await this._handleRead(dir, initialAdd, wh, target, dir, depth, throttler);
         if (this.fsw.closed)
@@ -87847,9 +88237,8 @@ var PermissionManager = class _PermissionManager {
    *
    * When a sub-command returns 'default' (no rule matches), it is resolved to
    * the actual default permission using AST analysis:
-   *   - Command substitution detected → 'deny'
    *   - Read-only command (cd, ls, git status, etc.) → 'allow'
-   *   - Otherwise → 'ask'
+   *   - Otherwise (including command substitution) → 'ask'
    *
    * Example: with rules `allow: [git checkout *]`
    *   - "cd /path && git checkout -b feature" → allow (cd) + allow (rule) → allow
@@ -87883,19 +88272,26 @@ var PermissionManager = class _PermissionManager {
    * Resolve 'default' permission to actual permission using AST analysis.
    * This mirrors the logic in ShellToolInvocation.getDefaultPermission().
    *
+   * Command substitution ($(), ``, <(), >()) is NOT a hard deny here — it
+   * falls through to 'ask' along with every other non-read-only command, so
+   * the user (or YOLO mode) can decide. The user-facing warning is surfaced
+   * by ShellToolInvocation.getConfirmationDetails so the confirmation prompt
+   * still flags the substitution clearly. See issue #4093 for why a hard
+   * deny here is wrong: it (a) cannot be overridden by YOLO mode and (b)
+   * fires inconsistently based on whether the PermissionManager has
+   * "relevant" rules for the surrounding compound command.
+   *
    * @param command - The shell command to analyze.
-   * @returns 'deny' for command substitution, 'allow' for read-only, 'ask' otherwise.
+   * @returns 'allow' for read-only, 'ask' otherwise.
    */
   async resolveDefaultPermission(command) {
-    if (detectCommandSubstitution(command)) {
-      return "deny";
-    }
     try {
       const isReadOnly = await isShellCommandReadOnlyAST(command);
       if (isReadOnly) {
         return "allow";
       }
-    } catch {
+    } catch (e) {
+      debugLogger60.warn("AST read-only check failed, falling back to ask:", e);
     }
     return "ask";
   }
@@ -94342,9 +94738,9 @@ var SymlinkError = class extends Error {
   symlink;
   syscall = "symlink";
   code = "TAR_SYMLINK_ERROR";
-  constructor(symlink, path84) {
+  constructor(symlink2, path84) {
     super("TAR_SYMLINK_ERROR: Cannot extract through symbolic link");
-    this.symlink = symlink;
+    this.symlink = symlink2;
     this.path = path84;
   }
   get name() {
@@ -105544,6 +105940,20 @@ var Config = class {
   }
   sessionId;
   sessionData;
+  /**
+   * One-shot notice produced by `setupStartupWorktree` (Phase D-1) when the
+   * CLI was launched with `--worktree`. The active entry point (TUI XOR
+   * headless) reads it via {@link consumePendingStartupWorktreeNotice} on
+   * the model's first prompt and skips Phase C's `restoreWorktreeContext`
+   * for that turn — startup wins over the resumed-session sidecar. ACP is
+   * gated out earlier in `gemini.tsx` (mutex with `--worktree`) so it
+   * never reaches this slot.
+   *
+   * @invariant At most one consumer per process. If a future entry path
+   * sets this slot without ever consuming, the string persists until
+   * process exit (which dies with the process — no leak).
+   */
+  pendingStartupWorktreeNotice = null;
   debugLogger;
   toolRegistry;
   /**
@@ -105670,6 +106080,7 @@ var Config = class {
   arenaManagerChangeCallback = null;
   arenaAgentClient;
   agentsSettings;
+  worktreeSettings;
   skipLoopDetection;
   skipStartupContext;
   bareMode;
@@ -105859,6 +106270,7 @@ var Config = class {
     this.eventEmitter = params.eventEmitter;
     this.arenaAgentClient = ArenaAgentClient.create();
     this.agentsSettings = params.agents ?? {};
+    this.worktreeSettings = params.worktree ?? {};
     if (params.contextFileName) {
       setGeminiMdFilename(params.contextFileName);
     }
@@ -105888,8 +106300,8 @@ var Config = class {
       isWorkspaceTrusted: this.isTrustedFolder()
     });
     this.enableManagedAutoMemory = params.enableManagedAutoMemory ?? true;
-    this.enableManagedAutoDream = params.enableManagedAutoDream ?? false;
-    this.enableAutoSkill = params.enableAutoSkill ?? false;
+    this.enableManagedAutoDream = params.enableManagedAutoDream ?? true;
+    this.enableAutoSkill = params.enableAutoSkill ?? true;
     this.fastModel = params.fastModel || void 0;
     this.disableAllHooks = params.disableAllHooks ?? false;
     this.stopHookBlockingCap = resolveStopHookBlockingCap(
@@ -106645,6 +107057,27 @@ var Config = class {
   getTargetDir() {
     return this.targetDir;
   }
+  /**
+   * Stashes a one-shot context message that the next user prompt will
+   * inject into the model (see {@link pendingStartupWorktreeNotice}). Called
+   * from `gemini.tsx` right after `loadCliConfig` when `--worktree` produced
+   * a valid worktree. Pass `null` to clear (rarely needed).
+   */
+  setPendingStartupWorktreeNotice(notice) {
+    this.pendingStartupWorktreeNotice = notice;
+  }
+  /**
+   * Reads and clears the pending startup-worktree notice. Returns `null`
+   * when nothing is stashed (the common case). Each entry point (TUI /
+   * headless / ACP) calls this on the model's first prompt; a non-null
+   * return means the entry point should NOT additionally call
+   * `restoreWorktreeContext()` for that prompt — startup overrides resume.
+   */
+  consumePendingStartupWorktreeNotice() {
+    const v = this.pendingStartupWorktreeNotice;
+    this.pendingStartupWorktreeNotice = null;
+    return v;
+  }
   getProjectRoot() {
     return this.targetDir;
   }
@@ -106926,6 +107359,17 @@ var Config = class {
   getAgentsSettings() {
     return this.agentsSettings;
   }
+  /**
+   * Convenience accessor for `worktree.symlinkDirectories` — returns an
+   * empty array when the setting is unset, so callers can pass the
+   * result directly into the GitWorktreeService loop without nullchecks.
+   *
+   * (No general `getWorktreeSettings()` getter yet — add one when a
+   * second field on `WorktreeSettings` justifies the broader API.)
+   */
+  getWorktreeSymlinkDirectories() {
+    return this.worktreeSettings.symlinkDirectories ?? [];
+  }
   /**
    * Clean up Arena runtime. When `force` is true (e.g., /arena select --discard),
    * always removes worktrees regardless of preserveArtifacts.
@@ -107765,25 +108209,25 @@ var Config = class {
       if (options2?.forSubAgent) return;
       const schema = this.jsonSchema;
       await registerLazy(ToolNames.STRUCTURED_OUTPUT, async () => {
-        const { SyntheticOutputTool } = await import("./syntheticOutput-6N4MZYQT.js");
+        const { SyntheticOutputTool } = await import("./syntheticOutput-AKTXC6FR.js");
         return new SyntheticOutputTool(schema);
       });
     }, "registerStructuredOutputIfRequested");
     if (this.getBareMode()) {
       await registerLazy(ToolNames.READ_FILE, async () => {
-        const { ReadFileTool } = await import("./read-file-5QUJ3ZIL.js");
+        const { ReadFileTool } = await import("./read-file-J7DH4OKV.js");
         return new ReadFileTool(this);
       });
       await registerLazy(ToolNames.EDIT, async () => {
-        const { EditTool } = await import("./edit-2CY35GKJ.js");
+        const { EditTool } = await import("./edit-4LLGNYVZ.js");
         return new EditTool(this);
       });
       await registerLazy(ToolNames.NOTEBOOK_EDIT, async () => {
-        const { NotebookEditTool } = await import("./notebook-edit-RWOEUTYU.js");
+        const { NotebookEditTool } = await import("./notebook-edit-P4QVLW6I.js");
         return new NotebookEditTool(this);
       });
       await registerLazy(ToolNames.SHELL, async () => {
-        const { ShellTool: ShellTool2 } = await import("./shell-DA54BZO2.js");
+        const { ShellTool: ShellTool2 } = await import("./shell-ZNTQIRK6.js");
         return new ShellTool2(this);
       });
       await registerStructuredOutputIfRequested();
@@ -107793,31 +108237,31 @@ var Config = class {
       return registry;
     }
     await registerLazy(ToolNames.TOOL_SEARCH, async () => {
-      const { ToolSearchTool } = await import("./tool-search-PONJXBSP.js");
+      const { ToolSearchTool } = await import("./tool-search-C2EMLFBJ.js");
       return new ToolSearchTool(this);
     });
     await registerLazy(ToolNames.AGENT, async () => {
-      const { AgentTool: AgentTool2 } = await import("./agent-KYFWAFRH.js");
+      const { AgentTool: AgentTool2 } = await import("./agent-RY5EB3XR.js");
       return new AgentTool2(this);
     });
     await registerLazy(ToolNames.TASK_STOP, async () => {
-      const { TaskStopTool } = await import("./task-stop-TTT4O7JR.js");
+      const { TaskStopTool } = await import("./task-stop-2NYFR2ES.js");
       return new TaskStopTool(this);
     });
     await registerLazy(ToolNames.SEND_MESSAGE, async () => {
-      const { SendMessageTool } = await import("./send-message-GDN76EHU.js");
+      const { SendMessageTool } = await import("./send-message-JUFP62VD.js");
       return new SendMessageTool(this);
     });
     await registerLazy(ToolNames.SKILL, async () => {
-      const { SkillTool } = await import("./skill-47FZXDEM.js");
+      const { SkillTool } = await import("./skill-CFCUIY23.js");
       return new SkillTool(this);
     });
     await registerLazy(ToolNames.LS, async () => {
-      const { LSTool } = await import("./ls-QZTZYURK.js");
+      const { LSTool } = await import("./ls-MYXAM7LJ.js");
       return new LSTool(this);
     });
     await registerLazy(ToolNames.READ_FILE, async () => {
-      const { ReadFileTool } = await import("./read-file-5QUJ3ZIL.js");
+      const { ReadFileTool } = await import("./read-file-J7DH4OKV.js");
       return new ReadFileTool(this);
     });
     if (this.getUseRipgrep()) {
@@ -107830,7 +108274,7 @@ var Config = class {
       }
       if (useRipgrep) {
         await registerLazy(ToolNames.GREP, async () => {
-          const { RipGrepTool: RipGrepTool2 } = await import("./ripGrep-PA7M7MJS.js");
+          const { RipGrepTool: RipGrepTool2 } = await import("./ripGrep-33DECY4F.js");
           return new RipGrepTool2(this);
         });
       } else {
@@ -107843,85 +108287,85 @@ var Config = class {
           )
         );
         await registerLazy(ToolNames.GREP, async () => {
-          const { GrepTool } = await import("./grep-GKU7Y77F.js");
+          const { GrepTool } = await import("./grep-2UUPSSIQ.js");
           return new GrepTool(this);
         });
       }
     } else {
       await registerLazy(ToolNames.GREP, async () => {
-        const { GrepTool } = await import("./grep-GKU7Y77F.js");
+        const { GrepTool } = await import("./grep-2UUPSSIQ.js");
         return new GrepTool(this);
       });
     }
     await registerLazy(ToolNames.GLOB, async () => {
-      const { GlobTool } = await import("./glob-C5ZNGH7V.js");
+      const { GlobTool } = await import("./glob-6X6OCEWE.js");
       return new GlobTool(this);
     });
     await registerLazy(ToolNames.EDIT, async () => {
-      const { EditTool } = await import("./edit-2CY35GKJ.js");
+      const { EditTool } = await import("./edit-4LLGNYVZ.js");
       return new EditTool(this);
     });
     await registerLazy(ToolNames.NOTEBOOK_EDIT, async () => {
-      const { NotebookEditTool } = await import("./notebook-edit-RWOEUTYU.js");
+      const { NotebookEditTool } = await import("./notebook-edit-P4QVLW6I.js");
       return new NotebookEditTool(this);
     });
     await registerLazy(ToolNames.WRITE_FILE, async () => {
-      const { WriteFileTool } = await import("./write-file-2YX4NB3B.js");
+      const { WriteFileTool } = await import("./write-file-EEPVRS4Q.js");
       return new WriteFileTool(this);
     });
     await registerLazy(ToolNames.SHELL, async () => {
-      const { ShellTool: ShellTool2 } = await import("./shell-DA54BZO2.js");
+      const { ShellTool: ShellTool2 } = await import("./shell-ZNTQIRK6.js");
       return new ShellTool2(this);
     });
     await registerLazy(ToolNames.TODO_WRITE, async () => {
-      const { TodoWriteTool } = await import("./todoWrite-GYUYNLKE.js");
+      const { TodoWriteTool } = await import("./todoWrite-WHZ2O2XP.js");
       return new TodoWriteTool(this);
     });
     await registerLazy(ToolNames.ASK_USER_QUESTION, async () => {
-      const { AskUserQuestionTool } = await import("./askUserQuestion-KFDJMM66.js");
+      const { AskUserQuestionTool } = await import("./askUserQuestion-R3MKD2JT.js");
       return new AskUserQuestionTool(this);
     });
     if (!this.sdkMode) {
       await registerLazy(ToolNames.EXIT_PLAN_MODE, async () => {
-        const { ExitPlanModeTool } = await import("./exitPlanMode-3JP3BRRO.js");
+        const { ExitPlanModeTool } = await import("./exitPlanMode-WD5IH7NS.js");
         return new ExitPlanModeTool(this);
       });
     }
     await registerLazy(ToolNames.ENTER_WORKTREE, async () => {
-      const { EnterWorktreeTool } = await import("./enter-worktree-HJGN4DH2.js");
+      const { EnterWorktreeTool } = await import("./enter-worktree-E2R5XAFT.js");
       return new EnterWorktreeTool(this);
     });
     await registerLazy(ToolNames.EXIT_WORKTREE, async () => {
-      const { ExitWorktreeTool } = await import("./exit-worktree-VAPX5N2E.js");
+      const { ExitWorktreeTool } = await import("./exit-worktree-YVBYYYDD.js");
       return new ExitWorktreeTool(this);
     });
     await registerLazy(ToolNames.WEB_FETCH, async () => {
-      const { WebFetchTool } = await import("./web-fetch-V4TWMRQD.js");
+      const { WebFetchTool } = await import("./web-fetch-S6MZXPZ5.js");
       return new WebFetchTool(this);
     });
     if (this.isLspEnabled() && this.getLspClient()) {
       await registerLazy(ToolNames.LSP, async () => {
-        const { LspTool } = await import("./lsp-L6NQBEQA.js");
+        const { LspTool } = await import("./lsp-PFGI35JL.js");
         return new LspTool(this);
       });
     }
     await registerStructuredOutputIfRequested();
     if (this.isCronEnabled()) {
       await registerLazy(ToolNames.CRON_CREATE, async () => {
-        const { CronCreateTool } = await import("./cron-create-GJT7LK4I.js");
+        const { CronCreateTool } = await import("./cron-create-BTEOGHPH.js");
         return new CronCreateTool(this);
       });
       await registerLazy(ToolNames.CRON_LIST, async () => {
-        const { CronListTool } = await import("./cron-list-P42BOGWK.js");
+        const { CronListTool } = await import("./cron-list-SV6QRZW2.js");
         return new CronListTool(this);
       });
       await registerLazy(ToolNames.CRON_DELETE, async () => {
-        const { CronDeleteTool } = await import("./cron-delete-PWUIASTZ.js");
+        const { CronDeleteTool } = await import("./cron-delete-56CEWELN.js");
         return new CronDeleteTool(this);
       });
     }
     await registerLazy(ToolNames.MONITOR, async () => {
-      const { MonitorTool } = await import("./monitor-HJTGGH2N.js");
+      const { MonitorTool } = await import("./monitor-VUHPEGUW.js");
       return new MonitorTool(this);
     });
     if (this.pendingMcpBudgetCallback) {
@@ -117323,9 +117767,9 @@ var formatMemoryUsage = /* @__PURE__ */ __name((bytes) => {
 // packages/core/src/utils/memoryDiagnostics.ts
 init_esbuild_shims();
 import { readdir as readdir15, readFile as readFile26 } from "node:fs/promises";
-import { execFile as execFile5 } from "node:child_process";
+import { execFile as execFile6 } from "node:child_process";
 import process7 from "node:process";
-import { promisify as promisify4 } from "node:util";
+import { promisify as promisify5 } from "node:util";
 import v8 from "node:v8";
 var RSS_HEAP_GAP_RATIO = 10;
 var RSS_HEAP_GAP_MIN_BYTES = 256 * 1024 * 1024;
@@ -117334,7 +117778,7 @@ var ACTIVE_HANDLES_THRESHOLD = 256;
 var ACTIVE_REQUESTS_THRESHOLD = 100;
 var OPEN_FD_THRESHOLD = 500;
 var debugLogger91 = createDebugLogger("MEMORY_DIAGNOSTICS");
-var execFileAsync4 = promisify4(execFile5);
+var execFileAsync5 = promisify5(execFile6);
 async function collectMemoryDiagnostics(options2 = {}) {
   const now = options2.now ?? (() => /* @__PURE__ */ new Date());
   const platform8 = options2.platform ?? process7.platform;
@@ -117463,7 +117907,7 @@ async function collectProcessTreeMemoryUsage(platform8) {
   if (platform8 === "win32") {
     throw new Error("process tree RSS probe is unavailable on win32");
   }
-  const { stdout } = await execFileAsync4("ps", ["-axo", "pid=,ppid=,rss="], {
+  const { stdout } = await execFileAsync5("ps", ["-axo", "pid=,ppid=,rss="], {
     maxBuffer: 1024 * 1024,
     timeout: 5e3
   });
@@ -118816,7 +119260,7 @@ __name(doesToolInvocationMatch, "doesToolInvocationMatch");
 
 // packages/core/src/utils/shell-utils.ts
 import {
-  execFile as execFile6,
+  execFile as execFile7,
   execFileSync
 } from "node:child_process";
 import { accessSync, constants as fsConstants } from "node:fs";
@@ -119621,6 +120065,21 @@ function detectCommandSubstitution(command) {
   return false;
 }
 __name(detectCommandSubstitution, "detectCommandSubstitution");
+var COMMAND_SUBSTITUTION_WARNING = "Contains command substitution ($(...), backticks, <(...), or >(...)).";
+function hasShellSubstitution(rawCommand) {
+  if (typeof rawCommand !== "string" || rawCommand.length === 0) return false;
+  if (detectCommandSubstitution(rawCommand)) return true;
+  const stripped = stripShellWrapper(rawCommand);
+  return stripped !== rawCommand && detectCommandSubstitution(stripped);
+}
+__name(hasShellSubstitution, "hasShellSubstitution");
+function buildShellExecWarnings(strippedCommand, rawCommand) {
+  if (hasShellSubstitution(rawCommand) || detectCommandSubstitution(strippedCommand)) {
+    return [COMMAND_SUBSTITUTION_WARNING];
+  }
+  return void 0;
+}
+__name(buildShellExecWarnings, "buildShellExecWarnings");
 async function checkCommandPermissions(command, config, sessionAllowlist) {
   if (detectCommandSubstitution(command)) {
     return {
@@ -119772,7 +120231,7 @@ async function checkCommandPermissions(command, config, sessionAllowlist) {
 __name(checkCommandPermissions, "checkCommandPermissions");
 function execCommand(command, args2, options2 = {}) {
   return new Promise((resolve31, reject) => {
-    const child = execFile6(
+    const child = execFile7(
       command,
       args2,
       { encoding: "utf8", ...options2 },
@@ -121720,10 +122179,15 @@ var ShellToolInvocation = class extends BaseToolInvocation {
   }
   /**
    * AST-based permission check for the shell command.
+   * - Substitution-bearing commands (any form, including inside an
+   *   env-prefix wrapper that `stripShellWrapper` would discard) → 'ask'
    * - Read-only commands (via AST analysis) → 'allow'
    * - All other commands → 'ask'
    */
   async getDefaultPermission() {
+    if (hasShellSubstitution(this.params.command)) {
+      return "ask";
+    }
     const command = stripShellWrapper(this.params.command);
     try {
       const isReadOnly = await isShellCommandReadOnlyAST(command);
@@ -121784,6 +122248,7 @@ var ShellToolInvocation = class extends BaseToolInvocation {
     } catch (e) {
       debugLogger93.warn("Failed to extract command rules:", e);
     }
+    const warnings = buildShellExecWarnings(command, this.params.command);
     const confirmationDetails = {
       type: "exec",
       title: "Confirm Shell Command",
@@ -121793,6 +122258,9 @@ var ShellToolInvocation = class extends BaseToolInvocation {
       onConfirm: /* @__PURE__ */ __name(async (_outcome, _payload) => {
       }, "onConfirm")
     };
+    if (warnings) {
+      confirmationDetails.warnings = warnings;
+    }
     return confirmationDetails;
   }
   async execute(signal, updateOutput, shellExecutionConfig, setPidCallback, setPromoteAbortControllerCallback) {
@@ -123464,6 +123932,9 @@ export {
   normalizeMonitorCommand,
   hasUnsafeMonitorBackgroundOperator,
   detectCommandSubstitution,
+  COMMAND_SUBSTITUTION_WARNING,
+  hasShellSubstitution,
+  buildShellExecWarnings,
   checkCommandPermissions,
   execCommand,
   resolveCommandPath,