@satelliteoflove/godot-mcp 3.13.0 → 3.15.0

package/addon/command_router.gd

@@ -23,6 +23,7 @@ func setup(plugin: EditorPlugin) -> void:
 	_register_handler(MCPProfilerCommands.new(), plugin)
 	_register_handler(MCPRuntimeStateCommands.new(), plugin)
 	_register_handler(MCPGameTimeCommands.new(), plugin)
+	_register_handler(MCPExecCommands.new(), plugin)
 
 
 func _register_handler(handler: MCPBaseCommand, plugin: EditorPlugin) -> void:

package/addon/commands/debug_commands.gd

@@ -125,6 +125,15 @@ func get_log_messages(params: Dictionary) -> Dictionary:
 	if clear:
 		MCPLogger.clear_errors()
 
+	# The phantom "Identifier not found: <autoload>" errors that mislead agents
+	# come from the editor running stale after project.godot was edited on disk
+	# (#245). When that divergence is present, attach it here so the caller reads
+	# the log and the "your editor is stale, restart it" advisory in one shot,
+	# instead of chasing compile errors that do not exist at runtime.
+	var staleness := MCPUtils.detect_project_staleness()
+	if staleness.get("stale", false):
+		result["staleness"] = staleness
+
 	return _success(result)
 
 

package/addon/commands/exec_commands.gd

@@ -0,0 +1,117 @@
+@tool
+extends MCPBaseCommand
+class_name MCPExecCommands
+
+# godot_exec relay (#243): run / list / remove / clear execute in the game
+# bridge (mcp_game_bridge.gd); this side only forwards over the debugger
+# channel and waits, exactly like game_time_commands.gd. The server derives the
+# timeout cascade from the call's declared budget and pushes relay_timeout_ms
+# in params; the constants are fallbacks for an older server that pushes none.
+# RUN_TIMEOUT is generous because a synchronous user script cannot be aborted
+# mid-flight — the relay waiting is what turns a hung script into a typed
+# TIMEOUT instead of a socket kill.
+const BASE_TIMEOUT := 10.0
+const RUN_TIMEOUT := 28.0
+
+var _last_error: Dictionary = {}
+var _call_seq := 0
+
+
+func get_commands() -> Dictionary:
+	return {
+		"exec_run": exec_run,
+		"exec_list": exec_list,
+		"exec_remove": exec_remove,
+		"exec_clear": exec_clear,
+	}
+
+
+func exec_run(params: Dictionary) -> Dictionary:
+	return await _relay("exec_run", params, _relay_timeout(params, RUN_TIMEOUT))
+
+
+func exec_list(params: Dictionary) -> Dictionary:
+	return await _relay("exec_list", params, BASE_TIMEOUT)
+
+
+func exec_remove(params: Dictionary) -> Dictionary:
+	return await _relay("exec_remove", params, BASE_TIMEOUT)
+
+
+func exec_clear(params: Dictionary) -> Dictionary:
+	return await _relay("exec_clear", params, BASE_TIMEOUT)
+
+
+func _relay_timeout(params: Dictionary, fallback: float) -> float:
+	# Use the server-pushed relay budget when present (#276); the local constant
+	# is only a fallback for an older server that does not derive the cascade.
+	var ms: float = float(params.get("relay_timeout_ms", fallback * 1000.0))
+	return ms / 1000.0
+
+
+func _relay(msg_type: String, params: Dictionary, timeout: float) -> Dictionary:
+	# Explicit request/response correlation: the debugger plugin keys responses
+	# by msg_type alone, so a timed-out call's LATE response (a slow script that
+	# finished after we gave up) could otherwise be consumed as the answer to
+	# the next call of the same type — wrong result, silently, and every result
+	# after it shifted by one. The bridge echoes call_id; the wait loop discards
+	# mismatches. A response with no call_id (older addon) is accepted as-is.
+	_call_seq += 1
+	var call_id := _call_seq
+	params = params.duplicate()
+	params["call_id"] = call_id
+	var response = await _send_and_wait(msg_type, [params], timeout, call_id)
+	if response == null:
+		return _last_error
+	if response is Dictionary:
+		response.erase("call_id")  # transport detail, not part of the result
+		if response.has("error"):
+			return _error("EXEC_ERROR", str(response["error"]))
+		return _success(response)
+	return _success({"data": response})
+
+
+func _send_and_wait(msg_type: String, args: Array, timeout: float, call_id: int):
+	if not EditorInterface.is_playing_scene():
+		_last_error = _error("NOT_RUNNING", "No game is currently running")
+		return null
+
+	var debugger_plugin = _plugin.get_debugger_plugin() if _plugin else null
+	if debugger_plugin == null or not debugger_plugin.has_active_session():
+		_last_error = _error("NO_SESSION", "No active debug session")
+		return null
+
+	var sent: bool = debugger_plugin.send_game_message(msg_type, args)
+	if not sent:
+		_last_error = _error("SEND_FAILED", "Failed to send message to game")
+		return null
+
+	var start_time := Time.get_ticks_msec()
+	while true:
+		await Engine.get_main_loop().process_frame
+		# A hard runtime error (or failed assert) in exec'd code breaks the game
+		# into the editor debugger, suspending the bridge handler mid-call —
+		# left alone, the game sits paused and this relay times out.
+		# Auto-continue: the handler resumes, the error lands in its logger
+		# window, and the response arrives with runtime_errors as designed.
+		# Honest limit: the break REASON is not queryable, so this resumes ANY
+		# break in the window — including a developer's own breakpoint hit by
+		# unrelated game code while an exec call is in flight. Accepted for the
+		# dev-tooling threat model and surfaced in the tool description.
+		if debugger_plugin.is_session_breaked():
+			debugger_plugin.continue_session()
+		if debugger_plugin.has_response(msg_type):
+			var response = debugger_plugin.get_response(msg_type)
+			debugger_plugin.clear_response(msg_type)
+			if response is Dictionary and response.has("call_id") \
+					and int(response["call_id"]) != call_id:
+				continue  # a previous call's late response — discard, keep waiting for ours
+			return response
+		if (Time.get_ticks_msec() - start_time) / 1000.0 > timeout:
+			debugger_plugin.clear_response(msg_type)
+			var hint := ""
+			if debugger_plugin.is_session_breaked():
+				hint = " (the game is paused in the editor debugger and did not resume; press Continue in the editor or run godot_editor stop)"
+			_last_error = _error("TIMEOUT", "Timed out waiting for %s response%s" % [msg_type, hint])
+			return null
+	return null  # unreachable; satisfies the parser

package/addon/commands/exec_commands.gd.uid

@@ -0,0 +1 @@
+uid://clbw4kvqpf2py

package/addon/commands/input_commands.gd

@@ -101,7 +101,16 @@ func _get_editor_input_map() -> Dictionary:
 			"name": action_name,
 			"events": event_strings,
 		})
-	return _success({"actions": actions, "source": "editor"})
+	# This map is read from the editor's in-memory InputMap, which is loaded at
+	# startup and goes stale if project.godot's [input] section is edited on disk
+	# (#245). Flag that so the caller knows the map may be incomplete and can
+	# recover with `godot_editor restart`. The game-running path above reads fresh
+	# from the bridge, so it never carries this.
+	var result := {"actions": actions, "source": "editor"}
+	var staleness := MCPUtils.detect_project_staleness()
+	if staleness.get("stale", false):
+		result["staleness"] = staleness
+	return _success(result)
 
 
 func _event_to_string(event: InputEvent) -> String:

package/addon/commands/project_commands.gd

@@ -6,10 +6,18 @@ class_name MCPProjectCommands
 func get_commands() -> Dictionary:
 	return {
 		"get_project_info": get_project_info,
-		"get_project_settings": get_project_settings
+		"get_project_settings": get_project_settings,
+		"get_project_staleness": get_project_staleness,
 	}
 
 
+# Detect whether project.godot was edited on disk after the editor loaded it,
+# leaving the editor's in-memory ProjectSettings / InputMap stale (#245). Always
+# returns the full report (stale or not); recovery is `godot_editor restart`.
+func get_project_staleness(_params: Dictionary) -> Dictionary:
+	return _success(MCPUtils.detect_project_staleness())
+
+
 func get_project_info(_params: Dictionary) -> Dictionary:
 	return _success({
 		"name": ProjectSettings.get_setting("application/config/name", "Unknown"),

package/addon/core/mcp_debugger_plugin.gd

@@ -326,3 +326,27 @@ func toggle_frame_profiler(enable: bool) -> void:
 	var session := get_session(_active_session_id)
 	if session:
 		session.toggle_profiler("mcp_frame_profiler", enable)
+
+
+# True when the debugger has paused the running game (script error, failed
+# assert, or breakpoint). A break suspends whatever bridge handler was running
+# mid-call, so relays that would otherwise time out can detect and recover.
+func is_session_breaked() -> bool:
+	if _active_session_id < 0:
+		return false
+	var session := get_session(_active_session_id)
+	return session != null and session.is_breaked()
+
+
+# Resume a debugger-paused game. EditorDebuggerSession exposes no continue API,
+# but the raw "continue" command is the same wire message the editor's Continue
+# button sends (ScriptEditorDebugger::_put_msg), and the game's RemoteDebugger
+# handles it in its break loop. Returns false when there is nothing to resume.
+func continue_session() -> bool:
+	if _active_session_id < 0:
+		return false
+	var session := get_session(_active_session_id)
+	if session == null or not session.is_breaked():
+		return false
+	session.send_message("continue", [])
+	return true

package/addon/core/mcp_utils.gd

@@ -127,3 +127,174 @@ static func ensure_dir_exists(path: String) -> Error:
 			return ERR_CANT_OPEN
 		return dir.make_dir_recursive(path.trim_prefix("res://"))
 	return DirAccess.make_dir_recursive_absolute(path)
+
+
+# ── project.godot staleness (#245) ────────────────────────────────────────────
+# The editor caches ProjectSettings / InputMap in memory at load. An agent that
+# edits project.godot as a file (batch-writing autoloads / input map) leaves the
+# editor stale: its log fills with phantom "Identifier not found: <autoload>"
+# errors that do not exist at runtime, and its input map is out of date — while
+# spawned games (which read disk fresh at launch) work fine. We detect that by
+# content-diffing the two sections that actually cause the trap, [autoload] and
+# [input], disk vs the editor's in-memory state. Recovery is `godot_editor
+# restart` (#250). A content diff (not an mtime check) is used deliberately: it
+# never false-positives when the editor itself saves project.godot (e.g. the
+# plugin's own startup autoload write), because disk is then written FROM memory.
+
+
+# Pure: diff already-read disk vs in-memory sets. No engine access, so this is
+# unit-testable headless. Autoloads are symmetric (added/removed/value-changed,
+# raw-string compare incl. the "*" singleton prefix). Input is additive-only
+# (actions present on disk but not loaded — the trap); the reverse direction and
+# event values are intentionally ignored (built-in ui_* noise / fragile compares).
+static func diff_project_staleness(
+		disk_autoloads: Dictionary, mem_autoloads: Dictionary,
+		disk_input_keys: Array, mem_input_keys: Array) -> Dictionary:
+	var autoload_added := []
+	var autoload_removed := []
+	var autoload_changed := []
+	for key in disk_autoloads:
+		if not mem_autoloads.has(key):
+			autoload_added.append(key)
+		elif str(disk_autoloads[key]) != str(mem_autoloads[key]):
+			autoload_changed.append(key)
+	for key in mem_autoloads:
+		if not disk_autoloads.has(key):
+			autoload_removed.append(key)
+
+	var mem_input_set := {}
+	for k in mem_input_keys:
+		mem_input_set[k] = true
+	var input_added := []
+	for k in disk_input_keys:
+		if not mem_input_set.has(k):
+			input_added.append(k)
+
+	autoload_added.sort()
+	autoload_removed.sort()
+	autoload_changed.sort()
+	input_added.sort()
+
+	var stale: bool = not (autoload_added.is_empty() and autoload_removed.is_empty()
+		and autoload_changed.is_empty() and input_added.is_empty())
+
+	return {
+		"stale": stale,
+		"autoload": {
+			"added": autoload_added,
+			"removed": autoload_removed,
+			"changed": autoload_changed,
+		},
+		"input": {"added": input_added},
+		"summary": _staleness_summary(autoload_added, autoload_removed, autoload_changed, input_added),
+	}
+
+
+static func _staleness_summary(a_added: Array, a_removed: Array, a_changed: Array, i_added: Array) -> String:
+	var parts := []
+	if not a_added.is_empty():
+		parts.append("%d autoload(s) added on disk (%s)" % [a_added.size(), ", ".join(a_added)])
+	if not a_removed.is_empty():
+		parts.append("%d autoload(s) removed on disk (%s)" % [a_removed.size(), ", ".join(a_removed)])
+	if not a_changed.is_empty():
+		parts.append("%d autoload(s) changed on disk (%s)" % [a_changed.size(), ", ".join(a_changed)])
+	if not i_added.is_empty():
+		parts.append("%d input action(s) added on disk (%s)" % [i_added.size(), ", ".join(i_added)])
+	if parts.is_empty():
+		return "project.godot on disk matches the editor's loaded settings."
+	return ("project.godot was edited on disk after the editor loaded it: %s. The editor's in-memory "
+		+ "settings are stale (its log may show phantom \"Identifier not found\" errors that do not "
+		+ "exist at runtime). Run `godot_editor restart` to reload project.godot (save:false to discard "
+		+ "unsaved editor changes).") % "; ".join(parts)
+
+
+# Editor-context orchestrator. Reads project.godot from disk (a plain text scan,
+# NOT ConfigFile — which would eagerly instantiate the [input] InputEvent
+# sub-objects) and the in-memory ProjectSettings, then diffs. Never throws: any
+# read failure returns {stale=false, note=...} so a transient I/O hiccup can
+# never produce a false "stale" (recovery is disruptive — silence beats crying
+# wolf). The {stale, autoload, input, summary} shape mirrors diff_project_staleness.
+static func detect_project_staleness() -> Dictionary:
+	var disk := _read_disk_project_sections()
+	if disk.is_empty():
+		return {"stale": false, "note": "Could not read res://project.godot to check staleness."}
+
+	var mem := _read_mem_sections()
+	var mem_autoloads: Dictionary = mem["autoload"]
+	var disk_autoloads: Dictionary = disk.get("autoload", {})
+	# A project with autoloads always writes the [autoload] section (the addon
+	# writes its own bridge autoload at startup). If the section is absent, treat
+	# it as "nothing to compare" rather than "everything removed".
+	if not disk.get("has_autoload_section", false):
+		disk_autoloads = mem_autoloads.duplicate()
+
+	return diff_project_staleness(
+		disk_autoloads, mem_autoloads,
+		disk.get("input_keys", []), mem["input_keys"])
+
+
+# Scan project.godot once, section-aware. Returns
+#   { autoload: {Name: "value"}, input_keys: [action,...], has_autoload_section }
+# or {} if the file can't be read. Only [autoload] (name + unquoted value) and
+# [input] (action NAMES only — the InputEvent dicts are never parsed) are read.
+static func _read_disk_project_sections() -> Dictionary:
+	if not FileAccess.file_exists("res://project.godot"):
+		MCPLog.warn("project.godot not found; skipping staleness check")
+		return {}
+	var text := FileAccess.get_file_as_string("res://project.godot")
+	if text.is_empty():
+		MCPLog.warn("Could not read project.godot for staleness check")
+		return {}
+
+	var autoloads := {}
+	var input_keys := []
+	var has_autoload := false
+	var section := ""
+	# A top-level key line: identifier `=` value, at column 0. Dict-body lines of
+	# an [input] action start with `"`/`}`/`]` (or are indented), so they never match.
+	var key_re := RegEx.new()
+	key_re.compile("^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
+
+	for raw in text.split("\n"):
+		var line := raw.strip_edges(false, true)  # trailing only (drops CR / spaces)
+		if line.begins_with("[") and line.ends_with("]"):
+			section = line.substr(1, line.length() - 2)
+			if section == "autoload":
+				has_autoload = true
+			continue
+		if section != "autoload" and section != "input":
+			continue
+		var m := key_re.search(line)
+		if m == null:
+			continue
+		var key := m.get_string(1)
+		if section == "autoload":
+			autoloads[key] = _unquote(m.get_string(2))
+		elif not key.begins_with("ui_"):
+			input_keys.append(key)
+
+	return {"autoload": autoloads, "input_keys": input_keys, "has_autoload_section": has_autoload}
+
+
+# Single pass over ProjectSettings (it carries hundreds of entries) collecting
+# both the in-memory autoloads ({Name: value}) and the non-builtin input action
+# names. Returns { autoload: Dictionary, input_keys: Array }.
+static func _read_mem_sections() -> Dictionary:
+	var autoloads := {}
+	var input_keys := []
+	for prop in ProjectSettings.get_property_list():
+		var pname: String = prop["name"]
+		if pname.begins_with("autoload/"):
+			autoloads[pname.substr(9)] = str(ProjectSettings.get_setting(pname, ""))
+		elif pname.begins_with("input/"):
+			var action := pname.substr(6)
+			if not action.begins_with("ui_"):
+				input_keys.append(action)
+	return {"autoload": autoloads, "input_keys": input_keys}
+
+
+static func _unquote(s: String) -> String:
+	var t := s.strip_edges()
+	if t.length() >= 2 and t.begins_with("\"") and t.ends_with("\""):
+		return t.substr(1, t.length() - 2)
+	return t

package/addon/game_bridge/mcp_exec_guard.gd

@@ -0,0 +1,225 @@
+extends RefCounted
+class_name MCPExecGuard
+
+## Pure helpers behind godot_exec (#243): the static denylist scan and the
+## function-body wrapper that turn agent-provided GDScript into something the
+## game bridge can compile and run. No engine-state access — everything here is
+## headless-testable (test/exec_guard_headless_test.gd).
+##
+## The scan is an ACCIDENT GUARD, not a security boundary: GDScript cannot be
+## sandboxed, and a determined author can trivially evade a token scan (string-
+## built calls, indirection). Its job is to stop a well-meaning agent from
+## casually reaching outside the game process (spawning processes, writing
+## files, persisting project damage) — the threat model of local dev tooling
+## where the agent already has shell access anyway.
+
+# Tokens that reach outside the game process or persist damage to disk.
+# Granularity rationale:
+#  - OS.* spawn/kill/shell methods individually (the rest of OS is harmless and
+#    frequently legitimate: get_ticks, environment reads, ...).
+#  - DirAccess whole-class: every directory mutation lives there; losing
+#    read-only listing is acceptable collateral.
+#  - FileAccess at the WRITE-constant level: any direct write-mode open must
+#    name one of these constants, while read access (loading a save file to
+#    inspect it) stays available — which is why FileAccess is not class-blocked.
+#  - ResourceSaver whole-class: writes res:// and user:// resources.
+#  - EditorInterface: belt-and-suspenders; not normally reachable from a game.
+const DENYLIST: Array[String] = [
+	"OS.execute",
+	"OS.execute_with_pipe",
+	"OS.create_process",
+	"OS.create_instance",
+	"OS.kill",
+	"OS.shell_open",
+	"OS.shell_show_in_file_manager",
+	"OS.move_to_trash",
+	"DirAccess",
+	"FileAccess.WRITE",
+	"FileAccess.READ_WRITE",
+	"FileAccess.WRITE_READ",
+	"ResourceSaver",
+	"ProjectSettings.save",
+	"ProjectSettings.save_custom",
+	"EditorInterface",
+]
+
+# Wrapped user code must compile under projects that escalate warnings to
+# errors, and snippets legitimately ignore parameters, shadow autoload names,
+# discard return values, etc. An invalid warning name here is itself a parse
+# error — pinned by the headless compile test on the Godot version in use.
+const WRAPPER_WARNING_IGNORES := "@warning_ignore(\"unused_parameter\", \"shadowed_global_identifier\", \"shadowed_variable\", \"shadowed_variable_base_class\", \"standalone_expression\", \"return_value_discarded\", \"unused_variable\", \"unreachable_code\", \"integer_division\")"
+
+
+## Scan agent-provided source BEFORE compiling. Comments and string contents
+## are stripped first, so `print("OS.execute")` passes while `OS.execute(...)`
+## is caught. Returns {ok: true} or {ok: false, token, message}.
+static func scan_source(source: String) -> Dictionary:
+	var lex := _lex(_normalize(source))
+	var stripped: String = lex["stripped"]
+	if stripped.strip_edges().is_empty():
+		return {
+			"ok": false,
+			"token": "",
+			"message": "NO_CODE: exec source contains no executable code (comments only or empty)",
+		}
+	# Normalize the SCAN copy (never the wrapper input) so the two formatter-
+	# plausible token splits — `OS . execute` and a line continuation after the
+	# dot — still match. Over-matching here only over-blocks, which is the safe
+	# direction for an accident guard.
+	stripped = stripped.replace("\\\n", "")
+	var dot_ws := RegEx.new()
+	dot_ws.compile("\\s*\\.\\s*")
+	stripped = dot_ws.sub(stripped, ".", true)
+	if _token_re("await").search(stripped) != null:
+		return {
+			"ok": false,
+			"token": "await",
+			"message": "SYNC_ONLY: exec source is synchronous-only; 'await' is not allowed. " +
+				"For waiting on game state, compose with godot_game_time step/step_until; " +
+				"for sustained behavior, attach a node under `holder`.",
+		}
+	for token in DENYLIST:
+		if _token_re(token).search(stripped) != null:
+			return {
+				"ok": false,
+				"token": token,
+				"message": "DENIED_TOKEN: source contains '%s' — blocked by the exec denylist " % token +
+					"(an accident guard against process/file-write escape, not a security boundary). " +
+					"Exec is for mutating the running game's state, not the system around it.",
+			}
+	return {"ok": true}
+
+
+## Wrap user source as the body of `_mcp_run(<binding_names>)` on a RefCounted,
+## so bindings are bare names (`G.wave = 5` just works) and multi-statement
+## code with control flow compiles. Lines inside multiline strings are left
+## untouched (prefixing them would corrupt string content); everything else is
+## prefixed with one indent unit matched to the user's own indent character, so
+## the wrapper can never introduce a mixed-tabs-and-spaces parse error.
+static func build_wrapper(source: String, binding_names: PackedStringArray) -> String:
+	var normalized := _normalize(source)
+	var lex := _lex(normalized)
+	var in_string_lines: Array = lex["in_string_lines"]
+	var lines := normalized.split("\n")
+	var indent := _detect_indent_unit(lines, in_string_lines, lex["in_bracket_lines"])
+	var body: Array = []
+	for i in lines.size():
+		var line: String = lines[i]
+		var starts_in_string: bool = in_string_lines[i] if i < in_string_lines.size() else false
+		if starts_in_string or line.strip_edges().is_empty():
+			body.append(line)
+		else:
+			body.append(indent + line)
+	return "extends RefCounted\n\n%s\nfunc _mcp_run(%s):\n%s\n" % [
+		WRAPPER_WARNING_IGNORES,
+		", ".join(binding_names),
+		"\n".join(body),
+	]
+
+
+static func _normalize(source: String) -> String:
+	return source.replace("\r\n", "\n").replace("\r", "\n")
+
+
+static func _token_re(token: String) -> RegEx:
+	# Word-boundary match so `OS.execute` does not hit `MyOS.executed` — and,
+	# because `_` is a word character, `OS.execute` does NOT match
+	# `OS.execute_with_pipe` (which has its own entry).
+	var re := RegEx.new()
+	re.compile("\\b%s\\b" % token.replace(".", "\\."))
+	return re
+
+
+## One lexical pass tracking string/comment/bracket state. Returns:
+##   stripped:         source with comments removed and string CONTENTS removed
+##                     (quotes kept), line structure preserved — the scan target
+##   in_string_lines:  per line, whether it STARTS inside a (triple-quoted)
+##                     string — those lines must not be indent-prefixed
+##   in_bracket_lines: per line, whether it STARTS inside an open ()/[]/{} —
+##                     bracket interiors have free-form indentation, so these
+##                     lines must not drive indent-unit detection
+## Known accepted miss: raw strings (r"...") treat backslash as an escape here
+## though GDScript does not — the failure mode is over-blocking or an honest
+## compile error, never silent corruption.
+static func _lex(source: String) -> Dictionary:
+	var stripped := ""
+	var in_string_lines: Array = [false]
+	var in_bracket_lines: Array = [false]
+	var quote := ""  # active quote: '"', "'", '"""', or "'''"
+	var depth := 0  # open-bracket depth, tracked outside strings/comments
+	var i := 0
+	var n := source.length()
+	while i < n:
+		var c := source[i]
+		if quote != "":
+			if c == "\n":
+				stripped += "\n"
+				in_string_lines.append(true)
+				in_bracket_lines.append(depth > 0)
+				i += 1
+			elif c == "\\":
+				# An escaped char never ends the string — but an escaped
+				# NEWLINE (a line continuation inside the string) still starts
+				# a new physical line. Record it, or every following line would
+				# be mis-indexed and build_wrapper would prefix indent into the
+				# string's runtime value: silent corruption.
+				if i + 1 < n and source[i + 1] == "\n":
+					stripped += "\n"
+					in_string_lines.append(true)
+					in_bracket_lines.append(depth > 0)
+				i += 2
+			elif source.substr(i, quote.length()) == quote:
+				stripped += quote
+				i += quote.length()
+				quote = ""
+			else:
+				i += 1
+			continue
+		if c == "#":
+			while i < n and source[i] != "\n":
+				i += 1
+			continue
+		if c == "\"" or c == "'":
+			quote = c.repeat(3) if source.substr(i, 3) == c.repeat(3) else c
+			stripped += quote
+			i += quote.length()
+			continue
+		if c == "(" or c == "[" or c == "{":
+			depth += 1
+		elif c == ")" or c == "]" or c == "}":
+			depth = maxi(0, depth - 1)
+		if c == "\n":
+			stripped += "\n"
+			in_string_lines.append(false)
+			in_bracket_lines.append(depth > 0)
+			i += 1
+			continue
+		stripped += c
+		i += 1
+	return {
+		"stripped": stripped,
+		"in_string_lines": in_string_lines,
+		"in_bracket_lines": in_bracket_lines,
+	}
+
+
+static func _detect_indent_unit(lines: PackedStringArray, in_string_lines: Array, in_bracket_lines: Array) -> String:
+	# Match the user's indent character: GDScript rejects mixed tabs/spaces in
+	# one indentation run, so the wrapper prefix must agree with the body. Four
+	# spaces composes with any space width (nesting only has to increase).
+	# Bracket-continuation lines are skipped: their indentation is free-form
+	# (a space-aligned array literal in otherwise tab-indented code is legal),
+	# so they must not decide the prefix for real block lines.
+	for i in lines.size():
+		if i < in_string_lines.size() and in_string_lines[i]:
+			continue
+		if i < in_bracket_lines.size() and in_bracket_lines[i]:
+			continue
+		var line := lines[i]
+		if line.strip_edges().is_empty():
+			continue
+		if line.begins_with("\t"):
+			return "\t"
+		if line.begins_with(" "):
+			return "    "
+	return "\t"

package/addon/game_bridge/mcp_exec_guard.gd.uid

@@ -0,0 +1 @@
+uid://cdscqjpsiv412