@semalt-ai/code 1.19.0 → 1.20.1

package/test/permission-flush.test.js

@@ -0,0 +1,302 @@
+'use strict';
+
+// Permission-prompt flush — open file/web activity groups must be committed to
+// scrollback when a permission-gated (effectful) tool triggers a prompt, NOT
+// left rendering LIVE in the writer's activity region beside the modal.
+//
+// Root cause this guards: the agent loop asks permission BEFORE onToolStart
+// (agent.js), so onToolStart's "flush the other group before this non-groupable
+// op" step is sequenced AFTER the modal and cannot fire while it is open. The fix
+// adds an unconditional flush of both trackers at the TOP of the onPermissionAsk
+// handler (chat-turn.js). This is safe because groupable tools (read_file /
+// list_dir) are read-only with a NULL permission descriptor, so onPermissionAsk
+// never fires for them — by the time it fires the prompting tool is non-groupable.
+//
+// Tests drive the REAL createTurnHandler callbacks (same harness shape as
+// file-activity.test.js / web-activity-ordering.test.js), simulating the
+// loop's onPermissionAsk → (grant ⇒ onToolStart/onToolEnd | deny ⇒ nothing)
+// sequence by hand.
+
+const { test } = require('node:test');
+const assert = require('node:assert');
+
+// Stable colour env for byte comparisons (node:test isolates each file's process).
+process.stdout.isTTY = true;
+delete process.env.NO_COLOR;
+
+const { stripAnsi } = require('../lib/ui/utils');
+const { createTurnHandler } = require('../lib/commands/chat-turn');
+const { TOOL_REGISTRY } = require('../lib/tool_registry');
+
+// ── Live harness: drive the real createTurnHandler callbacks ──────────────────
+// Mirrors file-activity.test.js's harness. Records every committed line in one
+// ordered log so we can assert flush ORDERING (group above the prompting tool).
+function harness(opts) {
+  const events = [];
+  const writerModule = {
+    startActivity() {}, updateActivity() {},
+    endActivity(id, line) {
+      for (const raw of String(line == null ? '' : line).split('\n')) {
+        if (raw === '') continue;
+        events.push({ kind: 'commit', line: stripAnsi(raw) });
+      }
+    },
+    scrollback(line) { events.push({ kind: 'scrollback', line: stripAnsi(String(line)) }); },
+  };
+  const chatHistory = {
+    addMessage(m) { if (m && m.isError) events.push({ kind: 'error-body', output: m.output }); },
+    streamToken() {}, clearStreamingContent() {},
+    deferToolOutput() {}, commitDeferredDetail() {},
+    finalizeLastMessage(content) { if (content && content.trim()) events.push({ kind: 'answer', content }); },
+  };
+  const statusBar = { update() {}, onToken() {}, addPendingTokens() {}, updateMetrics() {}, setCost() {} };
+  const inputField = { on() {}, removeListener() {}, releaseNavigation() {}, setDisabled() {} };
+
+  let scenario = async () => {};
+  const runAgentLoop = async (messages, model, maxIter, limit, loopOpts) => {
+    await scenario(loopOpts.callbacks);
+    return { messages, metrics: { turns: [] }, withheldActions: [] };
+  };
+
+  const ctx = {
+    inputField, statusBar, chatHistory, writerModule, runAgentLoop,
+    getConfig: () => ({ auth_token: 'tok', max_iterations: 50, show_cost: false, system_prompt_mode: 'system_role' }),
+    approxTokens: () => 0,
+    resolveCommand: () => null,
+    opts: {},
+    TAG_REGISTRY: {},
+    collapseListMsg() {}, handlePendingSelection() {}, showPendingStep() {},
+    activateNavCapture() {}, finalizeListMsg() {},
+    createChatIfNeeded: async () => {}, saveTurnToDashboard: async () => {}, saveSession() {},
+    messages: [], currentModel: 'm', debugMode: (opts && opts.debugMode) || false, pendingImages: [],
+    chatSync: async () => '', resolvedSystemPrompt: '', resolvedTokenLimit: null, planMode: false,
+  };
+
+  const handler = createTurnHandler(ctx, {});
+  return { events, handler, setScenario: (fn) => { scenario = fn; } };
+}
+
+// One fully-successful groupable file op (read / list_dir).
+function fileOp(cb, tag, path, bytes) {
+  cb.onToolStart(tag, path, { id: `${tag}-${path}`, attrs: { path } });
+  cb.onToolEnd(tag, 'contents', 5, { id: `${tag}-${path}`, attrs: { path }, meta: { bytes: bytes || 10 }, error: null });
+}
+
+// One fully-successful web op (http_get) — leaves the web group OPEN (it only
+// flushes on a non-web tool start, terminal narration, or turn end).
+function webOp(cb, url) {
+  cb.onToolStart('http_get', url, { id: `g-${url}`, attrs: { url } });
+  cb.onToolEnd('http_get', {}, 120, { id: `g-${url}`, attrs: { url }, meta: { status_code: 200, bytes: 1000 }, error: null });
+}
+
+const commits = (events) => events.filter((e) => e.kind === 'commit');
+const fileSummaries = (events) => commits(events).filter((e) => /file .* explored ×\d+/.test(e.line));
+const webSummaries = (events) => commits(events).filter((e) => / web /.test(e.line) && /source/.test(e.line));
+
+// ───────────────────────────────────────────────────────────────────────────
+// (a) 2-read group (below threshold) + permission-gated write_file → the group
+//     flushes as TWO individual lines at onPermissionAsk, BEFORE the prompt; no
+//     stale live group remains during the modal. (grant path)
+// ───────────────────────────────────────────────────────────────────────────
+test('(a) <3 file group flushes as individual lines at onPermissionAsk, above the prompting tool', async () => {
+  const h = harness();
+  let commitsAtAsk = -1;
+  h.setScenario(async (cb) => {
+    cb.onAssistantMessage('');
+    fileOp(cb, 'read', '/a.js');
+    fileOp(cb, 'read', '/b.js');
+    // Effectful tool triggers a permission prompt — fires BEFORE onToolStart.
+    cb.onPermissionAsk('write_file', '/out.js');
+    commitsAtAsk = commits(h.events).length;            // snapshot at the ask
+    // Grant → the tool now starts and ends.
+    cb.onToolStart('write_file', '/out.js', { id: 'w1', attrs: { path: '/out.js' } });
+    cb.onToolEnd('write_file', 'ok', 4, { id: 'w1', attrs: { path: '/out.js' }, meta: { bytes: 3 }, error: null });
+    cb.onAssistantMessage('done');
+  });
+  await h.handler('two reads then a write');
+
+  // The two reads were committed at the moment the prompt opened — not stranded.
+  assert.strictEqual(commitsAtAsk, 2, 'both read lines committed AT onPermissionAsk, before the modal');
+  assert.strictEqual(fileSummaries(h.events).length, 0, 'a 2-op group stays individual lines (no summary)');
+  const reads = commits(h.events).filter((e) => /read \//.test(e.line));
+  assert.strictEqual(reads.length, 2, 'two individual read lines');
+  // Ordering: the read lines land ABOVE the write_file line.
+  const iLastRead = h.events.map((e) => e).reduce((acc, e, i) => (e.kind === 'commit' && /read \//.test(e.line) ? i : acc), -1);
+  const iWrite = h.events.findIndex((e) => e.kind === 'commit' && /out\.js/.test(e.line) && !/read/.test(e.line));
+  assert.ok(iLastRead >= 0 && iWrite >= 0 && iLastRead < iWrite, 'read group commits ABOVE the write_file row');
+});
+
+// ───────────────────────────────────────────────────────────────────────────
+// (b) ≥3-read group + permission-gated write_file → the group flushes as ONE
+//     summary at onPermissionAsk, BEFORE the prompt, above the tool row.
+// ───────────────────────────────────────────────────────────────────────────
+test('(b) ≥3 file group flushes as a summary at onPermissionAsk, above the prompting tool', async () => {
+  const h = harness();
+  let summariesAtAsk = -1;
+  h.setScenario(async (cb) => {
+    cb.onAssistantMessage('');
+    for (let i = 0; i < 3; i++) fileOp(cb, 'read', `/r${i}.js`);
+    cb.onPermissionAsk('write_file', '/out.js');
+    summariesAtAsk = fileSummaries(h.events).length;     // snapshot at the ask
+    cb.onToolStart('write_file', '/out.js', { id: 'w1', attrs: { path: '/out.js' } });
+    cb.onToolEnd('write_file', 'ok', 4, { id: 'w1', attrs: { path: '/out.js' }, meta: { bytes: 3 }, error: null });
+    cb.onAssistantMessage('done');
+  });
+  await h.handler('three reads then a write');
+
+  assert.strictEqual(summariesAtAsk, 1, 'the summary committed AT onPermissionAsk');
+  const s = fileSummaries(h.events);
+  assert.strictEqual(s.length, 1, 'exactly one summary overall');
+  assert.match(s[0].line, /explored ×3/, 'collapsed explored ×3 summary');
+  const iSummary = h.events.findIndex((e) => e.kind === 'commit' && /explored ×3/.test(e.line));
+  const iWrite = h.events.findIndex((e) => e.kind === 'commit' && /out\.js/.test(e.line) && !/read/.test(e.line));
+  assert.ok(iSummary >= 0 && iWrite >= 0 && iSummary < iWrite, 'summary lands ABOVE the write_file row');
+});
+
+// ───────────────────────────────────────────────────────────────────────────
+// (c) open WEB group + permission-gated write_file → the web group flushes at
+//     onPermissionAsk (the IDENTICAL latent gap on the web tracker).
+// ───────────────────────────────────────────────────────────────────────────
+test('(c) open web group flushes at onPermissionAsk, above the prompting tool', async () => {
+  const h = harness();
+  let webAtAsk = -1;
+  h.setScenario(async (cb) => {
+    cb.onAssistantMessage('');
+    webOp(cb, 'https://x.example');                      // web group left OPEN
+    cb.onPermissionAsk('write_file', '/out.js');
+    webAtAsk = webSummaries(h.events).length;            // snapshot at the ask
+    cb.onToolStart('write_file', '/out.js', { id: 'w1', attrs: { path: '/out.js' } });
+    cb.onToolEnd('write_file', 'ok', 4, { id: 'w1', attrs: { path: '/out.js' }, meta: { bytes: 3 }, error: null });
+    cb.onAssistantMessage('done');
+  });
+  await h.handler('a fetch then a write');
+
+  assert.strictEqual(webAtAsk, 1, 'the web summary committed AT onPermissionAsk (latent web gap fixed)');
+  const w = webSummaries(h.events);
+  assert.strictEqual(w.length, 1, 'exactly one web summary');
+  const iWeb = h.events.findIndex((e) => e.kind === 'commit' && / web /.test(e.line) && /source/.test(e.line));
+  const iWrite = h.events.findIndex((e) => e.kind === 'commit' && /out\.js/.test(e.line) && !/web/.test(e.line));
+  assert.ok(iWeb >= 0 && iWrite >= 0 && iWeb < iWrite, 'web summary lands ABOVE the write_file row');
+});
+
+// ───────────────────────────────────────────────────────────────────────────
+// (d) DENIAL path — onToolStart never runs. The group must still be flushed at
+//     onPermissionAsk, not stranded live until the turn-end finally.
+// ───────────────────────────────────────────────────────────────────────────
+test('(d) denial path: the group is flushed at onPermissionAsk, not stranded until the finally', async () => {
+  const h = harness();
+  let commitsAtAsk = -1;
+  h.setScenario(async (cb) => {
+    cb.onAssistantMessage('');
+    for (let i = 0; i < 3; i++) fileOp(cb, 'read', `/r${i}.js`);
+    cb.onPermissionAsk('write_file', '/out.js');
+    commitsAtAsk = fileSummaries(h.events).length;       // snapshot at the ask
+    // DENY: agent.js breaks the loop — NO onToolStart, NO onToolEnd for the tool.
+    cb.onAssistantMessage('I was denied, stopping.');
+  });
+  await h.handler('three reads then a denied write');
+
+  assert.strictEqual(commitsAtAsk, 1, 'the read group was committed AT onPermissionAsk, before deny — not stranded');
+  // And there is exactly one summary in total (the finally flush is a no-op).
+  assert.strictEqual(fileSummaries(h.events).length, 1, 'still exactly one summary after the finally');
+});
+
+// ───────────────────────────────────────────────────────────────────────────
+// (e) DOUBLE-FLUSH guard — onPermissionAsk flush, then the post-grant onToolStart
+//     flush, then the turn-end finally flush all call flush(); the group must
+//     commit EXACTLY ONCE (idempotent isOpen()/groupId===null guard).
+// ───────────────────────────────────────────────────────────────────────────
+test('(e) double-flush guard: onPermissionAsk + onToolStart + finally → exactly one commit', async () => {
+  const h = harness();
+  h.setScenario(async (cb) => {
+    cb.onAssistantMessage('');
+    for (let i = 0; i < 3; i++) fileOp(cb, 'read', `/r${i}.js`);     // ≥3 → one summary line
+    cb.onPermissionAsk('write_file', '/out.js');                     // flush #1 (commits)
+    cb.onToolStart('write_file', '/out.js', { id: 'w1', attrs: { path: '/out.js' } }); // flush #2 (no-op)
+    cb.onToolEnd('write_file', 'ok', 4, { id: 'w1', attrs: { path: '/out.js' }, meta: { bytes: 3 }, error: null });
+    cb.onAssistantMessage('done');                                   // finally flush (no-op)
+  });
+  await h.handler('idempotent double flush');
+
+  const s = fileSummaries(h.events);
+  assert.strictEqual(s.length, 1, 'the group committed EXACTLY once despite three flush() calls');
+  assert.match(s[0].line, /explored ×3/);
+});
+
+// ───────────────────────────────────────────────────────────────────────────
+// (f) INTENTIONAL BEHAVIOR CHANGE (Option b — "fix: flush activity groups before
+//     content-bearing narration for correct ordering").
+//
+//     PREVIOUSLY this test asserted that content-bearing INTERMEDIATE narration
+//     ("Reading a couple more.") did NOT split the group, collapsing all four
+//     reads into one "explored ×4" summary. That ordering was chronologically
+//     WRONG: the narration committed to scrollback ABOVE a still-open group, so
+//     the group's summary later landed BELOW the conclusion it was based on.
+//
+//     NEW behavior: any content-bearing intermediate narration flushes the open
+//     group FIRST, so each sub-group commits ABOVE its narration. A chatty
+//     multi-read run therefore FRAGMENTS into correctly-ordered sub-groups
+//     ("explored ×3" / narration / "explored ×3") instead of one "explored ×6".
+//     This is the deliberate Option-(b) tradeoff — each fragment is chronologically
+//     truthful. (Silent runs with empty interim narration STILL fully collapse —
+//     see narration-ordering.test.js case (b)/(g).)
+//
+//     Uses 3 reads per fragment so each crosses GROUP_THRESHOLD and emits a
+//     summary line (a <3 fragment would render individual per-op lines instead).
+// ───────────────────────────────────────────────────────────────────────────
+test('(f) content-bearing interim narration FRAGMENTS the read run into correctly-ordered sub-groups', async () => {
+  const h = harness();
+  h.setScenario(async (cb) => {
+    cb.onAssistantMessage('');                                  // empty pre-tool narration — must NOT flush
+    fileOp(cb, 'read', '/i1a.js');
+    fileOp(cb, 'read', '/i1b.js');
+    fileOp(cb, 'read', '/i1c.js');
+    cb.onAssistantMessage('Reading a couple more.', { terminal: false }); // content-bearing → FLUSHES group #1
+    fileOp(cb, 'read', '/i2a.js');
+    fileOp(cb, 'read', '/i2b.js');
+    fileOp(cb, 'read', '/i2c.js');
+    cb.onAssistantMessage('All read.', { terminal: true });     // terminal → flushes group #2
+    // onPermissionAsk is intentionally never called for this read-only run.
+  });
+  await h.handler('multi-iteration reads, content-bearing interim narration');
+
+  const s = fileSummaries(h.events);
+  assert.strictEqual(s.length, 2, 'content-bearing interim narration split the run into TWO summaries');
+  assert.match(s[0].line, /explored ×3/, 'first fragment: the three reads before the interim narration');
+  assert.match(s[1].line, /explored ×3/, 'second fragment: the three reads after it');
+
+  // Ordering: each summary lands ABOVE its narration (the Option-(b) guarantee).
+  const iSum1 = h.events.findIndex((e) => e.kind === 'commit' && /explored ×3/.test(e.line));
+  const iNarr1 = h.events.findIndex((e) => e.kind === 'answer' && e.content === 'Reading a couple more.');
+  const iSum2 = h.events.findIndex((e, idx) => idx > iSum1 && e.kind === 'commit' && /explored ×3/.test(e.line));
+  const iNarr2 = h.events.findIndex((e) => e.kind === 'answer' && e.content === 'All read.');
+  assert.ok(iSum1 >= 0 && iNarr1 > iSum1, 'group #1 commits ABOVE the interim narration');
+  assert.ok(iSum2 > iNarr1 && iNarr2 > iSum2, 'group #2 commits below the interim narration and ABOVE the terminal answer');
+});
+
+// ───────────────────────────────────────────────────────────────────────────
+// (g) read_file / list_dir have NULL permission descriptors → onPermissionAsk is
+//     never invoked for them, so the unconditional flush can never wrongly break
+//     an in-progress read/list group. (Groupable ⇒ null descriptor invariant.)
+// ───────────────────────────────────────────────────────────────────────────
+test('(g) read_file and list_dir have null permission descriptors (groupable ⇒ never reaches onPermissionAsk)', async () => {
+  const byTag = (t) => TOOL_REGISTRY.find((e) => Array.isArray(e.tags) && e.tags.includes(t));
+  const readEntry = byTag('read_file');
+  const listEntry = byTag('list_dir');
+  const writeEntry = byTag('write_file');
+
+  assert.ok(readEntry && typeof readEntry.permission === 'function', 'read_file entry present with a permission fn');
+  assert.ok(listEntry && typeof listEntry.permission === 'function', 'list_dir entry present with a permission fn');
+  assert.ok(writeEntry && typeof writeEntry.permission === 'function', 'write_file entry present with a permission fn');
+
+  // Groupable read-only tools: null descriptor → the loop's askGate is false →
+  // onPermissionAsk is NOT invoked for them.
+  assert.strictEqual(readEntry.permission({}, ['/a.js']), null, 'read_file descriptor is null');
+  assert.strictEqual(listEntry.permission({}, ['/d']), null, 'list_dir descriptor is null');
+
+  // Contrast: write_file (the prompting tool above) returns a NON-null descriptor.
+  // (_uiActive:true skips the headless diff branch, which would touch ctx.writer.)
+  const writeDesc = await writeEntry.permission({ _uiActive: true }, ['/out.js', 'x']);
+  assert.ok(writeDesc && typeof writeDesc === 'object' && writeDesc.tag === 'write_file',
+    'write_file returns a non-null permission descriptor');
+});

package/test/permissions.test.js

@@ -16,6 +16,8 @@ const {
   TIER_NET,
   TIER_SYS,
 } = require('../lib/permissions');
+const dbg = require('../lib/debug');
+const { loadRuleLayers } = require('../lib/permission-rules');
 
 // Minimal ui: interactiveSelect throws so any accidental fall-through to the
 // interactive path fails loudly instead of hanging on stdin.
@@ -155,6 +157,203 @@ test('clear() resets auto-approve-all back to the gated state', async () => {
   assert.strictEqual(pm.state.sessionApprovedTags.size, 0);
 });
 
+// ── Per-command auto-approve line is gone by default; grant line stays once,
+//    debug breadcrumb preserved. (Drop the redundant "Auto-approved" line.) ──
+
+// uiCallbacks that record every committed system message so we can assert the
+// absence of a per-command "Auto-approved" line and the presence of the
+// one-time grant line.
+function recordingUICallbacks(actions = []) {
+  const messages = [];
+  return {
+    messages,
+    onShowModal: () => {},
+    onCloseModal: () => {},
+    onAddMessage: (m) => { messages.push(m); },
+    onCaptureNavigation: (handler) => {
+      setImmediate(() => { for (const a of actions) handler(a); });
+      return () => {};
+    },
+  };
+}
+
+function autoApprovedMessages(messages) {
+  return messages.filter((m) => typeof m.content === 'string' && m.content.includes('Auto-approved'));
+}
+
+test('default: an auto-approved command emits NO per-command "Auto-approved" line', async () => {
+  // exec tier pre-approves the `exec` tag → askPermission auto-approves without
+  // a prompt and would have called _emitAutoApproved.
+  const pm = createPermissionManager(uiStub, { allowedTiers: ['exec'] });
+  const cb = recordingUICallbacks();
+  pm.setUICallbacks(cb);
+
+  assert.strictEqual(await pm.askPermission('exec', 'git status', 'exec'), true);
+  assert.strictEqual(await pm.askPermission('exec', 'ls -la', 'exec'), true);
+
+  assert.deepStrictEqual(
+    autoApprovedMessages(cb.messages),
+    [],
+    'no per-command "Auto-approved: <cmd>" line should reach scrollback by default',
+  );
+});
+
+test('default: --dangerously-skip-permissions auto-approves with no per-command line', async () => {
+  const pm = createPermissionManager(uiStub, { skipPermissions: true });
+  const cb = recordingUICallbacks();
+  pm.setUICallbacks(cb);
+
+  assert.strictEqual(await pm.askPermission('exec', 'rm -rf build', 'exec'), true);
+  assert.deepStrictEqual(autoApprovedMessages(cb.messages), []);
+});
+
+test('uniform across tools: a non-shell auto-approved tool emits no per-command line', async () => {
+  const pm = createPermissionManager(uiStub, { allowedTiers: ['fs', 'net'] });
+  const cb = recordingUICallbacks();
+  pm.setUICallbacks(cb);
+
+  assert.strictEqual(await pm.askPermission('file', 'write src/a.js', 'write_file'), true);
+  assert.strictEqual(await pm.askPermission('net', 'fetch https://x', 'http_get'), true);
+
+  assert.deepStrictEqual(autoApprovedMessages(cb.messages), []);
+});
+
+test('the one-time grant line still fires exactly once at "always", not per command', async () => {
+  await withTTY(async () => {
+    const pm = createPermissionManager(uiStub, {});
+    const cb = recordingUICallbacks(['next', 'select']); // Yes → Always
+    pm.setUICallbacks(cb);
+
+    // First call: interactive → "Always" grant.
+    assert.strictEqual(await pm.askPermission('exec', 'run once', 'exec'), true);
+    // Subsequent calls: auto-approved by the remembered tag (no modal).
+    assert.strictEqual(await pm.askPermission('exec', 'run twice', 'exec'), true);
+    assert.strictEqual(await pm.askPermission('exec', 'run thrice', 'exec'), true);
+
+    const grants = cb.messages.filter(
+      (m) => typeof m.content === 'string' && m.content.includes('Auto-approve enabled for'),
+    );
+    assert.strictEqual(grants.length, 1, 'grant line fires exactly once at grant time');
+    assert.deepStrictEqual(
+      autoApprovedMessages(cb.messages),
+      [],
+      'no per-command "Auto-approved" line on the subsequent auto-approved commands',
+    );
+  });
+});
+
+test('--debug: the per-command auto-approve detail is preserved (incl. rule/skip context)', async () => {
+  // In simple (--debug) mode dbg.log routes synchronously to writer.scrollback;
+  // capture it to assert the breadcrumb (with rule context) is preserved.
+  const writer = require('../lib/ui/writer');
+  const origScrollback = writer.scrollback;
+  const captured = [];
+  writer.scrollback = (s) => { captured.push(String(s)); };
+  dbg.init({ debug: true });
+  try {
+    // A per-pattern `allow` rule auto-approves and embeds its `[rule: …]`
+    // context into the description handed to _emitAutoApproved.
+    const layers = loadRuleLayers(
+      { permissions: { rules: [{ tool: 'exec', match: '*', action: 'allow' }] } },
+      null,
+      null,
+    );
+    const pm = createPermissionManager(uiStub, { rules: layers, cwd: process.cwd() });
+    const cb = recordingUICallbacks();
+    pm.setUICallbacks(cb);
+
+    const verdict = pm.resolveRule(['exec', 'git status']);
+    assert.strictEqual(verdict.decision, 'allow', 'rule should resolve to allow');
+    assert.strictEqual(await pm.askPermission('exec', 'git status', 'exec', verdict), true);
+
+    // The per-command breadcrumb does NOT pollute the chat UI surface — it goes
+    // only to debug output.
+    assert.deepStrictEqual(autoApprovedMessages(cb.messages), []);
+
+    const breadcrumb = captured.find((s) => s.includes('auto-approved:'));
+    assert.ok(breadcrumb, 'debug output carries the per-command auto-approve breadcrumb');
+    assert.match(breadcrumb, /\[rule/, 'rule context preserved in debug detail');
+    assert.match(breadcrumb, /git status/, 'the command/description preserved in debug detail');
+  } finally {
+    dbg.close();
+    writer.scrollback = origScrollback;
+  }
+});
+
+// ── D1 (Output Refactor Phase 2): the permission close-summary is gone ──
+//
+// When a tool is manually approved, the modal close used to commit a redundant
+// `✓ shell: ls` / `✓ file: Edit line N` summary line to scrollback — fully
+// duplicating the execution result line that follows. That echo is removed:
+// the result line (emitted by the agent loop, not the permission gate) is the
+// SINGLE post-execution confirmation, so manual-approve now matches auto-approve.
+
+// Callbacks that record both committed system messages AND any post-close
+// summary string handed to onCloseModal, so we can assert the summary is absent.
+function recordingModalCallbacks(actions = []) {
+  const messages = [];
+  const closeSummaries = [];
+  return {
+    messages,
+    closeSummaries,
+    onShowModal: () => {},
+    onCloseModal: (summary) => { if (summary !== undefined) closeSummaries.push(summary); },
+    onAddMessage: (m) => { messages.push(m); },
+    onCaptureNavigation: (handler) => {
+      setImmediate(() => { for (const a of actions) handler(a); });
+      return () => {};
+    },
+  };
+}
+
+test('D1: a manually-approved (Yes) call emits no close-summary line', async () => {
+  await withTTY(async () => {
+    const pm = createPermissionManager(uiStub, {});
+    const cb = recordingModalCallbacks(['select']); // Yes
+    pm.setUICallbacks(cb);
+    assert.strictEqual(await pm.askPermission('shell', 'ls', 'exec'), true);
+    assert.deepStrictEqual(cb.closeSummaries, [], 'no close-summary committed to scrollback');
+    assert.deepStrictEqual(cb.messages, [], 'plain Yes commits nothing to scrollback');
+  });
+});
+
+test('D1: a denied (Esc → No) call also emits no close-summary line', async () => {
+  await withTTY(async () => {
+    const pm = createPermissionManager(uiStub, {});
+    const cb = recordingModalCallbacks(['cancel']); // Esc → No
+    pm.setUICallbacks(cb);
+    assert.strictEqual(await pm.askPermission('file', 'write src/a.js', 'write_file'), false);
+    assert.deepStrictEqual(cb.closeSummaries, [], 'no close-summary on denial either');
+  });
+});
+
+test('D1 parity: manual-approve (Yes) and auto-approve produce identical post-exec output', async () => {
+  // Manual approve: interactive Yes through the modal.
+  const manual = await withTTY(async () => {
+    const pm = createPermissionManager(uiStub, {});
+    const cb = recordingModalCallbacks(['select']); // Yes
+    pm.setUICallbacks(cb);
+    assert.strictEqual(await pm.askPermission('shell', 'ls', 'exec'), true);
+    return { messages: cb.messages, closeSummaries: cb.closeSummaries };
+  });
+
+  // Auto-approve via the exec tier flag: no modal shown at all.
+  const auto = await (async () => {
+    const pm = createPermissionManager(uiStub, { allowedTiers: ['exec'] });
+    const cb = recordingModalCallbacks();
+    pm.setUICallbacks(cb);
+    assert.strictEqual(await pm.askPermission('shell', 'ls', 'exec'), true);
+    return { messages: cb.messages, closeSummaries: cb.closeSummaries };
+  })();
+
+  // Both commit NOTHING post-execution — the result line (emitted by the agent
+  // loop, not the permission gate) is the sole confirmation. This is the proof
+  // the close-summary was pure duplication.
+  assert.deepStrictEqual(manual, { messages: [], closeSummaries: [] });
+  assert.deepStrictEqual(auto, { messages: [], closeSummaries: [] });
+  assert.deepStrictEqual(manual, auto, 'manual-approve == auto-approve post-exec output');
+});
+
 test('permission tiers map the expected tags', () => {
   assert.ok(TIER_EXEC.includes('exec'));
   assert.ok(TIER_FS.includes('write_file') && TIER_FS.includes('read_file'));

package/test/read-paginate.test.js

@@ -11,7 +11,7 @@
 // pathological long lines.
 //
 // Step 0 finding: edit_file is LINE-NUMBER-based (lines[lineNum-1] = content) and
-// replace_in_file is MATCH-based (regex on a search string). A MIX. Decision:
+// replace_in_file is MATCH-based (literal-by-default search string). A MIX. Decision:
 // line numbers are OPTIONAL, default OFF (show_line_numbers). Rationale —
 // replace_in_file (the match-based path) needs raw, copyable line text, so
 // default-off keeps snippets verbatim AND avoids the ~1.7x token tax on every