@semalt-ai/code 1.8.3 → 1.8.5

package/lib/tools.js

@@ -9,6 +9,8 @@ const path = require('path');
 const { spawn } = require('child_process');
 
 const { logToolCall } = require('./audit');
+const { spawnWithGroup, killTreeEscalating } = require('./proc');
+const writer = require('./ui/writer');
 
 const MEMORY_PATH = path.join(os.homedir(), '.semalt-ai', 'memory.json');
 
@@ -22,6 +24,7 @@ function getSkippedOps() { return _skippedOps.slice(); }
 let _uiActive = false;
 function setUIActive(v) { _uiActive = v; }
 function isUIActive() { return _uiActive; }
+// audit: allowed — fires only when TUI is inactive (one-shot non-TUI commands), no live region to protect.
 function _log(...args) { if (!_uiActive) console.log(...args); }
 
 // Reject writes outside the project CWD and in sensitive system/home dirs
@@ -87,7 +90,130 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     return options.length >= 2 ? options : [];
   }
 
-  async function agentExecShell(command) {
+  // Build the permission descriptor for a [action, ...args] call tuple.
+  // Returns null when no permission gate is needed — read-only ops, dry-run
+  // skips, and --readonly blocks short-circuit through the executor's own
+  // error path. When non-null the caller (the agent loop) feeds the three
+  // fields straight into permissionManager.askPermission.
+  //
+  // Side effects, intentionally hosted here so they fire pre-picker:
+  //   - write/append: render the file diff. In CLI mode the diff is
+  //     emitted to scrollback; in TUI mode it's appended to `description`
+  //     so it renders inside the picker bubble.
+  //   - delete_file / move_file: emit a CLI warning line above the picker.
+  // Centralizing these means the executor body stays purely about the
+  // operation itself.
+  async function describePermission(call) {
+    if (!Array.isArray(call) || call.length === 0) return null;
+    const [action, ...args] = call;
+
+    // Dry-run skips the gate for every tool whose executor has a dry-run
+    // early return — asking the user to authorize an op that won't run is
+    // confusing UX. write/append are handled inside their own case so the
+    // diff still renders before the skip. Tools without dry-run support
+    // (delete_file, make_dir, etc.) fall through and get gated normally.
+    if (_dryRun && (action === 'shell' || action === 'exec' || action === 'download' || action === 'http_get')) {
+      return null;
+    }
+
+    // --readonly blocks the op deterministically; no point prompting first.
+    // The executor's own readonlyBlock() check produces the user-facing
+    // error message on the next dispatch step.
+    const READONLY_TAG = {
+      write: 'write_file',
+      append: 'append_file',
+      delete_file: 'delete_file',
+      move_file: 'move_file',
+      copy_file: 'copy_file',
+    };
+    const roTag = READONLY_TAG[action];
+    if (roTag && permissionManager.readonlyBlock(roTag)) return null;
+
+    switch (action) {
+      case 'shell':
+      case 'exec':
+        return { actionType: 'shell', description: args[0] || '', tag: 'exec' };
+
+      case 'write':
+      case 'append': {
+        const filePath = args[0];
+        const content = args[1];
+        const tag = action === 'write' ? 'write_file' : 'append_file';
+
+        let existing = '';
+        try { existing = await fsp.readFile(filePath, 'utf8'); } catch {}
+        const finalContent = action === 'write' ? (content || '') : (existing + (content || ''));
+        const diffOutput = _uiActive
+          ? renderDiff(existing, finalContent, filePath, { inset: DIFF_BUBBLE_INSET })
+          : renderDiff(existing, finalContent, filePath);
+        if (!_uiActive) writer.scrollback(diffOutput);
+
+        // Dry-run renders the diff (above) but skips the picker — the
+        // executor's dry-run early return reports the skip.
+        if (_dryRun) return null;
+
+        let desc = `${action === 'write' ? 'Write' : 'Append to'} ${filePath}`;
+        if (content) desc += ` (${content.length} chars)`;
+        if (_uiActive) desc = `${desc}\n${diffOutput}`;
+        return { actionType: 'file', description: desc, tag };
+      }
+
+      case 'delete_file': {
+        const filePath = args[0];
+        _log(`  ${FG_YELLOW}${BOLD}⚠ Deleting: ${filePath}${RST}`);
+        return { actionType: 'file', description: `Delete ${filePath}`, tag: 'delete_file' };
+      }
+
+      case 'make_dir':
+        return { actionType: 'file', description: `Create directory ${args[0]}`, tag: 'make_dir' };
+
+      case 'remove_dir':
+        return { actionType: 'file', description: `Remove directory ${args[0]}`, tag: 'remove_dir' };
+
+      case 'move_file': {
+        const src = args[0];
+        const dst = args[1];
+        _log(`  ${FG_YELLOW}${BOLD}⚠ Moving: ${src} → ${dst}${RST}`);
+        return { actionType: 'file', description: `Move ${src} to ${dst}`, tag: 'move_file' };
+      }
+
+      case 'copy_file':
+        return { actionType: 'file', description: `Copy ${args[0]} to ${args[1]}`, tag: 'copy_file' };
+
+      case 'edit_file':
+        return { actionType: 'file', description: `Edit line ${args[1]} in ${args[0]}`, tag: 'edit_file' };
+
+      case 'replace_in_file':
+        return { actionType: 'file', description: `Replace in ${args[0]}`, tag: 'replace_in_file' };
+
+      case 'set_env':
+        return { actionType: 'env', description: `Set env ${args[0]}=${args[1] || ''}`, tag: 'set_env' };
+
+      case 'download':
+        return { actionType: 'net', description: `Download ${args[0]}`, tag: 'download' };
+
+      case 'upload':
+        return { actionType: 'file', description: `Upload to ${args[0]}`, tag: 'upload' };
+
+      case 'http_get':
+        return { actionType: 'net', description: `HTTP GET ${args[0]}`, tag: 'http_get' };
+
+      // ask_user is a real gate — "do you want me to ask the user this
+      // question?" — separate from the question prompt itself (which is
+      // captureSelect or stdin further down in the executor). Lifted here
+      // so the activity bubble doesn't pre-date grant.
+      case 'ask_user':
+        return { actionType: 'user', description: `Ask user: ${args[0]}`, tag: 'ask_user' };
+
+      case 'store_memory':
+        return { actionType: 'memory', description: `Store memory: ${args[0]}`, tag: 'store_memory' };
+
+      default:
+        return null;
+    }
+  }
+
+  async function agentExecShell(command, options = {}) {
     if (_dryRun) {
       _log(`  ${FG_DARK}[dry-run] $ ${command}${RST}`);
       _skippedOps.push({ category: 'cmd', symbol: '▶', desc: command });
@@ -95,56 +221,102 @@ function createToolExecutor(permissionManager, ui, getConfig) {
       return { exit_code: 0, stdout: '', stderr: 'dry-run: command skipped' };
     }
 
-    const approved = await permissionManager.askPermission('shell', command, 'exec');
-    if (!approved) {
-      logToolCall('exec', { command }, false, 'denied');
-      return { exit_code: -1, stdout: '', stderr: 'Permission denied by user' };
-    }
-
     const cfg = getConfig ? getConfig() : {};
     const timeout = cfg.command_timeout_ms || 30000;
+    const { signal } = options;
 
     return new Promise((resolve) => {
       let child;
       try {
-        child = spawn(command, { shell: true });
+        // spawnWithGroup gives us a process-group leader on POSIX so
+        // killTreeEscalating can reach descendants via -pid. With shell:true
+        // a plain child.kill targets only the sh wrapper, leaving the real
+        // workload (find /, pipelines, etc.) running as orphans.
+        child = spawnWithGroup(spawn, command, [], { shell: true });
       } catch (error) {
         _log(`  ${FG_RED}✗ ${error.message}${RST}`);
         logToolCall('exec', { command }, true, 'error');
         return resolve({ exit_code: -1, stdout: '', stderr: error.message });
       }
+      const startedAt = Date.now();
       let stdout = '';
       let stderr = '';
       let killed = false;
+      let abortedByUser = false;
+
       const timer = setTimeout(() => {
         killed = true;
-        try { child.kill('SIGTERM'); } catch {}
+        killTreeEscalating(child);
       }, timeout);
+
+      let onAbort = null;
+      const detachAbort = () => {
+        if (onAbort && signal) {
+          signal.removeEventListener('abort', onAbort);
+          onAbort = null;
+        }
+      };
+      if (signal) {
+        if (signal.aborted) {
+          abortedByUser = true;
+          killTreeEscalating(child);
+        } else {
+          onAbort = () => {
+            abortedByUser = true;
+            killTreeEscalating(child);
+          };
+          signal.addEventListener('abort', onAbort, { once: true });
+        }
+      }
+
       child.stdout.setEncoding('utf8');
       child.stderr.setEncoding('utf8');
       child.stdout.on('data', (c) => { stdout += c; });
       child.stderr.on('data', (c) => { stderr += c; });
       child.on('error', (error) => {
         clearTimeout(timer);
+        detachAbort();
         _log(`  ${FG_RED}✗ ${error.message}${RST}`);
         logToolCall('exec', { command }, true, 'error');
         resolve({ exit_code: -1, stdout, stderr: stderr || error.message });
       });
-      child.on('close', (code, signal) => {
+      child.on('close', (code, sigName) => {
         clearTimeout(timer);
+        detachAbort();
+        if (abortedByUser) {
+          const elapsed_s = Math.max(0, Math.round((Date.now() - startedAt) / 1000));
+          const note = `[user interrupted after ${elapsed_s}s]`;
+          stderr += (stderr ? '\n' : '') + note;
+          logToolCall('exec', { command }, true, 'aborted');
+          resolve({ exit_code: -1, stdout, stderr, aborted: true, elapsed_s });
+          return;
+        }
         if (killed) stderr += (stderr ? '\n' : '') + `[timed out after ${timeout}ms]`;
-        const exit_code = killed ? -1 : (code != null ? code : (signal ? -1 : 0));
+        const exit_code = killed ? -1 : (code != null ? code : (sigName ? -1 : 0));
         logToolCall('exec', { command }, true, exit_code === 0 ? 'ok' : 'error');
         resolve({ exit_code, stdout, stderr });
       });
     });
   }
 
-  async function agentExecFile(action, ...args) {
+  async function agentExecFile(action, ...rest) {
+    // The trailing arg may be an options object `{ signal }`. Detect and peel
+    // it off so positional args line up with the existing per-action branches.
+    // All real positional args are strings or numbers, so a plain object at
+    // the tail is unambiguously options.
+    let signal = null;
+    let args = rest;
+    const last = rest[rest.length - 1];
+    if (last && typeof last === 'object' && !Array.isArray(last)
+        && Object.getPrototypeOf(last) === Object.prototype) {
+      signal = last.signal || null;
+      args = rest.slice(0, -1);
+    }
     const [arg0 = null, arg1 = null, arg2 = null, arg3 = null] = args;
 
     if (action === 'read') {
       const filePath = arg0;
+      const startedAt = Date.now();
       const stat = await fsp.stat(filePath).catch(() => null);
       if (stat) {
         const cfg = getConfig ? getConfig() : {};
@@ -155,8 +327,12 @@ function createToolExecutor(permissionManager, ui, getConfig) {
           return { error: `File too large: ${kb} KB exceeds max_file_size_kb=${cfg.max_file_size_kb || 512}` };
         }
       }
+      if (signal && signal.aborted) {
+        logToolCall('read_file', { path: filePath }, true, 'aborted');
+        return { aborted: true, elapsed_s: Math.max(0, Math.round((Date.now() - startedAt) / 1000)) };
+      }
       try {
-        const data = await fsp.readFile(filePath, 'utf8');
+        const data = await fsp.readFile(filePath, { encoding: 'utf8', signal: signal || undefined });
         const lines = data.split('\n').length;
         if (lines > 10) {
           _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Read ${filePath} (${lines} lines, ${data.length} chars)${RST}`);
@@ -164,8 +340,12 @@ function createToolExecutor(permissionManager, ui, getConfig) {
           _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Read ${filePath}${RST}`);
         }
         logToolCall('read_file', { path: filePath }, true, 'ok');
-        return { content: data, path: filePath };
+        return { content: data, path: filePath, bytes: Buffer.byteLength(data, 'utf8') };
       } catch (error) {
+        if (error && (error.name === 'AbortError' || error.code === 'ABORT_ERR')) {
+          logToolCall('read_file', { path: filePath }, true, 'aborted');
+          return { aborted: true, elapsed_s: Math.max(0, Math.round((Date.now() - startedAt) / 1000)) };
+        }
         _log(`  ${FG_RED}✗ ${error.message}${RST}`);
         logToolCall('read_file', { path: filePath }, true, 'error');
         return { error: error.message };
@@ -188,23 +368,8 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return _sandboxError(filePath);
       }
 
-      // Read existing content for diff display
-      let existing = '';
-      try { existing = await fsp.readFile(filePath, 'utf8'); } catch {}
-
-      // For append the final state is existing + new content
-      const finalContent = action === 'write' ? (content || '') : (existing + (content || ''));
-
-      // In CLI mode, print the diff inline. In TUI mode, direct stdout writes
-      // collide with the live chat-history/status-bar redraw, so we route the
-      // diff into the permission description instead (where it renders inside
-      // the permission bubble and is safely truncated by MAX_DESC_LINES).
-      const diffOutput = _uiActive
-        ? renderDiff(existing, finalContent, filePath, { inset: DIFF_BUBBLE_INSET })
-        : renderDiff(existing, finalContent, filePath);
-      if (!_uiActive) process.stdout.write(diffOutput + '\n');
-
-      // Dry-run: record the skipped op and return without writing
+      // Dry-run: record the skipped op and return without writing. The diff
+      // was already rendered in describePermission ahead of this dispatch.
       if (_dryRun) {
         const verb = action === 'write' ? 'write' : 'append';
         _skippedOps.push({ category: 'file', symbol: '✎', desc: `${verb} ${filePath}` });
@@ -212,15 +377,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return { status: 'dry-run', message: 'dry-run: write skipped', path: filePath };
       }
 
-      // Permission check — routes through TUI dialog in chat mode, interactiveSelect in legacy CLI mode
-      let desc = `${action === 'write' ? 'Write' : 'Append to'} ${filePath}`;
-      if (content) desc += ` (${content.length} chars)`;
-      if (_uiActive) desc = `${desc}\n${diffOutput}`;
-      const approved = await permissionManager.askPermission('file', desc, tag);
-      if (!approved) {
-        logToolCall(tag, { path: filePath, content }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         const dir = path.dirname(filePath);
         if (dir && dir !== '.') await fsp.mkdir(dir, { recursive: true });
@@ -270,13 +426,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return _sandboxError(filePath);
       }
 
-      _log(`  ${FG_YELLOW}${BOLD}⚠ Deleting: ${filePath}${RST}`);
-
-      const approved = await permissionManager.askPermission('file', `Delete ${filePath}`, 'delete_file');
-      if (!approved) {
-        logToolCall('delete_file', { path: filePath }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         await fsp.unlink(filePath);
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Deleted ${filePath}${RST}`);
@@ -295,11 +444,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         logToolCall('make_dir', { path: dirPath }, false, 'denied');
         return _sandboxError(dirPath);
       }
-      const approved = await permissionManager.askPermission('file', `Create directory ${dirPath}`, 'make_dir');
-      if (!approved) {
-        logToolCall('make_dir', { path: dirPath }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         await fsp.mkdir(dirPath, { recursive: true });
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Created directory ${dirPath}${RST}`);
@@ -318,11 +462,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         logToolCall('remove_dir', { path: dirPath }, false, 'denied');
         return _sandboxError(dirPath);
       }
-      const approved = await permissionManager.askPermission('file', `Remove directory ${dirPath}`, 'remove_dir');
-      if (!approved) {
-        logToolCall('remove_dir', { path: dirPath }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         await fsp.rm(dirPath, { recursive: true, force: true });
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Removed directory ${dirPath}${RST}`);
@@ -350,13 +489,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return _sandboxError(dst);
       }
 
-      _log(`  ${FG_YELLOW}${BOLD}⚠ Moving: ${src} → ${dst}${RST}`);
-
-      const approved = await permissionManager.askPermission('file', `Move ${src} to ${dst}`, 'move_file');
-      if (!approved) {
-        logToolCall('move_file', { src, dst }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         const dstDir = path.dirname(dst);
         if (dstDir && dstDir !== '.') await fsp.mkdir(dstDir, { recursive: true });
@@ -393,11 +525,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return _sandboxError(dst);
       }
 
-      const approved = await permissionManager.askPermission('file', `Copy ${src} to ${dst}`, 'copy_file');
-      if (!approved) {
-        logToolCall('copy_file', { src, dst }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         const dstDir = path.dirname(dst);
         if (dstDir && dstDir !== '.') await fsp.mkdir(dstDir, { recursive: true });
@@ -416,11 +543,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
       const filePath = arg0;
       const lineNum = arg1;
       const newContent = arg2;
-      const approved = await permissionManager.askPermission('file', `Edit line ${lineNum} in ${filePath}`, 'edit_file');
-      if (!approved) {
-        logToolCall('edit_file', { path: filePath, line: lineNum }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         const data = await fsp.readFile(filePath, 'utf8');
         const lines = data.split('\n');
@@ -469,11 +591,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
       const searchStr = arg1;
       const replaceStr = arg2;
       const flags = arg3 || '';
-      const approved = await permissionManager.askPermission('file', `Replace in ${filePath}`, 'replace_in_file');
-      if (!approved) {
-        logToolCall('replace_in_file', { path: filePath, search: searchStr }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         const data = await fsp.readFile(filePath, 'utf8');
         const guardErr = _checkRegexSafety(searchStr, data);
@@ -500,6 +617,7 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'search_files') {
       const pattern = arg0;
       const searchDir = arg1 || '.';
+      const startedAt = Date.now();
       try {
         let regStr = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
         regStr = regStr.replace(/\*\*/g, '\x00');
@@ -510,15 +628,21 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         const matchName = !pattern.includes('/');
         const files = [];
         async function walk(dir, rel) {
+          if (signal && signal.aborted) return;
           let entries;
           try { entries = await fsp.readdir(dir, { withFileTypes: true }); } catch { return; }
           for (const entry of entries) {
+            if (signal && signal.aborted) return;
             const relPath = rel ? `${rel}/${entry.name}` : entry.name;
             if (regex.test(matchName ? entry.name : relPath)) files.push(relPath);
             if (entry.isDirectory()) await walk(path.join(dir, entry.name), relPath);
           }
         }
         await walk(searchDir, '');
+        if (signal && signal.aborted) {
+          logToolCall('search_files', { pattern, dir: searchDir }, true, 'aborted');
+          return { aborted: true, elapsed_s: Math.max(0, Math.round((Date.now() - startedAt) / 1000)) };
+        }
         files.sort();
         _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Found ${files.length} file(s) matching "${pattern}"${RST}`);
         logToolCall('search_files', { pattern, dir: searchDir }, true, 'ok');
@@ -559,11 +683,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'set_env') {
       const varName = arg0;
       const value = arg1 || '';
-      const approved = await permissionManager.askPermission('env', `Set env ${varName}=${value}`, 'set_env');
-      if (!approved) {
-        logToolCall('set_env', { name: varName }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       process.env[varName] = value;
       _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Set env ${varName}${RST}`);
       logToolCall('set_env', { name: varName }, true, 'ok');
@@ -584,12 +703,37 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         fileName = 'download';
       }
       const outPath = path.join(process.cwd(), fileName);
-      const approved = await permissionManager.askPermission('net', `Download ${url}`, 'download');
-      if (!approved) {
-        logToolCall('download', { url }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
+      const startedAt = Date.now();
       return new Promise((resolve) => {
+        let abortedByUser = false;
+        let onAbort = null;
+        let activeReq = null;
+        let activeFile = null;
+        const detachAbort = () => {
+          if (onAbort && signal) {
+            try { signal.removeEventListener('abort', onAbort); } catch {}
+            onAbort = null;
+          }
+        };
+        const finishAborted = () => {
+          fs.unlink(outPath, () => {});
+          logToolCall('download', { url }, true, 'aborted');
+          resolve({ aborted: true, elapsed_s: Math.max(0, Math.round((Date.now() - startedAt) / 1000)) });
+        };
+        if (signal) {
+          if (signal.aborted) {
+            abortedByUser = true;
+            finishAborted();
+            return;
+          }
+          onAbort = () => {
+            abortedByUser = true;
+            try { if (activeReq) activeReq.destroy(new Error('Aborted')); } catch {}
+            try { if (activeFile) activeFile.destroy(); } catch {}
+          };
+          signal.addEventListener('abort', onAbort, { once: true });
+        }
+
         function doDownload(target, redirectsLeft) {
           const proto = target.startsWith('https') ? https : http;
           const req = proto.get(target, (res) => {
@@ -600,27 +744,43 @@ function createToolExecutor(permissionManager, ui, getConfig) {
             if (res.statusCode >= 400) {
               res.resume();
               const msg = `HTTP ${res.statusCode}`;
+              detachAbort();
               _log(`  ${FG_RED}✗ ${msg}${RST}`);
               logToolCall('download', { url }, true, 'error');
               return resolve({ error: msg });
             }
             const file = fs.createWriteStream(outPath);
+            activeFile = file;
             res.pipe(file);
             file.on('finish', () => {
               file.close();
+              detachAbort();
               _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}Downloaded to ${outPath}${RST}`);
               logToolCall('download', { url }, true, 'ok');
               resolve({ status: 'ok', path: outPath });
             });
             file.on('error', (err) => {
+              if (abortedByUser) {
+                detachAbort();
+                finishAborted();
+                return;
+              }
               fs.unlink(outPath, () => {});
+              detachAbort();
               _log(`  ${FG_RED}✗ ${err.message}${RST}`);
               logToolCall('download', { url }, true, 'error');
               resolve({ error: err.message });
             });
           });
+          activeReq = req;
           req.on('error', (err) => {
+            if (abortedByUser) {
+              detachAbort();
+              finishAborted();
+              return;
+            }
             fs.unlink(outPath, () => {});
+            detachAbort();
             _log(`  ${FG_RED}✗ ${err.message}${RST}`);
             logToolCall('download', { url }, true, 'error');
             resolve({ error: err.message });
@@ -628,6 +788,7 @@ function createToolExecutor(permissionManager, ui, getConfig) {
           req.setTimeout(120000, () => {
             req.destroy();
             fs.unlink(outPath, () => {});
+            detachAbort();
             logToolCall('download', { url }, true, 'error');
             resolve({ error: 'Request timeout' });
           });
@@ -643,11 +804,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         logToolCall('upload', { path: filePath }, false, 'denied');
         return _sandboxError(filePath);
       }
-      const approved = await permissionManager.askPermission('file', `Upload to ${filePath}`, 'upload');
-      if (!approved) {
-        logToolCall('upload', { path: filePath }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         const dir = path.dirname(filePath);
         if (dir && dir !== '.') await fsp.mkdir(dir, { recursive: true });
@@ -670,15 +826,37 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         logToolCall('http_get', { url }, false, 'dry-run');
         return { status: 'dry-run', message: 'dry-run: network call skipped' };
       }
-      const approved = await permissionManager.askPermission('net', `HTTP GET ${url}`, 'http_get');
-      if (!approved) {
-        logToolCall('http_get', { url }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       const httpCfg = getConfig ? getConfig() : {};
       const reqTimeoutMs = Math.max(15000, httpCfg.request_timeout_ms || 15000);
       const maxBytes = Math.max(1024, httpCfg.http_fetch_max_bytes || 262144);
+      const startedAt = Date.now();
       return new Promise((resolve) => {
+        let abortedByUser = false;
+        let onAbort = null;
+        let activeReq = null;
+        const detachAbort = () => {
+          if (onAbort && signal) {
+            try { signal.removeEventListener('abort', onAbort); } catch {}
+            onAbort = null;
+          }
+        };
+        const finishAborted = () => {
+          logToolCall('http_get', { url }, true, 'aborted');
+          resolve({ aborted: true, elapsed_s: Math.max(0, Math.round((Date.now() - startedAt) / 1000)) });
+        };
+        if (signal) {
+          if (signal.aborted) {
+            abortedByUser = true;
+            finishAborted();
+            return;
+          }
+          onAbort = () => {
+            abortedByUser = true;
+            try { if (activeReq) activeReq.destroy(new Error('Aborted')); } catch {}
+          };
+          signal.addEventListener('abort', onAbort, { once: true });
+        }
+
         function doGet(target, redirectsLeft) {
           const proto = target.startsWith('https') ? https : http;
           const req = proto.get(target, (res) => {
@@ -704,6 +882,8 @@ function createToolExecutor(permissionManager, ui, getConfig) {
               }
             });
             res.on('end', () => {
+              if (abortedByUser) return;
+              detachAbort();
               const kept = Buffer.concat(bufs);
               const keptBytes = kept.length;
               let body = kept.toString('utf8');
@@ -715,18 +895,29 @@ function createToolExecutor(permissionManager, ui, getConfig) {
               }
               _log(`  ${FG_GREEN}✓${RST} ${FG_GRAY}HTTP GET ${target} (${res.statusCode}, ${totalBytes} bytes${capped ? `, truncated to ${keptBytes}` : ''})${RST}`);
               logToolCall('http_get', { url: target }, true, res.statusCode < 400 ? 'ok' : 'error');
-              resolve({ status_code: res.statusCode, body });
+              // `bytes` is the total transferred payload length (pre-cap);
+              // consumers that want to know the wire size without parsing
+              // the appended truncation note rely on this.
+              resolve({ status_code: res.statusCode, body, bytes: totalBytes });
             });
           });
+          activeReq = req;
           req.on('error', (err) => {
+            if (abortedByUser) {
+              detachAbort();
+              finishAborted();
+              return;
+            }
+            detachAbort();
             _log(`  ${FG_RED}✗ ${err.message}${RST}`);
             logToolCall('http_get', { url: target }, true, 'error');
-            resolve({ error: err.message });
+            resolve({ error: err.message, error_code: err.code });
           });
           req.setTimeout(reqTimeoutMs, () => {
             req.destroy();
+            detachAbort();
             logToolCall('http_get', { url: target }, true, 'error');
-            resolve({ error: 'Request timeout' });
+            resolve({ error: 'Request timeout', error_code: 'ETIMEDOUT' });
           });
         }
         doGet(url, 5);
@@ -735,11 +926,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
 
     if (action === 'ask_user') {
       const question = arg0;
-      const approved = await permissionManager.askPermission('user', `Ask user: ${question}`, 'ask_user');
-      if (!approved) {
-        logToolCall('ask_user', { question }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       const options = _parseNumberedOptions(question);
       if (options.length >= 2) {
         const selected = await permissionManager.captureSelect({ options });
@@ -747,10 +933,12 @@ function createToolExecutor(permissionManager, ui, getConfig) {
         return { question, answer: selected || options[0] };
       }
       if (!process.stdout.isTTY || process.stdin.isRaw) {
-        process.stdout.write(`\n  ${FG_YELLOW}?${RST} ${question}\n  ${DIM}[auto-answering 'y']${RST}\n`);
+        writer.scrollback(`\n  ${FG_YELLOW}?${RST} ${question}\n  ${DIM}[auto-answering 'y']${RST}`);
         logToolCall('ask_user', { question }, true, 'ok');
         return { question, answer: 'y' };
       }
+      // audit: allowed — inline prompt without trailing newline; unreachable when TUI writer is active
+      // (process.stdin.isRaw is true while the TUI input field holds raw mode).
       process.stdout.write(`\n  ${FG_YELLOW}?${RST} ${question}\n  ${FG_GRAY}>${RST} `);
       const buf = Buffer.alloc(4096);
       let input = '';
@@ -770,11 +958,6 @@ function createToolExecutor(permissionManager, ui, getConfig) {
     if (action === 'store_memory') {
       const key = arg0;
       const value = arg1 || '';
-      const approved = await permissionManager.askPermission('memory', `Store memory: ${key}`, 'store_memory');
-      if (!approved) {
-        logToolCall('store_memory', { key }, false, 'denied');
-        return { error: 'Permission denied' };
-      }
       try {
         let mem = {};
         try { mem = JSON.parse(await fsp.readFile(MEMORY_PATH, 'utf8')); } catch {}
@@ -846,6 +1029,7 @@ function createToolExecutor(permissionManager, ui, getConfig) {
   return {
     agentExecFile,
     agentExecShell,
+    describePermission,
   };
 }
 
@@ -865,7 +1049,7 @@ function mapInvokeToCall(toolName, params) {
     case 'delete_file':
       return p.path ? ['delete_file', p.path] : null;
     case 'list_dir':
-      return ['list_dir', p.path || p.dir || '.'];
+      return ['list_dir', p.path || '.'];
     case 'make_dir':
       return p.path ? ['make_dir', p.path] : null;
     case 'remove_dir':
@@ -877,7 +1061,7 @@ function mapInvokeToCall(toolName, params) {
     case 'file_stat':
       return p.path ? ['file_stat', p.path] : null;
     case 'search_files':
-      return ['search_files', p.pattern || p.glob || '*', p.dir || '.'];
+      return ['search_files', p.pattern || '*', p.dir || '.'];
     case 'search_in_file':
       return p.path && p.pattern ? ['search_in_file', p.path, p.pattern] : null;
     case 'replace_in_file':
@@ -910,9 +1094,6 @@ function mapInvokeToCall(toolName, params) {
       return ['system_info'];
     case 'exec':
     case 'shell':
-    case 'run':
-    case 'run_command':
-    case 'bash':
       return p.command ? ['shell', p.command] : null;
     default:
       return null;