@stigmer/runner 3.0.3 → 3.0.4

package/dist/.build-fingerprint

@@ -1 +1 @@
-{"hash":"f39ecbdabee6cf8e","builtAt":"2026-06-10T07:04:09.007Z","fileCount":192}
+{"hash":"af9f8d2d84cef6db","builtAt":"2026-06-10T08:56:06.851Z","fileCount":192}

package/dist/activities/execute-cursor/hook-script.d.ts

@@ -16,12 +16,20 @@
  *    so its ledger is the authoritative record of what was gated this turn
  * 5. Returns { "permission": "allow" } or { "permission": "deny" } on stdout
  *
- * The script is self-contained (no Node.js required) for portability. It uses
- * bash + grep/cut for lightweight JSON field extraction. All policy decisions
- * are pre-computed by the runner into the state file (and into this generated
- * script); the hook only performs mechanical field extraction and string
- * lookups — the policy itself is authored once in TypeScript (approval-policy.ts
- * / approval-state.ts).
+ * Identity extraction runs on the SAME Node.js binary as the runner (its
+ * absolute path — process.execPath — is baked into the script at generation
+ * time), because the identity token must be byte-identical to the one the
+ * runner computes from the parsed stream event. The original grep/cut
+ * extraction is kept only as a best-effort fallback if that binary cannot run:
+ * grep's `"command":"[^"]*"` truncates at the first JSON-escaped quote, so for
+ * a shell command like `printf '%s' "x" > file` the fallback token will NOT
+ * match the runner's — the call is still denied (the gate holds) but the
+ * denial cannot be overlaid onto the real streamed tool call and a grant for
+ * it will not match on reinvocation. All policy decisions are pre-computed by
+ * the runner into the state file (and into this generated script); the hook
+ * only performs mechanical field extraction and string lookups — the policy
+ * itself is authored once in TypeScript (approval-policy.ts /
+ * approval-state.ts).
  *
  * Cross-taxonomy identity (the crux):
  * The preToolUse hook and the SDK event stream name the same operation

package/dist/activities/execute-cursor/hook-script.js

@@ -16,12 +16,20 @@
  *    so its ledger is the authoritative record of what was gated this turn
  * 5. Returns { "permission": "allow" } or { "permission": "deny" } on stdout
  *
- * The script is self-contained (no Node.js required) for portability. It uses
- * bash + grep/cut for lightweight JSON field extraction. All policy decisions
- * are pre-computed by the runner into the state file (and into this generated
- * script); the hook only performs mechanical field extraction and string
- * lookups — the policy itself is authored once in TypeScript (approval-policy.ts
- * / approval-state.ts).
+ * Identity extraction runs on the SAME Node.js binary as the runner (its
+ * absolute path — process.execPath — is baked into the script at generation
+ * time), because the identity token must be byte-identical to the one the
+ * runner computes from the parsed stream event. The original grep/cut
+ * extraction is kept only as a best-effort fallback if that binary cannot run:
+ * grep's `"command":"[^"]*"` truncates at the first JSON-escaped quote, so for
+ * a shell command like `printf '%s' "x" > file` the fallback token will NOT
+ * match the runner's — the call is still denied (the gate holds) but the
+ * denial cannot be overlaid onto the real streamed tool call and a grant for
+ * it will not match on reinvocation. All policy decisions are pre-computed by
+ * the runner into the state file (and into this generated script); the hook
+ * only performs mechanical field extraction and string lookups — the policy
+ * itself is authored once in TypeScript (approval-policy.ts /
+ * approval-state.ts).
  *
  * Cross-taxonomy identity (the crux):
  * The preToolUse hook and the SDK event stream name the same operation
@@ -70,10 +78,41 @@ function buildCategoryCaseArms() {
     const arms = [];
     for (const [category, names] of byCategory) {
         const pattern = names.map((n) => `"${n}"`).join("|");
-        arms.push(`    ${pattern}) CATEGORY="${category}" ;;`);
+        arms.push(`      ${pattern}) CATEGORY="${category}" ;;`);
     }
     return arms.join("\n");
 }
+/**
+ * Build the inline Node.js identity extractor embedded in the hook script.
+ *
+ * Parses the hook's stdin JSON properly (the bash fallback's grep truncates
+ * string values at the first escaped quote) and emits four lines:
+ * tool_name, canonical category, identity token, and MCP name-token. The token
+ * encodings must stay byte-identical to grantToken() in approval-state.ts.
+ *
+ * Authored as a single-quoted bash string, so the JS must not contain single
+ * quotes. The category map and salient field list are baked from
+ * approval-policy.ts — the same source the runner uses — so the two sides can
+ * never disagree.
+ */
+function buildNodeIdentityScript() {
+    const categoryMap = {};
+    for (const [name, category] of getBuiltInGatedCategories()) {
+        categoryMap[name] = category;
+    }
+    const categories = JSON.stringify(categoryMap);
+    const fields = JSON.stringify(SALIENT_ARG_FIELDS);
+    return [
+        `const t=JSON.parse(require("fs").readFileSync(0,"utf8"));`,
+        `const name=typeof t.tool_name==="string"?t.tool_name:"";`,
+        `const cat=(${categories})[name]||"";`,
+        `const a=(t.tool_input&&typeof t.tool_input==="object")?t.tool_input:{};`,
+        `let s="";`,
+        `for(const f of ${fields}){const v=a[f];if(typeof v==="string"&&v){s=v;break;}}`,
+        `const b=(x)=>Buffer.from(x,"utf8").toString("base64");`,
+        `process.stdout.write(name+"\\n"+cat+"\\n"+b(cat+"\\n"+s)+"\\n"+b(name+"\\n"));`,
+    ].join("");
+}
 /**
  * Generates the bash hook script content.
  *
@@ -90,6 +129,7 @@ function buildCategoryCaseArms() {
 export function generateHookScript(stateFilePath, ledgerFilePath) {
     const salientFields = SALIENT_ARG_FIELDS.join(" ");
     const categoryCaseArms = buildCategoryCaseArms();
+    const nodeIdentityScript = buildNodeIdentityScript();
     return `#!/bin/bash
 # Stigmer HITL approval hook for Cursor preToolUse
 # Generated by cursor-runner — do not edit manually.
@@ -103,15 +143,45 @@ set -euo pipefail
 
 INPUT=$(cat)
 
-# Extract tool_name from the hook input JSON. The hook receives PascalCase names
-# (Write/Shell/Delete/Read/...). Every extraction ends with '|| true': under
-# 'set -e' a non-matching grep would otherwise abort the script and emit no
-# decision.
-TOOL_NAME=$(echo "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 || true)
-
 STATE_FILE="${stateFilePath}"
 LEDGER_FILE="${ledgerFilePath}"
 
+# --- Canonical identity: tool_name / category / identity token / MCP token ---
+# Computed by the same Node.js binary that runs the cursor-runner (absolute path
+# baked at generation time) so JSON string values — file paths and especially
+# shell commands containing quotes, newlines, or unicode escapes — decode to the
+# exact bytes the runner sees in the stream event. ELECTRON_RUN_AS_NODE makes
+# the invocation safe when the runner is embedded in an Electron app (where
+# process.execPath is the Electron binary).
+NODE_BIN="${process.execPath}"
+IDENTITY=$(printf '%s' "$INPUT" | ELECTRON_RUN_AS_NODE=1 "$NODE_BIN" -e '${nodeIdentityScript}' 2>/dev/null || true)
+if [ -n "$IDENTITY" ]; then
+  TOOL_NAME=$(printf '%s\\n' "$IDENTITY" | sed -n 1p)
+  CATEGORY=$(printf '%s\\n' "$IDENTITY" | sed -n 2p)
+  TOKEN=$(printf '%s\\n' "$IDENTITY" | sed -n 3p)
+  MCP_TOKEN=$(printf '%s\\n' "$IDENTITY" | sed -n 4p)
+else
+  # Fallback when the Node binary cannot run: grep/cut extraction. Best-effort
+  # only — '"field":"[^"]*"' truncates at the first JSON-escaped quote, so the
+  # token may not match the runner's for values containing escapes. Gating still
+  # holds (deny goes out); only denial correlation and grant precision degrade.
+  # Every extraction ends with '|| true': under 'set -e' a non-matching grep
+  # would otherwise abort the script and emit no decision.
+  TOOL_NAME=$(echo "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 || true)
+  SALIENT=""
+  for field in ${salientFields}; do
+    v=$(echo "$INPUT" | grep -o "\\"$field\\":\\"[^\\"]*\\"" | head -1 | cut -d'"' -f4 || true)
+    if [ -n "$v" ]; then SALIENT="$v"; break; fi
+  done
+  CATEGORY=""
+  case "$TOOL_NAME" in
+${categoryCaseArms}
+      *) CATEGORY="" ;;
+  esac
+  TOKEN=$(printf '%s\\n%s' "$CATEGORY" "$SALIENT" | base64 | tr -d '\\n')
+  MCP_TOKEN=$(printf '%s\\n' "$TOOL_NAME" | base64 | tr -d '\\n')
+fi
+
 # --- Failsafe: missing state file → deny (fail-closed) ---
 if [ ! -f "$STATE_FILE" ]; then
   echo '{"permission":"deny","agent_message":"${APPROVAL_REQUIRED_AGENT_MESSAGE}","user_message":"Tool requires approval: '"$TOOL_NAME"'"}'
@@ -126,22 +196,6 @@ if echo "$STATE" | grep -q '"autoApproveAll":true'; then
   exit 0
 fi
 
-# --- Salient resource value (file path / command), spanning both taxonomies'
-# arg field names (file_path here, path on the stream side). First match wins. ---
-SALIENT=""
-for field in ${salientFields}; do
-  v=$(echo "$INPUT" | grep -o "\\"$field\\":\\"[^\\"]*\\"" | head -1 | cut -d'"' -f4 || true)
-  if [ -n "$v" ]; then SALIENT="$v"; break; fi
-done
-
-# --- Canonical approval category for this hook tool_name (baked from
-# approval-policy.ts). Empty for non-gated tools. ---
-CATEGORY=""
-case "$TOOL_NAME" in
-${categoryCaseArms}
-    *) CATEGORY="" ;;
-esac
-
 # Append a denial record to the ledger. Best-effort: a ledger write failure must
 # never abort the decision (the deny still goes out on stdout). toolName is raw
 # for human-readable debugging; token drives correlation in the runner.
@@ -151,8 +205,6 @@ record_denial() {
 
 # --- 2. Gated built-in tools (category non-empty) ---
 if [ -n "$CATEGORY" ]; then
-  # Canonical identity token: base64("$CATEGORY\\n$SALIENT").
-  TOKEN=$(printf '%s\\n%s' "$CATEGORY" "$SALIENT" | base64 | tr -d '\\n')
   # Reinvocation grant: this exact resource was approved earlier → allow.
   if echo "$STATE" | grep -qF "\\"$TOKEN\\""; then
     echo '{"permission":"allow"}'
@@ -171,7 +223,6 @@ fi
 if echo "$STATE" | grep -q "\\"mcpToolPolicies\\"" && [ -n "$TOOL_NAME" ]; then
   TOOL_POLICY=$(echo "$STATE" | grep -o "\\"$TOOL_NAME\\":{[^}]*}" | head -1 || true)
   if [ -n "$TOOL_POLICY" ] && ! echo "$TOOL_POLICY" | grep -q '"requiresApproval":false'; then
-    MCP_TOKEN=$(printf '%s\\n' "$TOOL_NAME" | base64 | tr -d '\\n')
     if echo "$STATE" | grep -qF "\\"$MCP_TOKEN\\""; then
       echo '{"permission":"allow"}'
       exit 0

package/dist/activities/execute-cursor/hook-script.js.map

@@ -1 +1 @@
-{"version":3,"file":"hook-script.js","sourceRoot":"","sources":["../../../src/activities/execute-cursor/hook-script.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AAEH,OAAO,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,sBAAsB,CAAC;AAErF,MAAM,+BAA+B,GACnC,0EAA0E;IAC1E,6EAA6E;IAC7E,4EAA4E;IAC5E,sCAAsC,CAAC;AAEzC;;;;GAIG;AACH,SAAS,qBAAqB;IAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC/C,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,yBAAyB,EAAE,EAAE,CAAC;QAC3D,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC7C,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjB,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAClC,CAAC;IACD,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3C,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrD,IAAI,CAAC,IAAI,CAAC,OAAO,OAAO,eAAe,QAAQ,MAAM,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACzB,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,aAAqB,EAAE,cAAsB;IAC9E,MAAM,aAAa,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,gBAAgB,GAAG,qBAAqB,EAAE,CAAC;IACjD,OAAO;;;;;;;;;;;;;;;;;;;cAmBK,aAAa;eACZ,cAAc;;;;gDAImB,+BAA+B;;;;;;;;;;;;;;;eAehE,aAAa;;;;;;;;;EAS1B,gBAAgB;;;;;;;;;;;;;;;;;;;;;gDAqB8B,+BAA+B;;;;;;;;;;;;;;;;;;;;;;kDAsB7B,+BAA+B;;;;;;;;;;;CAWhF,CAAC;AACF,CAAC"}
+{"version":3,"file":"hook-script.js","sourceRoot":"","sources":["../../../src/activities/execute-cursor/hook-script.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2DG;AAEH,OAAO,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,sBAAsB,CAAC;AAErF,MAAM,+BAA+B,GACnC,0EAA0E;IAC1E,6EAA6E;IAC7E,4EAA4E;IAC5E,sCAAsC,CAAC;AAEzC;;;;GAIG;AACH,SAAS,qBAAqB;IAC5B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC/C,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,yBAAyB,EAAE,EAAE,CAAC;QAC3D,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC7C,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjB,UAAU,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAClC,CAAC;IACD,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3C,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrD,IAAI,CAAC,IAAI,CAAC,SAAS,OAAO,eAAe,QAAQ,MAAM,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACzB,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,uBAAuB;IAC9B,MAAM,WAAW,GAA2B,EAAE,CAAC;IAC/C,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,yBAAyB,EAAE,EAAE,CAAC;QAC3D,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC;IAC/B,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;IAClD,OAAO;QACL,2DAA2D;QAC3D,0DAA0D;QAC1D,cAAc,UAAU,cAAc;QACtC,yEAAyE;QACzE,WAAW;QACX,kBAAkB,MAAM,wDAAwD;QAChF,wDAAwD;QACxD,gFAAgF;KACjF,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACb,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,aAAqB,EAAE,cAAsB;IAC9E,MAAM,aAAa,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,gBAAgB,GAAG,qBAAqB,EAAE,CAAC;IACjD,MAAM,kBAAkB,GAAG,uBAAuB,EAAE,CAAC;IACrD,OAAO;;;;;;;;;;;;;cAaK,aAAa;eACZ,cAAc;;;;;;;;;YASjB,OAAO,CAAC,QAAQ;2EAC+C,kBAAkB;;;;;;;;;;;;;;;iBAe5E,aAAa;;;;;;EAM5B,gBAAgB;;;;;;;;;gDAS8B,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;gDA2B/B,+BAA+B;;;;;;;;;;;;;;;;;;;;;kDAqB7B,+BAA+B;;;;;;;;;;;CAWhF,CAAC;AACF,CAAC"}

package/dist/activities/execute-cursor/session-lifecycle.d.ts

@@ -56,6 +56,15 @@ export interface ResumeAgentOptions {
     apiKey: string;
     agentId: string;
     sessionId: string;
+    /**
+     * Workspace directories — same as {@link CreateAgentOptions.workspaceDirs}.
+     * NOT persisted across Agent.resume(): without an explicit cwd the SDK falls
+     * back to process.cwd(), which both mis-roots the resumed agent and loads
+     * the "project" setting source (and therefore the HITL approval hook in
+     * .cursor/hooks.json) from the wrong directory — silently disabling the
+     * approval gate on every resumed turn.
+     */
+    workspaceDirs: string[];
     /** Durable workspace volume root; the SDK state store lives under it. */
     workspaceRootDir: string;
     model?: string;

package/dist/activities/execute-cursor/session-lifecycle.js

@@ -129,6 +129,9 @@ export async function createAgent(options) {
  * propagate or fall back to a fresh agent with continuation context.
  */
 export async function resumeAgent(options) {
+    const cwd = options.workspaceDirs.length === 1
+        ? options.workspaceDirs[0]
+        : options.workspaceDirs;
     const platform = resolvePlatformOptions(options.sessionId, options.workspaceRootDir);
     console.log(`resumeAgent: agentId=${options.agentId}, sessionId=${options.sessionId}, ` +
         `workspaceRef=${platform.workspaceRef}, stateRoot=${platform.stateRoot}, ` +
@@ -136,9 +139,13 @@ export async function resumeAgent(options) {
     return Agent.resume(options.agentId, {
         apiKey: options.apiKey,
         model: options.model ? { id: options.model } : undefined,
-        // settingSources are not persisted across resume, so the "project" source
-        // (which loads the HITL approval hook) must be re-supplied every turn.
-        local: { settingSources: [...LOCAL_SETTING_SOURCES] },
+        // Neither cwd nor settingSources survive Agent.resume(); both must be
+        // re-supplied every turn. Omitting cwd makes the SDK fall back to
+        // process.cwd(), which re-roots the agent in the runner's own working
+        // directory and loads the "project" setting source — the .cursor/hooks.json
+        // carrying the HITL approval hook — from that wrong directory, silently
+        // disabling the approval gate on every resumed turn.
+        local: { cwd, settingSources: [...LOCAL_SETTING_SOURCES] },
         mcpServers: options.mcpServers,
         agents: options.agents,
         platform,
@@ -222,6 +229,7 @@ export async function resolveAgent(harnessStateId, options, mode = "local") {
                     apiKey: options.apiKey,
                     agentId: harnessStateId,
                     sessionId: options.sessionId,
+                    workspaceDirs: options.workspaceDirs,
                     workspaceRootDir: options.workspaceRootDir,
                     model: options.model,
                     mcpServers: options.mcpServers,

package/dist/activities/execute-cursor/session-lifecycle.js.map

@@ -1 +1 @@
-{"version":3,"file":"session-lifecycle.js","sourceRoot":"","sources":["../../../src/activities/execute-cursor/session-lifecycle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAIpC,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,oBAAoB,GAAG,2BAA2B,CAAC;AAEzD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,qBAAqB,GAAG,CAAC,SAAS,CAAU,CAAC;AA+FnD,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,sBAAsB,CACpC,SAAiB,EACjB,gBAAwB;IAExB,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,8EAA8E;YAC9E,kFAAkF;YAClF,gFAAgF,CACjF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,iFAAiF;YACjF,gFAAgF,CACjF,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,SAAS,CAAC,CAAC;IAC1E,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,OAAO;QACL,YAAY,EAAE,mBAAmB,SAAS,EAAE;QAC5C,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAA2B;IAC3D,MAAM,GAAG,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC;QAC5C,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC1B,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAE1B,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,OAAO,CAAC,GAAG,CACT,0BAA0B,OAAO,CAAC,SAAS,kBAAkB,QAAQ,CAAC,YAAY,IAAI;QACtF,aAAa,QAAQ,CAAC,SAAS,iBAAiB,OAAO,CAAC,GAAG,EAAE,EAAE,CAChE,CAAC;IAEF,OAAO,KAAK,CAAC,MAAM,CAAC;QAClB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE;QAC5B,KAAK,EAAE,EAAE,GAAG,EAAE,cAAc,EAAE,CAAC,GAAG,qBAAqB,CAAC,EAAE;QAC1D,UAAU,EAAE,OAAO,CAAC,UAAiC;QACrD,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ;KACT,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAA2B;IAC3D,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,OAAO,CAAC,GAAG,CACT,wBAAwB,OAAO,CAAC,OAAO,eAAe,OAAO,CAAC,SAAS,IAAI;QAC3E,gBAAgB,QAAQ,CAAC,YAAY,eAAe,QAAQ,CAAC,SAAS,IAAI;QAC1E,eAAe,OAAO,CAAC,GAAG,EAAE,EAAE,CAC/B,CAAC;IAEF,OAAO,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE;QACnC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS;QACxD,0EAA0E;QAC1E,uEAAuE;QACvE,KAAK,EAAE,EAAE,cAAc,EAAE,CAAC,GAAG,qBAAqB,CAAC,EAAE;QACrD,UAAU,EAAE,OAAO,CAAC,UAAiC;QACrD,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ;KACT,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAgC;IACrE,OAAO,CAAC,GAAG,CACT,+BAA+B,OAAO,CAAC,SAAS,IAAI;QACpD,SAAS,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACtD,CAAC;IAEF,OAAO,KAAK,CAAC,MAAM,CAAC;QAClB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS;QACxD,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE;QAC/B,UAAU,EAAE,OAAO,CAAC,UAAiC;QACrD,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAgC;IACrE,OAAO,CAAC,GAAG,CACT,6BAA6B,OAAO,CAAC,OAAO,EAAE,CAC/C,CAAC;IAEF,OAAO,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE;QACnC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS;QACxD,UAAU,EAAE,OAAO,CAAC,UAAiC;QACrD,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,cAAsB,EACtB,OAAqD,EACrD,OAA0B,OAAO;IAEjC,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,KAAK,OAAO;gBAC5B,CAAC,CAAC,MAAM,gBAAgB,CAAC;oBACrB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,cAAc;oBACvB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB,CAAC;gBACJ,CAAC,CAAC,MAAM,WAAW,CAAC;oBAChB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,cAAc;oBACvB,SAAS,EAAG,OAA8B,CAAC,SAAS;oBACpD,gBAAgB,EAAG,OAA8B,CAAC,gBAAgB;oBAClE,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB,CAAC,CAAC;YAEP,OAAO;gBACL,KAAK;gBACL,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,IAAI;gBACb,IAAI;gBACJ,MAAM,EAAE,sBAAsB;aAC/B,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,CAAC,IAAI,CACV,mCAAmC,IAAI,WAAW,cAAc,KAAK;gBACrE,2CAA2C;gBAC3C,aAAa,OAAO,CAAC,SAAS,YAAY,MAAM,EAAE,CACnD,CAAC;YAEF,MAAM,KAAK,GAAG,IAAI,KAAK,OAAO;gBAC5B,CAAC,CAAC,MAAM,gBAAgB,CAAC,OAAkC,CAAC;gBAC5D,CAAC,CAAC,MAAM,WAAW,CAAC,OAA6B,CAAC,CAAC;YAErD,OAAO,CAAC,GAAG,CACT,0BAA0B,IAAI,kBAAkB;gBAChD,cAAc,cAAc,gBAAgB,KAAK,CAAC,OAAO,IAAI;gBAC7D,aAAa,OAAO,CAAC,SAAS,EAAE,CACjC,CAAC;YAEF,OAAO;gBACL,KAAK;gBACL,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,KAAK,EAAE,IAAI;gBACX,OAAO,EAAE,KAAK;gBACd,IAAI;gBACJ,MAAM,EAAE,8BAA8B;gBACtC,mBAAmB,EAAE,MAAM;aAC5B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,KAAK,OAAO;QAC5B,CAAC,CAAC,MAAM,gBAAgB,CAAC,OAAkC,CAAC;QAC5D,CAAC,CAAC,MAAM,WAAW,CAAC,OAA6B,CAAC,CAAC;IAErD,OAAO;QACL,KAAK;QACL,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,KAAK;QACd,IAAI;QACJ,MAAM,EAAE,yBAAyB;KAClC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAe,EAAE,MAAc;IAChE,IAAI,CAAC;QACH,MAAM,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CACV,kCAAkC,OAAO,GAAG,EAC5C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAC;IACJ,CAAC;AACH,CAAC"}
+{"version":3,"file":"session-lifecycle.js","sourceRoot":"","sources":["../../../src/activities/execute-cursor/session-lifecycle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,KAAK,EAAE,MAAM,aAAa,CAAC;AAIpC,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,oBAAoB,GAAG,2BAA2B,CAAC;AAEzD;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,qBAAqB,GAAG,CAAC,SAAS,CAAU,CAAC;AAwGnD,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,sBAAsB,CACpC,SAAiB,EACjB,gBAAwB;IAExB,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,8EAA8E;YAC9E,kFAAkF;YAClF,gFAAgF,CACjF,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,iFAAiF;YACjF,gFAAgF,CACjF,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,SAAS,CAAC,CAAC;IAC1E,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,OAAO;QACL,YAAY,EAAE,mBAAmB,SAAS,EAAE;QAC5C,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAA2B;IAC3D,MAAM,GAAG,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC;QAC5C,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC1B,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAE1B,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,OAAO,CAAC,GAAG,CACT,0BAA0B,OAAO,CAAC,SAAS,kBAAkB,QAAQ,CAAC,YAAY,IAAI;QACtF,aAAa,QAAQ,CAAC,SAAS,iBAAiB,OAAO,CAAC,GAAG,EAAE,EAAE,CAChE,CAAC;IAEF,OAAO,KAAK,CAAC,MAAM,CAAC;QAClB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE;QAC5B,KAAK,EAAE,EAAE,GAAG,EAAE,cAAc,EAAE,CAAC,GAAG,qBAAqB,CAAC,EAAE;QAC1D,UAAU,EAAE,OAAO,CAAC,UAAiC;QACrD,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ;KACT,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAA2B;IAC3D,MAAM,GAAG,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC;QAC5C,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;QAC1B,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC;IAE1B,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACrF,OAAO,CAAC,GAAG,CACT,wBAAwB,OAAO,CAAC,OAAO,eAAe,OAAO,CAAC,SAAS,IAAI;QAC3E,gBAAgB,QAAQ,CAAC,YAAY,eAAe,QAAQ,CAAC,SAAS,IAAI;QAC1E,eAAe,OAAO,CAAC,GAAG,EAAE,EAAE,CAC/B,CAAC;IAEF,OAAO,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE;QACnC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS;QACxD,sEAAsE;QACtE,kEAAkE;QAClE,sEAAsE;QACtE,4EAA4E;QAC5E,wEAAwE;QACxE,qDAAqD;QACrD,KAAK,EAAE,EAAE,GAAG,EAAE,cAAc,EAAE,CAAC,GAAG,qBAAqB,CAAC,EAAE;QAC1D,UAAU,EAAE,OAAO,CAAC,UAAiC;QACrD,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ;KACT,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,wBAAwB;AACxB,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAgC;IACrE,OAAO,CAAC,GAAG,CACT,+BAA+B,OAAO,CAAC,SAAS,IAAI;QACpD,SAAS,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACtD,CAAC;IAEF,OAAO,KAAK,CAAC,MAAM,CAAC;QAClB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS;QACxD,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE;QAC/B,UAAU,EAAE,OAAO,CAAC,UAAiC;QACrD,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAgC;IACrE,OAAO,CAAC,GAAG,CACT,6BAA6B,OAAO,CAAC,OAAO,EAAE,CAC/C,CAAC;IAEF,OAAO,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE;QACnC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS;QACxD,UAAU,EAAE,OAAO,CAAC,UAAiC;QACrD,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,cAAsB,EACtB,OAAqD,EACrD,OAA0B,OAAO;IAEjC,IAAI,cAAc,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,IAAI,KAAK,OAAO;gBAC5B,CAAC,CAAC,MAAM,gBAAgB,CAAC;oBACrB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,cAAc;oBACvB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB,CAAC;gBACJ,CAAC,CAAC,MAAM,WAAW,CAAC;oBAChB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,cAAc;oBACvB,SAAS,EAAG,OAA8B,CAAC,SAAS;oBACpD,aAAa,EAAG,OAA8B,CAAC,aAAa;oBAC5D,gBAAgB,EAAG,OAA8B,CAAC,gBAAgB;oBAClE,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB,CAAC,CAAC;YAEP,OAAO;gBACL,KAAK;gBACL,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,IAAI;gBACb,IAAI;gBACJ,MAAM,EAAE,sBAAsB;aAC/B,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAChE,OAAO,CAAC,IAAI,CACV,mCAAmC,IAAI,WAAW,cAAc,KAAK;gBACrE,2CAA2C;gBAC3C,aAAa,OAAO,CAAC,SAAS,YAAY,MAAM,EAAE,CACnD,CAAC;YAEF,MAAM,KAAK,GAAG,IAAI,KAAK,OAAO;gBAC5B,CAAC,CAAC,MAAM,gBAAgB,CAAC,OAAkC,CAAC;gBAC5D,CAAC,CAAC,MAAM,WAAW,CAAC,OAA6B,CAAC,CAAC;YAErD,OAAO,CAAC,GAAG,CACT,0BAA0B,IAAI,kBAAkB;gBAChD,cAAc,cAAc,gBAAgB,KAAK,CAAC,OAAO,IAAI;gBAC7D,aAAa,OAAO,CAAC,SAAS,EAAE,CACjC,CAAC;YAEF,OAAO;gBACL,KAAK;gBACL,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,KAAK,EAAE,IAAI;gBACX,OAAO,EAAE,KAAK;gBACd,IAAI;gBACJ,MAAM,EAAE,8BAA8B;gBACtC,mBAAmB,EAAE,MAAM;aAC5B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,KAAK,OAAO;QAC5B,CAAC,CAAC,MAAM,gBAAgB,CAAC,OAAkC,CAAC;QAC5D,CAAC,CAAC,MAAM,WAAW,CAAC,OAA6B,CAAC,CAAC;IAErD,OAAO;QACL,KAAK;QACL,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,KAAK;QACd,IAAI;QACJ,MAAM,EAAE,yBAAyB;KAClC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAe,EAAE,MAAc;IAChE,IAAI,CAAC;QACH,MAAM,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CACV,kCAAkC,OAAO,GAAG,EAC5C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAC;IACJ,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stigmer/runner",
-  "version": "3.0.3",
+  "version": "3.0.4",
   "description": "Embeddable Temporal worker for the Stigmer AI agent platform — handles agent execution, workflow orchestration, and MCP server management",
   "license": "Apache-2.0",
   "type": "module",
@@ -84,7 +84,7 @@
     "@opentelemetry/resources": "^2.0.0",
     "@opentelemetry/sdk-trace-base": "^2.0.0",
     "@opentelemetry/sdk-trace-node": "^2.0.0",
-    "@stigmer/protos": "3.0.3",
+    "@stigmer/protos": "3.0.4",
     "@temporalio/activity": "^1.11.0",
     "@temporalio/client": "^1.11.0",
     "@temporalio/common": "^1.11.0",

package/src/activities/execute-cursor/__tests__/hook-script.test.ts

@@ -146,4 +146,59 @@ d("generated preToolUse hook", () => {
     const h = setup({ noStateFile: true });
     expect(h.decide(hookWrite("/x/a.txt")).permission).toBe("deny");
   });
+
+  // Regression: the original grep-based extraction truncated string values at
+  // the first JSON-escaped character, so a shell command containing double
+  // quotes (e.g. `printf '%s' 'x' > "file"`) produced a ledger token that never
+  // matched the runner's grantToken — the denied call stayed COMPLETED in the
+  // persisted messages and a grant for it was re-denied on reinvocation.
+  // (Observed live in TestCursorHarness_HITL_ResumedTurn_StillGated.)
+  it("records a byte-identical token for commands with quotes, escapes, and newlines", () => {
+    const commands = [
+      'printf \'%s\' \'hello\' > "/tmp/a dir/resumed-gate.txt"',
+      'echo "double \\"nested\\" quotes" && echo done',
+      "line1\nline2\twith\ttabs",
+      'unicode: caf\u00e9 \u2014 emoji \u{1F600}',
+    ];
+    for (const command of commands) {
+      const h = setup({});
+      expect(h.decide(hookShell(command)).permission).toBe("deny");
+      const ledger = h.ledger();
+      expect(ledger).toHaveLength(1);
+      expect(ledger[0].token).toBe(grantToken("shell", command));
+    }
+  });
+
+  it("allows the exact granted shell command even when it contains quotes", () => {
+    const command = 'printf \'%s\' \'hello-resume\' > "/x/resumed-gate.txt"';
+    const id = toolIdentity("shell", "", { command });
+    const h = setup({ grants: [{ toolName: "shell", mcpServerSlug: "", key: id.key, salient: id.salient }] });
+
+    expect(h.decide(hookShell(command)).permission).toBe("allow");
+    // A different command is NOT covered by the grant -> still gated.
+    expect(h.decide(hookShell('rm -rf "/x"')).permission).toBe("deny");
+  });
+
+  it("still denies gated tools via the bash fallback when the Node binary is unavailable", () => {
+    const ws = mkdtempSync(join(tmpdir(), "hook-script-fallback-"));
+    tempDirs.push(ws);
+    const dir = join(ws, ".cursor", "hooks");
+    mkdirSync(dir, { recursive: true });
+    const statePath = join(dir, "state.json");
+    const ledgerPath = join(dir, "denials.jsonl");
+    const scriptPath = join(dir, "hook.sh");
+    // Break the baked Node path to force the grep/cut fallback.
+    const script = generateHookScript(statePath, ledgerPath)
+      .replace(`NODE_BIN="${process.execPath}"`, 'NODE_BIN="/nonexistent/node"');
+    writeFileSync(scriptPath, script, "utf-8");
+    writeFileSync(statePath, JSON.stringify(buildApprovalState(new Map(), false)), "utf-8");
+
+    const raw = execFileSync("bash", [scriptPath], {
+      input: JSON.stringify(hookWrite("/x/a.txt")),
+    }).toString();
+    expect(raw).toContain('"permission":"deny"');
+    const ledger = readFileSync(ledgerPath, "utf-8").split("\n").filter(Boolean).map((l) => JSON.parse(l));
+    expect(ledger).toHaveLength(1);
+    expect(ledger[0].token).toBe(grantToken("write", "/x/a.txt"));
+  });
 });

package/src/activities/execute-cursor/__tests__/session-lifecycle.test.ts

@@ -7,12 +7,20 @@
  * collide. These invariants are correctness-critical, hence the explicit tests.
  */
 
-import { describe, it, expect, afterEach } from "vitest";
+import { describe, it, expect, afterEach, vi } from "vitest";
 import { mkdtempSync, rmSync, existsSync } from "node:fs";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 
-import { resolvePlatformOptions } from "../session-lifecycle.js";
+vi.mock("@cursor/sdk", () => ({
+  Agent: {
+    create: vi.fn(async () => ({ agentId: "agent-created" })),
+    resume: vi.fn(async () => ({ agentId: "agent-resumed" })),
+  },
+}));
+
+import { Agent } from "@cursor/sdk";
+import { resolvePlatformOptions, createAgent, resumeAgent } from "../session-lifecycle.js";
 
 const tempRoots: string[] = [];
 
@@ -63,3 +71,66 @@ describe("resolvePlatformOptions", () => {
     expect(() => resolvePlatformOptions("ses-123", "")).toThrow(/workspaceRootDir is required/);
   });
 });
+
+// ---------------------------------------------------------------------------
+// Workspace binding across create/resume
+//
+// Regression: Agent.resume() does not persist local.cwd. When resumeAgent()
+// omitted it, the SDK fell back to process.cwd() — re-rooting the resumed
+// agent in the runner's own working directory and loading the "project"
+// setting source (the .cursor/hooks.json carrying the HITL approval hook)
+// from that wrong directory. Result: on every resumed turn, file edits and
+// shell commands ran unguarded with no approval card (observed in production
+// execution aex_01ktr5na07f5xtmn0dz3mfjtdp).
+// ---------------------------------------------------------------------------
+
+describe("workspace binding on create/resume", () => {
+  const baseOptions = {
+    apiKey: "key",
+    sessionId: "ses-cwd-test",
+    model: "gpt-test",
+  };
+
+  it("createAgent passes the single workspace dir as local.cwd", async () => {
+    const workspaceRootDir = freshWorkspaceRoot();
+    await createAgent({
+      ...baseOptions,
+      workspaceDirs: ["/work/repo-a"],
+      workspaceRootDir,
+    });
+
+    const callOptions = vi.mocked(Agent.create).mock.calls.at(-1)![0] as any;
+    expect(callOptions.local.cwd).toBe("/work/repo-a");
+    expect(callOptions.local.settingSources).toContain("project");
+  });
+
+  it("resumeAgent re-supplies local.cwd (not persisted by Agent.resume)", async () => {
+    const workspaceRootDir = freshWorkspaceRoot();
+    await resumeAgent({
+      ...baseOptions,
+      agentId: "agent-123",
+      workspaceDirs: ["/work/repo-a"],
+      workspaceRootDir,
+    });
+
+    const [agentId, callOptions] = vi.mocked(Agent.resume).mock.calls.at(-1)! as [string, any];
+    expect(agentId).toBe("agent-123");
+    // The load-bearing assertion: without cwd the SDK re-roots the agent at
+    // process.cwd() and the project HITL hook never loads on resumed turns.
+    expect(callOptions.local.cwd).toBe("/work/repo-a");
+    expect(callOptions.local.settingSources).toContain("project");
+  });
+
+  it("resumeAgent passes multiple workspace dirs as an array cwd", async () => {
+    const workspaceRootDir = freshWorkspaceRoot();
+    await resumeAgent({
+      ...baseOptions,
+      agentId: "agent-456",
+      workspaceDirs: ["/work/repo-a", "/work/repo-b"],
+      workspaceRootDir,
+    });
+
+    const callOptions = vi.mocked(Agent.resume).mock.calls.at(-1)![1] as any;
+    expect(callOptions.local.cwd).toEqual(["/work/repo-a", "/work/repo-b"]);
+  });
+});

package/src/activities/execute-cursor/hook-script.ts

@@ -16,12 +16,20 @@
  *    so its ledger is the authoritative record of what was gated this turn
  * 5. Returns { "permission": "allow" } or { "permission": "deny" } on stdout
  *
- * The script is self-contained (no Node.js required) for portability. It uses
- * bash + grep/cut for lightweight JSON field extraction. All policy decisions
- * are pre-computed by the runner into the state file (and into this generated
- * script); the hook only performs mechanical field extraction and string
- * lookups — the policy itself is authored once in TypeScript (approval-policy.ts
- * / approval-state.ts).
+ * Identity extraction runs on the SAME Node.js binary as the runner (its
+ * absolute path — process.execPath — is baked into the script at generation
+ * time), because the identity token must be byte-identical to the one the
+ * runner computes from the parsed stream event. The original grep/cut
+ * extraction is kept only as a best-effort fallback if that binary cannot run:
+ * grep's `"command":"[^"]*"` truncates at the first JSON-escaped quote, so for
+ * a shell command like `printf '%s' "x" > file` the fallback token will NOT
+ * match the runner's — the call is still denied (the gate holds) but the
+ * denial cannot be overlaid onto the real streamed tool call and a grant for
+ * it will not match on reinvocation. All policy decisions are pre-computed by
+ * the runner into the state file (and into this generated script); the hook
+ * only performs mechanical field extraction and string lookups — the policy
+ * itself is authored once in TypeScript (approval-policy.ts /
+ * approval-state.ts).
  *
  * Cross-taxonomy identity (the crux):
  * The preToolUse hook and the SDK event stream name the same operation
@@ -74,11 +82,43 @@ function buildCategoryCaseArms(): string {
   const arms: string[] = [];
   for (const [category, names] of byCategory) {
     const pattern = names.map((n) => `"${n}"`).join("|");
-    arms.push(`    ${pattern}) CATEGORY="${category}" ;;`);
+    arms.push(`      ${pattern}) CATEGORY="${category}" ;;`);
   }
   return arms.join("\n");
 }
 
+/**
+ * Build the inline Node.js identity extractor embedded in the hook script.
+ *
+ * Parses the hook's stdin JSON properly (the bash fallback's grep truncates
+ * string values at the first escaped quote) and emits four lines:
+ * tool_name, canonical category, identity token, and MCP name-token. The token
+ * encodings must stay byte-identical to grantToken() in approval-state.ts.
+ *
+ * Authored as a single-quoted bash string, so the JS must not contain single
+ * quotes. The category map and salient field list are baked from
+ * approval-policy.ts — the same source the runner uses — so the two sides can
+ * never disagree.
+ */
+function buildNodeIdentityScript(): string {
+  const categoryMap: Record<string, string> = {};
+  for (const [name, category] of getBuiltInGatedCategories()) {
+    categoryMap[name] = category;
+  }
+  const categories = JSON.stringify(categoryMap);
+  const fields = JSON.stringify(SALIENT_ARG_FIELDS);
+  return [
+    `const t=JSON.parse(require("fs").readFileSync(0,"utf8"));`,
+    `const name=typeof t.tool_name==="string"?t.tool_name:"";`,
+    `const cat=(${categories})[name]||"";`,
+    `const a=(t.tool_input&&typeof t.tool_input==="object")?t.tool_input:{};`,
+    `let s="";`,
+    `for(const f of ${fields}){const v=a[f];if(typeof v==="string"&&v){s=v;break;}}`,
+    `const b=(x)=>Buffer.from(x,"utf8").toString("base64");`,
+    `process.stdout.write(name+"\\n"+cat+"\\n"+b(cat+"\\n"+s)+"\\n"+b(name+"\\n"));`,
+  ].join("");
+}
+
 /**
  * Generates the bash hook script content.
  *
@@ -95,6 +135,7 @@ function buildCategoryCaseArms(): string {
 export function generateHookScript(stateFilePath: string, ledgerFilePath: string): string {
   const salientFields = SALIENT_ARG_FIELDS.join(" ");
   const categoryCaseArms = buildCategoryCaseArms();
+  const nodeIdentityScript = buildNodeIdentityScript();
   return `#!/bin/bash
 # Stigmer HITL approval hook for Cursor preToolUse
 # Generated by cursor-runner — do not edit manually.
@@ -108,15 +149,45 @@ set -euo pipefail
 
 INPUT=$(cat)
 
-# Extract tool_name from the hook input JSON. The hook receives PascalCase names
-# (Write/Shell/Delete/Read/...). Every extraction ends with '|| true': under
-# 'set -e' a non-matching grep would otherwise abort the script and emit no
-# decision.
-TOOL_NAME=$(echo "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 || true)
-
 STATE_FILE="${stateFilePath}"
 LEDGER_FILE="${ledgerFilePath}"
 
+# --- Canonical identity: tool_name / category / identity token / MCP token ---
+# Computed by the same Node.js binary that runs the cursor-runner (absolute path
+# baked at generation time) so JSON string values — file paths and especially
+# shell commands containing quotes, newlines, or unicode escapes — decode to the
+# exact bytes the runner sees in the stream event. ELECTRON_RUN_AS_NODE makes
+# the invocation safe when the runner is embedded in an Electron app (where
+# process.execPath is the Electron binary).
+NODE_BIN="${process.execPath}"
+IDENTITY=$(printf '%s' "$INPUT" | ELECTRON_RUN_AS_NODE=1 "$NODE_BIN" -e '${nodeIdentityScript}' 2>/dev/null || true)
+if [ -n "$IDENTITY" ]; then
+  TOOL_NAME=$(printf '%s\\n' "$IDENTITY" | sed -n 1p)
+  CATEGORY=$(printf '%s\\n' "$IDENTITY" | sed -n 2p)
+  TOKEN=$(printf '%s\\n' "$IDENTITY" | sed -n 3p)
+  MCP_TOKEN=$(printf '%s\\n' "$IDENTITY" | sed -n 4p)
+else
+  # Fallback when the Node binary cannot run: grep/cut extraction. Best-effort
+  # only — '"field":"[^"]*"' truncates at the first JSON-escaped quote, so the
+  # token may not match the runner's for values containing escapes. Gating still
+  # holds (deny goes out); only denial correlation and grant precision degrade.
+  # Every extraction ends with '|| true': under 'set -e' a non-matching grep
+  # would otherwise abort the script and emit no decision.
+  TOOL_NAME=$(echo "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4 || true)
+  SALIENT=""
+  for field in ${salientFields}; do
+    v=$(echo "$INPUT" | grep -o "\\"$field\\":\\"[^\\"]*\\"" | head -1 | cut -d'"' -f4 || true)
+    if [ -n "$v" ]; then SALIENT="$v"; break; fi
+  done
+  CATEGORY=""
+  case "$TOOL_NAME" in
+${categoryCaseArms}
+      *) CATEGORY="" ;;
+  esac
+  TOKEN=$(printf '%s\\n%s' "$CATEGORY" "$SALIENT" | base64 | tr -d '\\n')
+  MCP_TOKEN=$(printf '%s\\n' "$TOOL_NAME" | base64 | tr -d '\\n')
+fi
+
 # --- Failsafe: missing state file → deny (fail-closed) ---
 if [ ! -f "$STATE_FILE" ]; then
   echo '{"permission":"deny","agent_message":"${APPROVAL_REQUIRED_AGENT_MESSAGE}","user_message":"Tool requires approval: '"$TOOL_NAME"'"}'
@@ -131,22 +202,6 @@ if echo "$STATE" | grep -q '"autoApproveAll":true'; then
   exit 0
 fi
 
-# --- Salient resource value (file path / command), spanning both taxonomies'
-# arg field names (file_path here, path on the stream side). First match wins. ---
-SALIENT=""
-for field in ${salientFields}; do
-  v=$(echo "$INPUT" | grep -o "\\"$field\\":\\"[^\\"]*\\"" | head -1 | cut -d'"' -f4 || true)
-  if [ -n "$v" ]; then SALIENT="$v"; break; fi
-done
-
-# --- Canonical approval category for this hook tool_name (baked from
-# approval-policy.ts). Empty for non-gated tools. ---
-CATEGORY=""
-case "$TOOL_NAME" in
-${categoryCaseArms}
-    *) CATEGORY="" ;;
-esac
-
 # Append a denial record to the ledger. Best-effort: a ledger write failure must
 # never abort the decision (the deny still goes out on stdout). toolName is raw
 # for human-readable debugging; token drives correlation in the runner.
@@ -156,8 +211,6 @@ record_denial() {
 
 # --- 2. Gated built-in tools (category non-empty) ---
 if [ -n "$CATEGORY" ]; then
-  # Canonical identity token: base64("$CATEGORY\\n$SALIENT").
-  TOKEN=$(printf '%s\\n%s' "$CATEGORY" "$SALIENT" | base64 | tr -d '\\n')
   # Reinvocation grant: this exact resource was approved earlier → allow.
   if echo "$STATE" | grep -qF "\\"$TOKEN\\""; then
     echo '{"permission":"allow"}'
@@ -176,7 +229,6 @@ fi
 if echo "$STATE" | grep -q "\\"mcpToolPolicies\\"" && [ -n "$TOOL_NAME" ]; then
   TOOL_POLICY=$(echo "$STATE" | grep -o "\\"$TOOL_NAME\\":{[^}]*}" | head -1 || true)
   if [ -n "$TOOL_POLICY" ] && ! echo "$TOOL_POLICY" | grep -q '"requiresApproval":false'; then
-    MCP_TOKEN=$(printf '%s\\n' "$TOOL_NAME" | base64 | tr -d '\\n')
     if echo "$STATE" | grep -qF "\\"$MCP_TOKEN\\""; then
       echo '{"permission":"allow"}'
       exit 0

package/src/activities/execute-cursor/session-lifecycle.ts

@@ -93,6 +93,15 @@ export interface ResumeAgentOptions {
   apiKey: string;
   agentId: string;
   sessionId: string;
+  /**
+   * Workspace directories — same as {@link CreateAgentOptions.workspaceDirs}.
+   * NOT persisted across Agent.resume(): without an explicit cwd the SDK falls
+   * back to process.cwd(), which both mis-roots the resumed agent and loads
+   * the "project" setting source (and therefore the HITL approval hook in
+   * .cursor/hooks.json) from the wrong directory — silently disabling the
+   * approval gate on every resumed turn.
+   */
+  workspaceDirs: string[];
   /** Durable workspace volume root; the SDK state store lives under it. */
   workspaceRootDir: string;
   model?: string;
@@ -244,6 +253,10 @@ export async function createAgent(options: CreateAgentOptions): Promise<SDKAgent
  * propagate or fall back to a fresh agent with continuation context.
  */
 export async function resumeAgent(options: ResumeAgentOptions): Promise<SDKAgent> {
+  const cwd = options.workspaceDirs.length === 1
+    ? options.workspaceDirs[0]
+    : options.workspaceDirs;
+
   const platform = resolvePlatformOptions(options.sessionId, options.workspaceRootDir);
   console.log(
     `resumeAgent: agentId=${options.agentId}, sessionId=${options.sessionId}, ` +
@@ -254,9 +267,13 @@ export async function resumeAgent(options: ResumeAgentOptions): Promise<SDKAgent
   return Agent.resume(options.agentId, {
     apiKey: options.apiKey,
     model: options.model ? { id: options.model } : undefined,
-    // settingSources are not persisted across resume, so the "project" source
-    // (which loads the HITL approval hook) must be re-supplied every turn.
-    local: { settingSources: [...LOCAL_SETTING_SOURCES] },
+    // Neither cwd nor settingSources survive Agent.resume(); both must be
+    // re-supplied every turn. Omitting cwd makes the SDK fall back to
+    // process.cwd(), which re-roots the agent in the runner's own working
+    // directory and loads the "project" setting source — the .cursor/hooks.json
+    // carrying the HITL approval hook — from that wrong directory, silently
+    // disabling the approval gate on every resumed turn.
+    local: { cwd, settingSources: [...LOCAL_SETTING_SOURCES] },
     mcpServers: options.mcpServers as Record<string, any>,
     agents: options.agents,
     platform,
@@ -355,6 +372,7 @@ export async function resolveAgent(
             apiKey: options.apiKey,
             agentId: harnessStateId,
             sessionId: (options as CreateAgentOptions).sessionId,
+            workspaceDirs: (options as CreateAgentOptions).workspaceDirs,
             workspaceRootDir: (options as CreateAgentOptions).workspaceRootDir,
             model: options.model,
             mcpServers: options.mcpServers,