@wangzhizhi/remi 0.0.1-alpha

package/node_modules/@remi/tools/dist/index.js

@@ -0,0 +1,3875 @@
+import { autoReviewToolPermission, evaluateToolPermission, summarizeToolInput, } from '@remi/permissions';
+import { spawn } from 'node:child_process';
+import { mkdir, readdir, readFile, realpath, rmdir, stat, unlink, writeFile } from 'node:fs/promises';
+import { homedir } from 'node:os';
+import { basename, dirname, isAbsolute, join, relative, resolve, sep } from 'node:path';
+export const toolsPackageName = '@remi/tools';
+export function createToolRegistry(tools = []) {
+    const byName = new Map();
+    const registry = {
+        register(tool) {
+            validateToolDefinition(tool);
+            if (byName.has(tool.name)) {
+                throw new Error(`Tool already registered: ${tool.name}`);
+            }
+            byName.set(tool.name, tool);
+            return registry;
+        },
+        get(name) {
+            return byName.get(name);
+        },
+        require(name) {
+            const tool = byName.get(name);
+            if (!tool) {
+                throw new Error(`Unknown tool: ${name}`);
+            }
+            return tool;
+        },
+        list() {
+            return [...byName.values()];
+        },
+        toJSONSchemas() {
+            return Object.fromEntries([...byName.values()].map(tool => [tool.name, toolInputSchemaToJsonSchema(tool.inputSchema)]));
+        },
+    };
+    for (const tool of tools) {
+        registry.register(tool);
+    }
+    return registry;
+}
+export function toolInputSchemaToJsonSchema(schema) {
+    return {
+        type: schema.type,
+        ...(schema.description ? { description: schema.description } : {}),
+        properties: Object.fromEntries(Object.entries(schema.properties).map(([name, property]) => [name, toolSchemaPropertyToJsonSchema(property)])),
+        ...(schema.required ? { required: schema.required } : {}),
+        additionalProperties: schema.additionalProperties ?? false,
+    };
+}
+export function toolOutputSchemaToJsonSchema(schema) {
+    return toolInputSchemaToJsonSchema(schema);
+}
+export function commandCandidatesForCapability(capabilityId, platform, options = {}) {
+    const candidate = (command, risk, extra = {}) => ({
+        capabilityId,
+        platform,
+        command,
+        risk,
+        requiresApproval: risk !== 'read-only',
+        ...extra,
+    });
+    if (capabilityId === 'network.ip') {
+        if (platform === 'win32') {
+            return [candidate('ipconfig /all', 'read-only')];
+        }
+        if (platform === 'linux') {
+            return [
+                candidate('ip addr show', 'read-only'),
+                candidate('ifconfig -a', 'read-only'),
+                candidate('hostname -I', 'read-only'),
+            ];
+        }
+        return [candidate('ifconfig -a', 'read-only')];
+    }
+    if (capabilityId === 'network.mac') {
+        if (platform === 'win32') {
+            return [
+                candidate('getmac /v /fo csv', 'read-only'),
+                candidate('ipconfig /all', 'read-only'),
+            ];
+        }
+        if (platform === 'linux') {
+            return [
+                candidate('ip link', 'read-only'),
+                candidate('ifconfig -a', 'read-only'),
+            ];
+        }
+        return [candidate('ifconfig -a', 'read-only')];
+    }
+    if (capabilityId === 'network.ports') {
+        const port = normalizedPort(options.port);
+        const portSpecific = port ? `lsof -i :${port} -P -n` : 'lsof -i -P -n';
+        if (platform === 'win32') {
+            return [candidate('netstat -ano', 'read-only')];
+        }
+        if (platform === 'linux') {
+            return [
+                candidate(portSpecific, 'read-only', port ? { target: String(port) } : {}),
+                candidate('ss -ltn', 'read-only'),
+                candidate('netstat -an', 'read-only'),
+            ];
+        }
+        return [
+            candidate(portSpecific, 'read-only', port ? { target: String(port) } : {}),
+            candidate('netstat -an', 'read-only'),
+        ];
+    }
+    if (capabilityId === 'logs.search') {
+        const pattern = options.pattern?.trim();
+        const path = options.path?.trim() || '.';
+        if (!pattern) {
+            return [];
+        }
+        return [
+            candidate(`rg -n ${quoteCommandArg(pattern)} ${quoteCommandArg(path)}`, 'read-only', { target: path }),
+            candidate(`grep -n ${quoteCommandArg(pattern)} ${quoteCommandArg(path)}`, 'read-only', { target: path }),
+        ];
+    }
+    if (capabilityId === 'download.url') {
+        const url = safeCapabilityUrl(options.url);
+        if (!url) {
+            return [];
+        }
+        return [
+            candidate(`curl -L ${quoteCommandArg(url)}`, 'network', { target: url }),
+            candidate(`wget -O - ${quoteCommandArg(url)}`, 'network', { target: url }),
+        ];
+    }
+    const installTarget = safeCapabilityToken(options.packageName) ?? safeCapabilityToken(options.toolName);
+    if (capabilityId === 'tool.install' && installTarget) {
+        if (platform === 'darwin') {
+            return [candidate(`brew install ${quoteCommandArg(installTarget)}`, 'install', { packageManager: 'brew', target: installTarget })];
+        }
+        if (platform === 'linux') {
+            return [
+                candidate(`apt install ${quoteCommandArg(installTarget)}`, 'admin', { packageManager: 'apt', target: installTarget, requiresAdmin: true }),
+                candidate(`apt-get install ${quoteCommandArg(installTarget)}`, 'admin', { packageManager: 'apt-get', target: installTarget, requiresAdmin: true }),
+            ];
+        }
+        return [
+            candidate(`winget install ${quoteCommandArg(installTarget)}`, 'install', { packageManager: 'winget', target: installTarget }),
+            candidate(`scoop install ${quoteCommandArg(installTarget)}`, 'install', { packageManager: 'scoop', target: installTarget }),
+            candidate(`choco install ${quoteCommandArg(installTarget)}`, 'admin', { packageManager: 'choco', target: installTarget, requiresAdmin: true }),
+        ];
+    }
+    return [];
+}
+export function normalizeCommandProbeResult(input) {
+    if (input.permissionStatus === 'deny' || input.errorCode === 'COMMAND_DENIED' || input.errorCode === 'PERMISSION_DENIED' || input.errorCode === 'PERMISSION_REQUIRED') {
+        return 'denied';
+    }
+    if (input.exitCode === 0) {
+        return 'available';
+    }
+    const stderr = input.stderr?.toLowerCase() ?? '';
+    if (input.exitCode === 127 ||
+        stderr.includes('command not found') ||
+        stderr.includes('not recognized as an internal or external command') ||
+        stderr.includes('no such file or directory')) {
+        return 'missing';
+    }
+    return 'failed';
+}
+function normalizedPort(port) {
+    return typeof port === 'number' && Number.isSafeInteger(port) && port >= 1 && port <= 65_535 ? port : undefined;
+}
+function safeCapabilityToken(value) {
+    const trimmed = value?.trim();
+    if (!trimmed || trimmed.length > 120) {
+        return undefined;
+    }
+    return /^[A-Za-z0-9@][A-Za-z0-9._+:/@-]*$/.test(trimmed) ? trimmed : undefined;
+}
+function safeCapabilityUrl(value) {
+    const trimmed = value?.trim();
+    if (!trimmed || /[\s\r\n]/.test(trimmed)) {
+        return undefined;
+    }
+    try {
+        const url = new URL(trimmed);
+        return url.protocol === 'https:' || url.protocol === 'http:' ? url.toString() : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+function toolSchemaPropertyToJsonSchema(property) {
+    return {
+        type: property.type,
+        description: property.description,
+        ...(property.enum ? { enum: property.enum } : {}),
+        ...(property.items ? { items: toolSchemaPropertyToJsonSchema(property.items) } : {}),
+        ...(property.properties
+            ? {
+                properties: Object.fromEntries(Object.entries(property.properties).map(([name, nested]) => [name, toolSchemaPropertyToJsonSchema(nested)])),
+            }
+            : {}),
+        ...(property.required ? { required: property.required } : {}),
+        ...(property.additionalProperties !== undefined ? { additionalProperties: property.additionalProperties } : {}),
+    };
+}
+function validateToolDefinition(tool) {
+    if (!/^[a-z][a-z0-9_]*$/.test(tool.name)) {
+        throw new Error(`Invalid tool name: ${tool.name}`);
+    }
+    if (tool.description.trim().length === 0) {
+        throw new Error(`Tool ${tool.name} must include a description`);
+    }
+    if (!Number.isSafeInteger(tool.outputLimit.maxBytes) || tool.outputLimit.maxBytes <= 0) {
+        throw new Error(`Tool ${tool.name} must define a positive outputLimit.maxBytes`);
+    }
+    if (tool.permissionPolicy.reason.trim().length === 0) {
+        throw new Error(`Tool ${tool.name} must explain its permission policy`);
+    }
+    if (tool.outputSchema.type !== 'object') {
+        throw new Error(`Tool ${tool.name} must define an object outputSchema`);
+    }
+}
+const readonlyPermissionPolicy = {
+    mode: 'ask',
+    requirements: ['filesystem-read'],
+    reason: 'Reads local filesystem content. Requires read-only permission mode or explicit approval before execution.',
+};
+const readonlyCommandPermissionPolicy = {
+    mode: 'ask',
+    requirements: ['shell-exec', 'filesystem-read'],
+    reason: 'Executes a conservative allowlist of read-only local inspection commands. Requires read-only permission mode or explicit approval.',
+};
+const executeShellPermissionPolicy = {
+    mode: 'ask',
+    requirements: ['shell-exec'],
+    reason: 'Executes local shell-style commands without using a general shell. Requires explicit approval unless full access or a narrow saved rule applies.',
+};
+const agentStatePermissionPolicy = {
+    mode: 'allow',
+    requirements: ['agent-state'],
+    reason: 'Updates Remi task state only. Does not read or modify the filesystem.',
+};
+const readOnlyCommandAllowlistDescription = 'Allowed: pwd and safe read-only forms of common local inspection commands such as ls, cat, head, tail, wc, file, stat, du, df, grep, find, rg, ps, uname, date, whoami, id, which/where, sort, uniq, cut, nl, diff, cmp, comm, strings, hexdump, od, xxd, basename, dirname, realpath, readlink, tar list, uptime, hostname, ifconfig, ip, ipconfig, getmac, netstat, ss, lsof, arp, and read-only git subcommands. ' +
+    'Not allowed: cd, go/go run/go test/go mod, npm, pnpm, node, python, bash, sh, package managers, interpreters, build/test commands, write commands, curl/wget downloads, pipes, redirects, chained commands, backgrounding, command substitution, or dangerous flags.';
+const writePermissionPolicy = {
+    mode: 'ask',
+    requirements: ['filesystem-write'],
+    reason: 'Writes local filesystem content. Requires auto permission mode or explicit approval before execution.',
+};
+const deletePermissionPolicy = {
+    mode: 'ask',
+    requirements: ['filesystem-write'],
+    reason: 'Deletes a local file. Requires explicit approval unless full-access is enabled.',
+};
+const pathProperty = {
+    type: 'string',
+    description: 'Path relative to the current working directory. Absolute paths are rejected by the future executor unless explicitly approved.',
+};
+const maxBytesProperty = {
+    type: 'integer',
+    description: 'Maximum bytes to return before truncation. The executor will clamp this to the tool output limit.',
+};
+export const readFileTool = {
+    name: 'read_file',
+    description: 'Read UTF-8 text from a local file without modifying it.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            path: pathProperty,
+            startLine: { type: 'integer', description: 'Optional 1-based first line to include.' },
+            endLine: { type: 'integer', description: 'Optional 1-based last line to include.' },
+            maxBytes: maxBytesProperty,
+        },
+        required: ['path'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            path: { type: 'string', description: 'Normalized path that was read.' },
+            content: { type: 'string', description: 'UTF-8 file content or requested line range.' },
+            bytes: { type: 'integer', description: 'Number of bytes returned.' },
+            truncated: { type: 'boolean', description: 'Whether content was truncated by output limits.' },
+        },
+        required: ['path', 'content', 'bytes', 'truncated'],
+        additionalProperties: false,
+    },
+    riskLevel: 'read',
+    permissionPolicy: readonlyPermissionPolicy,
+    outputLimit: { maxBytes: 128 * 1024, truncate: 'tail' },
+};
+export const listFilesTool = {
+    name: 'list_files',
+    description: 'List files and directories under a local project path without reading file contents.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            path: pathProperty,
+            recursive: { type: 'boolean', description: 'Whether to recursively traverse child directories.' },
+            includeHidden: { type: 'boolean', description: 'Whether to include dotfiles and hidden directories.' },
+            maxEntries: { type: 'integer', description: 'Maximum number of entries to return.' },
+        },
+        required: ['path'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            path: { type: 'string', description: 'Normalized listed path.' },
+            entries: {
+                type: 'array',
+                description: 'Directory entries.',
+                items: {
+                    type: 'object',
+                    description: 'A single file or directory entry.',
+                    properties: {
+                        path: { type: 'string', description: 'Entry path relative to cwd.' },
+                        type: { type: 'string', description: 'Entry kind.', enum: ['file', 'directory', 'symlink', 'other'] },
+                        sizeBytes: { type: 'integer', description: 'File size in bytes when available.' },
+                    },
+                    required: ['path', 'type'],
+                    additionalProperties: false,
+                },
+            },
+            truncated: { type: 'boolean', description: 'Whether entries were truncated by maxEntries or output limits.' },
+        },
+        required: ['path', 'entries', 'truncated'],
+        additionalProperties: false,
+    },
+    riskLevel: 'read',
+    permissionPolicy: readonlyPermissionPolicy,
+    outputLimit: { maxBytes: 64 * 1024, truncate: 'tail' },
+};
+export const searchTextTool = {
+    name: 'search_text',
+    description: 'Search inside local project file contents without modifying them. Do not use for file names, extensions, or glob/path patterns.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            query: { type: 'string', description: 'Plain text or regex content query, depending on isRegex. Not a file name, wildcard, extension, or path glob.' },
+            path: pathProperty,
+            includeGlob: { type: 'string', description: 'Optional glob pattern limiting searched files.' },
+            isRegex: { type: 'boolean', description: 'Whether query should be treated as a regular expression.' },
+            caseSensitive: { type: 'boolean', description: 'Whether matching is case-sensitive.' },
+            maxResults: { type: 'integer', description: 'Maximum number of matches to return.' },
+        },
+        required: ['query'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            matches: {
+                type: 'array',
+                description: 'Text search matches.',
+                items: {
+                    type: 'object',
+                    description: 'A single match.',
+                    properties: {
+                        path: { type: 'string', description: 'Matched file path relative to cwd.' },
+                        line: { type: 'integer', description: '1-based line number.' },
+                        column: { type: 'integer', description: '1-based column number.' },
+                        text: { type: 'string', description: 'Matching line preview.' },
+                    },
+                    required: ['path', 'line', 'column', 'text'],
+                    additionalProperties: false,
+                },
+            },
+            truncated: { type: 'boolean', description: 'Whether matches were truncated by maxResults or output limits.' },
+        },
+        required: ['matches', 'truncated'],
+        additionalProperties: false,
+    },
+    riskLevel: 'read',
+    permissionPolicy: readonlyPermissionPolicy,
+    outputLimit: { maxBytes: 128 * 1024, truncate: 'tail' },
+};
+export const globTool = {
+    name: 'glob',
+    description: 'Find local project paths that match a glob pattern without reading file contents.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            pattern: { type: 'string', description: 'Glob pattern to match file or directory paths relative to cwd, such as **/*.ts, *.go, go.*, or **/main.go.' },
+            path: pathProperty,
+            includeHidden: { type: 'boolean', description: 'Whether to include dotfiles and hidden directories.' },
+            maxResults: { type: 'integer', description: 'Maximum number of paths to return.' },
+        },
+        required: ['pattern'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            matches: {
+                type: 'array',
+                description: 'Matched paths relative to cwd.',
+                items: { type: 'string', description: 'Matched path.' },
+            },
+            truncated: { type: 'boolean', description: 'Whether matches were truncated by maxResults or output limits.' },
+        },
+        required: ['matches', 'truncated'],
+        additionalProperties: false,
+    },
+    riskLevel: 'read',
+    permissionPolicy: readonlyPermissionPolicy,
+    outputLimit: { maxBytes: 64 * 1024, truncate: 'tail' },
+};
+export const todoWriteTool = {
+    name: 'todo_write',
+    description: 'Create or update the visible plan checklist for the current task. Send the complete current list each time.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            items: {
+                type: 'array',
+                description: 'Complete current plan items in display order.',
+                items: {
+                    type: 'object',
+                    description: 'One plan item.',
+                    properties: {
+                        id: { type: 'string', description: 'Optional stable item id.' },
+                        content: { type: 'string', description: 'Short user-visible plan item text.' },
+                        status: { type: 'string', description: 'Current item status.', enum: ['pending', 'in_progress', 'completed'] },
+                    },
+                    required: ['content', 'status'],
+                    additionalProperties: false,
+                },
+            },
+        },
+        required: ['items'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            items: {
+                type: 'array',
+                description: 'Normalized plan items.',
+                items: {
+                    type: 'object',
+                    description: 'One normalized plan item.',
+                    properties: {
+                        id: { type: 'string', description: 'Stable item id when provided.' },
+                        content: { type: 'string', description: 'Plan item text.' },
+                        status: { type: 'string', description: 'Current item status.', enum: ['pending', 'in_progress', 'completed'] },
+                    },
+                    required: ['content', 'status'],
+                    additionalProperties: false,
+                },
+            },
+        },
+        required: ['items'],
+        additionalProperties: false,
+    },
+    riskLevel: 'read',
+    permissionPolicy: agentStatePermissionPolicy,
+    outputLimit: { maxBytes: 32 * 1024, truncate: 'tail' },
+};
+export const createDirectoryTool = {
+    name: 'create_directory',
+    description: 'Create a local directory. Does not write file contents.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            path: pathProperty,
+            recursive: { type: 'boolean', description: 'Whether to create missing parent directories. Defaults to true.' },
+        },
+        required: ['path'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            path: { type: 'string', description: 'Normalized created path.' },
+            created: { type: 'boolean', description: 'Whether the directory did not exist before this call.' },
+        },
+        required: ['path', 'created'],
+        additionalProperties: false,
+    },
+    riskLevel: 'write',
+    permissionPolicy: writePermissionPolicy,
+    outputLimit: { maxBytes: 16 * 1024, truncate: 'tail' },
+};
+export const writeFileTool = {
+    name: 'write_file',
+    description: 'Write UTF-8 text to a local file. Refuses to overwrite existing files unless overwrite is true and the file was read first.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            path: pathProperty,
+            content: { type: 'string', description: 'UTF-8 text content to write.' },
+            overwrite: { type: 'boolean', description: 'Whether to overwrite an existing file. Defaults to false.' },
+            createDirectories: { type: 'boolean', description: 'Whether to create missing parent directories. Defaults to true.' },
+        },
+        required: ['path', 'content'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            path: { type: 'string', description: 'Normalized written path.' },
+            bytes: { type: 'integer', description: 'Number of bytes written.' },
+            created: { type: 'boolean', description: 'Whether this call created a new file.' },
+            overwritten: { type: 'boolean', description: 'Whether this call overwrote an existing file.' },
+            addedLines: { type: 'integer', description: 'Number of added lines in the write diff.' },
+            removedLines: { type: 'integer', description: 'Number of removed lines in the write diff.' },
+            diffPreview: { type: 'string', description: 'A bounded unified-style diff preview for user display.' },
+        },
+        required: ['path', 'bytes', 'created', 'overwritten'],
+        additionalProperties: false,
+    },
+    riskLevel: 'write',
+    permissionPolicy: writePermissionPolicy,
+    outputLimit: { maxBytes: 16 * 1024, truncate: 'tail' },
+};
+export const editFileTool = {
+    name: 'edit_file',
+    description: 'Modify an existing UTF-8 text file by exact string replacement. Requires a prior full read_file result for the same file.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            path: pathProperty,
+            oldString: { type: 'string', description: 'Exact existing text to replace. Must match the current file content.' },
+            newString: { type: 'string', description: 'Replacement text.' },
+            replaceAll: { type: 'boolean', description: 'Whether to replace every occurrence. Defaults to false and requires a unique match.' },
+        },
+        required: ['path', 'oldString', 'newString'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            path: { type: 'string', description: 'Normalized edited path.' },
+            bytes: { type: 'integer', description: 'Number of bytes written after the edit.' },
+            addedLines: { type: 'integer', description: 'Number of added lines in the edit diff.' },
+            removedLines: { type: 'integer', description: 'Number of removed lines in the edit diff.' },
+            diffPreview: { type: 'string', description: 'A bounded unified-style diff preview for user display.' },
+        },
+        required: ['path', 'bytes', 'addedLines', 'removedLines', 'diffPreview'],
+        additionalProperties: false,
+    },
+    riskLevel: 'write',
+    permissionPolicy: writePermissionPolicy,
+    outputLimit: { maxBytes: 16 * 1024, truncate: 'tail' },
+};
+export const deleteFileTool = {
+    name: 'delete_file',
+    description: 'Delete one local file after permission review. Does not delete directories; use this instead of rm for user-requested file deletion.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            path: pathProperty,
+        },
+        required: ['path'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            path: { type: 'string', description: 'Normalized deleted path.' },
+            deleted: { type: 'boolean', description: 'Whether the file was deleted.' },
+            bytes: { type: 'integer', description: 'Number of bytes deleted.' },
+            addedLines: { type: 'integer', description: 'Number of added lines in the deletion diff. Always 0 for a deleted file.' },
+            removedLines: { type: 'integer', description: 'Number of removed lines in the deletion diff.' },
+            diffPreview: { type: 'string', description: 'A bounded diff preview for user display.' },
+        },
+        required: ['path', 'deleted', 'bytes', 'addedLines', 'removedLines', 'diffPreview'],
+        additionalProperties: false,
+    },
+    riskLevel: 'write',
+    permissionPolicy: deletePermissionPolicy,
+    outputLimit: { maxBytes: 16 * 1024, truncate: 'tail' },
+};
+export const deleteDirectoryTool = {
+    name: 'delete_directory',
+    description: 'Delete one empty local directory after permission review. Refuses non-empty directories and files; use this instead of rmdir for user-requested empty directory deletion.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            path: pathProperty,
+        },
+        required: ['path'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            path: { type: 'string', description: 'Normalized deleted directory path.' },
+            deleted: { type: 'boolean', description: 'Whether the empty directory was deleted.' },
+        },
+        required: ['path', 'deleted'],
+        additionalProperties: false,
+    },
+    riskLevel: 'write',
+    permissionPolicy: deletePermissionPolicy,
+    outputLimit: { maxBytes: 16 * 1024, truncate: 'tail' },
+};
+export const runCommandTool = {
+    name: 'run_command',
+    description: `Run one conservative read-only local inspection command without a shell. ${readOnlyCommandAllowlistDescription}`,
+    inputSchema: {
+        type: 'object',
+        description: readOnlyCommandAllowlistDescription,
+        properties: {
+            command: {
+                type: 'string',
+                description: `A simple allowlisted command line. ${readOnlyCommandAllowlistDescription}`,
+            },
+            timeoutMs: { type: 'integer', description: 'Optional timeout in milliseconds. Clamped to a safe maximum.' },
+            maxBytes: maxBytesProperty,
+        },
+        required: ['command'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            command: { type: 'string', description: 'Command that was executed.' },
+            exitCode: { type: 'integer', description: 'Process exit code, or -1 when terminated by timeout or abort.' },
+            stdout: { type: 'string', description: 'Captured standard output.' },
+            stderr: { type: 'string', description: 'Captured standard error.' },
+            bytes: { type: 'integer', description: 'Total captured output bytes.' },
+            timedOut: { type: 'boolean', description: 'Whether execution was terminated by timeout.' },
+            truncated: { type: 'boolean', description: 'Whether output was truncated by output limits.' },
+        },
+        required: ['command', 'exitCode', 'stdout', 'stderr', 'bytes', 'timedOut', 'truncated'],
+        additionalProperties: false,
+    },
+    riskLevel: 'execute',
+    permissionPolicy: readonlyCommandPermissionPolicy,
+    outputLimit: { maxBytes: 128 * 1024, truncate: 'tail' },
+};
+export const executeShellTool = {
+    name: 'execute_shell',
+    description: 'Run a local validation/build, install/download, or side-effect command after permission review. Supports simple commands, safe cd segments, and sequential && or ; segments, executed without a general shell. Use this for go test, pnpm test, build, package managers, curl/wget downloads, sed/cp/mv/rm/rmdir/sh, scripts, and other execution commands that are outside read-only run_command.',
+    inputSchema: {
+        type: 'object',
+        properties: {
+            command: {
+                type: 'string',
+                description: 'Command to execute after approval. Supported syntax is simple argv, safe cd segments, plus && or ; sequencing. Pipes, redirects, backgrounding, command substitution, environment assignments, and shell glob expansion are rejected.',
+            },
+            cwd: { type: 'string', description: 'Optional working directory for the command. Must resolve inside allowed read roots.' },
+            timeoutMs: { type: 'integer', description: 'Optional timeout in milliseconds. Clamped to a safe maximum.' },
+            maxBytes: maxBytesProperty,
+        },
+        required: ['command'],
+        additionalProperties: false,
+    },
+    outputSchema: {
+        type: 'object',
+        properties: {
+            command: { type: 'string', description: 'Original command line.' },
+            cwd: { type: 'string', description: 'Working directory where the command ran.' },
+            exitCode: { type: 'integer', description: 'Final process exit code, or -1 when terminated by timeout or abort.' },
+            stdout: { type: 'string', description: 'Combined captured standard output.' },
+            stderr: { type: 'string', description: 'Combined captured standard error.' },
+            bytes: { type: 'integer', description: 'Total captured output bytes.' },
+            timedOut: { type: 'boolean', description: 'Whether any segment was terminated by timeout.' },
+            truncated: { type: 'boolean', description: 'Whether output was truncated by output limits.' },
+            segments: {
+                type: 'array',
+                description: 'Executed command segments.',
+                items: {
+                    type: 'object',
+                    description: 'One command segment result.',
+                    properties: {
+                        command: { type: 'string', description: 'Segment command.' },
+                        exitCode: { type: 'integer', description: 'Segment exit code.' },
+                        stdout: { type: 'string', description: 'Segment stdout.' },
+                        stderr: { type: 'string', description: 'Segment stderr.' },
+                        timedOut: { type: 'boolean', description: 'Whether the segment timed out.' },
+                    },
+                    required: ['command', 'exitCode', 'stdout', 'stderr', 'timedOut'],
+                    additionalProperties: false,
+                },
+            },
+        },
+        required: ['command', 'cwd', 'exitCode', 'stdout', 'stderr', 'bytes', 'timedOut', 'truncated', 'segments'],
+        additionalProperties: false,
+    },
+    riskLevel: 'execute',
+    permissionPolicy: executeShellPermissionPolicy,
+    outputLimit: { maxBytes: 128 * 1024, truncate: 'tail' },
+};
+export const readOnlyTools = [readFileTool, listFilesTool, searchTextTool, globTool, runCommandTool];
+export const builtInTools = [
+    readFileTool,
+    listFilesTool,
+    searchTextTool,
+    globTool,
+    todoWriteTool,
+    createDirectoryTool,
+    editFileTool,
+    writeFileTool,
+    deleteFileTool,
+    deleteDirectoryTool,
+    runCommandTool,
+    executeShellTool,
+];
+export function createReadOnlyToolRegistry() {
+    return createToolRegistry([...readOnlyTools]);
+}
+export function createBuiltInToolRegistry() {
+    return createToolRegistry([...builtInTools]);
+}
+export function createReadOnlyDryRunExecutor(registry = createReadOnlyToolRegistry(), evaluatePermission = evaluateToolPermission) {
+    return {
+        async execute(request) {
+            const tool = registry.get(request.call.toolName);
+            if (!tool) {
+                const decision = {
+                    status: 'deny',
+                    reason: `Unknown tool: ${request.call.toolName}`,
+                    requirements: [],
+                };
+                const result = {
+                    ok: false,
+                    callId: request.call.id,
+                    toolName: request.call.toolName,
+                    error: {
+                        code: 'UNKNOWN_TOOL',
+                        message: decision.reason,
+                    },
+                };
+                return {
+                    dryRun: true,
+                    callId: request.call.id,
+                    toolName: request.call.toolName,
+                    permissionDecision: decision,
+                    transcriptEvents: [toolResultTranscriptEvent(result)],
+                    result,
+                };
+            }
+            const permissionRequest = createToolPermissionRequest(tool, request.call, request.context);
+            const permissionDecision = evaluatePermission(permissionRequest);
+            const result = dryRunResult(tool, request.call, permissionDecision);
+            return {
+                dryRun: true,
+                callId: request.call.id,
+                toolName: request.call.toolName,
+                permissionRequest,
+                permissionDecision,
+                transcriptEvents: [
+                    {
+                        type: 'tool_call',
+                        callId: request.call.id,
+                        toolName: request.call.toolName,
+                        input: request.call.input,
+                        riskLevel: tool.riskLevel,
+                        permissionPolicy: tool.permissionPolicy,
+                        status: permissionDecision.status === 'deny' ? 'denied' : permissionDecision.status === 'ask' ? 'pending-permission' : 'dry-run',
+                    },
+                    toolResultTranscriptEvent(result),
+                ],
+                result,
+            };
+        },
+    };
+}
+export function createReadOnlyFileSystemExecutor(registry = createReadOnlyToolRegistry(), evaluatePermission = evaluateToolPermission) {
+    return createLocalToolExecutor(registry, evaluatePermission);
+}
+export function createLocalToolExecutor(registry = createBuiltInToolRegistry(), evaluatePermission = evaluateToolPermission) {
+    return {
+        async execute(request) {
+            const tool = registry.get(request.call.toolName);
+            if (!tool) {
+                return unknownToolOutcome(request);
+            }
+            const permissionRequest = createToolPermissionRequest(tool, request.call, request.context);
+            const initialDecision = evaluatePermission(permissionRequest);
+            let permissionDecision = await applyLocalPermissionMode(tool, permissionRequest, request.call, request.context, initialDecision);
+            if (permissionDecision.status === 'ask' && request.context.permissionProfile === 'auto-review') {
+                permissionDecision = autoReviewToolPermission(permissionRequest) ?? permissionDecision;
+            }
+            if (permissionDecision.status === 'ask' && commandPermissionRulesAllow(permissionRequest, request.context.permissionRules ?? [])) {
+                permissionDecision = {
+                    status: 'allow',
+                    reason: 'A saved command-prefix permission rule allows this request.',
+                    requirements: permissionDecision.requirements,
+                };
+            }
+            if (permissionDecision.status === 'ask' && await filesystemPermissionRulesAllow(request.call, request.context, request.context.permissionRules ?? [])) {
+                permissionDecision = {
+                    status: 'allow',
+                    reason: 'A saved filesystem directory permission rule allows this request.',
+                    requirements: permissionDecision.requirements,
+                };
+            }
+            if (permissionDecision.status === 'ask' && request.context.requestPermission) {
+                try {
+                    permissionDecision = await request.context.requestPermission(permissionRequest, permissionDecision);
+                }
+                catch (error) {
+                    permissionDecision = {
+                        status: 'deny',
+                        reason: error instanceof Error ? error.message : 'Permission request was rejected.',
+                        requirements: permissionDecision.requirements,
+                    };
+                }
+            }
+            const callEvent = {
+                type: 'tool_call',
+                callId: request.call.id,
+                toolName: request.call.toolName,
+                input: request.call.input,
+                riskLevel: tool.riskLevel,
+                permissionPolicy: tool.permissionPolicy,
+                status: permissionDecision.status === 'deny' ? 'denied' : 'running',
+            };
+            if (permissionDecision.status !== 'allow') {
+                const result = {
+                    ok: false,
+                    callId: request.call.id,
+                    toolName: tool.name,
+                    error: {
+                        code: deniedToolErrorCode(tool.name, permissionDecision),
+                        message: permissionDecision.reason,
+                    },
+                };
+                return {
+                    dryRun: false,
+                    callId: request.call.id,
+                    toolName: tool.name,
+                    permissionRequest,
+                    permissionDecision,
+                    transcriptEvents: [{ ...callEvent, status: 'denied' }, toolResultTranscriptEvent(result)],
+                    result,
+                };
+            }
+            const result = await executeLocalTool(tool.name, await requestWithApprovedWriteScope(request, permissionDecision));
+            return {
+                dryRun: false,
+                callId: request.call.id,
+                toolName: tool.name,
+                permissionRequest,
+                permissionDecision,
+                transcriptEvents: [callEvent, toolResultTranscriptEvent(result)],
+                result,
+            };
+        },
+    };
+}
+function deniedToolErrorCode(toolName, decision) {
+    if (decision.status === 'ask') {
+        return 'PERMISSION_REQUIRED';
+    }
+    if ((toolName === 'run_command' || toolName === 'execute_shell') && isCommandPolicyDenial(decision.reason)) {
+        return 'COMMAND_DENIED';
+    }
+    return 'PERMISSION_DENIED';
+}
+function isCommandPolicyDenial(reason) {
+    return [
+        'Command must not be empty.',
+        'Command is too long.',
+        'Multi-line commands are not allowed.',
+        'Unclosed quote in command.',
+        'Shell command cannot end with an operator.',
+        'Shell command contains an empty segment.',
+        'Shell operators, redirects, backgrounding, and command substitution are not allowed.',
+        'Backgrounding is not supported by execute_shell.',
+        'Pipes are not supported by execute_shell.',
+        'Shell redirects are not supported by execute_shell.',
+        'Command substitution and shell variable expansion are not supported by execute_shell.',
+        'Environment variable assignments are not supported by execute_shell.',
+        'Command must be an allowlisted executable name, not a path.',
+        'Executable paths must be relative to the current workspace',
+        'Command is blocked by Remi safety policy:',
+        'Dangerous removal target is not allowed through execute_shell:',
+        'Command is not in the read-only allowlist:',
+        'Only read-only git subcommands are allowed',
+        'Executable path is outside supported relative workspace form:',
+        'cd supports at most one target directory in execute_shell.',
+        'cd - is not supported by execute_shell.',
+        'cd flags are not supported by execute_shell.',
+        'run_command requires a string command.',
+        'execute_shell requires a string command.',
+        'Flag is not allowed',
+        'Flag is not in the read-only allowlist',
+        'Flag value is not in the read-only allowlist',
+        'Argument is not in the read-only allowlist',
+        'Flag is blocked in read-only mode',
+        'Streaming flags are not allowed',
+        'read-only mode allows',
+        'Only tar list mode is allowed in read-only mode.',
+        'tar list mode must name an archive file with -f.',
+        'pwd does not accept arguments in read-only mode.',
+    ].some(pattern => reason.includes(pattern));
+}
+export function createToolPermissionRequest(tool, call, context) {
+    const command = buildToolPermissionCommand(tool.name, call.input, context);
+    const targetPath = permissionTargetPath(call.input);
+    const suggestedRules = buildFilesystemPermissionRules(tool.name, call.input, context);
+    return {
+        kind: 'tool',
+        toolName: tool.name,
+        riskLevel: tool.riskLevel,
+        policy: tool.permissionPolicy,
+        cwd: context.cwd,
+        sessionId: context.sessionId,
+        inputSummary: summarizeToolInput(call.input),
+        ...(targetPath ? { targetPath } : {}),
+        ...(command ? { command } : {}),
+        ...(suggestedRules.length > 0 ? { suggestedRules, canPersist: true } : {}),
+    };
+}
+function permissionTargetPath(input) {
+    const path = input['path'];
+    return typeof path === 'string' && path.trim().length > 0 ? path : undefined;
+}
+function dryRunResult(tool, call, decision) {
+    const summary = `Dry run only: ${tool.name} was not executed. Permission decision: ${decision.status}.`;
+    return {
+        ok: true,
+        callId: call.id,
+        toolName: tool.name,
+        output: JSON.stringify({
+            dryRun: true,
+            toolName: tool.name,
+            permissionDecision: decision.status,
+            message: summary,
+        }),
+        truncated: false,
+        bytes: Buffer.byteLength(summary, 'utf8'),
+    };
+}
+function toolResultTranscriptEvent(result) {
+    if (result.ok) {
+        return {
+            type: 'tool_result',
+            callId: result.callId,
+            toolName: result.toolName,
+            ok: true,
+            summary: result.output,
+            bytes: result.bytes,
+            truncated: result.truncated,
+        };
+    }
+    return {
+        type: 'tool_result',
+        callId: result.callId,
+        toolName: result.toolName,
+        ok: false,
+        summary: result.error.message,
+        errorCode: result.error.code,
+    };
+}
+function unknownToolOutcome(request) {
+    const decision = {
+        status: 'deny',
+        reason: `Unknown tool: ${request.call.toolName}`,
+        requirements: [],
+    };
+    const result = {
+        ok: false,
+        callId: request.call.id,
+        toolName: request.call.toolName,
+        error: {
+            code: 'UNKNOWN_TOOL',
+            message: decision.reason,
+        },
+    };
+    return {
+        dryRun: false,
+        callId: request.call.id,
+        toolName: request.call.toolName,
+        permissionDecision: decision,
+        transcriptEvents: [toolResultTranscriptEvent(result)],
+        result,
+    };
+}
+async function applyLocalPermissionMode(tool, permissionRequest, call, context, decision) {
+    const mode = context.permissionMode ?? 'ask';
+    if (tool.name === 'run_command') {
+        const validation = validateReadOnlyCommandInput(call.input);
+        if (!validation.ok) {
+            return {
+                status: 'deny',
+                reason: validation.reason,
+                requirements: tool.permissionPolicy.requirements,
+            };
+        }
+        if (decision.status === 'ask' && (mode === 'readonly' || mode === 'auto' || mode === 'bypass')) {
+            return {
+                status: 'allow',
+                reason: `${mode} permission mode allows validated read-only local inspection commands.`,
+                requirements: decision.requirements,
+            };
+        }
+    }
+    if (tool.name === 'execute_shell') {
+        const validation = validateExecuteShellInput(call.input, context.cwd);
+        if (!validation.ok) {
+            return {
+                status: 'deny',
+                reason: validation.reason,
+                requirements: tool.permissionPolicy.requirements,
+            };
+        }
+        if (decision.status === 'ask' && mode === 'bypass') {
+            return {
+                status: 'allow',
+                reason: 'full-access permission profile allows local command execution without prompting.',
+                requirements: decision.requirements,
+            };
+        }
+    }
+    if (tool.name === 'delete_file' || tool.name === 'delete_directory') {
+        const writeScope = await writableScopeForCall(call, context);
+        if (!writeScope.ok) {
+            return {
+                status: 'deny',
+                reason: writeScope.reason,
+                requirements: decision.requirements,
+            };
+        }
+        if (decision.status === 'ask' && mode === 'bypass') {
+            return {
+                status: 'allow',
+                reason: `full-access permission profile allows this ${tool.name === 'delete_file' ? 'file' : 'directory'} deletion without prompting.`,
+                requirements: decision.requirements,
+            };
+        }
+        return {
+            status: 'ask',
+            reason: `${tool.name === 'delete_file' ? 'Deleting a file' : 'Deleting an empty directory'} requires approval: ${writeScope.displayPath}`,
+            requirements: decision.requirements,
+        };
+    }
+    if (decision.status !== 'ask') {
+        return decision;
+    }
+    const isReadOnlyTool = tool.riskLevel === 'read' && tool.permissionPolicy.requirements.every(requirement => requirement === 'filesystem-read');
+    if (isReadOnlyTool && (mode === 'readonly' || mode === 'auto' || mode === 'bypass')) {
+        return {
+            status: 'allow',
+            reason: `${mode} permission mode allows read-only filesystem tools.`,
+            requirements: decision.requirements,
+        };
+    }
+    const isWriteTool = tool.riskLevel === 'write' && tool.permissionPolicy.requirements.every(requirement => requirement === 'filesystem-write');
+    if (isWriteTool && (mode === 'auto' || mode === 'bypass')) {
+        const writeScope = await writableScopeForCall(call, context);
+        if (!writeScope.ok) {
+            return {
+                status: 'deny',
+                reason: writeScope.reason,
+                requirements: decision.requirements,
+            };
+        }
+        if (writeScope.outsideAllowedRoots && mode !== 'bypass') {
+            return {
+                status: 'ask',
+                reason: `Writing outside the current workspace requires approval: ${writeScope.displayPath}`,
+                requirements: decision.requirements,
+            };
+        }
+        return {
+            status: 'allow',
+            reason: writeScope.outsideAllowedRoots
+                ? 'full-access permission profile allows this filesystem write without prompting.'
+                : `${mode} permission mode allows local filesystem writes inside the workspace.`,
+            requirements: decision.requirements,
+        };
+    }
+    return decision;
+}
+async function requestWithApprovedWriteScope(request, decision) {
+    if (decision.status !== 'allow') {
+        return request;
+    }
+    const writeScope = await writableScopeForCall(request.call, request.context);
+    if (!writeScope.ok || !writeScope.outsideAllowedRoots) {
+        return request;
+    }
+    return {
+        ...request,
+        context: {
+            ...request.context,
+            allowedWriteRoots: uniqueStrings([...(request.context.allowedWriteRoots ?? [request.context.cwd]), writeScope.approvalRoot]),
+        },
+    };
+}
+async function writableScopeForCall(call, context) {
+    const inputPath = writablePathInput(call);
+    if (inputPath === undefined) {
+        return { ok: true, outsideAllowedRoots: false, approvalRoot: context.cwd, displayPath: '.' };
+    }
+    if (inputPath.trim().length === 0) {
+        return { ok: false, reason: 'Path must not be empty.' };
+    }
+    const absolutePath = isAbsolute(inputPath) ? resolve(inputPath) : resolve(context.cwd, inputPath);
+    const normalizedPath = await normalizeWritablePath(absolutePath);
+    if (isSensitivePath(normalizedPath)) {
+        return { ok: false, reason: `Refusing to write sensitive path: ${displayPath(normalizedPath, context.cwd)}` };
+    }
+    const allowedRoots = await Promise.all((context.allowedWriteRoots?.length ? context.allowedWriteRoots : [context.cwd]).map(root => safeRealRoot(root)));
+    const outsideAllowedRoots = !allowedRoots.some(root => isPathInside(normalizedPath, root));
+    return {
+        ok: true,
+        outsideAllowedRoots,
+        approvalRoot: normalizedPath,
+        displayPath: displayPath(normalizedPath, await safeRealRoot(context.cwd)),
+    };
+}
+function writablePathInput(call) {
+    if (call.toolName !== 'create_directory' && call.toolName !== 'edit_file' && call.toolName !== 'write_file' && call.toolName !== 'delete_file' && call.toolName !== 'delete_directory') {
+        return undefined;
+    }
+    return typeof call.input['path'] === 'string' ? call.input['path'] : '';
+}
+function uniqueStrings(values) {
+    return Array.from(new Set(values));
+}
+async function executeLocalTool(toolName, request) {
+    try {
+        if (toolName === 'read_file') {
+            return await executeReadFile(request);
+        }
+        if (toolName === 'list_files') {
+            return await executeListFiles(request);
+        }
+        if (toolName === 'search_text') {
+            return await executeSearchText(request);
+        }
+        if (toolName === 'glob') {
+            return await executeGlob(request);
+        }
+        if (toolName === 'todo_write') {
+            return executeTodoWrite(request);
+        }
+        if (toolName === 'create_directory') {
+            return await executeCreateDirectory(request);
+        }
+        if (toolName === 'edit_file') {
+            return await executeEditFile(request);
+        }
+        if (toolName === 'write_file') {
+            return await executeWriteFile(request);
+        }
+        if (toolName === 'delete_file') {
+            return await executeDeleteFile(request);
+        }
+        if (toolName === 'delete_directory') {
+            return await executeDeleteDirectory(request);
+        }
+        if (toolName === 'run_command') {
+            return await executeRunCommand(request);
+        }
+        if (toolName === 'execute_shell') {
+            return await executeShell(request);
+        }
+        return {
+            ok: false,
+            callId: request.call.id,
+            toolName,
+            error: { code: 'UNKNOWN_TOOL', message: `Unknown tool: ${toolName}` },
+        };
+    }
+    catch (error) {
+        return {
+            ok: false,
+            callId: request.call.id,
+            toolName,
+            error: normalizeToolError(error),
+        };
+    }
+}
+async function executeReadFile(request) {
+    const input = request.call.input;
+    const path = requiredString(input, 'path');
+    const target = await resolveReadablePath(path, request.context, { requireFile: true, rejectSensitive: true });
+    const stats = await stat(target.absolutePath);
+    const content = await readFile(target.absolutePath, 'utf8');
+    const startLine = optionalPositiveInteger(input, 'startLine');
+    const endLine = optionalPositiveInteger(input, 'endLine');
+    const rangedContent = sliceLineRange(content, startLine, endLine);
+    const maxBytes = clampPositiveInteger(optionalPositiveInteger(input, 'maxBytes') ?? request.context.maxOutputBytes, 1, outputLimitFor('read_file', request.context));
+    const payload = boundedReadFilePayload(target.displayPath, rangedContent, maxBytes, outputLimitFor('read_file', request.context));
+    recordReadFileState(request.context, target, {
+        content: startLine === undefined && endLine === undefined && !payload.truncated ? content : payload.content,
+        mtimeMs: stats.mtimeMs,
+        partial: startLine !== undefined || endLine !== undefined || payload.truncated,
+    });
+    return jsonToolResult(request, payload);
+}
+async function executeListFiles(request) {
+    const input = request.call.input;
+    const path = requiredString(input, 'path');
+    const recursive = optionalBoolean(input, 'recursive') ?? false;
+    const includeHidden = optionalBoolean(input, 'includeHidden') ?? false;
+    const maxEntries = clampPositiveInteger(optionalPositiveInteger(input, 'maxEntries') ?? 200, 1, 5000);
+    const target = await resolveReadablePath(path, request.context, { requireDirectory: true, rejectSensitive: false });
+    const entries = await collectDirectoryEntries(target.absolutePath, request.context, { recursive, includeHidden, maxEntries });
+    return jsonToolResult(request, {
+        path: target.displayPath,
+        entries: entries.items.map(item => ({
+            path: displayPath(item.absolutePath, request.context.cwd),
+            type: item.type,
+            ...(item.sizeBytes !== undefined ? { sizeBytes: item.sizeBytes } : {}),
+        })),
+        truncated: entries.truncated,
+    });
+}
+function boundedReadFilePayload(path, content, requestedMaxBytes, outputMaxBytes) {
+    let contentMaxBytes = Math.max(1, Math.min(requestedMaxBytes, outputMaxBytes));
+    let truncated = truncateStringBytes(content, contentMaxBytes, 'tail');
+    let payload = readFilePayload(path, truncated.text, truncated.truncated);
+    while (Buffer.byteLength(JSON.stringify(payload), 'utf8') > outputMaxBytes && contentMaxBytes > 1) {
+        const overflow = Buffer.byteLength(JSON.stringify(payload), 'utf8') - outputMaxBytes;
+        contentMaxBytes = Math.max(1, contentMaxBytes - overflow - 64);
+        truncated = truncateStringBytes(content, contentMaxBytes, 'tail');
+        payload = readFilePayload(path, truncated.text, true);
+    }
+    return payload;
+}
+function readFilePayload(path, content, truncated) {
+    return {
+        path,
+        content,
+        bytes: Buffer.byteLength(content, 'utf8'),
+        truncated,
+    };
+}
+async function executeSearchText(request) {
+    const input = request.call.input;
+    const query = requiredString(input, 'query');
+    const path = optionalString(input, 'path') ?? '.';
+    const includeGlob = optionalString(input, 'includeGlob');
+    const isRegex = optionalBoolean(input, 'isRegex') ?? false;
+    const caseSensitive = optionalBoolean(input, 'caseSensitive') ?? false;
+    const maxResults = clampPositiveInteger(optionalPositiveInteger(input, 'maxResults') ?? 50, 1, 500);
+    const target = await resolveReadablePath(path, request.context, { rejectSensitive: false });
+    const matcher = createTextMatcher(query, { isRegex, caseSensitive });
+    const includeMatcher = includeGlob ? createGlobMatcher(includeGlob) : undefined;
+    const files = (await collectFiles(target.absolutePath, request.context, { includeHidden: false, maxEntries: 5000 })).items;
+    const matches = [];
+    for (const file of files) {
+        if (matches.length >= maxResults) {
+            break;
+        }
+        const fileDisplayPath = displayPath(file.absolutePath, request.context.cwd);
+        if (includeMatcher && !includeMatcher(fileDisplayPath)) {
+            continue;
+        }
+        if (isSensitivePath(file.absolutePath)) {
+            continue;
+        }
+        let content = '';
+        try {
+            content = await readFile(file.absolutePath, 'utf8');
+        }
+        catch {
+            continue;
+        }
+        const lines = content.split(/\r?\n/);
+        for (let index = 0; index < lines.length && matches.length < maxResults; index += 1) {
+            const match = matcher(lines[index] ?? '');
+            if (!match) {
+                continue;
+            }
+            matches.push({
+                path: fileDisplayPath,
+                line: index + 1,
+                column: match.column,
+                text: truncateStringBytes(match.text, 500, 'tail').text,
+            });
+        }
+    }
+    return jsonToolResult(request, {
+        matches,
+        truncated: matches.length >= maxResults,
+    });
+}
+async function executeGlob(request) {
+    const input = request.call.input;
+    const pattern = requiredString(input, 'pattern');
+    const path = optionalString(input, 'path') ?? '.';
+    const includeHidden = optionalBoolean(input, 'includeHidden') ?? false;
+    const maxResults = clampPositiveInteger(optionalPositiveInteger(input, 'maxResults') ?? 200, 1, 5000);
+    const target = await resolveReadablePath(path, request.context, { rejectSensitive: false });
+    const matcher = createGlobMatcher(pattern);
+    const entries = await collectDirectoryEntries(target.absolutePath, request.context, { recursive: true, includeHidden, maxEntries: maxResults });
+    const matches = entries.items
+        .map(item => displayPath(item.absolutePath, request.context.cwd))
+        .filter(item => matcher(item))
+        .slice(0, maxResults);
+    return jsonToolResult(request, {
+        matches,
+        truncated: entries.truncated || matches.length >= maxResults,
+    });
+}
+function executeTodoWrite(request) {
+    const items = normalizeTodoItems(request.call.input['items']);
+    const inProgressCount = items.filter(item => item.status === 'in_progress').length;
+    if (inProgressCount > 1) {
+        throw toolError('TODO_MULTIPLE_IN_PROGRESS', 'Only one plan item can be in_progress at a time.');
+    }
+    return jsonToolResult(request, { items });
+}
+async function executeCreateDirectory(request) {
+    const input = request.call.input;
+    const path = requiredString(input, 'path');
+    const recursive = optionalBoolean(input, 'recursive') ?? true;
+    const target = await resolveWritablePath(path, request.context);
+    const existed = await pathExists(target.absolutePath);
+    if (existed) {
+        const stats = await stat(target.absolutePath);
+        if (!stats.isDirectory()) {
+            throw toolError('NOT_A_DIRECTORY', `Path exists and is not a directory: ${path}`);
+        }
+    }
+    await mkdir(target.absolutePath, { recursive });
+    return jsonToolResult(request, {
+        path: target.displayPath,
+        created: !existed,
+    });
+}
+async function executeEditFile(request) {
+    const input = request.call.input;
+    const path = requiredString(input, 'path');
+    const oldString = requiredString(input, 'oldString');
+    const newString = requiredString(input, 'newString');
+    const replaceAll = optionalBoolean(input, 'replaceAll') ?? false;
+    const target = await resolveWritablePath(path, request.context);
+    const existed = await pathExists(target.absolutePath);
+    if (!existed) {
+        throw toolError('PATH_NOT_FOUND', `Path does not exist: ${path}`);
+    }
+    const entry = await requireFullReadState(target, request.context, path);
+    if (oldString.length === 0) {
+        throw toolError('INVALID_INPUT', 'oldString must not be empty. Use write_file for whole-file creation or replacement.');
+    }
+    const matches = countOccurrences(entry.content, oldString);
+    if (matches === 0) {
+        throw toolError('STRING_NOT_FOUND', `oldString was not found in ${target.displayPath}. Read the file again if it changed.`);
+    }
+    if (matches > 1 && !replaceAll) {
+        throw toolError('STRING_NOT_UNIQUE', `oldString appears ${matches} times in ${target.displayPath}. Set replaceAll=true or provide more context.`);
+    }
+    const nextContent = replaceAll ? entry.content.split(oldString).join(newString) : entry.content.replace(oldString, newString);
+    await writeFile(target.absolutePath, nextContent, { encoding: 'utf8', flag: 'w' });
+    const stats = await stat(target.absolutePath);
+    updateReadFileState(request.context, target.absolutePath, {
+        content: nextContent,
+        displayPath: target.displayPath,
+        mtimeMs: stats.mtimeMs,
+        partial: false,
+    });
+    const bytes = Buffer.byteLength(nextContent, 'utf8');
+    const diff = buildTextDiff(entry.content, nextContent);
+    return jsonToolResult(request, {
+        path: target.displayPath,
+        bytes,
+        addedLines: diff.addedLines,
+        removedLines: diff.removedLines,
+        diffPreview: diff.preview,
+    });
+}
+async function executeWriteFile(request) {
+    const input = request.call.input;
+    const path = requiredString(input, 'path');
+    const content = requiredString(input, 'content');
+    const overwrite = optionalBoolean(input, 'overwrite') ?? false;
+    const createDirectories = optionalBoolean(input, 'createDirectories') ?? true;
+    const target = await resolveWritablePath(path, request.context);
+    const existed = await pathExists(target.absolutePath);
+    let previousContent = '';
+    if (existed) {
+        const stats = await stat(target.absolutePath);
+        if (!stats.isFile()) {
+            throw toolError('NOT_A_FILE', `Path exists and is not a file: ${path}`);
+        }
+        if (!overwrite) {
+            throw toolError('FILE_EXISTS', `Refusing to overwrite existing file without overwrite=true: ${path}`);
+        }
+        if (!isSensitivePath(target.absolutePath)) {
+            previousContent = (await requireFullReadState(target, request.context, path)).content;
+        }
+    }
+    if (createDirectories) {
+        await mkdir(dirname(target.absolutePath), { recursive: true });
+    }
+    await writeFile(target.absolutePath, content, { encoding: 'utf8', flag: overwrite ? 'w' : 'wx' });
+    const stats = await stat(target.absolutePath);
+    updateReadFileState(request.context, target.absolutePath, {
+        content,
+        displayPath: target.displayPath,
+        mtimeMs: stats.mtimeMs,
+        partial: false,
+    });
+    const bytes = Buffer.byteLength(content, 'utf8');
+    const diff = isSensitivePath(target.absolutePath) ? { addedLines: 0, removedLines: 0, preview: '' } : buildTextDiff(previousContent, content);
+    return jsonToolResult(request, {
+        path: target.displayPath,
+        bytes,
+        created: !existed,
+        overwritten: existed,
+        addedLines: diff.addedLines,
+        removedLines: diff.removedLines,
+        diffPreview: diff.preview,
+    });
+}
+async function executeDeleteFile(request) {
+    const input = request.call.input;
+    const path = requiredString(input, 'path');
+    const target = await resolveWritablePath(path, request.context);
+    const existed = await pathExists(target.absolutePath);
+    if (!existed) {
+        throw toolError('PATH_NOT_FOUND', `Path does not exist: ${path}`);
+    }
+    const stats = await stat(target.absolutePath);
+    if (!stats.isFile()) {
+        throw toolError('NOT_A_FILE', `delete_file only deletes regular files: ${path}`);
+    }
+    const previousContent = await readFile(target.absolutePath);
+    const diff = buildDeletionDiff(previousContent);
+    await unlink(target.absolutePath);
+    request.context.readFileState?.delete(target.absolutePath);
+    return jsonToolResult(request, {
+        path: target.displayPath,
+        deleted: true,
+        bytes: stats.size,
+        addedLines: diff.addedLines,
+        removedLines: diff.removedLines,
+        diffPreview: diff.preview,
+    });
+}
+async function executeDeleteDirectory(request) {
+    const input = request.call.input;
+    const path = requiredString(input, 'path');
+    const target = await resolveWritablePath(path, request.context);
+    const existed = await pathExists(target.absolutePath);
+    if (!existed) {
+        throw toolError('PATH_NOT_FOUND', `Path does not exist: ${path}`);
+    }
+    const stats = await stat(target.absolutePath);
+    if (!stats.isDirectory()) {
+        throw toolError('NOT_A_DIRECTORY', `delete_directory only deletes directories: ${path}`);
+    }
+    const entries = await readdir(target.absolutePath);
+    if (entries.length > 0) {
+        throw toolError('DIRECTORY_NOT_EMPTY', `delete_directory only deletes empty directories: ${path}`);
+    }
+    await rmdir(target.absolutePath);
+    return jsonToolResult(request, {
+        path: target.displayPath,
+        deleted: true,
+    });
+}
+function recordReadFileState(context, target, entry) {
+    const previous = context.readFileState?.get(target.absolutePath);
+    if (entry.partial && previous && !previous.partial) {
+        return;
+    }
+    updateReadFileState(context, target.absolutePath, {
+        content: entry.content,
+        displayPath: target.displayPath,
+        mtimeMs: entry.mtimeMs,
+        partial: entry.partial,
+    });
+}
+function updateReadFileState(context, absolutePath, entry) {
+    const state = context.readFileState ?? new Map();
+    state.set(absolutePath, entry);
+    context.readFileState = state;
+}
+async function requireFullReadState(target, context, inputPath) {
+    const entry = context.readFileState?.get(target.absolutePath);
+    if (!entry) {
+        throw toolError('FILE_NOT_READ', `File must be read with read_file before editing or overwriting: ${inputPath}`);
+    }
+    if (entry.partial) {
+        throw toolError('FILE_PARTIALLY_READ', `File was only partially read. Read the full file before editing or overwriting: ${entry.displayPath}`);
+    }
+    const stats = await stat(target.absolutePath);
+    if (!stats.isFile()) {
+        throw toolError('NOT_A_FILE', `Path is not a file: ${inputPath}`);
+    }
+    const currentContent = await readFile(target.absolutePath, 'utf8');
+    if (currentContent !== entry.content) {
+        throw toolError('FILE_CHANGED_SINCE_READ', `File changed after it was read. Read it again before editing or overwriting: ${entry.displayPath}`);
+    }
+    updateReadFileState(context, target.absolutePath, {
+        ...entry,
+        mtimeMs: stats.mtimeMs,
+    });
+    return {
+        ...entry,
+        mtimeMs: stats.mtimeMs,
+    };
+}
+function countOccurrences(text, search) {
+    let count = 0;
+    let index = 0;
+    while (true) {
+        const next = text.indexOf(search, index);
+        if (next < 0) {
+            return count;
+        }
+        count += 1;
+        index = next + search.length;
+    }
+}
+const defaultDiffContextLines = 1;
+const maxLcsDiffCells = 2_000_000;
+const diffOmissionMarker = '⋮';
+function buildTextDiff(before, after, maxPreviewLines = 80, contextLines = defaultDiffContextLines) {
+    const beforeLines = splitDiffLines(before);
+    const afterLines = splitDiffLines(after);
+    const diffLines = beforeLines.length * afterLines.length <= maxLcsDiffCells
+        ? buildLcsDiff(beforeLines, afterLines)
+        : [
+            ...beforeLines.map((text, index) => ({ kind: 'remove', text, oldLine: index + 1 })),
+            ...afterLines.map((text, index) => ({ kind: 'add', text, newLine: index + 1 })),
+        ];
+    const addedLines = diffLines.filter(line => line.kind === 'add').length;
+    const removedLines = diffLines.filter(line => line.kind === 'remove').length;
+    const selectedLines = selectDiffPreviewLines(diffLines, contextLines, maxPreviewLines);
+    const previewLines = selectedLines.map(line => formatDiffPreviewLine(line, selectedLines));
+    const renderedDiffLines = selectedLines.filter(line => line.kind === 'add' || line.kind === 'remove').length;
+    const omitted = addedLines + removedLines - renderedDiffLines;
+    if (omitted > 0) {
+        previewLines.push(`${diffOmissionMarker} ${omitted} diff lines omitted`);
+    }
+    return {
+        addedLines,
+        removedLines,
+        preview: previewLines.join('\n'),
+    };
+}
+function buildDeletionDiff(content) {
+    if (isProbablyBinary(content)) {
+        return { addedLines: 0, removedLines: 0, preview: '' };
+    }
+    return buildTextDiff(content.toString('utf8'), '');
+}
+function isProbablyBinary(content) {
+    const sampleLength = Math.min(content.length, 8_000);
+    for (let index = 0; index < sampleLength; index += 1) {
+        if (content[index] === 0) {
+            return true;
+        }
+    }
+    return false;
+}
+function selectDiffPreviewLines(diffLines, contextLines, maxPreviewLines) {
+    const include = new Set();
+    for (let index = 0; index < diffLines.length; index += 1) {
+        if (diffLines[index]?.kind === 'same') {
+            continue;
+        }
+        const start = Math.max(0, index - contextLines);
+        const end = Math.min(diffLines.length - 1, index + contextLines);
+        for (let candidate = start; candidate <= end; candidate += 1) {
+            include.add(candidate);
+        }
+    }
+    const selectedIndexes = [...include].sort((left, right) => left - right);
+    const preview = [];
+    let previousIndex = -1;
+    for (const index of selectedIndexes) {
+        if (previousIndex >= 0 && index > previousIndex + 1) {
+            preview.push({ kind: 'ellipsis' });
+        }
+        const line = diffLines[index];
+        if (line) {
+            preview.push(line);
+        }
+        previousIndex = index;
+    }
+    if (preview.length <= maxPreviewLines) {
+        return preview;
+    }
+    const capped = preview.slice(0, maxPreviewLines);
+    if (capped[capped.length - 1]?.kind !== 'ellipsis') {
+        capped.push({ kind: 'ellipsis' });
+    }
+    return capped;
+}
+function formatDiffPreviewLine(line, allLines) {
+    if (line.kind === 'ellipsis') {
+        return diffOmissionMarker;
+    }
+    const lineNumber = displayDiffLineNumber(line);
+    const width = diffLineNumberWidth(allLines);
+    const marker = line.kind === 'add' ? '+' : line.kind === 'remove' ? '-' : ' ';
+    return `${String(lineNumber).padStart(width)} ${marker} ${line.text}`;
+}
+function diffLineNumberWidth(lines) {
+    const maxLineNumber = lines.reduce((max, line) => {
+        if (line.kind === 'ellipsis') {
+            return max;
+        }
+        return Math.max(max, displayDiffLineNumber(line));
+    }, 1);
+    return String(maxLineNumber).length;
+}
+function displayDiffLineNumber(line) {
+    return line.kind === 'remove' ? line.oldLine ?? line.newLine ?? 0 : line.newLine ?? line.oldLine ?? 0;
+}
+function splitDiffLines(content) {
+    const normalized = content.replace(/\r\n/g, '\n');
+    if (normalized.length === 0) {
+        return [];
+    }
+    return normalized.endsWith('\n') ? normalized.slice(0, -1).split('\n') : normalized.split('\n');
+}
+function buildLcsDiff(beforeLines, afterLines) {
+    const rows = beforeLines.length;
+    const columns = afterLines.length;
+    const table = Array.from({ length: rows + 1 }, () => Array(columns + 1).fill(0));
+    for (let row = rows - 1; row >= 0; row -= 1) {
+        for (let column = columns - 1; column >= 0; column -= 1) {
+            table[row][column] =
+                beforeLines[row] === afterLines[column]
+                    ? table[row + 1][column + 1] + 1
+                    : Math.max(table[row + 1][column], table[row][column + 1]);
+        }
+    }
+    const diff = [];
+    let row = 0;
+    let column = 0;
+    while (row < rows && column < columns) {
+        const beforeLine = beforeLines[row];
+        const afterLine = afterLines[column];
+        if (beforeLine === afterLine) {
+            diff.push({ kind: 'same', text: beforeLine ?? '', oldLine: row + 1, newLine: column + 1 });
+            row += 1;
+            column += 1;
+        }
+        else if (table[row + 1][column] >= table[row][column + 1]) {
+            diff.push({ kind: 'remove', text: beforeLine ?? '', oldLine: row + 1 });
+            row += 1;
+        }
+        else {
+            diff.push({ kind: 'add', text: afterLine ?? '', newLine: column + 1 });
+            column += 1;
+        }
+    }
+    while (row < rows) {
+        diff.push({ kind: 'remove', text: beforeLines[row] ?? '', oldLine: row + 1 });
+        row += 1;
+    }
+    while (column < columns) {
+        diff.push({ kind: 'add', text: afterLines[column] ?? '', newLine: column + 1 });
+        column += 1;
+    }
+    return diff;
+}
+async function executeRunCommand(request) {
+    const command = requiredString(request.call.input, 'command');
+    const parsed = parseSimpleCommand(command);
+    const validation = validateParsedReadOnlyCommand(parsed);
+    if (!validation.ok) {
+        throw toolError('COMMAND_DENIED', validation.reason);
+    }
+    await validateCommandPathOperands(parsed, request.context);
+    const timeoutMs = clampPositiveInteger(optionalPositiveInteger(request.call.input, 'timeoutMs') ?? request.context.commandTimeoutMs ?? 30_000, 1_000, 60_000);
+    const maxBytes = clampPositiveInteger(optionalPositiveInteger(request.call.input, 'maxBytes') ?? request.context.maxOutputBytes, 1, outputLimitFor('run_command', request.context));
+    const result = await spawnReadOnlyCommand(parsed, request.context, { timeoutMs, maxBytes });
+    return jsonToolResult(request, {
+        command: stringifyCommand(parsed),
+        exitCode: result.exitCode,
+        stdout: result.stdout,
+        stderr: result.stderr,
+        bytes: result.bytes,
+        timedOut: result.timedOut,
+        truncated: result.truncated,
+    });
+}
+async function executeShell(request) {
+    const command = requiredString(request.call.input, 'command');
+    const requestedCwd = optionalString(request.call.input, 'cwd') ?? request.context.cwd;
+    const workdir = await resolveReadablePath(requestedCwd, request.context, { requireDirectory: true, rejectSensitive: false });
+    const commandContext = { ...request.context, cwd: workdir.absolutePath };
+    const parsed = parseShellCommand(command);
+    for (const segment of parsed.segments) {
+        const validation = validateParsedExecuteShellCommand(segment, commandContext.cwd);
+        if (!validation.ok) {
+            throw toolError('COMMAND_DENIED', validation.reason);
+        }
+    }
+    const timeoutMs = clampPositiveInteger(optionalPositiveInteger(request.call.input, 'timeoutMs') ?? request.context.commandTimeoutMs ?? 120_000, 1_000, 10 * 60_000);
+    const maxBytes = clampPositiveInteger(optionalPositiveInteger(request.call.input, 'maxBytes') ?? request.context.maxOutputBytes, 1, outputLimitFor('execute_shell', request.context));
+    const result = await spawnShellSegments(parsed, commandContext, { timeoutMs, maxBytes });
+    return jsonToolResult(request, {
+        command,
+        cwd: workdir.displayPath,
+        exitCode: result.exitCode,
+        stdout: result.stdout,
+        stderr: result.stderr,
+        bytes: result.bytes,
+        timedOut: result.timedOut,
+        truncated: result.truncated,
+        segments: result.segments,
+    });
+}
+function jsonToolResult(request, payload) {
+    const raw = JSON.stringify(payload);
+    const limit = outputLimitFor(request.call.toolName, request.context);
+    const truncated = truncateStringBytes(raw, limit, 'tail');
+    return {
+        ok: true,
+        callId: request.call.id,
+        toolName: request.call.toolName,
+        output: truncated.text,
+        truncated: truncated.truncated,
+        bytes: Buffer.byteLength(truncated.text, 'utf8'),
+    };
+}
+const neverPersistShellPrefixes = new Set([
+    'cp',
+    'mv',
+    'sed',
+    'rm',
+    'rmdir',
+    'sudo',
+    'su',
+    'doas',
+    'pkexec',
+    'sh',
+    'bash',
+    'zsh',
+    'fish',
+    'dash',
+    'env',
+    'xargs',
+    'awk',
+    'curl',
+    'wget',
+    'brew',
+    'apt',
+    'apt-get',
+    'winget',
+    'choco',
+    'scoop',
+    'nc',
+    'netcat',
+    'ssh',
+    'scp',
+    'sftp',
+    'chmod',
+    'chown',
+    'chgrp',
+    'ruby',
+    'perl',
+    'php',
+    'python',
+    'python2',
+    'python3',
+    'node',
+    'deno',
+    'bun',
+    'npx',
+    'tsx',
+    'lua',
+    'make',
+    'cmake',
+]);
+function buildToolPermissionCommand(toolName, input, context) {
+    if (toolName === 'execute_shell') {
+        return buildExecuteShellPermissionCommand(input, context);
+    }
+    if (toolName === 'create_directory') {
+        return buildCreateDirectoryPermissionCommand(input, context);
+    }
+    if (toolName === 'write_file') {
+        return undefined;
+    }
+    if (toolName === 'edit_file') {
+        return undefined;
+    }
+    if (toolName === 'delete_file') {
+        return buildDeleteFilePermissionCommand(input, context);
+    }
+    if (toolName === 'delete_directory') {
+        return buildDeleteDirectoryPermissionCommand(input);
+    }
+    return undefined;
+}
+function buildFilesystemPermissionRules(toolName, input, context) {
+    const operation = filesystemOperationForTool(toolName);
+    if (!operation) {
+        return [];
+    }
+    const path = input['path'];
+    if (typeof path !== 'string' || path.trim().length === 0) {
+        return [];
+    }
+    const root = suggestedFilesystemPermissionRoot(path, context);
+    if (!root) {
+        return [];
+    }
+    return [
+        {
+            kind: 'filesystem-write-root',
+            root,
+            operations: filesystemOperationsForSuggestedRule(operation),
+        },
+    ];
+}
+function filesystemOperationsForSuggestedRule(operation) {
+    if (operation === 'write' || operation === 'edit') {
+        return ['write', 'edit'];
+    }
+    return [operation];
+}
+function filesystemOperationForTool(toolName) {
+    if (toolName === 'create_directory') {
+        return 'create';
+    }
+    if (toolName === 'write_file') {
+        return 'write';
+    }
+    if (toolName === 'edit_file') {
+        return 'edit';
+    }
+    if (toolName === 'delete_file') {
+        return 'delete';
+    }
+    if (toolName === 'delete_directory') {
+        return 'delete';
+    }
+    return undefined;
+}
+function suggestedFilesystemPermissionRoot(inputPath, context) {
+    const absolutePath = isAbsolute(inputPath) ? resolve(inputPath) : resolve(context.cwd, inputPath);
+    const cwd = resolve(context.cwd);
+    if (isPathInside(absolutePath, cwd)) {
+        return cwd;
+    }
+    const home = homedir();
+    const desktop = resolve(home, 'Desktop');
+    if (isPathInside(absolutePath, desktop)) {
+        const rel = relative(desktop, absolutePath);
+        const [project] = rel.split(sep).filter(Boolean);
+        if (project) {
+            return resolve(desktop, project);
+        }
+    }
+    return dirname(absolutePath);
+}
+function buildExecuteShellPermissionCommand(input, context) {
+    const command = input['command'];
+    if (typeof command !== 'string') {
+        return undefined;
+    }
+    try {
+        const parsed = parseShellCommand(command);
+        const cwd = shellPermissionCwd(input, context.cwd);
+        const capabilities = commandCapabilitiesForSegments(parsed.segments);
+        const allowPersistentRules = canPersistShellCommand(parsed.segments, capabilities);
+        const fullCommandRule = allowPersistentRules && parsed.segments.some(segment => segment.command === 'cd') && !parsed.hasWildcard
+            ? { kind: 'shell-prefix', prefix: command.trim(), cwd: resolve(cwd) }
+            : undefined;
+        let segmentCwd = cwd;
+        const segments = parsed.segments.map(segment => {
+            const cwdForSegment = segmentCwd;
+            const suggestedRule = fullCommandRule || !allowPersistentRules ? undefined : parsed.hasWildcard ? undefined : suggestShellPermissionRule(segment, cwdForSegment);
+            const result = {
+                command: segment.command,
+                args: segment.args,
+                display: stringifyCommand(segment),
+                cwd: cwdForSegment,
+                ...(suggestedRule ? { suggestedPrefix: suggestedRule.prefix, suggestedRule } : {}),
+            };
+            const nextCwd = cdTargetCwd(segment, cwdForSegment);
+            if (nextCwd) {
+                segmentCwd = nextCwd;
+            }
+            return result;
+        });
+        const suggestedRules = segments
+            .map(segment => segment.suggestedRule)
+            .filter((rule) => rule !== undefined && rule.kind === 'shell-prefix');
+        const effectiveSuggestedRules = allowPersistentRules ? fullCommandRule ? [fullCommandRule] : suggestedRules : [];
+        const suggestedRule = effectiveSuggestedRules.length === 1 ? effectiveSuggestedRules[0] : undefined;
+        const suggestedPrefix = suggestedRule?.prefix;
+        return {
+            commandLine: command,
+            segments,
+            cwd,
+            ...(capabilities.length === 1 ? { capability: capabilities[0] } : {}),
+            ...(capabilities.length > 0 ? { capabilities } : {}),
+            ...(suggestedPrefix ? { suggestedPrefix } : {}),
+            ...(suggestedRule ? { suggestedRule } : {}),
+            ...(effectiveSuggestedRules.length > 0 ? { suggestedRules: effectiveSuggestedRules } : {}),
+            canPersist: effectiveSuggestedRules.length > 0 && (fullCommandRule !== undefined || effectiveSuggestedRules.length === segments.length),
+            rulesMatchable: !parsed.hasWildcard,
+        };
+    }
+    catch {
+        return {
+            commandLine: command,
+            segments: [],
+            canPersist: false,
+            rulesMatchable: false,
+        };
+    }
+}
+function buildCreateDirectoryPermissionCommand(input, context) {
+    const path = input['path'];
+    if (typeof path !== 'string' || path.trim().length === 0) {
+        return undefined;
+    }
+    const recursive = input['recursive'] !== false;
+    const args = recursive ? ['-p', path] : [path];
+    const segment = {
+        command: 'mkdir',
+        args,
+        display: stringifyCommand({ command: 'mkdir', args }),
+    };
+    return {
+        commandLine: segment.display,
+        segments: [segment],
+        canPersist: false,
+    };
+}
+function buildDeleteFilePermissionCommand(input, context) {
+    const path = input['path'];
+    if (typeof path !== 'string' || path.trim().length === 0) {
+        return undefined;
+    }
+    const segment = {
+        command: 'rm',
+        args: [path],
+        display: `rm ${quoteCommandArg(path)}`,
+    };
+    return {
+        commandLine: segment.display,
+        segments: [segment],
+        canPersist: false,
+    };
+}
+function buildDeleteDirectoryPermissionCommand(input) {
+    const path = input['path'];
+    if (typeof path !== 'string' || path.trim().length === 0) {
+        return undefined;
+    }
+    const segment = {
+        command: 'rmdir',
+        args: [path],
+        display: `rmdir ${quoteCommandArg(path)}`,
+    };
+    return {
+        commandLine: segment.display,
+        segments: [segment],
+        canPersist: false,
+    };
+}
+function commandCapabilitiesForSegments(segments) {
+    return segments
+        .map(segment => commandCapabilityForSegment(segment))
+        .filter((capability) => capability !== undefined);
+}
+function commandCapabilityForSegment(segment) {
+    const command = segment.command.toLowerCase();
+    const platform = currentHostPlatform();
+    if (command === 'curl' || command === 'wget') {
+        const target = segment.args.find(arg => /^https?:\/\//i.test(arg));
+        return {
+            id: 'download.url',
+            risk: 'network',
+            ...(platform ? { platform } : {}),
+            ...(target ? { target } : {}),
+        };
+    }
+    const installCapability = packageManagerInstallCapability(command, segment.args, platform);
+    if (installCapability) {
+        return installCapability;
+    }
+    if (command === 'ifconfig' || command === 'ip' || command === 'ipconfig') {
+        return { id: 'network.ip', risk: 'read-only', ...(platform ? { platform } : {}) };
+    }
+    if (command === 'getmac' || command === 'arp') {
+        return { id: 'network.mac', risk: 'read-only', ...(platform ? { platform } : {}) };
+    }
+    if (command === 'netstat' || command === 'ss' || command === 'lsof') {
+        return { id: 'network.ports', risk: 'read-only', ...(platform ? { platform } : {}) };
+    }
+    if (command === 'rg' || command === 'grep') {
+        return { id: 'logs.search', risk: 'read-only', ...(platform ? { platform } : {}) };
+    }
+    return undefined;
+}
+function packageManagerInstallCapability(command, args, platform) {
+    const installSubcommand = args[0]?.toLowerCase();
+    if (!['install', 'add'].includes(installSubcommand ?? '')) {
+        return undefined;
+    }
+    const packageManager = packageManagerForCommand(command);
+    if (!packageManager) {
+        return undefined;
+    }
+    const target = firstNonFlagArgument(args.slice(1));
+    const requiresAdmin = packageManager === 'apt' || packageManager === 'apt-get' || packageManager === 'choco';
+    return {
+        id: 'tool.install',
+        risk: requiresAdmin ? 'admin' : 'install',
+        packageManager,
+        requiresAdmin,
+        ...(platform ? { platform } : {}),
+        ...(target ? { target } : {}),
+    };
+}
+function packageManagerForCommand(command) {
+    if (command === 'brew' || command === 'apt' || command === 'apt-get' || command === 'winget' || command === 'choco' || command === 'scoop') {
+        return command;
+    }
+    return undefined;
+}
+function firstNonFlagArgument(args) {
+    for (const arg of args) {
+        if (arg === '--') {
+            continue;
+        }
+        if (arg.startsWith('-') || arg.startsWith('/')) {
+            continue;
+        }
+        return arg;
+    }
+    return undefined;
+}
+function currentHostPlatform() {
+    if (process.platform === 'darwin' || process.platform === 'linux' || process.platform === 'win32') {
+        return process.platform;
+    }
+    return undefined;
+}
+function canPersistShellCommand(segments, capabilities) {
+    if (segments.some(segment => isEphemeralApprovalShellCommand(segment.command))) {
+        return false;
+    }
+    return capabilities.every(capability => capability.risk === 'read-only');
+}
+function isEphemeralApprovalShellCommand(command) {
+    return command === 'curl' ||
+        command === 'wget' ||
+        command === 'brew' ||
+        command === 'apt' ||
+        command === 'apt-get' ||
+        command === 'winget' ||
+        command === 'choco' ||
+        command === 'scoop';
+}
+function validateReadOnlyCommandInput(input) {
+    const command = input['command'];
+    if (typeof command !== 'string') {
+        return { ok: false, reason: 'run_command requires a string command.' };
+    }
+    try {
+        return validateParsedReadOnlyCommand(parseSimpleCommand(command, { allowDollarLiteral: true, allowEnvAssignmentArgs: true }));
+    }
+    catch (error) {
+        return { ok: false, reason: error instanceof Error ? error.message : String(error) };
+    }
+}
+function validateExecuteShellInput(input, defaultCwd) {
+    const command = input['command'];
+    if (typeof command !== 'string') {
+        return { ok: false, reason: 'execute_shell requires a string command.' };
+    }
+    try {
+        const parsed = parseShellCommand(command);
+        const cwd = shellPermissionCwd(input, defaultCwd);
+        for (const segment of parsed.segments) {
+            const validation = validateParsedExecuteShellCommand(segment, cwd);
+            if (!validation.ok) {
+                return validation;
+            }
+        }
+        return { ok: true };
+    }
+    catch (error) {
+        return { ok: false, reason: error instanceof Error ? error.message : String(error) };
+    }
+}
+function parseShellCommand(commandLine) {
+    if (commandLine.trim().length === 0) {
+        throw new Error('Command must not be empty.');
+    }
+    if (commandLine.length > 4000) {
+        throw new Error('Command is too long.');
+    }
+    if (/[\r\n]/.test(commandLine)) {
+        throw new Error('Multi-line commands are not allowed.');
+    }
+    const parts = splitShellCommandSegments(commandLine);
+    const segments = parts.segments.map(segment => parseSimpleCommand(segment, { allowOperators: false, allowExecutablePath: true }));
+    if (segments.length === 0) {
+        throw new Error('Command must not be empty.');
+    }
+    return {
+        segments,
+        operators: parts.operators,
+        hasWildcard: parts.hasWildcard,
+    };
+}
+function splitShellCommandSegments(commandLine) {
+    const segments = [];
+    const operators = [];
+    let current = '';
+    let quote;
+    let hasWildcard = false;
+    for (let index = 0; index < commandLine.length; index += 1) {
+        const char = commandLine[index];
+        if (char === undefined) {
+            continue;
+        }
+        if (quote) {
+            if (char === quote) {
+                quote = undefined;
+                current += char;
+                continue;
+            }
+            current += char;
+            continue;
+        }
+        if (char === '"' || char === "'") {
+            quote = char;
+            current += char;
+            continue;
+        }
+        if (char === '*' || char === '?' || char === '[' || char === ']') {
+            hasWildcard = true;
+            current += char;
+            continue;
+        }
+        if (char === ';') {
+            pushShellSegment(segments, current);
+            operators.push(';');
+            current = '';
+            continue;
+        }
+        if (char === '&') {
+            if (commandLine[index + 1] === '&') {
+                pushShellSegment(segments, current);
+                operators.push('&&');
+                current = '';
+                index += 1;
+                continue;
+            }
+            throw new Error('Backgrounding is not supported by execute_shell.');
+        }
+        if (char === '|') {
+            throw new Error('Pipes are not supported by execute_shell.');
+        }
+        if (char === '<' || char === '>') {
+            throw new Error('Shell redirects are not supported by execute_shell.');
+        }
+        if (char === '`' || char === '$') {
+            throw new Error('Command substitution and shell variable expansion are not supported by execute_shell.');
+        }
+        current += char;
+    }
+    if (quote) {
+        throw new Error('Unclosed quote in command.');
+    }
+    pushShellSegment(segments, current);
+    if (operators.length >= segments.length) {
+        throw new Error('Shell command cannot end with an operator.');
+    }
+    return { segments, operators, hasWildcard };
+}
+function pushShellSegment(segments, raw) {
+    const segment = raw.trim();
+    if (segment.length === 0) {
+        throw new Error('Shell command contains an empty segment.');
+    }
+    segments.push(segment);
+}
+function parseSimpleCommand(commandLine, options = {}) {
+    if (commandLine.trim().length === 0) {
+        throw new Error('Command must not be empty.');
+    }
+    if (commandLine.length > 4000) {
+        throw new Error('Command is too long.');
+    }
+    if (/[\r\n]/.test(commandLine)) {
+        throw new Error('Multi-line commands are not allowed.');
+    }
+    const operatorPattern = options.allowDollarLiteral ? /[|<>;&`]/ : /[|<>;&`$]/;
+    if ((options.allowOperators ?? false) === false && operatorPattern.test(commandLine)) {
+        throw new Error('Shell operators, redirects, backgrounding, and command substitution are not allowed.');
+    }
+    const tokens = tokenizeCommandLine(commandLine);
+    if (tokens.length === 0) {
+        throw new Error('Command must not be empty.');
+    }
+    const [command, ...args] = tokens;
+    if (!command) {
+        throw new Error('Command must not be empty.');
+    }
+    if ((options.allowExecutablePath ?? false) === false && command.includes('/')) {
+        throw new Error('Command must be an allowlisted executable name, not a path.');
+    }
+    if (command.includes('/') && !isAllowedExecutablePathToken(command)) {
+        throw new Error('Executable paths must be relative to the current workspace, such as ./run.sh.');
+    }
+    if (/^[A-Za-z_][A-Za-z0-9_]*=/.test(command)) {
+        throw new Error('Environment variable assignments are not supported by execute_shell.');
+    }
+    for (const arg of args) {
+        if ((options.allowEnvAssignmentArgs ?? false) === false && /^[A-Za-z_][A-Za-z0-9_]*=/.test(arg)) {
+            throw new Error('Environment variable assignments are not supported by execute_shell.');
+        }
+    }
+    return { command, args };
+}
+function isAllowedExecutablePathToken(command) {
+    return command.startsWith('./');
+}
+function tokenizeCommandLine(commandLine) {
+    const tokens = [];
+    let current = '';
+    let quote;
+    for (let index = 0; index < commandLine.length; index += 1) {
+        const char = commandLine[index];
+        if (char === undefined) {
+            continue;
+        }
+        if (quote) {
+            if (char === quote) {
+                quote = undefined;
+                continue;
+            }
+            current += char;
+            continue;
+        }
+        if (char === '"' || char === "'") {
+            quote = char;
+            continue;
+        }
+        if (/\s/.test(char)) {
+            if (current.length > 0) {
+                tokens.push(current);
+                current = '';
+            }
+            continue;
+        }
+        current += char;
+    }
+    if (quote) {
+        throw new Error('Unclosed quote in command.');
+    }
+    if (current.length > 0) {
+        tokens.push(current);
+    }
+    return tokens;
+}
+function validateParsedReadOnlyCommand(command) {
+    if (command.command === 'pwd') {
+        return command.args.length === 0 ? { ok: true } : { ok: false, reason: 'pwd does not accept arguments in read-only mode.' };
+    }
+    if (command.command === 'whoami') {
+        return command.args.length === 0 ? { ok: true } : { ok: false, reason: 'whoami does not accept arguments in read-only mode.' };
+    }
+    if (command.command === 'ls') {
+        return validateFlags(command, {
+            allowedFlags: new Set(['-l', '-h', '-lh', '-hl', '--color=never', '--color=auto']),
+            deniedFlags: new Set(['-a', '-A', '--all', '--almost-all', '-R', '--recursive']),
+        });
+    }
+    if (command.command === 'cat') {
+        return validateFlags(command, {
+            allowedFlags: new Set(['-n', '-b', '-s']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'head') {
+        return validateHeadTailCommand(command, { allowFollow: false });
+    }
+    if (command.command === 'tail') {
+        return validateHeadTailCommand(command, { allowFollow: false });
+    }
+    if (command.command === 'wc') {
+        return validateFlags(command, {
+            allowedFlags: new Set(['-l', '-w', '-c', '-m', '-L']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'file') {
+        return validateFlags(command, {
+            allowedFlags: new Set(['-b', '--brief', '-i', '--mime', '--mime-type', '--mime-encoding', '-h', '--no-dereference', '-L', '--dereference']),
+            deniedFlags: new Set(['-f', '--files-from']),
+        });
+    }
+    if (command.command === 'stat') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-L', '-x', '-s', '-r', '-q', '-t']),
+            valueFlags: new Set(['-f', '-c']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'du') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-s', '-h', '-k', '-m', '-g', '-x', '-c']),
+            valueFlags: new Set(['-d', '--max-depth']),
+            deniedFlags: new Set(['-a', '--all', '-I', '--exclude', '--files0-from']),
+        });
+    }
+    if (command.command === 'df') {
+        return validateFlags(command, {
+            allowedFlags: new Set(['-h', '-H', '-k', '-m', '-g', '-P', '-T', '-i']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'grep') {
+        return validateGrepCommand(command);
+    }
+    if (command.command === 'find') {
+        return validateFindCommand(command);
+    }
+    if (command.command === 'rg') {
+        return validateRipgrepCommand(command);
+    }
+    if (command.command === 'ps') {
+        return validatePsCommand(command);
+    }
+    if (command.command === 'uname') {
+        return validateFlags(command, {
+            allowedFlags: new Set(['-a', '-s', '-n', '-r', '-v', '-m', '-p']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'date') {
+        return validateDateCommand(command);
+    }
+    if (command.command === 'id') {
+        return validateFlags(command, {
+            allowedFlags: new Set(['-u', '-g', '-G', '-n', '-r', '-p']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'which') {
+        return validateFlags(command, {
+            allowedFlags: new Set(['-a', '-s']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'where') {
+        return validateWhereCommand(command);
+    }
+    if (command.command === 'hostname') {
+        return validateHostnameCommand(command);
+    }
+    if (command.command === 'ifconfig') {
+        return validateIfconfigCommand(command);
+    }
+    if (command.command === 'ip') {
+        return validateIpCommand(command);
+    }
+    if (command.command === 'ipconfig') {
+        return validateIpconfigCommand(command);
+    }
+    if (command.command === 'getmac') {
+        return validateGetmacCommand(command);
+    }
+    if (command.command === 'netstat') {
+        return validateNetstatCommand(command);
+    }
+    if (command.command === 'ss') {
+        return validateSsCommand(command);
+    }
+    if (command.command === 'lsof') {
+        return validateLsofCommand(command);
+    }
+    if (command.command === 'arp') {
+        return validateArpCommand(command);
+    }
+    if (command.command === 'uptime') {
+        return command.args.length === 0 ? { ok: true } : { ok: false, reason: `${command.command} does not accept arguments in read-only mode.` };
+    }
+    if (command.command === 'basename') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-a']),
+            valueFlags: new Set(['-s']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'dirname') {
+        return validateFlags(command, {
+            allowedFlags: new Set([]),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'realpath' || command.command === 'readlink') {
+        return validateFlags(command, {
+            allowedFlags: new Set(['-f', '-m', '-n', '-q']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'sort') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-b', '-d', '-f', '-g', '-h', '-M', '-n', '-r', '-u', '-V', '-c', '-C', '-s']),
+            valueFlags: new Set(['-k', '--key', '-t', '--field-separator']),
+            deniedFlags: new Set(['-o', '--output', '--files0-from', '--compress-program', '-T', '--temporary-directory']),
+        });
+    }
+    if (command.command === 'uniq') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-c', '-d', '-D', '-u', '-i']),
+            valueFlags: new Set(['-f', '-s', '-w']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'cut') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-s', '--only-delimited', '--complement']),
+            valueFlags: new Set(['-b', '--bytes', '-c', '--characters', '-f', '--fields', '-d', '--delimiter', '--output-delimiter']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'nl') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-p']),
+            valueFlags: new Set(['-b', '-d', '-f', '-h', '-i', '-l', '-n', '-s', '-v', '-w']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'diff') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-u', '-c', '-q', '-s', '-r', '-N', '-B', '-b', '-w', '-i', '--brief', '--report-identical-files']),
+            valueFlags: new Set(['-U', '--unified', '-C', '--context', '-L', '--label', '-I', '--ignore-matching-lines', '-x', '--exclude']),
+            deniedFlags: new Set(['--output']),
+        });
+    }
+    if (command.command === 'cmp') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-s', '-l', '-b']),
+            valueFlags: new Set(['-n', '-i']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'comm') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-1', '-2', '-3', '--check-order', '--nocheck-order']),
+            valueFlags: new Set(['--output-delimiter']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'strings') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-a', '-f']),
+            valueFlags: new Set(['-n', '-t', '-e']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'hexdump') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-C', '-b', '-c', '-d', '-o', '-x', '-v']),
+            valueFlags: new Set(['-n', '-s']),
+            deniedFlags: new Set(['-e', '-f']),
+        });
+    }
+    if (command.command === 'od') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-a', '-b', '-c', '-d', '-f', '-h', '-i', '-l', '-o', '-s', '-x', '-v']),
+            valueFlags: new Set(['-A', '-j', '-N', '-t', '-w']),
+            deniedFlags: new Set([]),
+        });
+    }
+    if (command.command === 'xxd') {
+        return validateFlagsWithValues(command, {
+            allowedFlags: new Set(['-a', '-b', '-c', '-E', '-g', '-i', '-l', '-p', '-ps', '-u']),
+            valueFlags: new Set(['-c', '-g', '-l', '-s']),
+            deniedFlags: new Set(['-r']),
+        });
+    }
+    if (command.command === 'tar') {
+        return validateTarListCommand(command);
+    }
+    if (command.command === 'git') {
+        return validateGitCommand(command);
+    }
+    return {
+        ok: false,
+        reason: `Command is not in the read-only allowlist: ${command.command}`,
+    };
+}
+function validateParsedExecuteShellCommand(command, cwd) {
+    const deniedCommands = new Set([
+        'sudo',
+        'su',
+        'chown',
+        'chgrp',
+        'mkfs',
+        'diskutil',
+        'launchctl',
+        'security',
+    ]);
+    if (deniedCommands.has(command.command)) {
+        return { ok: false, reason: `Command is blocked by Remi safety policy: ${command.command}` };
+    }
+    if (command.command === 'cd') {
+        return validateCdCommand(command);
+    }
+    if (command.command === 'rm' || command.command === 'rmdir') {
+        return validateRemovalCommand(command, cwd);
+    }
+    if (command.command.includes('/') && !isAllowedExecutablePathToken(command.command)) {
+        return { ok: false, reason: `Executable path is outside supported relative workspace form: ${command.command}` };
+    }
+    return { ok: true };
+}
+function validateCdCommand(command) {
+    if (command.args.length > 1) {
+        return { ok: false, reason: 'cd supports at most one target directory in execute_shell.' };
+    }
+    const target = command.args[0];
+    if (target === '-') {
+        return { ok: false, reason: 'cd - is not supported by execute_shell.' };
+    }
+    if (target?.startsWith('-') && target !== '-') {
+        return { ok: false, reason: 'cd flags are not supported by execute_shell.' };
+    }
+    return { ok: true };
+}
+function validateRemovalCommand(command, cwd) {
+    for (const target of removalPathOperands(command)) {
+        const dangerousReason = dangerousRemovalReason(target, cwd);
+        if (dangerousReason) {
+            return { ok: false, reason: dangerousReason };
+        }
+    }
+    return { ok: true };
+}
+function removalPathOperands(command) {
+    const operands = [];
+    let endOfOptions = false;
+    for (const arg of command.args) {
+        if (!endOfOptions && arg === '--') {
+            endOfOptions = true;
+            continue;
+        }
+        if (!endOfOptions && arg.startsWith('-') && arg !== '-') {
+            continue;
+        }
+        operands.push(arg);
+    }
+    return operands;
+}
+function dangerousRemovalReason(inputPath, cwd) {
+    const normalizedInput = inputPath.trim().replace(/[\\/]+/g, '/');
+    if (!normalizedInput) {
+        return undefined;
+    }
+    if (normalizedInput === '*' || /[*?[\]]/.test(normalizedInput) || normalizedInput.endsWith('/*')) {
+        return `Dangerous removal target is not allowed through execute_shell: ${inputPath}`;
+    }
+    const expandedPath = normalizedInput === '~'
+        ? homedir()
+        : normalizedInput.startsWith('~/')
+            ? resolve(homedir(), normalizedInput.slice(2))
+            : normalizedInput;
+    const absolutePath = isAbsolute(expandedPath) ? resolve(expandedPath) : resolve(cwd, expandedPath);
+    const normalizedPath = absolutePath === '/' ? '/' : absolutePath.replace(/\/+$/, '');
+    if (normalizedPath === '/') {
+        return `Dangerous removal target is not allowed through execute_shell: ${inputPath}`;
+    }
+    const normalizedHome = homedir().replace(/[\\/]+/g, '/').replace(/\/+$/, '');
+    if (normalizedPath.replace(/[\\/]+/g, '/') === normalizedHome) {
+        return `Dangerous removal target is not allowed through execute_shell: ${inputPath}`;
+    }
+    if (dirname(normalizedPath) === '/') {
+        return `Dangerous removal target is not allowed through execute_shell: ${inputPath}`;
+    }
+    return undefined;
+}
+function shellPermissionCwd(input, defaultCwd) {
+    const requested = typeof input['cwd'] === 'string' && input['cwd'].trim().length > 0 ? input['cwd'] : defaultCwd;
+    return isAbsolute(requested) ? resolve(requested) : resolve(defaultCwd, requested);
+}
+function cdTargetCwd(command, cwd) {
+    if (command.command !== 'cd') {
+        return undefined;
+    }
+    const target = command.args[0] ?? homedir();
+    if (target === '-') {
+        return undefined;
+    }
+    if (target === '~') {
+        return homedir();
+    }
+    if (target.startsWith('~/')) {
+        return resolve(homedir(), target.slice(2));
+    }
+    return isAbsolute(target) ? resolve(target) : resolve(cwd, target);
+}
+function buildExactCommandRule(command, args, cwd) {
+    return {
+        kind: 'shell-prefix',
+        prefix: stringifyCommand({ command, args }),
+        cwd: resolve(cwd),
+    };
+}
+function suggestShellPermissionRule(command, cwd) {
+    const prefix = suggestShellPrefix(command) ?? stringifyCommand(command);
+    if (!prefix) {
+        return undefined;
+    }
+    return {
+        kind: 'shell-prefix',
+        prefix,
+        cwd: resolve(cwd),
+    };
+}
+function suggestShellPrefix(command) {
+    const [firstArg, secondArg] = command.args;
+    if (isNeverPersistShellPrefix(command.command)) {
+        return undefined;
+    }
+    if (command.command === 'go' && firstArg) {
+        if (firstArg === 'mod' && secondArg) {
+            return `go mod ${secondArg}`;
+        }
+        return `go ${firstArg}`;
+    }
+    if ((command.command === 'pnpm' || command.command === 'npm' || command.command === 'yarn') && firstArg) {
+        return firstArg === 'run' && secondArg ? `${command.command} run ${secondArg}` : `${command.command} ${firstArg}`;
+    }
+    if (command.command === 'git' && firstArg) {
+        return `git ${firstArg}`;
+    }
+    if ((command.command === 'python' || command.command === 'python3') && firstArg === '-m' && secondArg) {
+        if (['pytest', 'unittest', 'mypy', 'ruff'].includes(secondArg)) {
+            return `${command.command} -m ${secondArg}`;
+        }
+        return undefined;
+    }
+    if (command.command === 'python' || command.command === 'python3') {
+        return undefined;
+    }
+    if (command.command === 'node' && firstArg) {
+        if (firstArg === '-e' || firstArg === '--eval' || firstArg === '-p' || firstArg === '--print') {
+            return undefined;
+        }
+        return `node ${firstArg}`;
+    }
+    if (command.command === 'node') {
+        return undefined;
+    }
+    if (command.command.startsWith('./')) {
+        return stringifyCommand(command);
+    }
+    if (firstArg && /^[a-z][a-z0-9]*(-[a-z0-9]+)*$/.test(firstArg)) {
+        return `${command.command} ${firstArg}`;
+    }
+    return command.command;
+}
+function isNeverPersistShellPrefix(command) {
+    return neverPersistShellPrefixes.has(command);
+}
+function commandPermissionRulesAllow(request, rules) {
+    if (!request.command || rules.length === 0 || request.command.rulesMatchable === false) {
+        return false;
+    }
+    if (!canPersistShellCommand(request.command.segments, request.command.capabilities ?? [])) {
+        return false;
+    }
+    const commandCwd = request.command.cwd ?? request.cwd;
+    if (rules.some(rule => rawCommandRuleMatches(rule, request.command?.commandLine ?? '', commandCwd))) {
+        return true;
+    }
+    return request.command.segments.every(segment => {
+        const segmentCwd = segment.cwd ?? commandCwd;
+        return rules.some(rule => commandPrefixRuleMatches(rule, segment, segmentCwd));
+    });
+}
+async function filesystemPermissionRulesAllow(call, context, rules) {
+    const operation = filesystemOperationForTool(call.toolName);
+    if (!operation || rules.length === 0) {
+        return false;
+    }
+    const scope = await writableScopeForCall(call, context);
+    if (!scope.ok) {
+        return false;
+    }
+    for (const rule of rules) {
+        if (rule.kind !== 'filesystem-write-root') {
+            continue;
+        }
+        if (rule.operations?.length && !rule.operations.includes(operation)) {
+            continue;
+        }
+        const root = await normalizeWritablePath(resolve(rule.root));
+        if (isPathInside(scope.approvalRoot, root)) {
+            return true;
+        }
+    }
+    return false;
+}
+function commandPrefixRuleMatches(rule, segment, cwd) {
+    if (rule.kind !== 'shell-prefix' || rule.prefix.trim().length === 0) {
+        return false;
+    }
+    if (rule.cwd && !isPathInside(resolve(cwd), resolve(rule.cwd))) {
+        return false;
+    }
+    let parsedRule;
+    try {
+        parsedRule = parseSimpleCommand(rule.prefix, { allowExecutablePath: true });
+    }
+    catch {
+        return false;
+    }
+    if (parsedRule.command !== segment.command) {
+        return false;
+    }
+    if (segment.command === 'rm' || segment.command === 'mkdir') {
+        return parsedRule.args.length === segment.args.length && parsedRule.args.every((arg, index) => segment.args[index] === arg);
+    }
+    if (segment.command === 'write' || segment.command === 'edit') {
+        return false;
+    }
+    if (parsedRule.args.length > segment.args.length) {
+        return false;
+    }
+    return parsedRule.args.every((arg, index) => segment.args[index] === arg);
+}
+function rawCommandRuleMatches(rule, commandLine, cwd) {
+    if (rule.kind !== 'shell-prefix' || rule.prefix.trim().length === 0) {
+        return false;
+    }
+    if (rule.cwd && !isPathInside(resolve(cwd), resolve(rule.cwd))) {
+        return false;
+    }
+    const prefix = rule.prefix.trim();
+    if (!/[;&|<>`$]/.test(prefix)) {
+        return false;
+    }
+    return commandLine.trim() === prefix;
+}
+function validateFlags(command, options) {
+    for (const arg of command.args) {
+        if (!arg.startsWith('-') || arg === '-') {
+            continue;
+        }
+        if (options.deniedFlags.has(arg)) {
+            return { ok: false, reason: `Flag is not allowed for ${command.command}: ${arg}` };
+        }
+        if (!options.allowedFlags.has(arg) && !isNumericCountFlag(arg)) {
+            return { ok: false, reason: `Flag is not in the read-only allowlist for ${command.command}: ${arg}` };
+        }
+    }
+    return { ok: true };
+}
+function validateFlagsWithValues(command, options) {
+    for (let index = 0; index < command.args.length; index += 1) {
+        const arg = command.args[index];
+        if (!arg || !arg.startsWith('-') || arg === '-') {
+            continue;
+        }
+        const [flagName] = arg.split('=', 1);
+        if (!flagName) {
+            continue;
+        }
+        if (options.deniedFlags.has(arg) || options.deniedFlags.has(flagName)) {
+            return { ok: false, reason: `Flag is not allowed for ${command.command}: ${arg}` };
+        }
+        if (options.valueFlags.has(flagName)) {
+            if (!arg.includes('=')) {
+                index += 1;
+            }
+            continue;
+        }
+        if (!options.allowedFlags.has(arg) && !options.allowedFlags.has(flagName) && !isNumericCountFlag(arg)) {
+            return { ok: false, reason: `Flag is not in the read-only allowlist for ${command.command}: ${arg}` };
+        }
+    }
+    return { ok: true };
+}
+function validateHeadTailCommand(command, options) {
+    const denied = new Set(['-f', '--follow', '--retry', '--pid']);
+    for (let index = 0; index < command.args.length; index += 1) {
+        const arg = command.args[index];
+        if (!arg || !arg.startsWith('-') || arg === '-') {
+            continue;
+        }
+        if (denied.has(arg) || (!options.allowFollow && arg.startsWith('--follow'))) {
+            return { ok: false, reason: `Streaming flags are not allowed for ${command.command}: ${arg}` };
+        }
+        if (arg === '-n' || arg === '-c' || arg === '--lines' || arg === '--bytes') {
+            index += 1;
+            continue;
+        }
+        if (arg.startsWith('-n') || arg.startsWith('-c') || arg.startsWith('--lines=') || arg.startsWith('--bytes=') || isNumericCountFlag(arg)) {
+            continue;
+        }
+        return { ok: false, reason: `Flag is not in the read-only allowlist for ${command.command}: ${arg}` };
+    }
+    return { ok: true };
+}
+function validateRipgrepCommand(command) {
+    const deniedPrefixes = [
+        '--hidden',
+        '--no-ignore',
+        '--unrestricted',
+        '--pre',
+        '--pre-glob',
+        '--files-with-matches',
+        '--files-without-match',
+    ];
+    const deniedExact = new Set(['-u', '-uu', '-uuu', '--debug']);
+    for (const arg of command.args) {
+        if (deniedExact.has(arg) || deniedPrefixes.some(prefix => arg === prefix || arg.startsWith(`${prefix}=`))) {
+            return { ok: false, reason: `Flag is not allowed for rg in read-only mode: ${arg}` };
+        }
+    }
+    return { ok: true };
+}
+function validateGrepCommand(command) {
+    const valueFlags = new Set(['-e', '--regexp', '-f', '--file', '-m', '--max-count', '-A', '-B', '-C', '--after-context', '--before-context', '--context']);
+    const allowedFlags = new Set([
+        '-n',
+        '--line-number',
+        '-H',
+        '--with-filename',
+        '-h',
+        '--no-filename',
+        '-i',
+        '--ignore-case',
+        '-I',
+        '-v',
+        '--invert-match',
+        '-w',
+        '--word-regexp',
+        '-x',
+        '--line-regexp',
+        '-F',
+        '--fixed-strings',
+        '-E',
+        '--extended-regexp',
+        '-G',
+        '--basic-regexp',
+        '-c',
+        '--count',
+        '-l',
+        '--files-with-matches',
+        '-L',
+        '--files-without-match',
+        '-o',
+        '--only-matching',
+        '-s',
+        '--no-messages',
+    ]);
+    const deniedFlags = new Set(['-r', '-R', '--recursive', '-d', '--directories', '-D', '--devices', '--exclude', '--exclude-from', '--include']);
+    return validateFlagsWithValues(command, { allowedFlags, valueFlags, deniedFlags });
+}
+function validateFindCommand(command) {
+    const denied = new Set([
+        '-exec',
+        '-execdir',
+        '-ok',
+        '-okdir',
+        '-delete',
+        '-fls',
+        '-fprint',
+        '-fprint0',
+        '-fprintf',
+        '-printf',
+    ]);
+    for (const arg of command.args) {
+        if (denied.has(arg)) {
+            return { ok: false, reason: `Flag is not allowed for find in read-only mode: ${arg}` };
+        }
+    }
+    return { ok: true };
+}
+function validatePsCommand(command) {
+    const allowedFlags = new Set(['-a', '-A', '-e', '-f', '-j', '-l', '-u', '-x', '-r', '-p', '-o', '-c', '-M', '-m', '-ww', '-w']);
+    const deniedFlags = new Set(['--sort']);
+    return validateFlagsWithValues(command, {
+        allowedFlags,
+        valueFlags: new Set(['-p', '-o', '-u', '-U', '-G', '-g', '-t']),
+        deniedFlags,
+    });
+}
+function validateDateCommand(command) {
+    for (let index = 0; index < command.args.length; index += 1) {
+        const arg = command.args[index];
+        if (!arg) {
+            continue;
+        }
+        if (arg === '-s' || arg === '--set' || arg.startsWith('--set=')) {
+            return { ok: false, reason: `Flag is not allowed for date in read-only mode: ${arg}` };
+        }
+        if (arg === '-r' || arg === '-j' || arg === '-u' || arg === '-R' || arg === '-I') {
+            continue;
+        }
+        if (arg === '-f') {
+            index += 2;
+            continue;
+        }
+        if (arg.startsWith('+')) {
+            continue;
+        }
+        return { ok: false, reason: `Argument is not in the read-only allowlist for date: ${arg}` };
+    }
+    return { ok: true };
+}
+function validateHostnameCommand(command) {
+    if (command.args.length === 0) {
+        return { ok: true };
+    }
+    const allowedFlags = new Set(['-f', '-s', '-d', '-i', '-I']);
+    for (const arg of command.args) {
+        if (!allowedFlags.has(arg)) {
+            return { ok: false, reason: `Flag is not in the read-only allowlist for hostname: ${arg}` };
+        }
+    }
+    return { ok: true };
+}
+function validateWhereCommand(command) {
+    const allowedFlags = new Set(['/q', '/t', '/f']);
+    const deniedFlags = new Set(['/r']);
+    for (const arg of command.args) {
+        const normalized = arg.toLowerCase();
+        if (deniedFlags.has(normalized)) {
+            return { ok: false, reason: `Flag is blocked in read-only mode for where: ${arg}` };
+        }
+        if (normalized.startsWith('/')) {
+            if (!allowedFlags.has(normalized)) {
+                return { ok: false, reason: `Flag is not in the read-only allowlist for where: ${arg}` };
+            }
+            continue;
+        }
+        if (!/^[A-Za-z0-9_.:-]+$/.test(arg)) {
+            return { ok: false, reason: `Argument is not in the read-only allowlist for where: ${arg}` };
+        }
+    }
+    return { ok: true };
+}
+function validateIfconfigCommand(command) {
+    if (command.args.length === 0) {
+        return { ok: true };
+    }
+    if (command.args.length === 1 && command.args[0] === '-a') {
+        return { ok: true };
+    }
+    if (command.args.length === 1 && /^[A-Za-z0-9_.:-]+$/.test(command.args[0] ?? '')) {
+        return { ok: true };
+    }
+    return { ok: false, reason: 'ifconfig read-only mode allows no arguments, -a, or one interface name only.' };
+}
+function validateIpCommand(command) {
+    const denied = new Set(['add', 'del', 'delete', 'replace', 'change', 'set', 'flush', 'save', 'restore', 'monitor']);
+    for (const arg of command.args) {
+        if (denied.has(arg)) {
+            return { ok: false, reason: `Argument is not in the read-only allowlist for ip: ${arg}` };
+        }
+    }
+    const allowedGlobalFlags = new Set(['-o', '-oneline', '-brief', '-br', '-4', '-6', '-j', '-json']);
+    const args = command.args.filter(arg => !allowedGlobalFlags.has(arg));
+    if (args.length === 0) {
+        return { ok: true };
+    }
+    const family = args[0];
+    if (!family || !['addr', 'address', 'link', 'route', 'neigh', 'neighbor'].includes(family)) {
+        return { ok: false, reason: `Argument is not in the read-only allowlist for ip: ${family ?? ''}` };
+    }
+    const action = args[1];
+    if (!action) {
+        return { ok: true };
+    }
+    if (!['show', 'list', 'ls', 'get'].includes(action)) {
+        return { ok: false, reason: `Argument is not in the read-only allowlist for ip: ${action}` };
+    }
+    const allowedQualifiers = new Set(['dev', 'to', 'from', 'scope', 'table', 'vrf']);
+    for (let index = 2; index < args.length; index += 1) {
+        const arg = args[index];
+        if (!arg) {
+            continue;
+        }
+        if (allowedQualifiers.has(arg)) {
+            index += 1;
+            continue;
+        }
+        if (/^[A-Za-z0-9_.:/%-]+$/.test(arg)) {
+            continue;
+        }
+        return { ok: false, reason: `Argument is not in the read-only allowlist for ip: ${arg}` };
+    }
+    return { ok: true };
+}
+function validateIpconfigCommand(command) {
+    if (command.args.length === 0) {
+        return { ok: true };
+    }
+    const allowed = new Set(['/all', '/displaydns', '/showclassid', '/?']);
+    const denied = new Set(['/release', '/release6', '/renew', '/renew6', '/flushdns', '/registerdns', '/setclassid']);
+    for (const arg of command.args) {
+        const normalized = arg.toLowerCase();
+        if (denied.has(normalized)) {
+            return { ok: false, reason: `Flag is blocked in read-only mode for ipconfig: ${arg}` };
+        }
+        if (!allowed.has(normalized) && !/^[A-Za-z0-9*_.:-]+$/.test(arg)) {
+            return { ok: false, reason: `Flag is not in the read-only allowlist for ipconfig: ${arg}` };
+        }
+    }
+    return { ok: true };
+}
+function validateGetmacCommand(command) {
+    const denied = new Set(['/s', '/u', '/p']);
+    const allowedNoValue = new Set(['/v', '/nh', '/?']);
+    const allowedValue = new Set(['/fo']);
+    for (let index = 0; index < command.args.length; index += 1) {
+        const arg = command.args[index];
+        if (!arg) {
+            continue;
+        }
+        const normalized = arg.toLowerCase();
+        if (denied.has(normalized)) {
+            return { ok: false, reason: `Flag is blocked in read-only mode for getmac: ${arg}` };
+        }
+        if (allowedValue.has(normalized)) {
+            const value = command.args[index + 1]?.toLowerCase();
+            if (!value || !['table', 'list', 'csv'].includes(value)) {
+                return { ok: false, reason: `Flag value is not in the read-only allowlist for getmac: ${arg}` };
+            }
+            index += 1;
+            continue;
+        }
+        if (!allowedNoValue.has(normalized)) {
+            return { ok: false, reason: `Flag is not in the read-only allowlist for getmac: ${arg}` };
+        }
+    }
+    return { ok: true };
+}
+function validateNetstatCommand(command) {
+    for (const arg of command.args) {
+        if (/^[-/][A-Za-z0-9]+$/.test(arg)) {
+            continue;
+        }
+        if (/^(tcp|udp|tcp4|udp4|tcp6|udp6)$/i.test(arg)) {
+            continue;
+        }
+        return { ok: false, reason: `Argument is not in the read-only allowlist for netstat: ${arg}` };
+    }
+    return { ok: true };
+}
+function validateSsCommand(command) {
+    const allowedLong = new Set(['--all', '--listening', '--tcp', '--udp', '--numeric', '--processes', '--resolve', '--summary', '--ipv4', '--ipv6']);
+    for (const arg of command.args) {
+        if (allowedLong.has(arg)) {
+            continue;
+        }
+        if (/^-[altunprs46]+$/.test(arg)) {
+            continue;
+        }
+        if (arg.startsWith('-')) {
+            return { ok: false, reason: `Flag is not in the read-only allowlist for ss: ${arg}` };
+        }
+        if (/^(state|sport|dport|src|dst|=|:|[0-9]+|LISTEN|ESTAB|TIME-WAIT)$/i.test(arg)) {
+            continue;
+        }
+        if (/^[:0-9A-Za-z_.%-]+$/.test(arg)) {
+            continue;
+        }
+        return { ok: false, reason: `Argument is not in the read-only allowlist for ss: ${arg}` };
+    }
+    return { ok: true };
+}
+function validateLsofCommand(command) {
+    const allowedNoValue = new Set(['-P', '-n', '-a']);
+    const allowedValue = new Set(['-i', '-p', '-u', '-s']);
+    for (let index = 0; index < command.args.length; index += 1) {
+        const arg = command.args[index];
+        if (!arg) {
+            continue;
+        }
+        if (allowedNoValue.has(arg) || arg.startsWith('-i') || arg.startsWith('-sTCP:')) {
+            continue;
+        }
+        if (allowedValue.has(arg)) {
+            const value = command.args[index + 1];
+            if (!value || !/^[A-Za-z0-9_.,:@%+-]+$/.test(value)) {
+                return { ok: false, reason: `Flag value is not in the read-only allowlist for lsof: ${arg}` };
+            }
+            index += 1;
+            continue;
+        }
+        if (/^:[0-9]+$/.test(arg)) {
+            continue;
+        }
+        return { ok: false, reason: `Argument is not in the read-only allowlist for lsof: ${arg}` };
+    }
+    return { ok: true };
+}
+function validateArpCommand(command) {
+    if (command.args.length === 0) {
+        return { ok: true };
+    }
+    const allowed = new Set(['-a', '-n', '-v', '/a']);
+    for (const arg of command.args) {
+        if (allowed.has(arg.toLowerCase())) {
+            continue;
+        }
+        if (arg.startsWith('-') || arg.startsWith('/')) {
+            return { ok: false, reason: `Flag is not in the read-only allowlist for arp: ${arg}` };
+        }
+        if (/^[0-9A-Fa-f:.%-]+$/.test(arg)) {
+            continue;
+        }
+        return { ok: false, reason: `Argument is not in the read-only allowlist for arp: ${arg}` };
+    }
+    return { ok: true };
+}
+function validateTarListCommand(command) {
+    let hasListMode = false;
+    let hasFileFlag = false;
+    const deniedLong = new Set([
+        '--extract',
+        '--get',
+        '--create',
+        '--append',
+        '--update',
+        '--delete',
+        '--to-command',
+        '--checkpoint-action',
+        '--remove-files',
+        '--overwrite',
+    ]);
+    for (let index = 0; index < command.args.length; index += 1) {
+        const arg = command.args[index];
+        if (!arg) {
+            continue;
+        }
+        if (deniedLong.has(arg) || Array.from(deniedLong).some(flag => arg.startsWith(`${flag}=`))) {
+            return { ok: false, reason: `Flag is not allowed for tar in read-only mode: ${arg}` };
+        }
+        if (arg === '-t' || arg === '--list' || (arg.startsWith('-') && arg.includes('t'))) {
+            hasListMode = true;
+        }
+        if (arg === '-f' || arg === '--file') {
+            hasFileFlag = true;
+            index += 1;
+            continue;
+        }
+        if (arg.startsWith('--file=')) {
+            hasFileFlag = true;
+            continue;
+        }
+        if (arg.startsWith('-')) {
+            if (/[xcduA]/.test(arg)) {
+                return { ok: false, reason: `Flag is not allowed for tar in read-only mode: ${arg}` };
+            }
+            continue;
+        }
+    }
+    if (!hasListMode) {
+        return { ok: false, reason: 'Only tar list mode is allowed in read-only mode.' };
+    }
+    if (!hasFileFlag && !command.args.some(arg => arg === '-tf' || arg === '-tvf' || arg === '-ztf' || arg === '-jtf' || arg === '-Jtf')) {
+        return { ok: false, reason: 'tar list mode must name an archive file with -f.' };
+    }
+    return { ok: true };
+}
+function validateGitCommand(command) {
+    const subcommand = command.args.find(arg => !arg.startsWith('-'));
+    const allowedSubcommands = new Set(['status', 'diff', 'log', 'show', 'branch', 'rev-parse', 'ls-files', 'grep', 'blame', 'describe', 'tag']);
+    if (!subcommand || !allowedSubcommands.has(subcommand)) {
+        return { ok: false, reason: `Only read-only git subcommands are allowed: ${Array.from(allowedSubcommands).join(', ')}.` };
+    }
+    const deniedPrefixes = ['--git-dir', '--work-tree', '--exec-path', '--output', '--ext-diff', '--upload-pack', '--receive-pack'];
+    const deniedExact = new Set(['--no-index', '--external-diff', '--quiet', '--paginate']);
+    for (const arg of command.args) {
+        if (deniedExact.has(arg) || deniedPrefixes.some(prefix => arg === prefix || arg.startsWith(`${prefix}=`))) {
+            return { ok: false, reason: `Flag is not allowed for git in read-only mode: ${arg}` };
+        }
+    }
+    return { ok: true };
+}
+function isNumericCountFlag(arg) {
+    return /^-\d+$/.test(arg);
+}
+async function validateCommandPathOperands(command, context) {
+    const operands = pathOperands(command);
+    for (const operand of operands) {
+        await resolveReadablePath(operand, context, { rejectSensitive: true });
+    }
+}
+function pathOperands(command) {
+    if ([
+        'pwd',
+        'git',
+        'ps',
+        'uname',
+        'date',
+        'whoami',
+        'id',
+        'which',
+        'where',
+        'hostname',
+        'uptime',
+        'ifconfig',
+        'ip',
+        'ipconfig',
+        'getmac',
+        'netstat',
+        'ss',
+        'lsof',
+        'arp',
+        'basename',
+        'dirname',
+    ].includes(command.command)) {
+        return [];
+    }
+    if (command.command === 'rg') {
+        const nonFlags = command.args.filter(arg => !arg.startsWith('-'));
+        if (command.args.includes('--files')) {
+            return nonFlags;
+        }
+        return nonFlags.slice(1);
+    }
+    if (command.command === 'grep') {
+        return grepPathOperands(command);
+    }
+    if (command.command === 'find') {
+        return findPathOperands(command);
+    }
+    if (command.command === 'tar') {
+        return tarPathOperands(command);
+    }
+    const skipValueFlagsByCommand = {
+        stat: new Set(['-f', '-c', '-t']),
+        du: new Set(['-d', '--max-depth']),
+        sort: new Set(['-k', '--key', '-t', '--field-separator']),
+        uniq: new Set(['-f', '-s', '-w']),
+        cut: new Set(['-b', '--bytes', '-c', '--characters', '-f', '--fields', '-d', '--delimiter', '--output-delimiter']),
+        nl: new Set(['-b', '-d', '-f', '-h', '-i', '-l', '-n', '-s', '-v', '-w']),
+        diff: new Set(['-U', '--unified', '-C', '--context', '-L', '--label', '-I', '--ignore-matching-lines', '-x', '--exclude']),
+        cmp: new Set(['-n', '-i']),
+        comm: new Set(['--output-delimiter']),
+        strings: new Set(['-n', '-t', '-e']),
+        hexdump: new Set(['-n', '-s']),
+        od: new Set(['-A', '-j', '-N', '-t', '-w']),
+        xxd: new Set(['-c', '-g', '-l', '-s']),
+    };
+    const skipValueFlags = skipValueFlagsByCommand[command.command];
+    const operands = [];
+    for (let index = 0; index < command.args.length; index += 1) {
+        const arg = command.args[index];
+        if (!arg) {
+            continue;
+        }
+        if (command.command === 'head' || command.command === 'tail') {
+            if (arg === '-n' || arg === '-c' || arg === '--lines' || arg === '--bytes') {
+                index += 1;
+                continue;
+            }
+        }
+        if (command.command === 'stat' && (arg === '-f' || arg === '-c' || arg === '-t')) {
+            index += 1;
+            continue;
+        }
+        if (command.command === 'du' && (arg === '-d' || arg === '--max-depth')) {
+            index += 1;
+            continue;
+        }
+        if (skipValueFlags?.has(arg)) {
+            index += 1;
+            continue;
+        }
+        if (arg.includes('=')) {
+            const [flagName] = arg.split('=', 1);
+            if (flagName && skipValueFlags?.has(flagName)) {
+                continue;
+            }
+        }
+        if (arg.startsWith('-') && arg !== '-') {
+            continue;
+        }
+        operands.push(arg);
+    }
+    return operands;
+}
+function grepPathOperands(command) {
+    const operands = [];
+    let patternConsumed = false;
+    for (let index = 0; index < command.args.length; index += 1) {
+        const arg = command.args[index];
+        if (!arg) {
+            continue;
+        }
+        if (arg === '-e' || arg === '--regexp' || arg === '-f' || arg === '--file' || arg === '-m' || arg === '--max-count' || arg === '-A' || arg === '-B' || arg === '-C' || arg === '--after-context' || arg === '--before-context' || arg === '--context') {
+            index += 1;
+            if (arg === '-e' || arg === '--regexp') {
+                patternConsumed = true;
+            }
+            continue;
+        }
+        if (arg.startsWith('-')) {
+            continue;
+        }
+        if (!patternConsumed) {
+            patternConsumed = true;
+            continue;
+        }
+        operands.push(arg);
+    }
+    return operands;
+}
+function findPathOperands(command) {
+    const operands = [];
+    for (const arg of command.args) {
+        if (arg.startsWith('-') || arg === '!' || arg === '(' || arg === ')') {
+            break;
+        }
+        operands.push(arg);
+    }
+    return operands.length > 0 ? operands : ['.'];
+}
+function tarPathOperands(command) {
+    const operands = [];
+    for (let index = 0; index < command.args.length; index += 1) {
+        const arg = command.args[index];
+        if (!arg) {
+            continue;
+        }
+        if (arg === '-f' || arg === '--file') {
+            const archive = command.args[index + 1];
+            if (archive) {
+                operands.push(archive);
+            }
+            index += 1;
+            continue;
+        }
+        if (arg.startsWith('--file=')) {
+            operands.push(arg.slice('--file='.length));
+            continue;
+        }
+        if (arg.startsWith('-') && arg.includes('f')) {
+            const archive = command.args[index + 1];
+            if (archive) {
+                operands.push(archive);
+            }
+            index += 1;
+            continue;
+        }
+        if (arg.startsWith('-')) {
+            continue;
+        }
+    }
+    return operands;
+}
+function stringifyCommand(command) {
+    return [command.command, ...command.args].join(' ');
+}
+function quoteCommandArg(arg) {
+    if (/^[A-Za-z0-9_./:@%+=,-]+$/.test(arg)) {
+        return arg;
+    }
+    return `'${arg.replaceAll("'", "'\\''")}'`;
+}
+async function spawnReadOnlyCommand(command, context, options) {
+    return await new Promise((resolvePromise, rejectPromise) => {
+        const child = spawn(command.command, command.args, {
+            cwd: context.cwd,
+            shell: false,
+            env: safeCommandEnv(),
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        let stdout = Buffer.alloc(0);
+        let stderr = Buffer.alloc(0);
+        let timedOut = false;
+        let truncated = false;
+        let settled = false;
+        const finish = (exitCode) => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timeout);
+            context.signal?.removeEventListener('abort', onAbort);
+            resolvePromise({
+                exitCode,
+                stdout: stdout.toString('utf8'),
+                stderr: stderr.toString('utf8'),
+                bytes: stdout.byteLength + stderr.byteLength,
+                timedOut,
+                truncated,
+            });
+        };
+        const kill = () => {
+            if (!child.killed) {
+                child.kill('SIGTERM');
+            }
+        };
+        const append = (stream, chunk) => {
+            const remaining = Math.max(0, options.maxBytes - stdout.byteLength - stderr.byteLength);
+            if (remaining <= 0) {
+                truncated = true;
+                kill();
+                return;
+            }
+            const next = chunk.byteLength > remaining ? chunk.subarray(0, remaining) : chunk;
+            if (stream === 'stdout') {
+                stdout = Buffer.concat([stdout, next]);
+            }
+            else {
+                stderr = Buffer.concat([stderr, next]);
+            }
+            if (next.byteLength < chunk.byteLength || stdout.byteLength + stderr.byteLength >= options.maxBytes) {
+                truncated = true;
+                kill();
+            }
+        };
+        const onAbort = () => {
+            kill();
+        };
+        const timeout = setTimeout(() => {
+            timedOut = true;
+            kill();
+        }, options.timeoutMs);
+        context.signal?.addEventListener('abort', onAbort, { once: true });
+        child.stdout?.on('data', chunk => append('stdout', Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk))));
+        child.stderr?.on('data', chunk => append('stderr', Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk))));
+        child.on('error', error => {
+            if (settled)
+                return;
+            settled = true;
+            clearTimeout(timeout);
+            context.signal?.removeEventListener('abort', onAbort);
+            if (isSpawnCommandNotFound(error)) {
+                const stderrText = commandNotFoundStderr(command.command);
+                resolvePromise({
+                    exitCode: 127,
+                    stdout: '',
+                    stderr: stderrText,
+                    bytes: Buffer.byteLength(stderrText, 'utf8'),
+                    timedOut: false,
+                    truncated: false,
+                });
+                return;
+            }
+            rejectPromise(error);
+        });
+        child.on('close', code => finish(code ?? -1));
+    });
+}
+function isSpawnCommandNotFound(error) {
+    return Boolean(error && typeof error === 'object' && 'code' in error && error.code === 'ENOENT');
+}
+function commandNotFoundStderr(command) {
+    return [
+        `Command not found: ${command}`,
+        'This is recoverable: try a platform-equivalent built-in command, or use execute_shell for an approved package-manager install when the user wants the missing tool installed.',
+        '',
+    ].join('\n');
+}
+async function spawnShellSegments(command, context, options) {
+    const segments = [];
+    let stdout = '';
+    let stderr = '';
+    let exitCode = 0;
+    let timedOut = false;
+    let truncated = false;
+    let bytes = 0;
+    let segmentContext = context;
+    for (let index = 0; index < command.segments.length; index += 1) {
+        const segment = command.segments[index];
+        if (!segment) {
+            continue;
+        }
+        const remainingBytes = Math.max(1, options.maxBytes - bytes);
+        const display = stringifyCommand(segment);
+        const result = segment.command === 'cd'
+            ? await executeCdSegment(segment, segmentContext)
+            : await spawnReadOnlyCommand(segment, segmentContext, { timeoutMs: options.timeoutMs, maxBytes: remainingBytes });
+        segments.push({
+            command: display,
+            exitCode: result.exitCode,
+            stdout: result.stdout,
+            stderr: result.stderr,
+            timedOut: result.timedOut,
+        });
+        stdout += result.stdout;
+        stderr += result.stderr;
+        bytes += result.bytes;
+        exitCode = result.exitCode;
+        timedOut = timedOut || result.timedOut;
+        truncated = truncated || result.truncated;
+        if (result.truncated || result.timedOut) {
+            break;
+        }
+        if (segment.command === 'cd' && result.exitCode === 0 && result.cwd) {
+            segmentContext = { ...segmentContext, cwd: result.cwd };
+        }
+        const nextOperator = command.operators[index];
+        if (nextOperator === '&&' && result.exitCode !== 0) {
+            break;
+        }
+    }
+    return {
+        exitCode,
+        stdout,
+        stderr,
+        bytes,
+        timedOut,
+        truncated,
+        segments,
+    };
+}
+async function executeCdSegment(command, context) {
+    const target = command.args[0] ?? homedir();
+    try {
+        const workdir = await resolveReadablePath(target, context, { requireDirectory: true, rejectSensitive: false });
+        return {
+            exitCode: 0,
+            stdout: '',
+            stderr: '',
+            bytes: 0,
+            timedOut: false,
+            truncated: false,
+            cwd: workdir.absolutePath,
+        };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        const stderr = `cd: ${message}\n`;
+        return {
+            exitCode: 1,
+            stdout: '',
+            stderr,
+            bytes: Buffer.byteLength(stderr, 'utf8'),
+            timedOut: false,
+            truncated: false,
+        };
+    }
+}
+function safeCommandEnv() {
+    return {
+        PATH: process.env['PATH'] ?? '/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
+        HOME: process.env['HOME'] ?? '',
+        LANG: process.env['LANG'] ?? 'C.UTF-8',
+        LC_ALL: process.env['LC_ALL'] ?? '',
+        TERM: process.env['TERM'] ?? 'dumb',
+        NO_COLOR: '1',
+        GIT_CONFIG_NOSYSTEM: '1',
+    };
+}
+function outputLimitFor(toolName, context) {
+    const toolLimit = toolName === 'read_file' || toolName === 'search_text' || toolName === 'run_command' || toolName === 'execute_shell'
+        ? 128 * 1024
+        : toolName === 'list_files' || toolName === 'glob'
+            ? 64 * 1024
+            : toolName === 'edit_file' || toolName === 'write_file' || toolName === 'create_directory' || toolName === 'delete_file'
+                ? 16 * 1024
+                : 16 * 1024;
+    return clampPositiveInteger(Math.min(toolLimit, context.maxOutputBytes), 1, toolLimit);
+}
+async function resolveReadablePath(inputPath, context, options = {}) {
+    if (inputPath.trim().length === 0) {
+        throw toolError('INVALID_INPUT', 'Path must not be empty.');
+    }
+    const absolutePath = isAbsolute(inputPath) ? resolve(inputPath) : resolve(context.cwd, inputPath);
+    const realTarget = await realpath(absolutePath).catch(() => {
+        throw toolError('PATH_NOT_FOUND', `Path does not exist: ${inputPath}`);
+    });
+    const allowedRoots = await Promise.all((context.allowedReadRoots?.length ? context.allowedReadRoots : [context.cwd]).map(root => safeRealRoot(root)));
+    if (!allowedRoots.some(root => isPathInside(realTarget, root))) {
+        throw toolError('PATH_OUTSIDE_ALLOWED_ROOTS', `Path is outside allowed read roots: ${inputPath}`);
+    }
+    if (options.rejectSensitive && isSensitivePath(realTarget)) {
+        throw toolError('SENSITIVE_FILE_DENIED', `Refusing to read sensitive file: ${displayPath(realTarget, context.cwd)}`);
+    }
+    const stats = await stat(realTarget);
+    if (options.requireFile && !stats.isFile()) {
+        throw toolError('NOT_A_FILE', `Path is not a file: ${inputPath}`);
+    }
+    if (options.requireDirectory && !stats.isDirectory()) {
+        throw toolError('NOT_A_DIRECTORY', `Path is not a directory: ${inputPath}`);
+    }
+    return { absolutePath: realTarget, displayPath: displayPath(realTarget, await safeRealRoot(context.cwd)) };
+}
+async function resolveWritablePath(inputPath, context) {
+    if (inputPath.trim().length === 0) {
+        throw toolError('INVALID_INPUT', 'Path must not be empty.');
+    }
+    const absolutePath = isAbsolute(inputPath) ? resolve(inputPath) : resolve(context.cwd, inputPath);
+    const normalizedPath = await normalizeWritablePath(absolutePath);
+    if (isSensitivePath(normalizedPath)) {
+        throw toolError('SENSITIVE_FILE_DENIED', `Refusing to write sensitive path: ${displayPath(normalizedPath, context.cwd)}`);
+    }
+    const allowedRoots = await Promise.all((context.allowedWriteRoots?.length ? context.allowedWriteRoots : [context.cwd]).map(root => safeRealRoot(root)));
+    if (!allowedRoots.some(root => isPathInside(normalizedPath, root))) {
+        throw toolError('PATH_OUTSIDE_ALLOWED_ROOTS', `Path is outside allowed write roots: ${inputPath}`);
+    }
+    return { absolutePath: normalizedPath, displayPath: displayPath(normalizedPath, await safeRealRoot(context.cwd)) };
+}
+async function safeRealRoot(root) {
+    return realpath(root).catch(() => resolve(root));
+}
+async function normalizeWritablePath(absolutePath) {
+    const pending = [];
+    let current = absolutePath;
+    while (true) {
+        try {
+            return join(await realpath(current), ...pending.reverse());
+        }
+        catch {
+            const parent = dirname(current);
+            if (parent === current) {
+                return absolutePath;
+            }
+            pending.push(basename(current));
+            current = parent;
+        }
+    }
+}
+async function pathExists(path) {
+    return stat(path).then(() => true, () => false);
+}
+function isPathInside(target, root) {
+    const rel = relative(root, target);
+    return rel === '' || (!rel.startsWith('..') && !isAbsolute(rel));
+}
+function displayPath(absolutePath, cwd) {
+    const rel = relative(cwd, absolutePath);
+    if (rel === '') {
+        return '.';
+    }
+    if (!rel.startsWith('..') && !isAbsolute(rel)) {
+        return rel.split(sep).join('/');
+    }
+    return absolutePath;
+}
+function isSensitivePath(absolutePath) {
+    const normalized = absolutePath.split(sep).join('/');
+    const name = basename(absolutePath);
+    const lowerName = name.toLowerCase();
+    if (normalized.endsWith('/.agent/config.local.json')) {
+        return true;
+    }
+    return (lowerName === '.env' ||
+        lowerName.startsWith('.env.') ||
+        lowerName === '.npmrc' ||
+        lowerName === '.pypirc' ||
+        lowerName === '.netrc' ||
+        lowerName === 'id_rsa' ||
+        lowerName === 'id_dsa' ||
+        lowerName === 'id_ecdsa' ||
+        lowerName === 'id_ed25519' ||
+        lowerName.endsWith('.pem') ||
+        lowerName.endsWith('.key') ||
+        lowerName.endsWith('.p12') ||
+        lowerName.endsWith('.pfx') ||
+        lowerName.includes('token') ||
+        lowerName.includes('secret'));
+}
+async function collectDirectoryEntries(root, context, options) {
+    const items = [];
+    let truncated = false;
+    const visit = async (dir) => {
+        if (items.length >= options.maxEntries) {
+            truncated = true;
+            return;
+        }
+        const entries = await readdir(dir, { withFileTypes: true });
+        for (const entry of entries.sort((left, right) => left.name.localeCompare(right.name))) {
+            if (items.length >= options.maxEntries) {
+                truncated = true;
+                return;
+            }
+            if (!options.includeHidden && entry.name.startsWith('.')) {
+                continue;
+            }
+            const absolutePath = join(dir, entry.name);
+            if (isSensitivePath(absolutePath)) {
+                continue;
+            }
+            const type = entry.isDirectory() ? 'directory' : entry.isFile() ? 'file' : entry.isSymbolicLink() ? 'symlink' : 'other';
+            const sizeBytes = type === 'file' ? await fileSizeBytes(absolutePath) : undefined;
+            items.push({ absolutePath, type, ...(sizeBytes !== undefined ? { sizeBytes } : {}) });
+            if (options.recursive && entry.isDirectory() && !isSkippedDirectory(entry.name)) {
+                await visit(absolutePath);
+            }
+        }
+    };
+    await visit(root);
+    return { items, truncated };
+}
+async function fileSizeBytes(path) {
+    try {
+        return (await stat(path)).size;
+    }
+    catch {
+        return undefined;
+    }
+}
+async function collectFiles(root, context, options) {
+    const stats = await stat(root);
+    if (stats.isFile()) {
+        return { items: [{ absolutePath: root }], truncated: false };
+    }
+    const entries = await collectDirectoryEntries(root, context, { recursive: true, includeHidden: options.includeHidden, maxEntries: options.maxEntries });
+    return {
+        items: entries.items.filter(item => item.type === 'file').map(item => ({ absolutePath: item.absolutePath })),
+        truncated: entries.truncated,
+    };
+}
+function isSkippedDirectory(name) {
+    return name === 'node_modules' || name === '.git' || name === 'dist' || name === '.agent';
+}
+function sliceLineRange(content, startLine, endLine) {
+    if (startLine === undefined && endLine === undefined) {
+        return content;
+    }
+    const lines = content.split(/\r?\n/);
+    const startIndex = Math.max(0, (startLine ?? 1) - 1);
+    const endIndex = endLine === undefined ? lines.length : Math.max(startIndex, endLine);
+    return lines.slice(startIndex, endIndex).join('\n');
+}
+function truncateStringBytes(text, maxBytes, mode) {
+    const bytes = Buffer.from(text, 'utf8');
+    if (bytes.byteLength <= maxBytes) {
+        return { text, truncated: false };
+    }
+    if (mode === 'head') {
+        return { text: bytes.subarray(0, maxBytes).toString('utf8'), truncated: true };
+    }
+    if (mode === 'middle') {
+        const left = Math.max(0, Math.floor((maxBytes - 20) / 2));
+        const right = Math.max(0, maxBytes - 20 - left);
+        return {
+            text: `${bytes.subarray(0, left).toString('utf8')}\n... truncated ...\n${bytes.subarray(bytes.byteLength - right).toString('utf8')}`,
+            truncated: true,
+        };
+    }
+    return { text: bytes.subarray(bytes.byteLength - maxBytes).toString('utf8'), truncated: true };
+}
+function createTextMatcher(query, options) {
+    if (options.isRegex) {
+        let regex;
+        try {
+            regex = new RegExp(query, options.caseSensitive ? '' : 'i');
+        }
+        catch {
+            throw toolError('INVALID_REGEX', `Invalid regular expression: ${query}`);
+        }
+        return line => {
+            const match = regex.exec(line);
+            return match ? { column: match.index + 1, text: line } : undefined;
+        };
+    }
+    const needle = options.caseSensitive ? query : query.toLowerCase();
+    return line => {
+        const haystack = options.caseSensitive ? line : line.toLowerCase();
+        const index = haystack.indexOf(needle);
+        return index >= 0 ? { column: index + 1, text: line } : undefined;
+    };
+}
+function createGlobMatcher(pattern) {
+    const regex = new RegExp(`^${globToRegex(pattern)}$`);
+    return path => regex.test(path);
+}
+function globToRegex(pattern) {
+    let output = '';
+    for (let index = 0; index < pattern.length; index += 1) {
+        const char = pattern[index];
+        const next = pattern[index + 1];
+        if (char === '*' && next === '*') {
+            output += '.*';
+            index += 1;
+        }
+        else if (char === '*') {
+            output += '[^/]*';
+        }
+        else if (char === '?') {
+            output += '[^/]';
+        }
+        else {
+            output += escapeRegex(char ?? '');
+        }
+    }
+    return output;
+}
+function escapeRegex(value) {
+    return value.replace(/[|\\{}()[\]^$+?.]/g, '\\$&');
+}
+function normalizeTodoItems(value) {
+    if (!Array.isArray(value)) {
+        throw toolError('INVALID_INPUT', 'items must be an array.');
+    }
+    if (value.length === 0) {
+        throw toolError('INVALID_INPUT', 'items must include at least one plan item.');
+    }
+    if (value.length > 30) {
+        throw toolError('INVALID_INPUT', 'items must include at most 30 plan items.');
+    }
+    return value.map((item, index) => normalizeTodoItem(item, index));
+}
+function normalizeTodoItem(value, index) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        throw toolError('INVALID_INPUT', `items[${index}] must be an object.`);
+    }
+    const record = value;
+    const content = record['content'];
+    const status = record['status'];
+    const id = record['id'];
+    if (typeof content !== 'string' || content.trim().length === 0) {
+        throw toolError('INVALID_INPUT', `items[${index}].content must be a non-empty string.`);
+    }
+    if (status !== 'pending' && status !== 'in_progress' && status !== 'completed') {
+        throw toolError('INVALID_INPUT', `items[${index}].status must be pending, in_progress, or completed.`);
+    }
+    if (id !== undefined && (typeof id !== 'string' || id.trim().length === 0)) {
+        throw toolError('INVALID_INPUT', `items[${index}].id must be a non-empty string when provided.`);
+    }
+    return {
+        ...(typeof id === 'string' ? { id: id.trim() } : {}),
+        content: content.trim(),
+        status,
+    };
+}
+function requiredString(input, key) {
+    const value = input[key];
+    if (typeof value !== 'string') {
+        throw toolError('INVALID_INPUT', `${key} must be a string.`);
+    }
+    return value;
+}
+function optionalString(input, key) {
+    const value = input[key];
+    if (value === undefined)
+        return undefined;
+    if (typeof value !== 'string') {
+        throw toolError('INVALID_INPUT', `${key} must be a string.`);
+    }
+    return value;
+}
+function optionalBoolean(input, key) {
+    const value = input[key];
+    if (value === undefined)
+        return undefined;
+    if (typeof value !== 'boolean') {
+        throw toolError('INVALID_INPUT', `${key} must be a boolean.`);
+    }
+    return value;
+}
+function optionalPositiveInteger(input, key) {
+    const value = input[key];
+    if (value === undefined)
+        return undefined;
+    if (typeof value !== 'number' || !Number.isSafeInteger(value) || value <= 0) {
+        throw toolError('INVALID_INPUT', `${key} must be a positive integer.`);
+    }
+    return value;
+}
+function clampPositiveInteger(value, min, max) {
+    return Math.max(min, Math.min(max, Math.floor(value)));
+}
+function toolError(code, message) {
+    const error = new Error(message);
+    error.code = code;
+    return error;
+}
+function normalizeToolError(error) {
+    if (error && typeof error === 'object' && 'code' in error && typeof error.code === 'string') {
+        return {
+            code: error.code,
+            message: error instanceof Error ? error.message : String(error.code),
+        };
+    }
+    const message = error instanceof Error ? error.message : String(error);
+    if (isCommandPolicyDenial(message)) {
+        return {
+            code: 'COMMAND_DENIED',
+            message,
+        };
+    }
+    return {
+        code: 'TOOL_EXECUTION_FAILED',
+        message,
+    };
+}