@within-7/minto 0.3.9 → 0.4.0

package/dist/messages.js

@@ -1,39 +1,63 @@
-let getMessages = () => [];
-let setMessages = () => {
-};
+class MessageBus {
+  messagesGetter = () => [];
+  messagesSetter = () => {
+  };
+  modelConfigChangeHandler = null;
+  languageChangeHandler = null;
+  registerMessagesGetter(getter) {
+    this.messagesGetter = getter;
+  }
+  getMessagesGetter() {
+    return this.messagesGetter;
+  }
+  registerMessagesSetter(setter) {
+    this.messagesSetter = setter;
+  }
+  getMessagesSetter() {
+    return this.messagesSetter;
+  }
+  setModelConfigChangeHandler(handler) {
+    this.modelConfigChangeHandler = handler;
+  }
+  triggerModelConfigChange() {
+    this.modelConfigChangeHandler?.();
+  }
+  setLanguageChangeHandler(handler) {
+    this.languageChangeHandler = handler;
+  }
+  async triggerLanguageChange() {
+    await this.languageChangeHandler?.();
+  }
+}
+const messageBus = new MessageBus();
 function setMessagesGetter(getter) {
-  getMessages = getter;
+  messageBus.registerMessagesGetter(getter);
 }
 function getMessagesGetter() {
-  return getMessages;
+  return messageBus.getMessagesGetter();
 }
 function setMessagesSetter(setter) {
-  setMessages = setter;
+  messageBus.registerMessagesSetter(setter);
 }
 function getMessagesSetter() {
-  return setMessages;
+  return messageBus.getMessagesSetter();
 }
-let onModelConfigChange = null;
 function setModelConfigChangeHandler(handler) {
-  onModelConfigChange = handler;
+  messageBus.setModelConfigChangeHandler(handler);
 }
 function triggerModelConfigChange() {
-  if (onModelConfigChange) {
-    onModelConfigChange();
-  }
+  messageBus.triggerModelConfigChange();
 }
-let onLanguageChange = null;
 function setLanguageChangeHandler(handler) {
-  onLanguageChange = handler;
+  messageBus.setLanguageChangeHandler(handler);
 }
 async function triggerLanguageChange() {
-  if (onLanguageChange) {
-    await onLanguageChange();
-  }
+  await messageBus.triggerLanguageChange();
 }
 export {
   getMessagesGetter,
   getMessagesSetter,
+  messageBus,
   setLanguageChangeHandler,
   setMessagesGetter,
   setMessagesSetter,

package/dist/messages.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../src/messages.ts"],
-  "sourcesContent": ["import React from 'react'\nimport type { Message } from './query'\n\nlet getMessages: () => Message[] = () => []\nlet setMessages: React.Dispatch<React.SetStateAction<Message[]>> = () => {}\n\nexport function setMessagesGetter(getter: () => Message[]) {\n  getMessages = getter\n}\n\nexport function getMessagesGetter(): () => Message[] {\n  return getMessages\n}\n\nexport function setMessagesSetter(\n  setter: React.Dispatch<React.SetStateAction<Message[]>>,\n) {\n  setMessages = setter\n}\n\nexport function getMessagesSetter(): React.Dispatch<\n  React.SetStateAction<Message[]>\n> {\n  return setMessages\n}\n\n// Global UI refresh mechanism for model configuration changes\nlet onModelConfigChange: (() => void) | null = null\n\nexport function setModelConfigChangeHandler(handler: () => void) {\n  onModelConfigChange = handler\n}\n\nexport function triggerModelConfigChange() {\n  if (onModelConfigChange) {\n    onModelConfigChange()\n  }\n}\n\n// Global UI refresh mechanism for language changes\n// Similar to model config change, but preserves conversation history\nlet onLanguageChange: (() => Promise<void>) | null = null\n\nexport function setLanguageChangeHandler(handler: () => Promise<void>) {\n  onLanguageChange = handler\n}\n\nexport async function triggerLanguageChange() {\n  if (onLanguageChange) {\n    await onLanguageChange()\n  }\n}\n"],
-  "mappings": "AAGA,IAAI,cAA+B,MAAM,CAAC;AAC1C,IAAI,cAA+D,MAAM;AAAC;AAEnE,SAAS,kBAAkB,QAAyB;AACzD,gBAAc;AAChB;AAEO,SAAS,oBAAqC;AACnD,SAAO;AACT;AAEO,SAAS,kBACd,QACA;AACA,gBAAc;AAChB;AAEO,SAAS,oBAEd;AACA,SAAO;AACT;AAGA,IAAI,sBAA2C;AAExC,SAAS,4BAA4B,SAAqB;AAC/D,wBAAsB;AACxB;AAEO,SAAS,2BAA2B;AACzC,MAAI,qBAAqB;AACvB,wBAAoB;AAAA,EACtB;AACF;AAIA,IAAI,mBAAiD;AAE9C,SAAS,yBAAyB,SAA8B;AACrE,qBAAmB;AACrB;AAEA,eAAsB,wBAAwB;AAC5C,MAAI,kBAAkB;AACpB,UAAM,iBAAiB;AAAA,EACzB;AACF;",
+  "sourcesContent": ["import React from 'react'\nimport type { Message } from './query'\n\n/**\n * MessageBus \u2014 encapsulates global message state and UI refresh handlers.\n *\n * Replaces loose module-level variables with a single owning object.\n * Provides getter/setter registration for React state binding,\n * plus event-style hooks for model config and language changes.\n */\nclass MessageBus {\n  private messagesGetter: () => Message[] = () => []\n  private messagesSetter: React.Dispatch<React.SetStateAction<Message[]>> =\n    () => {}\n  private modelConfigChangeHandler: (() => void) | null = null\n  private languageChangeHandler: (() => Promise<void>) | null = null\n\n  registerMessagesGetter(getter: () => Message[]): void {\n    this.messagesGetter = getter\n  }\n\n  getMessagesGetter(): () => Message[] {\n    return this.messagesGetter\n  }\n\n  registerMessagesSetter(\n    setter: React.Dispatch<React.SetStateAction<Message[]>>,\n  ): void {\n    this.messagesSetter = setter\n  }\n\n  getMessagesSetter(): React.Dispatch<React.SetStateAction<Message[]>> {\n    return this.messagesSetter\n  }\n\n  setModelConfigChangeHandler(handler: () => void): void {\n    this.modelConfigChangeHandler = handler\n  }\n\n  triggerModelConfigChange(): void {\n    this.modelConfigChangeHandler?.()\n  }\n\n  setLanguageChangeHandler(handler: () => Promise<void>): void {\n    this.languageChangeHandler = handler\n  }\n\n  async triggerLanguageChange(): Promise<void> {\n    await this.languageChangeHandler?.()\n  }\n}\n\nexport const messageBus = new MessageBus()\n\n// Backward-compatible function exports (thin wrappers)\nexport function setMessagesGetter(getter: () => Message[]) {\n  messageBus.registerMessagesGetter(getter)\n}\n\nexport function getMessagesGetter(): () => Message[] {\n  return messageBus.getMessagesGetter()\n}\n\nexport function setMessagesSetter(\n  setter: React.Dispatch<React.SetStateAction<Message[]>>,\n) {\n  messageBus.registerMessagesSetter(setter)\n}\n\nexport function getMessagesSetter(): React.Dispatch<\n  React.SetStateAction<Message[]>\n> {\n  return messageBus.getMessagesSetter()\n}\n\nexport function setModelConfigChangeHandler(handler: () => void) {\n  messageBus.setModelConfigChangeHandler(handler)\n}\n\nexport function triggerModelConfigChange() {\n  messageBus.triggerModelConfigChange()\n}\n\nexport function setLanguageChangeHandler(handler: () => Promise<void>) {\n  messageBus.setLanguageChangeHandler(handler)\n}\n\nexport async function triggerLanguageChange() {\n  await messageBus.triggerLanguageChange()\n}\n"],
+  "mappings": "AAUA,MAAM,WAAW;AAAA,EACP,iBAAkC,MAAM,CAAC;AAAA,EACzC,iBACN,MAAM;AAAA,EAAC;AAAA,EACD,2BAAgD;AAAA,EAChD,wBAAsD;AAAA,EAE9D,uBAAuB,QAA+B;AACpD,SAAK,iBAAiB;AAAA,EACxB;AAAA,EAEA,oBAAqC;AACnC,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,uBACE,QACM;AACN,SAAK,iBAAiB;AAAA,EACxB;AAAA,EAEA,oBAAqE;AACnE,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,4BAA4B,SAA2B;AACrD,SAAK,2BAA2B;AAAA,EAClC;AAAA,EAEA,2BAAiC;AAC/B,SAAK,2BAA2B;AAAA,EAClC;AAAA,EAEA,yBAAyB,SAAoC;AAC3D,SAAK,wBAAwB;AAAA,EAC/B;AAAA,EAEA,MAAM,wBAAuC;AAC3C,UAAM,KAAK,wBAAwB;AAAA,EACrC;AACF;AAEO,MAAM,aAAa,IAAI,WAAW;AAGlC,SAAS,kBAAkB,QAAyB;AACzD,aAAW,uBAAuB,MAAM;AAC1C;AAEO,SAAS,oBAAqC;AACnD,SAAO,WAAW,kBAAkB;AACtC;AAEO,SAAS,kBACd,QACA;AACA,aAAW,uBAAuB,MAAM;AAC1C;AAEO,SAAS,oBAEd;AACA,SAAO,WAAW,kBAAkB;AACtC;AAEO,SAAS,4BAA4B,SAAqB;AAC/D,aAAW,4BAA4B,OAAO;AAChD;AAEO,SAAS,2BAA2B;AACzC,aAAW,yBAAyB;AACtC;AAEO,SAAS,yBAAyB,SAA8B;AACrE,aAAW,yBAAyB,OAAO;AAC7C;AAEA,eAAsB,wBAAwB;AAC5C,QAAM,WAAW,sBAAsB;AACzC;",
   "names": []
 }

package/dist/permissions.js

@@ -15,7 +15,11 @@ import { PRODUCT_NAME } from "./constants/product.js";
 import {
   getToolRiskLevel
 } from "./utils/toolRiskClassification.js";
-import { resolve, relative, isAbsolute } from "path";
+import { resolve, relative, isAbsolute, join } from "path";
+import { getHookManager } from "./utils/hookManager.js";
+import { existsSync, readFileSync } from "fs";
+import { homedir } from "os";
+import { CONFIG_BASE_DIR } from "./constants/product.js";
 const SAFE_COMMANDS = /* @__PURE__ */ new Set([
   "git status",
   "git diff",
@@ -241,7 +245,70 @@ function shouldAllowByRiskLevel(safetyMode, riskLevel, toolName, input) {
       return false;
   }
 }
+let settingsPermissionsCache = null;
+function loadSettingsPermissions() {
+  if (settingsPermissionsCache) return settingsPermissionsCache;
+  const deny = [];
+  const allow = [];
+  const cwd = getCwd();
+  const home = homedir();
+  const settingsFiles = [
+    join(home, ".claude", "settings.json"),
+    join(home, CONFIG_BASE_DIR, "settings.json"),
+    join(cwd, ".claude", "settings.json"),
+    join(cwd, CONFIG_BASE_DIR, "settings.json")
+  ];
+  for (const file of settingsFiles) {
+    if (!existsSync(file)) continue;
+    try {
+      const content = JSON.parse(readFileSync(file, "utf-8"));
+      if (content?.permissions?.deny && Array.isArray(content.permissions.deny)) {
+        deny.push(...content.permissions.deny);
+      }
+      if (content?.permissions?.allow && Array.isArray(content.permissions.allow)) {
+        allow.push(...content.permissions.allow);
+      }
+    } catch {
+    }
+  }
+  settingsPermissionsCache = { deny, allow };
+  return settingsPermissionsCache;
+}
+function matchesPermissionPattern(toolName, input, patterns) {
+  for (const pattern of patterns) {
+    if (pattern === toolName) return true;
+    if (toolName === "Bash" && pattern.startsWith("Bash(") && input?.command) {
+      const cmdPattern = pattern.slice(5, -1);
+      const command = String(input.command);
+      if (cmdPattern.endsWith(":*")) {
+        const prefix = cmdPattern.slice(0, -2);
+        if (command.startsWith(prefix)) return true;
+      } else if (command === cmdPattern) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
 const hasPermissionsToUseTool = async (tool, input, context, _assistantMessage) => {
+  const settingsPerms = loadSettingsPermissions();
+  if (matchesPermissionPattern(
+    tool.name,
+    input,
+    settingsPerms.deny
+  )) {
+    return {
+      result: false,
+      message: `Tool "${tool.name}" is denied by settings configuration.`
+    };
+  }
+  if (matchesPermissionPattern(
+    tool.name,
+    input,
+    settingsPerms.allow
+  )) {
+    return { result: true };
+  }
   const safetyMode = getEffectiveSafetyMode(context.options);
   const riskLevel = getToolRiskLevel(
     tool.name,
@@ -295,6 +362,13 @@ const hasPermissionsToUseTool = async (tool, input, context, _assistantMessage)
       if (allowedTools.includes(permissionKey)) {
         return { result: true };
       }
+      const hookDecision = await firePermissionRequestHook(
+        tool.name,
+        input
+      );
+      if (hookDecision === "approve") {
+        return { result: true };
+      }
       return {
         result: false,
         message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`
@@ -302,6 +376,25 @@ const hasPermissionsToUseTool = async (tool, input, context, _assistantMessage)
     }
   }
 };
+async function firePermissionRequestHook(toolName, toolInput) {
+  try {
+    const hookMgr = getHookManager();
+    if (!hookMgr) return "ask";
+    const result = await hookMgr.executePermissionRequest(
+      toolName,
+      toolInput,
+      "other"
+    );
+    if (!result.shouldContinue && !result.shouldAskUser) {
+      return "block";
+    }
+    if (result.shouldContinue && !result.shouldAskUser) {
+      if (result.reason) return "approve";
+    }
+  } catch {
+  }
+  return "ask";
+}
 async function savePermission(tool, input, prefix) {
   const key = getPermissionKey(tool, input, prefix);
   if (tool === FileEditTool || tool === FileWriteTool || tool === NotebookEditTool) {

package/dist/permissions.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../src/permissions.ts"],
-  "sourcesContent": ["import type { CanUseToolFn } from './hooks/useCanUseTool'\nimport { Tool, ToolUseContext } from './Tool'\nimport { BashTool, inputSchema } from './tools/BashTool/BashTool'\nimport { FileEditTool } from './tools/FileEditTool/FileEditTool'\nimport { FileWriteTool } from './tools/FileWriteTool/FileWriteTool'\nimport { NotebookEditTool } from './tools/NotebookEditTool/NotebookEditTool'\nimport { getCommandSubcommandPrefix, splitCommand } from './utils/commands'\nimport {\n  getCurrentProjectConfig,\n  saveCurrentProjectConfig,\n  type SafetyMode,\n} from '@utils/config'\nimport { AbortError } from './utils/errors'\nimport { logError } from './utils/log'\nimport { grantWritePermissionForOriginalDir } from './utils/permissions/filesystem'\nimport { getCwd } from './utils/state'\nimport { PRODUCT_NAME } from './constants/product'\nimport {\n  getToolRiskLevel,\n  type RiskLevel,\n} from './utils/toolRiskClassification'\nimport { resolve, relative, isAbsolute } from 'path'\n\n// Commands that are known to be safe for execution\nconst SAFE_COMMANDS = new Set([\n  'git status',\n  'git diff',\n  'git log',\n  'git branch',\n  'pwd',\n  'tree',\n  'date',\n  'which',\n])\n\nexport const bashToolCommandHasExactMatchPermission = (\n  tool: Tool,\n  command: string,\n  allowedTools: string[],\n): boolean => {\n  if (SAFE_COMMANDS.has(command)) {\n    return true\n  }\n  // Check exact match first\n  if (allowedTools.includes(getPermissionKey(tool, { command }, null))) {\n    return true\n  }\n  // Check if command is an exact match with an approved prefix\n  if (allowedTools.includes(getPermissionKey(tool, { command }, command))) {\n    return true\n  }\n  return false\n}\n\nexport const bashToolCommandHasPermission = (\n  tool: Tool,\n  command: string,\n  prefix: string | null,\n  allowedTools: string[],\n): boolean => {\n  // Check exact match first\n  if (bashToolCommandHasExactMatchPermission(tool, command, allowedTools)) {\n    return true\n  }\n  return allowedTools.includes(getPermissionKey(tool, { command }, prefix))\n}\n\nexport const bashToolHasPermission = async (\n  tool: Tool,\n  command: string,\n  context: ToolUseContext,\n  allowedTools: string[],\n  getCommandSubcommandPrefixFn = getCommandSubcommandPrefix,\n): Promise<PermissionResult> => {\n  if (bashToolCommandHasExactMatchPermission(tool, command, allowedTools)) {\n    // This is an exact match for a command that is allowed, so we can skip the prefix check\n    return { result: true }\n  }\n\n  const subCommands = splitCommand(command).filter(_ => {\n    // Denim likes to add this, we strip it out so we don't need to prompt the user each time\n    if (_ === `cd ${getCwd()}`) {\n      return false\n    }\n    return true\n  })\n  const commandSubcommandPrefix = await getCommandSubcommandPrefixFn(\n    command,\n    context.abortController.signal,\n  )\n  if (context.abortController.signal.aborted) {\n    throw new AbortError()\n  }\n\n  if (commandSubcommandPrefix === null) {\n    // Fail closed and ask for user approval if the command prefix query failed (e.g. due to network error)\n    // This is NOT the same as `fullCommandPrefix.commandPrefix === null`, which means no prefix was detected\n    return {\n      result: false,\n      message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n    }\n  }\n\n  if (commandSubcommandPrefix.commandInjectionDetected) {\n    // Only allow exact matches for potential command injections\n    if (bashToolCommandHasExactMatchPermission(tool, command, allowedTools)) {\n      return { result: true }\n    } else {\n      return {\n        result: false,\n        message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n      }\n    }\n  }\n\n  // After the commandInjectionDetected check above, TypeScript still sees the union type.\n  // We know commandInjectionDetected is false here, so commandPrefix exists.\n  // Use 'in' check for proper type narrowing\n  const commandPrefix =\n    'commandPrefix' in commandSubcommandPrefix\n      ? commandSubcommandPrefix.commandPrefix\n      : null\n\n  // If there is only one command, no need to process subCommands\n  if (subCommands.length < 2) {\n    if (\n      bashToolCommandHasPermission(tool, command, commandPrefix, allowedTools)\n    ) {\n      return { result: true }\n    } else {\n      return {\n        result: false,\n        message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n      }\n    }\n  }\n  if (\n    subCommands.every(subCommand => {\n      const prefixResult =\n        commandSubcommandPrefix.subcommandPrefixes.get(subCommand)\n      if (prefixResult === undefined || prefixResult.commandInjectionDetected) {\n        // If prefix result is missing or command injection is detected, always ask for permission\n        return false\n      }\n      // After the check above, we know commandInjectionDetected is false\n      // Use 'in' check for proper type narrowing\n      const subCommandPrefix =\n        'commandPrefix' in prefixResult ? prefixResult.commandPrefix : null\n      const hasPermission = bashToolCommandHasPermission(\n        tool,\n        subCommand,\n        subCommandPrefix,\n        allowedTools,\n      )\n      return hasPermission\n    })\n  ) {\n    return { result: true }\n  }\n  return {\n    result: false,\n    message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n  }\n}\n\ntype PermissionResult = { result: true } | { result: false; message: string }\n\n/**\n * Get effective safety mode from context options\n * Handles backward compatibility with legacy safeMode boolean\n */\nfunction getEffectiveSafetyMode(options: {\n  safeMode?: boolean\n  safetyMode?: SafetyMode\n}): SafetyMode {\n  // New safetyMode takes precedence\n  if (options.safetyMode) {\n    return options.safetyMode\n  }\n  // Backward compatibility: convert legacy safeMode boolean\n  // safeMode: true \u2192 'strict' (old behavior)\n  // safeMode: false \u2192 'yolo' (permissive)\n  if (options.safeMode === true) {\n    return 'strict'\n  }\n  // Default to 'yolo' for non-technical users (zero interruption)\n  return 'yolo'\n}\n\n/**\n * Check if a path is within the project directory\n * Used by Free mode to allow operations within project boundaries\n */\nfunction isPathWithinProject(targetPath: string, projectDir: string): boolean {\n  // Resolve to absolute path\n  const absolutePath = isAbsolute(targetPath)\n    ? resolve(targetPath)\n    : resolve(projectDir, targetPath)\n\n  // Get relative path from project directory\n  const relativePath = relative(projectDir, absolutePath)\n\n  // Path is within project if:\n  // 1. It doesn't start with '..' (not escaping project)\n  // 2. It's not an absolute path (after relative calculation)\n  return !relativePath.startsWith('..') && !isAbsolute(relativePath)\n}\n\n/**\n * System critical paths that should NEVER be auto-allowed, even in Free mode\n * These paths require explicit user confirmation regardless of safety mode\n */\nconst SYSTEM_CRITICAL_PATHS = [\n  '/etc',\n  '/bin',\n  '/sbin',\n  '/usr/bin',\n  '/usr/sbin',\n  '/var',\n  '/System',\n  '/Library',\n  '/Applications',\n  '/private',\n  'C:\\\\Windows',\n  'C:\\\\Program Files',\n  'C:\\\\Program Files (x86)',\n]\n\n/**\n * Check if a path is a system critical path\n */\nfunction isSystemCriticalPath(targetPath: string): boolean {\n  const normalizedPath = resolve(targetPath).toLowerCase()\n  return SYSTEM_CRITICAL_PATHS.some(criticalPath =>\n    normalizedPath.startsWith(criticalPath.toLowerCase()),\n  )\n}\n\n/**\n * Extract paths from tool input for boundary checking in Free mode\n */\nfunction extractPathsFromToolInput(\n  toolName: string,\n  input: { [k: string]: unknown },\n): string[] {\n  const paths: string[] = []\n\n  // File tools\n  if (toolName === 'Read' || toolName === 'Write' || toolName === 'Edit') {\n    if (typeof input.file_path === 'string') {\n      paths.push(input.file_path)\n    }\n  }\n\n  // Glob/Grep tools\n  if (toolName === 'Glob' || toolName === 'Grep') {\n    if (typeof input.path === 'string') {\n      paths.push(input.path)\n    }\n  }\n\n  // LS tool\n  if (toolName === 'LS') {\n    if (typeof input.path === 'string') {\n      paths.push(input.path)\n    }\n  }\n\n  // NotebookEdit\n  if (toolName === 'NotebookEdit') {\n    if (typeof input.notebook_path === 'string') {\n      paths.push(input.notebook_path)\n    }\n  }\n\n  return paths\n}\n\n/**\n * Extract paths from a Bash command for boundary checking\n * This is a simplified extraction - complex commands may need manual review\n */\nfunction extractPathsFromBashCommand(command: string): string[] {\n  const paths: string[] = []\n\n  // Extract quoted paths\n  const quotedMatches = command.matchAll(/[\"']([^\"']+)[\"']/g)\n  for (const match of quotedMatches) {\n    if (match[1] && (match[1].includes('/') || match[1].startsWith('.'))) {\n      paths.push(match[1])\n    }\n  }\n\n  // Extract unquoted paths (starting with ./ or / or ../)\n  const unquotedMatches = command.matchAll(\n    /(?:^|\\s)((?:\\.\\/|\\/|\\.\\.\\/)[^\\s;&|>]+)/g,\n  )\n  for (const match of unquotedMatches) {\n    if (match[1]) {\n      paths.push(match[1])\n    }\n  }\n\n  // Extract redirect targets\n  const redirectMatches = command.matchAll(/>\\s*[\"']?([^\\s\"';&|]+)[\"']?/g)\n  for (const match of redirectMatches) {\n    if (match[1] && !match[1].startsWith('&')) {\n      paths.push(match[1])\n    }\n  }\n\n  return [...new Set(paths)] // Deduplicate\n}\n\n/**\n * Check if all paths in an operation are within the project directory\n * Used by Free mode for path-based permission decisions\n */\nfunction areAllPathsWithinProject(\n  toolName: string,\n  input: { [k: string]: unknown },\n  projectDir: string,\n): { withinProject: boolean; outsidePaths: string[] } {\n  let paths: string[] = []\n\n  // For Bash tool, extract paths from command\n  if (toolName === 'Bash' && typeof input.command === 'string') {\n    paths = extractPathsFromBashCommand(input.command)\n  } else {\n    paths = extractPathsFromToolInput(toolName, input)\n  }\n\n  // If no paths detected, allow by default (e.g., pwd, date, etc.)\n  if (paths.length === 0) {\n    return { withinProject: true, outsidePaths: [] }\n  }\n\n  const outsidePaths: string[] = []\n  for (const path of paths) {\n    // Check system critical paths first\n    if (isSystemCriticalPath(path)) {\n      outsidePaths.push(path)\n      continue\n    }\n\n    // Check if path is within project\n    if (!isPathWithinProject(path, projectDir)) {\n      outsidePaths.push(path)\n    }\n  }\n\n  return {\n    withinProject: outsidePaths.length === 0,\n    outsidePaths,\n  }\n}\n\n/**\n * Check if a tool should be allowed based on safety mode and risk level\n *\n * Safety Mode Matrix:\n * | Mode   | Safe Tools | Monitored Tools | Dangerous Tools |\n * |--------|------------|-----------------|-----------------|\n * | yolo   | \u2713 allow    | \u2713 allow         | \u2713 allow         |\n * | smart  | \u2713 allow    | \u2713 allow         | \u26A0 ask           |\n * | strict | \u2713 allow    | \u26A0 ask           | \u26A0 ask           |\n * | free   | Path-based: within project = allow, outside = ask |\n */\nfunction shouldAllowByRiskLevel(\n  safetyMode: SafetyMode,\n  riskLevel: RiskLevel,\n  toolName?: string,\n  input?: { [k: string]: unknown },\n): boolean {\n  switch (safetyMode) {\n    case 'yolo':\n      // YOLO mode: allow everything\n      return true\n    case 'smart':\n      // Smart mode: allow safe and monitored, ask for dangerous\n      return riskLevel === 'safe' || riskLevel === 'monitored'\n    case 'strict':\n      // Strict mode: only allow safe tools\n      return riskLevel === 'safe'\n    case 'free':\n      // Free mode: path-based decision\n      // Safe tools (read-only) are always allowed\n      if (riskLevel === 'safe') {\n        return true\n      }\n      // For tools with side effects, check path boundaries\n      if (toolName && input) {\n        const projectDir = getCwd()\n        const { withinProject } = areAllPathsWithinProject(\n          toolName,\n          input,\n          projectDir,\n        )\n        return withinProject\n      }\n      // If we can't determine paths, ask for confirmation\n      return false\n  }\n}\n\nexport const hasPermissionsToUseTool: CanUseToolFn = async (\n  tool,\n  input,\n  context,\n  _assistantMessage,\n): Promise<PermissionResult> => {\n  const safetyMode = getEffectiveSafetyMode(context.options)\n\n  // Get risk level for this tool (with command-specific classification for Bash)\n  const riskLevel = getToolRiskLevel(\n    tool.name,\n    input as { command?: string } | undefined,\n  )\n\n  // Check if this tool should be auto-allowed based on safety mode and risk level\n  // For Free mode, we also pass tool name and input for path-based decisions\n  if (\n    shouldAllowByRiskLevel(\n      safetyMode,\n      riskLevel,\n      tool.name,\n      input as { [k: string]: unknown },\n    )\n  ) {\n    return { result: true }\n  }\n\n  if (context.abortController.signal.aborted) {\n    throw new AbortError()\n  }\n\n  // Check if the tool needs permissions\n  try {\n    if (!tool.needsPermissions(input as never)) {\n      return { result: true }\n    }\n  } catch (e) {\n    logError(`Error checking permissions: ${e}`)\n    return { result: false, message: 'Error checking permissions' }\n  }\n\n  const projectConfig = getCurrentProjectConfig()\n  const allowedTools = projectConfig.allowedTools ?? []\n  // Special case for BashTool to allow blanket commands without exposing them in the UI\n  if (tool === BashTool && allowedTools.includes(BashTool.name)) {\n    return { result: true }\n  }\n\n  // TODO: Move this into tool definitions (done for read tools!)\n  switch (tool) {\n    // For bash tool, check each sub-command's permissions separately\n    case BashTool: {\n      // The types have already been validated by the tool,\n      // so we can safely parse the input (as opposed to safeParse).\n      const { command } = inputSchema.parse(input)\n      return await bashToolHasPermission(tool, command, context, allowedTools)\n    }\n    // For file editing tools, check session-only permissions\n    case FileEditTool:\n    case FileWriteTool:\n    case NotebookEditTool: {\n      // The types have already been validated by the tool,\n      // so we can safely pass this in\n      if (!tool.needsPermissions(input)) {\n        return { result: true }\n      }\n      return {\n        result: false,\n        message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n      }\n    }\n    // For other tools, check persistent permissions\n    default: {\n      const permissionKey = getPermissionKey(tool, input, null)\n      if (allowedTools.includes(permissionKey)) {\n        return { result: true }\n      }\n\n      return {\n        result: false,\n        message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n      }\n    }\n  }\n}\n\nexport async function savePermission(\n  tool: Tool,\n  input: { [k: string]: unknown },\n  prefix: string | null,\n): Promise<void> {\n  const key = getPermissionKey(tool, input, prefix)\n\n  // For file editing tools, store write permissions only in memory\n  if (\n    tool === FileEditTool ||\n    tool === FileWriteTool ||\n    tool === NotebookEditTool\n  ) {\n    grantWritePermissionForOriginalDir()\n    return\n  }\n\n  // For other tools, store permissions on disk\n  const projectConfig = getCurrentProjectConfig()\n  if (projectConfig.allowedTools.includes(key)) {\n    return\n  }\n\n  projectConfig.allowedTools.push(key)\n  projectConfig.allowedTools.sort()\n\n  saveCurrentProjectConfig(projectConfig)\n}\n\nfunction getPermissionKey(\n  tool: Tool,\n  input: { [k: string]: unknown },\n  prefix: string | null,\n): string {\n  switch (tool) {\n    case BashTool:\n      if (prefix) {\n        return `${BashTool.name}(${prefix}:*)`\n      }\n      return `${BashTool.name}(${BashTool.renderToolUseMessage(input as never)})`\n    default:\n      return tool.name\n  }\n}\n"],
-  "mappings": "AAEA,SAAS,UAAU,mBAAmB;AACtC,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB;AAC9B,SAAS,wBAAwB;AACjC,SAAS,4BAA4B,oBAAoB;AACzD;AAAA,EACE;AAAA,EACA;AAAA,OAEK;AACP,SAAS,kBAAkB;AAC3B,SAAS,gBAAgB;AACzB,SAAS,0CAA0C;AACnD,SAAS,cAAc;AACvB,SAAS,oBAAoB;AAC7B;AAAA,EACE;AAAA,OAEK;AACP,SAAS,SAAS,UAAU,kBAAkB;AAG9C,MAAM,gBAAgB,oBAAI,IAAI;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,MAAM,yCAAyC,CACpD,MACA,SACA,iBACY;AACZ,MAAI,cAAc,IAAI,OAAO,GAAG;AAC9B,WAAO;AAAA,EACT;AAEA,MAAI,aAAa,SAAS,iBAAiB,MAAM,EAAE,QAAQ,GAAG,IAAI,CAAC,GAAG;AACpE,WAAO;AAAA,EACT;AAEA,MAAI,aAAa,SAAS,iBAAiB,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,GAAG;AACvE,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEO,MAAM,+BAA+B,CAC1C,MACA,SACA,QACA,iBACY;AAEZ,MAAI,uCAAuC,MAAM,SAAS,YAAY,GAAG;AACvE,WAAO;AAAA,EACT;AACA,SAAO,aAAa,SAAS,iBAAiB,MAAM,EAAE,QAAQ,GAAG,MAAM,CAAC;AAC1E;AAEO,MAAM,wBAAwB,OACnC,MACA,SACA,SACA,cACA,+BAA+B,+BACD;AAC9B,MAAI,uCAAuC,MAAM,SAAS,YAAY,GAAG;AAEvE,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAEA,QAAM,cAAc,aAAa,OAAO,EAAE,OAAO,OAAK;AAEpD,QAAI,MAAM,MAAM,OAAO,CAAC,IAAI;AAC1B,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,CAAC;AACD,QAAM,0BAA0B,MAAM;AAAA,IACpC;AAAA,IACA,QAAQ,gBAAgB;AAAA,EAC1B;AACA,MAAI,QAAQ,gBAAgB,OAAO,SAAS;AAC1C,UAAM,IAAI,WAAW;AAAA,EACvB;AAEA,MAAI,4BAA4B,MAAM;AAGpC,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,IACpE;AAAA,EACF;AAEA,MAAI,wBAAwB,0BAA0B;AAEpD,QAAI,uCAAuC,MAAM,SAAS,YAAY,GAAG;AACvE,aAAO,EAAE,QAAQ,KAAK;AAAA,IACxB,OAAO;AACL,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,MACpE;AAAA,IACF;AAAA,EACF;AAKA,QAAM,gBACJ,mBAAmB,0BACf,wBAAwB,gBACxB;AAGN,MAAI,YAAY,SAAS,GAAG;AAC1B,QACE,6BAA6B,MAAM,SAAS,eAAe,YAAY,GACvE;AACA,aAAO,EAAE,QAAQ,KAAK;AAAA,IACxB,OAAO;AACL,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,MACpE;AAAA,IACF;AAAA,EACF;AACA,MACE,YAAY,MAAM,gBAAc;AAC9B,UAAM,eACJ,wBAAwB,mBAAmB,IAAI,UAAU;AAC3D,QAAI,iBAAiB,UAAa,aAAa,0BAA0B;AAEvE,aAAO;AAAA,IACT;AAGA,UAAM,mBACJ,mBAAmB,eAAe,aAAa,gBAAgB;AACjE,UAAM,gBAAgB;AAAA,MACpB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,WAAO;AAAA,EACT,CAAC,GACD;AACA,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,EACpE;AACF;AAQA,SAAS,uBAAuB,SAGjB;AAEb,MAAI,QAAQ,YAAY;AACtB,WAAO,QAAQ;AAAA,EACjB;AAIA,MAAI,QAAQ,aAAa,MAAM;AAC7B,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAMA,SAAS,oBAAoB,YAAoB,YAA6B;AAE5E,QAAM,eAAe,WAAW,UAAU,IACtC,QAAQ,UAAU,IAClB,QAAQ,YAAY,UAAU;AAGlC,QAAM,eAAe,SAAS,YAAY,YAAY;AAKtD,SAAO,CAAC,aAAa,WAAW,IAAI,KAAK,CAAC,WAAW,YAAY;AACnE;AAMA,MAAM,wBAAwB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKA,SAAS,qBAAqB,YAA6B;AACzD,QAAM,iBAAiB,QAAQ,UAAU,EAAE,YAAY;AACvD,SAAO,sBAAsB;AAAA,IAAK,kBAChC,eAAe,WAAW,aAAa,YAAY,CAAC;AAAA,EACtD;AACF;AAKA,SAAS,0BACP,UACA,OACU;AACV,QAAM,QAAkB,CAAC;AAGzB,MAAI,aAAa,UAAU,aAAa,WAAW,aAAa,QAAQ;AACtE,QAAI,OAAO,MAAM,cAAc,UAAU;AACvC,YAAM,KAAK,MAAM,SAAS;AAAA,IAC5B;AAAA,EACF;AAGA,MAAI,aAAa,UAAU,aAAa,QAAQ;AAC9C,QAAI,OAAO,MAAM,SAAS,UAAU;AAClC,YAAM,KAAK,MAAM,IAAI;AAAA,IACvB;AAAA,EACF;AAGA,MAAI,aAAa,MAAM;AACrB,QAAI,OAAO,MAAM,SAAS,UAAU;AAClC,YAAM,KAAK,MAAM,IAAI;AAAA,IACvB;AAAA,EACF;AAGA,MAAI,aAAa,gBAAgB;AAC/B,QAAI,OAAO,MAAM,kBAAkB,UAAU;AAC3C,YAAM,KAAK,MAAM,aAAa;AAAA,IAChC;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,4BAA4B,SAA2B;AAC9D,QAAM,QAAkB,CAAC;AAGzB,QAAM,gBAAgB,QAAQ,SAAS,mBAAmB;AAC1D,aAAW,SAAS,eAAe;AACjC,QAAI,MAAM,CAAC,MAAM,MAAM,CAAC,EAAE,SAAS,GAAG,KAAK,MAAM,CAAC,EAAE,WAAW,GAAG,IAAI;AACpE,YAAM,KAAK,MAAM,CAAC,CAAC;AAAA,IACrB;AAAA,EACF;AAGA,QAAM,kBAAkB,QAAQ;AAAA,IAC9B;AAAA,EACF;AACA,aAAW,SAAS,iBAAiB;AACnC,QAAI,MAAM,CAAC,GAAG;AACZ,YAAM,KAAK,MAAM,CAAC,CAAC;AAAA,IACrB;AAAA,EACF;AAGA,QAAM,kBAAkB,QAAQ,SAAS,8BAA8B;AACvE,aAAW,SAAS,iBAAiB;AACnC,QAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,WAAW,GAAG,GAAG;AACzC,YAAM,KAAK,MAAM,CAAC,CAAC;AAAA,IACrB;AAAA,EACF;AAEA,SAAO,CAAC,GAAG,IAAI,IAAI,KAAK,CAAC;AAC3B;AAMA,SAAS,yBACP,UACA,OACA,YACoD;AACpD,MAAI,QAAkB,CAAC;AAGvB,MAAI,aAAa,UAAU,OAAO,MAAM,YAAY,UAAU;AAC5D,YAAQ,4BAA4B,MAAM,OAAO;AAAA,EACnD,OAAO;AACL,YAAQ,0BAA0B,UAAU,KAAK;AAAA,EACnD;AAGA,MAAI,MAAM,WAAW,GAAG;AACtB,WAAO,EAAE,eAAe,MAAM,cAAc,CAAC,EAAE;AAAA,EACjD;AAEA,QAAM,eAAyB,CAAC;AAChC,aAAW,QAAQ,OAAO;AAExB,QAAI,qBAAqB,IAAI,GAAG;AAC9B,mBAAa,KAAK,IAAI;AACtB;AAAA,IACF;AAGA,QAAI,CAAC,oBAAoB,MAAM,UAAU,GAAG;AAC1C,mBAAa,KAAK,IAAI;AAAA,IACxB;AAAA,EACF;AAEA,SAAO;AAAA,IACL,eAAe,aAAa,WAAW;AAAA,IACvC;AAAA,EACF;AACF;AAaA,SAAS,uBACP,YACA,WACA,UACA,OACS;AACT,UAAQ,YAAY;AAAA,IAClB,KAAK;AAEH,aAAO;AAAA,IACT,KAAK;AAEH,aAAO,cAAc,UAAU,cAAc;AAAA,IAC/C,KAAK;AAEH,aAAO,cAAc;AAAA,IACvB,KAAK;AAGH,UAAI,cAAc,QAAQ;AACxB,eAAO;AAAA,MACT;AAEA,UAAI,YAAY,OAAO;AACrB,cAAM,aAAa,OAAO;AAC1B,cAAM,EAAE,cAAc,IAAI;AAAA,UACxB;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,EACX;AACF;AAEO,MAAM,0BAAwC,OACnD,MACA,OACA,SACA,sBAC8B;AAC9B,QAAM,aAAa,uBAAuB,QAAQ,OAAO;AAGzD,QAAM,YAAY;AAAA,IAChB,KAAK;AAAA,IACL;AAAA,EACF;AAIA,MACE;AAAA,IACE;AAAA,IACA;AAAA,IACA,KAAK;AAAA,IACL;AAAA,EACF,GACA;AACA,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAEA,MAAI,QAAQ,gBAAgB,OAAO,SAAS;AAC1C,UAAM,IAAI,WAAW;AAAA,EACvB;AAGA,MAAI;AACF,QAAI,CAAC,KAAK,iBAAiB,KAAc,GAAG;AAC1C,aAAO,EAAE,QAAQ,KAAK;AAAA,IACxB;AAAA,EACF,SAAS,GAAG;AACV,aAAS,+BAA+B,CAAC,EAAE;AAC3C,WAAO,EAAE,QAAQ,OAAO,SAAS,6BAA6B;AAAA,EAChE;AAEA,QAAM,gBAAgB,wBAAwB;AAC9C,QAAM,eAAe,cAAc,gBAAgB,CAAC;AAEpD,MAAI,SAAS,YAAY,aAAa,SAAS,SAAS,IAAI,GAAG;AAC7D,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAGA,UAAQ,MAAM;AAAA;AAAA,IAEZ,KAAK,UAAU;AAGb,YAAM,EAAE,QAAQ,IAAI,YAAY,MAAM,KAAK;AAC3C,aAAO,MAAM,sBAAsB,MAAM,SAAS,SAAS,YAAY;AAAA,IACzE;AAAA;AAAA,IAEA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,kBAAkB;AAGrB,UAAI,CAAC,KAAK,iBAAiB,KAAK,GAAG;AACjC,eAAO,EAAE,QAAQ,KAAK;AAAA,MACxB;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,MACpE;AAAA,IACF;AAAA;AAAA,IAEA,SAAS;AACP,YAAM,gBAAgB,iBAAiB,MAAM,OAAO,IAAI;AACxD,UAAI,aAAa,SAAS,aAAa,GAAG;AACxC,eAAO,EAAE,QAAQ,KAAK;AAAA,MACxB;AAEA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,MACpE;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAsB,eACpB,MACA,OACA,QACe;AACf,QAAM,MAAM,iBAAiB,MAAM,OAAO,MAAM;AAGhD,MACE,SAAS,gBACT,SAAS,iBACT,SAAS,kBACT;AACA,uCAAmC;AACnC;AAAA,EACF;AAGA,QAAM,gBAAgB,wBAAwB;AAC9C,MAAI,cAAc,aAAa,SAAS,GAAG,GAAG;AAC5C;AAAA,EACF;AAEA,gBAAc,aAAa,KAAK,GAAG;AACnC,gBAAc,aAAa,KAAK;AAEhC,2BAAyB,aAAa;AACxC;AAEA,SAAS,iBACP,MACA,OACA,QACQ;AACR,UAAQ,MAAM;AAAA,IACZ,KAAK;AACH,UAAI,QAAQ;AACV,eAAO,GAAG,SAAS,IAAI,IAAI,MAAM;AAAA,MACnC;AACA,aAAO,GAAG,SAAS,IAAI,IAAI,SAAS,qBAAqB,KAAc,CAAC;AAAA,IAC1E;AACE,aAAO,KAAK;AAAA,EAChB;AACF;",
+  "sourcesContent": ["import type { CanUseToolFn } from './hooks/useCanUseTool'\nimport { Tool, ToolUseContext } from './Tool'\nimport { BashTool, inputSchema } from './tools/BashTool/BashTool'\nimport { FileEditTool } from './tools/FileEditTool/FileEditTool'\nimport { FileWriteTool } from './tools/FileWriteTool/FileWriteTool'\nimport { NotebookEditTool } from './tools/NotebookEditTool/NotebookEditTool'\nimport { getCommandSubcommandPrefix, splitCommand } from './utils/commands'\nimport {\n  getCurrentProjectConfig,\n  saveCurrentProjectConfig,\n  type SafetyMode,\n} from '@utils/config'\nimport { AbortError } from './utils/errors'\nimport { logError } from './utils/log'\nimport { grantWritePermissionForOriginalDir } from './utils/permissions/filesystem'\nimport { getCwd } from './utils/state'\nimport { PRODUCT_NAME } from './constants/product'\nimport {\n  getToolRiskLevel,\n  type RiskLevel,\n} from './utils/toolRiskClassification'\nimport { resolve, relative, isAbsolute, join } from 'path'\nimport { getHookManager } from './utils/hookManager'\nimport { existsSync, readFileSync } from 'fs'\nimport { homedir } from 'os'\nimport { CONFIG_BASE_DIR } from './constants/product'\n\n// Commands that are known to be safe for execution\nconst SAFE_COMMANDS = new Set([\n  'git status',\n  'git diff',\n  'git log',\n  'git branch',\n  'pwd',\n  'tree',\n  'date',\n  'which',\n])\n\nexport const bashToolCommandHasExactMatchPermission = (\n  tool: Tool,\n  command: string,\n  allowedTools: string[],\n): boolean => {\n  if (SAFE_COMMANDS.has(command)) {\n    return true\n  }\n  // Check exact match first\n  if (allowedTools.includes(getPermissionKey(tool, { command }, null))) {\n    return true\n  }\n  // Check if command is an exact match with an approved prefix\n  if (allowedTools.includes(getPermissionKey(tool, { command }, command))) {\n    return true\n  }\n  return false\n}\n\nexport const bashToolCommandHasPermission = (\n  tool: Tool,\n  command: string,\n  prefix: string | null,\n  allowedTools: string[],\n): boolean => {\n  // Check exact match first\n  if (bashToolCommandHasExactMatchPermission(tool, command, allowedTools)) {\n    return true\n  }\n  return allowedTools.includes(getPermissionKey(tool, { command }, prefix))\n}\n\nexport const bashToolHasPermission = async (\n  tool: Tool,\n  command: string,\n  context: ToolUseContext,\n  allowedTools: string[],\n  getCommandSubcommandPrefixFn = getCommandSubcommandPrefix,\n): Promise<PermissionResult> => {\n  if (bashToolCommandHasExactMatchPermission(tool, command, allowedTools)) {\n    // This is an exact match for a command that is allowed, so we can skip the prefix check\n    return { result: true }\n  }\n\n  const subCommands = splitCommand(command).filter(_ => {\n    // Denim likes to add this, we strip it out so we don't need to prompt the user each time\n    if (_ === `cd ${getCwd()}`) {\n      return false\n    }\n    return true\n  })\n  const commandSubcommandPrefix = await getCommandSubcommandPrefixFn(\n    command,\n    context.abortController.signal,\n  )\n  if (context.abortController.signal.aborted) {\n    throw new AbortError()\n  }\n\n  if (commandSubcommandPrefix === null) {\n    // Fail closed and ask for user approval if the command prefix query failed (e.g. due to network error)\n    // This is NOT the same as `fullCommandPrefix.commandPrefix === null`, which means no prefix was detected\n    return {\n      result: false,\n      message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n    }\n  }\n\n  if (commandSubcommandPrefix.commandInjectionDetected) {\n    // Only allow exact matches for potential command injections\n    if (bashToolCommandHasExactMatchPermission(tool, command, allowedTools)) {\n      return { result: true }\n    } else {\n      return {\n        result: false,\n        message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n      }\n    }\n  }\n\n  // After the commandInjectionDetected check above, TypeScript still sees the union type.\n  // We know commandInjectionDetected is false here, so commandPrefix exists.\n  // Use 'in' check for proper type narrowing\n  const commandPrefix =\n    'commandPrefix' in commandSubcommandPrefix\n      ? commandSubcommandPrefix.commandPrefix\n      : null\n\n  // If there is only one command, no need to process subCommands\n  if (subCommands.length < 2) {\n    if (\n      bashToolCommandHasPermission(tool, command, commandPrefix, allowedTools)\n    ) {\n      return { result: true }\n    } else {\n      return {\n        result: false,\n        message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n      }\n    }\n  }\n  if (\n    subCommands.every(subCommand => {\n      const prefixResult =\n        commandSubcommandPrefix.subcommandPrefixes.get(subCommand)\n      if (prefixResult === undefined || prefixResult.commandInjectionDetected) {\n        // If prefix result is missing or command injection is detected, always ask for permission\n        return false\n      }\n      // After the check above, we know commandInjectionDetected is false\n      // Use 'in' check for proper type narrowing\n      const subCommandPrefix =\n        'commandPrefix' in prefixResult ? prefixResult.commandPrefix : null\n      const hasPermission = bashToolCommandHasPermission(\n        tool,\n        subCommand,\n        subCommandPrefix,\n        allowedTools,\n      )\n      return hasPermission\n    })\n  ) {\n    return { result: true }\n  }\n  return {\n    result: false,\n    message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n  }\n}\n\ntype PermissionResult = { result: true } | { result: false; message: string }\n\n/**\n * Get effective safety mode from context options\n * Handles backward compatibility with legacy safeMode boolean\n */\nfunction getEffectiveSafetyMode(options: {\n  safeMode?: boolean\n  safetyMode?: SafetyMode\n}): SafetyMode {\n  // New safetyMode takes precedence\n  if (options.safetyMode) {\n    return options.safetyMode\n  }\n  // Backward compatibility: convert legacy safeMode boolean\n  // safeMode: true \u2192 'strict' (old behavior)\n  // safeMode: false \u2192 'yolo' (permissive)\n  if (options.safeMode === true) {\n    return 'strict'\n  }\n  // Default to 'yolo' for non-technical users (zero interruption)\n  return 'yolo'\n}\n\n/**\n * Check if a path is within the project directory\n * Used by Free mode to allow operations within project boundaries\n */\nfunction isPathWithinProject(targetPath: string, projectDir: string): boolean {\n  // Resolve to absolute path\n  const absolutePath = isAbsolute(targetPath)\n    ? resolve(targetPath)\n    : resolve(projectDir, targetPath)\n\n  // Get relative path from project directory\n  const relativePath = relative(projectDir, absolutePath)\n\n  // Path is within project if:\n  // 1. It doesn't start with '..' (not escaping project)\n  // 2. It's not an absolute path (after relative calculation)\n  return !relativePath.startsWith('..') && !isAbsolute(relativePath)\n}\n\n/**\n * System critical paths that should NEVER be auto-allowed, even in Free mode\n * These paths require explicit user confirmation regardless of safety mode\n */\nconst SYSTEM_CRITICAL_PATHS = [\n  '/etc',\n  '/bin',\n  '/sbin',\n  '/usr/bin',\n  '/usr/sbin',\n  '/var',\n  '/System',\n  '/Library',\n  '/Applications',\n  '/private',\n  'C:\\\\Windows',\n  'C:\\\\Program Files',\n  'C:\\\\Program Files (x86)',\n]\n\n/**\n * Check if a path is a system critical path\n */\nfunction isSystemCriticalPath(targetPath: string): boolean {\n  const normalizedPath = resolve(targetPath).toLowerCase()\n  return SYSTEM_CRITICAL_PATHS.some(criticalPath =>\n    normalizedPath.startsWith(criticalPath.toLowerCase()),\n  )\n}\n\n/**\n * Extract paths from tool input for boundary checking in Free mode\n */\nfunction extractPathsFromToolInput(\n  toolName: string,\n  input: { [k: string]: unknown },\n): string[] {\n  const paths: string[] = []\n\n  // File tools\n  if (toolName === 'Read' || toolName === 'Write' || toolName === 'Edit') {\n    if (typeof input.file_path === 'string') {\n      paths.push(input.file_path)\n    }\n  }\n\n  // Glob/Grep tools\n  if (toolName === 'Glob' || toolName === 'Grep') {\n    if (typeof input.path === 'string') {\n      paths.push(input.path)\n    }\n  }\n\n  // LS tool\n  if (toolName === 'LS') {\n    if (typeof input.path === 'string') {\n      paths.push(input.path)\n    }\n  }\n\n  // NotebookEdit\n  if (toolName === 'NotebookEdit') {\n    if (typeof input.notebook_path === 'string') {\n      paths.push(input.notebook_path)\n    }\n  }\n\n  return paths\n}\n\n/**\n * Extract paths from a Bash command for boundary checking\n * This is a simplified extraction - complex commands may need manual review\n */\nfunction extractPathsFromBashCommand(command: string): string[] {\n  const paths: string[] = []\n\n  // Extract quoted paths\n  const quotedMatches = command.matchAll(/[\"']([^\"']+)[\"']/g)\n  for (const match of quotedMatches) {\n    if (match[1] && (match[1].includes('/') || match[1].startsWith('.'))) {\n      paths.push(match[1])\n    }\n  }\n\n  // Extract unquoted paths (starting with ./ or / or ../)\n  const unquotedMatches = command.matchAll(\n    /(?:^|\\s)((?:\\.\\/|\\/|\\.\\.\\/)[^\\s;&|>]+)/g,\n  )\n  for (const match of unquotedMatches) {\n    if (match[1]) {\n      paths.push(match[1])\n    }\n  }\n\n  // Extract redirect targets\n  const redirectMatches = command.matchAll(/>\\s*[\"']?([^\\s\"';&|]+)[\"']?/g)\n  for (const match of redirectMatches) {\n    if (match[1] && !match[1].startsWith('&')) {\n      paths.push(match[1])\n    }\n  }\n\n  return [...new Set(paths)] // Deduplicate\n}\n\n/**\n * Check if all paths in an operation are within the project directory\n * Used by Free mode for path-based permission decisions\n */\nfunction areAllPathsWithinProject(\n  toolName: string,\n  input: { [k: string]: unknown },\n  projectDir: string,\n): { withinProject: boolean; outsidePaths: string[] } {\n  let paths: string[] = []\n\n  // For Bash tool, extract paths from command\n  if (toolName === 'Bash' && typeof input.command === 'string') {\n    paths = extractPathsFromBashCommand(input.command)\n  } else {\n    paths = extractPathsFromToolInput(toolName, input)\n  }\n\n  // If no paths detected, allow by default (e.g., pwd, date, etc.)\n  if (paths.length === 0) {\n    return { withinProject: true, outsidePaths: [] }\n  }\n\n  const outsidePaths: string[] = []\n  for (const path of paths) {\n    // Check system critical paths first\n    if (isSystemCriticalPath(path)) {\n      outsidePaths.push(path)\n      continue\n    }\n\n    // Check if path is within project\n    if (!isPathWithinProject(path, projectDir)) {\n      outsidePaths.push(path)\n    }\n  }\n\n  return {\n    withinProject: outsidePaths.length === 0,\n    outsidePaths,\n  }\n}\n\n/**\n * Check if a tool should be allowed based on safety mode and risk level\n *\n * Safety Mode Matrix:\n * | Mode   | Safe Tools | Monitored Tools | Dangerous Tools |\n * |--------|------------|-----------------|-----------------|\n * | yolo   | \u2713 allow    | \u2713 allow         | \u2713 allow         |\n * | smart  | \u2713 allow    | \u2713 allow         | \u26A0 ask           |\n * | strict | \u2713 allow    | \u26A0 ask           | \u26A0 ask           |\n * | free   | Path-based: within project = allow, outside = ask |\n */\nfunction shouldAllowByRiskLevel(\n  safetyMode: SafetyMode,\n  riskLevel: RiskLevel,\n  toolName?: string,\n  input?: { [k: string]: unknown },\n): boolean {\n  switch (safetyMode) {\n    case 'yolo':\n      // YOLO mode: allow everything\n      return true\n    case 'smart':\n      // Smart mode: allow safe and monitored, ask for dangerous\n      return riskLevel === 'safe' || riskLevel === 'monitored'\n    case 'strict':\n      // Strict mode: only allow safe tools\n      return riskLevel === 'safe'\n    case 'free':\n      // Free mode: path-based decision\n      // Safe tools (read-only) are always allowed\n      if (riskLevel === 'safe') {\n        return true\n      }\n      // For tools with side effects, check path boundaries\n      if (toolName && input) {\n        const projectDir = getCwd()\n        const { withinProject } = areAllPathsWithinProject(\n          toolName,\n          input,\n          projectDir,\n        )\n        return withinProject\n      }\n      // If we can't determine paths, ask for confirmation\n      return false\n  }\n}\n\n/**\n * Load permission deny/allow rules from settings.json files.\n * Checks: .minto/settings.json, .claude/settings.json, ~/.minto/settings.json, ~/.claude/settings.json\n */\nlet settingsPermissionsCache: {\n  deny: string[]\n  allow: string[]\n} | null = null\n\nfunction loadSettingsPermissions(): { deny: string[]; allow: string[] } {\n  if (settingsPermissionsCache) return settingsPermissionsCache\n\n  const deny: string[] = []\n  const allow: string[] = []\n\n  const cwd = getCwd()\n  const home = homedir()\n\n  // Check settings files in priority order (later overrides earlier)\n  const settingsFiles = [\n    join(home, '.claude', 'settings.json'),\n    join(home, CONFIG_BASE_DIR, 'settings.json'),\n    join(cwd, '.claude', 'settings.json'),\n    join(cwd, CONFIG_BASE_DIR, 'settings.json'),\n  ]\n\n  for (const file of settingsFiles) {\n    if (!existsSync(file)) continue\n    try {\n      const content = JSON.parse(readFileSync(file, 'utf-8'))\n      if (\n        content?.permissions?.deny &&\n        Array.isArray(content.permissions.deny)\n      ) {\n        deny.push(...content.permissions.deny)\n      }\n      if (\n        content?.permissions?.allow &&\n        Array.isArray(content.permissions.allow)\n      ) {\n        allow.push(...content.permissions.allow)\n      }\n    } catch {\n      // Ignore malformed settings files\n    }\n  }\n\n  settingsPermissionsCache = { deny, allow }\n  return settingsPermissionsCache\n}\n\n/**\n * Check if tool matches any pattern in a permission list.\n * Patterns can be exact tool names or tool(pattern) for Bash commands.\n */\nfunction matchesPermissionPattern(\n  toolName: string,\n  input: { [k: string]: unknown } | undefined,\n  patterns: string[],\n): boolean {\n  for (const pattern of patterns) {\n    // Exact tool name match\n    if (pattern === toolName) return true\n\n    // Bash command pattern: Bash(command:*)\n    if (toolName === 'Bash' && pattern.startsWith('Bash(') && input?.command) {\n      const cmdPattern = pattern.slice(5, -1) // Remove Bash( and )\n      const command = String(input.command)\n      if (cmdPattern.endsWith(':*')) {\n        const prefix = cmdPattern.slice(0, -2)\n        if (command.startsWith(prefix)) return true\n      } else if (command === cmdPattern) {\n        return true\n      }\n    }\n  }\n  return false\n}\n\nexport const hasPermissionsToUseTool: CanUseToolFn = async (\n  tool,\n  input,\n  context,\n  _assistantMessage,\n): Promise<PermissionResult> => {\n  // Step 0: Check settings.json deny rules (highest priority - block immediately)\n  const settingsPerms = loadSettingsPermissions()\n  if (\n    matchesPermissionPattern(\n      tool.name,\n      input as { [k: string]: unknown },\n      settingsPerms.deny,\n    )\n  ) {\n    return {\n      result: false,\n      message: `Tool \"${tool.name}\" is denied by settings configuration.`,\n    }\n  }\n\n  // Step 0b: Check settings.json allow rules (explicit allow)\n  if (\n    matchesPermissionPattern(\n      tool.name,\n      input as { [k: string]: unknown },\n      settingsPerms.allow,\n    )\n  ) {\n    return { result: true }\n  }\n\n  const safetyMode = getEffectiveSafetyMode(context.options)\n\n  // Get risk level for this tool (with command-specific classification for Bash)\n  const riskLevel = getToolRiskLevel(\n    tool.name,\n    input as { command?: string } | undefined,\n  )\n\n  // Check if this tool should be auto-allowed based on safety mode and risk level\n  // For Free mode, we also pass tool name and input for path-based decisions\n  if (\n    shouldAllowByRiskLevel(\n      safetyMode,\n      riskLevel,\n      tool.name,\n      input as { [k: string]: unknown },\n    )\n  ) {\n    return { result: true }\n  }\n\n  if (context.abortController.signal.aborted) {\n    throw new AbortError()\n  }\n\n  // Check if the tool needs permissions\n  try {\n    if (!tool.needsPermissions(input as never)) {\n      return { result: true }\n    }\n  } catch (e) {\n    logError(`Error checking permissions: ${e}`)\n    return { result: false, message: 'Error checking permissions' }\n  }\n\n  const projectConfig = getCurrentProjectConfig()\n  const allowedTools = projectConfig.allowedTools ?? []\n  // Special case for BashTool to allow blanket commands without exposing them in the UI\n  if (tool === BashTool && allowedTools.includes(BashTool.name)) {\n    return { result: true }\n  }\n\n  // TODO: Move this into tool definitions (done for read tools!)\n  switch (tool) {\n    // For bash tool, check each sub-command's permissions separately\n    case BashTool: {\n      // The types have already been validated by the tool,\n      // so we can safely parse the input (as opposed to safeParse).\n      const { command } = inputSchema.parse(input)\n      return await bashToolHasPermission(tool, command, context, allowedTools)\n    }\n    // For file editing tools, check session-only permissions\n    case FileEditTool:\n    case FileWriteTool:\n    case NotebookEditTool: {\n      // The types have already been validated by the tool,\n      // so we can safely pass this in\n      if (!tool.needsPermissions(input)) {\n        return { result: true }\n      }\n      return {\n        result: false,\n        message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n      }\n    }\n    // For other tools, check persistent permissions\n    default: {\n      const permissionKey = getPermissionKey(tool, input, null)\n      if (allowedTools.includes(permissionKey)) {\n        return { result: true }\n      }\n\n      // Fire PermissionRequest hook before denying\n      const hookDecision = await firePermissionRequestHook(\n        tool.name,\n        input as Record<string, unknown>,\n      )\n      if (hookDecision === 'approve') {\n        return { result: true }\n      }\n\n      return {\n        result: false,\n        message: `${PRODUCT_NAME} requested permissions to use ${tool.name}, but you haven't granted it yet.`,\n      }\n    }\n  }\n}\n\n/**\n * Fire PermissionRequest hook when a tool needs permission\n * Returns 'approve' to auto-grant, 'block' to deny, or 'ask' to proceed normally\n */\nasync function firePermissionRequestHook(\n  toolName: string,\n  toolInput: Record<string, unknown>,\n): Promise<'approve' | 'block' | 'ask'> {\n  try {\n    const hookMgr = getHookManager()\n    if (!hookMgr) return 'ask'\n\n    const result = await hookMgr.executePermissionRequest(\n      toolName,\n      toolInput,\n      'other',\n    )\n\n    if (!result.shouldContinue && !result.shouldAskUser) {\n      return 'block'\n    }\n    if (result.shouldContinue && !result.shouldAskUser) {\n      // Check if hook explicitly approved (vs just no hooks matched)\n      if (result.reason) return 'approve'\n    }\n  } catch {\n    // Hook errors don't block permission flow\n  }\n  return 'ask'\n}\n\nexport async function savePermission(\n  tool: Tool,\n  input: { [k: string]: unknown },\n  prefix: string | null,\n): Promise<void> {\n  const key = getPermissionKey(tool, input, prefix)\n\n  // For file editing tools, store write permissions only in memory\n  if (\n    tool === FileEditTool ||\n    tool === FileWriteTool ||\n    tool === NotebookEditTool\n  ) {\n    grantWritePermissionForOriginalDir()\n    return\n  }\n\n  // For other tools, store permissions on disk\n  const projectConfig = getCurrentProjectConfig()\n  if (projectConfig.allowedTools.includes(key)) {\n    return\n  }\n\n  projectConfig.allowedTools.push(key)\n  projectConfig.allowedTools.sort()\n\n  saveCurrentProjectConfig(projectConfig)\n}\n\nfunction getPermissionKey(\n  tool: Tool,\n  input: { [k: string]: unknown },\n  prefix: string | null,\n): string {\n  switch (tool) {\n    case BashTool:\n      if (prefix) {\n        return `${BashTool.name}(${prefix}:*)`\n      }\n      return `${BashTool.name}(${BashTool.renderToolUseMessage(input as never)})`\n    default:\n      return tool.name\n  }\n}\n"],
+  "mappings": "AAEA,SAAS,UAAU,mBAAmB;AACtC,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB;AAC9B,SAAS,wBAAwB;AACjC,SAAS,4BAA4B,oBAAoB;AACzD;AAAA,EACE;AAAA,EACA;AAAA,OAEK;AACP,SAAS,kBAAkB;AAC3B,SAAS,gBAAgB;AACzB,SAAS,0CAA0C;AACnD,SAAS,cAAc;AACvB,SAAS,oBAAoB;AAC7B;AAAA,EACE;AAAA,OAEK;AACP,SAAS,SAAS,UAAU,YAAY,YAAY;AACpD,SAAS,sBAAsB;AAC/B,SAAS,YAAY,oBAAoB;AACzC,SAAS,eAAe;AACxB,SAAS,uBAAuB;AAGhC,MAAM,gBAAgB,oBAAI,IAAI;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAEM,MAAM,yCAAyC,CACpD,MACA,SACA,iBACY;AACZ,MAAI,cAAc,IAAI,OAAO,GAAG;AAC9B,WAAO;AAAA,EACT;AAEA,MAAI,aAAa,SAAS,iBAAiB,MAAM,EAAE,QAAQ,GAAG,IAAI,CAAC,GAAG;AACpE,WAAO;AAAA,EACT;AAEA,MAAI,aAAa,SAAS,iBAAiB,MAAM,EAAE,QAAQ,GAAG,OAAO,CAAC,GAAG;AACvE,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAEO,MAAM,+BAA+B,CAC1C,MACA,SACA,QACA,iBACY;AAEZ,MAAI,uCAAuC,MAAM,SAAS,YAAY,GAAG;AACvE,WAAO;AAAA,EACT;AACA,SAAO,aAAa,SAAS,iBAAiB,MAAM,EAAE,QAAQ,GAAG,MAAM,CAAC;AAC1E;AAEO,MAAM,wBAAwB,OACnC,MACA,SACA,SACA,cACA,+BAA+B,+BACD;AAC9B,MAAI,uCAAuC,MAAM,SAAS,YAAY,GAAG;AAEvE,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAEA,QAAM,cAAc,aAAa,OAAO,EAAE,OAAO,OAAK;AAEpD,QAAI,MAAM,MAAM,OAAO,CAAC,IAAI;AAC1B,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,CAAC;AACD,QAAM,0BAA0B,MAAM;AAAA,IACpC;AAAA,IACA,QAAQ,gBAAgB;AAAA,EAC1B;AACA,MAAI,QAAQ,gBAAgB,OAAO,SAAS;AAC1C,UAAM,IAAI,WAAW;AAAA,EACvB;AAEA,MAAI,4BAA4B,MAAM;AAGpC,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,IACpE;AAAA,EACF;AAEA,MAAI,wBAAwB,0BAA0B;AAEpD,QAAI,uCAAuC,MAAM,SAAS,YAAY,GAAG;AACvE,aAAO,EAAE,QAAQ,KAAK;AAAA,IACxB,OAAO;AACL,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,MACpE;AAAA,IACF;AAAA,EACF;AAKA,QAAM,gBACJ,mBAAmB,0BACf,wBAAwB,gBACxB;AAGN,MAAI,YAAY,SAAS,GAAG;AAC1B,QACE,6BAA6B,MAAM,SAAS,eAAe,YAAY,GACvE;AACA,aAAO,EAAE,QAAQ,KAAK;AAAA,IACxB,OAAO;AACL,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,MACpE;AAAA,IACF;AAAA,EACF;AACA,MACE,YAAY,MAAM,gBAAc;AAC9B,UAAM,eACJ,wBAAwB,mBAAmB,IAAI,UAAU;AAC3D,QAAI,iBAAiB,UAAa,aAAa,0BAA0B;AAEvE,aAAO;AAAA,IACT;AAGA,UAAM,mBACJ,mBAAmB,eAAe,aAAa,gBAAgB;AACjE,UAAM,gBAAgB;AAAA,MACpB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,WAAO;AAAA,EACT,CAAC,GACD;AACA,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,EACpE;AACF;AAQA,SAAS,uBAAuB,SAGjB;AAEb,MAAI,QAAQ,YAAY;AACtB,WAAO,QAAQ;AAAA,EACjB;AAIA,MAAI,QAAQ,aAAa,MAAM;AAC7B,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAMA,SAAS,oBAAoB,YAAoB,YAA6B;AAE5E,QAAM,eAAe,WAAW,UAAU,IACtC,QAAQ,UAAU,IAClB,QAAQ,YAAY,UAAU;AAGlC,QAAM,eAAe,SAAS,YAAY,YAAY;AAKtD,SAAO,CAAC,aAAa,WAAW,IAAI,KAAK,CAAC,WAAW,YAAY;AACnE;AAMA,MAAM,wBAAwB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKA,SAAS,qBAAqB,YAA6B;AACzD,QAAM,iBAAiB,QAAQ,UAAU,EAAE,YAAY;AACvD,SAAO,sBAAsB;AAAA,IAAK,kBAChC,eAAe,WAAW,aAAa,YAAY,CAAC;AAAA,EACtD;AACF;AAKA,SAAS,0BACP,UACA,OACU;AACV,QAAM,QAAkB,CAAC;AAGzB,MAAI,aAAa,UAAU,aAAa,WAAW,aAAa,QAAQ;AACtE,QAAI,OAAO,MAAM,cAAc,UAAU;AACvC,YAAM,KAAK,MAAM,SAAS;AAAA,IAC5B;AAAA,EACF;AAGA,MAAI,aAAa,UAAU,aAAa,QAAQ;AAC9C,QAAI,OAAO,MAAM,SAAS,UAAU;AAClC,YAAM,KAAK,MAAM,IAAI;AAAA,IACvB;AAAA,EACF;AAGA,MAAI,aAAa,MAAM;AACrB,QAAI,OAAO,MAAM,SAAS,UAAU;AAClC,YAAM,KAAK,MAAM,IAAI;AAAA,IACvB;AAAA,EACF;AAGA,MAAI,aAAa,gBAAgB;AAC/B,QAAI,OAAO,MAAM,kBAAkB,UAAU;AAC3C,YAAM,KAAK,MAAM,aAAa;AAAA,IAChC;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,4BAA4B,SAA2B;AAC9D,QAAM,QAAkB,CAAC;AAGzB,QAAM,gBAAgB,QAAQ,SAAS,mBAAmB;AAC1D,aAAW,SAAS,eAAe;AACjC,QAAI,MAAM,CAAC,MAAM,MAAM,CAAC,EAAE,SAAS,GAAG,KAAK,MAAM,CAAC,EAAE,WAAW,GAAG,IAAI;AACpE,YAAM,KAAK,MAAM,CAAC,CAAC;AAAA,IACrB;AAAA,EACF;AAGA,QAAM,kBAAkB,QAAQ;AAAA,IAC9B;AAAA,EACF;AACA,aAAW,SAAS,iBAAiB;AACnC,QAAI,MAAM,CAAC,GAAG;AACZ,YAAM,KAAK,MAAM,CAAC,CAAC;AAAA,IACrB;AAAA,EACF;AAGA,QAAM,kBAAkB,QAAQ,SAAS,8BAA8B;AACvE,aAAW,SAAS,iBAAiB;AACnC,QAAI,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,WAAW,GAAG,GAAG;AACzC,YAAM,KAAK,MAAM,CAAC,CAAC;AAAA,IACrB;AAAA,EACF;AAEA,SAAO,CAAC,GAAG,IAAI,IAAI,KAAK,CAAC;AAC3B;AAMA,SAAS,yBACP,UACA,OACA,YACoD;AACpD,MAAI,QAAkB,CAAC;AAGvB,MAAI,aAAa,UAAU,OAAO,MAAM,YAAY,UAAU;AAC5D,YAAQ,4BAA4B,MAAM,OAAO;AAAA,EACnD,OAAO;AACL,YAAQ,0BAA0B,UAAU,KAAK;AAAA,EACnD;AAGA,MAAI,MAAM,WAAW,GAAG;AACtB,WAAO,EAAE,eAAe,MAAM,cAAc,CAAC,EAAE;AAAA,EACjD;AAEA,QAAM,eAAyB,CAAC;AAChC,aAAW,QAAQ,OAAO;AAExB,QAAI,qBAAqB,IAAI,GAAG;AAC9B,mBAAa,KAAK,IAAI;AACtB;AAAA,IACF;AAGA,QAAI,CAAC,oBAAoB,MAAM,UAAU,GAAG;AAC1C,mBAAa,KAAK,IAAI;AAAA,IACxB;AAAA,EACF;AAEA,SAAO;AAAA,IACL,eAAe,aAAa,WAAW;AAAA,IACvC;AAAA,EACF;AACF;AAaA,SAAS,uBACP,YACA,WACA,UACA,OACS;AACT,UAAQ,YAAY;AAAA,IAClB,KAAK;AAEH,aAAO;AAAA,IACT,KAAK;AAEH,aAAO,cAAc,UAAU,cAAc;AAAA,IAC/C,KAAK;AAEH,aAAO,cAAc;AAAA,IACvB,KAAK;AAGH,UAAI,cAAc,QAAQ;AACxB,eAAO;AAAA,MACT;AAEA,UAAI,YAAY,OAAO;AACrB,cAAM,aAAa,OAAO;AAC1B,cAAM,EAAE,cAAc,IAAI;AAAA,UACxB;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,EACX;AACF;AAMA,IAAI,2BAGO;AAEX,SAAS,0BAA+D;AACtE,MAAI,yBAA0B,QAAO;AAErC,QAAM,OAAiB,CAAC;AACxB,QAAM,QAAkB,CAAC;AAEzB,QAAM,MAAM,OAAO;AACnB,QAAM,OAAO,QAAQ;AAGrB,QAAM,gBAAgB;AAAA,IACpB,KAAK,MAAM,WAAW,eAAe;AAAA,IACrC,KAAK,MAAM,iBAAiB,eAAe;AAAA,IAC3C,KAAK,KAAK,WAAW,eAAe;AAAA,IACpC,KAAK,KAAK,iBAAiB,eAAe;AAAA,EAC5C;AAEA,aAAW,QAAQ,eAAe;AAChC,QAAI,CAAC,WAAW,IAAI,EAAG;AACvB,QAAI;AACF,YAAM,UAAU,KAAK,MAAM,aAAa,MAAM,OAAO,CAAC;AACtD,UACE,SAAS,aAAa,QACtB,MAAM,QAAQ,QAAQ,YAAY,IAAI,GACtC;AACA,aAAK,KAAK,GAAG,QAAQ,YAAY,IAAI;AAAA,MACvC;AACA,UACE,SAAS,aAAa,SACtB,MAAM,QAAQ,QAAQ,YAAY,KAAK,GACvC;AACA,cAAM,KAAK,GAAG,QAAQ,YAAY,KAAK;AAAA,MACzC;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,6BAA2B,EAAE,MAAM,MAAM;AACzC,SAAO;AACT;AAMA,SAAS,yBACP,UACA,OACA,UACS;AACT,aAAW,WAAW,UAAU;AAE9B,QAAI,YAAY,SAAU,QAAO;AAGjC,QAAI,aAAa,UAAU,QAAQ,WAAW,OAAO,KAAK,OAAO,SAAS;AACxE,YAAM,aAAa,QAAQ,MAAM,GAAG,EAAE;AACtC,YAAM,UAAU,OAAO,MAAM,OAAO;AACpC,UAAI,WAAW,SAAS,IAAI,GAAG;AAC7B,cAAM,SAAS,WAAW,MAAM,GAAG,EAAE;AACrC,YAAI,QAAQ,WAAW,MAAM,EAAG,QAAO;AAAA,MACzC,WAAW,YAAY,YAAY;AACjC,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEO,MAAM,0BAAwC,OACnD,MACA,OACA,SACA,sBAC8B;AAE9B,QAAM,gBAAgB,wBAAwB;AAC9C,MACE;AAAA,IACE,KAAK;AAAA,IACL;AAAA,IACA,cAAc;AAAA,EAChB,GACA;AACA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,SAAS,SAAS,KAAK,IAAI;AAAA,IAC7B;AAAA,EACF;AAGA,MACE;AAAA,IACE,KAAK;AAAA,IACL;AAAA,IACA,cAAc;AAAA,EAChB,GACA;AACA,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAEA,QAAM,aAAa,uBAAuB,QAAQ,OAAO;AAGzD,QAAM,YAAY;AAAA,IAChB,KAAK;AAAA,IACL;AAAA,EACF;AAIA,MACE;AAAA,IACE;AAAA,IACA;AAAA,IACA,KAAK;AAAA,IACL;AAAA,EACF,GACA;AACA,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAEA,MAAI,QAAQ,gBAAgB,OAAO,SAAS;AAC1C,UAAM,IAAI,WAAW;AAAA,EACvB;AAGA,MAAI;AACF,QAAI,CAAC,KAAK,iBAAiB,KAAc,GAAG;AAC1C,aAAO,EAAE,QAAQ,KAAK;AAAA,IACxB;AAAA,EACF,SAAS,GAAG;AACV,aAAS,+BAA+B,CAAC,EAAE;AAC3C,WAAO,EAAE,QAAQ,OAAO,SAAS,6BAA6B;AAAA,EAChE;AAEA,QAAM,gBAAgB,wBAAwB;AAC9C,QAAM,eAAe,cAAc,gBAAgB,CAAC;AAEpD,MAAI,SAAS,YAAY,aAAa,SAAS,SAAS,IAAI,GAAG;AAC7D,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAGA,UAAQ,MAAM;AAAA;AAAA,IAEZ,KAAK,UAAU;AAGb,YAAM,EAAE,QAAQ,IAAI,YAAY,MAAM,KAAK;AAC3C,aAAO,MAAM,sBAAsB,MAAM,SAAS,SAAS,YAAY;AAAA,IACzE;AAAA;AAAA,IAEA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,kBAAkB;AAGrB,UAAI,CAAC,KAAK,iBAAiB,KAAK,GAAG;AACjC,eAAO,EAAE,QAAQ,KAAK;AAAA,MACxB;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,MACpE;AAAA,IACF;AAAA;AAAA,IAEA,SAAS;AACP,YAAM,gBAAgB,iBAAiB,MAAM,OAAO,IAAI;AACxD,UAAI,aAAa,SAAS,aAAa,GAAG;AACxC,eAAO,EAAE,QAAQ,KAAK;AAAA,MACxB;AAGA,YAAM,eAAe,MAAM;AAAA,QACzB,KAAK;AAAA,QACL;AAAA,MACF;AACA,UAAI,iBAAiB,WAAW;AAC9B,eAAO,EAAE,QAAQ,KAAK;AAAA,MACxB;AAEA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,GAAG,YAAY,iCAAiC,KAAK,IAAI;AAAA,MACpE;AAAA,IACF;AAAA,EACF;AACF;AAMA,eAAe,0BACb,UACA,WACsC;AACtC,MAAI;AACF,UAAM,UAAU,eAAe;AAC/B,QAAI,CAAC,QAAS,QAAO;AAErB,UAAM,SAAS,MAAM,QAAQ;AAAA,MAC3B;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,QAAI,CAAC,OAAO,kBAAkB,CAAC,OAAO,eAAe;AACnD,aAAO;AAAA,IACT;AACA,QAAI,OAAO,kBAAkB,CAAC,OAAO,eAAe;AAElD,UAAI,OAAO,OAAQ,QAAO;AAAA,IAC5B;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO;AACT;AAEA,eAAsB,eACpB,MACA,OACA,QACe;AACf,QAAM,MAAM,iBAAiB,MAAM,OAAO,MAAM;AAGhD,MACE,SAAS,gBACT,SAAS,iBACT,SAAS,kBACT;AACA,uCAAmC;AACnC;AAAA,EACF;AAGA,QAAM,gBAAgB,wBAAwB;AAC9C,MAAI,cAAc,aAAa,SAAS,GAAG,GAAG;AAC5C;AAAA,EACF;AAEA,gBAAc,aAAa,KAAK,GAAG;AACnC,gBAAc,aAAa,KAAK;AAEhC,2BAAyB,aAAa;AACxC;AAEA,SAAS,iBACP,MACA,OACA,QACQ;AACR,UAAQ,MAAM;AAAA,IACZ,KAAK;AACH,UAAI,QAAQ;AACV,eAAO,GAAG,SAAS,IAAI,IAAI,MAAM;AAAA,MACnC;AACA,aAAO,GAAG,SAAS,IAAI,IAAI,SAAS,qBAAqB,KAAc,CAAC;AAAA,IAC1E;AACE,aAAO,KAAK;AAAA,EAChB;AACF;",
   "names": []
 }

package/dist/query.js

@@ -31,7 +31,7 @@ import {
   normalizeMessagesForAPI
 } from "./utils/messages.js";
 import { withTimeout, ToolTimeoutError } from "./utils/toolTimeout.js";
-import { setStreamingState, resetStreamingState } from "./components/Spinner.js";
+import { setStreamingState, resetStreamingState } from "./utils/streamingState.js";
 import { BashTool } from "./tools/BashTool/BashTool.js";
 function normalizeToolResultContent(content) {
   if (content === null || content === void 0) {
@@ -122,24 +122,8 @@ async function* query(messages, systemPrompt, context, canUseTool, toolUseContex
     messages: messages.length,
     timestamp: Date.now()
   });
-  if (reminders && messages.length > 0) {
-    for (let i = messages.length - 1; i >= 0; i--) {
-      const msg = messages[i];
-      if (msg?.type === "user") {
-        const lastUserMessage = msg;
-        messages[i] = {
-          ...lastUserMessage,
-          message: {
-            ...lastUserMessage.message,
-            content: typeof lastUserMessage.message.content === "string" ? reminders + lastUserMessage.message.content : [
-              ...Array.isArray(lastUserMessage.message.content) ? lastUserMessage.message.content : [],
-              { type: "text", text: reminders }
-            ]
-          }
-        };
-        break;
-      }
-    }
+  if (reminders) {
+    fullSystemPrompt.push(reminders);
   }
   markPhase("LLM_PREPARATION");
   setStreamingState({ phase: "waiting" });
@@ -180,6 +164,11 @@ async function* query(messages, systemPrompt, context, canUseTool, toolUseContex
   );
   if (!toolUseMessages.length) {
     resetStreamingState();
+    const hookManager = getHookManager();
+    if (hookManager) {
+      hookManager.executeStop().catch(() => {
+      });
+    }
     return;
   }
   const toolResults = [];
@@ -437,6 +426,15 @@ async function* runToolUse(toolUse, siblingToolUseIDs, assistantMessage, canUseT
     }
   } catch (e) {
     logError(e);
+    const hookManager = getHookManager();
+    if (hookManager) {
+      hookManager.executePostToolUseFailure(
+        toolName,
+        toolInput,
+        e instanceof Error ? e.message : String(e)
+      ).catch(() => {
+      });
+    }
     const errorMessage = createUserMessage([
       {
         type: "tool_result",
@@ -684,6 +682,16 @@ async function* checkPermissionsAndCallTool(tool, toolUseID, siblingToolUseIDs,
       recordToolCall(tool.name, true);
     } catch {
     }
+    const hookMgr = getHookManager();
+    if (hookMgr) {
+      hookMgr.executePostToolUseFailure(
+        tool.name,
+        normalizedInput,
+        error instanceof Error ? error.message : String(error),
+        error instanceof ToolTimeoutError ? "timeout" : void 0
+      ).catch(() => {
+      });
+    }
     if (error instanceof ToolTimeoutError) {
       debug.error("TOOL_TIMEOUT", {
         toolName: tool.name,