@within-7/minto 0.4.0 → 0.4.2

package/dist/tools/BashTool/BashTool.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/tools/BashTool/BashTool.tsx"],
-  "sourcesContent": ["import { statSync } from 'fs'\nimport { EOL } from 'os'\nimport { isAbsolute, relative, resolve } from 'path'\nimport * as React from 'react'\nimport { z } from 'zod'\nimport { FallbackToolUseRejectedMessage } from '@components/FallbackToolUseRejectedMessage'\nimport { PRODUCT_NAME } from '@constants/product'\nimport { queryQuick } from '@services/claude'\nimport { Tool, ValidationResult } from '@tool'\nimport { splitCommand } from '@utils/commands'\nimport { isInDirectory } from '@utils/file'\nimport { logError } from '@utils/log'\nimport {\n  PersistentShell,\n  type StreamingYield,\n  type StreamingResult,\n} from '@utils/PersistentShell'\nimport { getCwd, getOriginalCwd } from '@utils/state'\nimport { getGlobalConfig } from '@utils/config'\nimport { getModelManager } from '@utils/model'\nimport { BackgroundShellManager } from '@utils/BackgroundShellManager'\nimport BashToolResultMessage from './BashToolResultMessage'\nimport {\n  BANNED_COMMANDS,\n  PROMPT,\n  matchesDangerousPattern,\n  detectDangerousPatterns,\n} from './prompt'\nimport { formatOutput, getCommandFilePaths } from './utils'\n\nexport const inputSchema = z.strictObject({\n  command: z.string().describe('The command to execute'),\n  timeout: z\n    .number()\n    .optional()\n    .describe('Optional timeout in milliseconds (max 600000)'),\n  run_in_background: z\n    .boolean()\n    .optional()\n    .describe('Set to true to run this command in the background'),\n  description: z\n    .string()\n    .optional()\n    .describe(\n      `Clear, concise description of what this command does in active voice. Never use words like \"complex\" or \"risk\" in the description - just describe what it does.\n\nFor simple commands (git, npm, standard CLI tools), keep it brief (5-10 words):\n- ls \u2192 \"List files in current directory\"\n- git status \u2192 \"Show working tree status\"\n- npm install \u2192 \"Install package dependencies\"\n\nFor commands that are harder to parse at a glance (piped commands, obscure flags, etc.), add enough context to clarify what it does:\n- find . -name \"*.tmp\" -exec rm {} \\\\; \u2192 \"Find and delete all .tmp files recursively\"\n- git reset --hard origin/main \u2192 \"Discard all local changes and match remote main\"\n- curl -s url | jq '.data[]' \u2192 \"Fetch JSON from URL and extract data array elements\"`,\n    ),\n})\n\ntype In = typeof inputSchema\nexport type Out = {\n  stdout: string\n  stdoutLines: number // Total number of lines in original stdout, even if `stdout` is now truncated\n  stderr: string\n  stderrLines: number // Total number of lines in original stderr, even if `stderr` is now truncated\n  interrupted: boolean\n  shellId?: string // Present if run_in_background is true\n}\n\nexport const BashTool = {\n  name: 'Bash',\n  async description() {\n    return 'Executes shell commands on your computer'\n  },\n  async prompt() {\n    const config = getGlobalConfig()\n    // \uD83D\uDD27 Fix: Use ModelManager to get actual current model\n    const modelManager = getModelManager()\n    const modelName =\n      modelManager.getModelName('main') || '<No Model Configured>'\n    // Substitute the placeholder in the static PROMPT string\n    return PROMPT.replace(/{MODEL_NAME}/g, modelName)\n  },\n  isReadOnly() {\n    return false\n  },\n  isConcurrencySafe() {\n    return false // BashTool modifies state/files, not safe for concurrent execution\n  },\n  inputSchema,\n  userFacingName() {\n    return 'Bash'\n  },\n  async isEnabled() {\n    return true\n  },\n  needsPermissions(): boolean {\n    // Always check per-project permissions for BashTool\n    return true\n  },\n  async validateInput({ command }): Promise<ValidationResult> {\n    // Detect dangerous patterns (critical only block, others warn)\n    const dangerousPatterns = detectDangerousPatterns(command)\n    const criticalPatterns = dangerousPatterns.filter(\n      p => p.severity === 'critical',\n    )\n\n    if (criticalPatterns.length > 0) {\n      const patternNames = criticalPatterns.map(p => p.name).join(', ')\n      logError(\n        `SECURITY: Critical dangerous patterns detected in command: ${patternNames}`,\n      )\n      return {\n        result: false,\n        message: `Command contains critical security risks: ${patternNames}. This command has been blocked for security reasons.`,\n      }\n    }\n\n    // Log warnings for high-severity patterns (non-blocking)\n    const highPatterns = dangerousPatterns.filter(p => p.severity === 'high')\n    if (highPatterns.length > 0) {\n      const patternNames = highPatterns.map(p => p.name).join(', ')\n      logError(\n        `SECURITY WARNING: High-severity patterns detected in command: ${patternNames}. User confirmation required.`,\n      )\n    }\n\n    const commands = splitCommand(command)\n    for (const cmd of commands) {\n      const parts = cmd.split(' ')\n      const baseCmd = parts[0]\n\n      // Check if command is banned\n      if (baseCmd && BANNED_COMMANDS.includes(baseCmd.toLowerCase())) {\n        return {\n          result: false,\n          message: `Command '${baseCmd}' is not allowed for security reasons`,\n        }\n      }\n\n      // Also check for commands that might be invoked with full path\n      // e.g., /usr/bin/curl, /bin/rm\n      if (baseCmd && (baseCmd.startsWith('/') || baseCmd.startsWith('./'))) {\n        const cmdName = baseCmd.split('/').pop()?.toLowerCase()\n        if (cmdName && BANNED_COMMANDS.includes(cmdName)) {\n          return {\n            result: false,\n            message: `Command '${cmdName}' is not allowed for security reasons (full path: ${baseCmd})`,\n          }\n        }\n      }\n\n      // Special handling for cd command\n      if (baseCmd === 'cd' && parts[1]) {\n        const targetDir = parts[1]!.replace(/^['\"]|['\"]$/g, '') // Remove quotes if present\n        const fullTargetDir = isAbsolute(targetDir)\n          ? targetDir\n          : resolve(getCwd(), targetDir)\n        if (\n          !isInDirectory(\n            relative(getOriginalCwd(), fullTargetDir),\n            relative(getCwd(), getOriginalCwd()),\n          )\n        ) {\n          return {\n            result: false,\n            message: `ERROR: cd to '${fullTargetDir}' was blocked. For security, ${PRODUCT_NAME} may only change directories to child directories of the original working directory (${getOriginalCwd()}) for this session.`,\n          }\n        }\n      }\n    }\n\n    return { result: true }\n  },\n  renderToolUseMessage({ command, description }) {\n    // Clean up any command that uses the quoted HEREDOC pattern\n    let displayCommand = command\n    if (command.includes(\"\\\"$(cat <<'EOF'\")) {\n      const match = command.match(\n        /^(.*?)\"?\\$\\(cat <<'EOF'\\n([\\s\\S]*?)\\n\\s*EOF\\n\\s*\\)\"(.*)$/,\n      )\n      if (match && match[1] && match[2]) {\n        const prefix = match[1]\n        const content = match[2]\n        const suffix = match[3] || ''\n        displayCommand = `${prefix.trim()} \"${content.trim()}\"${suffix.trim()}`\n      }\n    }\n\n    // If description is provided, show it instead of (or alongside) the command\n    if (description) {\n      return description\n    }\n\n    return displayCommand\n  },\n  renderToolUseRejectedMessage() {\n    return <FallbackToolUseRejectedMessage />\n  },\n\n  renderToolResultMessage(content) {\n    return <BashToolResultMessage content={content} verbose={false} />\n  },\n  renderResultForAssistant({ interrupted, stdout, stderr }) {\n    let errorMessage = stderr.trim()\n    if (interrupted) {\n      if (stderr) errorMessage += EOL\n      errorMessage += '<error>Command was aborted before completion</error>'\n    }\n    const hasBoth = stdout.trim() && errorMessage\n    return `${stdout.trim()}${hasBoth ? '\\n' : ''}${errorMessage.trim()}`\n  },\n  async *call(\n    { command, timeout = 120000, run_in_background = false },\n    { abortController, readFileTimestamps },\n  ) {\n    // Sandbox pre-validation (if enabled)\n    try {\n      const { getCurrentProjectConfig } = await import('@utils/config')\n      const projectConfig = getCurrentProjectConfig()\n      if (projectConfig.sandbox?.enabled) {\n        const { getSandboxController } = await import('@services/sandbox')\n        const sandbox = getSandboxController(getCwd())\n        if (await sandbox.isAvailable()) {\n          const validation = await sandbox.validateCommand(command)\n          if (!validation.valid) {\n            const reason = validation.violations\n              .map(v => v.details || v.type)\n              .join('; ')\n            const data: Out = {\n              stdout: '',\n              stdoutLines: 0,\n              stderr: `Sandbox violation: ${reason || 'Command blocked by sandbox policy'}`,\n              stderrLines: 1,\n              interrupted: false,\n            }\n            yield {\n              type: 'result',\n              resultForAssistant: `Sandbox blocked: ${reason}`,\n              data,\n            }\n            return\n          }\n        }\n      }\n    } catch {\n      // Sandbox not available or error - continue without it\n    }\n\n    // Handle background execution\n    if (run_in_background) {\n      const shellId = BackgroundShellManager.getInstance().create(\n        command,\n        getCwd(),\n      )\n\n      const data: Out = {\n        stdout: `Background shell started with ID: ${shellId}`,\n        stdoutLines: 1,\n        stderr: '',\n        stderrLines: 0,\n        interrupted: false,\n        shellId,\n      }\n\n      yield {\n        type: 'result',\n        resultForAssistant: `Started background shell: ${shellId}\\nCommand: ${command}`,\n        data,\n      }\n      return\n    }\n\n    let stdout = ''\n    let stderr = ''\n\n    // \uD83D\uDD27 CRITICAL FIX: Track whether this tool invocation has completed\n    // to prevent async callbacks from accessing stale context\n    let isCompleted = false\n\n    // \uD83D\uDD27 Check if already cancelled before starting execution\n    if (abortController.signal.aborted) {\n      const data: Out = {\n        stdout: '',\n        stdoutLines: 0,\n        stderr: 'Command cancelled before execution',\n        stderrLines: 1,\n        interrupted: true,\n      }\n\n      yield {\n        type: 'result',\n        resultForAssistant: this.renderResultForAssistant(data),\n        data,\n      }\n      return\n    }\n\n    try {\n      // Execute commands with streaming output\n      let result: StreamingResult | null = null\n      let streamedStdout = ''\n      let streamedStderr = ''\n\n      // Use streaming execution for real-time output\n      const streamingGenerator = PersistentShell.getInstance().execStreaming(\n        command,\n        abortController.signal,\n        timeout,\n      )\n\n      for await (const chunk of streamingGenerator) {\n        if (chunk.type === 'chunk') {\n          // Accumulate streamed output\n          if (chunk.stdout) {\n            streamedStdout += chunk.stdout\n          }\n          if (chunk.stderr) {\n            streamedStderr += chunk.stderr\n          }\n\n          // Yield progress update for real-time UI feedback\n          // Use StreamingProgressContent format for proper rendering\n          yield {\n            type: 'progress',\n            content: {\n              type: 'streaming',\n              toolName: 'Bash',\n              stdout: streamedStdout,\n              stderr: streamedStderr,\n              isStreaming: true,\n            },\n          }\n        } else if (chunk.type === 'result') {\n          // Final result\n          result = chunk\n        }\n      }\n\n      // Use the final result (or construct from streamed data)\n      if (!result) {\n        result = {\n          type: 'result',\n          stdout: streamedStdout,\n          stderr: streamedStderr,\n          code: 0,\n          interrupted: false,\n        }\n      }\n\n      stdout += (result.stdout || '').trim() + EOL\n      stderr += (result.stderr || '').trim() + EOL\n      if (result.code !== 0) {\n        stderr += `Exit code ${result.code}`\n      }\n\n      if (!isInDirectory(getCwd(), getOriginalCwd())) {\n        // Shell directory is outside original working directory, reset it\n        await PersistentShell.getInstance().setCwd(getOriginalCwd())\n        stderr = `${stderr.trim()}${EOL}Shell cwd was reset to ${getOriginalCwd()}`\n      }\n\n      // Update read timestamps for any files referenced by the command\n      // Don't block the main thread!\n      // Skip this in tests because it makes fixtures non-deterministic (they might not always get written),\n      // so will be missing in CI.\n      if (process.env.NODE_ENV !== 'test') {\n        getCommandFilePaths(command, stdout).then(filePaths => {\n          // \uD83D\uDD27 CRITICAL FIX: Check if tool invocation has already completed\n          // to prevent accessing potentially stale context\n          if (isCompleted) {\n            return // Tool has finished, don't access readFileTimestamps\n          }\n\n          for (const filePath of filePaths) {\n            const fullFilePath = isAbsolute(filePath)\n              ? filePath\n              : resolve(getCwd(), filePath)\n\n            // Try/catch in case the file doesn't exist (because Haiku didn't properly extract it)\n            try {\n              readFileTimestamps[fullFilePath] = statSync(fullFilePath).mtimeMs\n            } catch (e) {\n              logError(e)\n            }\n          }\n        })\n      }\n\n      const { totalLines: stdoutLines, truncatedContent: stdoutContent } =\n        formatOutput(stdout.trim())\n      const { totalLines: stderrLines, truncatedContent: stderrContent } =\n        formatOutput(stderr.trim())\n\n      const data: Out = {\n        stdout: stdoutContent,\n        stdoutLines,\n        stderr: stderrContent,\n        stderrLines,\n        interrupted: result.interrupted,\n      }\n\n      yield {\n        type: 'result',\n        resultForAssistant: this.renderResultForAssistant(data),\n        data,\n      }\n    } catch (error) {\n      // \uD83D\uDD27 Handle cancellation or other errors properly\n      const isAborted = abortController.signal.aborted\n      const errorMessage = isAborted\n        ? 'Command was cancelled by user'\n        : `Command failed: ${error instanceof Error ? error.message : String(error)}`\n\n      const data: Out = {\n        stdout: stdout.trim(),\n        stdoutLines: stdout.split('\\n').length,\n        stderr: errorMessage,\n        stderrLines: 1,\n        interrupted: isAborted,\n      }\n\n      yield {\n        type: 'result',\n        resultForAssistant: this.renderResultForAssistant(data),\n        data,\n      }\n    } finally {\n      // \uD83D\uDD27 CRITICAL FIX: Mark tool invocation as completed\n      // This prevents async callbacks (like getCommandFilePaths) from\n      // accessing potentially stale context after this tool returns\n      isCompleted = true\n    }\n  },\n} satisfies Tool\n"],
-  "mappings": "AAAA,SAAS,gBAAgB;AACzB,SAAS,WAAW;AACpB,SAAS,YAAY,UAAU,eAAe;AAC9C,YAAY,WAAW;AACvB,SAAS,SAAS;AAClB,SAAS,sCAAsC;AAC/C,SAAS,oBAAoB;AAG7B,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB;AAC9B,SAAS,gBAAgB;AACzB;AAAA,EACE;AAAA,OAGK;AACP,SAAS,QAAQ,sBAAsB;AACvC,SAAS,uBAAuB;AAChC,SAAS,uBAAuB;AAChC,SAAS,8BAA8B;AACvC,OAAO,2BAA2B;AAClC;AAAA,EACE;AAAA,EACA;AAAA,EAEA;AAAA,OACK;AACP,SAAS,cAAc,2BAA2B;AAE3C,MAAM,cAAc,EAAE,aAAa;AAAA,EACxC,SAAS,EAAE,OAAO,EAAE,SAAS,wBAAwB;AAAA,EACrD,SAAS,EACN,OAAO,EACP,SAAS,EACT,SAAS,+CAA+C;AAAA,EAC3D,mBAAmB,EAChB,QAAQ,EACR,SAAS,EACT,SAAS,mDAAmD;AAAA,EAC/D,aAAa,EACV,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWF;AACJ,CAAC;AAYM,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,MAAM,cAAc;AAClB,WAAO;AAAA,EACT;AAAA,EACA,MAAM,SAAS;AACb,UAAM,SAAS,gBAAgB;AAE/B,UAAM,eAAe,gBAAgB;AACrC,UAAM,YACJ,aAAa,aAAa,MAAM,KAAK;AAEvC,WAAO,OAAO,QAAQ,iBAAiB,SAAS;AAAA,EAClD;AAAA,EACA,aAAa;AACX,WAAO;AAAA,EACT;AAAA,EACA,oBAAoB;AAClB,WAAO;AAAA,EACT;AAAA,EACA;AAAA,EACA,iBAAiB;AACf,WAAO;AAAA,EACT;AAAA,EACA,MAAM,YAAY;AAChB,WAAO;AAAA,EACT;AAAA,EACA,mBAA4B;AAE1B,WAAO;AAAA,EACT;AAAA,EACA,MAAM,cAAc,EAAE,QAAQ,GAA8B;AAE1D,UAAM,oBAAoB,wBAAwB,OAAO;AACzD,UAAM,mBAAmB,kBAAkB;AAAA,MACzC,OAAK,EAAE,aAAa;AAAA,IACtB;AAEA,QAAI,iBAAiB,SAAS,GAAG;AAC/B,YAAM,eAAe,iBAAiB,IAAI,OAAK,EAAE,IAAI,EAAE,KAAK,IAAI;AAChE;AAAA,QACE,8DAA8D,YAAY;AAAA,MAC5E;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,6CAA6C,YAAY;AAAA,MACpE;AAAA,IACF;AAGA,UAAM,eAAe,kBAAkB,OAAO,OAAK,EAAE,aAAa,MAAM;AACxE,QAAI,aAAa,SAAS,GAAG;AAC3B,YAAM,eAAe,aAAa,IAAI,OAAK,EAAE,IAAI,EAAE,KAAK,IAAI;AAC5D;AAAA,QACE,iEAAiE,YAAY;AAAA,MAC/E;AAAA,IACF;AAEA,UAAM,WAAW,aAAa,OAAO;AACrC,eAAW,OAAO,UAAU;AAC1B,YAAM,QAAQ,IAAI,MAAM,GAAG;AAC3B,YAAM,UAAU,MAAM,CAAC;AAGvB,UAAI,WAAW,gBAAgB,SAAS,QAAQ,YAAY,CAAC,GAAG;AAC9D,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,SAAS,YAAY,OAAO;AAAA,QAC9B;AAAA,MACF;AAIA,UAAI,YAAY,QAAQ,WAAW,GAAG,KAAK,QAAQ,WAAW,IAAI,IAAI;AACpE,cAAM,UAAU,QAAQ,MAAM,GAAG,EAAE,IAAI,GAAG,YAAY;AACtD,YAAI,WAAW,gBAAgB,SAAS,OAAO,GAAG;AAChD,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,SAAS,YAAY,OAAO,qDAAqD,OAAO;AAAA,UAC1F;AAAA,QACF;AAAA,MACF;AAGA,UAAI,YAAY,QAAQ,MAAM,CAAC,GAAG;AAChC,cAAM,YAAY,MAAM,CAAC,EAAG,QAAQ,gBAAgB,EAAE;AACtD,cAAM,gBAAgB,WAAW,SAAS,IACtC,YACA,QAAQ,OAAO,GAAG,SAAS;AAC/B,YACE,CAAC;AAAA,UACC,SAAS,eAAe,GAAG,aAAa;AAAA,UACxC,SAAS,OAAO,GAAG,eAAe,CAAC;AAAA,QACrC,GACA;AACA,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,SAAS,iBAAiB,aAAa,gCAAgC,YAAY,wFAAwF,eAAe,CAAC;AAAA,UAC7L;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAAA,EACA,qBAAqB,EAAE,SAAS,YAAY,GAAG;AAE7C,QAAI,iBAAiB;AACrB,QAAI,QAAQ,SAAS,gBAAiB,GAAG;AACvC,YAAM,QAAQ,QAAQ;AAAA,QACpB;AAAA,MACF;AACA,UAAI,SAAS,MAAM,CAAC,KAAK,MAAM,CAAC,GAAG;AACjC,cAAM,SAAS,MAAM,CAAC;AACtB,cAAM,UAAU,MAAM,CAAC;AACvB,cAAM,SAAS,MAAM,CAAC,KAAK;AAC3B,yBAAiB,GAAG,OAAO,KAAK,CAAC,KAAK,QAAQ,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC;AAAA,MACvE;AAAA,IACF;AAGA,QAAI,aAAa;AACf,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA,EACA,+BAA+B;AAC7B,WAAO,oCAAC,oCAA+B;AAAA,EACzC;AAAA,EAEA,wBAAwB,SAAS;AAC/B,WAAO,oCAAC,yBAAsB,SAAkB,SAAS,OAAO;AAAA,EAClE;AAAA,EACA,yBAAyB,EAAE,aAAa,QAAQ,OAAO,GAAG;AACxD,QAAI,eAAe,OAAO,KAAK;AAC/B,QAAI,aAAa;AACf,UAAI,OAAQ,iBAAgB;AAC5B,sBAAgB;AAAA,IAClB;AACA,UAAM,UAAU,OAAO,KAAK,KAAK;AACjC,WAAO,GAAG,OAAO,KAAK,CAAC,GAAG,UAAU,OAAO,EAAE,GAAG,aAAa,KAAK,CAAC;AAAA,EACrE;AAAA,EACA,OAAO,KACL,EAAE,SAAS,UAAU,MAAQ,oBAAoB,MAAM,GACvD,EAAE,iBAAiB,mBAAmB,GACtC;AAEA,QAAI;AACF,YAAM,EAAE,wBAAwB,IAAI,MAAM,OAAO,eAAe;AAChE,YAAM,gBAAgB,wBAAwB;AAC9C,UAAI,cAAc,SAAS,SAAS;AAClC,cAAM,EAAE,qBAAqB,IAAI,MAAM,OAAO,mBAAmB;AACjE,cAAM,UAAU,qBAAqB,OAAO,CAAC;AAC7C,YAAI,MAAM,QAAQ,YAAY,GAAG;AAC/B,gBAAM,aAAa,MAAM,QAAQ,gBAAgB,OAAO;AACxD,cAAI,CAAC,WAAW,OAAO;AACrB,kBAAM,SAAS,WAAW,WACvB,IAAI,OAAK,EAAE,WAAW,EAAE,IAAI,EAC5B,KAAK,IAAI;AACZ,kBAAM,OAAY;AAAA,cAChB,QAAQ;AAAA,cACR,aAAa;AAAA,cACb,QAAQ,sBAAsB,UAAU,mCAAmC;AAAA,cAC3E,aAAa;AAAA,cACb,aAAa;AAAA,YACf;AACA,kBAAM;AAAA,cACJ,MAAM;AAAA,cACN,oBAAoB,oBAAoB,MAAM;AAAA,cAC9C;AAAA,YACF;AACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,QAAQ;AAAA,IAER;AAGA,QAAI,mBAAmB;AACrB,YAAM,UAAU,uBAAuB,YAAY,EAAE;AAAA,QACnD;AAAA,QACA,OAAO;AAAA,MACT;AAEA,YAAM,OAAY;AAAA,QAChB,QAAQ,qCAAqC,OAAO;AAAA,QACpD,aAAa;AAAA,QACb,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,aAAa;AAAA,QACb;AAAA,MACF;AAEA,YAAM;AAAA,QACJ,MAAM;AAAA,QACN,oBAAoB,6BAA6B,OAAO;AAAA,WAAc,OAAO;AAAA,QAC7E;AAAA,MACF;AACA;AAAA,IACF;AAEA,QAAI,SAAS;AACb,QAAI,SAAS;AAIb,QAAI,cAAc;AAGlB,QAAI,gBAAgB,OAAO,SAAS;AAClC,YAAM,OAAY;AAAA,QAChB,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,aAAa;AAAA,MACf;AAEA,YAAM;AAAA,QACJ,MAAM;AAAA,QACN,oBAAoB,KAAK,yBAAyB,IAAI;AAAA,QACtD;AAAA,MACF;AACA;AAAA,IACF;AAEA,QAAI;AAEF,UAAI,SAAiC;AACrC,UAAI,iBAAiB;AACrB,UAAI,iBAAiB;AAGrB,YAAM,qBAAqB,gBAAgB,YAAY,EAAE;AAAA,QACvD;AAAA,QACA,gBAAgB;AAAA,QAChB;AAAA,MACF;AAEA,uBAAiB,SAAS,oBAAoB;AAC5C,YAAI,MAAM,SAAS,SAAS;AAE1B,cAAI,MAAM,QAAQ;AAChB,8BAAkB,MAAM;AAAA,UAC1B;AACA,cAAI,MAAM,QAAQ;AAChB,8BAAkB,MAAM;AAAA,UAC1B;AAIA,gBAAM;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,cACP,MAAM;AAAA,cACN,UAAU;AAAA,cACV,QAAQ;AAAA,cACR,QAAQ;AAAA,cACR,aAAa;AAAA,YACf;AAAA,UACF;AAAA,QACF,WAAW,MAAM,SAAS,UAAU;AAElC,mBAAS;AAAA,QACX;AAAA,MACF;AAGA,UAAI,CAAC,QAAQ;AACX,iBAAS;AAAA,UACP,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,MACF;AAEA,iBAAW,OAAO,UAAU,IAAI,KAAK,IAAI;AACzC,iBAAW,OAAO,UAAU,IAAI,KAAK,IAAI;AACzC,UAAI,OAAO,SAAS,GAAG;AACrB,kBAAU,aAAa,OAAO,IAAI;AAAA,MACpC;AAEA,UAAI,CAAC,cAAc,OAAO,GAAG,eAAe,CAAC,GAAG;AAE9C,cAAM,gBAAgB,YAAY,EAAE,OAAO,eAAe,CAAC;AAC3D,iBAAS,GAAG,OAAO,KAAK,CAAC,GAAG,GAAG,0BAA0B,eAAe,CAAC;AAAA,MAC3E;AAMA,UAAI,QAAQ,IAAI,aAAa,QAAQ;AACnC,4BAAoB,SAAS,MAAM,EAAE,KAAK,eAAa;AAGrD,cAAI,aAAa;AACf;AAAA,UACF;AAEA,qBAAW,YAAY,WAAW;AAChC,kBAAM,eAAe,WAAW,QAAQ,IACpC,WACA,QAAQ,OAAO,GAAG,QAAQ;AAG9B,gBAAI;AACF,iCAAmB,YAAY,IAAI,SAAS,YAAY,EAAE;AAAA,YAC5D,SAAS,GAAG;AACV,uBAAS,CAAC;AAAA,YACZ;AAAA,UACF;AAAA,QACF,CAAC;AAAA,MACH;AAEA,YAAM,EAAE,YAAY,aAAa,kBAAkB,cAAc,IAC/D,aAAa,OAAO,KAAK,CAAC;AAC5B,YAAM,EAAE,YAAY,aAAa,kBAAkB,cAAc,IAC/D,aAAa,OAAO,KAAK,CAAC;AAE5B,YAAM,OAAY;AAAA,QAChB,QAAQ;AAAA,QACR;AAAA,QACA,QAAQ;AAAA,QACR;AAAA,QACA,aAAa,OAAO;AAAA,MACtB;AAEA,YAAM;AAAA,QACJ,MAAM;AAAA,QACN,oBAAoB,KAAK,yBAAyB,IAAI;AAAA,QACtD;AAAA,MACF;AAAA,IACF,SAAS,OAAO;AAEd,YAAM,YAAY,gBAAgB,OAAO;AACzC,YAAM,eAAe,YACjB,kCACA,mBAAmB,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAE7E,YAAM,OAAY;AAAA,QAChB,QAAQ,OAAO,KAAK;AAAA,QACpB,aAAa,OAAO,MAAM,IAAI,EAAE;AAAA,QAChC,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,aAAa;AAAA,MACf;AAEA,YAAM;AAAA,QACJ,MAAM;AAAA,QACN,oBAAoB,KAAK,yBAAyB,IAAI;AAAA,QACtD;AAAA,MACF;AAAA,IACF,UAAE;AAIA,oBAAc;AAAA,IAChB;AAAA,EACF;AACF;",
+  "sourcesContent": ["import { statSync } from 'fs'\nimport { EOL } from 'os'\nimport { isAbsolute, relative, resolve } from 'path'\nimport * as React from 'react'\nimport { z } from 'zod'\nimport { FallbackToolUseRejectedMessage } from '@components/FallbackToolUseRejectedMessage'\nimport { PRODUCT_NAME } from '@constants/product'\nimport { queryQuick } from '@services/claude'\nimport { Tool, ValidationResult } from '@tool'\nimport { splitCommand } from '@utils/commands'\nimport { isInDirectory } from '@utils/file'\nimport { logError } from '@utils/log'\nimport {\n  PersistentShell,\n  type StreamingYield,\n  type StreamingResult,\n} from '@utils/PersistentShell'\nimport { getCwd, getOriginalCwd } from '@utils/state'\nimport { getGlobalConfig } from '@utils/config'\nimport { getModelManager } from '@utils/model'\nimport { BackgroundShellManager } from '@utils/BackgroundShellManager'\nimport BashToolResultMessage from './BashToolResultMessage'\nimport {\n  BANNED_COMMANDS,\n  PROMPT,\n  matchesDangerousPattern,\n  detectDangerousPatterns,\n} from './prompt'\nimport { formatOutput, getCommandFilePaths, summarizeBashOutput } from './utils'\n\nexport const inputSchema = z.strictObject({\n  command: z.string().describe('The command to execute'),\n  timeout: z\n    .number()\n    .optional()\n    .describe('Optional timeout in milliseconds (max 600000)'),\n  run_in_background: z\n    .boolean()\n    .optional()\n    .describe('Set to true to run this command in the background'),\n  description: z\n    .string()\n    .optional()\n    .describe(\n      `Clear, concise description of what this command does in active voice. Never use words like \"complex\" or \"risk\" in the description - just describe what it does.\n\nFor simple commands (git, npm, standard CLI tools), keep it brief (5-10 words):\n- ls \u2192 \"List files in current directory\"\n- git status \u2192 \"Show working tree status\"\n- npm install \u2192 \"Install package dependencies\"\n\nFor commands that are harder to parse at a glance (piped commands, obscure flags, etc.), add enough context to clarify what it does:\n- find . -name \"*.tmp\" -exec rm {} \\\\; \u2192 \"Find and delete all .tmp files recursively\"\n- git reset --hard origin/main \u2192 \"Discard all local changes and match remote main\"\n- curl -s url | jq '.data[]' \u2192 \"Fetch JSON from URL and extract data array elements\"`,\n    ),\n})\n\ntype In = typeof inputSchema\nexport type Out = {\n  stdout: string\n  stdoutLines: number // Total number of lines in original stdout, even if `stdout` is now truncated\n  stderr: string\n  stderrLines: number // Total number of lines in original stderr, even if `stderr` is now truncated\n  interrupted: boolean\n  shellId?: string // Present if run_in_background is true\n}\n\nexport const BashTool = {\n  name: 'Bash',\n  async description() {\n    return 'Executes shell commands on your computer'\n  },\n  async prompt() {\n    const config = getGlobalConfig()\n    // \uD83D\uDD27 Fix: Use ModelManager to get actual current model\n    const modelManager = getModelManager()\n    const modelName =\n      modelManager.getModelName('main') || '<No Model Configured>'\n    // Substitute the placeholder in the static PROMPT string\n    return PROMPT.replace(/{MODEL_NAME}/g, modelName)\n  },\n  isReadOnly() {\n    return false\n  },\n  isConcurrencySafe() {\n    return false // BashTool modifies state/files, not safe for concurrent execution\n  },\n  inputSchema,\n  userFacingName() {\n    return 'Bash'\n  },\n  async isEnabled() {\n    return true\n  },\n  needsPermissions(): boolean {\n    // Always check per-project permissions for BashTool\n    return true\n  },\n  async validateInput({ command }, context?): Promise<ValidationResult> {\n    // === Phase 1: Always-enforced safety (even with bypassPermissions) ===\n\n    // 1. Critical dangerous patterns (fork bombs, rm -rf /, eval injection...)\n    const dangerousPatterns = detectDangerousPatterns(command)\n    const criticalPatterns = dangerousPatterns.filter(\n      p => p.severity === 'critical',\n    )\n\n    if (criticalPatterns.length > 0) {\n      const patternNames = criticalPatterns.map(p => p.name).join(', ')\n      logError(\n        `SECURITY: Critical dangerous patterns detected in command: ${patternNames}`,\n      )\n      return {\n        result: false,\n        message: `Command contains critical security risks: ${patternNames}. This command has been blocked for security reasons.`,\n      }\n    }\n\n    // 2. Directory sandboxing \u2014 cd must stay within originalCwd\n    const commands = splitCommand(command)\n    for (const cmd of commands) {\n      const parts = cmd.split(' ')\n      const baseCmd = parts[0]\n\n      // Block cd, pushd, and popd that escape the sandbox directory\n      if ((baseCmd === 'cd' || baseCmd === 'pushd') && parts[1]) {\n        const targetDir = parts[1]!.replace(/^['\"]|['\"]$/g, '') // Remove quotes if present\n        const fullTargetDir = isAbsolute(targetDir)\n          ? targetDir\n          : resolve(getCwd(), targetDir)\n        if (\n          !isInDirectory(\n            relative(getOriginalCwd(), fullTargetDir),\n            relative(getCwd(), getOriginalCwd()),\n          )\n        ) {\n          return {\n            result: false,\n            message: `ERROR: ${baseCmd} to '${fullTargetDir}' was blocked. For security, ${PRODUCT_NAME} may only change directories to child directories of the original working directory (${getOriginalCwd()}) for this session.`,\n          }\n        }\n      }\n\n      // Block popd as it can restore directories outside the sandbox\n      if (baseCmd === 'popd') {\n        return {\n          result: false,\n          message: `ERROR: popd is blocked. For security, ${PRODUCT_NAME} does not allow popd as it could navigate outside the original working directory (${getOriginalCwd()}).`,\n        }\n      }\n    }\n\n    // === Phase 2: Permission-gated checks (skipped for team agents / acceptEdits) ===\n    // Team agents and acceptEdits mode: skip interactive confirmation for banned\n    // commands and high-severity warnings, but Phase 1 critical patterns and\n    // directory sandboxing are ALWAYS enforced above.\n    const pm = context?.options?.permissionMode\n    if (pm === 'bypassPermissions') {\n      return { result: true }\n    }\n\n    // 3. High-severity pattern warnings (non-blocking)\n    const highPatterns = dangerousPatterns.filter(p => p.severity === 'high')\n    if (highPatterns.length > 0) {\n      const patternNames = highPatterns.map(p => p.name).join(', ')\n      logError(\n        `SECURITY WARNING: High-severity patterns detected in command: ${patternNames}. User confirmation required.`,\n      )\n    }\n\n    // 4. BANNED_COMMANDS check (only for non-team agents)\n    // Check each pipe segment independently to prevent bypass via piping\n    for (const cmd of commands) {\n      const pipeSegments = cmd.split(/\\s*\\|\\s*/)\n      for (const segment of pipeSegments) {\n        const trimmed = segment.trim()\n        if (!trimmed) continue\n        const baseCmd = trimmed.split(/\\s+/)[0]\n\n        if (baseCmd && BANNED_COMMANDS.includes(baseCmd.toLowerCase())) {\n          return {\n            result: false,\n            message: `Command '${baseCmd}' is not allowed for security reasons`,\n          }\n        }\n\n        // Also check for commands that might be invoked with full path\n        // e.g., /usr/bin/curl, /bin/rm\n        if (baseCmd && (baseCmd.startsWith('/') || baseCmd.startsWith('./'))) {\n          const cmdName = baseCmd.split('/').pop()?.toLowerCase()\n          if (cmdName && BANNED_COMMANDS.includes(cmdName)) {\n            return {\n              result: false,\n              message: `Command '${cmdName}' is not allowed for security reasons (full path: ${baseCmd})`,\n            }\n          }\n        }\n      }\n    }\n\n    return { result: true }\n  },\n  renderToolUseMessage({ command, description }) {\n    // Clean up any command that uses the quoted HEREDOC pattern\n    let displayCommand = command\n    if (command.includes(\"\\\"$(cat <<'EOF'\")) {\n      const match = command.match(\n        /^(.*?)\"?\\$\\(cat <<'EOF'\\n([\\s\\S]*?)\\n\\s*EOF\\n\\s*\\)\"(.*)$/,\n      )\n      if (match && match[1] && match[2]) {\n        const prefix = match[1]\n        const content = match[2]\n        const suffix = match[3] || ''\n        displayCommand = `${prefix.trim()} \"${content.trim()}\"${suffix.trim()}`\n      }\n    }\n\n    // If description is provided, show it instead of (or alongside) the command\n    if (description) {\n      return description\n    }\n\n    return displayCommand\n  },\n  renderToolUseRejectedMessage() {\n    return <FallbackToolUseRejectedMessage />\n  },\n\n  renderToolResultMessage(content) {\n    return <BashToolResultMessage content={content} verbose={false} />\n  },\n  renderResultForAssistant({ interrupted, stdout, stderr }) {\n    let errorMessage = stderr.trim()\n    if (interrupted) {\n      if (stderr) errorMessage += EOL\n      errorMessage += '<error>Command was aborted before completion</error>'\n    }\n    const hasBoth = stdout.trim() && errorMessage\n    return `${stdout.trim()}${hasBoth ? '\\n' : ''}${errorMessage.trim()}`\n  },\n  async *call(\n    { command, timeout = 120000, run_in_background = false },\n    { abortController, readFileTimestamps },\n  ) {\n    // Sandbox pre-validation (if enabled)\n    try {\n      const { getCurrentProjectConfig } = await import('@utils/config')\n      const projectConfig = getCurrentProjectConfig()\n      if (projectConfig.sandbox?.enabled) {\n        const { getSandboxController } = await import('@services/sandbox')\n        const sandbox = getSandboxController(getCwd())\n        if (await sandbox.isAvailable()) {\n          const validation = await sandbox.validateCommand(command)\n          if (!validation.valid) {\n            const reason = validation.violations\n              .map(v => v.details || v.type)\n              .join('; ')\n            const data: Out = {\n              stdout: '',\n              stdoutLines: 0,\n              stderr: `Sandbox violation: ${reason || 'Command blocked by sandbox policy'}`,\n              stderrLines: 1,\n              interrupted: false,\n            }\n            yield {\n              type: 'result',\n              resultForAssistant: `Sandbox blocked: ${reason}`,\n              data,\n            }\n            return\n          }\n        }\n      }\n    } catch {\n      // Sandbox not available or error - continue without it\n    }\n\n    // Handle background execution\n    if (run_in_background) {\n      const shellId = BackgroundShellManager.getInstance().create(\n        command,\n        getCwd(),\n      )\n\n      const data: Out = {\n        stdout: `Background shell started with ID: ${shellId}`,\n        stdoutLines: 1,\n        stderr: '',\n        stderrLines: 0,\n        interrupted: false,\n        shellId,\n      }\n\n      yield {\n        type: 'result',\n        resultForAssistant: `Started background shell: ${shellId}\\nCommand: ${command}`,\n        data,\n      }\n      return\n    }\n\n    let stdout = ''\n    let stderr = ''\n\n    // \uD83D\uDD27 CRITICAL FIX: Track whether this tool invocation has completed\n    // to prevent async callbacks from accessing stale context\n    let isCompleted = false\n\n    // \uD83D\uDD27 Check if already cancelled before starting execution\n    if (abortController.signal.aborted) {\n      const data: Out = {\n        stdout: '',\n        stdoutLines: 0,\n        stderr: 'Command cancelled before execution',\n        stderrLines: 1,\n        interrupted: true,\n      }\n\n      yield {\n        type: 'result',\n        resultForAssistant: this.renderResultForAssistant(data),\n        data,\n      }\n      return\n    }\n\n    try {\n      // Execute commands with streaming output\n      let result: StreamingResult | null = null\n      let streamedStdout = ''\n      let streamedStderr = ''\n\n      // Use streaming execution for real-time output\n      const streamingGenerator = PersistentShell.getInstance().execStreaming(\n        command,\n        abortController.signal,\n        timeout,\n      )\n\n      for await (const chunk of streamingGenerator) {\n        if (chunk.type === 'chunk') {\n          // Accumulate streamed output\n          if (chunk.stdout) {\n            streamedStdout += chunk.stdout\n          }\n          if (chunk.stderr) {\n            streamedStderr += chunk.stderr\n          }\n\n          // Yield progress update for real-time UI feedback\n          // Use StreamingProgressContent format for proper rendering\n          yield {\n            type: 'progress',\n            content: {\n              type: 'streaming',\n              toolName: 'Bash',\n              stdout: streamedStdout,\n              stderr: streamedStderr,\n              isStreaming: true,\n            },\n          }\n        } else if (chunk.type === 'result') {\n          // Final result\n          result = chunk\n        }\n      }\n\n      // Use the final result (or construct from streamed data)\n      if (!result) {\n        result = {\n          type: 'result',\n          stdout: streamedStdout,\n          stderr: streamedStderr,\n          code: 0,\n          interrupted: false,\n        }\n      }\n\n      stdout += (result.stdout || '').trim() + EOL\n      stderr += (result.stderr || '').trim() + EOL\n      if (result.code !== 0) {\n        stderr += `Exit code ${result.code}`\n      }\n\n      if (!isInDirectory(getCwd(), getOriginalCwd())) {\n        // Shell directory is outside original working directory, reset it\n        await PersistentShell.getInstance().setCwd(getOriginalCwd())\n        stderr = `${stderr.trim()}${EOL}Shell cwd was reset to ${getOriginalCwd()}`\n      }\n\n      // Update read timestamps for any files referenced by the command\n      // Don't block the main thread!\n      // Skip this in tests because it makes fixtures non-deterministic (they might not always get written),\n      // so will be missing in CI.\n      if (process.env.NODE_ENV !== 'test') {\n        getCommandFilePaths(command, stdout).then(filePaths => {\n          // \uD83D\uDD27 CRITICAL FIX: Check if tool invocation has already completed\n          // to prevent accessing potentially stale context\n          if (isCompleted) {\n            return // Tool has finished, don't access readFileTimestamps\n          }\n\n          for (const filePath of filePaths) {\n            const fullFilePath = isAbsolute(filePath)\n              ? filePath\n              : resolve(getCwd(), filePath)\n\n            // Try/catch in case the file doesn't exist (because Haiku didn't properly extract it)\n            try {\n              readFileTimestamps[fullFilePath] = statSync(fullFilePath).mtimeMs\n            } catch (e) {\n              logError(e)\n            }\n          }\n        })\n      }\n\n      // Summarize large output if enabled (opt-in via config or env var)\n      const summarized = await summarizeBashOutput(\n        command,\n        stdout.trim(),\n        stderr.trim(),\n      )\n\n      const { totalLines: stdoutLines, truncatedContent: stdoutContent } =\n        formatOutput(summarized.stdout)\n      const { totalLines: stderrLines, truncatedContent: stderrContent } =\n        formatOutput(summarized.stderr)\n\n      const data: Out = {\n        stdout: stdoutContent,\n        stdoutLines,\n        stderr: stderrContent,\n        stderrLines,\n        interrupted: result.interrupted,\n      }\n\n      yield {\n        type: 'result',\n        resultForAssistant: this.renderResultForAssistant(data),\n        data,\n      }\n    } catch (error) {\n      // \uD83D\uDD27 Handle cancellation or other errors properly\n      const isAborted = abortController.signal.aborted\n      const errorMessage = isAborted\n        ? 'Command was cancelled by user'\n        : `Command failed: ${error instanceof Error ? error.message : String(error)}`\n\n      const data: Out = {\n        stdout: stdout.trim(),\n        stdoutLines: stdout.split('\\n').length,\n        stderr: errorMessage,\n        stderrLines: 1,\n        interrupted: isAborted,\n      }\n\n      yield {\n        type: 'result',\n        resultForAssistant: this.renderResultForAssistant(data),\n        data,\n      }\n    } finally {\n      // \uD83D\uDD27 CRITICAL FIX: Mark tool invocation as completed\n      // This prevents async callbacks (like getCommandFilePaths) from\n      // accessing potentially stale context after this tool returns\n      isCompleted = true\n    }\n  },\n} satisfies Tool\n"],
+  "mappings": "AAAA,SAAS,gBAAgB;AACzB,SAAS,WAAW;AACpB,SAAS,YAAY,UAAU,eAAe;AAC9C,YAAY,WAAW;AACvB,SAAS,SAAS;AAClB,SAAS,sCAAsC;AAC/C,SAAS,oBAAoB;AAG7B,SAAS,oBAAoB;AAC7B,SAAS,qBAAqB;AAC9B,SAAS,gBAAgB;AACzB;AAAA,EACE;AAAA,OAGK;AACP,SAAS,QAAQ,sBAAsB;AACvC,SAAS,uBAAuB;AAChC,SAAS,uBAAuB;AAChC,SAAS,8BAA8B;AACvC,OAAO,2BAA2B;AAClC;AAAA,EACE;AAAA,EACA;AAAA,EAEA;AAAA,OACK;AACP,SAAS,cAAc,qBAAqB,2BAA2B;AAEhE,MAAM,cAAc,EAAE,aAAa;AAAA,EACxC,SAAS,EAAE,OAAO,EAAE,SAAS,wBAAwB;AAAA,EACrD,SAAS,EACN,OAAO,EACP,SAAS,EACT,SAAS,+CAA+C;AAAA,EAC3D,mBAAmB,EAChB,QAAQ,EACR,SAAS,EACT,SAAS,mDAAmD;AAAA,EAC/D,aAAa,EACV,OAAO,EACP,SAAS,EACT;AAAA,IACC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWF;AACJ,CAAC;AAYM,MAAM,WAAW;AAAA,EACtB,MAAM;AAAA,EACN,MAAM,cAAc;AAClB,WAAO;AAAA,EACT;AAAA,EACA,MAAM,SAAS;AACb,UAAM,SAAS,gBAAgB;AAE/B,UAAM,eAAe,gBAAgB;AACrC,UAAM,YACJ,aAAa,aAAa,MAAM,KAAK;AAEvC,WAAO,OAAO,QAAQ,iBAAiB,SAAS;AAAA,EAClD;AAAA,EACA,aAAa;AACX,WAAO;AAAA,EACT;AAAA,EACA,oBAAoB;AAClB,WAAO;AAAA,EACT;AAAA,EACA;AAAA,EACA,iBAAiB;AACf,WAAO;AAAA,EACT;AAAA,EACA,MAAM,YAAY;AAChB,WAAO;AAAA,EACT;AAAA,EACA,mBAA4B;AAE1B,WAAO;AAAA,EACT;AAAA,EACA,MAAM,cAAc,EAAE,QAAQ,GAAG,SAAqC;AAIpE,UAAM,oBAAoB,wBAAwB,OAAO;AACzD,UAAM,mBAAmB,kBAAkB;AAAA,MACzC,OAAK,EAAE,aAAa;AAAA,IACtB;AAEA,QAAI,iBAAiB,SAAS,GAAG;AAC/B,YAAM,eAAe,iBAAiB,IAAI,OAAK,EAAE,IAAI,EAAE,KAAK,IAAI;AAChE;AAAA,QACE,8DAA8D,YAAY;AAAA,MAC5E;AACA,aAAO;AAAA,QACL,QAAQ;AAAA,QACR,SAAS,6CAA6C,YAAY;AAAA,MACpE;AAAA,IACF;AAGA,UAAM,WAAW,aAAa,OAAO;AACrC,eAAW,OAAO,UAAU;AAC1B,YAAM,QAAQ,IAAI,MAAM,GAAG;AAC3B,YAAM,UAAU,MAAM,CAAC;AAGvB,WAAK,YAAY,QAAQ,YAAY,YAAY,MAAM,CAAC,GAAG;AACzD,cAAM,YAAY,MAAM,CAAC,EAAG,QAAQ,gBAAgB,EAAE;AACtD,cAAM,gBAAgB,WAAW,SAAS,IACtC,YACA,QAAQ,OAAO,GAAG,SAAS;AAC/B,YACE,CAAC;AAAA,UACC,SAAS,eAAe,GAAG,aAAa;AAAA,UACxC,SAAS,OAAO,GAAG,eAAe,CAAC;AAAA,QACrC,GACA;AACA,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,SAAS,UAAU,OAAO,QAAQ,aAAa,gCAAgC,YAAY,wFAAwF,eAAe,CAAC;AAAA,UACrM;AAAA,QACF;AAAA,MACF;AAGA,UAAI,YAAY,QAAQ;AACtB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,SAAS,yCAAyC,YAAY,qFAAqF,eAAe,CAAC;AAAA,QACrK;AAAA,MACF;AAAA,IACF;AAMA,UAAM,KAAK,SAAS,SAAS;AAC7B,QAAI,OAAO,qBAAqB;AAC9B,aAAO,EAAE,QAAQ,KAAK;AAAA,IACxB;AAGA,UAAM,eAAe,kBAAkB,OAAO,OAAK,EAAE,aAAa,MAAM;AACxE,QAAI,aAAa,SAAS,GAAG;AAC3B,YAAM,eAAe,aAAa,IAAI,OAAK,EAAE,IAAI,EAAE,KAAK,IAAI;AAC5D;AAAA,QACE,iEAAiE,YAAY;AAAA,MAC/E;AAAA,IACF;AAIA,eAAW,OAAO,UAAU;AAC1B,YAAM,eAAe,IAAI,MAAM,UAAU;AACzC,iBAAW,WAAW,cAAc;AAClC,cAAM,UAAU,QAAQ,KAAK;AAC7B,YAAI,CAAC,QAAS;AACd,cAAM,UAAU,QAAQ,MAAM,KAAK,EAAE,CAAC;AAEtC,YAAI,WAAW,gBAAgB,SAAS,QAAQ,YAAY,CAAC,GAAG;AAC9D,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,SAAS,YAAY,OAAO;AAAA,UAC9B;AAAA,QACF;AAIA,YAAI,YAAY,QAAQ,WAAW,GAAG,KAAK,QAAQ,WAAW,IAAI,IAAI;AACpE,gBAAM,UAAU,QAAQ,MAAM,GAAG,EAAE,IAAI,GAAG,YAAY;AACtD,cAAI,WAAW,gBAAgB,SAAS,OAAO,GAAG;AAChD,mBAAO;AAAA,cACL,QAAQ;AAAA,cACR,SAAS,YAAY,OAAO,qDAAqD,OAAO;AAAA,YAC1F;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,QAAQ,KAAK;AAAA,EACxB;AAAA,EACA,qBAAqB,EAAE,SAAS,YAAY,GAAG;AAE7C,QAAI,iBAAiB;AACrB,QAAI,QAAQ,SAAS,gBAAiB,GAAG;AACvC,YAAM,QAAQ,QAAQ;AAAA,QACpB;AAAA,MACF;AACA,UAAI,SAAS,MAAM,CAAC,KAAK,MAAM,CAAC,GAAG;AACjC,cAAM,SAAS,MAAM,CAAC;AACtB,cAAM,UAAU,MAAM,CAAC;AACvB,cAAM,SAAS,MAAM,CAAC,KAAK;AAC3B,yBAAiB,GAAG,OAAO,KAAK,CAAC,KAAK,QAAQ,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC;AAAA,MACvE;AAAA,IACF;AAGA,QAAI,aAAa;AACf,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA,EACA,+BAA+B;AAC7B,WAAO,oCAAC,oCAA+B;AAAA,EACzC;AAAA,EAEA,wBAAwB,SAAS;AAC/B,WAAO,oCAAC,yBAAsB,SAAkB,SAAS,OAAO;AAAA,EAClE;AAAA,EACA,yBAAyB,EAAE,aAAa,QAAQ,OAAO,GAAG;AACxD,QAAI,eAAe,OAAO,KAAK;AAC/B,QAAI,aAAa;AACf,UAAI,OAAQ,iBAAgB;AAC5B,sBAAgB;AAAA,IAClB;AACA,UAAM,UAAU,OAAO,KAAK,KAAK;AACjC,WAAO,GAAG,OAAO,KAAK,CAAC,GAAG,UAAU,OAAO,EAAE,GAAG,aAAa,KAAK,CAAC;AAAA,EACrE;AAAA,EACA,OAAO,KACL,EAAE,SAAS,UAAU,MAAQ,oBAAoB,MAAM,GACvD,EAAE,iBAAiB,mBAAmB,GACtC;AAEA,QAAI;AACF,YAAM,EAAE,wBAAwB,IAAI,MAAM,OAAO,eAAe;AAChE,YAAM,gBAAgB,wBAAwB;AAC9C,UAAI,cAAc,SAAS,SAAS;AAClC,cAAM,EAAE,qBAAqB,IAAI,MAAM,OAAO,mBAAmB;AACjE,cAAM,UAAU,qBAAqB,OAAO,CAAC;AAC7C,YAAI,MAAM,QAAQ,YAAY,GAAG;AAC/B,gBAAM,aAAa,MAAM,QAAQ,gBAAgB,OAAO;AACxD,cAAI,CAAC,WAAW,OAAO;AACrB,kBAAM,SAAS,WAAW,WACvB,IAAI,OAAK,EAAE,WAAW,EAAE,IAAI,EAC5B,KAAK,IAAI;AACZ,kBAAM,OAAY;AAAA,cAChB,QAAQ;AAAA,cACR,aAAa;AAAA,cACb,QAAQ,sBAAsB,UAAU,mCAAmC;AAAA,cAC3E,aAAa;AAAA,cACb,aAAa;AAAA,YACf;AACA,kBAAM;AAAA,cACJ,MAAM;AAAA,cACN,oBAAoB,oBAAoB,MAAM;AAAA,cAC9C;AAAA,YACF;AACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,QAAQ;AAAA,IAER;AAGA,QAAI,mBAAmB;AACrB,YAAM,UAAU,uBAAuB,YAAY,EAAE;AAAA,QACnD;AAAA,QACA,OAAO;AAAA,MACT;AAEA,YAAM,OAAY;AAAA,QAChB,QAAQ,qCAAqC,OAAO;AAAA,QACpD,aAAa;AAAA,QACb,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,aAAa;AAAA,QACb;AAAA,MACF;AAEA,YAAM;AAAA,QACJ,MAAM;AAAA,QACN,oBAAoB,6BAA6B,OAAO;AAAA,WAAc,OAAO;AAAA,QAC7E;AAAA,MACF;AACA;AAAA,IACF;AAEA,QAAI,SAAS;AACb,QAAI,SAAS;AAIb,QAAI,cAAc;AAGlB,QAAI,gBAAgB,OAAO,SAAS;AAClC,YAAM,OAAY;AAAA,QAChB,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,aAAa;AAAA,MACf;AAEA,YAAM;AAAA,QACJ,MAAM;AAAA,QACN,oBAAoB,KAAK,yBAAyB,IAAI;AAAA,QACtD;AAAA,MACF;AACA;AAAA,IACF;AAEA,QAAI;AAEF,UAAI,SAAiC;AACrC,UAAI,iBAAiB;AACrB,UAAI,iBAAiB;AAGrB,YAAM,qBAAqB,gBAAgB,YAAY,EAAE;AAAA,QACvD;AAAA,QACA,gBAAgB;AAAA,QAChB;AAAA,MACF;AAEA,uBAAiB,SAAS,oBAAoB;AAC5C,YAAI,MAAM,SAAS,SAAS;AAE1B,cAAI,MAAM,QAAQ;AAChB,8BAAkB,MAAM;AAAA,UAC1B;AACA,cAAI,MAAM,QAAQ;AAChB,8BAAkB,MAAM;AAAA,UAC1B;AAIA,gBAAM;AAAA,YACJ,MAAM;AAAA,YACN,SAAS;AAAA,cACP,MAAM;AAAA,cACN,UAAU;AAAA,cACV,QAAQ;AAAA,cACR,QAAQ;AAAA,cACR,aAAa;AAAA,YACf;AAAA,UACF;AAAA,QACF,WAAW,MAAM,SAAS,UAAU;AAElC,mBAAS;AAAA,QACX;AAAA,MACF;AAGA,UAAI,CAAC,QAAQ;AACX,iBAAS;AAAA,UACP,MAAM;AAAA,UACN,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,aAAa;AAAA,QACf;AAAA,MACF;AAEA,iBAAW,OAAO,UAAU,IAAI,KAAK,IAAI;AACzC,iBAAW,OAAO,UAAU,IAAI,KAAK,IAAI;AACzC,UAAI,OAAO,SAAS,GAAG;AACrB,kBAAU,aAAa,OAAO,IAAI;AAAA,MACpC;AAEA,UAAI,CAAC,cAAc,OAAO,GAAG,eAAe,CAAC,GAAG;AAE9C,cAAM,gBAAgB,YAAY,EAAE,OAAO,eAAe,CAAC;AAC3D,iBAAS,GAAG,OAAO,KAAK,CAAC,GAAG,GAAG,0BAA0B,eAAe,CAAC;AAAA,MAC3E;AAMA,UAAI,QAAQ,IAAI,aAAa,QAAQ;AACnC,4BAAoB,SAAS,MAAM,EAAE,KAAK,eAAa;AAGrD,cAAI,aAAa;AACf;AAAA,UACF;AAEA,qBAAW,YAAY,WAAW;AAChC,kBAAM,eAAe,WAAW,QAAQ,IACpC,WACA,QAAQ,OAAO,GAAG,QAAQ;AAG9B,gBAAI;AACF,iCAAmB,YAAY,IAAI,SAAS,YAAY,EAAE;AAAA,YAC5D,SAAS,GAAG;AACV,uBAAS,CAAC;AAAA,YACZ;AAAA,UACF;AAAA,QACF,CAAC;AAAA,MACH;AAGA,YAAM,aAAa,MAAM;AAAA,QACvB;AAAA,QACA,OAAO,KAAK;AAAA,QACZ,OAAO,KAAK;AAAA,MACd;AAEA,YAAM,EAAE,YAAY,aAAa,kBAAkB,cAAc,IAC/D,aAAa,WAAW,MAAM;AAChC,YAAM,EAAE,YAAY,aAAa,kBAAkB,cAAc,IAC/D,aAAa,WAAW,MAAM;AAEhC,YAAM,OAAY;AAAA,QAChB,QAAQ;AAAA,QACR;AAAA,QACA,QAAQ;AAAA,QACR;AAAA,QACA,aAAa,OAAO;AAAA,MACtB;AAEA,YAAM;AAAA,QACJ,MAAM;AAAA,QACN,oBAAoB,KAAK,yBAAyB,IAAI;AAAA,QACtD;AAAA,MACF;AAAA,IACF,SAAS,OAAO;AAEd,YAAM,YAAY,gBAAgB,OAAO;AACzC,YAAM,eAAe,YACjB,kCACA,mBAAmB,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAE7E,YAAM,OAAY;AAAA,QAChB,QAAQ,OAAO,KAAK;AAAA,QACpB,aAAa,OAAO,MAAM,IAAI,EAAE;AAAA,QAChC,QAAQ;AAAA,QACR,aAAa;AAAA,QACb,aAAa;AAAA,MACf;AAEA,YAAM;AAAA,QACJ,MAAM;AAAA,QACN,oBAAoB,KAAK,yBAAyB,IAAI;AAAA,QACtD;AAAA,MACF;AAAA,IACF,UAAE;AAIA,oBAAc;AAAA,IAChB;AAAA,EACF;AACF;",
   "names": []
 }

package/dist/tools/BashTool/prompt.js

@@ -1,9 +1,7 @@
 import { PRODUCT_NAME, PRODUCT_URL } from "../../constants/product.js";
 import { TOOL_NAME as TASK_TOOL_NAME } from "../TaskTool/constants.js";
-import { FileReadTool } from "../FileReadTool/FileReadTool.js";
 import { TOOL_NAME_FOR_PROMPT as GLOB_TOOL_NAME } from "../GlobTool/prompt.js";
 import { TOOL_NAME_FOR_PROMPT as GREP_TOOL_NAME } from "../GrepTool/prompt.js";
-import { LSTool } from "../lsTool/lsTool.js";
 const MAX_OUTPUT_LENGTH = 3e4;
 const MAX_RENDERED_LINES = 5;
 const BANNED_COMMANDS = [
@@ -105,6 +103,12 @@ const BANNED_COMMANDS = [
   "alias",
   "unalias",
   "function",
+  // Shell builtin bypass - can invoke banned commands by bypassing aliases/functions
+  "command",
+  "builtin",
+  // Bash builtin - can invoke banned commands directly
+  "type",
+  // Can reveal command locations to aid bypass attempts
   // Cron/scheduling - persistent access
   "crontab",
   "at",
@@ -178,15 +182,17 @@ const BANNED_COMMANDS = [
 ];
 const DANGEROUS_PATTERN_METADATA = [
   // CRITICAL: Command Injection & Execution Bypass
+  // Note: $(cat <<'EOF'...) HEREDOC pattern is whitelisted — it's the standard
+  // multi-line string idiom used for git commits and is not exploitable.
   {
-    pattern: /\$\([^)]+\)/,
+    pattern: /\$\((?!cat\s+<<['"]?EOF)/,
     name: "command substitution $(...)",
-    severity: "critical"
+    severity: "high"
   },
   {
     pattern: /`[^`]+`/,
     name: "backtick command substitution",
-    severity: "critical"
+    severity: "high"
   },
   {
     pattern: /;\s*(rm|chmod|chown|dd|mkfs)\b/i,
@@ -356,160 +362,131 @@ function matchesDangerousPattern(command) {
   );
   return criticalMatches.length > 0;
 }
-const PROMPT = `Executes a given bash command in a persistent shell session with optional timeout, ensuring proper handling and security measures.
+const PROMPT = `Executes a given bash command and returns its output.
 
-Before executing the command, please follow these steps:
+The working directory persists between commands, but shell state does not. The shell environment is initialized from the user's profile (bash or zsh).
 
-1. Directory Verification:
-   - If the command will create new directories or files, first use the LS tool to verify the parent directory exists and is the correct location
-   - For example, before running "mkdir foo/bar", first use LS to check that "foo" exists and is the intended parent directory
+IMPORTANT: Avoid using this tool to run \`find\`, \`grep\`, \`cat\`, \`head\`, \`tail\`, \`sed\`, \`awk\`, or \`echo\` commands, unless explicitly instructed or after you have verified that a dedicated tool cannot accomplish your task. Instead, use the appropriate dedicated tool as this will provide a much better experience for the user:
 
-2. Security Check:
-   - For security and to limit the threat of a prompt injection attack, some commands are limited or banned. If you use a disallowed command, you will receive an error message explaining the restriction. Explain the error to the User.
-   - Verify that the command is not one of the banned commands: ${BANNED_COMMANDS.join(", ")}.
+ - File search: Use ${GLOB_TOOL_NAME} (NOT find or ls)
+ - Content search: Use ${GREP_TOOL_NAME} (NOT grep or rg)
+ - Read files: Use Read (NOT cat/head/tail)
+ - Edit files: Use Edit (NOT sed/awk)
+ - Write files: Use Write (NOT echo >/cat <<EOF)
+ - Communication: Output text directly (NOT echo/printf)
+While the Bash tool can do similar things, it's better to use the built-in tools as they provide a better user experience and make it easier to review tool calls and give permission.
 
-3. Command Execution:
-   - Always quote file paths that contain spaces with double quotes (e.g., cd "path with spaces/file.txt")
-   - Examples of proper quoting:
-     - cd "/Users/name/My Documents" (correct)
-     - cd /Users/name/My Documents (incorrect - will fail)
-     - python "/path/with spaces/script.py" (correct)
-     - python /path/with spaces/script.py (incorrect - will fail)
-   - After ensuring proper quoting, execute the command.
-   - Capture the output of the command.
+# Instructions
+ - If your command will create new directories or files, first use this tool to run \`ls\` to verify the parent directory exists and is the correct location.
+ - Always quote file paths that contain spaces with double quotes in your command (e.g., cd "path with spaces/file.txt")
+ - Try to maintain your current working directory throughout the session by using absolute paths and avoiding usage of \`cd\`. You may use \`cd\` if the User explicitly requests it.
+ - You may specify an optional timeout in milliseconds (up to 600000ms / 10 minutes). By default, your command will timeout after 120000ms (2 minutes).
+ - You can use the \`run_in_background\` parameter to run the command in the background. Only use this if you don't need the result immediately and are OK being notified when the command completes later. You do not need to check the output right away - you'll be notified when it finishes. You do not need to use '&' at the end of the command when using this parameter.
+ - Write a clear, concise description of what your command does.
+ - When issuing multiple commands:
+  - If the commands are independent and can run in parallel, make multiple Bash tool calls in a single message.
+  - If the commands depend on each other and must run sequentially, use a single Bash call with '&&' to chain them together.
+  - Use ';' only when you need to run commands sequentially but don't care if earlier commands fail.
+  - DO NOT use newlines to separate commands (newlines are ok in quoted strings).
+ - For git commands:
+  - Prefer to create a new commit rather than amending an existing commit.
+  - Before running destructive operations (e.g., git reset --hard, git push --force, git checkout --), consider whether there is a safer alternative that achieves the same goal. Only use destructive operations when they are truly the best approach.
+  - Never skip hooks (--no-verify) or bypass signing (--no-gpg-sign, -c commit.gpgsign=false) unless the user has explicitly asked for it. If a hook fails, investigate and fix the underlying issue.
+ - Avoid unnecessary \`sleep\` commands:
+  - Do not sleep between commands that can run immediately \u2014 just run them.
+  - If your command is long running and you would like to be notified when it finishes \u2013 simply run your command using \`run_in_background\`. There is no need to sleep in this case.
+  - Do not retry failing commands in a sleep loop \u2014 diagnose the root cause or consider an alternative approach.
+  - If waiting for a background task you started with \`run_in_background\`, you will be notified when it completes \u2014 do not poll.
+  - If you must poll an external process, use a check command (e.g. \`gh run view\`) rather than sleeping first.
+  - If you must sleep, keep the duration short (1-5 seconds) to avoid blocking the user.
 
-4. Output Processing:
-   - If the output exceeds ${MAX_OUTPUT_LENGTH} characters, output will be truncated before being returned to you.
-   - Prepare the output for display to the user.
-
-5. Return Result:
-   - Provide the processed output of the command.
-   - If any errors occurred during execution, include those in the output.
-
-Usage notes:
-  - The command argument is required.
-  - You can specify an optional timeout in milliseconds (up to 600000ms / 10 minutes). If not specified, commands will timeout after 30 minutes.
-  - You can set run_in_background to true to run the command in the background. This is useful for long-running processes like dev servers, build watches, or monitoring tasks. When running in background, you will receive a shell_id that can be used with BashOutputTool and KillShellTool to monitor and manage the task.
-  - VERY IMPORTANT: You MUST avoid using search commands like \`find\` and \`grep\`. Instead use ${GREP_TOOL_NAME}, ${GLOB_TOOL_NAME}, or ${TASK_TOOL_NAME} to search. You MUST avoid read tools like \`cat\`, \`head\`, \`tail\`, and \`ls\`, and use ${FileReadTool.name} and ${LSTool.name} to read files.
-  - When issuing multiple commands, use the ';' or '&&' operator to separate them. DO NOT use newlines (newlines are ok in quoted strings).
-  - IMPORTANT: All commands share the same shell session. Shell state (environment variables, virtual environments, current directory, etc.) persist between commands. For example, if you set an environment variable as part of a command, the environment variable will persist for subsequent commands.
-  - Try to maintain your current working directory throughout the session by using absolute paths and avoiding usage of \`cd\`. You may use \`cd\` if the User explicitly requests it.
-  <good-example>
-  pytest /foo/bar/tests
-  </good-example>
-  <bad-example>
-  cd /foo/bar && pytest tests
-  </bad-example>
 
 # Committing changes with git
 
-When the user asks you to create a new git commit, follow these steps carefully:
-
-1. Start with a single message that contains exactly three tool_use blocks that do the following (it is VERY IMPORTANT that you send these tool_use blocks in a single message, otherwise it will feel slow to the user!):
-   - Run a git status command to see all untracked files.
-   - Run a git diff command to see both staged and unstaged changes that will be committed.
-   - Run a git log command to see recent commit messages, so that you can follow this repository's commit message style.
+Only create commits when requested by the user. If unclear, ask first. When the user asks you to create a new git commit, follow these steps carefully:
 
-2. Use the git context at the start of this conversation to determine which files are relevant to your commit. Add relevant untracked files to the staging area. Do not commit files that were already modified at the start of this conversation, if they are not relevant to your commit.
-
-3. Analyze all staged changes (both previously staged and newly added) and draft a commit message. Wrap your analysis process in <commit_analysis> tags:
-
-<commit_analysis>
-- List the files that have been changed or added
-- Summarize the nature of the changes (eg. new feature, enhancement to an existing feature, bug fix, refactoring, test, docs, etc.)
-- Brainstorm the purpose or motivation behind these changes
-- Do not use tools to explore code, beyond what is available in the git context
-- Assess the impact of these changes on the overall project
-- Check for any sensitive information that shouldn't be committed
-- Draft a concise (1-2 sentences) commit message that focuses on the "why" rather than the "what"
-- Ensure your language is clear, concise, and to the point
-- Ensure the message accurately reflects the changes and their purpose (i.e. "add" means a wholly new feature, "update" means an enhancement to an existing feature, "fix" means a bug fix, etc.)
-- Ensure the message is not generic (avoid words like "Update" or "Fix" without context)
-- Review the draft message to ensure it accurately reflects the changes and their purpose
-</commit_analysis>
+Git Safety Protocol:
+- NEVER update the git config
+- NEVER run destructive git commands (push --force, reset --hard, checkout ., restore ., clean -f, branch -D) unless the user explicitly requests these actions. Taking unauthorized destructive actions is unhelpful and can result in lost work, so it's best to ONLY run these commands when given direct instructions
+- NEVER skip hooks (--no-verify, --no-gpg-sign, etc) unless the user explicitly requests it
+- NEVER run force push to main/master, warn the user if they request it
+- CRITICAL: Always create NEW commits rather than amending, unless the user explicitly requests a git amend. When a pre-commit hook fails, the commit did NOT happen \u2014 so --amend would modify the PREVIOUS commit, which may result in destroying work or losing previous changes. Instead, after hook failure, fix the issue, re-stage, and create a NEW commit
+- When staging files, prefer adding specific files by name rather than using "git add -A" or "git add .", which can accidentally include sensitive files (.env, credentials) or large binaries
+- NEVER commit changes unless the user explicitly asks you to. It is VERY IMPORTANT to only commit when explicitly asked, otherwise the user will feel that you are being too proactive
 
-4. Create the commit with a message ending with:
-\u{1F916} Generated with ${PRODUCT_NAME} & {MODEL_NAME}
-Co-Authored-By: ${PRODUCT_NAME} <noreply@${PRODUCT_NAME}.com>
+1. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following bash commands in parallel, each using the Bash tool:
+  - Run a git status command to see all untracked files. IMPORTANT: Never use the -uall flag as it can cause memory issues on large repos.
+  - Run a git diff command to see both staged and unstaged changes that will be committed.
+  - Run a git log command to see recent commit messages, so that you can follow this repository's commit message style.
+2. Analyze all staged changes (both previously staged and newly added) and draft a commit message:
+  - Summarize the nature of the changes (eg. new feature, enhancement to an existing feature, bug fix, refactoring, test, docs, etc.). Ensure the message accurately reflects the changes and their purpose (i.e. "add" means a wholly new feature, "update" means an enhancement to an existing feature, "fix" means a bug fix, etc.).
+  - Do not commit files that likely contain secrets (.env, credentials.json, etc). Warn the user if they specifically request to commit those files
+  - Draft a concise (1-2 sentences) commit message that focuses on the "why" rather than the "what"
+  - Ensure it accurately reflects the changes and their purpose
+3. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following commands:
+   - Add relevant untracked files to the staging area.
+   - Create the commit with a message ending with:
+   Co-Authored-By: ${PRODUCT_NAME} <noreply@${PRODUCT_NAME}.com>
+   - Run git status after the commit completes to verify success.
+   Note: git status depends on the commit completing, so run it sequentially after the commit.
+4. If the commit fails due to pre-commit hook: fix the issue and create a NEW commit
 
+Important notes:
+- NEVER run additional commands to read or explore code, besides git bash commands
+- NEVER use the TodoWrite or ${TASK_TOOL_NAME} tools
+- DO NOT push to the remote repository unless the user explicitly asks you to do so
+- IMPORTANT: Never use git commands with the -i flag (like git rebase -i or git add -i) since they require interactive input which is not supported.
+- IMPORTANT: Do not use --no-edit with git rebase commands, as the --no-edit flag is not a valid option for git rebase.
+- If there are no changes to commit (i.e., no untracked files and no modifications), do not create an empty commit
 - In order to ensure good formatting, ALWAYS pass the commit message via a HEREDOC, a la this example:
 <example>
 git commit -m "$(cat <<'EOF'
    Commit message here.
 
-   \u{1F916} Generated with ${PRODUCT_NAME} & {MODEL_NAME}
    Co-Authored-By: ${PRODUCT_NAME} <noreply@${PRODUCT_NAME}.com>
    EOF
    )"
 </example>
 
-5. If the commit fails due to pre-commit hook changes, retry the commit ONCE to include these automated changes. If it fails again, it usually means a pre-commit hook is preventing the commit. If the commit succeeds but you notice that files were modified by the pre-commit hook, you MUST amend your commit to include them.
-
-6. Finally, run git status to make sure the commit succeeded.
-
-Important notes:
-- When possible, combine the "git add" and "git commit" commands into a single "git commit -am" command, to speed things up
-- However, be careful not to stage files (e.g. with \`git add .\`) for commits that aren't part of the change, they may have untracked files they want to keep around, but not commit.
-- NEVER update the git config
-- DO NOT push to the remote repository
-- IMPORTANT: Never use git commands with the -i flag (like git rebase -i or git add -i) since they require interactive input which is not supported.
-- If there are no changes to commit (i.e., no untracked files and no modifications), do not create an empty commit
-- Ensure your commit message is meaningful and concise. It should explain the purpose of the changes, not just describe them.
-- Return an empty response - the user will see the git output directly
-
 # Creating pull requests
 Use the gh command via the Bash tool for ALL GitHub-related tasks including working with issues, pull requests, checks, and releases. If given a Github URL use the gh command to get the information needed.
 
 IMPORTANT: When the user asks you to create a pull request, follow these steps carefully:
 
-1. Understand the current state of the branch. Remember to send a single message that contains multiple tool_use blocks (it is VERY IMPORTANT that you do this in a single message, otherwise it will feel slow to the user!):
-   - Run a git status command to see all untracked files.
-   - Run a git diff command to see both staged and unstaged changes that will be committed.
+1. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following bash commands in parallel using the Bash tool, in order to understand the current state of the branch since it diverged from the main branch:
+   - Run a git status command to see all untracked files (never use -uall flag)
+   - Run a git diff command to see both staged and unstaged changes that will be committed
    - Check if the current branch tracks a remote branch and is up to date with the remote, so you know if you need to push to the remote
-   - Run a git log command and \`git diff main...HEAD\` to understand the full commit history for the current branch (from the time it diverged from the \`main\` branch.)
-
-2. Create new branch if needed
-
-3. Commit changes if needed
-
-4. Push to remote with -u flag if needed
-
-5. Analyze all changes that will be included in the pull request, making sure to look at all relevant commits (not just the latest commit, but all commits that will be included in the pull request!), and draft a pull request summary. Wrap your analysis process in <pr_analysis> tags:
-
-<pr_analysis>
-- List the commits since diverging from the main branch
-- Summarize the nature of the changes (eg. new feature, enhancement to an existing feature, bug fix, refactoring, test, docs, etc.)
-- Brainstorm the purpose or motivation behind these changes
-- Assess the impact of these changes on the overall project
-- Do not use tools to explore code, beyond what is available in the git context
-- Check for any sensitive information that shouldn't be committed
-- Draft a concise (1-2 bullet points) pull request summary that focuses on the "why" rather than the "what"
-- Ensure the summary accurately reflects all changes since diverging from the main branch
-- Ensure your language is clear, concise, and to the point
-- Ensure the summary accurately reflects the changes and their purpose (ie. "add" means a wholly new feature, "update" means an enhancement to an existing feature, "fix" means a bug fix, etc.)
-- Ensure the summary is not generic (avoid words like "Update" or "Fix" without context)
-- Review the draft summary to ensure it accurately reflects the changes and their purpose
-</pr_analysis>
-
-6. Create PR using gh pr create with the format below. Use a HEREDOC to pass the body to ensure correct formatting.
+   - Run a git log command and \`git diff [base-branch]...HEAD\` to understand the full commit history for the current branch (from the time it diverged from the base branch)
+2. Analyze all changes that will be included in the pull request, making sure to look at all relevant commits (NOT just the latest commit, but ALL commits that will be included in the pull request!!!), and draft a pull request title and summary:
+   - Keep the PR title short (under 70 characters)
+   - Use the description/body for details, not the title
+3. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following commands in parallel:
+   - Create new branch if needed
+   - Push to remote with -u flag if needed
+   - Create PR using gh pr create with the format below. Use a HEREDOC to pass the body to ensure correct formatting.
 <example>
 gh pr create --title "the pr title" --body "$(cat <<'EOF'
 ## Summary
 <1-3 bullet points>
 
 ## Test plan
-[Checklist of TODOs for testing the pull request...]
+[Bulleted markdown checklist of TODOs for testing the pull request...]
 
-\u{1F916} Generated with [${PRODUCT_NAME}](${PRODUCT_URL}) & {MODEL_NAME}
+\u{1F916} Generated with [${PRODUCT_NAME}](${PRODUCT_URL})
 EOF
 )"
 </example>
 
 Important:
-- Return an empty response - the user will see the gh output directly
-- Never update git config`;
+- DO NOT use the TodoWrite or ${TASK_TOOL_NAME} tools
+- Return the PR URL when you're done, so the user can see it
+
+# Other common operations
+- View comments on a Github PR: gh api repos/foo/bar/pulls/123/comments`;
 export {
   BANNED_COMMANDS,
+  DANGEROUS_PATTERN_METADATA,
   MAX_OUTPUT_LENGTH,
   MAX_RENDERED_LINES,
   PROMPT,

package/dist/tools/BashTool/prompt.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../src/tools/BashTool/prompt.ts"],
-  "sourcesContent": ["import { PRODUCT_NAME, PRODUCT_URL } from '@constants/product'\nimport { TOOL_NAME as TASK_TOOL_NAME } from '@tools/TaskTool/constants'\nimport { FileReadTool } from '@tools/FileReadTool/FileReadTool'\nimport { TOOL_NAME_FOR_PROMPT as GLOB_TOOL_NAME } from '@tools/GlobTool/prompt'\nimport { TOOL_NAME_FOR_PROMPT as GREP_TOOL_NAME } from '@tools/GrepTool/prompt'\nimport { LSTool } from '@tools/lsTool/lsTool'\n\nexport const MAX_OUTPUT_LENGTH = 30000\nexport const MAX_RENDERED_LINES = 5\n\n/**\n * Banned commands for security\n *\n * Categories:\n * - Network tools: Could be used for data exfiltration or network attacks\n * - System modification: Could damage the system or escalate privileges\n * - Shell execution: Could bypass command restrictions\n * - Browsers: Could open external content\n * - Dangerous file operations: Could cause data loss\n */\nexport const BANNED_COMMANDS = [\n  // Network tools - data exfiltration risk\n  'curl',\n  'curlie',\n  'wget',\n  'axel',\n  'aria2c',\n  'nc',\n  'netcat',\n  'ncat',\n  'telnet',\n  'lynx',\n  'w3m',\n  'links',\n  'httpie',\n  'xh',\n  'http-prompt',\n  'ftp',\n  'sftp',\n  'scp',\n  'rsync',\n  'socat',\n  'nmap',\n  'tcpdump',\n  'wireshark',\n  'tshark',\n\n  // Browsers - could open external content\n  'chrome',\n  'chromium',\n  'firefox',\n  'safari',\n  'opera',\n  'brave',\n  'open', // macOS open command could launch apps/URLs\n\n  // Privilege escalation - dangerous system access\n  'sudo',\n  'su',\n  'doas',\n  'pkexec',\n  'gksudo',\n  'kdesudo',\n\n  // Shell execution - could bypass restrictions\n  'eval',\n  'source',\n  'exec',\n  'bash',\n  'sh',\n  'zsh',\n  'fish',\n  'csh',\n  'tcsh',\n  'ksh',\n  'dash',\n  'ash',\n  'xargs', // Can execute arbitrary commands\n  'parallel', // GNU parallel can execute commands\n  'xonsh',\n  'powershell',\n  'pwsh',\n  'cmd',\n\n  // Dangerous file operations - data loss risk\n  'rm',\n  'rmdir',\n  'shred',\n  'srm',\n  'wipe',\n  'dd', // Can overwrite disks\n  'mkfs', // Can format disks\n  'fdisk',\n  'parted',\n  'wipefs',\n\n  // System modification - could damage system\n  'chmod',\n  'chown',\n  'chgrp',\n  'chattr',\n  'setfacl',\n  'shutdown',\n  'reboot',\n  'poweroff',\n  'halt',\n  'init',\n  'systemctl',\n  'service',\n  'launchctl', // macOS service control\n\n  // Process control - could affect system stability\n  'kill',\n  'killall',\n  'pkill',\n\n  // Aliases and functions - could hide malicious commands\n  'alias',\n  'unalias',\n  'function',\n\n  // Cron/scheduling - persistent access\n  'crontab',\n  'at',\n  'atq',\n  'atrm',\n\n  // User management - privilege escalation\n  'useradd',\n  'userdel',\n  'usermod',\n  'groupadd',\n  'groupdel',\n  'groupmod',\n  'passwd',\n  'chpasswd',\n\n  // Package managers - could install malware\n  'apt',\n  'apt-get',\n  'aptitude',\n  'dpkg',\n  'yum',\n  'dnf',\n  'rpm',\n  'pacman',\n  'brew',\n  'port', // MacPorts\n  'pip',\n  'pip3',\n  'npm',\n  'yarn',\n  'pnpm',\n  'gem',\n  'cargo',\n  'go', // go install could install packages\n\n  // Compilers/interpreters with execution capability\n  'python',\n  'python3',\n  'python2',\n  'ruby',\n  'perl',\n  'php',\n  'node',\n  'deno',\n  'bun',\n  'lua',\n  'awk',\n  'gawk',\n  'mawk',\n  'nawk',\n  'sed', // Can execute commands with e flag\n\n  // Container/VM - could escape sandbox\n  'docker',\n  'podman',\n  'kubectl',\n  'vagrant',\n  'virsh',\n  'qemu',\n  'virtualbox',\n  'vboxmanage',\n\n  // System info that could aid attacks\n  'env', // Exposes environment variables including secrets\n\n  // Encryption/keys - could exfiltrate secrets\n  'gpg',\n  'openssl',\n  'ssh-keygen',\n  'ssh-agent',\n  'ssh-add',\n]\n\n/**\n * Detailed dangerous pattern match information\n */\nexport interface DangerousPatternMatch {\n  pattern: string\n  name: string\n  match: string\n  severity: 'critical' | 'high' | 'medium'\n}\n\n/**\n * Mapping of dangerous patterns with metadata\n */\nconst DANGEROUS_PATTERN_METADATA: Array<{\n  pattern: RegExp\n  name: string\n  severity: 'critical' | 'high' | 'medium'\n}> = [\n  // CRITICAL: Command Injection & Execution Bypass\n  {\n    pattern: /\\$\\([^)]+\\)/,\n    name: 'command substitution $(...)',\n    severity: 'critical',\n  },\n  {\n    pattern: /`[^`]+`/,\n    name: 'backtick command substitution',\n    severity: 'critical',\n  },\n  {\n    pattern: /;\\s*(rm|chmod|chown|dd|mkfs)\\b/i,\n    name: 'chained destructive command',\n    severity: 'critical',\n  },\n  {\n    pattern: /&&\\s*(rm|chmod|chown|dd|mkfs)\\b/i,\n    name: 'conditional destructive command',\n    severity: 'critical',\n  },\n  {\n    pattern: /\\|\\s*bash\\b/i,\n    name: 'pipe to bash',\n    severity: 'critical',\n  },\n  {\n    pattern: /\\|\\s*sh\\b/i,\n    name: 'pipe to sh',\n    severity: 'critical',\n  },\n  {\n    pattern: /curl.*\\|\\s*(bash|sh)\\b/i,\n    name: 'curl pipe to shell',\n    severity: 'critical',\n  },\n  {\n    pattern: /wget.*\\|\\s*(bash|sh)\\b/i,\n    name: 'wget pipe to shell',\n    severity: 'critical',\n  },\n  {\n    pattern: /eval\\s+['\"$]/,\n    name: 'eval with dynamic input',\n    severity: 'critical',\n  },\n\n  // CRITICAL: Destructive Operations\n  {\n    pattern: /\\brm\\s+-rf\\s+\\/(?!\\S)/,\n    name: 'rm -rf /',\n    severity: 'critical',\n  },\n  {\n    pattern: />\\s*\\/dev\\/sd[a-z]/i,\n    name: 'write to block device',\n    severity: 'critical',\n  },\n  {\n    pattern: />\\s*\\/dev\\/nvme/i,\n    name: 'write to NVMe device',\n    severity: 'critical',\n  },\n  {\n    pattern: />\\s*\\/etc\\/(passwd|shadow|sudoers)/i,\n    name: 'overwrite critical system files',\n    severity: 'critical',\n  },\n  {\n    pattern: />\\s*\\/boot\\//i,\n    name: 'overwrite boot files',\n    severity: 'critical',\n  },\n\n  // CRITICAL: Fork Bomb & DoS\n  {\n    pattern: /:\\(\\)\\s*\\{\\s*:\\s*\\|\\s*:\\s*&\\s*\\}\\s*;?\\s*:/,\n    name: 'fork bomb pattern ()',\n    severity: 'critical',\n  },\n  {\n    pattern: /\\.\\s*\\(\\)\\s*\\{\\s*\\.\\s*\\|\\s*\\.\\s*&\\s*\\}\\s*;?\\s*\\./,\n    name: 'fork bomb pattern (.)',\n    severity: 'critical',\n  },\n\n  // HIGH: Reverse Shell & Data Exfiltration\n  {\n    pattern: /\\$\\(\\s*<\\s*\\/dev\\/tcp/i,\n    name: 'TCP socket connection',\n    severity: 'high',\n  },\n  {\n    pattern: /\\/dev\\/tcp\\//i,\n    name: 'direct TCP device access',\n    severity: 'high',\n  },\n  {\n    pattern: /\\/dev\\/udp\\//i,\n    name: 'direct UDP device access',\n    severity: 'high',\n  },\n  {\n    pattern: /mkfifo.*nc/i,\n    name: 'named pipe with netcat',\n    severity: 'high',\n  },\n  {\n    pattern: /bash\\s+-i\\s+>&\\s*\\/dev\\/tcp/i,\n    name: 'interactive bash reverse shell',\n    severity: 'high',\n  },\n\n  // HIGH: Data Encoding & Obfuscation\n  {\n    pattern: /base64\\s+(-d|--decode).*\\|\\s*(bash|sh|eval)/i,\n    name: 'base64 decode and execute',\n    severity: 'high',\n  },\n  {\n    pattern: /xxd\\s+-r.*\\|\\s*(bash|sh|eval)/i,\n    name: 'hex decode and execute',\n    severity: 'high',\n  },\n\n  // HIGH: System & Security Manipulation\n  {\n    pattern: /HISTFILE=/i,\n    name: 'history file manipulation',\n    severity: 'high',\n  },\n  {\n    pattern: /unset\\s+HISTFILE/i,\n    name: 'disable command history',\n    severity: 'high',\n  },\n  {\n    pattern: /history\\s+-c/i,\n    name: 'clear command history',\n    severity: 'high',\n  },\n  {\n    pattern: /LD_PRELOAD=/i,\n    name: 'library preload injection',\n    severity: 'high',\n  },\n  {\n    pattern: /LD_LIBRARY_PATH=/i,\n    name: 'library path injection',\n    severity: 'high',\n  },\n  {\n    pattern: /DYLD_INSERT_LIBRARIES=/i,\n    name: 'macOS library injection',\n    severity: 'high',\n  },\n\n  // MEDIUM: Suspicious Command Patterns\n  {\n    pattern: /\\$\\{[^}]*\\}/,\n    name: 'variable expansion',\n    severity: 'medium',\n  },\n]\n\n/**\n * Check if a command matches any dangerous pattern and return detailed information\n */\nexport function detectDangerousPatterns(\n  command: string,\n): DangerousPatternMatch[] {\n  const matches: DangerousPatternMatch[] = []\n\n  for (const { pattern, name, severity } of DANGEROUS_PATTERN_METADATA) {\n    const match = command.match(pattern)\n    if (match) {\n      matches.push({\n        pattern: pattern.toString(),\n        name,\n        match: match[0],\n        severity,\n      })\n    }\n  }\n\n  return matches\n}\n\n/**\n * Check if a command matches any dangerous pattern (backward compatible)\n */\nexport function matchesDangerousPattern(command: string): boolean {\n  const criticalMatches = detectDangerousPatterns(command).filter(\n    m => m.severity === 'critical',\n  )\n  return criticalMatches.length > 0\n}\n\nexport const PROMPT = `Executes a given bash command in a persistent shell session with optional timeout, ensuring proper handling and security measures.\n\nBefore executing the command, please follow these steps:\n\n1. Directory Verification:\n   - If the command will create new directories or files, first use the LS tool to verify the parent directory exists and is the correct location\n   - For example, before running \"mkdir foo/bar\", first use LS to check that \"foo\" exists and is the intended parent directory\n\n2. Security Check:\n   - For security and to limit the threat of a prompt injection attack, some commands are limited or banned. If you use a disallowed command, you will receive an error message explaining the restriction. Explain the error to the User.\n   - Verify that the command is not one of the banned commands: ${BANNED_COMMANDS.join(', ')}.\n\n3. Command Execution:\n   - Always quote file paths that contain spaces with double quotes (e.g., cd \"path with spaces/file.txt\")\n   - Examples of proper quoting:\n     - cd \"/Users/name/My Documents\" (correct)\n     - cd /Users/name/My Documents (incorrect - will fail)\n     - python \"/path/with spaces/script.py\" (correct)\n     - python /path/with spaces/script.py (incorrect - will fail)\n   - After ensuring proper quoting, execute the command.\n   - Capture the output of the command.\n\n4. Output Processing:\n   - If the output exceeds ${MAX_OUTPUT_LENGTH} characters, output will be truncated before being returned to you.\n   - Prepare the output for display to the user.\n\n5. Return Result:\n   - Provide the processed output of the command.\n   - If any errors occurred during execution, include those in the output.\n\nUsage notes:\n  - The command argument is required.\n  - You can specify an optional timeout in milliseconds (up to 600000ms / 10 minutes). If not specified, commands will timeout after 30 minutes.\n  - You can set run_in_background to true to run the command in the background. This is useful for long-running processes like dev servers, build watches, or monitoring tasks. When running in background, you will receive a shell_id that can be used with BashOutputTool and KillShellTool to monitor and manage the task.\n  - VERY IMPORTANT: You MUST avoid using search commands like \\`find\\` and \\`grep\\`. Instead use ${GREP_TOOL_NAME}, ${GLOB_TOOL_NAME}, or ${TASK_TOOL_NAME} to search. You MUST avoid read tools like \\`cat\\`, \\`head\\`, \\`tail\\`, and \\`ls\\`, and use ${FileReadTool.name} and ${LSTool.name} to read files.\n  - When issuing multiple commands, use the ';' or '&&' operator to separate them. DO NOT use newlines (newlines are ok in quoted strings).\n  - IMPORTANT: All commands share the same shell session. Shell state (environment variables, virtual environments, current directory, etc.) persist between commands. For example, if you set an environment variable as part of a command, the environment variable will persist for subsequent commands.\n  - Try to maintain your current working directory throughout the session by using absolute paths and avoiding usage of \\`cd\\`. You may use \\`cd\\` if the User explicitly requests it.\n  <good-example>\n  pytest /foo/bar/tests\n  </good-example>\n  <bad-example>\n  cd /foo/bar && pytest tests\n  </bad-example>\n\n# Committing changes with git\n\nWhen the user asks you to create a new git commit, follow these steps carefully:\n\n1. Start with a single message that contains exactly three tool_use blocks that do the following (it is VERY IMPORTANT that you send these tool_use blocks in a single message, otherwise it will feel slow to the user!):\n   - Run a git status command to see all untracked files.\n   - Run a git diff command to see both staged and unstaged changes that will be committed.\n   - Run a git log command to see recent commit messages, so that you can follow this repository's commit message style.\n\n2. Use the git context at the start of this conversation to determine which files are relevant to your commit. Add relevant untracked files to the staging area. Do not commit files that were already modified at the start of this conversation, if they are not relevant to your commit.\n\n3. Analyze all staged changes (both previously staged and newly added) and draft a commit message. Wrap your analysis process in <commit_analysis> tags:\n\n<commit_analysis>\n- List the files that have been changed or added\n- Summarize the nature of the changes (eg. new feature, enhancement to an existing feature, bug fix, refactoring, test, docs, etc.)\n- Brainstorm the purpose or motivation behind these changes\n- Do not use tools to explore code, beyond what is available in the git context\n- Assess the impact of these changes on the overall project\n- Check for any sensitive information that shouldn't be committed\n- Draft a concise (1-2 sentences) commit message that focuses on the \"why\" rather than the \"what\"\n- Ensure your language is clear, concise, and to the point\n- Ensure the message accurately reflects the changes and their purpose (i.e. \"add\" means a wholly new feature, \"update\" means an enhancement to an existing feature, \"fix\" means a bug fix, etc.)\n- Ensure the message is not generic (avoid words like \"Update\" or \"Fix\" without context)\n- Review the draft message to ensure it accurately reflects the changes and their purpose\n</commit_analysis>\n\n4. Create the commit with a message ending with:\n\uD83E\uDD16 Generated with ${PRODUCT_NAME} & {MODEL_NAME}\nCo-Authored-By: ${PRODUCT_NAME} <noreply@${PRODUCT_NAME}.com>\n\n- In order to ensure good formatting, ALWAYS pass the commit message via a HEREDOC, a la this example:\n<example>\ngit commit -m \"$(cat <<'EOF'\n   Commit message here.\n\n   \uD83E\uDD16 Generated with ${PRODUCT_NAME} & {MODEL_NAME}\n   Co-Authored-By: ${PRODUCT_NAME} <noreply@${PRODUCT_NAME}.com>\n   EOF\n   )\"\n</example>\n\n5. If the commit fails due to pre-commit hook changes, retry the commit ONCE to include these automated changes. If it fails again, it usually means a pre-commit hook is preventing the commit. If the commit succeeds but you notice that files were modified by the pre-commit hook, you MUST amend your commit to include them.\n\n6. Finally, run git status to make sure the commit succeeded.\n\nImportant notes:\n- When possible, combine the \"git add\" and \"git commit\" commands into a single \"git commit -am\" command, to speed things up\n- However, be careful not to stage files (e.g. with \\`git add .\\`) for commits that aren't part of the change, they may have untracked files they want to keep around, but not commit.\n- NEVER update the git config\n- DO NOT push to the remote repository\n- IMPORTANT: Never use git commands with the -i flag (like git rebase -i or git add -i) since they require interactive input which is not supported.\n- If there are no changes to commit (i.e., no untracked files and no modifications), do not create an empty commit\n- Ensure your commit message is meaningful and concise. It should explain the purpose of the changes, not just describe them.\n- Return an empty response - the user will see the git output directly\n\n# Creating pull requests\nUse the gh command via the Bash tool for ALL GitHub-related tasks including working with issues, pull requests, checks, and releases. If given a Github URL use the gh command to get the information needed.\n\nIMPORTANT: When the user asks you to create a pull request, follow these steps carefully:\n\n1. Understand the current state of the branch. Remember to send a single message that contains multiple tool_use blocks (it is VERY IMPORTANT that you do this in a single message, otherwise it will feel slow to the user!):\n   - Run a git status command to see all untracked files.\n   - Run a git diff command to see both staged and unstaged changes that will be committed.\n   - Check if the current branch tracks a remote branch and is up to date with the remote, so you know if you need to push to the remote\n   - Run a git log command and \\`git diff main...HEAD\\` to understand the full commit history for the current branch (from the time it diverged from the \\`main\\` branch.)\n\n2. Create new branch if needed\n\n3. Commit changes if needed\n\n4. Push to remote with -u flag if needed\n\n5. Analyze all changes that will be included in the pull request, making sure to look at all relevant commits (not just the latest commit, but all commits that will be included in the pull request!), and draft a pull request summary. Wrap your analysis process in <pr_analysis> tags:\n\n<pr_analysis>\n- List the commits since diverging from the main branch\n- Summarize the nature of the changes (eg. new feature, enhancement to an existing feature, bug fix, refactoring, test, docs, etc.)\n- Brainstorm the purpose or motivation behind these changes\n- Assess the impact of these changes on the overall project\n- Do not use tools to explore code, beyond what is available in the git context\n- Check for any sensitive information that shouldn't be committed\n- Draft a concise (1-2 bullet points) pull request summary that focuses on the \"why\" rather than the \"what\"\n- Ensure the summary accurately reflects all changes since diverging from the main branch\n- Ensure your language is clear, concise, and to the point\n- Ensure the summary accurately reflects the changes and their purpose (ie. \"add\" means a wholly new feature, \"update\" means an enhancement to an existing feature, \"fix\" means a bug fix, etc.)\n- Ensure the summary is not generic (avoid words like \"Update\" or \"Fix\" without context)\n- Review the draft summary to ensure it accurately reflects the changes and their purpose\n</pr_analysis>\n\n6. Create PR using gh pr create with the format below. Use a HEREDOC to pass the body to ensure correct formatting.\n<example>\ngh pr create --title \"the pr title\" --body \"$(cat <<'EOF'\n## Summary\n<1-3 bullet points>\n\n## Test plan\n[Checklist of TODOs for testing the pull request...]\n\n\uD83E\uDD16 Generated with [${PRODUCT_NAME}](${PRODUCT_URL}) & {MODEL_NAME}\nEOF\n)\"\n</example>\n\nImportant:\n- Return an empty response - the user will see the gh output directly\n- Never update git config`\n"],
-  "mappings": "AAAA,SAAS,cAAc,mBAAmB;AAC1C,SAAS,aAAa,sBAAsB;AAC5C,SAAS,oBAAoB;AAC7B,SAAS,wBAAwB,sBAAsB;AACvD,SAAS,wBAAwB,sBAAsB;AACvD,SAAS,cAAc;AAEhB,MAAM,oBAAoB;AAC1B,MAAM,qBAAqB;AAY3B,MAAM,kBAAkB;AAAA;AAAA,EAE7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAeA,MAAM,6BAID;AAAA;AAAA,EAEH;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AACF;AAKO,SAAS,wBACd,SACyB;AACzB,QAAM,UAAmC,CAAC;AAE1C,aAAW,EAAE,SAAS,MAAM,SAAS,KAAK,4BAA4B;AACpE,UAAM,QAAQ,QAAQ,MAAM,OAAO;AACnC,QAAI,OAAO;AACT,cAAQ,KAAK;AAAA,QACX,SAAS,QAAQ,SAAS;AAAA,QAC1B;AAAA,QACA,OAAO,MAAM,CAAC;AAAA,QACd;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,wBAAwB,SAA0B;AAChE,QAAM,kBAAkB,wBAAwB,OAAO,EAAE;AAAA,IACvD,OAAK,EAAE,aAAa;AAAA,EACtB;AACA,SAAO,gBAAgB,SAAS;AAClC;AAEO,MAAM,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kEAU4C,gBAAgB,KAAK,IAAI,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,6BAa/D,iBAAiB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mGAWqD,cAAc,KAAK,cAAc,QAAQ,cAAc,+FAA+F,aAAa,IAAI,QAAQ,OAAO,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,2BAuCzQ,YAAY;AAAA,kBACd,YAAY,aAAa,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,8BAOhC,YAAY;AAAA,qBACd,YAAY,aAAa,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4BA8DrC,YAAY,KAAK,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;",
+  "sourcesContent": ["import { PRODUCT_NAME, PRODUCT_URL } from '@constants/product'\nimport { TOOL_NAME as TASK_TOOL_NAME } from '@tools/TaskTool/constants'\nimport { TOOL_NAME_FOR_PROMPT as GLOB_TOOL_NAME } from '@tools/GlobTool/prompt'\nimport { TOOL_NAME_FOR_PROMPT as GREP_TOOL_NAME } from '@tools/GrepTool/prompt'\n\nexport const MAX_OUTPUT_LENGTH = 30000\nexport const MAX_RENDERED_LINES = 5\n\n/**\n * Banned commands for security\n *\n * Categories:\n * - Network tools: Could be used for data exfiltration or network attacks\n * - System modification: Could damage the system or escalate privileges\n * - Shell execution: Could bypass command restrictions\n * - Browsers: Could open external content\n * - Dangerous file operations: Could cause data loss\n */\nexport const BANNED_COMMANDS = [\n  // Network tools - data exfiltration risk\n  'curl',\n  'curlie',\n  'wget',\n  'axel',\n  'aria2c',\n  'nc',\n  'netcat',\n  'ncat',\n  'telnet',\n  'lynx',\n  'w3m',\n  'links',\n  'httpie',\n  'xh',\n  'http-prompt',\n  'ftp',\n  'sftp',\n  'scp',\n  'rsync',\n  'socat',\n  'nmap',\n  'tcpdump',\n  'wireshark',\n  'tshark',\n\n  // Browsers - could open external content\n  'chrome',\n  'chromium',\n  'firefox',\n  'safari',\n  'opera',\n  'brave',\n  'open', // macOS open command could launch apps/URLs\n\n  // Privilege escalation - dangerous system access\n  'sudo',\n  'su',\n  'doas',\n  'pkexec',\n  'gksudo',\n  'kdesudo',\n\n  // Shell execution - could bypass restrictions\n  'eval',\n  'source',\n  'exec',\n  'bash',\n  'sh',\n  'zsh',\n  'fish',\n  'csh',\n  'tcsh',\n  'ksh',\n  'dash',\n  'ash',\n  'xargs', // Can execute arbitrary commands\n  'parallel', // GNU parallel can execute commands\n  'xonsh',\n  'powershell',\n  'pwsh',\n  'cmd',\n\n  // Dangerous file operations - data loss risk\n  'rm',\n  'rmdir',\n  'shred',\n  'srm',\n  'wipe',\n  'dd', // Can overwrite disks\n  'mkfs', // Can format disks\n  'fdisk',\n  'parted',\n  'wipefs',\n\n  // System modification - could damage system\n  'chmod',\n  'chown',\n  'chgrp',\n  'chattr',\n  'setfacl',\n  'shutdown',\n  'reboot',\n  'poweroff',\n  'halt',\n  'init',\n  'systemctl',\n  'service',\n  'launchctl', // macOS service control\n\n  // Process control - could affect system stability\n  'kill',\n  'killall',\n  'pkill',\n\n  // Aliases and functions - could hide malicious commands\n  'alias',\n  'unalias',\n  'function',\n\n  // Shell builtin bypass - can invoke banned commands by bypassing aliases/functions\n  'command',\n  'builtin', // Bash builtin - can invoke banned commands directly\n  'type', // Can reveal command locations to aid bypass attempts\n\n  // Cron/scheduling - persistent access\n  'crontab',\n  'at',\n  'atq',\n  'atrm',\n\n  // User management - privilege escalation\n  'useradd',\n  'userdel',\n  'usermod',\n  'groupadd',\n  'groupdel',\n  'groupmod',\n  'passwd',\n  'chpasswd',\n\n  // Package managers - could install malware\n  'apt',\n  'apt-get',\n  'aptitude',\n  'dpkg',\n  'yum',\n  'dnf',\n  'rpm',\n  'pacman',\n  'brew',\n  'port', // MacPorts\n  'pip',\n  'pip3',\n  'npm',\n  'yarn',\n  'pnpm',\n  'gem',\n  'cargo',\n  'go', // go install could install packages\n\n  // Compilers/interpreters with execution capability\n  'python',\n  'python3',\n  'python2',\n  'ruby',\n  'perl',\n  'php',\n  'node',\n  'deno',\n  'bun',\n  'lua',\n  'awk',\n  'gawk',\n  'mawk',\n  'nawk',\n  'sed', // Can execute commands with e flag\n\n  // Container/VM - could escape sandbox\n  'docker',\n  'podman',\n  'kubectl',\n  'vagrant',\n  'virsh',\n  'qemu',\n  'virtualbox',\n  'vboxmanage',\n\n  // System info that could aid attacks\n  'env', // Exposes environment variables including secrets\n\n  // Encryption/keys - could exfiltrate secrets\n  'gpg',\n  'openssl',\n  'ssh-keygen',\n  'ssh-agent',\n  'ssh-add',\n]\n\n/**\n * Detailed dangerous pattern match information\n */\nexport interface DangerousPatternMatch {\n  pattern: string\n  name: string\n  match: string\n  severity: 'critical' | 'high' | 'medium'\n}\n\n/**\n * Mapping of dangerous patterns with metadata\n */\nexport const DANGEROUS_PATTERN_METADATA: Array<{\n  pattern: RegExp\n  name: string\n  severity: 'critical' | 'high' | 'medium'\n}> = [\n  // CRITICAL: Command Injection & Execution Bypass\n  // Note: $(cat <<'EOF'...) HEREDOC pattern is whitelisted \u2014 it's the standard\n  // multi-line string idiom used for git commits and is not exploitable.\n  {\n    pattern: /\\$\\((?!cat\\s+<<['\"]?EOF)/,\n    name: 'command substitution $(...)',\n    severity: 'high',\n  },\n  {\n    pattern: /`[^`]+`/,\n    name: 'backtick command substitution',\n    severity: 'high',\n  },\n  {\n    pattern: /;\\s*(rm|chmod|chown|dd|mkfs)\\b/i,\n    name: 'chained destructive command',\n    severity: 'critical',\n  },\n  {\n    pattern: /&&\\s*(rm|chmod|chown|dd|mkfs)\\b/i,\n    name: 'conditional destructive command',\n    severity: 'critical',\n  },\n  {\n    pattern: /\\|\\s*bash\\b/i,\n    name: 'pipe to bash',\n    severity: 'critical',\n  },\n  {\n    pattern: /\\|\\s*sh\\b/i,\n    name: 'pipe to sh',\n    severity: 'critical',\n  },\n  {\n    pattern: /curl.*\\|\\s*(bash|sh)\\b/i,\n    name: 'curl pipe to shell',\n    severity: 'critical',\n  },\n  {\n    pattern: /wget.*\\|\\s*(bash|sh)\\b/i,\n    name: 'wget pipe to shell',\n    severity: 'critical',\n  },\n  {\n    pattern: /eval\\s+['\"$]/,\n    name: 'eval with dynamic input',\n    severity: 'critical',\n  },\n\n  // CRITICAL: Destructive Operations\n  {\n    pattern: /\\brm\\s+-rf\\s+\\/(?!\\S)/,\n    name: 'rm -rf /',\n    severity: 'critical',\n  },\n  {\n    pattern: />\\s*\\/dev\\/sd[a-z]/i,\n    name: 'write to block device',\n    severity: 'critical',\n  },\n  {\n    pattern: />\\s*\\/dev\\/nvme/i,\n    name: 'write to NVMe device',\n    severity: 'critical',\n  },\n  {\n    pattern: />\\s*\\/etc\\/(passwd|shadow|sudoers)/i,\n    name: 'overwrite critical system files',\n    severity: 'critical',\n  },\n  {\n    pattern: />\\s*\\/boot\\//i,\n    name: 'overwrite boot files',\n    severity: 'critical',\n  },\n\n  // CRITICAL: Fork Bomb & DoS\n  {\n    pattern: /:\\(\\)\\s*\\{\\s*:\\s*\\|\\s*:\\s*&\\s*\\}\\s*;?\\s*:/,\n    name: 'fork bomb pattern ()',\n    severity: 'critical',\n  },\n  {\n    pattern: /\\.\\s*\\(\\)\\s*\\{\\s*\\.\\s*\\|\\s*\\.\\s*&\\s*\\}\\s*;?\\s*\\./,\n    name: 'fork bomb pattern (.)',\n    severity: 'critical',\n  },\n\n  // HIGH: Reverse Shell & Data Exfiltration\n  {\n    pattern: /\\$\\(\\s*<\\s*\\/dev\\/tcp/i,\n    name: 'TCP socket connection',\n    severity: 'high',\n  },\n  {\n    pattern: /\\/dev\\/tcp\\//i,\n    name: 'direct TCP device access',\n    severity: 'high',\n  },\n  {\n    pattern: /\\/dev\\/udp\\//i,\n    name: 'direct UDP device access',\n    severity: 'high',\n  },\n  {\n    pattern: /mkfifo.*nc/i,\n    name: 'named pipe with netcat',\n    severity: 'high',\n  },\n  {\n    pattern: /bash\\s+-i\\s+>&\\s*\\/dev\\/tcp/i,\n    name: 'interactive bash reverse shell',\n    severity: 'high',\n  },\n\n  // HIGH: Data Encoding & Obfuscation\n  {\n    pattern: /base64\\s+(-d|--decode).*\\|\\s*(bash|sh|eval)/i,\n    name: 'base64 decode and execute',\n    severity: 'high',\n  },\n  {\n    pattern: /xxd\\s+-r.*\\|\\s*(bash|sh|eval)/i,\n    name: 'hex decode and execute',\n    severity: 'high',\n  },\n\n  // HIGH: System & Security Manipulation\n  {\n    pattern: /HISTFILE=/i,\n    name: 'history file manipulation',\n    severity: 'high',\n  },\n  {\n    pattern: /unset\\s+HISTFILE/i,\n    name: 'disable command history',\n    severity: 'high',\n  },\n  {\n    pattern: /history\\s+-c/i,\n    name: 'clear command history',\n    severity: 'high',\n  },\n  {\n    pattern: /LD_PRELOAD=/i,\n    name: 'library preload injection',\n    severity: 'high',\n  },\n  {\n    pattern: /LD_LIBRARY_PATH=/i,\n    name: 'library path injection',\n    severity: 'high',\n  },\n  {\n    pattern: /DYLD_INSERT_LIBRARIES=/i,\n    name: 'macOS library injection',\n    severity: 'high',\n  },\n\n  // MEDIUM: Suspicious Command Patterns\n  {\n    pattern: /\\$\\{[^}]*\\}/,\n    name: 'variable expansion',\n    severity: 'medium',\n  },\n]\n\n/**\n * Check if a command matches any dangerous pattern and return detailed information\n */\nexport function detectDangerousPatterns(\n  command: string,\n): DangerousPatternMatch[] {\n  const matches: DangerousPatternMatch[] = []\n\n  for (const { pattern, name, severity } of DANGEROUS_PATTERN_METADATA) {\n    const match = command.match(pattern)\n    if (match) {\n      matches.push({\n        pattern: pattern.toString(),\n        name,\n        match: match[0],\n        severity,\n      })\n    }\n  }\n\n  return matches\n}\n\n/**\n * Check if a command matches any dangerous pattern (backward compatible)\n */\nexport function matchesDangerousPattern(command: string): boolean {\n  const criticalMatches = detectDangerousPatterns(command).filter(\n    m => m.severity === 'critical',\n  )\n  return criticalMatches.length > 0\n}\n\nexport const PROMPT = `Executes a given bash command and returns its output.\n\nThe working directory persists between commands, but shell state does not. The shell environment is initialized from the user's profile (bash or zsh).\n\nIMPORTANT: Avoid using this tool to run \\`find\\`, \\`grep\\`, \\`cat\\`, \\`head\\`, \\`tail\\`, \\`sed\\`, \\`awk\\`, or \\`echo\\` commands, unless explicitly instructed or after you have verified that a dedicated tool cannot accomplish your task. Instead, use the appropriate dedicated tool as this will provide a much better experience for the user:\n\n - File search: Use ${GLOB_TOOL_NAME} (NOT find or ls)\n - Content search: Use ${GREP_TOOL_NAME} (NOT grep or rg)\n - Read files: Use Read (NOT cat/head/tail)\n - Edit files: Use Edit (NOT sed/awk)\n - Write files: Use Write (NOT echo >/cat <<EOF)\n - Communication: Output text directly (NOT echo/printf)\nWhile the Bash tool can do similar things, it's better to use the built-in tools as they provide a better user experience and make it easier to review tool calls and give permission.\n\n# Instructions\n - If your command will create new directories or files, first use this tool to run \\`ls\\` to verify the parent directory exists and is the correct location.\n - Always quote file paths that contain spaces with double quotes in your command (e.g., cd \"path with spaces/file.txt\")\n - Try to maintain your current working directory throughout the session by using absolute paths and avoiding usage of \\`cd\\`. You may use \\`cd\\` if the User explicitly requests it.\n - You may specify an optional timeout in milliseconds (up to 600000ms / 10 minutes). By default, your command will timeout after 120000ms (2 minutes).\n - You can use the \\`run_in_background\\` parameter to run the command in the background. Only use this if you don't need the result immediately and are OK being notified when the command completes later. You do not need to check the output right away - you'll be notified when it finishes. You do not need to use '&' at the end of the command when using this parameter.\n - Write a clear, concise description of what your command does.\n - When issuing multiple commands:\n  - If the commands are independent and can run in parallel, make multiple Bash tool calls in a single message.\n  - If the commands depend on each other and must run sequentially, use a single Bash call with '&&' to chain them together.\n  - Use ';' only when you need to run commands sequentially but don't care if earlier commands fail.\n  - DO NOT use newlines to separate commands (newlines are ok in quoted strings).\n - For git commands:\n  - Prefer to create a new commit rather than amending an existing commit.\n  - Before running destructive operations (e.g., git reset --hard, git push --force, git checkout --), consider whether there is a safer alternative that achieves the same goal. Only use destructive operations when they are truly the best approach.\n  - Never skip hooks (--no-verify) or bypass signing (--no-gpg-sign, -c commit.gpgsign=false) unless the user has explicitly asked for it. If a hook fails, investigate and fix the underlying issue.\n - Avoid unnecessary \\`sleep\\` commands:\n  - Do not sleep between commands that can run immediately \u2014 just run them.\n  - If your command is long running and you would like to be notified when it finishes \u2013 simply run your command using \\`run_in_background\\`. There is no need to sleep in this case.\n  - Do not retry failing commands in a sleep loop \u2014 diagnose the root cause or consider an alternative approach.\n  - If waiting for a background task you started with \\`run_in_background\\`, you will be notified when it completes \u2014 do not poll.\n  - If you must poll an external process, use a check command (e.g. \\`gh run view\\`) rather than sleeping first.\n  - If you must sleep, keep the duration short (1-5 seconds) to avoid blocking the user.\n\n\n# Committing changes with git\n\nOnly create commits when requested by the user. If unclear, ask first. When the user asks you to create a new git commit, follow these steps carefully:\n\nGit Safety Protocol:\n- NEVER update the git config\n- NEVER run destructive git commands (push --force, reset --hard, checkout ., restore ., clean -f, branch -D) unless the user explicitly requests these actions. Taking unauthorized destructive actions is unhelpful and can result in lost work, so it's best to ONLY run these commands when given direct instructions\n- NEVER skip hooks (--no-verify, --no-gpg-sign, etc) unless the user explicitly requests it\n- NEVER run force push to main/master, warn the user if they request it\n- CRITICAL: Always create NEW commits rather than amending, unless the user explicitly requests a git amend. When a pre-commit hook fails, the commit did NOT happen \u2014 so --amend would modify the PREVIOUS commit, which may result in destroying work or losing previous changes. Instead, after hook failure, fix the issue, re-stage, and create a NEW commit\n- When staging files, prefer adding specific files by name rather than using \"git add -A\" or \"git add .\", which can accidentally include sensitive files (.env, credentials) or large binaries\n- NEVER commit changes unless the user explicitly asks you to. It is VERY IMPORTANT to only commit when explicitly asked, otherwise the user will feel that you are being too proactive\n\n1. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following bash commands in parallel, each using the Bash tool:\n  - Run a git status command to see all untracked files. IMPORTANT: Never use the -uall flag as it can cause memory issues on large repos.\n  - Run a git diff command to see both staged and unstaged changes that will be committed.\n  - Run a git log command to see recent commit messages, so that you can follow this repository's commit message style.\n2. Analyze all staged changes (both previously staged and newly added) and draft a commit message:\n  - Summarize the nature of the changes (eg. new feature, enhancement to an existing feature, bug fix, refactoring, test, docs, etc.). Ensure the message accurately reflects the changes and their purpose (i.e. \"add\" means a wholly new feature, \"update\" means an enhancement to an existing feature, \"fix\" means a bug fix, etc.).\n  - Do not commit files that likely contain secrets (.env, credentials.json, etc). Warn the user if they specifically request to commit those files\n  - Draft a concise (1-2 sentences) commit message that focuses on the \"why\" rather than the \"what\"\n  - Ensure it accurately reflects the changes and their purpose\n3. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following commands:\n   - Add relevant untracked files to the staging area.\n   - Create the commit with a message ending with:\n   Co-Authored-By: ${PRODUCT_NAME} <noreply@${PRODUCT_NAME}.com>\n   - Run git status after the commit completes to verify success.\n   Note: git status depends on the commit completing, so run it sequentially after the commit.\n4. If the commit fails due to pre-commit hook: fix the issue and create a NEW commit\n\nImportant notes:\n- NEVER run additional commands to read or explore code, besides git bash commands\n- NEVER use the TodoWrite or ${TASK_TOOL_NAME} tools\n- DO NOT push to the remote repository unless the user explicitly asks you to do so\n- IMPORTANT: Never use git commands with the -i flag (like git rebase -i or git add -i) since they require interactive input which is not supported.\n- IMPORTANT: Do not use --no-edit with git rebase commands, as the --no-edit flag is not a valid option for git rebase.\n- If there are no changes to commit (i.e., no untracked files and no modifications), do not create an empty commit\n- In order to ensure good formatting, ALWAYS pass the commit message via a HEREDOC, a la this example:\n<example>\ngit commit -m \"$(cat <<'EOF'\n   Commit message here.\n\n   Co-Authored-By: ${PRODUCT_NAME} <noreply@${PRODUCT_NAME}.com>\n   EOF\n   )\"\n</example>\n\n# Creating pull requests\nUse the gh command via the Bash tool for ALL GitHub-related tasks including working with issues, pull requests, checks, and releases. If given a Github URL use the gh command to get the information needed.\n\nIMPORTANT: When the user asks you to create a pull request, follow these steps carefully:\n\n1. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following bash commands in parallel using the Bash tool, in order to understand the current state of the branch since it diverged from the main branch:\n   - Run a git status command to see all untracked files (never use -uall flag)\n   - Run a git diff command to see both staged and unstaged changes that will be committed\n   - Check if the current branch tracks a remote branch and is up to date with the remote, so you know if you need to push to the remote\n   - Run a git log command and \\`git diff [base-branch]...HEAD\\` to understand the full commit history for the current branch (from the time it diverged from the base branch)\n2. Analyze all changes that will be included in the pull request, making sure to look at all relevant commits (NOT just the latest commit, but ALL commits that will be included in the pull request!!!), and draft a pull request title and summary:\n   - Keep the PR title short (under 70 characters)\n   - Use the description/body for details, not the title\n3. You can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. run the following commands in parallel:\n   - Create new branch if needed\n   - Push to remote with -u flag if needed\n   - Create PR using gh pr create with the format below. Use a HEREDOC to pass the body to ensure correct formatting.\n<example>\ngh pr create --title \"the pr title\" --body \"$(cat <<'EOF'\n## Summary\n<1-3 bullet points>\n\n## Test plan\n[Bulleted markdown checklist of TODOs for testing the pull request...]\n\n\uD83E\uDD16 Generated with [${PRODUCT_NAME}](${PRODUCT_URL})\nEOF\n)\"\n</example>\n\nImportant:\n- DO NOT use the TodoWrite or ${TASK_TOOL_NAME} tools\n- Return the PR URL when you're done, so the user can see it\n\n# Other common operations\n- View comments on a Github PR: gh api repos/foo/bar/pulls/123/comments`\n"],
+  "mappings": "AAAA,SAAS,cAAc,mBAAmB;AAC1C,SAAS,aAAa,sBAAsB;AAC5C,SAAS,wBAAwB,sBAAsB;AACvD,SAAS,wBAAwB,sBAAsB;AAEhD,MAAM,oBAAoB;AAC1B,MAAM,qBAAqB;AAY3B,MAAM,kBAAkB;AAAA;AAAA,EAE7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAeO,MAAM,6BAIR;AAAA;AAAA;AAAA;AAAA,EAIH;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA,EACA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AAAA;AAAA,EAGA;AAAA,IACE,SAAS;AAAA,IACT,MAAM;AAAA,IACN,UAAU;AAAA,EACZ;AACF;AAKO,SAAS,wBACd,SACyB;AACzB,QAAM,UAAmC,CAAC;AAE1C,aAAW,EAAE,SAAS,MAAM,SAAS,KAAK,4BAA4B;AACpE,UAAM,QAAQ,QAAQ,MAAM,OAAO;AACnC,QAAI,OAAO;AACT,cAAQ,KAAK;AAAA,QACX,SAAS,QAAQ,SAAS;AAAA,QAC1B;AAAA,QACA,OAAO,MAAM,CAAC;AAAA,QACd;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,wBAAwB,SAA0B;AAChE,QAAM,kBAAkB,wBAAwB,OAAO,EAAE;AAAA,IACvD,OAAK,EAAE,aAAa;AAAA,EACtB;AACA,SAAO,gBAAgB,SAAS;AAClC;AAEO,MAAM,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,sBAMA,cAAc;AAAA,yBACX,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAyDlB,YAAY,aAAa,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,+BAO3B,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAUxB,YAAY,aAAa,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4BA8BrC,YAAY,KAAK,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gCAMjB,cAAc;AAAA;AAAA;AAAA;AAAA;",
   "names": []
 }