@wrongstack/core 0.276.3 → 0.277.0

Files changed (68)
  1. package/dist/{agent-bridge-D7A-eu3C.d.ts → agent-bridge-BFJ2ODzI.d.ts} +1 -1
  2. package/dist/{agent-subagent-runner-CEuw4ATz.d.ts → agent-subagent-runner-BimKihiC.d.ts} +7 -7
  3. package/dist/{brain-BLOyN5ZP.d.ts → brain-CCfuEOdp.d.ts} +1 -1
  4. package/dist/{compactor-DcBpaJsI.d.ts → compactor-D3BGw26y.d.ts} +1 -1
  5. package/dist/{config-Bf5mj-ad.d.ts → config-DAOjriz9.d.ts} +1 -1
  6. package/dist/{context-CLnUMW5g.d.ts → context-DPlA6kid.d.ts} +5 -6
  7. package/dist/coordination/index.d.ts +17 -17
  8. package/dist/coordination/index.js +38 -14
  9. package/dist/coordination/index.js.map +1 -1
  10. package/dist/defaults/index.d.ts +27 -27
  11. package/dist/defaults/index.js +96 -53
  12. package/dist/defaults/index.js.map +1 -1
  13. package/dist/execution/index.d.ts +15 -15
  14. package/dist/execution/index.js +13 -1
  15. package/dist/execution/index.js.map +1 -1
  16. package/dist/execution/prompt-enhancer.d.ts +1 -1
  17. package/dist/extension/index.d.ts +6 -6
  18. package/dist/{global-mailbox-Iqfkgmwu.d.ts → global-mailbox-Dr4cTKqL.d.ts} +1 -1
  19. package/dist/{goal-store-DGb6b5Ed.d.ts → goal-store-C1uH4srH.d.ts} +1 -1
  20. package/dist/hq/index.d.ts +5 -5
  21. package/dist/{index-Cn0NOshr.d.ts → index-DJXj-dcr.d.ts} +5 -5
  22. package/dist/{index-L4RZN9jJ.d.ts → index-cMEmzCVN.d.ts} +23 -5
  23. package/dist/index.d.ts +41 -41
  24. package/dist/index.js +139 -71
  25. package/dist/index.js.map +1 -1
  26. package/dist/infrastructure/index.d.ts +6 -6
  27. package/dist/infrastructure/index.js +4 -1
  28. package/dist/infrastructure/index.js.map +1 -1
  29. package/dist/kernel/index.d.ts +11 -11
  30. package/dist/{mcp-servers-CuZGf9fI.d.ts → mcp-servers-CFb60-pH.d.ts} +3 -3
  31. package/dist/models/index.d.ts +5 -5
  32. package/dist/{models-registry-8XOdxWQu.d.ts → models-registry-5Ufn7f2m.d.ts} +1 -1
  33. package/dist/{multi-agent-coordinator-CiRtKVTk.d.ts → multi-agent-coordinator-CcrcncvG.d.ts} +1 -1
  34. package/dist/{null-fleet-bus-d9G-bVy9.d.ts → null-fleet-bus-C9KsYyrI.d.ts} +13 -6
  35. package/dist/observability/index.d.ts +2 -2
  36. package/dist/{path-resolver-BhIb6mtd.d.ts → path-resolver-CEeX9I7O.d.ts} +3 -3
  37. package/dist/{permission-BCbQDR2s.d.ts → permission-DbsGOA1C.d.ts} +7 -6
  38. package/dist/{permission-policy-C0ikndX_.d.ts → permission-policy-BpEea3r7.d.ts} +12 -14
  39. package/dist/{pipeline-Dl6XbfE7.d.ts → pipeline-CEjBjzVA.d.ts} +2 -2
  40. package/dist/{provider-model-resolve-B70epO19.d.ts → provider-model-resolve-BpfXp3Jj.d.ts} +3 -3
  41. package/dist/{provider-runner-DZ808MSM.d.ts → provider-runner-CnOSr5BN.d.ts} +3 -3
  42. package/dist/{retry-policy-Dt3_z8Aj.d.ts → retry-policy-Git9WF6d.d.ts} +1 -1
  43. package/dist/sdd/index.d.ts +9 -9
  44. package/dist/{secret-vault-BUJ2d1gB.d.ts → secret-vault-DDSMHqIm.d.ts} +1 -1
  45. package/dist/security/index.d.ts +5 -5
  46. package/dist/security/index.js +83 -45
  47. package/dist/security/index.js.map +1 -1
  48. package/dist/{selector-BCkWgdwy.d.ts → selector-Cq72C0Oy.d.ts} +1 -1
  49. package/dist/{session-event-bridge-CMvIO59_.d.ts → session-event-bridge-DG94B3Bk.d.ts} +1 -1
  50. package/dist/{session-reader-C8aiChUu.d.ts → session-reader-BzT-iMQT.d.ts} +1 -1
  51. package/dist/storage/index.d.ts +11 -11
  52. package/dist/{strategy-compactor-DI1OHVbB.d.ts → strategy-compactor-Bt_ZH6R0.d.ts} +10 -10
  53. package/dist/{todos-checkpoint-Ddd2CGr0.d.ts → todos-checkpoint-CH1pcua9.d.ts} +5 -5
  54. package/dist/{tool-executor-Bmd5Ygoo.d.ts → tool-executor-SVFq7IOR.d.ts} +9 -9
  55. package/dist/tools/index.d.ts +2 -2
  56. package/dist/tools/index.js +5 -6
  57. package/dist/tools/index.js.map +1 -1
  58. package/dist/types/index.d.ts +19 -19
  59. package/dist/types/index.js +13 -1
  60. package/dist/types/index.js.map +1 -1
  61. package/dist/utils/index.d.ts +17 -3
  62. package/dist/utils/index.js +5 -1
  63. package/dist/utils/index.js.map +1 -1
  64. package/dist/{worktree-manager-DBdl_5rs.d.ts → worktree-manager-C4YIf1Fa.d.ts} +1 -1
  65. package/instructions/leader-after-task.md +6 -0
  66. package/package.json +2 -2
  67. package/skills/output-standards/SKILL.md +1 -0
  68. package/skills/research-web/SKILL.md +1 -1
@@ -1,20 +1,20 @@
1
- import { T as Token, a as Renderer, S as SystemPromptBuilder, H as HookRegistry } from '../pipeline-Dl6XbfE7.js';
2
- export { d as BindOptions, C as Container, D as Decorator, F as Factory, b as Middleware, M as MiddlewareHandler, N as NextFn, P as Pipeline, e as PipelineOptions } from '../pipeline-Dl6XbfE7.js';
3
- import { c as MemoryStore, B as BrainArbiter } from '../brain-BLOyN5ZP.js';
4
- export { E as EventBus, m as EventLogger, n as EventMap, a as EventName, L as Listener, v as ScopedEventBus } from '../brain-BLOyN5ZP.js';
5
- import { C as Compactor } from '../compactor-DcBpaJsI.js';
6
- import { j as ConfigLoader, l as ConfigStore, M as ModelsRegistry } from '../config-Bf5mj-ad.js';
7
- import { E as ErrorHandler, R as RetryPolicy } from '../retry-policy-Dt3_z8Aj.js';
1
+ import { T as Token, a as Renderer, S as SystemPromptBuilder, H as HookRegistry } from '../pipeline-CEjBjzVA.js';
2
+ export { d as BindOptions, C as Container, D as Decorator, F as Factory, b as Middleware, M as MiddlewareHandler, N as NextFn, P as Pipeline, e as PipelineOptions } from '../pipeline-CEjBjzVA.js';
3
+ import { c as MemoryStore, B as BrainArbiter } from '../brain-CCfuEOdp.js';
4
+ export { E as EventBus, m as EventLogger, n as EventMap, a as EventName, L as Listener, v as ScopedEventBus } from '../brain-CCfuEOdp.js';
5
+ import { C as Compactor } from '../compactor-D3BGw26y.js';
6
+ import { j as ConfigLoader, l as ConfigStore, M as ModelsRegistry } from '../config-DAOjriz9.js';
7
+ import { E as ErrorHandler, R as RetryPolicy } from '../retry-policy-Git9WF6d.js';
8
8
  import { I as InputReader } from '../input-reader-E-ffP2ee.js';
9
9
  import { L as Logger } from '../logger-B63L5bTg.js';
10
10
  import { M as ModeStore } from '../mode-CZlO9iU1.js';
11
11
  import { P as PathResolver } from '../path-resolver-CPRj4bFY.js';
12
- import { P as PermissionPolicy, S as SecretScrubber } from '../permission-BCbQDR2s.js';
13
- import { P as ProviderRunner } from '../provider-runner-DZ808MSM.js';
14
- import { e as TokenCounter, k as SessionStore } from '../context-CLnUMW5g.js';
12
+ import { P as PermissionPolicy, S as SecretScrubber } from '../permission-DbsGOA1C.js';
13
+ import { P as ProviderRunner } from '../provider-runner-CnOSr5BN.js';
14
+ import { e as TokenCounter, k as SessionStore } from '../context-DPlA6kid.js';
15
15
  import { P as PromptLoader } from '../prompt-DLd35n4Q.js';
16
16
  import { S as SkillLoader } from '../skill-DGIXCtdv.js';
17
- import { W as WorktreeManager } from '../worktree-manager-DBdl_5rs.js';
17
+ import { W as WorktreeManager } from '../worktree-manager-C4YIf1Fa.js';
18
18
  import '../mailbox-types-DTl7bRH3.js';
19
19
  import '../observability-D-HZN_mF.js';
20
20
 
@@ -1,6 +1,6 @@
1
- import { C as Compactor } from './compactor-DcBpaJsI.js';
2
- import { M as Message, T as Tool } from './context-CLnUMW5g.js';
3
- import { c as MCPServerConfig } from './config-Bf5mj-ad.js';
1
+ import { C as Compactor } from './compactor-D3BGw26y.js';
2
+ import { M as Message, T as Tool } from './context-DPlA6kid.js';
3
+ import { c as MCPServerConfig } from './config-DAOjriz9.js';
4
4
 
5
5
  type ContextManagerAction = 'check' | 'summary' | 'prune' | 'add_note' | 'compact' | 'repair';
6
6
  interface ContextManagerInput {
@@ -1,8 +1,8 @@
1
- export { D as DefaultModelsRegistry, a as DefaultModelsRegistryOptions, c as classifyFamily } from '../models-registry-8XOdxWQu.js';
2
- export { C as CODEX_MODELS, a as CodexModelMeta, D as DefaultModeStore, L as LLMSelector, b as LLMSelectorOptions, M as ModeLoaderOptions, P as ProviderModelDescriptor, c as codexModelMeta, d as describeCatalogModel, l as loadProjectModes, e as loadUserModes, r as resolveProviderModelList } from '../provider-model-resolve-B70epO19.js';
3
- import { d as ModelMatrixEntry, P as ProviderConfig } from '../config-Bf5mj-ad.js';
4
- import '../context-CLnUMW5g.js';
5
- import '../selector-BCkWgdwy.js';
1
+ export { D as DefaultModelsRegistry, a as DefaultModelsRegistryOptions, c as classifyFamily } from '../models-registry-5Ufn7f2m.js';
2
+ export { C as CODEX_MODELS, a as CodexModelMeta, D as DefaultModeStore, L as LLMSelector, b as LLMSelectorOptions, M as ModeLoaderOptions, P as ProviderModelDescriptor, c as codexModelMeta, d as describeCatalogModel, l as loadProjectModes, e as loadUserModes, r as resolveProviderModelList } from '../provider-model-resolve-BpfXp3Jj.js';
3
+ import { d as ModelMatrixEntry, P as ProviderConfig } from '../config-DAOjriz9.js';
4
+ import '../context-DPlA6kid.js';
5
+ import '../selector-Cq72C0Oy.js';
6
6
  import '../mode-CZlO9iU1.js';
7
7
 
8
8
  /**
@@ -1,4 +1,4 @@
1
- import { M as ModelsRegistry, a as ModelsDevPayload, R as ResolvedProvider, b as ResolvedModel, W as WireFamily } from './config-Bf5mj-ad.js';
1
+ import { M as ModelsRegistry, a as ModelsDevPayload, R as ResolvedProvider, b as ResolvedModel, W as WireFamily } from './config-DAOjriz9.js';
2
2
 
3
3
  interface DefaultModelsRegistryOptions {
4
4
  cacheFile: string;
@@ -1,4 +1,4 @@
1
- import { S as SubagentConfig, M as MultiAgentCoordinator, c as MultiAgentConfig, d as SubagentRunner, e as BudgetSessionIdSource, F as FleetBus, f as SpawnResult, T as TaskSpec, a as BridgeMessage, A as AgentBridge, C as CoordinatorStatus, g as TaskResult } from './agent-subagent-runner-CEuw4ATz.js';
1
+ import { S as SubagentConfig, M as MultiAgentCoordinator, c as MultiAgentConfig, d as SubagentRunner, e as BudgetSessionIdSource, F as FleetBus, f as SpawnResult, T as TaskSpec, a as BridgeMessage, A as AgentBridge, C as CoordinatorStatus, g as TaskResult } from './agent-subagent-runner-BimKihiC.js';
2
2
  import { EventEmitter } from 'node:events';
3
3
 
4
4
  /**
@@ -1,12 +1,12 @@
1
- import { A as AgentPhase, b as AgentDefinition, a as DefaultMultiAgentCoordinator, D as DispatchClassifier } from './multi-agent-coordinator-CiRtKVTk.js';
2
- import { F as FleetBus, j as FleetUsage, S as SubagentConfig, k as FleetUsageAggregator, g as TaskResult, C as CoordinatorStatus, T as TaskSpec, c as MultiAgentConfig, d as SubagentRunner } from './agent-subagent-runner-CEuw4ATz.js';
3
- import { b as SessionWriter, T as Tool, k as SessionStore } from './context-CLnUMW5g.js';
4
- import { B as BrainArbiter, E as EventBus } from './brain-BLOyN5ZP.js';
1
+ import { A as AgentPhase, b as AgentDefinition, a as DefaultMultiAgentCoordinator, D as DispatchClassifier } from './multi-agent-coordinator-CcrcncvG.js';
2
+ import { F as FleetBus, j as FleetUsage, S as SubagentConfig, k as FleetUsageAggregator, g as TaskResult, C as CoordinatorStatus, T as TaskSpec, c as MultiAgentConfig, d as SubagentRunner } from './agent-subagent-runner-BimKihiC.js';
3
+ import { b as SessionWriter, T as Tool, k as SessionStore } from './context-DPlA6kid.js';
4
+ import { B as BrainArbiter, E as EventBus } from './brain-CCfuEOdp.js';
5
5
  import { EventEmitter } from 'node:events';
6
6
  import { L as Logger } from './logger-B63L5bTg.js';
7
7
  import { D as DirectorStateSnapshot } from './director-state-BfeCUbmk.js';
8
- import { d as ModelMatrixEntry } from './config-Bf5mj-ad.js';
9
- import { I as InMemoryAgentBridge } from './agent-bridge-D7A-eu3C.js';
8
+ import { d as ModelMatrixEntry } from './config-DAOjriz9.js';
9
+ import { I as InMemoryAgentBridge } from './agent-bridge-BFJ2ODzI.js';
10
10
 
11
11
  /**
12
12
  * Alert levels the Director can emit when a collab session needs attention.
@@ -518,6 +518,8 @@ declare class FleetManager implements IFleetManager {
518
518
  private readonly stateCheckpoint;
519
519
  private readonly sessionWriter;
520
520
  private manifestTimer;
521
+ private manifestWriteChain;
522
+ private disposed;
521
523
  private readonly manifestDebounceMs;
522
524
  /** Fleet-wide cost cap. Infinity = no cap. Distinct from SubagentBudget limits,
523
525
  * which track per-subagent spend — this field caps the entire fleet total. */
@@ -600,6 +602,7 @@ declare class FleetManager implements IFleetManager {
600
602
  cacheWrite?: number | undefined;
601
603
  }): void;
602
604
  writeManifest(): Promise<string | null>;
605
+ private writeManifestNow;
603
606
  /**
604
607
  * Attach task ids to an already-spawned subagent. Called by
605
608
  * `Director.assign()` after the coordinator assigns a task.
@@ -616,6 +619,7 @@ declare class FleetManager implements IFleetManager {
616
619
  * Clears any pending debounce timer before writing.
617
620
  */
618
621
  flushManifest(): Promise<void>;
622
+ private clearManifestTimer;
619
623
  /** Best-effort session event writer. Swallows failures. */
620
624
  private appendSessionEvent;
621
625
  addPendingTask(taskId: string, subagentId: string, description: string): void;
@@ -1110,6 +1114,7 @@ declare class Director implements ICoordinator {
1110
1114
  private readonly sessionIdSource;
1111
1115
  /** Debounce timer for periodic manifest writes. */
1112
1116
  private manifestTimer;
1117
+ private manifestWriteChain;
1113
1118
  private readonly manifestDebounceMs;
1114
1119
  /** Fleet-wide cost cap (entire fleet total, distinct from SubagentBudget limits). Infinity means no cap. */
1115
1120
  private readonly maxFleetCostUsd;
@@ -1264,6 +1269,7 @@ declare class Director implements ICoordinator {
1264
1269
  * collapses into one write. Set `manifestDebounceMs` to 0 to write
1265
1270
  * synchronously (no debounce); set to negative to disable entirely. */
1266
1271
  private scheduleManifest;
1272
+ private clearManifestTimer;
1267
1273
  /**
1268
1274
  * Spawn a subagent. Identical to the coordinator's `spawn()` but
1269
1275
  * captures provider/model metadata for the usage aggregator and
@@ -1312,6 +1318,7 @@ declare class Director implements ICoordinator {
1312
1318
  * replay an entire director run.
1313
1319
  */
1314
1320
  writeManifest(): Promise<string | null>;
1321
+ private writeManifestNow;
1315
1322
  /**
1316
1323
  * Tear down the director: stop every subagent, close every bridge
1317
1324
  * endpoint, and (when configured) write the final manifest. Idempotent
@@ -1,6 +1,6 @@
1
1
  import { M as MetricsSink, d as MetricLabels, f as MetricsSnapshot, H as HealthRegistry, a as HealthCheck, A as AggregateHealth, T as Tracer, S as Span } from '../observability-D-HZN_mF.js';
2
- import { E as EventBus } from '../brain-BLOyN5ZP.js';
3
- import '../context-CLnUMW5g.js';
2
+ import { E as EventBus } from '../brain-CCfuEOdp.js';
3
+ import '../context-DPlA6kid.js';
4
4
 
5
5
  /**
6
6
  * In-memory metrics sink. Suitable for embedded use, tests, and /metrics
@@ -1,6 +1,6 @@
1
- import { E as EventBus } from './brain-BLOyN5ZP.js';
2
- import { M as ModelsRegistry, b as ResolvedModel } from './config-Bf5mj-ad.js';
3
- import { e as TokenCounter, U as Usage, f as CacheStats } from './context-CLnUMW5g.js';
1
+ import { E as EventBus } from './brain-CCfuEOdp.js';
2
+ import { M as ModelsRegistry, b as ResolvedModel } from './config-DAOjriz9.js';
3
+ import { e as TokenCounter, U as Usage, f as CacheStats } from './context-DPlA6kid.js';
4
4
  import { P as PathResolver } from './path-resolver-CPRj4bFY.js';
5
5
 
6
6
  /**
@@ -1,4 +1,4 @@
1
- import { T as Tool, C as Context, h as Permission } from './context-CLnUMW5g.js';
1
+ import { T as Tool, C as Context, h as Permission } from './context-DPlA6kid.js';
2
2
 
3
3
  interface SecretScrubber {
4
4
  scrub(text: string): string;
@@ -43,8 +43,9 @@ interface PermissionPolicy {
43
43
  pattern: string;
44
44
  }): void;
45
45
  /**
46
- * Auto-approve this tool+pattern for the remainder of the session (no persistence).
47
- * Used when user presses 'y' prevents LLM retry from re-triggering confirm.
46
+ * Auto-approve this tool+pattern once (no persistence). Used when user
47
+ * presses 'y' so the immediate confirmed re-run can proceed without making
48
+ * future destructive calls silent.
48
49
  */
49
50
  allowOnce(rule: {
50
51
  tool: string;
@@ -55,13 +56,13 @@ interface PermissionPolicy {
55
56
  getYolo?(): boolean;
56
57
  /** Optional runtime setter for policies that support leader YOLO toggling. */
57
58
  setYolo?(enabled: boolean): void;
58
- /** Optional runtime query for the destructive YOLO override. */
59
+ /** Optional runtime query for the deprecated destructive YOLO override. */
59
60
  getYoloDestructive?(): boolean;
60
- /** Optional runtime setter for the destructive YOLO override. */
61
+ /** Optional runtime setter for the deprecated destructive YOLO override. */
61
62
  setYoloDestructive?(enabled: boolean): void;
62
63
  /** Query whether destructive-operation confirmation gate is active. */
63
64
  getConfirmDestructive?(): boolean;
64
- /** Enable/disable destructive-operation confirmation (only meaningful in yolo mode). */
65
+ /** Compatibility setter; current default policy keeps the gate enabled in YOLO mode. */
65
66
  setConfirmDestructive?(enabled: boolean): void;
66
67
  /** Set the prompt delegate (optional). */
67
68
  setPromptDelegate?(delegate: ((tool: Tool, input: unknown, suggestedPattern: string) => Promise<'yes' | 'no' | 'always' | 'deny'>) | undefined): void;
@@ -1,23 +1,20 @@
1
- import { T as Tool, C as Context } from './context-CLnUMW5g.js';
1
+ import { T as Tool, C as Context } from './context-DPlA6kid.js';
2
2
  import { I as InputReader } from './input-reader-E-ffP2ee.js';
3
- import { P as PermissionPolicy, a as PermissionDecision } from './permission-BCbQDR2s.js';
3
+ import { P as PermissionPolicy, a as PermissionDecision } from './permission-DbsGOA1C.js';
4
4
 
5
5
  interface PermissionPolicyOptions {
6
6
  trustFile: string;
7
7
  yolo?: boolean | undefined;
8
8
  /**
9
- * When true, YOLO mode auto-approves even destructive calls without confirm.
10
- * @deprecated YOLO now auto-approves everything by default. Use `confirmDestructive`
11
- * to opt back into destructive-operation confirmation prompts.
9
+ * @deprecated Kept for CLI compatibility only. YOLO no longer bypasses
10
+ * destructive-operation confirmation.
12
11
  */
13
12
  yoloDestructive?: boolean | undefined;
14
13
  /** @deprecated Use `yoloDestructive`. */
15
14
  forceAllYolo?: boolean | undefined;
16
15
  /**
17
- * When true AND yolo is true, destructive operations still require confirmation.
18
- * This is the opt-in safety net: set this if you want YOLO for normal work but
19
- * explicit approval for `rm -rf`, project-escaping writes, etc.
20
- * Has no effect when yolo is false (normal permission flow applies).
16
+ * @deprecated Destructive confirmation is always enabled in YOLO mode.
17
+ * Kept for compatibility with older callers.
21
18
  */
22
19
  confirmDestructive?: boolean | undefined;
23
20
  promptDelegate?: (tool: Tool, input: unknown, suggestedPattern: string) => Promise<'yes' | 'no' | 'always' | 'deny'>;
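Review bot: The context line for `forceAllYolo` still reads `@deprecated Use `yoloDestructive`.`, but this hunk makes `yoloDestructive` itself a compatibility-only option, so the guidance now sends callers to another deprecated setting. I would reword it to match, e.g. `/** @deprecated Kept for compatibility only, like `yoloDestructive`; does not bypass destructive-operation confirmation. */`. The interface body continues outside the hunk.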
@@ -40,9 +37,10 @@ declare class DefaultPermissionPolicy implements PermissionPolicy {
40
37
  */
41
38
  private sessionDenied;
42
39
  /**
43
- * Session-scoped "soft trust" map. When the user presses 'a' (allow once),
44
- * the tool+pattern is added here. If the LLM retries in the same session,
45
- * we return auto directly without asking again.
40
+ * Session-scoped one-shot "soft trust" map. When the user presses 'y', the
41
+ * tool+pattern is added here so the immediate confirm re-run can proceed.
42
+ * The entry is consumed on first use; future calls must ask again unless the
43
+ * user chose persistent trust.
46
44
  *
47
45
  * Cleared on reload().
48
46
  */
@@ -94,7 +92,7 @@ declare class DefaultPermissionPolicy implements PermissionPolicy {
94
92
  /** Check whether the destructive YOLO override is active. */
95
93
  getYoloDestructive(): boolean;
96
94
  /** Toggle destructive confirmation gate (only meaningful when yolo is active). */
97
- setConfirmDestructive(enabled: boolean): void;
95
+ setConfirmDestructive(_enabled: boolean): void;
98
96
  /** Check whether destructive confirmation gate is active. */
99
97
  getConfirmDestructive(): boolean;
100
98
  reload(): Promise<void>;
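Review bot: The doc comment on the context line above `setConfirmDestructive(_enabled: boolean)` still says "Toggle destructive confirmation gate (only meaningful when yolo is active)", while the renamed `_enabled` parameter signals that the argument is now ignored. A caller reading the declaration would still expect `setConfirmDestructive(false)` to turn the gate off. Suggest `/** Compatibility no-op: the destructive confirmation gate stays enabled; the argument is ignored. */`. The same stale comment sits above the setter in the later dist JS hunk that rewrites `setConfirmDestructive(_enabled)`.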
@@ -115,7 +113,7 @@ declare class DefaultPermissionPolicy implements PermissionPolicy {
115
113
  tool: string;
116
114
  pattern: string;
117
115
  }): void;
118
- /** Auto-approve this tool+pattern for the rest of this session (no trust file). */
116
+ /** Auto-approve this tool+pattern once (no trust file). */
119
117
  allowOnce(rule: {
120
118
  tool: string;
121
119
  pattern: string;
@@ -1,6 +1,6 @@
1
- import { T as Tool, r as TextBlock, i as ContentBlock } from './context-CLnUMW5g.js';
1
+ import { T as Tool, r as TextBlock, i as ContentBlock } from './context-DPlA6kid.js';
2
2
  import { a as MailboxAgentStatus } from './mailbox-types-DTl7bRH3.js';
3
- import { H as HookEvent, f as HookMatcher, I as InProcessHook, S as ShellHook, g as HookEntry, T as ToolResultRenderMode } from './config-Bf5mj-ad.js';
3
+ import { H as HookEvent, f as HookMatcher, I as InProcessHook, S as ShellHook, g as HookEntry, T as ToolResultRenderMode } from './config-DAOjriz9.js';
4
4
 
5
5
  /** Model capabilities relevant to prompt composition. */
6
6
  interface ModelCapabilities {
@@ -1,7 +1,7 @@
1
- import { P as Provider, M as Message } from './context-CLnUMW5g.js';
2
- import { M as MessageSelector, S as SelectorResult } from './selector-BCkWgdwy.js';
1
+ import { P as Provider, M as Message } from './context-DPlA6kid.js';
2
+ import { M as MessageSelector, S as SelectorResult } from './selector-Cq72C0Oy.js';
3
3
  import { M as ModeStore, a as ModeConfig, b as Mode } from './mode-CZlO9iU1.js';
4
- import { e as ModelsDevModel, R as ResolvedProvider } from './config-Bf5mj-ad.js';
4
+ import { e as ModelsDevModel, R as ResolvedProvider } from './config-DAOjriz9.js';
5
5
 
6
6
  /**
7
7
  * Offline **floor** for the ChatGPT "Sign in with ChatGPT" (`openai-codex`)
@@ -1,8 +1,8 @@
1
- import { E as EventBus } from './brain-BLOyN5ZP.js';
1
+ import { E as EventBus } from './brain-CCfuEOdp.js';
2
2
  import { L as Logger } from './logger-B63L5bTg.js';
3
3
  import { T as Tracer } from './observability-D-HZN_mF.js';
4
- import { P as Provider, c as Request, C as Context, d as Response } from './context-CLnUMW5g.js';
5
- import { R as RetryPolicy } from './retry-policy-Dt3_z8Aj.js';
4
+ import { P as Provider, c as Request, C as Context, d as Response } from './context-DPlA6kid.js';
5
+ import { R as RetryPolicy } from './retry-policy-Git9WF6d.js';
6
6
 
7
7
  /**
8
8
  * Options passed to a ProviderRunner when calling the provider.
@@ -1,4 +1,4 @@
1
- import { C as Context, d as Response, g as ProviderError } from './context-CLnUMW5g.js';
1
+ import { C as Context, d as Response, g as ProviderError } from './context-DPlA6kid.js';
2
2
 
3
3
  type RecoveryDecision = {
4
4
  /**
@@ -1,17 +1,17 @@
1
1
  import { h as Specification, e as SpecStatus, S as SpecAnalysis, g as SpecValidationResult, f as SpecTemplate, b as SpecRequirement } from '../spec-TBi3Jr6T.js';
2
2
  import { d as TaskGraph, e as TaskNode, i as TaskFilter, j as TaskSort, c as TaskProgress, T as TaskType, a as TaskPriority } from '../task-graph-u1q9Jkyk.js';
3
- import { E as EventBus, B as BrainArbiter } from '../brain-BLOyN5ZP.js';
4
- import { h as Agent, i as AgentFactory, g as TaskResult, D as DoneCondition } from '../agent-subagent-runner-CEuw4ATz.js';
5
- import { W as WorktreeManager } from '../worktree-manager-DBdl_5rs.js';
6
- import '../context-CLnUMW5g.js';
7
- import '../index-Cn0NOshr.js';
3
+ import { E as EventBus, B as BrainArbiter } from '../brain-CCfuEOdp.js';
4
+ import { h as Agent, i as AgentFactory, g as TaskResult, D as DoneCondition } from '../agent-subagent-runner-BimKihiC.js';
5
+ import { W as WorktreeManager } from '../worktree-manager-C4YIf1Fa.js';
6
+ import '../context-DPlA6kid.js';
7
+ import '../index-DJXj-dcr.js';
8
8
  import '../logger-B63L5bTg.js';
9
- import '../pipeline-Dl6XbfE7.js';
9
+ import '../pipeline-CEjBjzVA.js';
10
10
  import '../mailbox-types-DTl7bRH3.js';
11
- import '../config-Bf5mj-ad.js';
11
+ import '../config-DAOjriz9.js';
12
12
  import '../observability-D-HZN_mF.js';
13
- import '../permission-BCbQDR2s.js';
14
- import '../retry-policy-Dt3_z8Aj.js';
13
+ import '../permission-DbsGOA1C.js';
14
+ import '../retry-policy-Git9WF6d.js';
15
15
 
16
16
  interface TaskStore {
17
17
  saveGraph(graph: TaskGraph): Promise<void>;
@@ -1,4 +1,4 @@
1
- import { S as SecretScrubber } from './permission-BCbQDR2s.js';
1
+ import { S as SecretScrubber } from './permission-DbsGOA1C.js';
2
2
  import { L as Logger } from './logger-B63L5bTg.js';
3
3
  import { R as RotatableSecretVault, S as SecretVault } from './secret-vault-BAKpgFw_.js';
4
4
 
@@ -1,8 +1,8 @@
1
- export { a as DefaultSecretScrubber, D as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, i as isSecretField, m as migratePlaintextSecrets, r as rewriteConfigEncrypted, b as rotateConfigKeys } from '../secret-vault-BUJ2d1gB.js';
2
- export { A as AutoApprovePermissionPolicy, D as DefaultPermissionPolicy, P as PermissionPolicyOptions } from '../permission-policy-C0ikndX_.js';
3
- export { D as DANGEROUS_FOR_SUBAGENTS, T as ToolCapabilities, a as ToolCapability, g as getDangerousCapabilities, h as hasCapability, b as hasDangerousCapabilityForSubagents } from '../index-L4RZN9jJ.js';
4
- import '../permission-BCbQDR2s.js';
5
- import '../context-CLnUMW5g.js';
1
+ export { a as DefaultSecretScrubber, D as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, i as isSecretField, m as migratePlaintextSecrets, r as rewriteConfigEncrypted, b as rotateConfigKeys } from '../secret-vault-DDSMHqIm.js';
2
+ export { A as AutoApprovePermissionPolicy, D as DefaultPermissionPolicy, P as PermissionPolicyOptions } from '../permission-policy-BpEea3r7.js';
3
+ export { D as DANGEROUS_FOR_SUBAGENTS, T as ToolCapabilities, a as ToolCapability, g as getDangerousCapabilities, h as hasCapability, b as hasDangerousCapabilityForSubagents } from '../index-cMEmzCVN.js';
4
+ import '../permission-DbsGOA1C.js';
5
+ import '../context-DPlA6kid.js';
6
6
  import '../logger-B63L5bTg.js';
7
7
  import '../secret-vault-BAKpgFw_.js';
8
8
  import '../input-reader-E-ffP2ee.js';
@@ -1101,6 +1101,8 @@ var ToolCapabilities = {
1101
1101
  SHELL_ARBITRARY: "shell.arbitrary",
1102
1102
  /** Can execute a restricted set of commands (the `exec` tool). */
1103
1103
  SHELL_RESTRICTED: "shell.restricted",
1104
+ /** Can run a restricted project formatter/linter-style command. */
1105
+ SHELL_EXEC: "shell.exec",
1104
1106
  /** Can read files inside the project (and possibly outside via symlinks if not guarded). */
1105
1107
  FS_READ: "fs.read",
1106
1108
  /** Can write / modify / delete files inside the project. */
@@ -1109,6 +1111,20 @@ var ToolCapabilities = {
1109
1111
  FS_WRITE_OUTSIDE_PROJECT: "fs.write.outside-project",
1110
1112
  /** Can perform outbound network requests. */
1111
1113
  NET_OUTBOUND: "net.outbound",
1114
+ /** Can mutate in-memory session todos only. */
1115
+ SESSION_TODO: "session.todo",
1116
+ /** Can mutate in-memory session mode only. */
1117
+ SESSION_MODE: "session.mode",
1118
+ /** Can inspect registered tool metadata. */
1119
+ TOOL_META: "tool.meta",
1120
+ /** Can invoke arbitrary registered tools through a meta-tool. */
1121
+ TOOL_MUTATE_ANY: "tool.mutate.any",
1122
+ /** Can read persistent memory. */
1123
+ MEMORY_READ: "memory.read",
1124
+ /** Can write persistent memory. */
1125
+ MEMORY_WRITE: "memory.write",
1126
+ /** Can delete persistent memory. */
1127
+ MEMORY_DELETE: "memory.delete",
1112
1128
  /** Proxies tools from external MCP servers (unknown capability). */
1113
1129
  MCP_PROXY: "mcp.proxy",
1114
1130
  /** Can spawn or manage subagents / multi-agent tasks. */
@@ -1127,8 +1143,12 @@ var ToolCapabilities = {
1127
1143
  var DANGEROUS_FOR_SUBAGENTS = [
1128
1144
  ToolCapabilities.SHELL_ARBITRARY,
1129
1145
  ToolCapabilities.SHELL_RESTRICTED,
1146
+ ToolCapabilities.SHELL_EXEC,
1130
1147
  ToolCapabilities.FS_WRITE,
1131
1148
  ToolCapabilities.FS_WRITE_OUTSIDE_PROJECT,
1149
+ ToolCapabilities.TOOL_MUTATE_ANY,
1150
+ ToolCapabilities.MEMORY_WRITE,
1151
+ ToolCapabilities.MEMORY_DELETE,
1132
1152
  ToolCapabilities.MCP_PROXY,
1133
1153
  ToolCapabilities.SUBAGENT_SPAWN,
1134
1154
  ToolCapabilities.CONFIG_MUTATE,
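Review bot: `SESSION_MODE` is introduced in this release next to `SESSION_TODO`, but it is added neither to `DANGEROUS_FOR_SUBAGENTS` here nor to the list edited in the next hunk, whose name is outside the hunk. That second list does gain `SESSION_TODO`, `TOOL_META`, `MEMORY_READ` and `SHELL_EXEC`. If membership in this array is what `hasDangerousCapabilityForSubagents` tests, anything not listed is presumably allowed by default, so the omission should be a recorded decision. A short comment at the array would do, e.g. `// SESSION_MODE, SESSION_TODO, TOOL_META, MEMORY_READ reviewed: not treated as dangerous for subagents`. The array continues past the end of the hunk.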
@@ -1138,8 +1158,12 @@ var DANGEROUS_FOR_SUBAGENTS = [
1138
1158
  ToolCapabilities.FS_READ,
1139
1159
  ToolCapabilities.FS_WRITE,
1140
1160
  ToolCapabilities.NET_OUTBOUND,
1161
+ ToolCapabilities.SESSION_TODO,
1162
+ ToolCapabilities.TOOL_META,
1163
+ ToolCapabilities.MEMORY_READ,
1141
1164
  ToolCapabilities.SHELL_ARBITRARY,
1142
1165
  ToolCapabilities.SHELL_RESTRICTED,
1166
+ ToolCapabilities.SHELL_EXEC,
1143
1167
  ToolCapabilities.PACKAGE_INSTALL
1144
1168
  ];
1145
1169
  function hasDangerousCapabilityForSubagents(toolOrCaps) {
@@ -1284,6 +1308,15 @@ function isClearlyDestructiveBashCommand(command, projectRoot) {
1284
1308
  function matchesTrust(patterns, subject) {
1285
1309
  return patterns.includes(subject) || matchAny(patterns, subject);
1286
1310
  }
1311
+ function shellCommandLineFromInput(input) {
1312
+ const command = getInputString(input, "command") ?? getInputString(input, "cmd") ?? getInputString(input, "script");
1313
+ if (!command) return void 0;
1314
+ if (!input || typeof input !== "object") return command;
1315
+ const args = input["args"];
1316
+ if (!Array.isArray(args) || args.length === 0) return command;
1317
+ const renderedArgs = args.filter((arg) => typeof arg === "string").map((arg) => /\s/.test(arg) ? `"${arg.replace(/"/g, '\\"')}"` : arg);
1318
+ return [command, ...renderedArgs].join(" ");
1319
+ }
1287
1320
  var DefaultPermissionPolicy = class {
1288
1321
  policy = {};
1289
1322
  loaded = false;
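Review bot: `shellCommandLineFromInput` produces a lossy rendering, not the command that will run. Non-string entries in `args` are dropped by `.filter((arg) => typeof arg === "string")`, and only arguments containing whitespace are quoted, with just `"` escaped. If the result is what `matchesTrust` or the destructive-command check sees (the callers are outside this hunk), the policy decision can be taken on a string that differs from what the tool executes. I would keep every argument visible to the matcher by replacing the filter with `.map((arg) => String(arg))`. I would also add a doc comment such as `/** Best-effort rendering of command + args for policy matching only; never pass this string to a shell. */`.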
@@ -1301,9 +1334,10 @@ var DefaultPermissionPolicy = class {
1301
1334
  */
1302
1335
  sessionDenied = /* @__PURE__ */ new Map();
1303
1336
  /**
1304
- * Session-scoped "soft trust" map. When the user presses 'a' (allow once),
1305
- * the tool+pattern is added here. If the LLM retries in the same session,
1306
- * we return auto directly without asking again.
1337
+ * Session-scoped one-shot "soft trust" map. When the user presses 'y', the
1338
+ * tool+pattern is added here so the immediate confirm re-run can proceed.
1339
+ * The entry is consumed on first use; future calls must ask again unless the
1340
+ * user chose persistent trust.
1307
1341
  *
1308
1342
  * Cleared on reload().
1309
1343
  */
@@ -1342,7 +1376,7 @@ var DefaultPermissionPolicy = class {
1342
1376
  this.trustFile = opts.trustFile;
1343
1377
  this.yolo = opts.yolo ?? false;
1344
1378
  this.yoloDestructive = opts.yoloDestructive ?? opts.forceAllYolo ?? false;
1345
- this.confirmDestructive = opts.confirmDestructive ?? false;
1379
+ this.confirmDestructive = true;
1346
1380
  this.promptDelegate = opts.promptDelegate;
1347
1381
  }
1348
1382
  /**
@@ -1373,9 +1407,9 @@ var DefaultPermissionPolicy = class {
1373
1407
  return this.yoloDestructive;
1374
1408
  }
1375
1409
  /** Toggle destructive confirmation gate (only meaningful when yolo is active). */
1376
- setConfirmDestructive(enabled) {
1377
- if (this.confirmDestructive !== enabled) this._evalCache.clear();
1378
- this.confirmDestructive = enabled;
1410
+ setConfirmDestructive(_enabled) {
1411
+ if (!this.confirmDestructive) this._evalCache.clear();
1412
+ this.confirmDestructive = true;
1379
1413
  }
1380
1414
  /** Check whether destructive confirmation gate is active. */
1381
1415
  getConfirmDestructive() {
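Review bot: In the new `setConfirmDestructive(_enabled)`, the guard `if (!this.confirmDestructive) this._evalCache.clear();` looks unreachable. The constructor now assigns `this.confirmDestructive = true` and this setter only ever writes `true`, so the condition can hold only if the field is written elsewhere outside the visible hunks. Either drop the guard and leave an empty compatibility setter, or add a comment naming the path that can set the field to `false`, e.g. `// defensive: clears cached decisions if the gate was ever disabled`.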
@@ -1414,12 +1448,12 @@ var DefaultPermissionPolicy = class {
1414
1448
  return decision;
1415
1449
  }
1416
1450
  if (this.sessionAllowed.has(cacheKey)) {
1451
+ this.sessionAllowed.delete(cacheKey);
1417
1452
  const decision = {
1418
1453
  permission: "auto",
1419
1454
  source: "trust",
1420
- reason: "session soft allow (user pressed yes)"
1455
+ reason: "session one-shot allow (user pressed yes)"
1421
1456
  };
1422
- this._evalCache.set(cacheKey, decision);
1423
1457
  return decision;
1424
1458
  }
1425
1459
  if (entry?.deny && subject && matchesTrust(entry.deny, subject)) {
@@ -1432,6 +1466,29 @@ var DefaultPermissionPolicy = class {
1432
1466
  this._evalCache.set(cacheKey, decision);
1433
1467
  return decision;
1434
1468
  }
1469
+ if (this.yolo) {
1470
+ const destructive = this.isDestructiveYoloCall(tool, input, ctx);
1471
+ if (destructive) {
1472
+ if (this.promptDelegate) {
1473
+ const decision = await this.promptDelegate(tool, input, subject ?? tool.name);
1474
+ if (decision === "deny") {
1475
+ await this.deny({ tool: tool.name, pattern: subject ?? tool.name });
1476
+ return { permission: "deny", source: "user", reason: "user denied destructive yolo" };
1477
+ }
1478
+ return {
1479
+ permission: decision === "yes" || decision === "always" ? "auto" : "deny",
1480
+ source: "user",
1481
+ reason: "destructive yolo approved for this call"
1482
+ };
1483
+ }
1484
+ return {
1485
+ permission: "confirm",
1486
+ source: "yolo_destructive",
1487
+ riskTier: "destructive",
1488
+ reason: "destructive tool needs explicit approval in YOLO mode"
1489
+ };
1490
+ }
1491
+ }
1435
1492
  if (entry?.allow && subject && matchesTrust(entry.allow, subject)) {
1436
1493
  const decision = { permission: "auto", source: "trust", reason: "matched allow pattern" };
1437
1494
  this._evalCache.set(cacheKey, decision);
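Review bot: The fall-through return at new lines 1478-1482 carries the reason `destructive yolo approved for this call` even when the ternary resolves to `"deny"`. That happens for any delegate answer other than `yes`, `always` or `deny`, so a log or UI that surfaces the reason would report an approval for a blocked call. Splitting the return keeps the record accurate: `if (decision === "yes" || decision === "always") return { permission: "auto", source: "user", reason: "destructive yolo approved for this call" };` followed by `return { permission: "deny", source: "user", reason: "destructive yolo not approved" };`. The explicit deny branch calls `this.deny(...)` while this fall-through deny does not, which deserves a one-line comment saying whether that is intended. The enclosing method starts and ends outside the hunk.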
@@ -1443,29 +1500,6 @@ var DefaultPermissionPolicy = class {
1443
1500
  return decision;
1444
1501
  }
1445
1502
  if (this.yolo) {
1446
- if (this.confirmDestructive) {
1447
- const destructive = this.isDestructiveYoloCall(tool, input, ctx);
1448
- if (destructive) {
1449
- if (this.promptDelegate) {
1450
- const decision2 = await this.promptDelegate(tool, input, subject ?? tool.name);
1451
- if (decision2 === "always") {
1452
- await this.trust({ tool: tool.name, pattern: subject ?? tool.name });
1453
- return { permission: "auto", source: "user", reason: "destructive yolo always-allowed" };
1454
- }
1455
- if (decision2 === "deny") {
1456
- await this.deny({ tool: tool.name, pattern: subject ?? tool.name });
1457
- return { permission: "deny", source: "user", reason: "user denied destructive yolo" };
1458
- }
1459
- return { permission: decision2 === "yes" ? "auto" : "deny", source: "user" };
1460
- }
1461
- return {
1462
- permission: "confirm",
1463
- source: "yolo_destructive",
1464
- riskTier: "destructive",
1465
- reason: "destructive tool needs explicit approval (confirmDestructive is on)"
1466
- };
1467
- }
1468
- }
1469
1503
  const decision = { permission: "auto", source: "yolo" };
1470
1504
  this._evalCache.set(cacheKey, decision);
1471
1505
  return decision;
@@ -1482,7 +1516,8 @@ var DefaultPermissionPolicy = class {
1482
1516
  const hasWriteCap = hasCapability(tool, ToolCapabilities.FS_WRITE);
1483
1517
  const hasShellCap = hasCapability(tool, [
1484
1518
  ToolCapabilities.SHELL_ARBITRARY,
1485
- ToolCapabilities.SHELL_RESTRICTED
1519
+ ToolCapabilities.SHELL_RESTRICTED,
1520
+ ToolCapabilities.SHELL_EXEC
1486
1521
  ]);
1487
1522
  const hasInstallCap = hasCapability(tool, ToolCapabilities.PACKAGE_INSTALL);
1488
1523
  const hasConfigCap = hasCapability(tool, ToolCapabilities.CONFIG_MUTATE);
@@ -1510,27 +1545,30 @@ var DefaultPermissionPolicy = class {
1510
1545
  // Capability-based destructive check (preferred over name-based)
1511
1546
  isDestructiveByCapability(tool) {
1512
1547
  const caps = tool.capabilities ?? [];
1513
- if (caps.includes("shell.arbitrary")) return true;
1514
- if (caps.includes("fs.write")) return true;
1515
- if (caps.includes("fs.write.outside-project")) return true;
1548
+ if (caps.includes(ToolCapabilities.SHELL_ARBITRARY)) return true;
1549
+ if (caps.includes(ToolCapabilities.SHELL_RESTRICTED)) return true;
1550
+ if (caps.includes(ToolCapabilities.SHELL_EXEC)) return true;
1551
+ if (caps.includes(ToolCapabilities.FS_WRITE)) return true;
1552
+ if (caps.includes(ToolCapabilities.FS_WRITE_OUTSIDE_PROJECT)) return true;
1516
1553
  return false;
1517
1554
  }
1518
1555
  isDestructiveYoloCall(tool, input, ctx) {
1519
1556
  if (this.isDestructiveByCapability(tool)) {
1520
- if (tool.name === "bash") {
1521
- const command = getInputString(input, "command");
1522
- return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : true;
1557
+ const caps = tool.capabilities ?? [];
1558
+ if (caps.includes(ToolCapabilities.SHELL_ARBITRARY) || caps.includes(ToolCapabilities.SHELL_RESTRICTED) || caps.includes(ToolCapabilities.SHELL_EXEC)) {
1559
+ const command = shellCommandLineFromInput(input);
1560
+ return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : tool.riskTier === "destructive";
1523
1561
  }
1524
- if (tool.name === "write" || tool.name === "edit" || tool.name === "replace" || tool.name === "patch") {
1562
+ if (caps.includes(ToolCapabilities.FS_WRITE_OUTSIDE_PROJECT)) return true;
1563
+ if (caps.includes(ToolCapabilities.FS_WRITE)) {
1525
1564
  const targetPath = getInputString(input, "path") ?? getInputString(input, "file");
1526
1565
  if (!targetPath || !ctx.projectRoot) return false;
1527
1566
  return !pathLooksInsideProject(targetPath, ctx.projectRoot);
1528
1567
  }
1529
- return true;
1530
1568
  }
1531
- if (tool.name === "bash") {
1532
- const command = getInputString(input, "command");
1533
- return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : true;
1569
+ if (tool.name === "bash" || tool.name === "shell" || tool.name === "exec") {
1570
+ const command = shellCommandLineFromInput(input);
1571
+ return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : tool.riskTier === "destructive";
1534
1572
  }
1535
1573
  if (tool.name === "write" || tool.name === "edit" || tool.name === "replace" || tool.name === "patch") {
1536
1574
  const targetPath = getInputString(input, "path") ?? getInputString(input, "file");
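Review bot: When no command line can be extracted, the shell branches at new lines 1560 and 1571 now return `tool.riskTier === "destructive"` where the old code returned `true`. The gate therefore fails open for a shell-capable tool whose input does not match what `shellCommandLineFromInput` reads. Judging by the YOLO hunk above, such a call would then fall through to the plain `source: "yolo"` auto-approve without a prompt unless the tool declares the destructive tier. Unless the relaxation is deliberate, keep the closed default at both sites: `return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : true;`. `isDestructiveYoloCall` continues past the end of this hunk.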
@@ -1579,7 +1617,7 @@ var DefaultPermissionPolicy = class {
1579
1617
  this.sessionDenied.set(`${rule.tool}::${rule.pattern}`, true);
1580
1618
  this._evalCache.clear();
1581
1619
  }
1582
- /** Auto-approve this tool+pattern for the rest of this session (no trust file). */
1620
+ /** Auto-approve this tool+pattern once (no trust file). */
1583
1621
  allowOnce(rule) {
1584
1622
  this.sessionAllowed.set(`${rule.tool}::${rule.pattern}`, true);
1585
1623
  this._evalCache.clear();