@wrongstack/core 0.276.4 → 0.277.1

Files changed (68) hide show
  1. package/dist/{agent-bridge-D7A-eu3C.d.ts → agent-bridge-BFJ2ODzI.d.ts} +1 -1
  2. package/dist/{agent-subagent-runner-CEuw4ATz.d.ts → agent-subagent-runner-BimKihiC.d.ts} +7 -7
  3. package/dist/{brain-BLOyN5ZP.d.ts → brain-CCfuEOdp.d.ts} +1 -1
  4. package/dist/{compactor-DcBpaJsI.d.ts → compactor-D3BGw26y.d.ts} +1 -1
  5. package/dist/{config-Bf5mj-ad.d.ts → config-DAOjriz9.d.ts} +1 -1
  6. package/dist/{context-CLnUMW5g.d.ts → context-DPlA6kid.d.ts} +5 -6
  7. package/dist/coordination/index.d.ts +17 -17
  8. package/dist/coordination/index.js +38 -14
  9. package/dist/coordination/index.js.map +1 -1
  10. package/dist/defaults/index.d.ts +27 -27
  11. package/dist/defaults/index.js +177 -93
  12. package/dist/defaults/index.js.map +1 -1
  13. package/dist/execution/index.d.ts +15 -15
  14. package/dist/execution/index.js +13 -1
  15. package/dist/execution/index.js.map +1 -1
  16. package/dist/execution/prompt-enhancer.d.ts +1 -1
  17. package/dist/extension/index.d.ts +6 -6
  18. package/dist/{global-mailbox-Iqfkgmwu.d.ts → global-mailbox-Dr4cTKqL.d.ts} +1 -1
  19. package/dist/{goal-store-DGb6b5Ed.d.ts → goal-store-C1uH4srH.d.ts} +1 -1
  20. package/dist/hq/index.d.ts +5 -5
  21. package/dist/{index-Cn0NOshr.d.ts → index-DJXj-dcr.d.ts} +5 -5
  22. package/dist/{index-L4RZN9jJ.d.ts → index-cMEmzCVN.d.ts} +23 -5
  23. package/dist/index.d.ts +41 -41
  24. package/dist/index.js +220 -111
  25. package/dist/index.js.map +1 -1
  26. package/dist/infrastructure/index.d.ts +6 -6
  27. package/dist/infrastructure/index.js +4 -1
  28. package/dist/infrastructure/index.js.map +1 -1
  29. package/dist/kernel/index.d.ts +11 -11
  30. package/dist/{mcp-servers-CuZGf9fI.d.ts → mcp-servers-CFb60-pH.d.ts} +3 -3
  31. package/dist/models/index.d.ts +5 -5
  32. package/dist/{models-registry-8XOdxWQu.d.ts → models-registry-5Ufn7f2m.d.ts} +1 -1
  33. package/dist/{multi-agent-coordinator-CiRtKVTk.d.ts → multi-agent-coordinator-CcrcncvG.d.ts} +1 -1
  34. package/dist/{null-fleet-bus-d9G-bVy9.d.ts → null-fleet-bus-C9KsYyrI.d.ts} +13 -6
  35. package/dist/observability/index.d.ts +2 -2
  36. package/dist/{path-resolver-BhIb6mtd.d.ts → path-resolver-CEeX9I7O.d.ts} +3 -3
  37. package/dist/{permission-BCbQDR2s.d.ts → permission-DbsGOA1C.d.ts} +7 -6
  38. package/dist/{permission-policy-C0ikndX_.d.ts → permission-policy-BpEea3r7.d.ts} +12 -14
  39. package/dist/{pipeline-Dl6XbfE7.d.ts → pipeline-CEjBjzVA.d.ts} +2 -2
  40. package/dist/{provider-model-resolve-B70epO19.d.ts → provider-model-resolve-BpfXp3Jj.d.ts} +3 -3
  41. package/dist/{provider-runner-DZ808MSM.d.ts → provider-runner-CnOSr5BN.d.ts} +3 -3
  42. package/dist/{retry-policy-Dt3_z8Aj.d.ts → retry-policy-Git9WF6d.d.ts} +1 -1
  43. package/dist/sdd/index.d.ts +9 -9
  44. package/dist/{secret-vault-BUJ2d1gB.d.ts → secret-vault-DDSMHqIm.d.ts} +1 -1
  45. package/dist/security/index.d.ts +5 -5
  46. package/dist/security/index.js +173 -94
  47. package/dist/security/index.js.map +1 -1
  48. package/dist/{selector-BCkWgdwy.d.ts → selector-Cq72C0Oy.d.ts} +1 -1
  49. package/dist/{session-event-bridge-CMvIO59_.d.ts → session-event-bridge-DG94B3Bk.d.ts} +1 -1
  50. package/dist/{session-reader-C8aiChUu.d.ts → session-reader-BzT-iMQT.d.ts} +1 -1
  51. package/dist/storage/index.d.ts +11 -11
  52. package/dist/{strategy-compactor-DI1OHVbB.d.ts → strategy-compactor-Bt_ZH6R0.d.ts} +10 -10
  53. package/dist/{todos-checkpoint-Ddd2CGr0.d.ts → todos-checkpoint-CH1pcua9.d.ts} +5 -5
  54. package/dist/{tool-executor-Bmd5Ygoo.d.ts → tool-executor-SVFq7IOR.d.ts} +9 -9
  55. package/dist/tools/index.d.ts +2 -2
  56. package/dist/tools/index.js +5 -6
  57. package/dist/tools/index.js.map +1 -1
  58. package/dist/types/index.d.ts +19 -19
  59. package/dist/types/index.js +13 -1
  60. package/dist/types/index.js.map +1 -1
  61. package/dist/utils/index.d.ts +17 -3
  62. package/dist/utils/index.js +5 -1
  63. package/dist/utils/index.js.map +1 -1
  64. package/dist/{worktree-manager-DBdl_5rs.d.ts → worktree-manager-C4YIf1Fa.d.ts} +1 -1
  65. package/instructions/leader-after-task.md +6 -0
  66. package/package.json +2 -2
  67. package/skills/output-standards/SKILL.md +1 -0
  68. package/skills/research-web/SKILL.md +1 -1
@@ -1,45 +1,45 @@
1
- export { I as InMemoryAgentBridge, a as InMemoryBridgeTransport, c as createMessage } from '../agent-bridge-D7A-eu3C.js';
2
- export { i as AgentFactory, w as AgentFactoryResult, x as AgentRunnerOptions, y as BudgetExceededError, z as BudgetKind, E as BudgetLimits, K as BudgetUsage, F as FleetBus, O as FleetEvent, Q as FleetHandler, j as FleetUsage, k as FleetUsageAggregator, R as SubagentBudget, Z as SubagentUsageSnapshot, a0 as makeAgentSubagentRunner } from '../agent-subagent-runner-CEuw4ATz.js';
3
- export { a as AGENTS_BY_PHASE, b as AGENT_CATALOG, c as ALL_AGENT_DEFINITIONS, d as ALL_FLEET_AGENTS, e as AUDIT_LOG_AGENT, f as AutoExtendCeiling, g as AutoExtendPolicy, B as BUG_HUNTER_AGENT, n as CreateDelegateToolOptions, D as DEFAULT_DIRECTOR_PREAMBLE, q as DEFAULT_SUBAGENT_BASELINE, r as DelegateHost, s as Director, w as DirectorPromptParts, x as DirectorSessionFactory, y as DirectorSessionFactoryOptions, F as FLEET_ROSTER, z as FLEET_ROSTER_BUDGETS, J as FleetRosterBudget, K as FleetSpawnBudgetError, L as ICoordinator, M as IFleetManager, O as NULL_FLEET_BUS, R as REFACTOR_PLANNER_AGENT, S as SECURITY_SCANNER_AGENT, V as SubagentPromptParts, W as applyRosterBudget, X as attachAutoExtend, Y as composeDirectorPrompt, Z as composeSubagentPrompt, _ as createDelegateTool, $ as getAgentDefinition, a1 as makeAskTool, a2 as makeAssignTool, a3 as makeAwaitTasksTool, a4 as makeCollabDebugTool, a5 as makeDirectorSessionFactory, a6 as makeFleetEmitTool, a7 as makeFleetTool, a8 as makeRollUpTool, a9 as makeSpawnTool, ab as makeTerminateTool, ad as rosterSummaryFromConfigs } from '../null-fleet-bus-d9G-bVy9.js';
4
- export { c as AgentBudgetTier, d as AgentCapability, b as AgentDefinition, A as AgentPhase, e as DEFAULT_DISPATCH_ROLE, a as DefaultMultiAgentCoordinator, f as DispatchCandidate, D as DispatchClassifier, g as DispatchMethod, h as DispatchOptions, i as DispatchResult, j as MultiAgentCoordinatorOptions, k as dispatchAgent, m as makeLLMClassifier, s as scoreAgents } from '../multi-agent-coordinator-CiRtKVTk.js';
5
- export { A as AutoCompactionMiddleware, a as AutonomousRunner, b as AutonomousRunnerOptions, c as AutonomyPromptContributorOptions, C as CompactorStrategy, D as DefaultDesignKitLoader, d as DefaultPromptLoader, e as DefaultSkillLoader, f as DesignKitLoaderOptions, g as DesignOverrides, h as DoneCheckResult, i as DoneConditionChecker, I as IntelligentCompactor, j as IntelligentCompactorOptions, P as PersistedActiveKit, k as PromptLoaderOptions, S as SelectiveCompactor, l as SelectiveCompactorOptions, m as SkillLoaderOptions, n as StrategyCompactorOptions, _ as _resetDesignKitLoaderMemo, o as _resetDesignRulesCache, p as activateDesign, q as applyTokenOverrides, r as buildGoalPreamble, s as clearActiveKit, t as clearPersistedActiveKit, u as createStrategyCompactor, v as designProjectDir, w as detectFrontendFile, x as detectFrontendIntent, y as getDesignKitLoader, z as getDesignState, B as installDesignStudioMiddleware, E as loadActiveKit, F as loadProjectDesignRules, G as makeAutonomyPromptContributor, H as makeDesignDetectToolCallMiddleware, J as makeDesignDetectUserInputMiddleware, K as makeDesignStudioRequestMiddleware, L as makeDesignVerifyToolCallMiddleware, M as recordKitChoice, N as recordOverrides, O as renderPrompt, Q as resolveBundledDesignKitsDir, R as setActiveKit, T as setDesignOverrides } from '../strategy-compactor-DI1OHVbB.js';
6
- import { e as DesignKitTokens, D as DesignStack } from '../tool-executor-Bmd5Ygoo.js';
7
- export { C as CompactorOptions, h as DefaultErrorHandler, i as DefaultRetryPolicy, E as EternalAutonomyEngine, k as EternalAutonomyOptions, l as EternalEngineState, H as HybridCompactor, I as IterationStage, P as ParallelEngineState, m as ParallelEternalEngine, n as ParallelEternalOptions, o as ParallelIterationStage, T as ToolExecutor } from '../tool-executor-Bmd5Ygoo.js';
8
- import { P as ProviderRunner, R as RunProviderOptions } from '../provider-runner-DZ808MSM.js';
9
- import { d as Response } from '../context-CLnUMW5g.js';
10
- export { C as ContextManagerAction, a as ContextManagerInput, b as ContextManagerResult, c as ContextManagerToolOptions, d as allServers, e as awsServer, f as blockServer, g as braveSearchServer, h as context7Server, i as contextManagerTool, j as createContextManagerTool, k as everArtServer, l as filesystemServer, m as githubServer, n as googleMapsServer, o as miniMaxVisionServer, p as playwrightServer, s as sentinelServer, q as slackServer, r as sshManagerServer, z as zaiVisionServer } from '../mcp-servers-CuZGf9fI.js';
1
+ export { I as InMemoryAgentBridge, a as InMemoryBridgeTransport, c as createMessage } from '../agent-bridge-BFJ2ODzI.js';
2
+ export { i as AgentFactory, w as AgentFactoryResult, x as AgentRunnerOptions, y as BudgetExceededError, z as BudgetKind, E as BudgetLimits, K as BudgetUsage, F as FleetBus, O as FleetEvent, Q as FleetHandler, j as FleetUsage, k as FleetUsageAggregator, R as SubagentBudget, Z as SubagentUsageSnapshot, a0 as makeAgentSubagentRunner } from '../agent-subagent-runner-BimKihiC.js';
3
+ export { a as AGENTS_BY_PHASE, b as AGENT_CATALOG, c as ALL_AGENT_DEFINITIONS, d as ALL_FLEET_AGENTS, e as AUDIT_LOG_AGENT, f as AutoExtendCeiling, g as AutoExtendPolicy, B as BUG_HUNTER_AGENT, n as CreateDelegateToolOptions, D as DEFAULT_DIRECTOR_PREAMBLE, q as DEFAULT_SUBAGENT_BASELINE, r as DelegateHost, s as Director, w as DirectorPromptParts, x as DirectorSessionFactory, y as DirectorSessionFactoryOptions, F as FLEET_ROSTER, z as FLEET_ROSTER_BUDGETS, J as FleetRosterBudget, K as FleetSpawnBudgetError, L as ICoordinator, M as IFleetManager, O as NULL_FLEET_BUS, R as REFACTOR_PLANNER_AGENT, S as SECURITY_SCANNER_AGENT, V as SubagentPromptParts, W as applyRosterBudget, X as attachAutoExtend, Y as composeDirectorPrompt, Z as composeSubagentPrompt, _ as createDelegateTool, $ as getAgentDefinition, a1 as makeAskTool, a2 as makeAssignTool, a3 as makeAwaitTasksTool, a4 as makeCollabDebugTool, a5 as makeDirectorSessionFactory, a6 as makeFleetEmitTool, a7 as makeFleetTool, a8 as makeRollUpTool, a9 as makeSpawnTool, ab as makeTerminateTool, ad as rosterSummaryFromConfigs } from '../null-fleet-bus-C9KsYyrI.js';
4
+ export { c as AgentBudgetTier, d as AgentCapability, b as AgentDefinition, A as AgentPhase, e as DEFAULT_DISPATCH_ROLE, a as DefaultMultiAgentCoordinator, f as DispatchCandidate, D as DispatchClassifier, g as DispatchMethod, h as DispatchOptions, i as DispatchResult, j as MultiAgentCoordinatorOptions, k as dispatchAgent, m as makeLLMClassifier, s as scoreAgents } from '../multi-agent-coordinator-CcrcncvG.js';
5
+ export { A as AutoCompactionMiddleware, a as AutonomousRunner, b as AutonomousRunnerOptions, c as AutonomyPromptContributorOptions, C as CompactorStrategy, D as DefaultDesignKitLoader, d as DefaultPromptLoader, e as DefaultSkillLoader, f as DesignKitLoaderOptions, g as DesignOverrides, h as DoneCheckResult, i as DoneConditionChecker, I as IntelligentCompactor, j as IntelligentCompactorOptions, P as PersistedActiveKit, k as PromptLoaderOptions, S as SelectiveCompactor, l as SelectiveCompactorOptions, m as SkillLoaderOptions, n as StrategyCompactorOptions, _ as _resetDesignKitLoaderMemo, o as _resetDesignRulesCache, p as activateDesign, q as applyTokenOverrides, r as buildGoalPreamble, s as clearActiveKit, t as clearPersistedActiveKit, u as createStrategyCompactor, v as designProjectDir, w as detectFrontendFile, x as detectFrontendIntent, y as getDesignKitLoader, z as getDesignState, B as installDesignStudioMiddleware, E as loadActiveKit, F as loadProjectDesignRules, G as makeAutonomyPromptContributor, H as makeDesignDetectToolCallMiddleware, J as makeDesignDetectUserInputMiddleware, K as makeDesignStudioRequestMiddleware, L as makeDesignVerifyToolCallMiddleware, M as recordKitChoice, N as recordOverrides, O as renderPrompt, Q as resolveBundledDesignKitsDir, R as setActiveKit, T as setDesignOverrides } from '../strategy-compactor-Bt_ZH6R0.js';
6
+ import { e as DesignKitTokens, D as DesignStack } from '../tool-executor-SVFq7IOR.js';
7
+ export { C as CompactorOptions, h as DefaultErrorHandler, i as DefaultRetryPolicy, E as EternalAutonomyEngine, k as EternalAutonomyOptions, l as EternalEngineState, H as HybridCompactor, I as IterationStage, P as ParallelEngineState, m as ParallelEternalEngine, n as ParallelEternalOptions, o as ParallelIterationStage, T as ToolExecutor } from '../tool-executor-SVFq7IOR.js';
8
+ import { P as ProviderRunner, R as RunProviderOptions } from '../provider-runner-CnOSr5BN.js';
9
+ import { d as Response } from '../context-DPlA6kid.js';
10
+ export { C as ContextManagerAction, a as ContextManagerInput, b as ContextManagerResult, c as ContextManagerToolOptions, d as allServers, e as awsServer, f as blockServer, g as braveSearchServer, h as context7Server, i as contextManagerTool, j as createContextManagerTool, k as everArtServer, l as filesystemServer, m as githubServer, n as googleMapsServer, o as miniMaxVisionServer, p as playwrightServer, s as sentinelServer, q as slackServer, r as sshManagerServer, z as zaiVisionServer } from '../mcp-servers-CFb60-pH.js';
11
11
  export { D as DefaultLogger, a as DefaultLoggerOptions, L as LogFormat } from '../logger-D3lV0cUZ.js';
12
- export { C as CODEX_MODELS, a as CodexModelMeta, D as DefaultModeStore, L as LLMSelector, b as LLMSelectorOptions, M as ModeLoaderOptions, P as ProviderModelDescriptor, c as codexModelMeta, d as describeCatalogModel, l as loadProjectModes, e as loadUserModes, r as resolveProviderModelList } from '../provider-model-resolve-B70epO19.js';
13
- export { D as DefaultModelsRegistry, a as DefaultModelsRegistryOptions, c as classifyFamily } from '../models-registry-8XOdxWQu.js';
12
+ export { C as CODEX_MODELS, a as CodexModelMeta, D as DefaultModeStore, L as LLMSelector, b as LLMSelectorOptions, M as ModeLoaderOptions, P as ProviderModelDescriptor, c as codexModelMeta, d as describeCatalogModel, l as loadProjectModes, e as loadUserModes, r as resolveProviderModelList } from '../provider-model-resolve-BpfXp3Jj.js';
13
+ export { D as DefaultModelsRegistry, a as DefaultModelsRegistryOptions, c as classifyFamily } from '../models-registry-5Ufn7f2m.js';
14
14
  export { DefaultHealthRegistry, InMemoryMetricsSink, MetricsServerHandle, MetricsServerOptions, NoopMetricsSink, NoopTracer, OTelTracer, OtlpMetricsExporterHandle, OtlpMetricsExporterOptions, OtlpTraceExporterHandle, OtlpTraceExporterOptions, PROMETHEUS_CONTENT_TYPE, buildOtlpMetricsRequest, buildOtlpTracesRequest, renderPrometheus, startMetricsServer, startOtlpMetricsExporter, startOtlpTraceExporter, wireMetricsToEvents } from '../observability/index.js';
15
15
  export { AISpecBuilder, AISpecBuilderOptions, AISpecPhase, AISpecSession, AutoExecutor, AutoExecutorOptions, BottleneckTask, CleanupStaleSddOptions, CleanupStaleSddResult, CollectedAnswer, CommandVerifierOptions, ConflictSide, CriticalPathAnalysis, DefaultTaskStore, DestroySddProjectOptions, DestroySddProjectResult, ExecutionSummary, GeneratedTask, LlmConflictResolverOptions, RollbackFromDiskOptions, RunResult, SPEC_TEMPLATES, SddBoardColumn, SddBoardEvent, SddBoardFeedEntry, SddBoardIndexEntry, SddBoardProjector, SddBoardProjectorOptions, SddBoardSnapshot, SddBoardStatus, SddBoardStore, SddBoardStoreOptions, SddBoardTask, SddDeadlockChain, SddIngestResult, SddInterviewDriver, SddInterviewDriverOptions, SddInterviewSnapshot, SddLifecycleOp, SddLifecycleOptions, SddLifecycleResult, SddParallelRun, SddParallelRunOptions, SddProgress, SddRunControl, SddRunHandle, SddRunRegistry, SddSubtaskSpec, SddSupervisor, SddSupervisorOptions, SddSupervisorVerdict, SddTaskDecomposer, SddTaskDecomposerOptions, SddTaskDisplayStatus, SpecDiff, SpecDrivenDev, SpecDrivenDevOptions, SpecIndexEntry, SpecParser, SpecStore, SpecStoreOptions, SpecVersion, SpecVersioning, StartSddRunOptions, SubtaskGeneratorOptions, TaskBatch, TaskExecutionContext, TaskExecutionResult, TaskFlow, TaskFlowEventMap, TaskFlowEventName, TaskFlowExecutionContext, TaskFlowOptions, TaskFlowPhase, TaskGenerator, TaskGeneratorOptions, TaskGraphIndexEntry, TaskGraphStore, TaskGraphStoreOptions, TaskStore, TaskTracker, TaskTrackerOptions, TaskTransition, WaveResult, analyzeCriticalPath, applySddLifecycle, buildBoardSnapshot, buildBoardTasks, cleanupSddWorktrees, cleanupStaleSddWorktrees, createAutoExecutor, destroySddProject, extractVerificationCommand, getTemplate, hasConflictMarkers, isExplanatoryText, listTemplates, makeCommandVerifier, makeLlmConflictResolver, makeLlmSubtaskGenerator, makePreferSideConflictResolver, renderProgress, renderSpecAnalysis, renderTaskGraph, renderTaskList, resolveConflictText, 
rollbackSddRunFromDisk, shortIdMap, startSddRun, templateToMarkdown } from '../sdd/index.js';
16
- export { A as AutoApprovePermissionPolicy, D as DefaultPermissionPolicy, P as PermissionPolicyOptions } from '../permission-policy-C0ikndX_.js';
17
- export { a as DefaultSecretScrubber, D as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, m as migratePlaintextSecrets, r as rewriteConfigEncrypted } from '../secret-vault-BUJ2d1gB.js';
18
- export { A as AbandonedSession, a as AttachmentStoreOptions, C as ConfigLoaderOptions, b as ConfigMigration, c as ConfigMigrationError, d as ConfigSource, D as DEFAULT_CONFIG_MIGRATIONS, e as DefaultAttachmentStore, f as DefaultConfigLoader, g as DefaultConfigStore, h as DefaultMemoryStore, i as DefaultSessionStore, k as MemoryStoreOptions, l as MigrationContext, m as MigrationResult, P as PersistedQueueItem, n as PlanFile, o as PlanItem, p as PlanTemplate, Q as QueueStore, R as RecoveryLock, q as RecoveryLockOptions, S as SessionAnalyzer, r as SessionStoreOptions, T as TodosCheckpointFile, s as addPlanItem, t as attachPlanCheckpoint, u as attachTodosCheckpoint, v as clearPlan, w as deriveTodosFromPlanItem, x as emptyPlan, y as formatPlan, z as formatPlanTemplates, B as getPlanTemplate, E as listPlanTemplates, G as loadPlan, H as loadTodosCheckpoint, K as removePlanItem, L as runConfigMigrations, N as savePlan, O as saveTodosCheckpoint, U as setPlanItemStatus } from '../todos-checkpoint-Ddd2CGr0.js';
16
+ export { A as AutoApprovePermissionPolicy, D as DefaultPermissionPolicy, P as PermissionPolicyOptions } from '../permission-policy-BpEea3r7.js';
17
+ export { a as DefaultSecretScrubber, D as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, m as migratePlaintextSecrets, r as rewriteConfigEncrypted } from '../secret-vault-DDSMHqIm.js';
18
+ export { A as AbandonedSession, a as AttachmentStoreOptions, C as ConfigLoaderOptions, b as ConfigMigration, c as ConfigMigrationError, d as ConfigSource, D as DEFAULT_CONFIG_MIGRATIONS, e as DefaultAttachmentStore, f as DefaultConfigLoader, g as DefaultConfigStore, h as DefaultMemoryStore, i as DefaultSessionStore, k as MemoryStoreOptions, l as MigrationContext, m as MigrationResult, P as PersistedQueueItem, n as PlanFile, o as PlanItem, p as PlanTemplate, Q as QueueStore, R as RecoveryLock, q as RecoveryLockOptions, S as SessionAnalyzer, r as SessionStoreOptions, T as TodosCheckpointFile, s as addPlanItem, t as attachPlanCheckpoint, u as attachTodosCheckpoint, v as clearPlan, w as deriveTodosFromPlanItem, x as emptyPlan, y as formatPlan, z as formatPlanTemplates, B as getPlanTemplate, E as listPlanTemplates, G as loadPlan, H as loadTodosCheckpoint, K as removePlanItem, L as runConfigMigrations, N as savePlan, O as saveTodosCheckpoint, U as setPlanItemStatus } from '../todos-checkpoint-CH1pcua9.js';
19
19
  export { a as DirectorStateCheckpoint, D as DirectorStateSnapshot, b as DirectorSubagentState, c as DirectorTaskState, l as loadDirectorState } from '../director-state-BfeCUbmk.js';
20
- export { A as AuditLevel, S as SessionEventBridge, b as SessionEventBridgeOptions, c as SessionSamplingOptions, T as ToolProgressSamplingOptions, d as createSessionEventBridge, r as resolveAuditLevel, e as resolveSessionLoggingConfig } from '../session-event-bridge-CMvIO59_.js';
21
- export { D as DefaultSessionReader } from '../session-reader-C8aiChUu.js';
20
+ export { A as AuditLevel, S as SessionEventBridge, b as SessionEventBridgeOptions, c as SessionSamplingOptions, T as ToolProgressSamplingOptions, d as createSessionEventBridge, r as resolveAuditLevel, e as resolveSessionLoggingConfig } from '../session-event-bridge-DG94B3Bk.js';
21
+ export { D as DefaultSessionReader } from '../session-reader-BzT-iMQT.js';
22
22
  export { D as DEFAULT_AUTONOMY_CONFIG, b as DEFAULT_CONTEXT_CONFIG, e as DEFAULT_TOOLS_CONFIG } from '../default-config-azFprTB3.js';
23
- import '../index-Cn0NOshr.js';
23
+ import '../index-DJXj-dcr.js';
24
24
  import '../logger-B63L5bTg.js';
25
- import '../pipeline-Dl6XbfE7.js';
25
+ import '../pipeline-CEjBjzVA.js';
26
26
  import '../mailbox-types-DTl7bRH3.js';
27
- import '../config-Bf5mj-ad.js';
27
+ import '../config-DAOjriz9.js';
28
28
  import '../observability-D-HZN_mF.js';
29
- import '../brain-BLOyN5ZP.js';
30
- import '../permission-BCbQDR2s.js';
31
- import '../retry-policy-Dt3_z8Aj.js';
29
+ import '../brain-CCfuEOdp.js';
30
+ import '../permission-DbsGOA1C.js';
31
+ import '../retry-policy-Git9WF6d.js';
32
32
  import 'node:events';
33
- import '../compactor-DcBpaJsI.js';
34
- import '../selector-BCkWgdwy.js';
33
+ import '../compactor-D3BGw26y.js';
34
+ import '../selector-Cq72C0Oy.js';
35
35
  import '../skill-DGIXCtdv.js';
36
36
  import '../wstack-paths-_NrRovdr.js';
37
37
  import '../prompt-DLd35n4Q.js';
38
- import '../goal-store-DGb6b5Ed.js';
38
+ import '../goal-store-C1uH4srH.js';
39
39
  import '../mode-CZlO9iU1.js';
40
40
  import '../spec-TBi3Jr6T.js';
41
41
  import '../task-graph-u1q9Jkyk.js';
42
- import '../worktree-manager-DBdl_5rs.js';
42
+ import '../worktree-manager-C4YIf1Fa.js';
43
43
  import '../input-reader-E-ffP2ee.js';
44
44
  import '../secret-vault-BAKpgFw_.js';
45
45
 
@@ -6546,6 +6546,8 @@ var ToolCapabilities = {
6546
6546
  SHELL_ARBITRARY: "shell.arbitrary",
6547
6547
  /** Can execute a restricted set of commands (the `exec` tool). */
6548
6548
  SHELL_RESTRICTED: "shell.restricted",
6549
+ /** Can run a restricted project formatter/linter-style command. */
6550
+ SHELL_EXEC: "shell.exec",
6549
6551
  /** Can read files inside the project (and possibly outside via symlinks if not guarded). */
6550
6552
  FS_READ: "fs.read",
6551
6553
  /** Can write / modify / delete files inside the project. */
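Review bot: The new `SHELL_EXEC` entry is easy to confuse with the one directly above it, because `SHELL_RESTRICTED` is the capability documented as belonging to "the `exec` tool" while `SHELL_EXEC` is described as a formatter/linter-style command. Both values feed the `DANGEROUS_FOR_SUBAGENTS` list in a later hunk, so a reader assigning capabilities to a tool needs to be able to tell them apart from the doc comment alone. I would spell the distinction out, for example `/** Can run a restricted project formatter/linter-style command. Distinct from SHELL_RESTRICTED, which covers the \`exec\` tool. */`.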
@@ -6554,6 +6556,12 @@ var ToolCapabilities = {
6554
6556
  FS_WRITE_OUTSIDE_PROJECT: "fs.write.outside-project",
6555
6557
  /** Can perform outbound network requests. */
6556
6558
  NET_OUTBOUND: "net.outbound",
6559
+ /** Can invoke arbitrary registered tools through a meta-tool. */
6560
+ TOOL_MUTATE_ANY: "tool.mutate.any",
6561
+ /** Can write persistent memory. */
6562
+ MEMORY_WRITE: "memory.write",
6563
+ /** Can delete persistent memory. */
6564
+ MEMORY_DELETE: "memory.delete",
6557
6565
  /** Proxies tools from external MCP servers (unknown capability). */
6558
6566
  MCP_PROXY: "mcp.proxy",
6559
6567
  /** Can spawn or manage subagents / multi-agent tasks. */
@@ -6568,8 +6576,12 @@ var ToolCapabilities = {
6568
6576
  var DANGEROUS_FOR_SUBAGENTS = [
6569
6577
  ToolCapabilities.SHELL_ARBITRARY,
6570
6578
  ToolCapabilities.SHELL_RESTRICTED,
6579
+ ToolCapabilities.SHELL_EXEC,
6571
6580
  ToolCapabilities.FS_WRITE,
6572
6581
  ToolCapabilities.FS_WRITE_OUTSIDE_PROJECT,
6582
+ ToolCapabilities.TOOL_MUTATE_ANY,
6583
+ ToolCapabilities.MEMORY_WRITE,
6584
+ ToolCapabilities.MEMORY_DELETE,
6573
6585
  ToolCapabilities.MCP_PROXY,
6574
6586
  ToolCapabilities.SUBAGENT_SPAWN,
6575
6587
  ToolCapabilities.CONFIG_MUTATE,
@@ -8520,6 +8532,7 @@ var Director = class _Director {
8520
8532
  sessionIdSource;
8521
8533
  /** Debounce timer for periodic manifest writes. */
8522
8534
  manifestTimer = null;
8535
+ manifestWriteChain = Promise.resolve();
8523
8536
  manifestDebounceMs;
8524
8537
  /** Fleet-wide cost cap (entire fleet total, distinct from SubagentBudget limits). Infinity means no cap. */
8525
8538
  maxFleetCostUsd;
@@ -8696,7 +8709,7 @@ var Director = class _Director {
8696
8709
  }
8697
8710
  );
8698
8711
  if (this.fleetManager) {
8699
- this.fleetManager.flushManifest();
8712
+ void this.fleetManager.flushManifest();
8700
8713
  } else {
8701
8714
  this.scheduleManifest();
8702
8715
  }
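Review bot: `void this.fleetManager.flushManifest();` discards the returned promise without a rejection handler, so a failed flush surfaces as an unhandled rejection, which terminates the process under Node's default setting on current versions. The shutdown hunk later in this diff chains `.catch(...)` onto the same call, and `scheduleManifest()` does so for `writeManifest()`. This call site should match, e.g. `void this.fleetManager.flushManifest().catch((err) => { /* report the same way scheduleManifest does */ });`. The enclosing method starts and ends outside the hunk, so the right reporting helper is not visible here.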
@@ -8975,6 +8988,7 @@ var Director = class _Director {
8975
8988
  return;
8976
8989
  }
8977
8990
  if (this.manifestDebounceMs < 0) return;
8991
+ if (this.manifestTimer) return;
8978
8992
  this.manifestTimer = setTimeout(() => {
8979
8993
  this.manifestTimer = null;
8980
8994
  void this.writeManifest().catch(
@@ -8982,6 +8996,11 @@ var Director = class _Director {
8982
8996
  );
8983
8997
  }, this.manifestDebounceMs);
8984
8998
  }
8999
+ clearManifestTimer() {
9000
+ if (!this.manifestTimer) return;
9001
+ clearTimeout(this.manifestTimer);
9002
+ this.manifestTimer = null;
9003
+ }
8985
9004
  /**
8986
9005
  * Spawn a subagent. Identical to the coordinator's `spawn()` but
8987
9006
  * captures provider/model metadata for the usage aggregator and
@@ -9204,6 +9223,13 @@ var Director = class _Director {
9204
9223
  * replay an entire director run.
9205
9224
  */
9206
9225
  async writeManifest() {
9226
+ if (!this.manifestPath) return null;
9227
+ this.clearManifestTimer();
9228
+ const write = this.manifestWriteChain.catch(() => void 0).then(() => this.writeManifestNow());
9229
+ this.manifestWriteChain = write.catch(() => void 0);
9230
+ return write;
9231
+ }
9232
+ async writeManifestNow() {
9207
9233
  if (!this.manifestPath) return null;
9208
9234
  const manifest = {
9209
9235
  directorRunId: this.id,
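Review bot: The JSDoc block that closes just above `async writeManifest()` now sits on the queuing wrapper, while `writeManifestNow()`, which performs the actual write, has no comment, and neither does the `manifestWriteChain` field added in the earlier hunk. I would move the existing description down to `writeManifestNow()` and give the wrapper its own line, e.g. `/** Serialises manifest writes: waits for the previous write to settle (ignoring its error) before calling writeManifestNow(). */`. The `if (!this.manifestPath) return null;` guard is now duplicated in both methods, and one copy can go. The body of `writeManifestNow()` continues past the end of this hunk.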
@@ -9236,10 +9262,7 @@ var Director = class _Director {
9236
9262
  * — calling shutdown twice is a no-op on the second invocation.
9237
9263
  */
9238
9264
  async shutdown() {
9239
- if (this.manifestTimer) {
9240
- clearTimeout(this.manifestTimer);
9241
- this.manifestTimer = null;
9242
- }
9265
+ this.clearManifestTimer();
9243
9266
  if (this.taskCompletedListener) {
9244
9267
  this.coordinator.off("task.completed", this.taskCompletedListener);
9245
9268
  this.taskCompletedListener = null;
@@ -9258,8 +9281,11 @@ var Director = class _Director {
9258
9281
  }
9259
9282
  this.subagentBridges.clear();
9260
9283
  await this.bridge.stop().catch((err) => this.logShutdownError("director_bridge_stop", err));
9261
- if (this.manifestPath)
9284
+ if (this.fleetManager) {
9285
+ await this.fleetManager.flushManifest().catch((err) => this.logShutdownError("fleet_manifest_flush", err));
9286
+ } else if (this.manifestPath) {
9262
9287
  await this.writeManifest().catch((err) => this.logShutdownError("manifest_write", err));
9288
+ }
9263
9289
  if (this.stateCheckpoint) {
9264
9290
  this.stateCheckpoint.setUsage(this.usage.snapshot());
9265
9291
  await this.stateCheckpoint.flush().catch((err) => this.logShutdownError("state_checkpoint_flush", err));
@@ -16756,7 +16782,7 @@ ${errorDetails}`,
16756
16782
  const decision = await this.opts.permissionPolicy.evaluate(tool, use.input, ctx);
16757
16783
  let effectivePermission = decision.permission;
16758
16784
  const policy = this.opts.permissionPolicy;
16759
- const yolo = policy.getYolo?.() === true || policy.getYoloDestructive?.() === true;
16785
+ const yolo = policy.getYolo?.() === true;
16760
16786
  const authoritativeAuto = decision.source === "yolo";
16761
16787
  if (toolDangerousCaps.length > 0 && effectivePermission === "auto" && !yolo && !authoritativeAuto) {
16762
16788
  effectivePermission = "confirm";
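Review bot: The changed `yolo` line narrows which mode may skip the downgrade of dangerous-capability tools from `auto` to `confirm`, but no comment records that intent on what is a security gate. The next line still lets `decision.source === "yolo"` skip the downgrade, so it is worth confirming that a policy running in yolo-destructive mode never reports that source; if it does, this removal has no effect. A comment such as `// Only full yolo, or a decision the policy itself attributes to yolo, keeps "auto" for tools with dangerous capabilities.` would make the rule reviewable. The enclosing function starts and ends outside the hunk.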
@@ -17295,7 +17321,10 @@ function createContextManagerTool(opts = {}) {
17295
17321
  required: ["action"]
17296
17322
  },
17297
17323
  permission: "auto",
17298
- mutating: true,
17324
+ // Mutates only the in-memory conversation context, like the todo tool.
17325
+ // It must stay auto-runnable so the model can inspect/repair/compact its
17326
+ // own context without hitting a permission prompt loop.
17327
+ mutating: false,
17299
17328
  async execute(input, ctx) {
17300
17329
  const messages = ctx.messages;
17301
17330
  const beforeTokens = roughEstimate(messages);
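Review bot: Setting `mutating: false` on a tool that the new comment itself says mutates the conversation context makes the flag mean "never prompts" rather than "changes state". Any other consumer of `mutating` (read-only modes, subagent tool filtering and audit logging are not visible in this hunk) would now treat the context manager as a read-only tool. Rewriting or compacting context can drop earlier instructions and tool results, so a rewrite triggered by injected content would run with `permission: "auto"` and no state-change marker. I would keep `mutating: true` and put the prompt-loop exemption in the permission layer, or at least extend the comment to name which consumers of `mutating` were checked. `execute` continues outside the hunk.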
@@ -24718,19 +24747,51 @@ var LruCache = class {
24718
24747
  // src/security/permission-policy.ts
24719
24748
  init_safe_json();
24720
24749
  init_tool_subject();
24721
- var DESTRUCTIVE_BASH_PATTERNS = [
24722
- /\bgit\s+(?:clean\s+-[^\s]*[xdf]|reset\s+--hard)\b/i,
24723
- /\b(?:drop|truncate)\s+(?:table|database|schema)\b/i,
24724
- /\bdelete\s+from\b/i,
24725
- /\b(?:mkfs|format|diskpart|shutdown|reboot)\b/i,
24726
- /\bchmod\s+-R\s+777\b/i,
24727
- /\bchown\s+-R\b/i,
24728
- /\b(?:curl|wget)\b.*\|\s*(?:sh|bash|zsh|pwsh|powershell)\b/i,
24729
- /\b(?:powershell|pwsh)\b.*(?:-encodedcommand|-enc)\b/i,
24730
- /:\(\)\s*\{\s*:\|:&\s*}\s*;/
24750
+ var CATASTROPHIC_PATTERNS = [
24751
+ /\b(?:mkfs(?:\.[a-z0-9]+)?|mke2fs|newfs)\b/i,
24752
+ // make a filesystem — wipes a partition
24753
+ /\bformat\s+[A-Za-z]:/i,
24754
+ // format C: — wipes a Windows volume
24755
+ /\bdiskpart\b/i,
24756
+ // Windows partition editor
24757
+ /\bdd\b[^|]*\bof=(?:\/dev\/|\\\\[.?]\\)/i,
24758
+ // dd writing straight to a raw device
24759
+ />\s*\/dev\/(?:sd|hd|nvme|disk|mapper|vd)/i,
24760
+ // redirect into a raw block device
24761
+ /:\(\)\s*\{\s*:\|:&\s*\}\s*;/
24762
+ // classic fork bomb
24731
24763
  ];
24732
- var PROJECT_ESCAPE_PATTERN = /(?:^|[\s"'])\.\.(?:[\\/]|$)/;
24733
- var ABSOLUTE_PATH_PATTERN = /(?:^|[\s"'])(?:~[\\/]|\/[A-Za-z0-9_.-]|[A-Za-z]:[\\/])/;
24764
+ var CATASTROPHIC_POSIX_ROOTS = /* @__PURE__ */ new Set([
24765
+ "/etc",
24766
+ "/usr",
24767
+ "/bin",
24768
+ "/sbin",
24769
+ "/lib",
24770
+ "/lib64",
24771
+ "/var",
24772
+ "/boot",
24773
+ "/dev",
24774
+ "/sys",
24775
+ "/proc",
24776
+ "/opt",
24777
+ "/root",
24778
+ "/home",
24779
+ "/srv",
24780
+ "/run",
24781
+ "/system",
24782
+ "/library",
24783
+ "/applications",
24784
+ "/users"
24785
+ ]);
24786
+ var CATASTROPHIC_WIN_SUBDIRS = /* @__PURE__ */ new Set([
24787
+ "windows",
24788
+ "system32",
24789
+ "winnt",
24790
+ "program files",
24791
+ "program files (x86)",
24792
+ "programdata",
24793
+ "users"
24794
+ ]);
24734
24795
  var SHELL_OPERATORS = /* @__PURE__ */ new Set(["&&", "||", "|", ";", ">", ">>", "<", "2>", "2>>"]);
24735
24796
  function getInputString(input, key) {
24736
24797
  if (!input || typeof input !== "object") return void 0;
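Review bot: Replacing `DESTRUCTIVE_BASH_PATTERNS` with `CATASTROPHIC_PATTERNS` drops the download-piped-to-shell and PowerShell encoded-command entries along with the data-loss ones, and nothing in this hunk takes their place. Those two guard against running code fetched or obfuscated by untrusted content rather than against data loss, so the "catastrophic only" criterion does not obviously justify removing them for an agent that may act on injected text. Unless another layer not visible here already covers them, I would keep both regexes in a separate list that still forces a confirmation. The raw-device entries also match only `>` redirection and `dd of=`, so a comment should state that the list is a best-effort backstop and not a complete deny list. `PROJECT_ESCAPE_PATTERN` and `ABSOLUTE_PATH_PATTERN` are removed here as well; their former call sites are outside this hunk.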
@@ -24747,20 +24808,21 @@ function pathLooksInsideProject(rawPath, projectRoot) {
24747
24808
  function tokenizeShell(command) {
24748
24809
  return command.match(/"[^"]*"|'[^']*'|\S+/g)?.map((token) => token.replace(/^['"]|['"]$/g, "")) ?? [];
24749
24810
  }
24750
- function pathTokenIsOutsideProject(token, projectRoot) {
24751
- if (!token || SHELL_OPERATORS.has(token) || token.startsWith("-")) return false;
24752
- if (token === "/" || token === "~" || token === "." || token === "..") return token !== ".";
24753
- if (token.includes("*")) return true;
24754
- if (token.startsWith("..") || token.includes("../") || token.includes("..\\")) return true;
24755
- if (path4.isAbsolute(token) || token.startsWith("~/")) return !pathLooksInsideProject(token, projectRoot);
24811
+ function isCatastrophicDeleteTarget(rawTarget) {
24812
+ const t = rawTarget.replace(/^['"]|['"]$/g, "").trim();
24813
+ if (!t) return false;
24814
+ if (t === "*" || t === "." || t === "./" || t === ".\\" || t === "./*" || t === ".\\*") return true;
24815
+ const s = t.replace(/[\\/]\*+$/, "").replace(/[\\/]+$/, "");
24816
+ if (s === "") return true;
24817
+ if (s === "~" || /^\$HOME$/i.test(s) || /^%USERPROFILE%$/i.test(s)) return true;
24818
+ if (/^[A-Za-z]:$/.test(s)) return true;
24819
+ const norm = s.toLowerCase().replace(/\\/g, "/");
24820
+ if (CATASTROPHIC_POSIX_ROOTS.has(norm)) return true;
24821
+ const win = norm.match(/^[a-z]:\/([^/]+)$/);
24822
+ if (win?.[1] && CATASTROPHIC_WIN_SUBDIRS.has(win[1])) return true;
24756
24823
  return false;
24757
24824
  }
24758
- function hasDangerousDeleteTarget(tokens, start, projectRoot) {
24759
- const targets = tokens.slice(start).filter((token) => !token.startsWith("-") && !SHELL_OPERATORS.has(token));
24760
- if (targets.length === 0) return true;
24761
- return targets.some((target) => pathTokenIsOutsideProject(target, projectRoot));
24762
- }
24763
- function hasDestructiveDelete(command, projectRoot) {
24825
+ function hasCatastrophicDelete(command) {
24764
24826
  const tokens = tokenizeShell(command);
24765
24827
  for (let i = 0; i < tokens.length; i++) {
24766
24828
  const token = tokens[i]?.toLowerCase();
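Review bot: `isCatastrophicDeleteTarget` compares the target text literally, so `CATASTROPHIC_POSIX_ROOTS.has(norm)` and the drive-subdirectory match only fire on the canonical spelling of a path. A target with redundant separators or dot segments that resolves to the same directory is not flagged, and neither is a bare `..`, which the removed `pathTokenIsOutsideProject` did catch. Normalising before the lookups would close this, e.g. `const norm = path4.posix.normalize(s.toLowerCase().replace(/\\/g, "/"));` (assuming `path4` is still the file's `path` import, as the removed code suggests), followed by `if (norm === ".." || norm.startsWith("../")) return true;`. `hasCatastrophicDelete` starts in this hunk and continues past its end.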
@@ -24768,35 +24830,43 @@ function hasDestructiveDelete(command, projectRoot) {
24768
24830
  if (token === "rm") {
24769
24831
  const args = tokens.slice(i + 1);
24770
24832
  const recursiveOrForce = args.some(
24771
- (arg) => /^-[^-]*[rf]/i.test(arg) || arg === "--recursive" || arg === "--force"
24833
+ (arg) => /^-[^-]*[rf]/i.test(arg) || arg === "--recursive" || arg === "--force" || arg === "--no-preserve-root"
24772
24834
  );
24773
- if (recursiveOrForce && hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
24835
+ if (!recursiveOrForce) continue;
24836
+ const targets = args.filter((arg) => !arg.startsWith("-") && !SHELL_OPERATORS.has(arg));
24837
+ if (targets.length === 0) return true;
24838
+ if (targets.some(isCatastrophicDeleteTarget)) return true;
24839
+ }
24840
+ if (token === "remove-item" || token === "ri") {
24841
+ const args = tokens.slice(i + 1);
24842
+ const recursive = args.some((arg) => {
24843
+ const a = arg.toLowerCase();
24844
+ return a === "-recurse" || a === "-force";
24845
+ });
24846
+ if (!recursive) continue;
24847
+ const targets = args.filter((arg) => !arg.startsWith("-") && !SHELL_OPERATORS.has(arg));
24848
+ if (targets.some(isCatastrophicDeleteTarget)) return true;
24774
24849
  }
24775
24850
  if (token === "rmdir" || token === "rd") {
24776
24851
  const args = tokens.slice(i + 1);
24777
24852
  const recursive = args.some((arg) => arg.toLowerCase() === "/s");
24778
- if (recursive && hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
24853
+ if (!recursive) continue;
24854
+ const targets = args.filter((arg) => !arg.startsWith("-") && !arg.startsWith("/") && !SHELL_OPERATORS.has(arg));
24855
+ if (targets.some(isCatastrophicDeleteTarget)) return true;
24779
24856
  }
24780
24857
  if (token === "del" || token === "erase") {
24781
- if (hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
24782
- }
24783
- if (token === "remove-item") {
24784
- const args = tokens.slice(i + 1).map((arg) => arg.toLowerCase());
24785
- const recursiveOrForce = args.includes("-recurse") || args.includes("-force");
24786
- if (recursiveOrForce && hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
24858
+ const args = tokens.slice(i + 1);
24859
+ const targets = args.filter((arg) => !arg.startsWith("-") && !arg.startsWith("/") && !SHELL_OPERATORS.has(arg));
24860
+ if (targets.some(isCatastrophicDeleteTarget)) return true;
24787
24861
  }
24788
24862
  }
24789
24863
  return false;
24790
24864
  }
24791
- function isClearlyDestructiveBashCommand(command, projectRoot) {
24865
+ function isClearlyDestructiveBashCommand(command, _projectRoot) {
24792
24866
  const trimmed = command.trim();
24793
24867
  if (!trimmed) return false;
24794
- if (hasDestructiveDelete(trimmed, projectRoot)) return true;
24795
- if (DESTRUCTIVE_BASH_PATTERNS.some((pattern) => pattern.test(trimmed))) return true;
24796
- if (/\bcd\s+(?:\.\.|~|\/|[A-Za-z]:[\\/])/i.test(trimmed)) return true;
24797
- if (PROJECT_ESCAPE_PATTERN.test(trimmed)) return true;
24798
- const absolute = trimmed.match(ABSOLUTE_PATH_PATTERN)?.[0]?.trim().replace(/^['"]|['"]$/g, "");
24799
- if (absolute && !pathLooksInsideProject(absolute, projectRoot)) return true;
24868
+ if (hasCatastrophicDelete(trimmed)) return true;
24869
+ if (CATASTROPHIC_PATTERNS.some((pattern) => pattern.test(trimmed))) return true;
24800
24870
  return false;
24801
24871
  }
24802
24872
 
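Review bot: `isClearlyDestructiveBashCommand` now inspects only the literal tokens of the command line, so a command that hands execution to a second interpreter is classified as safe even when its payload is one of the catastrophic forms. The removed `curl|wget … | sh` and `-encodedcommand` patterns were the only checks for that kind of indirection, and `tokenizeShell` keeps a quoted inner command as a single token that never equals `rm`. Since this function decides whether a YOLO call is confirmed, consider keeping those two patterns in `CATASTROPHIC_PATTERNS`. Separately, the `remove-item` branch matches `-recurse`/`-force` exactly while PowerShell accepts unambiguous parameter prefixes; `return a.length > 1 && ("-recurse".startsWith(a) || "-force".startsWith(a));` would be closer. `_projectRoot` is now unused and deserves a comment saying it is kept only for signature compatibility.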
@@ -24804,6 +24874,15 @@ function isClearlyDestructiveBashCommand(command, projectRoot) {
24804
24874
  function matchesTrust(patterns, subject) {
24805
24875
  return patterns.includes(subject) || matchAny(patterns, subject);
24806
24876
  }
24877
+ function shellCommandLineFromInput(input) {
24878
+ const command = getInputString(input, "command") ?? getInputString(input, "cmd") ?? getInputString(input, "script");
24879
+ if (!command) return void 0;
24880
+ if (!input || typeof input !== "object") return command;
24881
+ const args = input["args"];
24882
+ if (!Array.isArray(args) || args.length === 0) return command;
24883
+ const renderedArgs = args.filter((arg) => typeof arg === "string").map((arg) => /\s/.test(arg) ? `"${arg.replace(/"/g, '\\"')}"` : arg);
24884
+ return [command, ...renderedArgs].join(" ");
24885
+ }
24807
24886
  var DefaultPermissionPolicy = class {
24808
24887
  policy = {};
24809
24888
  loaded = false;
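Review bot: `shellCommandLineFromInput` has no comment saying that the string it builds is for policy classification only. The quoting on the `renderedArgs` line escapes `"` and nothing else, so the result is not a safe shell line and must never be executed. I would add `/** Render command + args into one line for destructive-command classification only; quoting is approximate, never execute the result. */` above the function. The comment should also record that non-string `args` entries are dropped and that only the `command`, `cmd` and `script` keys are consulted, so a tool carrying its command line under another key yields `undefined`.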
@@ -24821,9 +24900,10 @@ var DefaultPermissionPolicy = class {
24821
24900
  */
24822
24901
  sessionDenied = /* @__PURE__ */ new Map();
24823
24902
  /**
24824
- * Session-scoped "soft trust" map. When the user presses 'a' (allow once),
24825
- * the tool+pattern is added here. If the LLM retries in the same session,
24826
- * we return auto directly without asking again.
24903
+ * Session-scoped one-shot "soft trust" map. When the user presses 'y', the
24904
+ * tool+pattern is added here so the immediate confirm re-run can proceed.
24905
+ * The entry is consumed on first use; future calls must ask again unless the
24906
+ * user chose persistent trust.
24827
24907
  *
24828
24908
  * Cleared on reload().
24829
24909
  */
@@ -24862,7 +24942,7 @@ var DefaultPermissionPolicy = class {
24862
24942
  this.trustFile = opts.trustFile;
24863
24943
  this.yolo = opts.yolo ?? false;
24864
24944
  this.yoloDestructive = opts.yoloDestructive ?? opts.forceAllYolo ?? false;
24865
- this.confirmDestructive = opts.confirmDestructive ?? false;
24945
+ this.confirmDestructive = true;
24866
24946
  this.promptDelegate = opts.promptDelegate;
24867
24947
  }
24868
24948
  /**
@@ -24893,9 +24973,9 @@ var DefaultPermissionPolicy = class {
24893
24973
  return this.yoloDestructive;
24894
24974
  }
24895
24975
  /** Toggle destructive confirmation gate (only meaningful when yolo is active). */
24896
- setConfirmDestructive(enabled) {
24897
- if (this.confirmDestructive !== enabled) this._evalCache.clear();
24898
- this.confirmDestructive = enabled;
24976
+ setConfirmDestructive(_enabled) {
24977
+ if (!this.confirmDestructive) this._evalCache.clear();
24978
+ this.confirmDestructive = true;
24899
24979
  }
24900
24980
  /** Check whether destructive confirmation gate is active. */
24901
24981
  getConfirmDestructive() {
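Review bot: `setConfirmDestructive(_enabled)` now ignores its argument, and the constructor in the previous hunk ignores `opts.confirmDestructive`, yet the JSDoc still reads "Toggle destructive confirmation gate", so a caller passing `false` gets no signal that the gate stayed on. Update the comment to something like `/** @deprecated Destructive confirmation is always on; the argument is ignored. */`. The `if (!this.confirmDestructive) this._evalCache.clear();` line looks unreachable, since the visible code only ever assigns `true` to the field, and could be dropped. The class body starts and ends outside this hunk.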
@@ -24934,12 +25014,12 @@ var DefaultPermissionPolicy = class {
24934
25014
  return decision;
24935
25015
  }
24936
25016
  if (this.sessionAllowed.has(cacheKey)) {
25017
+ this.sessionAllowed.delete(cacheKey);
24937
25018
  const decision = {
24938
25019
  permission: "auto",
24939
25020
  source: "trust",
24940
- reason: "session soft allow (user pressed yes)"
25021
+ reason: "session one-shot allow (user pressed yes)"
24941
25022
  };
24942
- this._evalCache.set(cacheKey, decision);
24943
25023
  return decision;
24944
25024
  }
24945
25025
  if (entry?.deny && subject && matchesTrust(entry.deny, subject)) {
@@ -24952,6 +25032,29 @@ var DefaultPermissionPolicy = class {
24952
25032
  this._evalCache.set(cacheKey, decision);
24953
25033
  return decision;
24954
25034
  }
25035
+ if (this.yolo) {
25036
+ const destructive = this.isDestructiveYoloCall(tool, input, ctx);
25037
+ if (destructive) {
25038
+ if (this.promptDelegate) {
25039
+ const decision = await this.promptDelegate(tool, input, subject ?? tool.name);
25040
+ if (decision === "deny") {
25041
+ await this.deny({ tool: tool.name, pattern: subject ?? tool.name });
25042
+ return { permission: "deny", source: "user", reason: "user denied destructive yolo" };
25043
+ }
25044
+ return {
25045
+ permission: decision === "yes" || decision === "always" ? "auto" : "deny",
25046
+ source: "user",
25047
+ reason: "destructive yolo approved for this call"
25048
+ };
25049
+ }
25050
+ return {
25051
+ permission: "confirm",
25052
+ source: "yolo_destructive",
25053
+ riskTier: "destructive",
25054
+ reason: "destructive tool needs explicit approval in YOLO mode"
25055
+ };
25056
+ }
25057
+ }
24955
25058
  if (entry?.allow && subject && matchesTrust(entry.allow, subject)) {
24956
25059
  const decision = { permission: "auto", source: "trust", reason: "matched allow pattern" };
24957
25060
  this._evalCache.set(cacheKey, decision);
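Review bot: The final `return` of the `promptDelegate` branch sets `reason: "destructive yolo approved for this call"` even when `permission` resolves to `"deny"`, which happens for any answer other than `yes`, `always` or `deny`. That leaves a misleading record for anyone auditing permission decisions. Compute the outcome once and derive both fields from it: `const approved = decision === "yes" || decision === "always";` then `permission: approved ? "auto" : "deny", reason: approved ? "destructive yolo approved for this call" : "destructive yolo not approved"`. Also, `always` is now a one-call approval here; if the prompt still offers that choice, its label no longer matches what happens. The enclosing method starts and ends outside the hunk.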
@@ -24963,29 +25066,6 @@ var DefaultPermissionPolicy = class {
24963
25066
  return decision;
24964
25067
  }
24965
25068
  if (this.yolo) {
24966
- if (this.confirmDestructive) {
24967
- const destructive = this.isDestructiveYoloCall(tool, input, ctx);
24968
- if (destructive) {
24969
- if (this.promptDelegate) {
24970
- const decision2 = await this.promptDelegate(tool, input, subject ?? tool.name);
24971
- if (decision2 === "always") {
24972
- await this.trust({ tool: tool.name, pattern: subject ?? tool.name });
24973
- return { permission: "auto", source: "user", reason: "destructive yolo always-allowed" };
24974
- }
24975
- if (decision2 === "deny") {
24976
- await this.deny({ tool: tool.name, pattern: subject ?? tool.name });
24977
- return { permission: "deny", source: "user", reason: "user denied destructive yolo" };
24978
- }
24979
- return { permission: decision2 === "yes" ? "auto" : "deny", source: "user" };
24980
- }
24981
- return {
24982
- permission: "confirm",
24983
- source: "yolo_destructive",
24984
- riskTier: "destructive",
24985
- reason: "destructive tool needs explicit approval (confirmDestructive is on)"
24986
- };
24987
- }
24988
- }
24989
25069
  const decision = { permission: "auto", source: "yolo" };
24990
25070
  this._evalCache.set(cacheKey, decision);
24991
25071
  return decision;
@@ -25002,7 +25082,8 @@ var DefaultPermissionPolicy = class {
25002
25082
  const hasWriteCap = hasCapability(tool, ToolCapabilities.FS_WRITE);
25003
25083
  const hasShellCap = hasCapability(tool, [
25004
25084
  ToolCapabilities.SHELL_ARBITRARY,
25005
- ToolCapabilities.SHELL_RESTRICTED
25085
+ ToolCapabilities.SHELL_RESTRICTED,
25086
+ ToolCapabilities.SHELL_EXEC
25006
25087
  ]);
25007
25088
  const hasInstallCap = hasCapability(tool, ToolCapabilities.PACKAGE_INSTALL);
25008
25089
  const hasConfigCap = hasCapability(tool, ToolCapabilities.CONFIG_MUTATE);
@@ -25030,27 +25111,30 @@ var DefaultPermissionPolicy = class {
25030
25111
  // Capability-based destructive check (preferred over name-based)
25031
25112
  isDestructiveByCapability(tool) {
25032
25113
  const caps = tool.capabilities ?? [];
25033
- if (caps.includes("shell.arbitrary")) return true;
25034
- if (caps.includes("fs.write")) return true;
25035
- if (caps.includes("fs.write.outside-project")) return true;
25114
+ if (caps.includes(ToolCapabilities.SHELL_ARBITRARY)) return true;
25115
+ if (caps.includes(ToolCapabilities.SHELL_RESTRICTED)) return true;
25116
+ if (caps.includes(ToolCapabilities.SHELL_EXEC)) return true;
25117
+ if (caps.includes(ToolCapabilities.FS_WRITE)) return true;
25118
+ if (caps.includes(ToolCapabilities.FS_WRITE_OUTSIDE_PROJECT)) return true;
25036
25119
  return false;
25037
25120
  }
25038
25121
  isDestructiveYoloCall(tool, input, ctx) {
25039
25122
  if (this.isDestructiveByCapability(tool)) {
25040
- if (tool.name === "bash") {
25041
- const command = getInputString(input, "command");
25042
- return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : true;
25123
+ const caps = tool.capabilities ?? [];
25124
+ if (caps.includes(ToolCapabilities.SHELL_ARBITRARY) || caps.includes(ToolCapabilities.SHELL_RESTRICTED) || caps.includes(ToolCapabilities.SHELL_EXEC)) {
25125
+ const command = shellCommandLineFromInput(input);
25126
+ return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : tool.riskTier === "destructive";
25043
25127
  }
25044
- if (tool.name === "write" || tool.name === "edit" || tool.name === "replace" || tool.name === "patch") {
25128
+ if (caps.includes(ToolCapabilities.FS_WRITE_OUTSIDE_PROJECT)) return true;
25129
+ if (caps.includes(ToolCapabilities.FS_WRITE)) {
25045
25130
  const targetPath = getInputString(input, "path") ?? getInputString(input, "file");
25046
25131
  if (!targetPath || !ctx.projectRoot) return false;
25047
25132
  return !pathLooksInsideProject(targetPath, ctx.projectRoot);
25048
25133
  }
25049
- return true;
25050
25134
  }
25051
- if (tool.name === "bash") {
25052
- const command = getInputString(input, "command");
25053
- return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : true;
25135
+ if (tool.name === "bash" || tool.name === "shell" || tool.name === "exec") {
25136
+ const command = shellCommandLineFromInput(input);
25137
+ return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : tool.riskTier === "destructive";
25054
25138
  }
25055
25139
  if (tool.name === "write" || tool.name === "edit" || tool.name === "replace" || tool.name === "patch") {
25056
25140
  const targetPath = getInputString(input, "path") ?? getInputString(input, "file");
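Review bot: Both fallbacks in `isDestructiveYoloCall` now fail open. When `shellCommandLineFromInput(input)` returns nothing, the result is `tool.riskTier === "destructive"` where it used to be `true`. The `FS_WRITE` branch returns `false` for any input without a `path` or `file` key, and it now applies to every write-capable tool rather than the four named ones. A shell or write tool whose input uses a different key is therefore auto-approved in YOLO mode without its command or target being examined. Keeping the conservative defaults, `return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : true;` and `if (!targetPath || !ctx.projectRoot) return true;`, would make unknown input shapes ask for confirmation; the method continues past the end of the hunk.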
@@ -25099,7 +25183,7 @@ var DefaultPermissionPolicy = class {
25099
25183
  this.sessionDenied.set(`${rule.tool}::${rule.pattern}`, true);
25100
25184
  this._evalCache.clear();
25101
25185
  }
25102
- /** Auto-approve this tool+pattern for the rest of this session (no trust file). */
25186
+ /** Auto-approve this tool+pattern once (no trust file). */
25103
25187
  allowOnce(rule) {
25104
25188
  this.sessionAllowed.set(`${rule.tool}::${rule.pattern}`, true);
25105
25189
  this._evalCache.clear();