@wrongstack/core 0.277.2 → 0.280.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (83) hide show
  1. package/dist/{agent-bridge-BFJ2ODzI.d.ts → agent-bridge-DXC6QDJ4.d.ts} +1 -1
  2. package/dist/{agent-subagent-runner-BimKihiC.d.ts → agent-subagent-runner-PoqNKiR4.d.ts} +563 -471
  3. package/dist/{compactor-D3BGw26y.d.ts → compactor-U3agvUIG.d.ts} +1 -1
  4. package/dist/{config-DAOjriz9.d.ts → config-Cr3312zc.d.ts} +102 -4
  5. package/dist/coordination/index.d.ts +1087 -998
  6. package/dist/coordination/index.js +12235 -12052
  7. package/dist/coordination/index.js.map +1 -1
  8. package/dist/defaults/index.d.ts +31 -30
  9. package/dist/defaults/index.js +403 -189
  10. package/dist/defaults/index.js.map +1 -1
  11. package/dist/{brain-CCfuEOdp.d.ts → events-Bs2fmldo.d.ts} +117 -112
  12. package/dist/execution/index.d.ts +27 -19
  13. package/dist/execution/index.js +216 -63
  14. package/dist/execution/index.js.map +1 -1
  15. package/dist/execution/prompt-enhancer.d.ts +1 -1
  16. package/dist/execution/prompt-enhancer.js.map +1 -1
  17. package/dist/extension/index.d.ts +8 -7
  18. package/dist/{global-mailbox-Dr4cTKqL.d.ts → global-mailbox-Ct7IorLJ.d.ts} +84 -6
  19. package/dist/{goal-store-C1uH4srH.d.ts → goal-store-C4F6DjC0.d.ts} +1 -1
  20. package/dist/hq/index.d.ts +504 -7
  21. package/dist/hq/index.js +1069 -20
  22. package/dist/hq/index.js.map +1 -1
  23. package/dist/{index-DJXj-dcr.d.ts → index-kidebiDh.d.ts} +8 -5
  24. package/dist/{index-cMEmzCVN.d.ts → index-nP09-oP2.d.ts} +2 -2
  25. package/dist/index.d.ts +153 -76
  26. package/dist/index.js +5791 -3163
  27. package/dist/index.js.map +1 -1
  28. package/dist/infrastructure/index.d.ts +7 -6
  29. package/dist/kernel/index.d.ts +14 -13
  30. package/dist/kernel/index.js +31 -15
  31. package/dist/kernel/index.js.map +1 -1
  32. package/dist/{mailbox-types-DTl7bRH3.d.ts → mailbox-types-BGZWrYTJ.d.ts} +38 -0
  33. package/dist/{mcp-servers-CFb60-pH.d.ts → mcp-servers-D910X5_r.d.ts} +3 -3
  34. package/dist/models/index.d.ts +5 -5
  35. package/dist/models/index.js.map +1 -1
  36. package/dist/{models-registry-5Ufn7f2m.d.ts → models-registry-CLkoOcHk.d.ts} +1 -1
  37. package/dist/{multi-agent-coordinator-CcrcncvG.d.ts → multi-agent-coordinator-CieyUoEL.d.ts} +1 -1
  38. package/dist/{null-fleet-bus-C9KsYyrI.d.ts → null-fleet-bus-DkdmZJ_W.d.ts} +464 -464
  39. package/dist/observability/index.d.ts +3 -2
  40. package/dist/{path-resolver-CEeX9I7O.d.ts → path-resolver-XfZ9eLxG.d.ts} +3 -3
  41. package/dist/{permission-DbsGOA1C.d.ts → permission-Dx6dIqS2.d.ts} +2 -7
  42. package/dist/{permission-policy-BpEea3r7.d.ts → permission-policy-C8vJcnX5.d.ts} +2 -2
  43. package/dist/{pipeline-CEjBjzVA.d.ts → pipeline-BwAP21_4.d.ts} +9 -4
  44. package/dist/{provider-model-resolve-BpfXp3Jj.d.ts → provider-model-resolve-CwQNZWt_.d.ts} +3 -3
  45. package/dist/{provider-runner-CnOSr5BN.d.ts → provider-runner-CYHFImzV.d.ts} +3 -3
  46. package/dist/{retry-policy-Git9WF6d.d.ts → retry-policy-D4feSLk3.d.ts} +1 -1
  47. package/dist/sdd/index.d.ts +11 -10
  48. package/dist/sdd/index.js +2 -2
  49. package/dist/sdd/index.js.map +1 -1
  50. package/dist/secret-scrubber-3MHDDAtm.d.ts +6 -0
  51. package/dist/{secret-vault-DDSMHqIm.d.ts → secret-vault-CImt2XrR.d.ts} +1 -1
  52. package/dist/security/index.d.ts +6 -5
  53. package/dist/security/index.js.map +1 -1
  54. package/dist/{selector-Cq72C0Oy.d.ts → selector-Dy-MzKp1.d.ts} +1 -1
  55. package/dist/{session-event-bridge-DG94B3Bk.d.ts → session-event-bridge-CqdiGnfU.d.ts} +1 -1
  56. package/dist/{session-reader-BzT-iMQT.d.ts → session-reader-Hk0WbNm9.d.ts} +1 -1
  57. package/dist/{skill-DGIXCtdv.d.ts → skill-DHniprNl.d.ts} +15 -1
  58. package/dist/skills/index.d.ts +472 -26
  59. package/dist/skills/index.js +872 -129
  60. package/dist/skills/index.js.map +1 -1
  61. package/dist/storage/index.d.ts +27 -14
  62. package/dist/storage/index.js +264 -85
  63. package/dist/storage/index.js.map +1 -1
  64. package/dist/{strategy-compactor-Bt_ZH6R0.d.ts → strategy-compactor-CQwhbErd.d.ts} +32 -17
  65. package/dist/{todos-checkpoint-CH1pcua9.d.ts → todos-checkpoint-Bk2uP7Ex.d.ts} +6 -6
  66. package/dist/{context-DPlA6kid.d.ts → tool-BkOgs_KL.d.ts} +306 -286
  67. package/dist/{tool-executor-SVFq7IOR.d.ts → tool-executor-SiE1wlZo.d.ts} +9 -9
  68. package/dist/tools/index.d.ts +2 -2
  69. package/dist/tools/index.js.map +1 -1
  70. package/dist/types/index.d.ts +22 -21
  71. package/dist/types/index.js +7 -9
  72. package/dist/types/index.js.map +1 -1
  73. package/dist/utils/index.d.ts +30 -4
  74. package/dist/utils/index.js +50 -1
  75. package/dist/utils/index.js.map +1 -1
  76. package/dist/{worktree-manager-C4YIf1Fa.d.ts → worktree-manager-BjOFF6bt.d.ts} +1 -1
  77. package/dist/{wstack-paths-_NrRovdr.d.ts → wstack-paths-CMl_cYgq.d.ts} +8 -0
  78. package/package.json +1 -1
  79. package/skills/mailbox-bridge/SKILL.md +1 -0
  80. package/skills/plugin-author/SKILL.md +350 -0
  81. package/skills/sdd/SKILL.md +134 -134
  82. package/skills/skill-creator/SKILL.md +45 -7
  83. package/skills/wrongstack-mailbox/SKILL.md +40 -21
@@ -1,37 +1,3 @@
1
- /**
2
- * Side-effect risk classification for structured audit recording (P2 #5).
3
- *
4
- * @see {@link import('../core/context.js').Context.recordSideEffect}
5
- */
6
- /**
7
- * The kind of risk a tool side-effect poses. Used by /diag and session
8
- * replay to filter and group side effects.
9
- */
10
- type SideEffectRisk = 'fs.write' | 'shell' | 'package' | 'network' | 'config';
11
- /**
12
- * A structured record of a non-filesystem side effect produced by a tool.
13
- * Appended to the session JSONL as a `side_effect` event for audit and
14
- * observability.
15
- */
16
- interface SideEffect {
17
- /** Session-unique tool call ID (from the tool_use block). */
18
- toolUseId: string;
19
- /** Tool name: 'bash' | 'install' | 'fetch' | ... */
20
- toolName: string;
21
- /** ISO timestamp. */
22
- ts: string;
23
- /** The input the tool received (command, url, packages). */
24
- input: Record<string, unknown>;
25
- /**
26
- * Optional outcome summary — NOT the full output (that's already in the
27
- * tool_result block). A short string like "exit 0", "installed 42 packages",
28
- * "HTTP 200 (12KB)", or "timed out".
29
- */
30
- outcome?: string | undefined;
31
- /** Risk classification for filtering in /diag. */
32
- risk: SideEffectRisk;
33
- }
34
-
35
1
  interface TextBlock {
36
2
  type: 'text';
37
3
  text: string;
@@ -109,6 +75,40 @@ declare function isToolResultBlock(b: ContentBlock): b is ToolResultBlock;
109
75
  declare function isImageBlock(b: ContentBlock): b is ImageBlock;
110
76
  declare function isThinkingBlock(b: ContentBlock): b is ThinkingBlock;
111
77
 
78
+ /**
79
+ * Side-effect risk classification for structured audit recording (P2 #5).
80
+ *
81
+ * @see {@link import('../core/context.js').Context.recordSideEffect}
82
+ */
83
+ /**
84
+ * The kind of risk a tool side-effect poses. Used by /diag and session
85
+ * replay to filter and group side effects.
86
+ */
87
+ type SideEffectRisk = 'fs.write' | 'shell' | 'package' | 'network' | 'config';
88
+ /**
89
+ * A structured record of a non-filesystem side effect produced by a tool.
90
+ * Appended to the session JSONL as a `side_effect` event for audit and
91
+ * observability.
92
+ */
93
+ interface SideEffect {
94
+ /** Session-unique tool call ID (from the tool_use block). */
95
+ toolUseId: string;
96
+ /** Tool name: 'bash' | 'install' | 'fetch' | ... */
97
+ toolName: string;
98
+ /** ISO timestamp. */
99
+ ts: string;
100
+ /** The input the tool received (command, url, packages). */
101
+ input: Record<string, unknown>;
102
+ /**
103
+ * Optional outcome summary — NOT the full output (that's already in the
104
+ * tool_result block). A short string like "exit 0", "installed 42 packages",
105
+ * "HTTP 200 (12KB)", or "timed out".
106
+ */
107
+ outcome?: string | undefined;
108
+ /** Risk classification for filtering in /diag. */
109
+ risk: SideEffectRisk;
110
+ }
111
+
112
112
  type MessageRole = 'user' | 'assistant' | 'system';
113
113
  interface Message {
114
114
  role: MessageRole;
@@ -395,258 +395,21 @@ declare class ParseError extends WrongStackError {
395
395
  * from different upstream APIs without parsing the message.
396
396
  */
397
397
  source?: string | undefined;
398
- context?: Record<string, unknown> | undefined;
399
- cause?: unknown | undefined;
400
- });
401
- }
402
- declare function isWrongStackError(err: unknown): err is WrongStackError;
403
- declare function isToolError(err: unknown): err is ToolError;
404
- declare function isConfigError(err: unknown): err is ConfigError;
405
- declare function isPluginError(err: unknown): err is PluginError;
406
- declare function isSessionError(err: unknown): err is SessionError;
407
- declare function isAgentError(err: unknown): err is AgentError;
408
- declare function isFsError(err: unknown): err is FsError;
409
- declare function isToolValidationError(err: unknown): err is ToolValidationError;
410
- declare function isFetchError(err: unknown): err is FetchError;
411
- declare function isParseError(err: unknown): err is ParseError;
412
- declare function isSddError(err: unknown): err is SddError;
413
-
414
- type Permission = 'auto' | 'confirm' | 'deny';
415
- /**
416
- * Risk tier for tools in YOLO mode. YOLO auto-approves normal project work,
417
- * while clearly destructive calls still require confirmation.
418
- *
419
- * - `safe` — read-only, no side effects (read, glob, grep, etc.)
420
- * - `standard` — non-destructive writes and mutations (write, edit, safe shell commands)
421
- * - `destructive` — irreversible or broadside effects (recursive deletes, db drops, etc.)
422
- */
423
- type RiskTier = 'safe' | 'standard' | 'destructive';
424
- /**
425
- * Icon identifiers for tools — each UI (WebUI/TUI/REPL) maps these to its own icon library.
426
- * Add the icon directly on each Tool so all UIs consume the same canonical value.
427
- */
428
- type ToolIconId = 'file' | 'edit' | 'search' | 'folder' | 'terminal' | 'web' | 'git' | 'tree' | 'code' | 'test' | 'package' | 'document' | 'scaffold' | 'todo' | 'plan' | 'task' | 'meta' | 'index' | 'json' | 'diff' | 'logs' | 'settings' | 'fallback';
429
- interface JSONSchema {
430
- type?: string | undefined;
431
- properties?: Record<string, JSONSchema>;
432
- required?: string[] | undefined;
433
- items?: JSONSchema | undefined;
434
- enum?: unknown[] | undefined;
435
- description?: string | undefined;
436
- [k: string]: unknown;
437
- }
438
- /**
439
- * Tool progress event — yielded by `Tool.executeStream` to give the UI
440
- * something to render while a long-running tool works. The executor
441
- * publishes each event via EventBus as `tool.progress` so the TUI, logger,
442
- * and observability layer can consume them uniformly.
443
- *
444
- * Keep events small. They are buffered through the EventBus synchronously
445
- * and rendered on the main thread.
446
- */
447
- interface ToolProgressEvent {
448
- /**
449
- * - `log` — verbose informational message (e.g. "scanning…")
450
- * - `warning` — non-fatal issue (e.g. "skipped X due to ENOENT")
451
- * - `metric` — numeric data (e.g. files scanned so far)
452
- * - `file_changed` — a tool that mutates the workspace announces a write
453
- * - `partial_output` — stream of textual output (bash stdout, fetch body)
454
- */
455
- type: 'log' | 'warning' | 'metric' | 'file_changed' | 'partial_output';
456
- text?: string | undefined;
457
- data?: Record<string, unknown>;
458
- }
459
- /**
460
- * Terminal event for `executeStream`. The output must match the tool's
461
- * declared output type — the executor unwraps `output` and treats it like
462
- * a normal `execute` return value.
463
- */
464
- interface ToolFinalEvent<O> {
465
- type: 'final';
466
- output: O;
467
- }
468
- type ToolStreamEvent<O = unknown> = ToolProgressEvent | ToolFinalEvent<O>;
469
- interface Tool<I = unknown, O = unknown> {
470
- name: string;
471
- description: string;
472
- /**
473
- * Pre-computed token estimate for this tool's definition (name +
474
- * description + JSON-serialized inputSchema). Set by ToolRegistry on
475
- * registration; consumed by estimateToolDefTokens / estimateRequestTokens
476
- * to skip redundant JSON.stringify on every context-pressure check.
477
- */
478
- _estDefTokens?: number | undefined;
479
- usageHint?: string | undefined;
480
- /** Optional category for grouping in help lists and system prompts. */
481
- category?: string | undefined;
482
- inputSchema: JSONSchema;
483
- permission: Permission;
484
- mutating: boolean;
485
- /**
486
- * Risk tier for selective YOLO gating. When YOLO is active, clearly
487
- * destructive calls still emit `confirm`. Defaults to `standard` when
488
- * omitted — callers should always check `riskTier` after the basic
489
- * permission decision.
490
- */
491
- riskTier?: RiskTier | undefined;
492
- /**
493
- * Input-field name that the permission policy should match trust rules
494
- * against. Without this, the policy falls back to a heuristic
495
- * (`command` / `path` / `url` / `name`) that can collide across tools —
496
- * e.g. an HTTP tool whose `path` means "request path" would be checked
497
- * against filesystem-path trust rules. Set explicitly to avoid the
498
- * cross-tool subject collision.
499
- *
500
- * The named field's value must be a string at runtime; non-string values
501
- * fall back to the heuristic.
502
- */
503
- subjectKey?: string | undefined;
504
- maxOutputBytes?: number | undefined;
505
- timeoutMs?: number | undefined;
506
- /**
507
- * Hint for the TUI spinner — does NOT affect actual timeout enforcement.
508
- * Use `timeoutMs` for hard limits. Leave undefined when duration varies
509
- * unpredictably.
510
- */
511
- estimatedDurationMs?: number | undefined;
512
- /**
513
- * Declarative security capabilities granted by this tool.
514
- *
515
- * Examples: "shell.arbitrary", "fs.write", "fs.write.outside-project",
516
- * "net.outbound", "mcp.proxy", "subagent.spawn", "config.mutate".
517
- *
518
- * These are used by permission policies (especially subagent guards) and
519
- * future capability-based allowlists. Prefer well-known values over ad-hoc strings.
520
- *
521
- * This field is optional for backward compatibility. Tools without it are
522
- * treated conservatively by guards.
523
- */
524
- capabilities?: readonly string[] | undefined;
525
- /**
526
- * Icon identifier for this tool — consumed by all UIs (WebUI/TUI/REPL) to
527
- * render a tool-specific icon instead of a generic fallback.
528
- * Each UI maps this id to its own icon library.
529
- */
530
- icon?: ToolIconId | undefined;
531
- execute(input: I, ctx: Context, opts: {
532
- signal: AbortSignal;
533
- }): Promise<O>;
534
- /**
535
- * Optional cross-field validation hook. Called by the executor AFTER
536
- * JSON Schema validation passes and AFTER PreToolUse hooks may have
537
- * rewritten the input, but BEFORE permission checks and execution.
538
- *
539
- * Use this for invariants the JSON Schema cannot express — e.g.
540
- * `old_string !== new_string` in edit, or `end > start` in a range tool.
541
- * Return an array of validation errors (empty = valid). The executor
542
- * surfaces them to the model just like schema validation errors, so the
543
- * model can self-correct without the tool's `execute()` running.
544
- *
545
- * P3 #16 (before-release.md): tools that implement cross-field checks
546
- * inside `execute()` can migrate them here for earlier rejection and
547
- * consistent error formatting.
548
- */
549
- validate?(input: I): string[];
550
- /**
551
- * Optional streaming variant. When defined, the executor prefers this
552
- * over `execute` — yielded events become `tool.progress` EventBus events
553
- * and the terminal `final` event provides the output. Tools that don't
554
- * have intermediate state shouldn't implement this; the default `execute`
555
- * path is more efficient.
556
- */
557
- executeStream?(input: I, ctx: Context, opts: {
558
- signal: AbortSignal;
559
- }): AsyncIterable<ToolStreamEvent<O>>;
560
- /**
561
- * Optional teardown hook fired by the executor when the tool's run is
562
- * aborted (signal triggered). Errors thrown here are swallowed so they
563
- * never mask the originating failure.
564
- *
565
- * **When to use `cleanup` vs `ctx.registerAbortHook`:**
566
- *
567
- * - Use `cleanup` for resources **owned by the tool author** that are
568
- * established at execute-time: child processes spawned by the tool,
569
- * file handles opened by the tool, network connections initiated by
570
- * the tool. The lifecycle is co-located with the tool definition, so
571
- * readers see the resource and its teardown in one place.
572
- *
573
- * ```ts
574
- * async execute(input, ctx, opts) {
575
- * const child = spawn(...);
576
- * // … tool work …
577
- * },
578
- * async cleanup(_input, _ctx) {
579
- * // best-effort kill of any child still running
580
- * }
581
- * ```
582
- *
583
- * - Use `ctx.registerAbortHook` for **context-scoped teardown** registered
584
- * dynamically inside `execute`: when the tool delegates to a library
585
- * that needs cancellation, or when the resource is created lazily
586
- * somewhere down the call stack and the natural cleanup point isn't
587
- * at the tool boundary. The hook fires when the **agent run** ends,
588
- * not when this specific tool call aborts.
589
- *
590
- * ```ts
591
- * async execute(input, ctx, opts) {
592
- * const handle = openHelper();
593
- * ctx.registerAbortHook(() => handle.dispose());
594
- * // … work …
595
- * }
596
- * ```
597
- *
598
- * If both are registered for the same resource, `cleanup` fires first
599
- * (on tool abort) and the abort-hook fires after on the wider run abort.
600
- * Avoid double-free by gating one on the other's effect, or pick a single
601
- * teardown channel per resource.
602
- */
603
- cleanup?(input: I, ctx: Context): Promise<void>;
604
- /**
605
- * Optional custom output serializer. When present, the executor's output
606
- * serializer calls this INSTEAD of the central `renderToolObject()` switch
607
- * — the tool owns its own pretty-printing.
608
- *
609
- * Return a string representation of the output that the model will see in
610
- * its tool_result block. The serializer applies the iteration output cap
611
- * AFTER this runs, so don't worry about truncation.
612
- *
613
- * P3 #21 (before-release.md): `renderToolObject()` is a god function with
614
- * 30+ per-tool branches, far from each tool's definition. New tools that
615
- * want custom output no longer need to add a branch there — they implement
616
- * this method instead. Existing branches stay until migrated incrementally.
617
- */
618
- serialize?(output: O, input: I): string;
619
- }
620
- interface ToolCallContext {
621
- tool: Tool;
622
- input: unknown;
623
- callId: string;
624
- ctx: Context;
625
- signal: AbortSignal;
626
- }
627
- /**
628
- * Error categories for tool execution failures.
629
- * Used by the executor to classify errors and determine retry strategy.
630
- */
631
- declare enum ToolErrorCategory {
632
- TRANSIENT = "transient",// ETIMEDOUT, ECONNRESET, network timeout, HTTP 429/503
633
- NOT_FOUND = "not_found",// ENOENT, ENOTDIR, HTTP 404
634
- PERMISSION = "permission",// EACCES, EPERM, HTTP 401/403
635
- VALIDATION = "validation",// schema validation error, HTTP 400
636
- FATAL = "fatal"
637
- }
638
- /**
639
- * Structured tool error information for the LLM and retry logic.
640
- */
641
- interface ToolErrorInfo {
642
- readonly category: ToolErrorCategory;
643
- /** Whether the operation can be retried automatically. */
644
- readonly retryable: boolean;
645
- /** User-facing message describing the error. */
646
- readonly userMessage: string;
647
- /** Optional technical detail for debugging. */
648
- readonly detail?: string;
398
+ context?: Record<string, unknown> | undefined;
399
+ cause?: unknown | undefined;
400
+ });
649
401
  }
402
+ declare function isWrongStackError(err: unknown): err is WrongStackError;
403
+ declare function isToolError(err: unknown): err is ToolError;
404
+ declare function isConfigError(err: unknown): err is ConfigError;
405
+ declare function isPluginError(err: unknown): err is PluginError;
406
+ declare function isSessionError(err: unknown): err is SessionError;
407
+ declare function isAgentError(err: unknown): err is AgentError;
408
+ declare function isFsError(err: unknown): err is FsError;
409
+ declare function isToolValidationError(err: unknown): err is ToolValidationError;
410
+ declare function isFetchError(err: unknown): err is FetchError;
411
+ declare function isParseError(err: unknown): err is ParseError;
412
+ declare function isSddError(err: unknown): err is SddError;
650
413
 
651
414
  /**
652
415
  * Token usage for a single provider call, normalized across providers.
@@ -1532,6 +1295,24 @@ interface ContextRepeatedReadEvidence {
1532
1295
  count: number;
1533
1296
  lastToolUseId: string;
1534
1297
  }
1298
+ /** Where a completed-work ledger entry came from. */
1299
+ type CompletedWorkSource = 'todo' | 'plan' | 'task' | 'verification' | 'manual';
1300
+ /**
1301
+ * One unit of finished work, kept in the session's completed-work ledger so
1302
+ * the model (and a resumed session) can see what is already done and build
1303
+ * on it instead of redoing it. Persisted via the completed-work checkpoint
1304
+ * (`storage/completed-work-checkpoint.ts`).
1305
+ */
1306
+ interface CompletedWorkEvidence {
1307
+ /** Stable dedupe key — completing the same unit twice updates in place (e.g. "task:<id>"). */
1308
+ key: string;
1309
+ source: CompletedWorkSource;
1310
+ summary: string;
1311
+ /** Epoch ms when the work was marked complete. */
1312
+ completedAt: number;
1313
+ /** Optional pointer to proof (test run, commit hash, file path). */
1314
+ evidence?: string | undefined;
1315
+ }
1535
1316
  interface ContextEvidenceState {
1536
1317
  currentIntent?: ContextIntentEvidence | undefined;
1537
1318
  sessionGoals: string[];
@@ -1540,6 +1321,8 @@ interface ContextEvidenceState {
1540
1321
  toolCalls: ToolOutputMetadata[];
1541
1322
  fileGraph: Record<string, ContextFileEvidence>;
1542
1323
  repeatedReads: ContextRepeatedReadEvidence[];
1324
+ /** Ledger of finished work (tasks, todos, verifications) — see {@link CompletedWorkEvidence}. */
1325
+ completedWork: CompletedWorkEvidence[];
1543
1326
  lastReadPath?: string | undefined;
1544
1327
  updatedAt: number;
1545
1328
  }
@@ -1954,4 +1737,241 @@ declare class Context implements RunEnv {
1954
1737
  usage(): Usage;
1955
1738
  }
1956
1739
 
1957
- export { type ProviderErrorBody as $, AgentError as A, ConfigError as B, Context as C, type ContextEvidenceState as D, type ContextFileEvidence as E, type ContextInit as F, type ContextIntentEvidence as G, type ContextRepeatedReadEvidence as H, ERROR_CODES as I, type JSONSchema as J, type ErrorCode as K, type ErrorSeverity as L, type Message as M, type ErrorSubsystem as N, FetchError as O, type Provider as P, type FileSnapshot as Q, type ReasoningRequest as R, type SessionEvent as S, type Tool as T, type Usage as U, FsError as V, type ImageBlock as W, type JsonSchemaSpec as X, type MessageRole as Y, ParseError as Z, PluginError as _, type ReasoningConfig as a, type ReadonlyConversationState as a0, type RequestCacheControl as a1, type ResponseFormat as a2, type RiskTier as a3, type RunEnv as a4, type SafetySetting as a5, SddError as a6, SessionError as a7, type SideEffect as a8, type SideEffectRisk as a9, isSessionError as aA, isTextBlock as aB, isThinkingBlock as aC, isToolError as aD, isToolResultBlock as aE, isToolUseBlock as aF, isToolValidationError as aG, isWrongStackError as aH, toWrongStackError as aI, wrapAsState as aJ, type StateChange as aa, type StateChangeHandler as ab, type StopReason as ac, type StreamEvent as ad, StreamHangError as ae, type ThinkingBlock as af, type ToolCallContext as ag, ToolError as ah, type ToolErrorInfo as ai, type ToolEvidenceStatus as aj, type ToolFinalEvent as ak, type ToolIconId as al, type ToolStreamEvent as am, ToolValidationError as an, WrongStackError as ao, asBlocks as ap, asText as aq, extractRunEnv as ar, isAgentError as as, isConfigError as at, isFetchError as au, isFsError as av, isImageBlock as aw, isParseError as ax, isPluginError as ay, isSddError as az, type SessionWriter as b, type Request as c, type Response as d, type TokenCounter as e, type CacheStats as f, ProviderError as g, type Permission as h, type ContentBlock as i, type SessionMetadata as j, type SessionStore as k, ToolErrorCategory as l, type ToolProgressEvent as m, type ToolOutputMetadata as n, type Capabilities as o, type ReasoningEffort as p, type CacheTtl as q, type TextBlock as r, type ToolUseBlock as s, type ToolResultBlock as t, type RunOptions as u, ConversationState as v, type ResumedSession as w, type SessionData as x, type SessionSummary as y, type TodoItem as z };
1740
+ type Permission = 'auto' | 'confirm' | 'deny';
1741
+ /**
1742
+ * Risk tier for tools in YOLO mode. YOLO auto-approves normal project work,
1743
+ * while clearly destructive calls still require confirmation.
1744
+ *
1745
+ * - `safe` — read-only, no side effects (read, glob, grep, etc.)
1746
+ * - `standard` — non-destructive writes and mutations (write, edit, safe shell commands)
1747
+ * - `destructive` — irreversible or broadside effects (recursive deletes, db drops, etc.)
1748
+ */
1749
+ type RiskTier = 'safe' | 'standard' | 'destructive';
1750
+ /**
1751
+ * Icon identifiers for tools — each UI (WebUI/TUI/REPL) maps these to its own icon library.
1752
+ * Add the icon directly on each Tool so all UIs consume the same canonical value.
1753
+ */
1754
+ type ToolIconId = 'file' | 'edit' | 'search' | 'folder' | 'terminal' | 'web' | 'git' | 'tree' | 'code' | 'test' | 'package' | 'document' | 'scaffold' | 'todo' | 'plan' | 'task' | 'meta' | 'index' | 'json' | 'diff' | 'logs' | 'settings' | 'fallback';
1755
+ interface JSONSchema {
1756
+ type?: string | undefined;
1757
+ properties?: Record<string, JSONSchema>;
1758
+ required?: string[] | undefined;
1759
+ items?: JSONSchema | undefined;
1760
+ enum?: unknown[] | undefined;
1761
+ description?: string | undefined;
1762
+ [k: string]: unknown;
1763
+ }
1764
+ /**
1765
+ * Tool progress event — yielded by `Tool.executeStream` to give the UI
1766
+ * something to render while a long-running tool works. The executor
1767
+ * publishes each event via EventBus as `tool.progress` so the TUI, logger,
1768
+ * and observability layer can consume them uniformly.
1769
+ *
1770
+ * Keep events small. They are buffered through the EventBus synchronously
1771
+ * and rendered on the main thread.
1772
+ */
1773
+ interface ToolProgressEvent {
1774
+ /**
1775
+ * - `log` — verbose informational message (e.g. "scanning…")
1776
+ * - `warning` — non-fatal issue (e.g. "skipped X due to ENOENT")
1777
+ * - `metric` — numeric data (e.g. files scanned so far)
1778
+ * - `file_changed` — a tool that mutates the workspace announces a write
1779
+ * - `partial_output` — stream of textual output (bash stdout, fetch body)
1780
+ */
1781
+ type: 'log' | 'warning' | 'metric' | 'file_changed' | 'partial_output';
1782
+ text?: string | undefined;
1783
+ data?: Record<string, unknown>;
1784
+ }
1785
+ /**
1786
+ * Terminal event for `executeStream`. The output must match the tool's
1787
+ * declared output type — the executor unwraps `output` and treats it like
1788
+ * a normal `execute` return value.
1789
+ */
1790
+ interface ToolFinalEvent<O> {
1791
+ type: 'final';
1792
+ output: O;
1793
+ }
1794
+ type ToolStreamEvent<O = unknown> = ToolProgressEvent | ToolFinalEvent<O>;
1795
+ interface Tool<I = unknown, O = unknown> {
1796
+ name: string;
1797
+ description: string;
1798
+ /**
1799
+ * Pre-computed token estimate for this tool's definition (name +
1800
+ * description + JSON-serialized inputSchema). Set by ToolRegistry on
1801
+ * registration; consumed by estimateToolDefTokens / estimateRequestTokens
1802
+ * to skip redundant JSON.stringify on every context-pressure check.
1803
+ */
1804
+ _estDefTokens?: number | undefined;
1805
+ usageHint?: string | undefined;
1806
+ /** Optional category for grouping in help lists and system prompts. */
1807
+ category?: string | undefined;
1808
+ inputSchema: JSONSchema;
1809
+ permission: Permission;
1810
+ mutating: boolean;
1811
+ /**
1812
+ * Risk tier for selective YOLO gating. When YOLO is active, clearly
1813
+ * destructive calls still emit `confirm`. Defaults to `standard` when
1814
+ * omitted — callers should always check `riskTier` after the basic
1815
+ * permission decision.
1816
+ */
1817
+ riskTier?: RiskTier | undefined;
1818
+ /**
1819
+ * Input-field name that the permission policy should match trust rules
1820
+ * against. Without this, the policy falls back to a heuristic
1821
+ * (`command` / `path` / `url` / `name`) that can collide across tools —
1822
+ * e.g. an HTTP tool whose `path` means "request path" would be checked
1823
+ * against filesystem-path trust rules. Set explicitly to avoid the
1824
+ * cross-tool subject collision.
1825
+ *
1826
+ * The named field's value must be a string at runtime; non-string values
1827
+ * fall back to the heuristic.
1828
+ */
1829
+ subjectKey?: string | undefined;
1830
+ maxOutputBytes?: number | undefined;
1831
+ timeoutMs?: number | undefined;
1832
+ /**
1833
+ * Hint for the TUI spinner — does NOT affect actual timeout enforcement.
1834
+ * Use `timeoutMs` for hard limits. Leave undefined when duration varies
1835
+ * unpredictably.
1836
+ */
1837
+ estimatedDurationMs?: number | undefined;
1838
+ /**
1839
+ * Declarative security capabilities granted by this tool.
1840
+ *
1841
+ * Examples: "shell.arbitrary", "fs.write", "fs.write.outside-project",
1842
+ * "net.outbound", "mcp.proxy", "subagent.spawn", "config.mutate".
1843
+ *
1844
+ * These are used by permission policies (especially subagent guards) and
1845
+ * future capability-based allowlists. Prefer well-known values over ad-hoc strings.
1846
+ *
1847
+ * This field is optional for backward compatibility. Tools without it are
1848
+ * treated conservatively by guards.
1849
+ */
1850
+ capabilities?: readonly string[] | undefined;
1851
+ /**
1852
+ * Icon identifier for this tool — consumed by all UIs (WebUI/TUI/REPL) to
1853
+ * render a tool-specific icon instead of a generic fallback.
1854
+ * Each UI maps this id to its own icon library.
1855
+ */
1856
+ icon?: ToolIconId | undefined;
1857
+ execute(input: I, ctx: Context, opts: {
1858
+ signal: AbortSignal;
1859
+ }): Promise<O>;
1860
+ /**
1861
+ * Optional cross-field validation hook. Called by the executor AFTER
1862
+ * JSON Schema validation passes and AFTER PreToolUse hooks may have
1863
+ * rewritten the input, but BEFORE permission checks and execution.
1864
+ *
1865
+ * Use this for invariants the JSON Schema cannot express — e.g.
1866
+ * `old_string !== new_string` in edit, or `end > start` in a range tool.
1867
+ * Return an array of validation errors (empty = valid). The executor
1868
+ * surfaces them to the model just like schema validation errors, so the
1869
+ * model can self-correct without the tool's `execute()` running.
1870
+ *
1871
+ * P3 #16 (before-release.md): tools that implement cross-field checks
1872
+ * inside `execute()` can migrate them here for earlier rejection and
1873
+ * consistent error formatting.
1874
+ */
1875
+ validate?(input: I): string[];
1876
+ /**
1877
+ * Optional streaming variant. When defined, the executor prefers this
1878
+ * over `execute` — yielded events become `tool.progress` EventBus events
1879
+ * and the terminal `final` event provides the output. Tools that don't
1880
+ * have intermediate state shouldn't implement this; the default `execute`
1881
+ * path is more efficient.
1882
+ */
1883
+ executeStream?(input: I, ctx: Context, opts: {
1884
+ signal: AbortSignal;
1885
+ }): AsyncIterable<ToolStreamEvent<O>>;
1886
+ /**
1887
+ * Optional teardown hook fired by the executor when the tool's run is
1888
+ * aborted (signal triggered). Errors thrown here are swallowed so they
1889
+ * never mask the originating failure.
1890
+ *
1891
+ * **When to use `cleanup` vs `ctx.registerAbortHook`:**
1892
+ *
1893
+ * - Use `cleanup` for resources **owned by the tool author** that are
1894
+ * established at execute-time: child processes spawned by the tool,
1895
+ * file handles opened by the tool, network connections initiated by
1896
+ * the tool. The lifecycle is co-located with the tool definition, so
1897
+ * readers see the resource and its teardown in one place.
1898
+ *
1899
+ * ```ts
1900
+ * async execute(input, ctx, opts) {
1901
+ * const child = spawn(...);
1902
+ * // … tool work …
1903
+ * },
1904
+ * async cleanup(_input, _ctx) {
1905
+ * // best-effort kill of any child still running
1906
+ * }
1907
+ * ```
1908
+ *
1909
+ * - Use `ctx.registerAbortHook` for **context-scoped teardown** registered
1910
+ * dynamically inside `execute`: when the tool delegates to a library
1911
+ * that needs cancellation, or when the resource is created lazily
1912
+ * somewhere down the call stack and the natural cleanup point isn't
1913
+ * at the tool boundary. The hook fires when the **agent run** ends,
1914
+ * not when this specific tool call aborts.
1915
+ *
1916
+ * ```ts
1917
+ * async execute(input, ctx, opts) {
1918
+ * const handle = openHelper();
1919
+ * ctx.registerAbortHook(() => handle.dispose());
1920
+ * // … work …
1921
+ * }
1922
+ * ```
1923
+ *
1924
+ * If both are registered for the same resource, `cleanup` fires first
1925
+ * (on tool abort) and the abort-hook fires after on the wider run abort.
1926
+ * Avoid double-free by gating one on the other's effect, or pick a single
1927
+ * teardown channel per resource.
1928
+ */
1929
+ cleanup?(input: I, ctx: Context): Promise<void>;
1930
+ /**
1931
+ * Optional custom output serializer. When present, the executor's output
1932
+ * serializer calls this INSTEAD of the central `renderToolObject()` switch
1933
+ * — the tool owns its own pretty-printing.
1934
+ *
1935
+ * Return a string representation of the output that the model will see in
1936
+ * its tool_result block. The serializer applies the iteration output cap
1937
+ * AFTER this runs, so don't worry about truncation.
1938
+ *
1939
+ * P3 #21 (before-release.md): `renderToolObject()` is a god function with
1940
+ * 30+ per-tool branches, far from each tool's definition. New tools that
1941
+ * want custom output no longer need to add a branch there — they implement
1942
+ * this method instead. Existing branches stay until migrated incrementally.
1943
+ */
1944
+ serialize?(output: O, input: I): string;
1945
+ }
1946
+ interface ToolCallContext {
1947
+ tool: Tool;
1948
+ input: unknown;
1949
+ callId: string;
1950
+ ctx: Context;
1951
+ signal: AbortSignal;
1952
+ }
1953
+ /**
1954
+ * Error categories for tool execution failures.
1955
+ * Used by the executor to classify errors and determine retry strategy.
1956
+ */
1957
+ declare enum ToolErrorCategory {
1958
+ TRANSIENT = "transient",// ETIMEDOUT, ECONNRESET, network timeout, HTTP 429/503
1959
+ NOT_FOUND = "not_found",// ENOENT, ENOTDIR, HTTP 404
1960
+ PERMISSION = "permission",// EACCES, EPERM, HTTP 401/403
1961
+ VALIDATION = "validation",// schema validation error, HTTP 400
1962
+ FATAL = "fatal"
1963
+ }
1964
+ /**
1965
+ * Structured tool error information for the LLM and retry logic.
1966
+ */
1967
+ interface ToolErrorInfo {
1968
+ readonly category: ToolErrorCategory;
1969
+ /** Whether the operation can be retried automatically. */
1970
+ readonly retryable: boolean;
1971
+ /** User-facing message describing the error. */
1972
+ readonly userMessage: string;
1973
+ /** Optional technical detail for debugging. */
1974
+ readonly detail?: string;
1975
+ }
1976
+
1977
+ export { type MessageRole as $, type TodoItem as A, AgentError as B, Context as C, type CompletedWorkEvidence as D, type CompletedWorkSource as E, ConfigError as F, type ContextEvidenceState as G, type ContextFileEvidence as H, type ContextInit as I, type JSONSchema as J, type ContextIntentEvidence as K, type ContextRepeatedReadEvidence as L, type Message as M, ERROR_CODES as N, type ErrorCode as O, type Provider as P, type ErrorSeverity as Q, type ReasoningRequest as R, type SessionEvent as S, type Tool as T, type Usage as U, type ErrorSubsystem as V, FetchError as W, type FileSnapshot as X, FsError as Y, type ImageBlock as Z, type JsonSchemaSpec as _, type ReasoningConfig as a, ParseError as a0, PluginError as a1, type ProviderErrorBody as a2, type ReadonlyConversationState as a3, type RequestCacheControl as a4, type ResponseFormat as a5, type RunEnv as a6, type SafetySetting as a7, SddError as a8, SessionError as a9, isPluginError as aA, isSddError as aB, isSessionError as aC, isTextBlock as aD, isThinkingBlock as aE, isToolError as aF, isToolResultBlock as aG, isToolUseBlock as aH, isToolValidationError as aI, isWrongStackError as aJ, toWrongStackError as aK, wrapAsState as aL, type SideEffect as aa, type SideEffectRisk as ab, type StateChange as ac, type StateChangeHandler as ad, type StopReason as ae, type StreamEvent as af, StreamHangError as ag, type ThinkingBlock as ah, type ToolCallContext as ai, ToolError as aj, type ToolErrorInfo as ak, type ToolEvidenceStatus as al, type ToolFinalEvent as am, type ToolIconId as an, type ToolStreamEvent as ao, ToolValidationError as ap, WrongStackError as aq, asBlocks as ar, asText as as, extractRunEnv as at, isAgentError as au, isConfigError as av, isFetchError as aw, isFsError as ax, isImageBlock as ay, isParseError as az, type SessionWriter as b, type Request as c, type Response as d, type Permission as e, type TokenCounter as f, type CacheStats as g, ProviderError as h, type ContentBlock as i, type SessionMetadata as j, type SessionStore as k, ToolErrorCategory as l, type ToolProgressEvent as m, type RiskTier as n, type ToolOutputMetadata as o, type ReasoningEffort as p, type CacheTtl as q, type Capabilities as r, type TextBlock as s, type ToolUseBlock as t, type ToolResultBlock as u, type RunOptions as v, ConversationState as w, type ResumedSession as x, type SessionData as y, type SessionSummary as z };
@@ -1,12 +1,12 @@
1
- import { C as Context, g as ProviderError, T as Tool, s as ToolUseBlock, t as ToolResultBlock, l as ToolErrorCategory } from './context-DPlA6kid.js';
2
- import { C as Compactor, a as CompactReport } from './compactor-D3BGw26y.js';
3
- import { E as ErrorHandler, a as RecoveryDecision, R as RetryPolicy } from './retry-policy-Git9WF6d.js';
4
- import { M as ModelsRegistry, C as Config } from './config-DAOjriz9.js';
5
- import { h as Agent, i as AgentFactory } from './agent-subagent-runner-BimKihiC.js';
6
- import { B as BrainArbiter, E as EventBus } from './brain-CCfuEOdp.js';
7
- import { J as JournalEntry } from './goal-store-C1uH4srH.js';
8
- import { D as DispatchClassifier, a as DefaultMultiAgentCoordinator } from './multi-agent-coordinator-CcrcncvG.js';
9
- import { T as ToolExecutorOptions, a as ToolExecutorStrategy, b as ToolBatchResult } from './index-DJXj-dcr.js';
1
+ import { C as Context, h as ProviderError, T as Tool, t as ToolUseBlock, u as ToolResultBlock, l as ToolErrorCategory } from './tool-BkOgs_KL.js';
2
+ import { C as Compactor, a as CompactReport } from './compactor-U3agvUIG.js';
3
+ import { E as ErrorHandler, a as RecoveryDecision, R as RetryPolicy } from './retry-policy-D4feSLk3.js';
4
+ import { M as ModelsRegistry, C as Config } from './config-Cr3312zc.js';
5
+ import { h as Agent, i as AgentFactory } from './agent-subagent-runner-PoqNKiR4.js';
6
+ import { B as BrainArbiter, E as EventBus } from './events-Bs2fmldo.js';
7
+ import { J as JournalEntry } from './goal-store-C4F6DjC0.js';
8
+ import { D as DispatchClassifier, a as DefaultMultiAgentCoordinator } from './multi-agent-coordinator-CieyUoEL.js';
9
+ import { T as ToolExecutorOptions, a as ToolExecutorStrategy, b as ToolBatchResult } from './index-kidebiDh.js';
10
10
 
11
11
  interface CompactorOptions {
12
12
  preserveK?: number | undefined;
@@ -1,5 +1,5 @@
1
- import { T as Tool } from '../context-DPlA6kid.js';
2
- import { c as MCPServerConfig, C as Config } from '../config-DAOjriz9.js';
1
+ import { T as Tool } from '../tool-BkOgs_KL.js';
2
+ import { c as MCPServerConfig, C as Config } from '../config-Cr3312zc.js';
3
3
  import '../dispatcher-types.d-BBeXBQgS.js';
4
4
  import 'node:https';
5
5
  import 'undici';