@wrongstack/core 0.54.1 → 0.66.13

package/dist/defaults/index.js

@@ -1,7 +1,7 @@
 import * as crypto2 from 'crypto';
 import { randomBytes, randomUUID, createCipheriv, createDecipheriv, createHash } from 'crypto';
 import * as fsp from 'fs/promises';
-import * as path15 from 'path';
+import * as path16 from 'path';
 import { isAbsolute, resolve } from 'path';
 import * as fs5 from 'fs';
 import * as os from 'os';
@@ -32,9 +32,9 @@ __export(atomic_write_exports, {
   ensureDir: () => ensureDir
 });
 async function atomicWrite(targetPath, content, opts = {}) {
-  const dir = path15.dirname(targetPath);
+  const dir = path16.dirname(targetPath);
   await fsp.mkdir(dir, { recursive: true });
-  const tmp = path15.join(dir, `.${path15.basename(targetPath)}.${randomBytes(6).toString("hex")}.tmp`);
+  const tmp = path16.join(dir, `.${path16.basename(targetPath)}.${randomBytes(6).toString("hex")}.tmp`);
   try {
     if (typeof content === "string") {
       await fsp.writeFile(tmp, content, { flag: "wx", encoding: opts.encoding ?? "utf8" });
@@ -89,7 +89,7 @@ async function renameWithRetry(from, to) {
       if (!code || !TRANSIENT_RENAME_CODES.has(code) || i === delays.length) {
         throw err;
       }
-      await new Promise((resolve4) => setTimeout(resolve4, delays[i]));
+      await new Promise((resolve5) => setTimeout(resolve5, delays[i]));
     }
   }
   throw lastErr;
@@ -169,7 +169,7 @@ var DefaultLogger = class _DefaultLogger {
     this.pretty = opts.pretty ?? true;
     if (this.file) {
       try {
-        fs5.mkdirSync(path15.dirname(this.file), { recursive: true });
+        fs5.mkdirSync(path16.dirname(this.file), { recursive: true });
       } catch {
       }
     }
@@ -342,7 +342,7 @@ var DefaultSessionStore = class {
   }
   /** Join session ID to its absolute path within the store directory. */
   sessionPath(id, ext) {
-    return path15.join(this.dir, `${id}${ext}`);
+    return path16.join(this.dir, `${id}${ext}`);
   }
   async ensureShardDir(_id) {
     await ensureDir(this.dir);
@@ -352,7 +352,7 @@ var DefaultSessionStore = class {
     const startedAt = (/* @__PURE__ */ new Date()).toISOString();
     const id = meta.id ?? `${startedAt.replace(/[:.]/g, "-")}-${randomBytes(2).toString("hex")}`;
     const shardDir = await this.ensureShardDir(id);
-    const file = path15.join(shardDir, `${id}.jsonl`);
+    const file = path16.join(shardDir, `${id}.jsonl`);
     let handle;
     try {
       handle = await fsp.open(file, "a", 384);
@@ -445,7 +445,7 @@ var DefaultSessionStore = class {
     const ids = [];
     const entries = await fsp.readdir(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const full = path15.join(dir, entry.name);
+      const full = path16.join(dir, entry.name);
       if (entry.isDirectory()) {
         ids.push(...await this.collectSessionIds(full));
       } else if (entry.isFile() && entry.name.endsWith(".jsonl")) {
@@ -601,7 +601,7 @@ var FileSessionWriter = class {
     this.meta = meta;
     this.events = events;
     this.resumed = opts.resumed ?? false;
-    this.manifestFile = opts.dir ? path15.join(opts.dir, `${id}.summary.json`) : "";
+    this.manifestFile = opts.dir ? path16.join(opts.dir, `${id}.summary.json`) : "";
     this.filePath = opts.filePath ?? "";
     this.secretScrubber = opts.secretScrubber;
     this.summary = {
@@ -883,7 +883,7 @@ init_atomic_write();
 var QueueStore = class {
   file;
   constructor(opts) {
-    this.file = path15.join(opts.dir, "queue.json");
+    this.file = path16.join(opts.dir, "queue.json");
   }
   async write(items) {
     if (items.length === 0) {
@@ -953,7 +953,7 @@ var DefaultAttachmentStore = class {
     let data = input.data;
     if (this.spoolDir && bytes >= this.spoolThreshold) {
       await fsp.mkdir(this.spoolDir, { recursive: true });
-      spooledPath = path15.join(this.spoolDir, `${id}.bin`);
+      spooledPath = path16.join(this.spoolDir, `${id}.bin`);
       await atomicWrite(spooledPath, input.data, {
         encoding: input.kind === "image" ? "base64" : "utf8"
       });
@@ -1141,7 +1141,7 @@ ${body.trim()}`);
   async remember(text, scope = "project-memory") {
     return this.runSerialized(scope, async () => {
       const file = this.files[scope];
-      await ensureDir(path15.dirname(file));
+      await ensureDir(path16.dirname(file));
       let existing = "";
       try {
         existing = await fsp.readFile(file, "utf8");
@@ -1765,7 +1765,7 @@ var RecoveryLock = class {
   sessionStore;
   probe;
   constructor(opts) {
-    this.file = path15.join(opts.dir, LOCK_FILE);
+    this.file = path16.join(opts.dir, LOCK_FILE);
     this.pid = opts.pid ?? process.pid;
     this.hostname = opts.hostname ?? os.hostname();
     this.maxAgeMs = opts.maxAgeMs ?? DEFAULT_MAX_AGE_MS;
@@ -1823,7 +1823,7 @@ var RecoveryLock = class {
    * null return before calling this.
    */
   async write(sessionId) {
-    await ensureDir(path15.dirname(this.file));
+    await ensureDir(path16.dirname(this.file));
     const lock = {
       v: 1,
       sessionId,
@@ -3050,7 +3050,7 @@ var DefaultSecretVault = class {
     } catch (err) {
       if (err.code !== "ENOENT") throw err;
     }
-    fs5.mkdirSync(path15.dirname(this.keyFile), { recursive: true });
+    fs5.mkdirSync(path16.dirname(this.keyFile), { recursive: true });
     const key = randomBytes(KEY_BYTES);
     try {
       fs5.writeFileSync(this.keyFile, key, { mode: 384, flag: "wx" });
@@ -3119,7 +3119,7 @@ async function rewriteConfigEncrypted(configPath, vault, patch) {
   }
   const merged = deepMerge2(current, patch ?? {});
   const encrypted = encryptConfigSecrets(merged, vault);
-  await fsp.mkdir(path15.dirname(configPath), { recursive: true });
+  await fsp.mkdir(path16.dirname(configPath), { recursive: true });
   await atomicWrite(configPath, JSON.stringify(encrypted, null, 2), { mode: 384 });
   await restrictFilePermissions(configPath);
 }
@@ -3321,6 +3321,87 @@ function matchGlob(pattern, input) {
 function matchAny(patterns, input) {
   return patterns.some((p) => matchGlob(p, input));
 }
+var DESTRUCTIVE_BASH_PATTERNS = [
+  /\bgit\s+(?:clean\s+-[^\s]*[xdf]|reset\s+--hard)\b/i,
+  /\b(?:drop|truncate)\s+(?:table|database|schema)\b/i,
+  /\bdelete\s+from\b/i,
+  /\b(?:mkfs|format|diskpart|shutdown|reboot)\b/i,
+  /\bchmod\s+-R\s+777\b/i,
+  /\bchown\s+-R\b/i,
+  /\b(?:curl|wget)\b.*\|\s*(?:sh|bash|zsh|pwsh|powershell)\b/i,
+  /\b(?:powershell|pwsh)\b.*(?:-encodedcommand|-enc)\b/i,
+  /:\(\)\s*\{\s*:\|:&\s*}\s*;/
+];
+var PROJECT_ESCAPE_PATTERN = /(?:^|[\s"'])\.\.(?:[\\/]|$)/;
+var ABSOLUTE_PATH_PATTERN = /(?:^|[\s"'])(?:~[\\/]|\/[A-Za-z0-9_.-]|[A-Za-z]:[\\/])/;
+var SHELL_OPERATORS = /* @__PURE__ */ new Set(["&&", "||", "|", ";", ">", ">>", "<", "2>", "2>>"]);
+function getInputString(input, key) {
+  if (!input || typeof input !== "object") return void 0;
+  const value = input[key];
+  return typeof value === "string" ? value : void 0;
+}
+function pathLooksInsideProject(rawPath, projectRoot) {
+  if (!projectRoot) return false;
+  if (rawPath === "~" || rawPath.startsWith("~/") || rawPath.startsWith("~\\")) return false;
+  const resolved = path16.resolve(projectRoot, rawPath);
+  const relative2 = path16.relative(projectRoot, resolved);
+  return !!relative2 && !relative2.startsWith("..") && !path16.isAbsolute(relative2);
+}
+function tokenizeShell(command) {
+  return command.match(/"[^"]*"|'[^']*'|\S+/g)?.map((token) => token.replace(/^['"]|['"]$/g, "")) ?? [];
+}
+function pathTokenIsOutsideProject(token, projectRoot) {
+  if (!token || SHELL_OPERATORS.has(token) || token.startsWith("-")) return false;
+  if (token === "/" || token === "~" || token === "." || token === "..") return token !== ".";
+  if (token.includes("*")) return true;
+  if (token.startsWith("..") || token.includes("../") || token.includes("..\\")) return true;
+  if (path16.isAbsolute(token) || token.startsWith("~/")) return !pathLooksInsideProject(token, projectRoot);
+  return false;
+}
+function hasDangerousDeleteTarget(tokens, start, projectRoot) {
+  const targets = tokens.slice(start).filter((token) => !token.startsWith("-") && !SHELL_OPERATORS.has(token));
+  if (targets.length === 0) return true;
+  return targets.some((target) => pathTokenIsOutsideProject(target, projectRoot));
+}
+function hasDestructiveDelete(command, projectRoot) {
+  const tokens = tokenizeShell(command);
+  for (let i = 0; i < tokens.length; i++) {
+    const token = tokens[i]?.toLowerCase();
+    if (!token) continue;
+    if (token === "rm") {
+      const args = tokens.slice(i + 1);
+      const recursiveOrForce = args.some(
+        (arg) => /^-[^-]*[rf]/i.test(arg) || arg === "--recursive" || arg === "--force"
+      );
+      if (recursiveOrForce && hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
+    }
+    if (token === "rmdir" || token === "rd") {
+      const args = tokens.slice(i + 1);
+      const recursive = args.some((arg) => arg.toLowerCase() === "/s");
+      if (recursive && hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
+    }
+    if (token === "del" || token === "erase") {
+      if (hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
+    }
+    if (token === "remove-item") {
+      const args = tokens.slice(i + 1).map((arg) => arg.toLowerCase());
+      const recursiveOrForce = args.includes("-recurse") || args.includes("-force");
+      if (recursiveOrForce && hasDangerousDeleteTarget(tokens, i + 1, projectRoot)) return true;
+    }
+  }
+  return false;
+}
+function isClearlyDestructiveBashCommand(command, projectRoot) {
+  const trimmed = command.trim();
+  if (!trimmed) return false;
+  if (hasDestructiveDelete(trimmed, projectRoot)) return true;
+  if (DESTRUCTIVE_BASH_PATTERNS.some((pattern) => pattern.test(trimmed))) return true;
+  if (/\bcd\s+(?:\.\.|~|\/|[A-Za-z]:[\\/])/i.test(trimmed)) return true;
+  if (PROJECT_ESCAPE_PATTERN.test(trimmed)) return true;
+  const absolute = trimmed.match(ABSOLUTE_PATH_PATTERN)?.[0]?.trim().replace(/^['"]|['"]$/g, "");
+  if (absolute && !pathLooksInsideProject(absolute, projectRoot)) return true;
+  return false;
+}
 
 // src/security/permission-policy.ts
 var DefaultPermissionPolicy = class {
@@ -3328,7 +3409,9 @@ var DefaultPermissionPolicy = class {
   loaded = false;
   trustFile;
   yolo;
-  forceAllYolo;
+  yoloDestructive;
+  /** When true, destructive ops still require confirmation even in YOLO mode. */
+  confirmDestructive;
   /**
    * Session-scoped "soft deny" map. When the user presses 'n' (block once),
    * the tool+pattern is added here. If the LLM retries in the same session,
@@ -3361,7 +3444,8 @@ var DefaultPermissionPolicy = class {
   constructor(opts) {
     this.trustFile = opts.trustFile;
     this.yolo = opts.yolo ?? false;
-    this.forceAllYolo = opts.forceAllYolo ?? false;
+    this.yoloDestructive = opts.yoloDestructive ?? opts.forceAllYolo ?? false;
+    this.confirmDestructive = opts.confirmDestructive ?? false;
     this.promptDelegate = opts.promptDelegate;
   }
   /**
@@ -3381,13 +3465,29 @@ var DefaultPermissionPolicy = class {
   getYolo() {
     return this.yolo;
   }
-  /** Toggle force-all-YOLO at runtime. */
+  /** Toggle the destructive YOLO override at runtime. */
+  setYoloDestructive(enabled) {
+    this.yoloDestructive = enabled;
+  }
+  /** Check whether the destructive YOLO override is active. */
+  getYoloDestructive() {
+    return this.yoloDestructive;
+  }
+  /** Toggle destructive confirmation gate (only meaningful when yolo is active). */
+  setConfirmDestructive(enabled) {
+    this.confirmDestructive = enabled;
+  }
+  /** Check whether destructive confirmation gate is active. */
+  getConfirmDestructive() {
+    return this.confirmDestructive;
+  }
+  /** @deprecated Use `setYoloDestructive`. */
   setForceAllYolo(enabled) {
-    this.forceAllYolo = enabled;
+    this.setYoloDestructive(enabled);
   }
-  /** Check whether force-all-YOLO is active. */
+  /** @deprecated Use `getYoloDestructive`. */
   getForceAllYolo() {
-    return this.forceAllYolo;
+    return this.getYoloDestructive();
   }
   async reload() {
     try {
@@ -3434,29 +3534,28 @@ var DefaultPermissionPolicy = class {
       return { permission: "auto", source: "trust" };
     }
     if (this.yolo) {
-      if (tool.riskTier === "destructive" && !this.forceAllYolo) {
-        if (this.promptDelegate) {
-          const decision = await this.promptDelegate(tool, input, subject ?? tool.name);
-          if (decision === "always") {
-            await this.trust({ tool: tool.name, pattern: subject ?? tool.name });
-            return {
-              permission: "auto",
-              source: "user",
-              reason: "destructive yolo always-allowed"
-            };
-          }
-          if (decision === "deny") {
-            await this.deny({ tool: tool.name, pattern: subject ?? tool.name });
-            return { permission: "deny", source: "user", reason: "user denied destructive yolo" };
+      if (this.confirmDestructive) {
+        const destructive = this.isDestructiveYoloCall(tool, input, ctx);
+        if (destructive) {
+          if (this.promptDelegate) {
+            const decision = await this.promptDelegate(tool, input, subject ?? tool.name);
+            if (decision === "always") {
+              await this.trust({ tool: tool.name, pattern: subject ?? tool.name });
+              return { permission: "auto", source: "user", reason: "destructive yolo always-allowed" };
+            }
+            if (decision === "deny") {
+              await this.deny({ tool: tool.name, pattern: subject ?? tool.name });
+              return { permission: "deny", source: "user", reason: "user denied destructive yolo" };
+            }
+            return { permission: decision === "yes" ? "auto" : "deny", source: "user" };
           }
-          return { permission: decision === "yes" ? "auto" : "deny", source: "user" };
+          return {
+            permission: "confirm",
+            source: "yolo_destructive",
+            riskTier: "destructive",
+            reason: "destructive tool needs explicit approval (confirmDestructive is on)"
+          };
         }
-        return {
-          permission: "confirm",
-          source: "yolo_destructive",
-          riskTier: "destructive",
-          reason: "destructive tool needs explicit approval even in yolo mode"
-        };
       }
       return { permission: "auto", source: "yolo" };
     }
@@ -3486,6 +3585,18 @@ var DefaultPermissionPolicy = class {
     }
     return { permission: "confirm", source: "default" };
   }
+  isDestructiveYoloCall(tool, input, ctx) {
+    if (tool.name === "bash") {
+      const command = getInputString(input, "command");
+      return command ? isClearlyDestructiveBashCommand(command, ctx.projectRoot) : true;
+    }
+    if (tool.name === "write" || tool.name === "edit" || tool.name === "replace" || tool.name === "patch") {
+      const targetPath = getInputString(input, "path") ?? getInputString(input, "file");
+      if (!targetPath || !ctx.projectRoot) return false;
+      return !pathLooksInsideProject(targetPath, ctx.projectRoot);
+    }
+    return tool.riskTier === "destructive";
+  }
   async trust(rule) {
     if (!this.loaded) await this.reload();
     const entry = this.policy[rule.tool] ?? {};
@@ -3803,7 +3914,7 @@ var DefaultRetryPolicy = class {
 };
 
 // src/execution/error-handler.ts
-var CONTEXT_OVERFLOW_RE = /context|too long|tokens/i;
+var CONTEXT_OVERFLOW_RE = /context|too long|tokens|exceeds the context window|context window/i;
 function buildRecoveryStrategies(opts) {
   return [
     {
@@ -3811,7 +3922,7 @@ function buildRecoveryStrategies(opts) {
       compactor: opts?.compactor,
       async attempt(err, ctx) {
         if (!(err instanceof ProviderError)) return null;
-        if (err.status !== 413 && !CONTEXT_OVERFLOW_RE.test(err.message)) return null;
+        if (err.status !== 413 && !isContextOverflowError(err)) return null;
         if (this.compactor) {
           try {
             const report = await this.compactor.compact(ctx, { aggressive: true });
@@ -3845,6 +3956,14 @@ function buildRecoveryStrategies(opts) {
   ];
 }
 var DEFAULT_RECOVERY_STRATEGIES = buildRecoveryStrategies();
+function isContextOverflowError(err) {
+  return CONTEXT_OVERFLOW_RE.test([
+    err.message,
+    err.body?.message,
+    err.body?.type,
+    err.body?.raw
+  ].filter(Boolean).join("\n"));
+}
 var DefaultErrorHandler = class {
   strategies;
   constructor(strategies = DEFAULT_RECOVERY_STRATEGIES) {
@@ -3861,7 +3980,7 @@ var DefaultErrorHandler = class {
       if (err.status === 429) return { kind: "rate_limit", retryable: true };
       if (err.status === 529) return { kind: "overloaded", retryable: true };
       if (err.status >= 500) return { kind: "server", retryable: true };
-      if (err.status === 413 || CONTEXT_OVERFLOW_RE.test(err.message)) {
+      if (err.status === 413 || isContextOverflowError(err)) {
         return { kind: "context_overflow", retryable: false };
       }
       if (err.status >= 400) return { kind: "client", retryable: false };
@@ -3900,7 +4019,7 @@ var DefaultSkillLoader = class {
         const entries = await fsp.readdir(dir, { withFileTypes: true });
         for (const e of entries) {
           if (!e.isDirectory()) continue;
-          const skillFile = path15.join(dir, e.name, "SKILL.md");
+          const skillFile = path16.join(dir, e.name, "SKILL.md");
           try {
             const raw = await fsp.readFile(skillFile, "utf8");
             const meta = parseFrontmatter(raw);
@@ -4312,8 +4431,8 @@ async function streamProviderToResponse(provider, req, signal, ctx, events) {
       try {
         await Promise.race([
           Promise.resolve(iter.return?.()),
-          new Promise((resolve4) => {
-            drainTimer = setTimeout(resolve4, 500);
+          new Promise((resolve5) => {
+            drainTimer = setTimeout(resolve5, 500);
           })
         ]);
       } finally {
@@ -4374,7 +4493,7 @@ async function runProviderWithRetry(opts) {
           description
         });
       }
-      await new Promise((resolve4, reject) => {
+      await new Promise((resolve5, reject) => {
         let settled = false;
         const onAbort = () => {
           if (settled) return;
@@ -4387,7 +4506,7 @@ async function runProviderWithRetry(opts) {
           settled = true;
           clearTimeout(t);
           signal.removeEventListener("abort", onAbort);
-          resolve4();
+          resolve5();
         }, delay);
         if (signal.aborted) {
           onAbort();
@@ -5488,11 +5607,11 @@ function validateAgainstSchema(value, schema) {
   walk3(value, schema, "", errors);
   return { ok: errors.length === 0, errors };
 }
-function walk3(value, schema, path18, errors) {
+function walk3(value, schema, path19, errors) {
   if (schema.enum !== void 0) {
     if (!schema.enum.some((e) => deepEqual(e, value))) {
       errors.push({
-        path: path18 || "<root>",
+        path: path19 || "<root>",
         message: `expected one of ${JSON.stringify(schema.enum)}, got ${JSON.stringify(value)}`
       });
       return;
@@ -5501,7 +5620,7 @@ function walk3(value, schema, path18, errors) {
   if (typeof schema.type === "string") {
     if (!checkType(value, schema.type)) {
       errors.push({
-        path: path18 || "<root>",
+        path: path19 || "<root>",
         message: `expected ${schema.type}, got ${describeType(value)}`
       });
       return;
@@ -5511,19 +5630,19 @@ function walk3(value, schema, path18, errors) {
     const obj = value;
     for (const req of schema.required ?? []) {
       if (!(req in obj)) {
-        errors.push({ path: joinPath(path18, req), message: "required property missing" });
+        errors.push({ path: joinPath(path19, req), message: "required property missing" });
       }
     }
     if (schema.properties) {
       for (const [key, subSchema] of Object.entries(schema.properties)) {
         if (key in obj) {
-          walk3(obj[key], subSchema, joinPath(path18, key), errors);
+          walk3(obj[key], subSchema, joinPath(path19, key), errors);
         }
       }
     }
   }
   if (schema.type === "array" && Array.isArray(value) && schema.items) {
-    value.forEach((item, i) => walk3(item, schema.items, `${path18}[${i}]`, errors));
+    value.forEach((item, i) => walk3(item, schema.items, `${path19}[${i}]`, errors));
   }
 }
 function checkType(value, type) {
@@ -5649,8 +5768,9 @@ var ToolExecutor = class {
    */
   async executeBatch(toolUses, ctx, strategy) {
     let budget = this.opts.perIterationOutputCapBytes ?? 1e5;
-    const runOne = async (use) => {
+    const runOne = async (use0) => {
       const start = Date.now();
+      let use = use0;
       const tool = this.registry.get(use.name);
       if (!tool) {
         const result = this.unknownToolResult(use, () => this.registry.list().map((t) => t.name));
@@ -5683,10 +5803,36 @@ Please call the tool again with arguments that match its inputSchema. You can us
         budget = this.decrementBudget(result, budget);
         return { result, tool, durationMs: Date.now() - start };
       }
+      if (this.opts.hookRunner?.has("PreToolUse")) {
+        const pre = await this.opts.hookRunner.preToolUse(tool.name, use.input, ctx);
+        if (pre.block) {
+          const result = this.blockedByHookResult(use, pre.reason);
+          budget = this.decrementBudget(result, budget);
+          return { result, tool, durationMs: Date.now() - start };
+        }
+        if (pre.input) {
+          const reval = validateAgainstSchema(pre.input, tool.inputSchema);
+          if (!reval.ok) {
+            const errorDetails = reval.errors.map((e) => `  - ${e.path || "input"}: ${e.message}`).join("\n");
+            const result = {
+              type: "tool_result",
+              tool_use_id: use.id,
+              content: `A PreToolUse hook rewrote the arguments for "${tool.name}" into an invalid shape.
+
+Validation errors:
+${errorDetails}`,
+              is_error: true
+            };
+            budget = this.decrementBudget(result, budget);
+            return { result, tool, durationMs: Date.now() - start };
+          }
+          use = { ...use, input: pre.input };
+        }
+      }
       const decision = await this.opts.permissionPolicy.evaluate(tool, use.input, ctx);
       let effectivePermission = decision.permission;
       const policy = this.opts.permissionPolicy;
-      const yolo = policy.getYolo?.() === true || policy.getForceAllYolo?.() === true;
+      const yolo = policy.getYolo?.() === true || policy.getYoloDestructive?.() === true || policy.getForceAllYolo?.() === true;
       if (toolDangerousCaps.length > 0 && effectivePermission === "auto" && !yolo) {
         effectivePermission = "confirm";
       }
@@ -5729,7 +5875,20 @@ Please call the tool again with arguments that match its inputSchema. You can us
         "tool.has_dangerous_capabilities": toolCapsForAudit.length > 0
       });
       try {
-        const result = await this.executeTool(tool, use, ctx, budget);
+        let result = await this.executeTool(tool, use, ctx, budget);
+        if (this.opts.hookRunner?.has("PostToolUse")) {
+          const post = await this.opts.hookRunner.postToolUse(
+            tool.name,
+            use.input,
+            { content: String(result.content), isError: !!result.is_error },
+            ctx
+          );
+          if (post.additionalContext) {
+            result = { ...result, content: `${result.content}
+
+${post.additionalContext}` };
+          }
+        }
         budget = this.decrementBudget(result, budget);
         span?.setAttribute("tool.is_error", !!result.is_error);
         span?.setAttribute(
@@ -5918,6 +6077,14 @@ ${excerpt}`;
       is_error: true
     };
   }
+  blockedByHookResult(use, reason) {
+    return {
+      type: "tool_result",
+      tool_use_id: use.id,
+      content: `Tool "${use.name}" was blocked by a PreToolUse hook: ${reason ?? "no reason given"}`,
+      is_error: true
+    };
+  }
   decrementBudget(result, budget) {
     const contentBytes = typeof result.content === "string" ? Buffer.byteLength(result.content, "utf8") : Buffer.byteLength(JSON.stringify(result.content), "utf8");
     return Math.max(0, budget - contentBytes);
@@ -6144,8 +6311,8 @@ var AutonomousRunner = class {
 init_atomic_write();
 var MAX_JOURNAL_ENTRIES = 500;
 function goalFilePath(projectRoot) {
-  const hash = createHash("sha256").update(path15.resolve(projectRoot)).digest("hex").slice(0, 12);
-  return path15.join(os.homedir(), ".wrongstack", "projects", hash, "goal.json");
+  const hash = createHash("sha256").update(path16.resolve(projectRoot)).digest("hex").slice(0, 12);
+  return path16.join(os.homedir(), ".wrongstack", "projects", hash, "goal.json");
 }
 async function loadGoal(filePath) {
   let raw;
@@ -6631,7 +6798,8 @@ ${recentJournal}` : "No prior iterations.",
       "   \u2022 When this iteration's Task is finished (real artifact / passing",
       "     test / applied diff / clean output), emit `[done]` on its own line.",
       "   \u2022 Do not stop on the first obstacle \u2014 try at least 3 distinct",
-      "     approaches before giving up. YOLO is active; no confirmations.",
+      "     approaches before giving up. YOLO is active for normal project work;",
+      "     destructive-gated confirmations still belong to the permission flow.",
       "",
       "2. UPDATE TODO STATE (when Source is `todo`)",
       "   \u2022 Mark this todo `in_progress` via the todos tool before tool work.",
@@ -6760,7 +6928,7 @@ ${recentJournal}` : "No prior iterations.",
   }
 };
 function sleep(ms) {
-  return new Promise((resolve4) => setTimeout(resolve4, ms));
+  return new Promise((resolve5) => setTimeout(resolve5, ms));
 }
 
 // src/coordination/subagent-budget.ts
@@ -6976,12 +7144,12 @@ var SubagentBudget = class _SubagentBudget {
           if (!bus || !bus.hasListenerFor("budget.threshold_reached")) {
             return Promise.resolve("stop");
           }
-          return new Promise((resolve4) => {
+          return new Promise((resolve5) => {
             let resolved = false;
             const respond = (d) => {
               if (resolved) return;
               resolved = true;
-              resolve4(d);
+              resolve5(d);
             };
             const fallback = setTimeout(
               () => respond("stop"),
@@ -7052,15 +7220,22 @@ var SubagentBudget = class _SubagentBudget {
     void this.checkLimits();
   }
   /**
-   * Wall-clock budget check. Unlike other limits, timeout is always a hard stop
-   * — wall-clock time cannot be "extended" by the coordinator, so it throws
-   * synchronously rather than entering the negotiation flow.
+   * Wall-clock / idle budget check. Delegates to `checkLimits(elapsed)`, so
+   * `timeout` and `idle_timeout` follow the SAME negotiation path as the other
+   * kinds — they are NOT a special-cased hard stop. This is deliberate: a
+   * heartbeat-aware policy (see `attachAutoExtend` and `CollabSession`) grants
+   * a timeout extension only while the agent is making progress and denies it
+   * once the agent is genuinely stuck, which is safer than an unconditional
+   * hard kill of a long-but-working agent. The runner translates the resulting
+   * `BudgetThresholdSignal` decision (`extend` → patch limits in place,
+   * `stop` → abort) just like every other kind.
    *
-   * Decision table:
-   * - no `onThreshold` handler         → throw `BudgetExceededError`
-   * - `mode === 'sync'`               → throw `BudgetExceededError`
-   * - `mode === 'auto'` + no listener  → throw `BudgetExceededError`
-   * - `mode === 'auto'` + listener     → throw `BudgetExceededError` (timeout is not extendable)
+   * Decision table (same as `checkLimits`):
+   * - no `onThreshold` handler        → throw `BudgetExceededError` (hard stop)
+   * - `mode === 'sync'`               → throw `BudgetExceededError` (hard stop)
+   * - `mode === 'auto'` + no listener → throw `BudgetExceededError` (no one to ask)
+   * - `mode === 'auto'` + listener    → throw `BudgetThresholdSignal` (negotiated;
+   *                                     a heartbeat-aware policy may extend the timeout)
    */
   checkTimeout() {
     if (this.startTime === null) return;
@@ -9926,7 +10101,10 @@ var NICKNAME_POOL = {
   "lavoisier": { name: "Lavoisier", domain: "chemistry" },
   "mendeleev": { name: "Mendeleev", domain: "chemistry" }
 };
-var ALL_NICKNAMES = Object.values(NICKNAME_POOL);
+var ALL_NICKNAMES = Object.entries(NICKNAME_POOL);
+var NAME_TO_KEY = Object.fromEntries(
+  ALL_NICKNAMES.map(([key, entry]) => [entry.name, key])
+);
 var DOMAIN_PREFERENCES = {
   "security": ["shannon", "turing", "lamarr", "stallman"],
   "bug-hunter": ["darwin", "curie", "feynman", "fermi"],
@@ -9959,17 +10137,23 @@ function assignNickname(role, used) {
   for (const key of preferences) {
     const entry = NICKNAME_POOL[key];
     if (entry && !used.has(key)) {
-      return `${entry.name} (${formatRole(role)})`;
+      return { key, display: `${entry.name} (${formatRole(role)})` };
     }
   }
-  for (const entry of ALL_NICKNAMES) {
-    const key = Object.entries(NICKNAME_POOL).find(([, v]) => v.name === entry.name)?.[0];
-    if (key && !used.has(key)) {
-      return `${entry.name} (${formatRole(role)})`;
+  for (const [key, entry] of ALL_NICKNAMES) {
+    if (!used.has(key)) {
+      return { key, display: `${entry.name} (${formatRole(role)})` };
     }
   }
   const counter = used.size + 1;
-  return `Scientist #${counter} (${formatRole(role)})`;
+  return { key: `scientist-${counter}`, display: `Scientist #${counter} (${formatRole(role)})` };
+}
+function nicknameKeyFromDisplay(display) {
+  const base = display.replace(/\s*\([^)]*\)\s*$/, "").trim();
+  const key = NAME_TO_KEY[base];
+  if (key) return key;
+  const synthesized = base.match(/^Scientist #(\d+)$/);
+  return synthesized ? `scientist-${synthesized[1]}` : void 0;
 }
 function formatRole(role) {
   return role.split(/[-_]/).map((w) => w.charAt(0).toUpperCase() + w.slice(1)).join(" ");
@@ -10056,11 +10240,10 @@ var DefaultMultiAgentCoordinator = class _DefaultMultiAgentCoordinator extends E
     const name = subagent.name?.trim() ?? "";
     const isPlaceholder = name === "" || name.toLowerCase() === role.toLowerCase() || name === "subagent" || name === "adhoc" || name === "generic" || /^slot-/.test(name);
     if (!isPlaceholder) return subagent;
-    const nickname = assignNickname(role, this.usedNicknames);
-    const baseKey = nickname.split(" ")[0].toLowerCase().replace(/[^a-z0-9-]/g, "-");
-    this.usedNicknames.add(baseKey);
-    this.subagentNicknames.set(subagentId, baseKey);
-    return { ...subagent, name: nickname };
+    const { key, display } = assignNickname(role, this.usedNicknames);
+    this.usedNicknames.add(key);
+    this.subagentNicknames.set(subagentId, key);
+    return { ...subagent, name: display };
   }
   async spawn(subagent) {
     const id = subagent.id || randomUUID();
@@ -10208,7 +10391,7 @@ var DefaultMultiAgentCoordinator = class _DefaultMultiAgentCoordinator extends E
       taskIds.map((id) => {
         const cached = this.completedResults.find((r) => r.taskId === id);
         if (cached) return cached;
-        return new Promise((resolve4, reject) => {
+        return new Promise((resolve5, reject) => {
           const timeout = setTimeout(() => {
             this.off("task.completed", handler);
             reject(new Error(`awaitTasks timed out waiting for task "${id}"`));
@@ -10217,7 +10400,7 @@ var DefaultMultiAgentCoordinator = class _DefaultMultiAgentCoordinator extends E
             if (result.taskId === id) {
               clearTimeout(timeout);
               this.off("task.completed", handler);
-              resolve4(result);
+              resolve5(result);
             }
           };
           this.on("task.completed", handler);
@@ -10312,23 +10495,32 @@ var DefaultMultiAgentCoordinator = class _DefaultMultiAgentCoordinator extends E
    */
   drainPendingAsAborted(message) {
     const dropped = this.pendingTasks.splice(0, this.pendingTasks.length);
-    for (const t of dropped) {
-      const synthetic = {
-        subagentId: t.subagentId ?? "unassigned",
-        taskId: t.id,
-        status: "stopped",
-        error: {
-          kind: "aborted_by_parent",
-          message,
-          retryable: false
-        },
-        iterations: 0,
-        toolCalls: 0,
-        durationMs: 0
-      };
-      this.completedResults.push(synthetic);
-      this.emit("task.completed", { task: t, result: synthetic });
-    }
+    for (const t of dropped) this.emitPendingAborted(t, message);
+  }
+  /**
+   * Emit a synthetic `stopped`/`aborted_by_parent` completion for a single
+   * PENDING task — one that was never counted in `inFlight`. This MUST bypass
+   * `recordCompletion`: that path does `inFlight--`, which for a pending task
+   * steals a decrement from a genuinely in-flight task and trips the underflow
+   * guard — suppressing that real task's `task.completed` and hanging its
+   * `awaitTasks()` caller. Pushes the result and fires the event directly.
+   */
+  emitPendingAborted(task, message) {
+    const synthetic = {
+      subagentId: task.subagentId ?? "unassigned",
+      taskId: task.id,
+      status: "stopped",
+      error: {
+        kind: "aborted_by_parent",
+        message,
+        retryable: false
+      },
+      iterations: 0,
+      toolCalls: 0,
+      durationMs: 0
+    };
+    this.completedResults.push(synthetic);
+    this.emit("task.completed", { task, result: synthetic });
   }
   async runDispatched(subagentId, task) {
     const subagent = this.subagents.get(subagentId);
@@ -10589,20 +10781,10 @@ var DefaultMultiAgentCoordinator = class _DefaultMultiAgentCoordinator extends E
     const orphaned = this.pendingTasks.filter((t) => t.subagentId === subagentId);
     this.pendingTasks = this.pendingTasks.filter((t) => t.subagentId !== subagentId);
     for (const t of orphaned) {
-      const synthetic = {
-        subagentId,
-        taskId: t.id,
-        status: "stopped",
-        error: {
-          kind: "aborted_by_parent",
-          message: `Subagent "${subagentId}" was removed while task "${t.id}" was pending`,
-          retryable: false
-        },
-        iterations: 0,
-        toolCalls: 0,
-        durationMs: 0
-      };
-      this.recordCompletion(synthetic);
+      this.emitPendingAborted(
+        t,
+        `Subagent "${subagentId}" was removed while task "${t.id}" was pending`
+      );
     }
     this.fleetBus?.emit({
       subagentId,
@@ -10720,7 +10902,7 @@ function providerErrorToSubagentError(err, message, cause) {
 
 // src/execution/parallel-eternal-engine.ts
 function sleep2(ms) {
-  return new Promise((resolve4) => setTimeout(resolve4, ms));
+  return new Promise((resolve5) => setTimeout(resolve5, ms));
 }
 var GOAL_COMPLETE_MARKER2 = /^\s*\[goal[_\s-]?complete\]\s*$/im;
 var ParallelEternalEngine = class {
@@ -10899,7 +11081,8 @@ ${recentJournal}` : "No prior iterations.",
       "\u2500\u2500 EXECUTION PROTOCOL \u2500\u2500",
       "\u2022 Execute the assigned task end-to-end using multiple tool calls.",
       "\u2022 Emit `[done]` on its own line when the task is complete.",
-      "\u2022 Do not ask for confirmation \u2014 YOLO is active.",
+      "\u2022 Do not ask before routine in-project tool use \u2014 YOLO is active for normal project work.",
+      "\u2022 If a destructive-gated confirmation appears, wait for the permission flow.",
       "\u2022 If the overall Mission is accomplished, emit `[GOAL_COMPLETE]` followed by a verification recipe.",
       "\u2022 Keep output concise \u2014 summarize findings, do not transcribe files."
     ].join("\n");
@@ -10979,6 +11162,7 @@ ${personaLine}Task: ${task}
     } catch {
       results = coordinator.results().slice(-taskIds.length);
     }
+    await Promise.allSettled(subagentIds.map((id) => coordinator.remove(id)));
     const allSuccessful = results.length > 0 && results.every((r) => r.status === "success");
     const goalComplete = results.some(
       (r) => r.status === "success" && typeof r.result === "string" && GOAL_COMPLETE_MARKER2.test(r.result)
@@ -11156,8 +11340,10 @@ ${journalTail.join("\n")}` : "Recent journal: (none \u2014 this is the first ite
       "  decide.",
       "",
       "### Operating principles",
-      "- YOLO is active. Do NOT ask for confirmation, do NOT propose",
-      "  options. Pick the best path and execute it.",
+      "- YOLO is active for normal project work. Proceed with routine",
+      "  in-project tool use without pre-confirming; pick the best path and execute it.",
+      "  If the permission system raises a destructive-gated confirmation, wait",
+      "  for that flow instead of trying to bypass it.",
       "- Use tools freely; multiple calls per turn are normal and expected.",
       "- When working on a todo, mark it `in_progress` via the todos tool",
       "  before tool work and `completed` (or `cancelled` with a reason)",
@@ -11346,7 +11532,7 @@ var InMemoryAgentBridge = class {
       );
     }
     this.inflightGuards.add(correlationId);
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve5, reject) => {
       const timer = setTimeout(() => {
         this.inflightGuards.delete(correlationId);
         this.pendingRequests.delete(correlationId);
@@ -11358,7 +11544,7 @@ var InMemoryAgentBridge = class {
         return;
       }
       this.pendingRequests.set(correlationId, {
-        resolve: resolve4,
+        resolve: resolve5,
         reject,
         timer
       });
@@ -12036,6 +12222,10 @@ Emit each evaluation immediately. Do not wait until you have read all reports.`;
     return lines.join("\n");
   }
   cleanup() {
+    if (this._timeoutTimer) {
+      clearTimeout(this._timeoutTimer);
+      this._timeoutTimer = void 0;
+    }
     for (const dispose of this.disposers) dispose();
     this.disposers.length = 0;
   }
@@ -13153,18 +13343,20 @@ var Director = class _Director {
       if (e.subagentId.startsWith("bug-hunter-") || e.subagentId.startsWith("refactor-planner-") || e.subagentId.startsWith("critic-")) {
         return;
       }
-      if (payload.kind === "timeout") {
+      if (payload.kind === "timeout" || payload.kind === "idle_timeout") {
+        const heartbeatKey = `${e.subagentId}:${payload.kind}`;
         const progress = progressBySubagent.get(e.subagentId) ?? 0;
-        const lastProgress = lastTimeoutProgress.get(e.subagentId) ?? -1;
+        const lastProgress = lastTimeoutProgress.get(heartbeatKey) ?? -1;
         if (progress <= lastProgress) {
           payload.deny();
           return;
         }
-        lastTimeoutProgress.set(e.subagentId, progress);
+        lastTimeoutProgress.set(heartbeatKey, progress);
+        const field = payload.kind === "timeout" ? "timeoutMs" : "idleTimeoutMs";
         setImmediate(() => {
           const newLimit = Math.min(Math.ceil(payload.limit * 2), 24 * 60 * 6e4);
-          this.recordExtension(e.subagentId, e.taskId, "timeout", newLimit);
-          payload.extend({ timeoutMs: newLimit });
+          this.recordExtension(e.subagentId, e.taskId, payload.kind, newLimit);
+          payload.extend({ [field]: newLimit });
         });
         return;
       }
@@ -13480,10 +13672,9 @@ var Director = class _Director {
       if (this.fleetManager) {
         this.fleetManager.assignNicknameAndRecord(config);
       } else {
-        config.name = assignNickname(role, this._usedNicknames);
-        this._usedNicknames.add(
-          config.name.split(" ")[0].toLowerCase().replace(/[^a-z0-9-]/g, "-")
-        );
+        const { key, display } = assignNickname(role, this._usedNicknames);
+        config.name = display;
+        this._usedNicknames.add(key);
       }
     }
     result = await this.coordinator.spawn(config);
@@ -13658,7 +13849,7 @@ var Director = class _Director {
       })),
       usage: this.usage.snapshot()
     };
-    await fsp.mkdir(path15.dirname(this.manifestPath), { recursive: true });
+    await fsp.mkdir(path16.dirname(this.manifestPath), { recursive: true });
     await atomicWrite(this.manifestPath, JSON.stringify(manifest, null, 2), { mode: 384 });
     return this.manifestPath;
   }
@@ -13777,11 +13968,11 @@ var Director = class _Director {
         if (cached) return cached;
         const existing = this.taskWaiters.get(id);
         if (existing) return existing.promise;
-        let resolve4;
+        let resolve5;
         const promise = new Promise((res) => {
-          resolve4 = res;
+          resolve5 = res;
         });
-        this.taskWaiters.set(id, { promise, resolve: resolve4 });
+        this.taskWaiters.set(id, { promise, resolve: resolve5 });
         return promise;
       })
     );
@@ -13805,8 +13996,8 @@ var Director = class _Director {
     } else {
       const entry = this.manifestEntries.get(subagentId);
       if (entry?.name) {
-        const nicknameKey = entry.name.split(" ")[0].toLowerCase().replace(/[^a-z0-9-]/g, "-");
-        this._usedNicknames.delete(nicknameKey);
+        const nicknameKey = nicknameKeyFromDisplay(entry.name);
+        if (nicknameKey) this._usedNicknames.delete(nicknameKey);
       }
     }
     this.manifestEntries.delete(subagentId);
@@ -13864,7 +14055,7 @@ var Director = class _Director {
    */
   async readSession(subagentId, tail) {
     if (!this.sessionsRoot) return null;
-    const filePath = path15.join(this.sessionsRoot, this.directorRunId, `${subagentId}.jsonl`);
+    const filePath = path16.join(this.sessionsRoot, this.directorRunId, `${subagentId}.jsonl`);
     let raw;
     try {
       raw = await fsp.readFile(filePath, "utf8");
@@ -14166,7 +14357,7 @@ function createDelegateTool(opts) {
           subagentId
         });
         const dir = director;
-        const result = await new Promise((resolve4) => {
+        const result = await new Promise((resolve5) => {
           let settled = false;
           let timer;
           const finish = (value) => {
@@ -14176,7 +14367,7 @@ function createDelegateTool(opts) {
             offTool();
             offIter();
             offProgress();
-            resolve4(value);
+            resolve5(value);
           };
           const arm = () => {
             if (timer) clearTimeout(timer);
@@ -14320,13 +14511,13 @@ async function readSubagentPartial(opts, subagentId) {
   if (!opts.sessionsRoot) return void 0;
   const candidates = [];
   if (opts.directorRunId) {
-    candidates.push(path15.join(opts.sessionsRoot, opts.directorRunId, `${subagentId}.jsonl`));
+    candidates.push(path16.join(opts.sessionsRoot, opts.directorRunId, `${subagentId}.jsonl`));
   } else {
     try {
       const entries = await fsp.readdir(opts.sessionsRoot, { withFileTypes: true });
       for (const entry of entries) {
         if (entry.isDirectory()) {
-          candidates.push(path15.join(opts.sessionsRoot, entry.name, `${subagentId}.jsonl`));
+          candidates.push(path16.join(opts.sessionsRoot, entry.name, `${subagentId}.jsonl`));
         }
       }
     } catch {
@@ -14373,9 +14564,9 @@ function makeDirectorSessionFactory(opts) {
   let dir;
   if (opts.store) {
     store = opts.store;
-    dir = opts.sessionsRoot ? path15.join(opts.sessionsRoot, runId) : "(caller-managed)";
+    dir = opts.sessionsRoot ? path16.join(opts.sessionsRoot, runId) : "(caller-managed)";
   } else if (opts.sessionsRoot) {
-    dir = path15.join(opts.sessionsRoot, runId);
+    dir = path16.join(opts.sessionsRoot, runId);
     store = new DefaultSessionStore({ dir });
   } else {
     throw new Error("makeDirectorSessionFactory requires either `store` or `sessionsRoot`");
@@ -14579,7 +14770,7 @@ var DefaultModelsRegistry = class {
     this.overlay = opts.overlay;
     this.overlayUrl = opts.overlayUrl;
     this.overlayFile = opts.overlayFile;
-    this.overlayCacheFile = opts.overlayCacheFile ?? (opts.overlayUrl ? path15.join(path15.dirname(opts.cacheFile), "models-overlay-cache.json") : void 0);
+    this.overlayCacheFile = opts.overlayCacheFile ?? (opts.overlayUrl ? path16.join(path16.dirname(opts.cacheFile), "models-overlay-cache.json") : void 0);
   }
   async load(opts = {}) {
     if (this.payload && !opts.force) return this.payload;
@@ -14792,7 +14983,7 @@ var DefaultModelsRegistry = class {
   }
   /** Used by `wstack models refresh` to expose where the cache lives. */
   cacheLocation() {
-    return path15.resolve(this.cacheFile);
+    return path16.resolve(this.cacheFile);
   }
 };
 function hasEntries(payload) {
@@ -15079,7 +15270,7 @@ var DefaultModeStore = class {
   }
   async loadActiveMode() {
     try {
-      const configPath = path15.join(this.configDir, "mode.json");
+      const configPath = path16.join(this.configDir, "mode.json");
       const content = await fsp.readFile(configPath, "utf8");
       const data = JSON.parse(content);
       this.activeModeId = data.activeMode ?? null;
@@ -15090,7 +15281,7 @@ var DefaultModeStore = class {
   async saveActiveMode() {
     try {
       await fsp.mkdir(this.configDir, { recursive: true });
-      const configPath = path15.join(this.configDir, "mode.json");
+      const configPath = path16.join(this.configDir, "mode.json");
       await atomicWrite(
         configPath,
         JSON.stringify({ activeMode: this.activeModeId }, null, 2)
@@ -15105,11 +15296,11 @@ async function loadProjectModes(modesDir) {
     const entries = await fsp.readdir(modesDir);
     for (const entry of entries) {
       if (!entry.endsWith(".md") && !entry.endsWith(".txt")) continue;
-      const filePath = path15.join(modesDir, entry);
+      const filePath = path16.join(modesDir, entry);
       const stat5 = await fsp.stat(filePath);
       if (!stat5.isFile()) continue;
       const content = await fsp.readFile(filePath, "utf8");
-      const id = path15.basename(entry, path15.extname(entry));
+      const id = path16.basename(entry, path16.extname(entry));
       modes.push({
         id,
         name: id.replace(/[-_]/g, " ").replace(/\b\w/g, (c) => c.toUpperCase()),
@@ -15125,7 +15316,7 @@ async function loadProjectModes(modesDir) {
 async function loadUserModes(modesDir) {
   const modes = [];
   try {
-    const manifestPath = path15.join(modesDir, "modes.json");
+    const manifestPath = path16.join(modesDir, "modes.json");
     const content = await fsp.readFile(manifestPath, "utf8");
     const manifest = JSON.parse(content);
     for (const mode of manifest.modes) {
@@ -16042,7 +16233,7 @@ var SpecStore = class {
   indexPath;
   constructor(opts) {
     this.baseDir = opts.baseDir;
-    this.indexPath = path15.join(this.baseDir, "_index.json");
+    this.indexPath = path16.join(this.baseDir, "_index.json");
   }
   async save(spec) {
     await ensureDir(this.baseDir);
@@ -16111,7 +16302,7 @@ var SpecStore = class {
     return updated;
   }
   filePath(id) {
-    return path15.join(this.baseDir, `${id}.json`);
+    return path16.join(this.baseDir, `${id}.json`);
   }
   async readIndex() {
     try {
@@ -16168,7 +16359,7 @@ var TaskGraphStore = class {
   indexPath;
   constructor(opts) {
     this.baseDir = opts.baseDir;
-    this.indexPath = path15.join(this.baseDir, "_index.json");
+    this.indexPath = path16.join(this.baseDir, "_index.json");
   }
   async save(graph) {
     await ensureDir(this.baseDir);
@@ -16206,7 +16397,7 @@ var TaskGraphStore = class {
     }
   }
   filePath(id) {
-    return path15.join(this.baseDir, `${id}.json`);
+    return path16.join(this.baseDir, `${id}.json`);
   }
   async readIndex() {
     try {
@@ -16451,9 +16642,9 @@ var AISpecBuilder = class {
     if (!this.sessionPath) return;
     try {
       const fsp16 = await import('fs/promises');
-      const path18 = await import('path');
+      const path19 = await import('path');
       const { atomicWrite: atomicWrite2 } = await Promise.resolve().then(() => (init_atomic_write(), atomic_write_exports));
-      await fsp16.mkdir(path18.dirname(this.sessionPath), { recursive: true });
+      await fsp16.mkdir(path19.dirname(this.sessionPath), { recursive: true });
       await atomicWrite2(this.sessionPath, JSON.stringify(this.session, null, 2));
     } catch {
     }
@@ -17163,15 +17354,15 @@ function computeCriticalPath(graph, _topoOrder, blockedByMap) {
       maxId = id;
     }
   }
-  const path18 = [];
+  const path19 = [];
   let current = maxId;
   const visited = /* @__PURE__ */ new Set();
   while (current && !visited.has(current)) {
     visited.add(current);
-    path18.unshift(current);
+    path19.unshift(current);
     current = prev.get(current) ?? null;
   }
-  return path18;
+  return path19;
 }
 function computeParallelGroups(graph, blockedByMap) {
   const groups = [];
@@ -17721,7 +17912,7 @@ var SddParallelRun = class {
       "\u2500\u2500 EXECUTION PROTOCOL \u2500\u2500",
       "\u2022 Execute the assigned SDD task end-to-end using multiple tool calls.",
       "\u2022 Mark the task [done] in the tracker when complete.",
-      "\u2022 Do not ask for confirmation.",
+      "\u2022 Do not ask before routine in-project tool use; if a permission gate appears, wait for that flow.",
       "\u2022 Keep output concise \u2014 summarize changes, do not transcribe files."
     ].join("\n");
     const spawns = subagentIds.map(
@@ -17964,9 +18155,9 @@ var DefaultHealthRegistry = class {
   }
   async runOne(check) {
     let timer = null;
-    const timeout = new Promise((resolve4) => {
+    const timeout = new Promise((resolve5) => {
       timer = setTimeout(
-        () => resolve4({ status: "unhealthy", detail: `timeout after ${this.timeoutMs}ms` }),
+        () => resolve5({ status: "unhealthy", detail: `timeout after ${this.timeoutMs}ms` }),
         this.timeoutMs
       );
     });
@@ -18149,7 +18340,7 @@ async function startMetricsServer(opts) {
   const tls = opts.tls;
   const useHttps = !!(tls?.cert && tls?.key);
   const host = opts.host ?? "127.0.0.1";
-  const path18 = opts.path ?? "/metrics";
+  const path19 = opts.path ?? "/metrics";
   const healthPath = opts.healthPath ?? "/healthz";
   const healthRegistry = opts.healthRegistry;
   const listener = (req, res) => {
@@ -18159,7 +18350,7 @@ async function startMetricsServer(opts) {
       return;
     }
     const url = req.url.split("?")[0];
-    if (url === path18) {
+    if (url === path19) {
       let body;
       try {
         body = renderPrometheus(opts.sink.snapshot());
@@ -18205,14 +18396,14 @@ async function startMetricsServer(opts) {
     const { createServer } = await import('http');
     server = createServer(listener);
   }
-  await new Promise((resolve4, reject) => {
+  await new Promise((resolve5, reject) => {
     const onError = (err) => {
       server.off("listening", onListening);
       reject(err);
     };
     const onListening = () => {
       server.off("error", onError);
-      resolve4();
+      resolve5();
     };
     server.once("error", onError);
     server.once("listening", onListening);
@@ -18223,9 +18414,9 @@ async function startMetricsServer(opts) {
   const protocol = useHttps ? "https" : "http";
   return {
     port: boundPort,
-    url: `${protocol}://${host}:${boundPort}${path18}`,
-    close: () => new Promise((resolve4, reject) => {
-      server.close((err) => err ? reject(err) : resolve4());
+    url: `${protocol}://${host}:${boundPort}${path19}`,
+    close: () => new Promise((resolve5, reject) => {
+      server.close((err) => err ? reject(err) : resolve5());
     })
   };
 }
@@ -18774,7 +18965,7 @@ var context7Server = () => ({
   name: "context7",
   description: "Codebase-aware documentation and Q&A (context7.ai)",
   transport: "streamable-http",
-  url: "https://server.context7.ai/mcp",
+  url: "https://mcp.context7.com/mcp",
   permission: "confirm"
 });
 var braveSearchServer = () => ({