@wrongstack/tools 0.1.4 → 0.1.7

package/dist/index.js

@@ -1,10 +1,11 @@
 import * as fs4 from 'fs/promises';
 import * as path from 'path';
 import { dirname } from 'path';
-import { spawn } from 'child_process';
 import { atomicWrite, unifiedDiff, detectNewlineStyle, normalizeToLf, toStyle, compileGlob, stripAnsi } from '@wrongstack/core';
+import { spawn } from 'child_process';
 import * as os from 'os';
 import * as dns from 'dns/promises';
+import * as net from 'net';
 import * as fsSync from 'fs';
 import { statSync } from 'fs';
 
@@ -43,83 +44,6 @@ function isBinaryBuffer(buf) {
   }
   return false;
 }
-async function* spawnStream(opts) {
-  const max = opts.maxBytes ?? 2e5;
-  const flushAt = opts.flushBytes ?? 4 * 1024;
-  let stdout = "";
-  let stderr = "";
-  let pending = "";
-  let error;
-  const child = spawn(opts.cmd, opts.args, {
-    cwd: opts.cwd,
-    signal: opts.signal,
-    stdio: ["ignore", "pipe", "pipe"]
-  });
-  const queue = [];
-  let waiter;
-  const wake = () => {
-    if (waiter) {
-      const w = waiter;
-      waiter = void 0;
-      w();
-    }
-  };
-  child.stdout?.on("data", (c) => {
-    const s = c.toString();
-    if (stdout.length < max) stdout += s;
-    queue.push({ kind: "out", data: s });
-    wake();
-  });
-  child.stderr?.on("data", (c) => {
-    const s = c.toString();
-    if (stderr.length < max) stderr += s;
-    queue.push({ kind: "err", data: s });
-    wake();
-  });
-  child.on("error", (e) => {
-    error = e.message;
-    queue.push({ kind: "error", data: e.message });
-    wake();
-  });
-  child.on("close", (code) => {
-    queue.push({ kind: "close", data: "", code: code ?? 0 });
-    wake();
-  });
-  let exitCode = 0;
-  let spawnFailed = false;
-  for (; ; ) {
-    while (queue.length === 0) {
-      await new Promise((resolve2) => {
-        waiter = resolve2;
-      });
-    }
-    const chunk = queue.shift();
-    if (chunk.kind === "close") {
-      if (!spawnFailed) exitCode = chunk.code ?? 0;
-      break;
-    }
-    if (chunk.kind === "error") {
-      spawnFailed = true;
-      exitCode = 1;
-      continue;
-    }
-    pending += chunk.data;
-    if (pending.length >= flushAt) {
-      yield { type: "partial_output", text: pending };
-      pending = "";
-    }
-  }
-  if (pending.length > 0) {
-    yield { type: "partial_output", text: pending };
-  }
-  return {
-    stdout,
-    stderr,
-    exitCode,
-    truncated: stdout.length >= max || stderr.length >= max,
-    error
-  };
-}
 
 // src/read.ts
 var MAX_BYTES = 5 * 1024 * 1024;
@@ -256,7 +180,8 @@ var editTool = {
       );
     }
     const lastReadMtime = ctx.lastReadMtime(absPath);
-    if (lastReadMtime !== void 0 && stat9.mtimeMs > lastReadMtime + 1) {
+    const mtimeTolerance = process.platform === "win32" ? 2e3 : 1;
+    if (lastReadMtime !== void 0 && stat9.mtimeMs > lastReadMtime + mtimeTolerance) {
       throw new Error(`edit: file "${input.path}" was modified externally. Re-read it first.`);
     }
     const original = await fs4.readFile(absPath, "utf8");
@@ -331,6 +256,48 @@ function findSimilarity(haystack, needle) {
   }
   return line;
 }
+
+// src/_regex.ts
+var MAX_PATTERN_LEN = 512;
+var DANGEROUS_PATTERNS = [
+  /(\([^)]*[+*][^)]*\))[+*]/,
+  // (a+)+, (.*)+, etc — nested quantifier on a group with internal quantifier
+  /(\(\?:[^)]*[+*][^)]*\))[+*]/
+  // same, with non-capturing group
+];
+function compileUserRegex(pattern, flags) {
+  if (typeof pattern !== "string") {
+    return { ok: false, reason: "pattern must be a string" };
+  }
+  if (pattern.length === 0) {
+    return { ok: false, reason: "pattern is empty" };
+  }
+  if (pattern.length > MAX_PATTERN_LEN) {
+    return { ok: false, reason: `pattern exceeds ${MAX_PATTERN_LEN} characters` };
+  }
+  for (const rx of DANGEROUS_PATTERNS) {
+    if (rx.test(pattern)) {
+      return {
+        ok: false,
+        reason: "pattern looks vulnerable to catastrophic backtracking \u2014 rewrite without nested quantifiers"
+      };
+    }
+  }
+  try {
+    return { ok: true, regex: new RegExp(pattern, flags) };
+  } catch (err) {
+    return {
+      ok: false,
+      reason: err instanceof Error ? err.message : "invalid regex"
+    };
+  }
+}
+var MAX_SUBJECT_LEN = 64 * 1024;
+function capSubject(line) {
+  return line.length > MAX_SUBJECT_LEN ? line.slice(0, MAX_SUBJECT_LEN) : line;
+}
+
+// src/replace.ts
 var DEFAULT_IGNORE = ["node_modules", ".git", "dist", "build", ".next", "coverage"];
 var replaceTool = {
   name: "replace",
@@ -358,23 +325,38 @@ var replaceTool = {
     if (!input?.pattern) throw new Error("replace: pattern is required");
     if (input.replacement === void 0) throw new Error("replace: replacement is required");
     if (!input?.files) throw new Error("replace: files is required");
-    const re = new RegExp(input.pattern, "g");
+    const replaceAll = input.replace_all ?? true;
+    const compiled = compileUserRegex(input.pattern, replaceAll ? "g" : "");
+    if (!compiled.ok) {
+      throw new Error(`replace: ${compiled.reason}`);
+    }
+    const re = compiled.regex;
     const globRe = input.glob ? compileGlob(input.glob) : null;
     const dryRun = input.dry_run ?? false;
-    const replaceAll = input.replace_all ?? true;
     const filesInput = Array.isArray(input.files) ? input.files.join(",") : input.files;
     const fileList = await resolveFiles(filesInput, ctx, globRe);
     const results = [];
     let totalReplacements = 0;
     for (const absPath of fileList) {
-      const stat9 = await fs4.stat(absPath).catch((err) => {
+      const lstat2 = await fs4.lstat(absPath).catch((err) => {
         if (err.code === "ENOENT") return null;
         throw err;
       });
+      if (!lstat2 || !lstat2.isFile()) continue;
+      if (lstat2.isSymbolicLink()) continue;
+      let realPath;
+      try {
+        realPath = await fs4.realpath(absPath);
+      } catch {
+        continue;
+      }
+      const rel = path.relative(ctx.projectRoot, realPath);
+      if (rel.startsWith("..") || path.isAbsolute(rel)) continue;
+      const stat9 = await fs4.stat(realPath).catch(() => null);
       if (!stat9 || !stat9.isFile()) continue;
       let content;
       try {
-        const buf = await fs4.readFile(absPath);
+        const buf = await fs4.readFile(realPath);
         if (isBinaryBuffer(buf)) continue;
         content = buf.toString("utf8");
       } catch {
@@ -385,13 +367,12 @@ var replaceTool = {
       re.lastIndex = 0;
       const matches = [...contentLf.matchAll(re)];
       if (matches.length === 0) continue;
-      const newContentLf = replaceAll ? contentLf.replace(re, input.replacement) : contentLf.replace(re, input.replacement);
+      const newContentLf = contentLf.replace(re, input.replacement);
       re.lastIndex = 0;
-      const actualCount = replaceAll ? matches.length : 1;
-      totalReplacements += actualCount;
+      totalReplacements += matches.length;
       if (!dryRun) {
         const newContent = toStyle(newContentLf, style);
-        await atomicWrite(absPath, newContent, { mode: stat9.mode & 511 });
+        await atomicWrite(realPath, newContent, { mode: stat9.mode & 511 });
       }
       const diff = dryRun || matches.length > 0 ? unifiedDiff(content, toStyle(newContentLf, style), { fromFile: absPath, toFile: absPath }) : void 0;
       results.push({
@@ -438,13 +419,13 @@ async function globFiles(pattern, base, extraGlob) {
   return await globNative(pattern, base, extraGlob);
 }
 function checkRg() {
-  return new Promise((resolve2) => {
+  return new Promise((resolve4) => {
     try {
       const p = spawn("rg", ["--version"], { stdio: "ignore" });
-      p.on("error", () => resolve2(false));
-      p.on("close", (code) => resolve2(code === 0));
+      p.on("error", () => resolve4(false));
+      p.on("close", (code) => resolve4(code === 0));
     } catch {
-      resolve2(false);
+      resolve4(false);
     }
   });
 }
@@ -456,10 +437,10 @@ function spawnRgFind(pattern, base) {
     buf += chunk.toString();
   });
   return {
-    promise: new Promise((resolve2, reject) => {
+    promise: new Promise((resolve4, reject) => {
       child.on("error", reject);
       child.on("close", () => {
-        resolve2(buf.split("\n").filter(Boolean));
+        resolve4(buf.split("\n").filter(Boolean));
       });
     })
   };
@@ -616,13 +597,13 @@ var grepTool = {
   }
 };
 async function detectRg(signal) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve4) => {
     try {
       const p = spawn("rg", ["--version"], { stdio: "ignore", signal });
-      p.on("error", () => resolve2(false));
-      p.on("close", (code) => resolve2(code === 0));
+      p.on("error", () => resolve4(false));
+      p.on("close", (code) => resolve4(code === 0));
     } catch {
-      resolve2(false);
+      resolve4(false);
     }
   });
 }
@@ -642,6 +623,8 @@ async function* runRgStream(input, base, mode, limit, signal) {
   let totalLines = 0;
   let batchSinceFlush = 0;
   const FLUSH_AT = 16;
+  const MAX_BUF_BYTES = 1e6;
+  let bufOverflow = false;
   const child = spawn("rg", args, { signal, stdio: ["ignore", "pipe", "pipe"] });
   const queue = [];
   let waiter;
@@ -679,6 +662,14 @@ async function* runRgStream(input, base, mode, limit, signal) {
     }
     if (c.kind === "close") break;
     buf += c.data;
+    if (buf.length > MAX_BUF_BYTES && !bufOverflow) {
+      bufOverflow = true;
+      buf = buf.slice(-MAX_BUF_BYTES);
+      try {
+        child.kill("SIGTERM");
+      } catch {
+      }
+    }
     const idx = buf.lastIndexOf("\n");
     if (idx === -1) continue;
     const ready = buf.slice(0, idx);
@@ -725,14 +716,18 @@ async function* runRgStream(input, base, mode, limit, signal) {
     output: {
       matches,
       count: totalLines,
-      truncated: totalLines > limit,
+      truncated: totalLines > limit || bufOverflow,
       used: "rg"
     }
   };
 }
 async function runNative(input, base, mode, limit, signal) {
   const flags = input.case_insensitive ? "i" : "";
-  const re = new RegExp(input.pattern, flags);
+  const compiled = compileUserRegex(input.pattern, flags);
+  if (!compiled.ok) {
+    throw new Error(`grep: ${compiled.reason}`);
+  }
+  const re = compiled.regex;
   const globRe = input.glob ? compileGlob(input.glob) : null;
   const matches = [];
   const fileMatches = /* @__PURE__ */ new Map();
@@ -749,6 +744,7 @@ async function runNative(input, base, mode, limit, signal) {
     for (const e of entries) {
       if (stopped) return;
       if (DEFAULT_IGNORE3.includes(e.name)) continue;
+      if (e.isSymbolicLink()) continue;
       const full = path.join(dir, e.name);
       if (e.isDirectory()) {
         await walk(full);
@@ -764,7 +760,7 @@ async function runNative(input, base, mode, limit, signal) {
           const lines = text.split(/\r?\n/);
           let fileHits = 0;
           for (let i = 0; i < lines.length; i++) {
-            const ln = lines[i] ?? "";
+            const ln = capSubject(lines[i] ?? "");
             re.lastIndex = 0;
             if (re.test(ln)) {
               fileHits++;
@@ -797,6 +793,86 @@ async function runNative(input, base, mode, limit, signal) {
     used: "native"
   };
 }
+
+// src/_env.ts
+var ALLOWED_KEYS = /* @__PURE__ */ new Set([
+  "PATH",
+  "HOME",
+  "USER",
+  "USERNAME",
+  "LOGNAME",
+  "SHELL",
+  "LANG",
+  "LC_ALL",
+  "LC_CTYPE",
+  "TERM",
+  "TZ",
+  "TMPDIR",
+  "TEMP",
+  "TMP",
+  "PWD",
+  "OLDPWD",
+  "COMSPEC",
+  "SYSTEMROOT",
+  "SYSTEMDRIVE",
+  "WINDIR",
+  "PROGRAMFILES",
+  "PROGRAMFILES(X86)",
+  "PROGRAMDATA",
+  "APPDATA",
+  "LOCALAPPDATA",
+  "USERPROFILE",
+  "PUBLIC",
+  "PATHEXT"
+]);
+var SECRET_NAME_PARTS = [
+  "TOKEN",
+  "SECRET",
+  "PASSWORD",
+  "PASSWD",
+  "AUTH",
+  "CRED",
+  "BEARER",
+  "COOKIE",
+  "PRIVATE"
+];
+function looksSecret(name) {
+  const upper = name.toUpperCase();
+  for (const p of SECRET_NAME_PARTS) {
+    if (upper.includes(p)) return true;
+  }
+  if (/(?:^|_)KEY(?:$|_|S$)/i.test(upper)) return true;
+  if (/API[_-]?KEY/i.test(upper)) return true;
+  if (/ACCESS[_-]?KEY/i.test(upper)) return true;
+  if (/SESSION[_-]?ID/i.test(upper) === false && /SESSION/i.test(upper)) {
+    return true;
+  }
+  return false;
+}
+function buildChildEnv(sessionId) {
+  const passthrough = process.env["WRONGSTACK_BASH_ENV_PASSTHROUGH"] === "1";
+  const out = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v === void 0) continue;
+    if (passthrough) {
+      out[k] = v;
+      continue;
+    }
+    const upper = k.toUpperCase();
+    if (ALLOWED_KEYS.has(upper)) {
+      out[k] = v;
+      continue;
+    }
+    if (looksSecret(upper)) continue;
+    if (upper.startsWith("NODE_") || upper.startsWith("NPM_") || upper.startsWith("PNPM_") || upper.startsWith("YARN_") || upper.startsWith("GIT_") || upper.startsWith("CI") || upper.startsWith("XDG_") || upper === "EDITOR" || upper === "VISUAL" || upper === "PAGER") {
+      out[k] = v;
+    }
+  }
+  if (sessionId) out["WRONGSTACK_SESSION_ID"] = sessionId;
+  return out;
+}
+
+// src/bash.ts
 var MAX_OUTPUT = 32768;
 var DEFAULT_TIMEOUT = 3e4;
 var STREAM_FLUSH_INTERVAL_MS = 200;
@@ -807,6 +883,10 @@ var bashTool = {
   usageHint: "Runs via `bash -c` (or `cmd /c` on Windows). Cwd is the project root. Default timeout 30s. Output truncated from the middle if oversized. Use for git, npm, builds, tests.",
   permission: "confirm",
   mutating: true,
+  // Trust rules match on the literal `command` string. Without subjectKey
+  // the policy heuristic would have done the same here, but declaring it
+  // explicitly removes the implicit cross-tool aliasing.
+  subjectKey: "command",
   timeoutMs: 3e4,
   maxOutputBytes: MAX_OUTPUT,
   estimatedDurationMs: 3e3,
@@ -833,13 +913,13 @@ var bashTool = {
     const isWin = os.platform() === "win32";
     const shell = isWin ? process.env["COMSPEC"] ?? "cmd.exe" : process.env["SHELL"] ?? "/bin/bash";
     const args = isWin ? ["/c", input.command] : ["-c", input.command];
-    const env = { ...process.env };
-    env["WRONGSTACK_SESSION_ID"] = ctx.session.id;
+    const env = buildChildEnv(ctx.session?.id);
+    const detached = isWin ? !!input.background : true;
     const child = spawn(shell, args, {
       cwd: ctx.projectRoot,
       env,
       stdio: input.background ? "ignore" : ["ignore", "pipe", "pipe"],
-      detached: input.background,
+      detached,
       signal: opts.signal
     });
     if (input.background) {
@@ -869,10 +949,26 @@ var bashTool = {
         }
       } else {
         try {
-          child.kill("SIGTERM");
+          if (typeof child.pid === "number") {
+            try {
+              process.kill(-child.pid, "SIGTERM");
+            } catch {
+              child.kill("SIGTERM");
+            }
+          } else {
+            child.kill("SIGTERM");
+          }
           const killTimer = setTimeout(() => {
             try {
-              child.kill("SIGKILL");
+              if (typeof child.pid === "number") {
+                try {
+                  process.kill(-child.pid, "SIGKILL");
+                } catch {
+                  child.kill("SIGKILL");
+                }
+              } else {
+                child.kill("SIGKILL");
+              }
             } catch {
             }
           }, 2e3);
@@ -894,10 +990,10 @@ var bashTool = {
         queue.push(c);
       }
     };
-    const next = () => new Promise((resolve2) => {
+    const next = () => new Promise((resolve4) => {
       const c = queue.shift();
-      if (c) resolve2(c);
-      else resolveNext = resolve2;
+      if (c) resolve4(c);
+      else resolveNext = resolve4;
     });
     let lastFlush = Date.now();
     const flush = () => {
@@ -989,32 +1085,13 @@ var ALLOWED_COMMANDS = {
   docker: ["--version", "ps", "images", "build"],
   kubectl: ["version", "get", "describe", "logs"]
 };
-var FORBIDDEN_PATTERNS = [
-  /;\s*rm\s+-rf/i,
-  /\|\s*rm\s/i,
-  /\&\&\s*rm/i,
-  /\$\(.*rm/s,
-  /`.*rm/s,
-  /eval\s*\(/i,
-  /exec\s+/i,
-  /nc\s+-e/i,
-  /bash\s+-i/i,
-  /\/dev\/tcp\//i,
-  /curl\s+.*\|/i,
-  /wget\s+.*\|/i,
-  /chmod\s+777/i,
-  /chmod\s+4755/i,
-  />\s*\/dev\//i,
-  /2>\s*\/dev\//i,
-  /tee\s+/i
-];
 var MAX_ARGS = 20;
 var MAX_OUTPUT2 = 2e5;
 var TIMEOUT_MS = 3e4;
 var execTool = {
   name: "exec",
   description: "Restricted shell that only runs pre-approved commands with constrained arguments. Safer alternative to `bash`.",
-  usageHint: "Set `command` (must be in allowlist). `args` passed through. Unknown commands require `allow_unknown: true`. Blocks dangerous patterns.",
+  usageHint: "Set `command` (must be in allowlist). `args` passed through. For arbitrary shell access use the `bash` tool instead.",
   permission: "confirm",
   mutating: false,
   timeoutMs: TIMEOUT_MS,
@@ -1023,57 +1100,56 @@ var execTool = {
     properties: {
       command: { type: "string", description: "Command to run (must be in allowlist)" },
       args: { type: "array", items: { type: "string" }, description: "Arguments" },
-      cwd: { type: "string", description: "Working directory" },
-      timeout: { type: "integer", description: "Timeout in ms (default: 30000)" },
-      allow_unknown: {
-        type: "boolean",
-        description: "Allow commands not in allowlist (DANGEROUS, use with caution)"
-      }
+      cwd: { type: "string", description: "Working directory (must resolve inside project root)" },
+      timeout: { type: "integer", description: "Timeout in ms (default: 30000)" }
     },
     required: ["command"]
   },
   async execute(input, ctx, opts) {
     const cmd = input.command.trim();
     if (!cmd) return { command: cmd, args: [], stdout: "", stderr: "Empty command", exitCode: 1, truncated: false, allowed: false };
-    if (FORBIDDEN_PATTERNS.some((re) => re.test(cmd))) {
+    if (!(cmd in ALLOWED_COMMANDS)) {
       return {
         command: cmd,
         args: input.args ?? [],
         stdout: "",
-        stderr: `Command blocked: dangerous pattern detected`,
+        stderr: `Command "${cmd}" not in allowlist. Use the bash tool for arbitrary commands.`,
         exitCode: 1,
         truncated: false,
         allowed: false
       };
     }
-    const allowedCommands = { ...ALLOWED_COMMANDS };
-    if (input.allow_unknown) {
-      allowedCommands[cmd] = [];
-    }
-    if (!(cmd in allowedCommands)) {
+    const args = (input.args ?? []).slice(0, MAX_ARGS);
+    const timeout = Math.min(input.timeout ?? TIMEOUT_MS, TIMEOUT_MS);
+    const requestedCwd = input.cwd ? path.resolve(ctx.projectRoot, input.cwd) : ctx.cwd;
+    const rel = path.relative(ctx.projectRoot, requestedCwd);
+    if (rel.startsWith("..") || path.isAbsolute(rel)) {
       return {
         command: cmd,
-        args: input.args ?? [],
+        args,
         stdout: "",
-        stderr: `Command "${cmd}" not in allowlist. Set allow_unknown: true to bypass.`,
+        stderr: `cwd "${input.cwd}" resolves outside project root`,
         exitCode: 1,
         truncated: false,
         allowed: false
       };
     }
-    const args = (input.args ?? []).slice(0, MAX_ARGS);
-    const timeout = Math.min(input.timeout ?? TIMEOUT_MS, TIMEOUT_MS);
-    const cwd = input.cwd ?? ctx.cwd;
+    const cwd = requestedCwd;
     const signal = opts.signal;
-    return runCommand(cmd, args, cwd, timeout, signal);
+    return runCommand(cmd, args, cwd, timeout, signal, ctx.session?.id);
   }
 };
-function runCommand(cmd, args, cwd, timeout, signal) {
-  return new Promise((resolve2) => {
+function runCommand(cmd, args, cwd, timeout, signal, sessionId) {
+  return new Promise((resolve4) => {
     let stdout = "";
     let stderr = "";
     let killed = false;
-    const child = spawn(cmd, args, { cwd, signal, stdio: ["ignore", "pipe", "pipe"] });
+    const child = spawn(cmd, args, {
+      cwd,
+      signal,
+      env: buildChildEnv(sessionId),
+      stdio: ["ignore", "pipe", "pipe"]
+    });
     const timer = setTimeout(() => {
       killed = true;
       child.kill("SIGTERM");
@@ -1086,7 +1162,7 @@ function runCommand(cmd, args, cwd, timeout, signal) {
     });
     child.on("close", (code) => {
       clearTimeout(timer);
-      resolve2({
+      resolve4({
         command: cmd,
         args,
         stdout: stdout.slice(0, MAX_OUTPUT2),
@@ -1098,7 +1174,7 @@ function runCommand(cmd, args, cwd, timeout, signal) {
     });
     child.on("error", (err) => {
       clearTimeout(timer);
-      resolve2({
+      resolve4({
         command: cmd,
         args,
         stdout: stdout.slice(0, MAX_OUTPUT2),
@@ -1112,17 +1188,6 @@ function runCommand(cmd, args, cwd, timeout, signal) {
 }
 var MAX_BYTES2 = 131072;
 var TIMEOUT_MS2 = 2e4;
-var PRIVATE_RANGES = [
-  /^10\./,
-  /^192\.168\./,
-  /^172\.(1[6-9]|2[0-9]|3[01])\./,
-  /^127\./,
-  /^0\./,
-  /^169\.254\./,
-  /^::1$/,
-  /^fc/i,
-  /^fe80:/i
-];
 var ALLOW_PRIVATE = process.env["WRONGSTACK_FETCH_ALLOW_PRIVATE"] === "1";
 async function fetchWithRedirectLimit(url, maxRedirects, signal) {
   const headers = {
@@ -1132,6 +1197,14 @@ async function fetchWithRedirectLimit(url, maxRedirects, signal) {
   let redirectCount = 0;
   let currentUrl = url;
   for (; ; ) {
+    const parsed = new URL(currentUrl);
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+      throw new Error(`fetch: redirect to unsupported protocol "${parsed.protocol}"`);
+    }
+    if (parsed.protocol === "http:" && !ALLOW_PRIVATE) {
+      throw new Error("fetch: redirect to http:// blocked (HTTPS required by default)");
+    }
+    await assertNotPrivate(parsed.hostname);
     const res = await fetch(currentUrl, {
       redirect: "manual",
       signal,
@@ -1157,6 +1230,11 @@ var fetchTool = {
   usageHint: "HTTPS only by default. Localhost and RFC1918 ranges blocked unless WRONGSTACK_FETCH_ALLOW_PRIVATE=1. Max 5 redirects, 20s timeout, 128KB cap.",
   permission: "confirm",
   mutating: false,
+  // Trust rules for fetch match on the literal URL — declare it explicitly
+  // so a user can trust `https://api.example.com/*` without accidentally
+  // matching that pattern on any other tool that happens to have a `url`
+  // input field.
+  subjectKey: "url",
   timeoutMs: TIMEOUT_MS2,
   maxOutputBytes: MAX_BYTES2,
   inputSchema: {
@@ -1244,35 +1322,118 @@ var fetchTool = {
 };
 async function assertNotPrivate(hostname) {
   if (ALLOW_PRIVATE) return;
-  if (PRIVATE_RANGES.some((r) => r.test(hostname))) {
-    throw new Error(`fetch: blocked private/loopback address "${hostname}"`);
-  }
-  if (hostname === "localhost" || hostname.endsWith(".localhost")) {
+  const host = hostname.startsWith("[") && hostname.endsWith("]") ? hostname.slice(1, -1) : hostname;
+  if (host === "localhost" || host.endsWith(".localhost")) {
     throw new Error("fetch: blocked localhost target");
   }
-  try {
-    const records = await dns.lookup(hostname, { all: true });
-    for (const r of records) {
-      if (PRIVATE_RANGES.some((re) => re.test(r.address))) {
-        throw new Error(`fetch: resolved to private address ${r.address}`);
+  const ipVersion = net.isIP(host);
+  if (ipVersion === 4) {
+    if (isPrivateIPv4(host)) {
+      throw new Error(`fetch: blocked private/loopback address "${host}"`);
+    }
+  } else if (ipVersion === 6) {
+    if (isPrivateIPv6(host)) {
+      throw new Error(`fetch: blocked private/loopback address "${host}"`);
+    }
+  } else {
+    try {
+      const records = await dns.lookup(host, { all: true });
+      for (const r of records) {
+        const bad = r.family === 4 ? isPrivateIPv4(r.address) : isPrivateIPv6(r.address);
+        if (bad) {
+          throw new Error(`fetch: resolved to private address ${r.address}`);
+        }
       }
+    } catch (err) {
+      if (err instanceof Error && err.message.startsWith("fetch:")) throw err;
     }
-  } catch (err) {
-    if (err instanceof Error && err.message.startsWith("fetch:")) throw err;
   }
 }
+function isPrivateIPv4(addr) {
+  const parts = addr.split(".").map((p) => Number.parseInt(p, 10));
+  if (parts.length !== 4 || parts.some((n) => Number.isNaN(n) || n < 0 || n > 255)) {
+    return true;
+  }
+  const [a, b, c] = parts;
+  if (a === 0) return true;
+  if (a === 10) return true;
+  if (a === 127) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 192 && b === 0 && c === 0) return true;
+  if (a === 100 && b >= 64 && b <= 127) return true;
+  if (a >= 224) return true;
+  return false;
+}
+function isPrivateIPv6(addr) {
+  const lower = addr.toLowerCase();
+  if (lower === "::" || lower === "::1") return true;
+  const groups = expandIPv6(lower);
+  if (!groups) return true;
+  if (groups[0] === 0 && groups[1] === 0 && groups[2] === 0 && groups[3] === 0 && groups[4] === 0 && groups[5] === 65535) {
+    const a = (groups[6] ?? 0) >> 8;
+    const b = (groups[6] ?? 0) & 255;
+    const c = (groups[7] ?? 0) >> 8;
+    const d = (groups[7] ?? 0) & 255;
+    return isPrivateIPv4(`${a}.${b}.${c}.${d}`);
+  }
+  const high = groups[0] ?? 0;
+  if ((high & 65024) === 64512) return true;
+  if ((high & 65472) === 65152) return true;
+  if ((high & 65280) === 65280) return true;
+  return false;
+}
+function expandIPv6(addr) {
+  const parts = addr.split("::");
+  if (parts.length > 2) return null;
+  const parseGroups = (s) => {
+    if (s === "") return [];
+    const out = [];
+    for (const g of s.split(":")) {
+      if (g.length === 0 || g.length > 4) return null;
+      const n = Number.parseInt(g, 16);
+      if (Number.isNaN(n) || n < 0 || n > 65535) return null;
+      out.push(n);
+    }
+    return out;
+  };
+  if (parts.length === 1) {
+    const groups = parseGroups(parts[0] ?? "");
+    if (!groups || groups.length !== 8) return null;
+    return groups;
+  }
+  const head = parseGroups(parts[0] ?? "");
+  const tail = parseGroups(parts[1] ?? "");
+  if (!head || !tail) return null;
+  const fill = 8 - head.length - tail.length;
+  if (fill < 0) return null;
+  return [...head, ...new Array(fill).fill(0), ...tail];
+}
 function combineSignals(...sigs) {
   if (typeof AbortSignal.any === "function") {
     return AbortSignal.any(sigs);
   }
   const ctrl = new AbortController();
+  const cleanups = [];
+  const detach = () => {
+    for (const fn of cleanups) fn();
+    cleanups.length = 0;
+  };
   for (const s of sigs) {
     if (s.aborted) {
+      detach();
       ctrl.abort(s.reason);
-      break;
+      return ctrl.signal;
     }
-    s.addEventListener("abort", () => ctrl.abort(s.reason), { once: true });
+    const onAbort = () => {
+      detach();
+      ctrl.abort(s.reason);
+    };
+    s.addEventListener("abort", onAbort, { once: true });
+    cleanups.push(() => s.removeEventListener("abort", onAbort));
   }
+  ctrl.signal.addEventListener("abort", detach, { once: true });
   return ctrl.signal;
 }
 function prettyJson(s) {
@@ -1557,7 +1718,7 @@ var todoTool = {
         }
       }
     }
-    ctx.todos = items;
+    ctx.state.replaceTodos(items);
     return {
       count: items.length,
       in_progress: items.filter((t) => t.status === "in_progress").length
@@ -1571,10 +1732,10 @@ var gitTool = {
   description: "Run git commands. Wraps common operations: status, log, diff, commit, branch, checkout, stash, push, pull, fetch, reset.",
   usageHint: "Prefer built-in subcommands over raw args. `command` is required. `message` for commits. `branch` for checkout/branch. `files` for status/diff. `format` for log.",
   permission: "confirm",
-  mutating: ["commit", "push", "pull", "checkout", "stash", "reset"].includes(
-    "commit"
-    // this is for type-check only; runtime check below
-  ),
+  // Conservative: any of these may mutate. The non-mutating commands
+  // (status/log/diff/branch/fetch) are still gated on `permission: 'confirm'`
+  // and `MUTATING_SUBCOMMANDS` is consulted at runtime for per-call checks.
+  mutating: true,
   timeoutMs: TIMEOUT_MS4,
   inputSchema: {
     type: "object",
@@ -1596,7 +1757,6 @@ var gitTool = {
         ],
         description: "Git subcommand"
       },
-      args: { type: "string", description: "Raw args string (bypasses subcommand logic)" },
       files: {
         type: "string",
         description: 'File(s) for status/diff: single path, comma-separated list, or "**/*.ts" glob'
@@ -1615,12 +1775,12 @@ var gitTool = {
   },
   async execute(input, ctx, opts) {
     if (!input?.command) throw new Error("git: command is required");
-    const gitDir = findGitDir(ctx.cwd);
+    const gitDir = findGitDir(ctx.cwd, ctx.projectRoot);
     if (!gitDir) {
       return {
         command: input.command,
         stdout: "",
-        stderr: "Not in a git repository",
+        stderr: "Not in a git repository (within project root)",
         exitCode: 128,
         truncated: false
       };
@@ -1629,7 +1789,8 @@ var gitTool = {
     return await runGit(args, gitDir, opts.signal);
   }
 };
-function findGitDir(cwd) {
+function findGitDir(cwd, projectRoot) {
+  const root = projectRoot;
   let dir = cwd;
   for (let i = 0; i < 20; i++) {
     try {
@@ -1637,6 +1798,7 @@ function findGitDir(cwd) {
       if (stat9.isDirectory()) return dir;
     } catch {
     }
+    if (dir === root) break;
     const parent = dirname(dir);
     if (parent === dir) break;
     dir = parent;
@@ -1644,7 +1806,6 @@ function findGitDir(cwd) {
   return null;
 }
 function buildArgs(input) {
-  if (input.args) return input.args.split(/\s+/).filter(Boolean);
   const limit = input.limit ?? 20;
   const files = input.files ? (Array.isArray(input.files) ? input.files : input.files.split(",")).map((s) => s.trim()).filter(Boolean) : [];
   switch (input.command) {
@@ -1691,7 +1852,7 @@ function buildArgs(input) {
   }
 }
 function runGit(args, cwd, signal) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve4) => {
     let stdout = "";
     let stderr = "";
     const child = spawn("git", args, {
@@ -1710,7 +1871,7 @@ function runGit(args, cwd, signal) {
       }
     });
     child.on("error", (err) => {
-      resolve2({
+      resolve4({
         command: args[0],
         stdout,
         stderr: err.message,
@@ -1719,7 +1880,7 @@ function runGit(args, cwd, signal) {
       });
     });
     child.on("close", (code) => {
-      resolve2({
+      resolve4({
         command: args[0],
         stdout: stdout.slice(0, MAX_OUTPUT3),
         stderr: stderr.slice(0, MAX_OUTPUT3),
@@ -1749,51 +1910,90 @@ var patchTool = {
   async execute(input, ctx, opts) {
     if (!input?.patch) throw new Error("patch: patch content is required");
     const dir = input.directory ? safeResolve(input.directory, ctx) : ctx.cwd;
-    const strip = input.strip ?? 1;
+    const strip = Math.max(1, input.strip ?? 1);
     const dryRun = input.dry_run ?? false;
-    const patchFile = path.join(dir, `.wstack_patch_${Date.now()}.diff`);
-    await fs4.writeFile(patchFile, input.patch, "utf8");
-    const args = [
-      "-p" + strip,
-      "--merge",
-      ...dryRun ? ["--dry-run"] : [],
-      "-i",
-      patchFile
-    ];
-    const result = await runPatch(args, dir, opts.signal);
-    await fs4.unlink(patchFile).catch(() => {
-    });
-    if (result.exitCode !== 0 && !dryRun) {
+    const targets = extractDiffTargets(input.patch);
+    for (const t of targets) {
+      const stripped = stripPathComponents(t, strip);
+      if (!stripped) continue;
+      const candidate = path.resolve(dir, stripped);
+      const rel = path.relative(ctx.projectRoot, candidate);
+      if (rel.startsWith("..") || path.isAbsolute(rel)) {
+        return {
+          applied: 0,
+          rejected: 1,
+          files: [],
+          dry_run: dryRun,
+          message: `patch refused: target "${t}" resolves outside project root`
+        };
+      }
+    }
+    const tmpDir = await fs4.mkdtemp(path.join(dir, ".wstack_patch_"));
+    try {
+      await fs4.chmod(tmpDir, 448).catch(() => {
+      });
+      const patchFile = path.join(tmpDir, "in.diff");
+      await fs4.writeFile(patchFile, input.patch, { mode: 384 });
+      const args = [
+        `-p${strip}`,
+        "--merge",
+        ...dryRun ? ["--dry-run"] : [],
+        "-i",
+        patchFile
+      ];
+      const result = await runPatch(args, dir, opts.signal);
+      if (result.exitCode !== 0 && !dryRun) {
+        return {
+          applied: 0,
+          rejected: 1,
+          files: [],
+          dry_run: dryRun,
+          message: `patch failed: ${result.stderr || result.stdout}`
+        };
+      }
+      const patched = extractPatchedFiles(result.stdout);
       return {
-        applied: 0,
-        rejected: 1,
-        files: [],
+        applied: patched.length,
+        rejected: 0,
+        files: patched,
         dry_run: dryRun,
-        message: `patch failed: ${result.stderr || result.stdout}`
+        message: result.stdout || "patch applied"
       };
+    } finally {
+      await fs4.rm(tmpDir, { recursive: true, force: true }).catch(() => {
+      });
     }
-    return {
-      applied: result.stdout.includes("patching file") ? 1 : 0,
-      rejected: 0,
-      files: extractPatchedFiles(result.stdout),
-      dry_run: dryRun,
-      message: result.stdout || "patch applied"
-    };
   }
 };
+function extractDiffTargets(patch) {
+  const out = [];
+  const re = /^\+\+\+\s+([^\t\r\n]+)/gm;
+  for (const m of patch.matchAll(re)) {
+    const target = m[1]?.trim();
+    if (!target || target === "/dev/null") continue;
+    out.push(target);
+  }
+  return out;
+}
+function stripPathComponents(p, strip) {
+  const parts = p.replace(/\\/g, "/").split("/");
+  if (parts.length <= strip) return void 0;
+  return parts.slice(strip).join("/");
+}
 function runPatch(args, cwd, signal) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve4) => {
     let stdout = "";
     let stderr = "";
-    const child = spawn("patch", args, { cwd, signal, stdio: ["pipe", "pipe", "pipe"] });
+    const env = { ...process.env, LANG: "C", LC_ALL: "C" };
+    const child = spawn("patch", args, { cwd, signal, env, stdio: ["pipe", "pipe", "pipe"] });
     child.stdout?.on("data", (c) => {
       stdout += c.toString();
     });
     child.stderr?.on("data", (c) => {
       stderr += c.toString();
     });
-    child.on("close", (code) => resolve2({ exitCode: code ?? 1, stdout, stderr }));
-    child.on("error", (e) => resolve2({ exitCode: 1, stdout: "", stderr: e.message }));
+    child.on("close", (code) => resolve4({ exitCode: code ?? 1, stdout, stderr }));
+    child.on("error", (e) => resolve4({ exitCode: 1, stdout: "", stderr: e.message }));
   });
 }
 function extractPatchedFiles(output) {
@@ -1872,8 +2072,8 @@ var jsonTool = {
     };
   }
 };
-function query(data, path10) {
-  const parts = path10.replace(/\[(\d+)\]/g, ".$1").split(".").filter(Boolean);
+function query(data, path12) {
+  const parts = path12.replace(/\[(\d+)\]/g, ".$1").split(".").filter(Boolean);
   let current = data;
   for (const part of parts) {
     if (current === null || current === void 0) return void 0;
@@ -1979,18 +2179,18 @@ function findGitDir2(cwd) {
   let dir = cwd;
   for (let i = 0; i < 20; i++) {
     try {
-      const stat9 = __require("fs").statSync(`${dir}/.git`);
+      const stat9 = statSync(path.join(dir, ".git"));
       if (stat9.isDirectory()) return dir;
     } catch {
     }
-    const parent = __require("path").dirname(dir);
+    const parent = path.dirname(dir);
     if (parent === dir) break;
     dir = parent;
   }
   return null;
 }
 function runGit2(args, cwd, signal) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve4) => {
     let stdout = "";
     let stderr = "";
     const child = spawn("git", args, { cwd, signal, stdio: ["ignore", "pipe", "pipe"] });
@@ -2000,8 +2200,8 @@ function runGit2(args, cwd, signal) {
     child.stderr?.on("data", (c) => {
       stderr += c.toString();
     });
-    child.on("close", (code) => resolve2({ stdout, stderr, exitCode: code ?? 0 }));
-    child.on("error", (e) => resolve2({ stdout: "", stderr: e.message, exitCode: 1 }));
+    child.on("close", (code) => resolve4({ stdout, stderr, exitCode: code ?? 0 }));
+    child.on("error", (e) => resolve4({ stdout: "", stderr: e.message, exitCode: 1 }));
   });
 }
 async function fileDiff(input, ctx, signal) {
@@ -2124,10 +2324,15 @@ var treeTool = {
       if (queue.length > 0) {
         yield queue.shift();
       } else {
-        await Promise.race([
-          walkPromise,
-          new Promise((r) => setTimeout(r, 50))
-        ]).catch(() => void 0);
+        let pollTimer;
+        const poll = new Promise((r) => {
+          pollTimer = setTimeout(r, 50);
+        });
+        try {
+          await Promise.race([walkPromise, poll]).catch(() => void 0);
+        } finally {
+          if (pollTimer) clearTimeout(pollTimer);
+        }
       }
     }
     await walkPromise;
@@ -2182,6 +2387,83 @@ async function walkDir(dir, depth, opts) {
     }
   }
 }
+async function* spawnStream(opts) {
+  const max = opts.maxBytes ?? 2e5;
+  const flushAt = opts.flushBytes ?? 4 * 1024;
+  let stdout = "";
+  let stderr = "";
+  let pending = "";
+  let error;
+  const child = spawn(opts.cmd, opts.args, {
+    cwd: opts.cwd,
+    signal: opts.signal,
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  const queue = [];
+  let waiter;
+  const wake = () => {
+    if (waiter) {
+      const w = waiter;
+      waiter = void 0;
+      w();
+    }
+  };
+  child.stdout?.on("data", (c) => {
+    const s = c.toString();
+    if (stdout.length < max) stdout += s;
+    queue.push({ kind: "out", data: s });
+    wake();
+  });
+  child.stderr?.on("data", (c) => {
+    const s = c.toString();
+    if (stderr.length < max) stderr += s;
+    queue.push({ kind: "err", data: s });
+    wake();
+  });
+  child.on("error", (e) => {
+    error = e.message;
+    queue.push({ kind: "error", data: e.message });
+    wake();
+  });
+  child.on("close", (code) => {
+    queue.push({ kind: "close", data: "", code: code ?? 0 });
+    wake();
+  });
+  let exitCode = 0;
+  let spawnFailed = false;
+  for (; ; ) {
+    while (queue.length === 0) {
+      await new Promise((resolve4) => {
+        waiter = resolve4;
+      });
+    }
+    const chunk = queue.shift();
+    if (chunk.kind === "close") {
+      if (!spawnFailed) exitCode = chunk.code ?? 0;
+      break;
+    }
+    if (chunk.kind === "error") {
+      spawnFailed = true;
+      exitCode = 1;
+      continue;
+    }
+    pending += chunk.data;
+    if (pending.length >= flushAt) {
+      yield { type: "partial_output", text: pending };
+      pending = "";
+    }
+  }
+  if (pending.length > 0) {
+    yield { type: "partial_output", text: pending };
+  }
+  return {
+    stdout,
+    stderr,
+    exitCode,
+    truncated: stdout.length >= max || stderr.length >= max,
+    error
+  };
+}
 
 // src/lint.ts
 var lintTool = {
@@ -2836,7 +3118,7 @@ async function detectManager2(cwd) {
   return "npm";
 }
 function runOutdated(manager, args, cwd, signal) {
-  return new Promise((resolve2) => {
+  return new Promise((resolve4) => {
     let stdout = "";
     let stderr = "";
     const MAX = 1e5;
@@ -2849,9 +3131,9 @@ function runOutdated(manager, args, cwd, signal) {
     });
     child.on("close", (code) => {
       const result = parseOutdatedOutput(stdout, code ?? 0);
-      resolve2(result);
+      resolve4(result);
     });
-    child.on("error", (e) => resolve2({
+    child.on("error", (e) => resolve4({
       exit_code: 1,
       packages: [],
       total: 0,
@@ -2937,7 +3219,14 @@ var logsTool = {
   async execute(input, ctx, opts) {
     const cwd = input.cwd ? safeResolve(input.cwd, ctx) : ctx.cwd;
     const lines = input.lines ?? 100;
-    const filterRe = input.filter ? new RegExp(input.filter, "i") : null;
+    let filterRe = null;
+    if (input.filter) {
+      const compiled = compileUserRegex(input.filter, "i");
+      if (!compiled.ok) {
+        throw new Error(`logs: ${compiled.reason}`);
+      }
+      filterRe = compiled.regex;
+    }
     if (input.service) {
       return await dockerLogs(input.service, lines, filterRe, cwd, opts.signal);
     }
@@ -2957,7 +3246,7 @@ async function dockerLogs(service, lines, filterRe, cwd, signal, since) {
   const args = ["logs"];
   if (lines > 0) args.push("--tail", String(lines));
   args.push("--timestamps", service);
-  return new Promise((resolve2) => {
+  return new Promise((resolve4) => {
     let stdout = "";
     let stderr = "";
     const MAX = 2e5;
@@ -2971,7 +3260,7 @@ async function dockerLogs(service, lines, filterRe, cwd, signal, since) {
     child.on("close", (code) => {
       const output = stdout + stderr;
       const entries = parseLogLines(output, filterRe);
-      resolve2({
+      resolve4({
         source: `docker:${service}`,
         entries,
         total: entries.length,
@@ -2979,7 +3268,7 @@ async function dockerLogs(service, lines, filterRe, cwd, signal, since) {
         stream_mode: false
       });
     });
-    child.on("error", (e) => resolve2({
+    child.on("error", (e) => resolve4({
       source: `docker:${service}`,
       entries: [],
       total: 0,
@@ -2988,29 +3277,41 @@ async function dockerLogs(service, lines, filterRe, cwd, signal, since) {
     }));
   });
 }
-async function fileLogs(path10, lines, filterRe, stream) {
+var MAX_TAIL_LINES = 1e5;
+async function fileLogs(path12, lines, filterRe, stream) {
   const { createInterface } = await import('readline');
   const { createReadStream } = await import('fs');
   const entries = [];
-  const allLines = [];
+  const effLines = lines > 0 ? Math.min(lines, MAX_TAIL_LINES) : MAX_TAIL_LINES;
+  const window = new Array(effLines);
+  let writeIdx = 0;
+  let totalLines = 0;
   const rl = createInterface({
-    input: createReadStream(path10),
+    input: createReadStream(path12),
     crlfDelay: Number.POSITIVE_INFINITY
   });
   for await (const line of rl) {
     if (filterRe && !filterRe.test(line)) continue;
-    allLines.push(line);
+    window[writeIdx] = line;
+    writeIdx = (writeIdx + 1) % effLines;
+    totalLines++;
+  }
+  const ordered = [];
+  const start = totalLines >= effLines ? writeIdx : 0;
+  const count = Math.min(totalLines, effLines);
+  for (let i = 0; i < count; i++) {
+    const v = window[(start + i) % effLines];
+    if (v !== void 0) ordered.push(v);
   }
-  const sliced = lines > 0 ? allLines.slice(-lines) : allLines;
-  for (const line of sliced) {
+  for (const line of ordered) {
     const parsed = parseLine(line);
     if (parsed) entries.push(parsed);
   }
   return {
-    source: path10,
+    source: path12,
     entries,
     total: entries.length,
-    truncated: allLines.length > lines && lines > 0,
+    truncated: totalLines > effLines,
     stream_mode: stream
   };
 }