@wrongstack/tools 0.260.0 → 0.265.1

package/dist/fetch.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/_util.ts","../src/fetch.ts"],"names":[],"mappings":";;;;;;;AA+FO,SAAS,cAAA,CAAe,GAAW,GAAA,EAAqB;AAC7D,EAAA,IAAI,OAAO,UAAA,CAAW,CAAA,EAAG,MAAM,CAAA,IAAK,KAAK,OAAO,CAAA;AAChD,EAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,GAAM,CAAC,CAAA;AAC/B,EAAA,OACE,CAAA,CAAE,KAAA,CAAM,CAAA,EAAG,IAAI,CAAA,GACf;AAAA,iBAAA,EAAiB,MAAA,CAAO,UAAA,CAAW,CAAA,EAAG,MAAM,IAAI,GAAG,CAAA;AAAA,CAAA,GACnD,CAAA,CAAE,KAAA,CAAM,CAAC,IAAI,CAAA;AAEjB;;;AC1FA,IAAM,EAAA,GAAK,IAAI,eAAA,CAAgB;AAAA;AAAA,EAE7B,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,cAAA,EAAgB;AAClB,CAAC,CAAA;AAMD,EAAA,CAAG,QAAQ,wBAAA,EAA0B;AAAA,EACnC,MAAA,EAAQ,CAAC,QAAA,EAAU,OAAA,EAAS,UAAU,CAAA;AAAA,EACtC,aAAa,MAAM;AACrB,CAAC,CAAA;AAcD,IAAM,SAAA,GAAY,MAAA;AAClB,IAAM,UAAA,GAAa,GAAA;AAEnB,IAAM,aAAA,GAAgB,OAAA,CAAQ,GAAA,CAAI,gCAAgC,CAAA,KAAM,GAAA;AACxE,IAAI,aAAA,IAAiB,CAAC,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,EAAG;AACvC,EAAA,OAAA,CAAQ,IAAA;AAAA,IACN;AAAA,GAGF;AACF;AAGA,IAAM,cAAA,GAAiB,CAAC,OAAA,KAAwC,WAAA,CAAY,IAAI,OAAO,CAAA;AAkBvF,SAAS,aAAA,CACP,QAAA,EACA,OAAA,EACA,QAAA,EACM;AACN,EACG,GAAA,CAAA,MAAA,CAAO,UAAU,EAAE,GAAA,EAAK,MAAM,CAAA,CAC9B,IAAA,CAAK,CAAC,OAAA,KAAY;AACjB,IAAA,MAAM,SAAS,OAAA,EAAS,MAAA;AACxB,IAAA,MAAM,QAAA,GACJ,MAAA,KAAW,CAAA,IAAK,MAAA,KAAW,CAAA,GAAI,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW,MAAM,CAAA,GAAI,OAAA;AAC9E,IAAA,MAAM,IAAA,GAAO,QAAA,CAAS,MAAA,GAAS,CAAA,GAAI,QAAA,GAAW,OAAA;AAC9C,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,KAAA,MAAW,KAAK,IAAA,EAAM;AACpB,QAAA,MAAM,GAAA,GAAM,CAAA,CAAE,MAAA,KAAW,CAAA,GAAI,aAAA,CAAc,EAAE,OAAO,CAAA,GAAI,aAAA,CAAc,CAAA,CAAE,OAAO,CAAA;AAC/E,QAAA,IAAI,GAAA,EAAK;AACP,UAAA,QAAA;AAAA,YACE,MAAA,CAAO,OAAO,IAAI,KAAA,CAAM,sCAAsC,CAAA,CAAE,OAAO,EAAE,CAAA,EAAG;AAAA,cAC1E,IAAA,EAAM;AAAA,aACP;AAAA,WACH;AACA,UAAA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,IAAA,IAAI,SAAS,GAAA,EAAK;AAChB,MAAA,QAAA;AAAA,QACE,IAAA;AAAA,QACA,IAAA,CAAK,GAAA,CAAI,CAAC,CAAA,MAAO,EAAE,OAAA,EAAS,CAAA,CAAE,OAAA,EAAS,MAAA,EAAQ,CAAA,CAAE,MAAA,EAAO,CAAE;AAAA,OAC5D;AACA,MAAA;AAAA,IACF;AACA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,EAAA,CAAG,CAAC,CAAA;AACvB,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,QAAA;AAAA,QACE,MAAA,CAAO,MAAA,CAAO,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,QAAQ,CAAA,CAAE,CAAA,EAAG,EAAE,IAAA,EAAM,WAAA,EAAa;AAAA,OACrF;AACA,MAAA;AAAA,IACF;AACA,IAAA,QAAA,CAAS,IAAA,EAAM,KAAA,CAAM,OAAA,EAAS,KAAA,CAAM,MAAM,CAAA;AAAA,EAC5C,CAAC,CAAA,CACA,KAAA,CAAM,CAAC,GAAA,KAAQ,QAAA,CAAS,GAA4B,CAAC,CAAA;AAC1D;AAOA,IAAI,WAAA;AACJ,SAAS,mBAAA,GAA6B;AACpC,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,WAAA,GAAc,IAAI,MAAM,EAAE,OAAA,EAAS,EAAE,MAAA,EAAQ,aAAA,IAA0B,CAAA;AAAA,EACzE;AACA,EAAA,OAAO,WAAA;AACT;AAKA,IAAI,qBAAA,GAAwB,KAAA;AAC5B,IAAI,CAAC,qBAAA,EAAuB;AAC1B,EAAA,qBAAA,GAAwB,IAAA;AACxB,EAAA,OAAA,CAAQ,EAAA,CAAG,cAAc,MAAM;AAC7B,IAAA,WAAA,EAAa,OAAA,EAAQ;AACrB,IAAA,WAAA,GAAc,MAAA;AAAA,EAChB,CAAC,CAAA;AACH;AAUA,eAAsB,YAAA,CACpB,GAAA,EACA,YAAA,EACA,MAAA,EACA,OAAA,GAAkC;AAAA,EAChC,YAAA,EAAc,0CAAA;AAAA,EACd,MAAA,EAAQ;AACV,CAAA,EACmB;AACnB,EAAA,IAAI,aAAA,GAAgB,CAAA;AACpB,EAAA,IAAI,UAAA,GAAa,GAAA;AACjB,EAAA,WAAS;AAGP,IAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,UAAU,CAAA;AACjC,IAAA,IAAI,MAAA,CAAO,QAAA,KAAa,QAAA,IAAY,MAAA,CAAO,aAAa,OAAA,EAAS;AAC/D,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yCAAA,EAA4C,MAAA,CAAO,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,IAChF;AACA,IAAA,IAAI,MAAA,CAAO,QAAA,KAAa,OAAA,IAAW,CAAC,aAAA,EAAe;AACjD,MAAA,MAAM,IAAI,MAAM,gEAAgE,CAAA;AAAA,IAClF;AACA,IAAA,MAAM,gBAAA,CAAiB,OAAO,QAAQ,CAAA;AAQtC,IAAA,MAAM,IAAA,GAAO;AAAA,MACX,QAAA,EAAU,QAAA;AAAA,MACV,MAAA;AAAA,MACA,OAAA;AAAA,MACA,YAAY,mBAAA;AAAoB,KAClC;AACA,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,UAAA,EAAY,IAA8B,CAAA;AAClE,IAAA,IAAI,GAAA,CAAI,MAAA,GAAS,GAAA,IAAO,GAAA,CAAI,SAAS,GAAA,EAAK;AACxC,MAAA,OAAO,GAAA;AAAA,IACT;AACA,IAAA,aAAA,EAAA;AACA,IAAA,IAAI,gBAAgB,YAAA,EAAc;AAChC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,gBAAA,EAAmB,YAAY,CAAA,UAAA,CAAY,CAAA;AAAA,IAC7D;AACA,IAAA,MAAM,QAAA,GAAW,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAC3C,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,IAClE;AACA,IAAA,UAAA,GAAa,IAAI,GAAA,CAAI,QAAA,EAAU,UAAU,EAAE,QAAA,EAAS;AAAA,EACtD;AACF;AAEO,IAAM,SAAA,GAA2C;AAAA,EACtD,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,SAAA;AAAA,EACV,WAAA,EACE,oNAAA;AAAA,EAEF,SAAA,EACE,+ZAAA;AAAA,EAOF,UAAA,EAAY,SAAA;AAAA,EACZ,QAAA,EAAU,KAAA;AAAA,EACV,YAAA,EAAc,CAAC,cAAc,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAK7B,UAAA,EAAY,KAAA;AAAA,EACZ,SAAA,EAAW,UAAA;AAAA,EACX,cAAA,EAAgB,SAAA;AAAA,EAChB,WAAA,EAAa;AAAA,IACX,IAAA,EAAM,QAAA;AAAA,IACN,UAAA,EAAY;AAAA,MACV,GAAA,EAAK;AAAA,QACH,IAAA,EAAM,QAAA;AAAA,QACN,WAAA,EAAa;AAAA,OACf;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,IAAA,EAAM,QAAA;AAAA,QACN,IAAA,EAAM,CAAC,UAAA,EAAY,MAAA,EAAQ,KAAK,CAAA;AAAA,QAChC,WAAA,EAAa;AAAA;AACf,KACF;AAAA,IACA,QAAA,EAAU,CAAC,KAAK;AAAA,GAClB;AAAA,EACA,MAAM,OAAA,CAAQ,KAAA,EAAO,GAAA,EAAK,IAAA,EAAM;AAC9B,IAAA,IAAI,KAAA;AACJ,IAAA,MAAM,gBAAgB,SAAA,CAAU,aAAA;AAChC,IAAA,IAAI,CAAC,aAAA,EAAe,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAC7E,IAAA,WAAA,MAAiB,EAAA,IAAM,aAAA,CAAc,KAAA,EAAO,GAAA,EAAK,IAAI,CAAA,EAAG;AACtD,MAAA,IAAI,EAAA,CAAG,IAAA,KAAS,OAAA,EAAS,KAAA,GAAQ,EAAA,CAAG,MAAA;AAAA,IACtC;AACA,IAAA,IAAI,CAAC,KAAA,EAAO,MAAM,IAAI,MAAM,yCAAyC,CAAA;AACrE,IAAA,OAAO,KAAA;AAAA,EACT,CAAA;AAAA,EACA,OAAO,aAAA,CAAc,KAAA,EAAO,IAAA,EAAM,IAAA,EAAoD;AACpF,IAAA,IAAI,CAAC,KAAA,EAAO,GAAA,EAAK,MAAM,IAAI,MAAM,wBAAwB,CAAA;AACzD,IAAA,MAAM,CAAA,GAAI,IAAI,GAAA,CAAI,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAA,CAAE,QAAA,KAAa,QAAA,IAAY,CAAA,CAAE,aAAa,OAAA,EAAS;AACrD,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,CAAA,CAAE,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,IAC/D;AACA,IAAA,IAAI,CAAA,CAAE,QAAA,KAAa,OAAA,IAAW,CAAC,aAAA,EAAe;AAC5C,MAAA,MAAM,IAAI,MAAM,oDAAoD,CAAA;AAAA,IACtE;AACA,IAAA,MAAM,gBAAA,CAAiB,EAAE,QAAQ,CAAA;AAEjC,IAAA,MAAM,EAAE,IAAA,EAAM,KAAA,EAAO,MAAM,CAAA,IAAA,EAAO,KAAA,CAAM,GAAG,CAAA,CAAA,EAAG;AAE9C,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,EAAgB;AACjC,IAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,MAAM,IAAA,CAAK,KAAA,CAAM,IAAI,KAAA,CAAM,eAAe,CAAC,CAAA,EAAG,UAAU,CAAA;AACjF,IAAA,MAAM,WAAW,cAAA,CAAe,CAAC,KAAK,MAAA,EAAQ,IAAA,CAAK,MAAM,CAAC,CAAA;AAE1D,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,YAAA,CAAa,KAAA,CAAM,GAAA,EAAK,GAAG,QAAQ,CAAA;AAErD,MAAA,MAAM,EAAA,GAAK,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,IAAK,0BAAA;AAC9C,MAAA,IAAI,sDAAA,CAAuD,IAAA,CAAK,EAAE,CAAA,EAAG;AACnE,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6CAAA,EAAgD,EAAE,CAAA,CAAA,CAAG,CAAA;AAAA,MACvE;AAEA,MAAA,MAAM;AAAA,QACJ,IAAA,EAAM,KAAA;AAAA,QACN,IAAA,EAAM,CAAA,KAAA,EAAQ,GAAA,CAAI,MAAM,IAAI,EAAE,CAAA,CAAA;AAAA,QAC9B,MAAM,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,aAAa,EAAA;AAAG,OAC9C;AAEA,MAAA,MAAM,MAAA,GAAS,GAAA,CAAI,IAAA,EAAM,SAAA,EAAU;AACnC,MAAA,IAAI,QAAA,GAAW,CAAA;AACf,MAAA,MAAM,SAAuB,EAAC;AAC9B,MAAA,IAAI,YAAA,GAAe,CAAA;AACnB,MAAA,MAAM,WAAW,CAAA,GAAI,IAAA;AACrB,MAAA,IAAI,MAAA,EAAQ;AACV,QAAA,WAAS;AACP,UAAA,MAAM,EAAE,KAAA,EAAO,IAAA,EAAK,GAAI,MAAM,OAAO,IAAA,EAAK;AAC1C,UAAA,IAAI,IAAA,EAAM;AACV,UAAA,IAAI,CAAC,KAAA,EAAO;AACZ,UAAA,QAAA,IAAY,KAAA,CAAM,UAAA;AAClB,UAAA,YAAA,IAAgB,KAAA,CAAM,UAAA;AACtB,UAAA,MAAA,CAAO,KAAK,KAAK,CAAA;AACjB,UAAA,IAAI,gBAAgB,QAAA,EAAU;AAI5B,YAAA,MAAM,SAAS,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,OAAO,CAAA;AAClD,YAAA,MAAM;AAAA,cACJ,IAAA,EAAM,gBAAA;AAAA,cACN,IAAA,EAAM,MAAA;AAAA,cACN,IAAA,EAAM,EAAE,QAAA;AAAS,aACnB;AACA,YAAA,YAAA,GAAe,CAAA;AAAA,UACjB;AACA,UAAA,IAAI,WAAW,SAAA,EAAW;AAAA,QAC5B;AAAA,MACF;AACA,MAAA,MAAM,IAAA,GAAO,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,IAAI,CAAC,CAAA,KAAM,MAAA,CAAO,IAAA,CAAK,CAAC,CAAC,CAAC,CAAA,CAAE,SAAS,MAAM,CAAA;AAE7E,MAAA,MAAM,SAAS,KAAA,CAAM,MAAA,KAAW,GAAG,QAAA,CAAS,WAAW,IAAI,UAAA,GAAa,MAAA,CAAA;AACxE,MAAA,IAAI,OAAA;AACJ,MAAA,IAAI,MAAA,KAAW,OAAO,OAAA,GAAU,IAAA;AAAA,WAAA,IACvB,MAAA,KAAW,cAAc,EAAA,CAAG,QAAA,CAAS,WAAW,CAAA,EAAG,OAAA,GAAU,EAAA,CAAG,QAAA,CAAS,IAAI,CAAA;AAAA,WAAA,IAC7E,GAAG,QAAA,CAAS,kBAAkB,CAAA,EAAG,OAAA,GAAU,WAAW,IAAI,CAAA;AAAA,WAC9D,OAAA,GAAU,IAAA;AAEf,MAAA,MAAM;AAAA,QACJ,IAAA,EAAM,OAAA;AAAA,QACN,MAAA,EAAQ;AAAA,UACN,OAAA,EAAS,cAAA,CAAe,OAAA,EAAS,SAAS,CAAA;AAAA,UAC1C,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,YAAA,EAAc,EAAA;AAAA,UACd,KAAK,GAAA,CAAI;AAAA;AACX,OACF;AAAA,IACF,CAAA,SAAE;AACA,MAAA,YAAA,CAAa,KAAK,CAAA;AAAA,IACpB;AAAA,EACF;AACF;AAEA,eAAe,iBAAiB,QAAA,EAAiC;AAC/D,EAAA,IAAI,aAAA,EAAe;AAEnB,EAAA,MAAM,IAAA,GACJ,QAAA,CAAS,UAAA,CAAW,GAAG,CAAA,IAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,GAAI,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,QAAA;AAE/E,EAAA,IAAI,IAAA,KAAS,WAAA,IAAe,IAAA,CAAK,QAAA,CAAS,YAAY,CAAA,EAAG;AACvD,IAAA,MAAM,IAAI,MAAM,iCAAiC,CAAA;AAAA,EACnD;AAEA,EAAA,MAAM,SAAA,GAAgB,SAAK,IAAI,CAAA;AAC/B,EAAA,IAAI,cAAc,CAAA,EAAG;AACnB,IAAA,IAAI,aAAA,CAAc,IAAI,CAAA,EAAG;AACvB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yCAAA,EAA4C,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,IACrE;AAAA,EACF,CAAA,MAAA,IAAW,cAAc,CAAA,EAAG;AAC1B,IAAA,IAAI,aAAA,CAAc,IAAI,CAAA,EAAG;AACvB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yCAAA,EAA4C,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,IACrE;AAAA,EACF,CAAA,MAAO;AAOL,IAAA,IAAI;AAEF,MAAA,MAAM,UAAU,MAAU,GAAA,CAAA,MAAA,CAAO,MAAM,EAAE,GAAA,EAAK,MAAM,CAAA;AACpD,MAAA,KAAA,MAAW,KAAK,OAAA,EAAS;AACvB,QAAA,MAAM,GAAA,GAAM,CAAA,CAAE,MAAA,KAAW,CAAA,GAAI,aAAA,CAAc,EAAE,OAAO,CAAA,GAAI,aAAA,CAAc,CAAA,CAAE,OAAO,CAAA;AAC/E,QAAA,IAAI,GAAA,EAAK;AACP,UAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mCAAA,EAAsC,CAAA,CAAE,OAAO,CAAA,CAAE,CAAA;AAAA,QACnE;AAAA,MACF;AAAA,IACF,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,eAAe,KAAA,IAAS,GAAA,CAAI,QAAQ,UAAA,CAAW,QAAQ,GAAG,MAAM,GAAA;AAAA,IAEtE;AAAA,EACF;AACF;AAEA,SAAS,WAAW,CAAA,EAAmB;AACrC,EAAA,IAAI;AACF,IAAA,OAAO,KAAK,SAAA,CAAU,IAAA,CAAK,MAAM,CAAC,CAAA,EAAG,MAAM,CAAC,CAAA;AAAA,EAC9C,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,CAAA;AAAA,EACT;AACF","file":"fetch.js","sourcesContent":["import * as fsp from 'node:fs/promises';\nimport * as path from 'node:path';\nimport * as Core from '@wrongstack/core';\nimport type { Context } from '@wrongstack/core';\n/** Detected package manager for a project directory. */\nexport type PackageManager = 'pnpm' | 'yarn' | 'npm';\n\n/**\n * Detect the project's package manager by inspecting lockfiles in `cwd`.\n * Order: pnpm → yarn → npm (default). Missing or unreadable directories fall\n * back to `npm` rather than throwing, so a `safeResolve`-checked cwd that\n * happens to be empty never aborts the tool.\n */\nexport async function detectPackageManager(cwd: string): Promise<PackageManager> {\n  const { stat } = await import('node:fs/promises');\n  try {\n    await stat(`${cwd}/pnpm-lock.yaml`);\n    return 'pnpm';\n  } catch {\n    /* not pnpm */\n  }\n  try {\n    await stat(`${cwd}/yarn.lock`);\n    return 'yarn';\n  } catch {\n    /* not yarn */\n  }\n  return 'npm';\n}\n\nexport function resolvePath(input: string, ctx: Context): string {\n  return path.isAbsolute(input) ? path.normalize(input) : path.resolve(ctx.workingDir ?? ctx.cwd, input);\n}\n\nexport function ensureInsideRoot(absPath: string, ctx: Context): string {\n  const root = path.resolve(ctx.projectRoot);\n  const target = path.resolve(absPath);\n  const rel = path.relative(root, target);\n  if (rel.startsWith('..') || path.isAbsolute(rel)) {\n    throw new Error(`Path \"${absPath}\" is outside project root \"${root}\"`);\n  }\n  return target;\n}\n\nexport function safeResolve(input: string, ctx: Context): string {\n  return ensureInsideRoot(resolvePath(input, ctx), ctx);\n}\n\n/**\n * Defense against in-root→out-of-root symlink escape (CWE-59). `safeResolve`\n * only does a syntactic `../` check, so a symlink that lives *inside* the\n * project root but points outside still passes it. This resolves the path\n * through `fs.realpath` and re-verifies containment against the realpath of\n * the project root (comparing like-for-like, since the root itself may be a\n * symlink — macOS `/var`→`/private/var`, Windows 8.3 short names). For a path\n * that does not exist yet (e.g. a `write` to a new file) the nearest existing\n * ancestor directory is checked instead. Throws if the real target escapes.\n *\n * Mirrors the per-file guard already used in `replace.ts`/`grep.ts`; applied\n * to single-file `read`/`edit`/`write` it throws (rather than skips) because\n * the caller named exactly one file.\n */\nexport async function assertRealInsideRoot(absPath: string, ctx: Context): Promise<void> {\n  const realRoot = await fsp.realpath(ctx.projectRoot).catch(() => path.resolve(ctx.projectRoot));\n  let probe = absPath;\n  for (;;) {\n    let real: string;\n    try {\n      real = await fsp.realpath(probe);\n    } catch (err) {\n      if ((err as NodeJS.ErrnoException).code === 'ENOENT') {\n        const parent = path.dirname(probe);\n        if (parent === probe) return; // reached fs root without escaping\n        probe = parent;\n        continue;\n      }\n      throw err;\n    }\n    const rel = path.relative(realRoot, real);\n    if (rel.startsWith('..') || path.isAbsolute(rel)) {\n      throw new Error(\n        `Path \"${absPath}\" resolves through a symlink outside project root \"${realRoot}\"`,\n      );\n    }\n    return;\n  }\n}\n\n/** `safeResolve` + symlink realpath containment check. Async. */\nexport async function safeResolveReal(input: string, ctx: Context): Promise<string> {\n  const abs = safeResolve(input, ctx);\n  await assertRealInsideRoot(abs, ctx);\n  return abs;\n}\n\nexport function truncateMiddle(s: string, max: number): string {\n  if (Buffer.byteLength(s, 'utf8') <= max) return s;\n  const half = Math.floor(max / 2);\n  return (\n    s.slice(0, half) +\n    `\\n…[truncated ${Buffer.byteLength(s, 'utf8') - max} bytes from middle]…\\n` +\n    s.slice(-half)\n  );\n}\n\nexport function isBinaryBuffer(buf: Buffer): boolean {\n  const len = Math.min(buf.length, 8192);\n  for (let i = 0; i < len; i++) {\n    if (buf[i] === 0) return true;\n  }\n  return false;\n}\n\n// ─── Command-output normalization (token-saving) ────────────────────────────\n//\n// Raw process output is full of tokens the model gains nothing from: ANSI\n// escapes, carriage-return progress spam, runs of identical warning lines, and\n// huge tails of build noise. These helpers strip that noise before the output\n// reaches the LLM. They are scoped to COMMAND tools (bash/git/exec and the\n// _spawn-stream consumers) — never applied to structured/code outputs.\n\n/** Unified byte cap for all command tool output fed to the model. */\nexport const COMMAND_OUTPUT_MAX_BYTES = 32_768;\n\n/** Runs of >= this many identical consecutive lines are collapsed. */\nconst REPEAT_RUN_THRESHOLD = 3;\n\n/**\n * Collapse carriage-return overwrites the way a terminal would: `\\r\\n` becomes\n * `\\n`, and a bare `\\r` (progress redraw) keeps only the text after the LAST\n * `\\r` on its physical line. Without this, a single progress bar that redraws\n * 200 times explodes into 200 lines.\n */\nexport function collapseCarriageReturns(text: string): string {\n  const lf = text.replace(/\\r\\n/g, '\\n');\n  if (!lf.includes('\\r')) return lf;\n  return lf\n    .split('\\n')\n    .map((line) => (line.includes('\\r') ? line.slice(line.lastIndexOf('\\r') + 1) : line))\n    .join('\\n');\n}\n\n/**\n * Collapse a run of `minRun`+ identical consecutive lines into the line once\n * plus a marker. Consecutive-only — it never reorders or dedups non-adjacent\n * lines, so diffs/source stay intact.\n */\nexport function collapseConsecutiveDuplicates(text: string, minRun = REPEAT_RUN_THRESHOLD): string {\n  const lines = text.split('\\n');\n  const out: string[] = [];\n  let i = 0;\n  while (i < lines.length) {\n    let j = i + 1;\n    while (j < lines.length && lines[j] === lines[i]) j++;\n    const run = j - i;\n    if (run >= minRun) {\n      out.push(lines[i]!, `… ⟨repeated ${run}×⟩`);\n    } else {\n      for (let k = i; k < j; k++) out.push(lines[k]!);\n    }\n    i = j;\n  }\n  return out.join('\\n');\n}\n\n/** Largest prefix of `s` whose UTF-8 byte length is <= `maxBytes`. */\nfunction takeHeadBytes(s: string, maxBytes: number): string {\n  if (maxBytes <= 0) return '';\n  if (Buffer.byteLength(s, 'utf8') <= maxBytes) return s;\n  let lo = 0;\n  let hi = s.length;\n  while (lo < hi) {\n    const mid = Math.ceil((lo + hi) / 2);\n    if (Buffer.byteLength(s.slice(0, mid), 'utf8') <= maxBytes) lo = mid;\n    else hi = mid - 1;\n  }\n  return s.slice(0, lo);\n}\n\n/** Largest suffix of `s` whose UTF-8 byte length is <= `maxBytes`. */\nfunction takeTailBytes(s: string, maxBytes: number): string {\n  if (maxBytes <= 0) return '';\n  if (Buffer.byteLength(s, 'utf8') <= maxBytes) return s;\n  let lo = 0;\n  let hi = s.length;\n  while (lo < hi) {\n    const mid = Math.ceil((lo + hi) / 2);\n    if (Buffer.byteLength(s.slice(s.length - mid), 'utf8') <= maxBytes) lo = mid;\n    else hi = mid - 1;\n  }\n  return s.slice(s.length - lo);\n}\n\n/**\n * Truncate to `maxBytes` keeping BOTH ends — the head (what ran / early context)\n * and the tail (errors and summaries usually land last), biased ~45/55 toward\n * the tail. The result never exceeds `maxBytes`.\n */\nexport function truncateHeadTail(s: string, maxBytes: number): string {\n  const total = Buffer.byteLength(s, 'utf8');\n  if (total <= maxBytes) return s;\n  // Reserve a fixed allowance for the marker so the final string can't exceed\n  // the cap even though the dropped-byte count's digit width varies.\n  const MARKER_RESERVE = 64;\n  const avail = Math.max(0, maxBytes - MARKER_RESERVE);\n  const headBudget = Math.floor(avail * 0.45);\n  const head = takeHeadBytes(s, headBudget);\n  const tail = takeTailBytes(s, avail - Buffer.byteLength(head, 'utf8'));\n  const kept = Buffer.byteLength(head, 'utf8') + Buffer.byteLength(tail, 'utf8');\n  return `${head}\\n…[truncated ${total - kept} bytes]…\\n${tail}`;\n}\n\n/**\n * Full token-saving pipeline for command tool output: strip ANSI → collapse\n * carriage-return progress → trim trailing whitespace → collapse identical\n * consecutive lines → squeeze blank-line runs → head+tail truncate to the cap.\n */\nexport function normalizeCommandOutput(\n  raw: string,\n  opts: { maxBytes?: number | undefined } = {},\n): string {\n  if (!raw) return raw;\n  let text = Core.stripAnsi(raw);\n  text = collapseCarriageReturns(text);\n  text = text.replace(/[ \\t]+$/gm, ''); // trailing whitespace per line\n  text = collapseConsecutiveDuplicates(text);\n  text = text.replace(/\\n{3,}/g, '\\n\\n'); // >=2 blank lines → 1\n  return truncateHeadTail(text, opts.maxBytes ?? COMMAND_OUTPUT_MAX_BYTES);\n}\n","import * as dns from 'node:dns/promises';\nimport * as net from 'node:net';\nimport type { Tool, ToolStreamEvent } from '@wrongstack/core';\nimport { isPrivateIPv4, isPrivateIPv6 } from '@wrongstack/core';\nimport { Agent } from 'undici';\nimport TurndownService from 'turndown';\nimport { truncateMiddle } from './_util.js';\n\n/**\n * Singleton Turndown instance for HTML→Markdown conversion.\n * Pre-configured with sensible defaults; code blocks are handled via the\n * default fenced code rule. Reused across all fetch calls.\n */\nconst TD = new TurndownService({\n  // Use `# Title` for headings, not setext underline style (`Title\\n=====`).\n  headingStyle: 'atx',\n  // Don't wrap code blocks in <pre> — render them as triple-backtick blocks.\n  codeBlockStyle: 'fenced',\n});\n\n// Strip <script>/<style>/<noscript> before turndown sees them. The old\n// hand-rolled converter did this via regex; turndown's DOM-based approach\n// may keep their text content unless we remove the elements first.\n// Using turndown's own addRule mechanism keeps the logic co-located.\nTD.addRule('stripDangerousElements', {\n  filter: ['script', 'style', 'noscript'],\n  replacement: () => '',\n});\n\ninterface FetchInput {\n  url: string;\n  format?: 'markdown' | 'text' | 'raw' | undefined;\n}\n\ninterface FetchOutput {\n  content: string;\n  status: number;\n  content_type: string;\n  url: string;\n}\n\nconst MAX_BYTES = 131_072;\nconst TIMEOUT_MS = 20_000;\n\nconst ALLOW_PRIVATE = process.env['WRONGSTACK_FETCH_ALLOW_PRIVATE'] === '1';\nif (ALLOW_PRIVATE && !process.env['CI']) {\n  console.warn(\n    '[WrongStack] WARNING: WRONGSTACK_FETCH_ALLOW_PRIVATE=1 is active —\\n' +\n    '  fetch tool can now access private IPs (10.x, 192.168.x, 169.254.x),\\n' +\n    '  cloud metadata endpoints, and plaintext HTTP. Use only on isolated networks.',\n  );\n}\n\n/** Abort when any of the signals abort (Node 22+ — AbortSignal.any shipped in Node 20). */\nconst combineSignals = (signals: AbortSignal[]): AbortSignal => AbortSignal.any(signals);\n\ntype LookupCallback = (\n  err: NodeJS.ErrnoException | null,\n  address?: string | Array<{ address: string | undefined; family: number }>,\n  family?: number | undefined,\n) => void;\n\n/**\n * DNS lookup used by the undici dispatcher below. It performs the SINGLE name\n * resolution that the TCP connection actually uses, and rejects if any\n * resolved address is private/loopback/link-local. Because the connection\n * reuses exactly this result, there is no DNS-rebinding TOCTOU window between\n * the security check and the connect — closing the gap the old code documented\n * (validate with one dns.lookup, then let fetch re-resolve independently).\n * TLS still validates the certificate against the hostname (SNI is set by\n * undici from the URL), so pinning the IP does not weaken cert checking.\n */\nfunction guardedLookup(\n  hostname: string,\n  options: { all?: boolean | undefined; family?: number | undefined },\n  callback: LookupCallback,\n): void {\n  dns\n    .lookup(hostname, { all: true })\n    .then((records) => {\n      const family = options?.family;\n      const byFamily =\n        family === 4 || family === 6 ? records.filter((r) => r.family === family) : records;\n      const list = byFamily.length > 0 ? byFamily : records;\n      if (!ALLOW_PRIVATE) {\n        for (const r of list) {\n          const bad = r.family === 4 ? isPrivateIPv4(r.address) : isPrivateIPv6(r.address);\n          if (bad) {\n            callback(\n              Object.assign(new Error(`fetch: resolved to private address ${r.address}`), {\n                code: 'EAI_FAIL',\n              }),\n            );\n            return;\n          }\n        }\n      }\n      if (options?.all) {\n        callback(\n          null,\n          list.map((r) => ({ address: r.address, family: r.family })),\n        );\n        return;\n      }\n      const first = list.at(0);\n      if (!first) {\n        callback(\n          Object.assign(new Error(`fetch: no address for ${hostname}`), { code: 'ENOTFOUND' }),\n        );\n        return;\n      }\n      callback(null, first.address, first.family);\n    })\n    .catch((err) => callback(err as NodeJS.ErrnoException));\n}\n\n// Reused across requests; guardedLookup re-validates on every new connection,\n// so connection pooling is safe. Literal-IP targets bypass lookup entirely and\n// are caught by assertNotPrivate's pre-check instead.\n// Destroyed on process exit so long-running processes (eternal autonomy,\n// MCP server mode) don't let the connection pool grow unboundedly.\nlet pinnedAgent: Agent | undefined;\nfunction getPinnedDispatcher(): Agent {\n  if (!pinnedAgent) {\n    pinnedAgent = new Agent({ connect: { lookup: guardedLookup as never } });\n  }\n  return pinnedAgent;\n}\n// Clean up the global dispatcher on exit — undici Agents maintain connection\n// pools and DNS caches that should be torn down in long-running processes.\n// Guard against duplicate registration (module reload/HMR would otherwise\n// accumulate listeners).\nlet _beforeExitRegistered = false;\nif (!_beforeExitRegistered) {\n  _beforeExitRegistered = true;\n  process.on('beforeExit', () => {\n    pinnedAgent?.destroy();\n    pinnedAgent = undefined;\n  });\n}\n\n/**\n * SSRF-guarded fetch with manual, per-hop-revalidated redirects, exported so\n * other builtin tools (e.g. `search`) get the same protections instead of a\n * weaker `redirect: 'follow'`. Every hop is re-checked against private/loopback\n * ranges and the connection is pinned to the validated IP via the undici\n * dispatcher (no DNS-rebinding TOCTOU). `headers` defaults to the plain `fetch`\n * tool's; callers may override (e.g. a browser User-Agent for search engines).\n */\nexport async function guardedFetch(\n  url: string,\n  maxRedirects: number,\n  signal: AbortSignal,\n  headers: Record<string, string> = {\n    'user-agent': 'WrongStack/1.0 (+https://wrongstack.com)',\n    accept: 'text/html,application/json;q=0.9,text/plain;q=0.8,*/*;q=0.1',\n  },\n): Promise<Response> {\n  let redirectCount = 0;\n  let currentUrl = url;\n  for (;;) {\n    // Re-validate every hop. A public host can 302 to 169.254.169.254 (cloud metadata),\n    // or DNS can rebind between hops; checking only the initial URL is insufficient.\n    const parsed = new URL(currentUrl);\n    if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {\n      throw new Error(`fetch: redirect to unsupported protocol \"${parsed.protocol}\"`);\n    }\n    if (parsed.protocol === 'http:' && !ALLOW_PRIVATE) {\n      throw new Error('fetch: redirect to http:// blocked (HTTPS required by default)');\n    }\n    await assertNotPrivate(parsed.hostname);\n\n    // The dispatcher pins the connection to the IP guardedLookup validated —\n    // no independent re-resolution, so DNS rebinding can't swap in a private\n    // address between check and connect. `dispatcher` is a runtime option of\n    // Node's undici-backed global fetch but isn't in lib.dom's RequestInit, and\n    // our undici Agent's type differs from the @types/node copy — hence the\n    // cast. (Verified: global fetch invokes the Agent's custom lookup.)\n    const init = {\n      redirect: 'manual' as const,\n      signal,\n      headers,\n      dispatcher: getPinnedDispatcher(),\n    };\n    const res = await fetch(currentUrl, init as unknown as RequestInit);\n    if (res.status < 300 || res.status > 399) {\n      return res;\n    }\n    redirectCount++;\n    if (redirectCount > maxRedirects) {\n      throw new Error(`fetch: exceeded ${maxRedirects} redirects`);\n    }\n    const location = res.headers.get('location');\n    if (!location) {\n      throw new Error('fetch: redirect status with no location header');\n    }\n    currentUrl = new URL(location, currentUrl).toString();\n  }\n}\n\nexport const fetchTool: Tool<FetchInput, FetchOutput> = {\n  name: 'fetch',\n  category: 'Network',\n  description:\n    'Fetch a URL and return its content. HTML pages are automatically converted to clean markdown. ' +\n    'This tool has strong SSRF protections (private IPs, localhost, and cloud metadata endpoints are blocked by default).',\n  usageHint:\n    'Use this when you need external information (documentation, API responses, web pages, etc.).\\n\\n' +\n    'Security notes:\\n' +\n    '- Only HTTPS is allowed by default.\\n' +\n    '- Internal/private networks are blocked unless explicitly enabled via environment variable.\\n' +\n    '- Redirects are followed but re-validated at each hop.\\n' +\n    '- Output is capped (128KB by default) to avoid flooding context.\\n' +\n    'Prefer this over raw `bash curl` or `bash wget`.',\n  permission: 'confirm',\n  mutating: false,\n  capabilities: ['net.outbound'],\n  // Trust rules for fetch match on the literal URL — declare it explicitly\n  // so a user can trust `https://api.example.com/*` without accidentally\n  // matching that pattern on any other tool that happens to have a `url`\n  // input field.\n  subjectKey: 'url',\n  timeoutMs: TIMEOUT_MS,\n  maxOutputBytes: MAX_BYTES,\n  inputSchema: {\n    type: 'object',\n    properties: {\n      url: {\n        type: 'string',\n        description: 'The target URL (must use https://).',\n      },\n      format: {\n        type: 'string',\n        enum: ['markdown', 'text', 'raw'],\n        description: 'Output format. \"markdown\" is recommended for HTML pages.',\n      },\n    },\n    required: ['url'],\n  },\n  async execute(input, ctx, opts) {\n    let final: FetchOutput | undefined;\n    const executeStream = fetchTool.executeStream;\n    if (!executeStream) throw new Error('fetchTool: stream execution unavailable');\n    for await (const ev of executeStream(input, ctx, opts)) {\n      if (ev.type === 'final') final = ev.output;\n    }\n    if (!final) throw new Error('fetch: stream ended without final event');\n    return final;\n  },\n  async *executeStream(input, _ctx, opts): AsyncGenerator<ToolStreamEvent<FetchOutput>> {\n    if (!input?.url) throw new Error('fetch: url is required');\n    const u = new URL(input.url);\n    if (u.protocol !== 'https:' && u.protocol !== 'http:') {\n      throw new Error(`fetch: unsupported protocol \"${u.protocol}\"`);\n    }\n    if (u.protocol === 'http:' && !ALLOW_PRIVATE) {\n      throw new Error('fetch: http:// blocked (HTTPS required by default)');\n    }\n    await assertNotPrivate(u.hostname);\n\n    yield { type: 'log', text: `GET ${input.url}` };\n\n    const ctrl = new AbortController();\n    const timer = setTimeout(() => ctrl.abort(new Error('fetch timeout')), TIMEOUT_MS);\n    const combined = combineSignals([opts.signal, ctrl.signal]);\n\n    try {\n      const res = await guardedFetch(input.url, 5, combined);\n\n      const ct = res.headers.get('content-type') ?? 'application/octet-stream';\n      if (/^image\\/|^audio\\/|^video\\/|application\\/octet-stream/.test(ct)) {\n        throw new Error(`fetch: refusing to read binary content-type \"${ct}\"`);\n      }\n\n      yield {\n        type: 'log',\n        text: `HTTP ${res.status} ${ct}`,\n        data: { status: res.status, contentType: ct },\n      };\n\n      const reader = res.body?.getReader();\n      let received = 0;\n      const chunks: Uint8Array[] = [];\n      let pendingBytes = 0;\n      const FLUSH_AT = 4 * 1024;\n      if (reader) {\n        for (;;) {\n          const { value, done } = await reader.read();\n          if (done) break;\n          if (!value) continue;\n          received += value.byteLength;\n          pendingBytes += value.byteLength;\n          chunks.push(value);\n          if (pendingBytes >= FLUSH_AT) {\n            // Snapshot recent bytes for the partial_output. Keep it cheap —\n            // don't try to decode UTF-8 boundaries; the TUI just needs a\n            // \"things are happening\" signal.\n            const recent = Buffer.from(value).toString('utf-8');\n            yield {\n              type: 'partial_output',\n              text: recent,\n              data: { received },\n            };\n            pendingBytes = 0;\n          }\n          if (received > MAX_BYTES) break;\n        }\n      }\n      const text = Buffer.concat(chunks.map((c) => Buffer.from(c))).toString('utf8');\n\n      const format = input.format ?? (ct.includes('text/html') ? 'markdown' : 'text');\n      let content: string;\n      if (format === 'raw') content = text;\n      else if (format === 'markdown' && ct.includes('text/html')) content = TD.turndown(text);\n      else if (ct.includes('application/json')) content = prettyJson(text);\n      else content = text;\n\n      yield {\n        type: 'final',\n        output: {\n          content: truncateMiddle(content, MAX_BYTES),\n          status: res.status,\n          content_type: ct,\n          url: res.url,\n        },\n      };\n    } finally {\n      clearTimeout(timer);\n    }\n  },\n};\n\nasync function assertNotPrivate(hostname: string): Promise<void> {\n  if (ALLOW_PRIVATE) return;\n\n  const host =\n    hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname;\n\n  if (host === 'localhost' || host.endsWith('.localhost')) {\n    throw new Error('fetch: blocked localhost target');\n  }\n\n  const ipVersion = net.isIP(host);\n  if (ipVersion === 4) {\n    if (isPrivateIPv4(host)) {\n      throw new Error(`fetch: blocked private/loopback address \"${host}\"`);\n    }\n  } else if (ipVersion === 6) {\n    if (isPrivateIPv6(host)) {\n      throw new Error(`fetch: blocked private/loopback address \"${host}\"`);\n    }\n  } else {\n    // Hostname — pre-flight check: resolve and reject if any record is private,\n    // so we fail fast with a clear error before opening a socket. The\n    // authoritative anti-rebinding control is guardedLookup on the pinned\n    // undici dispatcher (see getPinnedDispatcher): it performs the single\n    // resolution the connection actually uses, so there is no TOCTOU between\n    // this check and the connect. Each redirect target is re-checked too.\n    try {\n      // Use dns.lookup for async hostname resolution (matches guardedLookup below).\n      const records = await dns.lookup(host, { all: true });\n      for (const r of records) {\n        const bad = r.family === 4 ? isPrivateIPv4(r.address) : isPrivateIPv6(r.address);\n        if (bad) {\n          throw new Error(`fetch: resolved to private address ${r.address}`);\n        }\n      }\n    } catch (err) {\n      if (err instanceof Error && err.message.startsWith('fetch:')) throw err;\n      // DNS failure — let fetch handle it\n    }\n  }\n}\n\nfunction prettyJson(s: string): string {\n  try {\n    return JSON.stringify(JSON.parse(s), null, 2);\n  } catch {\n    return s;\n  }\n}\n\n"]}
+{"version":3,"sources":["../src/_util.ts","../src/fetch.ts"],"names":[],"mappings":";;;;;;;AAiHO,SAAS,cAAA,CAAe,GAAW,GAAA,EAAqB;AAC7D,EAAA,IAAI,OAAO,UAAA,CAAW,CAAA,EAAG,MAAM,CAAA,IAAK,KAAK,OAAO,CAAA;AAChD,EAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,GAAM,CAAC,CAAA;AAC/B,EAAA,OACE,CAAA,CAAE,KAAA,CAAM,CAAA,EAAG,IAAI,CAAA,GACf;AAAA,iBAAA,EAAiB,MAAA,CAAO,UAAA,CAAW,CAAA,EAAG,MAAM,IAAI,GAAG,CAAA;AAAA,CAAA,GACnD,CAAA,CAAE,KAAA,CAAM,CAAC,IAAI,CAAA;AAEjB;;;AC5GA,IAAM,EAAA,GAAK,IAAI,eAAA,CAAgB;AAAA;AAAA,EAE7B,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,cAAA,EAAgB;AAClB,CAAC,CAAA;AAMD,EAAA,CAAG,QAAQ,wBAAA,EAA0B;AAAA,EACnC,MAAA,EAAQ,CAAC,QAAA,EAAU,OAAA,EAAS,UAAU,CAAA;AAAA,EACtC,aAAa,MAAM;AACrB,CAAC,CAAA;AAcD,IAAM,SAAA,GAAY,MAAA;AAClB,IAAM,UAAA,GAAa,GAAA;AAEnB,IAAM,aAAA,GAAgB,OAAA,CAAQ,GAAA,CAAI,gCAAgC,CAAA,KAAM,GAAA;AAExE,IAAI,aAAA,IAAiB,CAAC,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA,EAAG;AACvC,EAAA,OAAA,CAAQ,IAAA;AAAA,IACN;AAAA,GAGF;AACF;AAGA,IAAM,cAAA,GAAiB,CAAC,OAAA,KAAwC,WAAA,CAAY,IAAI,OAAO,CAAA;AAkBhF,SAAS,aAAA,CACd,QAAA,EACA,OAAA,EACA,QAAA,EACM;AACN,EACG,GAAA,CAAA,MAAA,CAAO,UAAU,EAAE,GAAA,EAAK,MAAM,CAAA,CAC9B,IAAA,CAAK,CAAC,OAAA,KAAY;AACjB,IAAA,MAAM,SAAS,OAAA,EAAS,MAAA;AACxB,IAAA,MAAM,QAAA,GACJ,MAAA,KAAW,CAAA,IAAK,MAAA,KAAW,CAAA,GAAI,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW,MAAM,CAAA,GAAI,OAAA;AAC9E,IAAA,MAAM,IAAA,GAAO,QAAA,CAAS,MAAA,GAAS,CAAA,GAAI,QAAA,GAAW,OAAA;AAC9C,IAAA,IAAI,CAAC,aAAA,EAAe;AAClB,MAAA,KAAA,MAAW,KAAK,IAAA,EAAM;AACpB,QAAA,MAAM,GAAA,GAAM,CAAA,CAAE,MAAA,KAAW,CAAA,GAAI,aAAA,CAAc,EAAE,OAAO,CAAA,GAAI,aAAA,CAAc,CAAA,CAAE,OAAO,CAAA;AAC/E,QAAA,IAAI,GAAA,EAAK;AACP,UAAA,QAAA;AAAA,YACE,MAAA,CAAO,OAAO,IAAI,KAAA,CAAM,sCAAsC,CAAA,CAAE,OAAO,EAAE,CAAA,EAAG;AAAA,cAC1E,IAAA,EAAM;AAAA,aACP;AAAA,WACH;AACA,UAAA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,IAAA,IAAI,SAAS,GAAA,EAAK;AAChB,MAAA,QAAA;AAAA,QACE,IAAA;AAAA,QACA,IAAA,CAAK,GAAA,CAAI,CAAC,CAAA,MAAO,EAAE,OAAA,EAAS,CAAA,CAAE,OAAA,EAAS,MAAA,EAAQ,CAAA,CAAE,MAAA,EAAO,CAAE;AAAA,OAC5D;AACA,MAAA;AAAA,IACF;AACA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,EAAA,CAAG,CAAC,CAAA;AACvB,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,QAAA;AAAA,QACE,MAAA,CAAO,MAAA,CAAO,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,QAAQ,CAAA,CAAE,CAAA,EAAG,EAAE,IAAA,EAAM,WAAA,EAAa;AAAA,OACrF;AACA,MAAA;AAAA,IACF;AACA,IAAA,QAAA,CAAS,IAAA,EAAM,KAAA,CAAM,OAAA,EAAS,KAAA,CAAM,MAAM,CAAA;AAAA,EAC5C,CAAC,CAAA,CACA,KAAA,CAAM,CAAC,GAAA,KAAQ,QAAA,CAAS,GAA4B,CAAC,CAAA;AAC1D;AAOA,IAAI,WAAA;AACJ,SAAS,mBAAA,GAA6B;AACpC,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,WAAA,GAAc,IAAI,MAAM,EAAE,OAAA,EAAS,EAAE,MAAA,EAAQ,aAAA,IAA0B,CAAA;AAAA,EACzE;AACA,EAAA,OAAO,WAAA;AACT;AAKA,IAAI,qBAAA,GAAwB,KAAA;AAC5B,IAAI,CAAC,qBAAA,EAAuB;AAC1B,EAAA,qBAAA,GAAwB,IAAA;AAExB,EAAA,OAAA,CAAQ,EAAA,CAAG,cAAc,MAAM;AAC7B,IAAA,WAAA,EAAa,OAAA,EAAQ;AACrB,IAAA,WAAA,GAAc,MAAA;AAAA,EAChB,CAAC,CAAA;AACH;AAUA,eAAsB,YAAA,CACpB,GAAA,EACA,YAAA,EACA,MAAA,EACA,OAAA,GAAkC;AAAA,EAChC,YAAA,EAAc,0CAAA;AAAA,EACd,MAAA,EAAQ;AACV,CAAA,EACmB;AACnB,EAAA,IAAI,aAAA,GAAgB,CAAA;AACpB,EAAA,IAAI,UAAA,GAAa,GAAA;AACjB,EAAA,WAAS;AAGP,IAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,UAAU,CAAA;AACjC,IAAA,IAAI,MAAA,CAAO,QAAA,KAAa,QAAA,IAAY,MAAA,CAAO,aAAa,OAAA,EAAS;AAC/D,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yCAAA,EAA4C,MAAA,CAAO,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,IAChF;AACA,IAAA,IAAI,MAAA,CAAO,QAAA,KAAa,OAAA,IAAW,CAAC,aAAA,EAAe;AACjD,MAAA,MAAM,IAAI,MAAM,gEAAgE,CAAA;AAAA,IAClF;AACA,IAAA,MAAM,gBAAA,CAAiB,OAAO,QAAQ,CAAA;AAQtC,IAAA,MAAM,IAAA,GAAO;AAAA,MACX,QAAA,EAAU,QAAA;AAAA,MACV,MAAA;AAAA,MACA,OAAA;AAAA,MACA,YAAY,mBAAA;AAAoB,KAClC;AACA,IAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,UAAA,EAAY,IAA8B,CAAA;AAClE,IAAA,IAAI,GAAA,CAAI,MAAA,GAAS,GAAA,IAAO,GAAA,CAAI,SAAS,GAAA,EAAK;AACxC,MAAA,OAAO,GAAA;AAAA,IACT;AACA,IAAA,aAAA,EAAA;AACA,IAAA,IAAI,gBAAgB,YAAA,EAAc;AAChC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,gBAAA,EAAmB,YAAY,CAAA,UAAA,CAAY,CAAA;AAAA,IAC7D;AACA,IAAA,MAAM,QAAA,GAAW,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAC3C,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,IAClE;AACA,IAAA,UAAA,GAAa,IAAI,GAAA,CAAI,QAAA,EAAU,UAAU,EAAE,QAAA,EAAS;AAAA,EACtD;AACF;AAEO,IAAM,SAAA,GAA2C;AAAA,EACtD,IAAA,EAAM,OAAA;AAAA,EACN,QAAA,EAAU,SAAA;AAAA,EACV,WAAA,EACE,oNAAA;AAAA,EAEF,SAAA,EACE,+ZAAA;AAAA,EAOF,UAAA,EAAY,SAAA;AAAA,EACZ,QAAA,EAAU,KAAA;AAAA,EACV,YAAA,EAAc,CAAC,cAAc,CAAA;AAAA,EAC7B,IAAA,EAAM,KAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAKN,UAAA,EAAY,KAAA;AAAA,EACZ,SAAA,EAAW,UAAA;AAAA,EACX,cAAA,EAAgB,SAAA;AAAA,EAChB,WAAA,EAAa;AAAA,IACX,IAAA,EAAM,QAAA;AAAA,IACN,UAAA,EAAY;AAAA,MACV,GAAA,EAAK;AAAA,QACH,IAAA,EAAM,QAAA;AAAA,QACN,WAAA,EAAa;AAAA,OACf;AAAA,MACA,MAAA,EAAQ;AAAA,QACN,IAAA,EAAM,QAAA;AAAA,QACN,IAAA,EAAM,CAAC,UAAA,EAAY,MAAA,EAAQ,KAAK,CAAA;AAAA,QAChC,WAAA,EAAa;AAAA;AACf,KACF;AAAA,IACA,QAAA,EAAU,CAAC,KAAK;AAAA,GAClB;AAAA,EACA,MAAM,OAAA,CAAQ,KAAA,EAAO,GAAA,EAAK,IAAA,EAAM;AAC9B,IAAA,IAAI,KAAA;AACJ,IAAA,MAAM,gBAAgB,SAAA,CAAU,aAAA;AAChC,IAAA,IAAI,CAAC,aAAA,EAAe,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAC7E,IAAA,WAAA,MAAiB,EAAA,IAAM,aAAA,CAAc,KAAA,EAAO,GAAA,EAAK,IAAI,CAAA,EAAG;AACtD,MAAA,IAAI,EAAA,CAAG,IAAA,KAAS,OAAA,EAAS,KAAA,GAAQ,EAAA,CAAG,MAAA;AAAA,IACtC;AACA,IAAA,IAAI,CAAC,KAAA,EAAO,MAAM,IAAI,MAAM,yCAAyC,CAAA;AACrE,IAAA,OAAO,KAAA;AAAA,EACT,CAAA;AAAA,EACA,OAAO,aAAA,CAAc,KAAA,EAAO,IAAA,EAAM,IAAA,EAAoD;AACpF,IAAA,IAAI,CAAC,KAAA,EAAO,GAAA,EAAK,MAAM,IAAI,MAAM,wBAAwB,CAAA;AACzD,IAAA,MAAM,CAAA,GAAI,IAAI,GAAA,CAAI,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,CAAA,CAAE,QAAA,KAAa,QAAA,IAAY,CAAA,CAAE,aAAa,OAAA,EAAS;AACrD,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,CAAA,CAAE,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,IAC/D;AACA,IAAA,IAAI,CAAA,CAAE,QAAA,KAAa,OAAA,IAAW,CAAC,aAAA,EAAe;AAC5C,MAAA,MAAM,IAAI,MAAM,oDAAoD,CAAA;AAAA,IACtE;AACA,IAAA,MAAM,gBAAA,CAAiB,EAAE,QAAQ,CAAA;AAEjC,IAAA,MAAM,EAAE,IAAA,EAAM,KAAA,EAAO,MAAM,CAAA,IAAA,EAAO,KAAA,CAAM,GAAG,CAAA,CAAA,EAAG;AAE9C,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,EAAgB;AACjC,IAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,MAAM,IAAA,CAAK,KAAA,CAAM,IAAI,KAAA,CAAM,eAAe,CAAC,CAAA,EAAG,UAAU,CAAA;AACjF,IAAA,MAAM,WAAW,cAAA,CAAe,CAAC,KAAK,MAAA,EAAQ,IAAA,CAAK,MAAM,CAAC,CAAA;AAE1D,IAAA,IAAI;AACF,MAAA,MAAM,MAAM,MAAM,YAAA,CAAa,KAAA,CAAM,GAAA,EAAK,GAAG,QAAQ,CAAA;AAErD,MAAA,MAAM,EAAA,GAAK,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,IAAK,0BAAA;AAC9C,MAAA,IAAI,sDAAA,CAAuD,IAAA,CAAK,EAAE,CAAA,EAAG;AACnE,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6CAAA,EAAgD,EAAE,CAAA,CAAA,CAAG,CAAA;AAAA,MACvE;AAEA,MAAA,MAAM;AAAA,QACJ,IAAA,EAAM,KAAA;AAAA,QACN,IAAA,EAAM,CAAA,KAAA,EAAQ,GAAA,CAAI,MAAM,IAAI,EAAE,CAAA,CAAA;AAAA,QAC9B,MAAM,EAAE,MAAA,EAAQ,GAAA,CAAI,MAAA,EAAQ,aAAa,EAAA;AAAG,OAC9C;AAEA,MAAA,MAAM,MAAA,GAAS,GAAA,CAAI,IAAA,EAAM,SAAA,EAAU;AACnC,MAAA,IAAI,QAAA,GAAW,CAAA;AACf,MAAA,MAAM,SAAuB,EAAC;AAC9B,MAAA,IAAI,YAAA,GAAe,CAAA;AACnB,MAAA,MAAM,WAAW,CAAA,GAAI,IAAA;AACrB,MAAA,IAAI,MAAA,EAAQ;AACV,QAAA,WAAS;AACP,UAAA,MAAM,EAAE,KAAA,EAAO,IAAA,EAAK,GAAI,MAAM,OAAO,IAAA,EAAK;AAC1C,UAAA,IAAI,IAAA,EAAM;AACV,UAAA,IAAI,CAAC,KAAA,EAAO;AACZ,UAAA,QAAA,IAAY,KAAA,CAAM,UAAA;AAClB,UAAA,YAAA,IAAgB,KAAA,CAAM,UAAA;AACtB,UAAA,MAAA,CAAO,KAAK,KAAK,CAAA;AACjB,UAAA,IAAI,gBAAgB,QAAA,EAAU;AAI5B,YAAA,MAAM,SAAS,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,OAAO,CAAA;AAClD,YAAA,MAAM;AAAA,cACJ,IAAA,EAAM,gBAAA;AAAA,cACN,IAAA,EAAM,MAAA;AAAA,cACN,IAAA,EAAM,EAAE,QAAA;AAAS,aACnB;AACA,YAAA,YAAA,GAAe,CAAA;AAAA,UACjB;AACA,UAAA,IAAI,WAAW,SAAA,EAAW;AAAA,QAC5B;AAAA,MACF;AACA,MAAA,MAAM,IAAA,GAAO,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,IAAI,CAAC,CAAA,KAAM,MAAA,CAAO,IAAA,CAAK,CAAC,CAAC,CAAC,CAAA,CAAE,SAAS,MAAM,CAAA;AAE7E,MAAA,MAAM,SAAS,KAAA,CAAM,MAAA,KAAW,GAAG,QAAA,CAAS,WAAW,IAAI,UAAA,GAAa,MAAA,CAAA;AACxE,MAAA,IAAI,OAAA;AACJ,MAAA,IAAI,MAAA,KAAW,OAAO,OAAA,GAAU,IAAA;AAAA,WAAA,IACvB,MAAA,KAAW,cAAc,EAAA,CAAG,QAAA,CAAS,WAAW,CAAA,EAAG,OAAA,GAAU,EAAA,CAAG,QAAA,CAAS,IAAI,CAAA;AAAA,WAAA,IAC7E,GAAG,QAAA,CAAS,kBAAkB,CAAA,EAAG,OAAA,GAAU,WAAW,IAAI,CAAA;AAAA,WAC9D,OAAA,GAAU,IAAA;AAEf,MAAA,MAAM;AAAA,QACJ,IAAA,EAAM,OAAA;AAAA,QACN,MAAA,EAAQ;AAAA,UACN,OAAA,EAAS,cAAA,CAAe,OAAA,EAAS,SAAS,CAAA;AAAA,UAC1C,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,YAAA,EAAc,EAAA;AAAA,UACd,KAAK,GAAA,CAAI;AAAA;AACX,OACF;AAAA,IACF,CAAA,SAAE;AACA,MAAA,YAAA,CAAa,KAAK,CAAA;AAAA,IACpB;AAAA,EACF;AACF;AAEA,eAAe,iBAAiB,QAAA,EAAiC;AAC/D,EAAA,IAAI,aAAA,EAAe;AAEnB,EAAA,MAAM,IAAA,GACJ,QAAA,CAAS,UAAA,CAAW,GAAG,CAAA,IAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,GAAI,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,QAAA;AAE/E,EAAA,IAAI,IAAA,KAAS,WAAA,IAAe,IAAA,CAAK,QAAA,CAAS,YAAY,CAAA,EAAG;AACvD,IAAA,MAAM,IAAI,MAAM,iCAAiC,CAAA;AAAA,EACnD;AAEA,EAAA,MAAM,SAAA,GAAgB,SAAK,IAAI,CAAA;AAC/B,EAAA,IAAI,cAAc,CAAA,EAAG;AACnB,IAAA,IAAI,aAAA,CAAc,IAAI,CAAA,EAAG;AACvB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yCAAA,EAA4C,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,IACrE;AAAA,EACF,CAAA,MAAA,IAAW,cAAc,CAAA,EAAG;AAC1B,IAAA,IAAI,aAAA,CAAc,IAAI,CAAA,EAAG;AACvB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yCAAA,EAA4C,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,IACrE;AAAA,EACF,CAAA,MAAO;AAOL,IAAA,IAAI;AAEF,MAAA,MAAM,UAAU,MAAU,GAAA,CAAA,MAAA,CAAO,MAAM,EAAE,GAAA,EAAK,MAAM,CAAA;AACpD,MAAA,KAAA,MAAW,KAAK,OAAA,EAAS;AACvB,QAAA,MAAM,GAAA,GAAM,CAAA,CAAE,MAAA,KAAW,CAAA,GAAI,aAAA,CAAc,EAAE,OAAO,CAAA,GAAI,aAAA,CAAc,CAAA,CAAE,OAAO,CAAA;AAC/E,QAAA,IAAI,GAAA,EAAK;AACP,UAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mCAAA,EAAsC,CAAA,CAAE,OAAO,CAAA,CAAE,CAAA;AAAA,QACnE;AAAA,MACF;AAAA,IACF,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,eAAe,KAAA,IAAS,GAAA,CAAI,QAAQ,UAAA,CAAW,QAAQ,GAAG,MAAM,GAAA;AAAA,IAEtE;AAAA,EACF;AACF;AAEA,SAAS,WAAW,CAAA,EAAmB;AACrC,EAAA,IAAI;AACF,IAAA,OAAO,KAAK,SAAA,CAAU,IAAA,CAAK,MAAM,CAAC,CAAA,EAAG,MAAM,CAAC,CAAA;AAAA,EAC9C,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,CAAA;AAAA,EACT;AACF","file":"fetch.js","sourcesContent":["import * as fsp from 'node:fs/promises';\nimport * as path from 'node:path';\nimport * as Core from '@wrongstack/core';\nimport type { Context } from '@wrongstack/core';\n/** Detected package manager for a project directory. */\nexport type PackageManager = 'pnpm' | 'yarn' | 'npm';\n\n/**\n * Detect the project's package manager by inspecting lockfiles in `cwd`.\n * Order: pnpm → yarn → npm (default). Missing or unreadable directories fall\n * back to `npm` rather than throwing, so a `safeResolve`-checked cwd that\n * happens to be empty never aborts the tool.\n */\nexport async function detectPackageManager(cwd: string): Promise<PackageManager> {\n  const { stat } = await import('node:fs/promises');\n  try {\n    await stat(`${cwd}/pnpm-lock.yaml`);\n    return 'pnpm';\n  } catch {\n    /* not pnpm */\n  }\n  try {\n    await stat(`${cwd}/yarn.lock`);\n    return 'yarn';\n  } catch {\n    /* not yarn */\n  }\n  return 'npm';\n}\n\nexport function resolvePath(input: string, ctx: Context): string {\n  return path.isAbsolute(input) ? path.normalize(input) : path.resolve(ctx.workingDir ?? ctx.cwd, input);\n}\n\n/**\n * Roots every file tool may always reach, even in restricted mode: the\n * project root and the user-global `~/.wrongstack` directory (config, memory,\n * sessions, skills). `~/.wrongstack` honors the `WRONGSTACK_HOME` override.\n */\nfunction allowedRoots(ctx: Context): string[] {\n  return [path.resolve(ctx.projectRoot), path.resolve(Core.wstackGlobalRoot())];\n}\n\n/** True if `target` is `root` itself or nested inside any of `roots`. */\nfunction isInsideAny(target: string, roots: string[]): boolean {\n  return roots.some((root) => {\n    const rel = path.relative(root, target);\n    return rel === '' || (!rel.startsWith('..') && !path.isAbsolute(rel));\n  });\n}\n\nexport function ensureInsideRoot(absPath: string, ctx: Context): string {\n  const target = path.resolve(absPath);\n  // Unrestricted filesystem access: skip the project-root containment check.\n  if (ctx.allowOutsideProjectRoot) return target;\n  if (isInsideAny(target, allowedRoots(ctx))) return target;\n  throw new Error(`Path \"${absPath}\" is outside project root \"${path.resolve(ctx.projectRoot)}\"`);\n}\n\nexport function safeResolve(input: string, ctx: Context): string {\n  return ensureInsideRoot(resolvePath(input, ctx), ctx);\n}\n\n/**\n * Defense against in-root→out-of-root symlink escape (CWE-59). `safeResolve`\n * only does a syntactic `../` check, so a symlink that lives *inside* the\n * project root but points outside still passes it. This resolves the path\n * through `fs.realpath` and re-verifies containment against the realpath of\n * the project root (comparing like-for-like, since the root itself may be a\n * symlink — macOS `/var`→`/private/var`, Windows 8.3 short names). For a path\n * that does not exist yet (e.g. a `write` to a new file) the nearest existing\n * ancestor directory is checked instead. Throws if the real target escapes.\n *\n * Mirrors the per-file guard already used in `replace.ts`/`grep.ts`; applied\n * to single-file `read`/`edit`/`write` it throws (rather than skips) because\n * the caller named exactly one file.\n */\nexport async function assertRealInsideRoot(absPath: string, ctx: Context): Promise<void> {\n  // Unrestricted filesystem access: no symlink-escape check to perform.\n  if (ctx.allowOutsideProjectRoot) return;\n  // Compare like-for-like against the realpath of each always-allowed root\n  // (project root + ~/.wrongstack), since a root may itself be a symlink.\n  const realRoots = await Promise.all(\n    allowedRoots(ctx).map((r) => fsp.realpath(r).catch(() => path.resolve(r))),\n  );\n  let probe = absPath;\n  for (;;) {\n    let real: string;\n    try {\n      real = await fsp.realpath(probe);\n    } catch (err) {\n      if ((err as NodeJS.ErrnoException).code === 'ENOENT') {\n        const parent = path.dirname(probe);\n        if (parent === probe) return; // reached fs root without escaping\n        probe = parent;\n        continue;\n      }\n      throw err;\n    }\n    if (isInsideAny(real, realRoots)) return;\n    throw new Error(\n      `Path \"${absPath}\" resolves through a symlink outside project root \"${realRoots[0]}\"`,\n    );\n  }\n}\n\n/** `safeResolve` + symlink realpath containment check. Async. */\nexport async function safeResolveReal(input: string, ctx: Context): Promise<string> {\n  const abs = safeResolve(input, ctx);\n  await assertRealInsideRoot(abs, ctx);\n  return abs;\n}\n\nexport function truncateMiddle(s: string, max: number): string {\n  if (Buffer.byteLength(s, 'utf8') <= max) return s;\n  const half = Math.floor(max / 2);\n  return (\n    s.slice(0, half) +\n    `\\n…[truncated ${Buffer.byteLength(s, 'utf8') - max} bytes from middle]…\\n` +\n    s.slice(-half)\n  );\n}\n\nexport function isBinaryBuffer(buf: Buffer): boolean {\n  const len = Math.min(buf.length, 8192);\n  for (let i = 0; i < len; i++) {\n    if (buf[i] === 0) return true;\n  }\n  return false;\n}\n\n// ─── Command-output normalization (token-saving) ────────────────────────────\n//\n// Raw process output is full of tokens the model gains nothing from: ANSI\n// escapes, carriage-return progress spam, runs of identical warning lines, and\n// huge tails of build noise. These helpers strip that noise before the output\n// reaches the LLM. They are scoped to COMMAND tools (bash/git/exec and the\n// _spawn-stream consumers) — never applied to structured/code outputs.\n\n/** Unified byte cap for all command tool output fed to the model. */\nexport const COMMAND_OUTPUT_MAX_BYTES = 32_768;\n\n/** Runs of >= this many identical consecutive lines are collapsed. */\nconst REPEAT_RUN_THRESHOLD = 3;\n\n/**\n * Collapse carriage-return overwrites the way a terminal would: `\\r\\n` becomes\n * `\\n`, and a bare `\\r` (progress redraw) keeps only the text after the LAST\n * `\\r` on its physical line. Without this, a single progress bar that redraws\n * 200 times explodes into 200 lines.\n */\nexport function collapseCarriageReturns(text: string): string {\n  const lf = text.replace(/\\r\\n/g, '\\n');\n  if (!lf.includes('\\r')) return lf;\n  return lf\n    .split('\\n')\n    .map((line) => (line.includes('\\r') ? line.slice(line.lastIndexOf('\\r') + 1) : line))\n    .join('\\n');\n}\n\n/**\n * Collapse a run of `minRun`+ identical consecutive lines into the line once\n * plus a marker. Consecutive-only — it never reorders or dedups non-adjacent\n * lines, so diffs/source stay intact.\n */\nexport function collapseConsecutiveDuplicates(text: string, minRun = REPEAT_RUN_THRESHOLD): string {\n  const lines = text.split('\\n');\n  const out: string[] = [];\n  let i = 0;\n  while (i < lines.length) {\n    let j = i + 1;\n    while (j < lines.length && lines[j] === lines[i]) j++;\n    const run = j - i;\n    if (run >= minRun) {\n      out.push(lines[i]!, `… ⟨repeated ${run}×⟩`);\n    } else {\n      for (let k = i; k < j; k++) out.push(lines[k]!);\n    }\n    i = j;\n  }\n  return out.join('\\n');\n}\n\n/** Largest prefix of `s` whose UTF-8 byte length is <= `maxBytes`. */\nfunction takeHeadBytes(s: string, maxBytes: number): string {\n  if (maxBytes <= 0) return '';\n  /* v8 ignore next -- only caller (truncateHeadTail) passes a budget smaller than s; defensive. */\n  if (Buffer.byteLength(s, 'utf8') <= maxBytes) return s;\n  let lo = 0;\n  let hi = s.length;\n  while (lo < hi) {\n    const mid = Math.ceil((lo + hi) / 2);\n    if (Buffer.byteLength(s.slice(0, mid), 'utf8') <= maxBytes) lo = mid;\n    else hi = mid - 1;\n  }\n  return s.slice(0, lo);\n}\n\n/** Largest suffix of `s` whose UTF-8 byte length is <= `maxBytes`. */\nfunction takeTailBytes(s: string, maxBytes: number): string {\n  if (maxBytes <= 0) return '';\n  /* v8 ignore next -- only caller (truncateHeadTail) passes a budget smaller than s; defensive. */\n  if (Buffer.byteLength(s, 'utf8') <= maxBytes) return s;\n  let lo = 0;\n  let hi = s.length;\n  while (lo < hi) {\n    const mid = Math.ceil((lo + hi) / 2);\n    if (Buffer.byteLength(s.slice(s.length - mid), 'utf8') <= maxBytes) lo = mid;\n    else hi = mid - 1;\n  }\n  return s.slice(s.length - lo);\n}\n\n/**\n * Truncate to `maxBytes` keeping BOTH ends — the head (what ran / early context)\n * and the tail (errors and summaries usually land last), biased ~45/55 toward\n * the tail. The result never exceeds `maxBytes`.\n */\nexport function truncateHeadTail(s: string, maxBytes: number): string {\n  const total = Buffer.byteLength(s, 'utf8');\n  if (total <= maxBytes) return s;\n  // Reserve a fixed allowance for the marker so the final string can't exceed\n  // the cap even though the dropped-byte count's digit width varies.\n  const MARKER_RESERVE = 64;\n  const avail = Math.max(0, maxBytes - MARKER_RESERVE);\n  const headBudget = Math.floor(avail * 0.45);\n  const head = takeHeadBytes(s, headBudget);\n  const tail = takeTailBytes(s, avail - Buffer.byteLength(head, 'utf8'));\n  const kept = Buffer.byteLength(head, 'utf8') + Buffer.byteLength(tail, 'utf8');\n  return `${head}\\n…[truncated ${total - kept} bytes]…\\n${tail}`;\n}\n\n/**\n * Full token-saving pipeline for command tool output: strip ANSI → collapse\n * carriage-return progress → trim trailing whitespace → collapse identical\n * consecutive lines → squeeze blank-line runs → head+tail truncate to the cap.\n */\nexport function normalizeCommandOutput(\n  raw: string,\n  opts: { maxBytes?: number | undefined } = {},\n): string {\n  if (!raw) return raw;\n  let text = Core.stripAnsi(raw);\n  text = collapseCarriageReturns(text);\n  text = text.replace(/[ \\t]+$/gm, ''); // trailing whitespace per line\n  text = collapseConsecutiveDuplicates(text);\n  text = text.replace(/\\n{3,}/g, '\\n\\n'); // >=2 blank lines → 1\n  return truncateHeadTail(text, opts.maxBytes ?? COMMAND_OUTPUT_MAX_BYTES);\n}\n","import * as dns from 'node:dns/promises';\nimport * as net from 'node:net';\nimport type { Tool, ToolStreamEvent } from '@wrongstack/core';\nimport { isPrivateIPv4, isPrivateIPv6 } from '@wrongstack/core';\nimport { Agent } from 'undici';\nimport TurndownService from 'turndown';\nimport { truncateMiddle } from './_util.js';\n\n/**\n * Singleton Turndown instance for HTML→Markdown conversion.\n * Pre-configured with sensible defaults; code blocks are handled via the\n * default fenced code rule. Reused across all fetch calls.\n */\nconst TD = new TurndownService({\n  // Use `# Title` for headings, not setext underline style (`Title\\n=====`).\n  headingStyle: 'atx',\n  // Don't wrap code blocks in <pre> — render them as triple-backtick blocks.\n  codeBlockStyle: 'fenced',\n});\n\n// Strip <script>/<style>/<noscript> before turndown sees them. The old\n// hand-rolled converter did this via regex; turndown's DOM-based approach\n// may keep their text content unless we remove the elements first.\n// Using turndown's own addRule mechanism keeps the logic co-located.\nTD.addRule('stripDangerousElements', {\n  filter: ['script', 'style', 'noscript'],\n  replacement: () => '',\n});\n\ninterface FetchInput {\n  url: string;\n  format?: 'markdown' | 'text' | 'raw' | undefined;\n}\n\ninterface FetchOutput {\n  content: string;\n  status: number;\n  content_type: string;\n  url: string;\n}\n\nconst MAX_BYTES = 131_072;\nconst TIMEOUT_MS = 20_000;\n\nconst ALLOW_PRIVATE = process.env['WRONGSTACK_FETCH_ALLOW_PRIVATE'] === '1';\n/* v8 ignore next 8 -- module-load-time opt-in warning; gated on an env var not set during tests. */\nif (ALLOW_PRIVATE && !process.env['CI']) {\n  console.warn(\n    '[WrongStack] WARNING: WRONGSTACK_FETCH_ALLOW_PRIVATE=1 is active —\\n' +\n    '  fetch tool can now access private IPs (10.x, 192.168.x, 169.254.x),\\n' +\n    '  cloud metadata endpoints, and plaintext HTTP. Use only on isolated networks.',\n  );\n}\n\n/** Abort when any of the signals abort (Node 22+ — AbortSignal.any shipped in Node 20). */\nconst combineSignals = (signals: AbortSignal[]): AbortSignal => AbortSignal.any(signals);\n\ntype LookupCallback = (\n  err: NodeJS.ErrnoException | null,\n  address?: string | Array<{ address: string | undefined; family: number }>,\n  family?: number | undefined,\n) => void;\n\n/**\n * DNS lookup used by the undici dispatcher below. It performs the SINGLE name\n * resolution that the TCP connection actually uses, and rejects if any\n * resolved address is private/loopback/link-local. Because the connection\n * reuses exactly this result, there is no DNS-rebinding TOCTOU window between\n * the security check and the connect — closing the gap the old code documented\n * (validate with one dns.lookup, then let fetch re-resolve independently).\n * TLS still validates the certificate against the hostname (SNI is set by\n * undici from the URL), so pinning the IP does not weaken cert checking.\n */\nexport function guardedLookup(\n  hostname: string,\n  options: { all?: boolean | undefined; family?: number | undefined },\n  callback: LookupCallback,\n): void {\n  dns\n    .lookup(hostname, { all: true })\n    .then((records) => {\n      const family = options?.family;\n      const byFamily =\n        family === 4 || family === 6 ? records.filter((r) => r.family === family) : records;\n      const list = byFamily.length > 0 ? byFamily : records;\n      if (!ALLOW_PRIVATE) {\n        for (const r of list) {\n          const bad = r.family === 4 ? isPrivateIPv4(r.address) : isPrivateIPv6(r.address);\n          if (bad) {\n            callback(\n              Object.assign(new Error(`fetch: resolved to private address ${r.address}`), {\n                code: 'EAI_FAIL',\n              }),\n            );\n            return;\n          }\n        }\n      }\n      if (options?.all) {\n        callback(\n          null,\n          list.map((r) => ({ address: r.address, family: r.family })),\n        );\n        return;\n      }\n      const first = list.at(0);\n      if (!first) {\n        callback(\n          Object.assign(new Error(`fetch: no address for ${hostname}`), { code: 'ENOTFOUND' }),\n        );\n        return;\n      }\n      callback(null, first.address, first.family);\n    })\n    .catch((err) => callback(err as NodeJS.ErrnoException));\n}\n\n// Reused across requests; guardedLookup re-validates on every new connection,\n// so connection pooling is safe. Literal-IP targets bypass lookup entirely and\n// are caught by assertNotPrivate's pre-check instead.\n// Destroyed on process exit so long-running processes (eternal autonomy,\n// MCP server mode) don't let the connection pool grow unboundedly.\nlet pinnedAgent: Agent | undefined;\nfunction getPinnedDispatcher(): Agent {\n  if (!pinnedAgent) {\n    pinnedAgent = new Agent({ connect: { lookup: guardedLookup as never } });\n  }\n  return pinnedAgent;\n}\n// Clean up the global dispatcher on exit — undici Agents maintain connection\n// pools and DNS caches that should be torn down in long-running processes.\n// Guard against duplicate registration (module reload/HMR would otherwise\n// accumulate listeners).\nlet _beforeExitRegistered = false;\nif (!_beforeExitRegistered) {\n  _beforeExitRegistered = true;\n  /* v8 ignore next 4 -- process 'beforeExit' cleanup; not deterministically triggerable in-test. */\n  process.on('beforeExit', () => {\n    pinnedAgent?.destroy();\n    pinnedAgent = undefined;\n  });\n}\n\n/**\n * SSRF-guarded fetch with manual, per-hop-revalidated redirects, exported so\n * other builtin tools (e.g. `search`) get the same protections instead of a\n * weaker `redirect: 'follow'`. Every hop is re-checked against private/loopback\n * ranges and the connection is pinned to the validated IP via the undici\n * dispatcher (no DNS-rebinding TOCTOU). `headers` defaults to the plain `fetch`\n * tool's; callers may override (e.g. a browser User-Agent for search engines).\n */\nexport async function guardedFetch(\n  url: string,\n  maxRedirects: number,\n  signal: AbortSignal,\n  headers: Record<string, string> = {\n    'user-agent': 'WrongStack/1.0 (+https://wrongstack.com)',\n    accept: 'text/html,application/json;q=0.9,text/plain;q=0.8,*/*;q=0.1',\n  },\n): Promise<Response> {\n  let redirectCount = 0;\n  let currentUrl = url;\n  for (;;) {\n    // Re-validate every hop. A public host can 302 to 169.254.169.254 (cloud metadata),\n    // or DNS can rebind between hops; checking only the initial URL is insufficient.\n    const parsed = new URL(currentUrl);\n    if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {\n      throw new Error(`fetch: redirect to unsupported protocol \"${parsed.protocol}\"`);\n    }\n    if (parsed.protocol === 'http:' && !ALLOW_PRIVATE) {\n      throw new Error('fetch: redirect to http:// blocked (HTTPS required by default)');\n    }\n    await assertNotPrivate(parsed.hostname);\n\n    // The dispatcher pins the connection to the IP guardedLookup validated —\n    // no independent re-resolution, so DNS rebinding can't swap in a private\n    // address between check and connect. `dispatcher` is a runtime option of\n    // Node's undici-backed global fetch but isn't in lib.dom's RequestInit, and\n    // our undici Agent's type differs from the @types/node copy — hence the\n    // cast. (Verified: global fetch invokes the Agent's custom lookup.)\n    const init = {\n      redirect: 'manual' as const,\n      signal,\n      headers,\n      dispatcher: getPinnedDispatcher(),\n    };\n    const res = await fetch(currentUrl, init as unknown as RequestInit);\n    if (res.status < 300 || res.status > 399) {\n      return res;\n    }\n    redirectCount++;\n    if (redirectCount > maxRedirects) {\n      throw new Error(`fetch: exceeded ${maxRedirects} redirects`);\n    }\n    const location = res.headers.get('location');\n    if (!location) {\n      throw new Error('fetch: redirect status with no location header');\n    }\n    currentUrl = new URL(location, currentUrl).toString();\n  }\n}\n\nexport const fetchTool: Tool<FetchInput, FetchOutput> = {\n  name: 'fetch',\n  category: 'Network',\n  description:\n    'Fetch a URL and return its content. HTML pages are automatically converted to clean markdown. ' +\n    'This tool has strong SSRF protections (private IPs, localhost, and cloud metadata endpoints are blocked by default).',\n  usageHint:\n    'Use this when you need external information (documentation, API responses, web pages, etc.).\\n\\n' +\n    'Security notes:\\n' +\n    '- Only HTTPS is allowed by default.\\n' +\n    '- Internal/private networks are blocked unless explicitly enabled via environment variable.\\n' +\n    '- Redirects are followed but re-validated at each hop.\\n' +\n    '- Output is capped (128KB by default) to avoid flooding context.\\n' +\n    'Prefer this over raw `bash curl` or `bash wget`.',\n  permission: 'confirm',\n  mutating: false,\n  capabilities: ['net.outbound'],\n  icon: 'web',\n  // Trust rules for fetch match on the literal URL — declare it explicitly\n  // so a user can trust `https://api.example.com/*` without accidentally\n  // matching that pattern on any other tool that happens to have a `url`\n  // input field.\n  subjectKey: 'url',\n  timeoutMs: TIMEOUT_MS,\n  maxOutputBytes: MAX_BYTES,\n  inputSchema: {\n    type: 'object',\n    properties: {\n      url: {\n        type: 'string',\n        description: 'The target URL (must use https://).',\n      },\n      format: {\n        type: 'string',\n        enum: ['markdown', 'text', 'raw'],\n        description: 'Output format. \"markdown\" is recommended for HTML pages.',\n      },\n    },\n    required: ['url'],\n  },\n  async execute(input, ctx, opts) {\n    let final: FetchOutput | undefined;\n    const executeStream = fetchTool.executeStream;\n    if (!executeStream) throw new Error('fetchTool: stream execution unavailable');\n    for await (const ev of executeStream(input, ctx, opts)) {\n      if (ev.type === 'final') final = ev.output;\n    }\n    if (!final) throw new Error('fetch: stream ended without final event');\n    return final;\n  },\n  async *executeStream(input, _ctx, opts): AsyncGenerator<ToolStreamEvent<FetchOutput>> {\n    if (!input?.url) throw new Error('fetch: url is required');\n    const u = new URL(input.url);\n    if (u.protocol !== 'https:' && u.protocol !== 'http:') {\n      throw new Error(`fetch: unsupported protocol \"${u.protocol}\"`);\n    }\n    if (u.protocol === 'http:' && !ALLOW_PRIVATE) {\n      throw new Error('fetch: http:// blocked (HTTPS required by default)');\n    }\n    await assertNotPrivate(u.hostname);\n\n    yield { type: 'log', text: `GET ${input.url}` };\n\n    const ctrl = new AbortController();\n    const timer = setTimeout(() => ctrl.abort(new Error('fetch timeout')), TIMEOUT_MS);\n    const combined = combineSignals([opts.signal, ctrl.signal]);\n\n    try {\n      const res = await guardedFetch(input.url, 5, combined);\n\n      const ct = res.headers.get('content-type') ?? 'application/octet-stream';\n      if (/^image\\/|^audio\\/|^video\\/|application\\/octet-stream/.test(ct)) {\n        throw new Error(`fetch: refusing to read binary content-type \"${ct}\"`);\n      }\n\n      yield {\n        type: 'log',\n        text: `HTTP ${res.status} ${ct}`,\n        data: { status: res.status, contentType: ct },\n      };\n\n      const reader = res.body?.getReader();\n      let received = 0;\n      const chunks: Uint8Array[] = [];\n      let pendingBytes = 0;\n      const FLUSH_AT = 4 * 1024;\n      if (reader) {\n        for (;;) {\n          const { value, done } = await reader.read();\n          if (done) break;\n          if (!value) continue;\n          received += value.byteLength;\n          pendingBytes += value.byteLength;\n          chunks.push(value);\n          if (pendingBytes >= FLUSH_AT) {\n            // Snapshot recent bytes for the partial_output. Keep it cheap —\n            // don't try to decode UTF-8 boundaries; the TUI just needs a\n            // \"things are happening\" signal.\n            const recent = Buffer.from(value).toString('utf-8');\n            yield {\n              type: 'partial_output',\n              text: recent,\n              data: { received },\n            };\n            pendingBytes = 0;\n          }\n          if (received > MAX_BYTES) break;\n        }\n      }\n      const text = Buffer.concat(chunks.map((c) => Buffer.from(c))).toString('utf8');\n\n      const format = input.format ?? (ct.includes('text/html') ? 'markdown' : 'text');\n      let content: string;\n      if (format === 'raw') content = text;\n      else if (format === 'markdown' && ct.includes('text/html')) content = TD.turndown(text);\n      else if (ct.includes('application/json')) content = prettyJson(text);\n      else content = text;\n\n      yield {\n        type: 'final',\n        output: {\n          content: truncateMiddle(content, MAX_BYTES),\n          status: res.status,\n          content_type: ct,\n          url: res.url,\n        },\n      };\n    } finally {\n      clearTimeout(timer);\n    }\n  },\n};\n\nasync function assertNotPrivate(hostname: string): Promise<void> {\n  if (ALLOW_PRIVATE) return;\n\n  const host =\n    hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname;\n\n  if (host === 'localhost' || host.endsWith('.localhost')) {\n    throw new Error('fetch: blocked localhost target');\n  }\n\n  const ipVersion = net.isIP(host);\n  if (ipVersion === 4) {\n    if (isPrivateIPv4(host)) {\n      throw new Error(`fetch: blocked private/loopback address \"${host}\"`);\n    }\n  } else if (ipVersion === 6) {\n    if (isPrivateIPv6(host)) {\n      throw new Error(`fetch: blocked private/loopback address \"${host}\"`);\n    }\n  } else {\n    // Hostname — pre-flight check: resolve and reject if any record is private,\n    // so we fail fast with a clear error before opening a socket. The\n    // authoritative anti-rebinding control is guardedLookup on the pinned\n    // undici dispatcher (see getPinnedDispatcher): it performs the single\n    // resolution the connection actually uses, so there is no TOCTOU between\n    // this check and the connect. Each redirect target is re-checked too.\n    try {\n      // Use dns.lookup for async hostname resolution (matches guardedLookup below).\n      const records = await dns.lookup(host, { all: true });\n      for (const r of records) {\n        const bad = r.family === 4 ? isPrivateIPv4(r.address) : isPrivateIPv6(r.address);\n        if (bad) {\n          throw new Error(`fetch: resolved to private address ${r.address}`);\n        }\n      }\n    } catch (err) {\n      if (err instanceof Error && err.message.startsWith('fetch:')) throw err;\n      // DNS failure — let fetch handle it\n    }\n  }\n}\n\nfunction prettyJson(s: string): string {\n  try {\n    return JSON.stringify(JSON.parse(s), null, 2);\n  } catch {\n    return s;\n  }\n}\n\n"]}

package/dist/format.js

@@ -131,6 +131,23 @@ var CircuitBreaker = class {
   lastSlowAt = null;
   /** Timestamp when the breaker was opened (for cooldown calculation). */
   openedAt = null;
+  /**
+   * Master enable flag. When false the breaker is bypassed: `beforeCall`
+   * always returns true and `afterCall` records nothing. The class itself
+   * defaults to enabled (so the standalone unit tests exercise tripping); the
+   * ProcessRegistry flips this off until the user opts in via `/settings`.
+   */
+  enabled = true;
+  /**
+   * Fired (best-effort) when the breaker transitions into the `open` state.
+   * The registry uses this to arm its auto kill/reset countdown.
+   */
+  onTrip;
+  /**
+   * Fired (best-effort) when the breaker returns to `closed` after having been
+   * open/half-open. The registry uses this to cancel a pending kill/reset.
+   */
+  onReset;
   constructor(config = {}) {
     this.maxConsecutiveFailures = config.maxConsecutiveFailures ?? DEFAULT_MAX_CONSECUTIVE_FAILURES;
     this.slowCallThresholdMs = config.slowCallThresholdMs ?? DEFAULT_SLOW_CALL_THRESHOLD_MS;
@@ -139,12 +156,22 @@ var CircuitBreaker = class {
     this.maxCallsPerWindow = config.maxCallsPerWindow ?? DEFAULT_MAX_CALLS_PER_WINDOW;
     this.cooldownMs = config.cooldownMs ?? DEFAULT_COOLDOWN_MS;
   }
+  /** Toggle the master enable. Disabling resets to a clean `closed` state. */
+  setEnabled(enabled) {
+    if (this.enabled === enabled) return;
+    this.enabled = enabled;
+    if (!enabled) this._reset();
+  }
+  get isEnabled() {
+    return this.enabled;
+  }
   /**
    * Returns true if the circuit allows a new call to proceed.
    * When false, callers should abort the tool call and return a
    * circuit-breaker error instead of spawning a process.
    */
   get canProceed() {
+    if (!this.enabled) return true;
     this._checkStateTransition();
     return this.state !== "open";
   }
@@ -180,7 +207,7 @@ var CircuitBreaker = class {
    *                  not affect breaker state.
    */
   beforeCall(bypass = false) {
-    if (bypass) return true;
+    if (bypass || !this.enabled) return true;
     this._checkStateTransition();
     if (this.state === "open") return false;
     return true;
@@ -195,7 +222,7 @@ var CircuitBreaker = class {
    *                  Use for background/fire-and-forget processes.
    */
   afterCall(durationMs, failed, bypass = false) {
-    if (bypass) return;
+    if (bypass || !this.enabled) return;
     const now = Date.now();
     if (this.state === "half-open") {
       if (failed) {
@@ -241,12 +268,23 @@ var CircuitBreaker = class {
     if (this.state === "open") return;
     this.state = "open";
     this.openedAt = Date.now();
+    try {
+      this.onTrip?.();
+    } catch {
+    }
   }
   _reset() {
+    const wasRecovering = this.state !== "closed";
     this.state = "closed";
     this.consecutiveFailures = 0;
     this.window = [];
     this.openedAt = null;
+    if (wasRecovering) {
+      try {
+        this.onReset?.();
+      } catch {
+      }
+    }
   }
   /** Transition from open → half-open when cooldown elapses. */
   _checkStateTransition() {
@@ -308,8 +346,21 @@ function killWin32Tree(pid) {
 var ProcessRegistryImpl = class {
   processes = /* @__PURE__ */ new Map();
   breaker;
+  /**
+   * Auto kill/reset config. When the breaker trips and `autoKillResetMs > 0`,
+   * a countdown is armed; on expiry all tracked processes are killed and the
+   * breaker is reset to closed (forced recovery). Zero means manual recovery
+   * only (`/kill reset`).
+   */
+  autoKillResetMs = 0;
+  autoKillTimer = null;
+  autoKillArmedAt = null;
+  breakerCountdownListeners = [];
   constructor(breakerConfig) {
     this.breaker = new CircuitBreaker(breakerConfig);
+    this.breaker.onTrip = () => this._armAutoKillReset();
+    this.breaker.onReset = () => this._cancelAutoKillReset();
+    this.breaker.setEnabled(false);
   }
   register(info) {
     this.processes.set(info.pid, { ...info, killed: false, protected: info.protected ?? false });
@@ -385,6 +436,90 @@ var ProcessRegistryImpl = class {
   forceBreakerReset() {
     this.breaker.forceReset();
   }
+  /**
+   * Configure circuit-breaker protection at runtime. Called from `/settings`
+   * (instant, all modes) and on TUI mount (applies persisted config).
+   *
+   * - `enabled` toggles whether the breaker gates `bash`/`exec`.
+   * - `autoKillResetMs` arms the auto kill/reset countdown when the breaker
+   *   trips (0 = manual recovery only).
+   *
+   * Re-applies cleanly on every call: cancels a pending countdown when the
+   * timeout is cleared or protection disabled, and re-arms if the breaker is
+   * currently open under the new settings.
+   */
+  setBreakerConfig(cfg) {
+    if (cfg.enabled !== void 0) this.breaker.setEnabled(cfg.enabled);
+    if (cfg.autoKillResetMs !== void 0) this.autoKillResetMs = Math.max(0, cfg.autoKillResetMs);
+    if (this.autoKillResetMs <= 0) {
+      this._cancelAutoKillReset();
+      return;
+    }
+    if (this.breaker.isEnabled && this.breaker.snapshot().state === "open") {
+      this._armAutoKillReset();
+    }
+  }
+  /**
+   * Live countdown to the next auto kill/reset, or null when nothing is armed.
+   * The TUI polls this on a 1s tick while armed so the statusline decrements.
+   */
+  getBreakerCountdown() {
+    if (this.autoKillArmedAt === null || this.autoKillResetMs <= 0) return null;
+    const elapsed = Date.now() - this.autoKillArmedAt;
+    return { remainingMs: Math.max(0, this.autoKillResetMs - elapsed), totalMs: this.autoKillResetMs };
+  }
+  /**
+   * Subscribe to countdown arm/cancel events. Returns an unsubscribe function.
+   * Use {@link getBreakerCountdown} for the live ticking value between events.
+   */
+  onBreakerCountdownChange(listener) {
+    this.breakerCountdownListeners.push(listener);
+    return () => {
+      this.breakerCountdownListeners = this.breakerCountdownListeners.filter((l) => l !== listener);
+    };
+  }
+  _emitBreakerCountdown() {
+    const snap = this.getBreakerCountdown();
+    for (const l of this.breakerCountdownListeners) {
+      try {
+        l(snap);
+      } catch {
+      }
+    }
+  }
+  /**
+   * Arm the auto kill/reset countdown. Idempotent: re-arming resets the window
+   * (a fresh trip after a failed half-open probe restarts the clock). No-op
+   * when protection is off or no timeout is configured.
+   */
+  _armAutoKillReset() {
+    if (this.autoKillResetMs <= 0 || !this.breaker.isEnabled) return;
+    this._clearAutoKillTimer();
+    this.autoKillArmedAt = Date.now();
+    this.autoKillTimer = setTimeout(() => {
+      this.autoKillTimer = null;
+      this.autoKillArmedAt = null;
+      this.killAll({ force: false });
+      this.breaker.forceReset();
+      this._emitBreakerCountdown();
+    }, this.autoKillResetMs);
+    this.autoKillTimer.unref?.();
+    this._emitBreakerCountdown();
+  }
+  _cancelAutoKillReset() {
+    const wasArmed = this.autoKillArmedAt !== null;
+    this._clearAutoKillTimer();
+    if (wasArmed) {
+      this.autoKillArmedAt = null;
+      this._emitBreakerCountdown();
+    }
+  }
+  _clearAutoKillTimer() {
+    if (this.autoKillTimer !== null) {
+      clearTimeout(this.autoKillTimer);
+      this.autoKillTimer = null;
+    }
+  }
   /** Kill a single process by PID.
    *
    *  On POSIX: sends SIGTERM to the *process group* (-pid) so that
@@ -523,8 +658,9 @@ async function* spawnStream(opts) {
   let pending = "";
   let error;
   const spool = createOutputSpool({ tool: opts.cmd, thresholdBytes: max });
-  const cmd = resolveWin32Command(opts.cmd);
-  const needsShell = isWin && (cmd.endsWith(".cmd") || cmd.endsWith(".bat"));
+  const resolved = resolveWin32Command(opts.cmd);
+  const needsShell = isWin && (resolved.endsWith(".cmd") || resolved.endsWith(".bat"));
+  const cmd = needsShell ? opts.cmd : resolved;
   const child = spawn(cmd, opts.args, {
     cwd: opts.cwd,
     env: buildChildEnv(),
@@ -674,14 +810,20 @@ async function* spawnStream(opts) {
 function resolvePath(input, ctx) {
   return path3.isAbsolute(input) ? path3.normalize(input) : path3.resolve(ctx.workingDir ?? ctx.cwd, input);
 }
+function allowedRoots(ctx) {
+  return [path3.resolve(ctx.projectRoot), path3.resolve(Core.wstackGlobalRoot())];
+}
+function isInsideAny(target, roots) {
+  return roots.some((root) => {
+    const rel = path3.relative(root, target);
+    return rel === "" || !rel.startsWith("..") && !path3.isAbsolute(rel);
+  });
+}
 function ensureInsideRoot(absPath, ctx) {
-  const root = path3.resolve(ctx.projectRoot);
   const target = path3.resolve(absPath);
-  const rel = path3.relative(root, target);
-  if (rel.startsWith("..") || path3.isAbsolute(rel)) {
-    throw new Error(`Path "${absPath}" is outside project root "${root}"`);
-  }
-  return target;
+  if (ctx.allowOutsideProjectRoot) return target;
+  if (isInsideAny(target, allowedRoots(ctx))) return target;
+  throw new Error(`Path "${absPath}" is outside project root "${path3.resolve(ctx.projectRoot)}"`);
 }
 function safeResolve(input, ctx) {
   return ensureInsideRoot(resolvePath(input, ctx), ctx);
@@ -766,6 +908,7 @@ var formatTool = {
   permission: "confirm",
   mutating: true,
   capabilities: ["fs.write", "shell.exec"],
+  icon: "code",
   timeoutMs: 6e4,
   inputSchema: {
     type: "object",