npm - @yail259/overnight - Versions diffs - 0.1.0 → 0.2.0 - Mend

@yail259/overnight 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/cli.js CHANGED Viewed

@@ -8831,9 +8831,142 @@ var DEFAULT_TIMEOUT = 300;
 var DEFAULT_STALL_TIMEOUT = 120;
 var DEFAULT_RETRY_COUNT = 3;
 var DEFAULT_RETRY_DELAY = 5;
-var DEFAULT_VERIFY_PROMPT = "Verify this is complete and correct. If there are issues, list them.";
+var DEFAULT_VERIFY_PROMPT = "Review what you just implemented. Check for correctness, completeness, and compile errors. Fix any issues you find.";
 var DEFAULT_STATE_FILE = ".overnight-state.json";
 var DEFAULT_NTFY_TOPIC = "overnight";
+var DEFAULT_MAX_TURNS = 100;
+var DEFAULT_DENY_PATTERNS = [
+  "**/.env",
+  "**/.env.*",
+  "**/.git/config",
+  "**/credentials*",
+  "**/*.key",
+  "**/*.pem",
+  "**/*.p12",
+  "**/id_rsa*",
+  "**/id_ed25519*",
+  "**/.ssh/*",
+  "**/.aws/*",
+  "**/.npmrc",
+  "**/.netrc"
+];
+// src/security.ts
+import { appendFileSync } from "fs";
+import { resolve, relative, isAbsolute } from "path";
+function matchesPattern(filePath, pattern) {
+  const normalizedPath = filePath.replace(/\\/g, "/");
+  let regex = pattern.replace(/\./g, "\\.").replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/{{GLOBSTAR}}/g, ".*");
+  if (!pattern.startsWith("/")) {
+    regex = `(^|/)${regex}`;
+  }
+  return new RegExp(regex + "$").test(normalizedPath);
+}
+function isPathWithinSandbox(filePath, sandboxDir) {
+  const absolutePath = isAbsolute(filePath) ? filePath : resolve(process.cwd(), filePath);
+  const absoluteSandbox = isAbsolute(sandboxDir) ? sandboxDir : resolve(process.cwd(), sandboxDir);
+  const relativePath = relative(absoluteSandbox, absolutePath);
+  return !relativePath.startsWith("..") && !isAbsolute(relativePath);
+}
+function isPathDenied(filePath, denyPatterns) {
+  for (const pattern of denyPatterns) {
+    if (matchesPattern(filePath, pattern)) {
+      return pattern;
+    }
+  }
+  return null;
+}
+function createSecurityHooks(config) {
+  const sandboxDir = config.sandbox_dir;
+  const denyPatterns = config.deny_patterns ?? DEFAULT_DENY_PATTERNS;
+  const auditLog = config.audit_log;
+  const preToolUseHook = async (input, _toolUseId, _context) => {
+    const hookEventName = input.hook_event_name;
+    if (hookEventName !== "PreToolUse")
+      return {};
+    const toolName = input.tool_name;
+    const toolInput = input.tool_input;
+    let filePath;
+    if (toolName === "Read" || toolName === "Write" || toolName === "Edit") {
+      filePath = toolInput.file_path;
+    } else if (toolName === "Glob" || toolName === "Grep") {
+      filePath = toolInput.path;
+    } else if (toolName === "Bash") {
+      const command = toolInput.command;
+      if (auditLog) {
+        const timestamp = new Date().toISOString();
+        appendFileSync(auditLog, `${timestamp} [BASH] ${command}
+`);
+      }
+      return {};
+    }
+    if (!filePath)
+      return {};
+    if (sandboxDir && !isPathWithinSandbox(filePath, sandboxDir)) {
+      return {
+        hookSpecificOutput: {
+          hookEventName,
+          permissionDecision: "deny",
+          permissionDecisionReason: `Path "${filePath}" is outside sandbox directory "${sandboxDir}"`
+        }
+      };
+    }
+    const matchedPattern = isPathDenied(filePath, denyPatterns);
+    if (matchedPattern) {
+      return {
+        hookSpecificOutput: {
+          hookEventName,
+          permissionDecision: "deny",
+          permissionDecisionReason: `Path "${filePath}" matches deny pattern "${matchedPattern}"`
+        }
+      };
+    }
+    return {};
+  };
+  const postToolUseHook = async (input, _toolUseId, _context) => {
+    if (!auditLog)
+      return {};
+    const hookEventName = input.hook_event_name;
+    if (hookEventName !== "PostToolUse")
+      return {};
+    const toolName = input.tool_name;
+    const toolInput = input.tool_input;
+    const timestamp = new Date().toISOString();
+    let logEntry = `${timestamp} [${toolName}]`;
+    if (toolName === "Read" || toolName === "Write" || toolName === "Edit") {
+      logEntry += ` ${toolInput.file_path}`;
+    } else if (toolName === "Glob") {
+      logEntry += ` pattern=${toolInput.pattern} path=${toolInput.path ?? "."}`;
+    } else if (toolName === "Grep") {
+      logEntry += ` pattern=${toolInput.pattern}`;
+    }
+    appendFileSync(auditLog, logEntry + `
+`);
+    return {};
+  };
+  return {
+    PreToolUse: [
+      { matcher: "Read|Write|Edit|Glob|Grep|Bash", hooks: [preToolUseHook] }
+    ],
+    PostToolUse: [
+      { matcher: "Read|Write|Edit|Glob|Grep|Bash", hooks: [postToolUseHook] }
+    ]
+  };
+}
+function validateSecurityConfig(config) {
+  if (config.sandbox_dir) {
+    const resolved = isAbsolute(config.sandbox_dir) ? config.sandbox_dir : resolve(process.cwd(), config.sandbox_dir);
+    console.log(`  Sandbox: ${resolved}`);
+  }
+  const denyPatterns = config.deny_patterns ?? DEFAULT_DENY_PATTERNS;
+  console.log(`  Deny patterns: ${denyPatterns.length} patterns`);
+  if (config.max_turns) {
+    console.log(`  Max turns: ${config.max_turns}`);
+  }
+  if (config.audit_log) {
+    console.log(`  Audit log: ${config.audit_log}`);
+  }
+}
 // node_modules/@anthropic-ai/claude-agent-sdk/sdk.mjs
 import { join as join5 } from "path";
@@ -8850,7 +8983,7 @@ import { cwd } from "process";
 import { realpathSync as realpathSync2 } from "fs";
 import { randomUUID } from "crypto";
 import { randomUUID as randomUUID2 } from "crypto";
-import { appendFileSync as appendFileSync2, existsSync as existsSync2, mkdirSync as mkdirSync2 } from "fs";
+import { appendFileSync as appendFileSync22, existsSync as existsSync2, mkdirSync as mkdirSync2 } from "fs";
 import { join as join3 } from "path";
 import { randomUUID as randomUUID3 } from "crypto";
 var __create2 = Object.create;
@@ -11724,7 +11857,7 @@ var require_compile = __commonJS2((exports) => {
     const schOrFunc = root2.refs[ref];
     if (schOrFunc)
       return schOrFunc;
-    let _sch = resolve.call(this, root2, ref);
+    let _sch = resolve2.call(this, root2, ref);
     if (_sch === undefined) {
       const schema = (_a = root2.localRefs) === null || _a === undefined ? undefined : _a[ref];
       const { schemaId } = this.opts;
@@ -11751,7 +11884,7 @@ var require_compile = __commonJS2((exports) => {
   function sameSchemaEnv(s1, s2) {
     return s1.schema === s2.schema && s1.root === s2.root && s1.baseId === s2.baseId;
   }
-  function resolve(root2, ref) {
+  function resolve2(root2, ref) {
     let sch;
     while (typeof (sch = this.refs[ref]) == "string")
       ref = sch;
@@ -12249,54 +12382,54 @@ var require_fast_uri = __commonJS2((exports, module) => {
     }
     return uri;
   }
-  function resolve(baseURI, relativeURI, options) {
+  function resolve2(baseURI, relativeURI, options) {
     const schemelessOptions = Object.assign({ scheme: "null" }, options);
     const resolved = resolveComponents(parse6(baseURI, schemelessOptions), parse6(relativeURI, schemelessOptions), schemelessOptions, true);
     return serialize(resolved, { ...schemelessOptions, skipEscape: true });
   }
-  function resolveComponents(base, relative, options, skipNormalization) {
+  function resolveComponents(base, relative2, options, skipNormalization) {
     const target = {};
     if (!skipNormalization) {
       base = parse6(serialize(base, options), options);
-      relative = parse6(serialize(relative, options), options);
+      relative2 = parse6(serialize(relative2, options), options);
     }
     options = options || {};
-    if (!options.tolerant && relative.scheme) {
-      target.scheme = relative.scheme;
-      target.userinfo = relative.userinfo;
-      target.host = relative.host;
-      target.port = relative.port;
-      target.path = removeDotSegments(relative.path || "");
-      target.query = relative.query;
+    if (!options.tolerant && relative2.scheme) {
+      target.scheme = relative2.scheme;
+      target.userinfo = relative2.userinfo;
+      target.host = relative2.host;
+      target.port = relative2.port;
+      target.path = removeDotSegments(relative2.path || "");
+      target.query = relative2.query;
     } else {
-      if (relative.userinfo !== undefined || relative.host !== undefined || relative.port !== undefined) {
-        target.userinfo = relative.userinfo;
-        target.host = relative.host;
-        target.port = relative.port;
-        target.path = removeDotSegments(relative.path || "");
-        target.query = relative.query;
+      if (relative2.userinfo !== undefined || relative2.host !== undefined || relative2.port !== undefined) {
+        target.userinfo = relative2.userinfo;
+        target.host = relative2.host;
+        target.port = relative2.port;
+        target.path = removeDotSegments(relative2.path || "");
+        target.query = relative2.query;
       } else {
-        if (!relative.path) {
+        if (!relative2.path) {
           target.path = base.path;
-          if (relative.query !== undefined) {
-            target.query = relative.query;
+          if (relative2.query !== undefined) {
+            target.query = relative2.query;
           } else {
             target.query = base.query;
           }
         } else {
-          if (relative.path.charAt(0) === "/") {
-            target.path = removeDotSegments(relative.path);
+          if (relative2.path.charAt(0) === "/") {
+            target.path = removeDotSegments(relative2.path);
           } else {
             if ((base.userinfo !== undefined || base.host !== undefined || base.port !== undefined) && !base.path) {
-              target.path = "/" + relative.path;
+              target.path = "/" + relative2.path;
             } else if (!base.path) {
-              target.path = relative.path;
+              target.path = relative2.path;
             } else {
-              target.path = base.path.slice(0, base.path.lastIndexOf("/") + 1) + relative.path;
+              target.path = base.path.slice(0, base.path.lastIndexOf("/") + 1) + relative2.path;
             }
             target.path = removeDotSegments(target.path);
           }
-          target.query = relative.query;
+          target.query = relative2.query;
         }
         target.userinfo = base.userinfo;
         target.host = base.host;
@@ -12304,7 +12437,7 @@ var require_fast_uri = __commonJS2((exports, module) => {
       }
       target.scheme = base.scheme;
     }
-    target.fragment = relative.fragment;
+    target.fragment = relative2.fragment;
     return target;
   }
   function equal(uriA, uriB, options) {
@@ -12482,7 +12615,7 @@ var require_fast_uri = __commonJS2((exports, module) => {
   var fastUri = {
     SCHEMES,
     normalize,
-    resolve,
+    resolve: resolve2,
     resolveComponents,
     equal,
     serialize,
@@ -16072,7 +16205,7 @@ function logForSdkDebugging(message) {
   const timestamp = new Date().toISOString();
   const output = `${timestamp} ${message}
 `;
-  appendFileSync2(path, output);
+  appendFileSync22(path, output);
 }
 function mergeSandboxIntoExtraArgs(extraArgs, sandbox) {
   const effectiveExtraArgs = { ...extraArgs };
@@ -16474,7 +16607,7 @@ class ProcessTransport {
       }
       return;
     }
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       const exitHandler = (code, signal) => {
         if (this.abortController.signal.aborted) {
           reject(new AbortError("Operation aborted"));
@@ -16484,7 +16617,7 @@ class ProcessTransport {
         if (error) {
           reject(error);
         } else {
-          resolve();
+          resolve2();
         }
       };
       this.process.once("exit", exitHandler);
@@ -16535,17 +16668,17 @@ class Stream {
     if (this.hasError) {
       return Promise.reject(this.hasError);
     }
-    return new Promise((resolve, reject) => {
-      this.readResolve = resolve;
+    return new Promise((resolve2, reject) => {
+      this.readResolve = resolve2;
       this.readReject = reject;
     });
   }
   enqueue(value) {
     if (this.readResolve) {
-      const resolve = this.readResolve;
+      const resolve2 = this.readResolve;
       this.readResolve = undefined;
       this.readReject = undefined;
-      resolve({ done: false, value });
+      resolve2({ done: false, value });
     } else {
       this.queue.push(value);
     }
@@ -16553,10 +16686,10 @@ class Stream {
   done() {
     this.isDone = true;
     if (this.readResolve) {
-      const resolve = this.readResolve;
+      const resolve2 = this.readResolve;
       this.readResolve = undefined;
       this.readReject = undefined;
-      resolve({ done: true, value: undefined });
+      resolve2({ done: true, value: undefined });
     }
   }
   error(error) {
@@ -16886,10 +17019,10 @@ class Query {
       type: "control_request",
       request
     };
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       this.pendingControlResponses.set(requestId, (response) => {
         if (response.subtype === "success") {
-          resolve(response);
+          resolve2(response);
         } else {
           reject(new Error(response.error));
           if (response.pending_permission_requests) {
@@ -16979,15 +17112,15 @@ class Query {
       logForDebugging(`[Query.waitForFirstResult] Result already received, returning immediately`);
       return Promise.resolve();
     }
-    return new Promise((resolve) => {
+    return new Promise((resolve2) => {
       if (this.abortController?.signal.aborted) {
-        resolve();
+        resolve2();
         return;
       }
-      this.abortController?.signal.addEventListener("abort", () => resolve(), {
+      this.abortController?.signal.addEventListener("abort", () => resolve2(), {
         once: true
       });
-      this.firstResultReceivedResolve = resolve;
+      this.firstResultReceivedResolve = resolve2;
     });
   }
   handleHookCallbacks(callbackId, input, toolUseID, abortSignal) {
@@ -17038,13 +17171,13 @@ class Query {
   handleMcpControlRequest(serverName, mcpRequest, transport) {
     const messageId = "id" in mcpRequest.message ? mcpRequest.message.id : null;
     const key = `${serverName}:${messageId}`;
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       const cleanup = () => {
         this.pendingMcpResponses.delete(key);
       };
       const resolveAndCleanup = (response) => {
         cleanup();
-        resolve(response);
+        resolve2(response);
       };
       const rejectAndCleanup = (error) => {
         cleanup();
@@ -25452,6 +25585,78 @@ function query({
 // src/runner.ts
 import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3, unlinkSync as unlinkSync2 } from "fs";
+import { execSync } from "child_process";
+import { createHash } from "crypto";
+var SPINNER_FRAMES = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+class ProgressDisplay {
+  interval = null;
+  frame = 0;
+  startTime = Date.now();
+  currentActivity = "Working";
+  lastToolUse = "";
+  start(activity) {
+    this.currentActivity = activity;
+    this.startTime = Date.now();
+    this.frame = 0;
+    if (this.interval)
+      return;
+    this.interval = setInterval(() => {
+      const elapsed = Math.floor((Date.now() - this.startTime) / 1000);
+      const toolInfo = this.lastToolUse ? ` → ${this.lastToolUse}` : "";
+      process.stdout.write(`\r\x1B[K${SPINNER_FRAMES[this.frame]} ${this.currentActivity} (${elapsed}s)${toolInfo}`);
+      this.frame = (this.frame + 1) % SPINNER_FRAMES.length;
+    }, 100);
+  }
+  updateActivity(activity) {
+    this.currentActivity = activity;
+  }
+  updateTool(toolName, detail) {
+    this.lastToolUse = detail ? `${toolName}: ${detail}` : toolName;
+  }
+  stop(finalMessage) {
+    if (this.interval) {
+      clearInterval(this.interval);
+      this.interval = null;
+    }
+    process.stdout.write("\r\x1B[K");
+    if (finalMessage) {
+      console.log(finalMessage);
+    }
+  }
+  getElapsed() {
+    return (Date.now() - this.startTime) / 1000;
+  }
+}
+var claudeExecutablePath;
+function findClaudeExecutable() {
+  if (claudeExecutablePath !== undefined)
+    return claudeExecutablePath;
+  if (process.env.CLAUDE_CODE_PATH) {
+    claudeExecutablePath = process.env.CLAUDE_CODE_PATH;
+    return claudeExecutablePath;
+  }
+  try {
+    const cmd = process.platform === "win32" ? "where claude" : "which claude";
+    claudeExecutablePath = execSync(cmd, { encoding: "utf-8" }).trim().split(`
+`)[0];
+    return claudeExecutablePath;
+  } catch {
+    const commonPaths = [
+      "/usr/local/bin/claude",
+      "/opt/homebrew/bin/claude",
+      `${process.env.HOME}/.local/bin/claude`,
+      `${process.env.HOME}/.nvm/versions/node/v22.12.0/bin/claude`
+    ];
+    for (const p of commonPaths) {
+      if (existsSync3(p)) {
+        claudeExecutablePath = p;
+        return claudeExecutablePath;
+      }
+    }
+  }
+  return;
+}
 function isRetryableError(error2) {
   const errorStr = error2.message.toLowerCase();
   const retryablePatterns = [
@@ -25469,7 +25674,7 @@ function isRetryableError(error2) {
   return retryablePatterns.some((pattern) => errorStr.includes(pattern));
 }
 async function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
 async function runWithTimeout(promise, timeoutMs) {
   let timeoutId;
@@ -25485,19 +25690,69 @@ async function runWithTimeout(promise, timeoutMs) {
     throw e;
   }
 }
-async function collectResult(prompt, options) {
-  let sessionId;
+function getToolDetail(toolName, toolInput) {
+  switch (toolName) {
+    case "Read":
+    case "Write":
+    case "Edit":
+      const filePath = toolInput.file_path;
+      if (filePath) {
+        return filePath.split("/").pop() || filePath;
+      }
+      break;
+    case "Glob":
+      return toolInput.pattern || "";
+    case "Grep":
+      return toolInput.pattern?.slice(0, 20) || "";
+    case "Bash":
+      const cmd = toolInput.command || "";
+      return cmd.slice(0, 30) + (cmd.length > 30 ? "..." : "");
+  }
+  return "";
+}
+async function collectResultWithProgress(prompt, options, progress, onSessionId) {
+  let sessionId2;
   let result;
-  const conversation = query({ prompt, options });
-  for await (const message of conversation) {
-    if (message.type === "result") {
-      result = message.result;
-      sessionId = message.session_id;
+  let lastError;
+  try {
+    const conversation = query({ prompt, options });
+    for await (const message of conversation) {
+      if (process.env.OVERNIGHT_DEBUG) {
+        console.error(`
+[DEBUG] message.type=${message.type}, keys=${Object.keys(message).join(",")}`);
+      }
+      if (message.type === "result") {
+        result = message.result;
+        sessionId2 = message.session_id;
+      } else if (message.type === "assistant" && "message" in message) {
+        const assistantMsg = message.message;
+        if (assistantMsg.content) {
+          for (const block of assistantMsg.content) {
+            if (process.env.OVERNIGHT_DEBUG) {
+              console.error(`[DEBUG] content block: type=${block.type}, name=${block.name}`);
+            }
+            if (block.type === "tool_use" && block.name) {
+              const detail = block.input ? getToolDetail(block.name, block.input) : "";
+              progress.updateTool(block.name, detail);
+            }
+          }
+        }
+      } else if (message.type === "system" && "subtype" in message) {
+        if (message.subtype === "init") {
+          sessionId2 = message.session_id;
+          if (sessionId2 && onSessionId) {
+            onSessionId(sessionId2);
+          }
+        }
+      }
     }
+  } catch (e) {
+    lastError = e.message;
+    throw e;
   }
-  return { sessionId, result };
+  return { sessionId: sessionId2, result, error: lastError };
 }
-async function runJob(config2, log) {
+async function runJob(config2, log, options) {
   const startTime = Date.now();
   const tools = config2.allowed_tools ?? DEFAULT_TOOLS;
   const timeout = (config2.timeout_seconds ?? DEFAULT_TIMEOUT) * 1000;
@@ -25505,31 +25760,71 @@ async function runJob(config2, log) {
   const retryDelay = config2.retry_delay ?? DEFAULT_RETRY_DELAY;
   const verifyPrompt = config2.verify_prompt ?? DEFAULT_VERIFY_PROMPT;
   let retriesUsed = 0;
+  let resumeSessionId = options?.resumeSessionId;
   const logMsg = (msg) => log?.(msg);
-  logMsg(`Starting: ${config2.prompt.slice(0, 60)}...`);
+  const progress = new ProgressDisplay;
+  const claudePath = findClaudeExecutable();
+  if (!claudePath) {
+    logMsg("\x1B[31m✗ Error: Could not find 'claude' CLI.\x1B[0m");
+    logMsg("\x1B[33m  Install it with:\x1B[0m");
+    logMsg("    curl -fsSL https://claude.ai/install.sh | bash");
+    logMsg("\x1B[33m  Or set CLAUDE_CODE_PATH environment variable.\x1B[0m");
+    return {
+      task: config2.prompt,
+      status: "failed",
+      error: "Claude CLI not found. Install with: curl -fsSL https://claude.ai/install.sh | bash",
+      duration_seconds: 0,
+      verified: false,
+      retries: 0
+    };
+  }
+  if (process.env.OVERNIGHT_DEBUG) {
+    logMsg(`\x1B[2mDebug: Claude path = ${claudePath}\x1B[0m`);
+  }
+  const taskPreview = config2.prompt.slice(0, 60) + (config2.prompt.length > 60 ? "..." : "");
+  if (resumeSessionId) {
+    logMsg(`\x1B[36m▶\x1B[0m Resuming: ${taskPreview}`);
+  } else {
+    logMsg(`\x1B[36m▶\x1B[0m ${taskPreview}`);
+  }
   for (let attempt = 0;attempt <= retryCount; attempt++) {
     try {
-      const options = {
+      const securityHooks = config2.security ? createSecurityHooks(config2.security) : undefined;
+      const sdkOptions = {
         allowedTools: tools,
         permissionMode: "acceptEdits",
-        ...config2.working_dir && { cwd: config2.working_dir }
+        ...claudePath && { pathToClaudeCodeExecutable: claudePath },
+        ...config2.working_dir && { cwd: config2.working_dir },
+        ...config2.security?.max_turns && { maxTurns: config2.security.max_turns },
+        ...securityHooks && { hooks: securityHooks },
+        ...resumeSessionId && { resume: resumeSessionId }
       };
-      let sessionId;
+      let sessionId2;
       let result;
+      const prompt = resumeSessionId ? "Continue where you left off. Complete the original task." : config2.prompt;
+      progress.start(resumeSessionId ? "Resuming" : "Working");
       try {
-        const collected = await runWithTimeout(collectResult(config2.prompt, options), timeout);
-        sessionId = collected.sessionId;
+        const collected = await runWithTimeout(collectResultWithProgress(prompt, sdkOptions, progress, (id) => {
+          sessionId2 = id;
+          options?.onSessionId?.(id);
+        }), timeout);
+        sessionId2 = collected.sessionId;
         result = collected.result;
+        progress.stop();
       } catch (e) {
+        progress.stop();
         if (e.message === "TIMEOUT") {
           if (attempt < retryCount) {
             retriesUsed = attempt + 1;
+            if (sessionId2) {
+              resumeSessionId = sessionId2;
+            }
             const delay = retryDelay * Math.pow(2, attempt);
-            logMsg(`Timeout after ${config2.timeout_seconds ?? DEFAULT_TIMEOUT}s, retrying in ${delay}s (attempt ${attempt + 1}/${retryCount})...`);
+            logMsg(`\x1B[33m⚠ Timeout after ${config2.timeout_seconds ?? DEFAULT_TIMEOUT}s, retrying in ${delay}s (${attempt + 1}/${retryCount})\x1B[0m`);
             await sleep(delay * 1000);
             continue;
           }
-          logMsg(`Timeout after ${config2.timeout_seconds ?? DEFAULT_TIMEOUT}s (exhausted retries)`);
+          logMsg(`\x1B[31m✗ Timeout after ${config2.timeout_seconds ?? DEFAULT_TIMEOUT}s (exhausted retries)\x1B[0m`);
           return {
             task: config2.prompt,
             status: "timeout",
@@ -25541,37 +25836,50 @@ async function runJob(config2, log) {
         }
         throw e;
       }
-      if (config2.verify !== false && sessionId) {
-        logMsg("Running verification...");
+      if (config2.verify !== false && sessionId2) {
+        progress.start("Verifying");
         const verifyOptions = {
-          resume: sessionId,
-          permissionMode: "acceptEdits"
+          allowedTools: tools,
+          resume: sessionId2,
+          permissionMode: "acceptEdits",
+          ...claudePath && { pathToClaudeCodeExecutable: claudePath },
+          ...config2.working_dir && { cwd: config2.working_dir },
+          ...config2.security?.max_turns && { maxTurns: config2.security.max_turns }
         };
+        const fixPrompt = verifyPrompt + " If you find any issues, fix them now. Only report issues you cannot fix.";
         try {
-          const verifyResult = await runWithTimeout(collectResult(verifyPrompt, verifyOptions), timeout / 2);
-          const issueWords = ["issue", "error", "fail", "incorrect", "missing"];
-          if (verifyResult.result && issueWords.some((word) => verifyResult.result.toLowerCase().includes(word))) {
-            logMsg("Verification found potential issues");
+          const verifyResult = await runWithTimeout(collectResultWithProgress(fixPrompt, verifyOptions, progress, (id) => {
+            sessionId2 = id;
+            options?.onSessionId?.(id);
+          }), timeout / 2);
+          progress.stop();
+          if (verifyResult.result) {
+            result = verifyResult.result;
+          }
+          const unfixableWords = ["cannot fix", "unable to", "blocked by", "requires manual"];
+          if (verifyResult.result && unfixableWords.some((word) => verifyResult.result.toLowerCase().includes(word))) {
+            logMsg(`\x1B[33m⚠ Verification found unfixable issues\x1B[0m`);
             return {
               task: config2.prompt,
               status: "verification_failed",
               result,
-              error: `Verification issues: ${verifyResult.result}`,
+              error: `Unfixable issues: ${verifyResult.result}`,
               duration_seconds: (Date.now() - startTime) / 1000,
               verified: false,
               retries: retriesUsed
             };
           }
         } catch (e) {
+          progress.stop();
           if (e.message === "TIMEOUT") {
-            logMsg("Verification timed out - continuing anyway");
+            logMsg("\x1B[33m⚠ Verification timed out - continuing anyway\x1B[0m");
           } else {
             throw e;
           }
         }
       }
       const duration3 = (Date.now() - startTime) / 1000;
-      logMsg(`Completed in ${duration3.toFixed(1)}s`);
+      logMsg(`\x1B[32m✓ Completed in ${duration3.toFixed(1)}s\x1B[0m`);
       return {
         task: config2.prompt,
         status: "success",
@@ -25581,16 +25889,20 @@ async function runJob(config2, log) {
         retries: retriesUsed
       };
     } catch (e) {
+      progress.stop();
       const error2 = e;
       if (isRetryableError(error2) && attempt < retryCount) {
         retriesUsed = attempt + 1;
+        if (sessionId) {
+          resumeSessionId = sessionId;
+        }
         const delay = retryDelay * Math.pow(2, attempt);
-        logMsg(`Retryable error: ${error2.message}, retrying in ${delay}s (attempt ${attempt + 1}/${retryCount})...`);
+        logMsg(`\x1B[33m⚠ ${error2.message}, retrying in ${delay}s (${attempt + 1}/${retryCount})\x1B[0m`);
         await sleep(delay * 1000);
         continue;
       }
       const duration3 = (Date.now() - startTime) / 1000;
-      logMsg(`Failed: ${error2.message}`);
+      logMsg(`\x1B[31m✗ Failed: ${error2.message}\x1B[0m`);
       return {
         task: config2.prompt,
         status: "failed",
@@ -25610,6 +25922,56 @@ async function runJob(config2, log) {
     retries: retriesUsed
   };
 }
+function taskKey(config2) {
+  if (config2.id)
+    return config2.id;
+  return createHash("sha256").update(config2.prompt).digest("hex").slice(0, 12);
+}
+function validateDag(configs) {
+  const ids = new Set(configs.map((c) => c.id).filter(Boolean));
+  for (const c of configs) {
+    for (const dep of c.depends_on ?? []) {
+      if (!ids.has(dep)) {
+        return `Task "${c.id ?? c.prompt.slice(0, 40)}" depends on unknown id "${dep}"`;
+      }
+    }
+  }
+  const visited = new Set;
+  const inStack = new Set;
+  const idToConfig = new Map(configs.filter((c) => c.id).map((c) => [c.id, c]));
+  function hasCycle(id) {
+    if (inStack.has(id))
+      return true;
+    if (visited.has(id))
+      return false;
+    visited.add(id);
+    inStack.add(id);
+    const config2 = idToConfig.get(id);
+    for (const dep of config2?.depends_on ?? []) {
+      if (hasCycle(dep))
+        return true;
+    }
+    inStack.delete(id);
+    return false;
+  }
+  for (const id of ids) {
+    if (hasCycle(id))
+      return `Dependency cycle detected involving "${id}"`;
+  }
+  return null;
+}
+function depsReady(config2, completed) {
+  if (!config2.depends_on || config2.depends_on.length === 0)
+    return "ready";
+  for (const dep of config2.depends_on) {
+    const result = completed[dep];
+    if (!result)
+      return "waiting";
+    if (result.status !== "success")
+      return "blocked";
+  }
+  return "ready";
+}
 function saveState(state, stateFile) {
   writeFileSync(stateFile, JSON.stringify(state, null, 2));
 }
@@ -25624,26 +25986,84 @@ function clearState(stateFile) {
 }
 async function runJobsWithState(configs, options = {}) {
   const stateFile = options.stateFile ?? DEFAULT_STATE_FILE;
-  const results = options.priorResults ? [...options.priorResults] : [];
-  const startIndex = options.startIndex ?? 0;
-  for (let i = 0;i < configs.length; i++) {
-    if (i < startIndex)
-      continue;
+  const dagError = validateDag(configs);
+  if (dagError) {
+    options.log?.(`\x1B[31m✗ DAG error: ${dagError}\x1B[0m`);
+    return [];
+  }
+  const state = loadState(stateFile) ?? {
+    completed: {},
+    timestamp: new Date().toISOString()
+  };
+  let currentConfigs = configs;
+  while (true) {
+    const notDone = currentConfigs.filter((c) => !(taskKey(c) in state.completed));
+    if (notDone.length === 0)
+      break;
+    const ready = notDone.filter((c) => depsReady(c, state.completed) === "ready");
+    const blocked = notDone.filter((c) => depsReady(c, state.completed) === "blocked");
+    for (const bc of blocked) {
+      const key2 = taskKey(bc);
+      if (key2 in state.completed)
+        continue;
+      const failedDeps = (bc.depends_on ?? []).filter((dep) => state.completed[dep] && state.completed[dep].status !== "success");
+      const label2 = bc.id ?? bc.prompt.slice(0, 40);
+      options.log?.(`
+\x1B[31m✗ Skipping "${label2}" — dependency failed: ${failedDeps.join(", ")}\x1B[0m`);
+      state.completed[key2] = {
+        task: bc.prompt,
+        status: "failed",
+        error: `Blocked by failed dependencies: ${failedDeps.join(", ")}`,
+        duration_seconds: 0,
+        verified: false,
+        retries: 0
+      };
+      state.timestamp = new Date().toISOString();
+      saveState(state, stateFile);
+    }
+    if (ready.length === 0)
+      break;
+    const config2 = ready[0];
+    const key = taskKey(config2);
+    const totalNotDone = notDone.length - blocked.length;
+    const totalDone = Object.keys(state.completed).length;
+    const label = config2.id ? `${config2.id}` : "";
     options.log?.(`
-[${i + 1}/${configs.length}] Running job...`);
-    const result = await runJob(configs[i], options.log);
-    results.push(result);
-    const state = {
-      completed_indices: Array.from({ length: results.length }, (_, i2) => i2),
-      results,
-      timestamp: new Date().toISOString(),
-      total_jobs: configs.length
-    };
+\x1B[1m[${totalDone + 1}/${totalDone + totalNotDone}]${label ? ` ${label}` : ""}\x1B[0m`);
+    const resumeSessionId = state.inProgress?.hash === key ? state.inProgress.sessionId : undefined;
+    if (resumeSessionId) {
+      options.log?.(`\x1B[2mResuming session ${resumeSessionId.slice(0, 8)}...\x1B[0m`);
+    }
+    state.inProgress = { hash: key, prompt: config2.prompt, startedAt: new Date().toISOString() };
     saveState(state, stateFile);
-    if (i < configs.length - 1) {
+    const result = await runJob(config2, options.log, {
+      resumeSessionId,
+      onSessionId: (id) => {
+        state.inProgress = { hash: key, prompt: config2.prompt, sessionId: id, startedAt: state.inProgress.startedAt };
+        saveState(state, stateFile);
+      }
+    });
+    state.completed[key] = result;
+    state.inProgress = undefined;
+    state.timestamp = new Date().toISOString();
+    saveState(state, stateFile);
+    if (options.reloadConfigs) {
+      try {
+        currentConfigs = options.reloadConfigs();
+        const newDagError = validateDag(currentConfigs);
+        if (newDagError) {
+          options.log?.(`\x1B[33m⚠ DAG error in updated YAML, ignoring reload: ${newDagError}\x1B[0m`);
+          currentConfigs = configs;
+        }
+      } catch {}
+    }
+    const nextNotDone = currentConfigs.filter((c) => !(taskKey(c) in state.completed));
+    const nextReady = nextNotDone.filter((c) => depsReady(c, state.completed) === "ready");
+    if (nextReady.length > 0) {
       await sleep(1000);
     }
   }
+  const results = currentConfigs.map((c) => state.completed[taskKey(c)]).filter((r) => r !== undefined);
   clearState(stateFile);
   return results;
 }
@@ -25877,12 +26297,27 @@ overnight resume tasks.yaml
 Run \`overnight <command> --help\` for command-specific options.
 `;
-function parseTasksFile(path) {
+function parseTasksFile(path, cliSecurity) {
   const content = readFileSync3(path, "utf-8");
-  const data = $parse(content);
+  let data;
+  try {
+    data = $parse(content);
+  } catch (e) {
+    const error2 = e;
+    console.error(`\x1B[31mError parsing ${path}:\x1B[0m`);
+    console.error(`  ${error2.message.split(`
+`)[0]}`);
+    process.exit(1);
+  }
   const tasks = Array.isArray(data) ? data : data.tasks ?? [];
   const defaults = Array.isArray(data) ? {} : data.defaults ?? {};
-  return tasks.map((task) => {
+  const fileSecurity = !Array.isArray(data) && data.defaults?.security || {};
+  const security = cliSecurity || Object.keys(fileSecurity).length > 0 ? {
+    ...fileSecurity,
+    ...cliSecurity,
+    deny_patterns: cliSecurity?.deny_patterns ?? fileSecurity.deny_patterns ?? DEFAULT_DENY_PATTERNS
+  } : undefined;
+  const configs = tasks.map((task) => {
     if (typeof task === "string") {
       return {
         prompt: task,
@@ -25890,19 +26325,24 @@ function parseTasksFile(path) {
         stall_timeout_seconds: defaults.stall_timeout_seconds ?? DEFAULT_STALL_TIMEOUT,
         verify: defaults.verify ?? true,
         verify_prompt: defaults.verify_prompt ?? DEFAULT_VERIFY_PROMPT,
-        allowed_tools: defaults.allowed_tools
+        allowed_tools: defaults.allowed_tools,
+        security
       };
     }
     return {
+      id: task.id ?? undefined,
+      depends_on: task.depends_on ?? undefined,
       prompt: task.prompt,
       working_dir: task.working_dir ?? undefined,
       timeout_seconds: task.timeout_seconds ?? defaults.timeout_seconds ?? DEFAULT_TIMEOUT,
       stall_timeout_seconds: task.stall_timeout_seconds ?? defaults.stall_timeout_seconds ?? DEFAULT_STALL_TIMEOUT,
       verify: task.verify ?? defaults.verify ?? true,
       verify_prompt: task.verify_prompt ?? defaults.verify_prompt ?? DEFAULT_VERIFY_PROMPT,
-      allowed_tools: task.allowed_tools ?? defaults.allowed_tools
+      allowed_tools: task.allowed_tools ?? defaults.allowed_tools,
+      security: task.security ?? security
     };
   });
+  return { configs, security };
 }
 function printSummary(results) {
   const statusColors = {
@@ -25928,26 +26368,45 @@ ${bold}Job Results${reset}`);
 ${bold}Summary:${reset} ${succeeded}/${results.length} succeeded`);
 }
 var program2 = new Command;
-program2.name("overnight").description("Batch job runner for Claude Code").version("0.1.0").action(() => {
+program2.name("overnight").description("Batch job runner for Claude Code").version("0.2.0").action(() => {
   console.log(AGENT_HELP);
 });
-program2.command("run").description("Run jobs from a YAML tasks file").argument("<tasks-file>", "Path to tasks.yaml file").option("-o, --output <file>", "Output file for results JSON").option("-q, --quiet", "Minimal output").option("-s, --state-file <file>", "Custom state file path").option("--notify", "Send push notification via ntfy.sh").option("--notify-topic <topic>", "ntfy.sh topic", DEFAULT_NTFY_TOPIC).option("-r, --report <file>", "Generate markdown report").action(async (tasksFile, opts) => {
+program2.command("run").description("Run jobs from a YAML tasks file").argument("<tasks-file>", "Path to tasks.yaml file").option("-o, --output <file>", "Output file for results JSON").option("-q, --quiet", "Minimal output").option("-s, --state-file <file>", "Custom state file path").option("--notify", "Send push notification via ntfy.sh").option("--notify-topic <topic>", "ntfy.sh topic", DEFAULT_NTFY_TOPIC).option("-r, --report <file>", "Generate markdown report").option("--sandbox <dir>", "Sandbox directory (restrict file access)").option("--max-turns <n>", "Max agent iterations per task", String(DEFAULT_MAX_TURNS)).option("--audit-log <file>", "Audit log file path").option("--no-security", "Disable default security (deny patterns)").action(async (tasksFile, opts) => {
   if (!existsSync5(tasksFile)) {
     console.error(`Error: File not found: ${tasksFile}`);
     process.exit(1);
   }
-  const configs = parseTasksFile(tasksFile);
+  const cliSecurity = opts.security === false ? undefined : {
+    ...opts.sandbox && { sandbox_dir: opts.sandbox },
+    ...opts.maxTurns && { max_turns: parseInt(opts.maxTurns, 10) },
+    ...opts.auditLog && { audit_log: opts.auditLog }
+  };
+  const { configs, security } = parseTasksFile(tasksFile, cliSecurity);
   if (configs.length === 0) {
     console.error("No tasks found in file");
     process.exit(1);
   }
-  console.log(`\x1B[1movernight: Running ${configs.length} jobs...\x1B[0m
-`);
+  const existingState = loadState(opts.stateFile ?? DEFAULT_STATE_FILE);
+  if (existingState) {
+    const done = Object.keys(existingState.completed).length;
+    const pending = configs.filter((c) => !(taskKey(c) in existingState.completed)).length;
+    console.log(`\x1B[1movernight: Resuming — ${done} done, ${pending} remaining\x1B[0m`);
+    console.log(`\x1B[2mLast checkpoint: ${existingState.timestamp}\x1B[0m`);
+  } else {
+    console.log(`\x1B[1movernight: Running ${configs.length} jobs...\x1B[0m`);
+  }
+  if (security && !opts.quiet) {
+    console.log("\x1B[2mSecurity:\x1B[0m");
+    validateSecurityConfig(security);
+  }
+  console.log("");
   const log = opts.quiet ? undefined : (msg) => console.log(msg);
   const startTime = Date.now();
+  const reloadConfigs = () => parseTasksFile(tasksFile, cliSecurity).configs;
   const results = await runJobsWithState(configs, {
     stateFile: opts.stateFile,
-    log
+    log,
+    reloadConfigs
   });
   const totalDuration = (Date.now() - startTime) / 1000;
   if (opts.notify) {
@@ -25974,7 +26433,7 @@ program2.command("run").description("Run jobs from a YAML tasks file").argument(
     process.exit(1);
   }
 });
-program2.command("resume").description("Resume a previous run from saved state").argument("<tasks-file>", "Path to tasks.yaml file").option("-o, --output <file>", "Output file for results JSON").option("-q, --quiet", "Minimal output").option("-s, --state-file <file>", "Custom state file path").option("--notify", "Send push notification via ntfy.sh").option("--notify-topic <topic>", "ntfy.sh topic", DEFAULT_NTFY_TOPIC).option("-r, --report <file>", "Generate markdown report").action(async (tasksFile, opts) => {
+program2.command("resume").description("Resume a previous run from saved state").argument("<tasks-file>", "Path to tasks.yaml file").option("-o, --output <file>", "Output file for results JSON").option("-q, --quiet", "Minimal output").option("-s, --state-file <file>", "Custom state file path").option("--notify", "Send push notification via ntfy.sh").option("--notify-topic <topic>", "ntfy.sh topic", DEFAULT_NTFY_TOPIC).option("-r, --report <file>", "Generate markdown report").option("--sandbox <dir>", "Sandbox directory (restrict file access)").option("--max-turns <n>", "Max agent iterations per task", String(DEFAULT_MAX_TURNS)).option("--audit-log <file>", "Audit log file path").option("--no-security", "Disable default security (deny patterns)").action(async (tasksFile, opts) => {
   const stateFile = opts.stateFile ?? DEFAULT_STATE_FILE;
   const state = loadState(stateFile);
   if (!state) {
@@ -25986,26 +26445,32 @@ program2.command("resume").description("Resume a previous run from saved state")
     console.error(`Error: File not found: ${tasksFile}`);
     process.exit(1);
   }
-  const configs = parseTasksFile(tasksFile);
+  const cliSecurity = opts.security === false ? undefined : {
+    ...opts.sandbox && { sandbox_dir: opts.sandbox },
+    ...opts.maxTurns && { max_turns: parseInt(opts.maxTurns, 10) },
+    ...opts.auditLog && { audit_log: opts.auditLog }
+  };
+  const { configs, security } = parseTasksFile(tasksFile, cliSecurity);
   if (configs.length === 0) {
     console.error("No tasks found in file");
     process.exit(1);
   }
-  if (configs.length !== state.total_jobs) {
-    console.error(`Task file has ${configs.length} jobs but state has ${state.total_jobs}`);
-    process.exit(1);
+  const completedCount = Object.keys(state.completed).length;
+  const pendingCount = configs.filter((c) => !(taskKey(c) in state.completed)).length;
+  console.log(`\x1B[1movernight: Resuming — ${completedCount} done, ${pendingCount} remaining\x1B[0m`);
+  console.log(`\x1B[2mLast checkpoint: ${state.timestamp}\x1B[0m`);
+  if (security && !opts.quiet) {
+    console.log("\x1B[2mSecurity:\x1B[0m");
+    validateSecurityConfig(security);
   }
-  const startIndex = state.completed_indices.length;
-  console.log(`\x1B[1movernight: Resuming from job ${startIndex + 1}/${configs.length}...\x1B[0m`);
-  console.log(`\x1B[2mLast checkpoint: ${state.timestamp}\x1B[0m
-`);
+  console.log("");
   const log = opts.quiet ? undefined : (msg) => console.log(msg);
   const startTime = Date.now();
+  const reloadConfigs = () => parseTasksFile(tasksFile, cliSecurity).configs;
   const results = await runJobsWithState(configs, {
     stateFile,
     log,
-    startIndex,
-    priorResults: state.results
+    reloadConfigs
   });
   const totalDuration = (Date.now() - startTime) / 1000;
   if (opts.notify) {
@@ -26032,12 +26497,18 @@ program2.command("resume").description("Resume a previous run from saved state")
     process.exit(1);
   }
 });
-program2.command("single").description("Run a single job directly").argument("<prompt>", "The task prompt").option("-t, --timeout <seconds>", "Timeout in seconds", "300").option("--verify", "Run verification pass", true).option("--no-verify", "Skip verification pass").option("-T, --tools <tool...>", "Allowed tools").action(async (prompt, opts) => {
+program2.command("single").description("Run a single job directly").argument("<prompt>", "The task prompt").option("-t, --timeout <seconds>", "Timeout in seconds", "300").option("--verify", "Run verification pass", true).option("--no-verify", "Skip verification pass").option("-T, --tools <tool...>", "Allowed tools").option("--sandbox <dir>", "Sandbox directory (restrict file access)").option("--max-turns <n>", "Max agent iterations", String(DEFAULT_MAX_TURNS)).option("--no-security", "Disable default security (deny patterns)").action(async (prompt, opts) => {
+  const security = opts.security === false ? undefined : {
+    ...opts.sandbox && { sandbox_dir: opts.sandbox },
+    ...opts.maxTurns && { max_turns: parseInt(opts.maxTurns, 10) },
+    deny_patterns: DEFAULT_DENY_PATTERNS
+  };
   const config2 = {
     prompt,
     timeout_seconds: parseInt(opts.timeout, 10),
     verify: opts.verify,
-    allowed_tools: opts.tools
+    allowed_tools: opts.tools,
+    security
   };
   const log = (msg) => console.log(msg);
   const result = await runJob(config2, log);
@@ -26063,6 +26534,7 @@ program2.command("init").description("Create an example tasks.yaml file").action
 defaults:
   timeout_seconds: 300  # 5 minutes per task
   verify: true          # Run verification after each task
   # Secure defaults - no Bash, just file operations
   allowed_tools:
     - Read
@@ -26071,6 +26543,15 @@ defaults:
     - Glob
     - Grep
+  # Security settings (optional - deny_patterns enabled by default)
+  security:
+    sandbox_dir: "."      # Restrict to current directory
+    max_turns: 100        # Prevent runaway agents
+    # audit_log: "overnight-audit.log"  # Uncomment to enable
+    # deny_patterns:       # Default patterns block .env, .key, .pem, etc.
+    #   - "**/.env*"
+    #   - "**/*.key"
 tasks:
   # Simple string format
   - "Find and fix any TODO comments in the codebase"