@zhijiewang/openharness 2.30.1 → 2.31.0

package/dist/commands/index.d.ts

@@ -8,7 +8,7 @@
  *   session.ts  — /clear, /compact, /export, /history, /browse, /resume, /fork, /pin, /unpin
  *   git.ts      — /diff, /undo, /rewind, /commit, /log
  *   info.ts     — /help, /cost, /status, /config, /files, /model, /memory, /doctor, /context, /mcp, /init
- *   settings.ts — /theme, /companion, /fast, /keys, /effort, /sandbox, /permissions, /allowed-tools
+ *   settings.ts — /theme, /companion, /fast, /keys, /effort, /permissions, /allowed-tools
  *   ai.ts       — /plan, /review, /roles, /agents, /plugins, /btw, /loop, /cybergotchi
  *   skills.ts   — /skill-create, /skill-delete, /skill-edit, /skill-search, /skill-install
  */

package/dist/commands/index.js

@@ -8,7 +8,7 @@
  *   session.ts  — /clear, /compact, /export, /history, /browse, /resume, /fork, /pin, /unpin
  *   git.ts      — /diff, /undo, /rewind, /commit, /log
  *   info.ts     — /help, /cost, /status, /config, /files, /model, /memory, /doctor, /context, /mcp, /init
- *   settings.ts — /theme, /companion, /fast, /keys, /effort, /sandbox, /permissions, /allowed-tools
+ *   settings.ts — /theme, /companion, /fast, /keys, /effort, /permissions, /allowed-tools
  *   ai.ts       — /plan, /review, /roles, /agents, /plugins, /btw, /loop, /cybergotchi
  *   skills.ts   — /skill-create, /skill-delete, /skill-edit, /skill-search, /skill-install
  */

package/dist/commands/info.js

@@ -10,7 +10,6 @@ import { estimateMessageTokens } from "../harness/context-warning.js";
 import { getContextWindow } from "../harness/cost.js";
 import { getHooks, invalidateHookCache } from "../harness/hooks.js";
 import { discoverPlugins, discoverSkills } from "../harness/plugins.js";
-import { invalidateSandboxCache } from "../harness/sandbox.js";
 import { formatTrace, listTracedSessions, loadTrace } from "../harness/traces.js";
 import { getVerificationConfig, invalidateVerificationCache } from "../harness/verification.js";
 import { normalizeMcpConfig } from "../mcp/config-normalize.js";
@@ -76,7 +75,6 @@ export function registerInfoCommands(register, getCommandMap) {
                 "fast",
                 "keys",
                 "effort",
-                "sandbox",
                 "permissions",
                 "allowed-tools",
                 "login",
@@ -752,13 +750,12 @@ export function registerInfoCommands(register, getCommandMap) {
         return { output: lines.join("\n"), handled: true };
     });
     register("reload-plugins", "Hot-reload plugins, skills, hooks, MCP servers and config without restarting the session.", async () => {
-        // Invalidate every cached source — config, hooks, sandbox, verification.
+        // Invalidate every cached source — config, hooks, verification.
         // Skills + plugins aren't cached (each discoverSkills/discoverPlugins call
         // reads fresh) but we still re-run them for the report so the user sees
         // a count consistent with the new on-disk state.
         invalidateConfigCache();
         invalidateHookCache();
-        invalidateSandboxCache();
         invalidateVerificationCache();
         // Tear down + reconnect MCP servers (the live connections aren't
         // cache-driven; they're long-lived sockets that need an explicit
@@ -780,7 +777,7 @@ export function registerInfoCommands(register, getCommandMap) {
         const mcpServers = connectedMcpServers().length;
         const lines = [
             "Hot reload complete:",
-            "  - config + hooks + sandbox + verification: caches invalidated",
+            "  - config + hooks + verification: caches invalidated",
             `  - hook events configured:       ${hookEvents}`,
             `  - MCP servers connected:        ${mcpServers}${mcpError ? ` (error: ${mcpError})` : ""}`,
             `  - MCP tools loaded:             ${mcpTools}`,

package/dist/commands/settings.d.ts

@@ -1,5 +1,5 @@
 /**
- * Settings commands — /theme, /companion, /fast, /keys, /keybindings, /effort, /sandbox, /permissions, /allowed-tools, /trust
+ * Settings commands — /theme, /companion, /fast, /keys, /keybindings, /effort, /permissions, /allowed-tools, /trust
  */
 import type { CommandHandler } from "./types.js";
 export declare function registerSettingsCommands(register: (name: string, description: string, handler: CommandHandler) => void): void;

package/dist/commands/settings.js

@@ -1,5 +1,5 @@
 /**
- * Settings commands — /theme, /companion, /fast, /keys, /keybindings, /effort, /sandbox, /permissions, /allowed-tools, /trust
+ * Settings commands — /theme, /companion, /fast, /keys, /keybindings, /effort, /permissions, /allowed-tools, /trust
  */
 import { spawn } from "node:child_process";
 import { existsSync, mkdirSync, writeFileSync } from "node:fs";
@@ -8,7 +8,6 @@ import { dirname, join } from "node:path";
 import { readApprovalLog } from "../harness/approvals.js";
 import { readOhConfig } from "../harness/config.js";
 import { loadKeybindings } from "../harness/keybindings.js";
-import { sandboxStatus } from "../harness/sandbox.js";
 import { isTrusted, listTrusted, trust } from "../harness/trust.js";
 const KEYBINDINGS_TEMPLATE = `[
   { "key": "ctrl+d", "action": "/diff" },
@@ -136,9 +135,6 @@ export function registerSettingsCommands(register) {
         }
         return { output: `Effort level set to: ${level}`, handled: true };
     });
-    register("sandbox", "Show sandbox status and restrictions", () => {
-        return { output: `${sandboxStatus()}\n\nConfigure in .oh/config.yaml under sandbox:`, handled: true };
-    });
     register("permissions", "View or change permission mode (or 'log' for approval history)", (args, ctx) => {
         const trimmed = args.trim();
         if (!trimmed) {

package/dist/harness/config.d.ts

@@ -208,14 +208,6 @@ export type OhConfig = {
         enabled?: boolean;
         endpoint?: string;
     };
-    /** Sandbox — filesystem and network restrictions */
-    sandbox?: {
-        enabled?: boolean;
-        allowedPaths?: string[];
-        allowedDomains?: string[];
-        blockNetwork?: boolean;
-        blockedCommands?: string[];
-    };
     /** Remote server security settings */
     remote?: {
         tokens?: string[];

package/dist/harness/project-purge.d.ts

@@ -0,0 +1,56 @@
+/**
+ * `oh project purge` core logic — extracted from the CLI command for testability.
+ *
+ * Deletes per-project openHarness state at a target directory:
+ *   1. The entire `.oh/` directory at that path (config, RULES.md, memory/,
+ *      skills/, agents/, output-styles/, plans/, checkpoints/, exports).
+ *   2. The workspace-trust entry for that path in `~/.oh/trusted-dirs.json`,
+ *      if present.
+ *
+ * What it does NOT touch (these are global-and-cross-project):
+ *   - `~/.oh/sessions/`              session transcripts (may span projects)
+ *   - `~/.oh/credentials.enc`        global API keys
+ *   - `~/.oh/memory/` (etc.)         global counterparts of project state
+ *   - `~/.oh/plugins/`, marketplaces installed plugins
+ *   - `~/.oh/telemetry/`, traces/    global observability data
+ *   - `~/.oh/approvals.log`          append-only audit log
+ *   - `~/.oh/keybindings.json`,
+ *     `~/.oh/config.yaml`            global config
+ *
+ * Mirrors Claude Code's `claude project purge` UX surface (--dry-run, --yes,
+ * default plan + confirm). `--all` and `--interactive` are deferred — openHarness
+ * has no project registry, so `--all` would need a session-cwd scan, and
+ * `--dry-run` already covers the spec for `--interactive`.
+ */
+export type PurgeEntry = {
+    /** Filesystem path that will be removed. */
+    path: string;
+    /** Human-readable label shown in the plan. */
+    label: string;
+    /** Cumulative size in bytes. 0 when the entry is metadata-only (e.g. a trust-store entry). */
+    bytes: number;
+    /** When false, this entry is reported but doesn't currently exist on disk. */
+    exists: boolean;
+    /** When true, removal is via JSON edit instead of `rmSync`. Used for the trust-store entry. */
+    jsonEdit?: boolean;
+};
+export type PurgePlan = {
+    projectPath: string;
+    entries: PurgeEntry[];
+    totalBytes: number;
+};
+/** Format bytes as a short human string (e.g. `1.2 MB`, `342 B`). */
+export declare function formatBytes(bytes: number): string;
+/**
+ * Build the list of things `purge` would delete, without touching the filesystem.
+ * Inspects the `.oh/` directory at `projectPath` and looks for a trust-store entry.
+ */
+export declare function planPurge(projectPath: string): PurgePlan;
+/** Render a plan as a multi-line string for display. */
+export declare function formatPurgePlan(plan: PurgePlan): string;
+/** Execute the plan. Returns the count of successfully removed entries and any errors. */
+export declare function executePurge(plan: PurgePlan): {
+    deleted: number;
+    errors: string[];
+};
+//# sourceMappingURL=project-purge.d.ts.map

package/dist/harness/project-purge.js

@@ -0,0 +1,198 @@
+/**
+ * `oh project purge` core logic — extracted from the CLI command for testability.
+ *
+ * Deletes per-project openHarness state at a target directory:
+ *   1. The entire `.oh/` directory at that path (config, RULES.md, memory/,
+ *      skills/, agents/, output-styles/, plans/, checkpoints/, exports).
+ *   2. The workspace-trust entry for that path in `~/.oh/trusted-dirs.json`,
+ *      if present.
+ *
+ * What it does NOT touch (these are global-and-cross-project):
+ *   - `~/.oh/sessions/`              session transcripts (may span projects)
+ *   - `~/.oh/credentials.enc`        global API keys
+ *   - `~/.oh/memory/` (etc.)         global counterparts of project state
+ *   - `~/.oh/plugins/`, marketplaces installed plugins
+ *   - `~/.oh/telemetry/`, traces/    global observability data
+ *   - `~/.oh/approvals.log`          append-only audit log
+ *   - `~/.oh/keybindings.json`,
+ *     `~/.oh/config.yaml`            global config
+ *
+ * Mirrors Claude Code's `claude project purge` UX surface (--dry-run, --yes,
+ * default plan + confirm). `--all` and `--interactive` are deferred — openHarness
+ * has no project registry, so `--all` would need a session-cwd scan, and
+ * `--dry-run` already covers the spec for `--interactive`.
+ */
+import { existsSync, readdirSync, readFileSync, rmSync, statSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join, resolve } from "node:path";
+/**
+ * Path to the workspace-trust file. Resolved per-call so `OH_TRUST_FILE`
+ * env-var overrides (used by tests) take effect without re-importing.
+ */
+function trustFilePath() {
+    return process.env.OH_TRUST_FILE ?? join(homedir(), ".oh", "trusted-dirs.json");
+}
+/** Walk a directory and return the cumulative size in bytes. Errors swallowed. */
+function dirSize(path) {
+    let total = 0;
+    try {
+        if (!existsSync(path))
+            return 0;
+        const stats = statSync(path);
+        if (stats.isFile())
+            return stats.size;
+        if (!stats.isDirectory())
+            return 0;
+        for (const entry of readdirSync(path)) {
+            total += dirSize(join(path, entry));
+        }
+    }
+    catch {
+        /* permission errors etc. — best-effort sizing */
+    }
+    return total;
+}
+/** Format bytes as a short human string (e.g. `1.2 MB`, `342 B`). */
+export function formatBytes(bytes) {
+    if (bytes < 1024)
+        return `${bytes} B`;
+    if (bytes < 1024 * 1024)
+        return `${(bytes / 1024).toFixed(1)} KB`;
+    if (bytes < 1024 * 1024 * 1024)
+        return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+    return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)} GB`;
+}
+/** Normalize a directory the same way `harness/trust.ts` does. Lowercase on Windows. */
+function normalizeForTrust(dir) {
+    const abs = resolve(dir);
+    return process.platform === "win32" ? abs.toLowerCase() : abs;
+}
+/**
+ * Build the list of things `purge` would delete, without touching the filesystem.
+ * Inspects the `.oh/` directory at `projectPath` and looks for a trust-store entry.
+ */
+export function planPurge(projectPath) {
+    const project = resolve(projectPath);
+    const ohDir = join(project, ".oh");
+    const entries = [];
+    if (existsSync(ohDir)) {
+        // Group sub-paths so the plan is informative without listing every file.
+        const knownChildren = [
+            { rel: "config.yaml", label: "Project config (config.yaml)" },
+            { rel: "RULES.md", label: "Project rules (RULES.md)" },
+            { rel: "memory", label: "Memories (.oh/memory/)" },
+            { rel: "skills", label: "Skills (.oh/skills/)" },
+            { rel: "agents", label: "Agent roles (.oh/agents/)" },
+            { rel: "output-styles", label: "Output styles (.oh/output-styles/)" },
+            { rel: "plans", label: "Plans (.oh/plans/)" },
+            { rel: "checkpoints", label: "Checkpoints (.oh/checkpoints/)" },
+        ];
+        for (const child of knownChildren) {
+            const path = join(ohDir, child.rel);
+            if (existsSync(path)) {
+                entries.push({ path, label: child.label, bytes: dirSize(path), exists: true });
+            }
+        }
+        // Anything else under .oh/ that we didn't enumerate (export-*, etc.).
+        try {
+            const explicit = new Set(knownChildren.map((c) => c.rel));
+            for (const name of readdirSync(ohDir)) {
+                if (explicit.has(name))
+                    continue;
+                const path = join(ohDir, name);
+                entries.push({
+                    path,
+                    label: `Other .oh/ entry (${name})`,
+                    bytes: dirSize(path),
+                    exists: true,
+                });
+            }
+        }
+        catch {
+            /* directory unreadable — caught later when we try to remove */
+        }
+        // Finally, add the .oh dir itself so it's removed after children are reported.
+        entries.push({ path: ohDir, label: ".oh/ directory", bytes: 0, exists: true });
+    }
+    // Workspace-trust entry, if any.
+    const trustFile = trustFilePath();
+    if (existsSync(trustFile)) {
+        try {
+            const raw = readFileSync(trustFile, "utf8");
+            const parsed = JSON.parse(raw);
+            if (Array.isArray(parsed.trusted)) {
+                const target = normalizeForTrust(project);
+                const isTrusted = parsed.trusted.some((p) => typeof p === "string" && normalizeForTrust(p) === target);
+                if (isTrusted) {
+                    entries.push({
+                        path: trustFile,
+                        label: "Workspace-trust entry (~/.oh/trusted-dirs.json)",
+                        bytes: 0,
+                        exists: true,
+                        jsonEdit: true,
+                    });
+                }
+            }
+        }
+        catch {
+            /* malformed trust file — nothing to remove */
+        }
+    }
+    const totalBytes = entries.reduce((sum, e) => sum + e.bytes, 0);
+    return { projectPath: project, entries, totalBytes };
+}
+/** Render a plan as a multi-line string for display. */
+export function formatPurgePlan(plan) {
+    const lines = [];
+    lines.push(`Purge plan for ${plan.projectPath}`);
+    lines.push("");
+    if (plan.entries.length === 0) {
+        lines.push("  (nothing to delete — no .oh/ directory and no trust entry)");
+        return lines.join("\n");
+    }
+    for (const entry of plan.entries) {
+        const size = entry.bytes > 0 ? `  [${formatBytes(entry.bytes)}]` : "";
+        lines.push(`  - ${entry.label}${size}`);
+    }
+    lines.push("");
+    lines.push(`Total: ${plan.entries.length} target(s), ${formatBytes(plan.totalBytes)}`);
+    lines.push("");
+    lines.push("Not touched (global state): ~/.oh/sessions/, credentials, plugins,");
+    lines.push("  telemetry, traces, approvals.log, keybindings, global config.");
+    return lines.join("\n");
+}
+/** Execute the plan. Returns the count of successfully removed entries and any errors. */
+export function executePurge(plan) {
+    let deleted = 0;
+    const errors = [];
+    for (const entry of plan.entries) {
+        if (entry.jsonEdit) {
+            // Trust entry — JSON edit, not file delete.
+            try {
+                const raw = readFileSync(entry.path, "utf8");
+                const parsed = JSON.parse(raw);
+                if (Array.isArray(parsed.trusted)) {
+                    const target = normalizeForTrust(plan.projectPath);
+                    const filtered = parsed.trusted.filter((p) => typeof p === "string" && normalizeForTrust(p) !== target);
+                    writeFileSync(entry.path, JSON.stringify({ trusted: filtered }, null, 2));
+                    deleted++;
+                }
+            }
+            catch (err) {
+                errors.push(`${entry.label}: ${err instanceof Error ? err.message : String(err)}`);
+            }
+            continue;
+        }
+        try {
+            if (existsSync(entry.path)) {
+                rmSync(entry.path, { recursive: true, force: true });
+                deleted++;
+            }
+        }
+        catch (err) {
+            errors.push(`${entry.label}: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    return { deleted, errors };
+}
+//# sourceMappingURL=project-purge.js.map

package/dist/main.js

@@ -1111,6 +1111,62 @@ program
     .action(async () => {
     await runInitWizard({ exitOnDone: true });
 });
+// ── project — per-project state management ──
+//
+// `oh project purge [path]` — delete all openHarness state for a project
+//
+// Mirrors Claude Code's `claude project purge`. Removes the entire `.oh/`
+// directory at the target path plus the workspace-trust entry (if any).
+// Sessions, credentials, plugins, telemetry, traces, and global config are
+// NOT touched — they're global-and-cross-project. Default UX prints the
+// deletion plan and asks for confirmation; --dry-run previews; --yes skips
+// the prompt. `--all` is deferred (openHarness has no project registry, so
+// "all projects" isn't well-defined without a session-cwd scan).
+const projectCmd = program.command("project").description("Manage per-project openHarness state");
+projectCmd
+    .command("purge [path]")
+    .description("Delete all openHarness state for a project (config, rules, memory, skills, agents, plans, checkpoints, trust entry). Sessions, credentials, plugins, telemetry, and global config are NOT touched. Defaults to the current directory.")
+    .option("--dry-run", "Preview what would be deleted without touching the filesystem")
+    .option("-y, --yes", "Skip the confirmation prompt")
+    .action(async (pathArg, opts) => {
+    const { planPurge, formatPurgePlan, executePurge } = await import("./harness/project-purge.js");
+    const target = pathArg ?? process.cwd();
+    if (!existsSync(target)) {
+        process.stderr.write(`Error: path does not exist: ${target}\n`);
+        process.exit(1);
+    }
+    const plan = planPurge(target);
+    console.log(formatPurgePlan(plan));
+    if (plan.entries.length === 0) {
+        return;
+    }
+    if (opts.dryRun) {
+        console.log("\n(dry-run — no files were deleted)");
+        return;
+    }
+    if (!opts.yes) {
+        const readline = await import("node:readline/promises");
+        const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+        try {
+            const answer = (await rl.question("\nProceed with deletion? [y/N] ")).trim();
+            if (!/^y(es)?$/i.test(answer)) {
+                console.log("Aborted.");
+                return;
+            }
+        }
+        finally {
+            rl.close();
+        }
+    }
+    const result = executePurge(plan);
+    console.log(`\nDeleted ${result.deleted} of ${plan.entries.length} target(s).`);
+    if (result.errors.length > 0) {
+        console.log(`${result.errors.length} error(s):`);
+        for (const err of result.errors)
+            console.log(`  ⚠ ${err}`);
+        process.exit(1);
+    }
+});
 // ── auth (audit B6) — provider-agnostic credential management ──
 //
 // `oh auth login [provider] --key <value>`  — set API key for a provider

package/dist/tools/FileReadTool/index.js

@@ -59,10 +59,9 @@ export const FileReadTool = {
                 return { output: `Error: ${filePath} is a directory, not a file.`, isError: true };
             }
             const ext = path.extname(filePath).toLowerCase();
-            // Image files: return as base64
+            // Image files: return as base64 (auto-downscaled if oversized)
             if (IMAGE_EXTENSIONS.has(ext)) {
-                const buffer = await fs.readFile(filePath);
-                const base64 = buffer.toString("base64");
+                const raw = await fs.readFile(filePath);
                 const mimeTypes = {
                     ".png": "image/png",
                     ".jpg": "image/jpeg",
@@ -72,7 +71,11 @@ export const FileReadTool = {
                     ".bmp": "image/bmp",
                     ".svg": "image/svg+xml",
                 };
-                return { output: `__IMAGE__:${mimeTypes[ext] ?? "image/png"}:${base64}`, isError: false };
+                const mediaType = mimeTypes[ext] ?? "image/png";
+                const { downscaleIfLarge } = await import("../../utils/image-downscale.js");
+                const { buffer } = await downscaleIfLarge(raw, mediaType);
+                const base64 = buffer.toString("base64");
+                return { output: `__IMAGE__:${mediaType}:${base64}`, isError: false };
             }
             // PDF files: extract text per page (basic extraction)
             if (ext === ".pdf") {

package/dist/tools/ImageReadTool/index.js

@@ -1,6 +1,7 @@
 import * as fs from "node:fs/promises";
 import * as path from "node:path";
 import { z } from "zod";
+import { downscaleIfLarge } from "../../utils/image-downscale.js";
 const SUPPORTED_TYPES = {
     ".png": "image/png",
     ".jpg": "image/jpeg",
@@ -37,7 +38,11 @@ export const ImageReadTool = {
             };
         }
         try {
-            const buffer = await fs.readFile(filePath);
+            const raw = await fs.readFile(filePath);
+            // Auto-downscale to ≤2000px on the longest dimension. PDFs and
+            // missing-sharp installs pass through unchanged. Aspect + format
+            // preserved by sharp.
+            const { buffer } = await downscaleIfLarge(raw, mediaType);
             const base64 = buffer.toString("base64");
             return {
                 output: `${IMAGE_PREFIX}:${mediaType}:${base64}`,

package/dist/utils/image-downscale.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Image auto-downscale — bound the longest dimension to a fixed maximum
+ * before encoding the image as base64 for the model.
+ *
+ * Why: most providers reject or downsample images above ~1568-2048px on
+ * the longest side. Shipping a 4000px screenshot wastes input tokens, can
+ * exceed the request size limit, and historically broke the session
+ * outright when an oversized image landed in the conversation history.
+ *
+ * The function is a no-op for images already within bounds, for formats
+ * sharp doesn't process (PDF, SVG), and when sharp itself isn't installed
+ * (it's an `optionalDependency` so unsupported platforms still install).
+ * Any sharp error returns the original buffer unchanged — we never break a
+ * tool call over a downscale failure.
+ */
+/** @internal Test-only reset of the lazy sharp cache. */
+export declare function _resetSharpCacheForTest(): void;
+export type DownscaleResult = {
+    /** The (possibly resized) buffer to encode. */
+    buffer: Buffer;
+    /** True if a resize actually happened; false for passthrough. */
+    downscaled: boolean;
+    /** Set when sharp wasn't available — caller may want to surface a one-time hint. */
+    reason?: "sharp-unavailable" | "unsupported-format" | "within-bounds" | "sharp-error";
+};
+/**
+ * Downscale `buffer` so its longest dimension is ≤ `maxDimension` (default 2000).
+ * Aspect ratio preserved. Format preserved (PNG stays PNG, JPEG stays JPEG, etc.).
+ *
+ * Pure pass-through for: PDF, SVG, BMP (sharp doesn't handle reliably),
+ * already-small images, missing sharp, and any sharp error.
+ */
+export declare function downscaleIfLarge(buffer: Buffer, mediaType: string, maxDimension?: number): Promise<DownscaleResult>;
+//# sourceMappingURL=image-downscale.d.ts.map

package/dist/utils/image-downscale.js

@@ -0,0 +1,89 @@
+/**
+ * Image auto-downscale — bound the longest dimension to a fixed maximum
+ * before encoding the image as base64 for the model.
+ *
+ * Why: most providers reject or downsample images above ~1568-2048px on
+ * the longest side. Shipping a 4000px screenshot wastes input tokens, can
+ * exceed the request size limit, and historically broke the session
+ * outright when an oversized image landed in the conversation history.
+ *
+ * The function is a no-op for images already within bounds, for formats
+ * sharp doesn't process (PDF, SVG), and when sharp itself isn't installed
+ * (it's an `optionalDependency` so unsupported platforms still install).
+ * Any sharp error returns the original buffer unchanged — we never break a
+ * tool call over a downscale failure.
+ */
+const DEFAULT_MAX_DIMENSION = 2000;
+const SHARP_SUPPORTED_TYPES = new Set([
+    "image/png",
+    "image/jpeg",
+    "image/jpg",
+    "image/gif",
+    "image/webp",
+    "image/avif",
+    "image/tiff",
+]);
+let _sharpModule;
+/** Lazy-load sharp; cache the result so we don't pay the import cost per image. */
+async function getSharp() {
+    if (_sharpModule !== undefined)
+        return _sharpModule;
+    try {
+        const mod = (await import("sharp"));
+        _sharpModule = (mod.default ?? mod);
+        return _sharpModule;
+    }
+    catch {
+        _sharpModule = null;
+        return null;
+    }
+}
+/** @internal Test-only reset of the lazy sharp cache. */
+export function _resetSharpCacheForTest() {
+    _sharpModule = undefined;
+}
+/**
+ * Downscale `buffer` so its longest dimension is ≤ `maxDimension` (default 2000).
+ * Aspect ratio preserved. Format preserved (PNG stays PNG, JPEG stays JPEG, etc.).
+ *
+ * Pure pass-through for: PDF, SVG, BMP (sharp doesn't handle reliably),
+ * already-small images, missing sharp, and any sharp error.
+ */
+export async function downscaleIfLarge(buffer, mediaType, maxDimension = DEFAULT_MAX_DIMENSION) {
+    if (!SHARP_SUPPORTED_TYPES.has(mediaType)) {
+        return { buffer, downscaled: false, reason: "unsupported-format" };
+    }
+    const sharp = await getSharp();
+    if (!sharp) {
+        return { buffer, downscaled: false, reason: "sharp-unavailable" };
+    }
+    try {
+        const pipeline = sharp(buffer);
+        const meta = await pipeline.metadata();
+        const w = meta.width ?? 0;
+        const h = meta.height ?? 0;
+        if (w === 0 || h === 0) {
+            // Animated GIFs can report 0 here; pass through rather than mangle.
+            return { buffer, downscaled: false, reason: "unsupported-format" };
+        }
+        if (Math.max(w, h) <= maxDimension) {
+            return { buffer, downscaled: false, reason: "within-bounds" };
+        }
+        // `fit: "inside"` + `withoutEnlargement: true` resizes proportionally
+        // so the longest side equals maxDimension, with no upscaling.
+        const out = await pipeline
+            .resize({
+            width: maxDimension,
+            height: maxDimension,
+            fit: "inside",
+            withoutEnlargement: true,
+        })
+            .toBuffer();
+        return { buffer: out, downscaled: true };
+    }
+    catch {
+        // Corrupt image, unsupported subformat, etc. — never fail the tool over this.
+        return { buffer, downscaled: false, reason: "sharp-error" };
+    }
+}
+//# sourceMappingURL=image-downscale.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zhijiewang/openharness",
-  "version": "2.30.1",
+  "version": "2.31.0",
   "description": "Open-source terminal coding agent. Works with any LLM.",
   "type": "module",
   "bin": {
@@ -63,7 +63,6 @@
     "@types/react": "^18.3.0",
     "c8": "^11.0.0",
     "husky": "^9.1.7",
-    "sharp": "^0.34.5",
     "tsx": "^4.19.0",
     "typescript": "^5.8.0"
   },
@@ -92,6 +91,7 @@
   },
   "homepage": "https://github.com/zhijiewong/openharness#readme",
   "optionalDependencies": {
-    "@napi-rs/keyring": "^1.2.0"
+    "@napi-rs/keyring": "^1.2.0",
+    "sharp": "^0.34.5"
   }
 }

package/dist/harness/sandbox.d.ts

@@ -1,34 +0,0 @@
-/**
- * Sandbox — filesystem and network restrictions for tool execution.
- *
- * Limits what tools can access:
- * - File tools: only write to allowed paths
- * - Web tools: only access allowed domains
- * - Bash: restricted commands (no curl/wget by default)
- *
- * Reduces permission prompts while maintaining security.
- */
-export type SandboxConfig = {
-    enabled: boolean;
-    /** Paths tools can write to (glob-style, relative to cwd) */
-    allowedPaths: string[];
-    /** Domains WebFetch/WebSearch can access */
-    allowedDomains: string[];
-    /** Block all network access */
-    blockNetwork: boolean;
-    /** Commands blocked in Bash (default: curl, wget) */
-    blockedCommands: string[];
-};
-/** Get the current sandbox config */
-export declare function getSandboxConfig(): SandboxConfig;
-/** Reset cached config */
-export declare function invalidateSandboxCache(): void;
-/** Check if a file path is allowed for writing */
-export declare function isPathAllowed(filePath: string): boolean;
-/** Check if a domain is allowed for network access */
-export declare function isDomainAllowed(url: string): boolean;
-/** Check if a bash command is allowed */
-export declare function isCommandAllowed(command: string): boolean;
-/** Get a human-readable sandbox status */
-export declare function sandboxStatus(): string;
-//# sourceMappingURL=sandbox.d.ts.map

package/dist/harness/sandbox.js

@@ -1,104 +0,0 @@
-/**
- * Sandbox — filesystem and network restrictions for tool execution.
- *
- * Limits what tools can access:
- * - File tools: only write to allowed paths
- * - Web tools: only access allowed domains
- * - Bash: restricted commands (no curl/wget by default)
- *
- * Reduces permission prompts while maintaining security.
- */
-import { relative, resolve } from "node:path";
-import { readOhConfig } from "./config.js";
-const DEFAULT_SANDBOX = {
-    enabled: false,
-    allowedPaths: ["."], // current directory
-    allowedDomains: [], // empty = all allowed
-    blockNetwork: false,
-    blockedCommands: ["curl", "wget"],
-};
-// ── Sandbox Manager ──
-let _config = null;
-/** Get the current sandbox config */
-export function getSandboxConfig() {
-    if (_config)
-        return _config;
-    const ohConfig = readOhConfig();
-    if (ohConfig?.sandbox) {
-        _config = {
-            ...DEFAULT_SANDBOX,
-            ...ohConfig.sandbox,
-        };
-    }
-    else {
-        _config = DEFAULT_SANDBOX;
-    }
-    return _config;
-}
-/** Reset cached config */
-export function invalidateSandboxCache() {
-    _config = null;
-}
-/** Check if a file path is allowed for writing */
-export function isPathAllowed(filePath) {
-    const config = getSandboxConfig();
-    if (!config.enabled)
-        return true;
-    const resolved = resolve(filePath);
-    const cwd = process.cwd();
-    for (const allowed of config.allowedPaths) {
-        const allowedResolved = resolve(cwd, allowed);
-        // Check if the file is within the allowed directory
-        const rel = relative(allowedResolved, resolved);
-        if (!rel.startsWith("..") && !rel.startsWith("/"))
-            return true;
-    }
-    return false;
-}
-/** Check if a domain is allowed for network access */
-export function isDomainAllowed(url) {
-    const config = getSandboxConfig();
-    if (!config.enabled)
-        return true;
-    if (config.blockNetwork)
-        return false;
-    if (config.allowedDomains.length === 0)
-        return true;
-    try {
-        const hostname = new URL(url).hostname.toLowerCase();
-        return config.allowedDomains.some((d) => hostname === d.toLowerCase() || hostname.endsWith(`.${d.toLowerCase()}`));
-    }
-    catch {
-        return false;
-    }
-}
-/** Check if a bash command is allowed */
-export function isCommandAllowed(command) {
-    const config = getSandboxConfig();
-    if (!config.enabled)
-        return true;
-    const firstWord = command.trim().split(/\s+/)[0]?.toLowerCase() ?? "";
-    return !config.blockedCommands.includes(firstWord);
-}
-/** Get a human-readable sandbox status */
-export function sandboxStatus() {
-    const config = getSandboxConfig();
-    if (!config.enabled)
-        return "Sandbox: disabled";
-    const lines = ["Sandbox: enabled"];
-    lines.push(`  Allowed paths: ${config.allowedPaths.join(", ") || "none"}`);
-    if (config.blockNetwork) {
-        lines.push("  Network: blocked");
-    }
-    else if (config.allowedDomains.length > 0) {
-        lines.push(`  Allowed domains: ${config.allowedDomains.join(", ")}`);
-    }
-    else {
-        lines.push("  Network: unrestricted");
-    }
-    if (config.blockedCommands.length > 0) {
-        lines.push(`  Blocked commands: ${config.blockedCommands.join(", ")}`);
-    }
-    return lines.join("\n");
-}
-//# sourceMappingURL=sandbox.js.map