agdi 2.2.0 → 2.2.1

package/dist/index.js

@@ -2,7 +2,7 @@
 
 // src/index.ts
 import { Command } from "commander";
-import chalk9 from "chalk";
+import chalk12 from "chalk";
 import ora4 from "ora";
 
 // src/core/llm/index.ts
@@ -1020,7 +1020,7 @@ async function runProject(targetDir) {
   if (!fs3.existsSync(nodeModulesPath)) {
     console.log(chalk6.yellow("\u{1F4E6} Installing dependencies...\n"));
     const installSpinner = ora2("Running npm install...").start();
-    await new Promise((resolve, reject) => {
+    await new Promise((resolve5, reject) => {
       const install = spawn("npm", ["install"], {
         cwd: absoluteDir,
         stdio: "inherit",
@@ -1029,7 +1029,7 @@ async function runProject(targetDir) {
       install.on("close", (code) => {
         if (code === 0) {
           installSpinner.succeed("Dependencies installed!");
-          resolve();
+          resolve5();
         } else {
           installSpinner.fail("npm install failed");
           reject(new Error(`npm install exited with code ${code}`));
@@ -1272,16 +1272,1475 @@ async function selectModel() {
 
 // src/commands/codex.ts
 import { input as input4 } from "@inquirer/prompts";
-import chalk8 from "chalk";
+import chalk11 from "chalk";
 import ora3 from "ora";
-var SYSTEM_PROMPT3 = `You are Agdi dev, an elite AI coding assistant. You help developers write code, debug issues, and build applications.
+
+// src/actions/plan-executor.ts
+import { select as select4, confirm } from "@inquirer/prompts";
+import chalk10 from "chalk";
+import { spawn as spawn2 } from "child_process";
+import { resolve as resolve4 } from "path";
+
+// src/actions/types.ts
+function summarizePlan(plan) {
+  let filesCreated = 0;
+  let filesDeleted = 0;
+  let dirsCreated = 0;
+  let commandsToRun = 0;
+  const domains = [];
+  const ports = [];
+  let maxRiskTier = 0;
+  for (const action of plan.actions) {
+    switch (action.type) {
+      case "mkdir":
+        dirsCreated++;
+        maxRiskTier = Math.max(maxRiskTier, 1);
+        break;
+      case "writeFile":
+        filesCreated++;
+        maxRiskTier = Math.max(maxRiskTier, 1);
+        break;
+      case "deleteFile":
+        filesDeleted++;
+        maxRiskTier = Math.max(maxRiskTier, 1);
+        break;
+      case "exec":
+        commandsToRun++;
+        if (["npm", "yarn", "pnpm", "pip"].includes(action.argv[0])) {
+          maxRiskTier = Math.max(maxRiskTier, 2);
+          if (["npm", "yarn", "pnpm"].includes(action.argv[0])) {
+            domains.push("registry.npmjs.org");
+          }
+          if (action.argv[0] === "pip") {
+            domains.push("pypi.org");
+          }
+        }
+        if (action.argv.includes("dev") || action.argv.includes("start")) {
+          ports.push(3e3);
+        }
+        break;
+    }
+  }
+  return {
+    filesCreated,
+    filesDeleted,
+    dirsCreated,
+    commandsToRun,
+    domains: [...new Set(domains)],
+    ports: [...new Set(ports)],
+    riskTier: maxRiskTier
+  };
+}
+function parseActionPlan(response) {
+  try {
+    const jsonMatch = response.match(/\{[\s\S]*"actions"[\s\S]*\}/);
+    if (!jsonMatch) {
+      return null;
+    }
+    const parsed = JSON.parse(jsonMatch[0]);
+    if (!parsed.actions || !Array.isArray(parsed.actions)) {
+      return null;
+    }
+    return {
+      projectName: parsed.projectName || "generated-app",
+      actions: parsed.actions,
+      nextSteps: parsed.nextSteps
+    };
+  } catch {
+    return null;
+  }
+}
+
+// src/actions/fs-tools.ts
+import { mkdir, writeFile, rm, readFile } from "fs/promises";
+import { existsSync as existsSync3 } from "fs";
+import { resolve, dirname, relative, isAbsolute } from "path";
+
+// src/security/execution-env.ts
+import chalk8 from "chalk";
+import { platform, cwd as processCwd } from "os";
+import { existsSync, readFileSync } from "fs";
+function detectWSL() {
+  if (platform() !== "linux") return false;
+  try {
+    if (process.env.WSL_DISTRO_NAME || process.env.WSLENV) {
+      return true;
+    }
+    if (existsSync("/proc/version")) {
+      const version = readFileSync("/proc/version", "utf-8");
+      return version.toLowerCase().includes("microsoft");
+    }
+  } catch {
+  }
+  return false;
+}
+function detectContainer() {
+  try {
+    if (existsSync("/.dockerenv")) {
+      return true;
+    }
+    if (existsSync("/proc/1/cgroup")) {
+      const cgroup = readFileSync("/proc/1/cgroup", "utf-8");
+      if (cgroup.includes("docker") || cgroup.includes("lxc") || cgroup.includes("kubepods")) {
+        return true;
+      }
+    }
+    if (process.env.KUBERNETES_SERVICE_HOST) {
+      return true;
+    }
+  } catch {
+  }
+  return false;
+}
+function detectBackend() {
+  const os2 = platform();
+  if (detectContainer()) {
+    return "container";
+  }
+  if (detectWSL()) {
+    return "wsl";
+  }
+  switch (os2) {
+    case "win32":
+      return "windows-host";
+    case "linux":
+      return "linux-host";
+    case "darwin":
+      return "macos-host";
+    default:
+      return "linux-host";
+  }
+}
+function getWorkspaceRoot() {
+  return processCwd();
+}
+function detectEnvironment(overrides) {
+  const os2 = platform() === "win32" ? "windows" : platform() === "darwin" ? "darwin" : "linux";
+  const backend = detectBackend();
+  const workspaceRoot = getWorkspaceRoot();
+  return {
+    os: os2,
+    backend,
+    workspaceRoot,
+    cwd: workspaceRoot,
+    // Start cwd at workspace root
+    networkPolicy: "off",
+    // Default: network off
+    allowedDomains: [
+      "registry.npmjs.org",
+      "pypi.org",
+      "github.com",
+      "api.github.com"
+    ],
+    trustLevel: "untrusted",
+    // Default: untrusted
+    isContainer: backend === "container",
+    isWSL: backend === "wsl",
+    ...overrides
+  };
+}
+function formatBackend(backend) {
+  switch (backend) {
+    case "windows-host":
+      return "Windows host";
+    case "linux-host":
+      return "Linux host";
+    case "macos-host":
+      return "macOS host";
+    case "wsl":
+      return "WSL (Windows Subsystem for Linux)";
+    case "container":
+      return "Container sandbox";
+  }
+}
+function formatNetwork(policy, domains) {
+  switch (policy) {
+    case "off":
+      return "off";
+    case "allowlist":
+      return `allowlist (${domains.slice(0, 2).join(", ")}${domains.length > 2 ? "..." : ""})`;
+    case "on":
+      return "unrestricted";
+  }
+}
+function formatTrust(trust) {
+  switch (trust) {
+    case "untrusted":
+      return chalk8.red("untrusted (read-only mode)");
+    case "session":
+      return chalk8.yellow("session trusted");
+    case "persistent":
+      return chalk8.green("trusted");
+  }
+}
+function displaySessionHeader(env) {
+  const boxWidth = 54;
+  const topBorder = "\u256D\u2500 Agdi Terminal Session " + "\u2500".repeat(boxWidth - 25) + "\u256E";
+  const bottomBorder = "\u2570" + "\u2500".repeat(boxWidth) + "\u256F";
+  const lines = [
+    `Exec env:  ${formatBackend(env.backend)}`,
+    `Workspace: ${truncatePath(env.workspaceRoot, 40)}`,
+    `cwd:       ${truncatePath(env.cwd, 40)}`,
+    `Network:   ${formatNetwork(env.networkPolicy, env.allowedDomains)}`,
+    `Trust:     ${formatTrust(env.trustLevel)}`
+  ];
+  console.log(chalk8.cyan(topBorder));
+  for (const line of lines) {
+    const padding = " ".repeat(Math.max(0, boxWidth - stripAnsi(line).length - 2));
+    console.log(chalk8.cyan("\u2502 ") + line + padding + chalk8.cyan(" \u2502"));
+  }
+  console.log(chalk8.cyan(bottomBorder));
+  console.log("");
+}
+function truncatePath(path4, maxLen) {
+  if (path4.length <= maxLen) return path4;
+  return "..." + path4.slice(-(maxLen - 3));
+}
+function stripAnsi(str) {
+  return str.replace(/\u001b\[[0-9;]*m/g, "");
+}
+var currentEnvironment = null;
+function initSession(overrides) {
+  currentEnvironment = detectEnvironment(overrides);
+  return currentEnvironment;
+}
+function getEnvironment() {
+  if (!currentEnvironment) {
+    return initSession();
+  }
+  return currentEnvironment;
+}
+function updateEnvironment(updates) {
+  currentEnvironment = { ...getEnvironment(), ...updates };
+  return currentEnvironment;
+}
+
+// src/security/audit-logger.ts
+import { existsSync as existsSync2, appendFileSync, readFileSync as readFileSync2, mkdirSync, writeFileSync } from "fs";
+import { join } from "path";
+import { homedir as homedir2 } from "os";
+var LOG_DIR = join(homedir2(), ".agdi");
+var LOG_FILE = join(LOG_DIR, "audit.jsonl");
+var MAX_OUTPUT_LENGTH = 1e3;
+var currentSessionId = null;
+function generateSessionId() {
+  return `${Date.now()}-${Math.random().toString(36).substring(2, 8)}`;
+}
+function getSessionId() {
+  if (!currentSessionId) {
+    currentSessionId = generateSessionId();
+  }
+  return currentSessionId;
+}
+function ensureLogDir() {
+  if (!existsSync2(LOG_DIR)) {
+    mkdirSync(LOG_DIR, { recursive: true });
+  }
+}
+function truncateOutput(output) {
+  if (!output) return output;
+  if (output.length <= MAX_OUTPUT_LENGTH) return output;
+  return output.substring(0, MAX_OUTPUT_LENGTH) + `... (truncated, ${output.length} total chars)`;
+}
+function logEvent(event) {
+  ensureLogDir();
+  const fullEvent = {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    sessionId: getSessionId(),
+    ...event
+  };
+  if (fullEvent.result?.output) {
+    fullEvent.result.output = truncateOutput(fullEvent.result.output);
+  }
+  try {
+    appendFileSync(LOG_FILE, JSON.stringify(fullEvent) + "\n");
+  } catch (error) {
+    console.error("Failed to write audit log:", error);
+  }
+}
+function logSessionStart(workspacePath, trustLevel) {
+  currentSessionId = generateSessionId();
+  logEvent({
+    eventType: "session_start",
+    metadata: {
+      workspacePath,
+      trustLevel,
+      platform: process.platform,
+      nodeVersion: process.version
+    }
+  });
+}
+function logSessionEnd() {
+  logEvent({
+    eventType: "session_end"
+  });
+}
+
+// src/actions/fs-tools.ts
+function isWithinWorkspace(p, workspaceRoot) {
+  const resolved = resolve(workspaceRoot, p);
+  const root = resolve(workspaceRoot);
+  const rel = relative(root, resolved);
+  return rel === "" || !rel.startsWith("..") && !isAbsolute(rel);
+}
+function validatePath(path4) {
+  const env = getEnvironment();
+  const resolved = resolve(env.workspaceRoot, path4);
+  if (!isWithinWorkspace(path4, env.workspaceRoot)) {
+    return {
+      valid: false,
+      resolved,
+      error: `Path outside workspace: ${path4}`
+    };
+  }
+  return { valid: true, resolved };
+}
+async function mkdirTool(path4) {
+  const validation = validatePath(path4);
+  if (!validation.valid) {
+    return { success: false, error: validation.error };
+  }
+  try {
+    await mkdir(validation.resolved, { recursive: true });
+    logEvent({
+      eventType: "command_result",
+      command: `mkdir ${path4}`,
+      result: { exitCode: 0 },
+      metadata: { tool: "mkdirTool", path: validation.resolved }
+    });
+    return { success: true };
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    return { success: false, error: msg };
+  }
+}
+async function writeFileTool(path4, content) {
+  const validation = validatePath(path4);
+  if (!validation.valid) {
+    return { success: false, error: validation.error };
+  }
+  try {
+    const dir = dirname(validation.resolved);
+    await mkdir(dir, { recursive: true });
+    await writeFile(validation.resolved, content, "utf-8");
+    logEvent({
+      eventType: "command_result",
+      command: `writeFile ${path4}`,
+      result: { exitCode: 0 },
+      metadata: {
+        tool: "writeFileTool",
+        path: validation.resolved,
+        contentLength: content.length
+      }
+    });
+    return { success: true };
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    return { success: false, error: msg };
+  }
+}
+async function deleteFileTool(path4) {
+  const validation = validatePath(path4);
+  if (!validation.valid) {
+    return { success: false, error: validation.error };
+  }
+  try {
+    if (!existsSync3(validation.resolved)) {
+      return { success: true };
+    }
+    await rm(validation.resolved);
+    logEvent({
+      eventType: "command_result",
+      command: `deleteFile ${path4}`,
+      result: { exitCode: 0 },
+      metadata: { tool: "deleteFileTool", path: validation.resolved }
+    });
+    return { success: true };
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    return { success: false, error: msg };
+  }
+}
+
+// src/security/permission-gate.ts
+import { resolve as resolve2, relative as relative2, isAbsolute as isAbsolute2 } from "path";
+
+// src/security/argv-parser.ts
+var WINDOWS_FLAG_PATTERNS = [
+  // Single letter flags: /i, /s, /r, /q, etc.
+  /^\/[aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ]$/,
+  // Numbered flags: /1, /2, etc.
+  /^\/[0-9]+$/,
+  // Common multi-char flags
+  /^\/(?:all|help|version|quiet|verbose|force|recursive)$/i,
+  // findstr flags
+  /^\/(?:b|e|l|r|s|i|x|v|n|m|o|p|offline|c|g|f|d|a)$/i,
+  // xcopy/robocopy flags
+  /^\/(?:e|s|h|k|y|q|f|l|c|v|w|d|u|m|a|t|n|o|x|exclude|copy|move|purge)$/i,
+  // dir flags
+  /^\/(?:a|b|c|d|l|n|o|p|q|r|s|t|w|x|4)$/i
+];
+var TOOL_ARG_SCHEMAS = {
+  findstr: { flags: [], notPaths: [] },
+  // All /x args are flags
+  xcopy: { flags: [], notPaths: [] },
+  robocopy: { flags: [], notPaths: [] },
+  dir: { flags: [], notPaths: [] },
+  find: { flags: [], notPaths: [0] },
+  // First arg is search string
+  grep: { flags: [], notPaths: [0] },
+  // First arg is pattern
+  sed: { flags: [], notPaths: [0] },
+  // First arg is expression
+  awk: { flags: [], notPaths: [0] }
+  // First arg is program
+};
+function parseArgv(command) {
+  const argv = [];
+  let current = "";
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let escaped = false;
+  for (let i = 0; i < command.length; i++) {
+    const char = command[i];
+    if (escaped) {
+      current += char;
+      escaped = false;
+      continue;
+    }
+    if (char === "\\" && !inSingleQuote) {
+      escaped = true;
+      continue;
+    }
+    if (char === "'" && !inDoubleQuote) {
+      inSingleQuote = !inSingleQuote;
+      continue;
+    }
+    if (char === '"' && !inSingleQuote) {
+      inDoubleQuote = !inDoubleQuote;
+      continue;
+    }
+    if ((char === " " || char === "	") && !inSingleQuote && !inDoubleQuote) {
+      if (current) {
+        argv.push(current);
+        current = "";
+      }
+      continue;
+    }
+    current += char;
+  }
+  if (current) {
+    argv.push(current);
+  }
+  return {
+    argv,
+    command: argv[0] || "",
+    args: argv.slice(1),
+    rawCommand: command
+  };
+}
+function isWindowsFlag(token, commandName) {
+  for (const pattern of WINDOWS_FLAG_PATTERNS) {
+    if (pattern.test(token)) {
+      return true;
+    }
+  }
+  if (commandName && TOOL_ARG_SCHEMAS[commandName.toLowerCase()]) {
+    if (/^\/[a-zA-Z]/.test(token)) {
+      return true;
+    }
+  }
+  return false;
+}
+function isLikelyPath(token, commandName) {
+  if (isWindowsFlag(token, commandName)) {
+    return false;
+  }
+  if (token.startsWith("/") && token.length > 1 && token.includes("/")) {
+    return true;
+  }
+  if (/^[A-Za-z]:[\\/]/.test(token)) {
+    return true;
+  }
+  if (token.includes("/") || token.includes("\\")) {
+    return true;
+  }
+  if (/\.[a-zA-Z0-9]{1,6}$/.test(token) && !token.startsWith("-") && !token.startsWith("/")) {
+    return true;
+  }
+  if (token === "." || token === ".." || token.startsWith("./") || token.startsWith("../")) {
+    return true;
+  }
+  return false;
+}
+var WRITE_COMMANDS = {
+  // Position of write path(s) in args (0-indexed)
+  cp: [1],
+  mv: [1],
+  touch: [0, 1, 2, 3, 4],
+  // All args
+  mkdir: [0, 1, 2, 3, 4],
+  rm: [0, 1, 2, 3, 4],
+  echo: [],
+  // Only writes with >
+  tee: [0],
+  sed: [1],
+  // With -i
+  tar: [1],
+  // -cf archive
+  zip: [0],
+  unzip: [],
+  // Uses -d flag
+  git: [],
+  // Complex
+  npm: [],
+  // Writes to node_modules
+  yarn: [],
+  pnpm: []
+};
+var READ_COMMANDS = {
+  cat: [0, 1, 2, 3, 4],
+  head: [0],
+  tail: [0],
+  less: [0],
+  more: [0],
+  grep: [1, 2, 3, 4],
+  find: [0],
+  ls: [0],
+  dir: [0],
+  type: [0]
+};
+function extractPaths(parsed) {
+  const paths = [];
+  const cmd = parsed.command.toLowerCase();
+  const rawCmd = parsed.rawCommand;
+  const redirectMatch = rawCmd.match(/>\s*(\S+)/);
+  if (redirectMatch) {
+    paths.push({
+      path: redirectMatch[1],
+      operation: "write",
+      position: -1
+    });
+  }
+  for (let i = 0; i < parsed.args.length; i++) {
+    const arg = parsed.args[i];
+    if (!isLikelyPath(arg, cmd)) {
+      continue;
+    }
+    let operation = "unknown";
+    if (WRITE_COMMANDS[cmd]?.includes(i)) {
+      operation = "write";
+    } else if (READ_COMMANDS[cmd]?.includes(i)) {
+      operation = "read";
+    }
+    paths.push({
+      path: arg,
+      operation,
+      position: i
+    });
+  }
+  return paths;
+}
+function extractDomains(command) {
+  const domains = [];
+  const urlPattern = /https?:\/\/([a-zA-Z0-9.-]+)/gi;
+  let match;
+  while ((match = urlPattern.exec(command)) !== null) {
+    domains.push(match[1]);
+  }
+  const networkCommands = ["curl", "wget", "fetch", "npm", "yarn", "pnpm", "pip", "git"];
+  const parsed = parseArgv(command);
+  if (networkCommands.includes(parsed.command.toLowerCase())) {
+    if (["npm", "yarn", "pnpm"].includes(parsed.command.toLowerCase())) {
+      domains.push("registry.npmjs.org");
+    }
+    if (parsed.command.toLowerCase() === "pip") {
+      domains.push("pypi.org");
+    }
+  }
+  return [...new Set(domains)];
+}
+function extractPorts(command) {
+  const ports = [];
+  const patterns = [
+    /-p\s*(\d+)/gi,
+    // -p 3000
+    /--port[=\s]+(\d+)/gi,
+    // --port 3000 or --port=3000
+    /:(\d{2,5})(?:\s|$|\/)/g,
+    // :3000 or localhost:3000
+    /PORT[=:]\s*(\d+)/gi
+    // PORT=3000
+  ];
+  for (const pattern of patterns) {
+    let match;
+    while ((match = pattern.exec(command)) !== null) {
+      const port = parseInt(match[1], 10);
+      if (port > 0 && port <= 65535) {
+        ports.push(port);
+      }
+    }
+  }
+  return [...new Set(ports)];
+}
+
+// src/security/rules-engine.ts
+import { existsSync as existsSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
+import { join as join2 } from "path";
+import { homedir as homedir3 } from "os";
+var DEFAULT_RULES = [
+  // Tier 0: Read-only (allow)
+  { id: "default-ls", pattern: ["ls"], action: "allow", source: "default", createdAt: "", description: "List directory" },
+  { id: "default-dir", pattern: ["dir"], action: "allow", source: "default", createdAt: "", description: "List directory (Windows)" },
+  { id: "default-cat", pattern: ["cat"], action: "allow", source: "default", createdAt: "", description: "View file" },
+  { id: "default-type", pattern: ["type"], action: "allow", source: "default", createdAt: "", description: "View file (Windows)" },
+  { id: "default-pwd", pattern: ["pwd"], action: "allow", source: "default", createdAt: "", description: "Print working directory" },
+  { id: "default-echo", pattern: ["echo"], action: "allow", source: "default", createdAt: "", description: "Print text" },
+  { id: "default-head", pattern: ["head"], action: "allow", source: "default", createdAt: "", description: "View file head" },
+  { id: "default-tail", pattern: ["tail"], action: "allow", source: "default", createdAt: "", description: "View file tail" },
+  { id: "default-find", pattern: ["find"], action: "allow", source: "default", createdAt: "", description: "Find files" },
+  { id: "default-grep", pattern: ["grep"], action: "allow", source: "default", createdAt: "", description: "Search in files" },
+  { id: "default-findstr", pattern: ["findstr"], action: "allow", source: "default", createdAt: "", description: "Search in files (Windows)" },
+  // Git read commands (allow)
+  { id: "default-git-status", pattern: ["git", "status"], action: "allow", source: "default", createdAt: "", description: "Git status" },
+  { id: "default-git-diff", pattern: ["git", "diff"], action: "allow", source: "default", createdAt: "", description: "Git diff" },
+  { id: "default-git-log", pattern: ["git", "log"], action: "allow", source: "default", createdAt: "", description: "Git log" },
+  { id: "default-git-branch", pattern: ["git", "branch"], action: "allow", source: "default", createdAt: "", description: "Git branch" },
+  { id: "default-git-show", pattern: ["git", "show"], action: "allow", source: "default", createdAt: "", description: "Git show" },
+  // Tier 1: Workspace writes (prompt)
+  { id: "default-touch", pattern: ["touch"], action: "prompt", source: "default", createdAt: "", description: "Create file" },
+  { id: "default-mkdir", pattern: ["mkdir"], action: "prompt", source: "default", createdAt: "", description: "Create directory" },
+  { id: "default-git-add", pattern: ["git", "add"], action: "prompt", source: "default", createdAt: "", description: "Git add" },
+  { id: "default-git-commit", pattern: ["git", "commit"], action: "prompt", source: "default", createdAt: "", description: "Git commit" },
+  // Tier 2: Package managers (prompt)
+  { id: "default-npm-install", pattern: ["npm", "install"], action: "prompt", source: "default", createdAt: "", description: "npm install" },
+  { id: "default-npm-i", pattern: ["npm", "i"], action: "prompt", source: "default", createdAt: "", description: "npm install (short)" },
+  { id: "default-yarn-add", pattern: ["yarn", "add"], action: "prompt", source: "default", createdAt: "", description: "yarn add" },
+  { id: "default-yarn-install", pattern: ["yarn", "install"], action: "prompt", source: "default", createdAt: "", description: "yarn install" },
+  { id: "default-pnpm-install", pattern: ["pnpm", "install"], action: "prompt", source: "default", createdAt: "", description: "pnpm install" },
+  { id: "default-pnpm-add", pattern: ["pnpm", "add"], action: "prompt", source: "default", createdAt: "", description: "pnpm add" },
+  { id: "default-pip-install", pattern: ["pip", "install"], action: "prompt", source: "default", createdAt: "", description: "pip install" },
+  // Tier 3: Dangerous (forbid)
+  { id: "default-sudo", pattern: ["sudo"], action: "forbid", source: "default", createdAt: "", description: "Elevated privileges" },
+  { id: "default-rm-rf", pattern: ["rm", "-rf"], action: "forbid", source: "default", createdAt: "", description: "Recursive force delete" },
+  { id: "default-rm-fr", pattern: ["rm", "-fr"], action: "forbid", source: "default", createdAt: "", description: "Recursive force delete" },
+  { id: "default-chmod-777", pattern: ["chmod", "777"], action: "forbid", source: "default", createdAt: "", description: "World-writable permissions" },
+  { id: "default-curl-bash", pattern: ["curl"], action: "prompt", source: "default", createdAt: "", description: "HTTP request" },
+  { id: "default-wget", pattern: ["wget"], action: "prompt", source: "default", createdAt: "", description: "HTTP download" },
+  { id: "default-git-push-force", pattern: ["git", "push", "--force"], action: "forbid", source: "default", createdAt: "", description: "Force push" },
+  { id: "default-git-push-f", pattern: ["git", "push", "-f"], action: "forbid", source: "default", createdAt: "", description: "Force push" }
+];
+function matchesPosition(argvItem, patternItem) {
+  const argLower = argvItem.toLowerCase();
+  if (Array.isArray(patternItem)) {
+    return patternItem.some((p) => p.toLowerCase() === argLower);
+  }
+  return patternItem.toLowerCase() === argLower;
+}
+function matchesPattern(argv, pattern) {
+  if (argv.length < pattern.length) {
+    return false;
+  }
+  for (let i = 0; i < pattern.length; i++) {
+    if (!matchesPosition(argv[i], pattern[i])) {
+      return false;
+    }
+  }
+  return true;
+}
+function getRestrictionLevel(action) {
+  switch (action) {
+    case "forbid":
+      return 2;
+    case "prompt":
+      return 1;
+    case "allow":
+      return 0;
+  }
+}
+function evaluateRules(argv, rules) {
+  const matchedRules = [];
+  for (const rule of rules) {
+    if (matchesPattern(argv, rule.pattern)) {
+      matchedRules.push(rule);
+    }
+  }
+  if (matchedRules.length === 0) {
+    return {
+      decision: "prompt",
+      // Default: prompt for unknown
+      matchedRules: [],
+      mostRestrictive: null
+    };
+  }
+  let mostRestrictive = matchedRules[0];
+  for (const rule of matchedRules) {
+    if (getRestrictionLevel(rule.action) > getRestrictionLevel(mostRestrictive.action)) {
+      mostRestrictive = rule;
+    }
+  }
+  return {
+    decision: mostRestrictive.action,
+    matchedRules,
+    mostRestrictive
+  };
+}
+var RULES_DIR = join2(homedir3(), ".agdi");
+var RULES_FILE = join2(RULES_DIR, "rules.json");
+function loadUserRules() {
+  try {
+    if (existsSync4(RULES_FILE)) {
+      const data = readFileSync3(RULES_FILE, "utf-8");
+      const parsed = JSON.parse(data);
+      return parsed.rules || [];
+    }
+  } catch {
+  }
+  return [];
+}
+var sessionRules = [];
+function getAllRules() {
+  return [...DEFAULT_RULES, ...loadUserRules(), ...sessionRules];
+}
+
+// src/security/shell-wrapper-detector.ts
+var SHELL_WRAPPERS = {
+  bash: {
+    patterns: [/^bash$/i],
+    extractScript: (argv) => {
+      const cIdx = argv.findIndex((a) => a === "-c" || a === "-lc");
+      return cIdx !== -1 && argv[cIdx + 1] ? argv[cIdx + 1] : void 0;
+    }
+  },
+  sh: {
+    patterns: [/^sh$/i],
+    extractScript: (argv) => {
+      const cIdx = argv.findIndex((a) => a === "-c");
+      return cIdx !== -1 && argv[cIdx + 1] ? argv[cIdx + 1] : void 0;
+    }
+  },
+  zsh: {
+    patterns: [/^zsh$/i],
+    extractScript: (argv) => {
+      const cIdx = argv.findIndex((a) => a === "-c");
+      return cIdx !== -1 && argv[cIdx + 1] ? argv[cIdx + 1] : void 0;
+    }
+  },
+  cmd: {
+    patterns: [/^cmd$/i, /^cmd\.exe$/i],
+    extractScript: (argv) => {
+      const cIdx = argv.findIndex((a) => a.toLowerCase() === "/c" || a.toLowerCase() === "/k");
+      return cIdx !== -1 ? argv.slice(cIdx + 1).join(" ") : void 0;
+    }
+  },
+  powershell: {
+    patterns: [/^powershell$/i, /^powershell\.exe$/i],
+    extractScript: (argv) => {
+      const cIdx = argv.findIndex(
+        (a) => a.toLowerCase() === "-command" || a.toLowerCase() === "-c" || a.toLowerCase() === "-encodedcommand" || a.toLowerCase() === "-e"
+      );
+      return cIdx !== -1 && argv[cIdx + 1] ? argv[cIdx + 1] : void 0;
+    }
+  },
+  pwsh: {
+    patterns: [/^pwsh$/i, /^pwsh\.exe$/i],
+    extractScript: (argv) => {
+      const cIdx = argv.findIndex(
+        (a) => a.toLowerCase() === "-command" || a.toLowerCase() === "-c"
+      );
+      return cIdx !== -1 && argv[cIdx + 1] ? argv[cIdx + 1] : void 0;
+    }
+  }
+};
+var COMPLEX_SCRIPT_PATTERNS = [
+  /\bif\b.*\bthen\b/i,
+  // if-then
+  /\bfor\b.*\bdo\b/i,
+  // for loops
+  /\bwhile\b.*\bdo\b/i,
+  // while loops
+  /\bfunction\b/i,
+  // function definitions
+  /\$\(/,
+  // command substitution
+  /`[^`]+`/,
+  // backtick substitution
+  /\|\|/,
+  // OR chain
+  /\&\&.*\&\&/,
+  // multiple AND chains
+  /\beval\b/i,
+  // eval
+  /\bexec\b/i,
+  // exec
+  /\bsource\b/i,
+  // source
+  /\.\s+\//,
+  // dot source
+  /<<[<-]?\s*[A-Z]+/
+  // heredocs
+];
+function isComplexScript(script) {
+  return COMPLEX_SCRIPT_PATTERNS.some((pattern) => pattern.test(script));
+}
+function splitSimpleScript(script) {
+  if (isComplexScript(script)) {
+    return null;
+  }
+  const commands = [];
+  const semiParts = script.split(/\s*;\s*/);
+  if (semiParts.length > 1) {
+    for (const part of semiParts) {
+      const trimmed = part.trim();
+      if (trimmed) {
+        commands.push(trimmed);
+      }
+    }
+    return commands;
+  }
+  const andParts = script.split(/\s*&&\s*/);
+  if (andParts.length > 1 && andParts.length <= 3) {
+    for (const part of andParts) {
+      const trimmed = part.trim();
+      if (trimmed) {
+        commands.push(trimmed);
+      }
+    }
+    return commands;
+  }
+  return [script.trim()];
+}
+function detectShellWrapper(argv) {
+  if (argv.length === 0) {
+    return { isWrapper: false, isComplex: false };
+  }
+  const cmd = argv[0];
+  for (const [wrapperType, config] of Object.entries(SHELL_WRAPPERS)) {
+    for (const pattern of config.patterns) {
+      if (pattern.test(cmd)) {
+        const script = config.extractScript(argv);
+        if (!script) {
+          return {
+            isWrapper: true,
+            wrapperType,
+            isComplex: true
+            // Treat interactive shells as complex
+          };
+        }
+        const isComplex = isComplexScript(script);
+        const subCommands = splitSimpleScript(script);
+        return {
+          isWrapper: true,
+          wrapperType,
+          embeddedScript: script,
+          subCommands: subCommands || void 0,
+          isComplex
+        };
+      }
+    }
+  }
+  return { isWrapper: false, isComplex: false };
+}
+function getMostRestrictiveTier(tiers) {
+  return Math.max(...tiers, 0);
+}
+function isHighRiskWrapper(result) {
+  if (result.isComplex) {
+    return true;
+  }
+  if (result.embeddedScript?.includes("encodedcommand")) {
+    return true;
+  }
+  return false;
+}
+
+// src/security/permission-gate.ts
+var HARD_DENY_PATTERNS = [
+  { pattern: /\.ssh\/.*(?:id_rsa|id_ed25519|authorized_keys)/i, msg: "SSH key access" },
+  { pattern: /\/etc\/shadow/i, msg: "Shadow file access" },
+  { pattern: /\/etc\/passwd/i, msg: "Passwd file access" },
+  { pattern: /\brm\s+(-[rf]+\s+)*[\/\\]$/i, msg: "Root filesystem deletion" },
+  { pattern: /\brm\s+(-[rf]+\s+)*~$/i, msg: "Home directory deletion" },
+  { pattern: /\bcurl\s+[^\|]*\|\s*(bash|sh|zsh)/i, msg: "Piped script execution" },
+  { pattern: /\bwget\s+[^\|]*\|\s*(bash|sh|zsh)/i, msg: "Piped script execution" },
+  { pattern: /\bchmod\s+777\s+\//i, msg: "World-writable root" },
+  { pattern: /\b(sudo|su|runas|doas)\b/i, msg: "Privilege escalation" },
+  { pattern: /\bformat\s+[a-z]:/i, msg: "Drive format" },
+  { pattern: /\bmkfs\b/i, msg: "Filesystem creation" },
+  { pattern: /\bdd\s+.*of=\/dev/i, msg: "Raw device write" }
+];
+var TIER_0_COMMANDS = /* @__PURE__ */ new Set([
+  "ls",
+  "dir",
+  "cat",
+  "type",
+  "head",
+  "tail",
+  "less",
+  "more",
+  "pwd",
+  "echo",
+  "find",
+  "grep",
+  "findstr",
+  "which",
+  "where",
+  "wc",
+  "sort",
+  "uniq",
+  "diff",
+  "cmp",
+  "file",
+  "stat"
+]);
+var TIER_0_GIT = /* @__PURE__ */ new Set([
+  "status",
+  "diff",
+  "log",
+  "show",
+  "branch",
+  "remote",
+  "tag",
+  "stash",
+  "describe",
+  "rev-parse",
+  "config"
+]);
+var TIER_1_COMMANDS = /* @__PURE__ */ new Set([
+  "touch",
+  "mkdir",
+  "cp",
+  "mv",
+  "rm",
+  "rmdir",
+  "ln"
+]);
+var TIER_1_GIT = /* @__PURE__ */ new Set([
+  "add",
+  "commit",
+  "checkout",
+  "switch",
+  "merge",
+  "rebase",
+  "reset",
+  "stash",
+  "clean",
+  "restore"
+]);
+var TIER_2_COMMANDS = /* @__PURE__ */ new Set([
+  "npm",
+  "yarn",
+  "pnpm",
+  "pip",
+  "pip3",
+  "poetry",
+  "cargo",
+  "node",
+  "python",
+  "python3",
+  "ruby",
+  "go",
+  "java",
+  "make",
+  "cmake",
+  "gcc",
+  "g++",
+  "clang",
+  "docker",
+  "docker-compose",
+  "chmod",
+  "chown"
+]);
+function classifyRisk(argv, rawCommand) {
+  if (argv.length === 0) return 3;
+  const cmd = argv[0].toLowerCase();
+  const wrapperResult = detectShellWrapper(argv);
+  if (wrapperResult.isWrapper) {
+    if (isHighRiskWrapper(wrapperResult)) {
+      return 3;
+    }
+    if (wrapperResult.subCommands && wrapperResult.subCommands.length > 0) {
+      const subTiers = wrapperResult.subCommands.map((sc) => {
+        const parsed = parseArgv(sc);
+        return classifyRisk(parsed.argv, sc);
+      });
+      return getMostRestrictiveTier(subTiers);
+    }
+  }
+  for (const { pattern } of HARD_DENY_PATTERNS) {
+    if (pattern.test(rawCommand)) {
+      return 3;
+    }
+  }
+  if (cmd === "git" && argv.length > 1) {
+    const subCmd = argv[1].toLowerCase();
+    if (TIER_0_GIT.has(subCmd)) return 0;
+    if (TIER_1_GIT.has(subCmd)) return 1;
+    if (subCmd === "push" || subCmd === "pull" || subCmd === "fetch" || subCmd === "clone") {
+      return 2;
+    }
+    return 2;
+  }
+  if (TIER_0_COMMANDS.has(cmd)) return 0;
+  if (TIER_1_COMMANDS.has(cmd)) return 1;
+  if (TIER_2_COMMANDS.has(cmd)) return 2;
+  return 2;
+}
+function isWithinWorkspace2(p, workspaceRoot, cwd) {
+  const resolved = resolve2(cwd, p);
+  const root = resolve2(workspaceRoot);
+  const rel = relative2(root, resolved);
+  return rel === "" || !rel.startsWith("..") && !isAbsolute2(rel);
+}
+function validatePaths(paths, workspaceRoot, cwd) {
+  const violations = [];
+  for (const p of paths) {
+    if (p.operation === "write" && !isWithinWorkspace2(p.path, workspaceRoot, cwd)) {
+      violations.push({
+        message: `Write to path outside workspace: ${p.path}`,
+        severity: "promptable"
+        // User might intentionally allow
+      });
+    }
+  }
+  return violations;
+}
+function validateNetwork(domains, policy, allowedDomains) {
+  if (policy === "on" || domains.length === 0) {
+    return [];
+  }
+  const violations = [];
+  if (policy === "off" && domains.length > 0) {
+    violations.push({
+      message: `Network access requested: ${domains.join(", ")}`,
+      severity: "promptable"
+      // User can approve network
+    });
+    return violations;
+  }
+  for (const domain of domains) {
+    const isAllowed = allowedDomains.some(
+      (allowed) => domain === allowed || domain.endsWith("." + allowed)
+    );
+    if (!isAllowed) {
+      violations.push({
+        message: `Domain not in allowlist: ${domain}`,
+        severity: "promptable"
+      });
+    }
+  }
+  return violations;
+}
+function checkHardViolations(command) {
+  const violations = [];
+  for (const { pattern, msg } of HARD_DENY_PATTERNS) {
+    if (pattern.test(command)) {
+      violations.push({
+        message: msg,
+        severity: "hard"
+      });
+    }
+  }
+  return violations;
+}
+function evaluateCommand(command, cwd) {
+  const env = getEnvironment();
+  const effectiveCwd = cwd || env.cwd;
+  const parsed = parseArgv(command);
+  const paths = extractPaths(parsed);
+  const domains = extractDomains(command);
+  const ports = extractPorts(command);
+  const wrapperResult = detectShellWrapper(parsed.argv);
+  const riskTier = classifyRisk(parsed.argv, command);
+  const violations = [];
+  violations.push(...checkHardViolations(command));
+  if (env.trustLevel === "untrusted" && riskTier > 0) {
+    return {
+      decision: "prompt",
+      riskTier,
+      command,
+      cwd: effectiveCwd,
+      parsedArgv: parsed.argv,
+      paths,
+      ports,
+      domains,
+      reason: "Workspace is untrusted. Trust this folder to allow file writes and command execution.",
+      violations: [{ message: "Workspace not trusted", severity: "promptable" }],
+      isShellWrapper: wrapperResult.isWrapper,
+      subCommands: wrapperResult.subCommands
+    };
+  }
+  violations.push(...validatePaths(paths, env.workspaceRoot, effectiveCwd));
+  violations.push(...validateNetwork(domains, env.networkPolicy, env.allowedDomains));
+  const rules = getAllRules();
+  const ruleResult = evaluateRules(parsed.argv, rules);
+  const hasHardViolation = violations.some((v) => v.severity === "hard");
+  const hasPromptableViolation = violations.some((v) => v.severity === "promptable");
+  let decision;
+  let reason;
+  if (hasHardViolation) {
+    decision = "deny";
+    reason = violations.find((v) => v.severity === "hard")?.message || "Security violation";
+  } else if (ruleResult.decision === "forbid") {
+    decision = "deny";
+    reason = ruleResult.mostRestrictive?.description || "Forbidden by rule";
+  } else if (hasPromptableViolation) {
+    decision = "prompt";
+    reason = violations.find((v) => v.severity === "promptable")?.message || "Approval required";
+  } else if (ruleResult.decision === "allow" && riskTier <= 1) {
+    decision = "allow";
+    reason = ruleResult.mostRestrictive?.description || "Allowed by rule";
+  } else {
+    decision = "prompt";
+    reason = getRiskDescription(riskTier, parsed.argv);
+  }
+  return {
+    decision,
+    riskTier,
+    command,
+    cwd: effectiveCwd,
+    parsedArgv: parsed.argv,
+    paths,
+    ports,
+    domains,
+    reason,
+    violations,
+    matchedRuleId: ruleResult.mostRestrictive?.id,
+    isShellWrapper: wrapperResult.isWrapper,
+    subCommands: wrapperResult.subCommands
+  };
+}
+function getRiskDescription(tier, argv) {
+  const cmd = argv[0] || "unknown";
+  switch (tier) {
+    case 0:
+      return `Read-only: ${cmd}`;
+    case 1:
+      return `Workspace modification: ${cmd}`;
+    case 2:
+      return `System/package operation: ${cmd}`;
+    case 3:
+      return `Potentially dangerous: ${cmd}`;
+  }
+}
+
+// src/security/workspace-trust.ts
+import { select as select3 } from "@inquirer/prompts";
+import chalk9 from "chalk";
+import { existsSync as existsSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync3 } from "fs";
+import { join as join3, resolve as resolve3 } from "path";
+import { homedir as homedir4 } from "os";
+var CONFIG_DIR2 = join3(homedir4(), ".agdi");
+var TRUST_FILE = join3(CONFIG_DIR2, "trusted-workspaces.json");
+function loadTrustConfig() {
+  try {
+    if (existsSync5(TRUST_FILE)) {
+      const data = readFileSync4(TRUST_FILE, "utf-8");
+      return JSON.parse(data);
+    }
+  } catch {
+  }
+  return { trustedWorkspaces: [] };
+}
+function saveTrustConfig(config) {
+  try {
+    if (!existsSync5(CONFIG_DIR2)) {
+      mkdirSync3(CONFIG_DIR2, { recursive: true });
+    }
+    writeFileSync3(TRUST_FILE, JSON.stringify(config, null, 2));
+  } catch (error) {
+    console.error("Failed to save trust config:", error);
+  }
+}
+function normalizePath(path4) {
+  return resolve3(path4).toLowerCase().replace(/\\/g, "/");
+}
+function trustWorkspace(workspacePath) {
+  const config = loadTrustConfig();
+  const normalized = normalizePath(workspacePath);
+  if (config.trustedWorkspaces.some((w) => w.normalizedPath === normalized)) {
+    return;
+  }
+  config.trustedWorkspaces.push({
+    path: workspacePath,
+    normalizedPath: normalized,
+    trustedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  saveTrustConfig(config);
+}
+
+// src/actions/plan-executor.ts
+function displayPlanSummary(plan) {
+  const summary = summarizePlan(plan);
+  const boxWidth = 56;
+  console.log("");
+  console.log(chalk10.cyan("\u256D\u2500 Action Plan \u2500" + "\u2500".repeat(boxWidth - 15) + "\u256E"));
+  console.log(chalk10.cyan("\u2502 ") + chalk10.white(`Project: ${plan.projectName}`.padEnd(boxWidth - 2)) + chalk10.cyan(" \u2502"));
+  console.log(chalk10.cyan("\u2502 ") + "\u2500".repeat(boxWidth - 2) + chalk10.cyan(" \u2502"));
+  const lines = [];
+  if (summary.dirsCreated > 0) {
+    lines.push(`\u{1F4C1} Create ${summary.dirsCreated} directories`);
+  }
+  if (summary.filesCreated > 0) {
+    lines.push(`\u{1F4C4} Create ${summary.filesCreated} files`);
+  }
+  if (summary.filesDeleted > 0) {
+    lines.push(`\u{1F5D1}\uFE0F  Delete ${summary.filesDeleted} files`);
+  }
+  if (summary.commandsToRun > 0) {
+    lines.push(`\u26A1 Run ${summary.commandsToRun} commands`);
+  }
+  if (summary.domains.length > 0) {
+    lines.push(`\u{1F310} Network: ${summary.domains.join(", ")}`);
+  }
+  if (summary.ports.length > 0) {
+    lines.push(`\u{1F50C} Ports: ${summary.ports.join(", ")}`);
+  }
+  for (const line of lines) {
+    console.log(chalk10.cyan("\u2502 ") + chalk10.gray(line.padEnd(boxWidth - 2)) + chalk10.cyan(" \u2502"));
+  }
+  console.log(chalk10.cyan("\u2570" + "\u2500".repeat(boxWidth) + "\u256F"));
+  console.log("");
+}
+function displayActionProgress(action, index, total) {
+  const num = `[${index + 1}/${total}]`;
+  switch (action.type) {
+    case "mkdir":
+      console.log(chalk10.gray(`${num} Creating directory: ${action.path}`));
+      break;
+    case "writeFile":
+      console.log(chalk10.gray(`${num} Writing file: ${action.path}`));
+      break;
+    case "deleteFile":
+      console.log(chalk10.gray(`${num} Deleting file: ${action.path}`));
+      break;
+    case "exec":
+      console.log(chalk10.blue(`${num} Running: ${action.argv.join(" ")}`));
+      break;
+  }
+}
+async function dryRunActions(plan) {
+  const gateResults = [];
+  let requiresTrust = false;
+  let hasHardDeny = false;
+  for (const action of plan.actions) {
+    if (action.type === "exec") {
+      const command = action.argv.join(" ");
+      const result = evaluateCommand(command, action.cwd);
+      gateResults.push(result);
+      if (result.decision === "deny") {
+        const isHard = result.violations.some((v) => v.severity === "hard");
+        if (isHard) {
+          hasHardDeny = true;
+        }
+      }
+      if (result.violations.some((v) => v.message === "Workspace not trusted")) {
+        requiresTrust = true;
+      }
+    } else {
+      const env = getEnvironment();
+      if (env.trustLevel === "untrusted") {
+        requiresTrust = true;
+      }
+    }
+  }
+  return {
+    canProceed: !hasHardDeny,
+    requiresTrust,
+    gateResults
+  };
+}
+async function executeAction(action) {
+  const env = getEnvironment();
+  switch (action.type) {
+    case "mkdir": {
+      const result = await mkdirTool(action.path);
+      return {
+        action,
+        success: result.success,
+        error: result.error
+      };
+    }
+    case "writeFile": {
+      const result = await writeFileTool(action.path, action.content);
+      return {
+        action,
+        success: result.success,
+        error: result.error
+      };
+    }
+    case "deleteFile": {
+      const result = await deleteFileTool(action.path);
+      return {
+        action,
+        success: result.success,
+        error: result.error
+      };
+    }
+    case "exec": {
+      const cwd = action.cwd ? resolve4(env.workspaceRoot, action.cwd) : env.workspaceRoot;
+      const command = action.argv.join(" ");
+      return new Promise((resolvePromise) => {
+        let output = "";
+        let error = "";
+        const child = spawn2(action.argv[0], action.argv.slice(1), {
+          cwd,
+          shell: true,
+          stdio: "pipe"
+        });
+        child.stdout?.on("data", (data) => {
+          const text = data.toString();
+          output += text;
+          process.stdout.write(text);
+        });
+        child.stderr?.on("data", (data) => {
+          const text = data.toString();
+          error += text;
+          process.stderr.write(text);
+        });
+        child.on("close", (code) => {
+          resolvePromise({
+            action,
+            success: code === 0,
+            error: code !== 0 ? error || `Exit code: ${code}` : void 0,
+            output
+          });
+        });
+        child.on("error", (err) => {
+          resolvePromise({
+            action,
+            success: false,
+            error: err.message
+          });
+        });
+      });
+    }
+  }
+}
+async function executePlan(plan) {
+  const env = getEnvironment();
+  const results = [];
+  const filesCreated = [];
+  const commandsRun = [];
+  const errors = [];
+  displayPlanSummary(plan);
+  const dryRun = await dryRunActions(plan);
+  if (!dryRun.canProceed) {
+    console.log(chalk10.red("\n\u26D4 Plan contains actions that cannot be approved:"));
+    for (const result of dryRun.gateResults) {
+      if (result.decision === "deny") {
+        console.log(chalk10.red(`   - ${result.command}: ${result.reason}`));
+        errors.push(result.reason);
+      }
+    }
+    return { success: false, results, filesCreated, commandsRun, errors };
+  }
+  if (dryRun.requiresTrust) {
+    console.log(chalk10.yellow("\u26A0\uFE0F  This workspace is not trusted."));
+    console.log(chalk10.gray("   The plan requires file writes and command execution.\n"));
+    const trustChoice = await select4({
+      message: "Trust this workspace?",
+      choices: [
+        { name: "Trust for this session", value: "session" },
+        { name: "Trust and remember", value: "persistent" },
+        { name: "Cancel", value: "cancel" }
+      ]
+    });
+    if (trustChoice === "cancel") {
+      console.log(chalk10.yellow("\n\u{1F44B} Plan cancelled.\n"));
+      return { success: false, results, filesCreated, commandsRun, errors: ["User cancelled"] };
+    }
+    if (trustChoice === "persistent") {
+      trustWorkspace(env.workspaceRoot);
+      updateEnvironment({ trustLevel: "persistent" });
+      console.log(chalk10.green("\u2713 Workspace trusted and remembered\n"));
+    } else {
+      updateEnvironment({ trustLevel: "session" });
+      console.log(chalk10.green("\u2713 Trusted for this session\n"));
+    }
+  }
+  const approved = await confirm({
+    message: `Execute ${plan.actions.length} actions?`,
+    default: true
+  });
+  if (!approved) {
+    console.log(chalk10.yellow("\n\u{1F44B} Plan cancelled.\n"));
+    return { success: false, results, filesCreated, commandsRun, errors: ["User cancelled"] };
+  }
+  logEvent({
+    eventType: "command_start",
+    command: `executePlan: ${plan.projectName}`,
+    metadata: {
+      actionsCount: plan.actions.length,
+      summary: summarizePlan(plan)
+    }
+  });
+  console.log(chalk10.cyan("\n\u25B6 Executing plan...\n"));
+  for (let i = 0; i < plan.actions.length; i++) {
+    const action = plan.actions[i];
+    displayActionProgress(action, i, plan.actions.length);
+    const result = await executeAction(action);
+    results.push(result);
+    if (result.success) {
+      if (action.type === "writeFile" || action.type === "mkdir") {
+        filesCreated.push(action.path);
+      }
+      if (action.type === "exec") {
+        commandsRun.push(action.argv.join(" "));
+      }
+    } else {
+      errors.push(result.error || "Unknown error");
+      console.log(chalk10.red(`   \u2717 Failed: ${result.error}`));
+    }
+  }
+  const success = errors.length === 0;
+  if (success) {
+    console.log(chalk10.green(`
+\u2713 Plan executed successfully!`));
+    console.log(chalk10.gray(`  Created ${filesCreated.length} files`));
+    console.log(chalk10.gray(`  Ran ${commandsRun.length} commands
+`));
+  } else {
+    console.log(chalk10.red(`
+\u2717 Plan completed with ${errors.length} errors
+`));
+  }
+  if (plan.nextSteps) {
+    console.log(chalk10.cyan("Next steps:"));
+    console.log(chalk10.gray(`  ${plan.nextSteps}
+`));
+  }
+  logEvent({
+    eventType: "command_result",
+    command: `executePlan: ${plan.projectName}`,
+    result: {
+      exitCode: success ? 0 : 1
+    },
+    metadata: {
+      filesCreated,
+      commandsRun,
+      errors
+    }
+  });
+  return { success, results, filesCreated, commandsRun, errors };
+}
+async function parseAndExecutePlan(response) {
+  const plan = parseActionPlan(response);
+  if (!plan) {
+    console.log(chalk10.yellow("\n\u26A0\uFE0F  Could not parse action plan from response.\n"));
+    return null;
+  }
+  return executePlan(plan);
+}
+
+// src/commands/codex.ts
+var CHAT_SYSTEM_PROMPT = `You are Agdi dev, an elite AI coding assistant. You help developers write code, debug issues, and build applications.
 
 ## Your Capabilities
 - Write complete, production-ready code
 - Debug and fix code issues  
 - Explain code and architecture
-- Generate full applications from descriptions
-- Run shell commands (when requested)
+- Answer coding questions
 
 ## Response Style
 - Be concise and direct
@@ -1293,31 +2752,66 @@ var SYSTEM_PROMPT3 = `You are Agdi dev, an elite AI coding assistant. You help d
 - Use TypeScript by default
 - Follow modern best practices
 - Include proper error handling
-- Write self-documenting code
+- Write self-documenting code`;
+var BUILD_SYSTEM_PROMPT = `You are Agdi dev, an AI coding assistant that generates applications.
+
+## CRITICAL: Output Format
+When the user asks to build an app, do NOT print file contents in markdown blocks.
+
+Instead, output a single JSON object with this exact structure:
+{
+  "projectName": "my-app",
+  "actions": [
+    { "type": "mkdir", "path": "src" },
+    { "type": "writeFile", "path": "package.json", "content": "{...}" },
+    { "type": "writeFile", "path": "src/index.ts", "content": "..." },
+    { "type": "exec", "argv": ["pnpm", "install"], "cwd": "." },
+    { "type": "exec", "argv": ["pnpm", "dev"], "cwd": "." }
+  ],
+  "nextSteps": "Open http://localhost:3000 to see your app"
+}
 
-When generating applications, create complete file structures with all necessary code.`;
+## Action Types
+- mkdir: { type: "mkdir", path: "relative/path" }
+- writeFile: { type: "writeFile", path: "relative/path/file.ts", content: "file contents" }
+- deleteFile: { type: "deleteFile", path: "relative/path/file.ts" }
+- exec: { type: "exec", argv: ["command", "arg1", "arg2"], cwd: "." }
+
+## Rules
+1. All paths MUST be relative to workspace root (no leading /)
+2. Use pnpm as package manager
+3. Include exec steps for install/dev only if user requests running the app
+4. Keep actions minimal (no redundant writes)
+5. Create complete, production-ready code
+6. Use TypeScript by default
+7. Include proper error handling
+8. Output ONLY the JSON object, no extra text`;
 async function startCodingMode() {
   const activeConfig = getActiveProvider();
   if (!activeConfig) {
-    console.log(chalk8.red("\u274C No API key configured. Run: agdi"));
+    console.log(chalk11.red("\u274C No API key configured. Run: agdi"));
     return;
   }
   const { provider, apiKey, model } = activeConfig;
   const config = loadConfig();
-  console.log(chalk8.cyan.bold("\n\u26A1 Agdi dev\n"));
-  console.log(chalk8.gray(`Model: ${chalk8.cyan(model)}`));
-  console.log(chalk8.gray("Commands: /model, /chat, /build, /help, /exit\n"));
-  console.log(chalk8.gray("\u2500".repeat(50) + "\n"));
+  const env = initSession();
+  displaySessionHeader(env);
+  logSessionStart(env.workspaceRoot, env.trustLevel);
+  console.log(chalk11.cyan.bold("\u26A1 Agdi dev\n"));
+  console.log(chalk11.gray(`Model: ${chalk11.cyan(model)}`));
+  console.log(chalk11.gray("Commands: /model, /chat, /build, /help, /exit\n"));
+  console.log(chalk11.gray("\u2500".repeat(50) + "\n"));
   const pm = new ProjectManager();
   let llm = createLLMProvider(provider, { apiKey, model });
   while (true) {
     try {
       const userInput = await input4({
-        message: chalk8.green("\u2192")
+        message: chalk11.green("\u2192")
       });
       const trimmed = userInput.trim().toLowerCase();
       if (trimmed === "/exit" || trimmed === "exit" || trimmed === "quit") {
-        console.log(chalk8.gray("\n\u{1F44B} Goodbye!\n"));
+        logSessionEnd();
+        console.log(chalk11.gray("\n\u{1F44B} Goodbye!\n"));
         break;
       }
       if (trimmed === "/help") {
@@ -1332,22 +2826,22 @@ async function startCodingMode() {
             apiKey: newConfig.apiKey,
             model: newConfig.model
           });
-          console.log(chalk8.gray(`Now using: ${chalk8.cyan(newConfig.model)}
+          console.log(chalk11.gray(`Now using: ${chalk11.cyan(newConfig.model)}
 `));
         }
         continue;
       }
       if (trimmed === "/chat") {
-        console.log(chalk8.gray("\nSwitching to chat mode. Type /code to return.\n"));
+        console.log(chalk11.gray("\nSwitching to chat mode. Type /code to return.\n"));
         await chatMode(llm);
         continue;
       }
       if (trimmed.startsWith("/build ") || trimmed.startsWith("build ")) {
         const prompt = userInput.replace(/^\/?build\s+/i, "").trim();
         if (prompt) {
-          await buildApp(prompt, llm, pm);
+          await buildAppWithPlan(prompt, llm);
         } else {
-          console.log(chalk8.yellow("\nUsage: /build <description>\n"));
+          console.log(chalk11.yellow("\nUsage: /build <description>\n"));
         }
         continue;
       }
@@ -1356,12 +2850,12 @@ async function startCodingMode() {
       }
       const isGenerationRequest = /^(create|build|make|generate|design|implement)\s+(me\s+)?(a\s+|an\s+)?/i.test(userInput.trim());
       if (isGenerationRequest) {
-        await buildApp(userInput, llm, pm);
+        await buildAppWithPlan(userInput, llm);
         continue;
       }
       const spinner = ora3("Thinking...").start();
       try {
-        const response = await llm.generate(userInput, SYSTEM_PROMPT3);
+        const response = await llm.generate(userInput, CHAT_SYSTEM_PROMPT);
         spinner.stop();
         console.log("\n" + formatResponse(response.text) + "\n");
       } catch (error) {
@@ -1370,43 +2864,23 @@ async function startCodingMode() {
       }
     } catch (error) {
       if (error.name === "ExitPromptError") {
-        console.log(chalk8.gray("\n\n\u{1F44B} Goodbye!\n"));
+        logSessionEnd();
+        console.log(chalk11.gray("\n\n\u{1F44B} Goodbye!\n"));
         process.exit(0);
       }
       throw error;
     }
   }
 }
-async function buildApp(prompt, llm, pm) {
-  const spinner = ora3("Generating application...").start();
+async function buildAppWithPlan(prompt, llm) {
+  const spinner = ora3("Generating action plan...").start();
   try {
-    pm.create("generated-app", prompt);
-    const { plan, files } = await generateApp(prompt, llm, (step, file) => {
-      spinner.text = file ? `${step} ${chalk8.gray(file)}` : step;
-    });
-    pm.updateFiles(files);
-    spinner.succeed(chalk8.green("Application generated!"));
-    console.log(chalk8.gray("\n\u{1F4C1} Files:"));
-    for (const file of files.slice(0, 10)) {
-      console.log(chalk8.gray(`   ${file.path}`));
-    }
-    if (files.length > 10) {
-      console.log(chalk8.gray(`   ... and ${files.length - 10} more`));
-    }
-    const shouldWrite = await input4({
-      message: "Write to disk? (y/n):",
-      default: "y"
-    });
-    if (shouldWrite.toLowerCase() === "y") {
-      const dir = await input4({
-        message: "Output directory:",
-        default: "./generated-app"
-      });
-      await writeProject(pm.get(), dir);
-      console.log(chalk8.green(`
-\u2705 Written to ${dir}
-`));
-      console.log(chalk8.gray("Next: cd " + dir + " && npm install && npm run dev\n"));
+    const response = await llm.generate(prompt, BUILD_SYSTEM_PROMPT);
+    spinner.stop();
+    const result = await parseAndExecutePlan(response.text);
+    if (!result) {
+      console.log(chalk11.yellow("\n\u26A0\uFE0F  Model did not return an action plan. Showing response:\n"));
+      console.log(formatResponse(response.text) + "\n");
     }
   } catch (error) {
     spinner.fail("Generation failed");
@@ -1417,10 +2891,10 @@ async function chatMode(llm) {
   while (true) {
     try {
       const userInput = await input4({
-        message: chalk8.blue("\u{1F4AC}")
+        message: chalk11.blue("\u{1F4AC}")
       });
       if (userInput.toLowerCase() === "/code" || userInput.toLowerCase() === "/exit") {
-        console.log(chalk8.gray("\nBack to Agdi dev mode.\n"));
+        console.log(chalk11.gray("\nBack to Agdi dev mode.\n"));
         return;
       }
       if (!userInput.trim()) continue;
@@ -1438,48 +2912,49 @@ async function chatMode(llm) {
 }
 function formatResponse(text) {
   return text.replace(/```(\w+)?\n([\s\S]*?)```/g, (_, lang, code) => {
-    const header = lang ? chalk8.gray(`\u2500\u2500 ${lang} \u2500\u2500`) : chalk8.gray("\u2500\u2500 code \u2500\u2500");
+    const header = lang ? chalk11.gray(`\u2500\u2500 ${lang} \u2500\u2500`) : chalk11.gray("\u2500\u2500 code \u2500\u2500");
     return `
 ${header}
-${chalk8.white(code.trim())}
-${chalk8.gray("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")}
+${chalk11.white(code.trim())}
+${chalk11.gray("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500")}
 `;
   });
 }
 function showHelp() {
-  console.log(chalk8.cyan.bold("\n\u{1F4D6} Commands\n"));
-  console.log(chalk8.gray("  /model     ") + "Change AI model");
-  console.log(chalk8.gray("  /build     ") + "Generate a full application");
-  console.log(chalk8.gray("  /chat      ") + "Switch to chat mode");
-  console.log(chalk8.gray("  /help      ") + "Show this help");
-  console.log(chalk8.gray("  /exit      ") + "Exit Agdi");
-  console.log(chalk8.gray("\n  Or just type your coding question!\n"));
+  console.log(chalk11.cyan.bold("\n\u{1F4D6} Commands\n"));
+  console.log(chalk11.gray("  /build     ") + "Generate and execute an application");
+  console.log(chalk11.gray("  /model     ") + "Change AI model");
+  console.log(chalk11.gray("  /chat      ") + "Switch to chat mode");
+  console.log(chalk11.gray("  /help      ") + "Show this help");
+  console.log(chalk11.gray("  /exit      ") + "Exit Agdi");
+  console.log(chalk11.gray("\n  Or just type your coding question!\n"));
+  console.log(chalk11.gray('Tip: "Create a todo app" will generate & write files.\n'));
 }
 function handleError(error) {
   const msg = error instanceof Error ? error.message : String(error);
   if (msg.includes("429") || msg.includes("quota")) {
-    console.log(chalk8.yellow("\n\u26A0\uFE0F  Quota exceeded. Run /model to switch.\n"));
+    console.log(chalk11.yellow("\n\u26A0\uFE0F  Quota exceeded. Run /model to switch.\n"));
   } else if (msg.includes("401") || msg.includes("403")) {
-    console.log(chalk8.red("\n\u{1F511} Invalid API key. Run: agdi auth\n"));
+    console.log(chalk11.red("\n\u{1F511} Invalid API key. Run: agdi auth\n"));
   } else {
-    console.log(chalk8.red("\n" + msg + "\n"));
+    console.log(chalk11.red("\n" + msg + "\n"));
   }
 }
 
 // src/index.ts
 var BANNER = `
-${chalk9.cyan(`    ___              __ _  `)}
-${chalk9.cyan(`   /   |  ____ _____/ /(_) `)}
-${chalk9.cyan(`  / /| | / __ \`/ __  // /  `)}
-${chalk9.cyan(` / ___ |/ /_/ / /_/ // /   `)}
-${chalk9.cyan(`/_/  |_|\\_, /\\__,_//_/    `)}
-${chalk9.cyan(`       /____/              `)}
+${chalk12.cyan(`    ___              __ _  `)}
+${chalk12.cyan(`   /   |  ____ _____/ /(_) `)}
+${chalk12.cyan(`  / /| | / __ \`/ __  // /  `)}
+${chalk12.cyan(` / ___ |/ /_/ / /_/ // /   `)}
+${chalk12.cyan(`/_/  |_|\\_, /\\__,_//_/    `)}
+${chalk12.cyan(`       /____/              `)}
 `;
 var program = new Command();
-program.name("agdi").description(chalk9.cyan("\u{1F680} AI-powered coding assistant")).version("2.1.0").configureHelp({
+program.name("agdi").description(chalk12.cyan("\u{1F680} AI-powered coding assistant")).version("2.1.0").configureHelp({
   // Show banner only when help is requested
   formatHelp: (cmd, helper) => {
-    return BANNER + "\n" + chalk9.gray("  The Open Source AI Architect") + "\n" + chalk9.gray("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n") + "\n" + helper.formatHelp(cmd, helper);
+    return BANNER + "\n" + chalk12.gray("  The Open Source AI Architect") + "\n" + chalk12.gray("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n") + "\n" + helper.formatHelp(cmd, helper);
   }
 });
 program.action(async () => {
@@ -1490,7 +2965,7 @@ program.action(async () => {
     await startCodingMode();
   } catch (error) {
     if (error.name === "ExitPromptError") {
-      console.log(chalk9.gray("\n\n\u{1F44B} Goodbye!\n"));
+      console.log(chalk12.gray("\n\n\u{1F44B} Goodbye!\n"));
       process.exit(0);
     }
     throw error;
@@ -1505,7 +2980,7 @@ program.command("auth").description("Configure API keys").option("--status", "Sh
     }
   } catch (error) {
     if (error.name === "ExitPromptError") {
-      console.log(chalk9.gray("\n\n\u{1F44B} Cancelled.\n"));
+      console.log(chalk12.gray("\n\n\u{1F44B} Cancelled.\n"));
       process.exit(0);
     }
     throw error;
@@ -1516,7 +2991,7 @@ program.command("model").alias("models").description("Change AI model").action(a
     await selectModel();
   } catch (error) {
     if (error.name === "ExitPromptError") {
-      console.log(chalk9.gray("\n\n\u{1F44B} Cancelled.\n"));
+      console.log(chalk12.gray("\n\n\u{1F44B} Cancelled.\n"));
       process.exit(0);
     }
     throw error;
@@ -1530,7 +3005,7 @@ program.command("chat").description("Start a chat session").action(async () => {
     await startChat();
   } catch (error) {
     if (error.name === "ExitPromptError") {
-      console.log(chalk9.gray("\n\n\u{1F44B} Goodbye!\n"));
+      console.log(chalk12.gray("\n\n\u{1F44B} Goodbye!\n"));
       process.exit(0);
     }
     throw error;
@@ -1541,7 +3016,7 @@ program.command("run [directory]").description("Run a generated project").action
     await runProject(directory);
   } catch (error) {
     if (error.name === "ExitPromptError") {
-      console.log(chalk9.gray("\n\n\u{1F44B} Cancelled.\n"));
+      console.log(chalk12.gray("\n\n\u{1F44B} Cancelled.\n"));
       process.exit(0);
     }
     throw error;
@@ -1554,7 +3029,7 @@ program.command("build <prompt>").alias("b").description("Generate an app from a
     }
     const activeConfig = getActiveProvider();
     if (!activeConfig) {
-      console.log(chalk9.red("\u274C No API key configured. Run: agdi auth"));
+      console.log(chalk12.red("\u274C No API key configured. Run: agdi auth"));
       return;
     }
     const spinner = ora4("Generating application...").start();
@@ -1566,30 +3041,30 @@ program.command("build <prompt>").alias("b").description("Generate an app from a
       const pm = new ProjectManager();
       pm.create(options.output.replace("./", ""), prompt);
       const { plan, files } = await generateApp(prompt, llm, (step, file) => {
-        spinner.text = file ? `${step} ${chalk9.gray(file)}` : step;
+        spinner.text = file ? `${step} ${chalk12.gray(file)}` : step;
       });
       pm.updateFiles(files);
       pm.updateDependencies(plan.dependencies);
       await writeProject(pm.get(), options.output);
-      spinner.succeed(chalk9.green("App generated!"));
-      console.log(chalk9.gray(`
-\u{1F4C1} Created ${files.length} files in ${chalk9.cyan(options.output)}`));
-      console.log(chalk9.gray("\nNext: cd " + options.output + " && npm install && npm run dev\n"));
+      spinner.succeed(chalk12.green("App generated!"));
+      console.log(chalk12.gray(`
+\u{1F4C1} Created ${files.length} files in ${chalk12.cyan(options.output)}`));
+      console.log(chalk12.gray("\nNext: cd " + options.output + " && npm install && npm run dev\n"));
     } catch (error) {
       spinner.fail("Generation failed");
       const msg = error instanceof Error ? error.message : String(error);
       if (msg.includes("429") || msg.includes("quota")) {
-        console.log(chalk9.yellow("\n\u26A0\uFE0F  Quota exceeded. Run: agdi model\n"));
+        console.log(chalk12.yellow("\n\u26A0\uFE0F  Quota exceeded. Run: agdi model\n"));
       } else if (msg.includes("401") || msg.includes("403")) {
-        console.log(chalk9.red("\n\u{1F511} Invalid API key. Run: agdi auth\n"));
+        console.log(chalk12.red("\n\u{1F511} Invalid API key. Run: agdi auth\n"));
       } else {
-        console.error(chalk9.red("\n" + msg + "\n"));
+        console.error(chalk12.red("\n" + msg + "\n"));
       }
       process.exit(1);
     }
   } catch (error) {
     if (error.name === "ExitPromptError") {
-      console.log(chalk9.gray("\n\n\u{1F44B} Cancelled.\n"));
+      console.log(chalk12.gray("\n\n\u{1F44B} Cancelled.\n"));
       process.exit(0);
     }
     throw error;
@@ -1598,11 +3073,11 @@ program.command("build <prompt>").alias("b").description("Generate an app from a
 program.command("config").description("Show configuration").action(async () => {
   const config = loadConfig();
   const active = getActiveProvider();
-  console.log(chalk9.cyan.bold("\n\u2699\uFE0F  Configuration\n"));
-  console.log(chalk9.gray("  Provider: ") + chalk9.cyan(config.defaultProvider || "not set"));
-  console.log(chalk9.gray("  Model:    ") + chalk9.cyan(config.defaultModel || "not set"));
-  console.log(chalk9.gray("  Config:   ") + chalk9.gray("~/.agdi/config.json"));
-  console.log(chalk9.cyan.bold("\n\u{1F510} API Keys\n"));
+  console.log(chalk12.cyan.bold("\n\u2699\uFE0F  Configuration\n"));
+  console.log(chalk12.gray("  Provider: ") + chalk12.cyan(config.defaultProvider || "not set"));
+  console.log(chalk12.gray("  Model:    ") + chalk12.cyan(config.defaultModel || "not set"));
+  console.log(chalk12.gray("  Config:   ") + chalk12.gray("~/.agdi/config.json"));
+  console.log(chalk12.cyan.bold("\n\u{1F510} API Keys\n"));
   const keys = [
     ["Gemini", config.geminiApiKey],
     ["OpenRouter", config.openrouterApiKey],
@@ -1611,7 +3086,7 @@ program.command("config").description("Show configuration").action(async () => {
     ["DeepSeek", config.deepseekApiKey]
   ];
   for (const [name, key] of keys) {
-    const status = key ? chalk9.green("\u2713") : chalk9.gray("\u2717");
+    const status = key ? chalk12.green("\u2713") : chalk12.gray("\u2717");
     console.log(`  ${status} ${name}`);
   }
   console.log("");