aiden-runtime 4.1.5 → 4.5.0

package/dist/tools/v4/browser/captchaCheck.js

@@ -57,10 +57,14 @@ exports.CAPTCHA_MARKERS = [
     'request unsuccessful',
     'reference number',
     'this website is using a security service',
-    // hCaptcha / reCAPTCHA explicit
+    // hCaptcha / reCAPTCHA / Turnstile explicit
     'hcaptcha.com',
     'recaptcha',
     'g-recaptcha',
+    // v4.3 Phase 3 — Cloudflare Turnstile (newer than Cloudflare's
+    // older "Just a moment" interstitial; uses its own widget).
+    'cf-turnstile',
+    'turnstile',
     // PerimeterX
     'press and hold',
     'human verification',

package/dist/tools/v4/executeCode.js

@@ -71,6 +71,7 @@ exports.executeCodeTool = {
     category: 'execute',
     mutates: false,
     toolset: 'execute',
+    riskTier: 'caution', // v4.4 Phase 1
     async execute(args) {
         const code = String(args.code ?? '');
         if (!code.trim()) {

package/dist/tools/v4/files/fileCopy.js

@@ -21,6 +21,7 @@ exports.fileCopyTool = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const paths_1 = require("../utils/paths");
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 exports.fileCopyTool = {
     schema: {
         name: 'file_copy',
@@ -37,6 +38,42 @@ exports.fileCopyTool = {
     category: 'write',
     mutates: true,
     toolset: 'files',
+    riskTier: 'caution', // v4.4 Phase 1
+    // v4.4 Phase 4 — dry-run preview.
+    async buildPreview(args, ctx) {
+        const fromRaw = String(args.from ?? args.source ?? '').trim();
+        const toRaw = String(args.to ?? args.dest ?? args.destination ?? '').trim();
+        const src = (0, sandboxFs_1.isPathAllowed)(fromRaw, 'read', ctx.cwd);
+        const dst = (0, sandboxFs_1.isPathAllowed)(toRaw, 'write', ctx.cwd);
+        let srcExists = false;
+        try {
+            await node_fs_1.promises.stat(src.resolvedPath);
+            srcExists = true;
+        }
+        catch { /* missing */ }
+        if (!src.allowed) {
+            return {
+                tool: 'file_copy', args, riskTier: 'caution', detectedRisks: [],
+                sideEffects: [{ type: 'refuse', reason: src.violation.message }],
+                summary: `Refused (source): ${src.violation.code}`,
+            };
+        }
+        if (!dst.allowed) {
+            return {
+                tool: 'file_copy', args, riskTier: 'caution', detectedRisks: [],
+                sideEffects: [{ type: 'refuse', reason: dst.violation.message }],
+                summary: `Refused (dest): ${dst.violation.code}`,
+            };
+        }
+        return {
+            tool: 'file_copy',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'copy_path', from: src.resolvedPath, to: dst.resolvedPath, src_exists: srcExists }],
+            detectedRisks: [],
+            summary: `Would copy ${src.resolvedPath} → ${dst.resolvedPath}${srcExists ? '' : ' (source missing)'}`,
+        };
+    },
     async execute(args, ctx) {
         const fromRaw = String(args.from ?? args.source ?? '').trim();
         const toRaw = String(args.to ?? args.dest ?? args.destination ?? '').trim();
@@ -46,8 +83,25 @@ exports.fileCopyTool = {
         if ((0, paths_1.isProtectedPath)(fromRaw) || (0, paths_1.isProtectedPath)(toRaw)) {
             return { success: false, error: 'Access denied: protected path' };
         }
-        const from = (0, paths_1.expandPath)(fromRaw, ctx.cwd);
-        const to = (0, paths_1.expandPath)(toRaw, ctx.cwd);
+        // v4.4 Phase 2 — sandbox preflight (source = read, dest = write).
+        const srcPolicy = (0, sandboxFs_1.isPathAllowed)(fromRaw, 'read', ctx.cwd);
+        if (!srcPolicy.allowed) {
+            return {
+                success: false,
+                error: srcPolicy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(srcPolicy),
+            };
+        }
+        const dstPolicy = (0, sandboxFs_1.isPathAllowed)(toRaw, 'write', ctx.cwd);
+        if (!dstPolicy.allowed) {
+            return {
+                success: false,
+                error: dstPolicy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(dstPolicy),
+            };
+        }
+        const from = srcPolicy.resolvedPath;
+        const to = dstPolicy.resolvedPath;
         try {
             await node_fs_1.promises.mkdir(node_path_1.default.dirname(to), { recursive: true });
             await node_fs_1.promises.cp(from, to, { recursive: true });

package/dist/tools/v4/files/fileDelete.js

@@ -19,6 +19,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.fileDeleteTool = void 0;
 const node_fs_1 = require("node:fs");
 const paths_1 = require("../utils/paths");
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 exports.fileDeleteTool = {
     schema: {
         name: 'file_delete',
@@ -38,6 +39,33 @@ exports.fileDeleteTool = {
     category: 'write',
     mutates: true,
     toolset: 'files',
+    riskTier: 'dangerous', // v4.4 Phase 1 — irreversible filesystem mutation
+    // v4.4 Phase 4 — dry-run preview.
+    async buildPreview(args, ctx) {
+        const raw = String(args.path ?? args.file ?? '').trim();
+        const recursive = args.recursive === true;
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'delete', ctx.cwd);
+        const resolved = policy.resolvedPath;
+        let exists = false;
+        try {
+            await node_fs_1.promises.stat(resolved);
+            exists = true;
+        }
+        catch { /* missing */ }
+        const sideEffects = policy.allowed
+            ? [{ type: 'delete_file', path: resolved, exists, recursive }]
+            : [{ type: 'refuse', reason: policy.violation.message }];
+        return {
+            tool: 'file_delete',
+            args,
+            riskTier: 'dangerous',
+            sideEffects,
+            detectedRisks: policy.allowed && recursive ? ['recursive_delete'] : [],
+            summary: policy.allowed
+                ? `Would ${recursive ? 'recursively ' : ''}delete ${resolved}${exists ? '' : ' (does not exist)'}`
+                : `Refused: ${policy.violation.code}`,
+        };
+    },
     async execute(args, ctx) {
         const raw = String(args.path ?? args.file ?? '').trim();
         if (!raw)
@@ -45,7 +73,16 @@ exports.fileDeleteTool = {
         if ((0, paths_1.isProtectedPath)(raw)) {
             return { success: false, error: 'Access denied: protected path' };
         }
-        const resolved = (0, paths_1.expandPath)(raw, ctx.cwd);
+        // v4.4 Phase 2 — sandbox preflight (no-op when AIDEN_SANDBOX!=1).
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'delete', ctx.cwd);
+        if (!policy.allowed) {
+            return {
+                success: false,
+                error: policy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(policy),
+            };
+        }
+        const resolved = policy.resolvedPath;
         if ((0, paths_1.isFilesystemRoot)(resolved)) {
             return { success: false, error: 'Refusing to delete filesystem root' };
         }

package/dist/tools/v4/files/fileList.js

@@ -22,6 +22,7 @@ exports.fileListTool = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const node_os_1 = __importDefault(require("node:os"));
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 function expandPath(input, cwd) {
     const home = node_os_1.default.homedir();
     let p = input;
@@ -54,9 +55,19 @@ exports.fileListTool = {
     category: 'read',
     mutates: false,
     toolset: 'files',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, ctx) {
         const raw = String(args.path ?? args.dir ?? ctx.cwd).trim();
-        const resolved = expandPath(raw || ctx.cwd, ctx.cwd);
+        // v4.4 Phase 2 — sandbox preflight (no-op when AIDEN_SANDBOX!=1).
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw || ctx.cwd, 'read', ctx.cwd);
+        if (!policy.allowed) {
+            return {
+                success: false,
+                error: policy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(policy),
+            };
+        }
+        const resolved = policy.resolvedPath;
         try {
             const entries = await node_fs_1.promises.readdir(resolved, { withFileTypes: true });
             const items = entries.map((e) => ({

package/dist/tools/v4/files/fileMove.js

@@ -22,6 +22,7 @@ exports.fileMoveTool = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const paths_1 = require("../utils/paths");
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 exports.fileMoveTool = {
     schema: {
         name: 'file_move',
@@ -38,6 +39,42 @@ exports.fileMoveTool = {
     category: 'write',
     mutates: true,
     toolset: 'files',
+    riskTier: 'caution', // v4.4 Phase 1
+    // v4.4 Phase 4 — dry-run preview.
+    async buildPreview(args, ctx) {
+        const fromRaw = String(args.from ?? args.source ?? '').trim();
+        const toRaw = String(args.to ?? args.dest ?? args.destination ?? '').trim();
+        const src = (0, sandboxFs_1.isPathAllowed)(fromRaw, 'write', ctx.cwd);
+        const dst = (0, sandboxFs_1.isPathAllowed)(toRaw, 'write', ctx.cwd);
+        let srcExists = false;
+        try {
+            await node_fs_1.promises.stat(src.resolvedPath);
+            srcExists = true;
+        }
+        catch { /* missing */ }
+        if (!src.allowed) {
+            return {
+                tool: 'file_move', args, riskTier: 'caution', detectedRisks: [],
+                sideEffects: [{ type: 'refuse', reason: src.violation.message }],
+                summary: `Refused (source): ${src.violation.code}`,
+            };
+        }
+        if (!dst.allowed) {
+            return {
+                tool: 'file_move', args, riskTier: 'caution', detectedRisks: [],
+                sideEffects: [{ type: 'refuse', reason: dst.violation.message }],
+                summary: `Refused (dest): ${dst.violation.code}`,
+            };
+        }
+        return {
+            tool: 'file_move',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'move_path', from: src.resolvedPath, to: dst.resolvedPath, src_exists: srcExists }],
+            detectedRisks: [],
+            summary: `Would move ${src.resolvedPath} → ${dst.resolvedPath}${srcExists ? '' : ' (source missing)'}`,
+        };
+    },
     async execute(args, ctx) {
         const fromRaw = String(args.from ?? args.source ?? '').trim();
         const toRaw = String(args.to ?? args.dest ?? args.destination ?? '').trim();
@@ -47,8 +84,28 @@ exports.fileMoveTool = {
         if ((0, paths_1.isProtectedPath)(fromRaw) || (0, paths_1.isProtectedPath)(toRaw)) {
             return { success: false, error: 'Access denied: protected path' };
         }
-        const from = (0, paths_1.expandPath)(fromRaw, ctx.cwd);
-        const to = (0, paths_1.expandPath)(toRaw, ctx.cwd);
+        // v4.4 Phase 2 — sandbox preflight. Move = read source + write dest;
+        // since the source is also being deleted, this could arguably be
+        // 'delete' on source — but delete and write share the same allowlist
+        // semantics in the policy. 'read' on source matches copy's shape.
+        const srcPolicy = (0, sandboxFs_1.isPathAllowed)(fromRaw, 'write', ctx.cwd);
+        if (!srcPolicy.allowed) {
+            return {
+                success: false,
+                error: srcPolicy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(srcPolicy),
+            };
+        }
+        const dstPolicy = (0, sandboxFs_1.isPathAllowed)(toRaw, 'write', ctx.cwd);
+        if (!dstPolicy.allowed) {
+            return {
+                success: false,
+                error: dstPolicy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(dstPolicy),
+            };
+        }
+        const from = srcPolicy.resolvedPath;
+        const to = dstPolicy.resolvedPath;
         try {
             await node_fs_1.promises.mkdir(node_path_1.default.dirname(to), { recursive: true });
             try {

package/dist/tools/v4/files/filePatch.js

@@ -19,6 +19,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.filePatchTool = void 0;
 const node_fs_1 = require("node:fs");
 const paths_1 = require("../utils/paths");
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 exports.filePatchTool = {
     schema: {
         name: 'file_patch',
@@ -40,6 +41,38 @@ exports.filePatchTool = {
     category: 'write',
     mutates: true,
     toolset: 'files',
+    riskTier: 'caution', // v4.4 Phase 1
+    // v4.4 Phase 4 — dry-run preview.
+    async buildPreview(args, ctx) {
+        const raw = String(args.path ?? args.file ?? '').trim();
+        const find = typeof args.find === 'string' ? args.find : '';
+        const replace = typeof args.replace === 'string' ? args.replace : '';
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'write', ctx.cwd);
+        const resolved = policy.resolvedPath;
+        let matches = 0;
+        let bytesDelta = 0;
+        if (policy.allowed && find) {
+            try {
+                const txt = await node_fs_1.promises.readFile(resolved, 'utf-8');
+                matches = txt.split(find).length - 1;
+                bytesDelta = matches * (Buffer.byteLength(replace, 'utf-8') - Buffer.byteLength(find, 'utf-8'));
+            }
+            catch { /* file may not exist — surfaced as 0 matches */ }
+        }
+        const sideEffects = policy.allowed
+            ? [{ type: 'patch_file', path: resolved, matches, bytes_delta: bytesDelta }]
+            : [{ type: 'refuse', reason: policy.violation.message }];
+        return {
+            tool: 'file_patch',
+            args,
+            riskTier: 'caution',
+            sideEffects,
+            detectedRisks: [],
+            summary: policy.allowed
+                ? `Would patch ${resolved} (${matches} match${matches === 1 ? '' : 'es'}, Δ ${bytesDelta} bytes)`
+                : `Refused: ${policy.violation.code}`,
+        };
+    },
     async execute(args, ctx) {
         const raw = String(args.path ?? args.file ?? '').trim();
         if (!raw)
@@ -47,12 +80,21 @@ exports.filePatchTool = {
         if ((0, paths_1.isProtectedPath)(raw)) {
             return { success: false, error: 'Access denied: protected path' };
         }
+        // v4.4 Phase 2 — sandbox preflight (no-op when AIDEN_SANDBOX!=1).
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'write', ctx.cwd);
+        if (!policy.allowed) {
+            return {
+                success: false,
+                error: policy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(policy),
+            };
+        }
         const find = typeof args.find === 'string' ? args.find : '';
         const replace = typeof args.replace === 'string' ? args.replace : '';
         if (!find)
             return { success: false, error: 'Empty find string' };
         const replaceAll = args.replace_all === true;
-        const resolved = (0, paths_1.expandPath)(raw, ctx.cwd);
+        const resolved = policy.resolvedPath;
         try {
             const original = await node_fs_1.promises.readFile(resolved, 'utf-8');
             const occurrences = original.split(find).length - 1;

package/dist/tools/v4/files/fileRead.js

@@ -24,6 +24,7 @@ exports.fileReadTool = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const node_os_1 = __importDefault(require("node:os"));
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
 const MAX_OUTPUT = 5000;
 const DENY_PATTERNS = [
     /[\\/]\.ssh[\\/]/i,
@@ -73,6 +74,7 @@ exports.fileReadTool = {
     category: 'read',
     mutates: false,
     toolset: 'files',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, ctx) {
         const raw = String(args.path ?? args.file ?? '').trim();
         if (!raw)
@@ -83,7 +85,16 @@ exports.fileReadTool = {
                 error: 'Access denied: protected path (credentials/keys/.env)',
             };
         }
-        const resolved = expandPath(raw, ctx.cwd);
+        // v4.4 Phase 2 — sandbox preflight (no-op when AIDEN_SANDBOX!=1).
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'read', ctx.cwd);
+        if (!policy.allowed) {
+            return {
+                success: false,
+                error: policy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(policy),
+            };
+        }
+        const resolved = policy.resolvedPath;
         try {
             const content = await node_fs_1.promises.readFile(resolved, 'utf-8');
             return {

package/dist/tools/v4/files/fileWrite.js

@@ -23,6 +23,8 @@ exports.fileWriteTool = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = __importDefault(require("node:path"));
 const paths_1 = require("../utils/paths");
+const sandboxFs_1 = require("../../../core/v4/sandboxFs");
+const dryRun_1 = require("../../../core/v4/dryRun");
 exports.fileWriteTool = {
     schema: {
         name: 'file_write',
@@ -39,6 +41,35 @@ exports.fileWriteTool = {
     category: 'write',
     mutates: true,
     toolset: 'files',
+    riskTier: 'caution', // v4.4 Phase 1
+    // v4.4 Phase 4 — dry-run preview.
+    async buildPreview(args, ctx) {
+        const raw = String(args.path ?? args.file ?? '').trim();
+        const content = typeof args.content === 'string' ? args.content : '';
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'write', ctx.cwd);
+        const resolved = policy.resolvedPath;
+        let prevBytes;
+        try {
+            prevBytes = (await node_fs_1.promises.stat(resolved)).size;
+        }
+        catch { /* didn't exist */ }
+        const newBytes = Buffer.byteLength(content, 'utf-8');
+        const sideEffects = policy.allowed
+            ? [prevBytes !== undefined
+                    ? { type: 'overwrite_file', path: resolved, prev_bytes: prevBytes, new_bytes: newBytes, preview: (0, dryRun_1.truncatePreview)(content) }
+                    : { type: 'create_file', path: resolved, bytes: newBytes, preview: (0, dryRun_1.truncatePreview)(content) }]
+            : [{ type: 'refuse', reason: policy.violation.message }];
+        return {
+            tool: 'file_write',
+            args,
+            riskTier: 'caution',
+            sideEffects,
+            detectedRisks: [],
+            summary: policy.allowed
+                ? `Would write ${newBytes} bytes to ${resolved}`
+                : `Refused: ${policy.violation.code}`,
+        };
+    },
     async execute(args, ctx) {
         const raw = String(args.path ?? args.file ?? '').trim();
         if (!raw)
@@ -46,8 +77,17 @@ exports.fileWriteTool = {
         if ((0, paths_1.isProtectedPath)(raw)) {
             return { success: false, error: 'Access denied: protected path' };
         }
+        // v4.4 Phase 2 — sandbox preflight (no-op when AIDEN_SANDBOX!=1).
+        const policy = (0, sandboxFs_1.isPathAllowed)(raw, 'write', ctx.cwd);
+        if (!policy.allowed) {
+            return {
+                success: false,
+                error: policy.violation.message,
+                sandbox_violation: (0, sandboxFs_1.violationEnvelope)(policy),
+            };
+        }
         const content = typeof args.content === 'string' ? args.content : '';
-        const resolved = (0, paths_1.expandPath)(raw, ctx.cwd);
+        const resolved = policy.resolvedPath;
         try {
             await node_fs_1.promises.mkdir(node_path_1.default.dirname(resolved), { recursive: true });
             await node_fs_1.promises.writeFile(resolved, content, 'utf-8');

package/dist/tools/v4/index.js

@@ -26,6 +26,7 @@ exports.sessionSummaryTool = exports.memoryRemoveTool = void 0;
 exports.registerReadOnlyTools = registerReadOnlyTools;
 exports.registerWriteTools = registerWriteTools;
 exports.registerAllTools = registerAllTools;
+const dryRun_1 = require("../../core/v4/dryRun");
 const webSearch_1 = require("./web/webSearch");
 const webFetch_1 = require("./web/webFetch");
 const webPage_1 = require("./web/webPage");
@@ -96,54 +97,61 @@ const subagentFanout_1 = require("./subagent/subagentFanout");
  * the full set).
  */
 function registerReadOnlyTools(registry) {
-    registry.register(webSearch_1.webSearchTool);
-    registry.register(webFetch_1.webFetchTool);
-    registry.register(webPage_1.webPageTool);
-    registry.register(deepResearch_1.deepResearchTool);
+    // v4.4 Phase 4 — every handler is funneled through withDryRun so
+    // AIDEN_DRYRUN=1 short-circuits `execute` to a preview. Read-only
+    // tools pass through unchanged (the HOC returns the handler as-is
+    // when `mutates: false`); the wrapper is cheap (`if (!mutates)
+    // return handler`) and keeps the registration call sites uniform
+    // across read/write tool sets.
+    const register = (h) => registry.register((0, dryRun_1.withDryRun)(h));
+    register(webSearch_1.webSearchTool);
+    register(webFetch_1.webFetchTool);
+    register(webPage_1.webPageTool);
+    register(deepResearch_1.deepResearchTool);
     // Phase 16f: open_url uses shell launch (start chrome / open / xdg-open)
     // for "open X in browser" requests — bypasses Playwright detection.
-    registry.register(openUrl_1.openUrlTool);
+    register(openUrl_1.openUrlTool);
     // Phase 23.4a: youtube_search returns real /watch?v= URLs scraped
     // from youtube.com/results. media-search uses it before open_url so
     // the URL provenance gate has a candidate set to validate against —
     // closes the URL-hallucination failure mode where the model invented
     // 11-char IDs.
-    registry.register(youtubeSearch_1.youtubeSearchTool);
-    registry.register(fileRead_1.fileReadTool);
-    registry.register(fileList_1.fileListTool);
-    registry.register(browserScreenshot_1.browserScreenshotTool);
-    registry.register(browserExtract_1.browserExtractTool);
-    registry.register(browserGetUrl_1.browserGetUrlTool);
-    registry.register(sessionSearch_1.sessionSearchTool);
-    registry.register(sessionList_1.sessionListTool);
+    register(youtubeSearch_1.youtubeSearchTool);
+    register(fileRead_1.fileReadTool);
+    register(fileList_1.fileListTool);
+    register(browserScreenshot_1.browserScreenshotTool);
+    register(browserExtract_1.browserExtractTool);
+    register(browserGetUrl_1.browserGetUrlTool);
+    register(sessionSearch_1.sessionSearchTool);
+    register(sessionList_1.sessionListTool);
     // Phase v4.1.2-memory-C: recall_session reads SessionDistillation
     // files written by Phase A+B. Sits alongside session_search — the
     // two have distinct purposes (FTS5-over-messages vs ranked
     // distillation summaries); descriptions force the right model
     // choice.
-    registry.register(recallSession_1.recallSessionTool);
-    registry.register(skillsList_1.skillsListTool);
-    registry.register(skillView_1.skillViewTool);
-    registry.register(systemInfo_1.systemInfoTool);
-    registry.register(nowPlaying_1.nowPlayingTool);
-    registry.register(naturalEvents_1.naturalEventsTool);
+    register(recallSession_1.recallSessionTool);
+    register(skillsList_1.skillsListTool);
+    register(skillView_1.skillViewTool);
+    register(systemInfo_1.systemInfoTool);
+    register(nowPlaying_1.nowPlayingTool);
+    register(naturalEvents_1.naturalEventsTool);
     // Phase v4.1.2-followup-3 — computer-control read-only tools.
-    registry.register(screenshot_1.screenshotTool);
-    registry.register(osProcessList_1.osProcessListTool);
-    registry.register(clipboardRead_1.clipboardReadTool);
+    register(screenshot_1.screenshotTool);
+    register(osProcessList_1.osProcessListTool);
+    register(clipboardRead_1.clipboardReadTool);
     // v4.1.4-media — GSMTC session enumeration (read). Pair with
     // mediaTransport (write) in the write-tools registration below.
-    registry.register(mediaSessions_1.mediaSessionsTool);
-    registry.register((0, lookupToolSchema_1.makeLookupToolSchema)(registry));
+    register(mediaSessions_1.mediaSessionsTool);
+    register((0, lookupToolSchema_1.makeLookupToolSchema)(registry));
     // Phase v4.1-subagent — register a stub for subagent_fanout so its
     // schema is visible to the agent loop, the MCP server, and the
     // /tools slash command BEFORE the runtime resolves provider /
     // adapter / agent dependencies. The full runtime calls
-    // `registry.register(makeSubagentFanoutTool({...real opts}))` to
+    // `register(makeSubagentFanoutTool({...real opts}))` to
     // replace this stub once `buildAgentRuntime` has those handles.
     // Until then, calling the stub returns a clear "not wired" error
     // rather than crashing.
-    registry.register(makeSubagentFanoutStub());
+    register(makeSubagentFanoutStub());
 }
 /** Stub used until the runtime wires real provider / adapter / agent
  *  dependencies. Returns the SAME schema as the real tool so MCP and
@@ -156,7 +164,7 @@ function makeSubagentFanoutStub() {
             apiMode: 'chat_completions',
             async call() {
                 throw new Error('subagent_fanout: tool not wired — runtime did not replace the stub. ' +
-                    'Call registry.register(makeSubagentFanoutTool({...})) after buildAgentRuntime.');
+                    'Call register(makeSubagentFanoutTool({...})) after buildAgentRuntime.');
             },
         },
         runChild: async () => {
@@ -170,50 +178,55 @@ function makeSubagentFanoutStub() {
  * engine — the registration order doesn't matter for that.
  */
 function registerWriteTools(registry) {
-    registry.register(fileWrite_1.fileWriteTool);
-    registry.register(filePatch_1.filePatchTool);
-    registry.register(fileDelete_1.fileDeleteTool);
-    registry.register(fileMove_1.fileMoveTool);
-    registry.register(fileCopy_1.fileCopyTool);
-    registry.register(shellExec_1.shellExecTool);
-    registry.register(browserNavigate_1.browserNavigateTool);
-    registry.register(browserClick_1.browserClickTool);
-    registry.register(browserType_1.browserTypeTool);
-    registry.register(browserFill_1.browserFillTool);
-    registry.register(browserScroll_1.browserScrollTool);
-    registry.register(browserClose_1.browserCloseTool);
-    registry.register(executeCode_1.executeCodeTool);
-    registry.register(processSpawn_1.processSpawnTool);
-    registry.register(processList_1.processListTool);
-    registry.register(processLogRead_1.processLogReadTool);
-    registry.register(processKill_1.processKillTool);
-    registry.register(processWait_1.processWaitTool);
+    // v4.4 Phase 4 — same withDryRun wrap as registerReadOnlyTools.
+    // Write tools are where the preview path is actually hot — when
+    // AIDEN_DRYRUN=1, each handler's `buildPreview` is called instead
+    // of `execute`.
+    const register = (h) => registry.register((0, dryRun_1.withDryRun)(h));
+    register(fileWrite_1.fileWriteTool);
+    register(filePatch_1.filePatchTool);
+    register(fileDelete_1.fileDeleteTool);
+    register(fileMove_1.fileMoveTool);
+    register(fileCopy_1.fileCopyTool);
+    register(shellExec_1.shellExecTool);
+    register(browserNavigate_1.browserNavigateTool);
+    register(browserClick_1.browserClickTool);
+    register(browserType_1.browserTypeTool);
+    register(browserFill_1.browserFillTool);
+    register(browserScroll_1.browserScrollTool);
+    register(browserClose_1.browserCloseTool);
+    register(executeCode_1.executeCodeTool);
+    register(processSpawn_1.processSpawnTool);
+    register(processList_1.processListTool);
+    register(processLogRead_1.processLogReadTool);
+    register(processKill_1.processKillTool);
+    register(processWait_1.processWaitTool);
     // Phase 9: memory write tools (gated by MemoryGuard for read-back
     // verification, then by the approval engine like every other write).
-    registry.register(memoryAdd_1.memoryAddTool);
-    registry.register(memoryReplace_1.memoryReplaceTool);
-    registry.register(memoryRemove_1.memoryRemoveTool);
+    register(memoryAdd_1.memoryAddTool);
+    register(memoryReplace_1.memoryReplaceTool);
+    register(memoryRemove_1.memoryRemoveTool);
     // Phase v4.1.2 alive-core: cross-session continuity via /quit auto-summary.
-    registry.register(sessionSummary_1.sessionSummaryTool);
+    register(sessionSummary_1.sessionSummaryTool);
     // Phase 10: skill_manage — mutating, also goes through the approval
     // engine. skills_list / skill_view stay in registerReadOnlyTools.
-    registry.register(skillManage_1.skillManageTool);
+    register(skillManage_1.skillManageTool);
     // Phase v4.1.2-update: natural-language entry to the same install
     // executor that /update install uses. Two-step confirmation gate
     // (confirm:false → status; confirm:true → install).
-    registry.register(aidenSelfUpdate_1.aidenSelfUpdateTool);
+    register(aidenSelfUpdate_1.aidenSelfUpdateTool);
     // Phase v4.1.2-followup-3 — computer-control mutating tools. All
     // route through the approval engine like every other write.
-    registry.register(mediaKey_1.mediaKeyTool);
-    registry.register(volumeSet_1.volumeSetTool);
-    registry.register(appLaunch_1.appLaunchTool);
-    registry.register(appClose_1.appCloseTool);
-    registry.register(clipboardWrite_1.clipboardWriteTool);
+    register(mediaKey_1.mediaKeyTool);
+    register(volumeSet_1.volumeSetTool);
+    register(appLaunch_1.appLaunchTool);
+    register(appClose_1.appCloseTool);
+    register(clipboardWrite_1.clipboardWriteTool);
     // v4.1.4-media — verified GSMTC transport (replaces mediaKey for
     // the "name an app, play/pause it" case) + focused-window SendKeys
     // (escape hatch when GSMTC doesn't enumerate the surface).
-    registry.register(mediaTransport_1.mediaTransportTool);
-    registry.register(appInput_1.appInputTool);
+    register(mediaTransport_1.mediaTransportTool);
+    register(appInput_1.appInputTool);
 }
 /** Register every v4 tool. Most callers want this. */
 function registerAllTools(registry) {