aiden-runtime 4.1.5 → 4.5.0

package/dist/tools/v4/memory/memoryAdd.js

@@ -17,6 +17,7 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.memoryAddTool = void 0;
+const dryRun_1 = require("../../../core/v4/dryRun");
 exports.memoryAddTool = {
     schema: {
         name: 'memory_add',
@@ -37,6 +38,19 @@ exports.memoryAddTool = {
     category: 'write',
     mutates: true,
     toolset: 'memory',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const file = args.file === 'user' ? 'user' : 'memory';
+        const content = String(args.content ?? '');
+        return {
+            tool: 'memory_add',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'memory_write', op: 'add', bullet: (0, dryRun_1.truncatePreview)(content) }],
+            detectedRisks: [],
+            summary: `Would append to ${file === 'user' ? 'USER.md' : 'MEMORY.md'}: "${(0, dryRun_1.truncatePreview)(content, 80)}"`,
+        };
+    },
     async execute(args, ctx) {
         if (!ctx.memoryGuard) {
             return { success: false, error: 'memory guard not configured' };

package/dist/tools/v4/memory/memoryRemove.js

@@ -31,6 +31,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.memoryRemoveTool = void 0;
 const memoryGuard_1 = require("../../../moat/memoryGuard");
+const dryRun_1 = require("../../../core/v4/dryRun");
 /** Section in MEMORY.md that Phase D promotion writes to. */
 const DURABLE_FACTS_HEADER = '## Durable facts';
 exports.memoryRemoveTool = {
@@ -59,6 +60,19 @@ exports.memoryRemoveTool = {
     category: 'write',
     mutates: true,
     toolset: 'memory',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const file = args.file === 'user' ? 'user' : 'memory';
+        const text = String(args.text ?? '');
+        return {
+            tool: 'memory_remove',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'memory_write', op: 'remove', pattern: (0, dryRun_1.truncatePreview)(text, 80) }],
+            detectedRisks: [],
+            summary: `Would remove from ${file === 'user' ? 'USER.md' : 'MEMORY.md'}: "${(0, dryRun_1.truncatePreview)(text, 80)}"`,
+        };
+    },
     async execute(args, ctx) {
         if (!ctx.memoryGuard) {
             return { success: false, error: 'memory guard not configured' };

package/dist/tools/v4/memory/memoryReplace.js

@@ -16,6 +16,7 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.memoryReplaceTool = void 0;
+const dryRun_1 = require("../../../core/v4/dryRun");
 exports.memoryReplaceTool = {
     schema: {
         name: 'memory_replace',
@@ -37,6 +38,20 @@ exports.memoryReplaceTool = {
     category: 'write',
     mutates: true,
     toolset: 'memory',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const file = args.file === 'user' ? 'user' : 'memory';
+        const oldText = String(args.old_text ?? args.oldText ?? '');
+        const newText = String(args.new_text ?? args.newText ?? '');
+        return {
+            tool: 'memory_replace',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'memory_write', op: 'replace', pattern: (0, dryRun_1.truncatePreview)(oldText, 80), bullet: (0, dryRun_1.truncatePreview)(newText, 80) }],
+            detectedRisks: [],
+            summary: `Would replace in ${file === 'user' ? 'USER.md' : 'MEMORY.md'}: "${(0, dryRun_1.truncatePreview)(oldText, 40)}" → "${(0, dryRun_1.truncatePreview)(newText, 40)}"`,
+        };
+    },
     async execute(args, ctx) {
         if (!ctx.memoryGuard) {
             return { success: false, error: 'memory guard not configured' };

package/dist/tools/v4/memory/sessionSummary.js

@@ -100,6 +100,18 @@ exports.sessionSummaryTool = {
     category: 'write',
     mutates: true,
     toolset: 'memory',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args, ctx) {
+        const sessionId = String(args.session_id ?? args.sessionId ?? ctx.sessionId ?? 'current');
+        return {
+            tool: 'session_summary',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'session_distill', session_id: sessionId }],
+            detectedRisks: [],
+            summary: `Would distill session ${sessionId} into Recent-sessions section of MEMORY.md`,
+        };
+    },
     async execute(args, ctx) {
         if (!ctx.memoryGuard) {
             return { success: false, error: 'memory guard not configured' };

package/dist/tools/v4/process/processKill.js

@@ -31,6 +31,25 @@ exports.processKillTool = {
     category: 'write',
     mutates: true,
     toolset: 'process',
+    riskTier: 'dangerous', // v4.4 Phase 1
+    buildPreview(args, ctx) {
+        const id = String(args.id ?? '').trim();
+        const signal = args.signal || 'SIGTERM';
+        let pid = -1;
+        if (ctx.processes && id) {
+            const h = ctx.processes.get(id);
+            if (h && typeof h.pid === 'number')
+                pid = h.pid;
+        }
+        return {
+            tool: 'process_kill',
+            args,
+            riskTier: 'dangerous',
+            sideEffects: [{ type: 'process_kill', pid, signal }],
+            detectedRisks: signal === 'SIGKILL' ? ['SIGKILL'] : [],
+            summary: `Would send ${signal} to process ${id}${pid > 0 ? ` (pid ${pid})` : ''}`,
+        };
+    },
     async execute(args, ctx) {
         if (!ctx.processes) {
             return { success: false, error: 'process registry not configured' };

package/dist/tools/v4/process/processList.js

@@ -21,6 +21,7 @@ exports.processListTool = {
     category: 'read',
     mutates: false,
     toolset: 'process',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(_args, ctx) {
         if (!ctx.processes) {
             return { success: false, error: 'process registry not configured' };

package/dist/tools/v4/process/processLogRead.js

@@ -31,6 +31,7 @@ exports.processLogReadTool = {
     category: 'read',
     mutates: false,
     toolset: 'process',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, ctx) {
         if (!ctx.processes) {
             return { success: false, error: 'process registry not configured' };

package/dist/tools/v4/process/processSpawn.js

@@ -32,6 +32,19 @@ exports.processSpawnTool = {
     category: 'execute',
     mutates: true,
     toolset: 'process',
+    riskTier: 'dangerous', // v4.4 Phase 1
+    buildPreview(args, ctx) {
+        const command = String(args.command ?? '').trim();
+        const cwd = typeof args.cwd === 'string' ? args.cwd : ctx.cwd;
+        return {
+            tool: 'process_spawn',
+            args,
+            riskTier: 'dangerous',
+            sideEffects: [{ type: 'process_spawn', command, args: [] }],
+            detectedRisks: [],
+            summary: `Would spawn background process: \`${command.length > 80 ? command.slice(0, 80) + '…' : command}\` in ${cwd}`,
+        };
+    },
     async execute(args, ctx) {
         if (!ctx.processes) {
             return { success: false, error: 'process registry not configured' };

package/dist/tools/v4/process/processWait.js

@@ -33,6 +33,7 @@ exports.processWaitTool = {
     category: 'read',
     mutates: false,
     toolset: 'process',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, ctx) {
         if (!ctx.processes) {
             return { success: false, error: 'process registry not configured' };

package/dist/tools/v4/sessions/recallSession.js

@@ -78,6 +78,7 @@ exports.recallSessionTool = {
     category: 'read',
     mutates: false,
     toolset: 'sessions',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, ctx) {
         if (!ctx.paths?.root) {
             return {

package/dist/tools/v4/sessions/sessionList.js

@@ -40,6 +40,7 @@ exports.sessionListTool = {
     category: 'read',
     mutates: false,
     toolset: 'sessions',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, ctx) {
         if (!ctx.sessions) {
             return {

package/dist/tools/v4/sessions/sessionSearch.js

@@ -45,6 +45,7 @@ exports.sessionSearchTool = {
     category: 'read',
     mutates: false,
     toolset: 'sessions',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, ctx) {
         const query = String(args.query ?? '').trim();
         if (!query)

package/dist/tools/v4/skills/lookupToolSchema.js

@@ -45,6 +45,7 @@ function makeLookupToolSchema(registry) {
         category: 'read',
         mutates: false,
         toolset: 'skills',
+        riskTier: 'safe', // v4.4 Phase 1
         async execute(args) {
             const name = String(args.toolName ?? args.name ?? '').trim();
             if (!name)
@@ -63,6 +64,7 @@ function makeLookupToolSchema(registry) {
                 category: handler.category,
                 mutates: handler.mutates,
                 toolset: handler.toolset,
+                riskTier: 'safe', // v4.4 Phase 1
             };
         },
     };

package/dist/tools/v4/skills/skillManage.js

@@ -78,6 +78,19 @@ exports.skillManageTool = {
     category: 'write',
     mutates: true,
     toolset: 'skills',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const action = typeof args.action === 'string' ? args.action : '';
+        const name = typeof args.name === 'string' ? args.name : '';
+        return {
+            tool: 'skill_manage',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'skill_write', op: action, name }],
+            detectedRisks: action === 'delete' ? ['skill_delete'] : [],
+            summary: `Would ${action} skill: ${name}`,
+        };
+    },
     async execute(args, ctx) {
         if (!ctx.skillLoader || !ctx.paths) {
             return { success: false, error: 'No skill loader configured' };

package/dist/tools/v4/skills/skillView.js

@@ -38,6 +38,7 @@ exports.skillViewTool = {
     category: 'read',
     mutates: false,
     toolset: 'skills',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, ctx) {
         if (!ctx.skillLoader) {
             return { success: false, error: 'No skill loader configured' };

package/dist/tools/v4/skills/skillsList.js

@@ -31,6 +31,7 @@ exports.skillsListTool = {
     category: 'read',
     mutates: false,
     toolset: 'skills',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(_args, ctx) {
         if (!ctx.skillLoader) {
             return {

package/dist/tools/v4/subagent/subagentFanout.js

@@ -122,6 +122,7 @@ function makeSubagentFanoutTool(factory) {
         category: 'network',
         mutates: false,
         toolset: 'subagent',
+        riskTier: 'caution', // v4.4 Phase 1
         async execute(args, _ctx) {
             const logger = factory.logger ?? (0, factory_1.noopLogger)();
             // ── Coerce args ────────────────────────────────────────────

package/dist/tools/v4/system/aidenSelfUpdate.js

@@ -68,6 +68,22 @@ exports.aidenSelfUpdateTool = {
     category: 'write',
     mutates: true,
     toolset: 'system',
+    riskTier: 'dangerous', // v4.4 Phase 1
+    // v4.4 Phase 4 — dry-run refuses; self-update bootstrapping is not
+    // safe to model with a no-op preview.
+    buildPreview(args) {
+        return {
+            tool: 'aiden_self_update',
+            args,
+            riskTier: 'dangerous',
+            sideEffects: [{
+                    type: 'refuse',
+                    reason: 'aiden_self_update is not safe to preview in dry-run mode. Set AIDEN_DRYRUN=0 to perform a real self-update (with the usual approval-engine confirmation).',
+                }],
+            detectedRisks: ['self_update'],
+            summary: 'Refused: aiden_self_update cannot be previewed in dry-run mode',
+        };
+    },
     async execute(args, ctx) {
         if (!ctx.paths) {
             return {

package/dist/tools/v4/system/appClose.js

@@ -53,6 +53,19 @@ exports.appCloseTool = {
     category: 'execute',
     mutates: true,
     toolset: 'system',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const app = typeof args.app === 'string' ? args.app : '';
+        const force = args.force === true;
+        return {
+            tool: 'app_close',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'app_control', action: force ? 'force-close' : 'close', target: app }],
+            detectedRisks: force ? ['force_close'] : [],
+            summary: `Would ${force ? 'force-' : ''}close app: ${app}`,
+        };
+    },
     async execute(args, _ctx) {
         if (!(0, _psHelpers_1.isWindows)())
             return (0, _psHelpers_1.windowsOnlyError)('app_close');

package/dist/tools/v4/system/appInput.js

@@ -89,6 +89,19 @@ exports.appInputTool = {
     category: 'execute',
     mutates: true,
     toolset: 'system',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const app = typeof args.app === 'string' ? args.app : '';
+        const keys = typeof args.keys === 'string' ? args.keys : '';
+        return {
+            tool: 'app_input',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'app_control', action: `send-keys:${keys}`, target: app }],
+            detectedRisks: [],
+            summary: `Would send keys "${keys}" to app: ${app}`,
+        };
+    },
     async execute(args, _ctx) {
         if (!(0, _psHelpers_1.isWindows)()) {
             return (0, _psHelpers_1.windowsOnlyError)('app_input', {

package/dist/tools/v4/system/appLaunch.js

@@ -123,6 +123,19 @@ exports.appLaunchTool = {
     category: 'execute',
     mutates: true,
     toolset: 'system',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const app = typeof args.app === 'string' ? args.app : '';
+        const cliArgs = Array.isArray(args.args) ? args.args.map(String) : [];
+        return {
+            tool: 'app_launch',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'app_control', action: 'launch', target: app + (cliArgs.length ? ' ' + cliArgs.join(' ') : '') }],
+            detectedRisks: [],
+            summary: `Would launch app: ${app}${cliArgs.length ? ' with args ' + cliArgs.join(' ') : ''}`,
+        };
+    },
     async execute(args, _ctx) {
         if (!(0, _psHelpers_1.isWindows)())
             return (0, _psHelpers_1.windowsOnlyError)('app_launch');

package/dist/tools/v4/system/clipboardRead.js

@@ -32,6 +32,7 @@ exports.clipboardReadTool = {
     category: 'read',
     mutates: false,
     toolset: 'system',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(_args, _ctx) {
         if (!(0, _psHelpers_1.isWindows)())
             return (0, _psHelpers_1.windowsOnlyError)('clipboard_read');

package/dist/tools/v4/system/clipboardWrite.js

@@ -19,6 +19,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.clipboardWriteTool = void 0;
 const node_child_process_1 = require("node:child_process");
 const _psHelpers_1 = require("./_psHelpers");
+const dryRun_1 = require("../../../core/v4/dryRun");
 /**
  * Spawn `powershell.exe Set-Clipboard` with the text piped on stdin.
  * Wrapper Promise so the tool's `execute` can `await` it.
@@ -61,6 +62,19 @@ exports.clipboardWriteTool = {
     category: 'execute',
     mutates: true,
     toolset: 'system',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const text = typeof args.text === 'string' ? args.text : '';
+        const bytes = Buffer.byteLength(text, 'utf-8');
+        return {
+            tool: 'clipboard_write',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'clipboard_write', bytes, preview: (0, dryRun_1.truncatePreview)(text) }],
+            detectedRisks: [],
+            summary: `Would write ${bytes} bytes to clipboard`,
+        };
+    },
     async execute(args, _ctx) {
         if (!(0, _psHelpers_1.isWindows)())
             return (0, _psHelpers_1.windowsOnlyError)('clipboard_write');

package/dist/tools/v4/system/mediaKey.js

@@ -53,6 +53,18 @@ exports.mediaKeyTool = {
     category: 'execute',
     mutates: true,
     toolset: 'system',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const action = typeof args.action === 'string' ? args.action : '';
+        return {
+            tool: 'media_key',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'media_control', action }],
+            detectedRisks: [],
+            summary: `Would send media key: ${action}`,
+        };
+    },
     async execute(args, _ctx) {
         if (!(0, _psHelpers_1.isWindows)()) {
             return (0, _psHelpers_1.windowsOnlyError)('media_key', {

package/dist/tools/v4/system/mediaSessions.js

@@ -113,6 +113,7 @@ exports.mediaSessionsTool = {
     category: 'read',
     mutates: false,
     toolset: 'system',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(_args, _ctx) {
         if (!(0, _psHelpers_1.isWindows)()) {
             return (0, _psHelpers_1.windowsOnlyError)('media_sessions', {

package/dist/tools/v4/system/mediaTransport.js

@@ -135,6 +135,19 @@ exports.mediaTransportTool = {
     category: 'execute',
     mutates: true,
     toolset: 'system',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const action = typeof args.action === 'string' ? args.action : '';
+        const target = typeof args.target === 'string' ? args.target : '';
+        return {
+            tool: 'media_transport',
+            args,
+            riskTier: 'caution',
+            sideEffects: [{ type: 'media_control', action: target ? `${action}:${target}` : action }],
+            detectedRisks: [],
+            summary: `Would invoke media transport: ${action}${target ? ` on ${target}` : ' (current session)'}`,
+        };
+    },
     async execute(args, _ctx) {
         if (!(0, _psHelpers_1.isWindows)()) {
             // v4.1.3-essentials: tailored capability card for non-Windows.

package/dist/tools/v4/system/naturalEvents.js

@@ -40,6 +40,7 @@ exports.naturalEventsTool = {
     category: 'network',
     mutates: false,
     toolset: 'system',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args) {
         const limit = typeof args.limit === 'number' && args.limit > 0
             ? Math.floor(args.limit)

package/dist/tools/v4/system/nowPlaying.js

@@ -32,6 +32,7 @@ exports.nowPlayingTool = {
     category: 'read',
     mutates: false,
     toolset: 'system',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute() {
         try {
             const result = await (0, nowPlaying_1.getNowPlaying)();

package/dist/tools/v4/system/osProcessList.js

@@ -62,6 +62,7 @@ exports.osProcessListTool = {
     category: 'read',
     mutates: false,
     toolset: 'system',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args, _ctx) {
         if (!(0, _psHelpers_1.isWindows)())
             return (0, _psHelpers_1.windowsOnlyError)('os_process_list');

package/dist/tools/v4/system/screenshot.js

@@ -63,6 +63,7 @@ exports.screenshotTool = {
     category: 'read',
     mutates: false,
     toolset: 'system',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(_args, ctx) {
         if (!(0, _psHelpers_1.isWindows)())
             return (0, _psHelpers_1.windowsOnlyError)('screenshot');

package/dist/tools/v4/system/systemInfo.js

@@ -57,6 +57,7 @@ exports.systemInfoTool = {
     category: 'read',
     mutates: false,
     toolset: 'system',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute() {
         try {
             const info = process.platform === 'win32' ? await readWindows() : readPosix();

package/dist/tools/v4/system/volumeSet.js

@@ -123,6 +123,23 @@ exports.volumeSetTool = {
     category: 'execute',
     mutates: true,
     toolset: 'system',
+    riskTier: 'caution', // v4.4 Phase 1
+    buildPreview(args) {
+        const action = typeof args.action === 'string' ? args.action : '';
+        const percent = typeof args.percent === 'number' ? args.percent : -1;
+        return {
+            tool: 'volume_set',
+            args,
+            riskTier: 'caution',
+            sideEffects: action === 'set'
+                ? [{ type: 'volume_set', level: Math.max(0, Math.min(100, percent)) }]
+                : [{ type: 'media_control', action }],
+            detectedRisks: [],
+            summary: action === 'set'
+                ? `Would set volume to ${percent}%`
+                : `Would ${action.replace('_', ' ')}`,
+        };
+    },
     async execute(args, _ctx) {
         if (!(0, _psHelpers_1.isWindows)())
             return (0, _psHelpers_1.windowsOnlyError)('volume_set');

package/dist/tools/v4/terminal/shellExec.js

@@ -8,17 +8,34 @@
 /**
  * tools/v4/terminal/shellExec.ts — `shell_exec` wrapper.
  *
- * Routes a shell command to either the local backend (PowerShell on
- * Windows, bash on POSIX) or the Docker backend, based on
- * `ctx.terminalBackend`. Phase 8 has no shell-injection guards —
- * Phase 9's approval engine inspects every call before it lands here.
+ * Routes a shell command to one of three backends:
+ *   - local backend  (status quo: PowerShell on Windows, bash on POSIX)
+ *   - docker single-shot backend (status quo for explicit
+ *     `ctx.terminalBackend='docker'` with AIDEN_SANDBOX=0)
+ *   - docker session backend (v4.4 Phase 3: long-lived container reuse
+ *     with hardening + resource limits when AIDEN_SANDBOX=1)
  *
- * Status: PHASE 8.
+ * Backend selection precedence:
+ *   1. Per-call override `ctx.terminalBackend` wins. When that's
+ *      `'docker'` AND AIDEN_SANDBOX is enabled, the session-backed
+ *      `dockerSessionExec` is used (reuse + hardening). When
+ *      `'docker'` AND AIDEN_SANDBOX is disabled, the legacy
+ *      single-shot `dockerBackendExecute` runs (tests rely on this).
+ *   2. No override + AIDEN_SANDBOX=1 → docker session backend.
+ *   3. No override + AIDEN_SANDBOX=0 → local (current behavior).
+ *
+ * Phase 9's approval engine still gates this tool the same way. The
+ * tool stays `riskTier: 'dangerous'` — sandbox isolation does not
+ * promote a shell command's tier; it only constrains the blast radius.
+ *
+ * Status: PHASE 8 → v4.4 Phase 3.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.shellExecTool = void 0;
 const local_1 = require("../backends/local");
 const docker_1 = require("../backends/docker");
+const dockerSession_1 = require("../../../core/v4/dockerSession");
+const sandboxConfig_1 = require("../../../core/v4/sandboxConfig");
 exports.shellExecTool = {
     schema: {
         name: 'shell_exec',
@@ -43,6 +60,41 @@ exports.shellExecTool = {
     category: 'execute',
     mutates: true,
     toolset: 'terminal',
+    riskTier: 'dangerous', // v4.4 Phase 1 — arbitrary shell command
+    // v4.4 Phase 4 — dry-run preview.
+    buildPreview(args, ctx) {
+        const command = String(args.command ?? args.cmd ?? '').trim();
+        const cwd = typeof args.cwd === 'string' ? args.cwd : ctx.cwd;
+        const config = (0, sandboxConfig_1.getSandboxConfig)();
+        const userOverride = ctx.terminalBackend;
+        const effective = userOverride ?? (config.enabled ? config.defaultBackend : 'local');
+        // Lightweight risk hints — same patterns ApprovalEngine uses
+        // in smart mode. Kept inline to avoid pulling moat/ into the
+        // tool layer.
+        const risks = [];
+        if (/\brm\s+-rf?\b/.test(command))
+            risks.push('rm -rf');
+        if (/sudo\b/.test(command))
+            risks.push('sudo');
+        if (/\bcurl\s.+\|\s*(sh|bash)/.test(command))
+            risks.push('curl|sh');
+        if (/\bwget\s.+\|\s*(sh|bash)/.test(command))
+            risks.push('wget|sh');
+        if (/\bdd\s+if=/.test(command))
+            risks.push('dd');
+        if (/:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/.test(command))
+            risks.push('fork bomb');
+        if (/format\s+[a-zA-Z]:/i.test(command))
+            risks.push('format');
+        return {
+            tool: 'shell_exec',
+            args,
+            riskTier: 'dangerous',
+            sideEffects: [{ type: 'shell_command', command, cwd, backend: effective }],
+            detectedRisks: risks,
+            summary: `Would run \`${command.length > 80 ? command.slice(0, 80) + '…' : command}\` via ${effective} backend in ${cwd}`,
+        };
+    },
     async execute(args, ctx) {
         const command = String(args.command ?? args.cmd ?? '').trim();
         if (!command)
@@ -56,10 +108,30 @@ exports.shellExecTool = {
                 : true,
         };
         const cb = ctx.log ? { log: ctx.log } : {};
-        const backend = ctx.terminalBackend ?? 'local';
-        const result = backend === 'docker'
-            ? await (0, docker_1.dockerBackendExecute)(shellArgs, { image: ctx.dockerImage }, cb)
-            : await (0, local_1.localBackendExecute)(shellArgs, cb);
+        // v4.4 Phase 3 — effective backend selection.
+        const config = (0, sandboxConfig_1.getSandboxConfig)();
+        const userOverride = ctx.terminalBackend;
+        const effective = userOverride ?? (config.enabled ? config.defaultBackend : 'local');
+        let result;
+        if (effective === 'docker') {
+            if (config.enabled) {
+                // Long-lived session container + hardening flags.
+                result = await (0, dockerSession_1.dockerSessionExec)({
+                    ...shellArgs,
+                    sessionId: ctx.sessionId,
+                    image: ctx.dockerImage,
+                }, cb);
+            }
+            else {
+                // Status-quo single-shot docker path (AIDEN_SANDBOX=0 +
+                // explicit ctx.terminalBackend='docker'). No reuse, no
+                // hardening — kept for backward compatibility.
+                result = await (0, docker_1.dockerBackendExecute)(shellArgs, { image: ctx.dockerImage }, cb);
+            }
+        }
+        else {
+            result = await (0, local_1.localBackendExecute)(shellArgs, cb);
+        }
         return {
             success: result.exitCode === 0,
             exitCode: result.exitCode,

package/dist/tools/v4/web/deepResearch.js

@@ -36,6 +36,7 @@ exports.deepResearchTool = {
     category: 'network',
     mutates: false,
     toolset: 'web',
+    riskTier: 'safe', // v4.4 Phase 1
     async execute(args) {
         const topic = String(args.topic ?? '').trim();
         if (!topic)