beecork 1.5.0 → 1.6.0

package/dist/tasks/store.js

@@ -4,17 +4,29 @@ import { getCrontabPath } from '../util/paths.js';
 import { logger } from '../util/logger.js';
 function rowToTask(row) {
     return {
-        id: row.id, name: row.name,
+        id: row.id,
+        name: row.name,
         scheduleType: row.schedule_type,
-        schedule: row.schedule, tabName: row.tab_name, message: row.message,
+        schedule: row.schedule,
+        tabName: row.tab_name,
+        message: row.message,
         payloadType: row.payload_type || 'agentTurn',
-        enabled: row.enabled === 1, createdAt: row.created_at,
-        lastRunAt: row.last_run_at, nextRunAt: row.next_run_at,
+        enabled: row.enabled === 1,
+        createdAt: row.created_at,
+        lastRunAt: row.last_run_at,
+        nextRunAt: row.next_run_at,
     };
 }
+// One-shot JSON migration only needs to run once per process lifetime, but the
+// dashboard creates a fresh TaskStore per request and MCP creates one per task
+// call. Without this flag, every instantiation re-fired existsSync + COUNT(*).
+let migrationChecked = false;
 export class TaskStore {
     constructor() {
-        this.migrateFromJson();
+        if (!migrationChecked) {
+            migrationChecked = true;
+            this.migrateFromJson();
+        }
     }
     list() {
         const db = getDb();
@@ -63,7 +75,9 @@ export class TaskStore {
             try {
                 fs.renameSync(jsonPath, jsonPath + '.bak');
             }
-            catch { /* ok */ }
+            catch {
+                /* ok */
+            }
             return;
         }
         try {

package/dist/timeline/logger.js

@@ -5,5 +5,7 @@ export function logActivity(eventType, summary, options) {
         const db = getDb();
         db.prepare('INSERT INTO activity_log (id, event_type, project_name, tab_name, summary, details, duration_ms, cost_usd) VALUES (?, ?, ?, ?, ?, ?, ?, ?)').run(uuidv4(), eventType, options?.projectName || null, options?.tabName || null, summary, options?.details || null, options?.durationMs || null, options?.costUsd || null);
     }
-    catch { /* non-critical — don't crash if logging fails */ }
+    catch {
+        /* non-critical — don't crash if logging fails */
+    }
 }

package/dist/timeline/query.js

@@ -1,9 +1,15 @@
 import { getDb } from '../db/index.js';
 function rowToEvent(r) {
     return {
-        id: r.id, eventType: r.event_type, projectName: r.project_name,
-        tabName: r.tab_name, summary: r.summary, details: r.details,
-        durationMs: r.duration_ms, costUsd: r.cost_usd, createdAt: r.created_at,
+        id: r.id,
+        eventType: r.event_type,
+        projectName: r.project_name,
+        tabName: r.tab_name,
+        summary: r.summary,
+        details: r.details,
+        durationMs: r.duration_ms,
+        costUsd: r.cost_usd,
+        createdAt: r.created_at,
     };
 }
 export function getTimeline(options) {

package/dist/types.d.ts

@@ -13,7 +13,6 @@ export interface ClaudeCodeConfig {
 }
 export interface MemoryConfig {
     dbPath: string;
-    maxLongTermEntries: number;
 }
 export interface TabConfig {
     workingDir: string;
@@ -44,11 +43,26 @@ export interface DiscordConfig {
     /** Optional admin user ID. Defaults to allowedUserIds[0]. */
     adminUserId?: string;
 }
+/**
+ * Webhook channel auth semantics:
+ *
+ * - When both `authToken` and `hmacSecret` are configured, EITHER mode
+ *   satisfies authentication (OR semantics). A valid Bearer token is enough
+ *   even if the HMAC signature is missing. There is no AND mode today.
+ * - Replay protection is NOT implemented. Callers must keep their payloads
+ *   idempotent — see L10 in the audit. Acceptable while the server binds to
+ *   127.0.0.1 only; revisit if remote exposure becomes a thing.
+ * - `allowUnauthLocalhost` is the explicit opt-in to run with no auth at all.
+ *   Useful for `curl localhost` from a trusted shell, but on a multi-user
+ *   host any local process can inject prompts into your tabs.
+ */
 export interface WebhookConfig {
     enabled: boolean;
     port: number;
     authToken?: string;
     hmacSecret?: string;
+    /** Set to true to skip the fail-secure auth check at start. NOT recommended on shared hosts. */
+    allowUnauthLocalhost?: boolean;
 }
 export interface GroupConfig {
     activationMode: 'mention' | 'reply' | 'keyword' | 'always';
@@ -56,15 +70,25 @@ export interface GroupConfig {
     tabPerGroup: boolean;
     keywords?: string[];
 }
-export interface NotificationConfig {
-    type: 'pushover' | 'ntfy' | 'webhook';
-    userKey?: string;
-    appToken?: string;
-    topic?: string;
+/**
+ * Discriminated union of notification provider configs. The `type` field
+ * narrows which fields are required so callers get full type safety instead
+ * of treating every field as optional. createNotificationProvider switches
+ * exhaustively on `type`.
+ */
+export type NotificationConfig = {
+    type: 'pushover';
+    userKey: string;
+    appToken: string;
+} | {
+    type: 'ntfy';
+    topic: string;
     server?: string;
-    url?: string;
+} | {
+    type: 'webhook';
+    url: string;
     headers?: Record<string, string>;
-}
+};
 export interface MediaGeneratorConfig {
     provider: string;
     apiKey?: string;
@@ -77,7 +101,6 @@ export interface MediaAttachment {
     mimeType: string;
     filePath: string;
     fileName?: string;
-    duration?: number;
     caption?: string;
 }
 export interface BeecorkConfig {
@@ -96,6 +119,8 @@ export interface BeecorkConfig {
     notifications?: NotificationConfig[];
     mediaGenerators?: MediaGeneratorConfig[];
     communityChannels?: string[];
+    /** Capability packs enabled via `beecork capabilities enable`. Owned by src/capabilities. */
+    capabilities?: import('./capabilities/types.js').EnabledCapability[];
     deployment: 'local' | 'vps';
 }
 export type TabStatus = 'idle' | 'running' | 'error' | 'stopped';

package/dist/util/auto-heal.js

@@ -41,10 +41,20 @@ export function autoHealInstall(fromFileUrl) {
             }
         }
         if (rewroteUnit && signaledDaemon) {
-            return { action: 'rewrote-and-signaled', unitPath, oldDaemonScript: oldDaemonScript, newDaemonScript: currentDaemonScript };
+            return {
+                action: 'rewrote-and-signaled',
+                unitPath,
+                oldDaemonScript: oldDaemonScript,
+                newDaemonScript: currentDaemonScript,
+            };
         }
         if (rewroteUnit)
-            return { action: 'rewrote-unit', unitPath, oldDaemonScript: oldDaemonScript, newDaemonScript: currentDaemonScript };
+            return {
+                action: 'rewrote-unit',
+                unitPath,
+                oldDaemonScript: oldDaemonScript,
+                newDaemonScript: currentDaemonScript,
+            };
         if (signaledDaemon)
             return { action: 'signaled-daemon', unitPath };
         return { action: 'noop' };
@@ -64,8 +74,8 @@ export function extractDaemonScript(content) {
     // launchd plist: pull the second <string> inside ProgramArguments
     const launchdMatch = content.match(/<key>\s*ProgramArguments\s*<\/key>\s*<array>([\s\S]*?)<\/array>/);
     if (launchdMatch) {
-        const args = Array.from(launchdMatch[1].matchAll(/<string>([^<]+)<\/string>/g)).map(m => m[1]);
-        const jsArg = args.find(a => a.endsWith('daemon.js'));
+        const args = Array.from(launchdMatch[1].matchAll(/<string>([^<]+)<\/string>/g)).map((m) => m[1]);
+        const jsArg = args.find((a) => a.endsWith('daemon.js'));
         if (jsArg)
             return jsArg;
     }
@@ -73,7 +83,7 @@ export function extractDaemonScript(content) {
     const systemdMatch = content.match(/^ExecStart\s*=\s*(.+)$/m);
     if (systemdMatch) {
         const parts = systemdMatch[1].split(/\s+/);
-        const jsArg = parts.find(p => p.endsWith('daemon.js'));
+        const jsArg = parts.find((p) => p.endsWith('daemon.js'));
         if (jsArg)
             return jsArg;
     }

package/dist/util/install-info.js

@@ -52,7 +52,9 @@ export function removeRuntimeInfo() {
     try {
         fs.unlinkSync(filePath);
     }
-    catch { /* not present, fine */ }
+    catch {
+        /* not present, fine */
+    }
 }
 export function isPidAlive(pid) {
     try {

package/dist/util/logger.d.ts

@@ -3,7 +3,7 @@ declare class Logger {
     private minLevel;
     private logFile;
     private stream;
-    private writeCount;
+    private bytesWritten;
     setLevel(level: LogLevel): void;
     setLogFile(name: string): void;
     private write;

package/dist/util/logger.js

@@ -7,11 +7,24 @@ const LEVEL_PRIORITY = {
     warn: 2,
     error: 3,
 };
+// Patterns that should never reach disk or stdout. Each channel uses a per-call
+// sanitizer too (defense-in-depth), but the Logger is the last line of defense
+// for any third-party error object that happens to embed a secret in its message.
+const REDACTION_PATTERNS = [
+    { re: /bot\d+:[A-Za-z0-9_-]+/g, replacement: 'bot<REDACTED>' }, // Telegram bot token
+];
+function redact(s) {
+    let out = s;
+    for (const { re, replacement } of REDACTION_PATTERNS)
+        out = out.replace(re, replacement);
+    return out;
+}
+const ROTATE_BYTES = 10 * 1024 * 1024;
 class Logger {
     minLevel = 'info';
     logFile = null;
     stream = null;
-    writeCount = 0;
+    bytesWritten = 0;
     setLevel(level) {
         this.minLevel = level;
     }
@@ -20,18 +33,30 @@ class Logger {
         fs.mkdirSync(dir, { recursive: true });
         this.logFile = path.join(dir, name);
         this.stream = fs.createWriteStream(this.logFile, { flags: 'a' });
+        // Seed bytesWritten from the existing file size so we don't reset the
+        // rotation counter on every daemon restart.
+        try {
+            this.bytesWritten = fs.statSync(this.logFile).size;
+        }
+        catch {
+            this.bytesWritten = 0;
+        }
     }
     write(level, msg, ...args) {
         if (LEVEL_PRIORITY[level] < LEVEL_PRIORITY[this.minLevel])
             return;
         const timestamp = new Date().toISOString();
         const prefix = `[${timestamp}] [${level.toUpperCase()}]`;
-        const line = args.length > 0
-            ? `${prefix} ${msg} ${args.map(a => typeof a === 'string' ? a : JSON.stringify(a)).join(' ')}`
+        const raw = args.length > 0
+            ? `${prefix} ${msg} ${args.map((a) => (typeof a === 'string' ? a : JSON.stringify(a))).join(' ')}`
             : `${prefix} ${msg}`;
+        const line = redact(raw);
         if (this.stream) {
-            this.stream.write(line + '\n');
-            this.checkRotation();
+            const out = line + '\n';
+            this.stream.write(out);
+            this.bytesWritten += out.length;
+            if (this.bytesWritten > ROTATE_BYTES)
+                this.checkRotation();
         }
         if (level === 'error') {
             console.error(line);
@@ -43,31 +68,38 @@ class Logger {
             console.log(line);
         }
     }
-    debug(msg, ...args) { this.write('debug', msg, ...args); }
-    info(msg, ...args) { this.write('info', msg, ...args); }
-    warn(msg, ...args) { this.write('warn', msg, ...args); }
-    error(msg, ...args) { this.write('error', msg, ...args); }
+    debug(msg, ...args) {
+        this.write('debug', msg, ...args);
+    }
+    info(msg, ...args) {
+        this.write('info', msg, ...args);
+    }
+    warn(msg, ...args) {
+        this.write('warn', msg, ...args);
+    }
+    error(msg, ...args) {
+        this.write('error', msg, ...args);
+    }
     checkRotation() {
         if (!this.logFile || !this.stream)
             return;
-        this.writeCount++;
-        if (this.writeCount < 100)
-            return;
-        this.writeCount = 0;
+        // bytesWritten-based gate already triggered us; rotate without statSync.
         try {
-            const stats = fs.statSync(this.logFile);
-            if (stats.size > 10 * 1024 * 1024) {
-                this.stream.end();
-                const rotated = this.logFile + '.1';
-                try {
-                    fs.unlinkSync(rotated);
-                }
-                catch { }
-                fs.renameSync(this.logFile, rotated);
-                this.stream = fs.createWriteStream(this.logFile, { flags: 'a' });
+            this.stream.end();
+            const rotated = this.logFile + '.1';
+            try {
+                fs.unlinkSync(rotated);
             }
+            catch {
+                /* not fatal */
+            }
+            fs.renameSync(this.logFile, rotated);
+            this.stream = fs.createWriteStream(this.logFile, { flags: 'a' });
+            this.bytesWritten = 0;
+        }
+        catch {
+            /* rotation failure shouldn't kill the daemon */
         }
-        catch { }
     }
     close() {
         if (this.stream) {
@@ -77,3 +109,10 @@ class Logger {
     }
 }
 export const logger = new Logger();
+// Allow operators to bump verbosity at runtime without recompiling.
+// e.g. `BEECORK_LOG_LEVEL=debug beecork start` surfaces every claude subprocess
+// stdout/stderr line via the logger.debug calls.
+const envLevel = process.env.BEECORK_LOG_LEVEL?.toLowerCase();
+if (envLevel === 'debug' || envLevel === 'info' || envLevel === 'warn' || envLevel === 'error') {
+    logger.setLevel(envLevel);
+}

package/dist/util/paths.d.ts

@@ -8,5 +8,6 @@ export declare function getPidPath(): string;
 export declare function getRuntimeInfoPath(): string;
 export declare function getCronReloadSignalPath(): string;
 export declare function getWatcherReloadSignalPath(): string;
+export declare function getWhatsappSessionPath(): string;
 export declare function ensureBeecorkDirs(): void;
 export declare function expandHome(p: string): string;

package/dist/util/paths.js

@@ -32,10 +32,20 @@ export function getCronReloadSignalPath() {
 export function getWatcherReloadSignalPath() {
     return path.join(getBeecorkHome(), '.watcher-reload');
 }
+export function getWhatsappSessionPath() {
+    return path.join(getBeecorkHome(), 'whatsapp-session');
+}
 export function ensureBeecorkDirs() {
     const home = getBeecorkHome();
-    fs.mkdirSync(home, { recursive: true });
-    fs.mkdirSync(getLogsDir(), { recursive: true });
+    fs.mkdirSync(home, { recursive: true, mode: 0o700 });
+    // Upgrade an existing dir that was created with a looser umask before this fix landed.
+    try {
+        fs.chmodSync(home, 0o700);
+    }
+    catch {
+        /* not fatal if mode change fails */
+    }
+    fs.mkdirSync(getLogsDir(), { recursive: true, mode: 0o700 });
 }
 export function expandHome(p) {
     if (p.startsWith('~/') || p === '~') {

package/dist/util/retry.js

@@ -10,7 +10,7 @@ export async function retryWithBackoff(fn, delays = [1000, 5000, 15000], label =
             lastError = err instanceof Error ? err : new Error(String(err));
             if (attempt < delays.length) {
                 logger.warn(`${label} failed (attempt ${attempt + 1}/${delays.length + 1}), retrying in ${delays[attempt]}ms: ${lastError.message}`);
-                await new Promise(resolve => setTimeout(resolve, delays[attempt]));
+                await new Promise((resolve) => setTimeout(resolve, delays[attempt]));
             }
         }
     }

package/dist/util/text.js

@@ -78,16 +78,22 @@ export function formatTabbedResponse(text, tabName) {
 export function buildMediaPrompt(media, textPrompt) {
     if (media.length === 0)
         return textPrompt;
-    const descriptions = media.map(m => {
+    const descriptions = media.map((m) => {
         if (m.type === 'voice' && m.caption?.startsWith('[Transcribed'))
             return m.caption;
         switch (m.type) {
-            case 'image': return `User sent an image: ${m.filePath}`;
-            case 'voice': return `User sent a voice message: ${m.filePath}`;
-            case 'audio': return `User sent an audio file: ${m.filePath}${m.fileName ? ` (${m.fileName})` : ''}`;
-            case 'video': return `User sent a video: ${m.filePath}`;
-            case 'document': return `User sent a file: ${m.filePath}${m.fileName ? ` (${m.fileName})` : ''}`;
-            default: return `User sent a file: ${m.filePath}`;
+            case 'image':
+                return `User sent an image: ${m.filePath}`;
+            case 'voice':
+                return `User sent a voice message: ${m.filePath}`;
+            case 'audio':
+                return `User sent an audio file: ${m.filePath}${m.fileName ? ` (${m.fileName})` : ''}`;
+            case 'video':
+                return `User sent a video: ${m.filePath}`;
+            case 'document':
+                return `User sent a file: ${m.filePath}${m.fileName ? ` (${m.fileName})` : ''}`;
+            default:
+                return `User sent a file: ${m.filePath}`;
         }
     });
     const mediaText = descriptions.join('\n');

package/dist/voice/index.js

@@ -10,7 +10,11 @@ export function initVoiceProviders(voice) {
         stt = createSTTProvider({ provider: voice.sttProvider, apiKey: voice.sttApiKey });
     }
     if (voice?.ttsProvider && voice.ttsProvider !== 'none') {
-        tts = createTTSProvider({ provider: voice.ttsProvider, apiKey: voice.ttsApiKey, voice: voice.ttsVoice });
+        tts = createTTSProvider({
+            provider: voice.ttsProvider,
+            apiKey: voice.ttsApiKey,
+            voice: voice.ttsVoice,
+        });
     }
     return { stt, tts };
 }

package/dist/voice/stt.js

@@ -1,5 +1,6 @@
-import fs from 'node:fs';
+import { readFile } from 'node:fs/promises';
 import { logger } from '../util/logger.js';
+import { assertInsideMediaDir } from '../media/store.js';
 /** OpenAI Whisper API provider */
 export class WhisperAPIProvider {
     apiKey;
@@ -10,26 +11,33 @@ export class WhisperAPIProvider {
         try {
             // Make a lightweight request to warm up the HTTPS connection
             await fetch('https://api.openai.com/v1/models', {
-                headers: { 'Authorization': `Bearer ${this.apiKey}` },
+                headers: { Authorization: `Bearer ${this.apiKey}` },
                 signal: AbortSignal.timeout(5000),
             });
         }
-        catch { /* non-critical */ }
+        catch {
+            /* non-critical */
+        }
     }
     async transcribe(filePath) {
+        // Defense-in-depth: callers should already constrain filePath to the media dir,
+        // but verify here so a leaked/forged MediaAttachment.filePath cannot exfiltrate
+        // arbitrary files (e.g. ~/.ssh/id_rsa) to the Whisper API.
+        const safePath = assertInsideMediaDir(filePath);
+        const buffer = await readFile(safePath);
         const formData = new FormData();
-        formData.append('file', new Blob([fs.readFileSync(filePath)]), 'audio.ogg');
+        formData.append('file', new Blob([buffer]), 'audio.ogg');
         formData.append('model', 'whisper-1');
         const response = await fetch('https://api.openai.com/v1/audio/transcriptions', {
             method: 'POST',
-            headers: { 'Authorization': `Bearer ${this.apiKey}` },
+            headers: { Authorization: `Bearer ${this.apiKey}` },
             body: formData,
             signal: AbortSignal.timeout(60000),
         });
         if (!response.ok) {
             throw new Error(`Whisper API error: ${response.status} ${response.statusText}`);
         }
-        const result = await response.json();
+        const result = (await response.json());
         return result.text;
     }
 }

package/dist/voice/tts.js

@@ -14,7 +14,7 @@ export class OpenAITTSProvider {
         const response = await fetch('https://api.openai.com/v1/audio/speech', {
             method: 'POST',
             headers: {
-                'Authorization': `Bearer ${this.apiKey}`,
+                Authorization: `Bearer ${this.apiKey}`,
                 'Content-Type': 'application/json',
             },
             body: JSON.stringify({

package/dist/watchers/scheduler.js

@@ -5,6 +5,8 @@ import { evaluateWatcher } from './evaluator.js';
 import { execAsync, intervalToMs } from '../tasks/scheduler.js';
 import { getLogsDir, getWatcherReloadSignalPath } from '../util/paths.js';
 import { logger } from '../util/logger.js';
+import { PendingMessageStore } from '../session/pending-store.js';
+import { logActivity } from '../timeline/index.js';
 export class WatcherScheduler {
     store = new WatcherStore();
     // watcherId -> due time in ms epoch for next check
@@ -52,7 +54,9 @@ export class WatcherScheduler {
             try {
                 fs.unlinkSync(signalPath);
             }
-            catch { /* race condition, ok */ }
+            catch {
+                /* race condition, ok */
+            }
             logger.info('Watchers: reload signal detected, reloading');
             this.loadAndSchedule();
         }
@@ -101,6 +105,9 @@ export class WatcherScheduler {
             if (result.triggered) {
                 this.store.markTriggered(watcher.id);
                 await fs.promises.appendFile(logFile, `[${new Date().toISOString()}] TRIGGERED: ${result.output.slice(0, 500)}\n`);
+                logActivity('watcher_triggered', `Watcher "${watcher.name}" triggered`, {
+                    details: result.output.slice(0, 500),
+                });
                 await this.executeAction(watcher, result.output);
             }
             else {
@@ -155,7 +162,7 @@ export class WatcherScheduler {
                             message = watcher.actionDetails.slice(colonIdx + 1).trim();
                         }
                         const fullMessage = `[Watcher "${watcher.name}" triggered] ${message}\n\nWatcher output:\n${output.slice(0, 500)}`;
-                        db.prepare('INSERT INTO pending_messages (tab_name, message, type) VALUES (?, ?, ?)').run(tabName, fullMessage, 'delegation');
+                        PendingMessageStore.enqueueDelegation(tabName, fullMessage, db);
                         if (this.onNotify) {
                             await this.onNotify(`Watcher "${watcher.name}" triggered -- delegated to tab:${tabName}`);
                         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "beecork",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "description": "Claude Code always-on infrastructure — a phone number, a memory, and an alarm clock",
   "type": "module",
   "bin": {
@@ -15,6 +15,8 @@
     "dev:daemon": "tsx src/daemon.ts",
     "test": "vitest",
     "lint": "eslint src/",
+    "format": "prettier --write \"src/**/*.ts\"",
+    "format:check": "prettier --check \"src/**/*.ts\"",
     "build:css": "tailwindcss --content src/dashboard/html.ts --minify",
     "prepublishOnly": "npm test && npm run build",
     "postinstall": "node scripts/postinstall.mjs"
@@ -27,6 +29,7 @@
     "cron-parser": "^5.5.0",
     "discord.js": "^14.26.2",
     "node-telegram-bot-api": "^0.67.0",
+    "pino": "^9.5.0",
     "qrcode-terminal": "^0.12.0",
     "uuid": "^13.0.0"
   },
@@ -36,6 +39,8 @@
     "@types/node": "^24.0.0",
     "@types/node-telegram-bot-api": "^0.64.14",
     "eslint": "^10.2.0",
+    "eslint-config-prettier": "^10.1.8",
+    "prettier": "^3.8.3",
     "tailwindcss": "^4.2.2",
     "tsx": "^4.21.0",
     "typescript": "^6.0.2",

package/dist/session/tool-classifier.d.ts

@@ -1,4 +0,0 @@
-/** Reserved for future approval mode implementation. Not currently wired into the runtime. */
-export type ToolRisk = 'safe' | 'dangerous';
-/** Classify a tool call as safe or dangerous */
-export declare function classifyTool(toolName: string, input: Record<string, unknown>): ToolRisk;

package/dist/session/tool-classifier.js

@@ -1,56 +0,0 @@
-const SAFE_TOOLS = new Set([
-    'Read', 'Glob', 'Grep', 'LSP', 'WebFetch', 'WebSearch',
-    'ToolSearch', 'TaskGet', 'TaskList',
-]);
-const DANGEROUS_TOOLS = new Set([
-    'Write', 'Edit', 'NotebookEdit',
-    'TaskCreate', 'TaskUpdate', 'TaskStop',
-]);
-const SAFE_BASH_PATTERNS = [
-    /^(ls|cat|head|tail|wc|file|stat|which|type|echo|printf)\b/,
-    /^git\s+(status|log|diff|show|branch|tag|remote)\b/,
-    /^(pwd|whoami|hostname|date|uname|env|printenv)\b/,
-    /^(find|grep|rg|fd|ag)\b/,
-    /^(node|python|ruby|go)\s+--?(version|help)/,
-    /^npm\s+(list|ls|view|info|outdated|audit)\b/,
-    /^curl\s.*-X\s*GET\b/,
-    /^curl\s+(?!.*-X\s*(POST|PUT|DELETE|PATCH))(?!.*--data)(?!.*-d\s)/,
-];
-const DANGEROUS_BASH_PATTERNS = [
-    /^rm\b/,
-    /^(mv|cp)\b.*--?(force|f)\b/,
-    /^chmod\b/,
-    /^chown\b/,
-    /^git\s+(push|reset|rebase|merge|checkout\s+--)\b/,
-    /^(docker|kubectl|terraform|ansible)\b/,
-    /^(sudo|su)\b/,
-    /^npm\s+(publish|install|uninstall|link)\b/,
-    /^(kill|killall|pkill)\b/,
-    /^curl\s.*-X\s*(POST|PUT|DELETE|PATCH)\b/,
-];
-/** Classify a tool call as safe or dangerous */
-export function classifyTool(toolName, input) {
-    if (SAFE_TOOLS.has(toolName))
-        return 'safe';
-    if (DANGEROUS_TOOLS.has(toolName))
-        return 'dangerous';
-    // Bash tool: inspect the command
-    if (toolName === 'Bash') {
-        const command = String(input.command || '').trim();
-        for (const pattern of SAFE_BASH_PATTERNS) {
-            if (pattern.test(command))
-                return 'safe';
-        }
-        for (const pattern of DANGEROUS_BASH_PATTERNS) {
-            if (pattern.test(command))
-                return 'dangerous';
-        }
-        // Default: unknown bash commands are dangerous
-        return 'dangerous';
-    }
-    // MCP tools from external servers: default to dangerous
-    if (toolName.startsWith('mcp__'))
-        return 'dangerous';
-    // Unknown tools: default to dangerous
-    return 'dangerous';
-}