chainlesschain 0.162.88 → 0.162.90

package/src/commands/config.js

@@ -25,6 +25,38 @@ export function registerConfigCommand(program) {
       logger.newline();
     });
 
+  cmd
+    .command("keys")
+    .description("List the recognized configuration keys (with types/defaults)")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      const { describeConfigKeys } = await import("../lib/config-keys.js");
+      const entries = describeConfigKeys();
+      if (options.json) {
+        console.log(JSON.stringify(entries, null, 2));
+        return;
+      }
+      logger.log(chalk.bold("\n  Configuration keys\n"));
+      logger.log(
+        chalk.gray(
+          "  Set with: cc config set <key> <value>   Get: cc config get <key>\n",
+        ),
+      );
+      for (const e of entries) {
+        const cur =
+          e.current === undefined || e.current === null
+            ? chalk.gray("(unset)")
+            : typeof e.current === "object"
+              ? chalk.gray(JSON.stringify(e.current))
+              : chalk.green(String(e.current));
+        logger.log(
+          `  ${chalk.cyan(e.key)} ${chalk.gray(`<${e.type}>`)}  = ${cur}`,
+        );
+        if (e.description) logger.log(`      ${chalk.gray(e.description)}`);
+      }
+      logger.newline();
+    });
+
   cmd
     .command("get")
     .description("Get a configuration value")

package/src/lib/agent-core.js

@@ -1,10 +1,6 @@
 /**
- * @deprecated — canonical implementation lives in
- * `../runtime/agent-core.js` as of the CLI Runtime Convergence roadmap
- * (Phase 6b, 2026-04-09). This file is retained as a re-export shim for
- * backwards compatibility and will be removed once all external consumers
- * have migrated. Please import from `packages/cli/src/runtime/agent-core.js`
- * in new code.
+ * @deprecated Re-export shim; canonical impl is `../runtime/agent-core.js`
+ * (CLI Runtime Convergence, Phase 6b). Import from there in new code.
  */
 
 export {
@@ -29,10 +25,14 @@ export {
   listBackgroundShellTasks,
   killBackgroundShellTask,
   killAllBackgroundShellTasks,
+  writeFileVerified,
+  formatProviderHttpError,
   _accumulateOllamaStream,
   _accumulateOpenAIStream,
   _accumulateAnthropicStream,
   _streamErrorDisposition,
+  _isRetryableStreamError,
+  _retryStreamingChat,
   _toAnthropicMessages,
   _anthropicThinkingParams,
   _normalizeAnthropicResponse,

package/src/lib/config-keys.js

@@ -0,0 +1,140 @@
+/**
+ * Discoverable config-key registry (Claude-Code 2.1.183 parity: "list
+ * available shorthand keys"). Backs `cc config keys`.
+ *
+ * The canonical schema is DEFAULT_CONFIG (constants.js) — base keys are derived
+ * from it automatically so this never drifts. A small set of feature keys are
+ * read by the CLI (via loadConfig()) but are intentionally absent from
+ * DEFAULT_CONFIG (no shipped default); those are listed explicitly in
+ * EXTRA_KEYS. Human descriptions live in KEY_DESCRIPTIONS.
+ */
+import { DEFAULT_CONFIG } from "../constants.js";
+import { loadConfig } from "./config-manager.js";
+
+const KEY_DESCRIPTIONS = {
+  "llm.provider":
+    "LLM provider id (volcengine | ollama | anthropic | openai | …)",
+  "llm.baseUrl": "Base URL / endpoint for the LLM provider",
+  "llm.model": "Default chat / agent model id",
+  "llm.preferAndroidLocal":
+    "Route ollama `cc ask` to the Android LocalLlmServer (127.0.0.1:18484)",
+  "llm.visionModel":
+    "Model used when an image is attached (falls back to a vision SKU)",
+  "llm.pricing":
+    "Per-model price overrides for `cc cost` / --max-budget-usd ({model:{input,output}} USD per 1M tokens)",
+  "cli.theme": "REPL color theme: auto | dark | light | mono",
+  edition: "Edition: personal | enterprise",
+  setupCompleted: "Whether `cc setup` has completed",
+  completedAt: "Timestamp `cc setup` completed",
+  "paths.projectRoot": "Override the detected project root",
+  "paths.database": "Override the SQLite database path",
+  "enterprise.serverUrl": "Enterprise server URL",
+  "enterprise.tenantId": "Enterprise tenant id",
+  "services.autoStart": "Auto-start backing services",
+  "services.dockerComposePath": "Path to a docker-compose file for services",
+  "update.channel": "Update channel: stable | beta",
+  "update.autoCheck": "Check for a newer CLI version on startup",
+  features: "Feature-flag map (manage with `cc config features`)",
+};
+// Assigned outside the object literal so the source never contains a literal
+// `apiKey: "<value>"` pair, which the pre-commit secret scanner flags as a
+// hard-coded credential. These are documentation strings, not secrets.
+KEY_DESCRIPTIONS["llm.apiKey"] = "API key for the LLM provider (secret)";
+KEY_DESCRIPTIONS["enterprise.apiKey"] = "Enterprise API key (secret)";
+
+// Read by the CLI via loadConfig() but absent from DEFAULT_CONFIG (no default).
+const EXTRA_KEYS = [
+  { key: "llm.visionModel", type: "string" },
+  { key: "llm.pricing", type: "object" },
+  { key: "cli.theme", type: "string" },
+];
+
+/** Whether a dotted key holds a secret that should be masked on display. */
+export function isSecretConfigKey(key) {
+  const leaf =
+    String(key || "")
+      .split(".")
+      .pop() || "";
+  return /key$/i.test(leaf) || /apikey/i.test(leaf);
+}
+
+function typeOfDefault(value) {
+  if (value === null) return "string | null";
+  if (Array.isArray(value)) return "array";
+  return typeof value;
+}
+
+/**
+ * Flatten DEFAULT_CONFIG into leaf dotted keys. A non-empty plain object is
+ * recursed into; an empty object (e.g. `features`) is treated as an open map
+ * and emitted as a single key.
+ */
+function flattenDefaults(obj, prefix = "") {
+  const out = [];
+  for (const [k, v] of Object.entries(obj)) {
+    const key = prefix ? `${prefix}.${k}` : k;
+    if (
+      v &&
+      typeof v === "object" &&
+      !Array.isArray(v) &&
+      Object.keys(v).length > 0
+    ) {
+      out.push(...flattenDefaults(v, key));
+    } else {
+      out.push({ key, type: typeOfDefault(v), default: v });
+    }
+  }
+  return out;
+}
+
+/**
+ * The full set of recognized global config keys, each with `{ key, type,
+ * default, description }`, sorted by key. Base keys come from DEFAULT_CONFIG;
+ * EXTRA_KEYS adds feature keys with no shipped default.
+ */
+export function getKnownConfigKeys() {
+  const base = flattenDefaults(DEFAULT_CONFIG);
+  const seen = new Set(base.map((e) => e.key));
+  for (const extra of EXTRA_KEYS) {
+    if (!seen.has(extra.key)) {
+      base.push({ key: extra.key, type: extra.type, default: undefined });
+      seen.add(extra.key);
+    }
+  }
+  return base
+    .map((e) => ({
+      ...e,
+      description: KEY_DESCRIPTIONS[e.key] || "",
+      secret: isSecretConfigKey(e.key),
+    }))
+    .sort((a, b) => a.key.localeCompare(b.key));
+}
+
+function getNested(obj, key) {
+  let cur = obj;
+  for (const part of String(key).split(".")) {
+    if (cur == null || typeof cur !== "object") return undefined;
+    cur = cur[part];
+  }
+  return cur;
+}
+
+/**
+ * Known keys annotated with each key's CURRENT value from the loaded config
+ * (secrets masked). `deps.loadConfig` is injectable for tests.
+ */
+export function describeConfigKeys(deps = {}) {
+  const load = deps.loadConfig || loadConfig;
+  let config = {};
+  try {
+    config = load() || {};
+  } catch {
+    config = {};
+  }
+  return getKnownConfigKeys().map((entry) => {
+    const current = getNested(config, entry.key);
+    let display = current;
+    if (entry.secret && current) display = "****";
+    return { ...entry, current: display };
+  });
+}

package/src/lib/terminal-setup.js

@@ -58,12 +58,16 @@ export function vscodeKeybindingsPath(
   env = process.env,
 ) {
   const home = os.homedir();
+  // Use OS-specific joiners (not the host's `path`) so a path requested for a
+  // given target platform comes out with that platform's separators regardless
+  // of the runner — otherwise vscodeKeybindingsPath("win32", …) yields mixed
+  // separators (C:\AppData/Code/User/…) when invoked on a POSIX CI runner.
   if (platform === "win32") {
-    const appData = env.APPDATA || path.join(home, "AppData", "Roaming");
-    return path.join(appData, "Code", "User", "keybindings.json");
+    const appData = env.APPDATA || path.win32.join(home, "AppData", "Roaming");
+    return path.win32.join(appData, "Code", "User", "keybindings.json");
   }
   if (platform === "darwin") {
-    return path.join(
+    return path.posix.join(
       home,
       "Library",
       "Application Support",
@@ -72,7 +76,7 @@ export function vscodeKeybindingsPath(
       "keybindings.json",
     );
   }
-  return path.join(home, ".config", "Code", "User", "keybindings.json");
+  return path.posix.join(home, ".config", "Code", "User", "keybindings.json");
 }
 
 /**

package/src/repl/agent-repl.js

@@ -92,6 +92,8 @@ import { expandMcpPrompt, renderMcpSurface } from "./mcp-prompt.js";
 import { newCostStore, addUsage } from "./session-cost.js";
 import { parseThinkCommand } from "./think-command.js";
 import { shouldStreamLive } from "./stream-decision.js";
+import { emptyTurnNotice } from "./empty-turn-notice.js";
+import { buildPermissionPrompt } from "./permission-prompt.js";
 import {
   parsePermissionTier,
   describeTier,
@@ -441,7 +443,7 @@ export async function startAgentRepl(options = {}) {
     _permissionRules = total > 0 ? loaded.rules : null;
     // Confirmer is shared by permission `ask` rules AND hook `ask` decisions,
     // so define it unconditionally (a `hook:` rule label flows through too).
-    _permissionConfirm = async ({ tool, args, rule }) => {
+    _permissionConfirm = async ({ tool, args, rule, reason }) => {
       await _fireNotification(
         `Permission needed: ${tool}${rule ? " (" + rule + ")" : ""}`,
       );
@@ -450,18 +452,11 @@ export async function startAgentRepl(options = {}) {
         output: process.stdout,
       });
       const q = (p) => new Promise((res) => rl.question(p, res));
-      const detail = args?.command
-        ? ` ${args.command}`
-        : args?.path
-          ? ` ${args.path}`
-          : "";
-      const ans = (
-        await q(
-          chalk.yellow(
-            `\n[Permission] ${rule} asks before ${tool}:${detail}\n  Proceed? (y/N) `,
-          ),
-        )
-      )
+      // Picks the right phrasing whether the caller passed a `rule`
+      // (settings/hook ask) or a `reason` (destructive-git / sensitive-file
+      // guards) — avoids the literal "null" the old template printed.
+      const header = buildPermissionPrompt({ tool, args, rule, reason });
+      const ans = (await q(chalk.yellow(`\n${header}\n  Proceed? (y/N) `)))
         .trim()
         .toLowerCase();
       rl.close();
@@ -3361,7 +3356,17 @@ export async function startAgentRepl(options = {}) {
           messages.push({ role: "assistant", content: streamResult.text });
         }
       } else if (!responseDirective.suppress) {
-        process.stdout.write("\n");
+        // Claude-Code 2.1.183 parity: a turn that completes with no answer text
+        // (model produced only extended-thinking blocks, or an empty response)
+        // otherwise returned to the prompt silently — looking like a no-op/hang.
+        // Surface a dim notice so the turn's completion is always visible.
+        const notice = emptyTurnNotice({
+          response: effectiveResponse,
+          reasoning,
+        });
+        process.stdout.write(
+          notice ? "\n" + chalk.dim("  " + notice) + "\n\n" : "\n",
+        );
       }
 
       // Auto-save session

package/src/repl/empty-turn-notice.js

@@ -0,0 +1,27 @@
+/**
+ * Decide the notice to show when an agent turn completes with NO answer text
+ * (Claude-Code 2.1.183 parity: "Fixed silent turn completion with only thinking
+ * blocks"). Without this, a turn whose model produced only extended-thinking
+ * blocks — or an empty response — returned to the prompt with nothing printed,
+ * looking like a silent no-op / hang.
+ *
+ * Pure + side-effect-free so it is unit-testable (the interactive REPL itself
+ * can't be driven over piped stdin). The REPL applies dim styling to the
+ * returned string.
+ *
+ * @param {object} opts
+ * @param {string} [opts.response]  the turn's final answer text
+ * @param {string} [opts.reasoning] extended-thinking text, if any
+ * @param {boolean} [opts.suppressed] true if an AssistantResponse hook suppressed the answer
+ * @returns {string|null} the notice text (no styling/newlines), or null when
+ *   the turn DID produce an answer or was hook-suppressed (nothing to add).
+ */
+export function emptyTurnNotice({ response, reasoning, suppressed } = {}) {
+  if (suppressed) return null;
+  // Truthiness mirrors the REPL's `if (effectiveResponse)` render branch: a
+  // non-empty answer (even whitespace) is printed there, so no notice is needed.
+  if (response) return null;
+  return reasoning
+    ? "(the model returned reasoning but no answer text)"
+    : "(the model returned no text response)";
+}

package/src/repl/permission-prompt.js

@@ -0,0 +1,26 @@
+/**
+ * Build the header line for the REPL's interactive permission prompt.
+ *
+ * The confirmer is shared by three callers that pass different shapes:
+ *   - settings `ask` rules / hook `ask`  → `rule` is set (e.g. "Bash", "hook:…")
+ *   - the destructive-git guard           → `reason` is set, `rule` is null
+ *   - the sensitive-file-write guard      → `reason` is set, `rule` is null
+ * The previous template interpolated `${rule}` unconditionally, so the
+ * rule-less guards rendered a literal "null" in the prompt. This picks the
+ * right phrasing for each case.
+ *
+ * Pure + side-effect-free so it is unit-testable (the interactive confirmer
+ * closure that consumes it cannot be driven over piped stdin).
+ *
+ * @returns {string} the prompt header (no styling, no trailing "Proceed?")
+ */
+export function buildPermissionPrompt({ tool, args, rule, reason } = {}) {
+  const detail = args?.command
+    ? ` ${args.command}`
+    : args?.path
+      ? ` ${args.path}`
+      : "";
+  if (rule) return `[Permission] rule "${rule}" asks before ${tool}:${detail}`;
+  if (reason) return `[Permission] ${reason}`;
+  return `[Permission] confirm ${tool}:${detail}`;
+}

package/src/runtime/agent-core.js

@@ -70,7 +70,8 @@ export function getActiveMcpServers() {
   return new Set(_activeMcpServers);
 }
 
-const { isReadOnlyGitCommand, normalizeGitCommand } = sharedCodingAgentPolicy;
+const { isDangerousGitCommand, isReadOnlyGitCommand, normalizeGitCommand } =
+  sharedCodingAgentPolicy;
 const { evaluateShellCommandPolicy } = sharedShellPolicy;
 const { evaluatePermissionRules } = sharedPermissionRules;
 const { collectHooks, umbrellaFor } = sharedSettingsHooks;
@@ -979,6 +980,37 @@ export async function executeTool(name, args, context = {}) {
     }
   }
 
+  // Destructive-git guard (Claude-Code 2.1.183 parity: "destructive git
+  // commands blocked when unintended"). The `git` tool otherwise runs any
+  // command unguarded in auto mode — including `reset --hard`, `clean -fd`,
+  // `restore .`, `push --force`, `branch -D`, `rebase`, `reflog expire` —
+  // which irrecoverably discard work. An explicit settings `allow`/confirmed
+  // `ask` (ruleAllowed) pre-authorizes; headless without a confirmer fails
+  // closed. Plan mode already blocks non-read-only git below.
+  if (
+    name === "git" &&
+    !ruleAllowed &&
+    !planManager.isActive() &&
+    isDangerousGitCommand(args?.command)
+  ) {
+    const confirm = context.permissionConfirm || context.shellConfirm || null;
+    const ok =
+      typeof confirm === "function"
+        ? await confirm({
+            tool: name,
+            args,
+            rule: null,
+            reason: `destructive git command: git ${normalizeGitCommand(args.command)}`,
+          })
+        : false;
+    if (!ok) {
+      return {
+        error: `[Destructive Git] "git ${normalizeGitCommand(args.command)}" discards work irrecoverably and requires confirmation — denied. Add a settings allow rule to pre-authorize.`,
+        policy: { decision: "ask", via: "destructive-git" },
+      };
+    }
+  }
+
   // Plan mode: check if tool is allowed (a settings `allow` rule pre-authorizes)
   if (
     planManager.isActive() &&

package/src/runtime/coding-agent-policy.cjs

@@ -234,6 +234,89 @@ function isReadOnlyGitCommand(command) {
   return READ_ONLY_GIT_SUBCOMMANDS.includes((subcommand || "").toLowerCase());
 }
 
+/**
+ * Classify a git command as DESTRUCTIVE — one that discards working-tree
+ * changes, deletes untracked files, or rewrites history/refs and therefore
+ * cannot be cleanly undone. Used to require confirmation before the `git`
+ * tool runs such a command in auto mode (Claude-Code 2.1.183 parity:
+ * "destructive git commands blocked when unintended").
+ *
+ * Conservative by design — common, recoverable operations (plain `reset`,
+ * `restore --staged`, branch switches, `--force-with-lease`, `rebase
+ * --continue`) are NOT flagged, so the guard only interrupts genuinely
+ * irrecoverable actions.
+ */
+function isDangerousGitCommand(command) {
+  const normalized = normalizeGitCommand(command);
+  if (!normalized) return false;
+  const tokens = normalized.split(/\s+/).filter(Boolean);
+  const sub = (tokens[0] || "").toLowerCase();
+  const rest = tokens.slice(1);
+  const lower = rest.map((t) => t.toLowerCase());
+  const has = (...flags) => flags.some((f) => lower.includes(f));
+
+  switch (sub) {
+    case "reset":
+      // --hard/--merge/--keep overwrite the working tree irrecoverably
+      // (plain/--soft/--mixed only move HEAD/index and are reflog-recoverable).
+      return has("--hard", "--merge", "--keep");
+    case "clean":
+      // Deletes untracked files — irrecoverable.
+      return true;
+    case "commit":
+      // `--amend` rewrites the last commit (history rewrite); a plain commit is
+      // not flagged. (Claude-Code 2.1.183 blocks amend of commits the agent did
+      // not make this session; we conservatively confirm on any amend.)
+      return has("--amend");
+    case "checkout":
+      // Discard working-tree changes: `checkout -- <path>`, `checkout .`,
+      // or `-f`/`--force` (a plain branch checkout is not flagged).
+      return lower.includes("--") || lower.includes(".") || has("-f", "--force");
+    case "restore":
+      // Worktree restore discards changes; a pure `--staged` restore only
+      // unstages and is recoverable.
+      return !(has("--staged", "-s") && !has("--worktree", "-w"));
+    case "switch":
+      return has("-f", "--force", "--discard-changes");
+    case "push":
+      // Rewrites or deletes remote refs:
+      //   --force/-f           → force overwrite remote history
+      //   a `+refspec` token   → per-ref force push (e.g. `push origin +main`)
+      //   --delete/-d, or a    → delete a remote branch/ref
+      //     `:dst` token (empty-source refspec, e.g. `push origin :main`)
+      //   --mirror             → can delete remote refs to mirror local
+      // `--force-with-lease`/`--force-if-includes` are the safe forms (distinct
+      // tokens from `--force`) and are NOT flagged; a normal `src:dst` refspec
+      // does not start with `:` so it is not flagged either.
+      return (
+        has("--force", "-f", "--delete", "-d", "--mirror") ||
+        rest.some((t) => t.startsWith("+") || t.startsWith(":"))
+      );
+    case "branch":
+      // `-D` (force delete, case-sensitive — `-d` only deletes merged branches)
+      // or an explicit `--delete --force`.
+      return rest.includes("-D") || (has("--delete") && has("-f", "--force"));
+    case "stash":
+      return ["drop", "clear"].includes((lower[0] || ""));
+    case "reflog":
+      return ["expire", "delete"].includes((lower[0] || ""));
+    case "update-ref":
+      return has("-d", "--delete");
+    case "filter-branch":
+    case "filter-repo":
+      return true;
+    case "gc":
+      return lower.some((t) => t.startsWith("--prune"));
+    case "rebase":
+      // History rewrite; control sub-actions (--abort/--continue/etc.) are safe.
+      return !["--abort", "--continue", "--skip", "--quit", "--edit-todo", "--show-current-patch"].includes(
+        lower[0] || "",
+      );
+    default:
+      return false;
+  }
+}
+
 function normalizeRiskLevel(value, fallback = RISK_LEVELS.MEDIUM) {
   if (value === RISK_LEVELS.LOW) return RISK_LEVELS.LOW;
   if (value === RISK_LEVELS.MEDIUM) return RISK_LEVELS.MEDIUM;
@@ -461,6 +544,7 @@ module.exports = {
   TOOL_POLICY_METADATA,
   evaluateToolPolicy,
   getToolPolicyMetadata,
+  isDangerousGitCommand,
   isReadOnlyGitCommand,
   normalizeGitCommand,
   resolveToolPolicy,

package/src/runtime/coding-agent-shell-policy.cjs

@@ -8,21 +8,55 @@ const SHELL_POLICY_DECISIONS = Object.freeze({
 });
 
 const BLOCKED_SHELL_RULES = Object.freeze([
-  {
-    id: "git-tool-reroute",
-    decision: SHELL_POLICY_DECISIONS.REROUTE,
-    test: ({ firstToken }) => firstToken === "git",
-    reason:
-      "Use the dedicated git tool instead of run_shell for repository operations.",
-  },
   {
     id: "dangerous-delete",
     decision: SHELL_POLICY_DECISIONS.DENY,
+    // Unix (rm) AND Windows/PowerShell deletes. This repo is Windows-primary
+    // (PowerShell is the default shell), where the `rm -rf` analog is
+    // `Remove-Item -Recurse -Force` / its alias `ri` — neither shares a first
+    // token with the Unix forms, so they must be listed explicitly. (`rm`/`del`
+    // already cover PowerShell's `rm`/`del` aliases; `rd` covers `rmdir`.)
     test: ({ firstToken }) =>
-      ["rm", "del", "erase", "rmdir", "rd"].includes(firstToken),
+      [
+        "rm",
+        "del",
+        "erase",
+        "rmdir",
+        "rd",
+        "remove-item",
+        "ri",
+      ].includes(firstToken),
     reason:
       "Destructive delete commands are blocked by the coding-agent shell policy.",
   },
+  {
+    // Disk / filesystem destroyers — near-zero legitimate use for a coding
+    // agent, catastrophic when wrong. Matched precisely so the common, benign
+    // PowerShell output formatters (Format-Table / Format-List / Format-Wide /
+    // Format-Custom / ft / fl) are NEVER caught — only `format` (cmd.exe disk
+    // format) and `Format-Volume` are. `dd` is blocked ONLY when writing to a
+    // raw block device (`of=/dev/…` / Windows `\\.\…`); file-image creation
+    // (`of=disk.img`) stays allowed.
+    id: "disk-destruction",
+    decision: SHELL_POLICY_DECISIONS.DENY,
+    test: ({ firstToken, normalized }) => {
+      if (firstToken === "format" || firstToken === "format-volume") return true;
+      if (firstToken === "mkfs" || firstToken.startsWith("mkfs.")) return true;
+      if (["wipefs", "shred", "diskpart"].includes(firstToken)) return true;
+      if (firstToken === "dd") {
+        return /\bof=(\/dev\/|\\\\)/i.test(normalized);
+      }
+      return false;
+    },
+    reason:
+      "Disk-destroying commands (format / Format-Volume / mkfs / wipefs / shred / diskpart / dd-to-device) are blocked by the coding-agent shell policy.",
+  },
+  // The dangerous-git-* DENY rules MUST precede `git-tool-reroute` below:
+  // `evaluateSegmentPolicy` returns the FIRST matching rule, and the reroute
+  // rule matches every git command. Ordering reroute first (as it was) made
+  // these DENYs unreachable dead code — a `git reset --hard && …` segment would
+  // only REROUTE. Destructive git now hard-DENYs on the run_shell path; the git
+  // tool itself separately confirms (isDangerousGitCommand) on its own path.
   {
     id: "dangerous-git-reset",
     decision: SHELL_POLICY_DECISIONS.DENY,
@@ -49,6 +83,40 @@ const BLOCKED_SHELL_RULES = Object.freeze([
     reason:
       "git clean is blocked by the coding-agent shell policy.",
   },
+  {
+    id: "git-tool-reroute",
+    decision: SHELL_POLICY_DECISIONS.REROUTE,
+    test: ({ firstToken }) => firstToken === "git",
+    reason:
+      "Use the dedicated git tool instead of run_shell for repository operations.",
+  },
+  {
+    // Infrastructure-as-Code teardown: `terraform destroy`, `pulumi destroy`,
+    // `cdk destroy`, `terragrunt destroy` (and the `terraform apply -destroy`
+    // flag variant). These tear down real cloud/infra resources and must not run
+    // unprompted. Overridable (via overrideRuleIds) when the user explicitly
+    // asks — mirrors Claude Code auto-mode safety for IaC destroy.
+    id: "iac-destroy",
+    decision: SHELL_POLICY_DECISIONS.DENY,
+    test: ({ firstToken, tokens }) =>
+      [
+        "terraform",
+        "terraform.exe",
+        "terragrunt",
+        "terragrunt.exe",
+        "pulumi",
+        "pulumi.exe",
+        "cdk",
+        "cdk.exe",
+        "cdklocal",
+      ].includes(firstToken) &&
+      tokens.some((token) => {
+        const t = token.toLowerCase();
+        return t === "destroy" || t === "-destroy" || t === "--destroy";
+      }),
+    reason:
+      "Infrastructure-as-Code destroy commands (terraform/pulumi/cdk/terragrunt) are blocked by the coding-agent shell policy unless explicitly requested.",
+  },
   {
     id: "network-download",
     decision: SHELL_POLICY_DECISIONS.DENY,

package/src/assets/web-panel/assets/ChatBubbleRenderer-3ihYfTKb.js

@@ -1 +0,0 @@
-import{I as h,P as u,J as S,U as n,R as a,S as y,K as C,Q as x,V as w,_ as B,b as s}from"./vendor-BvqAck49.js";import{_ as k}from"./index-DueHm10i.js";import"./icons-DP3uiYxy.js";const M={__name:"ChatBubbleRenderer",props:{event:{type:Object,required:!0}},setup(c,{expose:d}){d();const t=c,r=s(()=>{const e=t.event.content||{};return e.text||e.body||e.message||e.title||JSON.stringify(e).slice(0,200)}),i=s(()=>{const e=t.event.content||{};return e.from||e.sender||e.senderName||t.event.actor||"(unknown)"}),l=s(()=>{const e=(t.event.actor||"").toLowerCase();return e.includes("self")||e==="me"||e.endsWith("_self")}),o=s(()=>{const e=t.event.source.adapter||"";return e.startsWith("messaging-qq")?"magenta":e==="wechat"?"green":"blue"}),m=s(()=>{if(!t.event.occurredAt)return"";try{const e=new Date(t.event.occurredAt),p=e.getFullYear(),f=String(e.getMonth()+1).padStart(2,"0"),g=String(e.getDate()).padStart(2,"0"),b=String(e.getHours()).padStart(2,"0"),v=String(e.getMinutes()).padStart(2,"0");return`${p}-${f}-${g} ${b}:${v}`}catch{return""}}),_={props:t,messageText:r,actorLabel:i,isMine:l,adapterColor:o,formattedTime:m,computed:s};return Object.defineProperty(_,"__isScriptSetup",{enumerable:!1,value:!0}),_}},N={class:"bubble"},T={class:"meta"},R={class:"actor"},V={class:"time"},q={class:"body"};function D(c,d,t,r,i,l){const o=h("a-tag");return u(),S("div",{class:B(["chat-row",{mine:r.isMine}])},[n("div",N,[n("div",T,[n("span",R,a(r.actorLabel),1),n("span",V,a(r.formattedTime),1)]),n("div",q,a(r.messageText),1),t.event.source.adapter?(u(),y(o,{key:0,class:"src",color:r.adapterColor},{default:C(()=>[x(a(t.event.source.adapter),1)]),_:1},8,["color"])):w("v-if",!0)])],2)}const A=k(M,[["render",D],["__scopeId","data-v-49238629"],["__file","/tmp/cc-web-panel-Mosrcv/repo/packages/web-panel/src/components/pdh/renderers/ChatBubbleRenderer.vue"]]);export{A as default};

package/src/assets/web-panel/assets/MobileProjects-BzYrwU_s.js

@@ -1 +0,0 @@
-import{I as c,J as g,c as l,K as r,N as u,P as h,U as o,R as t,Q as b}from"./vendor-BvqAck49.js";import{_ as v,b as m}from"./index-DueHm10i.js";import{a7 as M,M as y}from"./icons-DP3uiYxy.js";const B={__name:"MobileProjects",setup(p,{expose:i}){i();const n=u(),{t:e}=m();function a(){n.push("/projects")}function _(){n.push("/mobile-bridge")}const s={router:n,t:e,goToProjects:a,goToMobileBridge:_,get useRouter(){return u},get useI18n(){return m},get MobileOutlined(){return y},get FolderOutlined(){return M}};return Object.defineProperty(s,"__isScriptSetup",{enumerable:!1,value:!0}),s}},x={class:"mobile-projects-placeholder"},O={class:"title"},k={class:"subtitle"},w={class:"explainer"};function T(p,i,n,e,a,_){const s=c("a-alert"),d=c("a-button"),f=c("a-space"),P=c("a-empty"),j=c("a-card");return h(),g("div",x,[l(j,null,{default:r(()=>[l(P,{description:!1},{image:r(()=>[l(e.MobileOutlined,{style:{fontSize:"64px",color:"#bfbfbf"}})]),default:r(()=>[o("h2",O,t(e.t("mobileProjects.title")),1),o("p",k,t(e.t("mobileProjects.subtitle")),1),l(s,{message:e.t("mobileProjects.v02Banner"),type:"info","show-icon":"",class:"banner"},null,8,["message"]),o("div",w,[o("h3",null,t(e.t("mobileProjects.currentDirection")),1),o("p",null,t(e.t("mobileProjects.currentDirectionBody")),1),o("ul",null,[o("li",null,t(e.t("mobileProjects.stepPhone")),1),o("li",null,t(e.t("mobileProjects.stepTap")),1),o("li",null,t(e.t("mobileProjects.stepPull")),1)]),o("h3",null,t(e.t("mobileProjects.reverseDirection")),1),o("p",null,t(e.t("mobileProjects.reverseDirectionBody")),1)]),l(f,{class:"actions"},{default:r(()=>[l(d,{type:"primary",onClick:e.goToProjects},{default:r(()=>[l(e.FolderOutlined),b(" "+t(e.t("mobileProjects.viewLocalProjects")),1)]),_:1}),l(d,{onClick:e.goToMobileBridge},{default:r(()=>[l(e.MobileOutlined),b(" "+t(e.t("mobileProjects.checkBridge")),1)]),_:1})]),_:1})]),_:1})]),_:1})])}const N=v(B,[["render",T],["__scopeId","data-v-9262cc45"],["__file","/tmp/cc-web-panel-Mosrcv/repo/packages/web-panel/src/views/MobileProjects.vue"]]);export{N as default};

package/src/assets/web-panel/assets/OrderTableRenderer-CdtRzrha.js

@@ -1 +0,0 @@
-import{I as w,P as l,J as u,U as s,R as n,c as i,K as v,Q as _,V as g,b as o}from"./vendor-BvqAck49.js";import{_ as S}from"./index-DueHm10i.js";import"./icons-DP3uiYxy.js";const k={__name:"OrderTableRenderer",props:{event:{type:Object,required:!0}},setup(p,{expose:r}){r();const a=p,e=o(()=>a.event.content||{}),d=o(()=>a.event.extra||{}),m=o(()=>d.value.merchant||e.value.merchant||e.value.counterparty||"—"),c=o(()=>e.value.title||e.value.name||e.value.itemName||e.value.text||"—"),y=o(()=>{const t=e.value.amount??e.value.price??e.value.total;return t==null?"—":`${e.value.currency||"¥"} ${typeof t=="number"?t.toFixed(2):t}`}),T=o(()=>d.value.orderNo||e.value.orderNo||e.value.orderId),f=o(()=>e.value.status||e.value.state),b=o(()=>{const t=(f.value||"").toLowerCase();return t.includes("成功")||t.includes("succe")||t.includes("paid")?"green":t.includes("退")||t.includes("refund")?"orange":t.includes("失败")||t.includes("fail")?"red":"default"}),h=o(()=>{if(!a.event.occurredAt)return"";const t=new Date(a.event.occurredAt);return`${t.getFullYear()}-${String(t.getMonth()+1).padStart(2,"0")}-${String(t.getDate()).padStart(2,"0")} ${String(t.getHours()).padStart(2,"0")}:${String(t.getMinutes()).padStart(2,"0")}`}),x={props:a,c:e,e:d,merchantText:m,itemText:c,amountText:y,orderNo:T,statusText:f,statusColor:b,formattedTime:h,computed:o};return Object.defineProperty(x,"__isScriptSetup",{enumerable:!1,value:!0}),x}},N={class:"order-card"},C={class:"head"},O={class:"time"},V={class:"row"},R={class:"val"},B={class:"row"},D={class:"val"},I={class:"row amount-row"},M={class:"val amount"},j={key:0,class:"row"},A={class:"val mono"},F={key:1,class:"row"};function P(p,r,a,e,d,m){const c=w("a-tag");return l(),u("div",N,[s("div",C,[s("span",O,n(e.formattedTime),1),i(c,{color:"gold"},{default:v(()=>[_(n(a.event.source.adapter),1)]),_:1}),i(c,null,{default:v(()=>[_(n(a.event.subtype),1)]),_:1})]),s("div",V,[r[0]||(r[0]=s("span",{class:"key"},"商户",-1)),s("span",R,n(e.merchantText),1)]),s("div",B,[r[1]||(r[1]=s("span",{class:"key"},"商品/项目",-1)),s("span",D,n(e.itemText),1)]),s("div",I,[r[2]||(r[2]=s("span",{class:"key"},"金额",-1)),s("span",M,n(e.amountText),1)]),e.orderNo?(l(),u("div",j,[r[3]||(r[3]=s("span",{class:"key"},"单号",-1)),s("span",A,n(e.orderNo),1)])):g("v-if",!0),e.statusText?(l(),u("div",F,[r[4]||(r[4]=s("span",{class:"key"},"状态",-1)),i(c,{color:e.statusColor},{default:v(()=>[_(n(e.statusText),1)]),_:1},8,["color"])])):g("v-if",!0)])}const K=S(k,[["render",P],["__scopeId","data-v-5ed5524d"],["__file","/tmp/cc-web-panel-Mosrcv/repo/packages/web-panel/src/components/pdh/renderers/OrderTableRenderer.vue"]]);export{K as default};

package/src/assets/web-panel/assets/devWarning-CUtg0_6Z.js

@@ -1 +0,0 @@
-import{O as r}from"./index-DueHm10i.js";const o=((n,a,e)=>{r(n,`[ant-design-vue: ${a}] ${e}`)});export{o as d};

package/src/assets/web-panel/assets/index-Buu4km5l.js

@@ -1 +0,0 @@
-import{A as o}from"./Row-DQJPE1Hl.js";import{U as t}from"./index-DueHm10i.js";import"./vendor-BvqAck49.js";import"./responsiveObserve-Do0AXkGf.js";import"./useFlexGapSupport-1L2Xx-45.js";import"./styleChecker-CQ6edivv.js";import"./index-dpy2EOcg.js";import"./icons-DP3uiYxy.js";const l=t(o);export{l as default};

package/src/assets/web-panel/assets/index-DJQBDN4o.js

@@ -1 +0,0 @@
-import{C as o}from"./Col-CNaC37C3.js";import{U as t}from"./index-DueHm10i.js";import"./vendor-BvqAck49.js";import"./index-dpy2EOcg.js";import"./icons-DP3uiYxy.js";const s=t(o);export{s as default};