codemini-cli 0.6.4 → 0.6.6

package/src/core/agent-loop.js

@@ -1,10 +1,12 @@
 import path from 'node:path';
 import { trimInline as _trimInline, normalizePath } from './string-utils.js';
 import { captureToInbox, listInbox } from './memory-store.js';
-import { requiresApprovalEvaluation } from './command-risk.js';
-import { getToolOutputSanitizeOptions, sanitizeTextForModel } from './tool-output.js';
-import { normalizeToolArguments } from './tool-args.js';
-import { storeResultIfNeeded, summarizeToolResult } from './tool-result-store.js';
+import { requiresApprovalEvaluation } from './command-risk.js';
+import { evaluateCommandPolicy } from './command-policy.js';
+import { getToolOutputSanitizeOptions, sanitizeTextForModel } from './tool-output.js';
+import { normalizeToolArguments } from './tool-args.js';
+import { storeResultIfNeeded, summarizeToolResult } from './tool-result-store.js';
+import { markRunCommandSafeModeApproved } from './tools.js';
 
 /**
  * 安全解析 JSON 字符串。
@@ -336,8 +338,12 @@ function extractToolResultMeta(toolName, result) {
 }
 
 export const trimInline = _trimInline;
-
-function normalizeAssistantText(value) {
+
+export function shouldDenyHighRiskRunEvaluation(config = {}, evaluation = {}) {
+  return config?.policy?.allow_dangerous_commands !== true && String(evaluation?.risk || '').toLowerCase() === 'high';
+}
+
+function normalizeAssistantText(value) {
   return String(value || '').trim();
 }
 
@@ -613,10 +619,10 @@ export async function runAgentLoop({
   let lastAutoDreamCheckStep = 0;
 
   // Mutable tool list — grows as tool_search loads deferred tools
-  const activeTools = [...toolDefinitions];
-
-  async function maybeRunAutoDream(stepNumber = 0, { force = false } = {}) {
-    if ((executionMode === 'auto' ? 'normal' : executionMode) === 'plan') return;
+  const activeTools = [...toolDefinitions];
+
+  async function maybeRunAutoDream(stepNumber = 0, { force = false } = {}) {
+    if (executionMode === 'plan') return;
     const interval = Math.max(1, Number(config?.memory?.auto_dream_check_interval_steps || 20));
     const normalizedStep = Math.max(1, Number(stepNumber || 1));
     if (!force && lastAutoDreamCheckStep > 0 && normalizedStep - lastAutoDreamCheckStep < interval) return;
@@ -724,14 +730,11 @@ export async function runAgentLoop({
 
     pendingSummaryNudges = 0;
 
-    const workMode = executionMode === 'auto' ? 'normal' : executionMode;
     const normalizedApprovalMode = ['review', 'auto', 'full_access'].includes(String(approvalMode || '').toLowerCase())
       ? String(approvalMode || '').toLowerCase()
-      : executionMode === 'auto'
-        ? 'auto'
-        : 'review';
+      : 'review';
 
-    if (workMode === 'plan') {
+    if (executionMode === 'plan') {
       const plannedLines = callsToPlanSummary(toolCalls);
       finalText = [
         assistantText || '',
@@ -762,9 +765,16 @@ export async function runAgentLoop({
       let approved = true;
       let approvalArgs = args;
       let preflightErrorContent = '';
+      const runPolicyCheck = toolName === 'run'
+        ? evaluateCommandPolicy(args?.command || '', config, config?.workspaceRoot || process.cwd())
+        : { allowed: true };
+      const isSafeModePolicyBlocked = toolName === 'run'
+        && config?.policy?.safe_mode !== false
+        && !runPolicyCheck.allowed
+        && runPolicyCheck.reason !== 'blocked by dangerous command pattern';
       const isSafeModeRun = toolName === 'run'
         && config?.policy?.safe_mode !== false
-        && requiresApprovalEvaluation(args?.command || '', config?.shell?.default);
+        && (isSafeModePolicyBlocked || requiresApprovalEvaluation(args?.command || '', config?.shell?.default));
       const isFileWriteTool = toolName === 'edit' || toolName === 'write' || toolName === 'delete';
       const needsApproval = normalizedApprovalMode === 'full_access'
         ? false
@@ -790,20 +800,46 @@ export async function runAgentLoop({
         if (toolName === 'run' && isSafeModeRun && !preflightErrorContent) {
           try {
             const { evaluateCommandWithLLM } = await import('./command-evaluator.js');
-            const evaluation = await evaluateCommandWithLLM({
-              command: args?.command || '',
-              config,
-              workspaceRoot: config?.workspaceRoot || process.cwd()
-            });
-            approvalArgs = { ...args, _risk: evaluation.risk, _evaluation: evaluation };
-            /* LLM says low-risk + allow → auto-approve, skip confirmation panel */
-            if (normalizedApprovalMode !== 'review' && evaluation.risk === 'low' && evaluation.recommendation === 'allow') {
-              approvalResults.set(call.id, { approved: true, args: approvalArgs });
-              continue;
-            }
-          } catch (_) {
-            approvalArgs = { ...args, _risk: 'high', _evaluation: null };
-          }
+            const evaluation = await evaluateCommandWithLLM({
+              command: args?.command || '',
+              config,
+              workspaceRoot: config?.workspaceRoot || process.cwd()
+            });
+            approvalArgs = {
+              ...args,
+              _risk: isSafeModePolicyBlocked && evaluation.risk === 'low' ? 'medium' : evaluation.risk,
+              _evaluation: evaluation,
+              _policyBlock: isSafeModePolicyBlocked
+                ? { reason: runPolicyCheck.reason, suggestion: runPolicyCheck.suggestion || '' }
+                : null
+            };
+            if (shouldDenyHighRiskRunEvaluation(config, evaluation)) {
+              preflightErrorContent = clipToolResult({
+                error: 'Command blocked by safe mode: high-risk command denied because dangerous commands are disabled',
+                evaluation
+              }, toolResultMaxChars);
+              approvalResults.set(call.id, {
+                approved: false,
+                args: approvalArgs,
+                errorContent: preflightErrorContent
+              });
+              continue;
+            }
+            /* LLM says low-risk + allow → auto-approve, skip confirmation panel */
+            if (!isSafeModePolicyBlocked && normalizedApprovalMode !== 'review' && evaluation.risk === 'low' && evaluation.recommendation === 'allow') {
+              approvalResults.set(call.id, { approved: true, args: approvalArgs });
+              continue;
+            }
+          } catch (_) {
+            approvalArgs = {
+              ...args,
+              _risk: isSafeModePolicyBlocked ? 'medium' : 'high',
+              _evaluation: null,
+              _policyBlock: isSafeModePolicyBlocked
+                ? { reason: runPolicyCheck.reason, suggestion: runPolicyCheck.suggestion || '' }
+                : null
+            };
+          }
           if (typeof handler?.prepareApproval === 'function') {
             try {
               const approval = await handler.prepareApproval(approvalArgs);
@@ -827,10 +863,13 @@ export async function runAgentLoop({
             arguments: approvalArgs,
             approvalDetails: toolName === 'delete' ? approvalArgs.approval
               : (toolName === 'run' ? approvalArgs.approval : undefined)
-          });
-          approved = Boolean(decision?.approved);
-        }
-      }
+          });
+          approved = Boolean(decision?.approved);
+          if (approved && toolName === 'run' && isSafeModePolicyBlocked) {
+            approvalArgs = markRunCommandSafeModeApproved(approvalArgs);
+          }
+        }
+      }
       approvalResults.set(call.id, { approved, args: approvalArgs });
     }
 

package/src/core/chat-runtime.js

@@ -45,7 +45,8 @@ import {
   createGitOplogChangeTracker,
   listGitOplogChanges,
   readGitOplogPatch,
-  undoGitOplogChange
+  undoGitOplogChange,
+  undoGitOplogChanges
 } from './git-oplog-change-tracker.js';
 import { createNonGitBackupManager } from './non-git-backup.js';
 
@@ -2606,8 +2607,8 @@ function buildRuntimeStateSnapshot({ currentSession, config, model, executionMod
     sessionId: currentSession?.id || '',
     sessionTitle: currentSession?.title || '',
     messageCount: Array.isArray(currentSession?.messages) ? currentSession.messages.length : 0,
-    mode: executionMode === 'auto' ? 'normal' : (executionMode || config.execution?.mode || 'normal'),
-    approvalMode: config.execution?.approval_mode || (executionMode === 'auto' ? 'auto' : 'review'),
+    mode: executionMode || config.execution?.mode || 'normal',
+    approvalMode: config.execution?.approval_mode || 'review',
     sdkProvider: config.sdk?.provider || 'openai-compatible',
     agentRole: 'general',
     model: model || config.model?.name || '',
@@ -3103,18 +3104,21 @@ async function askModel({
     projectContextGuidance
   });
 
-  const { definitions, handlers, formatters, deferredDefinitions, dispose: disposeTools } = getBuiltinTools({
-    workspaceRoot: process.cwd(),
-    config: {
-      ...config,
-      policy: {
-        ...(config.policy || {}),
-        allowed_paths: [
-          ...(Array.isArray(config.policy?.allowed_paths) ? config.policy.allowed_paths : []),
-          path.join(getSessionsDir(), String(session.id))
-        ]
-      }
-    },
+  const toolConfig = {
+    ...config,
+    workspaceRoot: process.cwd(),
+    policy: {
+      ...(config.policy || {}),
+      allowed_paths: [
+        ...(Array.isArray(config.policy?.allowed_paths) ? config.policy.allowed_paths : []),
+        path.join(getSessionsDir(), String(session.id))
+      ]
+    }
+  };
+
+  const { definitions, handlers, formatters, deferredDefinitions, dispose: disposeTools } = getBuiltinTools({
+    workspaceRoot: process.cwd(),
+    config: toolConfig,
     sessionId: session.id,
     onSystemEvent: onAgentEvent,
     getTodos: () => normalizeTodos(session.todos),
@@ -3386,7 +3390,7 @@ async function askModel({
     requestToolApproval,
     signal,
     skipAnalysisNudge,
-    config,
+    config: toolConfig,
     changeTracker: changeTracker?.enabled
       ? {
           begin: (meta) => beginGitOplogCapture(changeTracker, meta),
@@ -4697,7 +4701,7 @@ export async function createChatRuntime({
     currentSession.model = model;
   }
   const baseSystemPrompt = systemPrompt;
-  let executionMode = config.execution?.mode === 'auto' ? 'normal' : (config.execution?.mode || 'normal');
+  let executionMode = config.execution?.mode || 'normal';
   if (hasPendingPlanApproval(currentSession)) {
     executionMode = 'plan';
   }
@@ -6701,6 +6705,7 @@ export async function createChatRuntime({
     getChangeSets: () => listGitOplogChanges(changeTracker),
     getChangeSetPatch: (id) => readGitOplogPatch(changeTracker, id),
     undoChangeSet: (id) => undoGitOplogChange(changeTracker, id),
+    undoChangeSets: (ids) => undoGitOplogChanges(changeTracker, ids),
     reloadConfig: async (options = {}) => {
       config = await loadConfig();
       config.runtime = {

package/src/core/config-store.js

@@ -150,15 +150,13 @@ function normalizePolicyLists(config) {
   next.model.name = String(next.model.name || DEFAULT_CONFIG.model.name).trim() || DEFAULT_CONFIG.model.name;
   next.model.fast_name = String(next.model.fast_name || '').trim();
   const rawExecutionMode = String(next.execution.mode || '').toLowerCase();
-  const rawApprovalMode = String(next.execution.approval_mode || next.execution.approvalMode || '').toLowerCase().replace(/-/g, '_');
+  const rawApprovalMode = String(next.execution.approval_mode || '').toLowerCase().replace(/-/g, '_');
   next.execution.mode = ['normal', 'plan'].includes(rawExecutionMode)
     ? rawExecutionMode
     : 'normal';
   next.execution.approval_mode = ['review', 'auto', 'full_access'].includes(rawApprovalMode)
     ? rawApprovalMode
-    : rawExecutionMode === 'auto'
-      ? 'auto'
-      : 'review';
+    : 'review';
   const rawTools = Array.isArray(next.execution.always_allow_tools)
     ? next.execution.always_allow_tools
     : [];

package/src/core/git-oplog-change-tracker.js

@@ -190,13 +190,26 @@ async function buildPatchForFile(root, relativePath, before, after) {
       oldPath,
       newPath
     ], { cwd: tmp, allowFailure: true, timeoutMs: 120_000 });
-    if (result.code !== 1) return '';
-    const escaped = relativePath.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-    return result.stdout
-      .replace(new RegExp(`diff --git a/old/${escaped} b/new/${escaped}`), `diff --git a/${relativePath} b/${relativePath}`)
-      .replace(new RegExp(`--- a/old/${escaped}`), before.exists ? `--- a/${relativePath}` : '--- /dev/null')
-      .replace(new RegExp(`\\+\\+\\+ b/new/${escaped}`), after.exists ? `+++ b/${relativePath}` : '+++ /dev/null');
-  } finally {
+    if (result.code !== 1) return '';
+    const escaped = relativePath.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    let patch = result.stdout
+      .replace(new RegExp(`diff --git a/old/${escaped} b/new/${escaped}`), `diff --git a/${relativePath} b/${relativePath}`)
+      .replace(new RegExp(`--- a/old/${escaped}`), before.exists ? `--- a/${relativePath}` : '--- /dev/null')
+      .replace(new RegExp(`\\+\\+\\+ b/new/${escaped}`), after.exists ? `+++ b/${relativePath}` : '+++ /dev/null');
+    if (!before.exists && after.exists && !/^new file mode /m.test(patch)) {
+      patch = patch.replace(
+        new RegExp(`^(diff --git a/${escaped} b/${escaped})$`, 'm'),
+        `$1\nnew file mode 100644`
+      );
+    }
+    if (before.exists && !after.exists && !/^deleted file mode /m.test(patch)) {
+      patch = patch.replace(
+        new RegExp(`^(diff --git a/${escaped} b/${escaped})$`, 'm'),
+        `$1\ndeleted file mode 100644`
+      );
+    }
+    return patch;
+  } finally {
     await fs.rm(tmp, { recursive: true, force: true }).catch(() => {});
   }
 }
@@ -360,11 +373,11 @@ export async function readGitOplogPatch(tracker, opId) {
   return fs.readFile(op.patchPath, 'utf8');
 }
 
-export async function undoGitOplogChange(tracker, opId) {
-  if (!isGitOplogChangeTrackerAvailable(tracker)) throw new Error('Git change oplog is not available for this session');
-  const op = await readGitOplogChange(tracker, opId);
-  if (op.revertedAt) {
-    return { ok: false, alreadyReverted: true, changeSetId: op.id, message: 'Change already reverted' };
+export async function undoGitOplogChange(tracker, opId) {
+  if (!isGitOplogChangeTrackerAvailable(tracker)) throw new Error('Git change oplog is not available for this session');
+  const op = await readGitOplogChange(tracker, opId);
+  if (op.revertedAt) {
+    return { ok: false, alreadyReverted: true, changeSetId: op.id, message: 'Change already reverted' };
   }
   const patch = await fs.readFile(op.patchPath, 'utf8');
   try {
@@ -382,6 +395,74 @@ export async function undoGitOplogChange(tracker, opId) {
     timeoutMs: 120_000
   });
   op.revertedAt = new Date().toISOString();
-  await writeJson(path.join(tracker.opsDir, `${op.id}.json`), op);
-  return { ok: true, changeSetId: op.id };
-}
+  await writeJson(path.join(tracker.opsDir, `${op.id}.json`), op);
+  return { ok: true, changeSetId: op.id };
+}
+
+export async function undoGitOplogChanges(tracker, opIds = []) {
+  if (!isGitOplogChangeTrackerAvailable(tracker)) throw new Error('Git change oplog is not available for this session');
+  const ids = [];
+  const seen = new Set();
+  for (const rawId of Array.isArray(opIds) ? opIds : [opIds]) {
+    const id = String(rawId || '').trim();
+    if (!id || seen.has(id)) continue;
+    seen.add(id);
+    ids.push(id);
+  }
+  if (!ids.length) throw new Error('Missing change ids');
+  if (ids.length === 1) return undoGitOplogChange(tracker, ids[0]);
+
+  const ops = await Promise.all(ids.map((id) => readGitOplogChange(tracker, id)));
+  const reverted = ops.find((op) => op.revertedAt);
+  if (reverted) {
+    return { ok: false, alreadyReverted: true, changeSetId: reverted.id, message: 'Change already reverted' };
+  }
+
+  const order = new Map(ids.map((id, index) => [id, index]));
+  ops.sort((a, b) => {
+    const byTime = String(b.createdAt || '').localeCompare(String(a.createdAt || ''));
+    if (byTime) return byTime;
+    return (order.get(b.id) ?? 0) - (order.get(a.id) ?? 0);
+  });
+
+  const patches = await Promise.all(ops.map(async (op) => ({
+    op,
+    patch: await fs.readFile(op.patchPath, 'utf8')
+  })));
+  if (!patches.some((item) => String(item.patch || '').trim())) throw new Error('Missing change patch');
+
+  const applied = [];
+  try {
+    for (const item of patches) {
+      if (!String(item.patch || '').trim()) continue;
+      await runGit(['apply', '-R', '--check', '--whitespace=nowarn'], {
+        cwd: tracker.workspaceRoot,
+        input: item.patch,
+        timeoutMs: 120_000
+      });
+      await runGit(['apply', '-R', '--whitespace=nowarn'], {
+        cwd: tracker.workspaceRoot,
+        input: item.patch,
+        timeoutMs: 120_000
+      });
+      applied.push(item);
+    }
+  } catch (error) {
+    for (const item of applied.reverse()) {
+      await runGit(['apply', '--whitespace=nowarn'], {
+        cwd: tracker.workspaceRoot,
+        input: item.patch,
+        allowFailure: true,
+        timeoutMs: 120_000
+      });
+    }
+    throw new Error(`Cannot undo this change cleanly because newer edits conflict with it. Undo newer changes first, or revert it manually. ${error?.message || ''}`.trim());
+  }
+
+  const revertedAt = new Date().toISOString();
+  for (const op of ops) {
+    op.revertedAt = revertedAt;
+    await writeJson(path.join(tracker.opsDir, `${op.id}.json`), op);
+  }
+  return { ok: true, changeSetIds: ops.map((op) => op.id) };
+}

package/src/core/shell-profile.js

@@ -17,8 +17,9 @@ const SHELL_PROFILES = {
     shell: 'powershell',
     label: 'PowerShell',
     command_allowlist: [
-      'rg',
-      'git',
+      'rg',
+      'cd',
+      'git',
       'node',
       'npm',
       'npx',

package/src/core/tools.js

@@ -30,8 +30,8 @@ import {
   sanitizeTextForModel,
   summarizeRunOutput
 } from './tool-output.js';
-import {
-  normalizeFilePathValue,
+import {
+  normalizeFilePathValue,
   normalizePathArgs,
   parseInlineRangePath,
   normalizePatternArgs,
@@ -39,14 +39,28 @@ import {
   normalizeWebFetchArgs,
   normalizeWebSearchArgs,
   normalizeWriteArgs
-} from './tool-args.js';
-const BACKGROUND_TASK_RECENT_OUTPUT_LIMIT = 80;
-const BACKGROUND_TASK_POLL_MS = 150;
-const MAX_AST_ENCLOSING_BYTES = 300_000;
-const MAX_AST_ENCLOSING_LINES = 5_000;
-const backgroundTaskRegistry = new Map();
-let backgroundTaskCounter = 0;
-let backgroundTaskLogCursorCounter = 0;
+} from './tool-args.js';
+const BACKGROUND_TASK_RECENT_OUTPUT_LIMIT = 80;
+const BACKGROUND_TASK_POLL_MS = 150;
+const MAX_AST_ENCLOSING_BYTES = 300_000;
+const MAX_AST_ENCLOSING_LINES = 5_000;
+const RUN_COMMAND_SAFE_MODE_APPROVED = Symbol('runCommandSafeModeApproved');
+const backgroundTaskRegistry = new Map();
+let backgroundTaskCounter = 0;
+let backgroundTaskLogCursorCounter = 0;
+
+export function markRunCommandSafeModeApproved(args = {}) {
+  const next = { ...(args && typeof args === 'object' ? args : {}) };
+  Object.defineProperty(next, RUN_COMMAND_SAFE_MODE_APPROVED, {
+    value: true,
+    enumerable: false
+  });
+  return next;
+}
+
+export function hasRunCommandSafeModeApproval(args = {}) {
+  return Boolean(args?.[RUN_COMMAND_SAFE_MODE_APPROVED]);
+}
 
 async function realpathIfExists(targetPath) {
   try {
@@ -1125,11 +1139,11 @@ async function runCommand(root, config, args) {
     throw new Error('Command blocked by policy');
   }
 
-  const check = evaluateCommandPolicy(command, config, root);
-  if (!check.allowed) {
-    throw new Error(
-      `Command blocked by safe mode: ${check.reason}${check.suggestion ? ` | ${check.suggestion}` : ''}`
-    );
+  const check = evaluateCommandPolicy(command, config, root);
+  if (!check.allowed && !hasRunCommandSafeModeApproval(args)) {
+    throw new Error(
+      `Command blocked by safe mode: ${check.reason}${check.suggestion ? ` | ${check.suggestion}` : ''}`
+    );
   }
 
   const shouldBackground =
@@ -1296,11 +1310,11 @@ async function startBackgroundTask(root, config, args) {
   ) {
     throw new Error('Command blocked by policy');
   }
-  const check = evaluateCommandPolicy(command, config, root);
-  if (!check.allowed) {
-    throw new Error(
-      `Command blocked by safe mode: ${check.reason}${check.suggestion ? ` | ${check.suggestion}` : ''}`
-    );
+  const check = evaluateCommandPolicy(command, config, root);
+  if (!check.allowed && !hasRunCommandSafeModeApproval(args)) {
+    throw new Error(
+      `Command blocked by safe mode: ${check.reason}${check.suggestion ? ` | ${check.suggestion}` : ''}`
+    );
   }
 
   const shellSpec = resolveShell(config.shell.default);
@@ -1664,9 +1678,9 @@ function editResult(pathText, action, beforeContent, afterContent, changedLine =
   };
 }
 
-function lineRangeToOffsets(content, startLineRaw, endLineRaw) {
-  const lines = splitLines(content);
-  const totalLines = lines.length;
+function lineRangeToOffsets(content, startLineRaw, endLineRaw) {
+  const lines = splitLines(content);
+  const totalLines = lines.length;
   const startLine = Math.max(1, Math.min(totalLines, Number(startLineRaw) || 1));
   const endLine = Math.max(startLine, Math.min(totalLines, Number(endLineRaw) || startLine));
   let startOffset = 0;
@@ -1678,12 +1692,64 @@ function lineRangeToOffsets(content, startLineRaw, endLineRaw) {
     endOffset += lines[i - 1].length;
     if (i < endLine) endOffset += 1;
   }
-  return { startLine, endLine, startOffset, endOffset };
-}
-
-async function replaceBlock(root, args, config = {}) {
-  const relativePath = String(args?.path || '').trim();
-  const newContent = String(args?.new_content || args?.content || '');
+  return { startLine, endLine, startOffset, endOffset };
+}
+
+function normalizeNewlinesWithMap(text) {
+  const source = String(text || '');
+  const chars = [];
+  const indexMap = [];
+  for (let i = 0; i < source.length; i += 1) {
+    const ch = source[i];
+    if (ch === '\r') {
+      chars.push('\n');
+      indexMap.push(i);
+      if (source[i + 1] === '\n') i += 1;
+      continue;
+    }
+    chars.push(ch);
+    indexMap.push(i);
+  }
+  return { text: chars.join(''), indexMap };
+}
+
+function detectEol(text) {
+  const sample = String(text || '');
+  const crlf = (sample.match(/\r\n/g) || []).length;
+  const loneLf = (sample.match(/(?<!\r)\n/g) || []).length;
+  const loneCr = (sample.match(/\r(?!\n)/g) || []).length;
+  if (crlf >= loneLf && crlf >= loneCr && crlf > 0) return '\r\n';
+  if (loneCr > loneLf && loneCr > 0) return '\r';
+  return '\n';
+}
+
+function applyEol(text, eol) {
+  return String(text || '').replace(/\r\n|\r|\n/g, eol || '\n');
+}
+
+function findLineEndingEquivalentMatches(content, oldText) {
+  const normalizedOld = normalizeNewlinesWithMap(oldText).text;
+  if (!normalizedOld) return [];
+  const normalizedContent = normalizeNewlinesWithMap(content);
+  const matches = [];
+  let pos = 0;
+  while (true) {
+    const found = normalizedContent.text.indexOf(normalizedOld, pos);
+    if (found === -1) break;
+    const start = normalizedContent.indexMap[found] ?? 0;
+    const endNorm = found + normalizedOld.length;
+    const end = endNorm >= normalizedContent.text.length
+      ? String(content || '').length
+      : normalizedContent.indexMap[endNorm];
+    matches.push({ start, end });
+    pos = found + Math.max(1, normalizedOld.length);
+  }
+  return matches;
+}
+
+async function replaceBlock(root, args, config = {}) {
+  const relativePath = String(args?.path || '').trim();
+  const newContent = String(args?.new_content || args?.content || '');
   const target = args?.target || {};
   const state = await getFileState(root, relativePath, config);
   const resolved = resolveReplaceBlockTarget(state, target);
@@ -1712,14 +1778,39 @@ async function replaceText(root, args, config = {}) {
   const rangeStart = Number(args?.start_line || args?.line);
   const rangeEnd = Number(args?.end_line || args?.line);
   const hasRange = Number.isFinite(rangeStart) && rangeStart > 0;
-  const range = hasRange
-    ? lineRangeToOffsets(state.content, rangeStart, Number.isFinite(rangeEnd) && rangeEnd >= rangeStart ? rangeEnd : rangeStart)
-    : null;
-  const searchContent = range ? state.content.slice(range.startOffset, range.endOffset) : state.content;
-  const occurrences = searchContent.split(oldText).length - 1;
-  if (occurrences !== 1) {
-    if (replaceAll && occurrences > 0) {
-      const replaced = searchContent.replaceAll(oldText, newText);
+  const range = hasRange
+    ? lineRangeToOffsets(state.content, rangeStart, Number.isFinite(rangeEnd) && rangeEnd >= rangeStart ? rangeEnd : rangeStart)
+    : null;
+  const searchContent = range ? state.content.slice(range.startOffset, range.endOffset) : state.content;
+  const occurrences = searchContent.split(oldText).length - 1;
+  let newlineMatches = null;
+  if (occurrences === 0 && /[\r\n]/.test(oldText)) {
+    newlineMatches = findLineEndingEquivalentMatches(searchContent, oldText);
+    if ((replaceAll && newlineMatches.length > 0) || newlineMatches.length === 1) {
+      let cursor = 0;
+      let replaced = '';
+      for (const match of newlineMatches) {
+        const originalMatch = searchContent.slice(match.start, match.end);
+        replaced += searchContent.slice(cursor, match.start);
+        replaced += applyEol(newText, detectEol(originalMatch));
+        cursor = match.end;
+        if (!replaceAll) break;
+      }
+      replaced += searchContent.slice(cursor);
+      const afterContent = range
+        ? `${state.content.slice(0, range.startOffset)}${replaced}${state.content.slice(range.endOffset)}`
+        : replaced;
+      await fs.writeFile(state.target, afterContent, 'utf8');
+      const first = newlineMatches[0];
+      const changedLine = range
+        ? range.startLine + splitLines(searchContent.slice(0, first.start)).length - 1
+        : splitLines(state.content.slice(0, first.start)).length;
+      return editResult(relativePath, 'replace_text', state.content, afterContent, changedLine);
+    }
+  }
+  if (occurrences !== 1) {
+    if (replaceAll && occurrences > 0) {
+      const replaced = searchContent.replaceAll(oldText, newText);
       const afterContent = range
         ? `${state.content.slice(0, range.startOffset)}${replaced}${state.content.slice(range.endOffset)}`
         : state.content.replaceAll(oldText, newText);
@@ -1744,13 +1835,14 @@ async function replaceText(root, args, config = {}) {
       lineDetails.push(`  Line ${lineNum}: ${lineText}`);
       searchPos = pos + oldText.length;
     }
-    const lineHint = lineDetails.length > 0 ? `\n${lineDetails.join('\n')}\n` : ' ';
-    throw new Error(
-      occurrences === 0
-        ? 'replace_text old_text not found'
-        : `replace_text old_text not unique; found ${occurrences} occurrences:${lineHint}Use path:"${relativePath}:N-M" to narrow the range, set replace_all=true, or provide more unique old_text`
-    );
-  }
+    const lineHint = lineDetails.length > 0 ? `\n${lineDetails.join('\n')}\n` : ' ';
+    const effectiveOccurrences = newlineMatches?.length || occurrences;
+    throw new Error(
+      effectiveOccurrences === 0
+        ? 'replace_text old_text not found'
+        : `replace_text old_text not unique; found ${effectiveOccurrences} occurrences:${lineHint}Use path:"${relativePath}:N-M" to narrow the range, set replace_all=true, or provide more unique old_text`
+    );
+  }
   const replaced = searchContent.replace(oldText, newText);
   const afterContent = range
     ? `${state.content.slice(0, range.startOffset)}${replaced}${state.content.slice(range.endOffset)}`
@@ -2842,13 +2934,14 @@ export function getBuiltinTools({ workspaceRoot = process.cwd(), config, onSyste
     run: Object.assign(
       (args) => runCommand(workspaceRoot, config, args),
       {
-        prepareApproval: async (args) => ({
-          command: args?.command || '',
-          risk: args?._risk || 'high',
-          evaluation: args?._evaluation || null
-        })
-      }
-    ),
+        prepareApproval: async (args) => ({
+          command: args?.command || '',
+          risk: args?._risk || 'high',
+          evaluation: args?._evaluation || null,
+          policyBlock: args?._policyBlock || null
+        })
+      }
+    ),
     save_memory: async (args = {}) => {
       const rawScope = String(args.scope || 'global').toLowerCase();
       const memoryScope = rawScope === 'repo' || rawScope === 'project' ? 'project'