daedalus-cli 0.4.2 → 0.5.0

package/AGENTS.md

@@ -0,0 +1,34 @@
+# Daedalus — Agent Conventions
+
+## Project Identity
+- **Name:** Daedalus (`daedalus-cli` on npm)
+- **Description:** Local-first AI coding CLI with embedded model router, multi-agent orchestration, and codebase indexing
+- **Language:** TypeScript (ESM, `"type": "module"`)
+- **Node:** >=20
+
+## Code Conventions
+- **No comments** in source files unless absolutely necessary for clarity
+- No emoji in code or docs unless user explicitly requests
+- Exports: named exports only (no default exports)
+- Types: Zod schemas in config files, interfaces in `src/types.ts`
+- Imports: always include `.js` extension in ESM imports (e.g., `'./file.js'`)
+- Error handling: throw typed errors, prefer `result` pattern for tool returns
+
+## Architecture
+- `src/index.ts` — CLI entry point, REPL loop, command dispatch
+- `src/config/` — Zod-schema validated config at `~/.daedalus/config.json`
+- `src/router/` — Model routing (priority/round-robin/fastest), health checks, rate limiting
+- `src/session/` — SQLite-backed session persistence, project memory, JSONL export
+- `src/agents/` — Multi-agent orchestration (planner, coder, reviewer, debugger, researcher)
+- `src/tools/` — 16 built-in tools + MCP transport (stdio + HTTP/SSE)
+- `src/indexing/` — FTS5 codebase indexing (TS/JS, Python, Go, Rust)
+
+## Testing
+- Framework: vitest
+- Run: `npm test` (vitest run)
+- No tests exist yet — add them under `src/` co-located as `*.test.ts`
+
+## important
+- never lint before asking
+- do not add comments
+- never use emojis

package/CHANGELOG.md

@@ -0,0 +1,70 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+- CONTRIBUTING.md, CODE_OF_CONDUCT.md, SECURITY.md — open-source governance docs
+- AGENTS.md — AI assistant conventions for tool-aided development
+- GitHub issue templates (bug report, feature request) and PR template
+- CHANGELOG.md — project changelog
+- User approval gate before dangerous tool execution (terminal, write_file)
+- MCP tool registration warning on startup
+- Personality: dry humor injected into system prompts, tool descriptions, agent roles, banner, and diff UI
+
+### Fixed
+
+- CRITICAL: Path traversal in resolvePath — now enforces project directory boundary
+- CRITICAL: Sub-agent auto-approval in diff UI — removed isSubAgent bypass
+- HIGH: Environment variables leaked to child processes — sanitized env in terminal and MCP stdio
+- HIGH: Shell injection in search_files — replaced shell command construction with direct spawn
+- HIGH: Config file world-readable permissions — chmod 0600 on non-Windows
+- HIGH: openEditor shell:true — changed to shell:false
+- HIGH: MCP stdio command injection — validates command for shell metacharacters
+- HIGH: Clipboard script security — added random suffix to temp files, size limit on text paste
+
+## [0.4.2] - 2026-06-18
+
+### Changed
+
+- Word-wrap box content to terminal width for better readability
+- User top border alignment fix
+- All message boxes share consistent border width
+
+### Added
+
+- Image paste support via `/paste` command
+- Dynamic version read from package.json
+
+## [0.4.1] - 2026-06-18
+
+### Changed
+
+- Made `indexCodebase` fully async so auto-index doesn't block startup
+- Updated README and package metadata
+- Renamed npm package to `daedalus-cli` (name conflict resolution)
+
+## [0.3.0] - 2026-06-18
+
+### Added
+
+- Initial release
+- CLI REPL with command dispatch, streaming chat, and tool execution
+- Model router with priority, round-robin, and fastest-response strategies
+- Health checking and token-bucket rate limiter
+- Session persistence via SQLite with JSONL import/export
+- Project memory — persisted facts and conventions auto-injected every turn
+- 16 built-in tools: file read/write/patch, terminal, git, web, todo, delegation, codebase search, project config
+- Interactive diff UI with y/n/a/s/e/d workflow
+- MCP support: stdio and HTTP/SSE transport
+- Multi-agent orchestration with 6 roles (orchestrator, planner, coder, reviewer, debugger, researcher)
+- Codebase indexing with FTS5 for TS/JS, Python, Go, Rust
+- Auto-discovery of local LLM servers (LM Studio, Ollama, llama.cpp, vLLM)
+- First-run onboarding wizard
+- Syntax highlighting for code blocks
+- Cross-platform support (Windows + Unix)

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,112 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+- Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+- The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+bgill55_dev@voxvivid.com. All complaints will be reviewed and investigated
+promptly and fairly.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact:** Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence:** A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact:** A violation through a single incident or series of actions.
+
+**Consequence:** A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact:** A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence:** A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact:** Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence:** A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html.
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq.

package/CONTRIBUTING.md

@@ -0,0 +1,165 @@
+# Contributing to Daedalus
+
+Thanks for your interest in contributing! Daedalus is a local-first AI coding CLI, and we welcome contributions of all kinds — bug fixes, features, documentation, and more.
+
+## Table of Contents
+
+- [Code of Conduct](#code-of-conduct)
+- [Getting Started](#getting-started)
+- [Development Setup](#development-setup)
+- [Project Structure](#project-structure)
+- [Coding Standards](#coding-standards)
+- [Commit Guidelines](#commit-guidelines)
+- [Pull Request Process](#pull-request-process)
+- [Testing](#testing)
+- [Reporting Issues](#reporting-issues)
+
+## Code of Conduct
+
+This project is governed by the [Contributor Covenant](CODE_OF_CONDUCT.md). By participating, you agree to uphold its terms.
+
+## Getting Started
+
+1. Fork the repository
+2. Clone your fork: `git clone https://github.com/<your-username>/daedalus.git`
+3. Create a feature branch: `git checkout -b feat/your-feature-name`
+
+## Development Setup
+
+```bash
+# Install dependencies
+npm install
+
+# Run in dev mode (hot reload)
+npm run dev
+
+# Build
+npm run build
+
+# Type check
+npx tsc --noEmit
+```
+
+### Prerequisites
+
+- Node.js 20+
+- A local LLM server (LM Studio, Ollama, llama.cpp, vLLM) or a remote API key
+
+## Project Structure
+
+```
+src/
+├── index.ts                # CLI entry point, REPL, command dispatch
+├── types.ts                # Shared type definitions
+├── highlight.ts            # Syntax highlighting
+├── config/                 # Configuration loading, schema, discovery
+├── router/                 # Model routing engine
+├── session/                # Session persistence (SQLite, JSONL)
+├── agents/                 # Multi-agent system
+├── tools/                  # Tool system (16 built-in tools + MCP)
+│   ├── builtin/            # File, terminal, git, web, todo, etc.
+│   └── mcp/                # MCP transport (stdio, HTTP/SSE)
+├── indexing/               # FTS5 codebase indexing
+└── onboarding/             # Setup wizard
+```
+
+## Coding Standards
+
+### Language & Runtime
+
+- **TypeScript** with strict mode
+- **ESM** only (`"type": "module"`) — always use `.js` extension in local imports
+- **Node.js 20+** target
+
+### Style
+
+- **No comments** in source code unless the logic is non-obvious
+- **No default exports** — use named exports everywhere
+- **No emoji** in code or documentation
+- **Descriptive names** — prefer clarity over brevity
+
+### Imports
+
+```typescript
+// Local imports must include .js extension
+import { RouterConfig } from '../router/types.js';
+
+// npm imports need no extension
+import { z } from 'zod';
+```
+
+### Error Handling
+
+- Throw typed errors with descriptive messages
+- Tools return `{ success: boolean, content: string, error?: string }`
+
+## Commit Guidelines
+
+We follow [Conventional Commits](https://www.conventionalcommits.org/):
+
+```
+<type>(<scope>): <description>
+
+[optional body]
+```
+
+### Types
+
+| Type     | Usage                        |
+|----------|------------------------------|
+| feat     | New feature                  |
+| fix      | Bug fix                      |
+| docs     | Documentation only           |
+| style    | Formatting, missing semicolons |
+| refactor | Code change that fixes neither bug nor adds feature |
+| perf     | Performance improvement      |
+| test     | Adding or updating tests     |
+| chore    | Build process, tooling, CI   |
+
+### Examples
+
+```
+feat(router): add temperature-per-model support
+fix(indexing): handle symlinked directories
+docs: add contributing guide
+test(session): add SQLite CRUD tests
+```
+
+## Pull Request Process
+
+1. **Small PRs are better** — keep each PR focused on one concern
+2. **Update the CHANGELOG** — add your change under the `[Unreleased]` section
+3. **Include tests** — new features should include tests; bug fixes should add a regression test
+4. **Pass CI** — ensure all checks pass (type check, lint, tests)
+5. **Request review** — tag a maintainer or mention `@bgill55`
+
+### PR Title Format
+
+Same as commit messages: `type(scope): description`
+
+## Testing
+
+```bash
+# Run all tests
+npm test
+
+# Watch mode
+npx vitest
+
+# With coverage
+npx vitest --coverage
+```
+
+Tests are written with [vitest](https://vitest.dev/) and co-located with source files as `*.test.ts`.
+
+## Reporting Issues
+
+- **Bug reports** — use the [bug report template](.github/ISSUE_TEMPLATE/bug_report.md)
+- **Feature requests** — use the [feature request template](.github/ISSUE_TEMPLATE/feature_request.md)
+- **Security issues** — see [SECURITY.md](SECURITY.md)
+
+Before filing, please search [existing issues](https://github.com/bgill55/daedalus/issues) to avoid duplicates.
+
+## Questions?
+
+Open a [Discussion](https://github.com/bgill55/daedalus/discussions) or reach out to the maintainer.

package/README.md

@@ -249,6 +249,20 @@ It's for local-first, private, customizable AI coding — with the power to grow
 
 ---
 
+## Contributing
+
+Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for our contribution guidelines, coding standards, and pull request process.
+
+This project is governed by a [Code of Conduct](CODE_OF_CONDUCT.md). Please report any unacceptable behavior.
+
+## Changelog
+
+See [CHANGELOG.md](CHANGELOG.md) for the project history.
+
+## Security
+
+Report security vulnerabilities privately to bgill55_art@outlook.com — see [SECURITY.md](SECURITY.md) for details.
+
 ## License
 
 MIT

package/SECURITY.md

@@ -0,0 +1,52 @@
+# Security Policy
+
+## Supported Versions
+
+We release patches for security vulnerabilities. This table shows which versions are currently supported:
+
+| Version | Supported          |
+|---------|--------------------|
+| 0.4.x   | :white_check_mark: |
+| < 0.4   | :x:                |
+
+## Reporting a Vulnerability
+
+We take security seriously. If you discover a security vulnerability in Daedalus, please **do not** open a public issue.
+
+Instead, send a private report to **bgill55_dev@voxvivid.com** with:
+
+- A description of the vulnerability
+- Steps to reproduce it
+- Affected versions
+- Any potential mitigations you've identified
+
+You should receive a response within 48 hours. If you don't, please follow up to ensure we received your message.
+
+### What to expect
+
+1. **Acknowledgment** — we'll confirm receipt within 48 hours
+2. **Assessment** — we'll investigate and determine impact and severity
+3. **Fix** — we'll develop and test a patch
+4. **Release** — we'll publish a security advisory and a patched release
+
+### Disclosure
+
+We ask that you allow us reasonable time to fix and release a patch before publicly disclosing the vulnerability.
+
+## Security Best Practices
+
+When using Daedalus:
+
+- **API keys** are stored in `~/.daedalus/config.json` — keep this file secure
+- **Local LLM servers** should be bound to localhost (127.0.0.1) to avoid network exposure
+- **Review tool execution** — Daedalus runs terminal commands you approve; review them before confirming
+- Keep Daedalus updated to the latest version to receive security patches
+
+## Scope
+
+The following are **out of scope**:
+
+- Social engineering attacks against Daedalus maintainers
+- Attacks requiring physical access to the victim's machine
+- Vulnerabilities in third-party LLM servers or providers
+- Denial of service against local services

package/dist/agents/roles.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"roles.d.ts","sourceRoot":"","sources":["../../src/agents/roles.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAE9D,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAqHjD,CAAC;AAGF,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,CAEpD;AAGD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,EAAE,CAI9F"}
+{"version":3,"file":"roles.d.ts","sourceRoot":"","sources":["../../src/agents/roles.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAE9D,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAuHjD,CAAC;AAGF,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,CAEpD;AAGD,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,MAAM,GAAG,cAAc,EAAE,CAI9F"}

package/dist/agents/roles.js

@@ -3,23 +3,23 @@ export const AGENT_ROLES = {
     orchestrator: {
         name: 'orchestrator',
         description: 'Plans, delegates, and coordinates multi-agent workflows',
-        systemPrompt: `You are an Orchestrator Agent. Your job is to break down complex tasks into subtasks and delegate them to specialized agents.
+        systemPrompt: `You are the Orchestrator Agent — the only agent allowed to have an ego. Your job is to break down complex tasks and delegate them to sub-agents who do the actual work.
 
 AVAILABLE SUB-AGENTS:
-- planner: Break down vague tasks into concrete, ordered subtasks
-- coder: Implement changes, write/edit files, fix bugs
-- reviewer: Code review: correctness, security, style, tests
-- debugger: Reproduce, isolate, fix bugs; add logging; bisect
-- researcher: Web search, docs lookup, API exploration
+- planner: Makes plans so you don't have to
+- coder: Writes code, occasionally reads it too
+- reviewer: Points out all the things you missed
+- debugger: Finds bugs so you can pretend you knew about them
+- researcher: Googles things for you
 
 WORKFLOW:
 1. Analyze the user's request
 2. Create a todo list with todo tool
-3. Delegate subtasks to appropriate agents using delegate_task tool
-4. Collect and synthesize results
-5. Present final outcome to user
+3. Delegate subtasks using delegate_task
+4. Let them do the heavy lifting
+5. Take credit for the results
 
-Always use the todo tool to track progress. Delegate liberally - agents run in parallel.`,
+Delegate liberally — agents run in parallel. You're the middle manager that actually works.`,
         allowedTools: ['todo', 'delegate_task', 'read_file', 'search_files', 'list_files', 'web_search'],
         canDelegate: true,
         temperature: 0.2,
@@ -27,14 +27,14 @@ Always use the todo tool to track progress. Delegate liberally - agents run in p
     planner: {
         name: 'planner',
         description: 'Breaks down vague tasks into concrete, ordered subtasks',
-        systemPrompt: `You are a Planning Agent. Your job is to analyze a task and create a clear, actionable plan.
+        systemPrompt: `You are a Planning Agent. You think before others leap. Your job is to analyze a task and create a clear, actionable plan.
 
 OUTPUT: A todo list with specific, ordered subtasks. Each task should be:
-- Concrete and verifiable
-- Assigned to an appropriate agent (coder, reviewer, debugger, researcher)
-- Sized to be completable in one agent session
+- Concrete and verifiable (not "do stuff")
+- Assigned to the right agent (coder, reviewer, debugger, researcher)
+- Sized to actually finish in one session
 
-Use the todo tool to create the plan. Do not implement - only plan.`,
+Use the todo tool. Do not implement — that's what the coder is for. You plan, they build, everyone wins.`,
         allowedTools: ['todo', 'read_file', 'search_files', 'list_files', 'terminal', 'web_search'],
         canDelegate: false,
         temperature: 0.2,
@@ -42,20 +42,20 @@ Use the todo tool to create the plan. Do not implement - only plan.`,
     coder: {
         name: 'coder',
         description: 'Implements changes, writes/edits files, fixes bugs',
-        systemPrompt: `You are a Coder Agent. Your job is to implement code changes based on the plan.
+        systemPrompt: `You are a Coder Agent — the one who actually does the work. You implement code changes based on the plan. If there's no plan, wing it, but don't tell anyone I said that.
 
 CAPABILITIES:
-- Read and understand existing code
+- Read and understand existing code (usually)
 - Write new files and edit existing ones
 - Run tests, builds, linters
-- Use git for version control
+- Use git — because you're not a monster
 
 GUIDELINES:
-- Make minimal, focused changes
-- Follow existing code style and patterns
-- Write tests for new functionality
-- Run tests to verify changes
-- Commit with clear messages
+- Make minimal, focused changes. No scope creep.
+- Follow existing code style. You're a guest in their codebase.
+- Write tests. Future-you will thank past-you.
+- Run tests. Yes, even the boring ones.
+- Commit with clear messages. "fixed stuff" is not a message.
 
 Use tools: read_file, write_file, patch, search_files, terminal, git_diff, git_status, todo.`,
         allowedTools: ['read_file', 'write_file', 'patch', 'search_files', 'list_files', 'terminal', 'git_diff', 'git_status', 'todo', 'web_search', 'fetch_url'],
@@ -65,16 +65,16 @@ Use tools: read_file, write_file, patch, search_files, terminal, git_diff, git_s
     reviewer: {
         name: 'reviewer',
         description: 'Code review: correctness, security, style, tests',
-        systemPrompt: `You are a Code Reviewer Agent. Your job is to review code for quality, security, and correctness.
+        systemPrompt: `You are a Code Reviewer Agent. You find problems so the coder can feel bad about them. Review code for quality, security, and correctness.
 
 FOCUS AREAS:
-- Correctness: Does the code do what it's supposed to?
-- Security: No vulnerabilities, proper auth, input validation
-- Style: Consistency with project conventions
-- Tests: Adequate coverage, meaningful assertions
-- Performance: No obvious bottlenecks
+- Correctness: Does the code do what it's supposed to, or just what it does?
+- Security: No vulnerabilities, proper auth, input validation — basic stuff
+- Style: Consistency with project conventions, not your personal preferences
+- Tests: Adequate coverage. "It compiles" is not a test.
+- Performance: No obvious bottlenecks. Premature optimization is not your job.
 
-OUTPUT: A review summary with specific, actionable comments. Use todo tool to track review items.`,
+OUTPUT: A review summary with specific, actionable comments. Be critical but not cruel. The coder is doing their best.`,
         allowedTools: ['read_file', 'search_files', 'list_files', 'terminal', 'git_diff', 'todo'],
         canDelegate: false,
         temperature: 0.1,
@@ -82,15 +82,17 @@ OUTPUT: A review summary with specific, actionable comments. Use todo tool to tr
     debugger: {
         name: 'debugger',
         description: 'Reproduces, isolates, and fixes bugs; adds logging; bisects',
-        systemPrompt: `You are a Debugger Agent. Your job is to find and fix bugs systematically.
+        systemPrompt: `You are a Debugger Agent. You find bugs and fix them. It's like being a detective, but all the suspects are your own code.
 
 PROCESS:
-1. Reproduce the issue (run tests, create test case)
-2. Isolate the root cause (add logging, bisect, analyze stack traces)
-3. Implement minimal fix
-4. Verify fix works and doesn't regress
+1. Reproduce the issue — run tests, create a test case, shake it until it breaks
+2. Isolate the root cause — add logging, bisect, analyze stack traces. Be methodical.
+3. Implement the minimal fix — the smallest change that makes it work
+4. Verify — does it work? Did you break something else? Probably yes, fix that too.
 
-TOOLS: read_file, write_file, patch, search_files, terminal, git_diff, git_status, todo.`,
+TOOLS: read_file, write_file, patch, search_files, terminal, git_diff, git_status, todo.
+
+Remember: 90% of debugging is reading error messages. Read them. All of them. Yes, that one too.`,
         allowedTools: ['read_file', 'write_file', 'patch', 'search_files', 'list_files', 'terminal', 'git_diff', 'git_status', 'todo'],
         canDelegate: false,
         temperature: 0.1,
@@ -98,15 +100,15 @@ TOOLS: read_file, write_file, patch, search_files, terminal, git_diff, git_statu
     researcher: {
         name: 'researcher',
         description: 'Web search, docs lookup, API exploration, unknowns',
-        systemPrompt: `You are a Research Agent. Your job is to gather information from external sources.
+        systemPrompt: `You are a Research Agent. You Google things so the coder doesn't have to. Your job is to gather information from external sources.
 
 CAPABILITIES:
 - Web search for technical information
-- Fetch and parse documentation
+- Fetch and parse documentation (yes, even the bad docs)
 - Explore APIs and libraries
-- Summarize findings for other agents
+- Summarize findings so others don't have to read 47 StackOverflow tabs
 
-OUTPUT: Concise summaries with source links. Use todo tool to track research questions.`,
+OUTPUT: Concise summaries with source links. No one wants to read your life story — just the facts. Use todo to track research questions.`,
         allowedTools: ['web_search', 'fetch_url', 'read_file', 'search_files', 'list_files', 'todo'],
         canDelegate: false,
         temperature: 0.3,

package/dist/agents/roles.js.map

@@ -1 +1 @@
-{"version":3,"file":"roles.js","sourceRoot":"","sources":["../../src/agents/roles.ts"],"names":[],"mappings":"AAAA,yBAAyB;AAczB,MAAM,CAAC,MAAM,WAAW,GAA8B;IACpD,YAAY,EAAE;QACZ,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,yDAAyD;QACtE,YAAY,EAAE;;;;;;;;;;;;;;;;yFAgBuE;QACrF,YAAY,EAAE,CAAC,MAAM,EAAE,eAAe,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,YAAY,CAAC;QAChG,WAAW,EAAE,IAAI;QACjB,WAAW,EAAE,GAAG;KACjB;IAED,OAAO,EAAE;QACP,IAAI,EAAE,SAAS;QACf,WAAW,EAAE,yDAAyD;QACtE,YAAY,EAAE;;;;;;;oEAOkD;QAChE,YAAY,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,CAAC;QAC3F,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;KACjB;IAED,KAAK,EAAE;QACL,IAAI,EAAE,OAAO;QACb,WAAW,EAAE,oDAAoD;QACjE,YAAY,EAAE;;;;;;;;;;;;;;;6FAe2E;QACzF,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,WAAW,CAAC;QACzJ,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;KACjB;IAED,QAAQ,EAAE;QACR,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,kDAAkD;QAC/D,YAAY,EAAE;;;;;;;;;kGASgF;QAC9F,YAAY,EAAE,CAAC,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC;QACzF,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;KACjB;IAED,QAAQ,EAAE;QACR,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE;;;;;;;;yFAQuE;QACrF,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,CAAC;QAC9H,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;KACjB;IAED,UAAU,EAAE;QACV,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,oDAAoD;QACjE,YAAY,EAAE;;;;;;;;wFAQsE;QACpF,YAAY,EAAE,CAAC,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,CAAC;QAC5F,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;KACjB;CACF,CAAC;AAEF,2CAA2C;AAC3C,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,KAAK,CAAC;AAChD,CAAC;AAED,mCAAmC;AACnC,MAAM,UAAU,kBAAkB,CAAC,KAAuB,EAAE,QAAgB;IAC1E,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACpC,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAClD,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AACxE,CAAC"}
+{"version":3,"file":"roles.js","sourceRoot":"","sources":["../../src/agents/roles.ts"],"names":[],"mappings":"AAAA,yBAAyB;AAczB,MAAM,CAAC,MAAM,WAAW,GAA8B;IACpD,YAAY,EAAE;QACZ,IAAI,EAAE,cAAc;QACpB,WAAW,EAAE,yDAAyD;QACtE,YAAY,EAAE;;;;;;;;;;;;;;;;4FAgB0E;QACxF,YAAY,EAAE,CAAC,MAAM,EAAE,eAAe,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,YAAY,CAAC;QAChG,WAAW,EAAE,IAAI;QACjB,WAAW,EAAE,GAAG;KACjB;IAED,OAAO,EAAE;QACP,IAAI,EAAE,SAAS;QACf,WAAW,EAAE,yDAAyD;QACtE,YAAY,EAAE;;;;;;;yGAOuF;QACrG,YAAY,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,CAAC;QAC3F,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;KACjB;IAED,KAAK,EAAE;QACL,IAAI,EAAE,OAAO;QACb,WAAW,EAAE,oDAAoD;QACjE,YAAY,EAAE;;;;;;;;;;;;;;;6FAe2E;QACzF,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,WAAW,CAAC;QACzJ,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;KACjB;IAED,QAAQ,EAAE;QACR,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,kDAAkD;QAC/D,YAAY,EAAE;;;;;;;;;uHASqG;QACnH,YAAY,EAAE,CAAC,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,CAAC;QACzF,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;KACjB;IAED,QAAQ,EAAE;QACR,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE;;;;;;;;;;iGAU+E;QAC7F,YAAY,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,CAAC;QAC9H,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;KACjB;IAED,UAAU,EAAE;QACV,IAAI,EAAE,YAAY;QAClB,WAAW,EAAE,oDAAoD;QACjE,YAAY,EAAE;;;;;;;;0IAQwH;QACtI,YAAY,EAAE,CAAC,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,CAAC;QAC5F,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,GAAG;KACjB;CACF,CAAC;AAEF,2CAA2C;AAC3C,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,KAAK,CAAC;AAChD,CAAC;AAED,mCAAmC;AACnC,MAAM,UAAU,kBAAkB,CAAC,KAAuB,EAAE,QAAgB;IAC1E,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACpC,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAClD,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AACxE,CAAC"}

package/dist/config/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AASxB,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAU3B,CAAC;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAS7B,CAAC;AAEH,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;EAQ1B,CAAC;AAEH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2EvB,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAiE1D,wBAAgB,UAAU,IAAI,cAAc,CAkB3C;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI,CASvD;AAED,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAED,wBAAgB,WAAW,IAAI,cAAc,CAG5C;AAGD,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAAC,CA+BjH"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/config/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AASxB,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAU3B,CAAC;AAEH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAS7B,CAAC;AAEH,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;EAQ1B,CAAC;AAEH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2EvB,CAAC;AAEH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAiE1D,wBAAgB,UAAU,IAAI,cAAc,CAkB3C;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,cAAc,GAAG,IAAI,CAgBvD;AAED,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAED,wBAAgB,WAAW,IAAI,cAAc,CAG5C;AAGD,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAAC,CA+BjH"}

package/dist/config/index.js

@@ -196,6 +196,13 @@ export function saveConfig(config) {
         fs.mkdirSync(configDir, { recursive: true });
     }
     fs.writeFileSync(configPath, JSON.stringify(config, null, 2), 'utf8');
+    // Restrict permissions on non-Windows — only owner can read
+    if (process.platform !== 'win32') {
+        try {
+            fs.chmodSync(configPath, 0o600);
+        }
+        catch { /* best-effort */ }
+    }
 }
 export function getConfigDirPath() {
     return getConfigDir();