demian-cli 1.1.2 → 1.2.1

package/dist/cli.mjs

@@ -2,7 +2,7 @@
 import { createRequire } from 'node:module'; const require = createRequire(import.meta.url);
 
 // src/cli.ts
-import path35 from "node:path";
+import path36 from "node:path";
 
 // src/agents/types.ts
 function normalizeAgent(input2) {
@@ -17,6 +17,9 @@ function normalizeAgent(input2) {
     defaultDecision: definition.defaultDecision ?? definition.authority?.defaultDecision,
     mode: definition.mode,
     hidden: definition.hidden,
+    defaultProviders: definition.defaultProviders,
+    permissionIntent: definition.permissionIntent,
+    runtimeOverlays: definition.runtimeOverlays,
     provider: definition.provider,
     delegation: definition.delegation,
     catalog: definition.catalog,
@@ -42,7 +45,7 @@ function isCoworkableAgent(agent) {
   if (agent.hidden) return false;
   const mode = agent.mode ?? "primary";
   if (mode !== "subagent" && mode !== "all") return false;
-  return agent.delegation?.coworkable ?? agent.delegation?.callable ?? false;
+  return agent.delegation?.coworkable === true;
 }
 
 // src/agents/build.ts
@@ -50,10 +53,12 @@ var buildAgent = {
   name: "build",
   description: "General coding agent for scoped implementation work.",
   mode: "all",
-  tools: ["read_file", "write_file", "edit_file", "bash", "grep", "glob", "web_search"],
+  tools: ["read_file", "write_file", "edit_file", "bash", "grep", "glob", "web_search", "update_plan", "report_progress"],
   systemPrompt: [
     "You are demian build, a local coding agent.",
     "Use tools to inspect and modify the workspace. Keep changes scoped to the user's request.",
+    "Before tool-heavy implementation work, use update_plan and report_progress so the user can see what you are about to verify or change and why it matters.",
+    "During longer work, report meaningful milestones in conversational sentences. Explain the purpose, what the evidence or result means, and what you will do next instead of listing raw tool names or command output.",
     "Match the user's language for all user-facing text, including progress-style narration and final results. If the user writes in Korean, write user-facing text in Korean while keeping code identifiers, paths, commands, and tool names unchanged.",
     "Use web_search when current external information is needed.",
     "Tool names are fixed by the runtime. In multi-agent mode, delegate_agent may also be available for bounded specialist work.",
@@ -64,6 +69,8 @@ var buildAgent = {
     { tool: "read_file", decision: "allow" },
     { tool: "grep", decision: "allow" },
     { tool: "glob", decision: "allow" },
+    { tool: "update_plan", decision: "allow" },
+    { tool: "report_progress", decision: "allow" },
     { tool: "web_search", decision: "ask" },
     { tool: "write_file", decision: "ask" },
     { tool: "edit_file", decision: "ask" },
@@ -109,6 +116,7 @@ var claudeCodeAgent = {
     { tool: "claudecode.Read", decision: "allow" },
     { tool: "claudecode.Grep", decision: "allow" },
     { tool: "claudecode.Glob", decision: "allow" },
+    { tool: "claudecode.LS", decision: "allow" },
     { tool: "claudecode.Edit", decision: "ask" },
     { tool: "claudecode.Write", decision: "ask" },
     { tool: "claudecode.MultiEdit", decision: "ask" },
@@ -137,144 +145,186 @@ var claudeCodeAgent = {
     ]
   }
 };
-var claudeCodeExplorerAgent = {
-  name: "claudecode-explorer",
-  description: "Claude Code external read-only explorer for cowork repository inspection.",
-  mode: "subagent",
-  provider: { profile: "claudecode", permissionProfile: "explore" },
-  tools: [],
-  systemPrompt: [
-    "You are demian claudecode-explorer, a Claude Code external runtime working as a read-only cowork sub agent for Demian.",
-    "Demian is the main coordinator. Inspect the repository only within the delegated task and return concise findings.",
-    "Never edit files, write files, run shell commands, or request write permissions. If the task requires mutation, return a blocker for Demian."
-  ].join("\n"),
-  permissions: [
-    { tool: "claudecode.Read", decision: "allow" },
-    { tool: "claudecode.Grep", decision: "allow" },
-    { tool: "claudecode.Glob", decision: "allow" },
-    { tool: "claudecode.Edit", decision: "deny", reason: "read-only explorer" },
-    { tool: "claudecode.Write", decision: "deny", reason: "read-only explorer" },
-    { tool: "claudecode.MultiEdit", decision: "deny", reason: "read-only explorer" },
-    { tool: "claudecode.Bash", decision: "deny", reason: "read-only explorer" }
+
+// src/agents/cowork.ts
+var readPermissions = [
+  { tool: "read_file", decision: "allow" },
+  { tool: "grep", decision: "allow" },
+  { tool: "glob", decision: "allow" },
+  { tool: "update_plan", decision: "allow" },
+  { tool: "report_progress", decision: "allow" }
+];
+var readProgressTools = ["read_file", "grep", "glob", "update_plan", "report_progress"];
+var writePermissions = [
+  ...readPermissions,
+  { tool: "edit_file", decision: "ask" },
+  { tool: "write_file", decision: "ask" },
+  { tool: "bash", decision: "ask" },
+  { tool: "*", match: { pathGlob: "**/.env" }, decision: "deny", reason: "secrets" },
+  { tool: "*", match: { pathGlob: "**/.env.*" }, decision: "deny", reason: "secrets" },
+  { tool: "*", match: { pathGlob: "node_modules/**" }, decision: "deny", reason: "vendored" }
+];
+var plannerAgent = coworkAgent({
+  name: "planner",
+  description: "Provider-agnostic planner for decomposing ambiguous or multi-step engineering work.",
+  defaultProviders: ["codex", "anthropic", "openai"],
+  permissionIntent: "manage",
+  category: "planner",
+  cost: "standard",
+  tools: readProgressTools,
+  permissions: readPermissions,
+  defaultDecision: "deny",
+  prompt: [
+    "You are demian planner, a planning cowork sub agent for Demian.",
+    "Inspect the delegated scope read-only and return an implementation plan, sequencing, risks, and verification strategy.",
+    "Use update_plan and report_progress to keep Demian's visible progress current when the investigation takes multiple tool calls. Report the planning question you are narrowing, what the evidence implies, and what you will inspect next. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "Do not edit files. Do not ask the user directly; return blockers or questions for the parent Demian coordinator."
   ],
+  useWhen: ["A parallel planning perspective may clarify scope, sequencing, risks, or verification."],
+  avoidWhen: ["The work is already clear and a bounded writer can proceed."]
+});
+var architectAgent = coworkAgent({
+  name: "architect",
+  description: "Provider-agnostic architect for structure, design, and long-term maintainability decisions.",
+  defaultProviders: ["codex", "anthropic"],
+  permissionIntent: "manage",
+  category: "planner",
+  cost: "standard",
+  tools: readProgressTools,
+  permissions: readPermissions,
   defaultDecision: "deny",
-  delegation: {
-    callable: true,
-    coworkable: true,
-    canDelegate: false,
-    canCowork: false,
-    invocationDecision: "allow"
-  },
-  catalog: {
-    category: "researcher",
-    cost: "standard",
-    useWhen: ["A cowork group needs Claude Code's repository navigation for read-only exploration."],
-    avoidWhen: ["The task requires editing, shell commands, or direct user conversation."]
-  }
-};
-var claudeCodeBuilderAgent = {
-  name: "claudecode-builder",
-  description: "Claude Code-backed builder for bounded cowork implementation tasks.",
-  mode: "subagent",
-  provider: { profile: "claudecode", permissionProfile: "build" },
-  tools: [],
-  systemPrompt: [
-    "You are demian claudecode-builder, a Claude Code external runtime working as a writer cowork sub agent for Demian.",
-    "Demian is the main coordinator. Implement only the delegated task and only inside the provided writeScope.",
-    "If you need broader scope, credentials, user approval, or product decisions, stop and return a concise blocker for Demian.",
-    "Return changed files, verification performed, patch summary, and remaining blockers. Do not present yourself as the primary assistant."
-  ].join("\n"),
-  permissions: [
-    { tool: "claudecode.Read", decision: "allow" },
-    { tool: "claudecode.Grep", decision: "allow" },
-    { tool: "claudecode.Glob", decision: "allow" },
-    { tool: "claudecode.Edit", decision: "ask" },
-    { tool: "claudecode.Write", decision: "ask" },
-    { tool: "claudecode.MultiEdit", decision: "ask" },
-    { tool: "claudecode.Bash", decision: "ask" },
-    { tool: "claudecode.*", match: { pathGlob: "**/.env" }, decision: "deny", reason: "secrets" },
-    { tool: "claudecode.*", match: { pathGlob: "**/.env.*" }, decision: "deny", reason: "secrets" },
-    { tool: "claudecode.*", match: { pathGlob: "node_modules/**" }, decision: "deny", reason: "vendored" }
+  prompt: [
+    "You are demian architect, a design cowork sub agent for Demian.",
+    "Inspect the repository and proposed work read-only. Focus on architecture, interfaces, coupling, migration risk, and maintainability.",
+    "Use update_plan and report_progress to summarize what design question you are answering, what the evidence means for the architecture, and what you will inspect next. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "Return concrete design recommendations and risks for the parent Demian coordinator."
+  ],
+  useWhen: ["A change needs architectural judgment, interface design, or cross-module risk assessment."],
+  avoidWhen: ["The task is a small mechanical edit."]
+});
+var supervisorAgent = coworkAgent({
+  name: "supervisor",
+  description: "Provider-agnostic supervisory reviewer for overall risk, integration quality, and final review.",
+  defaultProviders: ["codex", "anthropic"],
+  permissionIntent: "review",
+  category: "reviewer",
+  cost: "standard",
+  tools: readProgressTools,
+  permissions: readPermissions,
+  defaultDecision: "deny",
+  prompt: [
+    "You are demian supervisor, a skeptical supervisory cowork sub agent for Demian.",
+    "Review plans, diffs, integration risks, missing tests, and final readiness. Do not edit files.",
+    "Use update_plan and report_progress to expose review progress when the review requires several reads. Include the review focus, the risk you are checking, and the next evidence you will seek. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "Return concise findings with severity, file references when useful, and a clear recommendation."
+  ],
+  useWhen: ["A second model should review a design, implementation plan, diff, or test strategy before Demian answers."],
+  avoidWhen: ["The task needs direct workspace edits from this member."]
+});
+var researcherAgent = coworkAgent({
+  name: "researcher",
+  description: "Provider-agnostic researcher for repo inspection, external research, and evidence gathering.",
+  defaultProviders: ["codex", "claudecode", "anthropic"],
+  permissionIntent: "read-only",
+  category: "researcher",
+  cost: "standard",
+  tools: [...readProgressTools, "web_search"],
+  permissions: [...readPermissions, { tool: "web_search", decision: "ask" }],
+  defaultDecision: "deny",
+  prompt: [
+    "You are demian researcher, a read-only cowork sub agent for Demian.",
+    "Gather evidence from the repository and, when needed, current external sources. Do not edit files.",
+    "Use update_plan and report_progress to report the evidence gathered at meaningful milestones. Include what the evidence suggests and where you will look next, without dumping raw tool names, command output, or file previews unless a specific identifier is essential.",
+    "Return findings with enough context for the parent Demian coordinator to act."
   ],
+  useWhen: ["The task needs repository exploration, usage tracing, documentation lookup, or evidence gathering."],
+  avoidWhen: ["The task is already scoped for implementation."]
+});
+var builderAgent = coworkAgent({
+  name: "builder",
+  description: "Provider-agnostic builder for bounded implementation and module-level development.",
+  defaultProviders: ["claudecode", "anthropic", "openai"],
+  permissionIntent: "write",
+  category: "builder",
+  cost: "expensive",
+  tools: [...readProgressTools, "edit_file", "write_file", "bash"],
+  permissions: writePermissions,
   defaultDecision: "ask",
-  delegation: {
-    callable: true,
-    coworkable: true,
-    canDelegate: false,
-    canCowork: false,
-    invocationDecision: "ask"
-  },
-  catalog: {
-    category: "builder",
-    cost: "expensive",
-    useWhen: ["Claude Code's local coding-agent runtime should implement a bounded writeScope while Demian coordinates review."],
-    avoidWhen: ["The task is read-only, exploratory, or can be handled by a normal Demian tool call."]
-  }
-};
-
-// src/agents/cowork.ts
-var codexReviewerAgent = {
-  name: "codex-reviewer",
-  description: "Codex-backed reviewer for architecture, risk, and patch review.",
-  mode: "subagent",
-  provider: { profile: "codex" },
-  tools: ["read_file", "grep", "glob"],
-  systemPrompt: [
-    "You are demian codex-reviewer, a skeptical reviewer working as a cowork sub agent for Demian.",
-    "Inspect the delegated context, plans, diffs, risks, and missing tests. Do not edit files.",
-    "Return concise findings with severity, file references when useful, and a clear recommendation for the parent Demian coordinator."
-  ].join("\n"),
-  permissions: [
-    { tool: "read_file", decision: "allow" },
-    { tool: "grep", decision: "allow" },
-    { tool: "glob", decision: "allow" }
+  prompt: [
+    "You are demian builder, a bounded implementation cowork sub agent for Demian.",
+    "Implement only the delegated task and only inside the provided writeScope.",
+    "Use update_plan and report_progress before writes and after meaningful implementation or verification milestones. Say what you are changing, why it is the next safe step, and how you will verify it. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "If you need broader scope, credentials, user approval, or product decisions, stop and return a concise blocker for Demian.",
+    "Return changed files, verification performed, patch summary, and remaining blockers."
   ],
+  useWhen: ["A bounded writeScope should be implemented while Demian coordinates review."],
+  avoidWhen: ["The task is read-only, exploratory, or can be handled by a normal Demian tool call."]
+});
+var reviewerAgent = coworkAgent({
+  name: "reviewer",
+  description: "Provider-agnostic detailed reviewer for diff-level code review.",
+  defaultProviders: ["claudecode", "anthropic", "codex"],
+  permissionIntent: "review",
+  category: "reviewer",
+  cost: "standard",
+  tools: readProgressTools,
+  permissions: readPermissions,
   defaultDecision: "deny",
-  delegation: {
-    callable: true,
-    coworkable: true,
-    canDelegate: false,
-    canCowork: false,
-    invocationDecision: "allow"
-  },
-  catalog: {
-    category: "reviewer",
-    cost: "standard",
-    useWhen: ["A second model should review a design, implementation plan, diff, or test strategy before Demian answers."],
-    avoidWhen: ["The task needs direct workspace edits from this member."]
-  }
-};
-var codexPlannerAgent = {
-  name: "codex-planner",
-  description: "Codex-backed planner for decomposing ambiguous or multi-step engineering work.",
-  mode: "subagent",
-  provider: { profile: "codex" },
-  tools: ["read_file", "grep", "glob"],
-  systemPrompt: [
-    "You are demian codex-planner, a planning cowork sub agent for Demian.",
-    "Inspect the delegated scope read-only and return an implementation plan, sequencing, risks, and verification strategy.",
-    "Do not edit files. Do not ask the user directly; return blockers or questions for the parent Demian coordinator."
-  ].join("\n"),
-  permissions: [
-    { tool: "read_file", decision: "allow" },
-    { tool: "grep", decision: "allow" },
-    { tool: "glob", decision: "allow" }
+  prompt: [
+    "You are demian reviewer, a detailed code-review cowork sub agent for Demian.",
+    "Inspect the delegated context read-only. Focus on correctness, edge cases, tests, consistency, and maintainability.",
+    "Use update_plan and report_progress to keep longer review passes observable. Mention the finding area, current confidence, and the next evidence you will inspect. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "Return findings first, ordered by severity, with file references when useful."
   ],
+  useWhen: ["A diff or focused implementation needs detailed code review."],
+  avoidWhen: ["The task needs broad architecture or direct editing."]
+});
+var specialistAgent = coworkAgent({
+  name: "specialist",
+  description: "Provider-agnostic specialist for focused domain, module, or technology expertise.",
+  defaultProviders: ["claudecode", "anthropic"],
+  permissionIntent: "read-only",
+  category: "researcher",
+  cost: "standard",
+  tools: readProgressTools,
+  permissions: readPermissions,
   defaultDecision: "deny",
-  delegation: {
-    callable: true,
-    coworkable: true,
-    canDelegate: false,
-    canCowork: false,
-    invocationDecision: "allow"
-  },
-  catalog: {
-    category: "planner",
-    cost: "standard",
-    useWhen: ["A parallel planning perspective may clarify scope, sequencing, risks, or verification."],
-    avoidWhen: ["The work is already clear and a bounded writer can proceed."]
-  }
-};
+  prompt: [
+    "You are demian specialist, a focused domain cowork sub agent for Demian.",
+    "Inspect the requested module, technology, or domain read-only unless explicitly assigned write mode with a narrow writeScope.",
+    "Use update_plan and report_progress for multi-step investigation so Demian can show the user what is happening. Explain the domain angle you are checking, what the evidence means, and what you will narrow down next. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "Return precise, specialist-level findings and recommendations."
+  ],
+  useWhen: ["A specific module, library, language, or subsystem needs focused expert analysis."],
+  avoidWhen: ["The task is broad coordination or final synthesis."]
+});
+var coworkAgents = [plannerAgent, architectAgent, supervisorAgent, researcherAgent, builderAgent, reviewerAgent, specialistAgent];
+function coworkAgent(options) {
+  return {
+    name: options.name,
+    description: options.description,
+    mode: "subagent",
+    tools: options.tools,
+    permissions: options.permissions,
+    defaultDecision: options.defaultDecision,
+    defaultProviders: options.defaultProviders,
+    permissionIntent: options.permissionIntent,
+    systemPrompt: options.prompt.join("\n"),
+    delegation: {
+      callable: true,
+      coworkable: true,
+      canDelegate: false,
+      canCowork: false,
+      invocationDecision: options.permissionIntent === "write" ? "ask" : "allow"
+    },
+    catalog: {
+      category: options.category,
+      cost: options.cost,
+      useWhen: options.useWhen,
+      avoidWhen: options.avoidWhen
+    }
+  };
+}
 
 // src/agents/execute.ts
 var executeAgent = {
@@ -286,8 +336,8 @@ var executeAgent = {
     "You are demian execute, a bounded implementation agent.",
     "You receive one task from a coordinator. Treat that task scope as a hard boundary.",
     "Read the relevant files before changing them. Do not refactor unrelated code.",
-    "Before changing files, use update_plan to mark your assigned step in_progress and report_progress to say what you are starting.",
-    "Use report_progress for meaningful milestones during longer work.",
+    "Before changing files, use update_plan to mark your assigned step in_progress and report_progress to say what you are starting, why that step matters, and what you will do next.",
+    "Use report_progress for meaningful milestones during longer work. Write conversational updates that explain the purpose and implication of the work, not a raw list of tools, command output, or file previews.",
     "Keep the visible work plan in sync with update_plan when you start, finish, block, skip, or fail your assigned step.",
     "Match the user's language for all user-facing text: update_plan titles, summaries, step titles/details, report_progress messages, and final results. If the user writes in Korean, write those user-facing fields in Korean while keeping code identifiers, paths, commands, and tool names unchanged.",
     "When finished, return changed files, verification results, and any remaining issues.",
@@ -337,9 +387,10 @@ var generalAgent = {
     "For non-trivial work, first think through the request and inspect enough context to avoid a shallow plan. Then call update_plan before writes, shell commands, or execute delegation.",
     "Use update_plan.title as the user's main goal, update_plan.summary for the current strategy, and short stable step ids for the sub-goals. Keep exactly one step in_progress while executing.",
     "Match the user's language for all user-facing text: update_plan titles, summaries, step titles/details, report_progress messages, narration, and final answers. If the user writes in Korean, write those user-facing fields in Korean while keeping code identifiers, paths, commands, and tool names unchanged.",
+    "For any tool-using work, keep the user oriented before and during the work. Use report_progress with conversational sentences that say what question you are trying to answer, what the latest evidence means, and what you will do next. Do not list raw tool names, command output, or file previews unless the identifier itself is important to the user's decision. This applies to ordinary single-agent work as well as cowork/delegation.",
     "Use the read-only plan agent for ambiguous, risky, or cross-file design work. Use the execute agent for bounded implementation tasks from the plan. Small obvious edits can be done directly.",
     "When the user asks to use Claude Code, keep Demian as the main coordinator and delegate bounded work to the claudecode sub agent when it is available.",
-    "Keep the plan synchronized as steps move from pending to in_progress to completed, blocked, skipped, or failed. Use report_progress when switching phases or finishing meaningful milestones.",
+    "Keep the plan synchronized as steps move from pending to in_progress to completed, blocked, skipped, failed, or cancelled. Use report_progress when starting a phase, switching phases, learning something important, or finishing meaningful milestones.",
     "Use web_search when current external information is needed.",
     "Keep changes scoped, preserve user work, and explain the outcome clearly.",
     "Tool names are fixed by the runtime. In multi-agent mode, delegate_agent may also be available for bounded specialist work.",
@@ -386,7 +437,7 @@ var planAgent = {
     "Use update_plan to materialize the visible work plan: title is the main goal, summary is the strategy, and steps are concrete sub-goals with short stable ids.",
     "Match the user's language for all user-facing text: update_plan titles, summaries, step titles/details, report_progress messages, and the final planning response. If the user writes in Korean, write those user-facing fields in Korean while keeping code identifiers, paths, commands, and tool names unchanged.",
     "A planning-only run can leave all steps pending. If you are actively investigating one step, mark only that step in_progress.",
-    "Use report_progress for major planning milestones, not for every read.",
+    "Use report_progress for major planning milestones, not for every read. Make each update conversational: what question you investigated, what that suggests, and what you will check next. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
     "Suggest bounded tasks that can be delegated to execute."
   ].join("\n"),
   permissions: [
@@ -414,7 +465,7 @@ var planAgent = {
 var AgentRegistry = class {
   #agents = /* @__PURE__ */ new Map();
   #builtinNames = /* @__PURE__ */ new Set();
-  constructor(agents = [generalAgent, buildAgent, planAgent, executeAgent, claudeCodeAgent, claudeCodeExplorerAgent, claudeCodeBuilderAgent, codexReviewerAgent, codexPlannerAgent]) {
+  constructor(agents = [generalAgent, buildAgent, planAgent, executeAgent, claudeCodeAgent, ...coworkAgents]) {
     for (const agent of agents) {
       const normalized = normalizeAgent(agent);
       this.#builtinNames.add(normalized.name);
@@ -468,7 +519,14 @@ var AgentRegistry = class {
   }
 };
 function buildSystemPrompt(agent, envInfo) {
-  return [agent.systemPrompt, envInfo, "When a tool result reports an error, adjust your next step instead of repeating the same call."].filter(Boolean).join("\n\n");
+  return [
+    agent.systemPrompt,
+    envInfo,
+    "Keep the user oriented for every non-trivial task, including /goal, cowork, delegated work, and ordinary single-agent work. Before the first tool-heavy action, briefly say what you are about to understand, verify, or change and why that is the right next step. For multi-step work, create or update the visible plan before substantial tool work and keep it synchronized as steps start, finish, skip, block, fail, or get cancelled.",
+    "When you use report_progress, write it like a brief teammate update: what you are checking or changing, what you have learned so far, why that matters, and what you will do next. Keep it conversational. Do not dump raw tool names, command output, file previews, or status fields unless a specific identifier is essential for the user to understand the decision.",
+    "When a task is long-running, report progress at meaningful phase changes and after important evidence. Prefer the purpose and implication of the work over mechanical execution details; the UI already exposes raw tool activity separately.",
+    "When a tool result reports an error, adjust your next step instead of repeating the same call."
+  ].filter(Boolean).join("\n\n");
 }
 function validateAgentName(name) {
   if (!/^[a-zA-Z][a-zA-Z0-9_-]*$/.test(name)) {
@@ -481,7 +539,113 @@ import { readFile as readFile6 } from "node:fs/promises";
 import crypto4 from "node:crypto";
 import fs7 from "node:fs";
 import os7 from "node:os";
-import path13 from "node:path";
+import path14 from "node:path";
+
+// src/util.ts
+function stableStringify(value) {
+  return JSON.stringify(sortValue(value));
+}
+function sortValue(value) {
+  if (Array.isArray(value)) return value.map(sortValue);
+  if (!value || typeof value !== "object") return value;
+  const object2 = value;
+  const out = {};
+  for (const key of Object.keys(object2).sort()) out[key] = sortValue(object2[key]);
+  return out;
+}
+function createSessionId() {
+  return `ses_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function createRootSessionId() {
+  return `root_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function createAgentSessionId() {
+  return `as_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function createInvocationId() {
+  return `inv_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function preview(value, max = 500) {
+  if (value.length <= max) return value;
+  return `${value.slice(0, max)}...`;
+}
+function errorMessage(error) {
+  if (!(error instanceof Error)) return String(error);
+  const primary = error.message || error.name || "Error";
+  const cause = errorCauseSummary(error);
+  const hint = networkFailureHint(`${primary}${cause ? ` ${cause}` : ""}`);
+  const details = [cause, hint].filter(Boolean);
+  return details.length ? `${primary} (${details.join("; ")})` : primary;
+}
+function errorCauseSummary(error) {
+  const cause = error.cause;
+  const detail = causeDetail(cause, /* @__PURE__ */ new Set());
+  return detail ? `cause: ${detail}` : void 0;
+}
+function causeDetail(cause, seen) {
+  if (cause === void 0 || cause === null) return void 0;
+  if (seen.has(cause)) return void 0;
+  if (typeof cause === "object" || typeof cause === "function") seen.add(cause);
+  if (cause instanceof AggregateError) {
+    const details = cause.errors.map((item) => causeDetail(item, seen)).filter((item) => Boolean(item)).slice(0, 3);
+    return details.length ? details.join("; ") : cleanMessage(cause.message);
+  }
+  if (cause instanceof Error) {
+    const message = cleanMessage(cause.message);
+    const fields = errorFields(cause);
+    const nested = causeDetail(cause.cause, seen);
+    return [message, fields, nested ? `cause: ${nested}` : void 0].filter(Boolean).join("; ");
+  }
+  if (typeof cause === "object") {
+    const fields = errorFields(cause);
+    return fields || cleanMessage(safeStringify(cause));
+  }
+  return cleanMessage(String(cause));
+}
+function errorFields(value) {
+  if (!value || typeof value !== "object") return void 0;
+  const object2 = value;
+  const parts = [];
+  for (const key of ["code", "errno", "syscall"]) {
+    const field = object2[key];
+    if (typeof field === "string" || typeof field === "number") parts.push(`${key}=${field}`);
+  }
+  const host = stringField(object2, "hostname") ?? stringField(object2, "host") ?? stringField(object2, "address");
+  const port = stringField(object2, "port");
+  if (host) parts.push(`target=${host}${port ? `:${port}` : ""}`);
+  return unique(parts).join(", ");
+}
+function networkFailureHint(text) {
+  const lower = text.toLowerCase();
+  if (!/\b(fetch failed|econnreset|econnrefused|etimedout|enotfound|eai_again|und_err_connect_timeout|network|socket|certificate|cert_|unable_to_verify|self_signed)\b/i.test(text)) return void 0;
+  if (lower.includes("enotfound") || lower.includes("eai_again")) return "DNS lookup failed; check the provider baseURL, network, VPN, or proxy settings.";
+  if (lower.includes("etimedout") || lower.includes("und_err_connect_timeout") || lower.includes("timeout")) return "Connection timed out before the provider returned a response; check network reachability, VPN/proxy, or the provider status.";
+  if (lower.includes("econnrefused")) return "Connection was refused; check the provider endpoint host/port and whether the service is running.";
+  if (lower.includes("econnreset") || lower.includes("socket")) return "Connection was reset while contacting the provider; retry, or check VPN/proxy/provider stability.";
+  if (lower.includes("certificate") || lower.includes("cert_") || lower.includes("unable_to_verify") || lower.includes("self_signed")) return "TLS certificate validation failed; check corporate proxy or custom CA configuration.";
+  if (lower.includes("fetch failed")) return "Network request failed before an HTTP response was received; check network, proxy, DNS, and provider endpoint settings.";
+  return void 0;
+}
+function cleanMessage(value) {
+  const text = value?.replace(/\s+/g, " ").trim();
+  return text || void 0;
+}
+function stringField(object2, key) {
+  const value = object2[key];
+  if (typeof value === "string" && value.trim()) return value.trim();
+  if (typeof value === "number" && Number.isFinite(value)) return String(value);
+  return void 0;
+}
+function unique(values) {
+  return [...new Set(values)];
+}
+function safeStringify(value) {
+  try {
+    return JSON.stringify(value);
+  } catch {
+    return void 0;
+  }
+}
 
 // src/providers/retry.ts
 var RETRY_STATUS = /* @__PURE__ */ new Set([408, 409, 425, 429, 500, 502, 503, 504]);
@@ -532,8 +696,7 @@ function retryDelay(error, attempt) {
 }
 function retryReason(error) {
   if (error instanceof ProviderHttpError) return `HTTP ${error.status}`;
-  if (error instanceof Error) return error.message;
-  return String(error);
+  return errorMessage(error);
 }
 function sleep(ms2, signal) {
   return new Promise((resolve, reject) => {
@@ -3181,7 +3344,8 @@ function buildClaudeCliArgs(config, req, flags, resumeSessionId) {
   const args = ["-p", "--output-format", config.outputFormat ?? "stream-json", "--input-format", config.inputFormat ?? "text", "--verbose"];
   if (flags.includePartialMessages) args.push("--include-partial-messages");
   if (req.model) args.push("--model", req.model);
-  if (config.maxTurns !== void 0 && flags.maxTurns) args.push("--max-turns", String(config.maxTurns));
+  const maxTurns = req.maxTurns === null ? void 0 : req.maxTurns ?? config.maxTurns;
+  if (maxTurns !== void 0 && flags.maxTurns) args.push("--max-turns", String(maxTurns));
   if (config.permissionMode && flags.permissionMode) args.push("--permission-mode", config.permissionMode);
   if (config.maxBudgetUsd !== void 0 && flags.maxBudgetUsd) args.push("--max-budget-usd", String(config.maxBudgetUsd));
   if (resumeSessionId) args.push("--resume", resumeSessionId);
@@ -22701,44 +22865,10 @@ function now() {
 }
 
 // src/permissions/engine.ts
-import path11 from "node:path";
+import path12 from "node:path";
 
 // src/permissions/grants.ts
 import path9 from "node:path";
-
-// src/util.ts
-function stableStringify(value) {
-  return JSON.stringify(sortValue(value));
-}
-function sortValue(value) {
-  if (Array.isArray(value)) return value.map(sortValue);
-  if (!value || typeof value !== "object") return value;
-  const object2 = value;
-  const out = {};
-  for (const key of Object.keys(object2).sort()) out[key] = sortValue(object2[key]);
-  return out;
-}
-function createSessionId() {
-  return `ses_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
-}
-function createRootSessionId() {
-  return `root_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
-}
-function createAgentSessionId() {
-  return `as_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
-}
-function createInvocationId() {
-  return `inv_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
-}
-function preview(value, max = 500) {
-  if (value.length <= max) return value;
-  return `${value.slice(0, max)}...`;
-}
-function errorMessage(error) {
-  return error instanceof Error ? error.message : String(error);
-}
-
-// src/permissions/grants.ts
 var SessionGrants = class {
   #keys = /* @__PURE__ */ new Set();
   has(key) {
@@ -22753,6 +22883,9 @@ var SessionGrants = class {
 };
 function grantKeyFor(tool, input2, cwd) {
   const object2 = input2 && typeof input2 === "object" && !Array.isArray(input2) ? input2 : {};
+  if (CLAUDE_CODE_WORKSPACE_READ_GRANTS.has(tool)) {
+    return `${tool}:workspace-read`;
+  }
   if (tool === "bash") {
     const command = typeof object2.command === "string" ? object2.command : "";
     return `bash:${firstCommandTokens(command, 2).join(" ")}`;
@@ -22764,6 +22897,7 @@ function grantKeyFor(tool, input2, cwd) {
   }
   return `${tool}:${stableStringify(input2)}`;
 }
+var CLAUDE_CODE_WORKSPACE_READ_GRANTS = /* @__PURE__ */ new Set(["claudecode.Read", "claudecode.Grep", "claudecode.Glob", "claudecode.LS"]);
 function grantKeyForAgentInvocation(agentName, providerProfile) {
   return `agent:${agentName}:${providerProfile}`;
 }
@@ -22786,31 +22920,151 @@ function firstCommandTokens(command, count) {
   return tokens;
 }
 
-// src/workspace/paths.ts
+// src/permissions/shell-safety.ts
 import path10 from "node:path";
+function isClearlyReadOnlyShellCommand(command) {
+  const tokens = splitSimpleShellWords(command);
+  if (!tokens?.length) return false;
+  if (tokens.some(isUnsafePathToken)) return false;
+  const executable = path10.basename(tokens[0] ?? "");
+  if (SIMPLE_READ_ONLY_COMMANDS.has(executable)) return true;
+  if (executable === "find") return isReadOnlyFind(tokens);
+  if (executable === "git") return isReadOnlyGit(tokens);
+  return false;
+}
+function isPotentiallyReadOnlyShellCommand(command) {
+  const tokens = splitSimpleShellWords(command);
+  if (!tokens?.length) return false;
+  if (tokens.some(isUnsafePathToken)) return false;
+  const executable = path10.basename(tokens[0] ?? "");
+  if (isClearlyReadOnlyShellCommand(command)) return true;
+  if (POTENTIAL_AGENT_JUDGED_COMMANDS.has(executable)) return !hasKnownMutatingToken(executable, tokens);
+  return false;
+}
+function splitSimpleShellWords(command) {
+  if (!command.trim() || /[\r\n]/.test(command)) return void 0;
+  const words = [];
+  let current = "";
+  let quote;
+  for (let index = 0; index < command.length; index++) {
+    const char = command[index];
+    if (quote) {
+      if (char === quote) {
+        quote = void 0;
+        continue;
+      }
+      if (quote === '"' && (char === "$" || char === "`")) return void 0;
+      if (char === "\\" && quote === '"' && index + 1 < command.length) {
+        current += command[++index];
+        continue;
+      }
+      current += char;
+      continue;
+    }
+    if (/\s/.test(char)) {
+      if (current) {
+        words.push(current);
+        current = "";
+      }
+      continue;
+    }
+    if (char === "'" || char === '"') {
+      quote = char;
+      continue;
+    }
+    if (SHELL_CONTROL_CHARS.has(char)) return void 0;
+    if (char === "\\" && index + 1 < command.length) {
+      current += command[++index];
+      continue;
+    }
+    current += char;
+  }
+  if (quote) return void 0;
+  if (current) words.push(current);
+  return words;
+}
+function isUnsafePathToken(token) {
+  if (token === "." || token === "-") return false;
+  if (token === "~" || token.startsWith("~/") || token.startsWith("/")) return true;
+  if (token === ".." || token.startsWith("../") || token.includes("/../")) return true;
+  const assignmentValue = token.match(/^[A-Za-z_][A-Za-z0-9_-]*=(.+)$/)?.[1];
+  if (assignmentValue) return isUnsafePathToken(assignmentValue);
+  const optionValue = token.match(/^--?[A-Za-z0-9][A-Za-z0-9_-]*=(.+)$/)?.[1];
+  return optionValue ? isUnsafePathToken(optionValue) : false;
+}
+function isReadOnlyFind(tokens) {
+  return tokens.slice(1).every((token) => !UNSAFE_FIND_TOKENS.has(token));
+}
+function isReadOnlyGit(tokens) {
+  const parsed = gitSubcommand(tokens);
+  if (!parsed) return false;
+  if (!READ_ONLY_GIT_SUBCOMMANDS.has(parsed.command)) return false;
+  if (parsed.command === "branch") return parsed.args.every((arg) => READ_ONLY_GIT_BRANCH_ARGS.has(arg));
+  if (parsed.command === "remote") return parsed.args.length === 0 || parsed.args.every((arg) => arg === "-v" || arg === "--verbose" || arg === "get-url");
+  if (parsed.command === "config") return parsed.args.some((arg) => READ_ONLY_GIT_CONFIG_ARGS.has(arg));
+  return true;
+}
+function gitSubcommand(tokens) {
+  let index = 1;
+  while (index < tokens.length) {
+    const token = tokens[index];
+    if (token === "--no-pager") {
+      index++;
+      continue;
+    }
+    if (token === "-C") {
+      index += 2;
+      continue;
+    }
+    if (token?.startsWith("-")) return void 0;
+    return { command: token ?? "", args: tokens.slice(index + 1) };
+  }
+  return void 0;
+}
+function hasKnownMutatingToken(executable, tokens) {
+  if (executable === "sed") {
+    return tokens.slice(1).some((token) => token === "-i" || token.startsWith("-i") || /^w(\s|$)/.test(token) || /;\s*w(\s|$)/.test(token));
+  }
+  if (executable === "git") {
+    const parsed = gitSubcommand(tokens);
+    return !parsed || MUTATING_GIT_SUBCOMMANDS.has(parsed.command);
+  }
+  return true;
+}
+var SHELL_CONTROL_CHARS = /* @__PURE__ */ new Set([";", "&", "|", ">", "<", "`", "$", "(", ")"]);
+var SIMPLE_READ_ONLY_COMMANDS = /* @__PURE__ */ new Set(["pwd", "ls", "cat", "head", "tail", "wc", "file", "stat", "du", "tree", "realpath", "basename", "dirname", "rg", "grep", "which", "command", "type", "printf", "echo"]);
+var POTENTIAL_AGENT_JUDGED_COMMANDS = /* @__PURE__ */ new Set(["sed", "git"]);
+var UNSAFE_FIND_TOKENS = /* @__PURE__ */ new Set(["-delete", "-exec", "-execdir", "-ok", "-okdir", "-fls", "-fprint", "-fprintf"]);
+var READ_ONLY_GIT_SUBCOMMANDS = /* @__PURE__ */ new Set(["status", "diff", "log", "show", "ls-files", "grep", "rev-parse", "describe", "blame", "shortlog", "branch", "remote", "config"]);
+var READ_ONLY_GIT_BRANCH_ARGS = /* @__PURE__ */ new Set(["--show-current", "-a", "--all", "-r", "--remotes", "-v", "-vv", "--verbose", "--color", "--no-color"]);
+var READ_ONLY_GIT_CONFIG_ARGS = /* @__PURE__ */ new Set(["--get", "--get-all", "--get-regexp", "--list", "-l"]);
+var MUTATING_GIT_SUBCOMMANDS = /* @__PURE__ */ new Set(["add", "am", "apply", "bisect", "checkout", "cherry-pick", "clean", "clone", "commit", "fetch", "gc", "init", "merge", "mv", "pull", "push", "rebase", "reset", "restore", "revert", "rm", "stash", "switch", "tag", "worktree"]);
+
+// src/workspace/paths.ts
+import path11 from "node:path";
 function normalizePathForMatch(value) {
-  return value.split(path10.sep).join("/");
+  return value.split(path11.sep).join("/");
 }
 function isInsidePath(root, candidate) {
-  const relative = path10.relative(path10.resolve(root), path10.resolve(candidate));
-  return relative === "" || !relative.startsWith("..") && !path10.isAbsolute(relative);
+  const relative = path11.relative(path11.resolve(root), path11.resolve(candidate));
+  return relative === "" || !relative.startsWith("..") && !path11.isAbsolute(relative);
 }
 function resolveInsideCwd(cwd, inputPath) {
   if (typeof inputPath !== "string" || inputPath.length === 0) {
     throw new Error("path must be a non-empty string");
   }
-  const resolved = path10.resolve(cwd, inputPath);
+  const resolved = path11.resolve(cwd, inputPath);
   if (!isInsidePath(cwd, resolved)) {
     throw new Error(`Path is outside the workspace: ${inputPath}`);
   }
   return resolved;
 }
 function relativeToCwd(cwd, absolutePath) {
-  const relative = path10.relative(cwd, absolutePath);
+  const relative = path11.relative(cwd, absolutePath);
   return normalizePathForMatch(relative || ".");
 }
 function isEnvFile(filePath) {
-  const base = path10.basename(filePath);
+  const base = path11.basename(filePath);
   if (base === ".env.example") return false;
   return base === ".env" || base.startsWith(".env.");
 }
@@ -22896,7 +23150,7 @@ var PermissionEngine = class {
     }
     if (this.#defaultDecision === "by-category") {
       return {
-        decision: defaultDecisionByCategory(ref.toolName),
+        decision: defaultDecisionByCategory(ref.toolName, input2),
         grantKey,
         source: "category-default"
       };
@@ -22917,7 +23171,7 @@ var PermissionEngine = class {
   #hardDeny(tool, input2, grantKey) {
     const paths = inputPaths(tool, input2);
     for (const item of paths) {
-      const resolved = path11.resolve(this.#cwd, item);
+      const resolved = path12.resolve(this.#cwd, item);
       if (!isInsidePath(this.#cwd, resolved)) {
         return {
           decision: "deny",
@@ -22971,7 +23225,7 @@ function matchesRule(rule, tool, input2, cwd) {
   if (rule.match.pathGlob) {
     const paths = inputPaths(tool, input2);
     if (paths.length === 0) return false;
-    if (!paths.some((item) => matchesPathRule(rule.match?.pathGlob, relativeToCwd(cwd, path11.resolve(cwd, item))))) {
+    if (!paths.some((item) => matchesPathRule(rule.match?.pathGlob, relativeToCwd(cwd, path12.resolve(cwd, item))))) {
       return false;
     }
   }
@@ -23018,7 +23272,7 @@ function rulePriority(rule, ref) {
 }
 function matchesPathRule(pattern, relativePath) {
   if (!pattern) return true;
-  if (path11.basename(relativePath) === ".env.example" && pattern.includes(".env.*")) return false;
+  if (path12.basename(relativePath) === ".env.example" && pattern.includes(".env.*")) return false;
   return matchGlob(pattern, relativePath);
 }
 function mostSpecificRule(rules, input2, cwd, ref) {
@@ -23048,10 +23302,12 @@ function commandInput(input2) {
   const object2 = input2 && typeof input2 === "object" && !Array.isArray(input2) ? input2 : {};
   return typeof object2.command === "string" ? object2.command : "";
 }
-function defaultDecisionByCategory(toolName) {
-  return READ_ONLY_TOOLS.has(toolName) ? "allow" : "ask";
+function defaultDecisionByCategory(toolName, input2) {
+  if (toolName.toLowerCase() === "bash") return isClearlyReadOnlyShellCommand(commandInput(input2)) ? "allow" : "ask";
+  return READ_ONLY_TOOLS.has(toolName) || ORCHESTRATION_TOOLS.has(toolName) ? "allow" : "ask";
 }
-var READ_ONLY_TOOLS = /* @__PURE__ */ new Set(["Read", "Glob", "Grep", "read_file", "glob", "grep"]);
+var READ_ONLY_TOOLS = /* @__PURE__ */ new Set(["Read", "Glob", "Grep", "LS", "read_file", "glob", "grep"]);
+var ORCHESTRATION_TOOLS = /* @__PURE__ */ new Set(["delegate_agent", "cowork", "update_plan", "report_progress", "get_goal"]);
 
 // src/permissions/prompt.ts
 import readline2 from "node:readline/promises";
@@ -23096,13 +23352,13 @@ function permissionLabel(req) {
   if ((req.tool === "write_file" || req.tool === "edit_file" || req.tool === "read_file") && typeof inputObject.path === "string") {
     return `${req.tool}: ${inputObject.path}`;
   }
-  const path36 = typeof inputObject.path === "string" ? inputObject.path : typeof inputObject.file_path === "string" ? inputObject.file_path : void 0;
-  if (path36) return `${tool}: ${path36}`;
+  const path37 = typeof inputObject.path === "string" ? inputObject.path : typeof inputObject.file_path === "string" ? inputObject.file_path : void 0;
+  if (path37) return `${tool}: ${path37}`;
   return tool;
 }
 
 // src/workspace/write-scope.ts
-import path12 from "node:path";
+import path13 from "node:path";
 var WRITE_TOOLS = /* @__PURE__ */ new Set(["write_file", "edit_file", "Write", "Edit", "MultiEdit", "NotebookEdit"]);
 var WORKSPACE_SCOPE = "**";
 function normalizeWriteScope(cwd, scope) {
@@ -23124,7 +23380,7 @@ function enforceToolWriteScope(input2) {
   if (paths.length === 0) return { ok: true, paths: [] };
   const checked = [];
   for (const target of paths) {
-    const resolved = path12.resolve(input2.cwd, target);
+    const resolved = path13.resolve(input2.cwd, target);
     const relative = relativeToCwd(input2.cwd, resolved);
     checked.push(relative);
     const allowed = isPathAllowedByWriteScope(input2.cwd, target, input2.writeScope);
@@ -23148,7 +23404,7 @@ function outOfScopeDiffFiles(cwd, summary, writeScope) {
   return out;
 }
 function isPathAllowedByWriteScope(cwd, inputPath, writeScope) {
-  const resolved = path12.resolve(cwd, inputPath);
+  const resolved = path13.resolve(cwd, inputPath);
   if (!isInsidePath(cwd, resolved)) {
     return { ok: false, error: "path is outside the workspace", paths: [inputPath] };
   }
@@ -23167,9 +23423,9 @@ function normalizeScopePattern(cwd, raw) {
   if (!value) return { ok: false, error: "writeScope entries must be non-empty." };
   if (value.includes("\0")) return { ok: false, error: "writeScope entries must not contain NUL bytes." };
   const hasGlob2 = /[*?[\]{}]/.test(value);
-  if (path12.isAbsolute(value)) {
+  if (path13.isAbsolute(value)) {
     if (hasGlob2) return { ok: false, error: `writeScope absolute globs are not supported: ${raw}` };
-    const resolved = path12.resolve(value);
+    const resolved = path13.resolve(value);
     if (!isInsidePath(cwd, resolved)) return { ok: false, error: `writeScope path is outside the workspace: ${raw}` };
     value = relativeToCwd(cwd, resolved);
   }
@@ -23244,7 +23500,7 @@ function createClaudeCodeCanUseTool(options) {
       return { behavior: "allow", updatedInput: input2, toolUseID: ctx.toolUseID };
     }
     if (evaluation.decision === "allow") {
-      return { behavior: "allow", updatedInput: input2, toolUseID: ctx.toolUseID };
+      return allowResult(input2, ctx.toolUseID, evaluation.source === "grant" ? "user_permanent" : void 0);
     }
     if (evaluation.decision === "deny") {
       emitPermission(options, {
@@ -23256,15 +23512,7 @@ function createClaudeCodeCanUseTool(options) {
       });
       return { behavior: "deny", message: evaluation.reason ?? `Permission denied for ${qualifiedName}`, toolUseID: ctx.toolUseID };
     }
-    emitPermission(options, {
-      type: "permission.requested",
-      callId: ctx.toolUseID,
-      tool: qualifiedName,
-      decision: "ask",
-      targetName: toolName
-    });
-    const prompt = options.permissionPrompt ?? ((req) => askPermission(req, { yes: options.yes }));
-    const answer = await prompt({
+    const permissionRequest = {
       tool: qualifiedName,
       executor: "claudecode",
       qualifiedName,
@@ -23275,10 +23523,32 @@ function createClaudeCodeCanUseTool(options) {
       proposedDecision: "ask",
       reason: ctx.title ?? ctx.decisionReason ?? evaluation.reason,
       description: ctx.description ?? ctx.displayName
-    });
-    if (answer.decision === "allow") {
-      if (answer.always) grants.add(evaluation.grantKey);
-      if (answer.always) {
+    };
+    const automatic = await options.autoPermission?.(permissionRequest);
+    if (automatic?.decision === "allow") return allowResult(input2, ctx.toolUseID);
+    if (automatic?.decision === "deny") {
+      emitPermission(options, {
+        type: "permission.denied",
+        callId: ctx.toolUseID,
+        tool: qualifiedName,
+        reason: automatic.reason,
+        targetName: toolName
+      });
+      return { behavior: "deny", message: automatic.reason ?? `Permission denied for ${qualifiedName}`, toolUseID: ctx.toolUseID };
+    }
+    emitPermission(options, {
+      type: "permission.requested",
+      callId: ctx.toolUseID,
+      tool: qualifiedName,
+      decision: "ask",
+      targetName: toolName
+    });
+    const prompt = options.permissionPrompt ?? ((req) => askPermission(req, { yes: options.yes }));
+    const answer = await prompt(permissionRequest);
+    if (answer.decision === "allow") {
+      if (answer.always) {
+        grants.add(evaluation.grantKey);
+        await options.onAlwaysGrant?.(evaluation.grantKey);
         emitPermission(options, {
           type: "permission.granted",
           callId: ctx.toolUseID,
@@ -23286,7 +23556,10 @@ function createClaudeCodeCanUseTool(options) {
           targetName: toolName
         });
       }
-      return { behavior: "allow", updatedInput: input2, toolUseID: ctx.toolUseID };
+      return {
+        ...allowResult(input2, ctx.toolUseID, answer.always ? "user_permanent" : "user_temporary"),
+        updatedPermissions: answer.always ? ctx.suggestions : void 0
+      };
     }
     emitPermission(options, {
       type: "permission.denied",
@@ -23298,6 +23571,14 @@ function createClaudeCodeCanUseTool(options) {
     return { behavior: "deny", message: answer.reason ?? `Permission denied for ${qualifiedName}`, toolUseID: ctx.toolUseID };
   };
 }
+function allowResult(input2, toolUseID, decisionClassification) {
+  return {
+    behavior: "allow",
+    updatedInput: input2,
+    toolUseID,
+    ...decisionClassification ? { decisionClassification } : {}
+  };
+}
 function isImplicitPlanExit(options, toolName, source) {
   if (options.permissionMode !== "plan" || toolName !== "ExitPlanMode") return false;
   return source === "default" || source === "category-default";
@@ -23427,7 +23708,7 @@ function buildClaudeCodeSdkOptions(config, req, abortController, resumeSessionId
     permissionMode,
     disallowedTools: uniqueDisallowedTools.length ? uniqueDisallowedTools : void 0,
     tools,
-    maxTurns: config.maxTurns,
+    maxTurns: req.maxTurns === null ? void 0 : req.maxTurns ?? config.maxTurns,
     maxBudgetUsd: config.maxBudgetUsd,
     extraArgs: config.useBareMode ? { bare: null } : void 0,
     allowDangerouslySkipPermissions: permissionMode === "bypassPermissions" ? true : void 0,
@@ -23438,7 +23719,10 @@ function buildClaudeCodeSdkOptions(config, req, abortController, resumeSessionId
       permissionMode,
       defaultDecision: config.defaultDecision,
       writeScope: req.writeScope,
+      grants: req.grants,
+      onAlwaysGrant: req.onPermissionGrant,
       permissionPrompt: req.permissionPrompt,
+      autoPermission: req.autoPermission,
       yes: req.yes,
       sessionId: req.sessionId,
       emit: req.emit,
@@ -23487,6 +23771,9 @@ function mapSdkMessage(message) {
   if (message.type === "assistant") {
     return mapAssistantMessage(message);
   }
+  if (message.type === "user") {
+    return mapUserMessage(message);
+  }
   if (message.type === "stream_event") {
     return mapPartialAssistantMessage(message);
   }
@@ -23526,6 +23813,35 @@ function mapAssistantMessage(message) {
   }
   return events;
 }
+function mapUserMessage(message) {
+  const events = [];
+  const content = Array.isArray(message.message.content) ? message.message.content : [];
+  for (const block of content) {
+    if (!block || typeof block !== "object" || block.type !== "tool_result") continue;
+    const callId = typeof block.tool_use_id === "string" ? block.tool_use_id : `tool_result_${events.length + 1}`;
+    events.push({
+      type: "tool.completed",
+      callId,
+      name: "unknown",
+      ok: block.is_error !== true,
+      preview: toolResultPreview(block.content),
+      raw: message
+    });
+  }
+  return events;
+}
+function toolResultPreview(value) {
+  if (typeof value === "string") return value.slice(0, 800);
+  if (Array.isArray(value)) {
+    return value.map((item) => {
+      if (typeof item === "string") return item;
+      if (item && typeof item === "object" && typeof item.text === "string") return String(item.text);
+      return JSON.stringify(item);
+    }).join("\n").slice(0, 800);
+  }
+  if (value === void 0) return "";
+  return JSON.stringify(value).slice(0, 800);
+}
 function mapPartialAssistantMessage(message) {
   const event = message.event;
   if (event.type !== "content_block_delta") return [];
@@ -23546,10 +23862,62 @@ function claudeCodePreviewEnabled(config = {}, env = process.env) {
 }
 
 // src/config.ts
+var COWORK_AGENT_NAMES = ["planner", "architect", "supervisor", "researcher", "builder", "reviewer", "specialist"];
+var COWORK_AGENT_MIGRATIONS = {
+  "codex-planner": { replacement: "planner", note: "planning and coordination work moved to planner" },
+  "codex-reviewer": { replacement: "supervisor", note: "supervisory risk review moved to supervisor" },
+  "claudecode-explorer": { replacement: "researcher", note: "repository exploration moved to researcher; use reviewer for diff-level review" },
+  "claudecode-builder": { replacement: "builder", note: "bounded implementation moved to builder" },
+  claudecode: { replacement: "builder", note: "Claude Code cowork implementation moved to builder" }
+};
 var BUILTIN_PROVIDER_ORDER = ["openai", "anthropic", "gemini", "groq", "azure", "lmstudio", "ollama-local", "ollama-cloud", "llamacpp", "vllm", "codex", "claudecode"];
 var CLAUDE_CODE_SONNET_MODEL = "claude-sonnet-4-6";
 var CLAUDE_CODE_OPUS_MODEL = "claude-opus-4-7";
 var CLAUDE_CODE_MODELS = [CLAUDE_CODE_SONNET_MODEL, CLAUDE_CODE_OPUS_MODEL];
+var DEFAULT_COWORK_AGENT_PROVIDERS = {
+  planner: ["codex", "anthropic", "openai"],
+  architect: ["codex", "anthropic"],
+  supervisor: ["codex", "anthropic"],
+  researcher: ["codex", "claudecode", "anthropic"],
+  builder: ["claudecode", "anthropic", "openai"],
+  reviewer: ["claudecode", "anthropic", "codex"],
+  specialist: ["claudecode", "anthropic"]
+};
+var DEFAULT_COWORK_PERMISSION_OVERLAY = {
+  providerToolNamespaces: {
+    claudecode: "claudecode"
+  },
+  modeMappings: {
+    "read-only": {
+      demianTools: ["read_file", "grep", "glob", "list_dir"],
+      providerTools: {
+        claudecode: ["Read", "Grep", "Glob", "LS"]
+      },
+      defaultDecision: "allow"
+    },
+    review: {
+      demianTools: ["read_file", "grep", "glob", "git_diff"],
+      providerTools: {
+        claudecode: ["Read", "Grep", "Glob", "LS"]
+      },
+      defaultDecision: "allow"
+    },
+    write: {
+      demianTools: ["read_file", "grep", "glob", "edit_file", "write_file", "bash"],
+      providerTools: {
+        claudecode: ["Read", "Grep", "Glob", "LS", "Edit", "MultiEdit", "Write", "Bash"]
+      },
+      defaultDecision: "ask"
+    },
+    manage: {
+      demianTools: ["read_file", "grep", "glob", "task_control", "git_diff"],
+      providerTools: {
+        claudecode: ["Read", "Grep", "Glob", "LS"]
+      },
+      defaultDecision: "ask"
+    }
+  }
+};
 var defaultConfig = {
   agentMode: "single-agent",
   defaultAgent: "general",
@@ -23590,7 +23958,31 @@ var defaultConfig = {
     defaultMergeStrategy: "synthesize",
     defaultInvocationDecision: "ask",
     readOnlyParallelism: true,
-    writerIsolation: "off"
+    writerIsolation: "off",
+    providers: ["codex", "claudecode"],
+    preflight: {
+      mode: "session-start",
+      ttlMs: 10 * 60 * 1e3
+    },
+    fallback: {
+      nonWrite: {
+        onConnectionError: "next-provider",
+        onTokenLimit: "next-provider",
+        onAuthFailure: "skip-provider",
+        onAllProvidersFailed: "fail-member"
+      },
+      write: {
+        onFailure: "repair-from-worktree",
+        maxRepairAttempts: 1,
+        readChangedFilesBeforeRepair: true
+      }
+    },
+    routing: {
+      preset: "codex-manager-claudecode-worker",
+      agentProviders: structuredClone(DEFAULT_COWORK_AGENT_PROVIDERS),
+      agentModelPools: {}
+    },
+    permissionOverlay: structuredClone(DEFAULT_COWORK_PERMISSION_OVERLAY)
   },
   goals: {
     enabled: true,
@@ -23670,8 +24062,13 @@ var defaultConfig = {
       build: "build",
       execute: "build",
       claudecode: "build",
-      "claudecode-builder": "build",
-      "claudecode-explorer": "explore"
+      planner: "plan",
+      architect: "plan",
+      supervisor: "readonly",
+      researcher: "readonly",
+      builder: "build",
+      reviewer: "readonly",
+      specialist: "readonly"
     },
     profiles: {
       default: {
@@ -23857,8 +24254,8 @@ var defaultConfig = {
 };
 async function loadConfig(options) {
   const configs = [];
-  const userConfigDir = path13.join(os7.homedir(), ".demian");
-  const configPaths = [path13.join(userConfigDir, "config.json"), path13.join(userConfigDir, "config.jsond"), options.configPath].filter(Boolean);
+  const userConfigDir = path14.join(os7.homedir(), ".demian");
+  const configPaths = [path14.join(userConfigDir, "config.json"), path14.join(userConfigDir, "config.jsond"), options.configPath].filter(Boolean);
   for (const filePath of configPaths) {
     if (!fs7.existsSync(filePath)) continue;
     const parsed = parseConfigText(await readFile6(filePath, "utf8"), filePath);
@@ -24046,14 +24443,7 @@ function mergeConfig(base, overlay) {
       ...base.delegation,
       ...overlay.delegation
     },
-    cowork: {
-      ...base.cowork,
-      ...overlay.cowork,
-      maxConcurrentPerProvider: {
-        ...base.cowork.maxConcurrentPerProvider,
-        ...overlay.cowork?.maxConcurrentPerProvider
-      }
-    },
+    cowork: mergeCoworkConfig(base.cowork, overlay.cowork),
     goals: {
       ...base.goals,
       ...overlay.goals,
@@ -24184,6 +24574,168 @@ function resolveProviderRuntimeConfig(config, selection) {
     modelProfileName: profile.name
   };
 }
+function mergeCoworkConfig(base, overlay) {
+  if (!overlay) return structuredClone(base);
+  return {
+    ...base,
+    ...overlay,
+    providers: overlay.providers !== void 0 ? canonicalStringArray(overlay.providers, "cowork.providers") : [...base.providers],
+    maxConcurrentPerProvider: {
+      ...base.maxConcurrentPerProvider,
+      ...overlay.maxConcurrentPerProvider
+    },
+    preflight: {
+      ...base.preflight,
+      ...overlay.preflight
+    },
+    fallback: {
+      nonWrite: {
+        ...base.fallback.nonWrite,
+        ...overlay.fallback?.nonWrite
+      },
+      write: {
+        ...base.fallback.write,
+        ...overlay.fallback?.write
+      }
+    },
+    routing: {
+      ...base.routing,
+      ...overlay.routing,
+      agentProviders: mergeCoworkAgentProviders(base.routing.agentProviders, overlay.routing?.agentProviders),
+      agentModelPools: mergeCoworkAgentModelPools(base.routing.agentModelPools, overlay.routing?.agentModelPools)
+    },
+    permissionOverlay: mergeCoworkPermissionOverlay(base.permissionOverlay, overlay.permissionOverlay)
+  };
+}
+function mergeCoworkAgentProviders(base, overlay) {
+  const out = { ...cloneAgentProviders(base) };
+  for (const [rawAgent, rawProviders] of Object.entries(overlay ?? {})) {
+    const agent = validateCoworkAgentName(rawAgent, `cowork.routing.agentProviders.${rawAgent}`);
+    out[agent] = canonicalStringArray(rawProviders, `cowork.routing.agentProviders.${agent}`);
+  }
+  return out;
+}
+function cloneAgentProviders(input2) {
+  const out = {};
+  for (const [agent, providers] of Object.entries(input2)) {
+    out[agent] = [...providers ?? []];
+  }
+  return out;
+}
+function mergeCoworkAgentModelPools(base, overlay) {
+  const out = { ...cloneAgentModelPools(base) };
+  for (const [rawAgent, rawEntries] of Object.entries(overlay ?? {})) {
+    const agent = validateCoworkAgentName(rawAgent, `cowork.routing.agentModelPools.${rawAgent}`);
+    out[agent] = canonicalCoworkModelPool(rawEntries, `cowork.routing.agentModelPools.${agent}`);
+  }
+  return out;
+}
+function cloneAgentModelPools(input2) {
+  const out = {};
+  for (const [agent, entries] of Object.entries(input2)) {
+    out[agent] = (entries ?? []).map((entry) => ({ ...entry }));
+  }
+  return out;
+}
+function canonicalCoworkModelPool(value, pathName) {
+  if (!Array.isArray(value)) throw new Error(`${pathName} must be an array.`);
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const [index, raw] of value.entries()) {
+    if (!raw || typeof raw !== "object" || Array.isArray(raw)) throw new Error(`${pathName}[${index}] must be an object.`);
+    const entry = raw;
+    if (typeof entry.provider !== "string" || !entry.provider.trim()) throw new Error(`${pathName}[${index}].provider must be a non-empty string.`);
+    const provider = entry.provider.trim();
+    const model = typeof entry.model === "string" && entry.model.trim() ? entry.model.trim() : void 0;
+    const modelProfileName = typeof entry.modelProfileName === "string" && entry.modelProfileName.trim() ? entry.modelProfileName.trim() : void 0;
+    const key = `${provider}\0${modelProfileName ?? ""}\0${model ?? ""}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push({
+      provider,
+      ...model ? { model } : {},
+      ...modelProfileName ? { modelProfileName } : {}
+    });
+  }
+  return out;
+}
+function mergeCoworkPermissionOverlay(base, overlay) {
+  const providerToolNamespaces = {
+    ...base.providerToolNamespaces,
+    ...stringMap(overlay?.providerToolNamespaces, "cowork.permissionOverlay.providerToolNamespaces")
+  };
+  const modeMappings = {};
+  for (const [mode, mapping] of Object.entries(base.modeMappings)) {
+    if (mapping) modeMappings[mode] = clonePermissionModeOverlay(mapping);
+  }
+  for (const [rawMode, rawMapping] of Object.entries(overlay?.modeMappings ?? {})) {
+    const mode = validateCoworkPermissionIntent(rawMode, `cowork.permissionOverlay.modeMappings.${rawMode}`);
+    const baseMapping = modeMappings[mode];
+    if (!rawMapping || typeof rawMapping !== "object" || Array.isArray(rawMapping)) throw new Error(`cowork.permissionOverlay.modeMappings.${mode} must be an object.`);
+    const mapping = rawMapping;
+    modeMappings[mode] = {
+      demianTools: mapping.demianTools !== void 0 ? canonicalStringArray(mapping.demianTools, `cowork.permissionOverlay.modeMappings.${mode}.demianTools`) : [...baseMapping?.demianTools ?? []],
+      providerTools: {
+        ...baseMapping ? cloneProviderTools(baseMapping.providerTools) : {},
+        ...providerToolsMap(mapping.providerTools, `cowork.permissionOverlay.modeMappings.${mode}.providerTools`)
+      },
+      defaultDecision: validatePermissionDefault(mapping.defaultDecision ?? baseMapping?.defaultDecision ?? "ask", `cowork.permissionOverlay.modeMappings.${mode}.defaultDecision`)
+    };
+  }
+  return { providerToolNamespaces, modeMappings };
+}
+function clonePermissionModeOverlay(mapping) {
+  return {
+    demianTools: [...mapping.demianTools],
+    providerTools: cloneProviderTools(mapping.providerTools),
+    defaultDecision: mapping.defaultDecision
+  };
+}
+function cloneProviderTools(input2) {
+  return Object.fromEntries(Object.entries(input2).map(([provider, tools]) => [provider, [...tools]]));
+}
+function providerToolsMap(value, pathName) {
+  if (value === void 0) return {};
+  if (!value || typeof value !== "object" || Array.isArray(value)) throw new Error(`${pathName} must be an object.`);
+  const out = {};
+  for (const [provider, tools] of Object.entries(value)) {
+    out[provider] = canonicalStringArray(tools, `${pathName}.${provider}`);
+  }
+  return out;
+}
+function stringMap(value, pathName) {
+  if (value === void 0) return {};
+  if (!value || typeof value !== "object" || Array.isArray(value)) throw new Error(`${pathName} must be an object.`);
+  const out = {};
+  for (const [key, raw] of Object.entries(value)) {
+    if (typeof raw !== "string" || !raw.trim()) throw new Error(`${pathName}.${key} must be a non-empty string.`);
+    out[key] = raw.trim();
+  }
+  return out;
+}
+function canonicalStringArray(value, pathName) {
+  if (!Array.isArray(value)) throw new Error(`${pathName} must be an array of strings.`);
+  const out = [];
+  for (const [index, item] of value.entries()) {
+    if (typeof item !== "string" || !item.trim()) throw new Error(`${pathName}[${index}] must be a non-empty string.`);
+    out.push(item.trim());
+  }
+  return [...new Set(out)];
+}
+function validatePermissionDefault(value, pathName) {
+  if (value === "allow" || value === "ask" || value === "deny") return value;
+  throw new Error(`${pathName} must be allow, ask, or deny.`);
+}
+function validateCoworkAgentName(value, pathName = "cowork agent") {
+  if (COWORK_AGENT_NAMES.includes(value)) return value;
+  const migration = COWORK_AGENT_MIGRATIONS[value];
+  if (migration) throw new Error(`${pathName} uses removed cowork agent "${value}". Use "${migration.replacement}" instead (${migration.note}).`);
+  throw new Error(`${pathName} must be one of: ${COWORK_AGENT_NAMES.join(", ")}.`);
+}
+function validateCoworkPermissionIntent(value, pathName) {
+  if (value === "read-only" || value === "review" || value === "write" || value === "manage") return value;
+  throw new Error(`${pathName} must be read-only, review, write, or manage.`);
+}
 function mergeModelProfile(providerConfig, profile) {
   const merged = {
     ...providerConfig,
@@ -24445,20 +24997,21 @@ var CLAUDE_CODE_PERMISSION_PROFILE_KEYS = ["permissionMode", "defaultDecision",
 import { spawn as spawn4 } from "node:child_process";
 import { stat as stat4 } from "node:fs/promises";
 import os10 from "node:os";
-import path16 from "node:path";
+import path17 from "node:path";
 import readline3 from "node:readline/promises";
 
 // src/config-scaffold.ts
 import { chmod as chmod3, mkdir as mkdir6, readFile as readFile7, rename as rename4, stat as stat3, writeFile as writeFile5 } from "node:fs/promises";
 import os8 from "node:os";
-import path14 from "node:path";
+import path15 from "node:path";
 function defaultUserConfigPath() {
-  return path14.join(os8.homedir(), ".demian", "config.json");
+  return path15.join(os8.homedir(), ".demian", "config.json");
 }
 function defaultUserConfig(defaultProvider = detectDefaultProvider()) {
   return {
     version: 2,
     defaultProvider,
+    cowork: defaultCoworkUserConfig(),
     providers: {
       openai: {
         type: "openai-compatible",
@@ -24568,6 +25121,76 @@ function defaultUserConfig(defaultProvider = detectDefaultProvider()) {
     }
   };
 }
+function defaultCoworkUserConfig() {
+  return {
+    providers: ["codex", "claudecode"],
+    preflight: {
+      mode: "session-start",
+      ttlMs: 6e5
+    },
+    fallback: {
+      nonWrite: {
+        onConnectionError: "next-provider",
+        onTokenLimit: "next-provider",
+        onAuthFailure: "skip-provider",
+        onAllProvidersFailed: "fail-member"
+      },
+      write: {
+        onFailure: "repair-from-worktree",
+        maxRepairAttempts: 1,
+        readChangedFilesBeforeRepair: true
+      }
+    },
+    routing: {
+      preset: "codex-manager-claudecode-worker",
+      agentModelPools: {},
+      agentProviders: {
+        planner: ["codex", "anthropic", "openai"],
+        architect: ["codex", "anthropic"],
+        supervisor: ["codex", "anthropic"],
+        researcher: ["codex", "claudecode", "anthropic"],
+        builder: ["claudecode", "anthropic", "openai"],
+        reviewer: ["claudecode", "anthropic", "codex"],
+        specialist: ["claudecode", "anthropic"]
+      }
+    },
+    permissionOverlay: {
+      providerToolNamespaces: {
+        claudecode: "claudecode"
+      },
+      modeMappings: {
+        "read-only": {
+          demianTools: ["read_file", "grep", "glob", "list_dir"],
+          providerTools: {
+            claudecode: ["Read", "Grep", "Glob", "LS"]
+          },
+          defaultDecision: "allow"
+        },
+        review: {
+          demianTools: ["read_file", "grep", "glob", "git_diff"],
+          providerTools: {
+            claudecode: ["Read", "Grep", "Glob", "LS"]
+          },
+          defaultDecision: "allow"
+        },
+        write: {
+          demianTools: ["read_file", "grep", "glob", "edit_file", "write_file", "bash"],
+          providerTools: {
+            claudecode: ["Read", "Grep", "Glob", "LS", "Edit", "MultiEdit", "Write", "Bash"]
+          },
+          defaultDecision: "ask"
+        },
+        manage: {
+          demianTools: ["read_file", "grep", "glob", "task_control", "git_diff"],
+          providerTools: {
+            claudecode: ["Read", "Grep", "Glob", "LS"]
+          },
+          defaultDecision: "ask"
+        }
+      }
+    }
+  };
+}
 async function createUserConfig(options = {}) {
   const filePath = expandHome2(options.path ?? defaultUserConfigPath());
   const content = `${JSON.stringify(defaultUserConfig(options.defaultProvider), null, 2)}
@@ -24753,7 +25376,7 @@ function apiKeyAuthFields(options, defaultApiKeyEnv) {
   };
 }
 async function writeJsonAtomic(filePath, content) {
-  await mkdir6(path14.dirname(filePath), { recursive: true, mode: 448 });
+  await mkdir6(path15.dirname(filePath), { recursive: true, mode: 448 });
   const temp = `${filePath}.${process.pid}.${Date.now()}.tmp`;
   await writeFile5(temp, content, { mode: 384 });
   await rename4(temp, filePath);
@@ -24809,7 +25432,7 @@ function expandHome2(value) {
 import crypto5 from "node:crypto";
 import { mkdir as mkdir7, readFile as readFile8, rename as rename5, writeFile as writeFile6 } from "node:fs/promises";
 import os9 from "node:os";
-import path15 from "node:path";
+import path16 from "node:path";
 var DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
 var PING_TIMEOUT_MS = 1500;
 var DEFAULT_CODEX_CLIENT_VERSION = "0.0.0";
@@ -25117,7 +25740,7 @@ async function fetchJson(url, options) {
   return text ? JSON.parse(text) : {};
 }
 function cachePath(cacheKey) {
-  return path15.join(os9.homedir(), ".demian", "cache", "models", `${safeCacheName(cacheKey)}.json`);
+  return path16.join(os9.homedir(), ".demian", "cache", "models", `${safeCacheName(cacheKey)}.json`);
 }
 async function readCatalogCache(cacheKey, ttlMs, allow) {
   if (!allow) return void 0;
@@ -25132,7 +25755,7 @@ async function readCatalogCache(cacheKey, ttlMs, allow) {
 }
 async function writeCatalogCache(cacheKey, result) {
   const filePath = cachePath(cacheKey);
-  await mkdir7(path15.dirname(filePath), { recursive: true, mode: 448 });
+  await mkdir7(path16.dirname(filePath), { recursive: true, mode: 448 });
   const temp = `${filePath}.${process.pid}.${Date.now()}.tmp`;
   await writeFile6(temp, JSON.stringify({ savedAt: Date.now(), result }, null, 2), { mode: 384 });
   await rename5(temp, filePath);
@@ -25561,8 +26184,8 @@ async function fileExists2(filePath) {
 }
 async function readJsonSafe(filePath) {
   try {
-    const { readFile: readFile18 } = await import("node:fs/promises");
-    const text = await readFile18(filePath, "utf8");
+    const { readFile: readFile19 } = await import("node:fs/promises");
+    const text = await readFile19(filePath, "utf8");
     return JSON.parse(text);
   } catch {
     return void 0;
@@ -25663,7 +26286,7 @@ async function walkProviderSetup() {
   process.stdout.write("\nSetup complete. Run `demian` to start a session.\n\n");
 }
 async function checkCodexAuth() {
-  const candidates = [path16.join(process.env.HOME ?? os10.homedir(), ".codex", "auth.json"), path16.join(process.env.HOME ?? os10.homedir(), ".codex", "credentials.json")];
+  const candidates = [path17.join(process.env.HOME ?? os10.homedir(), ".codex", "auth.json"), path17.join(process.env.HOME ?? os10.homedir(), ".codex", "credentials.json")];
   for (const candidate of candidates) {
     if (await fileExists2(candidate)) {
       return { ok: true, source: "codex-store", message: candidate };
@@ -25677,7 +26300,7 @@ async function checkCodexAuth() {
 import { existsSync as existsSync2 } from "node:fs";
 import { readFile as readFile9, writeFile as writeFile7 } from "node:fs/promises";
 import os11 from "node:os";
-import path17 from "node:path";
+import path18 from "node:path";
 function isDoctorCommand(argv) {
   return argv[0] === "doctor";
 }
@@ -25697,7 +26320,7 @@ async function runDoctorCommand(argv, options = {}) {
     stderr.write("Unsupported doctor command. Run `demian doctor policies --upgrade-namespaces [--write]`.\n");
     return 1;
   }
-  const cwd = path17.resolve(flags.cwd ?? options.cwd ?? process.cwd());
+  const cwd = path18.resolve(flags.cwd ?? options.cwd ?? process.cwd());
   const filePaths = resolvePolicyConfigPaths(cwd, flags.configPaths);
   if (filePaths.length === 0) {
     stdout.write("No demian config files found to inspect.\n");
@@ -25798,11 +26421,11 @@ function parseDoctorFlags(argv) {
   return flags;
 }
 function resolvePolicyConfigPaths(cwd, explicitPaths) {
-  const candidates = explicitPaths.length > 0 ? explicitPaths.map((item) => path17.resolve(cwd, item)) : [
-    path17.join(os11.homedir(), ".demian", "config.json"),
-    path17.join(os11.homedir(), ".demian", "config.jsond"),
-    path17.join(cwd, ".demian", "config.json"),
-    path17.join(cwd, ".demian", "config.jsond")
+  const candidates = explicitPaths.length > 0 ? explicitPaths.map((item) => path18.resolve(cwd, item)) : [
+    path18.join(os11.homedir(), ".demian", "config.json"),
+    path18.join(os11.homedir(), ".demian", "config.jsond"),
+    path18.join(cwd, ".demian", "config.json"),
+    path18.join(cwd, ".demian", "config.jsond")
   ];
   return [...new Set(candidates)].filter((item) => existsSync2(item));
 }
@@ -25897,10 +26520,68 @@ Flags:
 `;
 }
 
-// src/transcript.ts
-import { mkdir as mkdir8, appendFile, writeFile as writeFile8 } from "node:fs/promises";
+// src/permissions/persistent-grants.ts
+import { mkdir as mkdir8, readFile as readFile10, writeFile as writeFile8 } from "node:fs/promises";
+import fs8 from "node:fs";
 import os12 from "node:os";
-import path18 from "node:path";
+import path19 from "node:path";
+var DEFAULT_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
+var PersistentGrantStore = class {
+  filePath;
+  #config;
+  constructor(cwd, config) {
+    this.#config = config;
+    this.filePath = resolveGrantPath(cwd, config);
+  }
+  async load(workspace) {
+    if (!this.#config.enabled) return [];
+    const file = await this.#read();
+    const now2 = Date.now();
+    const grants = file.grants.filter((item) => !item.expiresAt || item.expiresAt > now2);
+    const changed = grants.length !== file.grants.length;
+    const keys = grants.filter((item) => item.workspace === workspace).map((item) => item.key);
+    if (changed) await this.#write({ version: 1, grants });
+    return [...new Set(keys)].sort();
+  }
+  async add(workspace, key) {
+    if (!this.#config.enabled) return;
+    const file = await this.#read();
+    const now2 = Date.now();
+    const ttlMs = this.#config.ttlMs ?? DEFAULT_TTL_MS;
+    const expiresAt = ttlMs > 0 ? now2 + ttlMs : void 0;
+    const grants = file.grants.filter((item) => !(item.workspace === workspace && item.key === key));
+    grants.push({ workspace, key, createdAt: now2, lastUsedAt: now2, expiresAt });
+    await this.#write({ version: 1, grants });
+  }
+  async #read() {
+    if (!fs8.existsSync(this.filePath)) return { version: 1, grants: [] };
+    const data = JSON.parse(await readFile10(this.filePath, "utf8"));
+    return {
+      version: 1,
+      grants: Array.isArray(data.grants) ? data.grants.filter(isGrantRecord) : []
+    };
+  }
+  async #write(file) {
+    await mkdir8(path19.dirname(this.filePath), { recursive: true });
+    await writeFile8(this.filePath, `${JSON.stringify(file, null, 2)}
+`, { mode: 384 });
+  }
+};
+function resolveGrantPath(cwd, config) {
+  if (config.path) return path19.resolve(cwd, config.path);
+  if ((config.scope ?? "project") === "user") return path19.join(os12.homedir(), ".demian", "grants.json");
+  return path19.join(cwd, ".demian", "grants.json");
+}
+function isGrantRecord(value) {
+  if (!value || typeof value !== "object") return false;
+  const item = value;
+  return typeof item.workspace === "string" && typeof item.key === "string" && typeof item.createdAt === "number" && typeof item.lastUsedAt === "number";
+}
+
+// src/transcript.ts
+import { mkdir as mkdir9, appendFile, writeFile as writeFile9 } from "node:fs/promises";
+import os13 from "node:os";
+import path20 from "node:path";
 var TranscriptWriter = class {
   filePath;
   #enabled;
@@ -25908,9 +26589,9 @@ var TranscriptWriter = class {
   #queue = Promise.resolve();
   constructor(options) {
     this.#enabled = options.enabled !== false;
-    const dir = path18.join(options.storageDir ?? defaultDemianStorageDir(), "transcripts", options.sessionId);
-    this.filePath = path18.join(dir, "session.jsonl");
-    this.#ready = this.#enabled ? mkdir8(dir, { recursive: true }).then(() => writeFile8(this.filePath, "", { flag: "a" })) : Promise.resolve();
+    const dir = path20.join(options.storageDir ?? defaultDemianStorageDir(), "transcripts", options.sessionId);
+    this.filePath = path20.join(dir, "session.jsonl");
+    this.#ready = this.#enabled ? mkdir9(dir, { recursive: true }).then(() => writeFile9(this.filePath, "", { flag: "a" })) : Promise.resolve();
   }
   write(event) {
     if (!this.#enabled) return Promise.resolve();
@@ -25926,14 +26607,14 @@ var TranscriptWriter = class {
   }
 };
 function defaultDemianStorageDir() {
-  return path18.join(os12.homedir(), ".demian");
+  return path20.join(os13.homedir(), ".demian");
 }
 
 // src/external-runtime/snapshot-diff.ts
 import { createHash as createHash2 } from "node:crypto";
 import { createReadStream } from "node:fs";
-import { readdir, readFile as readFile10, stat as stat5 } from "node:fs/promises";
-import path19 from "node:path";
+import { readdir, readFile as readFile11, stat as stat5 } from "node:fs/promises";
+import path21 from "node:path";
 
 // src/workspace/diff.ts
 var CONTEXT_LINES = 3;
@@ -26143,7 +26824,7 @@ async function diffWorkspaceSnapshot(before) {
 }
 async function walk(root, relativeDir, entries, options) {
   if (entries.size >= options.maxFiles) return;
-  const absoluteDir = path19.join(root, relativeDir);
+  const absoluteDir = path21.join(root, relativeDir);
   let items;
   try {
     items = await readdir(absoluteDir, { withFileTypes: true });
@@ -26154,8 +26835,8 @@ async function walk(root, relativeDir, entries, options) {
     if (entries.size >= options.maxFiles) return;
     if (item.name.startsWith(".") && item.name !== ".env.example" && SKIP_DIRS.has(item.name)) continue;
     if (SKIP_DIRS.has(item.name)) continue;
-    const relativePath = normalizeRelativePath(path19.join(relativeDir, item.name));
-    const absolutePath = path19.join(root, relativePath);
+    const relativePath = normalizeRelativePath(path21.join(relativeDir, item.name));
+    const absolutePath = path21.join(root, relativePath);
     if (item.isDirectory()) {
       await walk(root, relativePath, entries, options);
       continue;
@@ -26177,7 +26858,7 @@ function snapshotDiffText(entry) {
 `;
 }
 async function readTextContent(filePath) {
-  const buffer = await readFile10(filePath);
+  const buffer = await readFile11(filePath);
   if (buffer.includes(0)) return void 0;
   return buffer.toString("utf8");
 }
@@ -26191,7 +26872,7 @@ function sha256File(filePath) {
   });
 }
 function normalizeRelativePath(value) {
-  return value.split(path19.sep).join("/");
+  return value.split(path21.sep).join("/");
 }
 
 // src/external-runtime/session-runner.ts
@@ -26201,10 +26882,16 @@ var ExternalAgentSessionRunner = class {
   events;
   #options;
   #transcript;
+  #grants;
+  #persistentStore;
   #activeTools = /* @__PURE__ */ new Map();
+  #toolStats = { requested: 0, completed: 0, failed: 0 };
+  #recentToolEvents = [];
   #cancellationArtifactsEmitted = false;
   constructor(options) {
     this.#options = options;
+    this.#grants = options.grants ?? new SessionGrants();
+    if (options.persistentGrants?.enabled) this.#persistentStore = new PersistentGrantStore(options.cwd, options.persistentGrants);
     this.events = options.eventBus ?? new EventBus();
     this.#transcript = options.transcriptWriter ?? new TranscriptWriter({
       cwd: options.cwd,
@@ -26214,6 +26901,7 @@ var ExternalAgentSessionRunner = class {
   }
   async run() {
     const options = this.#options;
+    for (const key of await this.#persistentStore?.load(options.cwd) ?? []) this.#grants.add(key);
     const messages = [{ role: "system", content: buildSystemPrompt(options.agent) }, ...options.history ?? [], { role: "user", content: options.prompt }];
     let finalAnswer = "";
     let finalTextEmitted = false;
@@ -26257,8 +26945,12 @@ var ExternalAgentSessionRunner = class {
         if (options.signal?.aborted) return this.endCancelled(messages, finalAnswer, externalSessionId, usage, snapshot);
         if (recoveredInvalidResume || !shouldRecoverInvalidResume(failure2.error, runtimePreviousExternalSessionId)) {
           this.emit({ type: "session.failed", sessionId: this.sessionId, error: failure2.error, ts: now(), ...this.eventContext() });
-          messages.push({ role: "assistant", content: finalAnswer });
-          return { sessionId: this.sessionId, externalSessionId, finalAnswer: finalAnswer || failure2.error, messages, endReason: "error", usage };
+          const answer = this.externalTerminalFinalAnswer("error", finalAnswer || failure2.error);
+          messages.push({ role: "assistant", content: answer });
+          this.emit({ type: "session.ended", sessionId: this.sessionId, reason: "error", ts: now(), ...this.eventContext() });
+          this.emit({ type: "model.text", sessionId: this.sessionId, text: answer, ts: now(), ...this.eventContext() });
+          await this.#transcript.flush();
+          return { sessionId: this.sessionId, externalSessionId, finalAnswer: answer, messages, endReason: "error", usage };
         }
         const policy = options.onInvalidResume ?? "fresh";
         recoveredInvalidResume = true;
@@ -26310,11 +27002,15 @@ var ExternalAgentSessionRunner = class {
       model: options.model,
       agent: options.agent,
       providerName: options.providerName,
+      maxTurns: options.maxTurns,
       signal: options.signal ?? new AbortController().signal,
       historyPolicy: options.historyPolicy ?? "passthrough-resume",
       previousExternalSessionId,
       writeScope: options.writeScope,
       permissionPrompt: options.permissionPrompt,
+      autoPermission: options.autoPermission,
+      grants: this.#grants,
+      onPermissionGrant: (grantKey) => this.#persistentStore?.add(options.cwd, grantKey) ?? Promise.resolve(),
       yes: options.yes,
       emit: (runtimeEvent) => this.emit(runtimeEvent)
     })) {
@@ -26329,6 +27025,8 @@ var ExternalAgentSessionRunner = class {
         this.emit({ type: "model.text", sessionId: this.sessionId, text: event.text, ts: now(), ...this.eventContext() });
       } else if (event.type === "tool.requested") {
         this.#activeTools.set(event.callId, { name: event.name });
+        this.#toolStats.requested += 1;
+        this.recordRecentToolEvent(`\uC694\uCCAD: ${event.name}`);
         this.emit({
           type: "tool.requested",
           sessionId: this.sessionId,
@@ -26342,8 +27040,13 @@ var ExternalAgentSessionRunner = class {
           ...this.eventContext()
         });
       } else if (event.type === "tool.completed") {
+        const activeTool = this.#activeTools.get(event.callId);
+        const name = event.name === "unknown" ? activeTool?.name ?? event.name : event.name;
         this.#activeTools.delete(event.callId);
-        this.emit({ type: "tool.completed", sessionId: this.sessionId, callId: event.callId, name: event.name, ok: event.ok, preview: event.preview ?? "", executor: "claudecode", qualifiedName: `claudecode.${event.name}`, agent: options.agent.name, ts: now(), ...this.eventContext() });
+        if (event.ok) this.#toolStats.completed += 1;
+        else this.#toolStats.failed += 1;
+        this.recordRecentToolEvent(`${event.ok ? "\uC644\uB8CC" : "\uC2E4\uD328"}: ${name}${event.preview ? ` - ${event.preview}` : ""}`);
+        this.emit({ type: "tool.completed", sessionId: this.sessionId, callId: event.callId, name, ok: event.ok, preview: event.preview ?? "", executor: "claudecode", qualifiedName: `claudecode.${name}`, agent: options.agent.name, ts: now(), ...this.eventContext() });
       } else if (event.type === "usage") {
         capture.onUsage(event.usage);
         this.emit({ type: "model.usage", sessionId: this.sessionId, usage: event.usage, ts: now(), ...this.eventContext() });
@@ -26362,12 +27065,31 @@ var ExternalAgentSessionRunner = class {
   }
   async endCancelled(messages, finalAnswer, externalSessionId, usage, snapshot) {
     await this.emitCancellationArtifacts(snapshot);
-    const answer = finalAnswer || "Cancelled.";
+    const answer = this.externalTerminalFinalAnswer("cancelled", finalAnswer || "Cancelled.");
     messages.push({ role: "assistant", content: answer });
     this.emit({ type: "session.ended", sessionId: this.sessionId, reason: "cancelled", ts: now(), ...this.eventContext() });
+    this.emit({ type: "model.text", sessionId: this.sessionId, text: answer, ts: now(), ...this.eventContext() });
     await this.#transcript.flush();
     return { sessionId: this.sessionId, externalSessionId, finalAnswer: answer, messages, endReason: "cancelled", usage };
   }
+  recordRecentToolEvent(text) {
+    this.#recentToolEvents.push(text.replace(/\s+/g, " ").trim());
+    if (this.#recentToolEvents.length > 5) this.#recentToolEvents.splice(0, this.#recentToolEvents.length - 5);
+  }
+  externalTerminalFinalAnswer(reason, lastMessage) {
+    const lines = ["\uC791\uC5C5\uC774 \uC885\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.", "", `\uC885\uB8CC \uC774\uC720: ${reason === "cancelled" ? "\uC791\uC5C5\uC774 \uCDE8\uC18C\uB418\uC5C8\uC2B5\uB2C8\uB2E4." : "\uC678\uBD80 \uB7F0\uD0C0\uC784 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4."}`];
+    if (lastMessage.trim()) lines.push(`\uB9C8\uC9C0\uB9C9 \uB7F0\uD0C0\uC784 \uBA54\uC2DC\uC9C0: ${lastMessage.trim()}`);
+    lines.push("", "\uD604\uC7AC\uAE4C\uC9C0 \uC9C4\uD589\uD55C \uB0B4\uC6A9\uC740 \uC544\uB798\uC640 \uAC19\uC2B5\uB2C8\uB2E4.");
+    const totalTools = this.#toolStats.requested;
+    if (totalTools > 0) {
+      lines.push(`- Claude Code \uB7F0\uD0C0\uC784\uC5D0\uC11C \uB3C4\uAD6C ${totalTools}\uAC1C\uB97C \uC694\uCCAD\uD588\uACE0, \uC644\uB8CC ${this.#toolStats.completed}\uAC1C, \uC2E4\uD328 ${this.#toolStats.failed}\uAC1C\uB85C \uAE30\uB85D\uB418\uC5C8\uC2B5\uB2C8\uB2E4.`);
+      if (this.#recentToolEvents.length > 0) lines.push(`- \uCD5C\uADFC \uB3C4\uAD6C \uD750\uB984: ${this.#recentToolEvents.join("; ")}`);
+    } else {
+      lines.push("- \uC544\uC9C1 \uC644\uB8CC\uB41C \uB3C4\uAD6C \uC0AC\uC6A9 \uAE30\uB85D\uC740 \uC5C6\uC2B5\uB2C8\uB2E4.");
+    }
+    lines.push("", "\uC774\uC5B4\uC11C \uC9C4\uD589\uD558\uBA74 \uC704 \uC0C1\uD0DC\uB97C \uAE30\uC900\uC73C\uB85C \uB9C8\uC9C0\uB9C9\uC73C\uB85C \uD655\uC778\uD55C \uC9C0\uC810\uBD80\uD130 \uB2E4\uC2DC \uC774\uC5B4\uAC00\uACA0\uC2B5\uB2C8\uB2E4.");
+    return lines.join("\n");
+  }
   async createAbortSnapshot() {
     try {
       return await createWorkspaceSnapshot(this.#options.cwd);
@@ -26626,7 +27348,7 @@ function safeJson(value) {
 }
 
 // src/hooks/dispatcher.ts
-import path21 from "node:path";
+import path23 from "node:path";
 
 // src/hooks/command.ts
 import { spawn as spawn5 } from "node:child_process";
@@ -26719,7 +27441,7 @@ var blockDangerousBashHook = {
 };
 
 // src/hooks/builtin/protect-env-files.ts
-import path20 from "node:path";
+import path22 from "node:path";
 var protectEnvFilesHook = {
   name: "protect-env-files",
   event: "PreToolUse",
@@ -26727,7 +27449,7 @@ var protectEnvFilesHook = {
   run(ctx) {
     if (ctx.toolName !== "write_file" && ctx.toolName !== "edit_file") return { decision: "allow" };
     const input2 = ctx.toolInput && typeof ctx.toolInput === "object" ? ctx.toolInput : {};
-    const filePath = typeof input2.path === "string" ? path20.resolve(ctx.cwd, input2.path) : "";
+    const filePath = typeof input2.path === "string" ? path22.resolve(ctx.cwd, input2.path) : "";
     if (filePath && isEnvFile(filePath)) {
       return {
         decision: "block",
@@ -26764,7 +27486,7 @@ var maskSecretsHook = {
 };
 
 // src/hooks/builtin/inject-env-info.ts
-import os13 from "node:os";
+import os14 from "node:os";
 var injectEnvInfoHook = {
   name: "inject-env-info",
   event: "SessionStart",
@@ -26773,7 +27495,7 @@ var injectEnvInfoHook = {
       decision: "allow",
       patch: {
         systemNote: [
-          `Environment: ${os13.type()} ${os13.release()} (${os13.platform()}/${os13.arch()})`,
+          `Environment: ${os14.type()} ${os14.release()} (${os14.platform()}/${os14.arch()})`,
           `cwd: ${ctx.cwd}`,
           `provider: ${ctx.provider ?? "unknown"}`,
           `model: ${ctx.model ?? "unknown"}`,
@@ -26842,14 +27564,14 @@ function matchesHook(match, ctx) {
     const input2 = ctx.toolInput && typeof ctx.toolInput === "object" ? ctx.toolInput : {};
     const filePath = typeof input2.path === "string" ? input2.path : typeof input2.workdir === "string" ? input2.workdir : void 0;
     if (!filePath) return false;
-    if (!matchGlob(match.pathGlob, relativeToCwd(ctx.cwd, path21.resolve(ctx.cwd, filePath)))) return false;
+    if (!matchGlob(match.pathGlob, relativeToCwd(ctx.cwd, path23.resolve(ctx.cwd, filePath)))) return false;
   }
   return true;
 }
 
 // src/multimodal.ts
-import { readFile as readFile11, stat as stat6 } from "node:fs/promises";
-import path22 from "node:path";
+import { readFile as readFile12, stat as stat6 } from "node:fs/promises";
+import path24 from "node:path";
 var DEFAULT_MAX_IMAGE_BYTES = 8 * 1024 * 1024;
 async function buildUserContent(prompt, images = [], options) {
   if (images.length === 0) return prompt;
@@ -26873,11 +27595,11 @@ async function imageToUrl(input2, options) {
   const maxImageBytes = options.maxImageBytes ?? DEFAULT_MAX_IMAGE_BYTES;
   if (info.size > maxImageBytes) throw new Error(`Image is larger than ${maxImageBytes} bytes: ${input2}`);
   const mime = mimeFromPath(filePath);
-  const bytes = await readFile11(filePath);
+  const bytes = await readFile12(filePath);
   return `data:${mime};base64,${bytes.toString("base64")}`;
 }
 function mimeFromPath(filePath) {
-  switch (path22.extname(filePath).toLowerCase()) {
+  switch (path24.extname(filePath).toLowerCase()) {
     case ".jpg":
     case ".jpeg":
       return "image/jpeg";
@@ -26888,81 +27610,23 @@ function mimeFromPath(filePath) {
     case ".webp":
       return "image/webp";
     default:
-      throw new Error(`Unsupported image extension: ${path22.extname(filePath) || "(none)"}`);
+      throw new Error(`Unsupported image extension: ${path24.extname(filePath) || "(none)"}`);
   }
 }
 
-// src/permissions/persistent-grants.ts
-import { mkdir as mkdir9, readFile as readFile12, writeFile as writeFile9 } from "node:fs/promises";
-import fs8 from "node:fs";
-import os14 from "node:os";
-import path23 from "node:path";
-var DEFAULT_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
-var PersistentGrantStore = class {
-  filePath;
-  #config;
-  constructor(cwd, config) {
-    this.#config = config;
-    this.filePath = resolveGrantPath(cwd, config);
-  }
-  async load(workspace) {
-    if (!this.#config.enabled) return [];
-    const file = await this.#read();
-    const now2 = Date.now();
-    const grants = file.grants.filter((item) => !item.expiresAt || item.expiresAt > now2);
-    const changed = grants.length !== file.grants.length;
-    const keys = grants.filter((item) => item.workspace === workspace).map((item) => item.key);
-    if (changed) await this.#write({ version: 1, grants });
-    return [...new Set(keys)].sort();
-  }
-  async add(workspace, key) {
-    if (!this.#config.enabled) return;
-    const file = await this.#read();
-    const now2 = Date.now();
-    const ttlMs = this.#config.ttlMs ?? DEFAULT_TTL_MS;
-    const expiresAt = ttlMs > 0 ? now2 + ttlMs : void 0;
-    const grants = file.grants.filter((item) => !(item.workspace === workspace && item.key === key));
-    grants.push({ workspace, key, createdAt: now2, lastUsedAt: now2, expiresAt });
-    await this.#write({ version: 1, grants });
+// src/progress/ledger.ts
+var ProgressLedger = class {
+  #rootSessionId;
+  #plan;
+  #notes = [];
+  #maxNotes;
+  #planCounter = 0;
+  #noteCounter = 0;
+  constructor(options = {}) {
+    this.#rootSessionId = options.rootSessionId;
+    this.#maxNotes = options.maxNotes ?? 50;
   }
-  async #read() {
-    if (!fs8.existsSync(this.filePath)) return { version: 1, grants: [] };
-    const data = JSON.parse(await readFile12(this.filePath, "utf8"));
-    return {
-      version: 1,
-      grants: Array.isArray(data.grants) ? data.grants.filter(isGrantRecord) : []
-    };
-  }
-  async #write(file) {
-    await mkdir9(path23.dirname(this.filePath), { recursive: true });
-    await writeFile9(this.filePath, `${JSON.stringify(file, null, 2)}
-`, { mode: 384 });
-  }
-};
-function resolveGrantPath(cwd, config) {
-  if (config.path) return path23.resolve(cwd, config.path);
-  if ((config.scope ?? "project") === "user") return path23.join(os14.homedir(), ".demian", "grants.json");
-  return path23.join(cwd, ".demian", "grants.json");
-}
-function isGrantRecord(value) {
-  if (!value || typeof value !== "object") return false;
-  const item = value;
-  return typeof item.workspace === "string" && typeof item.key === "string" && typeof item.createdAt === "number" && typeof item.lastUsedAt === "number";
-}
-
-// src/progress/ledger.ts
-var ProgressLedger = class {
-  #rootSessionId;
-  #plan;
-  #notes = [];
-  #maxNotes;
-  #planCounter = 0;
-  #noteCounter = 0;
-  constructor(options = {}) {
-    this.#rootSessionId = options.rootSessionId;
-    this.#maxNotes = options.maxNotes ?? 50;
-  }
-  snapshot() {
+  snapshot() {
     return {
       plan: this.state(),
       notes: this.#notes.map((note) => ({ ...note }))
@@ -27080,7 +27744,7 @@ var ProgressLedger = class {
     return this.#plan;
   }
 };
-var statuses = /* @__PURE__ */ new Set(["pending", "in_progress", "completed", "blocked", "skipped", "failed"]);
+var statuses = /* @__PURE__ */ new Set(["pending", "in_progress", "completed", "blocked", "skipped", "failed", "cancelled"]);
 var FINAL_REVIEW_STEP_ID = "final_review";
 var FINAL_REVIEW_TITLE = "Final review and verification";
 var FINAL_REVIEW_DETAIL = "Review changes, run checks, and confirm the result before finishing.";
@@ -27287,6 +27951,7 @@ function normalizeActiveStep(plan, preferredActive) {
   const inProgress = plan.steps.filter((step) => step.status === "in_progress");
   let active = preferredActive === null ? void 0 : typeof preferredActive === "string" ? preferredActive : void 0;
   if (active && !plan.steps.some((step) => step.id === active)) active = void 0;
+  if (active && isTerminal(plan.steps.find((step) => step.id === active)?.status ?? "pending")) active = void 0;
   if (active) {
     for (const step of plan.steps) {
       if (step.id === active) {
@@ -27349,7 +28014,7 @@ function isStatus(value) {
   return typeof value === "string" && statuses.has(value);
 }
 function isTerminal(status) {
-  return status === "completed" || status === "blocked" || status === "skipped" || status === "failed";
+  return status === "completed" || status === "blocked" || status === "skipped" || status === "failed" || status === "cancelled";
 }
 function parseLevel(value) {
   if (value === "info" || value === "success" || value === "warning" || value === "error") return value;
@@ -27376,16 +28041,16 @@ function fail(content, metadata) {
 
 // src/tools/output.ts
 import { mkdir as mkdir10, writeFile as writeFile10 } from "node:fs/promises";
-import path24 from "node:path";
+import path25 from "node:path";
 var DEFAULT_CAP_BYTES = 32 * 1024;
 var HALF_PREVIEW_BYTES = 16 * 1024;
 async function capToolOutput(result, options) {
   const capBytes = options.capBytes ?? DEFAULT_CAP_BYTES;
   const bytes = Buffer.byteLength(result.content, "utf8");
   if (bytes <= capBytes) return result;
-  const dir = path24.join(options.cwd, ".demian", "tmp");
+  const dir = path25.join(options.cwd, ".demian", "tmp");
   await mkdir10(dir, { recursive: true });
-  const outputPath = path24.join(dir, `output-${safeCallId(options.callId)}.txt`);
+  const outputPath = path25.join(dir, `output-${safeCallId(options.callId)}.txt`);
   await writeFile10(outputPath, result.content, "utf8");
   return {
     ...result,
@@ -27393,7 +28058,7 @@ async function capToolOutput(result, options) {
       sliceUtf8(result.content, 0, HALF_PREVIEW_BYTES),
       `
 
-[Full output saved to ${path24.relative(options.cwd, outputPath)}; showing head and tail because output exceeded ${capBytes} bytes]
+[Full output saved to ${path25.relative(options.cwd, outputPath)}; showing head and tail because output exceeded ${capBytes} bytes]
 
 `,
       sliceUtf8(result.content, Math.max(0, bytes - HALF_PREVIEW_BYTES), bytes)
@@ -27418,8 +28083,10 @@ function sliceUtf8(text, startByte, endByte) {
 }
 
 // src/tools/read-file.ts
+import { createReadStream as createReadStream2 } from "node:fs";
 import { open as open2, stat as stat7 } from "node:fs/promises";
-import path25 from "node:path";
+import { createInterface } from "node:readline";
+import path26 from "node:path";
 
 // src/tools/validation.ts
 function assertObject(input2, toolName) {
@@ -27428,7 +28095,7 @@ function assertObject(input2, toolName) {
   }
   return input2;
 }
-function stringField(input2, key, options = {}) {
+function stringField2(input2, key, options = {}) {
   const value = input2[key];
   if (typeof value !== "string" || !options.allowEmpty && value.length === 0) {
     throw new Error(`${key} must be ${options.allowEmpty ? "a string" : "a non-empty string"}`);
@@ -27468,12 +28135,19 @@ function positiveInteger(value, fallback, key) {
 }
 
 // src/tools/read-file.ts
-var MAX_BYTES = 1024 * 1024;
 var SAMPLE_BYTES = 4096;
 var DEFAULT_LIMIT = 2e3;
+var MAX_LIMIT = 2e3;
 var readFileTool = {
   name: "read_file",
-  description: "Read a text file inside the workspace. Returns line-numbered output.",
+  description: "Read a text file inside the workspace. Streams large files and returns line-numbered output for the requested range.",
+  metadata: {
+    category: "workspace.read",
+    categoryPath: ["workspace", "read"],
+    sideEffect: "none",
+    defaultDecision: "allow",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -27481,32 +28155,30 @@ var readFileTool = {
     properties: {
       path: { type: "string", description: "Path to read, relative to cwd or absolute inside cwd." },
       offset: { type: "number", description: "1-indexed line offset. Defaults to 1." },
-      limit: { type: "number", description: "Maximum number of lines. Defaults to 2000." }
+      limit: { type: "number", description: "Maximum number of lines. Defaults to 2000 and is capped at 2000." }
     }
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "read_file");
-    const filePath = resolveInsideCwd(ctx.cwd, stringField(object2, "path"));
+    const filePath = resolveInsideCwd(ctx.cwd, stringField2(object2, "path"));
     const offset = positiveInteger(optionalNumberField(object2, "offset"), 1, "offset");
-    const limit = positiveInteger(optionalNumberField(object2, "limit"), DEFAULT_LIMIT, "limit");
+    const requestedLimit = positiveInteger(optionalNumberField(object2, "limit"), DEFAULT_LIMIT, "limit");
+    const limit = Math.min(requestedLimit, MAX_LIMIT);
     const info = await stat7(filePath);
     if (info.isDirectory()) throw new Error(`read_file expected a file but got a directory: ${relativeToCwd(ctx.cwd, filePath)}`);
-    if (info.size > MAX_BYTES) throw new Error(`File is larger than ${MAX_BYTES} bytes: ${relativeToCwd(ctx.cwd, filePath)}`);
     const sample = await readBytes(filePath, Math.min(SAMPLE_BYTES, info.size));
     if (looksBinary(sample)) throw new Error(`Refusing to read binary file: ${relativeToCwd(ctx.cwd, filePath)}`);
-    const text = await readText(filePath);
-    const lines = text.split(/\r?\n/);
-    const start = offset - 1;
-    const sliced = lines.slice(start, start + limit);
-    const width = String(Math.min(lines.length, start + sliced.length)).length;
-    const content = sliced.map((line, index) => `${String(start + index + 1).padStart(width, " ")} | ${line}`).join("\n");
-    const truncated = start + sliced.length < lines.length;
-    return ok(content + (truncated ? `
-... (${lines.length - start - sliced.length} more lines)` : ""), {
-      path: path25.relative(ctx.cwd, filePath),
-      lines: sliced.length,
-      totalLines: lines.length,
-      truncated
+    const slice = await readLineSlice(filePath, offset, limit, ctx.signal);
+    return ok(formatLineSlice(slice), {
+      path: path26.relative(ctx.cwd, filePath),
+      offset,
+      limit,
+      requestedLimit,
+      lines: slice.lines.length,
+      totalLines: slice.totalLines,
+      truncated: slice.truncated,
+      nextOffset: slice.nextOffset,
+      fileSizeBytes: info.size
     });
   }
 };
@@ -27520,15 +28192,50 @@ async function readBytes(filePath, length) {
     await handle.close();
   }
 }
-async function readText(filePath) {
-  const handle = await open2(filePath, "r");
+async function readLineSlice(filePath, offset, limit, signal) {
+  if (signal.aborted) throw new Error("read_file was aborted");
+  const stream = createReadStream2(filePath, { encoding: "utf8" });
+  const reader = createInterface({ input: stream, crlfDelay: Infinity });
+  const abort = () => stream.destroy(new Error("read_file was aborted"));
+  signal.addEventListener("abort", abort, { once: true });
+  const lines = [];
+  let lineNumber = 0;
+  let truncated = false;
   try {
-    const chunks = [];
-    for await (const chunk of handle.createReadStream({ encoding: null })) chunks.push(Buffer.from(chunk));
-    return Buffer.concat(chunks).toString("utf8");
+    for await (const line of reader) {
+      lineNumber++;
+      if (lineNumber < offset) continue;
+      if (lines.length < limit) {
+        lines.push(line);
+        continue;
+      }
+      truncated = true;
+      break;
+    }
   } finally {
-    await handle.close();
+    signal.removeEventListener("abort", abort);
+    reader.close();
+    stream.destroy();
   }
+  return {
+    lines,
+    offset,
+    totalLines: truncated ? void 0 : lineNumber,
+    truncated,
+    nextOffset: truncated ? offset + lines.length : void 0
+  };
+}
+function formatLineSlice(slice) {
+  if (slice.lines.length === 0) {
+    if (slice.totalLines !== void 0) return `... (no lines at offset ${slice.offset}; file has ${slice.totalLines} lines)`;
+    return `... (no lines at offset ${slice.offset})`;
+  }
+  const lastLine = slice.offset + slice.lines.length - 1;
+  const width = String(lastLine).length;
+  const content = slice.lines.map((line, index) => `${String(slice.offset + index).padStart(width, " ")} | ${line}`).join("\n");
+  if (!slice.truncated || slice.nextOffset === void 0) return content;
+  return `${content}
+... (more lines available; continue with offset ${slice.nextOffset})`;
 }
 function looksBinary(buffer) {
   if (buffer.length === 0) return false;
@@ -27542,10 +28249,17 @@ function looksBinary(buffer) {
 
 // src/tools/write-file.ts
 import { mkdir as mkdir11, readFile as readFile13, writeFile as writeFile11 } from "node:fs/promises";
-import path26 from "node:path";
+import path27 from "node:path";
 var writeFileTool = {
   name: "write_file",
   description: "Create or replace a text file inside the workspace.",
+  metadata: {
+    category: "workspace.write",
+    categoryPath: ["workspace", "write"],
+    sideEffect: "workspace",
+    defaultDecision: "ask",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -27557,10 +28271,10 @@ var writeFileTool = {
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "write_file");
-    const filePath = resolveInsideCwd(ctx.cwd, stringField(object2, "path"));
-    const content = stringField(object2, "content", { allowEmpty: true });
+    const filePath = resolveInsideCwd(ctx.cwd, stringField2(object2, "path"));
+    const content = stringField2(object2, "content", { allowEmpty: true });
     const before = await readOptionalTextFile(filePath);
-    await mkdir11(path26.dirname(filePath), { recursive: true });
+    await mkdir11(path27.dirname(filePath), { recursive: true });
     await writeFile11(filePath, content, "utf8");
     const relative = relativeToCwd(ctx.cwd, filePath);
     const diff = createTextDiff(before, content, relative);
@@ -27589,6 +28303,13 @@ import { readFile as readFile14, writeFile as writeFile12 } from "node:fs/promis
 var editFileTool = {
   name: "edit_file",
   description: "Replace an exact string in a text file inside the workspace.",
+  metadata: {
+    category: "workspace.write",
+    categoryPath: ["workspace", "write"],
+    sideEffect: "workspace",
+    defaultDecision: "ask",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -27602,9 +28323,9 @@ var editFileTool = {
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "edit_file");
-    const filePath = resolveInsideCwd(ctx.cwd, stringField(object2, "path"));
-    const oldString = stringField(object2, "oldString");
-    const newString = stringField(object2, "newString", { allowEmpty: true });
+    const filePath = resolveInsideCwd(ctx.cwd, stringField2(object2, "path"));
+    const oldString = stringField2(object2, "oldString");
+    const newString = stringField2(object2, "newString", { allowEmpty: true });
     const replaceAll = optionalBooleanField(object2, "replaceAll") ?? false;
     if (oldString === newString) throw new Error("oldString and newString must be different");
     const before = await readFile14(filePath, "utf8");
@@ -27636,7 +28357,7 @@ function countMatches(text, needle) {
 
 // src/tools/bash.ts
 import { spawn as spawn6 } from "node:child_process";
-import path28 from "node:path";
+import path29 from "node:path";
 
 // src/sandbox/env-only.ts
 function buildEnvOnlyLaunch(command, config) {
@@ -27696,7 +28417,7 @@ function bwrapPath() {
 
 // src/sandbox/macos.ts
 import { existsSync as existsSync4 } from "node:fs";
-import path27 from "node:path";
+import path28 from "node:path";
 function canUseMacOSSandbox() {
   return process.platform === "darwin" && existsSync4("/usr/bin/sandbox-exec");
 }
@@ -27722,7 +28443,7 @@ function macosProfile(cwd, config) {
   }
   if (mode === "workspace-write") {
     lines.push("(deny file-write*)");
-    lines.push(`(allow file-write* (subpath "${escapeProfilePath(path27.resolve(cwd))}"))`);
+    lines.push(`(allow file-write* (subpath "${escapeProfilePath(path28.resolve(cwd))}"))`);
     lines.push('(allow file-write* (subpath "/tmp"))');
     lines.push('(allow file-write* (subpath "/private/tmp"))');
     lines.push('(allow file-write* (subpath "/private/var/folders"))');
@@ -27752,6 +28473,13 @@ var MAX_TIMEOUT_MS = 6e5;
 var bashTool = {
   name: "bash",
   description: "Run a shell command inside the workspace.",
+  metadata: {
+    category: "process.shell",
+    categoryPath: ["process", "shell"],
+    sideEffect: "process",
+    defaultDecision: "ask",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -27764,7 +28492,7 @@ var bashTool = {
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "bash");
-    const command = stringField(object2, "command");
+    const command = stringField2(object2, "command");
     const workdirInput = optionalStringField(object2, "workdir");
     const workdir = workdirInput ? resolveInsideCwd(ctx.cwd, workdirInput) : ctx.cwd;
     const requestedTimeout = optionalNumberField(object2, "timeoutMs");
@@ -27784,7 +28512,7 @@ ${result.stderr}` : ""
     ].filter(Boolean).join("\n");
     return ok(content, {
       command,
-      workdir: path28.relative(ctx.cwd, workdir) || ".",
+      workdir: path29.relative(ctx.cwd, workdir) || ".",
       exitCode: result.exitCode,
       signal: result.signal,
       timedOut: result.timedOut,
@@ -27837,11 +28565,18 @@ function runCommand(command, cwd, timeoutMs, signal, sandbox = { mode: "workspac
 // src/tools/grep.ts
 import { spawn as spawn7 } from "node:child_process";
 import { readdir as readdir2, readFile as readFile15, stat as stat8 } from "node:fs/promises";
-import path29 from "node:path";
+import path30 from "node:path";
 var MAX_MATCHES = 200;
 var grepTool = {
   name: "grep",
   description: "Search text files inside the workspace. Uses rg when available.",
+  metadata: {
+    category: "workspace.search",
+    categoryPath: ["workspace", "search"],
+    sideEffect: "none",
+    defaultDecision: "allow",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -27854,7 +28589,7 @@ var grepTool = {
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "grep");
-    const pattern = stringField(object2, "pattern");
+    const pattern = stringField2(object2, "pattern");
     const baseInput = optionalStringField(object2, "path");
     const glob = optionalStringField(object2, "glob");
     const base = baseInput ? resolveInsideCwd(ctx.cwd, baseInput) : ctx.cwd;
@@ -27912,7 +28647,7 @@ function runRg(cwd, base, pattern, glob, signal) {
 }
 function rewriteRgPath(cwd, line) {
   const [file, rest] = splitFirst(line, ":");
-  if (!path29.isAbsolute(file)) return line;
+  if (!path30.isAbsolute(file)) return line;
   return `${relativeToCwd(cwd, file)}:${rest}`;
 }
 function splitFirst(value, delimiter) {
@@ -27929,7 +28664,7 @@ async function fallbackSearch(cwd, base, pattern, glob) {
     if (isIgnoredPath(relative)) return;
     const info = await stat8(item);
     if (info.isDirectory()) {
-      for (const entry of await readdir2(item)) await walk2(path29.join(item, entry));
+      for (const entry of await readdir2(item)) await walk2(path30.join(item, entry));
       return;
     }
     if (glob && !matchGlob(glob, relative)) return;
@@ -27948,11 +28683,18 @@ async function fallbackSearch(cwd, base, pattern, glob) {
 
 // src/tools/glob.ts
 import { readdir as readdir3, stat as stat9 } from "node:fs/promises";
-import path30 from "node:path";
+import path31 from "node:path";
 var MAX_PATHS = 1e3;
 var globTool = {
   name: "glob",
   description: "Find paths inside the workspace using a glob pattern.",
+  metadata: {
+    category: "workspace.search",
+    categoryPath: ["workspace", "search"],
+    sideEffect: "none",
+    defaultDecision: "allow",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -27964,7 +28706,7 @@ var globTool = {
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "glob");
-    const pattern = stringField(object2, "pattern");
+    const pattern = stringField2(object2, "pattern");
     const base = optionalStringField(object2, "path");
     const root = base ? resolveInsideCwd(ctx.cwd, base) : ctx.cwd;
     const found = await collectPaths(ctx.cwd, root, pattern);
@@ -27980,7 +28722,7 @@ async function collectPaths(cwd, root, pattern) {
   async function walk2(dir) {
     const entries = await readdir3(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const absolute = path30.join(dir, entry.name);
+      const absolute = path31.join(dir, entry.name);
       const relative = relativeToCwd(cwd, absolute);
       if (isIgnoredPath(relative)) continue;
       const info = await stat9(absolute);
@@ -27997,6 +28739,8 @@ var updatePlanTool = {
   name: "update_plan",
   description: "Create or update the visible work plan for the current user goal. Write title, summary, step titles, and details in the user's language; for Korean requests, use Korean user-facing text. Keep step ids, code identifiers, paths, commands, and tool names unchanged. Non-empty plans always end with a final review and verification step.",
   metadata: {
+    category: "planning.progress",
+    categoryPath: ["planning", "progress"],
     sideEffect: "none",
     defaultDecision: "allow",
     trust: "builtin"
@@ -28036,7 +28780,7 @@ function stepProperties() {
   return {
     id: { type: "string", maxLength: 64 },
     title: { type: "string" },
-    status: { type: "string", enum: ["pending", "in_progress", "completed", "blocked", "skipped", "failed"] },
+    status: { type: "string", enum: ["pending", "in_progress", "completed", "blocked", "skipped", "failed", "cancelled"] },
     detail: { type: "string" },
     agent: { type: "string" }
   };
@@ -28045,8 +28789,10 @@ function stepProperties() {
 // src/tools/report-progress.ts
 var reportProgressTool = {
   name: "report_progress",
-  description: "Report a short user-facing progress update for the current work plan. Write the message in the user's language; for Korean requests, use Korean while keeping code identifiers, paths, commands, and tool names unchanged.",
+  description: "Report a conversational user-facing progress update for the current work plan. Use it before starting non-trivial tool-heavy work, at meaningful phase changes, and after important evidence so the user understands what is happening. Write 1-3 natural sentences in the user's language that explain what you are doing, what you learned or why it matters, and what you will do next. Do not list raw tool names, command output, file previews, or status fields; those details are already available in the execution accordion. Mention specific code identifiers, paths, commands, or tool names only when they are essential to the user's understanding. For Korean requests, use Korean \uC874\uB313\uB9D0 while keeping necessary identifiers unchanged. Set showInTimeline=true for major phase changes or any longer tool-using work.",
   metadata: {
+    category: "planning.progress",
+    categoryPath: ["planning", "progress"],
     sideEffect: "none",
     defaultDecision: "allow",
     trust: "builtin"
@@ -28077,6 +28823,13 @@ function createWebSearchTool(config = defaultConfig.webSearch, fetcher = fetch)
   return {
     name: "web_search",
     description: "Search the web using the configured Brave, Tavily, or Exa web search provider.",
+    metadata: {
+      category: "research.web",
+      categoryPath: ["research", "web"],
+      sideEffect: "network",
+      defaultDecision: "ask",
+      trust: "builtin"
+    },
     inputSchema: {
       type: "object",
       additionalProperties: false,
@@ -28096,7 +28849,7 @@ function createWebSearchTool(config = defaultConfig.webSearch, fetcher = fetch)
     },
     async execute(input2, ctx) {
       const object2 = assertObject(input2, "web_search");
-      const query = stringField(object2, "query");
+      const query = stringField2(object2, "query");
       const provider = providerField(object2, config.defaultProvider);
       const maxResults = optionalNumberField(object2, "maxResults");
       if (provider === "brave") return runBraveSearch(config.providers.brave, { query, maxResults, fetcher, signal: ctx.signal });
@@ -28307,6 +29060,8 @@ var getGoalTool = {
     return ctx.goals.getGoal();
   },
   metadata: {
+    category: "goal.state",
+    categoryPath: ["goal", "state"],
     sideEffect: "none",
     defaultDecision: "allow",
     trust: "builtin"
@@ -28328,6 +29083,8 @@ var createGoalTool = {
     return ctx.goals.createGoal(input2);
   },
   metadata: {
+    category: "goal.state",
+    categoryPath: ["goal", "state"],
     sideEffect: "workspace",
     defaultDecision: "allow",
     trust: "builtin"
@@ -28349,6 +29106,8 @@ var updateGoalTool = {
     return ctx.goals.updateGoal(input2);
   },
   metadata: {
+    category: "goal.state",
+    categoryPath: ["goal", "state"],
     sideEffect: "workspace",
     defaultDecision: "allow",
     trust: "builtin"
@@ -28443,6 +29202,9 @@ function validateToolName(name) {
 }
 
 // src/session.ts
+function relaxedToolUseRoundLimit(maxTurns) {
+  return Math.max((maxTurns ?? 25) * 20, 200);
+}
 var SessionRunner = class {
   sessionId;
   events;
@@ -28500,9 +29262,28 @@ var SessionRunner = class {
     });
     const messages = [{ role: "system", content: buildSystemPrompt(options.agent, envInfo) }, ...options.history ?? [], { role: "user", content: userContent }];
     this.emit({ type: "user.message", sessionId: this.sessionId, text: options.displayPrompt ?? options.prompt, ts: now(), ...this.eventContext() });
+    this.reportSessionKickoff();
     await this.#hooks.dispatch("UserPromptSubmit", this.hookBase());
     const maxTurns = options.maxTurns ?? 25;
-    for (let turn = 0; turn < maxTurns; turn++) {
+    const countToolUseTurns = options.countToolUseTurns === true;
+    const maxToolUseRounds = options.maxToolUseRounds ?? relaxedToolUseRoundLimit(maxTurns);
+    let countedTurns = 0;
+    let toolUseRounds = 0;
+    let countedTaskScope = this.#progress.activeStepId() ?? "__session__";
+    const refreshTaskScope = () => {
+      const taskScope = this.#progress.activeStepId() ?? "__session__";
+      if (taskScope === countedTaskScope) return;
+      countedTaskScope = taskScope;
+      countedTurns = 0;
+    };
+    for (; ; ) {
+      if (countToolUseTurns) refreshTaskScope();
+      if (countToolUseTurns && countedTurns >= maxTurns) {
+        return this.end(messages, `Stopped after reaching maxTurns (${maxTurns}).`, "max_turns");
+      }
+      if (!countToolUseTurns && toolUseRounds >= maxToolUseRounds) {
+        return this.end(messages, `Stopped after reaching tool-use safety limit (${maxToolUseRounds}) before producing a final answer.`, "tool_loop_limit");
+      }
       await this.#hooks.dispatch("BeforeModelRequest", this.hookBase());
       const tools = this.#tools.list();
       const compiled = compileMessagesForContext(messages, tools, options.context);
@@ -28580,12 +29361,17 @@ var SessionRunner = class {
       if (toolCalls.length === 0) {
         return this.end(messages, assistant.content ?? "", "end_turn");
       }
+      if (countToolUseTurns) {
+        refreshTaskScope();
+        countedTurns++;
+      } else {
+        toolUseRounds++;
+      }
       for (const call of toolCalls) {
         const toolMessage = await this.runToolCall(call);
         messages.push(toolMessage);
       }
     }
-    return this.end(messages, `Stopped after reaching maxTurns (${maxTurns}).`, "max_turns");
   }
   async applyAfterModelHooks(message) {
     const results = await this.#hooks.dispatch("AfterModelResponse", {
@@ -28648,15 +29434,7 @@ var SessionRunner = class {
       return toToolMessage(call, result);
     }
     if (evaluation.decision === "ask") {
-      this.emit({ type: "permission.requested", sessionId: this.sessionId, callId: call.id, tool: call.name, decision: "ask", targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
-      this.emitGoalToolEvent(call, "permission");
-      await this.#hooks.dispatch("PermissionRequest", {
-        ...this.hookBase(),
-        callId: call.id,
-        toolName: call.name,
-        toolInput: input2
-      });
-      const answer = await (this.#options.permissionPrompt ?? ((req) => askPermission(req, { yes: this.#options.yes })))({
+      const permissionRequest = {
         tool: call.name,
         input: input2,
         actor: this.#options.agent.name,
@@ -28664,16 +29442,33 @@ var SessionRunner = class {
         targetName: call.name,
         proposedDecision: "ask",
         reason: evaluation.reason
-      });
-      if (answer.decision !== "allow") {
-        this.emit({ type: "permission.denied", sessionId: this.sessionId, callId: call.id, tool: call.name, reason: answer.reason, targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
+      };
+      const automatic = await this.#options.autoPermission?.(permissionRequest);
+      if (automatic?.decision === "deny") {
+        this.emit({ type: "permission.denied", sessionId: this.sessionId, callId: call.id, tool: call.name, reason: automatic.reason, targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
         this.emitGoalToolEvent(call, "denied");
-        return toToolMessage(call, toolFailure(`Permission denied${answer.reason ? `: ${answer.reason}` : ""}`));
-      }
-      if (answer.always) {
-        this.#grants.add(evaluation.grantKey);
-        await this.#persistentStore?.add(this.#options.cwd, evaluation.grantKey);
-        this.emit({ type: "permission.granted", sessionId: this.sessionId, callId: call.id, key: evaluation.grantKey, targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
+        return toToolMessage(call, toolFailure(`Permission denied${automatic.reason ? `: ${automatic.reason}` : ""}`));
+      }
+      if (automatic?.decision !== "allow") {
+        this.emit({ type: "permission.requested", sessionId: this.sessionId, callId: call.id, tool: call.name, decision: "ask", targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
+        this.emitGoalToolEvent(call, "permission");
+        await this.#hooks.dispatch("PermissionRequest", {
+          ...this.hookBase(),
+          callId: call.id,
+          toolName: call.name,
+          toolInput: input2
+        });
+        const answer = await (this.#options.permissionPrompt ?? ((req) => askPermission(req, { yes: this.#options.yes })))(permissionRequest);
+        if (answer.decision !== "allow") {
+          this.emit({ type: "permission.denied", sessionId: this.sessionId, callId: call.id, tool: call.name, reason: answer.reason, targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
+          this.emitGoalToolEvent(call, "denied");
+          return toToolMessage(call, toolFailure(`Permission denied${answer.reason ? `: ${answer.reason}` : ""}`));
+        }
+        if (answer.always) {
+          this.#grants.add(evaluation.grantKey);
+          await this.#persistentStore?.add(this.#options.cwd, evaluation.grantKey);
+          this.emit({ type: "permission.granted", sessionId: this.sessionId, callId: call.id, key: evaluation.grantKey, targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
+        }
       }
     }
     this.emit({ type: "tool.started", sessionId: this.sessionId, callId: call.id, name: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
@@ -28688,7 +29483,7 @@ var SessionRunner = class {
         cwd: this.#options.cwd,
         signal: this.#controller.signal,
         emit: (event) => this.emit(event),
-        ask: (req) => (this.#options.permissionPrompt ?? ((request) => askPermission(request, { yes: this.#options.yes })))(req),
+        ask: async (req) => await this.#options.autoPermission?.(req) ?? (this.#options.permissionPrompt ?? ((request) => askPermission(request, { yes: this.#options.yes })))(req),
         dryRun: this.#options.dryRun,
         sandbox: this.#options.sandbox,
         rootSessionId: this.#options.rootSessionId,
@@ -28728,15 +29523,18 @@ var SessionRunner = class {
     }
   }
   async end(messages, finalAnswer, reason) {
+    const answer = reason === "end_turn" ? finalAnswer : terminalFinalAnswer(finalAnswer, reason, this.#progress.snapshot());
+    const returnedMessages = reason === "end_turn" ? messages : [...messages, { role: "assistant", content: answer }];
     await this.#hooks.dispatch("Stop", this.hookBase());
     await this.#hooks.dispatch("SessionEnd", this.hookBase());
     this.completeGoalWorkGroup();
     this.emit({ type: "session.ended", sessionId: this.sessionId, reason, ts: now(), ...this.eventContext() });
+    if (reason !== "end_turn" && answer.trim()) this.emit({ type: "model.text", sessionId: this.sessionId, text: answer, ts: now(), ...this.eventContext() });
     await this.#transcript.flush();
     return {
       sessionId: this.sessionId,
-      finalAnswer,
-      messages,
+      finalAnswer: answer,
+      messages: returnedMessages,
       endReason: reason,
       usage: { ...this.#usage }
     };
@@ -28844,6 +29642,24 @@ var SessionRunner = class {
       activeStepId: () => this.#progress.activeStepId()
     };
   }
+  reportSessionKickoff() {
+    if (this.#options.parentInvocationId) return;
+    const message = sessionKickoffMessage(this.#options.displayPrompt ?? this.#options.prompt);
+    if (!message) return;
+    const result = this.#progress.report(
+      { message, level: "info", showInTimeline: true },
+      {
+        sessionId: this.sessionId,
+        agent: this.#options.agent.name,
+        rootSessionId: this.#options.rootSessionId,
+        agentSessionId: this.#options.agentSessionId,
+        invocationId: this.#options.invocationId,
+        parentInvocationId: this.#options.parentInvocationId,
+        agentPath: this.#options.agentPath
+      }
+    );
+    for (const event of result.events) this.emit(event);
+  }
   eventContext() {
     return {
       rootSessionId: this.#options.rootSessionId,
@@ -28927,6 +29743,134 @@ function normalizeDiffContent(value) {
     after: typeof after === "string" ? after : void 0
   };
 }
+function sessionKickoffMessage(prompt) {
+  const normalized = prompt.replace(/^\/\w+\s*/, "").trim();
+  if (isCasualPrompt(normalized) || isSimpleQuestionPrompt(normalized)) return void 0;
+  const isKorean = /[가-힣]/.test(normalized);
+  if (isKorean) {
+    if (/(수정|고쳐|개선|변경|추가|삭제|구현|반영|업데이트|만들|작성|전환|마이그레이션)/.test(normalized)) {
+      return "\uBA3C\uC800 \uAD00\uB828 \uB3D9\uC791\uC774 \uC5B4\uB514\uC5D0\uC11C \uB9CC\uB4E4\uC5B4\uC9C0\uB294\uC9C0\uC640 \uC601\uD5A5 \uBC94\uC704\uB97C \uD655\uC778\uD55C \uB4A4, \uD544\uC694\uD55C \uBCC0\uACBD\uC744 \uC791\uC740 \uB2E8\uC704\uB85C \uC9C4\uD589\uD558\uACA0\uC2B5\uB2C8\uB2E4. \uD655\uC778\uD55C \uB0B4\uC6A9\uC774 \uB2E4\uC74C \uC218\uC815\uC5D0 \uC5B4\uB5A4 \uC758\uBBF8\uAC00 \uC788\uB294\uC9C0\uB3C4 \uC911\uAC04\uC911\uAC04 \uC815\uB9AC\uD574 \uB4DC\uB9AC\uACA0\uC2B5\uB2C8\uB2E4.";
+    }
+    if (/(테스트|검증|확인|재현|실행|빌드|publish|배포)/i.test(normalized)) {
+      return "\uBA3C\uC800 \uD604\uC7AC \uC0C1\uD0DC\uC640 \uC7AC\uD604 \uC870\uAC74\uC744 \uD655\uC778\uD558\uACE0, \uACB0\uACFC\uAC00 \uC758\uBBF8\uD558\uB294 \uBC14\uB97C \uC815\uB9AC\uD558\uBA74\uC11C \uD544\uC694\uD55C \uD6C4\uC18D \uC870\uCE58\uB97C \uC774\uC5B4\uAC00\uACA0\uC2B5\uB2C8\uB2E4.";
+    }
+    if (/(설명|분석|검토|원인|왜|찾아|알려|파악)/.test(normalized)) {
+      return "\uBA3C\uC800 \uC694\uCCAD\uC758 \uD575\uC2EC \uC9C8\uBB38\uC744 \uC881\uD788\uACE0, \uADFC\uAC70\uAC00 \uB420 \uB9CC\uD55C \uAD6C\uC870\uC640 \uD750\uB984\uC744 \uD655\uC778\uD55C \uB4A4 \uC774\uD574\uD558\uAE30 \uC26C\uC6B4 \uB2F5\uC73C\uB85C \uC815\uB9AC\uD558\uACA0\uC2B5\uB2C8\uB2E4.";
+    }
+    return "\uBA3C\uC800 \uC694\uCCAD\uC758 \uC758\uB3C4\uB97C \uD655\uC778\uD558\uACE0, \uD544\uC694\uD55C \uB9E5\uB77D\uC744 \uC0B4\uD3B4\uBCF8 \uB4A4 \uB2E4\uC74C\uC5D0 \uD560 \uC77C\uC744 \uC815\uB9AC\uD558\uBA74\uC11C \uC774\uC5B4\uAC00\uACA0\uC2B5\uB2C8\uB2E4.";
+  }
+  if (/\b(fix|change|update|add|delete|remove|implement|write|create|migrate|refactor)\b/i.test(normalized)) {
+    return "I\u2019ll first locate the relevant behavior and check the impact area, then make the change in small, verifiable steps while sharing what each finding means.";
+  }
+  if (/\b(test|verify|check|reproduce|run|build|publish|deploy)\b/i.test(normalized)) {
+    return "I\u2019ll first check the current state and reproduction path, then explain what the result means before moving to the next step.";
+  }
+  if (/\b(explain|analyze|review|why|find|investigate|inspect)\b/i.test(normalized)) {
+    return "I\u2019ll narrow the main question first, inspect the evidence that matters, and then summarize the answer in a way that is easy to act on.";
+  }
+  return "I\u2019ll first clarify the shape of the request, then work through the relevant context and share useful updates as I go.";
+}
+function isCasualPrompt(prompt) {
+  const compact = prompt.toLowerCase().replace(/[\s.!?。！？~…"'`]+/g, "");
+  if (!compact) return true;
+  const casual = /* @__PURE__ */ new Set([
+    "hi",
+    "hello",
+    "hey",
+    "yo",
+    "ok",
+    "okay",
+    "thanks",
+    "thankyou",
+    "\uC548\uB155",
+    "\uC548\uB155\uD558\uC138\uC694",
+    "\uD558\uC774",
+    "\uD5EC\uB85C",
+    "\uACE0\uB9C8\uC6CC",
+    "\uACE0\uB9D9\uC2B5\uB2C8\uB2E4",
+    "\uAC10\uC0AC\uD569\uB2C8\uB2E4",
+    "\uAC10\uC0AC",
+    "\uC88B\uC544",
+    "\uB124",
+    "\uC751",
+    "\u3147\u314B"
+  ]);
+  return casual.has(compact) || compact.length <= 12 && /^(hi|hello|hey|안녕|안녕하세요|하이)/.test(compact);
+}
+function isSimpleQuestionPrompt(prompt) {
+  const trimmed = prompt.trim();
+  if (trimmed.length > 80) return false;
+  const hasTaskVerb = /(수정|고쳐|개선|변경|추가|삭제|구현|반영|업데이트|만들|작성|전환|마이그레이션|테스트|검증|확인|재현|실행|빌드|분석|검토|찾아|파악|설명해|알려줘|fix|change|update|add|delete|remove|implement|write|create|migrate|refactor|test|verify|check|reproduce|run|build|analyze|review|find|inspect|explain)/i.test(
+    trimmed
+  );
+  if (hasTaskVerb) return false;
+  return /[?？]$/.test(trimmed) || /(뭐야|무엇|누구|언제|어디|어떻게|왜|맞아)$/.test(trimmed);
+}
+function terminalFinalAnswer(finalAnswer, reason, progress) {
+  const lines = ["\uC791\uC5C5\uC774 \uC885\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.", "", `\uC885\uB8CC \uC774\uC720: ${terminalReasonText(reason)}`];
+  const runtimeMessage = finalAnswer.trim();
+  if (runtimeMessage && runtimeMessage !== terminalReasonText(reason)) lines.push(`\uB9C8\uC9C0\uB9C9 \uB7F0\uD0C0\uC784 \uBA54\uC2DC\uC9C0: ${runtimeMessage}`);
+  lines.push("", "\uD604\uC7AC\uAE4C\uC9C0 \uC9C4\uD589\uD55C \uB0B4\uC6A9\uC740 \uC544\uB798\uC640 \uAC19\uC2B5\uB2C8\uB2E4.");
+  const plan = progress.plan;
+  if (plan) {
+    lines.push("", ...planSummaryLines(plan));
+  } else {
+    lines.push("", "- \uC544\uC9C1 \uBA85\uC2DC\uC801\uC778 plan\uC740 \uB9CC\uB4E4\uC5B4\uC9C0\uC9C0 \uC54A\uC558\uC2B5\uB2C8\uB2E4.");
+  }
+  const notes = progress.notes.slice(-3);
+  if (notes.length > 0) {
+    lines.push("", "\uCD5C\uADFC \uC911\uAC04 \uBCF4\uACE0:");
+    for (const note of notes) lines.push(`- ${note.message}`);
+  }
+  lines.push("", terminalNextStepText(reason));
+  return lines.join("\n");
+}
+function planSummaryLines(plan) {
+  const lines = [`Plan: ${plan.title ?? "\uC791\uC5C5 \uACC4\uD68D"}`];
+  if (plan.summary) lines.push(`\uC694\uC57D: ${plan.summary}`);
+  const counts = countSteps(plan.steps);
+  lines.push(
+    `\uC9C4\uD589 \uC0C1\uD0DC: \uC644\uB8CC ${counts.completed + counts.skipped}\uAC1C, \uC9C4\uD589 \uC911 ${counts.in_progress}\uAC1C, \uB300\uAE30 ${counts.pending}\uAC1C, \uC2E4\uD328/\uCC28\uB2E8 ${counts.failed + counts.blocked + counts.cancelled}\uAC1C\uC785\uB2C8\uB2E4.`
+  );
+  const completed = plan.steps.filter((step) => step.status === "completed" || step.status === "skipped").slice(-3);
+  if (completed.length > 0) lines.push(`\uC644\uB8CC\uD55C \uC791\uC5C5: ${completed.map(formatStep).join("; ")}`);
+  const active = plan.steps.filter((step) => step.status === "in_progress");
+  if (active.length > 0) lines.push(`\uC9C4\uD589 \uC911\uC774\uB358 \uC791\uC5C5: ${active.map(formatStep).join("; ")}`);
+  const unresolved = plan.steps.filter((step) => step.status === "pending" || step.status === "failed" || step.status === "blocked" || step.status === "cancelled").slice(0, 4);
+  if (unresolved.length > 0) lines.push(`\uB0A8\uC740 \uC791\uC5C5: ${unresolved.map(formatStep).join("; ")}`);
+  return lines;
+}
+function countSteps(steps) {
+  const counts = {
+    pending: 0,
+    in_progress: 0,
+    completed: 0,
+    blocked: 0,
+    skipped: 0,
+    failed: 0,
+    cancelled: 0
+  };
+  for (const step of steps) counts[step.status] += 1;
+  return counts;
+}
+function formatStep(step) {
+  const detail = step.detail ? ` (${preview(step.detail.replace(/\s+/g, " "), 120)})` : "";
+  return `${step.title}${detail}`;
+}
+function terminalReasonText(reason) {
+  if (reason === "max_turns") return "\uC0C1\uC704 task turn \uD55C\uB3C4\uC5D0 \uB3C4\uB2EC\uD588\uC2B5\uB2C8\uB2E4.";
+  if (reason === "tool_loop_limit") return "\uB3C4\uAD6C \uC0AC\uC6A9 \uB77C\uC6B4\uB4DC\uAC00 \uB0B4\uBD80 \uC548\uC804 \uD55C\uB3C4\uC5D0 \uB3C4\uB2EC\uD588\uC2B5\uB2C8\uB2E4.";
+  if (reason === "content_filter") return "\uC81C\uACF5\uC790\uC758 \uC548\uC804 \uD544\uD130\uB85C \uC751\uB2F5\uC774 \uCC28\uB2E8\uB418\uC5C8\uC2B5\uB2C8\uB2E4.";
+  if (reason === "cancelled") return "\uC0AC\uC6A9\uC790 \uC694\uCCAD \uB610\uB294 \uB7F0\uD0C0\uC784 \uC911\uB2E8\uC73C\uB85C \uCDE8\uC18C\uB418\uC5C8\uC2B5\uB2C8\uB2E4.";
+  if (reason === "error") return "\uB7F0\uD0C0\uC784 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4.";
+  return `${reason} \uC0C1\uD0DC\uB85C \uC885\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.`;
+}
+function terminalNextStepText(reason) {
+  if (reason === "tool_loop_limit") return "\uC774\uC5B4\uC11C \uC9C4\uD589\uD558\uB824\uBA74 \uC774\uBBF8 \uD655\uC778\uD55C \uD30C\uC77C\uACFC \uB2E4\uC74C \uD655\uC778 \uBC94\uC704\uB97C \uAE30\uC900\uC73C\uB85C \uB3C4\uAD6C \uC0AC\uC6A9 \uBC94\uC704\uB97C \uC870\uAE08 \uB354 \uC881\uD600 \uB2E4\uC2DC \uC2DC\uB3C4\uD558\uACA0\uC2B5\uB2C8\uB2E4.";
+  if (reason === "max_turns") return "\uC774\uC5B4\uC11C \uC9C4\uD589\uD558\uB824\uBA74 \uAC19\uC740 \uC694\uCCAD\uC744 \uB2E4\uC2DC \uBCF4\uB0B4\uAC70\uB098, plan\uC758 \uD604\uC7AC task\uB97C \uB354 \uC791\uAC8C \uB098\uB204\uC5B4 \uB04A\uAE34 \uC9C0\uC810\uBD80\uD130 \uACC4\uC18D \uC9C4\uD589\uD558\uACA0\uC2B5\uB2C8\uB2E4.";
+  if (reason === "content_filter") return "\uC774\uC5B4\uC11C \uC9C4\uD589\uD558\uB824\uBA74 \uC694\uCCAD \uD45C\uD604\uC774\uB098 \uBC94\uC704\uB97C \uC870\uC815\uD55C \uB4A4 \uC548\uC804\uD558\uAC8C \uB2F5\uBCC0 \uAC00\uB2A5\uD55C \uD615\uD0DC\uB85C \uB2E4\uC2DC \uC2DC\uB3C4\uD558\uACA0\uC2B5\uB2C8\uB2E4.";
+  return "\uC774\uC5B4\uC11C \uC9C4\uD589\uD558\uBA74 \uC704 \uC9C4\uD589 \uC0C1\uD0DC\uB97C \uAE30\uC900\uC73C\uB85C \uB0A8\uC740 \uC791\uC5C5\uBD80\uD130 \uB2E4\uC2DC \uD655\uC778\uD558\uACA0\uC2B5\uB2C8\uB2E4.";
+}
 function toolFailure(content) {
   return { ok: false, content };
 }
@@ -28959,11 +29903,15 @@ async function runExecutionSession(options) {
     providerName: options.providerName,
     model: options.backend.model,
     agent: options.agent,
+    maxTurns: options.countToolUseTurns === true ? options.maxTurns : null,
     yes: options.yes,
     transcript: options.transcript,
     signal: options.signal,
     eventBus: options.eventBus,
     permissionPrompt: options.permissionPrompt,
+    autoPermission: options.autoPermission,
+    persistentGrants: options.persistentGrants,
+    grants: options.grants,
     transcriptWriter: options.transcriptWriter,
     transcriptSessionId: options.transcriptSessionId,
     rootSessionId: options.rootSessionId,
@@ -28983,13 +29931,13 @@ async function runExecutionSession(options) {
 
 // src/goals/lock.ts
 import { mkdir as mkdir13, open as open3, rm as rm2 } from "node:fs/promises";
-import path32 from "node:path";
+import path33 from "node:path";
 
 // src/goals/storage.ts
 import { createHash as createHash3 } from "node:crypto";
 import { mkdir as mkdir12, readFile as readFile16, rename as rename6, writeFile as writeFile13 } from "node:fs/promises";
 import fs9 from "node:fs";
-import path31 from "node:path";
+import path32 from "node:path";
 var GoalStore = class {
   cwd;
   dir;
@@ -29000,8 +29948,8 @@ var GoalStore = class {
     this.cwd = cwd;
     this.scope = normalizeGoalStoreScope(options.scope);
     this.dir = goalStoreDir(cwd, this.scope);
-    this.activePath = path31.join(this.dir, "active.json");
-    this.archiveDir = path31.join(this.dir, "archive");
+    this.activePath = path32.join(this.dir, "active.json");
+    this.archiveDir = path32.join(this.dir, "archive");
   }
   async loadActive() {
     if (!fs9.existsSync(this.activePath)) return void 0;
@@ -29015,7 +29963,7 @@ var GoalStore = class {
   }
   async saveActive(state) {
     await mkdir12(this.dir, { recursive: true });
-    const tmp = path31.join(this.dir, `active.${process.pid}.${Date.now()}.tmp`);
+    const tmp = path32.join(this.dir, `active.${process.pid}.${Date.now()}.tmp`);
     await writeFile13(tmp, `${JSON.stringify(state, null, 2)}
 `, "utf8");
     await rename6(tmp, this.activePath);
@@ -29029,21 +29977,21 @@ var GoalStore = class {
       status,
       updatedAt: Date.now()
     };
-    await writeFile13(path31.join(this.archiveDir, `${archived.id}.json`), `${JSON.stringify(archived, null, 2)}
+    await writeFile13(path32.join(this.archiveDir, `${archived.id}.json`), `${JSON.stringify(archived, null, 2)}
 `, "utf8");
     await fs9.promises.rm(this.activePath, { force: true });
     return archived;
   }
   async backupCorrupted(text) {
     await mkdir12(this.dir, { recursive: true });
-    const backup = path31.join(this.dir, `active.corrupt.${Date.now()}.json`);
+    const backup = path32.join(this.dir, `active.corrupt.${Date.now()}.json`);
     await writeFile13(backup, text, "utf8");
     await fs9.promises.rm(this.activePath, { force: true });
   }
 };
 function goalStoreDir(cwd, scope) {
   const safeScope = normalizeGoalStoreScope(scope);
-  return safeScope ? path31.join(cwd, ".demian", "goals", "sessions", safeScope) : path31.join(cwd, ".demian", "goals");
+  return safeScope ? path32.join(cwd, ".demian", "goals", "sessions", safeScope) : path32.join(cwd, ".demian", "goals");
 }
 function normalizeGoalStoreScope(scope) {
   const trimmed = scope?.trim();
@@ -29057,10 +30005,10 @@ function normalizeGoalStoreScope(scope) {
 var GoalLock = class {
   path;
   constructor(cwd, scope) {
-    this.path = path32.join(goalStoreDir(cwd, scope), "active.lock");
+    this.path = path33.join(goalStoreDir(cwd, scope), "active.lock");
   }
   async acquire() {
-    await mkdir13(path32.dirname(this.path), { recursive: true });
+    await mkdir13(path33.dirname(this.path), { recursive: true });
     const handle = await open3(this.path, "wx").catch((error) => {
       const code = typeof error === "object" && error && "code" in error ? String(error.code) : "";
       if (code === "EEXIST") throw new Error("Another goal is already active in this workspace.");
@@ -29394,6 +30342,12 @@ function evaluateGoalIteration(input2) {
   const state = input2.state;
   const language = goalUserLanguage(state);
   const verification = input2.verification ?? state.verification ?? { status: "not_required" };
+  const reasonContext = {
+    state,
+    finalAnswer: input2.finalAnswer,
+    reason: input2.reason,
+    verification
+  };
   const completion = input2.completedByTool || state.status === "completed" ? "met" : "unmet";
   const verificationGate = verification.required ? verification.status : verification.status === "passed" || verification.status === "failed" || verification.status === "missing" ? verification.status : "not_required";
   const prohibition = input2.blockedReason ? "violated" : "clear";
@@ -29401,28 +30355,28 @@ function evaluateGoalIteration(input2) {
   const progress = input2.madeProgress === false ? "stalled" : input2.reason === "max_turns" ? "stalled" : "advanced";
   const resource = state.iteration >= state.maxIterations ? "iteration_limited" : state.tokenBudget && state.tokensUsed >= state.tokenBudget ? "budget_limited" : "within_limits";
   let decision = "continue";
-  let reason = goalReason("continue", language);
+  let reason = goalReason("continue", language, reasonContext);
   if (state.status === "paused") {
     decision = "paused";
-    reason = goalReason("paused", language);
+    reason = goalReason("paused", language, reasonContext);
   } else if (prohibition === "violated" || scope === "drifted") {
     decision = "blocked";
-    reason = input2.blockedReason ?? goalReason("blocked_guardrail", language);
+    reason = input2.blockedReason ?? goalReason("blocked_guardrail", language, reasonContext);
   } else if (resource === "budget_limited") {
     decision = "budget_limited";
-    reason = goalReason("budget_limited", language);
+    reason = goalReason("budget_limited", language, reasonContext);
   } else if (resource === "iteration_limited") {
     decision = "iteration_limited";
-    reason = goalReason("iteration_limited", language);
+    reason = goalReason("iteration_limited", language, reasonContext);
   } else if (completion === "met" && (verificationGate === "passed" || verificationGate === "not_required")) {
     decision = "complete";
-    reason = goalReason("complete", language);
+    reason = goalReason("complete", language, reasonContext);
   } else if (completion === "met" && (verificationGate === "failed" || verificationGate === "missing")) {
     decision = "blocked";
-    reason = goalReason("verification_failed", language);
+    reason = goalReason("verification_failed", language, reasonContext);
   } else if (progress === "stalled" && input2.reason === "max_turns") {
-    decision = "iteration_limited";
-    reason = goalReason("max_turns", language);
+    decision = "continue";
+    reason = goalReason("max_turns", language, reasonContext);
   }
   return {
     gates: {
@@ -29556,29 +30510,69 @@ function normalizeSessionId(sessionId) {
   const trimmed = sessionId?.trim();
   return trimmed ? trimmed : void 0;
 }
-function goalReason(key, language) {
+function goalReason(key, language, context = {}) {
+  if (key === "max_turns") return maxTurnsGoalReason(language, context);
+  if (key === "iteration_limited") return iterationLimitedGoalReason(language, context);
+  if (key === "budget_limited") return budgetLimitedGoalReason(language, context);
   if (language === "ko") {
     return {
       continue: "\uBAA9\uD45C\uB294 \uC544\uC9C1 \uD65C\uC131 \uC0C1\uD0DC\uC785\uB2C8\uB2E4. \uB2E4\uC74C \uC548\uC804\uD55C \uC791\uC5C5\uC744 \uACC4\uC18D \uC9C4\uD589\uD569\uB2C8\uB2E4.",
       paused: "\uC0AC\uC6A9\uC790 \uC694\uCCAD\uC73C\uB85C \uBAA9\uD45C\uAC00 \uC77C\uC2DC \uC911\uC9C0\uB418\uC5C8\uC2B5\uB2C8\uB2E4.",
       blocked_guardrail: "\uAE08\uC9C0\uC870\uAC74 \uB610\uB294 \uBC94\uC704 \uAD00\uB9AC \uAE30\uC900\uC744 \uC704\uBC18\uD558\uC5EC \uBAA9\uD45C\uAC00 \uCC28\uB2E8\uB418\uC5C8\uC2B5\uB2C8\uB2E4.",
-      budget_limited: "\uC644\uB8CC\uAC00 \uAC80\uC99D\uB418\uAE30 \uC804\uC5D0 \uBAA9\uD45C\uAC00 \uD1A0\uD070 \uC608\uC0B0\uC5D0 \uB3C4\uB2EC\uD588\uC2B5\uB2C8\uB2E4.",
-      iteration_limited: "\uC644\uB8CC\uAC00 \uAC80\uC99D\uB418\uAE30 \uC804\uC5D0 \uBAA9\uD45C\uAC00 \uBC18\uBCF5 \uD55C\uB3C4\uC5D0 \uB3C4\uB2EC\uD588\uC2B5\uB2C8\uB2E4.",
       complete: "\uC644\uB8CC\uAC00 \uBA85\uC2DC\uC801\uC73C\uB85C \uC2E0\uD638\uB418\uC5C8\uACE0 \uC885\uB8CC \uAC80\uC99D \uC694\uAD6C\uC0AC\uD56D\uC774 \uCDA9\uC871\uB418\uC5C8\uC2B5\uB2C8\uB2E4.",
-      verification_failed: "\uC644\uB8CC\uAC00 \uC2E0\uD638\uB418\uC5C8\uC9C0\uB9CC \uD544\uC694\uD55C \uAC80\uC99D\uC744 \uD1B5\uACFC\uD558\uC9C0 \uBABB\uD588\uC2B5\uB2C8\uB2E4.",
-      max_turns: "\uAC80\uC99D\uB41C \uC644\uB8CC \uC5C6\uC774 \uC138\uC158\uC774 \uCD5C\uB300 \uD134\uC5D0\uC11C \uC911\uC9C0\uB418\uC5C8\uC2B5\uB2C8\uB2E4."
-    }[key];
+      verification_failed: "\uC644\uB8CC\uAC00 \uC2E0\uD638\uB418\uC5C8\uC9C0\uB9CC \uD544\uC694\uD55C \uAC80\uC99D\uC744 \uD1B5\uACFC\uD558\uC9C0 \uBABB\uD588\uC2B5\uB2C8\uB2E4."
+    }[key] ?? "\uBAA9\uD45C \uC0C1\uD0DC\uB97C \uD3C9\uAC00\uD588\uC2B5\uB2C8\uB2E4.";
   }
   return {
     continue: "Goal remains active; continue with the next safe action.",
     paused: "Goal is paused by user request.",
     blocked_guardrail: "Goal is blocked because a prohibition or scope guardrail was violated.",
-    budget_limited: "Goal reached its token budget before completion was verified.",
-    iteration_limited: "Goal reached its iteration limit before completion was verified.",
     complete: "Completion was explicitly signaled and termination verification requirements are satisfied.",
-    verification_failed: "Completion was signaled, but required verification did not pass.",
-    max_turns: "The session stopped at max turns without verified completion."
-  }[key];
+    verification_failed: "Completion was signaled, but required verification did not pass."
+  }[key] ?? "Goal state was evaluated.";
+}
+function maxTurnsGoalReason(language, context) {
+  const maxTurns = parseMaxTurns(context.finalAnswer);
+  const maxTurnsText = maxTurns ? `maxTurns(${maxTurns})` : "maxTurns";
+  const iteration = goalIterationProgress(context.state);
+  if (language === "ko") {
+    const run2 = iteration ? `${iteration}\uD68C\uCC28 \uC2E4\uD589 \uC911` : "\uC774\uBC88 \uC2E4\uD589\uC5D0\uC11C";
+    return `\uC774\uBC88 \uBAA9\uD45C\uB294 \uC544\uC9C1 \uC644\uB8CC\uB85C \uAC80\uC99D\uB418\uC9C0 \uC54A\uC558\uACE0, ${run2} \uD558\uB098\uC758 \uC791\uC5C5 \uC2DC\uB3C4\uAC00 ${maxTurnsText}\uC5D0 \uB3C4\uB2EC\uD574 \uBA48\uCDC4\uC2B5\uB2C8\uB2E4. goal\uC5D0\uC11C\uB294 \uC774 \uAC12\uC744 \uB3C4\uAD6C \uD638\uCD9C \uC218\uAC00 \uC544\uB2C8\uB77C \uAC19\uC740 \uBAA9\uD45C\uB97C \uC774\uC5B4\uC11C \uC7AC\uC2DC\uB3C4\uD55C \uC0C1\uC704 \uC2E4\uD589 \uD69F\uC218\uB85C \uBD05\uB2C8\uB2E4. \uB530\uB77C\uC11C \uBAA9\uD45C \uC790\uCCB4\uB294 \uBC18\uBCF5 \uD55C\uB3C4\uC5D0 \uB3C4\uB2EC\uD558\uAE30 \uC804\uAE4C\uC9C0 \uACC4\uC18D \uD65C\uC131 \uC0C1\uD0DC\uB85C \uB0A8\uAE30\uACE0, \uB3C4\uAD6C \uD638\uCD9C\uCC98\uB7FC \uC815\uC0C1\uC801\uC778 \uD558\uC704 \uC791\uC5C5\uC740 \uBCC4\uB3C4 \uC548\uC804 \uD55C\uB3C4\uB85C \uB2E4\uB8F9\uB2C8\uB2E4. /retry\uB85C \uB04A\uAE34 \uC9C0\uC810\uBD80\uD130 \uC774\uC5B4\uC11C \uC9C4\uD589\uD574 \uC8FC\uC138\uC694.`;
+  }
+  const run = iteration ? `at goal iteration ${iteration}` : "during this run";
+  return `This goal is not verified complete yet, and one task attempt stopped ${run} because it reached ${maxTurnsText}. In goal mode, this value is treated as a high-level retry/attempt limit for the same objective, not as a count of tool calls. The goal stays active until its iteration limit is actually reached, while ordinary tool-use subwork is guarded by a separate safety limit. Retry from the current state to continue.`;
+}
+function iterationLimitedGoalReason(language, context) {
+  const iteration = goalIterationProgress(context.state);
+  if (language === "ko") {
+    const limit2 = iteration ? `${iteration} \uBC18\uBCF5 \uD55C\uB3C4` : "\uBC18\uBCF5 \uD55C\uB3C4";
+    return `\uBAA9\uD45C\uAC00 ${limit2}\uC5D0 \uB3C4\uB2EC\uD588\uC9C0\uB9CC \uC644\uB8CC \uAC80\uC99D\uC744 \uD1B5\uACFC\uD558\uC9C0 \uBABB\uD588\uC2B5\uB2C8\uB2E4. \uCD5C\uADFC \uC2E4\uD589 \uACB0\uACFC\uC640 \uC2E4\uD328 \uB610\uB294 \uBBF8\uC644\uB8CC step\uC744 \uD655\uC778\uD55C \uB4A4, \uBC94\uC704\uB97C \uC904\uC774\uAC70\uB098 \uC0C8 \uBAA9\uD45C\uB85C \uB2E4\uC2DC \uC2DC\uC791\uD574 \uC8FC\uC138\uC694.`;
+  }
+  const limit = iteration ? `its ${iteration} iteration limit` : "its iteration limit";
+  return `The goal reached ${limit} before completion was verified. Review the latest run output and any failed or unresolved steps, then narrow the scope or start a new goal.`;
+}
+function budgetLimitedGoalReason(language, context) {
+  const budget = goalBudgetProgress(context.state);
+  if (language === "ko") {
+    const limit2 = budget ? `\uD1A0\uD070 \uC608\uC0B0 ${budget}` : "\uD1A0\uD070 \uC608\uC0B0";
+    return `\uC644\uB8CC\uAC00 \uAC80\uC99D\uB418\uAE30 \uC804\uC5D0 \uBAA9\uD45C\uAC00 ${limit2}\uC5D0 \uB3C4\uB2EC\uD588\uC2B5\uB2C8\uB2E4. \uD604\uC7AC\uAE4C\uC9C0\uC758 \uACB0\uACFC\uB97C \uD655\uC778\uD55C \uB4A4, \uBC94\uC704\uB97C \uC904\uC774\uAC70\uB098 \uC608\uC0B0\uC744 \uB298\uB824 \uB2E4\uC2DC \uC9C4\uD589\uD574 \uC8FC\uC138\uC694.`;
+  }
+  const limit = budget ? `token budget ${budget}` : "token budget";
+  return `The goal reached its ${limit} before completion was verified. Review the current result, then narrow the scope or increase the budget before continuing.`;
+}
+function parseMaxTurns(finalAnswer) {
+  const value = finalAnswer?.match(/\bmaxTurns\s*\(\s*(\d+)\s*\)/i)?.[1];
+  if (!value) return void 0;
+  const parsed = Number(value);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : void 0;
+}
+function goalIterationProgress(state) {
+  if (!state || !Number.isFinite(state.iteration) || !Number.isFinite(state.maxIterations) || state.maxIterations <= 0) return void 0;
+  return `${state.iteration}/${state.maxIterations}`;
+}
+function goalBudgetProgress(state) {
+  if (!state || !Number.isFinite(state.tokensUsed) || !Number.isFinite(state.tokenBudget) || !state.tokenBudget || state.tokenBudget <= 0) return void 0;
+  return `${state.tokensUsed}/${state.tokenBudget}`;
 }
 function createGoalId() {
   return `goal_${createSessionId().slice("ses_".length)}`;
@@ -29647,9 +30641,76 @@ function sha256(value) {
 }
 
 // src/root-session.ts
-import { cp, mkdtemp, rm as rm3 } from "node:fs/promises";
+import { cp, mkdtemp, readFile as readFile17, rm as rm3 } from "node:fs/promises";
 import os15 from "node:os";
-import path33 from "node:path";
+import path34 from "node:path";
+
+// src/permissions/auto-agent.ts
+function createAutoPermissionAgent(options) {
+  return async (request) => {
+    const command = bashCommandFromRequest(request);
+    if (!command || !isPotentiallyReadOnlyShellCommand(command)) return void 0;
+    const result = await classifyWithAgent(command, request, options).catch(() => void 0);
+    if (!result || result.decision !== "allow" || result.confidence < 0.85) return void 0;
+    return { decision: "allow", reason: `auto permission judge: ${preview(result.reason, 160)}` };
+  };
+}
+function bashCommandFromRequest(request) {
+  const toolName = (request.qualifiedName ?? request.tool).split(".").at(-1)?.toLowerCase();
+  if (toolName !== "bash") return void 0;
+  const input2 = request.input && typeof request.input === "object" && !Array.isArray(request.input) ? request.input : {};
+  return typeof input2.command === "string" ? input2.command : void 0;
+}
+async function classifyWithAgent(command, request, options) {
+  const response = await options.provider.chat({
+    model: options.model,
+    tools: [],
+    maxTokens: 180,
+    temperature: 0,
+    signal: permissionSignal(options.signal, options.timeoutMs ?? 4e3),
+    messages: [
+      {
+        role: "system",
+        content: [
+          "You are Demian's internal permission judge.",
+          "Classify whether a shell command is safe to auto-allow without asking the user.",
+          "Allow only commands that are clearly read-only, inspect local workspace state, and do not write files, mutate git state, install packages, start long-running services, send network requests, change permissions, or execute nested commands.",
+          "If there is any uncertainty, choose ask. Never choose allow just because the command seems common.",
+          'Return only compact JSON with this shape: {"decision":"allow"|"ask","confidence":0..1,"reason":"short reason"}.'
+        ].join(" ")
+      },
+      {
+        role: "user",
+        content: JSON.stringify({
+          cwd: options.cwd,
+          tool: request.qualifiedName ?? request.tool,
+          actor: request.actor,
+          command
+        })
+      }
+    ]
+  });
+  return parseJudgeResponse(response.message.content);
+}
+function permissionSignal(parent, timeoutMs) {
+  const timeout = AbortSignal.timeout(timeoutMs);
+  return parent ? AbortSignal.any([parent, timeout]) : timeout;
+}
+function parseJudgeResponse(content) {
+  if (!content) return void 0;
+  const json = content.match(/\{[\s\S]*\}/)?.[0];
+  if (!json) return void 0;
+  try {
+    const parsed = JSON.parse(json);
+    const decision = parsed.decision === "allow" ? "allow" : parsed.decision === "ask" ? "ask" : void 0;
+    const confidence = typeof parsed.confidence === "number" ? parsed.confidence : Number(parsed.confidence);
+    const reason = typeof parsed.reason === "string" ? parsed.reason.trim() : "";
+    if (!decision || !Number.isFinite(confidence) || confidence < 0 || confidence > 1 || !reason) return void 0;
+    return { decision, confidence, reason };
+  } catch {
+    return void 0;
+  }
+}
 
 // src/permissions/presets.ts
 var PERMISSION_PRESETS = ["deny", "ask", "auto", "full"];
@@ -29665,9 +30726,19 @@ function defaultDecisionForPermissionPreset(preset) {
   if (preset === "full") return "allow";
   return "by-category";
 }
+function invocationDecisionForPermissionPreset(preset) {
+  if (preset === "deny") return "deny";
+  if (preset === "ask") return "ask";
+  return "allow";
+}
 function applyPermissionPresetToAgent(agent, preset) {
+  const invocationDecision = invocationDecisionForPermissionPreset(preset);
   return {
     ...agent,
+    delegation: agent.delegation ? {
+      ...agent.delegation,
+      invocationDecision
+    } : agent.delegation,
     defaultDecision: defaultDecisionForPermissionPreset(preset)
   };
 }
@@ -29679,6 +30750,13 @@ function createCoworkTool(options) {
   return {
     name: "cowork",
     description: "Run multiple bounded Demian cowork agents and return their combined result. members[].agent must be an exact cowork agent name, not the current parent agent.",
+    metadata: {
+      category: "orchestration.cowork",
+      categoryPath: ["orchestration", "cowork"],
+      sideEffect: "external",
+      defaultDecision: options.config.defaultInvocationDecision,
+      trust: "builtin"
+    },
     inputSchema: {
       type: "object",
       properties: {
@@ -29693,6 +30771,9 @@ function createCoworkTool(options) {
             properties: {
               id: { type: "string", pattern: "^[a-z0-9_-]{1,32}$" },
               agent: { type: "string", enum: coworkAgentNames, description: agentDescription },
+              provider: { type: "string", description: "Optional provider override. Must be listed in cowork.providers." },
+              model: { type: "string", description: "Optional model display name or raw model id for this member's provider." },
+              modelProfileName: { type: "string", description: "Optional stable model profile name for this member's provider." },
               task: { type: "string" },
               dependsOn: { type: "array", items: { type: "string" } },
               role: { type: "string" },
@@ -29703,7 +30784,7 @@ function createCoworkTool(options) {
               constraints: { type: "array", items: { type: "string" } },
               expectedOutput: { type: "string" },
               maxTurns: { type: "integer", minimum: 1 },
-              mode: { type: "string", enum: ["read-only", "write", "review"] },
+              mode: { type: "string", enum: ["read-only", "write", "review", "manage"] },
               writeScope: { type: "array", items: { type: "string" } },
               returnMode: { type: "string", enum: ["brief", "normal"] }
             },
@@ -29769,6 +30850,9 @@ function parseMember(input2, index) {
     agent: object2.agent.trim(),
     task: object2.task.trim()
   };
+  if (typeof object2.provider === "string" && object2.provider.trim()) member.provider = object2.provider.trim();
+  if (typeof object2.model === "string" && object2.model.trim()) member.model = object2.model.trim();
+  if (typeof object2.modelProfileName === "string" && object2.modelProfileName.trim()) member.modelProfileName = object2.modelProfileName.trim();
   if (typeof object2.id === "string" && object2.id.trim()) member.id = object2.id.trim();
   if (typeof object2.role === "string" && object2.role.trim()) member.role = object2.role.trim();
   if (typeof object2.context === "string") member.context = object2.context;
@@ -29776,7 +30860,7 @@ function parseMember(input2, index) {
   if (object2.returnMode === "brief" || object2.returnMode === "normal") member.returnMode = object2.returnMode;
   if (object2.parentDetail === "preview" || object2.parentDetail === "full" || object2.parentDetail === "none") member.parentDetail = object2.parentDetail;
   if (object2.mode !== void 0) {
-    if (object2.mode !== "read-only" && object2.mode !== "write" && object2.mode !== "review") return { ok: false, error: `cowork.members[${index}].mode must be read-only, review, or write.` };
+    if (object2.mode !== "read-only" && object2.mode !== "write" && object2.mode !== "review" && object2.mode !== "manage") return { ok: false, error: `cowork.members[${index}].mode must be read-only, review, manage, or write.` };
     member.mode = object2.mode;
   }
   if (typeof object2.maxTurns === "number" && Number.isInteger(object2.maxTurns) && object2.maxTurns > 0) member.maxTurns = object2.maxTurns;
@@ -29807,6 +30891,13 @@ function createDelegateAgentTool(options) {
   return {
     name: "delegate_agent",
     description: "Delegate a bounded task to a configured demian agent and return its result.",
+    metadata: {
+      category: "orchestration.agent",
+      categoryPath: ["orchestration", "agent"],
+      sideEffect: "external",
+      defaultDecision: "ask",
+      trust: "builtin"
+    },
     inputSchema: {
       type: "object",
       properties: {
@@ -29857,6 +30948,172 @@ function stringArray2(value) {
   return value.filter((item) => typeof item === "string");
 }
 
+// src/cowork/permissions.ts
+function resolveCoworkPermissionIntent(agent, mode) {
+  if (agent.permissionIntent) return agent.permissionIntent;
+  if (mode === "write") return "write";
+  if (mode === "review") return "review";
+  if (mode === "manage") return "manage";
+  const category = agent.catalog?.category;
+  if (category === "builder") return "write";
+  if (category === "reviewer") return "review";
+  if (category === "planner") return "manage";
+  return "read-only";
+}
+function compileCoworkPermissionOverlay(options) {
+  const intent = resolveCoworkPermissionIntent(options.agent, options.mode);
+  const mapping = options.config.permissionOverlay.modeMappings[intent];
+  const providerNamespace = options.config.permissionOverlay.providerToolNamespaces[options.providerProfile];
+  const providerTools = providerNamespace ? [...mapping?.providerTools[options.providerProfile] ?? []] : [];
+  const demianTools = [...mapping?.demianTools ?? []];
+  const defaultDecision = mapping?.defaultDecision ?? options.agent.defaultDecision ?? "ask";
+  const rules = overlayRules({ intent, providerNamespace, providerTools, demianTools });
+  return {
+    intent,
+    providerProfile: options.providerProfile,
+    providerNamespace,
+    demianTools,
+    providerTools,
+    rules,
+    defaultDecision,
+    explanation: [
+      `permission intent ${intent}`,
+      providerNamespace ? `${providerNamespace} tools: ${providerTools.join(", ") || "(none)"}` : "no provider tool namespace",
+      `default decision ${defaultDecision}`
+    ]
+  };
+}
+function overlayRules(options) {
+  const rules = [];
+  for (const tool of options.demianTools) {
+    rules.push({ tool, decision: demianToolDecision(options.intent, tool) });
+  }
+  if (options.providerNamespace) {
+    const allowed = new Set(options.providerTools);
+    for (const tool of options.providerTools) {
+      rules.push({ tool: `${options.providerNamespace}.${tool}`, decision: providerToolDecision(options.intent, tool) });
+    }
+    for (const tool of ["Edit", "Write", "MultiEdit", "Bash"]) {
+      if (!allowed.has(tool)) rules.push({ tool: `${options.providerNamespace}.${tool}`, decision: "deny", reason: `${options.intent} cowork permission overlay` });
+    }
+  }
+  return rules;
+}
+function demianToolDecision(intent, tool) {
+  if (intent !== "write") return "allow";
+  return tool === "edit_file" || tool === "write_file" || tool === "bash" ? "ask" : "allow";
+}
+function providerToolDecision(intent, tool) {
+  if (intent !== "write") return "allow";
+  return tool === "Edit" || tool === "Write" || tool === "MultiEdit" || tool === "Bash" ? "ask" : "allow";
+}
+
+// src/cowork/routing.ts
+function resolveCoworkAssignment(options) {
+  const memberProvider = options.member.provider?.trim();
+  if (memberProvider && !options.config.providers.includes(memberProvider)) {
+    throw new Error(`cowork member provider ${memberProvider} is not in cowork.providers.`);
+  }
+  const agentName = coworkAgentName(options.agent.name);
+  const sourceAndOrder = providerOrder({
+    memberProvider,
+    memberModel: options.member.model,
+    memberModelProfileName: options.member.modelProfileName,
+    agentName,
+    agent: options.agent,
+    config: options.config
+  });
+  const constrainedOrder = sourceAndOrder.source === "legacy-agent-provider" ? sourceAndOrder.order : sourceAndOrder.order.filter((selection) => options.config.providers.includes(selection.provider));
+  const filtered = constrainedOrder.filter((selection) => options.availability?.[selection.provider] !== "unavailable");
+  if (filtered.length === 0) {
+    throw new Error(`No available cowork provider for ${options.agent.name}. Tried: ${sourceAndOrder.order.map(providerSelectionLabel).join(", ") || "(none)"}.`);
+  }
+  const selected = filtered[0];
+  const providerProfile = selected.provider;
+  const mode = options.member.mode ?? "read-only";
+  const permissionOverlay = compileCoworkPermissionOverlay({
+    config: options.config,
+    agent: options.agent,
+    providerProfile,
+    mode
+  });
+  return {
+    agent: options.agent,
+    agentName,
+    providerProfile,
+    model: selected.model,
+    modelProfileName: selected.modelProfileName,
+    remainingProviders: filtered.slice(1).map((selection) => selection.provider),
+    remainingProviderSelections: filtered.slice(1),
+    source: sourceAndOrder.source,
+    permissionOverlay,
+    explanation: [
+      `provider source: ${sourceAndOrder.source}`,
+      `provider/model order: ${filtered.map(providerSelectionLabel).join(" > ")}`,
+      ...permissionOverlay.explanation
+    ]
+  };
+}
+function coworkProviderAvailability(config, providers) {
+  const availability = {};
+  for (const provider of config.providers) {
+    const providerConfig = providers[provider];
+    if (!providerConfig || providerConfig.hidden) availability[provider] = "unavailable";
+    else availability[provider] = "configured";
+  }
+  return availability;
+}
+function providerOrder(options) {
+  if (options.memberProvider) {
+    return {
+      source: "explicit-provider",
+      order: [
+        {
+          provider: options.memberProvider,
+          ...options.memberModel ? { model: options.memberModel } : {},
+          ...options.memberModelProfileName ? { modelProfileName: options.memberModelProfileName } : {}
+        }
+      ]
+    };
+  }
+  if (options.agent.provider?.profile && !options.agent.defaultProviders?.length) return { source: "legacy-agent-provider", order: [{ provider: options.agent.provider.profile }] };
+  const userModelPool = options.agentName ? options.config.routing.agentModelPools[options.agentName] : void 0;
+  if (userModelPool?.length) return { source: "user-model-pool", order: uniqueProviderSelections(userModelPool) };
+  const userOrder = options.agentName ? options.config.routing.agentProviders[options.agentName] : void 0;
+  if (userOrder?.length) return { source: "user-routing", order: unique2(userOrder).map((provider) => ({ provider })) };
+  if (options.agent.defaultProviders?.length) return { source: "agent-default", order: unique2(options.agent.defaultProviders).map((provider) => ({ provider })) };
+  if (options.agent.provider?.profile) return { source: "legacy-agent-provider", order: [{ provider: options.agent.provider.profile }] };
+  return { source: "cowork-pool", order: unique2(options.config.providers).map((provider) => ({ provider })) };
+}
+function coworkAgentName(value) {
+  return COWORK_AGENT_NAMES.includes(value) ? value : void 0;
+}
+function unique2(values) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const value of values) {
+    if (seen.has(value)) continue;
+    seen.add(value);
+    out.push(value);
+  }
+  return out;
+}
+function uniqueProviderSelections(values) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const value of values) {
+    const key = `${value.provider}\0${value.modelProfileName ?? ""}\0${value.model ?? ""}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push({ ...value });
+  }
+  return out;
+}
+function providerSelectionLabel(selection) {
+  const model = selection.modelProfileName ?? selection.model;
+  return model ? `${selection.provider}:${model}` : selection.provider;
+}
+
 // src/root-session.ts
 var demianOnlyToolNames = /* @__PURE__ */ new Set(["delegate_agent", "cowork", "get_goal", "create_goal", "update_goal"]);
 var RootSession = class {
@@ -29870,6 +31127,7 @@ var RootSession = class {
   #transcript;
   #agentSessions = /* @__PURE__ */ new Map();
   #externalSessions = new ClaudeCodeSessionMap();
+  #coworkProviderAvailability;
   #mainExternalSessionKey;
   #currentPrompt = "";
   #progress;
@@ -29878,6 +31136,7 @@ var RootSession = class {
   constructor(options) {
     this.#options = options;
     this.#permissionPreset = normalizePermissionPreset(options.permissionPreset);
+    this.#coworkProviderAvailability = coworkProviderAvailability(options.config.cowork, options.config.providers);
     this.events = options.eventBus ?? new EventBus();
     this.agents = new AgentRegistry();
     this.#progress = new ProgressLedger({ rootSessionId: this.id });
@@ -29924,6 +31183,8 @@ var RootSession = class {
       agent: mainAgent,
       hooks: this.#options.hooks ?? this.#options.config.hooks,
       maxTurns: this.#options.maxTurns ?? this.#options.config.maxTurns,
+      countToolUseTurns: false,
+      maxToolUseRounds: relaxedToolUseRoundLimit(this.#options.maxTurns ?? this.#options.config.maxTurns),
       yes: this.#options.yes,
       dryRun: this.#options.dryRun,
       streaming: this.#options.streaming ?? this.#options.config.streaming.enabled,
@@ -29936,6 +31197,7 @@ var RootSession = class {
       signal: options.signal,
       eventBus: this.events,
       permissionPrompt: this.permissionPrompt,
+      autoPermission: this.autoPermissionForBackend(backend, this.#options.cwd, options.signal),
       toolRegistry: this.tools,
       grants: this.#grants,
       transcriptWriter: this.#transcript,
@@ -29984,7 +31246,7 @@ var RootSession = class {
     const providerProfile = childAgent.provider?.profile ?? this.#options.providerName;
     const invocationGrantKey = grantKeyForAgentInvocation(childAgent.name, providerProfile);
     if (this.#grants.has(invocationGrantKey)) return { ok: true };
-    const decision = childAgent.delegation?.invocationDecision ?? this.#options.config.delegation.defaultInvocationDecision;
+    const decision = invocationDecisionForPermissionPreset(this.#permissionPreset);
     if (decision === "deny") return { ok: false, error: `Agent invocation denied: ${childAgent.name}` };
     if (decision !== "ask") return { ok: true };
     this.events.emit({
@@ -30103,6 +31365,8 @@ var RootSession = class {
         agent: childRuntimeAgent,
         hooks: this.#options.hooks ?? this.#options.config.hooks,
         maxTurns,
+        countToolUseTurns: false,
+        maxToolUseRounds: relaxedToolUseRoundLimit(maxTurns),
         yes: this.#options.yes,
         dryRun: this.#options.dryRun,
         streaming: false,
@@ -30115,6 +31379,7 @@ var RootSession = class {
         signal,
         eventBus: this.events,
         permissionPrompt: this.permissionPrompt,
+        autoPermission: this.autoPermissionForBackend(backend, cwd, signal),
         toolRegistry: this.tools,
         grants: this.#grants,
         transcriptWriter: this.#transcript,
@@ -30137,6 +31402,31 @@ var RootSession = class {
           session.externalSessionKey = externalKey;
         }
       }
+      if (result.endReason !== "end_turn") {
+        const message = childExecutionFailureMessage(result.endReason, result.finalAnswer);
+        if (result.endReason === "cancelled") {
+          this.events.emit({
+            type: "agent.invocation.cancelled",
+            rootSessionId: this.id,
+            agentSessionId: session.id,
+            invocationId,
+            agent: childRuntimeAgent.name,
+            reason: message,
+            ts: now()
+          });
+          return { ok: false, error: `Agent invocation cancelled: ${message}`, invocationId, agentName: childRuntimeAgent.name, providerProfile, model: backend.model, metadata: { endReason: result.endReason } };
+        }
+        this.events.emit({
+          type: "agent.invocation.failed",
+          rootSessionId: this.id,
+          agentSessionId: session.id,
+          invocationId,
+          agent: childRuntimeAgent.name,
+          error: message,
+          ts: now()
+        });
+        return { ok: false, error: `Agent invocation failed: ${message}`, invocationId, agentName: childRuntimeAgent.name, providerProfile, model: backend.model, metadata: { endReason: result.endReason } };
+      }
       this.updateAgentSession(session, input2, result.messages, result.finalAnswer);
       if (beforeMessages !== session.messages.length) {
         this.events.emit({
@@ -30212,7 +31502,7 @@ var RootSession = class {
       }))
     });
     if (!this.#grants.has(grantKey)) {
-      const decision = this.#options.config.cowork.defaultInvocationDecision;
+      const decision = invocationDecisionForPermissionPreset(this.#permissionPreset);
       if (decision === "deny") return fail("Cowork invocation denied by configuration.");
       if (decision === "ask") {
         this.events.emit({
@@ -30396,43 +31686,27 @@ var RootSession = class {
   }
   async runCoworkMember(member, group, outcomes, context) {
     const startedAt = now();
-    const coworkAgent = this.decorateCoworkMemberAgent(member.agent, member.mode);
-    const runtimeAgent = this.decorateChildAgent(coworkAgent);
-    const backend = this.resolveInvocationBackend(member.providerProfile, void 0, runtimeAgent);
-    this.events.emit({
-      type: "cowork.member.started",
-      rootSessionId: this.id,
-      parentInvocationId: context.parent.parentInvocationId,
-      groupId: context.groupId,
-      memberId: member.memberId,
-      agent: member.agent.name,
-      provider: member.providerProfile,
-      model: backend.model,
-      mode: member.mode,
-      ts: startedAt
-    });
     const input2 = withParentContext(member.input, group, outcomes);
     const workspace = member.isolated ? await this.createCoworkIsolatedWorkspace(context.groupId, member.memberId) : { cwd: this.#options.cwd };
     const snapshot = member.mode === "write" ? await this.createCoworkWriterSnapshot(workspace.cwd) : void 0;
-    const result = await this.executeChildAgentSession(input2, coworkAgent, context.parent, {
-      sessionScope: `cowork:${context.groupId}:${member.memberId}`,
-      signal: context.signal,
-      writeScope: member.writeScope,
-      cwd: workspace.cwd
-    });
+    const attempt = member.mode === "write" ? await this.runCoworkWriteAttempt(member, input2, snapshot, workspace.cwd, context) : await this.runCoworkNonWriteAttempts(member, input2, workspace.cwd, context);
     const durationMs = now() - startedAt;
     const audit = member.mode === "write" ? await this.auditCoworkWriter(member, snapshot, workspace.cwd, member.isolated) : void 0;
     if ("cleanup" in workspace) await workspace.cleanup().catch(() => void 0);
+    const result = attempt.result;
+    const providerProfile = result.providerProfile;
     if (result.ok) {
       const outOfScope2 = audit?.outOfScopeFiles ?? [];
       const outcome2 = {
         memberId: member.memberId,
         agent: member.agent.name,
-        provider: member.providerProfile,
+        provider: providerProfile,
         status: outOfScope2.length ? "failed" : "completed",
-        summary: preview(coworkMemberSummary(result.finalAnswer.trim() || "Completed.", audit), 1e3),
+        summary: preview(coworkMemberSummary(result.finalAnswer.trim() || "Completed.", audit, attempt), 1e3),
         artifacts: audit ? [coworkAuditArtifact(audit)] : [],
         reason: outOfScope2.length ? "out_of_scope" : void 0,
+        fallbackReason: attempt.fallbackReason,
+        repairReason: attempt.repairReason,
         error: outOfScope2.length ? `Writer changed files outside writeScope: ${outOfScope2.join(", ")}` : void 0,
         invocationId: result.invocationId,
         tokens: result.usage,
@@ -30450,11 +31724,13 @@ var RootSession = class {
     const outcome = {
       memberId: member.memberId,
       agent: member.agent.name,
-      provider: member.providerProfile,
+      provider: providerProfile,
       status: cancelled ? "cancelled" : "failed",
-      summary: preview(coworkMemberSummary(result.error, audit), 1e3),
+      summary: preview(coworkMemberSummary(result.error, audit, attempt), 1e3),
       artifacts: audit ? [coworkAuditArtifact(audit)] : [],
       reason: cancelled ? "cancelled" : outOfScope.length ? "out_of_scope" : void 0,
+      fallbackReason: attempt.fallbackReason,
+      repairReason: attempt.repairReason,
       error: outOfScope.length ? `${result.error}
 Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.error,
       invocationId: result.invocationId,
@@ -30467,6 +31743,115 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     }
     return outcome;
   }
+  async runCoworkNonWriteAttempts(member, input2, cwd, context) {
+    const providers = [{ provider: member.providerProfile, model: member.model, modelProfileName: member.modelProfileName }, ...member.remainingProviderSelections];
+    const errors = [];
+    let fallbackReason;
+    for (const [index, selection] of providers.entries()) {
+      const overlay = index === 0 && member.permissionOverlay ? member.permissionOverlay : this.compileCoworkOverlay(member, selection.provider);
+      const result2 = await this.executeCoworkMemberAttempt(member, selection, overlay, input2, cwd, context, `cowork:${context.groupId}:${member.memberId}:${providerSelectionScope(selection)}`);
+      if (result2.ok) return { result: result2, fallbackReason };
+      errors.push(`${providerSelectionLabel2(selection)}: ${result2.error}`);
+      if (context.signal.aborted) return { result: result2, fallbackReason };
+      const policy = pickCoworkNonWriteFallbackPolicy(result2.error, this.#options.config.cowork.fallback.nonWrite);
+      const nextProvider = providers[index + 1];
+      if ((policy === "next-provider" || policy === "skip-provider") && nextProvider) {
+        if (policy === "skip-provider") this.#coworkProviderAvailability[selection.provider] = "unavailable";
+        fallbackReason = `${providerSelectionLabel2(selection)} failed (${coworkFailureKind(result2.error)}); switched to ${providerSelectionLabel2(nextProvider)}`;
+        continue;
+      }
+      return { result: withCombinedCoworkErrors(result2, errors), fallbackReason };
+    }
+    const result = {
+      ok: false,
+      error: `Agent invocation failed: all cowork providers failed for ${member.agent.name}.
+${errors.join("\n")}`,
+      agentName: member.agent.name,
+      providerProfile: providers.at(-1)?.provider ?? member.providerProfile
+    };
+    return { result, fallbackReason };
+  }
+  async runCoworkWriteAttempt(member, input2, snapshot, cwd, context) {
+    const selection = { provider: member.providerProfile, model: member.model, modelProfileName: member.modelProfileName };
+    const result = await this.executeCoworkMemberAttempt(member, selection, member.permissionOverlay, input2, cwd, context, `cowork:${context.groupId}:${member.memberId}`);
+    if (result.ok || context.signal.aborted) return { result };
+    const policy = this.#options.config.cowork.fallback.write;
+    if (policy.onFailure !== "repair-from-worktree" || policy.maxRepairAttempts < 1) return { result };
+    const repairContext = await this.buildCoworkRepairContext(result.error, snapshot, cwd);
+    if (!repairContext.hasChangedFiles) return { result };
+    let current = result;
+    let repairReason = `write attempt failed on ${member.providerProfile}; retried same provider after reading changed files`;
+    for (let attempt = 1; attempt <= policy.maxRepairAttempts; attempt++) {
+      const repairInput = {
+        ...input2,
+        task: buildCoworkRepairTask(input2.task, current.error, attempt),
+        context: [input2.context, repairContext.text].filter(Boolean).join("\n\n") || void 0
+      };
+      current = await this.executeCoworkMemberAttempt(member, selection, member.permissionOverlay, repairInput, cwd, context, `cowork:${context.groupId}:${member.memberId}:repair:${attempt}`);
+      if (current.ok) return { result: current, repairReason };
+      if (context.signal.aborted) return { result: current, repairReason };
+    }
+    return { result: current, repairReason };
+  }
+  async executeCoworkMemberAttempt(member, selection, overlay, input2, cwd, context, sessionScope) {
+    const providerProfile = selection.provider;
+    const decoratedCoworkAgent = this.decorateCoworkMemberAgent(member.agent, member.mode, overlay);
+    const coworkAgent2 = { ...decoratedCoworkAgent, provider: { ...decoratedCoworkAgent.provider, profile: providerProfile } };
+    const runtimeAgent = this.decorateChildAgent(coworkAgent2);
+    let model = "";
+    try {
+      model = this.resolveInvocationBackend(providerProfile, { model: selection.model, modelProfileName: selection.modelProfileName }, runtimeAgent).model;
+    } catch (error) {
+      return { ok: false, error: `Agent invocation failed: ${errorMessage(error)}`, agentName: runtimeAgent.name, providerProfile };
+    }
+    this.events.emit({
+      type: "cowork.member.started",
+      rootSessionId: this.id,
+      parentInvocationId: context.parent.parentInvocationId,
+      groupId: context.groupId,
+      memberId: member.memberId,
+      agent: member.agent.name,
+      provider: providerProfile,
+      model,
+      mode: member.mode,
+      ts: now()
+    });
+    return this.executeChildAgentSession(input2, coworkAgent2, context.parent, {
+      sessionScope,
+      signal: context.signal,
+      writeScope: member.writeScope,
+      cwd
+    });
+  }
+  compileCoworkOverlay(member, providerProfile) {
+    return compileCoworkPermissionOverlay({
+      config: this.#options.config.cowork,
+      agent: member.agent,
+      providerProfile,
+      mode: member.mode
+    });
+  }
+  async buildCoworkRepairContext(error, snapshot, cwd) {
+    const summary = snapshot ? await diffWorkspaceSnapshot(snapshot).catch(() => void 0) : void 0;
+    const files = summary?.files ?? [];
+    const chunks = [
+      "Cowork write repair context:",
+      "- Do not switch providers for this write repair.",
+      "- Re-read the current workspace state below and repair from it.",
+      "",
+      "Failure:",
+      error,
+      "",
+      files.length ? "Changed files since the failed attempt:" : "No changed files were detected after the failed attempt."
+    ];
+    for (const file of files) chunks.push(`- ${file.path} (${file.kind}, +${file.addedLines}/-${file.removedLines})`);
+    if (summary?.diff) chunks.push("", "Diff since original snapshot:", preview(summary.diff, 6e3));
+    if (this.#options.config.cowork.fallback.write.readChangedFilesBeforeRepair) {
+      const fileContents = await readCoworkRepairFiles(cwd, files.map((file) => file.path));
+      if (fileContents.length) chunks.push("", "Current changed file contents:", ...fileContents);
+    }
+    return { text: chunks.join("\n"), hasChangedFiles: files.length > 0 };
+  }
   async createCoworkWriterSnapshot(cwd) {
     try {
       return await createWorkspaceSnapshot(cwd);
@@ -30493,8 +31878,8 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     }
   }
   async createCoworkIsolatedWorkspace(groupId, memberId) {
-    const root = await mkdtemp(path33.join(os15.tmpdir(), `demian-cowork-${groupId}-${memberId}-`));
-    const cwd = path33.join(root, "workspace");
+    const root = await mkdtemp(path34.join(os15.tmpdir(), `demian-cowork-${groupId}-${memberId}-`));
+    const cwd = path34.join(root, "workspace");
     await cp(this.#options.cwd, cwd, {
       recursive: true,
       filter: (source) => shouldCopyIntoCoworkWorkspace(this.#options.cwd, source)
@@ -30570,11 +31955,28 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
       if (denied?.includes(target.name)) return { ok: false, error: `Agent ${parent.parentAgent.name} is configured not to cowork with ${target.name}.` };
       const maxDepth = parent.parentAgent.delegation?.maxDepth ?? this.#options.config.delegation.maxDepth;
       if (parent.agentPath.length > maxDepth) return { ok: false, error: `Max delegation depth (${maxDepth}) exceeded.` };
+      let assignment;
+      try {
+        assignment = resolveCoworkAssignment({
+          member,
+          agent: target,
+          config: this.#options.config.cowork,
+          defaultProvider: this.#options.providerName,
+          availability: this.#coworkProviderAvailability
+        });
+      } catch (error) {
+        return { ok: false, error: errorMessage(error) };
+      }
       group.push({
         memberId,
         input: member,
         agent: target,
-        providerProfile: target.provider?.profile ?? this.#options.providerName,
+        providerProfile: assignment.providerProfile,
+        model: assignment.model,
+        modelProfileName: assignment.modelProfileName,
+        remainingProviders: assignment.remainingProviders,
+        remainingProviderSelections: assignment.remainingProviderSelections,
+        permissionOverlay: assignment.permissionOverlay,
         mode,
         writeScope,
         isolated: mode === "write" && strategy === "multi-patch" && this.#options.config.cowork.writerIsolation === "snapshot-diff",
@@ -30636,24 +32038,54 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
       systemPrompt: [agent.systemPrompt, this.callableCatalogPrompt(agent)].filter(Boolean).join("\n\n")
     });
   }
-  decorateCoworkMemberAgent(agent, mode) {
-    if (mode === "write") return this.withPermissionPreset(agent);
+  decorateCoworkMemberAgent(agent, mode, overlay) {
+    const overlayPermissions = overlay?.rules ?? [];
+    const overlayDefaultDecision = overlay?.defaultDecision ?? agent.defaultDecision;
+    const systemPrompt = [agent.systemPrompt, coworkMemberToolBoundaryPrompt(mode)].join("\n\n");
+    if (mode === "write") {
+      return this.withPermissionPreset({
+        ...agent,
+        systemPrompt,
+        permissions: [...agent.permissions, ...overlayPermissions],
+        defaultDecision: overlayDefaultDecision
+      });
+    }
     const readTools = /* @__PURE__ */ new Set(["read_file", "grep", "glob", "web_search", "update_plan", "report_progress"]);
     const denyTools = ["write_file", "edit_file", "bash", "claudecode.Edit", "claudecode.Write", "claudecode.MultiEdit", "claudecode.Bash"];
     return this.withPermissionPreset({
       ...agent,
-      provider: agent.provider?.profile === "claudecode" && agent.name === "claudecode-explorer" ? { ...agent.provider, permissionProfile: "explore" } : agent.provider,
+      systemPrompt,
       tools: agent.tools.filter((tool) => readTools.has(tool)),
       permissions: [
         ...agent.permissions.filter((rule) => !denyTools.includes(rule.tool)),
+        ...overlayPermissions.filter((rule) => !denyTools.includes(rule.tool)),
         ...denyTools.map((tool) => ({ tool, decision: "deny", reason: "cowork read-only member" }))
       ],
-      defaultDecision: "deny"
+      defaultDecision: overlayDefaultDecision === "allow" ? "allow" : "deny"
     });
   }
   withPermissionPreset(agent) {
     return applyPermissionPresetToAgent(agent, this.#permissionPreset);
   }
+  autoPermissionForBackend(backend, cwd, signal) {
+    if (this.#permissionPreset !== "auto") return void 0;
+    if (backend.kind === "provider") return createAutoPermissionAgent({ provider: backend.provider, model: backend.model, cwd, signal });
+    return this.autoPermissionForExternalRuntime(cwd, signal);
+  }
+  autoPermissionForExternalRuntime(cwd, signal) {
+    if (this.#permissionPreset !== "auto") return void 0;
+    const candidates = /* @__PURE__ */ new Set([this.#options.providerName, this.#options.config.defaultProvider, ...Object.keys(this.#options.config.providers)]);
+    for (const profileName of candidates) {
+      try {
+        const providerConfig = resolveProviderConfig(this.#options.config, profileName);
+        const runtime = resolveProviderRuntimeConfig(this.#options.config, { providerName: profileName });
+        const backend = this.#options.resolveExecutionBackend ? this.#options.resolveExecutionBackend(profileName, providerConfig, runtime.model) : this.#options.resolveProvider ? { kind: "provider", ...this.#options.resolveProvider(profileName, providerConfig, runtime.model) } : resolveExecutionBackend(providerConfig, { model: runtime.model, config: this.#options.config });
+        if (backend.kind === "provider") return createAutoPermissionAgent({ provider: backend.provider, model: backend.model, cwd, signal });
+      } catch {
+      }
+    }
+    return void 0;
+  }
   callableCatalogPrompt(caller) {
     const allowed = caller.delegation?.allowedAgents;
     const denied = new Set(caller.delegation?.deniedAgents ?? []);
@@ -30688,10 +32120,13 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     }
     return lines.join("\n");
   }
-  resolveInvocationBackend(profileName, modelOverride, agent) {
-    const runtime = resolveProviderRuntimeConfig(this.#options.config, { providerName: profileName, model: modelOverride });
+  resolveInvocationBackend(profileName, modelSelection, agent) {
+    const modelOverride = typeof modelSelection === "string" ? modelSelection : modelSelection?.model;
+    const modelProfileName = typeof modelSelection === "string" ? void 0 : modelSelection?.modelProfileName;
+    const runtime = resolveProviderRuntimeConfig(this.#options.config, { providerName: profileName, model: modelOverride, modelProfileName });
     const providerConfig = runtime.providerConfig;
-    if (this.#options.resolveExecutionBackend) return this.#options.resolveExecutionBackend(profileName, providerConfig, modelOverride);
+    const selectedModel = modelOverride ?? (modelProfileName ? runtime.model : void 0);
+    if (this.#options.resolveExecutionBackend) return this.#options.resolveExecutionBackend(profileName, providerConfig, selectedModel);
     if (this.#options.resolveProvider) {
       const resolved = this.#options.resolveProvider(profileName, providerConfig, runtime.model);
       return { kind: "provider", ...resolved };
@@ -30798,17 +32233,17 @@ function findDependencyCycle(group) {
   const byId = new Map(group.map((member) => [member.memberId, member]));
   const visiting = /* @__PURE__ */ new Set();
   const visited = /* @__PURE__ */ new Set();
-  const path36 = [];
+  const path37 = [];
   const visit = (id) => {
-    if (visiting.has(id)) return [...path36.slice(path36.indexOf(id)), id];
+    if (visiting.has(id)) return [...path37.slice(path37.indexOf(id)), id];
     if (visited.has(id)) return void 0;
     visiting.add(id);
-    path36.push(id);
+    path37.push(id);
     for (const dep of byId.get(id)?.dependsOn ?? []) {
       const cycle = visit(dep);
       if (cycle) return cycle;
     }
-    path36.pop();
+    path37.pop();
     visiting.delete(id);
     visited.add(id);
     return void 0;
@@ -30849,7 +32284,7 @@ function scopeStaticPrefix(pattern) {
   return prefix.replace(/\/+$/, "").split("/").filter(Boolean).join("/") || ".";
 }
 function shouldCopyIntoCoworkWorkspace(root, source) {
-  const relative = path33.relative(root, source).split(path33.sep).join("/");
+  const relative = path34.relative(root, source).split(path34.sep).join("/");
   if (!relative) return true;
   const parts = relative.split("/");
   return !parts.includes(".git") && !parts.includes("node_modules") && !parts.includes(".demian");
@@ -30980,8 +32415,14 @@ function summarizeCoworkResult(goal, outcomes) {
   }
   return lines.join("\n");
 }
-function coworkMemberSummary(text, audit) {
+function coworkMemberSummary(text, audit, attempt) {
   const lines = [text];
+  if (attempt?.fallbackReason) {
+    lines.push("", `Fallback: ${attempt.fallbackReason}`);
+  }
+  if (attempt?.repairReason) {
+    lines.push("", `Repair: ${attempt.repairReason}`);
+  }
   if (audit?.summary?.files.length) {
     lines.push("", `Workspace changes: ${audit.summary.files.map((file) => file.path).join(", ")}`);
   }
@@ -31002,6 +32443,16 @@ function externalMainRuntimePrompt() {
     "- Do not announce that delegate_agent or cowork is unavailable unless the user explicitly requested one of those tools."
   ].join("\n");
 }
+function coworkMemberToolBoundaryPrompt(mode) {
+  const capability = mode === "write" ? "read/write tools allowed by the delegated writeScope" : "read-only inspection tools";
+  return [
+    "Cowork member tool boundary:",
+    "- You are already running inside a Demian cowork group; do not try to call cowork or delegate_agent from this member.",
+    `- Use only the ${capability} exposed by your current runtime.`,
+    "- When the provider is Claude Code, Demian maps workspace capabilities through Claude Code native tools such as Read, Grep, Glob, LS, Edit, MultiEdit, Write, and Bash according to the permission overlay.",
+    "- Do not report missing cowork/delegate_agent as a blocker; report a blocker only when the delegated workspace capability itself is missing."
+  ].join("\n");
+}
 function coworkAuditArtifact(audit) {
   return {
     type: "workspace-diff-audit",
@@ -31030,6 +32481,80 @@ function formatCoworkResult(result) {
     )
   ].join("\n");
 }
+function pickCoworkNonWriteFallbackPolicy(error, policy) {
+  const kind = coworkFailureKind(error);
+  if (kind === "auth") return policy.onAuthFailure;
+  if (kind === "token-limit") return policy.onTokenLimit;
+  if (kind === "connection") return policy.onConnectionError;
+  return "fail-member";
+}
+function coworkFailureKind(error) {
+  const text = error.toLowerCase();
+  if (/\b(401|403)\b|unauthorized|forbidden|auth|api key|apikey|invalid key|invalid_key/.test(text)) return "auth";
+  if (/token|context length|quota|rate limit|too many requests|\b429\b|maximum context|max_tokens|max tokens/.test(text)) return "token-limit";
+  if (/econnreset|econnrefused|etimedout|enotfound|network|fetch failed|connection|socket|timeout|temporarily unavailable|no scripted response/.test(text)) return "connection";
+  return "unknown";
+}
+function childExecutionFailureMessage(endReason, finalAnswer) {
+  const answer = finalAnswer?.trim();
+  if (answer) return answer;
+  if (endReason === "max_turns") return "Stopped after reaching maxTurns before producing a verified result.";
+  if (endReason === "tool_loop_limit") return "Stopped after reaching the tool-use safety limit before producing a verified result.";
+  if (endReason === "content_filter") return "Provider safety filter blocked the child agent response.";
+  if (endReason === "cancelled") return "Cancelled.";
+  if (endReason === "error") return "Child agent runtime ended with an error.";
+  return `Child agent ended with ${endReason}.`;
+}
+function withCombinedCoworkErrors(result, errors) {
+  if (result.ok || errors.length <= 1) return result;
+  return {
+    ...result,
+    error: `${result.error}
+
+Cowork provider attempts:
+${errors.join("\n")}`
+  };
+}
+function providerSelectionLabel2(selection) {
+  const model = selection.modelProfileName ?? selection.model;
+  return model ? `${selection.provider}:${model}` : selection.provider;
+}
+function providerSelectionScope(selection) {
+  return providerSelectionLabel2(selection).replace(/[^a-zA-Z0-9_-]/g, "_");
+}
+function buildCoworkRepairTask(originalTask, error, attempt) {
+  return [
+    `Repair attempt ${attempt} for a failed cowork write task.`,
+    "",
+    "Original task:",
+    originalTask,
+    "",
+    "Previous failure:",
+    error,
+    "",
+    "Continue from the current workspace state. Do not restart blindly or overwrite unrelated changes. Stay inside the delegated writeScope."
+  ].join("\n");
+}
+async function readCoworkRepairFiles(cwd, relativePaths) {
+  const chunks = [];
+  let budget = 12e3;
+  for (const relativePath of relativePaths.slice(0, 8)) {
+    if (budget <= 0) break;
+    const normalized = relativePath.split(path34.sep).join("/");
+    const absolutePath = path34.resolve(cwd, normalized);
+    if (!absolutePath.startsWith(path34.resolve(cwd) + path34.sep) && absolutePath !== path34.resolve(cwd)) continue;
+    try {
+      const content = await readFile17(absolutePath, "utf8");
+      const clipped = preview(content, budget);
+      budget -= clipped.length;
+      chunks.push([`File: ${normalized}`, "```", clipped, "```"].join("\n"));
+    } catch (error) {
+      chunks.push(`File: ${normalized}
+(unavailable: ${errorMessage(error)})`);
+    }
+  }
+  return chunks;
+}
 function sumUsage(outcomes) {
   return outcomes.reduce(
     (sum, outcome) => ({
@@ -31067,10 +32592,10 @@ function parseCoworkCommand(input2) {
   const mergeStrategy = consumeMergeStrategy(tokens);
   const task = tokens.join(" ").trim();
   const memberHints = agents.length ? [] : inferInlineCoworkMembers(task, mode);
-  const requestedAgents = agents.length ? agents : unique(memberHints.map((member) => member.agent));
+  const requestedAgents = agents.length ? agents : unique3(memberHints.map((member) => member.agent));
   if (!task) return { kind: "message", message: coworkUsage() };
-  if (mode && !["read-only", "review", "write"].includes(mode)) {
-    return { kind: "message", message: "Usage: /cowork [--agents a,b] [--mode read-only|review|write] [--parallel|--sequential] [--multi-patch] <task>" };
+  if (mode && !["read-only", "review", "write", "manage"].includes(mode)) {
+    return { kind: "message", message: "Usage: /cowork [--agents a,b] [--mode read-only|review|write|manage] [--parallel|--sequential] [--multi-patch] <task>" };
   }
   return {
     kind: "run",
@@ -31080,8 +32605,8 @@ function parseCoworkCommand(input2) {
 }
 function coworkUsage() {
   return [
-    "Usage: /cowork [--agents a,b] [--mode read-only|review|write] [--parallel|--sequential] [--multi-patch] <task>",
-    "Example: /cowork --agents codex-reviewer,claudecode-explorer \uC774 \uBCC0\uACBD\uC0AC\uD56D\uC744 \uBCD1\uB82C \uAC80\uD1A0\uD574 \uC918"
+    "Usage: /cowork [--agents a,b] [--mode read-only|review|write|manage] [--parallel|--sequential] [--multi-patch] <task>",
+    "Example: /cowork --agents supervisor,reviewer \uC774 \uBCC0\uACBD\uC0AC\uD56D\uC744 \uBCD1\uB82C \uAC80\uD1A0\uD574 \uC918"
   ].join("\n");
 }
 function buildCoworkPrompt(input2) {
@@ -31101,13 +32626,14 @@ function buildCoworkPrompt(input2) {
   ];
   if (input2.agents.length) lines.push(`- Requested cowork agents: ${input2.agents.join(", ")}. Use these exact names in cowork.members[].agent.`);
   if (input2.memberHints?.length) {
-    lines.push("- Provider aliases in the user request were normalized to cowork agents.");
+    lines.push("- Provider names in the user request were mapped to cowork agents.");
     lines.push("Suggested cowork member decomposition:");
     for (const member of input2.memberHints) lines.push(`  - ${member.agent} (from "${member.alias}"): ${member.task || input2.task}`);
   }
   if (input2.mode === "read-only") lines.push("- Use read-only cowork members; do not request file edits from members.");
   if (input2.mode === "review") lines.push("- Use review/read-only cowork members focused on findings, risks, and missing tests.");
   if (input2.mode === "write") lines.push("- At least one cowork member may write, but every write member must have a narrow writeScope.");
+  if (input2.mode === "manage") lines.push("- Use planning/management cowork members focused on decomposition, coordination, and review gates.");
   if (input2.execution) lines.push(`- Requested execution mode: ${input2.execution}.`);
   if (input2.mergeStrategy === "multi-patch") lines.push("- Use merge.strategy=multi-patch and non-overlapping writeScope values for writer members.");
   return lines.join("\n");
@@ -31134,15 +32660,15 @@ function inferInlineCoworkMembers(task, mode) {
 }
 function coworkAgentForAlias(alias, mode) {
   const value = alias.toLowerCase();
-  if (value === "codex") return mode === "review" ? "codex-reviewer" : "codex-planner";
-  if (value === "claudecode" || value === "claude-code" || value === "claude_code") return mode === "write" ? "claudecode-builder" : "claudecode-explorer";
+  if (value === "codex") return mode === "review" ? "supervisor" : "planner";
+  if (value === "claudecode" || value === "claude-code" || value === "claude_code") return mode === "write" ? "builder" : "reviewer";
   return "";
 }
 function cleanInlineCoworkMemberTask(value) {
   const text = value.replace(/^[\s,，;；:：-]+/, "").replace(/[\s,，;；]+$/, "").replace(/^(?:너는|너는\s+|는|은|에게)\s*/, "").trim();
   return text || void 0;
 }
-function unique(values) {
+function unique3(values) {
   return [...new Set(values)];
 }
 function consumeExecution(tokens) {
@@ -31475,13 +33001,13 @@ async function askModel(promptUi, selection) {
 }
 
 // src/ui/preferences.ts
-import { mkdir as mkdir14, readFile as readFile17, writeFile as writeFile14 } from "node:fs/promises";
+import { mkdir as mkdir14, readFile as readFile18, writeFile as writeFile14 } from "node:fs/promises";
 import fs10 from "node:fs";
-import path34 from "node:path";
+import path35 from "node:path";
 var UiPreferenceStore = class {
   filePath;
   constructor(cwd, filePath) {
-    this.filePath = filePath ? path34.resolve(cwd, filePath) : path34.join(cwd, ".demian", "preferences.json");
+    this.filePath = filePath ? path35.resolve(cwd, filePath) : path35.join(cwd, ".demian", "preferences.json");
   }
   async load() {
     if (!fs10.existsSync(this.filePath)) return void 0;
@@ -31499,13 +33025,13 @@ var UiPreferenceStore = class {
       model: selection.model,
       updatedAt: Date.now()
     };
-    await mkdir14(path34.dirname(this.filePath), { recursive: true });
+    await mkdir14(path35.dirname(this.filePath), { recursive: true });
     await writeFile14(this.filePath, `${JSON.stringify(file, null, 2)}
 `, { mode: 384 });
   }
   async #read() {
     try {
-      return JSON.parse(await readFile17(this.filePath, "utf8"));
+      return JSON.parse(await readFile18(this.filePath, "utf8"));
     } catch {
       return void 0;
     }
@@ -31531,7 +33057,7 @@ async function main(argv = process.argv.slice(2)) {
     return 0;
   }
   if (!flags.noWizard) await runFirstRunWizard().catch(() => void 0);
-  const cwd = path35.resolve(flags.cwd ?? process.cwd());
+  const cwd = path36.resolve(flags.cwd ?? process.cwd());
   const config = await loadConfig({ cwd, configPath: flags.configPath });
   const agentName = flags.agent ?? config.defaultAgent;
   const preferenceStore = new UiPreferenceStore(cwd);
@@ -31677,6 +33203,7 @@ async function runPlainTask(options) {
   for (const agentDefinition of Object.values(config.agents ?? {})) agentRegistry.register(agentDefinition, { scope: "user", trusted: true });
   const agent = agentRegistry.get(agentName);
   if (mode === "multi-agent") {
+    const runMaxTurns2 = flags.maxTurns ?? config.maxTurns;
     const root = new RootSession({
       cwd,
       config,
@@ -31684,7 +33211,7 @@ async function runPlainTask(options) {
       providerName,
       model: selection.model,
       hooks: config.hooks,
-      maxTurns: flags.maxTurns ?? config.maxTurns,
+      maxTurns: runMaxTurns2,
       yes: flags.yes,
       dryRun: flags.dryRun,
       streaming: flags.streaming ?? config.streaming.enabled,
@@ -31713,6 +33240,7 @@ async function runPlainTask(options) {
     return { history: interactiveHistoryFromRunMessages(result2.messages), lastExternalSessionKey: options.lastExternalSessionKey };
   }
   const runtimeAgent = activeGoal ? withGoalTools(agent) : agent;
+  const runMaxTurns = flags.maxTurns ?? config.maxTurns;
   const runtime = resolveProviderRuntimeConfig(config, selection);
   const backend = resolveExecutionBackend(runtime.providerConfig, {
     model: runtime.model,
@@ -31747,7 +33275,9 @@ async function runPlainTask(options) {
     providerName,
     agent: runtimeAgent,
     hooks: config.hooks,
-    maxTurns: flags.maxTurns ?? config.maxTurns,
+    maxTurns: runMaxTurns,
+    countToolUseTurns: false,
+    maxToolUseRounds: relaxedToolUseRoundLimit(runMaxTurns),
     yes: flags.yes,
     dryRun: flags.dryRun,
     streaming: flags.streaming ?? config.streaming.enabled,
@@ -31921,7 +33451,7 @@ Flags:
   --agent <name>       general, build, plan, execute, or a configured custom agent
   --provider <name>    openai, anthropic, gemini, groq, azure, lmstudio, ollama-local, ollama-cloud, llamacpp, vllm, codex, claudecode
   --model <name>       override configured model
-  --max-turns <n>      maximum model/tool loop turns
+  --max-turns <n>      maximum high-level task turns; tool-use rounds use a separate safety limit
   --cwd <path>         workspace directory
   --yes, -y            auto-allow ask permissions; hard deny and hook block still apply
   --dry-run            stop before write_file, edit_file, and bash execution