demian-cli 1.2.0 → 1.2.1

package/dist/index.mjs

@@ -13,6 +13,9 @@ function normalizeAgent(input2) {
     defaultDecision: definition.defaultDecision ?? definition.authority?.defaultDecision,
     mode: definition.mode,
     hidden: definition.hidden,
+    defaultProviders: definition.defaultProviders,
+    permissionIntent: definition.permissionIntent,
+    runtimeOverlays: definition.runtimeOverlays,
     provider: definition.provider,
     delegation: definition.delegation,
     catalog: definition.catalog,
@@ -38,7 +41,7 @@ function isCoworkableAgent(agent) {
   if (agent.hidden) return false;
   const mode = agent.mode ?? "primary";
   if (mode !== "subagent" && mode !== "all") return false;
-  return agent.delegation?.coworkable ?? agent.delegation?.callable ?? false;
+  return agent.delegation?.coworkable === true;
 }
 
 // src/agents/build.ts
@@ -46,10 +49,12 @@ var buildAgent = {
   name: "build",
   description: "General coding agent for scoped implementation work.",
   mode: "all",
-  tools: ["read_file", "write_file", "edit_file", "bash", "grep", "glob", "web_search"],
+  tools: ["read_file", "write_file", "edit_file", "bash", "grep", "glob", "web_search", "update_plan", "report_progress"],
   systemPrompt: [
     "You are demian build, a local coding agent.",
     "Use tools to inspect and modify the workspace. Keep changes scoped to the user's request.",
+    "Before tool-heavy implementation work, use update_plan and report_progress so the user can see what you are about to verify or change and why it matters.",
+    "During longer work, report meaningful milestones in conversational sentences. Explain the purpose, what the evidence or result means, and what you will do next instead of listing raw tool names or command output.",
     "Match the user's language for all user-facing text, including progress-style narration and final results. If the user writes in Korean, write user-facing text in Korean while keeping code identifiers, paths, commands, and tool names unchanged.",
     "Use web_search when current external information is needed.",
     "Tool names are fixed by the runtime. In multi-agent mode, delegate_agent may also be available for bounded specialist work.",
@@ -60,6 +65,8 @@ var buildAgent = {
     { tool: "read_file", decision: "allow" },
     { tool: "grep", decision: "allow" },
     { tool: "glob", decision: "allow" },
+    { tool: "update_plan", decision: "allow" },
+    { tool: "report_progress", decision: "allow" },
     { tool: "web_search", decision: "ask" },
     { tool: "write_file", decision: "ask" },
     { tool: "edit_file", decision: "ask" },
@@ -105,6 +112,7 @@ var claudeCodeAgent = {
     { tool: "claudecode.Read", decision: "allow" },
     { tool: "claudecode.Grep", decision: "allow" },
     { tool: "claudecode.Glob", decision: "allow" },
+    { tool: "claudecode.LS", decision: "allow" },
     { tool: "claudecode.Edit", decision: "ask" },
     { tool: "claudecode.Write", decision: "ask" },
     { tool: "claudecode.MultiEdit", decision: "ask" },
@@ -133,144 +141,186 @@ var claudeCodeAgent = {
     ]
   }
 };
-var claudeCodeExplorerAgent = {
-  name: "claudecode-explorer",
-  description: "Claude Code external read-only explorer for cowork repository inspection.",
-  mode: "subagent",
-  provider: { profile: "claudecode", permissionProfile: "explore" },
-  tools: [],
-  systemPrompt: [
-    "You are demian claudecode-explorer, a Claude Code external runtime working as a read-only cowork sub agent for Demian.",
-    "Demian is the main coordinator. Inspect the repository only within the delegated task and return concise findings.",
-    "Never edit files, write files, run shell commands, or request write permissions. If the task requires mutation, return a blocker for Demian."
-  ].join("\n"),
-  permissions: [
-    { tool: "claudecode.Read", decision: "allow" },
-    { tool: "claudecode.Grep", decision: "allow" },
-    { tool: "claudecode.Glob", decision: "allow" },
-    { tool: "claudecode.Edit", decision: "deny", reason: "read-only explorer" },
-    { tool: "claudecode.Write", decision: "deny", reason: "read-only explorer" },
-    { tool: "claudecode.MultiEdit", decision: "deny", reason: "read-only explorer" },
-    { tool: "claudecode.Bash", decision: "deny", reason: "read-only explorer" }
+
+// src/agents/cowork.ts
+var readPermissions = [
+  { tool: "read_file", decision: "allow" },
+  { tool: "grep", decision: "allow" },
+  { tool: "glob", decision: "allow" },
+  { tool: "update_plan", decision: "allow" },
+  { tool: "report_progress", decision: "allow" }
+];
+var readProgressTools = ["read_file", "grep", "glob", "update_plan", "report_progress"];
+var writePermissions = [
+  ...readPermissions,
+  { tool: "edit_file", decision: "ask" },
+  { tool: "write_file", decision: "ask" },
+  { tool: "bash", decision: "ask" },
+  { tool: "*", match: { pathGlob: "**/.env" }, decision: "deny", reason: "secrets" },
+  { tool: "*", match: { pathGlob: "**/.env.*" }, decision: "deny", reason: "secrets" },
+  { tool: "*", match: { pathGlob: "node_modules/**" }, decision: "deny", reason: "vendored" }
+];
+var plannerAgent = coworkAgent({
+  name: "planner",
+  description: "Provider-agnostic planner for decomposing ambiguous or multi-step engineering work.",
+  defaultProviders: ["codex", "anthropic", "openai"],
+  permissionIntent: "manage",
+  category: "planner",
+  cost: "standard",
+  tools: readProgressTools,
+  permissions: readPermissions,
+  defaultDecision: "deny",
+  prompt: [
+    "You are demian planner, a planning cowork sub agent for Demian.",
+    "Inspect the delegated scope read-only and return an implementation plan, sequencing, risks, and verification strategy.",
+    "Use update_plan and report_progress to keep Demian's visible progress current when the investigation takes multiple tool calls. Report the planning question you are narrowing, what the evidence implies, and what you will inspect next. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "Do not edit files. Do not ask the user directly; return blockers or questions for the parent Demian coordinator."
   ],
+  useWhen: ["A parallel planning perspective may clarify scope, sequencing, risks, or verification."],
+  avoidWhen: ["The work is already clear and a bounded writer can proceed."]
+});
+var architectAgent = coworkAgent({
+  name: "architect",
+  description: "Provider-agnostic architect for structure, design, and long-term maintainability decisions.",
+  defaultProviders: ["codex", "anthropic"],
+  permissionIntent: "manage",
+  category: "planner",
+  cost: "standard",
+  tools: readProgressTools,
+  permissions: readPermissions,
   defaultDecision: "deny",
-  delegation: {
-    callable: true,
-    coworkable: true,
-    canDelegate: false,
-    canCowork: false,
-    invocationDecision: "allow"
-  },
-  catalog: {
-    category: "researcher",
-    cost: "standard",
-    useWhen: ["A cowork group needs Claude Code's repository navigation for read-only exploration."],
-    avoidWhen: ["The task requires editing, shell commands, or direct user conversation."]
-  }
-};
-var claudeCodeBuilderAgent = {
-  name: "claudecode-builder",
-  description: "Claude Code-backed builder for bounded cowork implementation tasks.",
-  mode: "subagent",
-  provider: { profile: "claudecode", permissionProfile: "build" },
-  tools: [],
-  systemPrompt: [
-    "You are demian claudecode-builder, a Claude Code external runtime working as a writer cowork sub agent for Demian.",
-    "Demian is the main coordinator. Implement only the delegated task and only inside the provided writeScope.",
-    "If you need broader scope, credentials, user approval, or product decisions, stop and return a concise blocker for Demian.",
-    "Return changed files, verification performed, patch summary, and remaining blockers. Do not present yourself as the primary assistant."
-  ].join("\n"),
-  permissions: [
-    { tool: "claudecode.Read", decision: "allow" },
-    { tool: "claudecode.Grep", decision: "allow" },
-    { tool: "claudecode.Glob", decision: "allow" },
-    { tool: "claudecode.Edit", decision: "ask" },
-    { tool: "claudecode.Write", decision: "ask" },
-    { tool: "claudecode.MultiEdit", decision: "ask" },
-    { tool: "claudecode.Bash", decision: "ask" },
-    { tool: "claudecode.*", match: { pathGlob: "**/.env" }, decision: "deny", reason: "secrets" },
-    { tool: "claudecode.*", match: { pathGlob: "**/.env.*" }, decision: "deny", reason: "secrets" },
-    { tool: "claudecode.*", match: { pathGlob: "node_modules/**" }, decision: "deny", reason: "vendored" }
+  prompt: [
+    "You are demian architect, a design cowork sub agent for Demian.",
+    "Inspect the repository and proposed work read-only. Focus on architecture, interfaces, coupling, migration risk, and maintainability.",
+    "Use update_plan and report_progress to summarize what design question you are answering, what the evidence means for the architecture, and what you will inspect next. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "Return concrete design recommendations and risks for the parent Demian coordinator."
+  ],
+  useWhen: ["A change needs architectural judgment, interface design, or cross-module risk assessment."],
+  avoidWhen: ["The task is a small mechanical edit."]
+});
+var supervisorAgent = coworkAgent({
+  name: "supervisor",
+  description: "Provider-agnostic supervisory reviewer for overall risk, integration quality, and final review.",
+  defaultProviders: ["codex", "anthropic"],
+  permissionIntent: "review",
+  category: "reviewer",
+  cost: "standard",
+  tools: readProgressTools,
+  permissions: readPermissions,
+  defaultDecision: "deny",
+  prompt: [
+    "You are demian supervisor, a skeptical supervisory cowork sub agent for Demian.",
+    "Review plans, diffs, integration risks, missing tests, and final readiness. Do not edit files.",
+    "Use update_plan and report_progress to expose review progress when the review requires several reads. Include the review focus, the risk you are checking, and the next evidence you will seek. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "Return concise findings with severity, file references when useful, and a clear recommendation."
+  ],
+  useWhen: ["A second model should review a design, implementation plan, diff, or test strategy before Demian answers."],
+  avoidWhen: ["The task needs direct workspace edits from this member."]
+});
+var researcherAgent = coworkAgent({
+  name: "researcher",
+  description: "Provider-agnostic researcher for repo inspection, external research, and evidence gathering.",
+  defaultProviders: ["codex", "claudecode", "anthropic"],
+  permissionIntent: "read-only",
+  category: "researcher",
+  cost: "standard",
+  tools: [...readProgressTools, "web_search"],
+  permissions: [...readPermissions, { tool: "web_search", decision: "ask" }],
+  defaultDecision: "deny",
+  prompt: [
+    "You are demian researcher, a read-only cowork sub agent for Demian.",
+    "Gather evidence from the repository and, when needed, current external sources. Do not edit files.",
+    "Use update_plan and report_progress to report the evidence gathered at meaningful milestones. Include what the evidence suggests and where you will look next, without dumping raw tool names, command output, or file previews unless a specific identifier is essential.",
+    "Return findings with enough context for the parent Demian coordinator to act."
   ],
+  useWhen: ["The task needs repository exploration, usage tracing, documentation lookup, or evidence gathering."],
+  avoidWhen: ["The task is already scoped for implementation."]
+});
+var builderAgent = coworkAgent({
+  name: "builder",
+  description: "Provider-agnostic builder for bounded implementation and module-level development.",
+  defaultProviders: ["claudecode", "anthropic", "openai"],
+  permissionIntent: "write",
+  category: "builder",
+  cost: "expensive",
+  tools: [...readProgressTools, "edit_file", "write_file", "bash"],
+  permissions: writePermissions,
   defaultDecision: "ask",
-  delegation: {
-    callable: true,
-    coworkable: true,
-    canDelegate: false,
-    canCowork: false,
-    invocationDecision: "ask"
-  },
-  catalog: {
-    category: "builder",
-    cost: "expensive",
-    useWhen: ["Claude Code's local coding-agent runtime should implement a bounded writeScope while Demian coordinates review."],
-    avoidWhen: ["The task is read-only, exploratory, or can be handled by a normal Demian tool call."]
-  }
-};
-
-// src/agents/cowork.ts
-var codexReviewerAgent = {
-  name: "codex-reviewer",
-  description: "Codex-backed reviewer for architecture, risk, and patch review.",
-  mode: "subagent",
-  provider: { profile: "codex" },
-  tools: ["read_file", "grep", "glob"],
-  systemPrompt: [
-    "You are demian codex-reviewer, a skeptical reviewer working as a cowork sub agent for Demian.",
-    "Inspect the delegated context, plans, diffs, risks, and missing tests. Do not edit files.",
-    "Return concise findings with severity, file references when useful, and a clear recommendation for the parent Demian coordinator."
-  ].join("\n"),
-  permissions: [
-    { tool: "read_file", decision: "allow" },
-    { tool: "grep", decision: "allow" },
-    { tool: "glob", decision: "allow" }
+  prompt: [
+    "You are demian builder, a bounded implementation cowork sub agent for Demian.",
+    "Implement only the delegated task and only inside the provided writeScope.",
+    "Use update_plan and report_progress before writes and after meaningful implementation or verification milestones. Say what you are changing, why it is the next safe step, and how you will verify it. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "If you need broader scope, credentials, user approval, or product decisions, stop and return a concise blocker for Demian.",
+    "Return changed files, verification performed, patch summary, and remaining blockers."
   ],
+  useWhen: ["A bounded writeScope should be implemented while Demian coordinates review."],
+  avoidWhen: ["The task is read-only, exploratory, or can be handled by a normal Demian tool call."]
+});
+var reviewerAgent = coworkAgent({
+  name: "reviewer",
+  description: "Provider-agnostic detailed reviewer for diff-level code review.",
+  defaultProviders: ["claudecode", "anthropic", "codex"],
+  permissionIntent: "review",
+  category: "reviewer",
+  cost: "standard",
+  tools: readProgressTools,
+  permissions: readPermissions,
   defaultDecision: "deny",
-  delegation: {
-    callable: true,
-    coworkable: true,
-    canDelegate: false,
-    canCowork: false,
-    invocationDecision: "allow"
-  },
-  catalog: {
-    category: "reviewer",
-    cost: "standard",
-    useWhen: ["A second model should review a design, implementation plan, diff, or test strategy before Demian answers."],
-    avoidWhen: ["The task needs direct workspace edits from this member."]
-  }
-};
-var codexPlannerAgent = {
-  name: "codex-planner",
-  description: "Codex-backed planner for decomposing ambiguous or multi-step engineering work.",
-  mode: "subagent",
-  provider: { profile: "codex" },
-  tools: ["read_file", "grep", "glob"],
-  systemPrompt: [
-    "You are demian codex-planner, a planning cowork sub agent for Demian.",
-    "Inspect the delegated scope read-only and return an implementation plan, sequencing, risks, and verification strategy.",
-    "Do not edit files. Do not ask the user directly; return blockers or questions for the parent Demian coordinator."
-  ].join("\n"),
-  permissions: [
-    { tool: "read_file", decision: "allow" },
-    { tool: "grep", decision: "allow" },
-    { tool: "glob", decision: "allow" }
+  prompt: [
+    "You are demian reviewer, a detailed code-review cowork sub agent for Demian.",
+    "Inspect the delegated context read-only. Focus on correctness, edge cases, tests, consistency, and maintainability.",
+    "Use update_plan and report_progress to keep longer review passes observable. Mention the finding area, current confidence, and the next evidence you will inspect. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "Return findings first, ordered by severity, with file references when useful."
   ],
+  useWhen: ["A diff or focused implementation needs detailed code review."],
+  avoidWhen: ["The task needs broad architecture or direct editing."]
+});
+var specialistAgent = coworkAgent({
+  name: "specialist",
+  description: "Provider-agnostic specialist for focused domain, module, or technology expertise.",
+  defaultProviders: ["claudecode", "anthropic"],
+  permissionIntent: "read-only",
+  category: "researcher",
+  cost: "standard",
+  tools: readProgressTools,
+  permissions: readPermissions,
   defaultDecision: "deny",
-  delegation: {
-    callable: true,
-    coworkable: true,
-    canDelegate: false,
-    canCowork: false,
-    invocationDecision: "allow"
-  },
-  catalog: {
-    category: "planner",
-    cost: "standard",
-    useWhen: ["A parallel planning perspective may clarify scope, sequencing, risks, or verification."],
-    avoidWhen: ["The work is already clear and a bounded writer can proceed."]
-  }
-};
+  prompt: [
+    "You are demian specialist, a focused domain cowork sub agent for Demian.",
+    "Inspect the requested module, technology, or domain read-only unless explicitly assigned write mode with a narrow writeScope.",
+    "Use update_plan and report_progress for multi-step investigation so Demian can show the user what is happening. Explain the domain angle you are checking, what the evidence means, and what you will narrow down next. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
+    "Return precise, specialist-level findings and recommendations."
+  ],
+  useWhen: ["A specific module, library, language, or subsystem needs focused expert analysis."],
+  avoidWhen: ["The task is broad coordination or final synthesis."]
+});
+var coworkAgents = [plannerAgent, architectAgent, supervisorAgent, researcherAgent, builderAgent, reviewerAgent, specialistAgent];
+function coworkAgent(options) {
+  return {
+    name: options.name,
+    description: options.description,
+    mode: "subagent",
+    tools: options.tools,
+    permissions: options.permissions,
+    defaultDecision: options.defaultDecision,
+    defaultProviders: options.defaultProviders,
+    permissionIntent: options.permissionIntent,
+    systemPrompt: options.prompt.join("\n"),
+    delegation: {
+      callable: true,
+      coworkable: true,
+      canDelegate: false,
+      canCowork: false,
+      invocationDecision: options.permissionIntent === "write" ? "ask" : "allow"
+    },
+    catalog: {
+      category: options.category,
+      cost: options.cost,
+      useWhen: options.useWhen,
+      avoidWhen: options.avoidWhen
+    }
+  };
+}
 
 // src/agents/execute.ts
 var executeAgent = {
@@ -282,8 +332,8 @@ var executeAgent = {
     "You are demian execute, a bounded implementation agent.",
     "You receive one task from a coordinator. Treat that task scope as a hard boundary.",
     "Read the relevant files before changing them. Do not refactor unrelated code.",
-    "Before changing files, use update_plan to mark your assigned step in_progress and report_progress to say what you are starting.",
-    "Use report_progress for meaningful milestones during longer work.",
+    "Before changing files, use update_plan to mark your assigned step in_progress and report_progress to say what you are starting, why that step matters, and what you will do next.",
+    "Use report_progress for meaningful milestones during longer work. Write conversational updates that explain the purpose and implication of the work, not a raw list of tools, command output, or file previews.",
     "Keep the visible work plan in sync with update_plan when you start, finish, block, skip, or fail your assigned step.",
     "Match the user's language for all user-facing text: update_plan titles, summaries, step titles/details, report_progress messages, and final results. If the user writes in Korean, write those user-facing fields in Korean while keeping code identifiers, paths, commands, and tool names unchanged.",
     "When finished, return changed files, verification results, and any remaining issues.",
@@ -333,9 +383,10 @@ var generalAgent = {
     "For non-trivial work, first think through the request and inspect enough context to avoid a shallow plan. Then call update_plan before writes, shell commands, or execute delegation.",
     "Use update_plan.title as the user's main goal, update_plan.summary for the current strategy, and short stable step ids for the sub-goals. Keep exactly one step in_progress while executing.",
     "Match the user's language for all user-facing text: update_plan titles, summaries, step titles/details, report_progress messages, narration, and final answers. If the user writes in Korean, write those user-facing fields in Korean while keeping code identifiers, paths, commands, and tool names unchanged.",
+    "For any tool-using work, keep the user oriented before and during the work. Use report_progress with conversational sentences that say what question you are trying to answer, what the latest evidence means, and what you will do next. Do not list raw tool names, command output, or file previews unless the identifier itself is important to the user's decision. This applies to ordinary single-agent work as well as cowork/delegation.",
     "Use the read-only plan agent for ambiguous, risky, or cross-file design work. Use the execute agent for bounded implementation tasks from the plan. Small obvious edits can be done directly.",
     "When the user asks to use Claude Code, keep Demian as the main coordinator and delegate bounded work to the claudecode sub agent when it is available.",
-    "Keep the plan synchronized as steps move from pending to in_progress to completed, blocked, skipped, or failed. Use report_progress when switching phases or finishing meaningful milestones.",
+    "Keep the plan synchronized as steps move from pending to in_progress to completed, blocked, skipped, failed, or cancelled. Use report_progress when starting a phase, switching phases, learning something important, or finishing meaningful milestones.",
     "Use web_search when current external information is needed.",
     "Keep changes scoped, preserve user work, and explain the outcome clearly.",
     "Tool names are fixed by the runtime. In multi-agent mode, delegate_agent may also be available for bounded specialist work.",
@@ -382,7 +433,7 @@ var planAgent = {
     "Use update_plan to materialize the visible work plan: title is the main goal, summary is the strategy, and steps are concrete sub-goals with short stable ids.",
     "Match the user's language for all user-facing text: update_plan titles, summaries, step titles/details, report_progress messages, and the final planning response. If the user writes in Korean, write those user-facing fields in Korean while keeping code identifiers, paths, commands, and tool names unchanged.",
     "A planning-only run can leave all steps pending. If you are actively investigating one step, mark only that step in_progress.",
-    "Use report_progress for major planning milestones, not for every read.",
+    "Use report_progress for major planning milestones, not for every read. Make each update conversational: what question you investigated, what that suggests, and what you will check next. Avoid raw tool names, command output, and file previews unless a specific identifier is essential.",
     "Suggest bounded tasks that can be delegated to execute."
   ].join("\n"),
   permissions: [
@@ -410,7 +461,7 @@ var planAgent = {
 var AgentRegistry = class {
   #agents = /* @__PURE__ */ new Map();
   #builtinNames = /* @__PURE__ */ new Set();
-  constructor(agents = [generalAgent, buildAgent, planAgent, executeAgent, claudeCodeAgent, claudeCodeExplorerAgent, claudeCodeBuilderAgent, codexReviewerAgent, codexPlannerAgent]) {
+  constructor(agents = [generalAgent, buildAgent, planAgent, executeAgent, claudeCodeAgent, ...coworkAgents]) {
     for (const agent of agents) {
       const normalized = normalizeAgent(agent);
       this.#builtinNames.add(normalized.name);
@@ -464,7 +515,14 @@ var AgentRegistry = class {
   }
 };
 function buildSystemPrompt(agent, envInfo) {
-  return [agent.systemPrompt, envInfo, "When a tool result reports an error, adjust your next step instead of repeating the same call."].filter(Boolean).join("\n\n");
+  return [
+    agent.systemPrompt,
+    envInfo,
+    "Keep the user oriented for every non-trivial task, including /goal, cowork, delegated work, and ordinary single-agent work. Before the first tool-heavy action, briefly say what you are about to understand, verify, or change and why that is the right next step. For multi-step work, create or update the visible plan before substantial tool work and keep it synchronized as steps start, finish, skip, block, fail, or get cancelled.",
+    "When you use report_progress, write it like a brief teammate update: what you are checking or changing, what you have learned so far, why that matters, and what you will do next. Keep it conversational. Do not dump raw tool names, command output, file previews, or status fields unless a specific identifier is essential for the user to understand the decision.",
+    "When a task is long-running, report progress at meaningful phase changes and after important evidence. Prefer the purpose and implication of the work over mechanical execution details; the UI already exposes raw tool activity separately.",
+    "When a tool result reports an error, adjust your next step instead of repeating the same call."
+  ].filter(Boolean).join("\n\n");
 }
 function validateAgentName(name) {
   if (!/^[a-zA-Z][a-zA-Z0-9_-]*$/.test(name)) {
@@ -477,7 +535,113 @@ import { readFile as readFile6 } from "node:fs/promises";
 import crypto4 from "node:crypto";
 import fs7 from "node:fs";
 import os7 from "node:os";
-import path13 from "node:path";
+import path14 from "node:path";
+
+// src/util.ts
+function stableStringify(value) {
+  return JSON.stringify(sortValue(value));
+}
+function sortValue(value) {
+  if (Array.isArray(value)) return value.map(sortValue);
+  if (!value || typeof value !== "object") return value;
+  const object2 = value;
+  const out = {};
+  for (const key of Object.keys(object2).sort()) out[key] = sortValue(object2[key]);
+  return out;
+}
+function createSessionId() {
+  return `ses_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function createRootSessionId() {
+  return `root_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function createAgentSessionId() {
+  return `as_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function createInvocationId() {
+  return `inv_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function preview(value, max = 500) {
+  if (value.length <= max) return value;
+  return `${value.slice(0, max)}...`;
+}
+function errorMessage(error) {
+  if (!(error instanceof Error)) return String(error);
+  const primary = error.message || error.name || "Error";
+  const cause = errorCauseSummary(error);
+  const hint = networkFailureHint(`${primary}${cause ? ` ${cause}` : ""}`);
+  const details = [cause, hint].filter(Boolean);
+  return details.length ? `${primary} (${details.join("; ")})` : primary;
+}
+function errorCauseSummary(error) {
+  const cause = error.cause;
+  const detail = causeDetail(cause, /* @__PURE__ */ new Set());
+  return detail ? `cause: ${detail}` : void 0;
+}
+function causeDetail(cause, seen) {
+  if (cause === void 0 || cause === null) return void 0;
+  if (seen.has(cause)) return void 0;
+  if (typeof cause === "object" || typeof cause === "function") seen.add(cause);
+  if (cause instanceof AggregateError) {
+    const details = cause.errors.map((item) => causeDetail(item, seen)).filter((item) => Boolean(item)).slice(0, 3);
+    return details.length ? details.join("; ") : cleanMessage(cause.message);
+  }
+  if (cause instanceof Error) {
+    const message = cleanMessage(cause.message);
+    const fields = errorFields(cause);
+    const nested = causeDetail(cause.cause, seen);
+    return [message, fields, nested ? `cause: ${nested}` : void 0].filter(Boolean).join("; ");
+  }
+  if (typeof cause === "object") {
+    const fields = errorFields(cause);
+    return fields || cleanMessage(safeStringify(cause));
+  }
+  return cleanMessage(String(cause));
+}
+function errorFields(value) {
+  if (!value || typeof value !== "object") return void 0;
+  const object2 = value;
+  const parts = [];
+  for (const key of ["code", "errno", "syscall"]) {
+    const field = object2[key];
+    if (typeof field === "string" || typeof field === "number") parts.push(`${key}=${field}`);
+  }
+  const host = stringField(object2, "hostname") ?? stringField(object2, "host") ?? stringField(object2, "address");
+  const port = stringField(object2, "port");
+  if (host) parts.push(`target=${host}${port ? `:${port}` : ""}`);
+  return unique(parts).join(", ");
+}
+function networkFailureHint(text) {
+  const lower = text.toLowerCase();
+  if (!/\b(fetch failed|econnreset|econnrefused|etimedout|enotfound|eai_again|und_err_connect_timeout|network|socket|certificate|cert_|unable_to_verify|self_signed)\b/i.test(text)) return void 0;
+  if (lower.includes("enotfound") || lower.includes("eai_again")) return "DNS lookup failed; check the provider baseURL, network, VPN, or proxy settings.";
+  if (lower.includes("etimedout") || lower.includes("und_err_connect_timeout") || lower.includes("timeout")) return "Connection timed out before the provider returned a response; check network reachability, VPN/proxy, or the provider status.";
+  if (lower.includes("econnrefused")) return "Connection was refused; check the provider endpoint host/port and whether the service is running.";
+  if (lower.includes("econnreset") || lower.includes("socket")) return "Connection was reset while contacting the provider; retry, or check VPN/proxy/provider stability.";
+  if (lower.includes("certificate") || lower.includes("cert_") || lower.includes("unable_to_verify") || lower.includes("self_signed")) return "TLS certificate validation failed; check corporate proxy or custom CA configuration.";
+  if (lower.includes("fetch failed")) return "Network request failed before an HTTP response was received; check network, proxy, DNS, and provider endpoint settings.";
+  return void 0;
+}
+function cleanMessage(value) {
+  const text = value?.replace(/\s+/g, " ").trim();
+  return text || void 0;
+}
+function stringField(object2, key) {
+  const value = object2[key];
+  if (typeof value === "string" && value.trim()) return value.trim();
+  if (typeof value === "number" && Number.isFinite(value)) return String(value);
+  return void 0;
+}
+function unique(values) {
+  return [...new Set(values)];
+}
+function safeStringify(value) {
+  try {
+    return JSON.stringify(value);
+  } catch {
+    return void 0;
+  }
+}
 
 // src/providers/retry.ts
 var RETRY_STATUS = /* @__PURE__ */ new Set([408, 409, 425, 429, 500, 502, 503, 504]);
@@ -528,8 +692,7 @@ function retryDelay(error, attempt) {
 }
 function retryReason(error) {
   if (error instanceof ProviderHttpError) return `HTTP ${error.status}`;
-  if (error instanceof Error) return error.message;
-  return String(error);
+  return errorMessage(error);
 }
 function sleep(ms2, signal) {
   return new Promise((resolve, reject) => {
@@ -3183,7 +3346,8 @@ function buildClaudeCliArgs(config, req, flags, resumeSessionId) {
   const args = ["-p", "--output-format", config.outputFormat ?? "stream-json", "--input-format", config.inputFormat ?? "text", "--verbose"];
   if (flags.includePartialMessages) args.push("--include-partial-messages");
   if (req.model) args.push("--model", req.model);
-  if (config.maxTurns !== void 0 && flags.maxTurns) args.push("--max-turns", String(config.maxTurns));
+  const maxTurns = req.maxTurns === null ? void 0 : req.maxTurns ?? config.maxTurns;
+  if (maxTurns !== void 0 && flags.maxTurns) args.push("--max-turns", String(maxTurns));
   if (config.permissionMode && flags.permissionMode) args.push("--permission-mode", config.permissionMode);
   if (config.maxBudgetUsd !== void 0 && flags.maxBudgetUsd) args.push("--max-budget-usd", String(config.maxBudgetUsd));
   if (resumeSessionId) args.push("--resume", resumeSessionId);
@@ -22703,44 +22867,10 @@ function now() {
 }
 
 // src/permissions/engine.ts
-import path11 from "node:path";
+import path12 from "node:path";
 
 // src/permissions/grants.ts
 import path9 from "node:path";
-
-// src/util.ts
-function stableStringify(value) {
-  return JSON.stringify(sortValue(value));
-}
-function sortValue(value) {
-  if (Array.isArray(value)) return value.map(sortValue);
-  if (!value || typeof value !== "object") return value;
-  const object2 = value;
-  const out = {};
-  for (const key of Object.keys(object2).sort()) out[key] = sortValue(object2[key]);
-  return out;
-}
-function createSessionId() {
-  return `ses_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
-}
-function createRootSessionId() {
-  return `root_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
-}
-function createAgentSessionId() {
-  return `as_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
-}
-function createInvocationId() {
-  return `inv_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
-}
-function preview(value, max = 500) {
-  if (value.length <= max) return value;
-  return `${value.slice(0, max)}...`;
-}
-function errorMessage(error) {
-  return error instanceof Error ? error.message : String(error);
-}
-
-// src/permissions/grants.ts
 var SessionGrants = class {
   #keys = /* @__PURE__ */ new Set();
   has(key) {
@@ -22755,6 +22885,9 @@ var SessionGrants = class {
 };
 function grantKeyFor(tool, input2, cwd) {
   const object2 = input2 && typeof input2 === "object" && !Array.isArray(input2) ? input2 : {};
+  if (CLAUDE_CODE_WORKSPACE_READ_GRANTS.has(tool)) {
+    return `${tool}:workspace-read`;
+  }
   if (tool === "bash") {
     const command = typeof object2.command === "string" ? object2.command : "";
     return `bash:${firstCommandTokens(command, 2).join(" ")}`;
@@ -22766,6 +22899,7 @@ function grantKeyFor(tool, input2, cwd) {
   }
   return `${tool}:${stableStringify(input2)}`;
 }
+var CLAUDE_CODE_WORKSPACE_READ_GRANTS = /* @__PURE__ */ new Set(["claudecode.Read", "claudecode.Grep", "claudecode.Glob", "claudecode.LS"]);
 function grantKeyForAgentInvocation(agentName, providerProfile) {
   return `agent:${agentName}:${providerProfile}`;
 }
@@ -22788,31 +22922,151 @@ function firstCommandTokens(command, count) {
   return tokens;
 }
 
-// src/workspace/paths.ts
+// src/permissions/shell-safety.ts
 import path10 from "node:path";
+function isClearlyReadOnlyShellCommand(command) {
+  const tokens = splitSimpleShellWords(command);
+  if (!tokens?.length) return false;
+  if (tokens.some(isUnsafePathToken)) return false;
+  const executable = path10.basename(tokens[0] ?? "");
+  if (SIMPLE_READ_ONLY_COMMANDS.has(executable)) return true;
+  if (executable === "find") return isReadOnlyFind(tokens);
+  if (executable === "git") return isReadOnlyGit(tokens);
+  return false;
+}
+function isPotentiallyReadOnlyShellCommand(command) {
+  const tokens = splitSimpleShellWords(command);
+  if (!tokens?.length) return false;
+  if (tokens.some(isUnsafePathToken)) return false;
+  const executable = path10.basename(tokens[0] ?? "");
+  if (isClearlyReadOnlyShellCommand(command)) return true;
+  if (POTENTIAL_AGENT_JUDGED_COMMANDS.has(executable)) return !hasKnownMutatingToken(executable, tokens);
+  return false;
+}
+function splitSimpleShellWords(command) {
+  if (!command.trim() || /[\r\n]/.test(command)) return void 0;
+  const words = [];
+  let current = "";
+  let quote;
+  for (let index = 0; index < command.length; index++) {
+    const char = command[index];
+    if (quote) {
+      if (char === quote) {
+        quote = void 0;
+        continue;
+      }
+      if (quote === '"' && (char === "$" || char === "`")) return void 0;
+      if (char === "\\" && quote === '"' && index + 1 < command.length) {
+        current += command[++index];
+        continue;
+      }
+      current += char;
+      continue;
+    }
+    if (/\s/.test(char)) {
+      if (current) {
+        words.push(current);
+        current = "";
+      }
+      continue;
+    }
+    if (char === "'" || char === '"') {
+      quote = char;
+      continue;
+    }
+    if (SHELL_CONTROL_CHARS.has(char)) return void 0;
+    if (char === "\\" && index + 1 < command.length) {
+      current += command[++index];
+      continue;
+    }
+    current += char;
+  }
+  if (quote) return void 0;
+  if (current) words.push(current);
+  return words;
+}
+function isUnsafePathToken(token) {
+  if (token === "." || token === "-") return false;
+  if (token === "~" || token.startsWith("~/") || token.startsWith("/")) return true;
+  if (token === ".." || token.startsWith("../") || token.includes("/../")) return true;
+  const assignmentValue = token.match(/^[A-Za-z_][A-Za-z0-9_-]*=(.+)$/)?.[1];
+  if (assignmentValue) return isUnsafePathToken(assignmentValue);
+  const optionValue = token.match(/^--?[A-Za-z0-9][A-Za-z0-9_-]*=(.+)$/)?.[1];
+  return optionValue ? isUnsafePathToken(optionValue) : false;
+}
+function isReadOnlyFind(tokens) {
+  return tokens.slice(1).every((token) => !UNSAFE_FIND_TOKENS.has(token));
+}
+function isReadOnlyGit(tokens) {
+  const parsed = gitSubcommand(tokens);
+  if (!parsed) return false;
+  if (!READ_ONLY_GIT_SUBCOMMANDS.has(parsed.command)) return false;
+  if (parsed.command === "branch") return parsed.args.every((arg) => READ_ONLY_GIT_BRANCH_ARGS.has(arg));
+  if (parsed.command === "remote") return parsed.args.length === 0 || parsed.args.every((arg) => arg === "-v" || arg === "--verbose" || arg === "get-url");
+  if (parsed.command === "config") return parsed.args.some((arg) => READ_ONLY_GIT_CONFIG_ARGS.has(arg));
+  return true;
+}
+function gitSubcommand(tokens) {
+  let index = 1;
+  while (index < tokens.length) {
+    const token = tokens[index];
+    if (token === "--no-pager") {
+      index++;
+      continue;
+    }
+    if (token === "-C") {
+      index += 2;
+      continue;
+    }
+    if (token?.startsWith("-")) return void 0;
+    return { command: token ?? "", args: tokens.slice(index + 1) };
+  }
+  return void 0;
+}
+function hasKnownMutatingToken(executable, tokens) {
+  if (executable === "sed") {
+    return tokens.slice(1).some((token) => token === "-i" || token.startsWith("-i") || /^w(\s|$)/.test(token) || /;\s*w(\s|$)/.test(token));
+  }
+  if (executable === "git") {
+    const parsed = gitSubcommand(tokens);
+    return !parsed || MUTATING_GIT_SUBCOMMANDS.has(parsed.command);
+  }
+  return true;
+}
+var SHELL_CONTROL_CHARS = /* @__PURE__ */ new Set([";", "&", "|", ">", "<", "`", "$", "(", ")"]);
+var SIMPLE_READ_ONLY_COMMANDS = /* @__PURE__ */ new Set(["pwd", "ls", "cat", "head", "tail", "wc", "file", "stat", "du", "tree", "realpath", "basename", "dirname", "rg", "grep", "which", "command", "type", "printf", "echo"]);
+var POTENTIAL_AGENT_JUDGED_COMMANDS = /* @__PURE__ */ new Set(["sed", "git"]);
+var UNSAFE_FIND_TOKENS = /* @__PURE__ */ new Set(["-delete", "-exec", "-execdir", "-ok", "-okdir", "-fls", "-fprint", "-fprintf"]);
+var READ_ONLY_GIT_SUBCOMMANDS = /* @__PURE__ */ new Set(["status", "diff", "log", "show", "ls-files", "grep", "rev-parse", "describe", "blame", "shortlog", "branch", "remote", "config"]);
+var READ_ONLY_GIT_BRANCH_ARGS = /* @__PURE__ */ new Set(["--show-current", "-a", "--all", "-r", "--remotes", "-v", "-vv", "--verbose", "--color", "--no-color"]);
+var READ_ONLY_GIT_CONFIG_ARGS = /* @__PURE__ */ new Set(["--get", "--get-all", "--get-regexp", "--list", "-l"]);
+var MUTATING_GIT_SUBCOMMANDS = /* @__PURE__ */ new Set(["add", "am", "apply", "bisect", "checkout", "cherry-pick", "clean", "clone", "commit", "fetch", "gc", "init", "merge", "mv", "pull", "push", "rebase", "reset", "restore", "revert", "rm", "stash", "switch", "tag", "worktree"]);
+
+// src/workspace/paths.ts
+import path11 from "node:path";
 function normalizePathForMatch(value) {
-  return value.split(path10.sep).join("/");
+  return value.split(path11.sep).join("/");
 }
 function isInsidePath(root, candidate) {
-  const relative = path10.relative(path10.resolve(root), path10.resolve(candidate));
-  return relative === "" || !relative.startsWith("..") && !path10.isAbsolute(relative);
+  const relative = path11.relative(path11.resolve(root), path11.resolve(candidate));
+  return relative === "" || !relative.startsWith("..") && !path11.isAbsolute(relative);
 }
 function resolveInsideCwd(cwd, inputPath) {
   if (typeof inputPath !== "string" || inputPath.length === 0) {
     throw new Error("path must be a non-empty string");
   }
-  const resolved = path10.resolve(cwd, inputPath);
+  const resolved = path11.resolve(cwd, inputPath);
   if (!isInsidePath(cwd, resolved)) {
     throw new Error(`Path is outside the workspace: ${inputPath}`);
   }
   return resolved;
 }
 function relativeToCwd(cwd, absolutePath) {
-  const relative = path10.relative(cwd, absolutePath);
+  const relative = path11.relative(cwd, absolutePath);
   return normalizePathForMatch(relative || ".");
 }
 function isEnvFile(filePath) {
-  const base = path10.basename(filePath);
+  const base = path11.basename(filePath);
   if (base === ".env.example") return false;
   return base === ".env" || base.startsWith(".env.");
 }
@@ -22898,7 +23152,7 @@ var PermissionEngine = class {
     }
     if (this.#defaultDecision === "by-category") {
       return {
-        decision: defaultDecisionByCategory(ref.toolName),
+        decision: defaultDecisionByCategory(ref.toolName, input2),
         grantKey,
         source: "category-default"
       };
@@ -22919,7 +23173,7 @@ var PermissionEngine = class {
   #hardDeny(tool, input2, grantKey) {
     const paths = inputPaths(tool, input2);
     for (const item of paths) {
-      const resolved = path11.resolve(this.#cwd, item);
+      const resolved = path12.resolve(this.#cwd, item);
       if (!isInsidePath(this.#cwd, resolved)) {
         return {
           decision: "deny",
@@ -22973,7 +23227,7 @@ function matchesRule(rule, tool, input2, cwd) {
   if (rule.match.pathGlob) {
     const paths = inputPaths(tool, input2);
     if (paths.length === 0) return false;
-    if (!paths.some((item) => matchesPathRule(rule.match?.pathGlob, relativeToCwd(cwd, path11.resolve(cwd, item))))) {
+    if (!paths.some((item) => matchesPathRule(rule.match?.pathGlob, relativeToCwd(cwd, path12.resolve(cwd, item))))) {
       return false;
     }
   }
@@ -23020,7 +23274,7 @@ function rulePriority(rule, ref) {
 }
 function matchesPathRule(pattern, relativePath) {
   if (!pattern) return true;
-  if (path11.basename(relativePath) === ".env.example" && pattern.includes(".env.*")) return false;
+  if (path12.basename(relativePath) === ".env.example" && pattern.includes(".env.*")) return false;
   return matchGlob(pattern, relativePath);
 }
 function mostSpecificRule(rules, input2, cwd, ref) {
@@ -23050,10 +23304,12 @@ function commandInput(input2) {
   const object2 = input2 && typeof input2 === "object" && !Array.isArray(input2) ? input2 : {};
   return typeof object2.command === "string" ? object2.command : "";
 }
-function defaultDecisionByCategory(toolName) {
-  return READ_ONLY_TOOLS.has(toolName) ? "allow" : "ask";
+function defaultDecisionByCategory(toolName, input2) {
+  if (toolName.toLowerCase() === "bash") return isClearlyReadOnlyShellCommand(commandInput(input2)) ? "allow" : "ask";
+  return READ_ONLY_TOOLS.has(toolName) || ORCHESTRATION_TOOLS.has(toolName) ? "allow" : "ask";
 }
-var READ_ONLY_TOOLS = /* @__PURE__ */ new Set(["Read", "Glob", "Grep", "read_file", "glob", "grep"]);
+var READ_ONLY_TOOLS = /* @__PURE__ */ new Set(["Read", "Glob", "Grep", "LS", "read_file", "glob", "grep"]);
+var ORCHESTRATION_TOOLS = /* @__PURE__ */ new Set(["delegate_agent", "cowork", "update_plan", "report_progress", "get_goal"]);
 
 // src/permissions/prompt.ts
 import readline2 from "node:readline/promises";
@@ -23098,13 +23354,13 @@ function permissionLabel(req) {
   if ((req.tool === "write_file" || req.tool === "edit_file" || req.tool === "read_file") && typeof inputObject.path === "string") {
     return `${req.tool}: ${inputObject.path}`;
   }
-  const path29 = typeof inputObject.path === "string" ? inputObject.path : typeof inputObject.file_path === "string" ? inputObject.file_path : void 0;
-  if (path29) return `${tool}: ${path29}`;
+  const path30 = typeof inputObject.path === "string" ? inputObject.path : typeof inputObject.file_path === "string" ? inputObject.file_path : void 0;
+  if (path30) return `${tool}: ${path30}`;
   return tool;
 }
 
 // src/workspace/write-scope.ts
-import path12 from "node:path";
+import path13 from "node:path";
 var WRITE_TOOLS = /* @__PURE__ */ new Set(["write_file", "edit_file", "Write", "Edit", "MultiEdit", "NotebookEdit"]);
 var WORKSPACE_SCOPE = "**";
 function normalizeWriteScope(cwd, scope) {
@@ -23126,7 +23382,7 @@ function enforceToolWriteScope(input2) {
   if (paths.length === 0) return { ok: true, paths: [] };
   const checked = [];
   for (const target of paths) {
-    const resolved = path12.resolve(input2.cwd, target);
+    const resolved = path13.resolve(input2.cwd, target);
     const relative = relativeToCwd(input2.cwd, resolved);
     checked.push(relative);
     const allowed = isPathAllowedByWriteScope(input2.cwd, target, input2.writeScope);
@@ -23150,7 +23406,7 @@ function outOfScopeDiffFiles(cwd, summary, writeScope) {
   return out;
 }
 function isPathAllowedByWriteScope(cwd, inputPath, writeScope) {
-  const resolved = path12.resolve(cwd, inputPath);
+  const resolved = path13.resolve(cwd, inputPath);
   if (!isInsidePath(cwd, resolved)) {
     return { ok: false, error: "path is outside the workspace", paths: [inputPath] };
   }
@@ -23169,9 +23425,9 @@ function normalizeScopePattern(cwd, raw) {
   if (!value) return { ok: false, error: "writeScope entries must be non-empty." };
   if (value.includes("\0")) return { ok: false, error: "writeScope entries must not contain NUL bytes." };
   const hasGlob2 = /[*?[\]{}]/.test(value);
-  if (path12.isAbsolute(value)) {
+  if (path13.isAbsolute(value)) {
     if (hasGlob2) return { ok: false, error: `writeScope absolute globs are not supported: ${raw}` };
-    const resolved = path12.resolve(value);
+    const resolved = path13.resolve(value);
     if (!isInsidePath(cwd, resolved)) return { ok: false, error: `writeScope path is outside the workspace: ${raw}` };
     value = relativeToCwd(cwd, resolved);
   }
@@ -23246,7 +23502,7 @@ function createClaudeCodeCanUseTool(options) {
       return { behavior: "allow", updatedInput: input2, toolUseID: ctx.toolUseID };
     }
     if (evaluation.decision === "allow") {
-      return { behavior: "allow", updatedInput: input2, toolUseID: ctx.toolUseID };
+      return allowResult(input2, ctx.toolUseID, evaluation.source === "grant" ? "user_permanent" : void 0);
     }
     if (evaluation.decision === "deny") {
       emitPermission(options, {
@@ -23258,15 +23514,7 @@ function createClaudeCodeCanUseTool(options) {
       });
       return { behavior: "deny", message: evaluation.reason ?? `Permission denied for ${qualifiedName}`, toolUseID: ctx.toolUseID };
     }
-    emitPermission(options, {
-      type: "permission.requested",
-      callId: ctx.toolUseID,
-      tool: qualifiedName,
-      decision: "ask",
-      targetName: toolName
-    });
-    const prompt = options.permissionPrompt ?? ((req) => askPermission(req, { yes: options.yes }));
-    const answer = await prompt({
+    const permissionRequest = {
       tool: qualifiedName,
       executor: "claudecode",
       qualifiedName,
@@ -23277,10 +23525,32 @@ function createClaudeCodeCanUseTool(options) {
       proposedDecision: "ask",
       reason: ctx.title ?? ctx.decisionReason ?? evaluation.reason,
       description: ctx.description ?? ctx.displayName
+    };
+    const automatic = await options.autoPermission?.(permissionRequest);
+    if (automatic?.decision === "allow") return allowResult(input2, ctx.toolUseID);
+    if (automatic?.decision === "deny") {
+      emitPermission(options, {
+        type: "permission.denied",
+        callId: ctx.toolUseID,
+        tool: qualifiedName,
+        reason: automatic.reason,
+        targetName: toolName
+      });
+      return { behavior: "deny", message: automatic.reason ?? `Permission denied for ${qualifiedName}`, toolUseID: ctx.toolUseID };
+    }
+    emitPermission(options, {
+      type: "permission.requested",
+      callId: ctx.toolUseID,
+      tool: qualifiedName,
+      decision: "ask",
+      targetName: toolName
     });
+    const prompt = options.permissionPrompt ?? ((req) => askPermission(req, { yes: options.yes }));
+    const answer = await prompt(permissionRequest);
     if (answer.decision === "allow") {
-      if (answer.always) grants.add(evaluation.grantKey);
       if (answer.always) {
+        grants.add(evaluation.grantKey);
+        await options.onAlwaysGrant?.(evaluation.grantKey);
         emitPermission(options, {
           type: "permission.granted",
           callId: ctx.toolUseID,
@@ -23288,7 +23558,10 @@ function createClaudeCodeCanUseTool(options) {
           targetName: toolName
         });
       }
-      return { behavior: "allow", updatedInput: input2, toolUseID: ctx.toolUseID };
+      return {
+        ...allowResult(input2, ctx.toolUseID, answer.always ? "user_permanent" : "user_temporary"),
+        updatedPermissions: answer.always ? ctx.suggestions : void 0
+      };
     }
     emitPermission(options, {
       type: "permission.denied",
@@ -23300,6 +23573,14 @@ function createClaudeCodeCanUseTool(options) {
     return { behavior: "deny", message: answer.reason ?? `Permission denied for ${qualifiedName}`, toolUseID: ctx.toolUseID };
   };
 }
+function allowResult(input2, toolUseID, decisionClassification) {
+  return {
+    behavior: "allow",
+    updatedInput: input2,
+    toolUseID,
+    ...decisionClassification ? { decisionClassification } : {}
+  };
+}
 function isImplicitPlanExit(options, toolName, source) {
   if (options.permissionMode !== "plan" || toolName !== "ExitPlanMode") return false;
   return source === "default" || source === "category-default";
@@ -23429,7 +23710,7 @@ function buildClaudeCodeSdkOptions(config, req, abortController, resumeSessionId
     permissionMode,
     disallowedTools: uniqueDisallowedTools.length ? uniqueDisallowedTools : void 0,
     tools,
-    maxTurns: config.maxTurns,
+    maxTurns: req.maxTurns === null ? void 0 : req.maxTurns ?? config.maxTurns,
     maxBudgetUsd: config.maxBudgetUsd,
     extraArgs: config.useBareMode ? { bare: null } : void 0,
     allowDangerouslySkipPermissions: permissionMode === "bypassPermissions" ? true : void 0,
@@ -23440,7 +23721,10 @@ function buildClaudeCodeSdkOptions(config, req, abortController, resumeSessionId
       permissionMode,
       defaultDecision: config.defaultDecision,
       writeScope: req.writeScope,
+      grants: req.grants,
+      onAlwaysGrant: req.onPermissionGrant,
       permissionPrompt: req.permissionPrompt,
+      autoPermission: req.autoPermission,
       yes: req.yes,
       sessionId: req.sessionId,
       emit: req.emit,
@@ -23489,6 +23773,9 @@ function mapSdkMessage(message) {
   if (message.type === "assistant") {
     return mapAssistantMessage(message);
   }
+  if (message.type === "user") {
+    return mapUserMessage(message);
+  }
   if (message.type === "stream_event") {
     return mapPartialAssistantMessage(message);
   }
@@ -23528,6 +23815,35 @@ function mapAssistantMessage(message) {
   }
   return events;
 }
+function mapUserMessage(message) {
+  const events = [];
+  const content = Array.isArray(message.message.content) ? message.message.content : [];
+  for (const block of content) {
+    if (!block || typeof block !== "object" || block.type !== "tool_result") continue;
+    const callId = typeof block.tool_use_id === "string" ? block.tool_use_id : `tool_result_${events.length + 1}`;
+    events.push({
+      type: "tool.completed",
+      callId,
+      name: "unknown",
+      ok: block.is_error !== true,
+      preview: toolResultPreview(block.content),
+      raw: message
+    });
+  }
+  return events;
+}
+function toolResultPreview(value) {
+  if (typeof value === "string") return value.slice(0, 800);
+  if (Array.isArray(value)) {
+    return value.map((item) => {
+      if (typeof item === "string") return item;
+      if (item && typeof item === "object" && typeof item.text === "string") return String(item.text);
+      return JSON.stringify(item);
+    }).join("\n").slice(0, 800);
+  }
+  if (value === void 0) return "";
+  return JSON.stringify(value).slice(0, 800);
+}
 function mapPartialAssistantMessage(message) {
   const event = message.event;
   if (event.type !== "content_block_delta") return [];
@@ -23548,10 +23864,62 @@ function claudeCodePreviewEnabled(config = {}, env = process.env) {
 }
 
 // src/config.ts
+var COWORK_AGENT_NAMES = ["planner", "architect", "supervisor", "researcher", "builder", "reviewer", "specialist"];
+var COWORK_AGENT_MIGRATIONS = {
+  "codex-planner": { replacement: "planner", note: "planning and coordination work moved to planner" },
+  "codex-reviewer": { replacement: "supervisor", note: "supervisory risk review moved to supervisor" },
+  "claudecode-explorer": { replacement: "researcher", note: "repository exploration moved to researcher; use reviewer for diff-level review" },
+  "claudecode-builder": { replacement: "builder", note: "bounded implementation moved to builder" },
+  claudecode: { replacement: "builder", note: "Claude Code cowork implementation moved to builder" }
+};
 var BUILTIN_PROVIDER_ORDER = ["openai", "anthropic", "gemini", "groq", "azure", "lmstudio", "ollama-local", "ollama-cloud", "llamacpp", "vllm", "codex", "claudecode"];
 var CLAUDE_CODE_SONNET_MODEL = "claude-sonnet-4-6";
 var CLAUDE_CODE_OPUS_MODEL = "claude-opus-4-7";
 var CLAUDE_CODE_MODELS = [CLAUDE_CODE_SONNET_MODEL, CLAUDE_CODE_OPUS_MODEL];
+var DEFAULT_COWORK_AGENT_PROVIDERS = {
+  planner: ["codex", "anthropic", "openai"],
+  architect: ["codex", "anthropic"],
+  supervisor: ["codex", "anthropic"],
+  researcher: ["codex", "claudecode", "anthropic"],
+  builder: ["claudecode", "anthropic", "openai"],
+  reviewer: ["claudecode", "anthropic", "codex"],
+  specialist: ["claudecode", "anthropic"]
+};
+var DEFAULT_COWORK_PERMISSION_OVERLAY = {
+  providerToolNamespaces: {
+    claudecode: "claudecode"
+  },
+  modeMappings: {
+    "read-only": {
+      demianTools: ["read_file", "grep", "glob", "list_dir"],
+      providerTools: {
+        claudecode: ["Read", "Grep", "Glob", "LS"]
+      },
+      defaultDecision: "allow"
+    },
+    review: {
+      demianTools: ["read_file", "grep", "glob", "git_diff"],
+      providerTools: {
+        claudecode: ["Read", "Grep", "Glob", "LS"]
+      },
+      defaultDecision: "allow"
+    },
+    write: {
+      demianTools: ["read_file", "grep", "glob", "edit_file", "write_file", "bash"],
+      providerTools: {
+        claudecode: ["Read", "Grep", "Glob", "LS", "Edit", "MultiEdit", "Write", "Bash"]
+      },
+      defaultDecision: "ask"
+    },
+    manage: {
+      demianTools: ["read_file", "grep", "glob", "task_control", "git_diff"],
+      providerTools: {
+        claudecode: ["Read", "Grep", "Glob", "LS"]
+      },
+      defaultDecision: "ask"
+    }
+  }
+};
 var defaultConfig = {
   agentMode: "single-agent",
   defaultAgent: "general",
@@ -23592,7 +23960,31 @@ var defaultConfig = {
     defaultMergeStrategy: "synthesize",
     defaultInvocationDecision: "ask",
     readOnlyParallelism: true,
-    writerIsolation: "off"
+    writerIsolation: "off",
+    providers: ["codex", "claudecode"],
+    preflight: {
+      mode: "session-start",
+      ttlMs: 10 * 60 * 1e3
+    },
+    fallback: {
+      nonWrite: {
+        onConnectionError: "next-provider",
+        onTokenLimit: "next-provider",
+        onAuthFailure: "skip-provider",
+        onAllProvidersFailed: "fail-member"
+      },
+      write: {
+        onFailure: "repair-from-worktree",
+        maxRepairAttempts: 1,
+        readChangedFilesBeforeRepair: true
+      }
+    },
+    routing: {
+      preset: "codex-manager-claudecode-worker",
+      agentProviders: structuredClone(DEFAULT_COWORK_AGENT_PROVIDERS),
+      agentModelPools: {}
+    },
+    permissionOverlay: structuredClone(DEFAULT_COWORK_PERMISSION_OVERLAY)
   },
   goals: {
     enabled: true,
@@ -23672,8 +24064,13 @@ var defaultConfig = {
       build: "build",
       execute: "build",
       claudecode: "build",
-      "claudecode-builder": "build",
-      "claudecode-explorer": "explore"
+      planner: "plan",
+      architect: "plan",
+      supervisor: "readonly",
+      researcher: "readonly",
+      builder: "build",
+      reviewer: "readonly",
+      specialist: "readonly"
     },
     profiles: {
       default: {
@@ -23859,8 +24256,8 @@ var defaultConfig = {
 };
 async function loadConfig(options) {
   const configs = [];
-  const userConfigDir = path13.join(os7.homedir(), ".demian");
-  const configPaths = [path13.join(userConfigDir, "config.json"), path13.join(userConfigDir, "config.jsond"), options.configPath].filter(Boolean);
+  const userConfigDir = path14.join(os7.homedir(), ".demian");
+  const configPaths = [path14.join(userConfigDir, "config.json"), path14.join(userConfigDir, "config.jsond"), options.configPath].filter(Boolean);
   for (const filePath of configPaths) {
     if (!fs7.existsSync(filePath)) continue;
     const parsed = parseConfigText(await readFile6(filePath, "utf8"), filePath);
@@ -24048,14 +24445,7 @@ function mergeConfig(base, overlay) {
       ...base.delegation,
       ...overlay.delegation
     },
-    cowork: {
-      ...base.cowork,
-      ...overlay.cowork,
-      maxConcurrentPerProvider: {
-        ...base.cowork.maxConcurrentPerProvider,
-        ...overlay.cowork?.maxConcurrentPerProvider
-      }
-    },
+    cowork: mergeCoworkConfig(base.cowork, overlay.cowork),
     goals: {
       ...base.goals,
       ...overlay.goals,
@@ -24227,6 +24617,168 @@ function uniqueProviderCandidates(values) {
   }
   return out;
 }
+function mergeCoworkConfig(base, overlay) {
+  if (!overlay) return structuredClone(base);
+  return {
+    ...base,
+    ...overlay,
+    providers: overlay.providers !== void 0 ? canonicalStringArray(overlay.providers, "cowork.providers") : [...base.providers],
+    maxConcurrentPerProvider: {
+      ...base.maxConcurrentPerProvider,
+      ...overlay.maxConcurrentPerProvider
+    },
+    preflight: {
+      ...base.preflight,
+      ...overlay.preflight
+    },
+    fallback: {
+      nonWrite: {
+        ...base.fallback.nonWrite,
+        ...overlay.fallback?.nonWrite
+      },
+      write: {
+        ...base.fallback.write,
+        ...overlay.fallback?.write
+      }
+    },
+    routing: {
+      ...base.routing,
+      ...overlay.routing,
+      agentProviders: mergeCoworkAgentProviders(base.routing.agentProviders, overlay.routing?.agentProviders),
+      agentModelPools: mergeCoworkAgentModelPools(base.routing.agentModelPools, overlay.routing?.agentModelPools)
+    },
+    permissionOverlay: mergeCoworkPermissionOverlay(base.permissionOverlay, overlay.permissionOverlay)
+  };
+}
+function mergeCoworkAgentProviders(base, overlay) {
+  const out = { ...cloneAgentProviders(base) };
+  for (const [rawAgent, rawProviders] of Object.entries(overlay ?? {})) {
+    const agent = validateCoworkAgentName(rawAgent, `cowork.routing.agentProviders.${rawAgent}`);
+    out[agent] = canonicalStringArray(rawProviders, `cowork.routing.agentProviders.${agent}`);
+  }
+  return out;
+}
+function cloneAgentProviders(input2) {
+  const out = {};
+  for (const [agent, providers] of Object.entries(input2)) {
+    out[agent] = [...providers ?? []];
+  }
+  return out;
+}
+function mergeCoworkAgentModelPools(base, overlay) {
+  const out = { ...cloneAgentModelPools(base) };
+  for (const [rawAgent, rawEntries] of Object.entries(overlay ?? {})) {
+    const agent = validateCoworkAgentName(rawAgent, `cowork.routing.agentModelPools.${rawAgent}`);
+    out[agent] = canonicalCoworkModelPool(rawEntries, `cowork.routing.agentModelPools.${agent}`);
+  }
+  return out;
+}
+function cloneAgentModelPools(input2) {
+  const out = {};
+  for (const [agent, entries] of Object.entries(input2)) {
+    out[agent] = (entries ?? []).map((entry) => ({ ...entry }));
+  }
+  return out;
+}
+function canonicalCoworkModelPool(value, pathName) {
+  if (!Array.isArray(value)) throw new Error(`${pathName} must be an array.`);
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const [index, raw] of value.entries()) {
+    if (!raw || typeof raw !== "object" || Array.isArray(raw)) throw new Error(`${pathName}[${index}] must be an object.`);
+    const entry = raw;
+    if (typeof entry.provider !== "string" || !entry.provider.trim()) throw new Error(`${pathName}[${index}].provider must be a non-empty string.`);
+    const provider = entry.provider.trim();
+    const model = typeof entry.model === "string" && entry.model.trim() ? entry.model.trim() : void 0;
+    const modelProfileName = typeof entry.modelProfileName === "string" && entry.modelProfileName.trim() ? entry.modelProfileName.trim() : void 0;
+    const key = `${provider}\0${modelProfileName ?? ""}\0${model ?? ""}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push({
+      provider,
+      ...model ? { model } : {},
+      ...modelProfileName ? { modelProfileName } : {}
+    });
+  }
+  return out;
+}
+function mergeCoworkPermissionOverlay(base, overlay) {
+  const providerToolNamespaces = {
+    ...base.providerToolNamespaces,
+    ...stringMap(overlay?.providerToolNamespaces, "cowork.permissionOverlay.providerToolNamespaces")
+  };
+  const modeMappings = {};
+  for (const [mode, mapping] of Object.entries(base.modeMappings)) {
+    if (mapping) modeMappings[mode] = clonePermissionModeOverlay(mapping);
+  }
+  for (const [rawMode, rawMapping] of Object.entries(overlay?.modeMappings ?? {})) {
+    const mode = validateCoworkPermissionIntent(rawMode, `cowork.permissionOverlay.modeMappings.${rawMode}`);
+    const baseMapping = modeMappings[mode];
+    if (!rawMapping || typeof rawMapping !== "object" || Array.isArray(rawMapping)) throw new Error(`cowork.permissionOverlay.modeMappings.${mode} must be an object.`);
+    const mapping = rawMapping;
+    modeMappings[mode] = {
+      demianTools: mapping.demianTools !== void 0 ? canonicalStringArray(mapping.demianTools, `cowork.permissionOverlay.modeMappings.${mode}.demianTools`) : [...baseMapping?.demianTools ?? []],
+      providerTools: {
+        ...baseMapping ? cloneProviderTools(baseMapping.providerTools) : {},
+        ...providerToolsMap(mapping.providerTools, `cowork.permissionOverlay.modeMappings.${mode}.providerTools`)
+      },
+      defaultDecision: validatePermissionDefault(mapping.defaultDecision ?? baseMapping?.defaultDecision ?? "ask", `cowork.permissionOverlay.modeMappings.${mode}.defaultDecision`)
+    };
+  }
+  return { providerToolNamespaces, modeMappings };
+}
+function clonePermissionModeOverlay(mapping) {
+  return {
+    demianTools: [...mapping.demianTools],
+    providerTools: cloneProviderTools(mapping.providerTools),
+    defaultDecision: mapping.defaultDecision
+  };
+}
+function cloneProviderTools(input2) {
+  return Object.fromEntries(Object.entries(input2).map(([provider, tools]) => [provider, [...tools]]));
+}
+function providerToolsMap(value, pathName) {
+  if (value === void 0) return {};
+  if (!value || typeof value !== "object" || Array.isArray(value)) throw new Error(`${pathName} must be an object.`);
+  const out = {};
+  for (const [provider, tools] of Object.entries(value)) {
+    out[provider] = canonicalStringArray(tools, `${pathName}.${provider}`);
+  }
+  return out;
+}
+function stringMap(value, pathName) {
+  if (value === void 0) return {};
+  if (!value || typeof value !== "object" || Array.isArray(value)) throw new Error(`${pathName} must be an object.`);
+  const out = {};
+  for (const [key, raw] of Object.entries(value)) {
+    if (typeof raw !== "string" || !raw.trim()) throw new Error(`${pathName}.${key} must be a non-empty string.`);
+    out[key] = raw.trim();
+  }
+  return out;
+}
+function canonicalStringArray(value, pathName) {
+  if (!Array.isArray(value)) throw new Error(`${pathName} must be an array of strings.`);
+  const out = [];
+  for (const [index, item] of value.entries()) {
+    if (typeof item !== "string" || !item.trim()) throw new Error(`${pathName}[${index}] must be a non-empty string.`);
+    out.push(item.trim());
+  }
+  return [...new Set(out)];
+}
+function validatePermissionDefault(value, pathName) {
+  if (value === "allow" || value === "ask" || value === "deny") return value;
+  throw new Error(`${pathName} must be allow, ask, or deny.`);
+}
+function validateCoworkAgentName(value, pathName = "cowork agent") {
+  if (COWORK_AGENT_NAMES.includes(value)) return value;
+  const migration = COWORK_AGENT_MIGRATIONS[value];
+  if (migration) throw new Error(`${pathName} uses removed cowork agent "${value}". Use "${migration.replacement}" instead (${migration.note}).`);
+  throw new Error(`${pathName} must be one of: ${COWORK_AGENT_NAMES.join(", ")}.`);
+}
+function validateCoworkPermissionIntent(value, pathName) {
+  if (value === "read-only" || value === "review" || value === "write" || value === "manage") return value;
+  throw new Error(`${pathName} must be read-only, review, write, or manage.`);
+}
 function mergeModelProfile(providerConfig, profile) {
   const merged = {
     ...providerConfig,
@@ -24651,7 +25203,7 @@ function safeJson(value) {
 }
 
 // src/hooks/dispatcher.ts
-import path15 from "node:path";
+import path16 from "node:path";
 
 // src/hooks/command.ts
 import { spawn as spawn4 } from "node:child_process";
@@ -24744,7 +25296,7 @@ var blockDangerousBashHook = {
 };
 
 // src/hooks/builtin/protect-env-files.ts
-import path14 from "node:path";
+import path15 from "node:path";
 var protectEnvFilesHook = {
   name: "protect-env-files",
   event: "PreToolUse",
@@ -24752,7 +25304,7 @@ var protectEnvFilesHook = {
   run(ctx) {
     if (ctx.toolName !== "write_file" && ctx.toolName !== "edit_file") return { decision: "allow" };
     const input2 = ctx.toolInput && typeof ctx.toolInput === "object" ? ctx.toolInput : {};
-    const filePath = typeof input2.path === "string" ? path14.resolve(ctx.cwd, input2.path) : "";
+    const filePath = typeof input2.path === "string" ? path15.resolve(ctx.cwd, input2.path) : "";
     if (filePath && isEnvFile(filePath)) {
       return {
         decision: "block",
@@ -24867,7 +25419,7 @@ function matchesHook(match, ctx) {
     const input2 = ctx.toolInput && typeof ctx.toolInput === "object" ? ctx.toolInput : {};
     const filePath = typeof input2.path === "string" ? input2.path : typeof input2.workdir === "string" ? input2.workdir : void 0;
     if (!filePath) return false;
-    if (!matchGlob(match.pathGlob, relativeToCwd(ctx.cwd, path15.resolve(ctx.cwd, filePath)))) return false;
+    if (!matchGlob(match.pathGlob, relativeToCwd(ctx.cwd, path16.resolve(ctx.cwd, filePath)))) return false;
   }
   return true;
 }
@@ -24876,7 +25428,7 @@ function matchesHook(match, ctx) {
 import crypto5 from "node:crypto";
 import { mkdir as mkdir6, readFile as readFile7, rename as rename4, writeFile as writeFile5 } from "node:fs/promises";
 import os9 from "node:os";
-import path16 from "node:path";
+import path17 from "node:path";
 var DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
 var PING_TIMEOUT_MS = 1500;
 var DEFAULT_CODEX_CLIENT_VERSION = "0.0.0";
@@ -25188,7 +25740,7 @@ async function fetchJson(url, options) {
   return text ? JSON.parse(text) : {};
 }
 function cachePath(cacheKey) {
-  return path16.join(os9.homedir(), ".demian", "cache", "models", `${safeCacheName(cacheKey)}.json`);
+  return path17.join(os9.homedir(), ".demian", "cache", "models", `${safeCacheName(cacheKey)}.json`);
 }
 async function readCatalogCache(cacheKey, ttlMs, allow) {
   if (!allow) return void 0;
@@ -25203,7 +25755,7 @@ async function readCatalogCache(cacheKey, ttlMs, allow) {
 }
 async function writeCatalogCache(cacheKey, result) {
   const filePath = cachePath(cacheKey);
-  await mkdir6(path16.dirname(filePath), { recursive: true, mode: 448 });
+  await mkdir6(path17.dirname(filePath), { recursive: true, mode: 448 });
   const temp = `${filePath}.${process.pid}.${Date.now()}.tmp`;
   await writeFile5(temp, JSON.stringify({ savedAt: Date.now(), result }, null, 2), { mode: 384 });
   await rename4(temp, filePath);
@@ -25286,7 +25838,7 @@ function withTimeout(promise, timeoutMs) {
 
 // src/multimodal.ts
 import { readFile as readFile8, stat as stat3 } from "node:fs/promises";
-import path17 from "node:path";
+import path18 from "node:path";
 var DEFAULT_MAX_IMAGE_BYTES = 8 * 1024 * 1024;
 async function buildUserContent(prompt, images = [], options) {
   if (images.length === 0) return prompt;
@@ -25314,7 +25866,7 @@ async function imageToUrl(input2, options) {
   return `data:${mime};base64,${bytes.toString("base64")}`;
 }
 function mimeFromPath(filePath) {
-  switch (path17.extname(filePath).toLowerCase()) {
+  switch (path18.extname(filePath).toLowerCase()) {
     case ".jpg":
     case ".jpeg":
       return "image/jpeg";
@@ -25325,7 +25877,7 @@ function mimeFromPath(filePath) {
     case ".webp":
       return "image/webp";
     default:
-      throw new Error(`Unsupported image extension: ${path17.extname(filePath) || "(none)"}`);
+      throw new Error(`Unsupported image extension: ${path18.extname(filePath) || "(none)"}`);
   }
 }
 
@@ -25333,7 +25885,7 @@ function mimeFromPath(filePath) {
 import { mkdir as mkdir7, readFile as readFile9, writeFile as writeFile6 } from "node:fs/promises";
 import fs8 from "node:fs";
 import os10 from "node:os";
-import path18 from "node:path";
+import path19 from "node:path";
 var DEFAULT_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
 var PersistentGrantStore = class {
   filePath;
@@ -25371,15 +25923,15 @@ var PersistentGrantStore = class {
     };
   }
   async #write(file) {
-    await mkdir7(path18.dirname(this.filePath), { recursive: true });
+    await mkdir7(path19.dirname(this.filePath), { recursive: true });
     await writeFile6(this.filePath, `${JSON.stringify(file, null, 2)}
 `, { mode: 384 });
   }
 };
 function resolveGrantPath(cwd, config) {
-  if (config.path) return path18.resolve(cwd, config.path);
-  if ((config.scope ?? "project") === "user") return path18.join(os10.homedir(), ".demian", "grants.json");
-  return path18.join(cwd, ".demian", "grants.json");
+  if (config.path) return path19.resolve(cwd, config.path);
+  if ((config.scope ?? "project") === "user") return path19.join(os10.homedir(), ".demian", "grants.json");
+  return path19.join(cwd, ".demian", "grants.json");
 }
 function isGrantRecord(value) {
   if (!value || typeof value !== "object") return false;
@@ -25401,9 +25953,15 @@ function defaultDecisionForPermissionPreset(preset) {
   if (preset === "full") return "allow";
   return "by-category";
 }
-function automaticAnswerForPermissionPreset(preset, yes) {
+function invocationDecisionForPermissionPreset(preset) {
+  if (preset === "deny") return "deny";
+  if (preset === "ask") return "ask";
+  return "allow";
+}
+function automaticAnswerForPermissionPreset(preset, yes, request) {
   if (preset === "deny") return { decision: "deny", reason: "permission preset is deny" };
   if (preset === "full" || yes) return { decision: "allow" };
+  if (preset === "auto" && request && isAutoAllowedPermissionRequest(request)) return { decision: "allow" };
   return void 0;
 }
 function permissionDecisionLine(answer, preset) {
@@ -25411,13 +25969,19 @@ function permissionDecisionLine(answer, preset) {
   return `permission: denied${answer.reason ? `: ${answer.reason}` : ""}`;
 }
 function applyPermissionPresetToAgent(agent, preset) {
+  const invocationDecision = invocationDecisionForPermissionPreset(preset);
   return {
     ...agent,
+    delegation: agent.delegation ? {
+      ...agent.delegation,
+      invocationDecision
+    } : agent.delegation,
     defaultDecision: defaultDecisionForPermissionPreset(preset)
   };
 }
 function applyPermissionPresetToConfig(config, preset) {
   const defaultDecision = defaultDecisionForPermissionPreset(preset);
+  const invocationDecision = invocationDecisionForPermissionPreset(preset);
   const profiles = Object.fromEntries(
     Object.entries(config.claudeCodePermissions.profiles).map(([name, profile]) => [
       name,
@@ -25429,22 +25993,36 @@ function applyPermissionPresetToConfig(config, preset) {
   );
   return {
     ...config,
+    delegation: {
+      ...config.delegation,
+      defaultInvocationDecision: invocationDecision
+    },
+    cowork: {
+      ...config.cowork,
+      defaultInvocationDecision: invocationDecision
+    },
     claudeCodePermissions: {
       ...config.claudeCodePermissions,
       profiles
     }
   };
 }
+function isAutoAllowedPermissionRequest(request) {
+  if (request.targetType === "agent" || request.targetType === "cowork") return true;
+  if (request.shape === "agent" || request.shape === "cowork-group") return true;
+  return AUTO_ALLOWED_ORCHESTRATION_TOOLS.has(request.tool);
+}
+var AUTO_ALLOWED_ORCHESTRATION_TOOLS = /* @__PURE__ */ new Set(["delegate_agent", "cowork", "update_plan", "report_progress", "get_goal"]);
 
 // src/root-session.ts
-import { cp, mkdtemp, rm as rm2 } from "node:fs/promises";
+import { cp, mkdtemp, readFile as readFile14, rm as rm2 } from "node:fs/promises";
 import os12 from "node:os";
-import path28 from "node:path";
+import path29 from "node:path";
 
 // src/transcript.ts
 import { mkdir as mkdir8, appendFile, writeFile as writeFile7 } from "node:fs/promises";
 import os11 from "node:os";
-import path19 from "node:path";
+import path20 from "node:path";
 var TranscriptWriter = class {
   filePath;
   #enabled;
@@ -25452,8 +26030,8 @@ var TranscriptWriter = class {
   #queue = Promise.resolve();
   constructor(options) {
     this.#enabled = options.enabled !== false;
-    const dir = path19.join(options.storageDir ?? defaultDemianStorageDir(), "transcripts", options.sessionId);
-    this.filePath = path19.join(dir, "session.jsonl");
+    const dir = path20.join(options.storageDir ?? defaultDemianStorageDir(), "transcripts", options.sessionId);
+    this.filePath = path20.join(dir, "session.jsonl");
     this.#ready = this.#enabled ? mkdir8(dir, { recursive: true }).then(() => writeFile7(this.filePath, "", { flag: "a" })) : Promise.resolve();
   }
   write(event) {
@@ -25470,14 +26048,14 @@ var TranscriptWriter = class {
   }
 };
 function defaultDemianStorageDir() {
-  return path19.join(os11.homedir(), ".demian");
+  return path20.join(os11.homedir(), ".demian");
 }
 
 // src/external-runtime/snapshot-diff.ts
 import { createHash as createHash2 } from "node:crypto";
 import { createReadStream } from "node:fs";
 import { readdir, readFile as readFile10, stat as stat4 } from "node:fs/promises";
-import path20 from "node:path";
+import path21 from "node:path";
 
 // src/workspace/diff.ts
 var CONTEXT_LINES = 3;
@@ -25687,7 +26265,7 @@ async function diffWorkspaceSnapshot(before) {
 }
 async function walk(root, relativeDir, entries, options) {
   if (entries.size >= options.maxFiles) return;
-  const absoluteDir = path20.join(root, relativeDir);
+  const absoluteDir = path21.join(root, relativeDir);
   let items;
   try {
     items = await readdir(absoluteDir, { withFileTypes: true });
@@ -25698,8 +26276,8 @@ async function walk(root, relativeDir, entries, options) {
     if (entries.size >= options.maxFiles) return;
     if (item.name.startsWith(".") && item.name !== ".env.example" && SKIP_DIRS.has(item.name)) continue;
     if (SKIP_DIRS.has(item.name)) continue;
-    const relativePath = normalizeRelativePath(path20.join(relativeDir, item.name));
-    const absolutePath = path20.join(root, relativePath);
+    const relativePath = normalizeRelativePath(path21.join(relativeDir, item.name));
+    const absolutePath = path21.join(root, relativePath);
     if (item.isDirectory()) {
       await walk(root, relativePath, entries, options);
       continue;
@@ -25735,7 +26313,7 @@ function sha256File(filePath) {
   });
 }
 function normalizeRelativePath(value) {
-  return value.split(path20.sep).join("/");
+  return value.split(path21.sep).join("/");
 }
 
 // src/external-runtime/session-runner.ts
@@ -25745,10 +26323,16 @@ var ExternalAgentSessionRunner = class {
   events;
   #options;
   #transcript;
+  #grants;
+  #persistentStore;
   #activeTools = /* @__PURE__ */ new Map();
+  #toolStats = { requested: 0, completed: 0, failed: 0 };
+  #recentToolEvents = [];
   #cancellationArtifactsEmitted = false;
   constructor(options) {
     this.#options = options;
+    this.#grants = options.grants ?? new SessionGrants();
+    if (options.persistentGrants?.enabled) this.#persistentStore = new PersistentGrantStore(options.cwd, options.persistentGrants);
     this.events = options.eventBus ?? new EventBus();
     this.#transcript = options.transcriptWriter ?? new TranscriptWriter({
       cwd: options.cwd,
@@ -25758,6 +26342,7 @@ var ExternalAgentSessionRunner = class {
   }
   async run() {
     const options = this.#options;
+    for (const key of await this.#persistentStore?.load(options.cwd) ?? []) this.#grants.add(key);
     const messages = [{ role: "system", content: buildSystemPrompt(options.agent) }, ...options.history ?? [], { role: "user", content: options.prompt }];
     let finalAnswer = "";
     let finalTextEmitted = false;
@@ -25801,8 +26386,12 @@ var ExternalAgentSessionRunner = class {
         if (options.signal?.aborted) return this.endCancelled(messages, finalAnswer, externalSessionId, usage, snapshot);
         if (recoveredInvalidResume || !shouldRecoverInvalidResume(failure2.error, runtimePreviousExternalSessionId)) {
           this.emit({ type: "session.failed", sessionId: this.sessionId, error: failure2.error, ts: now(), ...this.eventContext() });
-          messages.push({ role: "assistant", content: finalAnswer });
-          return { sessionId: this.sessionId, externalSessionId, finalAnswer: finalAnswer || failure2.error, messages, endReason: "error", usage };
+          const answer = this.externalTerminalFinalAnswer("error", finalAnswer || failure2.error);
+          messages.push({ role: "assistant", content: answer });
+          this.emit({ type: "session.ended", sessionId: this.sessionId, reason: "error", ts: now(), ...this.eventContext() });
+          this.emit({ type: "model.text", sessionId: this.sessionId, text: answer, ts: now(), ...this.eventContext() });
+          await this.#transcript.flush();
+          return { sessionId: this.sessionId, externalSessionId, finalAnswer: answer, messages, endReason: "error", usage };
         }
         const policy = options.onInvalidResume ?? "fresh";
         recoveredInvalidResume = true;
@@ -25854,11 +26443,15 @@ var ExternalAgentSessionRunner = class {
       model: options.model,
       agent: options.agent,
       providerName: options.providerName,
+      maxTurns: options.maxTurns,
       signal: options.signal ?? new AbortController().signal,
       historyPolicy: options.historyPolicy ?? "passthrough-resume",
       previousExternalSessionId,
       writeScope: options.writeScope,
       permissionPrompt: options.permissionPrompt,
+      autoPermission: options.autoPermission,
+      grants: this.#grants,
+      onPermissionGrant: (grantKey) => this.#persistentStore?.add(options.cwd, grantKey) ?? Promise.resolve(),
       yes: options.yes,
       emit: (runtimeEvent) => this.emit(runtimeEvent)
     })) {
@@ -25873,6 +26466,8 @@ var ExternalAgentSessionRunner = class {
         this.emit({ type: "model.text", sessionId: this.sessionId, text: event.text, ts: now(), ...this.eventContext() });
       } else if (event.type === "tool.requested") {
         this.#activeTools.set(event.callId, { name: event.name });
+        this.#toolStats.requested += 1;
+        this.recordRecentToolEvent(`\uC694\uCCAD: ${event.name}`);
         this.emit({
           type: "tool.requested",
           sessionId: this.sessionId,
@@ -25886,8 +26481,13 @@ var ExternalAgentSessionRunner = class {
           ...this.eventContext()
         });
       } else if (event.type === "tool.completed") {
+        const activeTool = this.#activeTools.get(event.callId);
+        const name = event.name === "unknown" ? activeTool?.name ?? event.name : event.name;
         this.#activeTools.delete(event.callId);
-        this.emit({ type: "tool.completed", sessionId: this.sessionId, callId: event.callId, name: event.name, ok: event.ok, preview: event.preview ?? "", executor: "claudecode", qualifiedName: `claudecode.${event.name}`, agent: options.agent.name, ts: now(), ...this.eventContext() });
+        if (event.ok) this.#toolStats.completed += 1;
+        else this.#toolStats.failed += 1;
+        this.recordRecentToolEvent(`${event.ok ? "\uC644\uB8CC" : "\uC2E4\uD328"}: ${name}${event.preview ? ` - ${event.preview}` : ""}`);
+        this.emit({ type: "tool.completed", sessionId: this.sessionId, callId: event.callId, name, ok: event.ok, preview: event.preview ?? "", executor: "claudecode", qualifiedName: `claudecode.${name}`, agent: options.agent.name, ts: now(), ...this.eventContext() });
       } else if (event.type === "usage") {
         capture.onUsage(event.usage);
         this.emit({ type: "model.usage", sessionId: this.sessionId, usage: event.usage, ts: now(), ...this.eventContext() });
@@ -25906,12 +26506,31 @@ var ExternalAgentSessionRunner = class {
   }
   async endCancelled(messages, finalAnswer, externalSessionId, usage, snapshot) {
     await this.emitCancellationArtifacts(snapshot);
-    const answer = finalAnswer || "Cancelled.";
+    const answer = this.externalTerminalFinalAnswer("cancelled", finalAnswer || "Cancelled.");
     messages.push({ role: "assistant", content: answer });
     this.emit({ type: "session.ended", sessionId: this.sessionId, reason: "cancelled", ts: now(), ...this.eventContext() });
+    this.emit({ type: "model.text", sessionId: this.sessionId, text: answer, ts: now(), ...this.eventContext() });
     await this.#transcript.flush();
     return { sessionId: this.sessionId, externalSessionId, finalAnswer: answer, messages, endReason: "cancelled", usage };
   }
+  recordRecentToolEvent(text) {
+    this.#recentToolEvents.push(text.replace(/\s+/g, " ").trim());
+    if (this.#recentToolEvents.length > 5) this.#recentToolEvents.splice(0, this.#recentToolEvents.length - 5);
+  }
+  externalTerminalFinalAnswer(reason, lastMessage) {
+    const lines = ["\uC791\uC5C5\uC774 \uC885\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.", "", `\uC885\uB8CC \uC774\uC720: ${reason === "cancelled" ? "\uC791\uC5C5\uC774 \uCDE8\uC18C\uB418\uC5C8\uC2B5\uB2C8\uB2E4." : "\uC678\uBD80 \uB7F0\uD0C0\uC784 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4."}`];
+    if (lastMessage.trim()) lines.push(`\uB9C8\uC9C0\uB9C9 \uB7F0\uD0C0\uC784 \uBA54\uC2DC\uC9C0: ${lastMessage.trim()}`);
+    lines.push("", "\uD604\uC7AC\uAE4C\uC9C0 \uC9C4\uD589\uD55C \uB0B4\uC6A9\uC740 \uC544\uB798\uC640 \uAC19\uC2B5\uB2C8\uB2E4.");
+    const totalTools = this.#toolStats.requested;
+    if (totalTools > 0) {
+      lines.push(`- Claude Code \uB7F0\uD0C0\uC784\uC5D0\uC11C \uB3C4\uAD6C ${totalTools}\uAC1C\uB97C \uC694\uCCAD\uD588\uACE0, \uC644\uB8CC ${this.#toolStats.completed}\uAC1C, \uC2E4\uD328 ${this.#toolStats.failed}\uAC1C\uB85C \uAE30\uB85D\uB418\uC5C8\uC2B5\uB2C8\uB2E4.`);
+      if (this.#recentToolEvents.length > 0) lines.push(`- \uCD5C\uADFC \uB3C4\uAD6C \uD750\uB984: ${this.#recentToolEvents.join("; ")}`);
+    } else {
+      lines.push("- \uC544\uC9C1 \uC644\uB8CC\uB41C \uB3C4\uAD6C \uC0AC\uC6A9 \uAE30\uB85D\uC740 \uC5C6\uC2B5\uB2C8\uB2E4.");
+    }
+    lines.push("", "\uC774\uC5B4\uC11C \uC9C4\uD589\uD558\uBA74 \uC704 \uC0C1\uD0DC\uB97C \uAE30\uC900\uC73C\uB85C \uB9C8\uC9C0\uB9C9\uC73C\uB85C \uD655\uC778\uD55C \uC9C0\uC810\uBD80\uD130 \uB2E4\uC2DC \uC774\uC5B4\uAC00\uACA0\uC2B5\uB2C8\uB2E4.");
+    return lines.join("\n");
+  }
   async createAbortSnapshot() {
     try {
       return await createWorkspaceSnapshot(this.#options.cwd);
@@ -26133,7 +26752,7 @@ var ProgressLedger = class {
     return this.#plan;
   }
 };
-var statuses = /* @__PURE__ */ new Set(["pending", "in_progress", "completed", "blocked", "skipped", "failed"]);
+var statuses = /* @__PURE__ */ new Set(["pending", "in_progress", "completed", "blocked", "skipped", "failed", "cancelled"]);
 var FINAL_REVIEW_STEP_ID = "final_review";
 var FINAL_REVIEW_TITLE = "Final review and verification";
 var FINAL_REVIEW_DETAIL = "Review changes, run checks, and confirm the result before finishing.";
@@ -26340,6 +26959,7 @@ function normalizeActiveStep(plan, preferredActive) {
   const inProgress = plan.steps.filter((step) => step.status === "in_progress");
   let active = preferredActive === null ? void 0 : typeof preferredActive === "string" ? preferredActive : void 0;
   if (active && !plan.steps.some((step) => step.id === active)) active = void 0;
+  if (active && isTerminal(plan.steps.find((step) => step.id === active)?.status ?? "pending")) active = void 0;
   if (active) {
     for (const step of plan.steps) {
       if (step.id === active) {
@@ -26402,7 +27022,7 @@ function isStatus(value) {
   return typeof value === "string" && statuses.has(value);
 }
 function isTerminal(status) {
-  return status === "completed" || status === "blocked" || status === "skipped" || status === "failed";
+  return status === "completed" || status === "blocked" || status === "skipped" || status === "failed" || status === "cancelled";
 }
 function parseLevel(value) {
   if (value === "info" || value === "success" || value === "warning" || value === "error") return value;
@@ -26429,16 +27049,16 @@ function fail(content, metadata) {
 
 // src/tools/output.ts
 import { mkdir as mkdir9, writeFile as writeFile8 } from "node:fs/promises";
-import path21 from "node:path";
+import path22 from "node:path";
 var DEFAULT_CAP_BYTES = 32 * 1024;
 var HALF_PREVIEW_BYTES = 16 * 1024;
 async function capToolOutput(result, options) {
   const capBytes = options.capBytes ?? DEFAULT_CAP_BYTES;
   const bytes = Buffer.byteLength(result.content, "utf8");
   if (bytes <= capBytes) return result;
-  const dir = path21.join(options.cwd, ".demian", "tmp");
+  const dir = path22.join(options.cwd, ".demian", "tmp");
   await mkdir9(dir, { recursive: true });
-  const outputPath = path21.join(dir, `output-${safeCallId(options.callId)}.txt`);
+  const outputPath = path22.join(dir, `output-${safeCallId(options.callId)}.txt`);
   await writeFile8(outputPath, result.content, "utf8");
   return {
     ...result,
@@ -26446,7 +27066,7 @@ async function capToolOutput(result, options) {
       sliceUtf8(result.content, 0, HALF_PREVIEW_BYTES),
       `
 
-[Full output saved to ${path21.relative(options.cwd, outputPath)}; showing head and tail because output exceeded ${capBytes} bytes]
+[Full output saved to ${path22.relative(options.cwd, outputPath)}; showing head and tail because output exceeded ${capBytes} bytes]
 
 `,
       sliceUtf8(result.content, Math.max(0, bytes - HALF_PREVIEW_BYTES), bytes)
@@ -26471,8 +27091,10 @@ function sliceUtf8(text, startByte, endByte) {
 }
 
 // src/tools/read-file.ts
+import { createReadStream as createReadStream2 } from "node:fs";
 import { open as open2, stat as stat5 } from "node:fs/promises";
-import path22 from "node:path";
+import { createInterface } from "node:readline";
+import path23 from "node:path";
 
 // src/tools/validation.ts
 function assertObject(input2, toolName) {
@@ -26481,7 +27103,7 @@ function assertObject(input2, toolName) {
   }
   return input2;
 }
-function stringField(input2, key, options = {}) {
+function stringField2(input2, key, options = {}) {
   const value = input2[key];
   if (typeof value !== "string" || !options.allowEmpty && value.length === 0) {
     throw new Error(`${key} must be ${options.allowEmpty ? "a string" : "a non-empty string"}`);
@@ -26521,12 +27143,19 @@ function positiveInteger(value, fallback, key) {
 }
 
 // src/tools/read-file.ts
-var MAX_BYTES = 1024 * 1024;
 var SAMPLE_BYTES = 4096;
 var DEFAULT_LIMIT = 2e3;
+var MAX_LIMIT = 2e3;
 var readFileTool = {
   name: "read_file",
-  description: "Read a text file inside the workspace. Returns line-numbered output.",
+  description: "Read a text file inside the workspace. Streams large files and returns line-numbered output for the requested range.",
+  metadata: {
+    category: "workspace.read",
+    categoryPath: ["workspace", "read"],
+    sideEffect: "none",
+    defaultDecision: "allow",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -26534,32 +27163,30 @@ var readFileTool = {
     properties: {
       path: { type: "string", description: "Path to read, relative to cwd or absolute inside cwd." },
       offset: { type: "number", description: "1-indexed line offset. Defaults to 1." },
-      limit: { type: "number", description: "Maximum number of lines. Defaults to 2000." }
+      limit: { type: "number", description: "Maximum number of lines. Defaults to 2000 and is capped at 2000." }
     }
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "read_file");
-    const filePath = resolveInsideCwd(ctx.cwd, stringField(object2, "path"));
+    const filePath = resolveInsideCwd(ctx.cwd, stringField2(object2, "path"));
     const offset = positiveInteger(optionalNumberField(object2, "offset"), 1, "offset");
-    const limit = positiveInteger(optionalNumberField(object2, "limit"), DEFAULT_LIMIT, "limit");
+    const requestedLimit = positiveInteger(optionalNumberField(object2, "limit"), DEFAULT_LIMIT, "limit");
+    const limit = Math.min(requestedLimit, MAX_LIMIT);
     const info = await stat5(filePath);
     if (info.isDirectory()) throw new Error(`read_file expected a file but got a directory: ${relativeToCwd(ctx.cwd, filePath)}`);
-    if (info.size > MAX_BYTES) throw new Error(`File is larger than ${MAX_BYTES} bytes: ${relativeToCwd(ctx.cwd, filePath)}`);
     const sample = await readBytes(filePath, Math.min(SAMPLE_BYTES, info.size));
     if (looksBinary(sample)) throw new Error(`Refusing to read binary file: ${relativeToCwd(ctx.cwd, filePath)}`);
-    const text = await readText(filePath);
-    const lines = text.split(/\r?\n/);
-    const start = offset - 1;
-    const sliced = lines.slice(start, start + limit);
-    const width = String(Math.min(lines.length, start + sliced.length)).length;
-    const content = sliced.map((line, index) => `${String(start + index + 1).padStart(width, " ")} | ${line}`).join("\n");
-    const truncated = start + sliced.length < lines.length;
-    return ok(content + (truncated ? `
-... (${lines.length - start - sliced.length} more lines)` : ""), {
-      path: path22.relative(ctx.cwd, filePath),
-      lines: sliced.length,
-      totalLines: lines.length,
-      truncated
+    const slice = await readLineSlice(filePath, offset, limit, ctx.signal);
+    return ok(formatLineSlice(slice), {
+      path: path23.relative(ctx.cwd, filePath),
+      offset,
+      limit,
+      requestedLimit,
+      lines: slice.lines.length,
+      totalLines: slice.totalLines,
+      truncated: slice.truncated,
+      nextOffset: slice.nextOffset,
+      fileSizeBytes: info.size
     });
   }
 };
@@ -26573,15 +27200,50 @@ async function readBytes(filePath, length) {
     await handle.close();
   }
 }
-async function readText(filePath) {
-  const handle = await open2(filePath, "r");
+async function readLineSlice(filePath, offset, limit, signal) {
+  if (signal.aborted) throw new Error("read_file was aborted");
+  const stream = createReadStream2(filePath, { encoding: "utf8" });
+  const reader = createInterface({ input: stream, crlfDelay: Infinity });
+  const abort = () => stream.destroy(new Error("read_file was aborted"));
+  signal.addEventListener("abort", abort, { once: true });
+  const lines = [];
+  let lineNumber = 0;
+  let truncated = false;
   try {
-    const chunks = [];
-    for await (const chunk of handle.createReadStream({ encoding: null })) chunks.push(Buffer.from(chunk));
-    return Buffer.concat(chunks).toString("utf8");
+    for await (const line of reader) {
+      lineNumber++;
+      if (lineNumber < offset) continue;
+      if (lines.length < limit) {
+        lines.push(line);
+        continue;
+      }
+      truncated = true;
+      break;
+    }
   } finally {
-    await handle.close();
+    signal.removeEventListener("abort", abort);
+    reader.close();
+    stream.destroy();
   }
+  return {
+    lines,
+    offset,
+    totalLines: truncated ? void 0 : lineNumber,
+    truncated,
+    nextOffset: truncated ? offset + lines.length : void 0
+  };
+}
+function formatLineSlice(slice) {
+  if (slice.lines.length === 0) {
+    if (slice.totalLines !== void 0) return `... (no lines at offset ${slice.offset}; file has ${slice.totalLines} lines)`;
+    return `... (no lines at offset ${slice.offset})`;
+  }
+  const lastLine = slice.offset + slice.lines.length - 1;
+  const width = String(lastLine).length;
+  const content = slice.lines.map((line, index) => `${String(slice.offset + index).padStart(width, " ")} | ${line}`).join("\n");
+  if (!slice.truncated || slice.nextOffset === void 0) return content;
+  return `${content}
+... (more lines available; continue with offset ${slice.nextOffset})`;
 }
 function looksBinary(buffer) {
   if (buffer.length === 0) return false;
@@ -26595,10 +27257,17 @@ function looksBinary(buffer) {
 
 // src/tools/write-file.ts
 import { mkdir as mkdir10, readFile as readFile11, writeFile as writeFile9 } from "node:fs/promises";
-import path23 from "node:path";
+import path24 from "node:path";
 var writeFileTool = {
   name: "write_file",
   description: "Create or replace a text file inside the workspace.",
+  metadata: {
+    category: "workspace.write",
+    categoryPath: ["workspace", "write"],
+    sideEffect: "workspace",
+    defaultDecision: "ask",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -26610,10 +27279,10 @@ var writeFileTool = {
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "write_file");
-    const filePath = resolveInsideCwd(ctx.cwd, stringField(object2, "path"));
-    const content = stringField(object2, "content", { allowEmpty: true });
+    const filePath = resolveInsideCwd(ctx.cwd, stringField2(object2, "path"));
+    const content = stringField2(object2, "content", { allowEmpty: true });
     const before = await readOptionalTextFile(filePath);
-    await mkdir10(path23.dirname(filePath), { recursive: true });
+    await mkdir10(path24.dirname(filePath), { recursive: true });
     await writeFile9(filePath, content, "utf8");
     const relative = relativeToCwd(ctx.cwd, filePath);
     const diff = createTextDiff(before, content, relative);
@@ -26642,6 +27311,13 @@ import { readFile as readFile12, writeFile as writeFile10 } from "node:fs/promis
 var editFileTool = {
   name: "edit_file",
   description: "Replace an exact string in a text file inside the workspace.",
+  metadata: {
+    category: "workspace.write",
+    categoryPath: ["workspace", "write"],
+    sideEffect: "workspace",
+    defaultDecision: "ask",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -26655,9 +27331,9 @@ var editFileTool = {
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "edit_file");
-    const filePath = resolveInsideCwd(ctx.cwd, stringField(object2, "path"));
-    const oldString = stringField(object2, "oldString");
-    const newString = stringField(object2, "newString", { allowEmpty: true });
+    const filePath = resolveInsideCwd(ctx.cwd, stringField2(object2, "path"));
+    const oldString = stringField2(object2, "oldString");
+    const newString = stringField2(object2, "newString", { allowEmpty: true });
     const replaceAll = optionalBooleanField(object2, "replaceAll") ?? false;
     if (oldString === newString) throw new Error("oldString and newString must be different");
     const before = await readFile12(filePath, "utf8");
@@ -26689,7 +27365,7 @@ function countMatches(text, needle) {
 
 // src/tools/bash.ts
 import { spawn as spawn5 } from "node:child_process";
-import path25 from "node:path";
+import path26 from "node:path";
 
 // src/sandbox/env-only.ts
 function buildEnvOnlyLaunch(command, config) {
@@ -26749,7 +27425,7 @@ function bwrapPath() {
 
 // src/sandbox/macos.ts
 import { existsSync as existsSync3 } from "node:fs";
-import path24 from "node:path";
+import path25 from "node:path";
 function canUseMacOSSandbox() {
   return process.platform === "darwin" && existsSync3("/usr/bin/sandbox-exec");
 }
@@ -26775,7 +27451,7 @@ function macosProfile(cwd, config) {
   }
   if (mode === "workspace-write") {
     lines.push("(deny file-write*)");
-    lines.push(`(allow file-write* (subpath "${escapeProfilePath(path24.resolve(cwd))}"))`);
+    lines.push(`(allow file-write* (subpath "${escapeProfilePath(path25.resolve(cwd))}"))`);
     lines.push('(allow file-write* (subpath "/tmp"))');
     lines.push('(allow file-write* (subpath "/private/tmp"))');
     lines.push('(allow file-write* (subpath "/private/var/folders"))');
@@ -26805,6 +27481,13 @@ var MAX_TIMEOUT_MS = 6e5;
 var bashTool = {
   name: "bash",
   description: "Run a shell command inside the workspace.",
+  metadata: {
+    category: "process.shell",
+    categoryPath: ["process", "shell"],
+    sideEffect: "process",
+    defaultDecision: "ask",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -26817,7 +27500,7 @@ var bashTool = {
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "bash");
-    const command = stringField(object2, "command");
+    const command = stringField2(object2, "command");
     const workdirInput = optionalStringField(object2, "workdir");
     const workdir = workdirInput ? resolveInsideCwd(ctx.cwd, workdirInput) : ctx.cwd;
     const requestedTimeout = optionalNumberField(object2, "timeoutMs");
@@ -26837,7 +27520,7 @@ ${result.stderr}` : ""
     ].filter(Boolean).join("\n");
     return ok(content, {
       command,
-      workdir: path25.relative(ctx.cwd, workdir) || ".",
+      workdir: path26.relative(ctx.cwd, workdir) || ".",
       exitCode: result.exitCode,
       signal: result.signal,
       timedOut: result.timedOut,
@@ -26890,11 +27573,18 @@ function runCommand(command, cwd, timeoutMs, signal, sandbox = { mode: "workspac
 // src/tools/grep.ts
 import { spawn as spawn6 } from "node:child_process";
 import { readdir as readdir2, readFile as readFile13, stat as stat6 } from "node:fs/promises";
-import path26 from "node:path";
+import path27 from "node:path";
 var MAX_MATCHES = 200;
 var grepTool = {
   name: "grep",
   description: "Search text files inside the workspace. Uses rg when available.",
+  metadata: {
+    category: "workspace.search",
+    categoryPath: ["workspace", "search"],
+    sideEffect: "none",
+    defaultDecision: "allow",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -26907,7 +27597,7 @@ var grepTool = {
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "grep");
-    const pattern = stringField(object2, "pattern");
+    const pattern = stringField2(object2, "pattern");
     const baseInput = optionalStringField(object2, "path");
     const glob = optionalStringField(object2, "glob");
     const base = baseInput ? resolveInsideCwd(ctx.cwd, baseInput) : ctx.cwd;
@@ -26965,7 +27655,7 @@ function runRg(cwd, base, pattern, glob, signal) {
 }
 function rewriteRgPath(cwd, line) {
   const [file, rest] = splitFirst(line, ":");
-  if (!path26.isAbsolute(file)) return line;
+  if (!path27.isAbsolute(file)) return line;
   return `${relativeToCwd(cwd, file)}:${rest}`;
 }
 function splitFirst(value, delimiter) {
@@ -26982,7 +27672,7 @@ async function fallbackSearch(cwd, base, pattern, glob) {
     if (isIgnoredPath(relative)) return;
     const info = await stat6(item);
     if (info.isDirectory()) {
-      for (const entry of await readdir2(item)) await walk2(path26.join(item, entry));
+      for (const entry of await readdir2(item)) await walk2(path27.join(item, entry));
       return;
     }
     if (glob && !matchGlob(glob, relative)) return;
@@ -27001,11 +27691,18 @@ async function fallbackSearch(cwd, base, pattern, glob) {
 
 // src/tools/glob.ts
 import { readdir as readdir3, stat as stat7 } from "node:fs/promises";
-import path27 from "node:path";
+import path28 from "node:path";
 var MAX_PATHS = 1e3;
 var globTool = {
   name: "glob",
   description: "Find paths inside the workspace using a glob pattern.",
+  metadata: {
+    category: "workspace.search",
+    categoryPath: ["workspace", "search"],
+    sideEffect: "none",
+    defaultDecision: "allow",
+    trust: "builtin"
+  },
   inputSchema: {
     type: "object",
     additionalProperties: false,
@@ -27017,7 +27714,7 @@ var globTool = {
   },
   async execute(input2, ctx) {
     const object2 = assertObject(input2, "glob");
-    const pattern = stringField(object2, "pattern");
+    const pattern = stringField2(object2, "pattern");
     const base = optionalStringField(object2, "path");
     const root = base ? resolveInsideCwd(ctx.cwd, base) : ctx.cwd;
     const found = await collectPaths(ctx.cwd, root, pattern);
@@ -27033,7 +27730,7 @@ async function collectPaths(cwd, root, pattern) {
   async function walk2(dir) {
     const entries = await readdir3(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const absolute = path27.join(dir, entry.name);
+      const absolute = path28.join(dir, entry.name);
       const relative = relativeToCwd(cwd, absolute);
       if (isIgnoredPath(relative)) continue;
       const info = await stat7(absolute);
@@ -27050,6 +27747,8 @@ var updatePlanTool = {
   name: "update_plan",
   description: "Create or update the visible work plan for the current user goal. Write title, summary, step titles, and details in the user's language; for Korean requests, use Korean user-facing text. Keep step ids, code identifiers, paths, commands, and tool names unchanged. Non-empty plans always end with a final review and verification step.",
   metadata: {
+    category: "planning.progress",
+    categoryPath: ["planning", "progress"],
     sideEffect: "none",
     defaultDecision: "allow",
     trust: "builtin"
@@ -27089,7 +27788,7 @@ function stepProperties() {
   return {
     id: { type: "string", maxLength: 64 },
     title: { type: "string" },
-    status: { type: "string", enum: ["pending", "in_progress", "completed", "blocked", "skipped", "failed"] },
+    status: { type: "string", enum: ["pending", "in_progress", "completed", "blocked", "skipped", "failed", "cancelled"] },
     detail: { type: "string" },
     agent: { type: "string" }
   };
@@ -27098,8 +27797,10 @@ function stepProperties() {
 // src/tools/report-progress.ts
 var reportProgressTool = {
   name: "report_progress",
-  description: "Report a short user-facing progress update for the current work plan. Write the message in the user's language; for Korean requests, use Korean while keeping code identifiers, paths, commands, and tool names unchanged.",
+  description: "Report a conversational user-facing progress update for the current work plan. Use it before starting non-trivial tool-heavy work, at meaningful phase changes, and after important evidence so the user understands what is happening. Write 1-3 natural sentences in the user's language that explain what you are doing, what you learned or why it matters, and what you will do next. Do not list raw tool names, command output, file previews, or status fields; those details are already available in the execution accordion. Mention specific code identifiers, paths, commands, or tool names only when they are essential to the user's understanding. For Korean requests, use Korean \uC874\uB313\uB9D0 while keeping necessary identifiers unchanged. Set showInTimeline=true for major phase changes or any longer tool-using work.",
   metadata: {
+    category: "planning.progress",
+    categoryPath: ["planning", "progress"],
     sideEffect: "none",
     defaultDecision: "allow",
     trust: "builtin"
@@ -27130,6 +27831,13 @@ function createWebSearchTool(config = defaultConfig.webSearch, fetcher = fetch)
   return {
     name: "web_search",
     description: "Search the web using the configured Brave, Tavily, or Exa web search provider.",
+    metadata: {
+      category: "research.web",
+      categoryPath: ["research", "web"],
+      sideEffect: "network",
+      defaultDecision: "ask",
+      trust: "builtin"
+    },
     inputSchema: {
       type: "object",
       additionalProperties: false,
@@ -27149,7 +27857,7 @@ function createWebSearchTool(config = defaultConfig.webSearch, fetcher = fetch)
     },
     async execute(input2, ctx) {
       const object2 = assertObject(input2, "web_search");
-      const query = stringField(object2, "query");
+      const query = stringField2(object2, "query");
       const provider = providerField(object2, config.defaultProvider);
       const maxResults = optionalNumberField(object2, "maxResults");
       if (provider === "brave") return runBraveSearch(config.providers.brave, { query, maxResults, fetcher, signal: ctx.signal });
@@ -27359,6 +28067,8 @@ var getGoalTool = {
     return ctx.goals.getGoal();
   },
   metadata: {
+    category: "goal.state",
+    categoryPath: ["goal", "state"],
     sideEffect: "none",
     defaultDecision: "allow",
     trust: "builtin"
@@ -27380,6 +28090,8 @@ var createGoalTool = {
     return ctx.goals.createGoal(input2);
   },
   metadata: {
+    category: "goal.state",
+    categoryPath: ["goal", "state"],
     sideEffect: "workspace",
     defaultDecision: "allow",
     trust: "builtin"
@@ -27401,6 +28113,8 @@ var updateGoalTool = {
     return ctx.goals.updateGoal(input2);
   },
   metadata: {
+    category: "goal.state",
+    categoryPath: ["goal", "state"],
     sideEffect: "workspace",
     defaultDecision: "allow",
     trust: "builtin"
@@ -27484,6 +28198,9 @@ function validateToolName(name) {
 }
 
 // src/session.ts
+function relaxedToolUseRoundLimit(maxTurns) {
+  return Math.max((maxTurns ?? 25) * 20, 200);
+}
 var SessionRunner = class {
   sessionId;
   events;
@@ -27541,9 +28258,28 @@ var SessionRunner = class {
     });
     const messages = [{ role: "system", content: buildSystemPrompt(options.agent, envInfo) }, ...options.history ?? [], { role: "user", content: userContent }];
     this.emit({ type: "user.message", sessionId: this.sessionId, text: options.displayPrompt ?? options.prompt, ts: now(), ...this.eventContext() });
+    this.reportSessionKickoff();
     await this.#hooks.dispatch("UserPromptSubmit", this.hookBase());
     const maxTurns = options.maxTurns ?? 25;
-    for (let turn = 0; turn < maxTurns; turn++) {
+    const countToolUseTurns = options.countToolUseTurns === true;
+    const maxToolUseRounds = options.maxToolUseRounds ?? relaxedToolUseRoundLimit(maxTurns);
+    let countedTurns = 0;
+    let toolUseRounds = 0;
+    let countedTaskScope = this.#progress.activeStepId() ?? "__session__";
+    const refreshTaskScope = () => {
+      const taskScope = this.#progress.activeStepId() ?? "__session__";
+      if (taskScope === countedTaskScope) return;
+      countedTaskScope = taskScope;
+      countedTurns = 0;
+    };
+    for (; ; ) {
+      if (countToolUseTurns) refreshTaskScope();
+      if (countToolUseTurns && countedTurns >= maxTurns) {
+        return this.end(messages, `Stopped after reaching maxTurns (${maxTurns}).`, "max_turns");
+      }
+      if (!countToolUseTurns && toolUseRounds >= maxToolUseRounds) {
+        return this.end(messages, `Stopped after reaching tool-use safety limit (${maxToolUseRounds}) before producing a final answer.`, "tool_loop_limit");
+      }
       await this.#hooks.dispatch("BeforeModelRequest", this.hookBase());
       const tools = this.#tools.list();
       const compiled = compileMessagesForContext(messages, tools, options.context);
@@ -27621,12 +28357,17 @@ var SessionRunner = class {
       if (toolCalls.length === 0) {
         return this.end(messages, assistant.content ?? "", "end_turn");
       }
+      if (countToolUseTurns) {
+        refreshTaskScope();
+        countedTurns++;
+      } else {
+        toolUseRounds++;
+      }
       for (const call of toolCalls) {
         const toolMessage = await this.runToolCall(call);
         messages.push(toolMessage);
       }
     }
-    return this.end(messages, `Stopped after reaching maxTurns (${maxTurns}).`, "max_turns");
   }
   async applyAfterModelHooks(message) {
     const results = await this.#hooks.dispatch("AfterModelResponse", {
@@ -27689,15 +28430,7 @@ var SessionRunner = class {
       return toToolMessage(call, result);
     }
     if (evaluation.decision === "ask") {
-      this.emit({ type: "permission.requested", sessionId: this.sessionId, callId: call.id, tool: call.name, decision: "ask", targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
-      this.emitGoalToolEvent(call, "permission");
-      await this.#hooks.dispatch("PermissionRequest", {
-        ...this.hookBase(),
-        callId: call.id,
-        toolName: call.name,
-        toolInput: input2
-      });
-      const answer = await (this.#options.permissionPrompt ?? ((req) => askPermission(req, { yes: this.#options.yes })))({
+      const permissionRequest = {
         tool: call.name,
         input: input2,
         actor: this.#options.agent.name,
@@ -27705,16 +28438,33 @@ var SessionRunner = class {
         targetName: call.name,
         proposedDecision: "ask",
         reason: evaluation.reason
-      });
-      if (answer.decision !== "allow") {
-        this.emit({ type: "permission.denied", sessionId: this.sessionId, callId: call.id, tool: call.name, reason: answer.reason, targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
+      };
+      const automatic = await this.#options.autoPermission?.(permissionRequest);
+      if (automatic?.decision === "deny") {
+        this.emit({ type: "permission.denied", sessionId: this.sessionId, callId: call.id, tool: call.name, reason: automatic.reason, targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
         this.emitGoalToolEvent(call, "denied");
-        return toToolMessage(call, toolFailure(`Permission denied${answer.reason ? `: ${answer.reason}` : ""}`));
-      }
-      if (answer.always) {
-        this.#grants.add(evaluation.grantKey);
-        await this.#persistentStore?.add(this.#options.cwd, evaluation.grantKey);
-        this.emit({ type: "permission.granted", sessionId: this.sessionId, callId: call.id, key: evaluation.grantKey, targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
+        return toToolMessage(call, toolFailure(`Permission denied${automatic.reason ? `: ${automatic.reason}` : ""}`));
+      }
+      if (automatic?.decision !== "allow") {
+        this.emit({ type: "permission.requested", sessionId: this.sessionId, callId: call.id, tool: call.name, decision: "ask", targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
+        this.emitGoalToolEvent(call, "permission");
+        await this.#hooks.dispatch("PermissionRequest", {
+          ...this.hookBase(),
+          callId: call.id,
+          toolName: call.name,
+          toolInput: input2
+        });
+        const answer = await (this.#options.permissionPrompt ?? ((req) => askPermission(req, { yes: this.#options.yes })))(permissionRequest);
+        if (answer.decision !== "allow") {
+          this.emit({ type: "permission.denied", sessionId: this.sessionId, callId: call.id, tool: call.name, reason: answer.reason, targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
+          this.emitGoalToolEvent(call, "denied");
+          return toToolMessage(call, toolFailure(`Permission denied${answer.reason ? `: ${answer.reason}` : ""}`));
+        }
+        if (answer.always) {
+          this.#grants.add(evaluation.grantKey);
+          await this.#persistentStore?.add(this.#options.cwd, evaluation.grantKey);
+          this.emit({ type: "permission.granted", sessionId: this.sessionId, callId: call.id, key: evaluation.grantKey, targetType: "tool", targetName: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
+        }
       }
     }
     this.emit({ type: "tool.started", sessionId: this.sessionId, callId: call.id, name: call.name, agent: this.#options.agent.name, ts: now(), ...this.eventContext() });
@@ -27729,7 +28479,7 @@ var SessionRunner = class {
         cwd: this.#options.cwd,
         signal: this.#controller.signal,
         emit: (event) => this.emit(event),
-        ask: (req) => (this.#options.permissionPrompt ?? ((request) => askPermission(request, { yes: this.#options.yes })))(req),
+        ask: async (req) => await this.#options.autoPermission?.(req) ?? (this.#options.permissionPrompt ?? ((request) => askPermission(request, { yes: this.#options.yes })))(req),
         dryRun: this.#options.dryRun,
         sandbox: this.#options.sandbox,
         rootSessionId: this.#options.rootSessionId,
@@ -27769,15 +28519,18 @@ var SessionRunner = class {
     }
   }
   async end(messages, finalAnswer, reason) {
+    const answer = reason === "end_turn" ? finalAnswer : terminalFinalAnswer(finalAnswer, reason, this.#progress.snapshot());
+    const returnedMessages = reason === "end_turn" ? messages : [...messages, { role: "assistant", content: answer }];
     await this.#hooks.dispatch("Stop", this.hookBase());
     await this.#hooks.dispatch("SessionEnd", this.hookBase());
     this.completeGoalWorkGroup();
     this.emit({ type: "session.ended", sessionId: this.sessionId, reason, ts: now(), ...this.eventContext() });
+    if (reason !== "end_turn" && answer.trim()) this.emit({ type: "model.text", sessionId: this.sessionId, text: answer, ts: now(), ...this.eventContext() });
     await this.#transcript.flush();
     return {
       sessionId: this.sessionId,
-      finalAnswer,
-      messages,
+      finalAnswer: answer,
+      messages: returnedMessages,
       endReason: reason,
       usage: { ...this.#usage }
     };
@@ -27885,6 +28638,24 @@ var SessionRunner = class {
       activeStepId: () => this.#progress.activeStepId()
     };
   }
+  reportSessionKickoff() {
+    if (this.#options.parentInvocationId) return;
+    const message = sessionKickoffMessage(this.#options.displayPrompt ?? this.#options.prompt);
+    if (!message) return;
+    const result = this.#progress.report(
+      { message, level: "info", showInTimeline: true },
+      {
+        sessionId: this.sessionId,
+        agent: this.#options.agent.name,
+        rootSessionId: this.#options.rootSessionId,
+        agentSessionId: this.#options.agentSessionId,
+        invocationId: this.#options.invocationId,
+        parentInvocationId: this.#options.parentInvocationId,
+        agentPath: this.#options.agentPath
+      }
+    );
+    for (const event of result.events) this.emit(event);
+  }
   eventContext() {
     return {
       rootSessionId: this.#options.rootSessionId,
@@ -27968,6 +28739,134 @@ function normalizeDiffContent(value) {
     after: typeof after === "string" ? after : void 0
   };
 }
+function sessionKickoffMessage(prompt) {
+  const normalized = prompt.replace(/^\/\w+\s*/, "").trim();
+  if (isCasualPrompt(normalized) || isSimpleQuestionPrompt(normalized)) return void 0;
+  const isKorean = /[가-힣]/.test(normalized);
+  if (isKorean) {
+    if (/(수정|고쳐|개선|변경|추가|삭제|구현|반영|업데이트|만들|작성|전환|마이그레이션)/.test(normalized)) {
+      return "\uBA3C\uC800 \uAD00\uB828 \uB3D9\uC791\uC774 \uC5B4\uB514\uC5D0\uC11C \uB9CC\uB4E4\uC5B4\uC9C0\uB294\uC9C0\uC640 \uC601\uD5A5 \uBC94\uC704\uB97C \uD655\uC778\uD55C \uB4A4, \uD544\uC694\uD55C \uBCC0\uACBD\uC744 \uC791\uC740 \uB2E8\uC704\uB85C \uC9C4\uD589\uD558\uACA0\uC2B5\uB2C8\uB2E4. \uD655\uC778\uD55C \uB0B4\uC6A9\uC774 \uB2E4\uC74C \uC218\uC815\uC5D0 \uC5B4\uB5A4 \uC758\uBBF8\uAC00 \uC788\uB294\uC9C0\uB3C4 \uC911\uAC04\uC911\uAC04 \uC815\uB9AC\uD574 \uB4DC\uB9AC\uACA0\uC2B5\uB2C8\uB2E4.";
+    }
+    if (/(테스트|검증|확인|재현|실행|빌드|publish|배포)/i.test(normalized)) {
+      return "\uBA3C\uC800 \uD604\uC7AC \uC0C1\uD0DC\uC640 \uC7AC\uD604 \uC870\uAC74\uC744 \uD655\uC778\uD558\uACE0, \uACB0\uACFC\uAC00 \uC758\uBBF8\uD558\uB294 \uBC14\uB97C \uC815\uB9AC\uD558\uBA74\uC11C \uD544\uC694\uD55C \uD6C4\uC18D \uC870\uCE58\uB97C \uC774\uC5B4\uAC00\uACA0\uC2B5\uB2C8\uB2E4.";
+    }
+    if (/(설명|분석|검토|원인|왜|찾아|알려|파악)/.test(normalized)) {
+      return "\uBA3C\uC800 \uC694\uCCAD\uC758 \uD575\uC2EC \uC9C8\uBB38\uC744 \uC881\uD788\uACE0, \uADFC\uAC70\uAC00 \uB420 \uB9CC\uD55C \uAD6C\uC870\uC640 \uD750\uB984\uC744 \uD655\uC778\uD55C \uB4A4 \uC774\uD574\uD558\uAE30 \uC26C\uC6B4 \uB2F5\uC73C\uB85C \uC815\uB9AC\uD558\uACA0\uC2B5\uB2C8\uB2E4.";
+    }
+    return "\uBA3C\uC800 \uC694\uCCAD\uC758 \uC758\uB3C4\uB97C \uD655\uC778\uD558\uACE0, \uD544\uC694\uD55C \uB9E5\uB77D\uC744 \uC0B4\uD3B4\uBCF8 \uB4A4 \uB2E4\uC74C\uC5D0 \uD560 \uC77C\uC744 \uC815\uB9AC\uD558\uBA74\uC11C \uC774\uC5B4\uAC00\uACA0\uC2B5\uB2C8\uB2E4.";
+  }
+  if (/\b(fix|change|update|add|delete|remove|implement|write|create|migrate|refactor)\b/i.test(normalized)) {
+    return "I\u2019ll first locate the relevant behavior and check the impact area, then make the change in small, verifiable steps while sharing what each finding means.";
+  }
+  if (/\b(test|verify|check|reproduce|run|build|publish|deploy)\b/i.test(normalized)) {
+    return "I\u2019ll first check the current state and reproduction path, then explain what the result means before moving to the next step.";
+  }
+  if (/\b(explain|analyze|review|why|find|investigate|inspect)\b/i.test(normalized)) {
+    return "I\u2019ll narrow the main question first, inspect the evidence that matters, and then summarize the answer in a way that is easy to act on.";
+  }
+  return "I\u2019ll first clarify the shape of the request, then work through the relevant context and share useful updates as I go.";
+}
+function isCasualPrompt(prompt) {
+  const compact = prompt.toLowerCase().replace(/[\s.!?。！？~…"'`]+/g, "");
+  if (!compact) return true;
+  const casual = /* @__PURE__ */ new Set([
+    "hi",
+    "hello",
+    "hey",
+    "yo",
+    "ok",
+    "okay",
+    "thanks",
+    "thankyou",
+    "\uC548\uB155",
+    "\uC548\uB155\uD558\uC138\uC694",
+    "\uD558\uC774",
+    "\uD5EC\uB85C",
+    "\uACE0\uB9C8\uC6CC",
+    "\uACE0\uB9D9\uC2B5\uB2C8\uB2E4",
+    "\uAC10\uC0AC\uD569\uB2C8\uB2E4",
+    "\uAC10\uC0AC",
+    "\uC88B\uC544",
+    "\uB124",
+    "\uC751",
+    "\u3147\u314B"
+  ]);
+  return casual.has(compact) || compact.length <= 12 && /^(hi|hello|hey|안녕|안녕하세요|하이)/.test(compact);
+}
+function isSimpleQuestionPrompt(prompt) {
+  const trimmed = prompt.trim();
+  if (trimmed.length > 80) return false;
+  const hasTaskVerb = /(수정|고쳐|개선|변경|추가|삭제|구현|반영|업데이트|만들|작성|전환|마이그레이션|테스트|검증|확인|재현|실행|빌드|분석|검토|찾아|파악|설명해|알려줘|fix|change|update|add|delete|remove|implement|write|create|migrate|refactor|test|verify|check|reproduce|run|build|analyze|review|find|inspect|explain)/i.test(
+    trimmed
+  );
+  if (hasTaskVerb) return false;
+  return /[?？]$/.test(trimmed) || /(뭐야|무엇|누구|언제|어디|어떻게|왜|맞아)$/.test(trimmed);
+}
+function terminalFinalAnswer(finalAnswer, reason, progress) {
+  const lines = ["\uC791\uC5C5\uC774 \uC885\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.", "", `\uC885\uB8CC \uC774\uC720: ${terminalReasonText(reason)}`];
+  const runtimeMessage = finalAnswer.trim();
+  if (runtimeMessage && runtimeMessage !== terminalReasonText(reason)) lines.push(`\uB9C8\uC9C0\uB9C9 \uB7F0\uD0C0\uC784 \uBA54\uC2DC\uC9C0: ${runtimeMessage}`);
+  lines.push("", "\uD604\uC7AC\uAE4C\uC9C0 \uC9C4\uD589\uD55C \uB0B4\uC6A9\uC740 \uC544\uB798\uC640 \uAC19\uC2B5\uB2C8\uB2E4.");
+  const plan = progress.plan;
+  if (plan) {
+    lines.push("", ...planSummaryLines(plan));
+  } else {
+    lines.push("", "- \uC544\uC9C1 \uBA85\uC2DC\uC801\uC778 plan\uC740 \uB9CC\uB4E4\uC5B4\uC9C0\uC9C0 \uC54A\uC558\uC2B5\uB2C8\uB2E4.");
+  }
+  const notes = progress.notes.slice(-3);
+  if (notes.length > 0) {
+    lines.push("", "\uCD5C\uADFC \uC911\uAC04 \uBCF4\uACE0:");
+    for (const note of notes) lines.push(`- ${note.message}`);
+  }
+  lines.push("", terminalNextStepText(reason));
+  return lines.join("\n");
+}
+function planSummaryLines(plan) {
+  const lines = [`Plan: ${plan.title ?? "\uC791\uC5C5 \uACC4\uD68D"}`];
+  if (plan.summary) lines.push(`\uC694\uC57D: ${plan.summary}`);
+  const counts = countSteps(plan.steps);
+  lines.push(
+    `\uC9C4\uD589 \uC0C1\uD0DC: \uC644\uB8CC ${counts.completed + counts.skipped}\uAC1C, \uC9C4\uD589 \uC911 ${counts.in_progress}\uAC1C, \uB300\uAE30 ${counts.pending}\uAC1C, \uC2E4\uD328/\uCC28\uB2E8 ${counts.failed + counts.blocked + counts.cancelled}\uAC1C\uC785\uB2C8\uB2E4.`
+  );
+  const completed = plan.steps.filter((step) => step.status === "completed" || step.status === "skipped").slice(-3);
+  if (completed.length > 0) lines.push(`\uC644\uB8CC\uD55C \uC791\uC5C5: ${completed.map(formatStep).join("; ")}`);
+  const active = plan.steps.filter((step) => step.status === "in_progress");
+  if (active.length > 0) lines.push(`\uC9C4\uD589 \uC911\uC774\uB358 \uC791\uC5C5: ${active.map(formatStep).join("; ")}`);
+  const unresolved = plan.steps.filter((step) => step.status === "pending" || step.status === "failed" || step.status === "blocked" || step.status === "cancelled").slice(0, 4);
+  if (unresolved.length > 0) lines.push(`\uB0A8\uC740 \uC791\uC5C5: ${unresolved.map(formatStep).join("; ")}`);
+  return lines;
+}
+function countSteps(steps) {
+  const counts = {
+    pending: 0,
+    in_progress: 0,
+    completed: 0,
+    blocked: 0,
+    skipped: 0,
+    failed: 0,
+    cancelled: 0
+  };
+  for (const step of steps) counts[step.status] += 1;
+  return counts;
+}
+function formatStep(step) {
+  const detail = step.detail ? ` (${preview(step.detail.replace(/\s+/g, " "), 120)})` : "";
+  return `${step.title}${detail}`;
+}
+function terminalReasonText(reason) {
+  if (reason === "max_turns") return "\uC0C1\uC704 task turn \uD55C\uB3C4\uC5D0 \uB3C4\uB2EC\uD588\uC2B5\uB2C8\uB2E4.";
+  if (reason === "tool_loop_limit") return "\uB3C4\uAD6C \uC0AC\uC6A9 \uB77C\uC6B4\uB4DC\uAC00 \uB0B4\uBD80 \uC548\uC804 \uD55C\uB3C4\uC5D0 \uB3C4\uB2EC\uD588\uC2B5\uB2C8\uB2E4.";
+  if (reason === "content_filter") return "\uC81C\uACF5\uC790\uC758 \uC548\uC804 \uD544\uD130\uB85C \uC751\uB2F5\uC774 \uCC28\uB2E8\uB418\uC5C8\uC2B5\uB2C8\uB2E4.";
+  if (reason === "cancelled") return "\uC0AC\uC6A9\uC790 \uC694\uCCAD \uB610\uB294 \uB7F0\uD0C0\uC784 \uC911\uB2E8\uC73C\uB85C \uCDE8\uC18C\uB418\uC5C8\uC2B5\uB2C8\uB2E4.";
+  if (reason === "error") return "\uB7F0\uD0C0\uC784 \uC624\uB958\uAC00 \uBC1C\uC0DD\uD588\uC2B5\uB2C8\uB2E4.";
+  return `${reason} \uC0C1\uD0DC\uB85C \uC885\uB8CC\uB418\uC5C8\uC2B5\uB2C8\uB2E4.`;
+}
+function terminalNextStepText(reason) {
+  if (reason === "tool_loop_limit") return "\uC774\uC5B4\uC11C \uC9C4\uD589\uD558\uB824\uBA74 \uC774\uBBF8 \uD655\uC778\uD55C \uD30C\uC77C\uACFC \uB2E4\uC74C \uD655\uC778 \uBC94\uC704\uB97C \uAE30\uC900\uC73C\uB85C \uB3C4\uAD6C \uC0AC\uC6A9 \uBC94\uC704\uB97C \uC870\uAE08 \uB354 \uC881\uD600 \uB2E4\uC2DC \uC2DC\uB3C4\uD558\uACA0\uC2B5\uB2C8\uB2E4.";
+  if (reason === "max_turns") return "\uC774\uC5B4\uC11C \uC9C4\uD589\uD558\uB824\uBA74 \uAC19\uC740 \uC694\uCCAD\uC744 \uB2E4\uC2DC \uBCF4\uB0B4\uAC70\uB098, plan\uC758 \uD604\uC7AC task\uB97C \uB354 \uC791\uAC8C \uB098\uB204\uC5B4 \uB04A\uAE34 \uC9C0\uC810\uBD80\uD130 \uACC4\uC18D \uC9C4\uD589\uD558\uACA0\uC2B5\uB2C8\uB2E4.";
+  if (reason === "content_filter") return "\uC774\uC5B4\uC11C \uC9C4\uD589\uD558\uB824\uBA74 \uC694\uCCAD \uD45C\uD604\uC774\uB098 \uBC94\uC704\uB97C \uC870\uC815\uD55C \uB4A4 \uC548\uC804\uD558\uAC8C \uB2F5\uBCC0 \uAC00\uB2A5\uD55C \uD615\uD0DC\uB85C \uB2E4\uC2DC \uC2DC\uB3C4\uD558\uACA0\uC2B5\uB2C8\uB2E4.";
+  return "\uC774\uC5B4\uC11C \uC9C4\uD589\uD558\uBA74 \uC704 \uC9C4\uD589 \uC0C1\uD0DC\uB97C \uAE30\uC900\uC73C\uB85C \uB0A8\uC740 \uC791\uC5C5\uBD80\uD130 \uB2E4\uC2DC \uD655\uC778\uD558\uACA0\uC2B5\uB2C8\uB2E4.";
+}
 function toolFailure(content) {
   return { ok: false, content };
 }
@@ -28000,11 +28899,15 @@ async function runExecutionSession(options) {
     providerName: options.providerName,
     model: options.backend.model,
     agent: options.agent,
+    maxTurns: options.countToolUseTurns === true ? options.maxTurns : null,
     yes: options.yes,
     transcript: options.transcript,
     signal: options.signal,
     eventBus: options.eventBus,
     permissionPrompt: options.permissionPrompt,
+    autoPermission: options.autoPermission,
+    persistentGrants: options.persistentGrants,
+    grants: options.grants,
     transcriptWriter: options.transcriptWriter,
     transcriptSessionId: options.transcriptSessionId,
     rootSessionId: options.rootSessionId,
@@ -28022,6 +28925,73 @@ async function runExecutionSession(options) {
   }).run();
 }
 
+// src/permissions/auto-agent.ts
+function createAutoPermissionAgent(options) {
+  return async (request) => {
+    const command = bashCommandFromRequest(request);
+    if (!command || !isPotentiallyReadOnlyShellCommand(command)) return void 0;
+    const result = await classifyWithAgent(command, request, options).catch(() => void 0);
+    if (!result || result.decision !== "allow" || result.confidence < 0.85) return void 0;
+    return { decision: "allow", reason: `auto permission judge: ${preview(result.reason, 160)}` };
+  };
+}
+function bashCommandFromRequest(request) {
+  const toolName = (request.qualifiedName ?? request.tool).split(".").at(-1)?.toLowerCase();
+  if (toolName !== "bash") return void 0;
+  const input2 = request.input && typeof request.input === "object" && !Array.isArray(request.input) ? request.input : {};
+  return typeof input2.command === "string" ? input2.command : void 0;
+}
+async function classifyWithAgent(command, request, options) {
+  const response = await options.provider.chat({
+    model: options.model,
+    tools: [],
+    maxTokens: 180,
+    temperature: 0,
+    signal: permissionSignal(options.signal, options.timeoutMs ?? 4e3),
+    messages: [
+      {
+        role: "system",
+        content: [
+          "You are Demian's internal permission judge.",
+          "Classify whether a shell command is safe to auto-allow without asking the user.",
+          "Allow only commands that are clearly read-only, inspect local workspace state, and do not write files, mutate git state, install packages, start long-running services, send network requests, change permissions, or execute nested commands.",
+          "If there is any uncertainty, choose ask. Never choose allow just because the command seems common.",
+          'Return only compact JSON with this shape: {"decision":"allow"|"ask","confidence":0..1,"reason":"short reason"}.'
+        ].join(" ")
+      },
+      {
+        role: "user",
+        content: JSON.stringify({
+          cwd: options.cwd,
+          tool: request.qualifiedName ?? request.tool,
+          actor: request.actor,
+          command
+        })
+      }
+    ]
+  });
+  return parseJudgeResponse(response.message.content);
+}
+function permissionSignal(parent, timeoutMs) {
+  const timeout = AbortSignal.timeout(timeoutMs);
+  return parent ? AbortSignal.any([parent, timeout]) : timeout;
+}
+function parseJudgeResponse(content) {
+  if (!content) return void 0;
+  const json = content.match(/\{[\s\S]*\}/)?.[0];
+  if (!json) return void 0;
+  try {
+    const parsed = JSON.parse(json);
+    const decision = parsed.decision === "allow" ? "allow" : parsed.decision === "ask" ? "ask" : void 0;
+    const confidence = typeof parsed.confidence === "number" ? parsed.confidence : Number(parsed.confidence);
+    const reason = typeof parsed.reason === "string" ? parsed.reason.trim() : "";
+    if (!decision || !Number.isFinite(confidence) || confidence < 0 || confidence > 1 || !reason) return void 0;
+    return { decision, confidence, reason };
+  } catch {
+    return void 0;
+  }
+}
+
 // src/tools/cowork.ts
 function createCoworkTool(options) {
   const coworkAgentNames = options.agents.coworkable().map((agent) => agent.name);
@@ -28029,6 +28999,13 @@ function createCoworkTool(options) {
   return {
     name: "cowork",
     description: "Run multiple bounded Demian cowork agents and return their combined result. members[].agent must be an exact cowork agent name, not the current parent agent.",
+    metadata: {
+      category: "orchestration.cowork",
+      categoryPath: ["orchestration", "cowork"],
+      sideEffect: "external",
+      defaultDecision: options.config.defaultInvocationDecision,
+      trust: "builtin"
+    },
     inputSchema: {
       type: "object",
       properties: {
@@ -28043,6 +29020,9 @@ function createCoworkTool(options) {
             properties: {
               id: { type: "string", pattern: "^[a-z0-9_-]{1,32}$" },
               agent: { type: "string", enum: coworkAgentNames, description: agentDescription },
+              provider: { type: "string", description: "Optional provider override. Must be listed in cowork.providers." },
+              model: { type: "string", description: "Optional model display name or raw model id for this member's provider." },
+              modelProfileName: { type: "string", description: "Optional stable model profile name for this member's provider." },
               task: { type: "string" },
               dependsOn: { type: "array", items: { type: "string" } },
               role: { type: "string" },
@@ -28053,7 +29033,7 @@ function createCoworkTool(options) {
               constraints: { type: "array", items: { type: "string" } },
               expectedOutput: { type: "string" },
               maxTurns: { type: "integer", minimum: 1 },
-              mode: { type: "string", enum: ["read-only", "write", "review"] },
+              mode: { type: "string", enum: ["read-only", "write", "review", "manage"] },
               writeScope: { type: "array", items: { type: "string" } },
               returnMode: { type: "string", enum: ["brief", "normal"] }
             },
@@ -28119,6 +29099,9 @@ function parseMember(input2, index) {
     agent: object2.agent.trim(),
     task: object2.task.trim()
   };
+  if (typeof object2.provider === "string" && object2.provider.trim()) member.provider = object2.provider.trim();
+  if (typeof object2.model === "string" && object2.model.trim()) member.model = object2.model.trim();
+  if (typeof object2.modelProfileName === "string" && object2.modelProfileName.trim()) member.modelProfileName = object2.modelProfileName.trim();
   if (typeof object2.id === "string" && object2.id.trim()) member.id = object2.id.trim();
   if (typeof object2.role === "string" && object2.role.trim()) member.role = object2.role.trim();
   if (typeof object2.context === "string") member.context = object2.context;
@@ -28126,7 +29109,7 @@ function parseMember(input2, index) {
   if (object2.returnMode === "brief" || object2.returnMode === "normal") member.returnMode = object2.returnMode;
   if (object2.parentDetail === "preview" || object2.parentDetail === "full" || object2.parentDetail === "none") member.parentDetail = object2.parentDetail;
   if (object2.mode !== void 0) {
-    if (object2.mode !== "read-only" && object2.mode !== "write" && object2.mode !== "review") return { ok: false, error: `cowork.members[${index}].mode must be read-only, review, or write.` };
+    if (object2.mode !== "read-only" && object2.mode !== "write" && object2.mode !== "review" && object2.mode !== "manage") return { ok: false, error: `cowork.members[${index}].mode must be read-only, review, manage, or write.` };
     member.mode = object2.mode;
   }
   if (typeof object2.maxTurns === "number" && Number.isInteger(object2.maxTurns) && object2.maxTurns > 0) member.maxTurns = object2.maxTurns;
@@ -28157,6 +29140,13 @@ function createDelegateAgentTool(options) {
   return {
     name: "delegate_agent",
     description: "Delegate a bounded task to a configured demian agent and return its result.",
+    metadata: {
+      category: "orchestration.agent",
+      categoryPath: ["orchestration", "agent"],
+      sideEffect: "external",
+      defaultDecision: "ask",
+      trust: "builtin"
+    },
     inputSchema: {
       type: "object",
       properties: {
@@ -28264,6 +29254,172 @@ function sha256(value) {
   return crypto6.createHash("sha256").update(value).digest("hex").slice(0, 16);
 }
 
+// src/cowork/permissions.ts
+function resolveCoworkPermissionIntent(agent, mode) {
+  if (agent.permissionIntent) return agent.permissionIntent;
+  if (mode === "write") return "write";
+  if (mode === "review") return "review";
+  if (mode === "manage") return "manage";
+  const category = agent.catalog?.category;
+  if (category === "builder") return "write";
+  if (category === "reviewer") return "review";
+  if (category === "planner") return "manage";
+  return "read-only";
+}
+function compileCoworkPermissionOverlay(options) {
+  const intent = resolveCoworkPermissionIntent(options.agent, options.mode);
+  const mapping = options.config.permissionOverlay.modeMappings[intent];
+  const providerNamespace = options.config.permissionOverlay.providerToolNamespaces[options.providerProfile];
+  const providerTools = providerNamespace ? [...mapping?.providerTools[options.providerProfile] ?? []] : [];
+  const demianTools = [...mapping?.demianTools ?? []];
+  const defaultDecision = mapping?.defaultDecision ?? options.agent.defaultDecision ?? "ask";
+  const rules = overlayRules({ intent, providerNamespace, providerTools, demianTools });
+  return {
+    intent,
+    providerProfile: options.providerProfile,
+    providerNamespace,
+    demianTools,
+    providerTools,
+    rules,
+    defaultDecision,
+    explanation: [
+      `permission intent ${intent}`,
+      providerNamespace ? `${providerNamespace} tools: ${providerTools.join(", ") || "(none)"}` : "no provider tool namespace",
+      `default decision ${defaultDecision}`
+    ]
+  };
+}
+function overlayRules(options) {
+  const rules = [];
+  for (const tool of options.demianTools) {
+    rules.push({ tool, decision: demianToolDecision(options.intent, tool) });
+  }
+  if (options.providerNamespace) {
+    const allowed = new Set(options.providerTools);
+    for (const tool of options.providerTools) {
+      rules.push({ tool: `${options.providerNamespace}.${tool}`, decision: providerToolDecision(options.intent, tool) });
+    }
+    for (const tool of ["Edit", "Write", "MultiEdit", "Bash"]) {
+      if (!allowed.has(tool)) rules.push({ tool: `${options.providerNamespace}.${tool}`, decision: "deny", reason: `${options.intent} cowork permission overlay` });
+    }
+  }
+  return rules;
+}
+function demianToolDecision(intent, tool) {
+  if (intent !== "write") return "allow";
+  return tool === "edit_file" || tool === "write_file" || tool === "bash" ? "ask" : "allow";
+}
+function providerToolDecision(intent, tool) {
+  if (intent !== "write") return "allow";
+  return tool === "Edit" || tool === "Write" || tool === "MultiEdit" || tool === "Bash" ? "ask" : "allow";
+}
+
+// src/cowork/routing.ts
+function resolveCoworkAssignment(options) {
+  const memberProvider = options.member.provider?.trim();
+  if (memberProvider && !options.config.providers.includes(memberProvider)) {
+    throw new Error(`cowork member provider ${memberProvider} is not in cowork.providers.`);
+  }
+  const agentName = coworkAgentName(options.agent.name);
+  const sourceAndOrder = providerOrder({
+    memberProvider,
+    memberModel: options.member.model,
+    memberModelProfileName: options.member.modelProfileName,
+    agentName,
+    agent: options.agent,
+    config: options.config
+  });
+  const constrainedOrder = sourceAndOrder.source === "legacy-agent-provider" ? sourceAndOrder.order : sourceAndOrder.order.filter((selection) => options.config.providers.includes(selection.provider));
+  const filtered = constrainedOrder.filter((selection) => options.availability?.[selection.provider] !== "unavailable");
+  if (filtered.length === 0) {
+    throw new Error(`No available cowork provider for ${options.agent.name}. Tried: ${sourceAndOrder.order.map(providerSelectionLabel).join(", ") || "(none)"}.`);
+  }
+  const selected = filtered[0];
+  const providerProfile = selected.provider;
+  const mode = options.member.mode ?? "read-only";
+  const permissionOverlay = compileCoworkPermissionOverlay({
+    config: options.config,
+    agent: options.agent,
+    providerProfile,
+    mode
+  });
+  return {
+    agent: options.agent,
+    agentName,
+    providerProfile,
+    model: selected.model,
+    modelProfileName: selected.modelProfileName,
+    remainingProviders: filtered.slice(1).map((selection) => selection.provider),
+    remainingProviderSelections: filtered.slice(1),
+    source: sourceAndOrder.source,
+    permissionOverlay,
+    explanation: [
+      `provider source: ${sourceAndOrder.source}`,
+      `provider/model order: ${filtered.map(providerSelectionLabel).join(" > ")}`,
+      ...permissionOverlay.explanation
+    ]
+  };
+}
+function coworkProviderAvailability(config, providers) {
+  const availability = {};
+  for (const provider of config.providers) {
+    const providerConfig = providers[provider];
+    if (!providerConfig || providerConfig.hidden) availability[provider] = "unavailable";
+    else availability[provider] = "configured";
+  }
+  return availability;
+}
+function providerOrder(options) {
+  if (options.memberProvider) {
+    return {
+      source: "explicit-provider",
+      order: [
+        {
+          provider: options.memberProvider,
+          ...options.memberModel ? { model: options.memberModel } : {},
+          ...options.memberModelProfileName ? { modelProfileName: options.memberModelProfileName } : {}
+        }
+      ]
+    };
+  }
+  if (options.agent.provider?.profile && !options.agent.defaultProviders?.length) return { source: "legacy-agent-provider", order: [{ provider: options.agent.provider.profile }] };
+  const userModelPool = options.agentName ? options.config.routing.agentModelPools[options.agentName] : void 0;
+  if (userModelPool?.length) return { source: "user-model-pool", order: uniqueProviderSelections(userModelPool) };
+  const userOrder = options.agentName ? options.config.routing.agentProviders[options.agentName] : void 0;
+  if (userOrder?.length) return { source: "user-routing", order: unique2(userOrder).map((provider) => ({ provider })) };
+  if (options.agent.defaultProviders?.length) return { source: "agent-default", order: unique2(options.agent.defaultProviders).map((provider) => ({ provider })) };
+  if (options.agent.provider?.profile) return { source: "legacy-agent-provider", order: [{ provider: options.agent.provider.profile }] };
+  return { source: "cowork-pool", order: unique2(options.config.providers).map((provider) => ({ provider })) };
+}
+function coworkAgentName(value) {
+  return COWORK_AGENT_NAMES.includes(value) ? value : void 0;
+}
+function unique2(values) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const value of values) {
+    if (seen.has(value)) continue;
+    seen.add(value);
+    out.push(value);
+  }
+  return out;
+}
+function uniqueProviderSelections(values) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const value of values) {
+    const key = `${value.provider}\0${value.modelProfileName ?? ""}\0${value.model ?? ""}`;
+    if (seen.has(key)) continue;
+    seen.add(key);
+    out.push({ ...value });
+  }
+  return out;
+}
+function providerSelectionLabel(selection) {
+  const model = selection.modelProfileName ?? selection.model;
+  return model ? `${selection.provider}:${model}` : selection.provider;
+}
+
 // src/root-session.ts
 var demianOnlyToolNames = /* @__PURE__ */ new Set(["delegate_agent", "cowork", "get_goal", "create_goal", "update_goal"]);
 var RootSession = class {
@@ -28277,6 +29433,7 @@ var RootSession = class {
   #transcript;
   #agentSessions = /* @__PURE__ */ new Map();
   #externalSessions = new ClaudeCodeSessionMap();
+  #coworkProviderAvailability;
   #mainExternalSessionKey;
   #currentPrompt = "";
   #progress;
@@ -28285,6 +29442,7 @@ var RootSession = class {
   constructor(options) {
     this.#options = options;
     this.#permissionPreset = normalizePermissionPreset(options.permissionPreset);
+    this.#coworkProviderAvailability = coworkProviderAvailability(options.config.cowork, options.config.providers);
     this.events = options.eventBus ?? new EventBus();
     this.agents = new AgentRegistry();
     this.#progress = new ProgressLedger({ rootSessionId: this.id });
@@ -28331,6 +29489,8 @@ var RootSession = class {
       agent: mainAgent,
       hooks: this.#options.hooks ?? this.#options.config.hooks,
       maxTurns: this.#options.maxTurns ?? this.#options.config.maxTurns,
+      countToolUseTurns: false,
+      maxToolUseRounds: relaxedToolUseRoundLimit(this.#options.maxTurns ?? this.#options.config.maxTurns),
       yes: this.#options.yes,
       dryRun: this.#options.dryRun,
       streaming: this.#options.streaming ?? this.#options.config.streaming.enabled,
@@ -28343,6 +29503,7 @@ var RootSession = class {
       signal: options.signal,
       eventBus: this.events,
       permissionPrompt: this.permissionPrompt,
+      autoPermission: this.autoPermissionForBackend(backend, this.#options.cwd, options.signal),
       toolRegistry: this.tools,
       grants: this.#grants,
       transcriptWriter: this.#transcript,
@@ -28391,7 +29552,7 @@ var RootSession = class {
     const providerProfile = childAgent.provider?.profile ?? this.#options.providerName;
     const invocationGrantKey = grantKeyForAgentInvocation(childAgent.name, providerProfile);
     if (this.#grants.has(invocationGrantKey)) return { ok: true };
-    const decision = childAgent.delegation?.invocationDecision ?? this.#options.config.delegation.defaultInvocationDecision;
+    const decision = invocationDecisionForPermissionPreset(this.#permissionPreset);
     if (decision === "deny") return { ok: false, error: `Agent invocation denied: ${childAgent.name}` };
     if (decision !== "ask") return { ok: true };
     this.events.emit({
@@ -28510,6 +29671,8 @@ var RootSession = class {
         agent: childRuntimeAgent,
         hooks: this.#options.hooks ?? this.#options.config.hooks,
         maxTurns,
+        countToolUseTurns: false,
+        maxToolUseRounds: relaxedToolUseRoundLimit(maxTurns),
         yes: this.#options.yes,
         dryRun: this.#options.dryRun,
         streaming: false,
@@ -28522,6 +29685,7 @@ var RootSession = class {
         signal,
         eventBus: this.events,
         permissionPrompt: this.permissionPrompt,
+        autoPermission: this.autoPermissionForBackend(backend, cwd, signal),
         toolRegistry: this.tools,
         grants: this.#grants,
         transcriptWriter: this.#transcript,
@@ -28544,6 +29708,31 @@ var RootSession = class {
           session.externalSessionKey = externalKey;
         }
       }
+      if (result.endReason !== "end_turn") {
+        const message = childExecutionFailureMessage(result.endReason, result.finalAnswer);
+        if (result.endReason === "cancelled") {
+          this.events.emit({
+            type: "agent.invocation.cancelled",
+            rootSessionId: this.id,
+            agentSessionId: session.id,
+            invocationId,
+            agent: childRuntimeAgent.name,
+            reason: message,
+            ts: now()
+          });
+          return { ok: false, error: `Agent invocation cancelled: ${message}`, invocationId, agentName: childRuntimeAgent.name, providerProfile, model: backend.model, metadata: { endReason: result.endReason } };
+        }
+        this.events.emit({
+          type: "agent.invocation.failed",
+          rootSessionId: this.id,
+          agentSessionId: session.id,
+          invocationId,
+          agent: childRuntimeAgent.name,
+          error: message,
+          ts: now()
+        });
+        return { ok: false, error: `Agent invocation failed: ${message}`, invocationId, agentName: childRuntimeAgent.name, providerProfile, model: backend.model, metadata: { endReason: result.endReason } };
+      }
       this.updateAgentSession(session, input2, result.messages, result.finalAnswer);
       if (beforeMessages !== session.messages.length) {
         this.events.emit({
@@ -28619,7 +29808,7 @@ var RootSession = class {
       }))
     });
     if (!this.#grants.has(grantKey)) {
-      const decision = this.#options.config.cowork.defaultInvocationDecision;
+      const decision = invocationDecisionForPermissionPreset(this.#permissionPreset);
       if (decision === "deny") return fail("Cowork invocation denied by configuration.");
       if (decision === "ask") {
         this.events.emit({
@@ -28803,43 +29992,27 @@ var RootSession = class {
   }
   async runCoworkMember(member, group, outcomes, context) {
     const startedAt = now();
-    const coworkAgent = this.decorateCoworkMemberAgent(member.agent, member.mode);
-    const runtimeAgent = this.decorateChildAgent(coworkAgent);
-    const backend = this.resolveInvocationBackend(member.providerProfile, void 0, runtimeAgent);
-    this.events.emit({
-      type: "cowork.member.started",
-      rootSessionId: this.id,
-      parentInvocationId: context.parent.parentInvocationId,
-      groupId: context.groupId,
-      memberId: member.memberId,
-      agent: member.agent.name,
-      provider: member.providerProfile,
-      model: backend.model,
-      mode: member.mode,
-      ts: startedAt
-    });
     const input2 = withParentContext(member.input, group, outcomes);
     const workspace = member.isolated ? await this.createCoworkIsolatedWorkspace(context.groupId, member.memberId) : { cwd: this.#options.cwd };
     const snapshot = member.mode === "write" ? await this.createCoworkWriterSnapshot(workspace.cwd) : void 0;
-    const result = await this.executeChildAgentSession(input2, coworkAgent, context.parent, {
-      sessionScope: `cowork:${context.groupId}:${member.memberId}`,
-      signal: context.signal,
-      writeScope: member.writeScope,
-      cwd: workspace.cwd
-    });
+    const attempt = member.mode === "write" ? await this.runCoworkWriteAttempt(member, input2, snapshot, workspace.cwd, context) : await this.runCoworkNonWriteAttempts(member, input2, workspace.cwd, context);
     const durationMs = now() - startedAt;
     const audit = member.mode === "write" ? await this.auditCoworkWriter(member, snapshot, workspace.cwd, member.isolated) : void 0;
     if ("cleanup" in workspace) await workspace.cleanup().catch(() => void 0);
+    const result = attempt.result;
+    const providerProfile = result.providerProfile;
     if (result.ok) {
       const outOfScope2 = audit?.outOfScopeFiles ?? [];
       const outcome2 = {
         memberId: member.memberId,
         agent: member.agent.name,
-        provider: member.providerProfile,
+        provider: providerProfile,
         status: outOfScope2.length ? "failed" : "completed",
-        summary: preview(coworkMemberSummary(result.finalAnswer.trim() || "Completed.", audit), 1e3),
+        summary: preview(coworkMemberSummary(result.finalAnswer.trim() || "Completed.", audit, attempt), 1e3),
         artifacts: audit ? [coworkAuditArtifact(audit)] : [],
         reason: outOfScope2.length ? "out_of_scope" : void 0,
+        fallbackReason: attempt.fallbackReason,
+        repairReason: attempt.repairReason,
         error: outOfScope2.length ? `Writer changed files outside writeScope: ${outOfScope2.join(", ")}` : void 0,
         invocationId: result.invocationId,
         tokens: result.usage,
@@ -28857,11 +30030,13 @@ var RootSession = class {
     const outcome = {
       memberId: member.memberId,
       agent: member.agent.name,
-      provider: member.providerProfile,
+      provider: providerProfile,
       status: cancelled ? "cancelled" : "failed",
-      summary: preview(coworkMemberSummary(result.error, audit), 1e3),
+      summary: preview(coworkMemberSummary(result.error, audit, attempt), 1e3),
       artifacts: audit ? [coworkAuditArtifact(audit)] : [],
       reason: cancelled ? "cancelled" : outOfScope.length ? "out_of_scope" : void 0,
+      fallbackReason: attempt.fallbackReason,
+      repairReason: attempt.repairReason,
       error: outOfScope.length ? `${result.error}
 Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.error,
       invocationId: result.invocationId,
@@ -28874,6 +30049,115 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     }
     return outcome;
   }
+  async runCoworkNonWriteAttempts(member, input2, cwd, context) {
+    const providers = [{ provider: member.providerProfile, model: member.model, modelProfileName: member.modelProfileName }, ...member.remainingProviderSelections];
+    const errors = [];
+    let fallbackReason;
+    for (const [index, selection] of providers.entries()) {
+      const overlay = index === 0 && member.permissionOverlay ? member.permissionOverlay : this.compileCoworkOverlay(member, selection.provider);
+      const result2 = await this.executeCoworkMemberAttempt(member, selection, overlay, input2, cwd, context, `cowork:${context.groupId}:${member.memberId}:${providerSelectionScope(selection)}`);
+      if (result2.ok) return { result: result2, fallbackReason };
+      errors.push(`${providerSelectionLabel2(selection)}: ${result2.error}`);
+      if (context.signal.aborted) return { result: result2, fallbackReason };
+      const policy = pickCoworkNonWriteFallbackPolicy(result2.error, this.#options.config.cowork.fallback.nonWrite);
+      const nextProvider = providers[index + 1];
+      if ((policy === "next-provider" || policy === "skip-provider") && nextProvider) {
+        if (policy === "skip-provider") this.#coworkProviderAvailability[selection.provider] = "unavailable";
+        fallbackReason = `${providerSelectionLabel2(selection)} failed (${coworkFailureKind(result2.error)}); switched to ${providerSelectionLabel2(nextProvider)}`;
+        continue;
+      }
+      return { result: withCombinedCoworkErrors(result2, errors), fallbackReason };
+    }
+    const result = {
+      ok: false,
+      error: `Agent invocation failed: all cowork providers failed for ${member.agent.name}.
+${errors.join("\n")}`,
+      agentName: member.agent.name,
+      providerProfile: providers.at(-1)?.provider ?? member.providerProfile
+    };
+    return { result, fallbackReason };
+  }
+  async runCoworkWriteAttempt(member, input2, snapshot, cwd, context) {
+    const selection = { provider: member.providerProfile, model: member.model, modelProfileName: member.modelProfileName };
+    const result = await this.executeCoworkMemberAttempt(member, selection, member.permissionOverlay, input2, cwd, context, `cowork:${context.groupId}:${member.memberId}`);
+    if (result.ok || context.signal.aborted) return { result };
+    const policy = this.#options.config.cowork.fallback.write;
+    if (policy.onFailure !== "repair-from-worktree" || policy.maxRepairAttempts < 1) return { result };
+    const repairContext = await this.buildCoworkRepairContext(result.error, snapshot, cwd);
+    if (!repairContext.hasChangedFiles) return { result };
+    let current = result;
+    let repairReason = `write attempt failed on ${member.providerProfile}; retried same provider after reading changed files`;
+    for (let attempt = 1; attempt <= policy.maxRepairAttempts; attempt++) {
+      const repairInput = {
+        ...input2,
+        task: buildCoworkRepairTask(input2.task, current.error, attempt),
+        context: [input2.context, repairContext.text].filter(Boolean).join("\n\n") || void 0
+      };
+      current = await this.executeCoworkMemberAttempt(member, selection, member.permissionOverlay, repairInput, cwd, context, `cowork:${context.groupId}:${member.memberId}:repair:${attempt}`);
+      if (current.ok) return { result: current, repairReason };
+      if (context.signal.aborted) return { result: current, repairReason };
+    }
+    return { result: current, repairReason };
+  }
+  async executeCoworkMemberAttempt(member, selection, overlay, input2, cwd, context, sessionScope) {
+    const providerProfile = selection.provider;
+    const decoratedCoworkAgent = this.decorateCoworkMemberAgent(member.agent, member.mode, overlay);
+    const coworkAgent2 = { ...decoratedCoworkAgent, provider: { ...decoratedCoworkAgent.provider, profile: providerProfile } };
+    const runtimeAgent = this.decorateChildAgent(coworkAgent2);
+    let model = "";
+    try {
+      model = this.resolveInvocationBackend(providerProfile, { model: selection.model, modelProfileName: selection.modelProfileName }, runtimeAgent).model;
+    } catch (error) {
+      return { ok: false, error: `Agent invocation failed: ${errorMessage(error)}`, agentName: runtimeAgent.name, providerProfile };
+    }
+    this.events.emit({
+      type: "cowork.member.started",
+      rootSessionId: this.id,
+      parentInvocationId: context.parent.parentInvocationId,
+      groupId: context.groupId,
+      memberId: member.memberId,
+      agent: member.agent.name,
+      provider: providerProfile,
+      model,
+      mode: member.mode,
+      ts: now()
+    });
+    return this.executeChildAgentSession(input2, coworkAgent2, context.parent, {
+      sessionScope,
+      signal: context.signal,
+      writeScope: member.writeScope,
+      cwd
+    });
+  }
+  compileCoworkOverlay(member, providerProfile) {
+    return compileCoworkPermissionOverlay({
+      config: this.#options.config.cowork,
+      agent: member.agent,
+      providerProfile,
+      mode: member.mode
+    });
+  }
+  async buildCoworkRepairContext(error, snapshot, cwd) {
+    const summary = snapshot ? await diffWorkspaceSnapshot(snapshot).catch(() => void 0) : void 0;
+    const files = summary?.files ?? [];
+    const chunks = [
+      "Cowork write repair context:",
+      "- Do not switch providers for this write repair.",
+      "- Re-read the current workspace state below and repair from it.",
+      "",
+      "Failure:",
+      error,
+      "",
+      files.length ? "Changed files since the failed attempt:" : "No changed files were detected after the failed attempt."
+    ];
+    for (const file of files) chunks.push(`- ${file.path} (${file.kind}, +${file.addedLines}/-${file.removedLines})`);
+    if (summary?.diff) chunks.push("", "Diff since original snapshot:", preview(summary.diff, 6e3));
+    if (this.#options.config.cowork.fallback.write.readChangedFilesBeforeRepair) {
+      const fileContents = await readCoworkRepairFiles(cwd, files.map((file) => file.path));
+      if (fileContents.length) chunks.push("", "Current changed file contents:", ...fileContents);
+    }
+    return { text: chunks.join("\n"), hasChangedFiles: files.length > 0 };
+  }
   async createCoworkWriterSnapshot(cwd) {
     try {
       return await createWorkspaceSnapshot(cwd);
@@ -28900,8 +30184,8 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     }
   }
   async createCoworkIsolatedWorkspace(groupId, memberId) {
-    const root = await mkdtemp(path28.join(os12.tmpdir(), `demian-cowork-${groupId}-${memberId}-`));
-    const cwd = path28.join(root, "workspace");
+    const root = await mkdtemp(path29.join(os12.tmpdir(), `demian-cowork-${groupId}-${memberId}-`));
+    const cwd = path29.join(root, "workspace");
     await cp(this.#options.cwd, cwd, {
       recursive: true,
       filter: (source) => shouldCopyIntoCoworkWorkspace(this.#options.cwd, source)
@@ -28977,11 +30261,28 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
       if (denied?.includes(target.name)) return { ok: false, error: `Agent ${parent.parentAgent.name} is configured not to cowork with ${target.name}.` };
       const maxDepth = parent.parentAgent.delegation?.maxDepth ?? this.#options.config.delegation.maxDepth;
       if (parent.agentPath.length > maxDepth) return { ok: false, error: `Max delegation depth (${maxDepth}) exceeded.` };
+      let assignment;
+      try {
+        assignment = resolveCoworkAssignment({
+          member,
+          agent: target,
+          config: this.#options.config.cowork,
+          defaultProvider: this.#options.providerName,
+          availability: this.#coworkProviderAvailability
+        });
+      } catch (error) {
+        return { ok: false, error: errorMessage(error) };
+      }
       group.push({
         memberId,
         input: member,
         agent: target,
-        providerProfile: target.provider?.profile ?? this.#options.providerName,
+        providerProfile: assignment.providerProfile,
+        model: assignment.model,
+        modelProfileName: assignment.modelProfileName,
+        remainingProviders: assignment.remainingProviders,
+        remainingProviderSelections: assignment.remainingProviderSelections,
+        permissionOverlay: assignment.permissionOverlay,
         mode,
         writeScope,
         isolated: mode === "write" && strategy === "multi-patch" && this.#options.config.cowork.writerIsolation === "snapshot-diff",
@@ -29043,24 +30344,54 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
       systemPrompt: [agent.systemPrompt, this.callableCatalogPrompt(agent)].filter(Boolean).join("\n\n")
     });
   }
-  decorateCoworkMemberAgent(agent, mode) {
-    if (mode === "write") return this.withPermissionPreset(agent);
+  decorateCoworkMemberAgent(agent, mode, overlay) {
+    const overlayPermissions = overlay?.rules ?? [];
+    const overlayDefaultDecision = overlay?.defaultDecision ?? agent.defaultDecision;
+    const systemPrompt = [agent.systemPrompt, coworkMemberToolBoundaryPrompt(mode)].join("\n\n");
+    if (mode === "write") {
+      return this.withPermissionPreset({
+        ...agent,
+        systemPrompt,
+        permissions: [...agent.permissions, ...overlayPermissions],
+        defaultDecision: overlayDefaultDecision
+      });
+    }
     const readTools = /* @__PURE__ */ new Set(["read_file", "grep", "glob", "web_search", "update_plan", "report_progress"]);
     const denyTools = ["write_file", "edit_file", "bash", "claudecode.Edit", "claudecode.Write", "claudecode.MultiEdit", "claudecode.Bash"];
     return this.withPermissionPreset({
       ...agent,
-      provider: agent.provider?.profile === "claudecode" && agent.name === "claudecode-explorer" ? { ...agent.provider, permissionProfile: "explore" } : agent.provider,
+      systemPrompt,
       tools: agent.tools.filter((tool) => readTools.has(tool)),
       permissions: [
         ...agent.permissions.filter((rule) => !denyTools.includes(rule.tool)),
+        ...overlayPermissions.filter((rule) => !denyTools.includes(rule.tool)),
         ...denyTools.map((tool) => ({ tool, decision: "deny", reason: "cowork read-only member" }))
       ],
-      defaultDecision: "deny"
+      defaultDecision: overlayDefaultDecision === "allow" ? "allow" : "deny"
     });
   }
   withPermissionPreset(agent) {
     return applyPermissionPresetToAgent(agent, this.#permissionPreset);
   }
+  autoPermissionForBackend(backend, cwd, signal) {
+    if (this.#permissionPreset !== "auto") return void 0;
+    if (backend.kind === "provider") return createAutoPermissionAgent({ provider: backend.provider, model: backend.model, cwd, signal });
+    return this.autoPermissionForExternalRuntime(cwd, signal);
+  }
+  autoPermissionForExternalRuntime(cwd, signal) {
+    if (this.#permissionPreset !== "auto") return void 0;
+    const candidates = /* @__PURE__ */ new Set([this.#options.providerName, this.#options.config.defaultProvider, ...Object.keys(this.#options.config.providers)]);
+    for (const profileName of candidates) {
+      try {
+        const providerConfig = resolveProviderConfig(this.#options.config, profileName);
+        const runtime = resolveProviderRuntimeConfig(this.#options.config, { providerName: profileName });
+        const backend = this.#options.resolveExecutionBackend ? this.#options.resolveExecutionBackend(profileName, providerConfig, runtime.model) : this.#options.resolveProvider ? { kind: "provider", ...this.#options.resolveProvider(profileName, providerConfig, runtime.model) } : resolveExecutionBackend(providerConfig, { model: runtime.model, config: this.#options.config });
+        if (backend.kind === "provider") return createAutoPermissionAgent({ provider: backend.provider, model: backend.model, cwd, signal });
+      } catch {
+      }
+    }
+    return void 0;
+  }
   callableCatalogPrompt(caller) {
     const allowed = caller.delegation?.allowedAgents;
     const denied = new Set(caller.delegation?.deniedAgents ?? []);
@@ -29095,10 +30426,13 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     }
     return lines.join("\n");
   }
-  resolveInvocationBackend(profileName, modelOverride, agent) {
-    const runtime = resolveProviderRuntimeConfig(this.#options.config, { providerName: profileName, model: modelOverride });
+  resolveInvocationBackend(profileName, modelSelection, agent) {
+    const modelOverride = typeof modelSelection === "string" ? modelSelection : modelSelection?.model;
+    const modelProfileName = typeof modelSelection === "string" ? void 0 : modelSelection?.modelProfileName;
+    const runtime = resolveProviderRuntimeConfig(this.#options.config, { providerName: profileName, model: modelOverride, modelProfileName });
     const providerConfig = runtime.providerConfig;
-    if (this.#options.resolveExecutionBackend) return this.#options.resolveExecutionBackend(profileName, providerConfig, modelOverride);
+    const selectedModel = modelOverride ?? (modelProfileName ? runtime.model : void 0);
+    if (this.#options.resolveExecutionBackend) return this.#options.resolveExecutionBackend(profileName, providerConfig, selectedModel);
     if (this.#options.resolveProvider) {
       const resolved = this.#options.resolveProvider(profileName, providerConfig, runtime.model);
       return { kind: "provider", ...resolved };
@@ -29205,17 +30539,17 @@ function findDependencyCycle(group) {
   const byId = new Map(group.map((member) => [member.memberId, member]));
   const visiting = /* @__PURE__ */ new Set();
   const visited = /* @__PURE__ */ new Set();
-  const path29 = [];
+  const path30 = [];
   const visit = (id) => {
-    if (visiting.has(id)) return [...path29.slice(path29.indexOf(id)), id];
+    if (visiting.has(id)) return [...path30.slice(path30.indexOf(id)), id];
     if (visited.has(id)) return void 0;
     visiting.add(id);
-    path29.push(id);
+    path30.push(id);
     for (const dep of byId.get(id)?.dependsOn ?? []) {
       const cycle = visit(dep);
       if (cycle) return cycle;
     }
-    path29.pop();
+    path30.pop();
     visiting.delete(id);
     visited.add(id);
     return void 0;
@@ -29256,7 +30590,7 @@ function scopeStaticPrefix(pattern) {
   return prefix.replace(/\/+$/, "").split("/").filter(Boolean).join("/") || ".";
 }
 function shouldCopyIntoCoworkWorkspace(root, source) {
-  const relative = path28.relative(root, source).split(path28.sep).join("/");
+  const relative = path29.relative(root, source).split(path29.sep).join("/");
   if (!relative) return true;
   const parts = relative.split("/");
   return !parts.includes(".git") && !parts.includes("node_modules") && !parts.includes(".demian");
@@ -29387,8 +30721,14 @@ function summarizeCoworkResult(goal, outcomes) {
   }
   return lines.join("\n");
 }
-function coworkMemberSummary(text, audit) {
+function coworkMemberSummary(text, audit, attempt) {
   const lines = [text];
+  if (attempt?.fallbackReason) {
+    lines.push("", `Fallback: ${attempt.fallbackReason}`);
+  }
+  if (attempt?.repairReason) {
+    lines.push("", `Repair: ${attempt.repairReason}`);
+  }
   if (audit?.summary?.files.length) {
     lines.push("", `Workspace changes: ${audit.summary.files.map((file) => file.path).join(", ")}`);
   }
@@ -29409,6 +30749,16 @@ function externalMainRuntimePrompt() {
     "- Do not announce that delegate_agent or cowork is unavailable unless the user explicitly requested one of those tools."
   ].join("\n");
 }
+function coworkMemberToolBoundaryPrompt(mode) {
+  const capability = mode === "write" ? "read/write tools allowed by the delegated writeScope" : "read-only inspection tools";
+  return [
+    "Cowork member tool boundary:",
+    "- You are already running inside a Demian cowork group; do not try to call cowork or delegate_agent from this member.",
+    `- Use only the ${capability} exposed by your current runtime.`,
+    "- When the provider is Claude Code, Demian maps workspace capabilities through Claude Code native tools such as Read, Grep, Glob, LS, Edit, MultiEdit, Write, and Bash according to the permission overlay.",
+    "- Do not report missing cowork/delegate_agent as a blocker; report a blocker only when the delegated workspace capability itself is missing."
+  ].join("\n");
+}
 function coworkAuditArtifact(audit) {
   return {
     type: "workspace-diff-audit",
@@ -29437,6 +30787,80 @@ function formatCoworkResult(result) {
     )
   ].join("\n");
 }
+function pickCoworkNonWriteFallbackPolicy(error, policy) {
+  const kind = coworkFailureKind(error);
+  if (kind === "auth") return policy.onAuthFailure;
+  if (kind === "token-limit") return policy.onTokenLimit;
+  if (kind === "connection") return policy.onConnectionError;
+  return "fail-member";
+}
+function coworkFailureKind(error) {
+  const text = error.toLowerCase();
+  if (/\b(401|403)\b|unauthorized|forbidden|auth|api key|apikey|invalid key|invalid_key/.test(text)) return "auth";
+  if (/token|context length|quota|rate limit|too many requests|\b429\b|maximum context|max_tokens|max tokens/.test(text)) return "token-limit";
+  if (/econnreset|econnrefused|etimedout|enotfound|network|fetch failed|connection|socket|timeout|temporarily unavailable|no scripted response/.test(text)) return "connection";
+  return "unknown";
+}
+function childExecutionFailureMessage(endReason, finalAnswer) {
+  const answer = finalAnswer?.trim();
+  if (answer) return answer;
+  if (endReason === "max_turns") return "Stopped after reaching maxTurns before producing a verified result.";
+  if (endReason === "tool_loop_limit") return "Stopped after reaching the tool-use safety limit before producing a verified result.";
+  if (endReason === "content_filter") return "Provider safety filter blocked the child agent response.";
+  if (endReason === "cancelled") return "Cancelled.";
+  if (endReason === "error") return "Child agent runtime ended with an error.";
+  return `Child agent ended with ${endReason}.`;
+}
+function withCombinedCoworkErrors(result, errors) {
+  if (result.ok || errors.length <= 1) return result;
+  return {
+    ...result,
+    error: `${result.error}
+
+Cowork provider attempts:
+${errors.join("\n")}`
+  };
+}
+function providerSelectionLabel2(selection) {
+  const model = selection.modelProfileName ?? selection.model;
+  return model ? `${selection.provider}:${model}` : selection.provider;
+}
+function providerSelectionScope(selection) {
+  return providerSelectionLabel2(selection).replace(/[^a-zA-Z0-9_-]/g, "_");
+}
+function buildCoworkRepairTask(originalTask, error, attempt) {
+  return [
+    `Repair attempt ${attempt} for a failed cowork write task.`,
+    "",
+    "Original task:",
+    originalTask,
+    "",
+    "Previous failure:",
+    error,
+    "",
+    "Continue from the current workspace state. Do not restart blindly or overwrite unrelated changes. Stay inside the delegated writeScope."
+  ].join("\n");
+}
+async function readCoworkRepairFiles(cwd, relativePaths) {
+  const chunks = [];
+  let budget = 12e3;
+  for (const relativePath of relativePaths.slice(0, 8)) {
+    if (budget <= 0) break;
+    const normalized = relativePath.split(path29.sep).join("/");
+    const absolutePath = path29.resolve(cwd, normalized);
+    if (!absolutePath.startsWith(path29.resolve(cwd) + path29.sep) && absolutePath !== path29.resolve(cwd)) continue;
+    try {
+      const content = await readFile14(absolutePath, "utf8");
+      const clipped = preview(content, budget);
+      budget -= clipped.length;
+      chunks.push([`File: ${normalized}`, "```", clipped, "```"].join("\n"));
+    } catch (error) {
+      chunks.push(`File: ${normalized}
+(unavailable: ${errorMessage(error)})`);
+    }
+  }
+  return chunks;
+}
 function sumUsage(outcomes) {
   return outcomes.reduce(
     (sum, outcome) => ({
@@ -29459,6 +30883,8 @@ export {
   CLAUDE_CODE_SONNET_MODEL,
   CODEX_KEYRING_SERVICE,
   CODEX_OAUTH_CLIENT_ID,
+  COWORK_AGENT_MIGRATIONS,
+  COWORK_AGENT_NAMES,
   ClaudeCodeAuthError,
   ClaudeCodeAuthStore,
   ClaudeCodeProvider,
@@ -29476,6 +30902,8 @@ export {
   DEFAULT_CLAUDE_CODE_USER_AGENT,
   DEFAULT_CLAUDE_CODE_VERSION,
   DEFAULT_CODEX_BASE_URL,
+  DEFAULT_COWORK_AGENT_PROVIDERS,
+  DEFAULT_COWORK_PERMISSION_OVERLAY,
   EventBus,
   HookDispatcher,
   OllamaProvider,
@@ -29534,6 +30962,7 @@ export {
   inferOpenAICompatibleAuth,
   injectClaudeCodeSystemPrefix,
   invalidateCatalogPingCache,
+  invocationDecisionForPermissionPreset,
   isAzureOpenAIEndpoint,
   isCallableAgent,
   isCoworkableAgent,
@@ -29566,6 +30995,7 @@ export {
   providerModelOptions,
   providerModelProfiles,
   relativeToCwd,
+  relaxedToolUseRoundLimit,
   resolveAgentMode,
   resolveClaudeCodeRuntimeConfig,
   resolveClaudeConfigDir,
@@ -29584,5 +31014,6 @@ export {
   toCodexResponsesTool,
   toOpenAIMessage,
   toOpenAITool,
-  toResponsesInputItems
+  toResponsesInputItems,
+  validateCoworkAgentName
 };