droid-mode 0.2.0 → 0.2.1

package/README.md

@@ -17,6 +17,16 @@ Access MCP tools on-demand without loading schemas into your context window.
 
 ---
 
+## A Personal Note
+
+> I spend most of my time in Factory.ai's Droid CLI, and I'm a big believer in MCP - it's the right abstraction for giving AI agents access to external tools. But I kept bumping into an interesting constraint. Every MCP server adds its tool schemas to the context window, which means adding servers costs tokens whether you use those tools or not. I wanted ten servers available; I didn't want to pay for ten servers in every prompt. This seemed like a solvable inefficiency, and I was curious enough to dig in.
+>
+> Droid Mode is what emerged: a Skill that provides daemon-backed MCP access with progressive disclosure. Built on 28 years of Linux system administration experience, it treats MCP servers as infrastructure - persistent connections, lazy schema loading, code-mode execution outside the context window. The result is zero token overhead and 13% better latency than native MCP. Per-project daemon isolation handles governance, and everything is traced for accountability. It's experimental research software, but I've tested it thoroughly and use it daily. I'm sharing it as an early AI explorer who believes we're just scratching the surface of what performant agent architectures can look like.
+>
+> \- [GitMaxd](https://github.com/Gitmaxd)
+
+---
+
 ## The Problem
 
 When you configure MCP servers in Factory.ai Droid, **all tool schemas get injected into every prompt** ([source](https://www.anthropic.com/engineering/code-execution-with-mcp)). This creates a compounding cost:

package/dist/cli.js

@@ -83,7 +83,7 @@ var init = defineCommand({
       console.error("\u274C Templates directory not found. Package may be corrupted.");
       process.exit(1);
     }
-    if (await pathExists(skillDir)) {
+    if (await pathExists(skillDir) && !args.force) {
       console.log("\u26A0\uFE0F  .factory/skills/droid-mode already exists");
       console.log("   Scaffolding new files only (existing files will NOT be overwritten)\n");
     }
@@ -100,8 +100,10 @@ var init = defineCommand({
             return true;
           }
           if (await pathExists(dest)) {
-            const relativePath2 = dest.replace(targetDir, ".");
-            console.log(`\u23ED\uFE0F  Skipped: ${relativePath2} (already exists)`);
+            if (!args.force) {
+              const relativePath2 = dest.replace(targetDir, ".");
+              console.log(`\u23ED\uFE0F  Skipped: ${relativePath2} (already exists)`);
+            }
             skipped++;
             return false;
           }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "droid-mode",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Progressive Code-Mode MCP integration for Factory.ai Droid - access MCP tools without context bloat",
   "type": "module",
   "main": "dist/cli.js",

package/templates/skills/droid-mode/README.md

@@ -2,9 +2,19 @@
 
 Progressive Code-Mode MCP integration for Factory Droid. Access MCP tools without loading them into context.
 
+---
+
+> I spend most of my time in Factory.ai's Droid CLI, and I'm a big believer in MCP - it's the right abstraction for giving AI agents access to external tools. But I kept bumping into an interesting constraint. Every MCP server adds its tool schemas to the context window, which means adding servers costs tokens whether you use those tools or not. I wanted ten servers available; I didn't want to pay for ten servers in every prompt. This seemed like a solvable inefficiency, and I was curious enough to dig in.
+>
+> Droid Mode is what emerged: a Skill that provides daemon-backed MCP access with progressive disclosure. Built on 28 years of Linux system administration experience, it treats MCP servers as infrastructure - persistent connections, lazy schema loading, code-mode execution outside the context window. The result is zero token overhead and 13% better latency than native MCP. Per-project daemon isolation handles governance, and everything is traced for accountability. It's experimental research software, but I've tested it thoroughly and use it daily. I'm sharing it as an early AI explorer who believes we're just scratching the surface of what performant agent architectures can look like.
+>
+> \- [GitMaxd](https://github.com/Gitmaxd)
+
+---
+
 ## Installation
 
-### Option A — Project skill (recommended for teams)
+### Option A - Project skill (recommended for teams)
 
 Copy this directory to `<repo>/.factory/skills/droid-mode/`
 
@@ -12,7 +22,7 @@ Copy this directory to `<repo>/.factory/skills/droid-mode/`
 ./.factory/skills/droid-mode/bin/dm --help
 ```
 
-### Option B — User skill (personal)
+### Option B - User skill (personal)
 
 Copy to `~/.factory/skills/droid-mode/`
 
@@ -20,7 +30,7 @@ Copy to `~/.factory/skills/droid-mode/`
 ~/.factory/skills/droid-mode/bin/dm --help
 ```
 
-### Option C — npx (scaffolding)
+### Option C - npx (scaffolding)
 
 ```bash
 npx droid-mode init
@@ -76,7 +86,7 @@ For CI or quick experiments:
 
 ## Commands
 
-### `dm servers` — List available MCP servers
+### `dm servers` - List available MCP servers
 
 ```bash
 dm servers
@@ -84,7 +94,7 @@ dm servers
 
 Shows all servers from `mcp.json`. Servers with `disabled: true` show as "disabled (good!)".
 
-### `dm doctor` — Sanity check
+### `dm doctor` - Sanity check
 
 ```bash
 dm doctor --server contextrepo
@@ -92,7 +102,7 @@ dm doctor --server contextrepo
 
 Checks: finds `mcp.json`, resolves server, attempts `initialize` + `tools/list`.
 
-### `dm index` — List tools (compact)
+### `dm index` - List tools (compact)
 
 ```bash
 dm index --server contextrepo
@@ -101,7 +111,7 @@ dm index --server contextrepo --json
 
 Outputs a compact table (name + description + required params).
 
-### `dm search` — Find tools by keyword
+### `dm search` - Find tools by keyword
 
 ```bash
 dm search "semantic search over docs" --limit 8 --server contextrepo
@@ -109,18 +119,18 @@ dm search "semantic search over docs" --limit 8 --server contextrepo
 
 Searches the cached index.
 
-### `dm hydrate` — Get full schemas
+### `dm hydrate` - Get full schemas
 
 ```bash
 dm hydrate search_documents get_document --server contextrepo
 ```
 
 Writes to `.factory/droid-mode/hydrated/<server>/<timestamp>/`:
-- `tools.json` — full tool definitions
-- `types.d.ts` — TypeScript types
-- `toolmap.json` — safe JS identifiers → tool names
+- `tools.json` - full tool definitions
+- `types.d.ts` - TypeScript types
+- `toolmap.json` - safe JS identifiers → tool names
 
-### `dm run` — Execute workflow
+### `dm run` - Execute workflow
 
 ```bash
 dm run --server contextrepo --tools search_documents,get_document --workflow workflow.js
@@ -196,7 +206,7 @@ dm daemon list           # Alias for status --all
 dm daemon warm [server]  # Pre-warm connections
 ```
 
-The daemon is optional—without it, everything works as before.
+The daemon is optional-without it, everything works as before.
 
 ---
 
@@ -213,4 +223,4 @@ Optional: Add a **PreToolUse hook** to block direct `mcp__*` calls. See `example
 
 ## Design Philosophy
 
-Treat MCP as infrastructure. Treat Skills as capability boundaries. Treat code as a reasoning amplifier — not as authority.
+Treat MCP as infrastructure. Treat Skills as capability boundaries. Treat code as a reasoning amplifier - not as authority.

package/templates/skills/droid-mode/SKILL.md

@@ -56,9 +56,9 @@ This is the entire point of the skill.
 ## Idempotency
 
 All droid-mode commands are safe to rerun:
-- `dm servers` / `dm index` — read-only discovery
-- `dm hydrate` — overwrites previous hydration (timestamped)
-- `dm run` — each run creates a new timestamped trace
+- `dm servers` / `dm index`: read-only discovery
+- `dm hydrate`: overwrites previous hydration (timestamped)
+- `dm run`: each run creates a new timestamped trace
 
 No cleanup required between invocations.
 
@@ -192,19 +192,19 @@ Command should exit 0.
 
 All outputs written to `.factory/droid-mode/`:
 
-- `cache/<server>/tools.json` — tool inventory
-- `hydrated/<server>/<ts>/` — schemas + types
-- `runs/<server>/<ts>/run.json` — execution trace
+- `cache/<server>/tools.json`: tool inventory
+- `hydrated/<server>/<ts>/`: schemas + types
+- `runs/<server>/<ts>/run.json`: execution trace
 
 All JSON artifacts are machine-parseable for downstream skill chaining. Workflows can read `tools.json` or `run.json` to inform subsequent steps.
 
 ## Supporting Files
 
-- `bin/dm` — CLI entry point
-- `lib/` — implementation modules
-- `examples/workflows/` — sample workflow files
-- `examples/hooks/` — PreToolUse hook examples
-- `README.md` — full documentation
+- `bin/dm`: CLI entry point
+- `lib/`: implementation modules
+- `examples/workflows/`: sample workflow files
+- `examples/hooks/`: PreToolUse hook examples
+- `README.md`: full documentation
 
 ## Quick Reference
 
@@ -230,10 +230,10 @@ For personal skill, replace `./.factory/` with `~/.factory/`.
 ## References
 
 For project-specific conventions, see:
-- `AGENTS.md` — project-wide agent guidance (if present)
-- `mcp.json` — MCP server configuration
-- `.factory/skills/*/SKILL.md` — related skills that may chain with droid-mode
+- `AGENTS.md`: project-wide agent guidance (if present)
+- `mcp.json`: MCP server configuration
+- `.factory/skills/*/SKILL.md`: related skills that may chain with droid-mode
 
 For droid-mode internals:
-- `README.md` — full CLI documentation
-- `examples/` — sample workflows and hooks
+- `README.md`: full CLI documentation
+- `examples/`: sample workflows and hooks

package/templates/skills/droid-mode/bin/dm

@@ -13,7 +13,7 @@ import { setServerAutoWarm, getServerState } from "../lib/state.mjs";
 
 function usage() {
   return `
-Droid Mode (dm) — Progressive Code‑Mode MCP workflows for Factory Droid
+Droid Mode (dm) - Progressive Code-Mode MCP workflows for Factory Droid
 
 Usage:
   dm servers [--json]
@@ -21,7 +21,7 @@ Usage:
   dm index   --server <name> [--refresh] [--json]
   dm search  "<query>" --server <name> [--limit 8] [--refresh] [--json]
   dm hydrate <tool1> <tool2> ... --server <name> [--out <dir>] [--refresh] [--json]
-  dm run     --workflow <file.js> --tools <a,b,...> --server <name> [--retries 3] [--timeout-ms 300000] [--json]
+  dm run     --workflow <file.js> --tools <a,b,...> --server <name> [--retries 3] [--timeout-ms 300000]
   dm call    <tool> --server <name> [--args '{...}'] [--args-file path.json] [--json] [--no-daemon]
 
 Daemon (persistent connections for faster calls):

package/templates/skills/droid-mode/lib/__tests__/run.test.mjs

@@ -0,0 +1,248 @@
+import { stripCommentsAndStrings, validateWorkflowSource } from "../run.mjs";
+
+let passed = 0;
+let failed = 0;
+
+function test(name, fn) {
+  try {
+    fn();
+    passed++;
+    console.log(`  ✓ ${name}`);
+  } catch (err) {
+    failed++;
+    console.log(`  ✗ ${name}`);
+    console.log(`    ${err.message}`);
+  }
+}
+
+function assertEqual(actual, expected, msg = "") {
+  if (actual !== expected) {
+    throw new Error(`${msg}\n    Expected: ${JSON.stringify(expected)}\n    Got: ${JSON.stringify(actual)}`);
+  }
+}
+
+function assertNoThrow(fn, msg = "") {
+  try {
+    fn();
+  } catch (err) {
+    throw new Error(`${msg} - Unexpected error: ${err.message}`);
+  }
+}
+
+function assertThrows(fn, msg = "") {
+  try {
+    fn();
+    throw new Error(`${msg} - Expected to throw but did not`);
+  } catch (err) {
+    if (err.message.includes("Expected to throw")) throw err;
+  }
+}
+
+console.log("\n=== stripCommentsAndStrings ===\n");
+
+test("strips single-line comments", () => {
+  const input = 'const x = 1; // process is here';
+  const result = stripCommentsAndStrings(input);
+  assertEqual(result.includes("process"), false, "Should strip comment");
+  assertEqual(result.includes("const x = 1;"), true, "Should keep code");
+});
+
+test("strips multi-line comments", () => {
+  const input = 'const x = 1; /* process\n is here */ const y = 2;';
+  const result = stripCommentsAndStrings(input);
+  assertEqual(result.includes("process"), false, "Should strip comment");
+  assertEqual(result.includes("const x = 1;"), true, "Should keep code before");
+  assertEqual(result.includes("const y = 2;"), true, "Should keep code after");
+});
+
+test("strips double-quoted strings", () => {
+  const input = 'log("process completed");';
+  const result = stripCommentsAndStrings(input);
+  assertEqual(result.includes("process"), false, "Should strip string");
+  assertEqual(result.includes("log"), true, "Should keep function name");
+});
+
+test("strips single-quoted strings", () => {
+  const input = "log('process completed');";
+  const result = stripCommentsAndStrings(input);
+  assertEqual(result.includes("process"), false, "Should strip string");
+});
+
+test("strips template literals but keeps expressions", () => {
+  const input = 'const x = `prefix ${process.env} suffix`;';
+  const result = stripCommentsAndStrings(input);
+  assertEqual(result.includes("prefix"), false, "Should strip literal text");
+  assertEqual(result.includes("suffix"), false, "Should strip literal text");
+  assertEqual(result.includes("process"), true, "Should keep expression code");
+});
+
+test("handles escaped quotes", () => {
+  const input = 'const x = "hello \\"process\\" world";';
+  const result = stripCommentsAndStrings(input);
+  assertEqual(result.includes("process"), false, "Should strip escaped content");
+});
+
+test("handles regex literals", () => {
+  const input = 'const re = /process/g;';
+  const result = stripCommentsAndStrings(input);
+  assertEqual(result.includes("process"), false, "Should strip regex content");
+  assertEqual(result.includes("const re ="), true, "Should keep assignment");
+});
+
+test("preserves actual code", () => {
+  const input = 'const process = {}; process.start();';
+  const result = stripCommentsAndStrings(input);
+  assertEqual(result.includes("process"), true, "Should keep actual code");
+});
+
+console.log("\n=== validateWorkflowSource ===\n");
+
+// Cases that should PASS (false positives we're fixing)
+const passCases = [
+  ['log("process completed")', "string with process"],
+  ['// process this data', "comment with process"],
+  ["/* process */", "block comment with process"],
+  ['const x = "require this"', "string with require"],
+  ['`processing ${data}`', "template literal with process text"],
+  ['const re = /process/', "regex with process"],
+  ['obj.process.start()', "property named process"],
+  ['log("use fetch API")', "string with fetch"],
+  ['// import something', "comment with import"],
+  ['const msg = "eval this"', "string with eval"],
+];
+
+for (const [code, desc] of passCases) {
+  test(`passes: ${desc}`, () => {
+    assertNoThrow(() => validateWorkflowSource(code), desc);
+  });
+}
+
+// Cases that should FAIL (real violations)
+const failCases = [
+  ['process.exit()', "actual process access"],
+  ['require("fs")', "actual require call"],
+  ['import fs from "fs"', "static import"],
+  ['import("fs")', "dynamic import"],
+  ['eval("code")', "eval call"],
+  ['new Function("code")', "Function constructor"],
+  ['fetch("url")', "fetch call"],
+  ['const { exit } = process', "process destructuring"],
+  ['child_process.spawn()', "child_process access"],
+  ['WebAssembly.compile()', "WebAssembly access"],
+];
+
+for (const [code, desc] of failCases) {
+  test(`blocks: ${desc}`, () => {
+    assertThrows(() => validateWorkflowSource(code), desc);
+  });
+}
+
+// Edge cases
+console.log("\n=== Edge Cases ===\n");
+
+test("handles nested template expressions", () => {
+  const input = 'const x = `outer ${inner ? `nested ${process}` : "no"} end`;';
+  const result = stripCommentsAndStrings(input);
+  assertEqual(result.includes("process"), true, "Should keep nested expression");
+});
+
+test("handles empty strings", () => {
+  assertNoThrow(() => validateWorkflowSource('const x = "";'));
+});
+
+test("handles complex workflow", () => {
+  const workflow = `
+    // This workflow processes data
+    workflow = async () => {
+      const msg = "Processing started";
+      log(msg);
+      const result = await t.someApiCall({ query: "process" });
+      /* Multi-line
+         comment about process */
+      return { ok: true, data: "process complete" };
+    };
+  `;
+  assertNoThrow(() => validateWorkflowSource(workflow), "Complex workflow should pass");
+});
+
+test("blocks process even with tricky formatting", () => {
+  assertThrows(() => validateWorkflowSource('process\n.exit()'), "newline between process and method");
+});
+
+test("allowUnsafe option bypasses validation", () => {
+  assertNoThrow(() => validateWorkflowSource('process.exit()', { allowUnsafe: true }));
+});
+
+// Review-identified edge cases
+console.log("\n=== Review Edge Cases (Critical/Major fixes) ===\n");
+
+test("CRITICAL: brace in string inside template expression doesn't break parsing", () => {
+  // This was bypassing the scanner because "}" inside the string closed braceDepth
+  const code = 'const x = `${"}"}` + process.exit()';
+  assertThrows(() => validateWorkflowSource(code), "Should still catch process.exit()");
+});
+
+test("CRITICAL: brace bypass attempt with actual dangerous code", () => {
+  const code = '`${"}" + process.exit()}`';
+  assertThrows(() => validateWorkflowSource(code), "Should catch process in expression");
+});
+
+test("MAJOR: strings inside template expressions are stripped", () => {
+  // String "process" inside ${} should not cause false positive
+  const code = '`${log("process finished")}`';
+  assertNoThrow(() => validateWorkflowSource(code), "String in template expr should be stripped");
+});
+
+test("MAJOR: comments inside template expressions are stripped", () => {
+  const code = '`${/*process*/ 42}`';
+  assertNoThrow(() => validateWorkflowSource(code), "Comment in template expr should be stripped");
+});
+
+test("MAJOR: regex after return is detected", () => {
+  const code = 'return /process/';
+  const result = stripCommentsAndStrings(code);
+  assertEqual(result.includes("process"), false, "Regex after return should be stripped");
+});
+
+test("MAJOR: regex after case is detected", () => {
+  const code = 'case /process/: break;';
+  const result = stripCommentsAndStrings(code);
+  assertEqual(result.includes("process"), false, "Regex after case should be stripped");
+});
+
+test("MAJOR: regex after throw is detected", () => {
+  const code = 'throw /process/';
+  const result = stripCommentsAndStrings(code);
+  assertEqual(result.includes("process"), false, "Regex after throw should be stripped");
+});
+
+test("MAJOR: regex after typeof is detected", () => {
+  const code = 'typeof /process/';
+  const result = stripCommentsAndStrings(code);
+  assertEqual(result.includes("process"), false, "Regex after typeof should be stripped");
+});
+
+test("handles regex with character class containing slash", () => {
+  const code = 'const re = /[/]/';
+  const result = stripCommentsAndStrings(code);
+  assertEqual(result.includes("const re ="), true, "Should parse regex with char class");
+});
+
+test("deeply nested template with dangerous code is caught", () => {
+  const code = '`outer ${`inner ${process.exit()}`}`';
+  assertThrows(() => validateWorkflowSource(code), "Nested template with process should fail");
+});
+
+test("safe deeply nested template passes", () => {
+  const code = '`outer ${`inner ${"process"}`}`';
+  assertNoThrow(() => validateWorkflowSource(code), "Nested template with string should pass");
+});
+
+// Summary
+console.log(`\n${"=".repeat(40)}`);
+console.log(`Results: ${passed} passed, ${failed} failed`);
+console.log("=".repeat(40) + "\n");
+
+if (failed > 0) {
+  process.exit(1);
+}

package/templates/skills/droid-mode/lib/config.mjs

@@ -3,9 +3,29 @@ import path from "node:path";
 import os from "node:os";
 import { findProjectRoot, readJsonFileIfExists, redactEnvForDisplay } from "./util.mjs";
 
+// Module-level cache for mcp.json configs (invalidated by mtime changes)
+let _configCache = null;
+
+function getMtime(filePath) {
+  if (!filePath) return null;
+  try {
+    return fs.statSync(filePath).mtimeMs;
+  } catch {
+    return null;
+  }
+}
+
+function isCacheValid() {
+  if (!_configCache) return false;
+  const projectMtime = getMtime(_configCache.projectPath);
+  const userMtime = getMtime(_configCache.userPath);
+  return projectMtime === _configCache.projectMtime && userMtime === _configCache.userMtime;
+}
+
 /**
  * Read project and user mcp.json, merge according to Factory's layering rules:
  * - user servers override project servers with the same name
+ * - Results are cached and invalidated when file mtimes change
  * @returns {{
  *   projectPath: string|null,
  *   userPath: string,
@@ -15,6 +35,10 @@ import { findProjectRoot, readJsonFileIfExists, redactEnvForDisplay } from "./ut
  * }}
  */
 export function loadMcpConfigs() {
+  if (isCacheValid()) {
+    return _configCache.result;
+  }
+
   const projectRoot = findProjectRoot();
   const projectPath = projectRoot ? path.join(projectRoot, ".factory", "mcp.json") : null;
   const userPath = path.join(os.homedir(), ".factory", "mcp.json");
@@ -26,7 +50,17 @@ export function loadMcpConfigs() {
   const userServers = (user && user.mcpServers) || {};
 
   const merged = { ...projectServers, ...userServers };
-  return { projectPath, userPath, project, user, mergedServers: merged };
+  const result = { projectPath, userPath, project, user, mergedServers: merged };
+
+  _configCache = {
+    projectPath,
+    userPath,
+    projectMtime: getMtime(projectPath),
+    userMtime: getMtime(userPath),
+    result,
+  };
+
+  return result;
 }
 
 /**

package/templates/skills/droid-mode/lib/daemon.mjs

@@ -9,6 +9,7 @@ import { getDaemonPaths, findProjectRoot, getRunDir } from "./util.mjs";
 
 const IDLE_TIMEOUT_MS = parseInt(process.env.DM_DAEMON_IDLE_MS || "600000", 10); // 10 minutes default
 const MAX_CONNECTIONS = 50;
+const WARM_CONCURRENCY = 4; // Max parallel server warm operations
 
 // Daemon paths are set via env vars from client, or computed from cwd
 function resolveDaemonConfig() {
@@ -114,13 +115,18 @@ class ConnectionPool {
     const warmed = [];
     const failed = [];
 
-    // Warm in parallel with concurrency limit
-    const results = await Promise.allSettled(
-      toWarm.map(async (name) => {
-        const success = await this.warmServer(name);
-        return { name, success };
-      })
-    );
+    // Warm in batches with concurrency limit
+    const results = [];
+    for (let i = 0; i < toWarm.length; i += WARM_CONCURRENCY) {
+      const batch = toWarm.slice(i, i + WARM_CONCURRENCY);
+      const batchResults = await Promise.allSettled(
+        batch.map(async (name) => {
+          const success = await this.warmServer(name);
+          return { name, success };
+        })
+      );
+      results.push(...batchResults);
+    }
 
     for (const result of results) {
       if (result.status === "fulfilled" && result.value.success) {

package/templates/skills/droid-mode/lib/run.mjs

@@ -6,28 +6,261 @@ import { nowIsoCompact, sha256Hex, uniqueSafeToolMap, ensureDir, getDroidModeDat
 /**
  * Static, best-effort disallow list for sandboxed workflows.
  * This is not meant to be perfect security; it is intended to prevent accidental escalation.
+ * The vm sandbox is the real security boundary - these checks provide clearer error messages.
  */
 const DEFAULT_BANNED_PATTERNS = [
   /\brequire\s*\(/,
   /\bimport\s+/,
-  /\bimport\s*\(/,          // dynamic import
-  /\bprocess\b/,
+  /\bimport\s*\(/,
+  /(?<![.])process\b/,       // process but not .process (property access is ok)
   /\bchild_process\b/,
-  /node:(?:fs|http|https|net)\b/,  // Node built-in modules (allows plain URLs)
-  /\bfetch\b/,
+  /node:(?:fs|http|https|net)\b/,
+  /(?<![.])fetch\b/,         // fetch but not .fetch (property access is ok)
   /\beval\s*\(/,
   /\bFunction\s*\(/,
   /\bWebAssembly\b/,
 ];
 
+/**
+ * Check if we're in a regex-allowed context by looking at the last meaningful token.
+ * Returns true if a `/` at this position would start a regex literal, not division.
+ * @param {string} codeSoFar - Code processed so far (with literals stripped)
+ * @returns {boolean}
+ */
+function isRegexContext(codeSoFar) {
+  const trimmed = codeSoFar.trimEnd();
+  if (!trimmed) return true;
+  
+  // Check for keywords that precede regex (return /x/, case /x/:, throw /x/, etc.)
+  const keywordMatch = trimmed.match(/\b(return|case|throw|typeof|void|delete|in|instanceof|new|else|do)\s*$/);
+  if (keywordMatch) return true;
+  
+  // Check for operators and punctuation that precede regex
+  const lastChar = trimmed.slice(-1);
+  return ["=", "(", ",", "[", "!", "&", "|", ":", ";", "{", "}", "?", "\n", "+", "-", "*", "%", "<", ">", "~", "^"].includes(lastChar);
+}
+
+/**
+ * Extract a template expression ${...} handling nested braces, strings, and templates correctly.
+ * @param {string} source - Full source
+ * @param {number} start - Position of the `$` in `${`
+ * @returns {{ content: string, endIndex: number }} - Expression content and position after closing `}`
+ */
+function extractTemplateExpression(source, start) {
+  let i = start + 2; // Skip `${`
+  let content = "";
+  let braceDepth = 1;
+  const len = source.length;
+  
+  while (i < len && braceDepth > 0) {
+    // Handle nested template literals
+    if (source[i] === "`") {
+      content += "`";
+      i++;
+      while (i < len && source[i] !== "`") {
+        if (source[i] === "$" && source[i + 1] === "{") {
+          const nested = extractTemplateExpression(source, i);
+          content += "${" + nested.content + "}";
+          i = nested.endIndex;
+        } else if (source[i] === "\\") {
+          content += source.slice(i, i + 2);
+          i += 2;
+        } else {
+          content += source[i];
+          i++;
+        }
+      }
+      if (i < len) {
+        content += "`";
+        i++;
+      }
+      continue;
+    }
+    
+    // Handle strings inside expression (so } inside strings don't count)
+    if (source[i] === '"' || source[i] === "'") {
+      const quote = source[i];
+      content += quote;
+      i++;
+      while (i < len && source[i] !== quote) {
+        if (source[i] === "\\") {
+          content += source.slice(i, i + 2);
+          i += 2;
+        } else {
+          content += source[i];
+          i++;
+        }
+      }
+      if (i < len) {
+        content += quote;
+        i++;
+      }
+      continue;
+    }
+    
+    // Handle comments
+    if (source[i] === "/" && source[i + 1] === "/") {
+      while (i < len && source[i] !== "\n") {
+        content += source[i];
+        i++;
+      }
+      continue;
+    }
+    if (source[i] === "/" && source[i + 1] === "*") {
+      content += "/*";
+      i += 2;
+      while (i < len && !(source[i] === "*" && source[i + 1] === "/")) {
+        content += source[i];
+        i++;
+      }
+      if (i < len) {
+        content += "*/";
+        i += 2;
+      }
+      continue;
+    }
+    
+    // Track braces
+    if (source[i] === "{") braceDepth++;
+    else if (source[i] === "}") braceDepth--;
+    
+    if (braceDepth > 0) {
+      content += source[i];
+      i++;
+    }
+  }
+  
+  return { content, endIndex: i + 1 }; // +1 to skip the closing `}`
+}
+
+/**
+ * Strip comments and string literals from source code to avoid false positives
+ * when scanning for banned patterns. Replaces content with whitespace to preserve positions.
+ * Template expressions ${...} are recursively processed to strip their literals too.
+ * @param {string} source
+ * @returns {string}
+ */
+export function stripCommentsAndStrings(source) {
+  let result = "";
+  let i = 0;
+  const len = source.length;
+
+  while (i < len) {
+    // Single-line comment
+    if (source[i] === "/" && source[i + 1] === "/") {
+      const start = i;
+      i += 2;
+      while (i < len && source[i] !== "\n") i++;
+      result += " ".repeat(i - start);
+      continue;
+    }
+
+    // Multi-line comment
+    if (source[i] === "/" && source[i + 1] === "*") {
+      const start = i;
+      i += 2;
+      while (i < len && !(source[i] === "*" && source[i + 1] === "/")) i++;
+      i += 2;
+      result += " ".repeat(i - start);
+      continue;
+    }
+
+    // Template literal (backtick) - preserve ${...} expressions but strip their literals
+    if (source[i] === "`") {
+      result += " ";
+      i++;
+      while (i < len && source[i] !== "`") {
+        if (source[i] === "$" && source[i + 1] === "{") {
+          const expr = extractTemplateExpression(source, i);
+          // Recursively strip literals from the expression content
+          const strippedExpr = stripCommentsAndStrings(expr.content);
+          result += "${" + strippedExpr + "}";
+          i = expr.endIndex;
+        } else if (source[i] === "\\") {
+          result += "  ";
+          i += 2;
+        } else {
+          result += " ";
+          i++;
+        }
+      }
+      if (i < len) {
+        result += " ";
+        i++;
+      }
+      continue;
+    }
+
+    // Double-quoted string
+    if (source[i] === '"') {
+      const start = i;
+      i++;
+      while (i < len && source[i] !== '"') {
+        if (source[i] === "\\") i++;
+        i++;
+      }
+      i++;
+      result += " ".repeat(i - start);
+      continue;
+    }
+
+    // Single-quoted string
+    if (source[i] === "'") {
+      const start = i;
+      i++;
+      while (i < len && source[i] !== "'") {
+        if (source[i] === "\\") i++;
+        i++;
+      }
+      i++;
+      result += " ".repeat(i - start);
+      continue;
+    }
+
+    // Regex literal - detect using context analysis
+    if (source[i] === "/" && i > 0 && source[i + 1] !== "/" && source[i + 1] !== "*") {
+      if (isRegexContext(result)) {
+        const start = i;
+        i++;
+        while (i < len && source[i] !== "/") {
+          if (source[i] === "\\") i++;
+          if (source[i] === "[") {
+            // Character class - / doesn't end regex here
+            i++;
+            while (i < len && source[i] !== "]") {
+              if (source[i] === "\\") i++;
+              i++;
+            }
+          }
+          i++;
+        }
+        i++;
+        // Skip flags
+        while (i < len && /[gimsuy]/.test(source[i])) i++;
+        result += " ".repeat(i - start);
+        continue;
+      }
+    }
+
+    result += source[i];
+    i++;
+  }
+
+  return result;
+}
+
 /**
  * @param {string} source
  * @param {{ allowUnsafe?: boolean }} opts
  */
 export function validateWorkflowSource(source, opts = {}) {
   if (opts.allowUnsafe) return;
+  
+  // Strip comments and strings to avoid false positives like log("process completed")
+  const codeOnly = stripCommentsAndStrings(source);
+  
   for (const re of DEFAULT_BANNED_PATTERNS) {
-    if (re.test(source)) {
+    if (re.test(codeOnly)) {
       throw new Error(
         `Workflow source contains a disallowed pattern (${re}).\n` +
           `This runner executes workflows in a restricted sandbox; ` +

package/templates/skills/droid-mode/lib/tool_index.mjs

@@ -1,19 +1,40 @@
 import path from "node:path";
 import { getDroidModeDataDir, readJsonFileIfExists, writeJson, serverNameToDirName } from "./util.mjs";
 
+const DEFAULT_MAX_PAGES = 100;
+const DEFAULT_MAX_TOOLS = 1000;
+
 /**
  * @param {import("./mcp_client.mjs").McpClient} client
+ * @param {{ maxPages?: number, maxTools?: number }} opts
+ * @returns {Promise<{ tools: any[], truncated: boolean, truncationReason?: string }>}
  */
-export async function fetchAllTools(client) {
+export async function fetchAllTools(client, opts = {}) {
+  const maxPages = opts.maxPages ?? DEFAULT_MAX_PAGES;
+  const maxTools = opts.maxTools ?? DEFAULT_MAX_TOOLS;
   const tools = [];
   let cursor = undefined;
-  for (let i = 0; i < 10_000; i++) {
+  let truncated = false;
+  let truncationReason;
+
+  for (let i = 0; i < maxPages; i++) {
     const res = await client.listTools({ cursor, timeoutMs: 60_000 });
     if (Array.isArray(res?.tools)) tools.push(...res.tools);
     cursor = res?.nextCursor;
+
+    if (tools.length >= maxTools) {
+      truncated = true;
+      truncationReason = `max_tools (${maxTools})`;
+      break;
+    }
     if (!cursor) break;
+    if (i === maxPages - 1 && cursor) {
+      truncated = true;
+      truncationReason = `max_pages (${maxPages})`;
+    }
   }
-  return tools;
+
+  return { tools, truncated, truncationReason };
 }
 
 /**
@@ -43,7 +64,7 @@ export async function getToolsCached(opts) {
 
   // Refresh
   await opts.client.init();
-  const tools = await fetchAllTools(opts.client);
+  const { tools, truncated, truncationReason } = await fetchAllTools(opts.client);
   const payload = {
     fetchedAt: new Date().toISOString(),
     serverName: opts.serverName,
@@ -51,6 +72,9 @@ export async function getToolsCached(opts) {
     protocolVersion: opts.client.negotiatedProtocolVersion,
     serverInfo: opts.client.serverInfo,
     capabilities: opts.client.serverCapabilities,
+    truncated,
+    truncationReason,
+    toolCount: tools.length,
     tools,
   };
   writeJson(cacheFile, payload);