fast-context-skill 0.1.0

package/src/core.mjs

@@ -0,0 +1,2246 @@
+/**
+ * Windsurf Fast Context — core protocol implementation (Node.js).
+ *
+ * Reverse-engineered Windsurf SWE-grep Connect-RPC/Protobuf protocol
+ * for standalone AI-driven semantic code search.
+ *
+ * Flow:
+ *   query + tree → Windsurf Devstral API
+ *   → Devstral returns tool_calls (rg/readfile/tree/ls/glob, up to 8 parallel)
+ *   → execute locally → send results back → repeat for N rounds
+ *   → ANSWER: file paths + line ranges + suggested rg patterns
+ */
+
+import { readdirSync, existsSync, statSync, readFileSync } from "node:fs";
+import { resolve, join, relative, sep, isAbsolute, extname } from "node:path";
+import { execFileSync } from "node:child_process";
+import { gzipSync } from "node:zlib";
+import { randomUUID } from "node:crypto";
+import { platform, arch, release, version as osVersion, hostname, cpus, totalmem } from "node:os";
+import treeNodeCli from "tree-node-cli";
+
+import {
+  ProtobufEncoder,
+  extractStrings,
+  connectFrameEncode,
+  connectFrameDecode,
+} from "./protobuf.mjs";
+import { ToolExecutor } from "./executor.mjs";
+import { rgPath } from "@vscode/ripgrep";
+import { extractKey } from "./extract-key.mjs";
+import { scoreDirectories, tokenize as tokenizeBM25 } from "./directory-scorer.mjs";
+
+// ─── Error Classification ──────────────────────────────────
+
+/**
+ * Classified error for fetch failures with structured error codes.
+ */
+class FastContextError extends Error {
+  /**
+   * @param {string} message
+   * @param {string} code - TIMEOUT | PAYLOAD_TOO_LARGE | RATE_LIMITED | AUTH_ERROR | SERVER_ERROR | NETWORK_ERROR
+   * @param {Object} [details]
+   */
+  constructor(message, code, details = {}) {
+    super(message);
+    this.name = "FastContextError";
+    this.code = code;
+    this.details = details;
+  }
+}
+
+/**
+ * Classify a raw fetch/HTTP error into a FastContextError.
+ * @param {Error} err
+ * @returns {FastContextError}
+ */
+function _classifyError(err) {
+  if (err instanceof FastContextError) return err;
+
+  // HTTP status-based classification
+  if (err.status) {
+    const s = err.status;
+    if (s === 413) return new FastContextError(err.message, "PAYLOAD_TOO_LARGE", { status: s });
+    if (s === 429) return new FastContextError(err.message, "RATE_LIMITED", { status: s });
+    if (s === 401 || s === 403) return new FastContextError(err.message, "AUTH_ERROR", { status: s });
+    return new FastContextError(err.message, "SERVER_ERROR", { status: s });
+  }
+
+  // Timeout (AbortSignal.timeout throws AbortError or TimeoutError)
+  if (err.name === "AbortError" || err.name === "TimeoutError" || /timeout/i.test(err.message)) {
+    return new FastContextError(err.message, "TIMEOUT");
+  }
+
+  // Everything else is a network-level issue
+  return new FastContextError(err.message, "NETWORK_ERROR");
+}
+
+// ─── Protocol Constants ────────────────────────────────────
+
+const API_BASE = "https://server.self-serve.windsurf.com/exa.api_server_pb.ApiServerService";
+const AUTH_BASE = "https://server.self-serve.windsurf.com/exa.auth_pb.AuthService";
+const WS_APP = "windsurf";
+const WS_APP_VER = process.env.WS_APP_VER || "1.48.2";
+const WS_LS_VER = process.env.WS_LS_VER || "1.9544.35";
+const WS_MODEL = process.env.WS_MODEL || "MODEL_SWE_1_6_FAST";
+const DEBUG_MODE = process.env.FAST_CONTEXT_DEBUG === "1" || process.env.FAST_CONTEXT_DEBUG === "true";
+
+// Default excludes — directories/patterns that are almost never source code.
+// Aligned with Windsurf fast-search guidance + ace-tool-rs defaults.
+// Users can add more via the exclude_paths parameter; these are always applied.
+const DEFAULT_EXCLUDE_PATHS = [
+  // 依赖目录
+  "node_modules",
+  "vendor",
+  ".venv",
+  "venv",
+  // 版本控制
+  ".git",
+  ".svn",
+  ".hg",
+  // 构建输出
+  "dist",
+  "build",
+  "out",
+  "target",
+  ".next",
+  ".nuxt",
+  ".output",
+  // 缓存
+  "__pycache__",
+  ".cache",
+  ".pytest_cache",
+  // 压缩/混淆产物
+  "*.min.*",
+  // 常见无关目录
+  "coverage",
+  ".idea",
+  ".vscode",
+];
+
+// Repo-map optimization defaults (tunable via MCP params).
+const REPO_MAP_OPTIMIZER_DEFAULTS = {
+  mode: "bootstrap_hotspot", // classic | bootstrap_hotspot
+  bootstrapTreeDepth: 1,
+  hotspotTopK: 4,
+  hotspotTreeDepth: 2,
+  maxBytes: 120 * 1024,
+};
+
+function _mergeExcludePaths(excludePaths = []) {
+  const merged = [...DEFAULT_EXCLUDE_PATHS];
+  for (const p of excludePaths || []) {
+    if (typeof p === "string" && p && !merged.includes(p)) {
+      merged.push(p);
+    }
+  }
+  return merged;
+}
+
+function _expandExcludeGlobsForRg(pattern) {
+  if (typeof pattern !== "string") return [];
+  const normalized = pattern.trim().replace(/\\/g, "/");
+  if (!normalized) return [];
+  const expanded = [normalized];
+  if (!normalized.startsWith("**/") && !normalized.startsWith("/")) {
+    expanded.push(`**/${normalized}`);
+  }
+  return [...new Set(expanded)];
+}
+
+// ─── System Prompt Template ────────────────────────────────
+
+const SYSTEM_PROMPT_TEMPLATE = `You are an expert software engineer, responsible for providing context \
+to another engineer to solve a code issue in the current codebase. \
+The user will present you with a description of the issue, and it is \
+your job to provide a series of file paths with associated line ranges \
+that contain ALL the information relevant to understand and correctly \
+address the issue.
+
+# IMPORTANT:
+- A relevant file does not mean only the files that must be modified to \
+solve the task. It means any file that contains information relevant to \
+planning and implementing the fix, such as the definitions of classes \
+and functions that are relevant to the pieces of code that will have to \
+be modified.
+- You should include enough context around the relevant lines to allow \
+the engineer to understand the task correctly. You must include ENTIRE \
+semantic blocks (functions, classes, definitions, etc). For example:
+If addressing the issue requires modifying a method within a class, then \
+you should include the entire class definition, not just the lines around \
+the method we want to modify.
+- NEVER truncate these blocks unless they are very large (hundreds of \
+lines or more, in which case providing only a relevant portion of the \
+block is acceptable).
+- Your job is to essentially alleviate the job of the other engineer by \
+giving them a clean starting context from which to start working. More \
+precisely, you should minimize the number of files the engineer has to \
+read to understand and solve the task correctly (while not providing \
+irrelevant code snippets).
+
+# ENVIRONMENT
+- Working directory: /codebase. Make sure to run commands in this \
+directory, not \`.
+- Tool access: use the restricted_exec tool ONLY
+- Allowed sub-commands (schema-enforced):
+  - rg: Search for patterns in files using ripgrep
+    - Required: pattern (string), path (string)
+    - Optional: include (array of globs), exclude (array of globs)
+  - readfile: Read contents of a file with optional line range
+    - Required: file (string)
+    - Optional: start_line (int), end_line (int) — 1-indexed, inclusive
+  - tree: Display directory structure as a tree
+    - Required: path (string)
+    - Optional: levels (int)
+  - ls: List files in a directory
+    - Required: path (string)
+    - Optional: long_format (bool), all (bool)
+  - glob: Find files matching a glob pattern
+    - Required: pattern (string), path (string)
+    - Optional: type_filter (file|directory|all)
+
+# THINKING RULES
+- Think step-by-step. Plan, reason, and reflect before each tool call.
+- Use tool calls liberally and purposefully to ground every conclusion \
+in real code, not assumptions.
+- If a command fails, rethink and try something different; do not \
+complain to the user.
+- AVOID REDUNDANT SEARCHES: Do not search for the same pattern multiple \
+times with slightly different paths or excludes. One well-targeted search \
+is better than multiple overlapping ones.
+- PRIORITIZE READING over searching: Once you find a file path, read it \
+directly instead of searching for more variations of the same pattern.
+
+# FAST-SEARCH DEFAULTS (optimize rg/tree on large repos)
+- Start NARROW, then widen only if needed. Prefer searching likely code \
+roots first (e.g., \`src/\`, \`lib/\`, \`app/\`, \`packages/\`, \`services/\`) \
+instead of \`/codebase\`.
+- Prefer fixed-string search for literals: escape patterns or keep regex \
+simple. Use smart case; avoid case-insensitive unless necessary.
+- Prefer file-type filters and globs (in include) over full-repo scans.
+- Default EXCLUDES for speed (apply via the exclude array): \
+node_modules, .git, dist, build, coverage, .venv, venv, target, out, \
+.cache, __pycache__, vendor, deps, third_party, logs, data, *.min.*
+- Skip huge files where possible; when opening files, prefer reading \
+only relevant ranges with readfile.
+- Limit directory traversal with tree levels to quickly orient before \
+deeper inspection.
+
+# SOME EXAMPLES OF WORKFLOWS
+- MAP – Use \`tree\` with small levels; \`rg\` on likely roots to grasp \
+structure and hotspots.
+- ANCHOR – \`rg\` for problem keywords and anchor symbols; restrict by \
+language globs via include.
+- TRACE – Follow imports with targeted \`rg\` in narrowed roots; open \
+files with \`readfile\` scoped to entire semantic blocks.
+- VERIFY – Confirm each candidate path exists by reading or additional \
+searches; drop false positives (tests, vendored, generated) unless they \
+must change.
+
+# TOOL USE GUIDELINES
+- You must use a SINGLE restricted_exec call in your answer, that lets \
+you execute at most {max_commands} commands in a single turn. Each command must be \
+an object with a \`type\` field of \`rg\`, \`readfile\`, or \`tree\` and the appropriate fields for that type.
+- Example restricted_exec usage:
+[TOOL_CALLS]restricted_exec[ARGS]{{
+  "command1": {{
+    "type": "rg",
+    "pattern": "Controller",
+    "path": "/codebase/slime",
+    "include": ["**/*.py"],
+    "exclude": ["**/node_modules/**", "**/.git/**", "**/dist/**", \
+"**/build/**", "**/.venv/**", "**/__pycache__/**"]
+  }},
+  "command2": {{
+    "type": "readfile",
+    "file": "/codebase/slime/train.py",
+    "start_line": 1,
+    "end_line": 200
+  }},
+  "command3": {{
+    "type": "tree",
+    "path": "/codebase/slime/",
+    "levels": 2
+  }}
+}}
+- You have at most {max_turns} turns to interact with the environment by calling \
+tools, so issuing multiple commands at once is necessary and encouraged \
+to speed up your research.
+- Each command result may be truncated to 50 lines; prefer multiple \
+targeted reads/searches to build complete context.
+- DO NOT EVER USE MORE THAN {max_commands} commands in a single turn, or you will \
+be penalized.
+
+# ANSWER FORMAT (strict format, including tags)
+- You will output an XML structure with a root element "ANSWER" \
+containing "file" elements. Each "file" element will have a "path" \
+attribute and contain "range" elements.
+- You will output this as your final response.
+- The line ranges must be inclusive.
+
+Output example inside the "answer" tool argument:
+<ANSWER>
+  <file path="/codebase/info_theory/formulas/entropy.py">
+    <range>10-60</range>
+    <range>150-210</range>
+  </file>
+  <file path="/codebase/info_theory/data_structures/bits.py">
+    <range>1-40</range>
+    <range>110-170</range>
+  </file>
+</ANSWER>
+
+
+Remember: Prefer narrow, fixed-string, and type-filtered searches with \
+aggressive excludes and size/depth limits. Widen scope only as needed. \
+Use the restricted tools available to you, and output your answer in \
+exactly the specified format.
+
+# NO RESULTS POLICY
+If after thorough searching you are confident that NO relevant files exist \
+for the given query (e.g., the function/class/concept does not exist in the \
+codebase), you MUST return an empty ANSWER:
+<ANSWER></ANSWER>
+Do NOT return irrelevant files (such as entry points or config files) just \
+to provide some output. An empty answer is always better than a misleading one.
+
+# RESULT COUNT
+Aim to return at most {max_results} files in your answer. Focus on the most \
+relevant files first. If fewer files are relevant, return fewer.
+`;
+
+const FINAL_FORCE_ANSWER =
+  "You have no turns left. Now you MUST provide your final ANSWER, even if it's not complete.";
+
+const BOOTSTRAP_PROMPT_TEMPLATE = `You are a bootstrap planning agent for codebase hotspot discovery.
+Your ONLY goal is to discover high-signal search keywords and hotspot directories for a later full search phase.
+
+# OUTPUT CONTRACT
+- Use the restricted_exec tool ONLY.
+- Prefer rg + tree commands. Avoid deep readfile unless absolutely necessary.
+- Do NOT output final <ANSWER> for code fixes in this phase.
+- Keep commands focused and broad enough to identify likely relevant modules quickly.
+
+# TOOL BUDGET
+- You have at most {max_turns} turns.
+- You may use up to {max_commands} commands per turn.
+
+# STRATEGY
+1) Start from the provided mini repo map.
+2) Use targeted rg patterns derived from the user problem.
+3) Use tree on likely top-level directories to identify hotspots.
+4) Stop once you have enough keyword and hotspot coverage for phase-2.
+`;
+
+/**
+ * Smart trim accumulated messages to reduce payload size.
+ *
+ * Why this is needed:
+ * - Proto size grows quickly across turns (messages + tool results).
+ * - Keeping only the last N messages naively may drop the tool-call ↔ tool-result
+ *   linkage (tool_call_id/ref_call_id) and remove useful progress context.
+ *
+ * Strategy:
+ * - Keep system prompt (index 0).
+ * - Keep user problem statement, but compact the repo map when trimming.
+ * - Keep the latest tool-call + tool-result pair (plus any trailing prompts).
+ * - Insert a compact progress summary so the model doesn't lose the thread.
+ *
+ * @param {Array} messages
+ * @param {Object} [state]
+ * @param {string} [state.query]
+ * @param {string[]} [state.recentFiles]
+ * @param {string[]} [state.recentPatterns]
+ * @param {Array<{type:string, desc:string}>} [state.recentCommands]
+ * @param {number} [state.turn]
+ * @returns {boolean} true if messages were actually trimmed/compacted
+ */
+function _trimMessages(messages, state = {}) {
+  if (!Array.isArray(messages) || messages.length < 2) return false;
+
+  const systemMsg = messages[0];
+  const userMsg = messages[1];
+
+  const truncateToolResultsPreserve = (text, maxPerBlock = 4000, maxTotal = 20000) => {
+    if (typeof text !== "string" || text.length <= maxTotal) return text;
+    const re = /<(command\d+)_result>\n([\s\S]*?)\n<\/\1_result>/g;
+    let m;
+    const parts = [];
+    let matched = false;
+    while ((m = re.exec(text)) !== null) {
+      matched = true;
+      const key = m[1];
+      let body = m[2] || "";
+      if (body.length > maxPerBlock) {
+        body = body.slice(0, maxPerBlock) + "\n...[truncated]...";
+      }
+      parts.push(`<${key}_result>\n${body}\n</${key}_result>`);
+      if (parts.join("").length > maxTotal) break;
+    }
+    if (!matched) {
+      return text.slice(0, maxTotal) + "\n...[tool results truncated]...";
+    }
+    const out = parts.join("");
+    return out.length <= maxTotal ? out : out.slice(0, maxTotal) + "\n...[tool results truncated]...";
+  };
+
+  // Find the most recent tool-result message and its matching tool-call message (if present).
+  let lastToolResultIdx = -1;
+  let refId = null;
+  for (let i = messages.length - 1; i >= 0; i--) {
+    const m = messages[i];
+    if (m && m.role === 4 && typeof m.ref_call_id === "string" && m.ref_call_id) {
+      lastToolResultIdx = i;
+      refId = m.ref_call_id;
+      break;
+    }
+  }
+
+  let lastToolCallIdx = -1;
+  if (refId) {
+    for (let i = lastToolResultIdx - 1; i >= 0; i--) {
+      const m = messages[i];
+      if (m && m.role === 2 && m.tool_call_id === refId) {
+        lastToolCallIdx = i;
+        break;
+      }
+    }
+  }
+
+  // Tail: keep tool-call + tool-result pair, plus anything after it (e.g., force-answer).
+  let tailStart = -1;
+  if (lastToolResultIdx !== -1) {
+    tailStart = lastToolCallIdx !== -1 ? lastToolCallIdx : Math.max(2, lastToolResultIdx - 1);
+  } else {
+    // No tool results yet: keep the last few messages only.
+    tailStart = Math.max(2, messages.length - 4);
+  }
+  const tail = messages.slice(tailStart);
+
+  // Compact the user message (repo map) when trimming, since it's usually the largest chunk.
+  let compactedUser = userMsg;
+  let didCompactUser = false;
+  if (userMsg && typeof userMsg.content === "string" && userMsg.content.includes("Repo Map")) {
+    const q =
+      (typeof state.query === "string" && state.query) ||
+      userMsg.content.match(/Problem Statement:\s*([^\n]+)/)?.[1]?.trim() ||
+      "";
+    const compact = `Problem Statement: ${q}\n\nRepo Map: (omitted to reduce payload). Use tree/rg to explore structure if needed.`;
+    if (compact.length < userMsg.content.length) {
+      compactedUser = { ...userMsg, content: compact };
+      didCompactUser = true;
+    }
+  }
+
+  // Build a compact progress summary to preserve important context across trims.
+  const recentCommands = Array.isArray(state.recentCommands) ? state.recentCommands : [];
+  const recentFiles = Array.isArray(state.recentFiles) ? state.recentFiles : [];
+  const recentPatterns = Array.isArray(state.recentPatterns) ? state.recentPatterns : [];
+  const turnNote = Number.isInteger(state.turn) ? ` turn=${state.turn}` : "";
+
+  const summaryLines = [
+    `[Context trimmed to reduce payload size.${turnNote}]`,
+    recentCommands.length ? `recent_commands: ${recentCommands.slice(-6).map((c) => c.desc).join(" | ")}` : "",
+    recentFiles.length ? `recent_files: ${recentFiles.slice(-12).join(", ")}` : "",
+    recentPatterns.length ? `rg_patterns: ${recentPatterns.slice(-20).join(", ")}` : "",
+    "Continue from the most recent tool results kept below.",
+  ].filter(Boolean);
+
+  const summaryMsg = { role: 1, content: summaryLines.join("\n") };
+
+  // If trimming doesn't actually reduce anything, bail.
+  // We consider it "useful" if we either compact the user message or drop history.
+  const willDropHistory = tailStart > 2;
+  if (!didCompactUser && !willDropHistory) return false;
+
+  // Reduce oversized assistant/tool messages in the tail to avoid immediate re-overflow.
+  for (const m of tail) {
+    if (m && typeof m.content === "string") {
+      if (m.role === 2 && m.content.length > 8000) {
+        m.content = m.content.slice(0, 8000) + "\n...[assistant content truncated]...";
+      }
+      if (m.role === 4 && m.content.length > 20000) {
+        m.content = truncateToolResultsPreserve(m.content, 4000, 20000);
+      }
+    }
+  }
+
+  messages.length = 0;
+  messages.push(systemMsg);
+  // Avoid duplicating user message if it's already within the kept tail.
+  if (tailStart > 1) {
+    messages.push(compactedUser);
+  }
+  messages.push(summaryMsg, ...tail);
+  return true;
+}
+
+/**
+ * @param {number} maxTurns
+ * @param {number} maxCommands
+ * @param {number} maxResults
+ * @returns {string}
+ */
+function buildSystemPrompt(maxTurns = 3, maxCommands = 8, maxResults = 10) {
+  return SYSTEM_PROMPT_TEMPLATE
+    .replaceAll("{max_turns}", String(maxTurns))
+    .replaceAll("{max_commands}", String(maxCommands))
+    .replaceAll("{max_results}", String(maxResults));
+}
+
+function buildBootstrapPrompt(maxTurns = 2, maxCommands = 6) {
+  return BOOTSTRAP_PROMPT_TEMPLATE
+    .replaceAll("{max_turns}", String(maxTurns))
+    .replaceAll("{max_commands}", String(maxCommands));
+}
+
+function _extractTopDirFromCodebasePath(path = "") {
+  const p = String(path || "").replace(/\\/g, "/");
+  if (!p.startsWith("/codebase")) return null;
+  const rel = p.replace(/^\/codebase\/?/, "");
+  if (!rel) return null;
+  return rel.split("/")[0] || null;
+}
+
+async function _runBootstrapPhase({
+  query,
+  projectRoot,
+  apiKey,
+  jwt,
+  timeoutMs,
+  excludePaths,
+  bootstrapTreeDepth,
+  bootstrapMaxTurns,
+  bootstrapMaxCommands,
+  onProgress,
+}) {
+  const log = (msg) => onProgress?.(`[bootstrap] ${msg}`);
+  const hints = { rgPatterns: [], hotDirs: [] };
+
+  try {
+    const { tree: miniMap, depth } = getRepoMap(projectRoot, bootstrapTreeDepth, excludePaths);
+    const systemPrompt = buildBootstrapPrompt(bootstrapMaxTurns, bootstrapMaxCommands);
+    const userContent = `Problem Statement: ${query}\n\nRepo Map (tree -L ${depth} /codebase):\n\`\`\`text\n${miniMap}\n\`\`\``;
+
+    const messages = [
+      { role: 5, content: systemPrompt },
+      { role: 1, content: userContent },
+    ];
+
+    const toolDefs = getToolDefinitions(bootstrapMaxCommands);
+    const executor = new ToolExecutor(projectRoot);
+
+    for (let turn = 0; turn < bootstrapMaxTurns; turn++) {
+      log(`Turn ${turn + 1}/${bootstrapMaxTurns}`);
+      const proto = _buildRequest(apiKey, jwt, messages, toolDefs);
+      let respData;
+      try {
+        respData = await _streamingRequest(proto, timeoutMs);
+      } catch (e) {
+        log(`request failed: ${e.code || "UNKNOWN"}`);
+        break;
+      }
+
+      const [thinking, toolInfo] = _parseResponse(respData);
+      if (!toolInfo) break;
+
+      const [toolName, toolArgs] = toolInfo;
+      if (toolName !== "restricted_exec") break;
+
+      const callId = randomUUID();
+      const argsJson = JSON.stringify(toolArgs);
+      const cmds = Object.keys(toolArgs).filter((k) => k.startsWith("command"));
+
+      for (const cmdKey of cmds) {
+        const cmd = toolArgs[cmdKey];
+        if (!cmd || typeof cmd !== "object") continue;
+        if (cmd.type === "rg" && typeof cmd.pattern === "string" && cmd.pattern) {
+          hints.rgPatterns.push(cmd.pattern);
+        }
+        if (cmd.type === "tree" && typeof cmd.path === "string") {
+          const top = _extractTopDirFromCodebasePath(cmd.path);
+          if (top) hints.hotDirs.push(top);
+        }
+      }
+
+      const results = await executor.execToolCallAsync(toolArgs);
+      messages.push({
+        role: 2,
+        content: thinking,
+        tool_call_id: callId,
+        tool_name: "restricted_exec",
+        tool_args_json: argsJson,
+      });
+      messages.push({ role: 4, content: results, ref_call_id: callId });
+    }
+  } catch {
+    // Bootstrap is best-effort. Fall back silently.
+  }
+
+  return {
+    rgPatterns: [...new Set(hints.rgPatterns)].slice(-30),
+    hotDirs: [...new Set(hints.hotDirs)].slice(-12),
+  };
+}
+
+// ─── Tool Schema ───────────────────────────────────────────
+
+function _buildCommandSchema(n) {
+  return {
+    type: "object",
+    description: `Command ${n} to execute. Must be one of: rg, readfile, or tree.`,
+    oneOf: [
+      {
+        properties: {
+          type: { type: "string", const: "rg", description: "Search for patterns in files using ripgrep." },
+          pattern: { type: "string", description: "The regex pattern to search for." },
+          path: { type: "string", description: "The path to search in." },
+          include: { type: "array", items: { type: "string" }, description: "File patterns to include." },
+          exclude: { type: "array", items: { type: "string" }, description: "File patterns to exclude." },
+        },
+        required: ["type", "pattern", "path"],
+      },
+      {
+        properties: {
+          type: { type: "string", const: "readfile", description: "Read contents of a file with optional line range." },
+          file: { type: "string", description: "Path to the file to read." },
+          start_line: { type: "integer", description: "Starting line number (1-indexed)." },
+          end_line: { type: "integer", description: "Ending line number (1-indexed)." },
+        },
+        required: ["type", "file"],
+      },
+      {
+        properties: {
+          type: { type: "string", const: "tree", description: "Display directory structure as a tree." },
+          path: { type: "string", description: "Path to the directory." },
+          levels: { type: "integer", description: "Number of directory levels." },
+        },
+        required: ["type", "path"],
+      },
+      {
+        properties: {
+          type: { type: "string", const: "ls", description: "List files in a directory." },
+          path: { type: "string", description: "Path to the directory." },
+          long_format: { type: "boolean" },
+          all: { type: "boolean" },
+        },
+        required: ["type", "path"],
+      },
+      {
+        properties: {
+          type: { type: "string", const: "glob", description: "Find files matching a glob pattern." },
+          pattern: { type: "string" },
+          path: { type: "string" },
+          type_filter: { type: "string", enum: ["file", "directory", "all"] },
+        },
+        required: ["type", "pattern", "path"],
+      },
+    ],
+  };
+}
+
+/**
+ * @param {number} maxCommands
+ * @returns {string}
+ */
+function getToolDefinitions(maxCommands = 8) {
+  const props = {};
+  for (let i = 1; i <= maxCommands; i++) {
+    props[`command${i}`] = _buildCommandSchema(i);
+  }
+  const tools = [
+    {
+      type: "function",
+      function: {
+        name: "restricted_exec",
+        description: "Execute restricted commands (rg, readfile, tree, ls, glob) in parallel.",
+        parameters: { type: "object", properties: props, required: ["command1"] },
+      },
+    },
+    {
+      type: "function",
+      function: {
+        name: "answer",
+        description: "Final answer with relevant files and line ranges.",
+        parameters: {
+          type: "object",
+          properties: { answer: { type: "string", description: "The final answer in XML format." } },
+          required: ["answer"],
+        },
+      },
+    },
+  ];
+  return JSON.stringify(tools);
+}
+
+// ─── Credentials ───────────────────────────────────────────
+
+/**
+ * 判断从本地提取的 key 是否可接受。
+ * 不对前缀做假设：Windsurf 历史上用过 sk-ws-，后改为 devin-session-token，未来可能再变。
+ * extractKey 已精确取自 windsurfAuthStatus.apiKey 字段，故非空即接受。
+ * @param {unknown} key
+ * @returns {boolean}
+ */
+export function isAcceptableApiKey(key) {
+  return typeof key === "string" && key.trim().length > 0;
+}
+
+/**
+ * 检测手动传入的 key 是否疑似被截断。
+ *
+ * 背景：当前 Windsurf key 格式为 `devin-session-token$<JWT>`，真正的凭证是 `$`
+ * 之后那段 JWT。`$` 在 shell / 配置加载器（如 Codex 的 TOML env）中会触发变量展开，
+ * 导致 `$eyJ...` 被当作未定义变量替换为空——key 退化成 `devin-session-token`（或带个
+ * 光秃秃的 `$`），服务端换 JWT 时返回 HTTP 401 invalid api key（已实测证实）。
+ *
+ * 判定规则：以 devin-session-token 开头，但缺少 `$` 之后的 JWT 主体（eyJ 开头）。
+ * @param {unknown} key
+ * @returns {boolean} true 表示疑似被截断
+ */
+export function looksTruncated(key) {
+  if (typeof key !== "string") return false;
+  const k = key.trim();
+  if (!k.startsWith("devin-session-token")) return false;
+  // 完整形态：devin-session-token$<JWT>，$ 后应有 eyJ 开头的 JWT
+  const dollarIdx = k.indexOf("$");
+  if (dollarIdx === -1) return true;          // 完全没有 $ —— 被吃光了
+  const afterDollar = k.slice(dollarIdx + 1);
+  return !afterDollar.startsWith("eyJ");      // 有 $ 但后面不是 JWT —— 残缺
+}
+
+async function autoDiscoverApiKey() {
+  try {
+    const result = await extractKey();
+    if (isAcceptableApiKey(result.api_key)) {
+      return result.api_key;
+    }
+  } catch {
+    // Extraction failed
+  }
+  return null;
+}
+
+/**
+ * Get API key from env var or auto-discovery.
+ *
+ * 优先级：
+ * 1. 环境变量 WINDSURF_API_KEY —— 但若检测到疑似被 `$` 转义截断，则不信任它，
+ *    自动回退到本地 SQLite 提取完整 key（用户无需改配置即可自愈）。
+ * 2. 自动发现（从 Windsurf 本地 SQLite 读取完整 key）。
+ * @returns {Promise<string>}
+ */
+async function getApiKey() {
+  const envKey = process.env.WINDSURF_API_KEY;
+
+  if (envKey) {
+    if (looksTruncated(envKey)) {
+      // env 里的 key 疑似被 shell/$ 展开截断，尝试从本地完整提取救回
+      process.stderr.write(
+        `[fast-context] WARNING: WINDSURF_API_KEY looks truncated (length ${envKey.length}, ` +
+        `missing the JWT after '$'). This usually means the '$' was eaten by shell/config ` +
+        `variable expansion. Falling back to auto-discovery from Windsurf's local database...\n`
+      );
+      const recovered = await autoDiscoverApiKey();
+      if (recovered) {
+        process.stderr.write(
+          `[fast-context] Recovered full key from local Windsurf install (length ${recovered.length}).\n`
+        );
+        return recovered;
+      }
+      // 回退也失败：仍用 env key 试（让服务端给出真实错误），但已告警
+      process.stderr.write(
+        `[fast-context] Auto-discovery failed; proceeding with the (likely truncated) env key. ` +
+        `Expect HTTP 401. Fix: remove WINDSURF_API_KEY and rely on auto-discovery, or single-quote / escape '$'.\n`
+      );
+    }
+    return envKey;
+  }
+
+  const discovered = await autoDiscoverApiKey();
+  if (discovered) return discovered;
+  throw new Error(
+    "Windsurf API Key not found. Set WINDSURF_API_KEY env var or ensure Windsurf is logged in. " +
+    "Run extract-key.mjs to see extraction methods."
+  );
+}
+
+// ─── JWT Cache ──────────────────────────────────────────────
+
+/** @type {Map<string, { token: string, expiresAt: number }>} */
+const _jwtCache = new Map();
+
+/**
+ * Decode JWT payload and extract expiration time.
+ * @param {string} jwt
+ * @returns {number} expiration timestamp in seconds
+ */
+function _getJwtExp(jwt) {
+  try {
+    const parts = jwt.split(".");
+    if (parts.length < 2) return 0;
+    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf-8"));
+    return payload.exp || 0;
+  } catch {
+    return 0;
+  }
+}
+
+/**
+ * Get a cached or fresh JWT token.
+ * Refreshes when token expires or is within 60s of expiration.
+ * @param {string} apiKey
+ * @returns {Promise<string>}
+ */
+async function getCachedJwt(apiKey, timeoutMs = 30000) {
+  const now = Math.floor(Date.now() / 1000);
+  const cached = _jwtCache.get(apiKey);
+  if (cached && cached.expiresAt > now + 60) return cached.token;
+  const token = await fetchJwt(apiKey, timeoutMs);
+  const exp = _getJwtExp(token);
+  _jwtCache.set(apiKey, { token, expiresAt: exp || now + 3600 });
+  return token;
+}
+
+// ─── TLS Fallback ──────────────────────────────────────────
+// Match Python's SSL fallback: if NODE_TLS_REJECT_UNAUTHORIZED is not set
+// and the first fetch fails with a TLS error, disable cert verification.
+let _tlsFallbackApplied = false;
+
+function _applyTlsFallback() {
+  if (!_tlsFallbackApplied && !process.env.NODE_TLS_REJECT_UNAUTHORIZED) {
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+    _tlsFallbackApplied = true;
+    process.stderr.write(
+      "[fast-context] WARNING: TLS certificate verification disabled due to connection failure. " +
+      "Set NODE_TLS_REJECT_UNAUTHORIZED=0 explicitly to suppress this warning.\n"
+    );
+  }
+}
+
+// ─── Network Layer ─────────────────────────────────────────
+
+/**
+ * Standard unary HTTP POST with proto content type.
+ * @param {string} url
+ * @param {Buffer} protoBytes
+ * @param {boolean} [compress=true]
+ * @returns {Promise<Buffer>}
+ */
+async function _unaryRequest(url, protoBytes, compress = true, timeoutMs = 30000) {
+  const headers = {
+    "Content-Type": "application/proto",
+    "Connect-Protocol-Version": "1",
+    "User-Agent": "connect-go/1.18.1 (go1.25.5)",
+    "Accept-Encoding": "gzip",
+  };
+
+  let body;
+  if (compress) {
+    body = gzipSync(protoBytes);
+    headers["Content-Encoding"] = "gzip";
+  } else {
+    body = protoBytes;
+  }
+
+  const doFetch = () => fetch(url, {
+    method: "POST",
+    headers,
+    body,
+    signal: AbortSignal.timeout(Number.isFinite(timeoutMs) ? timeoutMs : 30000),
+  });
+
+  let resp;
+  try {
+    resp = await doFetch();
+  } catch (e) {
+    // TLS or network error — try with cert verification disabled
+    _applyTlsFallback();
+    try {
+      resp = await doFetch();
+    } catch (e2) {
+      throw _classifyError(e2);
+    }
+  }
+
+  if (!resp.ok) {
+    const err = new Error(`HTTP ${resp.status}`);
+    err.status = resp.status;
+    throw _classifyError(err);
+  }
+
+  const arrayBuf = await resp.arrayBuffer();
+  return Buffer.from(arrayBuf);
+}
+
+/**
+ * Connect-RPC streaming POST to GetDevstralStream with retry.
+ * @param {Buffer} protoBytes
+ * @param {number} [timeoutMs=30000]
+ * @param {number} [maxRetries=2]
+ * @returns {Promise<Buffer>}
+ */
+async function _streamingRequest(protoBytes, timeoutMs = 30000, maxRetries = 2) {
+  const frame = connectFrameEncode(protoBytes);
+  const url = `${API_BASE}/GetDevstralStream`;
+  const traceId = randomUUID().replace(/-/g, "");
+  const spanId = randomUUID().replace(/-/g, "").slice(0, 16);
+  const baseTimeoutMs = Number.isFinite(timeoutMs) ? timeoutMs : 30000;
+  const abortMs = baseTimeoutMs + 5000;
+
+  const headers = {
+    "Content-Type": "application/connect+proto",
+    "Connect-Protocol-Version": "1",
+    "Connect-Accept-Encoding": "gzip",
+    "Connect-Content-Encoding": "gzip",
+    "Connect-Timeout-Ms": String(baseTimeoutMs),
+    "User-Agent": "connect-go/1.18.1 (go1.25.5)",
+    "Accept-Encoding": "identity",
+    "Baggage": `sentry-release=language-server-windsurf@${WS_LS_VER},` +
+      `sentry-environment=stable,sentry-sampled=false,` +
+      `sentry-trace_id=${traceId},` +
+      `sentry-public_key=b813f73488da69eedec534dba1029111`,
+    "Sentry-Trace": `${traceId}-${spanId}-0`,
+  };
+
+  const doFetch = () => fetch(url, {
+    method: "POST",
+    headers,
+    body: frame,
+    signal: AbortSignal.timeout(abortMs),
+  });
+
+  let lastErr;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      let resp;
+      try {
+        resp = await doFetch();
+      } catch (e) {
+        if (attempt === 0) {
+          _applyTlsFallback();
+          resp = await doFetch();
+        } else {
+          throw e;
+        }
+      }
+
+      if (!resp.ok) {
+        const err = new Error(`HTTP ${resp.status}`);
+        err.status = resp.status;
+        // Don't retry on 4xx client errors (except 429)
+        if (resp.status >= 400 && resp.status < 500 && resp.status !== 429) {
+          throw err;
+        }
+        lastErr = err;
+        if (attempt < maxRetries) {
+          await new Promise((r) => setTimeout(r, 1000 * (attempt + 1)));
+          continue;
+        }
+        throw err;
+      }
+
+      const arrayBuf = await resp.arrayBuffer();
+      return Buffer.from(arrayBuf);
+    } catch (e) {
+      lastErr = e;
+      // Don't retry on 4xx client errors (except 429)
+      if (e.status && e.status >= 400 && e.status < 500 && e.status !== 429) {
+        throw _classifyError(e);
+      }
+      if (attempt < maxRetries) {
+        await new Promise((r) => setTimeout(r, 1000 * (attempt + 1)));
+        continue;
+      }
+    }
+  }
+  throw _classifyError(lastErr);
+}
+
+/**
+ * Authenticate with API key to get JWT token.
+ * @param {string} apiKey
+ * @returns {Promise<string>}
+ */
+async function fetchJwt(apiKey, timeoutMs = 30000) {
+  const meta = new ProtobufEncoder();
+  meta.writeString(1, WS_APP);
+  meta.writeString(2, WS_APP_VER);
+  meta.writeString(3, apiKey);
+  meta.writeString(4, "zh-cn");
+  meta.writeString(7, WS_LS_VER);
+  meta.writeString(12, WS_APP);
+  meta.writeBytes(30, Buffer.from([0x00, 0x01]));
+
+  const outer = new ProtobufEncoder();
+  outer.writeMessage(1, meta);
+
+  const resp = await _unaryRequest(`${AUTH_BASE}/GetUserJwt`, outer.toBuffer(), false, timeoutMs);
+  for (const s of extractStrings(resp)) {
+    if (s.startsWith("eyJ") && s.includes(".")) {
+      return s;
+    }
+  }
+  throw new Error("Failed to extract JWT from GetUserJwt response");
+}
+
+/**
+ * Check rate limit. Returns true if OK, false if rate-limited.
+ * @param {string} apiKey
+ * @param {string} jwt
+ * @returns {Promise<boolean>}
+ */
+async function checkRateLimit(apiKey, jwt, timeoutMs = 30000) {
+  const req = new ProtobufEncoder();
+  req.writeMessage(1, _buildMetadata(apiKey, jwt));
+  req.writeString(3, WS_MODEL);
+
+  try {
+    await _unaryRequest(`${API_BASE}/CheckUserMessageRateLimit`, req.toBuffer(), true, timeoutMs);
+    return true;
+  } catch (e) {
+    if (e.status === 429 || e.code === "RATE_LIMITED") return false;
+    return true; // Don't block on network issues
+  }
+}
+
+// ─── Request Building ──────────────────────────────────────
+
+/**
+ * Build protobuf metadata with app info, system info, JWT, etc.
+ * @param {string} apiKey
+ * @param {string} jwt
+ * @returns {ProtobufEncoder}
+ */
+function _buildMetadata(apiKey, jwt) {
+  const meta = new ProtobufEncoder();
+  meta.writeString(1, WS_APP);
+  meta.writeString(2, WS_APP_VER);
+  meta.writeString(3, apiKey);
+  meta.writeString(4, "zh-cn");
+
+  const plat = platform();
+  const sysInfo = {
+    Os: plat,
+    Arch: arch(),
+    Release: release(),
+    Version: osVersion(),
+    Machine: arch(),
+    Nodename: hostname(),
+    Sysname: plat === "darwin" ? "Darwin" : plat === "win32" ? "Windows_NT" : "Linux",
+    ProductVersion: "",
+  };
+  meta.writeString(5, JSON.stringify(sysInfo));
+  meta.writeString(7, WS_LS_VER);
+
+  const cpuList = cpus();
+  const ncpu = cpuList.length || 4;
+  const mem = totalmem();
+  const cpuInfo = {
+    NumSockets: 1,
+    NumCores: ncpu,
+    NumThreads: ncpu,
+    VendorID: "",
+    Family: "0",
+    Model: "0",
+    ModelName: cpuList[0]?.model || "Unknown",
+    Memory: mem,
+  };
+  meta.writeString(8, JSON.stringify(cpuInfo));
+  meta.writeString(12, WS_APP);
+  meta.writeString(21, jwt);
+  meta.writeBytes(30, Buffer.from([0x00, 0x01]));
+  return meta;
+}
+
+/**
+ * Build a chat message protobuf.
+ * @param {number} role - 1=user, 2=assistant, 4=tool_result, 5=system
+ * @param {string} content
+ * @param {Object} [opts]
+ * @param {string} [opts.toolCallId]
+ * @param {string} [opts.toolName]
+ * @param {string} [opts.toolArgsJson]
+ * @param {string} [opts.refCallId]
+ * @returns {ProtobufEncoder}
+ */
+function _buildChatMessage(role, content, opts = {}) {
+  const msg = new ProtobufEncoder();
+  msg.writeVarint(2, role);
+  msg.writeString(3, content);
+
+  if (opts.toolCallId && opts.toolName && opts.toolArgsJson) {
+    const tc = new ProtobufEncoder();
+    tc.writeString(1, opts.toolCallId);
+    tc.writeString(2, opts.toolName);
+    tc.writeString(3, opts.toolArgsJson);
+    msg.writeMessage(6, tc);
+  }
+
+  if (opts.refCallId) {
+    msg.writeString(7, opts.refCallId);
+  }
+
+  return msg;
+}
+
+/**
+ * Build a full request with metadata, messages, and tool definitions.
+ * @param {string} apiKey
+ * @param {string} jwt
+ * @param {Array} messages
+ * @param {string} toolDefs
+ * @returns {Buffer}
+ */
+function _buildRequest(apiKey, jwt, messages, toolDefs) {
+  const req = new ProtobufEncoder();
+  req.writeMessage(1, _buildMetadata(apiKey, jwt));
+
+  for (const m of messages) {
+    const msgEnc = _buildChatMessage(m.role, m.content, {
+      toolCallId: m.tool_call_id,
+      toolName: m.tool_name,
+      toolArgsJson: m.tool_args_json,
+      refCallId: m.ref_call_id,
+    });
+    req.writeMessage(2, msgEnc);
+  }
+
+  req.writeString(3, toolDefs);
+  return req.toBuffer();
+}
+
+// ─── Response Parsing ──────────────────────────────────────
+
+/**
+ * Strip invalid UTF-8 bytes from a Buffer → clean string.
+ * Matches Python's bytes.decode("utf-8", errors="ignore").
+ * @param {Buffer} buf
+ * @returns {string}
+ */
+function stripInvalidUtf8(buf) {
+  return buf.toString("utf-8").replace(/\ufffd/g, "");
+}
+
+/**
+ * Parse tool call from [TOOL_CALLS]name[ARGS]{json} format.
+ * @param {string} text
+ * @returns {[string, string, Object]|null} [thinking, name, args] or null
+ */
+function _parseToolCall(text) {
+  text = text.replace(/<\/s>/g, "");
+  const m = text.match(/\[TOOL_CALLS\](\w+)\[ARGS\](\{.+)/s);
+  if (!m) return null;
+
+  const name = m[1];
+  const raw = m[2].trim();
+
+  // Find matching closing brace
+  let depth = 0;
+  let end = 0;
+  for (let i = 0; i < raw.length; i++) {
+    if (raw[i] === "{") depth++;
+    else if (raw[i] === "}") {
+      depth--;
+      if (depth === 0) {
+        end = i + 1;
+        break;
+      }
+    }
+  }
+  if (end === 0) end = raw.length;
+
+  let args;
+  const jsonCandidate = raw.slice(0, end);
+  try {
+    args = JSON.parse(jsonCandidate);
+  } catch {
+    // Attempt lenient fix: unquoted keys like  exclude":  →  "exclude":
+    try {
+      const fixed = jsonCandidate.replace(/([{,]\s*)(\w+)\s*:/g, '$1"$2":');
+      args = JSON.parse(fixed);
+    } catch {
+      return null;
+    }
+  }
+
+  const thinking = text.slice(0, m.index).trim();
+  return [thinking, name, args];
+}
+
+/**
+ * Parse streaming response: decode frames, extract text, parse tool calls.
+ * @param {Buffer} data
+ * @returns {[string, [string, Object]|null]} [text, toolInfo]
+ */
+function _parseResponse(data) {
+  const frames = connectFrameDecode(data);
+  let allText = "";
+
+  for (const frameData of frames) {
+    // Check for error JSON
+    try {
+      const textCandidate = frameData.toString("utf-8");
+      if (textCandidate.startsWith("{")) {
+        const errObj = JSON.parse(textCandidate);
+        if (errObj.error) {
+          const code = errObj.error.code || "unknown";
+          const msg = errObj.error.message || "";
+          return [`[Error] ${code}: ${msg}`, null];
+        }
+      }
+    } catch {
+      // Not JSON, continue
+    }
+
+    // Extract text from frame — strip invalid UTF-8 (matches Python errors="ignore")
+    const rawText = stripInvalidUtf8(frameData);
+    if (rawText.includes("[TOOL_CALLS]")) {
+      allText = rawText;
+      break;
+    }
+
+    for (const s of extractStrings(frameData)) {
+      if (s.length > 10) {
+        allText += s;
+      }
+    }
+  }
+
+  const parsed = _parseToolCall(allText);
+  if (parsed) {
+    const [thinking, name, args] = parsed;
+    return [thinking, [name, args]];
+  }
+  return [allText, null];
+}
+
+// ─── Core Search ───────────────────────────────────────────
+
+// Max safe tree size in bytes (server payload limit ~346KB, fixed overhead ~26KB,
+// leave room for conversation accumulation across rounds)
+const MAX_TREE_BYTES = 250 * 1024;
+
+/**
+ * Convert an exclude pattern (directory/file name or simple glob) to RegExp
+ * for tree-node-cli's exclude option.
+ * @param {string} pattern - e.g. "node_modules", "dist", "*.min.*"
+ * @returns {RegExp}
+ */
+function _excludePatternToRegex(pattern) {
+  if (!/[*?]/.test(pattern)) {
+    // Simple name — match basename or any path segment. tree-node-cli tests
+    // full paths, so exact basename matching alone misses nested directories.
+    const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    return new RegExp(`(^|[\\\\/])${escaped}($|[\\\\/])`);
+  }
+  // Glob → regex
+  let regex = "^";
+  for (const c of pattern) {
+    if (c === "*") regex += ".*";
+    else if (c === "?") regex += ".";
+    else if (".+^${}()|[]\\".includes(c)) regex += "\\" + c;
+    else regex += c;
+  }
+  regex += "$";
+  return new RegExp(regex);
+}
+
+/**
+ * Count files in a directory (non-recursive, fast estimate).
+ * @param {string} dir
+ * @returns {number}
+ */
+function _countFilesQuick(dir) {
+  try {
+    return readdirSync(dir).length;
+  } catch {
+    return 0;
+  }
+}
+
+/**
+ * Estimate project size and suggest optimal tree depth.
+ * - Small project (< 500 entries): depth 4
+ * - Medium project (500-5000 entries): depth 3
+ * - Large project (> 5000 entries): depth 2
+ * @param {string} projectRoot
+ * @returns {number}
+ */
+function _suggestTreeDepth(projectRoot) {
+  const count = _countFilesQuick(projectRoot);
+  if (count < 500) return 4;
+  if (count <= 5000) return 3;
+  return 2;
+}
+
+function _normalizeTreeRoot(treeStr, absRoot, virtualRoot = "/codebase") {
+  const rootPattern = new RegExp(absRoot.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"), "g");
+  let out = String(treeStr || "").replace(rootPattern, virtualRoot);
+  const lines = out.split("\n");
+  const dirName = absRoot.split("/").pop() || absRoot.split("\\").pop() || absRoot;
+  if (lines[0] === dirName) {
+    lines[0] = virtualRoot;
+    out = lines.join("\n");
+  }
+  return out;
+}
+
+/**
+ * Get a directory tree of the project with adaptive depth fallback.
+ *
+ * Tries the requested depth first. If the tree output exceeds MAX_TREE_BYTES,
+ * automatically falls back to lower depths until it fits.
+ *
+ * @param {string} projectRoot
+ * @param {number} [targetDepth=3] - Desired tree depth (0-6), 0 means auto
+ * @param {string[]} [excludePaths=[]] - Patterns to exclude from tree
+ * @returns {{ tree: string, depth: number, sizeBytes: number, fellBack: boolean, autoDepth: boolean }}
+ */
+export function getRepoMap(projectRoot, targetDepth = 3, excludePaths = []) {
+  // Auto depth: if targetDepth is 0, use heuristic
+  const autoDepth = targetDepth === 0;
+  if (autoDepth) {
+    targetDepth = _suggestTreeDepth(projectRoot);
+  }
+  const excludeRegexes = excludePaths.length ? excludePaths.map(_excludePatternToRegex) : [];
+
+  for (let L = targetDepth; L >= 1; L--) {
+    try {
+      const opts = { maxDepth: L };
+      if (excludeRegexes.length) opts.exclude = excludeRegexes;
+      const stdout = treeNodeCli(projectRoot, opts);
+      // Normalize root to /codebase consistently.
+      let treeStr = _normalizeTreeRoot(stdout, projectRoot, "/codebase");
+      const sizeBytes = Buffer.byteLength(treeStr, "utf-8");
+
+      if (sizeBytes <= MAX_TREE_BYTES) {
+        return { tree: treeStr, depth: L, sizeBytes, fellBack: L < targetDepth, autoDepth };
+      }
+      // Too large, try lower depth
+    } catch {
+      // tree failed at this level, try lower
+    }
+  }
+
+  // Ultimate fallback: simple ls (also respects excludePaths)
+  try {
+    let entries = readdirSync(projectRoot).sort();
+    if (excludeRegexes.length) {
+      entries = entries.filter((e) => !excludeRegexes.some((rx) => rx.test(e)));
+    }
+    const treeStr = ["/codebase", ...entries.map((e) => `├── ${e}`)].join("\n");
+    return { tree: treeStr, depth: 0, sizeBytes: Buffer.byteLength(treeStr, "utf-8"), fellBack: true, autoDepth };
+  } catch {
+    const treeStr = "/codebase\n(empty or inaccessible)";
+    return { tree: treeStr, depth: 0, sizeBytes: treeStr.length, fellBack: true, autoDepth };
+  }
+}
+
+function _tokenizeQuery(query = "") {
+  return [...new Set(
+    String(query)
+      .toLowerCase()
+      .split(/[^a-z0-9_\-]+/)
+      .map((t) => t.trim())
+      .filter((t) => t.length >= 3)
+  )];
+}
+
+function _scoreTopLevelDir(dirName, queryTokens = []) {
+  const name = String(dirName || "").toLowerCase();
+  let score = 0;
+
+  const commonRoots = ["src", "app", "lib", "packages", "services", "server", "backend", "frontend", "api"];
+  if (commonRoots.includes(name)) score += 2;
+
+  for (const token of queryTokens) {
+    if (name.includes(token)) score += 4;
+  }
+
+  return score;
+}
+
+function _listTopLevelDirs(projectRoot, excludePaths = []) {
+  const excludeRegexes = excludePaths.length ? excludePaths.map(_excludePatternToRegex) : [];
+  const out = [];
+  let entries = [];
+  try {
+    entries = readdirSync(projectRoot).sort();
+  } catch {
+    return out;
+  }
+
+  for (const e of entries) {
+    if (excludeRegexes.some((rx) => rx.test(e))) continue;
+    const abs = join(projectRoot, e);
+    try {
+      if (statSync(abs).isDirectory()) out.push(e);
+    } catch {
+      // ignore
+    }
+  }
+  return out;
+}
+
+function _buildSubtreeForDir(projectRoot, dir, levels = 2, excludePaths = []) {
+  const abs = join(projectRoot, dir);
+  const vRoot = `/codebase/${dir}`;
+  try {
+    const opts = { maxDepth: levels };
+    const excludeRegexes = excludePaths.length ? excludePaths.map(_excludePatternToRegex) : [];
+    if (excludeRegexes.length) opts.exclude = excludeRegexes;
+    const stdout = treeNodeCli(abs, opts);
+    return _normalizeTreeRoot(stdout, abs, vRoot);
+  } catch {
+    return `${vRoot}\n  (failed to generate subtree)`;
+  }
+}
+
+export function buildOptimizedRepoMap({
+  query,
+  projectRoot,
+  treeDepth,
+  excludePaths,
+  optimizer = {},
+  bootstrapHints = null,
+  onProgress = null,
+}) {
+  const log = (msg) => onProgress?.(msg);
+  const cfg = { ...REPO_MAP_OPTIMIZER_DEFAULTS, ...(optimizer || {}) };
+  if (cfg.mode === "classic") {
+    const base = getRepoMap(projectRoot, treeDepth, excludePaths);
+    return {
+      ...base,
+      strategy: "classic",
+      hotDirs: [],
+    };
+  }
+
+  const bootstrapDepth = Math.max(1, Math.min(3, Number(cfg.bootstrapTreeDepth) || 1));
+  const rawHotspotTopK = Number(cfg.hotspotTopK);
+  const hotspotTopK = Math.max(0, Math.min(8, Number.isFinite(rawHotspotTopK) ? rawHotspotTopK : 4));
+  const cfgHotspotDepth = Math.max(1, Math.min(4, Number(cfg.hotspotTreeDepth) || 2));
+  // 用户的 treeDepth 提升 hotspot subtree 深度，避免参数被静默忽略
+  const hotspotTreeDepth = treeDepth > cfgHotspotDepth ? Math.min(4, treeDepth) : cfgHotspotDepth;
+  const maxBytes = Math.max(16 * 1024, Number(cfg.maxBytes) || REPO_MAP_OPTIMIZER_DEFAULTS.maxBytes);
+
+  const bootstrap = getRepoMap(projectRoot, bootstrapDepth, excludePaths);
+  const topDirs = _listTopLevelDirs(projectRoot, excludePaths);
+
+  // Extract keywords from bootstrap hints (rgPatterns)
+  const keywords = bootstrapHints?.rgPatterns || [];
+
+  // Use BM25F + Probe + RRF for directory scoring
+  // This replaces the old token-based scoring + commonRoots approach
+  let hotDirs = [];
+  let pathSpines = [];
+  if (hotspotTopK === 0) {
+    log("Hotspot directory expansion disabled (hotspotTopK=0)");
+  } else try {
+    const results = scoreDirectories(query, projectRoot, topDirs, excludePaths, {
+      topK: hotspotTopK,
+      useProbe: true, // Enable probe grep signal
+      keywords, // Bootstrap keywords
+      minReturn: 2, // Always return at least 2 directories for coverage
+    });
+    hotDirs = results.hotDirs;
+    pathSpines = results.pathSpines;
+    log(`BM25F scoring: hotDirs=[${hotDirs.join(",")}] pathSpines=${pathSpines.length} signals=${JSON.stringify(results.signals)}`);
+  } catch (e) {
+    // Lightweight fallback: use quick scoring without commonRoots
+    log(`BM25F failed, using quick token scoring: ${e.message}`);
+    const queryTerms = tokenizeBM25(query);
+    const scored = topDirs.map((d) => {
+      const dirTerms = tokenizeBM25(d);
+      let score = 0;
+      for (const qt of queryTerms) {
+        if (dirTerms.some(dt => dt.includes(qt) || qt.includes(dt))) score += 1;
+      }
+      return { dir: d, score };
+    }).sort((a, b) => b.score - a.score);
+
+    // Always return at least topK directories (no score > 0 filter)
+    hotDirs = scored.slice(0, hotspotTopK).map((x) => x.dir);
+    if (hotDirs.length === 0) hotDirs = topDirs.slice(0, hotspotTopK);
+    log(`Quick scoring fallback: ${hotDirs.join(",")}`);
+  }
+
+  const hotspotSections = [];
+  for (const d of hotDirs) {
+    hotspotSections.push(_buildSubtreeForDir(projectRoot, d, hotspotTreeDepth, excludePaths));
+  }
+
+  // Build path spines section for deep file visibility
+  const pathSpineSection = pathSpines.length > 0
+    ? "# Relevant File Paths (from BM25F path spine extraction)\n" + pathSpines.map(p => `- /codebase/${p}`).join("\n")
+    : "";
+
+  let tree = bootstrap.tree;
+  const sections = [];
+  if (hotspotSections.length) {
+    sections.push("# Hotspot Subtrees\n" + hotspotSections.join("\n\n"));
+  }
+  if (pathSpineSection) {
+    sections.push(pathSpineSection);
+  }
+  if (sections.length) {
+    tree = `${bootstrap.tree}\n\n${sections.join("\n\n")}`;
+  }
+
+  // Keep map under configurable budget.
+  let sizeBytes = Buffer.byteLength(tree, "utf-8");
+  if (sizeBytes > maxBytes && (hotspotSections.length || pathSpineSection)) {
+    // First try removing path spines
+    if (pathSpineSection) {
+      const withoutSpines = sections.length > 1
+        ? `${bootstrap.tree}\n\n${sections[0]}`
+        : bootstrap.tree;
+      sizeBytes = Buffer.byteLength(withoutSpines, "utf-8");
+      if (sizeBytes <= maxBytes) {
+        tree = withoutSpines;
+      }
+    }
+
+    // If still too large, progressively remove hotspot sections
+    if (sizeBytes > maxBytes && hotspotSections.length) {
+      let kept = [...hotspotSections];
+      while (kept.length > 0) {
+        kept.pop();
+        tree = kept.length
+          ? `${bootstrap.tree}\n\n# Hotspot Subtrees\n${kept.join("\n\n")}`
+          : bootstrap.tree;
+        sizeBytes = Buffer.byteLength(tree, "utf-8");
+        if (sizeBytes <= maxBytes) break;
+      }
+    }
+  }
+
+  return {
+    tree,
+    depth: bootstrap.depth,
+    hotspotDepth: hotspotTreeDepth,
+    sizeBytes: Buffer.byteLength(tree, "utf-8"),
+    fellBack: bootstrap.fellBack,
+    autoDepth: bootstrap.autoDepth,
+    strategy: "bootstrap_hotspot",
+    hotDirs,
+  };
+}
+
+/**
+ * Parse answer XML into structured file + range data.
+ * @param {string} xmlText
+ * @param {string} projectRoot
+ * @returns {{ files: Array }}
+ */
+function _parseAnswer(xmlText, projectRoot) {
+  const files = [];
+  const resolvedRoot = resolve(projectRoot);
+  const fileRegex = /<file\s+path=(["'])([^"']+)\1>([\s\S]*?)<\/file>/g;
+  let fm;
+  while ((fm = fileRegex.exec(xmlText)) !== null) {
+    const vpath = fm[2];
+    let rel = vpath.replace(/^\/codebase[\/\\]?/, "");
+    rel = rel.replace(/^[\/\\]+/, "");
+
+    // Path safety: reject traversal attempts (../) and paths outside project root
+    const fullPath = resolve(projectRoot, rel);
+    const relToRoot = relative(resolvedRoot, fullPath);
+    if (relToRoot === ".." || relToRoot.startsWith(`..${sep}`) || isAbsolute(relToRoot)) {
+      continue;
+    }
+
+    const ranges = [];
+    const rangeRegex = /<range>(\d+)-(\d+)<\/range>/g;
+    let rm;
+    while ((rm = rangeRegex.exec(fm[3])) !== null) {
+      ranges.push([parseInt(rm[1], 10), parseInt(rm[2], 10)]);
+    }
+
+    files.push({ path: rel, full_path: fullPath, ranges });
+  }
+  return { files };
+}
+
+/**
+ * Execute Fast Context search.
+ *
+ * @param {Object} opts
+ * @param {string} opts.query - Natural language search query
+ * @param {string} opts.projectRoot - Project root directory
+ * @param {string} [opts.apiKey] - Windsurf API key (auto-discovered if not set)
+ * @param {string} [opts.jwt] - JWT token (auto-fetched if not set)
+ * @param {number} [opts.maxTurns=3] - Search rounds
+ * @param {number} [opts.maxCommands=8] - Max commands per round
+ * @param {number} [opts.maxResults=10] - Max number of files to return
+ * @param {number} [opts.treeDepth=3] - Directory tree depth for repo map (1-6, auto fallback)
+ * @param {number} [opts.timeoutMs=30000] - Connect-Timeout-Ms for streaming requests
+ * @param {string[]} [opts.excludePaths=[]] - Patterns to exclude from tree
+ * @param {function} [opts.onProgress] - Progress callback
+ * @returns {Promise<Object>}
+ */
+export async function search({
+  query,
+  projectRoot,
+  apiKey = null,
+  jwt = null,
+  maxTurns = 3,
+  maxCommands = 8,
+  maxResults = 10,
+  treeDepth = 3,
+  timeoutMs = 30000,
+  excludePaths = [],
+  repoMapMode = "bootstrap_hotspot",
+  bootstrapTreeDepth = 1,
+  hotspotTopK = 4,
+  hotspotTreeDepth = 2,
+  hotspotMaxBytes = 120 * 1024,
+  bootstrapEnabled = true,
+  bootstrapMaxTurns = 2,
+  bootstrapMaxCommands = 6,
+  onProgress = null,
+}) {
+  const log = (msg) => onProgress?.(msg);
+  projectRoot = resolve(projectRoot);
+  const effectiveExcludePaths = _mergeExcludePaths(excludePaths);
+
+  // Get credentials
+  if (!apiKey) {
+    apiKey = await getApiKey();
+  }
+  if (!jwt) {
+    log("Fetching JWT...");
+    jwt = await getCachedJwt(apiKey, timeoutMs);
+  }
+
+  // Check rate limit
+  log("Checking rate limit...");
+  if (!(await checkRateLimit(apiKey, jwt, timeoutMs))) {
+    return { files: [], error: "Rate limited, please try again later" };
+  }
+
+  const executor = new ToolExecutor(projectRoot);
+  const toolDefs = getToolDefinitions(maxCommands);
+  const systemPrompt = buildSystemPrompt(maxTurns, maxCommands, maxResults);
+
+  let bootstrapHints = null;
+  if (bootstrapEnabled) {
+    bootstrapHints = await _runBootstrapPhase({
+      query,
+      projectRoot,
+      apiKey,
+      jwt,
+      timeoutMs,
+      excludePaths: effectiveExcludePaths,
+      bootstrapTreeDepth,
+      bootstrapMaxTurns,
+      bootstrapMaxCommands,
+      onProgress,
+    });
+    log(`Bootstrap hints: patterns=${bootstrapHints.rgPatterns.length}, hot_dirs=${bootstrapHints.hotDirs.length}`);
+  }
+
+  const { tree: repoMap, depth: actualDepth, hotspotDepth: actualHotspotDepth, sizeBytes: treeSizeBytes, fellBack, autoDepth, strategy: repoMapStrategy, hotDirs = [] } = buildOptimizedRepoMap({
+    query,
+    projectRoot,
+    treeDepth,
+    excludePaths: effectiveExcludePaths,
+    optimizer: {
+      mode: repoMapMode,
+      bootstrapTreeDepth,
+      hotspotTopK,
+      hotspotTreeDepth,
+      maxBytes: hotspotMaxBytes,
+    },
+    bootstrapHints,
+    onProgress,
+  });
+  log(`Repo map: tree -L ${actualDepth} (${(treeSizeBytes / 1024).toFixed(1)}KB)${fellBack ? ` [fell back from L=${treeDepth}]` : ""}${autoDepth ? " [auto]" : ""} [strategy=${repoMapStrategy}]${hotDirs.length ? ` [hot=${hotDirs.join(",")}]` : ""}`);
+  const userContent = `Problem Statement: ${query}\n\nRepo Map (tree -L ${actualDepth} /codebase):\n\`\`\`text\n${repoMap}\n\`\`\``;
+
+  const messages = [
+    { role: 5, content: systemPrompt },
+    { role: 1, content: userContent },
+  ];
+
+  // Trim state for smart context trimming
+  const trimState = {
+    query,
+    turn: 0,
+    recentFiles: [],
+    recentPatterns: [],
+    recentCommands: [],
+  };
+
+  // Total API calls = maxTurns + 1 (last round for answer)
+  const totalApiCalls = maxTurns + 1;
+  let compensatedTurns = 0;
+  const MAX_COMPENSATIONS = 2;
+  let forceAnswerInjected = false;
+
+  for (let turn = 0; turn < totalApiCalls + compensatedTurns; turn++) {
+    log(`Turn ${turn + 1}/${totalApiCalls}`);
+    trimState.turn = turn + 1;
+
+    let proto = _buildRequest(apiKey, jwt, messages, toolDefs);
+
+    // Debug logging
+    if (DEBUG_MODE) {
+      console.error(`\n[DEBUG] ===== Turn ${turn + 1} Request =====`);
+      console.error(`[DEBUG] Messages count: ${messages.length}`);
+      console.error(`[DEBUG] Last message role: ${messages[messages.length - 1]?.role}`);
+      console.error(`[DEBUG] Proto size: ${proto.length} bytes`);
+    }
+
+    // Preflight trim: proactively reduce payload if proto is already large.
+    const MAX_PROTO_BYTES = 320 * 1024;
+    if (proto.length > MAX_PROTO_BYTES && messages.length > 1) {
+      log(`Proto size ${proto.length} bytes > ${MAX_PROTO_BYTES}. Trimming context before request...`);
+      if (_trimMessages(messages, trimState)) {
+        proto = _buildRequest(apiKey, jwt, messages, toolDefs);
+        if (DEBUG_MODE) console.error(`[DEBUG] Proto size after trim: ${proto.length} bytes`);
+      }
+    }
+
+    let respData;
+    try {
+      respData = await _streamingRequest(proto, timeoutMs);
+    } catch (e) {
+      const errCode = e.code || "UNKNOWN";
+      const baseMeta = {
+        treeDepth: actualDepth,
+        hotspotDepth: actualHotspotDepth,
+        treeSizeKB: +(treeSizeBytes / 1024).toFixed(1),
+        fellBack,
+        projectRoot,
+        errorCode: errCode,
+        repoMapStrategy,
+        hotDirs,
+      };
+
+      // Auto-retry with trimmed context on payload/timeout errors
+      if ((errCode === "PAYLOAD_TOO_LARGE" || errCode === "TIMEOUT") && messages.length > 1) {
+        log(`${errCode} on turn ${turn + 1}: trimming context and retrying...`);
+        _trimMessages(messages, trimState);
+        const retryProto = _buildRequest(apiKey, jwt, messages, toolDefs);
+        try {
+          respData = await _streamingRequest(retryProto, timeoutMs);
+        } catch (retryErr) {
+          const retryCode = retryErr.code || errCode;
+          return {
+            files: [],
+            error: `${retryCode}: ${retryErr.message} (retry after context trim also failed)`,
+            _meta: { ...baseMeta, errorCode: retryCode, contextTrimmed: true },
+          };
+        }
+      } else {
+        return {
+          files: [],
+          error: `${errCode}: ${e.message}`,
+          _meta: baseMeta,
+        };
+      }
+    }
+
+    const [thinking, toolInfo] = _parseResponse(respData);
+
+    // Debug logging
+    if (DEBUG_MODE) {
+      console.error(`\n[DEBUG] ===== Turn ${turn + 1} Response =====`);
+      console.error(`[DEBUG] Response size: ${respData.length} bytes`);
+      console.error(`[DEBUG] Thinking: ${thinking.slice(0, 500)}${thinking.length > 500 ? '...' : ''}`);
+      console.error(`[DEBUG] Tool info: ${toolInfo ? `${toolInfo[0]}` : 'null'}`);
+    }
+
+    if (toolInfo === null) {
+      if (thinking.startsWith("[Error]")) {
+        return { files: [], error: thinking };
+      }
+      return { files: [], raw_response: thinking };
+    }
+
+    const [toolName, toolArgs] = toolInfo;
+
+    if (toolName === "answer") {
+      const answerXml = toolArgs.answer || "";
+      log("Received final answer");
+      const result = _parseAnswer(answerXml, projectRoot);
+      result.rg_patterns = [...new Set(executor.collectedRgPatterns)];
+      result._meta = {
+        treeDepth: actualDepth,
+        hotspotDepth: actualHotspotDepth,
+        treeSizeKB: +(treeSizeBytes / 1024).toFixed(1),
+        fellBack,
+        repoMapStrategy,
+        hotDirs,
+      };
+      return result;
+    }
+
+    if (toolName === "restricted_exec") {
+      const callId = randomUUID();
+      const argsJson = JSON.stringify(toolArgs);
+
+      const cmds = Object.keys(toolArgs).filter((k) => k.startsWith("command"));
+      log(`Executing ${cmds.length} local commands`);
+
+      // Debug logging
+      if (DEBUG_MODE) {
+        console.error(`\n[DEBUG] ===== Tool Calls =====`);
+        for (const cmdKey of cmds) {
+          const cmd = toolArgs[cmdKey];
+          console.error(`[DEBUG] ${cmdKey}: ${JSON.stringify(cmd)}`);
+        }
+      }
+
+      // Check for valid commands (those with a type field)
+      const validCommands = cmds.filter((k) => {
+        const cmd = toolArgs[k];
+        return cmd && typeof cmd === "object" && cmd.type;
+      });
+      if (validCommands.length === 0 && compensatedTurns < MAX_COMPENSATIONS) {
+        compensatedTurns++;
+        log(`Turn compensation: no valid commands, extending search by 1 turn (${compensatedTurns}/${MAX_COMPENSATIONS})`);
+      } else if (validCommands.length === 0) {
+        log(`Turn compensation skipped: max compensations (${MAX_COMPENSATIONS}) reached, forcing turn advance`);
+      }
+
+      const results = await executor.execToolCallAsync(toolArgs);
+
+      // Update trim state with a compact summary of what we executed
+      try {
+        const tailUnique = (arr, n) => {
+          const out = [];
+          const seen = new Set();
+          for (let i = arr.length - 1; i >= 0 && out.length < n; i--) {
+            const v = arr[i];
+            if (typeof v !== "string" || !v) continue;
+            if (seen.has(v)) continue;
+            seen.add(v);
+            out.push(v);
+          }
+          return out.reverse();
+        };
+
+        const newCommands = [];
+        const newFiles = [];
+        const newPatterns = [];
+
+        for (const cmdKey of cmds) {
+          const cmd = toolArgs[cmdKey];
+          if (!cmd || typeof cmd !== "object") continue;
+          const t = cmd.type;
+          if (t === "rg" && cmd.pattern) {
+            newPatterns.push(cmd.pattern);
+            newCommands.push({ type: "rg", desc: `rg ${cmd.pattern}` });
+          } else if (t === "readfile" && cmd.file) {
+            const shortFile = cmd.file.replace(/^\/codebase\//, "");
+            newFiles.push(shortFile);
+            newCommands.push({ type: "readfile", desc: `read ${shortFile}` });
+          } else if (t === "tree" && cmd.path) {
+            newCommands.push({ type: "tree", desc: `tree ${cmd.path}` });
+          }
+        }
+
+        trimState.recentCommands = [...trimState.recentCommands, ...newCommands].slice(-12);
+        trimState.recentFiles = tailUnique([...trimState.recentFiles, ...newFiles], 20);
+        trimState.recentPatterns = tailUnique([...trimState.recentPatterns, ...newPatterns], 30);
+      } catch {
+        // Ignore errors in trim state update
+      }
+
+      messages.push({
+        role: 2,
+        content: thinking,
+        tool_call_id: callId,
+        tool_name: "restricted_exec",
+        tool_args_json: argsJson,
+      });
+      messages.push({ role: 4, content: results, ref_call_id: callId });
+
+      // Inject force-answer after last effective search round
+      const effectiveTurn = turn - compensatedTurns;
+      if (effectiveTurn >= maxTurns - 1 && !forceAnswerInjected) {
+        messages.push({ role: 1, content: FINAL_FORCE_ANSWER });
+        forceAnswerInjected = true;
+        log("Injected force-answer prompt");
+      }
+    }
+  }
+
+  return {
+    files: [],
+    error: "Max turns reached without getting an answer",
+    rg_patterns: [...new Set(executor.collectedRgPatterns)],
+    _meta: {
+      treeDepth: actualDepth,
+      hotspotDepth: actualHotspotDepth,
+      treeSizeKB: +(treeSizeBytes / 1024).toFixed(1),
+      fellBack,
+      projectRoot,
+      repoMapStrategy,
+      hotDirs,
+    },
+  };
+}
+
+// ─── Grep Keyword Expansion ────────────────────────────────
+
+// 噪音文件排除规则：打包产物、依赖文件、自动生成物、二进制、AI 配置等
+// 参考来源：ace-tool-rs (Augment 逆向) 默认排除列表 + 实测反馈
+const GREP_NOISE_GLOBS = [
+  // 打包产物 & sourcemap
+  "chunk-*", "*.chunk.*", "*.bundle.*",
+  "*.min.js", "*.min.css", "*.map",
+  "app.*.js", "app.*.css",              // Vue/Webpack hash-named bundles
+  // 依赖 & 锁定文件
+  "*.lock", "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
+  "go.sum", "go.mod",                   // Go 依赖
+  "Cargo.lock",                         // Rust 依赖
+  // 自动生成的类型声明
+  "*.d.ts",
+  // 二进制文件（来自 ace-tool-rs）
+  "*.exe", "*.dll", "*.so", "*.dylib",  // 平台二进制
+  "*.pyc", "*.pyo", "*.class",          // 编译中间物
+  "*.wasm", "*.o", "*.a",               // 编译产物
+  // 静态资源 & 媒体文件（来自 ace-tool-rs）
+  "*.svg", "*.png", "*.jpg", "*.jpeg", "*.gif", "*.ico", "*.webp",
+  "*.woff*", "*.ttf", "*.eot", "*.otf",
+  "*.mp4", "*.mp3", "*.wav", "*.avi", "*.mov",  // 音视频
+  "*.pdf", "*.doc", "*.docx", "*.xls", "*.xlsx", // 文档
+  "*.zip", "*.tar", "*.gz", "*.rar", "*.7z",     // 压缩包
+  // AI 配置文件（grep 扩展中属于噪音）
+  "CLAUDE.md", "AGENTS.md", ".cursorrules", ".cursorignore",
+];
+
+// 整目录排除：构建输出、缓存、VCS、依赖目录
+// 参考来源：ace-tool-rs 默认排除 + 实测反馈
+const GREP_NOISE_DIR_GLOBS = [
+  // 构建输出
+  "dist/**", "build/**", "out/**", "target/**",
+  "resource/page/**",                   // 静态资源目录
+  // 框架构建缓存
+  ".nuxt/**", ".next/**", ".output/**",
+  // 缓存目录（来自 ace-tool-rs）
+  "__pycache__/**", ".cache/**", ".pytest_cache/**",
+  // 版本控制（来自 ace-tool-rs）
+  ".svn/**", ".hg/**",
+  // 依赖目录（来自 ace-tool-rs）
+  "vendor/**", ".venv/**", "venv/**",
+];
+
+/**
+ * 自动执行 grep keywords 查找额外匹配文件，补充远端模型的遗漏。
+ * 纯本地操作，0 API 调用。
+ * @param {number} maxPerPattern - 每个 pattern 最多补充的文件数
+ * @param {number} maxTotal - grep 扩展的总文件数上限（避免输出过大）
+ */
+function _autoGrepFiles(patterns, projectRoot, excludePaths, existingPaths, maxPerPattern = 3, maxTotal = 10) {
+  // hitCount 记录每个文件被多少个 pattern 命中，用于后续排序
+  const hitCount = new Map(); // resolve(path) -> count
+  const fileInfo = new Map(); // resolve(path) -> { path, full_path }
+  const seen = new Set(existingPaths.map((p) => resolve(projectRoot, p)));
+
+  // 构建噪音 glob 参数（文件级 + 目录级）
+  const noiseArgs = [];
+  for (const noise of GREP_NOISE_GLOBS) {
+    noiseArgs.push("--glob", `!${noise}`);
+  }
+  for (const noise of GREP_NOISE_DIR_GLOBS) {
+    noiseArgs.push("--glob", `!${noise}`);
+  }
+
+  for (const pattern of patterns.slice(0, 8)) {
+    // 总数已达上限，提前退出节省 rg 调用
+    if (fileInfo.size >= maxTotal) break;
+
+    try {
+      const args = ["-l", "--max-count", "10", "-S"];
+      for (const ex of excludePaths) {
+        for (const expanded of _expandExcludeGlobsForRg(ex)) {
+          args.push("--glob", `!${expanded}`);
+        }
+      }
+      args.push(...noiseArgs);
+      args.push("--", pattern, projectRoot);
+      const stdout = execFileSync(rgPath, args, {
+        timeout: 5000,
+        maxBuffer: 1024 * 1024,
+        encoding: "utf-8",
+      });
+      const files = stdout.trim().split("\n").filter(Boolean);
+      let added = 0;
+      for (const f of files) {
+        if (added >= maxPerPattern) break;
+        const full = resolve(f);
+        if (seen.has(full)) continue;
+        const rel = relative(projectRoot, full);
+        if (rel.startsWith("..") || isAbsolute(rel)) continue;
+
+        // 记录命中次数
+        hitCount.set(full, (hitCount.get(full) || 0) + 1);
+        if (!fileInfo.has(full)) {
+          fileInfo.set(full, { path: rel, full_path: full, ranges: [], fromGrep: true });
+          added++;
+          if (fileInfo.size >= maxTotal) break;
+        }
+      }
+    } catch {
+      // rg 返回 1 表示无匹配，正常忽略
+    }
+  }
+
+  // 按匹配 pattern 数降序排序，再截取 maxTotal
+  const found = [...fileInfo.values()]
+    .sort((a, b) => {
+      return (hitCount.get(resolve(b.full_path)) || 0) - (hitCount.get(resolve(a.full_path)) || 0);
+    })
+    .slice(0, maxTotal);
+  return found;
+}
+
+// ─── Code Snippet Reader ───────────────────────────────────
+
+const EXT_LANG_MAP = {
+  ".js": "javascript", ".mjs": "javascript", ".cjs": "javascript",
+  ".ts": "typescript", ".tsx": "typescript", ".jsx": "javascript",
+  ".py": "python", ".go": "go", ".rs": "rust", ".java": "java",
+  ".rb": "ruby", ".vue": "vue", ".c": "c", ".h": "c",
+  ".cpp": "cpp", ".hpp": "cpp", ".cs": "csharp", ".php": "php",
+  ".swift": "swift", ".kt": "kotlin", ".sh": "bash",
+  ".yaml": "yaml", ".yml": "yaml", ".json": "json", ".toml": "toml",
+  ".sql": "sql", ".html": "html", ".css": "css", ".scss": "scss",
+};
+
+/**
+ * 读取文件指定行范围的代码片段。
+ * @param {string} filePath - 文件绝对路径
+ * @param {Array<[number, number]>} ranges - 行范围列表 (1-indexed, inclusive)
+ * @param {number} budget - 剩余字符预算
+ * @returns {{ snippets: string[], used: number }}
+ */
+function _readCodeSnippets(filePath, ranges, budget) {
+  const snippets = [];
+  let used = 0;
+  const lang = EXT_LANG_MAP[extname(filePath).toLowerCase()] || "";
+
+  try {
+    const content = readFileSync(filePath, "utf-8");
+    const lines = content.split("\n");
+
+    // 如果没有 ranges（grep 扩展来的），取前 20 行
+    const effectiveRanges = ranges.length > 0 ? ranges : [[1, Math.min(20, lines.length)]];
+
+    for (const [start, end] of effectiveRanges) {
+      const s = Math.max(1, start) - 1;
+      const e = Math.min(lines.length, end);
+      const slice = lines.slice(s, e);
+      const snippet = slice.map((l, i) => `${String(s + i + 1).padStart(4)} | ${l}`).join("\n");
+      const block = `\`\`\`${lang}\n${snippet}\n\`\`\``;
+
+      if (used + block.length > budget) {
+        // 预算不足，截断当前 snippet
+        const remaining = budget - used - 100; // 留 100 字符给截断提示
+        if (remaining > 200) {
+          const truncated = block.slice(0, remaining) + "\n... [truncated]```";
+          snippets.push(truncated);
+          used += truncated.length;
+        }
+        return { snippets, used };
+      }
+
+      snippets.push(block);
+      used += block.length;
+    }
+  } catch {
+    // 文件读取失败，跳过
+  }
+  return { snippets, used };
+}
+
+/**
+ * Search and return formatted result suitable for MCP tool response.
+ *
+ * @param {Object} opts
+ * @param {string} opts.query
+ * @param {string} opts.projectRoot
+ * @param {string} [opts.apiKey]
+ * @param {number} [opts.maxTurns=3]
+ * @param {number} [opts.maxCommands=8]
+ * @param {number} [opts.maxResults=10]
+ * @param {number} [opts.treeDepth=3]
+ * @param {number} [opts.timeoutMs=30000]
+ * @param {string[]} [opts.excludePaths=[]]
+ * @param {function} [opts.onProgress]
+ * @returns {Promise<string>}
+ */
+export async function searchWithContent({
+  query,
+  projectRoot,
+  apiKey = null,
+  maxTurns = 3,
+  maxCommands = 8,
+  maxResults = 10,
+  treeDepth = 3,
+  timeoutMs = 30000,
+  excludePaths = [],
+  repoMapMode = "bootstrap_hotspot",
+  bootstrapTreeDepth = 1,
+  hotspotTopK = 4,
+  hotspotTreeDepth = 2,
+  hotspotMaxBytes = 120 * 1024,
+  bootstrapEnabled = true,
+  bootstrapMaxTurns = 2,
+  bootstrapMaxCommands = 6,
+  includeSnippets = false,
+  onProgress = null,
+}) {
+  const result = await search({
+    query,
+    projectRoot,
+    apiKey,
+    maxTurns,
+    maxCommands,
+    maxResults,
+    treeDepth,
+    timeoutMs,
+    excludePaths,
+    repoMapMode,
+    bootstrapTreeDepth,
+    hotspotTopK,
+    hotspotTreeDepth,
+    hotspotMaxBytes,
+    bootstrapEnabled,
+    bootstrapMaxTurns,
+    bootstrapMaxCommands,
+    onProgress,
+  });
+
+  if (result.error) {
+    const meta = result._meta;
+    let errMsg = `Error: ${result.error}`;
+    if (meta) {
+      errMsg += `\n\n[diagnostic] error_type=${meta.errorCode || "unknown"}, tree_depth_used=${meta.treeDepth}, tree_size=${meta.treeSizeKB}KB`;
+      if (meta.fellBack) errMsg += ` (auto fell back from requested depth)`;
+      if (meta.contextTrimmed) errMsg += `, context_trimmed=true`;
+      if (meta.projectRoot) errMsg += `\n[diagnostic] project_path=${meta.projectRoot}`;
+      errMsg += `\n[config] max_turns=${maxTurns}, max_results=${maxResults}, max_commands=${maxCommands}, timeout_ms=${timeoutMs}`;
+      if (excludePaths.length) errMsg += `, exclude_paths=[${excludePaths.join(", ")}]`;
+      // Targeted hints based on error type
+      if (meta.errorCode === "PAYLOAD_TOO_LARGE" || meta.errorCode === "TIMEOUT") {
+        errMsg += `\n[hint] Payload/timeout error. Try: reduce tree_depth, reduce max_turns, add exclude_paths, or narrow project_path to a subdirectory.`;
+      } else if (meta.errorCode === "AUTH_ERROR") {
+        errMsg += `\n[hint] Authentication error. The API key may be expired or revoked. Try re-extracting with extract_windsurf_key, or set a fresh WINDSURF_API_KEY.`;
+      } else if (meta.errorCode === "RATE_LIMITED") {
+        errMsg += `\n[hint] Rate limited. Wait a moment and retry.`;
+      } else {
+        errMsg += `\n[hint] If the error is payload-related, try a lower tree_depth value or add exclude_paths.`;
+      }
+    }
+    return errMsg;
+  }
+
+  let files = result.files || [];
+  if (files.length > maxResults) {
+    files = files.slice(0, maxResults);
+  }
+  const rgPatterns = result.rg_patterns || [];
+  // Deduplicate + filter short patterns
+  const uniquePatterns = [...new Set(rgPatterns)].filter((p) => p.length >= 3);
+
+  // B: 自动执行 grep keywords 补充遗漏文件（纯本地，0 API 调用）
+  let grepExpanded = 0;
+  const grepBudget = Math.max(0, maxResults - files.length);
+  if (uniquePatterns.length > 0 && grepBudget > 0) {
+    const effectiveExcludePaths = _mergeExcludePaths(excludePaths);
+    const extra = _autoGrepFiles(
+      uniquePatterns,
+      projectRoot,
+      effectiveExcludePaths,
+      files.map((f) => f.path),
+      3,
+      grepBudget,
+    );
+    if (extra.length > 0) {
+      files = [...files, ...extra];
+      grepExpanded = extra.length;
+    }
+  }
+
+  if (!files.length && !uniquePatterns.length) {
+    const raw = result.raw_response || "";
+    if (!raw) return "No relevant files found.";
+    const MAX_RAW = 500;
+    const truncated = raw.length > MAX_RAW ? raw.slice(0, MAX_RAW) + "\n...[raw_response truncated]..." : raw;
+    return `No relevant files found.\n\nRaw response:\n${truncated}`;
+  }
+
+  const parts = [];
+  const n = files.length;
+
+  if (files.length) {
+    const summary = grepExpanded > 0
+      ? `Found ${n} relevant files (${n - grepExpanded} from AI search, ${grepExpanded} from grep keyword expansion).`
+      : `Found ${n} relevant files.`;
+    parts.push(summary);
+  } else {
+    parts.push("No files found.");
+  }
+
+  // C: 附带代码片段，让单次调用就能提供完整上下文
+  // 45KB 代码预算 + ~5KB metadata = 控制总输出 ≤50KB
+  // 文件顺序：AI 找到的在前，grep 扩展的（按 pattern 命中数排序）在后
+  const CODE_BUDGET = 45000;
+  let codeBudgetLeft = CODE_BUDGET;
+
+  for (let i = 0; i < files.length; i++) {
+    const entry = files[i];
+    const rangesStr = entry.ranges.length > 0
+      ? entry.ranges.map(([s, e]) => `L${s}-${e}`).join(", ")
+      : (entry.fromGrep ? "grep match" : "");
+    const label = entry.fromGrep ? " [grep expanded]" : "";
+
+    parts.push("");
+    parts.push(`--- [${i + 1}/${n}] ${entry.full_path} (${rangesStr})${label} ---`);
+
+    // 仅在 includeSnippets=true 时读取并附带代码片段
+    if (includeSnippets && codeBudgetLeft > 200) {
+      const { snippets, used } = _readCodeSnippets(entry.full_path, entry.ranges, codeBudgetLeft);
+      for (const s of snippets) {
+        parts.push(s);
+      }
+      codeBudgetLeft -= used;
+    } else if (includeSnippets) {
+      parts.push("(code snippet omitted — output budget reached)");
+    }
+  }
+
+  if (uniquePatterns.length) {
+    parts.push("");
+    parts.push(`grep keywords: ${uniquePatterns.join(", ")}`);
+  }
+
+  // Append diagnostic metadata so the calling AI knows what happened
+  const meta = result._meta;
+  if (meta) {
+    const fbNote = meta.fellBack ? ` (fell back from requested depth)` : "";
+    parts.push("");
+    const hotspotNote = meta.hotspotDepth ? `, hotspot_depth=${meta.hotspotDepth}` : "";
+    let configLine = `[config] project_path=${projectRoot}, tree_depth=${meta.treeDepth}${fbNote}${hotspotNote}, tree_size=${meta.treeSizeKB}KB, max_turns=${maxTurns}, max_results=${maxResults}, timeout_ms=${timeoutMs}`;
+    if (excludePaths.length) configLine += `, exclude_paths=[${excludePaths.join(", ")}]`;
+    if (grepExpanded > 0) configLine += `, grep_expanded=${grepExpanded}`;
+    parts.push(configLine);
+  }
+
+  return parts.join("\n");
+}
+
+/**
+ * Extract Windsurf API Key info (for MCP tool use).
+ * @param {string} [dbPath]
+ * @returns {Promise<Object>}
+ */
+export async function extractKeyInfo(dbPath) {
+  return extractKey(dbPath);
+}