fengming 0.3.4 → 0.3.5

package/dist/bash-tools-DLiUXfaS.js

@@ -0,0 +1,3497 @@
+import { a as normalizeLowercaseStringOrEmpty, c as normalizeOptionalString, o as normalizeNullableString, s as normalizeOptionalLowercaseString } from "./string-coerce-DKw2K5wM.js";
+import { a as asFiniteNumber } from "./number-coercion-D1aDmIZp.js";
+import { o as isRecord } from "./record-coerce-Btbek4uV.js";
+import { i as formatErrorMessage } from "./errors-5ePGD43N.js";
+import { t as createLazyImportLoader } from "./lazy-promise-Djskx0qC.js";
+import { l as normalizeStringEntries } from "./string-normalization-B8G0vlWE.js";
+import { s as sanitizeHostExecEnvWithDiagnostics } from "./host-env-security-BujxmR07.js";
+import "./utils-v5zGdVpj.js";
+import { t as escapeRegExp } from "./regexp-gnNKXe6h.js";
+import { a as isSubagentSessionKey, c as parseAgentSessionKey, i as isCronSessionKey } from "./session-key-utils-CdfsDYvz.js";
+import { d as resolveAgentIdFromSessionKey, l as normalizeAgentId } from "./session-key-CJf5_zWs.js";
+import { a as logWarn, r as logInfo } from "./logger-BZdGwGcr.js";
+import { J as getShellPathFromLoginShell, Y as resolveShellEnvFallbackTimeoutMs } from "./io-DAZXanmU.js";
+import { f as resolveApprovalAuditTrustPath } from "./exec-safe-bin-trust-BavWgRnC.js";
+import { O as normalizeExecutableToken, c as isShellWrapperExecutable, k as splitShellArgs, t as POSIX_SHELL_WRAPPERS, u as resolveShellWrapperTransportArgv } from "./shell-wrapper-resolution-Cl9437dq.js";
+import { t as killProcessTree } from "./kill-tree-kSm0C74g.js";
+import { i as INTERNAL_MESSAGE_CHANNEL } from "./message-channel-core-rOsWksPZ.js";
+import { i as normalizeMessageChannel, n as isGatewayMessageChannel } from "./message-channel-normalize-CaOaCinb.js";
+import "./message-channel-DcN_7tYD.js";
+import { n as addSafeTimeoutDelayGraceMs } from "./timeouts-tJvqW40V.js";
+import { n as APPROVALS_SCOPE, o as WRITE_SCOPE } from "./operator-scopes-DGvgHuOd.js";
+import { o as normalizeDeliveryContext } from "./delivery-context.shared-CHlZnq4E.js";
+import { C as parseExecApprovalResultText, S as isExecDeniedResultText, d as sanitizeUserFacingText, x as formatExecDeniedUserMessage } from "./sanitize-user-facing-text-B7CiNPI8.js";
+import { n as getDiagnosticSessionState } from "./diagnostic-session-state-DwjGSduD.js";
+import { c as EXEC_TOOL_DISPLAY_SUMMARY, l as PROCESS_TOOL_DISPLAY_SUMMARY } from "./tool-catalog-BfQXK2pl.js";
+import { C as textResult, o as failedTextResult } from "./common-CoOYhmSg.js";
+import { t as callGatewayTool } from "./gateway-DTi2D7ZS.js";
+import { c as describeInterpreterInlineEval, t as buildCommandPayloadCandidates } from "./risks-DM4Eigd_.js";
+import { l as analyzeShellCommand, n as evaluateShellAllowlist, u as buildEnforcedShellCommand } from "./exec-approvals-allowlist-au7CtSQ2.js";
+import { A as resolveExecApprovals, C as recordAllowlistMatchesUse, D as requiresExecApproval, E as requireValidExecTarget, F as resolveExecModePolicy, O as resolveExecApprovalAllowedDecisions, d as loadExecApprovals, f as maxAsk, g as normalizeExecAsk, j as resolveExecApprovalsFromFile, l as hasDurableExecApproval, m as minSecurity, o as addDurableCommandApproval, s as commandRequiresSecurityAuditSuppressionApproval, x as persistAllowAlwaysPatterns } from "./exec-approvals-OmSY2hSB.js";
+import { r as resolveExecSafeBinRuntimePolicy } from "./exec-safe-bin-runtime-policy-D8i-qd_X.js";
+import { n as describeProcessTool, t as describeExecTool } from "./bash-tools.descriptions-CmnntKkL.js";
+import { n as processSchema, t as execSchema } from "./bash-tools.schemas-DHPBVmIy.js";
+import "./delivery-context-D5p4ZNuR.js";
+import { t as resolveExternalBestEffortDeliveryTarget } from "./best-effort-delivery-B8Rfs1sR.js";
+import { t as sendMessage } from "./message-BeGCG-D8.js";
+import { i as resolveNodeIdFromList, t as listNodes } from "./nodes-utils-c4k31OaG.js";
+import { t as formatDurationCompact } from "./format-duration-BrZ-AaEJ.js";
+import { a as coerceEnv, c as readEnvInt, d as sliceLogLines, f as truncateMiddle, i as clampWithDefault, l as resolveSandboxWorkdir, n as buildSandboxEnv, o as deriveSessionName, s as pad, u as resolveWorkdir } from "./bash-tools.shared-Bb5t2u25.js";
+import { a as drainSession, c as listFinishedSessions, d as markExited, f as setJobTtlMs, i as deleteSession, l as listRunningSessions, o as getFinishedSession, p as tail, s as getSession, u as markBackgrounded } from "./bash-process-registry-DExu0hla.js";
+import { _ as normalizePathPrepend, a as DEFAULT_PENDING_MAX_OUTPUT, c as createApprovalSlug, f as resolveApprovalRunningNoticeMs, g as applyPathPrepend, h as renderExecOutputText, i as DEFAULT_PATH, m as runExecProcess, n as DEFAULT_APPROVAL_TIMEOUT_MS, o as applyShellPath, p as resolveExecTarget, r as DEFAULT_MAX_OUTPUT, s as buildApprovalPendingMessage, t as DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS, u as normalizeNotifyOutput } from "./bash-tools.exec-runtime-DucFjdEu.js";
+import { t as getProcessSupervisor } from "./supervisor-DMuvlusb.js";
+import { i as resolveExecApprovalInitiatingSurfaceState } from "./exec-approval-surface-CwdMVtrH.js";
+import { u as buildExecApprovalUnavailableReplyPayload } from "./exec-approval-reply-D3XuHTa1.js";
+import { n as detectPolicyInlineEval } from "./policy-D0zs1tEW.js";
+import { i as defaultExecAutoReviewer, t as createModelExecAutoReviewer } from "./exec-auto-reviewer-Dqx7I88Z.js";
+import { i as registerExecApprovalFollowupRuntimeHandoff, t as buildExecApprovalFollowupIdempotencyKey } from "./bash-tools.exec-approval-followup-state-CZKm2nN5.js";
+import { n as formatExecCommand, r as resolveSystemRunCommandRequest, t as extractShellCommandFromArgv } from "./system-run-command-5NffG1dK.js";
+import { t as parsePreparedSystemRunPayload } from "./system-run-approval-context-Mn9Sfzu2.js";
+import { n as recordCommandPoll, r as resetCommandPollCount } from "./command-poll-backoff-DmjJeZIx.js";
+import { constants } from "node:fs";
+import path from "node:path";
+import fs$1 from "node:fs/promises";
+import crypto, { randomUUID } from "node:crypto";
+//#region src/agents/bash-tools.exec-approval-request.ts
+let execApprovalCommandSpansRuntimePromise = null;
+const POSIX_COMMAND_HIGHLIGHT_SHELLS = POSIX_SHELL_WRAPPERS;
+function loadExecApprovalCommandSpansRuntime() {
+	execApprovalCommandSpansRuntimePromise ??= import("./bash-tools.exec-approval-request.runtime.js");
+	return execApprovalCommandSpansRuntimePromise;
+}
+function buildExecApprovalRequestToolParams(params) {
+	return {
+		id: params.id,
+		...params.command ? { command: params.command } : {},
+		...params.commandArgv ? { commandArgv: params.commandArgv } : {},
+		systemRunPlan: params.systemRunPlan,
+		env: params.env,
+		cwd: params.cwd,
+		nodeId: params.nodeId,
+		host: params.host,
+		security: params.security,
+		ask: params.ask,
+		warningText: params.warningText,
+		commandSpans: params.commandSpans,
+		agentId: params.agentId,
+		resolvedPath: params.resolvedPath,
+		sessionKey: params.sessionKey,
+		turnSourceChannel: params.turnSourceChannel,
+		turnSourceTo: params.turnSourceTo,
+		turnSourceAccountId: params.turnSourceAccountId,
+		turnSourceThreadId: params.turnSourceThreadId,
+		requireDeliveryRoute: params.requireDeliveryRoute,
+		suppressDelivery: params.suppressDelivery,
+		timeoutMs: DEFAULT_APPROVAL_TIMEOUT_MS,
+		twoPhase: true
+	};
+}
+function parseDecision(value) {
+	if (!value || typeof value !== "object") return {
+		present: false,
+		value: null
+	};
+	if (!Object.hasOwn(value, "decision")) return {
+		present: false,
+		value: null
+	};
+	const decision = value.decision;
+	return {
+		present: true,
+		value: typeof decision === "string" ? decision : null
+	};
+}
+function parseExpiresAtMs(value) {
+	return asFiniteNumber(value);
+}
+async function registerExecApprovalRequest(params) {
+	const registrationResult = await callGatewayTool("exec.approval.request", { timeoutMs: DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS }, buildExecApprovalRequestToolParams(params), { expectFinal: false });
+	const decision = parseDecision(registrationResult);
+	const id = normalizeOptionalString(registrationResult?.id) ?? params.id;
+	const expiresAtMs = parseExpiresAtMs(registrationResult?.expiresAtMs) ?? Date.now() + DEFAULT_APPROVAL_TIMEOUT_MS;
+	if (decision.present) return {
+		id,
+		expiresAtMs,
+		finalDecision: decision.value
+	};
+	return {
+		id,
+		expiresAtMs
+	};
+}
+async function waitForExecApprovalDecision(id) {
+	try {
+		return parseDecision(await callGatewayTool("exec.approval.waitDecision", { timeoutMs: DEFAULT_APPROVAL_REQUEST_TIMEOUT_MS }, { id })).value;
+	} catch (err) {
+		if (normalizeLowercaseStringOrEmpty(String(err)).includes("approval expired or not found")) return null;
+		throw err;
+	}
+}
+async function resolveRegisteredExecApprovalDecision(params) {
+	if (params.preResolvedDecision !== void 0) return params.preResolvedDecision ?? null;
+	return await waitForExecApprovalDecision(params.approvalId);
+}
+function buildExecApprovalRequesterContext(params) {
+	return {
+		agentId: params.agentId,
+		sessionKey: params.sessionKey
+	};
+}
+function buildExecApprovalTurnSourceContext(params) {
+	return {
+		turnSourceChannel: params.turnSourceChannel,
+		turnSourceTo: params.turnSourceTo,
+		turnSourceAccountId: params.turnSourceAccountId,
+		turnSourceThreadId: params.turnSourceThreadId
+	};
+}
+async function resolveCommandSpans(command) {
+	if (!command) return;
+	try {
+		const { resolveExecApprovalCommandSpans } = await loadExecApprovalCommandSpansRuntime();
+		return await resolveExecApprovalCommandSpans(command);
+	} catch {
+		return;
+	}
+}
+function hasUnsupportedShellArgv(argv) {
+	if (!argv?.length) return false;
+	const executable = (resolveShellWrapperTransportArgv([...argv]) ?? argv)[0];
+	if (!executable) return false;
+	const normalizedExecutable = normalizeExecutableToken(executable);
+	return isShellWrapperExecutable(normalizedExecutable) && !POSIX_COMMAND_HIGHLIGHT_SHELLS.has(normalizedExecutable);
+}
+function shouldSkipGeneratedCommandSpans(params) {
+	if (params.host === "gateway" && process.platform === "win32") return true;
+	return hasUnsupportedShellArgv(params.commandArgv?.length ? params.commandArgv : params.systemRunPlan?.argv);
+}
+async function buildHostApprovalDecisionParams(params) {
+	const commandSpans = params.commandHighlighting === true ? params.commandSpans ?? (shouldSkipGeneratedCommandSpans(params) ? void 0 : await resolveCommandSpans(params.command ?? params.systemRunPlan?.commandText)) : void 0;
+	return {
+		id: params.approvalId,
+		command: params.command,
+		commandArgv: params.commandArgv,
+		systemRunPlan: params.systemRunPlan,
+		env: params.env,
+		cwd: params.workdir,
+		nodeId: params.nodeId,
+		host: params.host,
+		security: params.security,
+		ask: params.ask,
+		warningText: params.warningText,
+		commandSpans,
+		...buildExecApprovalRequesterContext({
+			agentId: params.agentId,
+			sessionKey: params.sessionKey
+		}),
+		resolvedPath: params.resolvedPath,
+		requireDeliveryRoute: params.requireDeliveryRoute,
+		suppressDelivery: params.suppressDelivery,
+		...buildExecApprovalTurnSourceContext(params)
+	};
+}
+async function registerExecApprovalRequestForHost(params) {
+	return await registerExecApprovalRequest(await buildHostApprovalDecisionParams(params));
+}
+async function registerExecApprovalRequestForHostOrThrow(params) {
+	try {
+		return await registerExecApprovalRequestForHost(params);
+	} catch (err) {
+		throw new Error(`Exec approval registration failed: ${String(err)}`, { cause: err });
+	}
+}
+//#endregion
+//#region src/agents/bash-tools.exec-approval-followup.ts
+function buildExecDeniedFollowupPrompt(resultText) {
+	return [
+		"An async command did not run.",
+		"Do not run the command again.",
+		"There is no new command output.",
+		"Do not mention, summarize, or reuse output from any earlier run in this session.",
+		"",
+		"Exact completion details:",
+		resultText.trim(),
+		"",
+		"Reply to the user in a helpful way.",
+		"Explain that the command did not run and why.",
+		"Do not claim there is new command output."
+	].join("\n");
+}
+function formatUnknownError(error) {
+	if (error instanceof Error) return error.message;
+	if (typeof error === "string") return error;
+	try {
+		return JSON.stringify(error);
+	} catch {
+		return "unknown error";
+	}
+}
+function buildExecApprovalFollowupPrompt(resultText) {
+	const trimmed = resultText.trim();
+	if (isExecDeniedResultText(trimmed)) return buildExecDeniedFollowupPrompt(trimmed);
+	return [
+		"An async command the user already approved has completed.",
+		"Do not run the command again.",
+		"If the task requires more steps, continue from this result before replying to the user.",
+		"Only ask the user for help if you are actually blocked.",
+		"",
+		"Exact completion details:",
+		trimmed,
+		"",
+		"Continue the task if needed, then reply to the user in a helpful way.",
+		"If it succeeded, share the relevant output.",
+		"If it failed, explain what went wrong."
+	].join("\n");
+}
+function shouldSuppressExecDeniedFollowup(sessionKey) {
+	return isSubagentSessionKey(sessionKey) || isCronSessionKey(sessionKey);
+}
+function formatDirectExecApprovalFollowupText(resultText, opts = {}) {
+	const parsed = parseExecApprovalResultText(resultText);
+	if (parsed.kind === "other" && !parsed.raw) return null;
+	if (parsed.kind === "denied") return opts.allowDenied ? formatExecDeniedUserMessage(parsed.raw) : null;
+	if (parsed.kind === "finished") {
+		const metadata = normalizeLowercaseStringOrEmpty(parsed.metadata);
+		const body = sanitizeUserFacingText(parsed.body, { errorContext: !metadata.includes("code 0") }).trim();
+		let prefix = "";
+		if (!body) prefix = metadata.includes("code 0") ? "Background command finished." : metadata.includes("signal") ? "Background command stopped unexpectedly." : "Background command finished with an error.";
+		return body ? `${prefix ? `${prefix}\n\n` : ""}${body}` : prefix || null;
+	}
+	if (parsed.kind === "completed") return sanitizeUserFacingText(parsed.body, { errorContext: true }).trim() || "Background command finished.";
+	return sanitizeUserFacingText(parsed.raw, { errorContext: true }).trim() || null;
+}
+function buildSessionResumeFallbackPrefix() {
+	return "Automatic session resume failed, so sending the status directly.\n\n";
+}
+function readGatewayStatus(value) {
+	return value && typeof value === "object" && !Array.isArray(value) ? normalizeOptionalString(value.status) : void 0;
+}
+function readGatewayRunId(value) {
+	return value && typeof value === "object" && !Array.isArray(value) ? normalizeOptionalString(value.runId) : void 0;
+}
+function buildFollowupWaitError(params) {
+	const suffix = typeof params.error === "string" && params.error.trim() ? `: ${params.error.trim()}` : params.status ? `: ${params.status}` : "";
+	return /* @__PURE__ */ new Error(`exec approval followup session resume failed${suffix}`);
+}
+function isSuccessfulFollowupStatus(status) {
+	return status === "ok";
+}
+async function waitForAgentFollowupRun(params) {
+	const wait = await callGatewayTool("agent.wait", { timeoutMs: params.timeoutMs + 2e3 }, {
+		runId: params.runId,
+		timeoutMs: params.timeoutMs
+	});
+	const status = readGatewayStatus(wait);
+	if (isSuccessfulFollowupStatus(status)) return;
+	throw buildFollowupWaitError({
+		status,
+		error: wait.error
+	});
+}
+function shouldPrefixDirectFollowupWithSessionResumeFailure(params) {
+	if (!params.sessionError) return false;
+	const parsed = parseExecApprovalResultText(params.resultText);
+	if (parsed.kind !== "finished") return true;
+	return !normalizeLowercaseStringOrEmpty(parsed.metadata).includes("code 0");
+}
+function canDirectSendDeniedFollowup(sessionError) {
+	return sessionError !== null;
+}
+function buildAgentFollowupArgs(params) {
+	const { deliveryTarget, sessionOnlyOriginChannel } = params;
+	const fallbackChannel = sessionOnlyOriginChannel ?? params.turnSourceChannel;
+	return {
+		sessionKey: params.sessionKey,
+		message: buildExecApprovalFollowupPrompt(params.resultText),
+		deliver: deliveryTarget.deliver,
+		...deliveryTarget.deliver ? { bestEffortDeliver: true } : {},
+		channel: deliveryTarget.deliver ? deliveryTarget.channel : fallbackChannel,
+		to: deliveryTarget.deliver ? deliveryTarget.to : sessionOnlyOriginChannel ? params.turnSourceTo : void 0,
+		accountId: deliveryTarget.deliver ? deliveryTarget.accountId : sessionOnlyOriginChannel ? params.turnSourceAccountId : void 0,
+		threadId: deliveryTarget.deliver ? deliveryTarget.threadId : sessionOnlyOriginChannel ? params.turnSourceThreadId : void 0,
+		idempotencyKey: params.idempotencyKey ?? buildExecApprovalFollowupIdempotencyKey({ approvalId: params.approvalId }),
+		...params.internalRuntimeHandoffId ? { internalRuntimeHandoffId: params.internalRuntimeHandoffId } : {}
+	};
+}
+async function sendDirectFollowupFallback(params) {
+	const directText = formatDirectExecApprovalFollowupText(params.resultText, { allowDenied: params.allowDenied ?? canDirectSendDeniedFollowup(params.sessionError) });
+	if (!params.deliveryTarget.deliver || !directText) return false;
+	const prefix = !params.allowDenied && shouldPrefixDirectFollowupWithSessionResumeFailure(params) ? buildSessionResumeFallbackPrefix() : "";
+	await sendMessage({
+		channel: params.deliveryTarget.channel,
+		to: params.deliveryTarget.to ?? "",
+		accountId: params.deliveryTarget.accountId,
+		threadId: params.deliveryTarget.threadId,
+		content: `${prefix}${directText}`,
+		agentId: void 0,
+		idempotencyKey: `exec-approval-followup:${params.approvalId}`
+	});
+	return true;
+}
+async function sendExecApprovalFollowup(params) {
+	const sessionKey = params.sessionKey?.trim();
+	const resultText = params.resultText.trim();
+	if (!resultText) return false;
+	const isDenied = isExecDeniedResultText(resultText);
+	const deliveryTarget = resolveExternalBestEffortDeliveryTarget({
+		channel: params.turnSourceChannel,
+		to: params.turnSourceTo,
+		accountId: params.turnSourceAccountId,
+		threadId: params.turnSourceThreadId
+	});
+	const normalizedTurnSourceChannel = normalizeMessageChannel(params.turnSourceChannel);
+	const sessionOnlyOriginChannel = normalizedTurnSourceChannel && isGatewayMessageChannel(normalizedTurnSourceChannel) ? normalizedTurnSourceChannel : void 0;
+	if (isDenied) {
+		if (!sessionKey || shouldSuppressExecDeniedFollowup(sessionKey)) return false;
+		return await sendDirectFollowupFallback({
+			approvalId: params.approvalId,
+			deliveryTarget,
+			resultText,
+			sessionError: null,
+			allowDenied: true
+		});
+	}
+	let sessionError = null;
+	if (sessionKey && params.direct !== true) try {
+		const agentArgs = buildAgentFollowupArgs({
+			approvalId: params.approvalId,
+			sessionKey,
+			resultText,
+			deliveryTarget,
+			sessionOnlyOriginChannel,
+			turnSourceChannel: params.turnSourceChannel,
+			turnSourceTo: params.turnSourceTo,
+			turnSourceAccountId: params.turnSourceAccountId,
+			turnSourceThreadId: params.turnSourceThreadId,
+			internalRuntimeHandoffId: params.internalRuntimeHandoffId,
+			idempotencyKey: params.idempotencyKey
+		});
+		const accepted = await callGatewayTool("agent", { timeoutMs: 6e4 }, agentArgs);
+		const status = readGatewayStatus(accepted);
+		if (isSuccessfulFollowupStatus(status)) return true;
+		if (status === "accepted" || status === "in_flight" || status === "pending") {
+			const runId = readGatewayRunId(accepted) ?? normalizeOptionalString(agentArgs.idempotencyKey);
+			if (!runId) throw buildFollowupWaitError({ status: "missing-run-id" });
+			await waitForAgentFollowupRun({
+				runId,
+				timeoutMs: 6e4
+			});
+			return true;
+		}
+		throw buildFollowupWaitError({
+			status,
+			error: accepted.error
+		});
+	} catch (err) {
+		sessionError = err;
+	}
+	if (await sendDirectFollowupFallback({
+		approvalId: params.approvalId,
+		deliveryTarget,
+		resultText,
+		sessionError
+	})) return true;
+	if (sessionError) throw new Error(`Session followup failed: ${formatUnknownError(sessionError)}`);
+	if (isDenied) return false;
+	throw new Error("需要会话密钥或可投递来源路由");
+}
+const loggedExecApprovalFollowupFailures = /* @__PURE__ */ new Set();
+function rememberExecApprovalFollowupFailureKey(key) {
+	if (loggedExecApprovalFollowupFailures.has(key)) return false;
+	loggedExecApprovalFollowupFailures.add(key);
+	if (loggedExecApprovalFollowupFailures.size > 256) {
+		const oldestKey = loggedExecApprovalFollowupFailures.values().next().value;
+		if (typeof oldestKey === "string") loggedExecApprovalFollowupFailures.delete(oldestKey);
+	}
+	return true;
+}
+function isHeadlessExecTrigger(trigger) {
+	return trigger === "cron";
+}
+function createExecApprovalPendingState(params) {
+	return {
+		warningText: params.warnings.length ? `${params.warnings.join("\n")}\n\n` : "",
+		expiresAtMs: Date.now() + params.timeoutMs,
+		preResolvedDecision: void 0
+	};
+}
+function createExecApprovalRequestState(params) {
+	return {
+		...createExecApprovalPendingState({
+			warnings: params.warnings,
+			timeoutMs: params.timeoutMs
+		}),
+		noticeSeconds: Math.max(1, Math.round(params.approvalRunningNoticeMs / 1e3))
+	};
+}
+function createExecApprovalRequestContext(params) {
+	const approvalId = crypto.randomUUID();
+	return {
+		...createExecApprovalRequestState({
+			warnings: params.warnings,
+			timeoutMs: params.timeoutMs,
+			approvalRunningNoticeMs: params.approvalRunningNoticeMs
+		}),
+		approvalId,
+		approvalSlug: params.createApprovalSlug(approvalId),
+		contextKey: `exec:${approvalId}`
+	};
+}
+function createDefaultExecApprovalRequestContext(params) {
+	return createExecApprovalRequestContext({
+		warnings: params.warnings,
+		timeoutMs: DEFAULT_APPROVAL_TIMEOUT_MS,
+		approvalRunningNoticeMs: params.approvalRunningNoticeMs,
+		createApprovalSlug: params.createApprovalSlug
+	});
+}
+function resolveBaseExecApprovalDecision(params) {
+	if (params.decision === "deny") return {
+		approvedByAsk: false,
+		deniedReason: "user-denied",
+		timedOut: false
+	};
+	if (!params.decision) {
+		if (params.askFallback === "full") return {
+			approvedByAsk: true,
+			deniedReason: null,
+			timedOut: true
+		};
+		if (params.askFallback === "deny") return {
+			approvedByAsk: false,
+			deniedReason: "approval-timeout",
+			timedOut: true
+		};
+		return {
+			approvedByAsk: false,
+			deniedReason: null,
+			timedOut: true
+		};
+	}
+	return {
+		approvedByAsk: false,
+		deniedReason: null,
+		timedOut: false
+	};
+}
+function resolveExecHostApprovalContext(params) {
+	const approvals = resolveExecApprovals(params.agentId, {
+		security: params.security,
+		ask: params.ask
+	});
+	const hostSecurity = minSecurity(params.security, approvals.agent.security);
+	const hostAsk = maxAsk(params.ask, approvals.agent.ask);
+	const askFallback = minSecurity(hostSecurity, approvals.agent.askFallback);
+	if (hostSecurity === "deny") throw new Error(`exec denied: host=${params.host} security=deny`);
+	return {
+		approvals,
+		hostSecurity,
+		hostAsk,
+		askFallback
+	};
+}
+async function resolveApprovalDecisionOrUndefined(params) {
+	try {
+		return await resolveRegisteredExecApprovalDecision({
+			approvalId: params.approvalId,
+			preResolvedDecision: params.preResolvedDecision
+		});
+	} catch {
+		params.onFailure();
+		return;
+	}
+}
+function resolveExecApprovalUnavailableState(params) {
+	const initiatingSurface = resolveExecApprovalInitiatingSurfaceState({
+		channel: params.turnSourceChannel,
+		accountId: params.turnSourceAccountId
+	});
+	return {
+		initiatingSurface,
+		sentApproverDms: false,
+		unavailableReason: params.preResolvedDecision === null ? "no-approval-route" : initiatingSurface.kind === "disabled" ? "initiating-platform-disabled" : initiatingSurface.kind === "unsupported" ? "initiating-platform-unsupported" : null
+	};
+}
+async function createAndRegisterDefaultExecApprovalRequest(params) {
+	const { approvalId, approvalSlug, warningText, expiresAtMs: defaultExpiresAtMs, preResolvedDecision: defaultPreResolvedDecision } = createDefaultExecApprovalRequestContext({
+		warnings: params.warnings,
+		approvalRunningNoticeMs: params.approvalRunningNoticeMs,
+		createApprovalSlug: params.createApprovalSlug
+	});
+	const registration = await params.register(approvalId);
+	const preResolvedDecision = registration.finalDecision;
+	const { initiatingSurface, sentApproverDms, unavailableReason } = resolveExecApprovalUnavailableState({
+		turnSourceChannel: params.turnSourceChannel,
+		turnSourceAccountId: params.turnSourceAccountId,
+		preResolvedDecision
+	});
+	return {
+		approvalId,
+		approvalSlug,
+		warningText,
+		expiresAtMs: registration.expiresAtMs ?? defaultExpiresAtMs,
+		preResolvedDecision: registration.finalDecision === void 0 ? defaultPreResolvedDecision : registration.finalDecision,
+		initiatingSurface,
+		sentApproverDms,
+		unavailableReason
+	};
+}
+function buildDefaultExecApprovalRequestArgs(params) {
+	return {
+		warnings: params.warnings,
+		approvalRunningNoticeMs: params.approvalRunningNoticeMs,
+		createApprovalSlug: params.createApprovalSlug,
+		turnSourceChannel: params.turnSourceChannel,
+		turnSourceAccountId: params.turnSourceAccountId
+	};
+}
+function buildExecApprovalFollowupTarget(params) {
+	return {
+		approvalId: params.approvalId,
+		sessionKey: params.sessionKey,
+		turnSourceChannel: params.turnSourceChannel,
+		turnSourceTo: params.turnSourceTo,
+		turnSourceAccountId: params.turnSourceAccountId,
+		turnSourceThreadId: params.turnSourceThreadId,
+		direct: params.direct,
+		bashElevated: params.bashElevated
+	};
+}
+function createExecApprovalDecisionState(params) {
+	const baseDecision = resolveBaseExecApprovalDecision({
+		decision: params.decision ?? null,
+		askFallback: params.askFallback
+	});
+	return {
+		baseDecision,
+		approvedByAsk: baseDecision.approvedByAsk,
+		deniedReason: baseDecision.deniedReason
+	};
+}
+function enforceStrictInlineEvalApprovalBoundary(params) {
+	const requiresRealApproval = params.requiresInlineEvalApproval || params.requiresAutoReviewHumanApproval === true;
+	if (!params.baseDecision.timedOut || !requiresRealApproval || !params.approvedByAsk) return {
+		approvedByAsk: params.approvedByAsk,
+		deniedReason: params.deniedReason
+	};
+	return {
+		approvedByAsk: false,
+		deniedReason: params.deniedReason ?? "approval-timeout"
+	};
+}
+function shouldResolveExecApprovalUnavailableInline(params) {
+	return isHeadlessExecTrigger(params.trigger) && params.unavailableReason === "no-approval-route" && params.preResolvedDecision === null;
+}
+function buildHeadlessExecApprovalDeniedMessage(params) {
+	return [
+		`exec denied: ${params.trigger === "cron" ? "Cron runs" : "Headless runs"} cannot wait for interactive exec approval.`,
+		`Effective host exec policy: security=${params.security} ask=${params.ask} askFallback=${params.askFallback}`,
+		"Stricter values from tools.exec and ~/.fengming/exec-approvals.json both apply.",
+		"Fix one of these:",
+		"- align both files to security=\"full\" and ask=\"off\" for trusted local automation",
+		"- keep allowlist mode and add an explicit allowlist entry for this command",
+		"- enable Web UI, terminal UI, or chat exec approvals and rerun interactively",
+		"Tip: run \"fengming doctor\" and \"fengming approvals get --gateway\" to inspect the effective policy."
+	].join("\n");
+}
+async function sendExecApprovalFollowupResult(target, resultText, deps = {}) {
+	const send = deps.sendExecApprovalFollowup ?? sendExecApprovalFollowup;
+	const warn = deps.logWarn ?? logWarn;
+	const runtimeHandoff = target.direct === true || !target.sessionKey || isExecDeniedResultText(resultText) ? void 0 : registerExecApprovalFollowupRuntimeHandoff({
+		approvalId: target.approvalId,
+		sessionKey: target.sessionKey,
+		bashElevated: target.bashElevated
+	});
+	await send({
+		approvalId: target.approvalId,
+		sessionKey: target.sessionKey,
+		turnSourceChannel: target.turnSourceChannel,
+		turnSourceTo: target.turnSourceTo,
+		turnSourceAccountId: target.turnSourceAccountId,
+		turnSourceThreadId: target.turnSourceThreadId,
+		resultText,
+		direct: target.direct,
+		...runtimeHandoff ? {
+			internalRuntimeHandoffId: runtimeHandoff.handoffId,
+			idempotencyKey: runtimeHandoff.idempotencyKey
+		} : {}
+	}).catch((error) => {
+		const message = formatErrorMessage(error);
+		if (!rememberExecApprovalFollowupFailureKey(`${target.approvalId}:${message}`)) return;
+		warn(`exec approval followup dispatch failed (id=${target.approvalId}): ${message}`);
+	});
+}
+function buildExecApprovalPendingToolResult(params) {
+	const allowedDecisions = params.allowedDecisions ?? resolveExecApprovalAllowedDecisions();
+	return {
+		content: [{
+			type: "text",
+			text: params.unavailableReason !== null ? buildExecApprovalUnavailableReplyPayload({
+				warningText: params.warningText,
+				reason: params.unavailableReason,
+				channel: params.initiatingSurface.channel,
+				channelLabel: params.initiatingSurface.channelLabel,
+				accountId: params.initiatingSurface.accountId,
+				sentApproverDms: params.sentApproverDms
+			}).text ?? "" : buildApprovalPendingMessage({
+				warningText: params.warningText,
+				approvalSlug: params.approvalSlug,
+				approvalId: params.approvalId,
+				allowedDecisions,
+				command: params.command,
+				cwd: params.cwd,
+				host: params.host,
+				nodeId: params.nodeId
+			})
+		}],
+		details: params.unavailableReason !== null ? {
+			status: "approval-unavailable",
+			reason: params.unavailableReason,
+			channel: params.initiatingSurface.channel,
+			channelLabel: params.initiatingSurface.channelLabel,
+			accountId: params.initiatingSurface.accountId,
+			sentApproverDms: params.sentApproverDms,
+			host: params.host,
+			command: params.command,
+			cwd: params.cwd,
+			nodeId: params.nodeId,
+			warningText: params.warningText
+		} : {
+			status: "approval-pending",
+			approvalId: params.approvalId,
+			approvalSlug: params.approvalSlug,
+			expiresAtMs: params.expiresAtMs,
+			allowedDecisions,
+			host: params.host,
+			command: params.command,
+			cwd: params.cwd,
+			nodeId: params.nodeId,
+			warningText: params.warningText
+		}
+	};
+}
+//#endregion
+//#region src/agents/bash-tools.exec-host-gateway.ts
+function hasGatewayAllowlistMiss(params) {
+	return params.hostSecurity === "allowlist" && (!params.analysisOk || !params.allowlistSatisfied) && !params.durableApprovalSatisfied;
+}
+function resolveGatewayAutoReviewReason(params) {
+	if (params.requiresInlineEvalApproval) return "strict-inline-eval";
+	if (params.requiresHeredocApproval) return "heredoc";
+	if (params.requiresAllowlistPlanApproval) return "execution-plan-miss";
+	if (hasGatewayAllowlistMiss({
+		hostSecurity: params.hostSecurity,
+		analysisOk: params.analysisOk,
+		allowlistSatisfied: params.allowlistSatisfied,
+		durableApprovalSatisfied: params.durableApprovalSatisfied
+	})) return "allowlist-miss";
+	return "approval-required";
+}
+function formatOutcomeExitLabel(outcome) {
+	return outcome.timedOut ? "timeout" : `code ${outcome.exitCode ?? "?"}`;
+}
+function formatBytes(value) {
+	if (typeof value !== "number" || !Number.isFinite(value)) return null;
+	return `${Math.max(0, Math.round(value))} bytes`;
+}
+function formatDiagnosticsContents(manifest) {
+	const contents = Array.isArray(manifest.contents) ? manifest.contents : [];
+	if (contents.length === 0) return [];
+	const lines = [`Contents (${contents.length} files):`];
+	for (const entry of contents.slice(0, 12)) {
+		if (!isRecord(entry)) continue;
+		const path = typeof entry.path === "string" ? entry.path : "";
+		if (!path) continue;
+		const bytes = formatBytes(entry.bytes);
+		lines.push(`- ${bytes ? `${path} (${bytes})` : path}`);
+	}
+	if (contents.length > 12) lines.push(`- ... ${contents.length - 12} more`);
+	return lines;
+}
+function formatDiagnosticsPrivacy(manifest) {
+	const privacy = isRecord(manifest.privacy) ? manifest.privacy : null;
+	if (!privacy) return [];
+	const lines = ["Privacy:"];
+	if (typeof privacy.payloadFree === "boolean") lines.push(`- payload-free: ${privacy.payloadFree ? "yes" : "no"}`);
+	if (typeof privacy.rawLogsIncluded === "boolean") lines.push(`- raw logs included: ${privacy.rawLogsIncluded ? "yes" : "no"}`);
+	const notes = Array.isArray(privacy.notes) ? privacy.notes.filter((note) => typeof note === "string") : [];
+	for (const note of notes.slice(0, 4)) lines.push(`- ${note}`);
+	return lines.length > 1 ? lines : [];
+}
+function formatDiagnosticsExportSuccess(aggregated) {
+	const trimmed = aggregated.trim();
+	if (!trimmed) return "Diagnostics export completed, but no JSON output was returned.";
+	try {
+		const parsed = JSON.parse(trimmed);
+		if (!isRecord(parsed)) return trimmed;
+		const manifest = isRecord(parsed.manifest) ? parsed.manifest : {};
+		const lines = [
+			"Diagnostics export created.",
+			"",
+			"Local Gateway bundle:"
+		];
+		const bundlePath = typeof parsed.path === "string" ? parsed.path : "";
+		if (bundlePath) lines.push(`Path: ${bundlePath}`);
+		const bytes = formatBytes(parsed.bytes);
+		if (bytes) lines.push(`Size: ${bytes}`);
+		if (typeof manifest.generatedAt === "string") lines.push(`Generated at: ${manifest.generatedAt}`);
+		if (typeof manifest.fengmingVersion === "string") lines.push(`FengMing version: ${manifest.fengmingVersion}`);
+		const contents = formatDiagnosticsContents(manifest);
+		if (contents.length > 0) lines.push("", ...contents);
+		const privacy = formatDiagnosticsPrivacy(manifest);
+		if (privacy.length > 0) lines.push("", ...privacy);
+		return lines.join("\n");
+	} catch {
+		return trimmed;
+	}
+}
+function formatDiagnosticsExportFailure(params) {
+	const output = normalizeNotifyOutput(tail(params.outcome.aggregated || "", 4e3));
+	const lines = [`Diagnostics export failed (${params.exitLabel}).`];
+	if (params.outcome.reason) lines.push(params.outcome.reason);
+	if (output) lines.push("", output);
+	return lines.join("\n");
+}
+function buildGatewayExecApprovalFollowupSummary(params) {
+	const exitLabel = formatOutcomeExitLabel(params.outcome);
+	if (params.trigger === "diagnostics") {
+		const body = [params.outcome.status === "completed" && params.outcome.exitCode === 0 ? formatDiagnosticsExportSuccess(params.outcome.aggregated) : formatDiagnosticsExportFailure({
+			outcome: params.outcome,
+			exitLabel
+		}), params.approvalFollowupText?.trim()].filter(Boolean).join("\n\n");
+		return `Exec finished (gateway id=${params.approvalId}, session=${params.sessionId}, ${exitLabel})\n${body}`;
+	}
+	const output = normalizeNotifyOutput(tail(params.outcome.aggregated || "", 400));
+	return output ? `Exec finished (gateway id=${params.approvalId}, session=${params.sessionId}, ${exitLabel})\n${output}` : `Exec finished (gateway id=${params.approvalId}, session=${params.sessionId}, ${exitLabel})`;
+}
+function shouldAwaitGatewayApprovalInline(params) {
+	if (params.approvalFollowupMode === "direct") return false;
+	return normalizeMessageChannel(params.turnSourceChannel) === INTERNAL_MESSAGE_CHANNEL;
+}
+function buildGatewayExecApprovalDeniedToolResult(params) {
+	const text = `Exec denied (gateway id=${params.approvalId}, ${params.deniedReason}): ${params.command}`;
+	return {
+		content: [{
+			type: "text",
+			text
+		}],
+		details: {
+			status: "failed",
+			exitCode: null,
+			durationMs: 0,
+			aggregated: text,
+			timedOut: params.deniedReason.includes("timeout"),
+			cwd: params.cwd
+		}
+	};
+}
+async function resolveGatewayExecApprovalFollowupText(params) {
+	if (!params.approvalFollowup) return;
+	try {
+		return await params.approvalFollowup({
+			approvalId: params.approvalId,
+			sessionId: params.sessionId,
+			trigger: params.trigger,
+			outcome: params.outcome
+		});
+	} catch (error) {
+		return `Diagnostics follow-up failed: ${error instanceof Error ? error.message : String(error)}`;
+	}
+}
+async function processGatewayAllowlist(params) {
+	const { approvals, hostSecurity, hostAsk, askFallback } = resolveExecHostApprovalContext({
+		agentId: params.agentId,
+		security: params.security,
+		ask: params.ask,
+		host: "gateway"
+	});
+	const allowlistEval = evaluateShellAllowlist({
+		command: params.command,
+		allowlist: approvals.allowlist,
+		safeBins: params.safeBins,
+		safeBinProfiles: params.safeBinProfiles,
+		cwd: params.workdir,
+		env: params.env,
+		platform: process.platform,
+		trustedSafeBinDirs: params.trustedSafeBinDirs
+	});
+	const allowlistMatches = allowlistEval.allowlistMatches;
+	const analysisOk = allowlistEval.analysisOk;
+	const allowlistSatisfied = hostSecurity === "allowlist" && analysisOk ? allowlistEval.allowlistSatisfied : false;
+	const durableApprovalSatisfied = hasDurableExecApproval({
+		analysisOk,
+		segmentAllowlistEntries: allowlistEval.segmentAllowlistEntries,
+		allowlist: approvals.allowlist,
+		commandText: params.command
+	});
+	const inlineEvalHit = params.strictInlineEval === true ? detectPolicyInlineEval(allowlistEval.segments) : null;
+	if (inlineEvalHit) params.warnings.push(`Warning: strict inline-eval mode requires reviewer or explicit approval for ${describeInterpreterInlineEval(inlineEvalHit)}.`);
+	let enforcedCommand;
+	let allowlistPlanUnavailableReason = null;
+	if (hostSecurity === "allowlist" && analysisOk && allowlistSatisfied) {
+		const enforced = buildEnforcedShellCommand({
+			command: params.command,
+			segments: allowlistEval.segments,
+			platform: process.platform
+		});
+		if (!enforced.ok || !enforced.command) allowlistPlanUnavailableReason = enforced.reason ?? "unsupported platform";
+		else enforcedCommand = enforced.command;
+	}
+	const recordMatchedAllowlistUse = (resolvedPath) => recordAllowlistMatchesUse({
+		approvals: approvals.file,
+		agentId: params.agentId,
+		matches: allowlistMatches,
+		command: params.command,
+		resolvedPath
+	});
+	const hasHeredocSegment = allowlistEval.segments.some((segment) => segment.argv.some((token) => token.startsWith("<<")));
+	const requiresHeredocApproval = hostSecurity === "allowlist" && analysisOk && allowlistSatisfied && hasHeredocSegment;
+	const requiresInlineEvalApproval = inlineEvalHit !== null;
+	const requiresAllowlistPlanApproval = hostSecurity === "allowlist" && analysisOk && allowlistSatisfied && !enforcedCommand && allowlistPlanUnavailableReason !== null;
+	const requiresSecurityAuditSuppressionApproval = commandRequiresSecurityAuditSuppressionApproval({
+		command: params.command,
+		cwd: params.workdir,
+		env: params.env,
+		segments: allowlistEval.segments
+	}) && !(hostSecurity === "full" && hostAsk === "off");
+	const requiresAsk = requiresExecApproval({
+		ask: hostAsk,
+		security: hostSecurity,
+		analysisOk,
+		allowlistSatisfied,
+		durableApprovalSatisfied
+	}) || requiresAllowlistPlanApproval || requiresHeredocApproval || requiresInlineEvalApproval || requiresSecurityAuditSuppressionApproval;
+	if (requiresHeredocApproval) params.warnings.push("Warning: heredoc execution requires reviewer or explicit approval in allowlist mode.");
+	if (requiresAllowlistPlanApproval) params.warnings.push(`Warning: allowlist auto-execution is unavailable on ${process.platform}; reviewer or explicit approval is required.`);
+	if (requiresSecurityAuditSuppressionApproval) params.warnings.push("Warning: security audit suppression changes require explicit approval unless exec is running in yolo mode.");
+	if (requiresAsk) {
+		const [autoReviewSegment] = allowlistEval.segments;
+		const autoReviewArgv = allowlistEval.segments.length === 1 && (autoReviewSegment?.raw === void 0 || autoReviewSegment.raw.trim() === params.command.trim()) ? autoReviewSegment.argv : void 0;
+		const autoReviewHasBoundCommand = analysisOk && autoReviewArgv !== void 0;
+		const canAutoReviewApprovalMiss = params.autoReview === true && hostAsk !== "always" && autoReviewHasBoundCommand && !requiresSecurityAuditSuppressionApproval;
+		let autoReviewRequiresHumanApproval = params.autoReview === true && hostAsk !== "always" && !autoReviewHasBoundCommand || requiresSecurityAuditSuppressionApproval;
+		if (canAutoReviewApprovalMiss) {
+			const decision = await (params.autoReviewer ?? defaultExecAutoReviewer)({
+				command: params.command,
+				argv: autoReviewArgv,
+				cwd: params.workdir,
+				envKeys: Object.keys(params.requestedEnv ?? {}).toSorted(),
+				host: "gateway",
+				reason: resolveGatewayAutoReviewReason({
+					requiresInlineEvalApproval,
+					requiresHeredocApproval,
+					requiresAllowlistPlanApproval,
+					hostSecurity,
+					analysisOk,
+					allowlistSatisfied,
+					durableApprovalSatisfied
+				}),
+				analysis: {
+					parsed: analysisOk,
+					allowlistMatched: allowlistSatisfied,
+					durableApprovalMatched: durableApprovalSatisfied,
+					inlineEval: requiresInlineEvalApproval,
+					heredoc: requiresHeredocApproval
+				},
+				agent: {
+					id: params.agentId,
+					sessionKey: params.sessionKey
+				}
+			});
+			if (decision.decision === "allow-once") {
+				params.warnings.push(`Exec auto-review allowed once (risk=${decision.risk}): ${decision.rationale}`);
+				recordMatchedAllowlistUse(resolveApprovalAuditTrustPath(allowlistEval.segments[0]?.resolution ?? null, params.workdir));
+				return {
+					execCommandOverride: enforcedCommand,
+					allowWithoutEnforcedCommand: enforcedCommand === void 0
+				};
+			}
+			params.warnings.push(`Exec auto-review deferred to human approval (risk=${decision.risk}): ${decision.rationale}`);
+			autoReviewRequiresHumanApproval = true;
+		}
+		const requestArgs = buildDefaultExecApprovalRequestArgs({
+			warnings: params.warnings,
+			approvalRunningNoticeMs: params.approvalRunningNoticeMs,
+			createApprovalSlug,
+			turnSourceChannel: params.turnSourceChannel,
+			turnSourceAccountId: params.turnSourceAccountId
+		});
+		const registerGatewayApproval = async (approvalId) => await registerExecApprovalRequestForHostOrThrow({
+			approvalId,
+			command: params.command,
+			env: params.requestedEnv,
+			workdir: params.workdir,
+			host: "gateway",
+			security: hostSecurity,
+			ask: hostAsk,
+			commandHighlighting: params.commandHighlighting,
+			warningText: params.warnings.join("\n").trim() || void 0,
+			...buildExecApprovalRequesterContext({
+				agentId: params.agentId,
+				sessionKey: params.sessionKey
+			}),
+			resolvedPath: resolveApprovalAuditTrustPath(allowlistEval.segments[0]?.resolution ?? null, params.workdir),
+			...buildExecApprovalTurnSourceContext(params)
+		});
+		const { approvalId, approvalSlug, warningText, expiresAtMs, preResolvedDecision, initiatingSurface, sentApproverDms, unavailableReason } = await createAndRegisterDefaultExecApprovalRequest({
+			...requestArgs,
+			register: registerGatewayApproval
+		});
+		if (shouldResolveExecApprovalUnavailableInline({
+			trigger: params.trigger,
+			unavailableReason,
+			preResolvedDecision
+		})) {
+			const { baseDecision, approvedByAsk, deniedReason } = createExecApprovalDecisionState({
+				decision: preResolvedDecision,
+				askFallback
+			});
+			const strictInlineEvalDecision = enforceStrictInlineEvalApprovalBoundary({
+				baseDecision,
+				approvedByAsk,
+				deniedReason,
+				requiresInlineEvalApproval,
+				requiresAutoReviewHumanApproval: autoReviewRequiresHumanApproval
+			});
+			if (strictInlineEvalDecision.deniedReason || !strictInlineEvalDecision.approvedByAsk) throw new Error(buildHeadlessExecApprovalDeniedMessage({
+				trigger: params.trigger,
+				host: "gateway",
+				security: hostSecurity,
+				ask: hostAsk,
+				askFallback
+			}));
+			recordMatchedAllowlistUse(resolveApprovalAuditTrustPath(allowlistEval.segments[0]?.resolution ?? null, params.workdir));
+			return {
+				execCommandOverride: enforcedCommand,
+				allowWithoutEnforcedCommand: enforcedCommand === void 0
+			};
+		}
+		const resolvedPath = resolveApprovalAuditTrustPath(allowlistEval.segments[0]?.resolution ?? null, params.workdir);
+		const resolveApprovalForExecution = async (onFailure) => {
+			const decision = await resolveApprovalDecisionOrUndefined({
+				approvalId,
+				preResolvedDecision,
+				onFailure
+			});
+			if (decision === void 0) return {
+				deniedReason: "approval-request-failed",
+				requestFailed: true
+			};
+			const { baseDecision, approvedByAsk: initialApprovedByAsk, deniedReason: initialDeniedReason } = createExecApprovalDecisionState({
+				decision,
+				askFallback
+			});
+			let approvedByAsk = initialApprovedByAsk;
+			let deniedReason = initialDeniedReason;
+			if (baseDecision.timedOut && askFallback === "allowlist") if (!analysisOk || !allowlistSatisfied) deniedReason = "approval-timeout: allowlist-miss";
+			else approvedByAsk = true;
+			else if (decision === "allow-once") approvedByAsk = true;
+			else if (decision === "allow-always") {
+				approvedByAsk = true;
+				if (!requiresInlineEvalApproval) {
+					if (persistAllowAlwaysPatterns({
+						approvals: approvals.file,
+						agentId: params.agentId,
+						segments: allowlistEval.segments,
+						cwd: params.workdir,
+						env: params.env,
+						platform: process.platform,
+						strictInlineEval: params.strictInlineEval === true
+					}).length === 0) addDurableCommandApproval(approvals.file, params.agentId, params.command);
+				}
+			}
+			({approvedByAsk, deniedReason} = enforceStrictInlineEvalApprovalBoundary({
+				baseDecision,
+				approvedByAsk,
+				deniedReason,
+				requiresInlineEvalApproval,
+				requiresAutoReviewHumanApproval: autoReviewRequiresHumanApproval
+			}));
+			if (!approvedByAsk && hasGatewayAllowlistMiss({
+				hostSecurity,
+				analysisOk,
+				allowlistSatisfied,
+				durableApprovalSatisfied
+			})) deniedReason = deniedReason ?? "allowlist-miss";
+			return {
+				deniedReason,
+				requestFailed: false
+			};
+		};
+		if (unavailableReason === null && shouldAwaitGatewayApprovalInline(params)) {
+			const approvalDecision = await resolveApprovalForExecution(() => void 0);
+			if (approvalDecision.deniedReason) return { deniedResult: buildGatewayExecApprovalDeniedToolResult({
+				approvalId,
+				deniedReason: approvalDecision.deniedReason,
+				command: params.command,
+				cwd: params.workdir
+			}) };
+			recordMatchedAllowlistUse(resolvedPath ?? void 0);
+			return {
+				execCommandOverride: enforcedCommand,
+				allowWithoutEnforcedCommand: enforcedCommand === void 0
+			};
+		}
+		const effectiveTimeout = typeof params.timeoutSec === "number" ? params.timeoutSec : params.defaultTimeoutSec;
+		const followupTarget = buildExecApprovalFollowupTarget({
+			approvalId,
+			sessionKey: params.notifySessionKey ?? params.sessionKey,
+			bashElevated: params.bashElevated,
+			turnSourceChannel: params.turnSourceChannel,
+			turnSourceTo: params.turnSourceTo,
+			turnSourceAccountId: params.turnSourceAccountId,
+			turnSourceThreadId: params.turnSourceThreadId,
+			direct: params.approvalFollowupMode === "direct"
+		});
+		(async () => {
+			const approvalDecision = await resolveApprovalForExecution(() => void sendExecApprovalFollowupResult(followupTarget, `Exec denied (gateway id=${approvalId}, approval-request-failed): ${params.command}`));
+			if (approvalDecision.requestFailed) return;
+			if (approvalDecision.deniedReason) {
+				await sendExecApprovalFollowupResult(followupTarget, `Exec denied (gateway id=${approvalId}, ${approvalDecision.deniedReason}): ${params.command}`);
+				return;
+			}
+			recordMatchedAllowlistUse(resolvedPath ?? void 0);
+			let run = null;
+			try {
+				run = await runExecProcess({
+					command: params.command,
+					execCommand: enforcedCommand,
+					workdir: params.workdir,
+					env: params.env,
+					pathPrepend: params.pathPrepend,
+					sandbox: void 0,
+					containerWorkdir: null,
+					usePty: params.pty,
+					warnings: params.warnings,
+					maxOutput: params.maxOutput,
+					pendingMaxOutput: params.pendingMaxOutput,
+					notifyOnExit: false,
+					notifyOnExitEmptySuccess: false,
+					scopeKey: params.scopeKey,
+					sessionKey: params.notifySessionKey ?? params.sessionKey,
+					timeoutSec: effectiveTimeout
+				});
+			} catch {
+				await sendExecApprovalFollowupResult(followupTarget, `Exec denied (gateway id=${approvalId}, spawn-failed): ${params.command}`);
+				return;
+			}
+			markBackgrounded(run.session);
+			const outcome = await run.promise;
+			const dynamicFollowupText = await resolveGatewayExecApprovalFollowupText({
+				approvalFollowup: params.approvalFollowup,
+				approvalId,
+				sessionId: run.session.id,
+				trigger: params.trigger,
+				outcome
+			});
+			const approvalFollowupText = normalizeStringEntries([params.approvalFollowupText ?? "", dynamicFollowupText ?? ""]).join("\n\n");
+			await sendExecApprovalFollowupResult(followupTarget, buildGatewayExecApprovalFollowupSummary({
+				approvalId,
+				sessionId: run.session.id,
+				outcome,
+				trigger: params.trigger,
+				approvalFollowupText
+			}));
+		})();
+		return { pendingResult: buildExecApprovalPendingToolResult({
+			host: "gateway",
+			command: params.command,
+			cwd: params.workdir,
+			warningText,
+			approvalId,
+			approvalSlug,
+			expiresAtMs,
+			initiatingSurface,
+			sentApproverDms,
+			unavailableReason,
+			allowedDecisions: resolveExecApprovalAllowedDecisions({ ask: hostAsk })
+		}) };
+	}
+	if (hasGatewayAllowlistMiss({
+		hostSecurity,
+		analysisOk,
+		allowlistSatisfied,
+		durableApprovalSatisfied
+	})) throw new Error("exec denied: allowlist miss");
+	recordMatchedAllowlistUse(resolveApprovalAuditTrustPath(allowlistEval.segments[0]?.resolution ?? null, params.workdir));
+	return { execCommandOverride: enforcedCommand };
+}
+//#endregion
+//#region src/infra/node-shell.ts
+function buildNodeShellCommand(command, platform) {
+	if (normalizeLowercaseStringOrEmpty((platform ?? "").trim()).startsWith("win")) return [
+		"cmd.exe",
+		"/d",
+		"/s",
+		"/c",
+		command
+	];
+	return [
+		"/bin/sh",
+		"-lc",
+		command
+	];
+}
+//#endregion
+//#region src/agents/bash-tools.exec-host-node-phases.ts
+function resolveNodeRunTimeoutSec(timeoutSec, defaultTimeoutSec) {
+	return typeof timeoutSec === "number" && Number.isFinite(timeoutSec) ? timeoutSec : defaultTimeoutSec;
+}
+function resolveNodeInvokeTimeoutMs(runTimeoutSec, defaultTimeoutSec) {
+	const baseTimeoutSec = Number.isFinite(runTimeoutSec) && runTimeoutSec > 0 ? runTimeoutSec : defaultTimeoutSec;
+	if (!Number.isFinite(baseTimeoutSec) || baseTimeoutSec <= 0) return 1e4;
+	return Math.max(1e4, addSafeTimeoutDelayGraceMs(baseTimeoutSec * 1e3, 5e3));
+}
+function resolveNodeRunTimeoutMs(runTimeoutSec) {
+	return Number.isFinite(runTimeoutSec) && runTimeoutSec > 0 ? addSafeTimeoutDelayGraceMs(runTimeoutSec * 1e3, 0, { minMs: 0 }) : 0;
+}
+function hasExactCommandDurableApproval(params) {
+	const normalizedCommand = params.commandText.trim();
+	if (!normalizedCommand) return false;
+	const commandPattern = `=command:${crypto.createHash("sha256").update(normalizedCommand).digest("hex").slice(0, 16)}`;
+	return params.allowlist.some((entry) => entry.source === "allow-always" && (entry.pattern === commandPattern || typeof entry.commandText === "string" && entry.commandText.trim() === normalizedCommand));
+}
+function extractPreparedNodeShellPayload(argv) {
+	const extracted = extractShellCommandFromArgv([...argv]);
+	if (extracted) return extracted;
+	const executable = argv[0]?.split(/[\\/]/).pop()?.toLowerCase();
+	const flag = argv[1]?.trim();
+	const payload = argv[2]?.trim();
+	if (argv.length === 3 && executable === "sh" && flag === "-lc" && payload) return payload;
+	return null;
+}
+function shouldSkipNodeApprovalPrepare(params) {
+	return params.hostSecurity === "full" && params.hostAsk === "off" && params.strictInlineEval !== true;
+}
+function formatNodeRunToolResult(params) {
+	const payload = params.raw && typeof params.raw === "object" ? params.raw.payload : void 0;
+	const payloadObj = payload && typeof payload === "object" ? payload : {};
+	const stdout = typeof payloadObj.stdout === "string" ? payloadObj.stdout : "";
+	const stderr = typeof payloadObj.stderr === "string" ? payloadObj.stderr : "";
+	const errorText = typeof payloadObj.error === "string" ? payloadObj.error : "";
+	const success = typeof payloadObj.success === "boolean" ? payloadObj.success : false;
+	const exitCode = typeof payloadObj.exitCode === "number" ? payloadObj.exitCode : null;
+	return {
+		content: [{
+			type: "text",
+			text: renderExecOutputText(stdout || stderr || errorText)
+		}],
+		details: {
+			status: success ? "completed" : "failed",
+			exitCode,
+			durationMs: Date.now() - params.startedAt,
+			aggregated: [
+				stdout,
+				stderr,
+				errorText
+			].filter(Boolean).join("\n"),
+			cwd: params.cwd
+		}
+	};
+}
+async function resolveNodeExecutionTarget(params) {
+	if (params.boundNode && params.requestedNode && params.boundNode !== params.requestedNode) throw new Error(`exec node not allowed (bound to ${params.boundNode})`);
+	const nodeQuery = params.boundNode || params.requestedNode;
+	const nodes = await listNodes({});
+	if (nodes.length === 0) throw new Error("exec host=node requires a paired node (none available). This requires a companion app or node host.");
+	let nodeId;
+	try {
+		nodeId = resolveNodeIdFromList(nodes, nodeQuery, !nodeQuery);
+	} catch (err) {
+		if (!nodeQuery && String(err).includes("node required")) throw new Error("exec host=node requires a node id when multiple nodes are available (set tools.exec.node or exec.node).", { cause: err });
+		throw err;
+	}
+	const nodeInfo = nodes.find((entry) => entry.nodeId === nodeId);
+	if (nodeInfo?.connected === false) throw new Error(`exec host=node requires a connected node (${nodeId} is currently disconnected). Start or reconnect the companion app or node host, or select a connected node.`);
+	const declaredCommands = Array.isArray(nodeInfo?.commands) ? nodeInfo.commands : [];
+	if (!declaredCommands.includes("system.run")) throw new Error("exec host=node requires a node that supports system.run (companion app or node host).");
+	const runTimeoutSec = resolveNodeRunTimeoutSec(params.timeoutSec, params.defaultTimeoutSec);
+	return {
+		nodeId,
+		platform: nodeInfo?.platform,
+		argv: buildNodeShellCommand(params.command, nodeInfo?.platform),
+		env: params.requestedEnv ? { ...params.requestedEnv } : void 0,
+		invokeTimeoutMs: resolveNodeInvokeTimeoutMs(runTimeoutSec, params.defaultTimeoutSec),
+		runTimeoutSec,
+		supportsSystemRunPrepare: declaredCommands.includes("system.run.prepare")
+	};
+}
+function buildNodeSystemRunInvoke(params) {
+	const timeoutMs = resolveNodeRunTimeoutMs(params.target.runTimeoutSec);
+	const runId = params.runId ?? crypto.randomUUID();
+	return {
+		nodeId: params.target.nodeId,
+		command: "system.run",
+		params: {
+			command: params.command,
+			rawCommand: params.rawCommand,
+			...params.systemRunPlan ? { systemRunPlan: params.systemRunPlan } : {},
+			...params.cwd != null ? { cwd: params.cwd } : {},
+			env: params.target.env,
+			timeoutMs,
+			agentId: params.agentId,
+			sessionKey: params.sessionKey,
+			...params.turnSourceChannel != null ? { turnSourceChannel: params.turnSourceChannel } : {},
+			...params.turnSourceTo != null ? { turnSourceTo: params.turnSourceTo } : {},
+			...params.turnSourceAccountId != null ? { turnSourceAccountId: params.turnSourceAccountId } : {},
+			...params.turnSourceThreadId != null ? { turnSourceThreadId: params.turnSourceThreadId } : {},
+			approved: params.approved,
+			approvalDecision: params.approvalDecision ?? void 0,
+			runId,
+			suppressNotifyOnExit: params.suppressNotifyOnExit === true || params.notifyOnExit === false ? true : void 0
+		},
+		idempotencyKey: crypto.randomUUID()
+	};
+}
+async function invokeNodeSystemRunDirect(params) {
+	const startedAt = Date.now();
+	return formatNodeRunToolResult({
+		raw: await callGatewayTool("node.invoke", { timeoutMs: params.target.invokeTimeoutMs }, buildNodeSystemRunInvoke({
+			target: params.target,
+			command: params.target.argv,
+			rawCommand: params.request.command,
+			cwd: params.request.workdir,
+			agentId: params.request.agentId,
+			sessionKey: params.request.sessionKey,
+			notifyOnExit: params.request.notifyOnExit
+		})),
+		startedAt,
+		cwd: params.request.workdir
+	});
+}
+async function prepareNodeSystemRun(params) {
+	if (!params.target.supportsSystemRunPrepare) return buildLocalPreparedNodeRun(params);
+	const prepared = parsePreparedSystemRunPayload((await callGatewayTool("node.invoke", { timeoutMs: 15e3 }, {
+		nodeId: params.target.nodeId,
+		command: "system.run.prepare",
+		params: {
+			command: params.target.argv,
+			rawCommand: params.request.command,
+			...params.request.workdir != null ? { cwd: params.request.workdir } : {},
+			agentId: params.request.agentId,
+			sessionKey: params.request.sessionKey
+		},
+		idempotencyKey: crypto.randomUUID()
+	}))?.payload);
+	if (!prepared) throw new Error("invalid system.run.prepare response");
+	return {
+		plan: prepared.plan,
+		argv: prepared.plan.argv,
+		rawCommand: prepared.plan.commandText,
+		cwd: prepared.plan.cwd ?? params.request.workdir,
+		agentId: prepared.plan.agentId ?? params.request.agentId,
+		sessionKey: prepared.plan.sessionKey ?? params.request.sessionKey,
+		...prepared.execPolicy ? { execPolicy: prepared.execPolicy } : {}
+	};
+}
+function buildLocalPreparedNodeRun(params) {
+	const rawCommand = formatExecCommand(params.target.argv);
+	const command = resolveSystemRunCommandRequest({
+		command: params.target.argv,
+		rawCommand
+	});
+	if (!command.ok) throw new Error(command.message);
+	if (command.argv.length === 0) throw new Error("命令是必需的");
+	const commandText = formatExecCommand(command.argv);
+	const previewText = params.request.command.trim() || command.previewText?.trim();
+	const commandPreview = previewText && previewText !== commandText ? previewText : null;
+	const plan = {
+		argv: [...command.argv],
+		cwd: normalizeNullableString(params.request.workdir),
+		commandText,
+		commandPreview,
+		agentId: normalizeNullableString(params.request.agentId),
+		sessionKey: normalizeNullableString(params.request.sessionKey)
+	};
+	return {
+		plan,
+		argv: plan.argv,
+		rawCommand: plan.commandText,
+		cwd: plan.cwd ?? params.request.workdir,
+		agentId: plan.agentId ?? params.request.agentId,
+		sessionKey: plan.sessionKey ?? params.request.sessionKey
+	};
+}
+async function analyzeNodeApprovalRequirement(params) {
+	const approvalCommand = params.prepared.rawCommand;
+	const approvalCwd = params.prepared.cwd ?? params.request.workdir;
+	const baseAllowlistEval = evaluateShellAllowlist({
+		command: approvalCommand,
+		allowlist: [],
+		safeBins: /* @__PURE__ */ new Set(),
+		cwd: approvalCwd,
+		env: params.request.env,
+		platform: params.target.platform,
+		trustedSafeBinDirs: params.request.trustedSafeBinDirs
+	});
+	const bindingCommandEvals = [{
+		command: approvalCommand,
+		cwd: approvalCwd,
+		allowlistEval: baseAllowlistEval
+	}];
+	const addCommandEval = (entries, command, cwd) => {
+		const normalizedCommand = command?.trim();
+		if (!normalizedCommand) return;
+		if (entries.some((entry) => entry.command.trim() === normalizedCommand && entry.cwd === cwd)) return;
+		entries.push({
+			command: normalizedCommand,
+			cwd,
+			allowlistEval: evaluateShellAllowlist({
+				command: normalizedCommand,
+				allowlist: [],
+				safeBins: /* @__PURE__ */ new Set(),
+				cwd,
+				env: params.request.env,
+				platform: params.target.platform,
+				trustedSafeBinDirs: params.request.trustedSafeBinDirs
+			})
+		});
+	};
+	const preparedCommand = resolveSystemRunCommandRequest({
+		command: params.prepared.argv,
+		rawCommand: params.prepared.rawCommand
+	});
+	const preparedShellPayload = extractPreparedNodeShellPayload(params.prepared.argv) ?? (preparedCommand.ok ? preparedCommand.shellPayload : null);
+	addCommandEval(bindingCommandEvals, preparedShellPayload, approvalCwd);
+	const autoReviewBindingCommand = preparedShellPayload?.trim() || approvalCommand;
+	const autoReviewBindingEval = bindingCommandEvals.find((entry) => entry.command.trim() === autoReviewBindingCommand.trim() && entry.cwd === approvalCwd)?.allowlistEval ?? baseAllowlistEval;
+	const policyCommandEvals = [...bindingCommandEvals];
+	addCommandEval(policyCommandEvals, params.prepared.plan.commandPreview, approvalCwd);
+	addCommandEval(policyCommandEvals, params.request.command, params.request.workdir);
+	let analysisOk = baseAllowlistEval.analysisOk;
+	let allowlistSatisfied = false;
+	let durableApprovalSatisfied = false;
+	let nodeApprovalsFileKnown = false;
+	const inlineEvalHit = params.request.strictInlineEval === true ? policyCommandEvals.map((entry) => detectPolicyInlineEval(entry.allowlistEval.segments)).find((hit) => hit !== null) ?? null : null;
+	if (inlineEvalHit) params.request.warnings.push(`Warning: strict inline-eval mode requires reviewer or explicit approval for ${describeInterpreterInlineEval(inlineEvalHit)}.`);
+	const requiresSecurityAuditSuppressionApproval = (preparedShellPayload && preparedShellPayload.trim().length > 0 ? policyCommandEvals.filter((entry) => entry.command.trim() !== approvalCommand.trim() || entry.cwd !== approvalCwd) : policyCommandEvals).some((entry) => commandRequiresSecurityAuditSuppressionApproval({
+		command: entry.command,
+		cwd: entry.cwd,
+		env: params.request.env,
+		segments: entry.allowlistEval.segments
+	})) && !(params.hostSecurity === "full" && params.hostAsk === "off");
+	if ((params.hostAsk === "always" || params.hostSecurity === "allowlist" || params.request.autoReview === true) && analysisOk) try {
+		const approvalsSnapshot = await callGatewayTool("exec.approvals.node.get", { timeoutMs: 1e4 }, { nodeId: params.target.nodeId });
+		const approvalsFile = approvalsSnapshot && typeof approvalsSnapshot === "object" ? approvalsSnapshot.file : void 0;
+		if (approvalsFile && typeof approvalsFile === "object") {
+			nodeApprovalsFileKnown = true;
+			const resolved = resolveExecApprovalsFromFile({
+				file: approvalsFile,
+				agentId: params.prepared.agentId,
+				overrides: { security: "full" }
+			});
+			const allowlistEvals = bindingCommandEvals.map((entry) => {
+				const allowlistEval = evaluateShellAllowlist({
+					command: entry.command,
+					allowlist: resolved.allowlist,
+					safeBins: /* @__PURE__ */ new Set(),
+					cwd: entry.cwd,
+					env: params.request.env,
+					platform: params.target.platform,
+					trustedSafeBinDirs: params.request.trustedSafeBinDirs
+				});
+				return {
+					command: entry.command,
+					allowlistEligible: !preparedShellPayload || entry.command.trim() === preparedShellPayload.trim(),
+					exactDurableApprovalSatisfied: hasExactCommandDurableApproval({
+						allowlist: resolved.allowlist,
+						commandText: entry.command
+					}),
+					allowlistEval,
+					durableApprovalSatisfied: hasDurableExecApproval({
+						analysisOk: allowlistEval.analysisOk,
+						segmentAllowlistEntries: allowlistEval.segmentAllowlistEntries,
+						allowlist: resolved.allowlist,
+						commandText: entry.command
+					})
+				};
+			});
+			durableApprovalSatisfied = allowlistEvals.some((entry) => entry.durableApprovalSatisfied && (entry.allowlistEligible || entry.exactDurableApprovalSatisfied));
+			allowlistSatisfied = allowlistEvals.some((entry) => entry.allowlistEligible && entry.allowlistEval.allowlistSatisfied);
+			analysisOk = allowlistEvals.some((entry) => entry.allowlistEval.analysisOk);
+		}
+	} catch {}
+	return {
+		analysisOk,
+		allowlistSatisfied,
+		durableApprovalSatisfied,
+		nodeApprovalPolicyKnown: nodeApprovalsFileKnown && params.prepared.execPolicy !== void 0,
+		nodeSecurity: params.prepared.execPolicy?.security,
+		nodeAsk: params.prepared.execPolicy?.ask,
+		inlineEvalHit,
+		requiresSecurityAuditSuppressionApproval,
+		autoReviewArgv: autoReviewBindingEval.segments.length === 1 && (autoReviewBindingEval.segments[0]?.raw === void 0 || autoReviewBindingEval.segments[0].raw.trim() === autoReviewBindingCommand.trim()) ? autoReviewBindingEval.segments[0].argv : void 0
+	};
+}
+//#endregion
+//#region src/agents/bash-tools.exec-host-node.ts
+const APPROVED_NODE_INVOKE_SCOPES = [WRITE_SCOPE, APPROVALS_SCOPE];
+function resolveNodeAutoReviewReason(params) {
+	if (params.inlineEvalHit !== null) return "strict-inline-eval";
+	if (params.hostSecurity === "allowlist" && (!params.analysisOk || !params.allowlistSatisfied) && !params.durableApprovalSatisfied) return "allowlist-miss";
+	return "approval-required";
+}
+function execSecurityFloorRank(security) {
+	switch (security) {
+		case "full": return 0;
+		case "allowlist": return 1;
+		case "deny": return 2;
+	}
+	throw new Error("不支持的执行安全下限");
+}
+function nodePolicyBlocksAutoReview(params) {
+	return !params.nodeApprovalPolicyKnown || params.nodeAsk === "always" || params.nodeSecurity !== void 0 && execSecurityFloorRank(params.nodeSecurity) > execSecurityFloorRank(params.hostSecurity);
+}
+async function executeNodeHostCommand(params) {
+	const { hostSecurity, hostAsk, askFallback } = resolveExecHostApprovalContext({
+		agentId: params.agentId,
+		security: params.security,
+		ask: params.ask,
+		host: "node"
+	});
+	const target = await resolveNodeExecutionTarget(params);
+	if (shouldSkipNodeApprovalPrepare({
+		hostSecurity,
+		hostAsk,
+		strictInlineEval: params.strictInlineEval
+	})) return await invokeNodeSystemRunDirect({
+		request: params,
+		target
+	});
+	const prepared = await prepareNodeSystemRun({
+		request: params,
+		target
+	});
+	const { analysisOk, allowlistSatisfied, durableApprovalSatisfied, nodeApprovalPolicyKnown, nodeSecurity, nodeAsk, inlineEvalHit, requiresSecurityAuditSuppressionApproval, autoReviewArgv } = await analyzeNodeApprovalRequirement({
+		request: params,
+		target,
+		prepared,
+		hostSecurity,
+		hostAsk
+	});
+	const requiresAsk = requiresExecApproval({
+		ask: hostAsk,
+		security: hostSecurity,
+		analysisOk,
+		allowlistSatisfied,
+		durableApprovalSatisfied
+	}) || inlineEvalHit !== null || requiresSecurityAuditSuppressionApproval;
+	if (requiresSecurityAuditSuppressionApproval) params.warnings.push("Warning: security audit suppression changes require explicit approval unless exec is running in yolo mode.");
+	const registerNodeApproval = async (approvalId, options = {}) => await registerExecApprovalRequestForHostOrThrow({
+		approvalId,
+		systemRunPlan: prepared.plan,
+		env: target.env,
+		workdir: prepared.cwd,
+		host: "node",
+		nodeId: target.nodeId,
+		security: hostSecurity,
+		ask: hostAsk,
+		commandHighlighting: params.commandHighlighting,
+		...buildExecApprovalRequesterContext({
+			agentId: prepared.agentId,
+			sessionKey: prepared.sessionKey
+		}),
+		...options.requireDeliveryRoute !== void 0 ? { requireDeliveryRoute: options.requireDeliveryRoute } : {},
+		...options.suppressDelivery !== void 0 ? { suppressDelivery: options.suppressDelivery } : {},
+		...buildExecApprovalTurnSourceContext(params)
+	});
+	let inlineApprovedByAsk = false;
+	let inlineApprovalDecision = null;
+	let inlineApprovalId;
+	if (requiresAsk) {
+		const autoReviewHasBoundCommand = analysisOk && autoReviewArgv !== void 0;
+		const autoReviewBlockedByNodePolicy = params.autoReview === true && hostAsk !== "always" && nodePolicyBlocksAutoReview({
+			hostSecurity,
+			nodeApprovalPolicyKnown,
+			nodeSecurity,
+			nodeAsk
+		});
+		let autoReviewRequiresHumanApproval = autoReviewBlockedByNodePolicy || params.autoReview === true && hostAsk !== "always" && !autoReviewHasBoundCommand || requiresSecurityAuditSuppressionApproval;
+		if (params.autoReview === true && hostAsk !== "always" && autoReviewHasBoundCommand && !autoReviewBlockedByNodePolicy && !requiresSecurityAuditSuppressionApproval) {
+			const decision = await (params.autoReviewer ?? defaultExecAutoReviewer)({
+				command: prepared.rawCommand,
+				argv: autoReviewArgv,
+				cwd: prepared.cwd,
+				envKeys: Object.keys(params.requestedEnv ?? {}).toSorted(),
+				host: "node",
+				reason: resolveNodeAutoReviewReason({
+					inlineEvalHit,
+					hostSecurity,
+					analysisOk,
+					allowlistSatisfied,
+					durableApprovalSatisfied
+				}),
+				analysis: {
+					parsed: analysisOk,
+					allowlistMatched: allowlistSatisfied,
+					durableApprovalMatched: durableApprovalSatisfied,
+					inlineEval: inlineEvalHit !== null
+				},
+				agent: {
+					id: prepared.agentId,
+					sessionKey: prepared.sessionKey
+				}
+			});
+			if (decision.decision === "allow-once") {
+				const approvalId = randomUUID();
+				await registerNodeApproval(approvalId, {
+					requireDeliveryRoute: false,
+					suppressDelivery: true
+				});
+				await callGatewayTool("exec.approval.resolve", { timeoutMs: 15e3 }, {
+					id: approvalId,
+					decision: "allow-once"
+				}, { scopes: [APPROVALS_SCOPE] });
+				inlineApprovedByAsk = true;
+				inlineApprovalDecision = "allow-once";
+				inlineApprovalId = approvalId;
+			}
+			if (decision.decision !== "allow-once") {
+				autoReviewRequiresHumanApproval = true;
+				params.warnings.push(`Exec auto-review deferred to human approval (risk=${decision.risk}): ${decision.rationale}`);
+			}
+		}
+		if (!inlineApprovedByAsk) {
+			const { approvalId, approvalSlug, warningText, expiresAtMs, preResolvedDecision, initiatingSurface, sentApproverDms, unavailableReason } = await createAndRegisterDefaultExecApprovalRequest({
+				...buildDefaultExecApprovalRequestArgs({
+					warnings: params.warnings,
+					approvalRunningNoticeMs: params.approvalRunningNoticeMs,
+					createApprovalSlug,
+					turnSourceChannel: params.turnSourceChannel,
+					turnSourceAccountId: params.turnSourceAccountId
+				}),
+				register: registerNodeApproval
+			});
+			if (shouldResolveExecApprovalUnavailableInline({
+				trigger: params.trigger,
+				unavailableReason,
+				preResolvedDecision
+			})) {
+				const { baseDecision, approvedByAsk, deniedReason } = createExecApprovalDecisionState({
+					decision: preResolvedDecision,
+					askFallback
+				});
+				const strictInlineEvalDecision = enforceStrictInlineEvalApprovalBoundary({
+					baseDecision,
+					approvedByAsk,
+					deniedReason,
+					requiresInlineEvalApproval: inlineEvalHit !== null,
+					requiresAutoReviewHumanApproval: autoReviewRequiresHumanApproval
+				});
+				if (strictInlineEvalDecision.deniedReason || !strictInlineEvalDecision.approvedByAsk) throw new Error(buildHeadlessExecApprovalDeniedMessage({
+					trigger: params.trigger,
+					host: "node",
+					security: hostSecurity,
+					ask: hostAsk,
+					askFallback
+				}));
+				inlineApprovedByAsk = strictInlineEvalDecision.approvedByAsk;
+				inlineApprovalDecision = strictInlineEvalDecision.approvedByAsk ? "allow-once" : null;
+				inlineApprovalId = approvalId;
+			} else {
+				const followupTarget = buildExecApprovalFollowupTarget({
+					approvalId,
+					sessionKey: params.notifySessionKey ?? params.sessionKey,
+					bashElevated: params.bashElevated,
+					turnSourceChannel: params.turnSourceChannel,
+					turnSourceTo: params.turnSourceTo,
+					turnSourceAccountId: params.turnSourceAccountId,
+					turnSourceThreadId: params.turnSourceThreadId
+				});
+				(async () => {
+					const decision = await resolveApprovalDecisionOrUndefined({
+						approvalId,
+						preResolvedDecision,
+						onFailure: () => void sendExecApprovalFollowupResult(followupTarget, `Exec denied (node=${target.nodeId} id=${approvalId}, approval-request-failed): ${params.command}`)
+					});
+					if (decision === void 0) return;
+					const { baseDecision, approvedByAsk: initialApprovedByAsk, deniedReason: initialDeniedReason } = createExecApprovalDecisionState({
+						decision,
+						askFallback
+					});
+					let approvedByAsk = initialApprovedByAsk;
+					let approvalDecision = null;
+					let deniedReason = initialDeniedReason;
+					if (baseDecision.timedOut && askFallback === "full" && approvedByAsk) approvalDecision = "allow-once";
+					else if (decision === "allow-once") {
+						approvedByAsk = true;
+						approvalDecision = "allow-once";
+					} else if (decision === "allow-always") {
+						approvedByAsk = true;
+						approvalDecision = "allow-always";
+					}
+					({approvedByAsk, deniedReason} = enforceStrictInlineEvalApprovalBoundary({
+						baseDecision,
+						approvedByAsk,
+						deniedReason,
+						requiresInlineEvalApproval: inlineEvalHit !== null,
+						requiresAutoReviewHumanApproval: autoReviewRequiresHumanApproval
+					}));
+					if (deniedReason) approvalDecision = null;
+					if (deniedReason) {
+						await sendExecApprovalFollowupResult(followupTarget, `Exec denied (node=${target.nodeId} id=${approvalId}, ${deniedReason}): ${params.command}`);
+						return;
+					}
+					try {
+						const raw = await callGatewayTool("node.invoke", { timeoutMs: target.invokeTimeoutMs }, buildNodeSystemRunInvoke({
+							target,
+							command: prepared.argv,
+							rawCommand: prepared.rawCommand,
+							cwd: prepared.cwd,
+							agentId: prepared.agentId,
+							sessionKey: prepared.sessionKey,
+							turnSourceChannel: params.turnSourceChannel,
+							turnSourceTo: params.turnSourceTo,
+							turnSourceAccountId: params.turnSourceAccountId,
+							turnSourceThreadId: params.turnSourceThreadId,
+							approved: approvedByAsk,
+							approvalDecision: approvalDecision === "allow-always" && inlineEvalHit !== null ? "allow-once" : approvalDecision,
+							runId: approvalId,
+							suppressNotifyOnExit: true,
+							notifyOnExit: params.notifyOnExit,
+							systemRunPlan: prepared.plan
+						}), { scopes: APPROVED_NODE_INVOKE_SCOPES });
+						const payload = raw?.payload && typeof raw.payload === "object" ? raw.payload : {};
+						const output = normalizeNotifyOutput([
+							payload.stdout,
+							payload.stderr,
+							payload.error
+						].filter(Boolean).join("\n").slice(-400));
+						const exitLabel = payload.timedOut ? "timeout" : `code ${payload.exitCode ?? "?"}`;
+						await sendExecApprovalFollowupResult(followupTarget, output ? `Exec finished (node=${target.nodeId} id=${approvalId}, ${exitLabel})\n${output}` : `Exec finished (node=${target.nodeId} id=${approvalId}, ${exitLabel})`);
+					} catch {
+						await sendExecApprovalFollowupResult(followupTarget, `Exec denied (node=${target.nodeId} id=${approvalId}, invoke-failed): ${params.command}`);
+					}
+				})();
+				return buildExecApprovalPendingToolResult({
+					host: "node",
+					command: params.command,
+					cwd: params.workdir,
+					warningText,
+					approvalId,
+					approvalSlug,
+					expiresAtMs,
+					initiatingSurface,
+					sentApproverDms,
+					unavailableReason,
+					allowedDecisions: resolveExecApprovalAllowedDecisions({ ask: hostAsk }),
+					nodeId: target.nodeId
+				});
+			}
+		}
+	}
+	const startedAt = Date.now();
+	const invoke = buildNodeSystemRunInvoke({
+		target,
+		command: prepared.argv,
+		rawCommand: prepared.rawCommand,
+		cwd: prepared.cwd,
+		agentId: prepared.agentId,
+		sessionKey: prepared.sessionKey,
+		approved: inlineApprovedByAsk,
+		approvalDecision: inlineApprovalDecision,
+		runId: inlineApprovalId,
+		notifyOnExit: params.notifyOnExit,
+		systemRunPlan: prepared.plan
+	});
+	return formatNodeRunToolResult({
+		raw: inlineApprovedByAsk && inlineApprovalId ? await callGatewayTool("node.invoke", { timeoutMs: target.invokeTimeoutMs }, invoke, { scopes: APPROVED_NODE_INVOKE_SCOPES }) : await callGatewayTool("node.invoke", { timeoutMs: target.invokeTimeoutMs }, invoke),
+		startedAt,
+		cwd: params.workdir
+	});
+}
+//#endregion
+//#region src/agents/bash-tools.exec.ts
+function buildExecForegroundResult(params) {
+	const warningText = params.warningText?.trim() ? `${params.warningText}\n\n` : "";
+	if (params.outcome.status === "failed") return failedTextResult(`${warningText}${params.outcome.reason}`, {
+		status: "failed",
+		exitCode: params.outcome.exitCode ?? null,
+		durationMs: params.outcome.durationMs,
+		aggregated: params.outcome.aggregated,
+		timedOut: params.outcome.timedOut,
+		cwd: params.cwd
+	});
+	return textResult(`${warningText}${renderExecOutputText(params.outcome.aggregated)}`, {
+		status: "completed",
+		exitCode: params.outcome.exitCode,
+		durationMs: params.outcome.durationMs,
+		aggregated: params.outcome.aggregated,
+		cwd: params.cwd
+	});
+}
+const PREFLIGHT_ENV_OPTIONS_WITH_VALUES = new Set([
+	"-C",
+	"-S",
+	"-u",
+	"--argv0",
+	"--block-signal",
+	"--chdir",
+	"--default-signal",
+	"--ignore-signal",
+	"--split-string",
+	"--unset"
+]);
+const SKIPPABLE_SCRIPT_PREFLIGHT_FS_ERROR_CODES = new Set([
+	"EACCES",
+	"EISDIR",
+	"ELOOP",
+	"EINVAL",
+	"ENAMETOOLONG",
+	"ENOENT",
+	"ENOTDIR",
+	"EPERM"
+]);
+const SCRIPT_PREFLIGHT_MAX_BYTES = 512 * 1024;
+const FS_CONSTANTS_WITH_OPTIONAL_NONBLOCK = constants;
+const SCRIPT_PREFLIGHT_OPEN_FLAGS = constants.O_RDONLY | (FS_CONSTANTS_WITH_OPTIONAL_NONBLOCK.O_NONBLOCK ?? 0);
+function getNodeErrorCode(error) {
+	if (typeof error !== "object" || error === null || !("code" in error)) return;
+	return String(error.code);
+}
+const fsSafeModuleLoader = createLazyImportLoader(() => import("./fs-safe-DWIAc9pN.js"));
+async function loadFsSafeModule() {
+	return await fsSafeModuleLoader.load();
+}
+function shouldSkipScriptPreflightPathError(error, FsSafeError) {
+	if (error instanceof FsSafeError) return true;
+	const errorCode = getNodeErrorCode(error);
+	return !!(errorCode && SKIPPABLE_SCRIPT_PREFLIGHT_FS_ERROR_CODES.has(errorCode));
+}
+function resolvePreflightRelativePath(params) {
+	const root = path.resolve(params.rootDir);
+	const candidate = path.resolve(params.absPath);
+	const relative = path.relative(root, candidate);
+	if (/^\.\.(?:[\\/]|$)/u.test(relative) || path.isAbsolute(relative)) return null;
+	return relative;
+}
+function hasLeadingTildePathSegment(relativePath) {
+	return /^~(?:$|[\\/])/u.test(relativePath);
+}
+async function readLiteralTildePreflightScript(params) {
+	let handle;
+	try {
+		handle = await fs$1.open(params.absPath, SCRIPT_PREFLIGHT_OPEN_FLAGS);
+		const stat = await handle.stat();
+		if (!stat.isFile()) throw new params.fsSafe.FsSafeError("not-file", "not a file");
+		if (stat.size > SCRIPT_PREFLIGHT_MAX_BYTES) throw new params.fsSafe.FsSafeError("too-large", `file exceeds limit of ${SCRIPT_PREFLIGHT_MAX_BYTES} bytes (got ${stat.size})`);
+		const realPath = await params.fsSafe.resolveOpenedFileRealPathForHandle(handle, params.absPath);
+		if (!params.fsSafe.isPathInside(params.workspaceRoot.rootReal, realPath)) throw new params.fsSafe.FsSafeError("outside-workspace", "file is outside workspace root");
+		const buffer = await handle.readFile();
+		if (buffer.byteLength > SCRIPT_PREFLIGHT_MAX_BYTES) throw new params.fsSafe.FsSafeError("too-large", `file exceeds limit of ${SCRIPT_PREFLIGHT_MAX_BYTES} bytes (got ${buffer.byteLength})`);
+		return buffer.toString("utf-8");
+	} finally {
+		await handle?.close().catch(() => void 0);
+	}
+}
+function isShellEnvAssignmentToken(token) {
+	return /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(token);
+}
+function isEnvExecutableToken(token) {
+	if (!token) return false;
+	const base = normalizeOptionalLowercaseString(token.split(/[\\/]/u).at(-1)) ?? "";
+	return (base.endsWith(".exe") ? base.slice(0, -4) : base) === "env";
+}
+function stripPreflightEnvPrefix(argv) {
+	if (argv.length === 0) return argv;
+	let idx = 0;
+	while (idx < argv.length && isShellEnvAssignmentToken(argv[idx])) idx += 1;
+	if (!isEnvExecutableToken(argv[idx])) return argv;
+	idx += 1;
+	while (idx < argv.length) {
+		const token = argv[idx];
+		if (token === "--") {
+			idx += 1;
+			break;
+		}
+		if (isShellEnvAssignmentToken(token)) {
+			idx += 1;
+			continue;
+		}
+		if (!token.startsWith("-") || token === "-") break;
+		idx += 1;
+		const option = token.split("=", 1)[0];
+		if (PREFLIGHT_ENV_OPTIONS_WITH_VALUES.has(option) && !token.includes("=") && idx < argv.length) idx += 1;
+	}
+	return argv.slice(idx);
+}
+function findFirstPythonScriptArg(tokens) {
+	const optionsWithSeparateValue = new Set([
+		"-W",
+		"-X",
+		"-Q",
+		"--check-hash-based-pycs"
+	]);
+	for (let i = 0; i < tokens.length; i += 1) {
+		const token = tokens[i];
+		if (token === "--") {
+			const next = tokens[i + 1];
+			return normalizeLowercaseStringOrEmpty(next).endsWith(".py") ? next : null;
+		}
+		if (token === "-") return null;
+		if (token === "-c" || token === "-m") return null;
+		if ((token.startsWith("-c") || token.startsWith("-m")) && token.length > 2) return null;
+		if (optionsWithSeparateValue.has(token)) {
+			i += 1;
+			continue;
+		}
+		if (token.startsWith("-")) continue;
+		return normalizeLowercaseStringOrEmpty(token).endsWith(".py") ? token : null;
+	}
+	return null;
+}
+function findNodeScriptArgs(tokens) {
+	const optionsWithSeparateValue = new Set([
+		"-r",
+		"--require",
+		"--import"
+	]);
+	const preloadScripts = [];
+	let entryScript = null;
+	let hasInlineEvalOrPrint = false;
+	for (let i = 0; i < tokens.length; i += 1) {
+		const token = tokens[i];
+		if (token === "--") {
+			if (!hasInlineEvalOrPrint && !entryScript) {
+				const next = tokens[i + 1];
+				if (normalizeLowercaseStringOrEmpty(next).endsWith(".js")) entryScript = next;
+			}
+			break;
+		}
+		if (token === "-e" || token === "-p" || token === "--eval" || token === "--print" || token.startsWith("--eval=") || token.startsWith("--print=") || (token.startsWith("-e") || token.startsWith("-p")) && token.length > 2) {
+			hasInlineEvalOrPrint = true;
+			if (token === "-e" || token === "-p" || token === "--eval" || token === "--print") i += 1;
+			continue;
+		}
+		if (optionsWithSeparateValue.has(token)) {
+			const next = tokens[i + 1];
+			if (normalizeLowercaseStringOrEmpty(next).endsWith(".js")) preloadScripts.push(next);
+			i += 1;
+			continue;
+		}
+		if (token.startsWith("-r") && token.length > 2 || token.startsWith("--require=") || token.startsWith("--import=")) {
+			const inlineValue = token.startsWith("-r") ? token.slice(2) : token.slice(token.indexOf("=") + 1);
+			if (normalizeLowercaseStringOrEmpty(inlineValue).endsWith(".js")) preloadScripts.push(inlineValue);
+			continue;
+		}
+		if (token.startsWith("-")) continue;
+		if (!hasInlineEvalOrPrint && !entryScript && normalizeLowercaseStringOrEmpty(token).endsWith(".js")) entryScript = token;
+		break;
+	}
+	const targets = [...preloadScripts];
+	if (entryScript) targets.push(entryScript);
+	return targets;
+}
+function extractInterpreterScriptTargetFromArgv(argv) {
+	if (!argv || argv.length === 0) return null;
+	let commandIdx = 0;
+	while (commandIdx < argv.length && /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(argv[commandIdx])) commandIdx += 1;
+	const executable = normalizeOptionalLowercaseString(argv[commandIdx]);
+	if (!executable) return null;
+	const args = argv.slice(commandIdx + 1);
+	if (/^python(?:3(?:\.\d+)?)?$/i.test(executable)) {
+		const script = findFirstPythonScriptArg(args);
+		if (script) return {
+			kind: "python",
+			relOrAbsPaths: [script]
+		};
+		return null;
+	}
+	if (executable === "node") {
+		const scripts = findNodeScriptArgs(args);
+		if (scripts.length > 0) return {
+			kind: "node",
+			relOrAbsPaths: scripts
+		};
+		return null;
+	}
+	return null;
+}
+function extractInterpreterScriptPathsFromSegment(rawSegment) {
+	const argv = splitShellArgs(rawSegment.trim());
+	if (!argv || argv.length === 0) return [];
+	return extractInterpreterScriptTargetFromArgv(stripPreflightEnvPrefix(/^(?:if|then|do|elif|else|while|until|time)$/i.test(argv[0] ?? "") ? argv.slice(1) : argv))?.relOrAbsPaths ?? [];
+}
+function extractScriptTargetFromCommand(command) {
+	const raw = command.trim();
+	const splitShellArgsPreservingBackslashes = (value) => {
+		const tokens = [];
+		let buf = "";
+		let inSingle = false;
+		let inDouble = false;
+		const pushToken = () => {
+			if (buf.length > 0) {
+				tokens.push(buf);
+				buf = "";
+			}
+		};
+		for (let i = 0; i < value.length; i += 1) {
+			const ch = value[i];
+			if (inSingle) {
+				if (ch === "'") inSingle = false;
+				else buf += ch;
+				continue;
+			}
+			if (inDouble) {
+				if (ch === "\"") inDouble = false;
+				else buf += ch;
+				continue;
+			}
+			if (ch === "'") {
+				inSingle = true;
+				continue;
+			}
+			if (ch === "\"") {
+				inDouble = true;
+				continue;
+			}
+			if (/\s/.test(ch)) {
+				pushToken();
+				continue;
+			}
+			buf += ch;
+		}
+		if (inSingle || inDouble) return null;
+		pushToken();
+		return tokens;
+	};
+	const candidateArgv = process.platform === "win32" && /(?:^|[\s"'`])(?:[A-Za-z]:\\|\\\\|[^\s"'`|&;()<>]+\\[^\s"'`|&;()<>]+)/.test(raw) ? [splitShellArgsPreservingBackslashes(raw)] : [splitShellArgs(raw)];
+	for (const argv of candidateArgv) {
+		const attempts = [argv, argv ? stripPreflightEnvPrefix(argv) : null];
+		for (const attempt of attempts) {
+			const target = extractInterpreterScriptTargetFromArgv(attempt);
+			if (target) return target;
+		}
+	}
+	return null;
+}
+function extractUnquotedShellText(raw) {
+	let out = "";
+	let inSingle = false;
+	let inDouble = false;
+	let escaped = false;
+	for (let i = 0; i < raw.length; i += 1) {
+		const ch = raw[i];
+		if (escaped) {
+			if (!inSingle && !inDouble) out += `\\${ch}`;
+			escaped = false;
+			continue;
+		}
+		if (!inSingle && ch === "\\") {
+			escaped = true;
+			continue;
+		}
+		if (inSingle) {
+			if (ch === "'") inSingle = false;
+			continue;
+		}
+		if (inDouble) {
+			const next = raw[i + 1];
+			if (ch === "\\" && next && /[\\'"$`\n\r]/.test(next)) {
+				i += 1;
+				continue;
+			}
+			if (ch === "\"") inDouble = false;
+			continue;
+		}
+		if (ch === "'") {
+			inSingle = true;
+			continue;
+		}
+		if (ch === "\"") {
+			inDouble = true;
+			continue;
+		}
+		out += ch;
+	}
+	if (escaped || inSingle || inDouble) return null;
+	return out;
+}
+function splitShellSegmentsOutsideQuotes(rawText, params) {
+	const segments = [];
+	let buf = "";
+	let inSingle = false;
+	let inDouble = false;
+	let escaped = false;
+	const pushSegment = () => {
+		if (buf.trim().length > 0) segments.push(buf);
+		buf = "";
+	};
+	for (let i = 0; i < rawText.length; i += 1) {
+		const ch = rawText[i];
+		const next = rawText[i + 1];
+		if (escaped) {
+			buf += ch;
+			escaped = false;
+			continue;
+		}
+		if (!inSingle && ch === "\\") {
+			buf += ch;
+			escaped = true;
+			continue;
+		}
+		if (inSingle) {
+			buf += ch;
+			if (ch === "'") inSingle = false;
+			continue;
+		}
+		if (inDouble) {
+			buf += ch;
+			if (ch === "\"") inDouble = false;
+			continue;
+		}
+		if (ch === "'") {
+			inSingle = true;
+			buf += ch;
+			continue;
+		}
+		if (ch === "\"") {
+			inDouble = true;
+			buf += ch;
+			continue;
+		}
+		if (ch === "\n" || ch === "\r") {
+			pushSegment();
+			continue;
+		}
+		if (ch === ";") {
+			pushSegment();
+			continue;
+		}
+		if (ch === "&" && next === "&") {
+			pushSegment();
+			i += 1;
+			continue;
+		}
+		if (ch === "|" && next === "|") {
+			pushSegment();
+			i += 1;
+			continue;
+		}
+		if (params.splitPipes && ch === "|") {
+			pushSegment();
+			continue;
+		}
+		buf += ch;
+	}
+	pushSegment();
+	return segments;
+}
+function isInterpreterExecutable(executable) {
+	if (!executable) return false;
+	return /^python(?:3(?:\.\d+)?)?$/i.test(executable) || executable === "node";
+}
+function hasUnescapedSequence(raw, sequence) {
+	if (sequence.length === 0) return false;
+	let escaped = false;
+	for (let i = 0; i < raw.length; i += 1) {
+		const ch = raw[i];
+		if (escaped) {
+			escaped = false;
+			continue;
+		}
+		if (ch === "\\") {
+			escaped = true;
+			continue;
+		}
+		if (raw.startsWith(sequence, i)) return true;
+	}
+	return false;
+}
+function hasUnquotedScriptHint(raw) {
+	let inSingle = false;
+	let inDouble = false;
+	let escaped = false;
+	let token = "";
+	const flushToken = () => {
+		const normalizedToken = normalizeLowercaseStringOrEmpty(token);
+		if (normalizedToken.endsWith(".py") || normalizedToken.endsWith(".js")) return true;
+		token = "";
+		return false;
+	};
+	for (let i = 0; i < raw.length; i += 1) {
+		const ch = raw[i];
+		if (escaped) {
+			if (!inSingle && !inDouble) token += ch;
+			escaped = false;
+			continue;
+		}
+		if (!inSingle && ch === "\\") {
+			escaped = true;
+			continue;
+		}
+		if (inSingle) {
+			if (ch === "'") inSingle = false;
+			continue;
+		}
+		if (inDouble) {
+			if (ch === "\"") inDouble = false;
+			continue;
+		}
+		if (ch === "'") {
+			if (flushToken()) return true;
+			inSingle = true;
+			continue;
+		}
+		if (ch === "\"") {
+			if (flushToken()) return true;
+			inDouble = true;
+			continue;
+		}
+		if (/\s/u.test(ch) || "|&;()<>".includes(ch)) {
+			if (flushToken()) return true;
+			continue;
+		}
+		token += ch;
+	}
+	return flushToken();
+}
+function resolveLeadingShellSegmentExecutable(rawSegment) {
+	const argv = splitShellArgs((extractUnquotedShellText(rawSegment) ?? rawSegment).trim());
+	if (!argv || argv.length === 0) return;
+	const withoutLeadingKeyword = /^(?:if|then|do|elif|else|while|until|time)$/i.test(argv[0] ?? "") ? argv.slice(1) : argv;
+	if (withoutLeadingKeyword.length === 0) return;
+	const normalizedArgv = stripPreflightEnvPrefix(withoutLeadingKeyword);
+	let commandIdx = 0;
+	while (commandIdx < normalizedArgv.length && /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(normalizedArgv[commandIdx] ?? "")) commandIdx += 1;
+	return normalizeOptionalLowercaseString(normalizedArgv[commandIdx]);
+}
+function analyzeInterpreterHeuristicsFromUnquoted(raw) {
+	const hasPython = splitShellSegmentsOutsideQuotes(raw, { splitPipes: true }).some((segment) => /^python(?:3(?:\.\d+)?)?$/i.test(resolveLeadingShellSegmentExecutable(segment) ?? ""));
+	const hasNode = splitShellSegmentsOutsideQuotes(raw, { splitPipes: true }).some((segment) => resolveLeadingShellSegmentExecutable(segment) === "node");
+	const hasProcessSubstitution = hasUnescapedSequence(raw, "<(") || hasUnescapedSequence(raw, ">(");
+	return {
+		hasPython,
+		hasNode,
+		hasComplexSyntax: hasUnescapedSequence(raw, "|") || hasUnescapedSequence(raw, "&&") || hasUnescapedSequence(raw, "||") || hasUnescapedSequence(raw, ";") || raw.includes("\n") || raw.includes("\r") || hasUnescapedSequence(raw, "$(") || hasUnescapedSequence(raw, "`") || hasProcessSubstitution,
+		hasProcessSubstitution,
+		hasScriptHint: hasUnquotedScriptHint(raw)
+	};
+}
+function extractShellWrappedCommandPayload(executable, args) {
+	if (!executable) return null;
+	const executableBase = normalizeOptionalLowercaseString(executable.split(/[\\/]/u).at(-1)) ?? "";
+	const normalizedExecutable = executableBase.endsWith(".exe") ? executableBase.slice(0, -4) : executableBase;
+	if (!/^(?:bash|dash|fish|ksh|sh|zsh)$/i.test(normalizedExecutable)) return null;
+	const shortOptionsWithSeparateValue = new Set(["-O", "-o"]);
+	for (let i = 0; i < args.length; i += 1) {
+		const arg = args[i];
+		if (arg === "--") return null;
+		if (arg === "-c") return args[i + 1] ?? null;
+		if (/^-[A-Za-z]+$/u.test(arg)) {
+			if (arg.includes("c")) return args[i + 1] ?? null;
+			if (shortOptionsWithSeparateValue.has(arg)) i += 1;
+			continue;
+		}
+		if (/^--[A-Za-z0-9][A-Za-z0-9-]*(?:=.*)?$/u.test(arg)) {
+			if (!arg.includes("=")) {
+				const next = args[i + 1];
+				if (next && next !== "--" && !next.startsWith("-")) i += 1;
+			}
+			continue;
+		}
+		return null;
+	}
+	return null;
+}
+function shouldFailClosedInterpreterPreflight(command) {
+	const raw = command.trim();
+	const rawArgv = splitShellArgs(raw);
+	const argv = rawArgv ? stripPreflightEnvPrefix(rawArgv) : null;
+	let commandIdx = 0;
+	if (argv) while (commandIdx < argv.length && /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(argv[commandIdx] ?? "")) commandIdx += 1;
+	const directExecutable = normalizeOptionalLowercaseString(argv?.[commandIdx]);
+	const args = argv ? argv.slice(commandIdx + 1) : [];
+	const isDirectInterpreterCommand = Boolean(directExecutable && /^python(?:3(?:\.\d+)?)?$/i.test(directExecutable)) || directExecutable === "node";
+	const topLevel = analyzeInterpreterHeuristicsFromUnquoted(extractUnquotedShellText(raw) ?? raw);
+	const shellWrappedPayload = extractShellWrappedCommandPayload(directExecutable, args);
+	const nestedUnquoted = shellWrappedPayload ? extractUnquotedShellText(shellWrappedPayload) ?? shellWrappedPayload : "";
+	const nested = shellWrappedPayload ? analyzeInterpreterHeuristicsFromUnquoted(nestedUnquoted) : {
+		hasPython: false,
+		hasNode: false,
+		hasComplexSyntax: false,
+		hasProcessSubstitution: false,
+		hasScriptHint: false
+	};
+	const hasInterpreterInvocationInSegment = (rawSegment) => isInterpreterExecutable(resolveLeadingShellSegmentExecutable(rawSegment));
+	const isScriptExecutingInterpreterCommand = (rawCommand) => {
+		const argv = splitShellArgs(rawCommand.trim());
+		if (!argv || argv.length === 0) return false;
+		const withoutLeadingKeyword = /^(?:if|then|do|elif|else|while|until|time)$/i.test(argv[0] ?? "") ? argv.slice(1) : argv;
+		if (withoutLeadingKeyword.length === 0) return false;
+		const normalizedArgv = stripPreflightEnvPrefix(withoutLeadingKeyword);
+		let commandIdx = 0;
+		while (commandIdx < normalizedArgv.length && /^[A-Za-z_][A-Za-z0-9_]*=.*$/u.test(normalizedArgv[commandIdx] ?? "")) commandIdx += 1;
+		const executable = normalizeOptionalLowercaseString(normalizedArgv[commandIdx]);
+		if (!executable) return false;
+		const args = normalizedArgv.slice(commandIdx + 1);
+		if (/^python(?:3(?:\.\d+)?)?$/i.test(executable)) {
+			const pythonInfoOnlyFlags = new Set([
+				"-V",
+				"--version",
+				"-h",
+				"--help"
+			]);
+			if (args.some((arg) => pythonInfoOnlyFlags.has(arg))) return false;
+			if (args.some((arg) => arg === "-c" || arg === "-m" || arg.startsWith("-c") || arg.startsWith("-m") || arg === "--check-hash-based-pycs")) return false;
+			return true;
+		}
+		if (executable === "node") {
+			const nodeInfoOnlyFlags = new Set([
+				"-v",
+				"--version",
+				"-h",
+				"--help",
+				"-c",
+				"--check"
+			]);
+			if (args.some((arg) => nodeInfoOnlyFlags.has(arg))) return false;
+			if (args.some((arg) => arg === "-e" || arg === "-p" || arg === "--eval" || arg === "--print" || arg.startsWith("--eval=") || arg.startsWith("--print=") || (arg.startsWith("-e") || arg.startsWith("-p")) && arg.length > 2)) return false;
+			return true;
+		}
+		return false;
+	};
+	const hasScriptHintInSegment = (segment) => extractInterpreterScriptPathsFromSegment(segment).length > 0 || hasUnquotedScriptHint(segment);
+	const hasInterpreterAndScriptHintInSameSegment = (rawText) => {
+		return splitShellSegmentsOutsideQuotes(rawText, { splitPipes: true }).some((segment) => {
+			if (!isScriptExecutingInterpreterCommand(segment)) return false;
+			return hasScriptHintInSegment(segment);
+		});
+	};
+	const hasInterpreterPipelineScriptHintInSameSegment = (rawText) => {
+		return splitShellSegmentsOutsideQuotes(rawText, { splitPipes: false }).some((segment) => {
+			if (!splitShellSegmentsOutsideQuotes(segment, { splitPipes: true }).slice(1).some((pipelineCommand) => isScriptExecutingInterpreterCommand(pipelineCommand))) return false;
+			return hasScriptHintInSegment(segment);
+		});
+	};
+	const hasInterpreterSegmentScriptHint = hasInterpreterAndScriptHintInSameSegment(raw) || shellWrappedPayload !== null && hasInterpreterAndScriptHintInSameSegment(shellWrappedPayload);
+	const hasInterpreterPipelineScriptHint = hasInterpreterPipelineScriptHintInSameSegment(raw) || shellWrappedPayload !== null && hasInterpreterPipelineScriptHintInSameSegment(shellWrappedPayload);
+	const hasShellWrappedInterpreterSegmentScriptHint = shellWrappedPayload !== null && hasInterpreterAndScriptHintInSameSegment(shellWrappedPayload);
+	const hasShellWrappedInterpreterInvocation = (nested.hasPython || nested.hasNode) && (hasShellWrappedInterpreterSegmentScriptHint || nested.hasScriptHint || nested.hasComplexSyntax || nested.hasProcessSubstitution);
+	const hasTopLevelInterpreterInvocation = splitShellSegmentsOutsideQuotes(raw, { splitPipes: true }).some((segment) => hasInterpreterInvocationInSegment(segment));
+	return {
+		hasInterpreterInvocation: isDirectInterpreterCommand || hasShellWrappedInterpreterInvocation || hasTopLevelInterpreterInvocation,
+		hasComplexSyntax: topLevel.hasComplexSyntax || hasShellWrappedInterpreterInvocation,
+		hasProcessSubstitution: topLevel.hasProcessSubstitution || nested.hasProcessSubstitution,
+		hasInterpreterSegmentScriptHint,
+		hasInterpreterPipelineScriptHint,
+		isDirectInterpreterCommand
+	};
+}
+async function validateScriptFileForShellBleed(params) {
+	const target = extractScriptTargetFromCommand(params.command);
+	if (!target) {
+		const { hasInterpreterInvocation, hasComplexSyntax, hasProcessSubstitution, hasInterpreterSegmentScriptHint, hasInterpreterPipelineScriptHint, isDirectInterpreterCommand } = shouldFailClosedInterpreterPreflight(params.command);
+		if (hasInterpreterInvocation && hasComplexSyntax && (hasInterpreterSegmentScriptHint || hasInterpreterPipelineScriptHint || hasProcessSubstitution && isDirectInterpreterCommand)) throw new Error("exec preflight: complex interpreter invocation detected; refusing to run without script preflight validation. Use a direct `python <file>.py` or `node <file>.js` command.");
+		return;
+	}
+	const fsSafe = await loadFsSafeModule();
+	const { FsSafeError, root: fsRoot } = fsSafe;
+	const workspaceRoot = await fsRoot(params.workdir);
+	for (const relOrAbsPath of target.relOrAbsPaths) {
+		const absPath = path.isAbsolute(relOrAbsPath) ? path.resolve(relOrAbsPath) : path.resolve(params.workdir, relOrAbsPath);
+		const relativePath = resolvePreflightRelativePath({
+			rootDir: params.workdir,
+			absPath
+		});
+		if (!relativePath) continue;
+		let content;
+		try {
+			content = hasLeadingTildePathSegment(relativePath) ? await readLiteralTildePreflightScript({
+				absPath,
+				fsSafe,
+				workspaceRoot
+			}) : (await workspaceRoot.read(relativePath, {
+				nonBlockingRead: true,
+				symlinks: "follow-within-root",
+				maxBytes: SCRIPT_PREFLIGHT_MAX_BYTES
+			})).buffer.toString("utf-8");
+		} catch (error) {
+			if (shouldSkipScriptPreflightPathError(error, FsSafeError)) continue;
+			throw error;
+		}
+		const first = /\$[A-Z_][A-Z0-9_]{1,}/g.exec(content);
+		if (first) {
+			const idx = first.index;
+			const line = content.slice(0, idx).split("\n").length;
+			const token = first[0];
+			throw new Error([
+				`exec preflight: detected likely shell variable injection (${token}) in ${target.kind} script: ${path.basename(absPath)}:${line}.`,
+				target.kind === "python" ? `In Python, use os.environ.get(${JSON.stringify(token.slice(1))}) instead of raw ${token}.` : `In Node.js, use process.env[${JSON.stringify(token.slice(1))}] instead of raw ${token}.`,
+				"(If this is inside a string literal on purpose, escape it or restructure the code.)"
+			].join("\n"));
+		}
+		if (target.kind === "node") {
+			const firstNonEmpty = content.split(/\r?\n/).map((l) => l.trim()).find((l) => l.length > 0);
+			if (firstNonEmpty && /^NODE\b/.test(firstNonEmpty)) throw new Error(`exec preflight: JS file starts with shell syntax (${firstNonEmpty}). This looks like a shell command, not JavaScript.`);
+		}
+	}
+}
+function shouldSkipExecScriptPreflight(params) {
+	return params.host === "gateway" && params.security === "full" && params.ask === "off";
+}
+function parseExecApprovalShellCommand(raw) {
+	const match = raw.trimStart().match(/^\/approve(?:@[^\s]+)?\s+([A-Za-z0-9][A-Za-z0-9._:-]*)\s+(allow-once|allow-always|always|deny)\b/i);
+	if (!match) return null;
+	return {
+		approvalId: match[1],
+		decision: normalizeLowercaseStringOrEmpty(match[2]) === "always" ? "allow-always" : normalizeLowercaseStringOrEmpty(match[2])
+	};
+}
+function normalizeCommandBaseName(token) {
+	if (!token) return "";
+	return normalizeLowercaseStringOrEmpty(token.split(/[\\/]/u).at(-1)).replace(/\.(?:cmd|exe)$/u, "");
+}
+function stripFengMingPackageRunner(argv) {
+	const commandName = normalizeCommandBaseName(argv[0]);
+	if (commandName === "fengming") return argv;
+	if ((commandName === "pnpm" || commandName === "npm" || commandName === "yarn") && normalizeCommandBaseName(argv[1]) === "fengming") return argv.slice(1);
+	if ((commandName === "pnpm" || commandName === "npm" || commandName === "yarn") && (argv[1] === "exec" || argv[1] === "dlx" || argv[1] === "run") && normalizeCommandBaseName(argv[2]) === "fengming") return argv.slice(2);
+	if (commandName === "npx" || commandName === "bunx") {
+		let idx = 1;
+		while (idx < argv.length) {
+			const token = argv[idx];
+			if (token === "--") {
+				idx += 1;
+				break;
+			}
+			if (!token.startsWith("-") || token === "-") break;
+			idx += 1;
+			if ((token === "-p" || token === "--package") && idx < argv.length) idx += 1;
+		}
+		if (normalizeCommandBaseName(argv[idx]) === "fengming") return argv.slice(idx);
+	}
+	return argv;
+}
+function parseFengMingChannelsLoginShellCommand(raw) {
+	const argv = splitShellArgs(raw);
+	if (!argv) return false;
+	const fengmingArgv = stripFengMingPackageRunner(argv);
+	return normalizeCommandBaseName(fengmingArgv[0]) === "fengming" && (fengmingArgv[1] === "channels" || fengmingArgv[1] === "channel") && fengmingArgv[2] === "login";
+}
+function rejectUnsafeControlShellCommand(command) {
+	const rawCommand = command.trim();
+	const analysis = analyzeShellCommand({ command: rawCommand });
+	const candidates = analysis.ok ? analysis.segments.flatMap((segment) => buildCommandPayloadCandidates(segment.argv)) : normalizeStringEntries(rawCommand.split(/\r?\n/)).flatMap((line) => {
+		const argv = splitShellArgs(line);
+		return argv ? buildCommandPayloadCandidates(argv) : [line];
+	});
+	for (const candidate of candidates) {
+		if (parseExecApprovalShellCommand(candidate)) throw new Error(["exec cannot run /approve commands.", "Show the /approve command to the user as chat text, or route it through the approval command handler instead of shell execution."].join(" "));
+		if (parseFengMingChannelsLoginShellCommand(candidate)) throw new Error(["exec cannot run interactive FengMing channel login commands.", "Run `fengming channels login` in a terminal on the gateway host, or use the channel-specific login agent tool when available (for WhatsApp: `whatsapp_login`)."].join(" "));
+	}
+}
+function resolveExecReviewerDefaults(params) {
+	if (params.defaults?.reviewer) return params.defaults.reviewer;
+	const cfg = params.defaults?.config;
+	const agentId = params.agentId ? normalizeAgentId(params.agentId) : void 0;
+	return (agentId ? cfg?.agents?.list?.find((entry) => normalizeAgentId(entry.id) === agentId)?.tools?.exec : void 0)?.reviewer ?? cfg?.tools?.exec?.reviewer;
+}
+function createExecTool(defaults) {
+	const defaultBackgroundMs = clampWithDefault(defaults?.backgroundMs ?? readEnvInt("FENGMING_BASH_YIELD_MS", "PI_BASH_YIELD_MS"), 1e4, 10, 12e4);
+	const allowBackground = defaults?.allowBackground ?? true;
+	const defaultTimeoutSec = typeof defaults?.timeoutSec === "number" && defaults.timeoutSec > 0 ? defaults.timeoutSec : 1800;
+	const defaultPathPrepend = normalizePathPrepend(defaults?.pathPrepend);
+	const { safeBins, safeBinProfiles, trustedSafeBinDirs, unprofiledSafeBins, unprofiledInterpreterSafeBins } = resolveExecSafeBinRuntimePolicy({
+		local: {
+			safeBins: defaults?.safeBins,
+			safeBinTrustedDirs: defaults?.safeBinTrustedDirs,
+			safeBinProfiles: defaults?.safeBinProfiles
+		},
+		onWarning: (message) => {
+			logInfo(message);
+		}
+	});
+	if (unprofiledSafeBins.length > 0) logInfo(`exec: ignoring unprofiled safeBins entries (${unprofiledSafeBins.toSorted().join(", ")}); use allowlist or define tools.exec.safeBinProfiles.<bin>`);
+	if (unprofiledInterpreterSafeBins.length > 0) logInfo(`exec: interpreter/runtime binaries in safeBins (${unprofiledInterpreterSafeBins.join(", ")}) are unsafe without explicit hardened profiles; prefer allowlist entries`);
+	const notifyOnExit = defaults?.notifyOnExit !== false;
+	const notifyOnExitEmptySuccess = defaults?.notifyOnExitEmptySuccess === true;
+	const notifySessionKey = normalizeOptionalString(defaults?.sessionKey);
+	const notifyDeliveryContext = normalizeDeliveryContext({
+		channel: defaults?.messageProvider,
+		to: defaults?.currentChannelId,
+		accountId: defaults?.accountId,
+		threadId: defaults?.currentThreadTs
+	});
+	const approvalRunningNoticeMs = resolveApprovalRunningNoticeMs(defaults?.approvalRunningNoticeMs);
+	const parsedAgentSession = parseAgentSessionKey(defaults?.sessionKey);
+	const agentId = defaults?.agentId ?? (parsedAgentSession ? resolveAgentIdFromSessionKey(defaults?.sessionKey) : void 0);
+	const autoReviewer = defaults?.autoReviewer ?? createModelExecAutoReviewer({
+		cfg: defaults?.config,
+		agentId,
+		reviewer: resolveExecReviewerDefaults({
+			defaults,
+			agentId
+		})
+	});
+	return {
+		name: "exec",
+		label: "exec",
+		displaySummary: EXEC_TOOL_DISPLAY_SUMMARY,
+		get description() {
+			return describeExecTool({
+				agentId,
+				hasCronTool: defaults?.hasCronTool === true
+			});
+		},
+		parameters: execSchema,
+		execute: async (_toolCallId, args, signal, onUpdate) => {
+			const params = args;
+			if (!params.command) throw new Error("Provide a command to start.");
+			const maxOutput = DEFAULT_MAX_OUTPUT;
+			const pendingMaxOutput = DEFAULT_PENDING_MAX_OUTPUT;
+			const warnings = [];
+			const approvalWarningText = normalizeOptionalString(defaults?.approvalWarningText);
+			if (approvalWarningText) warnings.push(approvalWarningText);
+			let execCommandOverride;
+			const backgroundRequested = params.background === true;
+			const yieldRequested = typeof params.yieldMs === "number";
+			if (!allowBackground && (backgroundRequested || yieldRequested)) warnings.push("Warning: background execution is disabled; running synchronously.");
+			const yieldWindow = allowBackground ? backgroundRequested ? 0 : clampWithDefault(params.yieldMs ?? defaultBackgroundMs, defaultBackgroundMs, 10, 12e4) : null;
+			const elevatedDefaults = defaults?.elevated;
+			const elevatedAllowed = Boolean(elevatedDefaults?.enabled && elevatedDefaults.allowed);
+			const elevatedDefaultMode = elevatedDefaults?.defaultLevel === "full" ? "full" : elevatedDefaults?.defaultLevel === "ask" ? "ask" : elevatedDefaults?.defaultLevel === "on" ? "ask" : "off";
+			const effectiveDefaultMode = elevatedAllowed ? elevatedDefaultMode : "off";
+			const elevatedMode = typeof params.elevated === "boolean" ? params.elevated ? elevatedDefaultMode === "full" ? "full" : "ask" : "off" : effectiveDefaultMode;
+			const elevatedRequested = elevatedMode !== "off";
+			if (elevatedRequested) {
+				if (!elevatedDefaults?.enabled || !elevatedDefaults.allowed) {
+					const runtime = defaults?.sandbox ? "sandboxed" : "direct";
+					const gates = [];
+					const contextParts = [];
+					const provider = normalizeOptionalString(defaults?.messageProvider);
+					const sessionKey = normalizeOptionalString(defaults?.sessionKey);
+					if (provider) contextParts.push(`provider=${provider}`);
+					if (sessionKey) contextParts.push(`session=${sessionKey}`);
+					if (!elevatedDefaults?.enabled) gates.push("enabled (tools.elevated.enabled / agents.list[].tools.elevated.enabled)");
+					else gates.push("allowFrom (tools.elevated.allowFrom.<provider> / agents.list[].tools.elevated.allowFrom.<provider>)");
+					throw new Error([
+						`elevated is not available right now (runtime=${runtime}).`,
+						`Failing gates: ${gates.join(", ")}`,
+						contextParts.length > 0 ? `Context: ${contextParts.join(" ")}` : void 0,
+						"Fix-it keys:",
+						"- tools.elevated.enabled",
+						"- tools.elevated.allowFrom.<provider>",
+						"- agents.list[].tools.elevated.enabled",
+						"- agents.list[].tools.elevated.allowFrom.<provider>"
+					].filter(Boolean).join("\n"));
+				}
+			}
+			if (elevatedRequested) logInfo(`exec: elevated command ${truncateMiddle(params.command, 120)}`);
+			const requestedTarget = requireValidExecTarget(params.host);
+			const target = resolveExecTarget({
+				configuredTarget: defaults?.host,
+				requestedTarget,
+				elevatedRequested,
+				sandboxAvailable: Boolean(defaults?.sandbox)
+			});
+			const host = target.effectiveHost;
+			const explicitSecurity = defaults?.security;
+			const configuredSecurity = explicitSecurity ?? (host === "sandbox" ? "deny" : "full");
+			const modePolicy = resolveExecModePolicy({
+				mode: defaults?.mode,
+				security: configuredSecurity,
+				ask: defaults?.ask ?? "off"
+			});
+			const approvalPolicy = host === "sandbox" ? void 0 : resolveExecApprovalsFromFile({
+				file: loadExecApprovals(),
+				agentId,
+				overrides: {
+					security: "full",
+					ask: "off"
+				}
+			}).agent;
+			let security = minSecurity(modePolicy.security, approvalPolicy?.security ?? modePolicy.security);
+			if (security === "deny" && (host !== "sandbox" || defaults?.mode === "deny" || explicitSecurity === "deny")) throw new Error(`exec denied: host=${host} security=deny`);
+			const hostPolicyAllowsFullBypass = (approvalPolicy?.security ?? "full") === "full" && (approvalPolicy?.ask ?? "off") === "off";
+			const modePolicyAllowsFullBypass = modePolicy.security === "full" && modePolicy.ask === "off";
+			if (elevatedRequested && elevatedMode === "full" && modePolicyAllowsFullBypass && hostPolicyAllowsFullBypass) security = "full";
+			const requestedAsk = normalizeExecAsk(params.ask);
+			const hostAsk = maxAsk(modePolicy.ask, approvalPolicy?.ask ?? modePolicy.ask);
+			let ask = maxAsk(hostAsk, requestedAsk ?? hostAsk);
+			const bypassApprovals = elevatedRequested && elevatedMode === "full" && modePolicyAllowsFullBypass && hostPolicyAllowsFullBypass;
+			if (bypassApprovals) ask = "off";
+			const autoReview = modePolicy.autoReview && ask === modePolicy.ask && !bypassApprovals;
+			const sandbox = host === "sandbox" ? defaults?.sandbox : void 0;
+			if (target.selectedTarget === "sandbox" && !sandbox) throw new Error(["exec host=sandbox requires a sandbox runtime for this session.", "Enable sandbox mode (`agents.defaults.sandbox.mode=\"non-main\"` or `\"all\"`) or use host=auto/gateway/node."].join("\n"));
+			const explicitWorkdir = normalizeOptionalString(params.workdir);
+			const defaultWorkdir = normalizeOptionalString(defaults?.cwd);
+			let workdir;
+			let containerWorkdir = sandbox?.containerWorkdir;
+			if (sandbox) {
+				const resolved = await resolveSandboxWorkdir({
+					workdir: explicitWorkdir ?? defaultWorkdir ?? process.cwd(),
+					sandbox,
+					warnings
+				});
+				workdir = resolved.hostWorkdir;
+				containerWorkdir = resolved.containerWorkdir;
+			} else if (host === "node") workdir = explicitWorkdir;
+			else workdir = resolveWorkdir(explicitWorkdir ?? defaultWorkdir ?? process.cwd(), warnings);
+			rejectUnsafeControlShellCommand(params.command);
+			const inheritedBaseEnv = coerceEnv(process.env);
+			const hostEnvResult = host === "sandbox" ? null : sanitizeHostExecEnvWithDiagnostics({
+				baseEnv: inheritedBaseEnv,
+				overrides: params.env,
+				blockPathOverrides: true
+			});
+			if (hostEnvResult && params.env && (hostEnvResult.rejectedOverrideBlockedKeys.length > 0 || hostEnvResult.rejectedOverrideInvalidKeys.length > 0)) {
+				const blockedKeys = hostEnvResult.rejectedOverrideBlockedKeys;
+				const invalidKeys = hostEnvResult.rejectedOverrideInvalidKeys;
+				const pathBlocked = blockedKeys.includes("PATH");
+				if (pathBlocked && blockedKeys.length === 1 && invalidKeys.length === 0) throw new Error("Security Violation: Custom 'PATH' variable is forbidden during host execution.");
+				if (blockedKeys.length === 1 && invalidKeys.length === 0) throw new Error(`Security Violation: Environment variable '${blockedKeys[0]}' is forbidden during host execution.`);
+				const details = [];
+				if (blockedKeys.length > 0) details.push(`blocked override keys: ${blockedKeys.join(", ")}`);
+				if (invalidKeys.length > 0) details.push(`invalid non-portable override keys: ${invalidKeys.join(", ")}`);
+				const suffix = details.join("; ");
+				if (pathBlocked) throw new Error(`Security Violation: Custom 'PATH' variable is forbidden during host execution (${suffix}).`);
+				throw new Error(`Security Violation: ${suffix}.`);
+			}
+			const env = sandbox && host === "sandbox" ? buildSandboxEnv({
+				defaultPath: DEFAULT_PATH,
+				paramsEnv: params.env,
+				sandboxEnv: sandbox.env,
+				containerWorkdir: containerWorkdir ?? sandbox.containerWorkdir
+			}) : hostEnvResult?.env ?? inheritedBaseEnv;
+			if (!sandbox && host === "gateway" && !params.env?.PATH) applyShellPath(env, getShellPathFromLoginShell({
+				env: process.env,
+				timeoutMs: resolveShellEnvFallbackTimeoutMs(process.env)
+			}));
+			if (host === "node" && defaultPathPrepend.length > 0) warnings.push("Warning: tools.exec.pathPrepend is ignored for host=node. Configure PATH on the node host/service instead.");
+			else applyPathPrepend(env, defaultPathPrepend);
+			if (host === "node") return executeNodeHostCommand({
+				command: params.command,
+				workdir,
+				env,
+				requestedEnv: params.env,
+				requestedNode: params.node?.trim(),
+				boundNode: defaults?.node?.trim(),
+				sessionKey: defaults?.sessionKey,
+				bashElevated: elevatedDefaults,
+				turnSourceChannel: defaults?.messageProvider,
+				turnSourceTo: defaults?.currentChannelId,
+				turnSourceAccountId: defaults?.accountId,
+				turnSourceThreadId: defaults?.currentThreadTs,
+				agentId,
+				security,
+				ask,
+				autoReview,
+				autoReviewer,
+				strictInlineEval: defaults?.strictInlineEval,
+				commandHighlighting: defaults?.commandHighlighting,
+				trigger: defaults?.trigger,
+				timeoutSec: params.timeout,
+				defaultTimeoutSec,
+				approvalRunningNoticeMs,
+				warnings,
+				notifySessionKey,
+				notifyOnExit,
+				trustedSafeBinDirs
+			});
+			if (!workdir) throw new Error("exec internal error: local execution requires a resolved workdir");
+			if (host === "gateway" && !bypassApprovals) {
+				const gatewayResult = await processGatewayAllowlist({
+					command: params.command,
+					workdir,
+					env,
+					pathPrepend: defaultPathPrepend,
+					requestedEnv: params.env,
+					pty: params.pty === true && !sandbox,
+					timeoutSec: params.timeout,
+					defaultTimeoutSec,
+					security,
+					ask,
+					autoReview,
+					autoReviewer,
+					safeBins,
+					safeBinProfiles,
+					strictInlineEval: defaults?.strictInlineEval,
+					commandHighlighting: defaults?.commandHighlighting,
+					trigger: defaults?.trigger,
+					agentId,
+					sessionKey: defaults?.sessionKey,
+					bashElevated: elevatedDefaults,
+					turnSourceChannel: defaults?.messageProvider,
+					turnSourceTo: defaults?.currentChannelId,
+					turnSourceAccountId: defaults?.accountId,
+					turnSourceThreadId: defaults?.currentThreadTs,
+					scopeKey: defaults?.scopeKey,
+					approvalFollowupText: defaults?.approvalFollowupText,
+					approvalFollowup: defaults?.approvalFollowup,
+					approvalFollowupMode: defaults?.approvalFollowupMode,
+					warnings,
+					notifySessionKey,
+					approvalRunningNoticeMs,
+					maxOutput,
+					pendingMaxOutput,
+					trustedSafeBinDirs
+				});
+				if (gatewayResult.pendingResult) return gatewayResult.pendingResult;
+				if (gatewayResult.deniedResult) return gatewayResult.deniedResult;
+				execCommandOverride = gatewayResult.execCommandOverride;
+				if (gatewayResult.allowWithoutEnforcedCommand) execCommandOverride = void 0;
+			}
+			const effectiveTimeout = (typeof params.timeout === "number" ? params.timeout : null) ?? defaultTimeoutSec;
+			const getWarningText = () => warnings.length ? `${warnings.join("\n")}\n\n` : "";
+			const usePty = params.pty === true && !sandbox;
+			if (!shouldSkipExecScriptPreflight({
+				host,
+				security,
+				ask
+			})) await validateScriptFileForShellBleed({
+				command: params.command,
+				workdir
+			});
+			const run = await runExecProcess({
+				command: params.command,
+				execCommand: execCommandOverride,
+				workdir,
+				env,
+				pathPrepend: defaultPathPrepend,
+				sandbox,
+				containerWorkdir,
+				usePty,
+				warnings,
+				maxOutput,
+				pendingMaxOutput,
+				notifyOnExit,
+				notifyOnExitEmptySuccess,
+				scopeKey: defaults?.scopeKey,
+				sessionKey: notifySessionKey,
+				mainKey: defaults?.mainKey,
+				sessionScope: defaults?.sessionScope,
+				eventRouting: defaults?.eventRouting,
+				notifyDeliveryContext,
+				timeoutSec: effectiveTimeout,
+				onUpdate
+			});
+			let yielded = false;
+			let yieldTimer = null;
+			let registeredAbortSignal = null;
+			const onAbortSignal = () => {
+				run.disableUpdates();
+				if (yielded || run.session.backgrounded) return;
+				run.kill();
+			};
+			const cleanupToolRunListeners = () => {
+				if (registeredAbortSignal) {
+					registeredAbortSignal.removeEventListener("abort", onAbortSignal);
+					registeredAbortSignal = null;
+				}
+				if (yieldTimer) {
+					clearTimeout(yieldTimer);
+					yieldTimer = null;
+				}
+			};
+			if (signal?.aborted) onAbortSignal();
+			else if (signal) {
+				signal.addEventListener("abort", onAbortSignal, { once: true });
+				registeredAbortSignal = signal;
+			}
+			return new Promise((resolve, reject) => {
+				const resolveRunning = () => {
+					cleanupToolRunListeners();
+					resolve({
+						content: [{
+							type: "text",
+							text: `${getWarningText()}Command still running (session ${run.session.id}, pid ${run.session.pid ?? "n/a"}). Use process (list/poll/log/write/send-keys/submit/paste/kill/clear/remove) for follow-up.`
+						}],
+						details: {
+							status: "running",
+							sessionId: run.session.id,
+							pid: run.session.pid ?? void 0,
+							startedAt: run.startedAt,
+							cwd: run.session.cwd,
+							tail: run.session.tail
+						}
+					});
+				};
+				const onYieldNow = () => {
+					if (yielded) return;
+					yielded = true;
+					markBackgrounded(run.session);
+					resolveRunning();
+				};
+				if (allowBackground && yieldWindow !== null) if (yieldWindow === 0) onYieldNow();
+				else yieldTimer = setTimeout(() => {
+					if (yielded) return;
+					yielded = true;
+					markBackgrounded(run.session);
+					resolveRunning();
+				}, yieldWindow);
+				run.promise.then((outcome) => {
+					cleanupToolRunListeners();
+					if (yielded || run.session.backgrounded) return;
+					resolve(buildExecForegroundResult({
+						outcome,
+						cwd: run.session.cwd,
+						warningText: getWarningText()
+					}));
+				}).catch((err) => {
+					cleanupToolRunListeners();
+					if (yielded || run.session.backgrounded) return;
+					reject(err);
+				});
+			});
+		}
+	};
+}
+const execTool = createExecTool();
+//#endregion
+//#region src/agents/pty-keys.ts
+const ESC = "\x1B";
+const CR = "\r";
+const TAB = "	";
+const BACKSPACE = "";
+const BRACKETED_PASTE_START = `${ESC}[200~`;
+const BRACKETED_PASTE_END = `${ESC}[201~`;
+/** SS3 sequences for DECCKM application cursor key mode (smkx). */
+const DECCKM_SS3_KEYS = {
+	up: `${ESC}OA`,
+	down: `${ESC}OB`,
+	right: `${ESC}OC`,
+	left: `${ESC}OD`,
+	home: `${ESC}OH`,
+	end: `${ESC}OF`
+};
+const namedKeyMap = new Map([
+	["enter", CR],
+	["return", CR],
+	["tab", TAB],
+	["escape", ESC],
+	["esc", ESC],
+	["space", " "],
+	["bspace", BACKSPACE],
+	["backspace", BACKSPACE],
+	["up", `${ESC}[A`],
+	["down", `${ESC}[B`],
+	["right", `${ESC}[C`],
+	["left", `${ESC}[D`],
+	["home", `${ESC}[1~`],
+	["end", `${ESC}[4~`],
+	["pageup", `${ESC}[5~`],
+	["pgup", `${ESC}[5~`],
+	["ppage", `${ESC}[5~`],
+	["pagedown", `${ESC}[6~`],
+	["pgdn", `${ESC}[6~`],
+	["npage", `${ESC}[6~`],
+	["insert", `${ESC}[2~`],
+	["ic", `${ESC}[2~`],
+	["delete", `${ESC}[3~`],
+	["del", `${ESC}[3~`],
+	["dc", `${ESC}[3~`],
+	["btab", `${ESC}[Z`],
+	["f1", `${ESC}OP`],
+	["f2", `${ESC}OQ`],
+	["f3", `${ESC}OR`],
+	["f4", `${ESC}OS`],
+	["f5", `${ESC}[15~`],
+	["f6", `${ESC}[17~`],
+	["f7", `${ESC}[18~`],
+	["f8", `${ESC}[19~`],
+	["f9", `${ESC}[20~`],
+	["f10", `${ESC}[21~`],
+	["f11", `${ESC}[23~`],
+	["f12", `${ESC}[24~`],
+	["kp/", `${ESC}Oo`],
+	["kp*", `${ESC}Oj`],
+	["kp-", `${ESC}Om`],
+	["kp+", `${ESC}Ok`],
+	["kp7", `${ESC}Ow`],
+	["kp8", `${ESC}Ox`],
+	["kp9", `${ESC}Oy`],
+	["kp4", `${ESC}Ot`],
+	["kp5", `${ESC}Ou`],
+	["kp6", `${ESC}Ov`],
+	["kp1", `${ESC}Oq`],
+	["kp2", `${ESC}Or`],
+	["kp3", `${ESC}Os`],
+	["kp0", `${ESC}Op`],
+	["kp.", `${ESC}On`],
+	["kpenter", `${ESC}OM`]
+]);
+const modifiableNamedKeys = new Set([
+	"up",
+	"down",
+	"left",
+	"right",
+	"home",
+	"end",
+	"pageup",
+	"pgup",
+	"ppage",
+	"pagedown",
+	"pgdn",
+	"npage",
+	"insert",
+	"ic",
+	"delete",
+	"del",
+	"dc"
+]);
+function hasCursorModeSensitiveKeys(request) {
+	return request.keys?.some((raw) => {
+		const token = raw.trim();
+		if (!token) return false;
+		const parsed = parseModifiers(token);
+		if (hasAnyModifier(parsed.mods)) return false;
+		return normalizeLowercaseStringOrEmpty(parsed.base) in DECCKM_SS3_KEYS;
+	}) ?? false;
+}
+function encodeKeySequence(request, cursorKeyMode) {
+	const warnings = [];
+	let data = "";
+	if (request.literal) data += request.literal;
+	if (request.hex?.length) for (const raw of request.hex) {
+		const byte = parseHexByte(raw);
+		if (byte === null) {
+			warnings.push(`Invalid hex byte: ${raw}`);
+			continue;
+		}
+		data += String.fromCharCode(byte);
+	}
+	if (request.keys?.length) for (const token of request.keys) data += encodeKeyToken(token, warnings, cursorKeyMode);
+	return {
+		data,
+		warnings
+	};
+}
+function encodePaste(text, bracketed = true) {
+	if (!bracketed) return text;
+	return `${BRACKETED_PASTE_START}${text}${BRACKETED_PASTE_END}`;
+}
+function encodeKeyToken(raw, warnings, cursorKeyMode) {
+	const token = raw.trim();
+	if (!token) return "";
+	if (token.length === 2 && token.startsWith("^")) {
+		const ctrl = toCtrlChar(token[1]);
+		if (ctrl) return ctrl;
+	}
+	const parsed = parseModifiers(token);
+	const base = parsed.base;
+	const baseLower = normalizeLowercaseStringOrEmpty(base);
+	if (baseLower === "tab" && parsed.mods.shift) return `${ESC}[Z`;
+	if (modifiableNamedKeys.has(baseLower) && cursorKeyMode === "application" && !hasAnyModifier(parsed.mods)) {
+		const ss3Seq = DECCKM_SS3_KEYS[baseLower];
+		if (ss3Seq) return ss3Seq;
+	}
+	const baseSeq = namedKeyMap.get(baseLower);
+	if (baseSeq) {
+		let seq = baseSeq;
+		if (modifiableNamedKeys.has(baseLower) && hasAnyModifier(parsed.mods)) {
+			const mod = xtermModifier(parsed.mods);
+			if (mod > 1) {
+				const modified = applyXtermModifier(seq, mod);
+				if (modified) {
+					seq = modified;
+					return seq;
+				}
+			}
+		}
+		if (parsed.mods.alt) return `${ESC}${seq}`;
+		return seq;
+	}
+	if (base.length === 1) return applyCharModifiers(base, parsed.mods);
+	if (parsed.hasModifiers) warnings.push(`Unknown key "${base}" for modifiers; sending literal.`);
+	return base;
+}
+function parseModifiers(token) {
+	const mods = {
+		ctrl: false,
+		alt: false,
+		shift: false
+	};
+	let rest = token;
+	let sawModifiers = false;
+	while (rest.length > 2 && rest[1] === "-") {
+		const mod = normalizeLowercaseStringOrEmpty(rest[0]);
+		if (mod === "c") mods.ctrl = true;
+		else if (mod === "m") mods.alt = true;
+		else if (mod === "s") mods.shift = true;
+		else break;
+		sawModifiers = true;
+		rest = rest.slice(2);
+	}
+	return {
+		mods,
+		base: rest,
+		hasModifiers: sawModifiers
+	};
+}
+function applyCharModifiers(char, mods) {
+	let value = char;
+	if (mods.shift && value.length === 1 && /[a-z]/.test(value)) value = value.toUpperCase();
+	if (mods.ctrl) {
+		const ctrl = toCtrlChar(value);
+		if (ctrl) value = ctrl;
+	}
+	if (mods.alt) value = `${ESC}${value}`;
+	return value;
+}
+function toCtrlChar(char) {
+	if (char.length !== 1) return null;
+	if (char === "?") return "";
+	const code = char.toUpperCase().charCodeAt(0);
+	if (code >= 64 && code <= 95) return String.fromCharCode(code & 31);
+	return null;
+}
+function xtermModifier(mods) {
+	let mod = 1;
+	if (mods.shift) mod += 1;
+	if (mods.alt) mod += 2;
+	if (mods.ctrl) mod += 4;
+	return mod;
+}
+function applyXtermModifier(sequence, modifier) {
+	const escPattern = escapeRegExp(ESC);
+	const csiNumber = new RegExp(`^${escPattern}\\[(\\d+)([~A-Z])$`);
+	const csiArrow = new RegExp(`^${escPattern}\\[(A|B|C|D|H|F)$`);
+	const numberMatch = sequence.match(csiNumber);
+	if (numberMatch) return `${ESC}[${numberMatch[1]};${modifier}${numberMatch[2]}`;
+	const arrowMatch = sequence.match(csiArrow);
+	if (arrowMatch) return `${ESC}[1;${modifier}${arrowMatch[1]}`;
+	return null;
+}
+function hasAnyModifier(mods) {
+	return mods.ctrl || mods.alt || mods.shift;
+}
+function parseHexByte(raw) {
+	const lower = normalizeLowercaseStringOrEmpty(raw);
+	const normalized = lower.startsWith("0x") ? lower.slice(2) : lower;
+	if (!/^[0-9a-f]{1,2}$/.test(normalized)) return null;
+	const value = Number.parseInt(normalized, 16);
+	if (Number.isNaN(value) || value < 0 || value > 255) return null;
+	return value;
+}
+//#endregion
+//#region src/agents/bash-tools.process-send-keys.ts
+function failText$1(text) {
+	return {
+		content: [{
+			type: "text",
+			text
+		}],
+		details: { status: "failed" }
+	};
+}
+async function writeToStdin(stdin, data) {
+	await new Promise((resolve, reject) => {
+		stdin.write(data, (err) => {
+			if (err) reject(err);
+			else resolve();
+		});
+	});
+}
+async function handleProcessSendKeys(params) {
+	const request = {
+		keys: params.keys,
+		hex: params.hex,
+		literal: params.literal
+	};
+	if (params.session.cursorKeyMode === "unknown" && hasCursorModeSensitiveKeys(request)) return failText$1(`Session ${params.sessionId} cursor key mode is not known yet. Poll or log until startup output appears, then retry send-keys.`);
+	const { data, warnings } = encodeKeySequence(request, params.session.cursorKeyMode === "unknown" ? void 0 : params.session.cursorKeyMode);
+	if (!data) return failText$1("No key data provided.");
+	await writeToStdin(params.stdin, data);
+	return {
+		content: [{
+			type: "text",
+			text: `Sent ${data.length} bytes to session ${params.sessionId}.` + (warnings.length ? `\nWarnings:\n- ${warnings.join("\n- ")}` : "")
+		}],
+		details: {
+			status: "running",
+			sessionId: params.sessionId,
+			name: deriveSessionName(params.session.command)
+		}
+	};
+}
+//#endregion
+//#region src/agents/bash-tools.process.ts
+const DEFAULT_LOG_TAIL_LINES = 200;
+const DEFAULT_INPUT_WAIT_IDLE_MS = 15e3;
+const MIN_INPUT_WAIT_IDLE_MS = 1e3;
+const MAX_INPUT_WAIT_IDLE_MS = 600 * 1e3;
+function resolveLogSliceWindow(offset, limit) {
+	const usingDefaultTail = offset === void 0 && limit === void 0;
+	return {
+		effectiveOffset: offset,
+		effectiveLimit: typeof limit === "number" && Number.isFinite(limit) ? limit : usingDefaultTail ? DEFAULT_LOG_TAIL_LINES : void 0,
+		usingDefaultTail
+	};
+}
+function defaultTailNote(totalLines, usingDefaultTail) {
+	if (!usingDefaultTail || totalLines <= DEFAULT_LOG_TAIL_LINES) return "";
+	return `\n\n[showing last ${DEFAULT_LOG_TAIL_LINES} of ${totalLines} lines; pass offset/limit to page]`;
+}
+const MAX_POLL_WAIT_MS = 3e4;
+function resolveSessionStdin(session) {
+	return session.stdin ?? session.child?.stdin;
+}
+function isWritableStdin(stdin) {
+	if (!stdin || stdin.destroyed) return false;
+	if (stdin.writable === false || stdin.writableEnded === true || stdin.writableFinished === true) return false;
+	return true;
+}
+function runningSessionInputDetails(runtime) {
+	return {
+		stdinWritable: runtime.stdinWritable,
+		waitingForInput: runtime.waitingForInput,
+		idleMs: runtime.idleMs,
+		lastOutputAt: runtime.lastOutputAt
+	};
+}
+function resolvePollWaitMs(value) {
+	if (typeof value === "number" && Number.isFinite(value)) return Math.max(0, Math.min(MAX_POLL_WAIT_MS, Math.floor(value)));
+	if (typeof value === "string" && /^[+-]?\d+$/.test(value.trim())) {
+		const parsed = Number(value.trim());
+		if (Number.isSafeInteger(parsed)) return Math.max(0, Math.min(MAX_POLL_WAIT_MS, parsed));
+	}
+	return 0;
+}
+function failText(text) {
+	return {
+		content: [{
+			type: "text",
+			text
+		}],
+		details: { status: "failed" }
+	};
+}
+function recordPollRetrySuggestion(sessionId, hasNewOutput) {
+	try {
+		return recordCommandPoll(getDiagnosticSessionState({ sessionId }), sessionId, hasNewOutput);
+	} catch {
+		return;
+	}
+}
+function resetPollRetrySuggestion(sessionId) {
+	try {
+		resetCommandPollCount(getDiagnosticSessionState({ sessionId }), sessionId);
+	} catch {}
+}
+function createAbortError(reason) {
+	if (reason instanceof Error) return reason;
+	const error = new Error(typeof reason === "string" ? reason : "Aborted");
+	error.name = "AbortError";
+	return error;
+}
+async function sleepPollInterval(ms, signal) {
+	if (signal?.aborted) throw createAbortError(signal.reason);
+	await new Promise((resolve, reject) => {
+		let timer;
+		let onAbort;
+		const cleanup = () => {
+			if (timer) clearTimeout(timer);
+			if (onAbort) signal?.removeEventListener("abort", onAbort);
+		};
+		const onResolve = () => {
+			cleanup();
+			resolve();
+		};
+		onAbort = () => {
+			cleanup();
+			reject(createAbortError(signal?.reason));
+		};
+		timer = setTimeout(onResolve, ms);
+		timer.unref?.();
+		signal?.addEventListener("abort", onAbort, { once: true });
+	});
+}
+function createProcessTool(defaults) {
+	if (defaults?.cleanupMs !== void 0) setJobTtlMs(defaults.cleanupMs);
+	const scopeKey = defaults?.scopeKey;
+	const supervisor = getProcessSupervisor();
+	const inputWaitIdleMs = clampWithDefault(defaults?.inputWaitIdleMs ?? readEnvInt("FENGMING_PROCESS_INPUT_WAIT_IDLE_MS"), DEFAULT_INPUT_WAIT_IDLE_MS, MIN_INPUT_WAIT_IDLE_MS, MAX_INPUT_WAIT_IDLE_MS);
+	const isInScope = (session) => !scopeKey || session?.scopeKey === scopeKey;
+	const describeRunningSession = (session) => {
+		const lastOutputAt = supervisor.getRecord(session.id)?.lastOutputAtMs ?? session.startedAt;
+		const idleMs = Math.max(0, Date.now() - lastOutputAt);
+		const stdinWritable = isWritableStdin(resolveSessionStdin(session));
+		return {
+			stdinWritable,
+			waitingForInput: stdinWritable && idleMs >= inputWaitIdleMs,
+			idleMs,
+			lastOutputAt
+		};
+	};
+	const buildInputWaitHint = (runtime) => {
+		if (!runtime?.waitingForInput) return "";
+		return `\n\nNo new output for ${formatDurationCompact(runtime.idleMs) ?? `${runtime.idleMs}ms`}; this session may be waiting for input. Use process write, send-keys, submit, or paste to provide input.`;
+	};
+	const cancelManagedSession = (sessionId) => {
+		const record = supervisor.getRecord(sessionId);
+		if (!record || record.state === "exited") return false;
+		supervisor.cancel(sessionId, "manual-cancel");
+		return true;
+	};
+	const terminateSessionFallback = (session) => {
+		const pid = session.pid ?? session.child?.pid;
+		if (typeof pid !== "number" || !Number.isFinite(pid) || pid <= 0) return false;
+		killProcessTree(pid);
+		return true;
+	};
+	return {
+		name: "process",
+		label: "process",
+		displaySummary: PROCESS_TOOL_DISPLAY_SUMMARY,
+		description: describeProcessTool({ hasCronTool: defaults?.hasCronTool === true }),
+		parameters: processSchema,
+		execute: async (_toolCallId, args, signal, _onUpdate) => {
+			const params = args;
+			if (params.action === "list") {
+				const running = listRunningSessions().filter((s) => isInScope(s)).map((s) => {
+					const runtime = describeRunningSession(s);
+					return {
+						sessionId: s.id,
+						status: "running",
+						pid: s.pid ?? void 0,
+						startedAt: s.startedAt,
+						runtimeMs: Date.now() - s.startedAt,
+						cwd: s.cwd,
+						command: s.command,
+						name: deriveSessionName(s.command),
+						tail: s.tail,
+						truncated: s.truncated,
+						stdinWritable: runtime.stdinWritable,
+						waitingForInput: runtime.waitingForInput,
+						idleMs: runtime.idleMs,
+						lastOutputAt: runtime.lastOutputAt
+					};
+				});
+				const finished = listFinishedSessions().filter((s) => isInScope(s)).map((s) => ({
+					sessionId: s.id,
+					status: s.status,
+					startedAt: s.startedAt,
+					endedAt: s.endedAt,
+					runtimeMs: s.endedAt - s.startedAt,
+					cwd: s.cwd,
+					command: s.command,
+					name: deriveSessionName(s.command),
+					tail: s.tail,
+					truncated: s.truncated,
+					exitCode: s.exitCode ?? void 0,
+					exitSignal: s.exitSignal ?? void 0
+				}));
+				return {
+					content: [{
+						type: "text",
+						text: [...running, ...finished].toSorted((a, b) => b.startedAt - a.startedAt).map((s) => {
+							const label = s.name ? truncateMiddle(s.name, 80) : truncateMiddle(s.command, 120);
+							const marker = "waitingForInput" in s && s.waitingForInput ? " [input-wait]" : "";
+							return `${s.sessionId} ${pad(s.status, 9)} ${formatDurationCompact(s.runtimeMs) ?? "n/a"}${marker} :: ${label}`;
+						}).join("\n") || "No running or recent sessions."
+					}],
+					details: {
+						status: "completed",
+						sessions: [...running, ...finished]
+					}
+				};
+			}
+			if (!params.sessionId) return {
+				content: [{
+					type: "text",
+					text: "sessionId is required for this action."
+				}],
+				details: { status: "failed" }
+			};
+			const session = getSession(params.sessionId);
+			const finished = getFinishedSession(params.sessionId);
+			const scopedSession = isInScope(session) ? session : void 0;
+			const scopedFinished = isInScope(finished) ? finished : void 0;
+			const failedResult = (text) => ({
+				content: [{
+					type: "text",
+					text
+				}],
+				details: { status: "failed" }
+			});
+			const resolveBackgroundedWritableStdin = () => {
+				if (!scopedSession) return {
+					ok: false,
+					result: failedResult(`No active session found for ${params.sessionId}`)
+				};
+				if (!scopedSession.backgrounded) return {
+					ok: false,
+					result: failedResult(`Session ${params.sessionId} is not backgrounded.`)
+				};
+				const stdin = resolveSessionStdin(scopedSession);
+				if (!isWritableStdin(stdin)) return {
+					ok: false,
+					result: failedResult(`Session ${params.sessionId} stdin is not writable.`)
+				};
+				return {
+					ok: true,
+					session: scopedSession,
+					stdin
+				};
+			};
+			const writeToStdin = async (stdin, data) => {
+				await new Promise((resolve, reject) => {
+					stdin.write(data, (err) => {
+						if (err) reject(err);
+						else resolve();
+					});
+				});
+			};
+			const runningSessionResult = (session, text) => ({
+				content: [{
+					type: "text",
+					text
+				}],
+				details: {
+					status: "running",
+					sessionId: params.sessionId,
+					name: deriveSessionName(session.command)
+				}
+			});
+			switch (params.action) {
+				case "poll": {
+					if (!scopedSession) {
+						if (scopedFinished) {
+							resetPollRetrySuggestion(params.sessionId);
+							return {
+								content: [{
+									type: "text",
+									text: (scopedFinished.tail || `(no output recorded${scopedFinished.truncated ? " — truncated to cap" : ""})`) + `\n\nProcess exited with ${scopedFinished.exitSignal ? `signal ${scopedFinished.exitSignal}` : `code ${scopedFinished.exitCode ?? 0}`}.`
+								}],
+								details: {
+									status: scopedFinished.status === "completed" ? "completed" : "failed",
+									sessionId: params.sessionId,
+									exitCode: scopedFinished.exitCode ?? void 0,
+									aggregated: scopedFinished.aggregated,
+									name: deriveSessionName(scopedFinished.command)
+								}
+							};
+						}
+						resetPollRetrySuggestion(params.sessionId);
+						return failText(`No session found for ${params.sessionId}`);
+					}
+					if (!scopedSession.backgrounded) return failText(`Session ${params.sessionId} is not backgrounded.`);
+					const pollWaitMs = resolvePollWaitMs(params.timeout);
+					if (pollWaitMs > 0 && !scopedSession.exited) {
+						const deadline = Date.now() + pollWaitMs;
+						while (!scopedSession.exited && Date.now() < deadline) await sleepPollInterval(Math.max(0, Math.min(250, deadline - Date.now())), signal);
+					}
+					const { stdout, stderr } = drainSession(scopedSession);
+					const exited = scopedSession.exited;
+					const exitCode = scopedSession.exitCode ?? 0;
+					const exitSignal = scopedSession.exitSignal ?? void 0;
+					if (exited) {
+						const status = exitCode === 0 && exitSignal == null ? "completed" : "failed";
+						markExited(scopedSession, scopedSession.exitCode ?? null, scopedSession.exitSignal ?? null, status);
+					}
+					const status = exited ? exitCode === 0 && exitSignal == null ? "completed" : "failed" : "running";
+					const output = [stdout.trimEnd(), stderr.trimEnd()].filter(Boolean).join("\n").trim();
+					const hasNewOutput = output.length > 0;
+					const retryInMs = exited ? void 0 : recordPollRetrySuggestion(params.sessionId, hasNewOutput);
+					if (exited) resetPollRetrySuggestion(params.sessionId);
+					const runtime = exited ? void 0 : describeRunningSession(scopedSession);
+					return {
+						content: [{
+							type: "text",
+							text: (output || "(no new output)") + (exited ? `\n\nProcess exited with ${exitSignal ? `signal ${exitSignal}` : `code ${exitCode}`}.` : buildInputWaitHint(runtime) || "\n\nProcess still running.")
+						}],
+						details: {
+							status,
+							sessionId: params.sessionId,
+							exitCode: exited ? exitCode : void 0,
+							aggregated: scopedSession.aggregated,
+							name: deriveSessionName(scopedSession.command),
+							...runtime ? runningSessionInputDetails(runtime) : {},
+							...typeof retryInMs === "number" ? { retryInMs } : {}
+						}
+					};
+				}
+				case "log":
+					if (scopedSession) {
+						if (!scopedSession.backgrounded) return {
+							content: [{
+								type: "text",
+								text: `Session ${params.sessionId} is not backgrounded.`
+							}],
+							details: { status: "failed" }
+						};
+						const window = resolveLogSliceWindow(params.offset, params.limit);
+						const { slice, totalLines, totalChars } = sliceLogLines(scopedSession.aggregated, window.effectiveOffset, window.effectiveLimit);
+						const runtime = describeRunningSession(scopedSession);
+						const logDefaultTailNote = defaultTailNote(totalLines, window.usingDefaultTail);
+						return {
+							content: [{
+								type: "text",
+								text: (slice || "(no output yet)") + logDefaultTailNote + buildInputWaitHint(runtime)
+							}],
+							details: {
+								status: scopedSession.exited ? "completed" : "running",
+								sessionId: params.sessionId,
+								total: totalLines,
+								totalLines,
+								totalChars,
+								truncated: scopedSession.truncated,
+								name: deriveSessionName(scopedSession.command),
+								...runningSessionInputDetails(runtime)
+							}
+						};
+					}
+					if (scopedFinished) {
+						const window = resolveLogSliceWindow(params.offset, params.limit);
+						const { slice, totalLines, totalChars } = sliceLogLines(scopedFinished.aggregated, window.effectiveOffset, window.effectiveLimit);
+						const status = scopedFinished.status === "completed" ? "completed" : "failed";
+						const logDefaultTailNote = defaultTailNote(totalLines, window.usingDefaultTail);
+						return {
+							content: [{
+								type: "text",
+								text: (slice || "(no output recorded)") + logDefaultTailNote
+							}],
+							details: {
+								status,
+								sessionId: params.sessionId,
+								total: totalLines,
+								totalLines,
+								totalChars,
+								truncated: scopedFinished.truncated,
+								exitCode: scopedFinished.exitCode ?? void 0,
+								exitSignal: scopedFinished.exitSignal ?? void 0,
+								name: deriveSessionName(scopedFinished.command)
+							}
+						};
+					}
+					return {
+						content: [{
+							type: "text",
+							text: `No session found for ${params.sessionId}`
+						}],
+						details: { status: "failed" }
+					};
+				case "write": {
+					const resolved = resolveBackgroundedWritableStdin();
+					if (!resolved.ok) return resolved.result;
+					await writeToStdin(resolved.stdin, params.data ?? "");
+					if (params.eof) resolved.stdin.end();
+					return runningSessionResult(resolved.session, `Wrote ${(params.data ?? "").length} bytes to session ${params.sessionId}${params.eof ? " (stdin closed)" : ""}.`);
+				}
+				case "send-keys": {
+					const resolved = resolveBackgroundedWritableStdin();
+					if (!resolved.ok) return resolved.result;
+					return await handleProcessSendKeys({
+						sessionId: params.sessionId,
+						session: resolved.session,
+						stdin: resolved.stdin,
+						keys: params.keys,
+						hex: params.hex,
+						literal: params.literal
+					});
+				}
+				case "submit": {
+					const resolved = resolveBackgroundedWritableStdin();
+					if (!resolved.ok) return resolved.result;
+					await writeToStdin(resolved.stdin, "\r");
+					return runningSessionResult(resolved.session, `Submitted session ${params.sessionId} (sent CR).`);
+				}
+				case "paste": {
+					const resolved = resolveBackgroundedWritableStdin();
+					if (!resolved.ok) return resolved.result;
+					const payload = encodePaste(params.text ?? "", params.bracketed !== false);
+					if (!payload) return {
+						content: [{
+							type: "text",
+							text: "No paste text provided."
+						}],
+						details: { status: "failed" }
+					};
+					await writeToStdin(resolved.stdin, payload);
+					return runningSessionResult(resolved.session, `Pasted ${params.text?.length ?? 0} chars to session ${params.sessionId}.`);
+				}
+				case "kill": {
+					if (!scopedSession) return failText(`No active session found for ${params.sessionId}`);
+					if (!scopedSession.backgrounded) return failText(`Session ${params.sessionId} is not backgrounded.`);
+					const canceled = cancelManagedSession(scopedSession.id);
+					if (!canceled) {
+						if (!terminateSessionFallback(scopedSession)) return failText(`Unable to terminate session ${params.sessionId}: no active supervisor run or process id.`);
+						markExited(scopedSession, null, "SIGKILL", "failed");
+					}
+					resetPollRetrySuggestion(params.sessionId);
+					return {
+						content: [{
+							type: "text",
+							text: canceled ? `Termination requested for session ${params.sessionId}.` : `Killed session ${params.sessionId}.`
+						}],
+						details: {
+							status: "failed",
+							name: scopedSession ? deriveSessionName(scopedSession.command) : void 0
+						}
+					};
+				}
+				case "clear":
+					if (scopedFinished) {
+						resetPollRetrySuggestion(params.sessionId);
+						deleteSession(params.sessionId);
+						return {
+							content: [{
+								type: "text",
+								text: `Cleared session ${params.sessionId}.`
+							}],
+							details: { status: "completed" }
+						};
+					}
+					return {
+						content: [{
+							type: "text",
+							text: `No finished session found for ${params.sessionId}`
+						}],
+						details: { status: "failed" }
+					};
+				case "remove":
+					if (scopedSession) {
+						const canceled = cancelManagedSession(scopedSession.id);
+						if (canceled) {
+							scopedSession.backgrounded = false;
+							deleteSession(params.sessionId);
+						} else {
+							if (!terminateSessionFallback(scopedSession)) return failText(`Unable to remove session ${params.sessionId}: no active supervisor run or process id.`);
+							markExited(scopedSession, null, "SIGKILL", "failed");
+							deleteSession(params.sessionId);
+						}
+						resetPollRetrySuggestion(params.sessionId);
+						return {
+							content: [{
+								type: "text",
+								text: canceled ? `Removed session ${params.sessionId} (termination requested).` : `Removed session ${params.sessionId}.`
+							}],
+							details: {
+								status: "failed",
+								name: scopedSession ? deriveSessionName(scopedSession.command) : void 0
+							}
+						};
+					}
+					if (scopedFinished) {
+						resetPollRetrySuggestion(params.sessionId);
+						deleteSession(params.sessionId);
+						return {
+							content: [{
+								type: "text",
+								text: `Removed session ${params.sessionId}.`
+							}],
+							details: { status: "completed" }
+						};
+					}
+					return {
+						content: [{
+							type: "text",
+							text: `No session found for ${params.sessionId}`
+						}],
+						details: { status: "failed" }
+					};
+			}
+			return {
+				content: [{
+					type: "text",
+					text: `Unknown action ${params.action}`
+				}],
+				details: { status: "failed" }
+			};
+		}
+	};
+}
+const processTool = createProcessTool();
+//#endregion
+export { execTool as i, processTool as n, createExecTool as r, createProcessTool as t };