npm - iosm-cli - Versions diffs - 0.2.15 → 0.2.17 - Mend

iosm-cli 0.2.15 → 0.2.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

package/CHANGELOG.md +39 -0
package/README.md +23 -1
package/dist/cli/args.d.ts +2 -1
package/dist/cli/args.d.ts.map +1 -1
package/dist/cli/args.js +16 -3
package/dist/cli/args.js.map +1 -1
package/dist/core/agent-profiles.d.ts.map +1 -1
package/dist/core/agent-profiles.js +3 -0
package/dist/core/agent-profiles.js.map +1 -1
package/dist/core/agent-session.d.ts +2 -0
package/dist/core/agent-session.d.ts.map +1 -1
package/dist/core/agent-session.js +26 -10
package/dist/core/agent-session.js.map +1 -1
package/dist/core/agent-teams.d.ts.map +1 -1
package/dist/core/agent-teams.js +12 -9
package/dist/core/agent-teams.js.map +1 -1
package/dist/core/checkpoint/fs-checkpoint.d.ts +14 -0
package/dist/core/checkpoint/fs-checkpoint.d.ts.map +1 -0
package/dist/core/checkpoint/fs-checkpoint.js +211 -0
package/dist/core/checkpoint/fs-checkpoint.js.map +1 -0
package/dist/core/command-dispatcher.d.ts +2 -0
package/dist/core/command-dispatcher.d.ts.map +1 -1
package/dist/core/command-dispatcher.js +78 -13
package/dist/core/command-dispatcher.js.map +1 -1
package/dist/core/mcp/cli.d.ts.map +1 -1
package/dist/core/mcp/cli.js +26 -0
package/dist/core/mcp/cli.js.map +1 -1
package/dist/core/mcp/config.d.ts.map +1 -1
package/dist/core/mcp/config.js +55 -0
package/dist/core/mcp/config.js.map +1 -1
package/dist/core/mcp/index.d.ts +1 -1
package/dist/core/mcp/index.d.ts.map +1 -1
package/dist/core/mcp/index.js.map +1 -1
package/dist/core/mcp/runtime.d.ts +3 -1
package/dist/core/mcp/runtime.d.ts.map +1 -1
package/dist/core/mcp/runtime.js +21 -2
package/dist/core/mcp/runtime.js.map +1 -1
package/dist/core/mcp/types.d.ts +30 -2
package/dist/core/mcp/types.d.ts.map +1 -1
package/dist/core/mcp/types.js.map +1 -1
package/dist/core/package-manager.d.ts +10 -0
package/dist/core/package-manager.d.ts.map +1 -1
package/dist/core/package-manager.js +100 -2
package/dist/core/package-manager.js.map +1 -1
package/dist/core/policy/engine.d.ts +77 -0
package/dist/core/policy/engine.d.ts.map +1 -0
package/dist/core/policy/engine.js +614 -0
package/dist/core/policy/engine.js.map +1 -0
package/dist/core/policy/index.d.ts +2 -0
package/dist/core/policy/index.d.ts.map +1 -0
package/dist/core/policy/index.js +2 -0
package/dist/core/policy/index.js.map +1 -0
package/dist/core/sandbox/executor.d.ts +13 -0
package/dist/core/sandbox/executor.d.ts.map +1 -0
package/dist/core/sandbox/executor.js +64 -0
package/dist/core/sandbox/executor.js.map +1 -0
package/dist/core/sdk.d.ts +2 -2
package/dist/core/sdk.d.ts.map +1 -1
package/dist/core/sdk.js +3 -3
package/dist/core/sdk.js.map +1 -1
package/dist/core/security/index.d.ts +3 -0
package/dist/core/security/index.d.ts.map +1 -0
package/dist/core/security/index.js +3 -0
package/dist/core/security/index.js.map +1 -0
package/dist/core/security/source-security.d.ts +43 -0
package/dist/core/security/source-security.d.ts.map +1 -0
package/dist/core/security/source-security.js +94 -0
package/dist/core/security/source-security.js.map +1 -0
package/dist/core/security/trust-ledger.d.ts +24 -0
package/dist/core/security/trust-ledger.d.ts.map +1 -0
package/dist/core/security/trust-ledger.js +66 -0
package/dist/core/security/trust-ledger.js.map +1 -0
package/dist/core/session-manager.d.ts.map +1 -1
package/dist/core/session-manager.js +128 -15
package/dist/core/session-manager.js.map +1 -1
package/dist/core/settings-manager.d.ts +6 -0
package/dist/core/settings-manager.d.ts.map +1 -1
package/dist/core/settings-manager.js +36 -1
package/dist/core/settings-manager.js.map +1 -1
package/dist/core/settings.schema.json +71 -0
package/dist/core/system-prompt.d.ts.map +1 -1
package/dist/core/system-prompt.js +9 -2
package/dist/core/system-prompt.js.map +1 -1
package/dist/core/task-plan.d.ts +1 -0
package/dist/core/task-plan.d.ts.map +1 -1
package/dist/core/task-plan.js +103 -0
package/dist/core/task-plan.js.map +1 -1
package/dist/core/tools/apply-patch.d.ts +29 -0
package/dist/core/tools/apply-patch.d.ts.map +1 -0
package/dist/core/tools/apply-patch.js +167 -0
package/dist/core/tools/apply-patch.js.map +1 -0
package/dist/core/tools/bash.d.ts.map +1 -1
package/dist/core/tools/bash.js +15 -1
package/dist/core/tools/bash.js.map +1 -1
package/dist/core/tools/git-common.d.ts.map +1 -1
package/dist/core/tools/git-common.js +15 -1
package/dist/core/tools/git-common.js.map +1 -1
package/dist/core/tools/index.d.ts +20 -2
package/dist/core/tools/index.d.ts.map +1 -1
package/dist/core/tools/index.js +85 -25
package/dist/core/tools/index.js.map +1 -1
package/dist/core/tools/permissions.d.ts +16 -0
package/dist/core/tools/permissions.d.ts.map +1 -1
package/dist/core/tools/permissions.js +34 -1
package/dist/core/tools/permissions.js.map +1 -1
package/dist/core/tools/task.d.ts.map +1 -1
package/dist/core/tools/task.js +68 -24
package/dist/core/tools/task.js.map +1 -1
package/dist/core/tools/tool-search.d.ts +24 -0
package/dist/core/tools/tool-search.d.ts.map +1 -0
package/dist/core/tools/tool-search.js +85 -0
package/dist/core/tools/tool-search.js.map +1 -0
package/dist/core/tools/tool-suggest.d.ts +18 -0
package/dist/core/tools/tool-suggest.d.ts.map +1 -0
package/dist/core/tools/tool-suggest.js +94 -0
package/dist/core/tools/tool-suggest.js.map +1 -0
package/dist/core/tools/verification-runner.d.ts.map +1 -1
package/dist/core/tools/verification-runner.js +15 -1
package/dist/core/tools/verification-runner.js.map +1 -1
package/dist/core/unified-exec.d.ts +39 -0
package/dist/core/unified-exec.d.ts.map +1 -0
package/dist/core/unified-exec.js +286 -0
package/dist/core/unified-exec.js.map +1 -0
package/dist/main.d.ts.map +1 -1
package/dist/main.js +93 -11
package/dist/main.js.map +1 -1
package/dist/modes/acp/acp-mode.d.ts +17 -0
package/dist/modes/acp/acp-mode.d.ts.map +1 -0
package/dist/modes/acp/acp-mode.js +352 -0
package/dist/modes/acp/acp-mode.js.map +1 -0
package/dist/modes/index.d.ts +2 -1
package/dist/modes/index.d.ts.map +1 -1
package/dist/modes/index.js +1 -0
package/dist/modes/index.js.map +1 -1
package/dist/modes/interactive/components/tool-execution.d.ts.map +1 -1
package/dist/modes/interactive/components/tool-execution.js +217 -0
package/dist/modes/interactive/components/tool-execution.js.map +1 -1
package/dist/modes/interactive/interactive-mode.d.ts +8 -0
package/dist/modes/interactive/interactive-mode.d.ts.map +1 -1
package/dist/modes/interactive/interactive-mode.js +159 -72
package/dist/modes/interactive/interactive-mode.js.map +1 -1
package/dist/modes/rpc/rpc-client.d.ts +25 -1
package/dist/modes/rpc/rpc-client.d.ts.map +1 -1
package/dist/modes/rpc/rpc-client.js +33 -0
package/dist/modes/rpc/rpc-client.js.map +1 -1
package/dist/modes/rpc/rpc-mode.d.ts +13 -1
package/dist/modes/rpc/rpc-mode.d.ts.map +1 -1
package/dist/modes/rpc/rpc-mode.js +189 -28
package/dist/modes/rpc/rpc-mode.js.map +1 -1
package/dist/modes/rpc/rpc-types.d.ts +54 -1
package/dist/modes/rpc/rpc-types.d.ts.map +1 -1
package/dist/modes/rpc/rpc-types.js.map +1 -1
package/dist/utils/tools-manager.d.ts.map +1 -1
package/dist/utils/tools-manager.js +96 -9
package/dist/utils/tools-manager.js.map +1 -1
package/docs/README.md +2 -0
package/docs/acp-rpc-mapping.md +38 -0
package/docs/configuration.generated.md +81 -0
package/docs/configuration.md +7 -0
package/package.json +6 -3

package/dist/modes/interactive/interactive-mode.js CHANGED Viewed

@@ -35,13 +35,15 @@ import { createAgentSession } from "../../core/sdk.js";
 import { createTeamRun, getTeamRun, listTeamRuns } from "../../core/agent-teams.js";
 import { buildSwarmPlanFromSingular, buildSwarmPlanFromTask, runSwarmScheduler, SwarmStateStore, } from "../../core/swarm/index.js";
 import { loadCustomSubagents, resolveCustomSubagentReference, } from "../../core/subagents.js";
+import { evaluatePermissionWithPolicy } from "../../core/policy/index.js";
 import { getSubagentRun, listSubagentRuns } from "../../core/subagent-runs.js";
 import { getBackgroundProcess, listBackgroundProcesses, pruneBackgroundProcesses, readBackgroundProcessLogTail, stopBackgroundProcess, } from "../../core/background-processes.js";
 import { getSubagentBackgroundRun, listSubagentBackgroundRuns, pruneSubagentBackgroundRuns, readSubagentBackgroundRunLogTail, requestStopAllSubagentBackgroundRuns, requestStopSubagentBackgroundRun, } from "../../core/subagent-background-runs.js";
 import { SessionManager } from "../../core/session-manager.js";
 import { SettingsManager } from "../../core/settings-manager.js";
 import { BUILTIN_SLASH_COMMANDS } from "../../core/slash-commands.js";
-import { isTaskPlanSnapshot, TASK_PLAN_CUSTOM_TYPE } from "../../core/task-plan.js";
+import { getToolPermissionSignature } from "../../core/tools/index.js";
+import { coerceTaskPlanSnapshot, TASK_PLAN_CUSTOM_TYPE, } from "../../core/task-plan.js";
 import { buildIosmAutomationPrompt, buildIosmAgentVerificationPrompt, buildIosmGuideAuthoringPrompt, buildIosmPriorityChecklist, createMetricSnapshot, extractAssistantText, evaluateIosmAutomationProgress, formatMetricSnapshot, hasReachedIosmTarget, getIosmGuidePath, initIosmWorkspace, inspectIosmCycle, listIosmCycles, loadIosmConfig, planIosmCycle, readIosmCycleReport, recordIosmCycleHistory, resolveIosmAutomationSettings, summarizeMetricDelta, normalizeIosmGuideMarkdown, writeIosmGuideDocument, } from "../../iosm/index.js";
 import { getChangelogPath, getNewEntries, parseChangelog } from "../../utils/changelog.js";
 import { copyToClipboard } from "../../utils/clipboard.js";
@@ -414,9 +416,12 @@ async function promptMetaWithParallelismGuard(input) {
     };
     const unsubscribe = input.session.subscribe((event) => {
         if (event.type === "message_end" && event.message.role === "custom") {
-            if (event.message.customType === TASK_PLAN_CUSTOM_TYPE && isTaskPlanSnapshot(event.message.details)) {
-                taskPlanSnapshot = event.message.details;
-                maybeScheduleCorrection();
+            if (event.message.customType === TASK_PLAN_CUSTOM_TYPE) {
+                const snapshot = coerceTaskPlanSnapshot(event.message.details);
+                if (snapshot) {
+                    taskPlanSnapshot = snapshot;
+                    maybeScheduleCorrection();
+                }
             }
             return;
         }
@@ -932,6 +937,7 @@ export class InteractiveMode {
         this.permissionAllowRules = [];
         this.permissionDenyRules = [];
         this.permissionPromptLock = Promise.resolve();
+        this.turnAllowedToolSignatures = new Set();
         this.sessionAllowedToolSignatures = new Set();
         this.singularLastEffectiveContract = {};
         this.swarmActiveRunId = undefined;
@@ -1046,6 +1052,7 @@ export class InteractiveMode {
         this.activeProfileName = profile.name;
         this.profilePromptSuffix = profile.systemPromptAppend || undefined;
         this.mcpRuntime = options.mcpRuntime;
+        this.policyEngine = options.policyEngine;
         this.contractService = new ContractService({ cwd: this.sessionManager.getCwd() });
         this.singularService = new SingularService({ cwd: this.sessionManager.getCwd() });
         // Apply plan mode and profile badges immediately if set
@@ -1056,8 +1063,9 @@ export class InteractiveMode {
         this.session.setIosmAutopilotEnabled(this.activeProfileName === "iosm");
         this.syncRuntimePromptSuffix();
         this.permissionMode = this.settingsManager.getPermissionMode();
-        this.permissionAllowRules = this.settingsManager.getPermissionAllowRules();
-        this.permissionDenyRules = this.settingsManager.getPermissionDenyRules();
+        this.policyEngine?.refresh();
+        this.permissionAllowRules = this.policyEngine?.getLegacyRules("allow") ?? this.settingsManager.getPermissionAllowRules();
+        this.permissionDenyRules = this.policyEngine?.getLegacyRules("deny") ?? this.settingsManager.getPermissionDenyRules();
         this.session.setToolPermissionHandler((request) => this.requestToolPermission(request));
         this.mcpRuntime?.setPermissionGuard((request) => this.requestToolPermission(request));
         // Load hide thinking block setting
@@ -1105,8 +1113,7 @@ export class InteractiveMode {
         return [...new Set(nextActiveTools)];
     }
     getToolPermissionSignature(request) {
-        const summary = request.summary.trim().replace(/\s+/g, " ");
-        return `${request.toolName}:${summary}`;
+        return getToolPermissionSignature(request);
     }
     matchesPermissionRule(rule, request) {
         const [ruleToolRaw, ...rest] = rule.split(":");
@@ -1137,54 +1144,77 @@ export class InteractiveMode {
             : false;
         if (this.activeProfileName === "meta" &&
             !this.currentTurnSawTaskToolCall &&
-            (request.toolName === "bash" || request.toolName === "edit" || request.toolName === "write")) {
+            (request.toolName === "bash" || request.toolName === "edit" || request.toolName === "write" || request.toolName === "apply_patch")) {
             this.showWarning(`META mode orchestration guard: direct ${request.toolName} is blocked before the first task call in a turn. Launch subagents via task or switch profile to full.`);
             return false;
         }
         if (isReadOnlyProfileName(this.activeProfileName) &&
-            (request.toolName === "bash" || request.toolName === "edit" || request.toolName === "write")) {
+            (request.toolName === "bash" || request.toolName === "edit" || request.toolName === "write" || request.toolName === "apply_patch")) {
             this.showWarning(`Tool ${request.toolName} is disabled in ${this.activeProfileName} profile. Switch to full/meta/iosm for mutating operations.`);
             return false;
         }
-        for (const rule of this.permissionDenyRules) {
-            if (this.matchesPermissionRule(rule, request)) {
-                this.showWarning(`Denied by rule: ${rule}`);
+        if (this.policyEngine) {
+            this.policyEngine.refresh();
+            const evaluated = evaluatePermissionWithPolicy(this.policyEngine, request, {
+                profile: this.activeProfileName,
+                runtimeMode: "interactive",
+                permissionMode: this.permissionMode,
+                strictExtensionToolEnforcement,
+            });
+            if (evaluated.outcome === "deny") {
+                this.showWarning(evaluated.reason);
                 return false;
             }
-        }
-        for (const rule of this.permissionAllowRules) {
-            if (this.matchesPermissionRule(rule, request)) {
+            if (evaluated.outcome === "allow") {
                 return true;
             }
         }
-        if (strictExtensionToolEnforcement && request.toolSource === "extension") {
-            if (this.permissionMode === "auto") {
-                if (request.requiredPermission === "read-only") {
+        else {
+            for (const rule of this.permissionDenyRules) {
+                if (this.matchesPermissionRule(rule, request)) {
+                    this.showWarning(`Denied by rule: ${rule}`);
+                    return false;
+                }
+            }
+            for (const rule of this.permissionAllowRules) {
+                if (this.matchesPermissionRule(rule, request)) {
                     return true;
                 }
-                if (!request.requiredPermission) {
-                    this.showWarning(`Extension tool ${request.toolName} is missing requiredPermission metadata. Add an allow rule or switch to ask/yolo mode.`);
-                    return false;
+            }
+            if (strictExtensionToolEnforcement && request.toolSource === "extension") {
+                if (this.permissionMode === "auto") {
+                    if (request.requiredPermission === "read-only") {
+                        return true;
+                    }
+                    if (!request.requiredPermission) {
+                        this.showWarning(`Extension tool ${request.toolName} is missing requiredPermission metadata. Add an allow rule or switch to ask/yolo mode.`);
+                        return false;
+                    }
                 }
             }
-        }
-        if (this.permissionMode === "yolo") {
-            return true;
-        }
-        if (this.permissionMode === "auto") {
-            // Auto mode mirrors "accept edits": allow edit/write without prompts,
-            // still ask for shell execution.
-            if (request.toolName === "edit" || request.toolName === "write") {
+            if (this.permissionMode === "yolo") {
                 return true;
             }
+            if (this.permissionMode === "auto") {
+                // Auto mode mirrors "accept edits": allow edit/write without prompts,
+                // still ask for shell execution.
+                if (request.toolName === "edit" || request.toolName === "write" || request.toolName === "apply_patch") {
+                    return true;
+                }
+            }
         }
         const signature = this.getToolPermissionSignature(request);
+        if (this.turnAllowedToolSignatures?.has(signature)) {
+            return true;
+        }
         if (this.sessionAllowedToolSignatures.has(signature)) {
             return true;
         }
         return this.withPermissionDialogLock(async () => {
             if (this.permissionMode === "yolo")
                 return true;
+            if (this.turnAllowedToolSignatures?.has(signature))
+                return true;
             if (this.sessionAllowedToolSignatures.has(signature))
                 return true;
             const tierLabel = request.requiredPermission ? ` [${request.requiredPermission}]` : "";
@@ -1192,6 +1222,7 @@ export class InteractiveMode {
             const label = `${request.toolName}${tierLabel}${sourceLabel}: ${request.summary}`;
             const choice = await this.showExtensionSelector("Permission required", [
                 "Allow once",
+                "Allow this turn",
                 "Deny",
                 "Always allow this command (session)",
             ]);
@@ -1199,6 +1230,12 @@ export class InteractiveMode {
                 this.showWarning(`Permission denied: ${label}`);
                 return false;
             }
+            if (choice === "Allow this turn") {
+                if (!this.turnAllowedToolSignatures) {
+                    this.turnAllowedToolSignatures = new Set();
+                }
+                this.turnAllowedToolSignatures.add(signature);
+            }
             if (choice === "Always allow this command (session)") {
                 this.sessionAllowedToolSignatures.add(signature);
             }
@@ -1251,6 +1288,59 @@ export class InteractiveMode {
             : "";
         return `Permissions: ${this.permissionMode}${this.permissionAllowRules.length > 0 ? ` · allow rules: ${this.permissionAllowRules.length}` : ""}${this.permissionDenyRules.length > 0 ? ` · deny rules: ${this.permissionDenyRules.length}` : ""}${hookSegment}`;
     }
+    refreshPermissionRulesFromPolicy() {
+        if (!this.policyEngine)
+            return;
+        this.policyEngine.refresh();
+        this.permissionAllowRules = this.policyEngine.getLegacyRules("allow");
+        this.permissionDenyRules = this.policyEngine.getLegacyRules("deny");
+    }
+    addPermissionRule(kind, rawRule) {
+        const normalized = rawRule.trim();
+        if (!normalized || !normalized.includes(":"))
+            return false;
+        if (this.policyEngine) {
+            const added = this.policyEngine.addLegacyRule(kind, normalized);
+            this.refreshPermissionRulesFromPolicy();
+            return added;
+        }
+        if (kind === "allow") {
+            if (this.permissionAllowRules.includes(normalized))
+                return false;
+            this.permissionAllowRules.push(normalized);
+            this.settingsManager.setPermissionAllowRules(this.permissionAllowRules);
+            return true;
+        }
+        if (this.permissionDenyRules.includes(normalized))
+            return false;
+        this.permissionDenyRules.push(normalized);
+        this.settingsManager.setPermissionDenyRules(this.permissionDenyRules);
+        return true;
+    }
+    removePermissionRule(kind, rawRule) {
+        const normalized = rawRule.trim();
+        if (!normalized)
+            return false;
+        if (this.policyEngine) {
+            const removed = this.policyEngine.removeLegacyRule(kind, normalized);
+            this.refreshPermissionRulesFromPolicy();
+            return removed;
+        }
+        if (kind === "allow") {
+            const next = this.permissionAllowRules.filter((rule) => rule !== normalized);
+            if (next.length === this.permissionAllowRules.length)
+                return false;
+            this.permissionAllowRules = next;
+            this.settingsManager.setPermissionAllowRules(this.permissionAllowRules);
+            return true;
+        }
+        const next = this.permissionDenyRules.filter((rule) => rule !== normalized);
+        if (next.length === this.permissionDenyRules.length)
+            return false;
+        this.permissionDenyRules = next;
+        this.settingsManager.setPermissionDenyRules(this.permissionDenyRules);
+        return true;
+    }
     async runPermissionRulesMenu(kind) {
         while (true) {
             const isAllow = kind === "allow";
@@ -1281,18 +1371,7 @@ export class InteractiveMode {
                     this.showWarning(`Invalid rule "${rawRule || "(empty)"}". Expected <tool:match>.`);
                     continue;
                 }
-                if (isAllow) {
-                    if (!this.permissionAllowRules.includes(rawRule)) {
-                        this.permissionAllowRules.push(rawRule);
-                        this.settingsManager.setPermissionAllowRules(this.permissionAllowRules);
-                    }
-                }
-                else {
-                    if (!this.permissionDenyRules.includes(rawRule)) {
-                        this.permissionDenyRules.push(rawRule);
-                        this.settingsManager.setPermissionDenyRules(this.permissionDenyRules);
-                    }
-                }
+                this.addPermissionRule(isAllow ? "allow" : "deny", rawRule);
                 this.showStatus(`Added ${kind} rule: ${rawRule}`);
                 continue;
             }
@@ -1304,14 +1383,7 @@ export class InteractiveMode {
                 const pickedRule = await this.showExtensionSelector(`/permissions ${kind}: remove rule`, rules.map((rule) => rule));
                 if (!pickedRule)
                     continue;
-                if (isAllow) {
-                    this.permissionAllowRules = this.permissionAllowRules.filter((rule) => rule !== pickedRule);
-                    this.settingsManager.setPermissionAllowRules(this.permissionAllowRules);
-                }
-                else {
-                    this.permissionDenyRules = this.permissionDenyRules.filter((rule) => rule !== pickedRule);
-                    this.settingsManager.setPermissionDenyRules(this.permissionDenyRules);
-                }
+                this.removePermissionRule(isAllow ? "allow" : "deny", pickedRule);
                 this.showStatus(`Removed ${kind} rule: ${pickedRule}`);
             }
         }
@@ -1380,6 +1452,7 @@ export class InteractiveMode {
         }
     }
     async handlePermissionsCommand(text) {
+        this.refreshPermissionRulesFromPolicy();
         const args = this.parseSlashArgs(text).slice(1);
         const value = args[0]?.toLowerCase();
         if (!value) {
@@ -1426,10 +1499,7 @@ export class InteractiveMode {
                     this.showWarning("Usage: /permissions allow add <tool:match>");
                     return;
                 }
-                if (!this.permissionAllowRules.includes(rawRule)) {
-                    this.permissionAllowRules.push(rawRule);
-                    this.settingsManager.setPermissionAllowRules(this.permissionAllowRules);
-                }
+                this.addPermissionRule("allow", rawRule);
                 this.showStatus(`Added allow rule: ${rawRule}`);
                 return;
             }
@@ -1439,8 +1509,7 @@ export class InteractiveMode {
                     this.showWarning("Usage: /permissions allow remove <tool:match>");
                     return;
                 }
-                this.permissionAllowRules = this.permissionAllowRules.filter((r) => r !== rawRule);
-                this.settingsManager.setPermissionAllowRules(this.permissionAllowRules);
+                this.removePermissionRule("allow", rawRule);
                 this.showStatus(`Removed allow rule: ${rawRule}`);
                 return;
             }
@@ -1463,10 +1532,7 @@ export class InteractiveMode {
                     this.showWarning("Usage: /permissions deny add <tool:match>");
                     return;
                 }
-                if (!this.permissionDenyRules.includes(rawRule)) {
-                    this.permissionDenyRules.push(rawRule);
-                    this.settingsManager.setPermissionDenyRules(this.permissionDenyRules);
-                }
+                this.addPermissionRule("deny", rawRule);
                 this.showStatus(`Added deny rule: ${rawRule}`);
                 return;
             }
@@ -1476,8 +1542,7 @@ export class InteractiveMode {
                     this.showWarning("Usage: /permissions deny remove <tool:match>");
                     return;
                 }
-                this.permissionDenyRules = this.permissionDenyRules.filter((r) => r !== rawRule);
-                this.settingsManager.setPermissionDenyRules(this.permissionDenyRules);
+                this.removePermissionRule("deny", rawRule);
                 this.showStatus(`Removed deny rule: ${rawRule}`);
                 return;
             }
@@ -3822,6 +3887,7 @@ export class InteractiveMode {
             case "agent_start":
                 this.currentTurnSawAssistantMessage = false;
                 this.currentTurnSawTaskToolCall = false;
+                this.turnAllowedToolSignatures.clear();
                 // Restore main escape handler if retry handler is still active
                 // (retry success event fires later, but we need main handler now)
                 if (this.retryEscapeHandler) {
@@ -4383,17 +4449,19 @@ export class InteractiveMode {
             case "custom": {
                 this.handleInternalUiMetaMessage(message);
                 if (message.display) {
-                    if (message.customType === TASK_PLAN_CUSTOM_TYPE && isTaskPlanSnapshot(message.details)) {
-                        const component = new TaskPlanMessageComponent(message.details);
-                        component.setExpanded(this.toolOutputExpanded);
-                        this.chatContainer.addChild(component);
-                    }
-                    else {
-                        const renderer = this.session.extensionRunner?.getMessageRenderer(message.customType);
-                        const component = new CustomMessageComponent(message, renderer, this.getMarkdownThemeWithSettings());
-                        component.setExpanded(this.toolOutputExpanded);
-                        this.chatContainer.addChild(component);
+                    if (message.customType === TASK_PLAN_CUSTOM_TYPE) {
+                        const snapshot = coerceTaskPlanSnapshot(message.details);
+                        if (snapshot) {
+                            const component = new TaskPlanMessageComponent(snapshot);
+                            component.setExpanded(this.toolOutputExpanded);
+                            this.chatContainer.addChild(component);
+                            break;
+                        }
                     }
+                    const renderer = this.session.extensionRunner?.getMessageRenderer(message.customType);
+                    const component = new CustomMessageComponent(message, renderer, this.getMarkdownThemeWithSettings());
+                    component.setExpanded(this.toolOutputExpanded);
+                    this.chatContainer.addChild(component);
                 }
                 break;
             }
@@ -13182,6 +13250,25 @@ export class InteractiveMode {
             cwd,
             agentDir: getAgentDir(),
             settingsManager: this.settingsManager,
+            allowedSourceHosts: this.policyEngine?.getAllowedSourceHosts(),
+            trustConsentProvider: async (request) => {
+                const details = [
+                    `Source: ${request.source}`,
+                    `Host: ${request.host}`,
+                    `Identity: ${request.identity}`,
+                    `Fingerprint: ${request.fingerprint}`,
+                ];
+                if (request.previousFingerprint) {
+                    details.push(`Previous fingerprint: ${request.previousFingerprint}`);
+                }
+                const answer = await this.showExtensionSelector(`Trust ${request.sourceType} ${request.action}?`, ["Trust and continue", "Deny"]);
+                if (answer !== "Trust and continue") {
+                    this.showWarning(`Blocked untrusted source: ${request.source}`);
+                    return false;
+                }
+                this.showCommandTextBlock("Trust Decision", details.join("\n"));
+                return true;
+            },
         });
     }
     normalizeExtensionOverrideTarget(target) {