jeo-code 0.4.9 → 0.5.1

package/README.ja.md

@@ -150,11 +150,11 @@ CI は `.github/workflows/npm-publish.yml` で公開します — GitHub リリ
 ## 変更履歴 (Changelog)
 
 <!-- CHANGELOG:START (auto-generated from CHANGELOG.md — run `bun run changelog:sync`) -->
+- **[0.5.1]** (2026-06-14) — cmd-mode `!<command>` shell escape — run a shell command without engaging the agent.
+- **[0.5.0]** (2026-06-14) — Performance: workspace-scan, workflow-state, and DNA-Claw HUD caches; plus a credential-safety fix that never wipes OAuth over an invalid config.
 - **[0.4.9]** (2026-06-14) — Live-frame width-clamp (content-sized height) replaces the constant-height approach, typed text shows during a running turn, and a docs/AGENTS refresh.
 - **[0.4.8]** (2026-06-14) — Live-frame stability: constant-height live turn, renderer self-heal off-by-one fix, and frame-safe child-stdout sanitizing — no more duplicate model bar or torn escapes.
 - **[0.4.7]** (2026-06-14) — Detached subagents + `subagent` control tool, live shaded in-flight output, registry-driven providers, fuller `read` budget, styled italics in the final report, and `gjc` retired.
-- **[0.4.6]** (2026-06-14) — Width-correct forge cards for CJK/emoji, red borders on failed tool cards, aligned `ooo ralph` monitor HUD, and a per-theme user-card palette.
-- **[0.4.5]** (2026-06-14) — First-class filesystem make/remove tools.
 
 See [CHANGELOG.md](CHANGELOG.md) for the full history.
 <!-- CHANGELOG:END -->

package/README.ko.md

@@ -150,11 +150,11 @@ CI는 `.github/workflows/npm-publish.yml`로 배포합니다 — GitHub 릴리
 ## 변경 이력 (Changelog)
 
 <!-- CHANGELOG:START (auto-generated from CHANGELOG.md — run `bun run changelog:sync`) -->
+- **[0.5.1]** (2026-06-14) — cmd-mode `!<command>` shell escape — run a shell command without engaging the agent.
+- **[0.5.0]** (2026-06-14) — Performance: workspace-scan, workflow-state, and DNA-Claw HUD caches; plus a credential-safety fix that never wipes OAuth over an invalid config.
 - **[0.4.9]** (2026-06-14) — Live-frame width-clamp (content-sized height) replaces the constant-height approach, typed text shows during a running turn, and a docs/AGENTS refresh.
 - **[0.4.8]** (2026-06-14) — Live-frame stability: constant-height live turn, renderer self-heal off-by-one fix, and frame-safe child-stdout sanitizing — no more duplicate model bar or torn escapes.
 - **[0.4.7]** (2026-06-14) — Detached subagents + `subagent` control tool, live shaded in-flight output, registry-driven providers, fuller `read` budget, styled italics in the final report, and `gjc` retired.
-- **[0.4.6]** (2026-06-14) — Width-correct forge cards for CJK/emoji, red borders on failed tool cards, aligned `ooo ralph` monitor HUD, and a per-theme user-card palette.
-- **[0.4.5]** (2026-06-14) — First-class filesystem make/remove tools.
 
 See [CHANGELOG.md](CHANGELOG.md) for the full history.
 <!-- CHANGELOG:END -->

package/README.md

@@ -150,11 +150,11 @@ Required npm token permissions (repository secret `NPM_TOKEN`):
 ## Changelog
 
 <!-- CHANGELOG:START (auto-generated from CHANGELOG.md — run `bun run changelog:sync`) -->
+- **[0.5.1]** (2026-06-14) — cmd-mode `!<command>` shell escape — run a shell command without engaging the agent.
+- **[0.5.0]** (2026-06-14) — Performance: workspace-scan, workflow-state, and DNA-Claw HUD caches; plus a credential-safety fix that never wipes OAuth over an invalid config.
 - **[0.4.9]** (2026-06-14) — Live-frame width-clamp (content-sized height) replaces the constant-height approach, typed text shows during a running turn, and a docs/AGENTS refresh.
 - **[0.4.8]** (2026-06-14) — Live-frame stability: constant-height live turn, renderer self-heal off-by-one fix, and frame-safe child-stdout sanitizing — no more duplicate model bar or torn escapes.
 - **[0.4.7]** (2026-06-14) — Detached subagents + `subagent` control tool, live shaded in-flight output, registry-driven providers, fuller `read` budget, styled italics in the final report, and `gjc` retired.
-- **[0.4.6]** (2026-06-14) — Width-correct forge cards for CJK/emoji, red borders on failed tool cards, aligned `ooo ralph` monitor HUD, and a per-theme user-card palette.
-- **[0.4.5]** (2026-06-14) — First-class filesystem make/remove tools.
 
 See [CHANGELOG.md](CHANGELOG.md) for the full history.
 <!-- CHANGELOG:END -->

package/README.zh.md

@@ -150,11 +150,11 @@ CI 通过 `.github/workflows/npm-publish.yml` 发布 — GitHub 发布 release
 ## 更新日志 (Changelog)
 
 <!-- CHANGELOG:START (auto-generated from CHANGELOG.md — run `bun run changelog:sync`) -->
+- **[0.5.1]** (2026-06-14) — cmd-mode `!<command>` shell escape — run a shell command without engaging the agent.
+- **[0.5.0]** (2026-06-14) — Performance: workspace-scan, workflow-state, and DNA-Claw HUD caches; plus a credential-safety fix that never wipes OAuth over an invalid config.
 - **[0.4.9]** (2026-06-14) — Live-frame width-clamp (content-sized height) replaces the constant-height approach, typed text shows during a running turn, and a docs/AGENTS refresh.
 - **[0.4.8]** (2026-06-14) — Live-frame stability: constant-height live turn, renderer self-heal off-by-one fix, and frame-safe child-stdout sanitizing — no more duplicate model bar or torn escapes.
 - **[0.4.7]** (2026-06-14) — Detached subagents + `subagent` control tool, live shaded in-flight output, registry-driven providers, fuller `read` budget, styled italics in the final report, and `gjc` retired.
-- **[0.4.6]** (2026-06-14) — Width-correct forge cards for CJK/emoji, red borders on failed tool cards, aligned `ooo ralph` monitor HUD, and a per-theme user-card palette.
-- **[0.4.5]** (2026-06-14) — First-class filesystem make/remove tools.
 
 See [CHANGELOG.md](CHANGELOG.md) for the full history.
 <!-- CHANGELOG:END -->

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "jeo-code",
-  "version": "0.4.9",
+  "version": "0.5.1",
   "description": "Clean, highly optimized AI coding agent using spec-first loop",
   "type": "module",
   "main": "src/cli.ts",

package/src/agent/context-files.ts

@@ -78,7 +78,10 @@ const EXPLICIT_GUIDANCE_FILES = [".agents/oma-config.yaml", ".agents/oma-config.
 
 // Module-level cache of the downward scan, keyed by resolved cwd. The scan is
 // independent of $HOME (it only walks the cwd subtree), so caching by cwd is safe.
+// Bounded LRU: a long-running session that scans many distinct cwds (subagents,
+// worktrees, /view of other trees) must not grow this Map without bound.
 const workspaceScanCache = new Map<string, WorkspaceScan>();
+const WORKSPACE_SCAN_CACHE_CAP = 32;
 
 function segsEqual(a: readonly string[], b: readonly string[]): boolean {
   if (a.length !== b.length) return false;
@@ -161,8 +164,18 @@ async function scanWorkspaceDownwards(resolvedCwd: string): Promise<WorkspaceSca
 async function getWorkspaceScan(cwd: string): Promise<WorkspaceScan> {
   const resolvedCwd = path.resolve(cwd);
   const cached = workspaceScanCache.get(resolvedCwd);
-  if (cached) return cached;
+  if (cached) {
+    // LRU refresh: re-insert so the most-recently-used entry is evicted last.
+    workspaceScanCache.delete(resolvedCwd);
+    workspaceScanCache.set(resolvedCwd, cached);
+    return cached;
+  }
   const scan = await scanWorkspaceDownwards(resolvedCwd);
+  // Evict the oldest entry (Map preserves insertion order) once at capacity.
+  if (workspaceScanCache.size >= WORKSPACE_SCAN_CACHE_CAP) {
+    const oldest = workspaceScanCache.keys().next().value;
+    if (oldest !== undefined) workspaceScanCache.delete(oldest);
+  }
   workspaceScanCache.set(resolvedCwd, scan);
   return scan;
 }

package/src/agent/state.ts

@@ -233,7 +233,7 @@ type ParsedFile =
   | { kind: "ok"; config: Config }
   | { kind: "missing" }
   | { kind: "bad-json"; warned: boolean }
-  | { kind: "invalid"; message: string; warned: boolean };
+  | { kind: "invalid"; message: string; warned: boolean; rawObject?: unknown };
 const configReadCache = new Map<string, { mtimeMs: number; size: number; parsed: ParsedFile }>();
 const CONFIG_CACHE_CAP = 8;
 
@@ -259,7 +259,9 @@ async function readParsedConfigFile(): Promise<ParsedFile> {
     const result = parseConfig(raw);
     parsed = result.ok
       ? { kind: "ok", config: result.config as Config }
-      : { kind: "invalid", message: result.message, warned: false };
+      // Keep the raw JSON object on a schema-invalid (but JSON-valid) config so
+      // readRawGlobalConfig can salvage the credential blocks instead of dropping them.
+      : { kind: "invalid", message: result.message, warned: false, rawObject: raw };
   } catch {
     parsed = { kind: "bad-json", warned: false };
   }
@@ -271,6 +273,20 @@ async function readParsedConfigFile(): Promise<ParsedFile> {
   return parsed;
 }
 
+/** Overlay the `oauth` + `providers` credential blocks from a schema-invalid (but
+ *  JSON-valid) config's raw object onto `base`. A single bad scalar field (e.g. a
+ *  non-string defaultModel) must never cost the user their stored credentials — neither
+ *  when resolving them at runtime (readGlobalConfig) nor when persisting (readRawGlobalConfig). */
+function salvageCredentials(base: Config, parsed: ParsedFile): Config {
+  if (parsed.kind !== "invalid" || !parsed.rawObject || typeof parsed.rawObject !== "object") return base;
+  const ro = parsed.rawObject as Record<string, unknown>;
+  if (ro.oauth && typeof ro.oauth === "object") base.oauth = structuredClone(ro.oauth) as Config["oauth"];
+  if (ro.providers && typeof ro.providers === "object") {
+    base.providers = { ...base.providers, ...(structuredClone(ro.providers) as Config["providers"]) };
+  }
+  return base;
+}
+
 export async function readGlobalConfig(): Promise<Config> {
   const parsed = await readParsedConfigFile();
   if (parsed.kind === "bad-json" || parsed.kind === "invalid") {
@@ -280,7 +296,9 @@ export async function readGlobalConfig(): Promise<Config> {
       const detail = parsed.kind === "invalid" ? ` is invalid (${parsed.message})` : " is not valid JSON";
       process.stderr.write(`[jeo] ${globalConfigPath()}${detail}; using environment defaults.\n`);
     }
-    return withEnvOverlay(envDefaultConfig());
+    // Credential salvage: keep oauth/providers from a JSON-valid-but-schema-invalid
+    // config so the runtime stays authenticated (and a later write repairs the file).
+    return withEnvOverlay(salvageCredentials(envDefaultConfig(), parsed));
   }
   if (parsed.kind === "missing") return withEnvOverlay(envDefaultConfig());
   return withEnvOverlay(structuredClone(parsed.config));
@@ -307,9 +325,15 @@ export async function saveGlobalConfig(config: Config): Promise<void> {
  *  JEO_*_MODEL role tiers, OLLAMA_HOST/OPENAI_BASE_URL) are never baked into
  *  ~/.jeo/config.json by an unrelated `/agents`/`/roles`/`/model save`. */
 export async function readRawGlobalConfig(): Promise<Config> {
-  const clean: Config = { providers: {}, defaultModel: DEFAULT_MODEL, thinkingLevel: "medium" };
   const parsed = await readParsedConfigFile();
-  return parsed.kind === "ok" ? structuredClone(parsed.config) : clean;
+  if (parsed.kind === "ok") return structuredClone(parsed.config);
+  // CREDENTIAL SAFETY: when the on-disk config is JSON-valid but fails schema validation
+  // on some unrelated field, salvage the `oauth` + `providers` blocks. Without this, the
+  // next saveConfigPatch (e.g. an auto token refresh that patches ONE provider) bases on
+  // a clean config and silently wipes every OTHER stored credential — the "OAuth de-authed
+  // after a session" bug. The invalid scalar field is dropped (reset to default).
+  const clean: Config = { providers: {}, defaultModel: DEFAULT_MODEL, thinkingLevel: "medium" };
+  return salvageCredentials(clean, parsed);
 }
 
 /** Merge a patch onto the RAW on-disk config and persist. The `build` callback
@@ -326,17 +350,65 @@ export function getLocalJeoDir(cwd: string = process.cwd()): string {
   return path.join(cwd, ".jeo");
 }
 
+// mtime+size-validated cache for the small per-skill workflow-state JSON. readWorkflowState
+// runs repeatedly (the mutation guard reads before every mutating tool), so re-reading +
+// re-parsing each call is wasteful. CROSS-PROCESS-SAFE: a write by another process bumps
+// mtime/size → forces a fresh read, so the security-sensitive guard never serves a stale
+// lock. Same-process write/clear update or drop the entry directly. LRU-capped.
+const workflowStateCache = new Map<string, { mtimeMs: number; size: number; value: WorkflowState | null }>();
+const WORKFLOW_STATE_CACHE_CAP = 16;
+
+function cacheWorkflowState(statePath: string, mtimeMs: number, size: number, value: WorkflowState | null): void {
+  workflowStateCache.delete(statePath);
+  if (workflowStateCache.size >= WORKFLOW_STATE_CACHE_CAP) {
+    const oldest = workflowStateCache.keys().next().value;
+    if (oldest !== undefined) workflowStateCache.delete(oldest);
+  }
+  workflowStateCache.set(statePath, { mtimeMs, size, value });
+}
+
+async function loadWorkflowStateFile(statePath: string, strict: boolean): Promise<WorkflowState | null> {
+  let st: { mtimeMs: number; size: number };
+  try {
+    st = await fs.stat(statePath);
+  } catch (err) {
+    workflowStateCache.delete(statePath);
+    if ((err as NodeJS.ErrnoException).code === "ENOENT") return null;
+    if (strict) throw err;
+    return null;
+  }
+  const hit = workflowStateCache.get(statePath);
+  if (hit && hit.mtimeMs === st.mtimeMs && hit.size === st.size) {
+    workflowStateCache.delete(statePath); // LRU refresh
+    workflowStateCache.set(statePath, hit);
+    return hit.value;
+  }
+  let data: string;
+  try {
+    data = await fs.readFile(statePath, "utf-8");
+  } catch (err) {
+    workflowStateCache.delete(statePath);
+    if ((err as NodeJS.ErrnoException).code === "ENOENT") return null;
+    if (strict) throw err;
+    return null;
+  }
+  try {
+    const parsed = JSON.parse(data) as WorkflowState;
+    cacheWorkflowState(statePath, st.mtimeMs, st.size, parsed);
+    return parsed;
+  } catch {
+    workflowStateCache.delete(statePath);
+    if (strict) throw new Error(`workflow state ${statePath} is corrupt (invalid JSON)`);
+    return null;
+  }
+}
+
 export async function readWorkflowState(
   skill: "deep-interview" | "ralplan" | "team" | "ultragoal",
   cwd: string = process.cwd()
 ): Promise<WorkflowState | null> {
   const statePath = path.join(getLocalJeoDir(cwd), "state", `${skill}-state.json`);
-  try {
-    const data = await fs.readFile(statePath, "utf-8");
-    return JSON.parse(data) as WorkflowState;
-  } catch {
-    return null;
-  }
+  return loadWorkflowStateFile(statePath, false);
 }
 
 /**
@@ -349,18 +421,7 @@ export async function readWorkflowStateStrict(
   cwd: string = process.cwd()
 ): Promise<WorkflowState | null> {
   const statePath = path.join(getLocalJeoDir(cwd), "state", `${skill}-state.json`);
-  let data: string;
-  try {
-    data = await fs.readFile(statePath, "utf-8");
-  } catch (err) {
-    if ((err as NodeJS.ErrnoException).code === "ENOENT") return null;
-    throw err;
-  }
-  try {
-    return JSON.parse(data) as WorkflowState;
-  } catch {
-    throw new Error(`workflow state ${statePath} is corrupt (invalid JSON)`);
-  }
+  return loadWorkflowStateFile(statePath, true);
 }
 
 export async function writeWorkflowState(
@@ -382,6 +443,14 @@ export async function writeWorkflowState(
     await fs.unlink(tmpPath).catch(() => {});
     throw err;
   }
+  // Cache the just-written state keyed on the new file fingerprint so the next read
+  // (often the mutation guard milliseconds later) is served from memory.
+  try {
+    const st = await fs.stat(statePath);
+    cacheWorkflowState(statePath, st.mtimeMs, st.size, state);
+  } catch {
+    workflowStateCache.delete(statePath);
+  }
   return statePath;
 }
 
@@ -393,6 +462,7 @@ export async function clearWorkflowState(
   try {
     await fs.unlink(statePath);
   } catch {}
+  workflowStateCache.delete(statePath);
 }
 
 /**

package/src/commands/launch.ts

@@ -66,7 +66,7 @@ import { stripMarkdown } from "../tui/components/markdown-text";
 import { summarizeForgeInvocation } from "../tui/components/forge";
 import { formatDuration, formatUsage } from "../tui/components/duration";
 
-import { findTool, searchTool } from "../agent/tools";
+import { findTool, searchTool, bashTool } from "../agent/tools";
 import { loadProjectContext, withProjectContext } from "../agent/context-files";
 import { maybeCompact, historyTokens } from "../agent/compaction";
 import * as path from "node:path";
@@ -2998,9 +2998,29 @@ export async function runLaunchCommand(args: string[]): Promise<void> {
         if (pendingImages.length === 0) continue;
         input = "Please look at the attached image(s)."; // image-only submit
       }
+      // gjc-parity shell escape: `!<cmd>` runs the command directly in cmd-mode and
+      // prints its output WITHOUT engaging the agent (history untouched), like a REPL
+      // shell escape. The user is explicitly driving their own shell, so the deep-interview
+      // mutation guard (which gates the AGENT's tools) does not apply here.
+      if (input.startsWith("!")) {
+        const cmd = input.slice(1).trim();
+        if (!cmd) {
+          console.log("Usage: !<shell command>   (run a command in cmd-mode; the agent and history are untouched)");
+          continue;
+        }
+        try {
+          const res = await bashTool(cmd, cwd);
+          if (res.output) console.log(res.output);
+          if (!res.success && res.error) console.log(chalk.red(res.error));
+        } catch (err) {
+          console.log(chalk.red(`! command failed: ${(err as Error).message}`));
+        }
+        continue;
+      }
       if (input === "/" || input === "/?" || input === "/help") {
         logLines(formatSlashCommandList(input === "/help" ? "/" : input, skillSlashDetails));
         console.log("Tools: read / write / edit / bash / find / search. Sessions persist to .jeo/sessions/.");
+        console.log("Shell: !<command>   runs a command in cmd-mode directly (agent/history untouched).");
         const tip = getEvolutionTip(history.length, flags.maxSteps > 0 ? flags.maxSteps : initialStepLimit);
         console.log(`\n${chalk.cyan("Evolutionary Tip:")} ${tip}`);
         continue;

package/src/tui/components/ascii-art.ts

@@ -524,6 +524,15 @@ export const DNA_CLAW_ART_GRAND_ASCII: string[] = [
   "        [ D N A . C L A W ]         "
 ];
 
+// Bounded memo of fully-rendered DNA Claw frames keyed by every input that affects
+// output (grand/unicode/cols/color/colorLevel/phase/frame). The live HUD cycles a
+// FIXED ~60-frame set (3 twists × 20 gradient phases) at ~120ms; without this each
+// recurrence recomputed per-line animatedGradientText (ANSI gradient) from scratch.
+// The memo makes the 2nd+ cycle O(1) lookups, cutting steady-state HUD CPU. LRU-capped.
+const dnaClawMemo = new Map<string, string[]>();
+const DNA_CLAW_MEMO_CAP = 256;
+const EMPTY_DNA_FRAME: string[] = [];
+
 export function renderDnaClaw(opts: {
   cols?: number;
   phase?: number;
@@ -537,6 +546,9 @@ export function renderDnaClaw(opts: {
    *  `phase` this animates the forge identity without any frame-count growth. */
   frame?: number;
 }): string[] {
+  const memoKey = `${opts.grand ? "g" : "c"}|${opts.unicode !== false ? 1 : 0}|${opts.cols ?? -1}|${opts.color !== false ? 1 : 0}|${opts.colorLevel ?? ColorLevel.TrueColor}|${opts.phase ?? 0}|${opts.frame ?? 0}`;
+  const memoHit = dnaClawMemo.get(memoKey);
+  if (memoHit) return memoHit;
   const useUnicode = opts.unicode !== false;
   let source: string[];
   if (opts.grand) {
@@ -549,7 +561,8 @@ export function renderDnaClaw(opts: {
   const width = Math.max(0, ...source.map(l => l.length));
 
   if (opts.cols !== undefined && opts.cols < width) {
-    return [];
+    dnaClawMemo.set(memoKey, EMPTY_DNA_FRAME);
+    return EMPTY_DNA_FRAME;
   }
 
   const phase = opts.phase ?? 0;
@@ -557,13 +570,20 @@ export function renderDnaClaw(opts: {
   const colorLevel = opts.colorLevel ?? ColorLevel.TrueColor;
   const palette = DNA_FLOW_PALETTE;
 
-  return source.map((line, idx) => {
+  const result = source.map((line, idx) => {
     const padded = line.length < width ? line + " ".repeat(width - line.length) : line;
     if (!useColor || colorLevel < ColorLevel.TrueColor) {
       return padded;
     }
     return animatedGradientText(padded, palette, phase + idx * 0.07, { colorLevel });
   });
+
+  if (dnaClawMemo.size >= DNA_CLAW_MEMO_CAP) {
+    const oldest = dnaClawMemo.keys().next().value;
+    if (oldest !== undefined) dnaClawMemo.delete(oldest);
+  }
+  dnaClawMemo.set(memoKey, result);
+  return result;
 }
 
 /** The DNA Claw identity palette (emerald → cyan → violet helix flow). Shared by