jinzd-ai-cli 0.4.103 → 0.4.105

package/dist/electron-server.js

@@ -36,7 +36,7 @@ import {
   VERSION,
   buildUserIdentityPrompt,
   runTestsTool
-} from "./chunk-DGXUO7D4.js";
+} from "./chunk-VOF6OTZB.js";
 import {
   hasSemanticIndex,
   semanticSearch
@@ -51,12 +51,13 @@ import {
   searchChatMemory
 } from "./chunk-5S3PIG5O.js";
 import "./chunk-JV5N65KN.js";
+import "./chunk-3RG5ZIWI.js";
 
 // src/web/server.ts
 import express from "express";
 import { createServer } from "http";
 import { WebSocketServer } from "ws";
-import { join as join15, dirname as dirname5, resolve as resolve5, relative as relative3, sep as sep2 } from "path";
+import { join as join15, dirname as dirname5, resolve as resolve6, relative as relative3, sep as sep3 } from "path";
 import { existsSync as existsSync22, readFileSync as readFileSync15, readdirSync as readdirSync11, statSync as statSync9, realpathSync } from "fs";
 import { networkInterfaces } from "os";
 
@@ -512,11 +513,17 @@ function getDangerLevel(toolName, args) {
     const cmd = String(args["command"] ?? "");
     if (/\brm\s+[^\n]*(?:-\w*[rRfF]\w*|--recursive|--force)\b/.test(cmd)) return "destructive";
     if (/\brm\s+\S/.test(cmd)) return "destructive";
-    if (/\brmdir\b|\bformat\b|\bmkfs\b/.test(cmd)) return "destructive";
-    if (/\bRemove-Item\b.*(?:-Recurse|-Force)|\bri\s+.*-(?:Recurse|Force)\b|\brd\s+\/s\b|\brmdir\s+\/s\b/i.test(cmd)) return "destructive";
+    if (/\brmdir\b|\bformat\b|\bmkfs\b|\bdd\s+if=|\bshred\b|\bfdisk\b|\bparted\b/.test(cmd)) return "destructive";
+    if (/\bshutdown\b|\breboot\b|\bhalt\b|\bpoweroff\b/.test(cmd)) return "destructive";
+    if (/\bkill\s+-9\b|\bkillall\b/.test(cmd)) return "destructive";
+    if (/\bRemove-Item\b|\bri\s+\S/i.test(cmd)) return "destructive";
+    if (/\brd\s+\/s\b|\brmdir\s+\/s\b/i.test(cmd)) return "destructive";
     if (/\bdel\s+\S/.test(cmd)) return "destructive";
-    if (/\becho\b.*>>?|\btee\b|\bcp\b|\bmv\b/.test(cmd)) return "write";
-    if (/\bSet-Content\b|\bOut-File\b|\bAdd-Content\b|\bCopy-Item\b|\bMove-Item\b/i.test(cmd)) return "write";
+    if (/\bShutdown(-Computer)?\b|\bRestart-Computer\b/i.test(cmd)) return "destructive";
+    if (/(?:^|[\s|;&])>>?\s*\S/.test(cmd)) return "write";
+    if (/\btee\b|\bcp\b|\bmv\b|\bln\s+-s/.test(cmd)) return "write";
+    if (/\bchmod\b|\bchown\b/.test(cmd)) return "write";
+    if (/\bSet-Content\b|\bOut-File\b|\bAdd-Content\b|\bCopy-Item\b|\bMove-Item\b|\bSet-ItemProperty\b|\bNew-ItemProperty\b/i.test(cmd)) return "write";
     return "safe";
   }
   if (toolName === "write_file") return "write";
@@ -4053,10 +4060,10 @@ function createCell(cellType, content) {
 // src/tools/builtin/read-file.ts
 var MAX_FILE_BYTES = 10 * 1024 * 1024;
 function getSensitiveWarning(normalizedPath) {
-  const home = homedir2();
+  const home2 = homedir2();
   const p = normalizedPath.toLowerCase();
   const base = basename(normalizedPath).toLowerCase();
-  if (normalizedPath.startsWith(home) && p.includes(".aicli") && base === "config.json") {
+  if (normalizedPath.startsWith(home2) && p.includes(".aicli") && base === "config.json") {
     return "[\u26A0 Security Warning: This file contains API keys. Be careful not to share this content.]\n\n";
   }
   if (base === ".env" || base.startsWith(".env.") || base.endsWith(".env")) {
@@ -4550,8 +4557,14 @@ function checkPermission(toolName, args, dangerLevel, rules, defaultAction = "co
     if (rule.when) {
       if (rule.when.dangerLevel && rule.when.dangerLevel !== dangerLevel) continue;
       if (rule.when.pathPattern) {
-        const path3 = String(args["path"] ?? args["command"] ?? "");
-        if (!path3.includes(rule.when.pathPattern)) continue;
+        if (toolName === "bash" && rule.action === "auto-approve") {
+          const cmd = String(args["command"] ?? "").trim();
+          if (/[;&|`$<>]/.test(cmd) || /\$\(/.test(cmd)) continue;
+          if (!cmd.startsWith(rule.when.pathPattern)) continue;
+        } else {
+          const path3 = String(args["path"] ?? args["command"] ?? "");
+          if (!path3.includes(rule.when.pathPattern)) continue;
+        }
       }
     }
     return rule.action;
@@ -4958,7 +4971,7 @@ var ToolExecutor = class {
     rl.resume();
     process.stdout.write(prompt);
     this.confirming = true;
-    return new Promise((resolve6) => {
+    return new Promise((resolve7) => {
       let completed = false;
       const cleanup = (result) => {
         if (completed) return;
@@ -4968,7 +4981,7 @@ var ToolExecutor = class {
         rl.pause();
         rlAny.output = savedOutput;
         this.confirming = false;
-        resolve6(result);
+        resolve7(result);
       };
       const onLine = (line) => {
         const trimmed = line.trim();
@@ -5138,7 +5151,7 @@ var ToolExecutor = class {
     rl.resume();
     process.stdout.write(color("Proceed? [y/N] (type y + Enter to confirm) "));
     this.confirming = true;
-    return new Promise((resolve6) => {
+    return new Promise((resolve7) => {
       let completed = false;
       const cleanup = (answer) => {
         if (completed) return;
@@ -5148,7 +5161,7 @@ var ToolExecutor = class {
         rl.pause();
         rlAny.output = savedOutput;
         this.confirming = false;
-        resolve6(answer === "y");
+        resolve7(answer === "y");
       };
       const onLine = (line) => {
         const trimmed = line.trim();
@@ -5175,6 +5188,99 @@ var ToolExecutor = class {
   }
 };
 
+// src/tools/sensitive-paths.ts
+import { resolve as resolve3, sep as sep2, basename as basename2 } from "path";
+import { homedir as homedir3 } from "os";
+var home = homedir3();
+function norm(p) {
+  const abs = resolve3(p);
+  return process.platform === "win32" ? abs.toLowerCase() : abs;
+}
+function homeRel(p) {
+  const abs = norm(p);
+  const h = norm(home);
+  if (abs === h) return ".";
+  if (abs.startsWith(h + (process.platform === "win32" ? "\\" : "/"))) {
+    return abs.slice(h.length + 1);
+  }
+  return null;
+}
+function classifyWritePath(path3) {
+  if (!path3) return { sensitive: false };
+  const abs = norm(path3);
+  const base = basename2(abs);
+  const rel = homeRel(path3);
+  if (rel) {
+    const shellRc = /* @__PURE__ */ new Set([
+      ".bashrc",
+      ".bash_profile",
+      ".bash_login",
+      ".profile",
+      ".zshrc",
+      ".zprofile",
+      ".zshenv",
+      ".zlogin",
+      ".kshrc",
+      ".cshrc",
+      ".tcshrc",
+      ".fish_config"
+    ]);
+    if (shellRc.has(base)) {
+      return { sensitive: true, reason: `shell startup file (${rel})` };
+    }
+  }
+  const sshDir = `${sep2}.ssh${sep2}`;
+  if (abs.includes(sshDir.toLowerCase()) || abs.includes(sshDir)) {
+    return { sensitive: true, reason: `SSH directory (${rel ?? abs})` };
+  }
+  const credPaths = [
+    `${sep2}.aws${sep2}credentials`,
+    `${sep2}.aws${sep2}config`,
+    `${sep2}.gcp${sep2}`,
+    `${sep2}.azure${sep2}`,
+    `${sep2}.config${sep2}gcloud${sep2}`,
+    `${sep2}.kube${sep2}config`,
+    `${sep2}.docker${sep2}config.json`,
+    `${sep2}.netrc`
+  ];
+  for (const c of credPaths) {
+    const lc = process.platform === "win32" ? c.toLowerCase() : c;
+    if (abs.includes(lc)) return { sensitive: true, reason: `cloud/auth credential file (${rel ?? abs})` };
+  }
+  if (rel && (rel === ".aicli" || rel.startsWith(".aicli" + (process.platform === "win32" ? "\\" : "/")))) {
+    if (base === "config.json" || base === "users.json") {
+      return { sensitive: true, reason: `ai-cli internal config (${rel})` };
+    }
+  }
+  if (abs.includes(`${sep2}.git${sep2}hooks${sep2}`) || abs.includes(`${sep2}.git${sep2}hooks${sep2}`.toLowerCase())) {
+    return { sensitive: true, reason: ".git/hooks/* \u2014 runs on next git operation" };
+  }
+  if (abs.includes(`${sep2}.git${sep2}config`) || abs.includes(`${sep2}.git${sep2}config`.toLowerCase())) {
+    return { sensitive: true, reason: ".git/config \u2014 repository identity" };
+  }
+  if (process.platform !== "win32") {
+    const sysPrefixes = ["/etc/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/boot/"];
+    for (const pre of sysPrefixes) {
+      if (abs.startsWith(pre)) return { sensitive: true, reason: `system path (${pre})` };
+    }
+  } else {
+    const winSys = ["c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\", "c:\\program files (x86)\\"];
+    for (const pre of winSys) {
+      if (abs.startsWith(pre)) return { sensitive: true, reason: `system path (${pre})` };
+    }
+  }
+  if (abs.includes(`${sep2}cron.d${sep2}`) || abs.startsWith("/etc/cron") || abs.startsWith("/var/spool/cron/")) {
+    return { sensitive: true, reason: "cron scheduling" };
+  }
+  if (rel && (rel.startsWith("Library/LaunchAgents/") || rel.startsWith("Library/LaunchDaemons/"))) {
+    return { sensitive: true, reason: "macOS launch agent" };
+  }
+  return { sensitive: false };
+}
+var subAgentGuard = {
+  active: false
+};
+
 // src/tools/builtin/write-file.ts
 var writeFileTool = {
   definition: {
@@ -5217,6 +5323,13 @@ Do NOT split a long document into many write_file(append=true) calls. That patte
     const encoding = args["encoding"] ?? "utf-8";
     const appendMode = String(args["append"] ?? "false").toLowerCase() === "true";
     if (!filePath) throw new ToolError("write_file", "path is required");
+    const verdict = classifyWritePath(filePath);
+    if (verdict.sensitive && subAgentGuard.active) {
+      throw new ToolError(
+        "write_file",
+        `Refused: sub-agents cannot write to sensitive paths \u2014 ${verdict.reason}. If this is genuinely needed, ask the parent agent to perform the write so the user can approve it.`
+      );
+    }
     undoStack.push(filePath, `write_file${appendMode ? " (append)" : ""}: ${filePath}`);
     fileCheckpoints.snapshot(filePath, ToolExecutor.currentMessageIndex);
     mkdirSync3(dirname2(filePath), { recursive: true });
@@ -5229,7 +5342,7 @@ Do NOT split a long document into many write_file(append=true) calls. That patte
     const mode = appendMode ? "appended" : "written";
     void (async () => {
       try {
-        const { updateFile } = await import("./indexer-O5FCGFBJ.js");
+        const { updateFile } = await import("./indexer-Z6AQTGBK.js");
         await updateFile(process.cwd(), filePath);
       } catch {
       }
@@ -5601,6 +5714,13 @@ Note: Path can be absolute or relative to cwd.`,
     const encoding = args["encoding"] ?? "utf-8";
     if (!filePath) throw new ToolError("edit_file", "path is required");
     if (!existsSync7(filePath)) throw new ToolError("edit_file", `File not found: ${filePath}`);
+    const verdict = classifyWritePath(filePath);
+    if (verdict.sensitive && subAgentGuard.active) {
+      throw new ToolError(
+        "edit_file",
+        `Refused: sub-agents cannot edit sensitive paths \u2014 ${verdict.reason}. If this is genuinely needed, ask the parent agent to perform the edit so the user can approve it.`
+      );
+    }
     const original = readFileSync6(filePath, encoding);
     if (args["patch"] !== void 0) {
       const patchText = String(args["patch"] ?? "");
@@ -5760,7 +5880,7 @@ function truncatePreview(str, maxLen = 80) {
 
 // src/tools/builtin/list-dir.ts
 import { readdirSync as readdirSync4, statSync as statSync3, existsSync as existsSync8 } from "fs";
-import { join as join3, basename as basename2 } from "path";
+import { join as join3, basename as basename3 } from "path";
 var listDirTool = {
   definition: {
     name: "list_dir",
@@ -5783,7 +5903,7 @@ var listDirTool = {
     const dirPath = String(args["path"] ?? process.cwd());
     const recursive = Boolean(args["recursive"] ?? false);
     if (!existsSync8(dirPath)) {
-      const targetName = basename2(dirPath).toLowerCase();
+      const targetName = basename3(dirPath).toLowerCase();
       const cwd = process.cwd();
       const suggestions = [];
       try {
@@ -6098,7 +6218,7 @@ function searchInFile(fullPath, displayPath, regex, contextLines, maxResults, re
 
 // src/tools/builtin/glob-files.ts
 import { readdirSync as readdirSync6, statSync as statSync5, existsSync as existsSync10 } from "fs";
-import { join as join5, relative as relative2, basename as basename3 } from "path";
+import { join as join5, relative as relative2, basename as basename4 } from "path";
 var globFilesTool = {
   definition: {
     name: "glob_files",
@@ -6214,7 +6334,7 @@ function collectMatchingFiles(dirPath, rootPath, regex, results, maxResults) {
       collectMatchingFiles(fullPath, rootPath, regex, results, maxResults);
     } else if (entry.isFile()) {
       const relPath = relative2(rootPath, fullPath).replace(/\\/g, "/");
-      if (regex.test(relPath) || regex.test(basename3(relPath))) {
+      if (regex.test(relPath) || regex.test(basename4(relPath))) {
         try {
           const stat = statSync5(fullPath);
           results.push({ relPath, absPath: fullPath, mtime: stat.mtimeMs });
@@ -6290,7 +6410,7 @@ var runInteractiveTool = {
       PYTHONDONTWRITEBYTECODE: "1"
     };
     const prefixWarnings = [argsTypeWarning, stdinTypeWarning].filter(Boolean).join("");
-    return new Promise((resolve6) => {
+    return new Promise((resolve7) => {
       const child = spawn2(executable, cmdArgs.map(String), {
         cwd: process.cwd(),
         env,
@@ -6323,22 +6443,22 @@ var runInteractiveTool = {
       setTimeout(writeNextLine, 400);
       const timer = setTimeout(() => {
         child.kill();
-        resolve6(`${prefixWarnings}[Timeout after ${timeout}ms]
+        resolve7(`${prefixWarnings}[Timeout after ${timeout}ms]
 ${buildOutput(stdout, stderr)}`);
       }, timeout);
       child.on("close", (code) => {
         clearTimeout(timer);
         const output = buildOutput(stdout, stderr);
         if (code !== 0 && code !== null) {
-          resolve6(`${prefixWarnings}Exit code ${code}:
+          resolve7(`${prefixWarnings}Exit code ${code}:
 ${output}`);
         } else {
-          resolve6(`${prefixWarnings}${output || "(no output)"}`);
+          resolve7(`${prefixWarnings}${output || "(no output)"}`);
         }
       });
       child.on("error", (err) => {
         clearTimeout(timer);
-        resolve6(
+        resolve7(
           `${prefixWarnings}Failed to start process "${executable}": ${err.message}
 Hint: On Windows, use the full path to the executable, e.g.:
   C:\\Users\\Jinzd\\anaconda3\\envs\\python312\\python.exe`
@@ -6608,9 +6728,9 @@ Any of these triggers means use save_last_response, NOT write_file:
 // src/tools/builtin/save-memory.ts
 import { existsSync as existsSync11, statSync as statSync6, appendFileSync as appendFileSync2, mkdirSync as mkdirSync5 } from "fs";
 import { join as join6 } from "path";
-import { homedir as homedir3 } from "os";
+import { homedir as homedir4 } from "os";
 function getMemoryFilePath() {
-  return join6(homedir3(), CONFIG_DIR_NAME, MEMORY_FILE_NAME);
+  return join6(homedir4(), CONFIG_DIR_NAME, MEMORY_FILE_NAME);
 }
 function formatTimestamp() {
   const now = /* @__PURE__ */ new Date();
@@ -6634,7 +6754,7 @@ var saveMemoryTool = {
     const content = String(args["content"] ?? "").trim();
     if (!content) throw new ToolError("save_memory", "content is required");
     const memoryPath = getMemoryFilePath();
-    const configDir = join6(homedir3(), CONFIG_DIR_NAME);
+    const configDir = join6(homedir4(), CONFIG_DIR_NAME);
     if (!existsSync11(configDir)) {
       mkdirSync5(configDir, { recursive: true });
     }
@@ -6689,7 +6809,7 @@ function promptUser(rl, question) {
   console.log();
   console.log(chalk4.cyan("\u2753 ") + chalk4.bold(question));
   process.stdout.write(chalk4.cyan("> "));
-  return new Promise((resolve6) => {
+  return new Promise((resolve7) => {
     let completed = false;
     const cleanup = (answer) => {
       if (completed) return;
@@ -6699,7 +6819,7 @@ function promptUser(rl, question) {
       rl.pause();
       rlAny.output = savedOutput;
       askUserContext.prompting = false;
-      resolve6(answer);
+      resolve7(answer);
     };
     const onLine = (line) => {
       cleanup(line);
@@ -7196,37 +7316,43 @@ var spawnAgentTool = {
     if (!ctx.provider) {
       throw new ToolError("spawn_agent", "provider not initialized (context not injected)");
     }
-    if (singleTask) {
-      const { content, usage } = await runSubAgent(singleTask, maxRounds, null, ctx);
-      return [
-        "## Sub-Agent Result",
-        "",
-        content,
-        "",
-        "---",
-        `Token usage: ${usage.inputTokens} input, ${usage.outputTokens} output`
-      ].join("\n");
+    const guardWasActive = subAgentGuard.active;
+    subAgentGuard.active = true;
+    try {
+      if (singleTask) {
+        const { content, usage } = await runSubAgent(singleTask, maxRounds, null, ctx);
+        return [
+          "## Sub-Agent Result",
+          "",
+          content,
+          "",
+          "---",
+          `Token usage: ${usage.inputTokens} input, ${usage.outputTokens} output`
+        ].join("\n");
+      }
+      console.log();
+      console.log(theme.toolCall(`\u{1F916} Spawning ${tasksArr.length} sub-agents in parallel...`));
+      const results = await Promise.all(
+        tasksArr.map((t, i) => runSubAgent(t, maxRounds, i + 1, ctx))
+      );
+      const totalIn = results.reduce((s, r) => s + r.usage.inputTokens, 0);
+      const totalOut = results.reduce((s, r) => s + r.usage.outputTokens, 0);
+      const lines = [`## Parallel Sub-Agent Results (${results.length} agents)`, ""];
+      results.forEach((r, i) => {
+        lines.push(`### Sub-Agent #${i + 1}`);
+        lines.push(`**Task**: ${tasksArr[i].slice(0, 200)}${tasksArr[i].length > 200 ? "..." : ""}`);
+        lines.push("");
+        lines.push(r.content);
+        lines.push("");
+        lines.push(`*Tokens: ${r.usage.inputTokens} in / ${r.usage.outputTokens} out*`);
+        lines.push("");
+      });
+      lines.push("---");
+      lines.push(`Total token usage: ${totalIn} input, ${totalOut} output`);
+      return lines.join("\n");
+    } finally {
+      subAgentGuard.active = guardWasActive;
     }
-    console.log();
-    console.log(theme.toolCall(`\u{1F916} Spawning ${tasksArr.length} sub-agents in parallel...`));
-    const results = await Promise.all(
-      tasksArr.map((t, i) => runSubAgent(t, maxRounds, i + 1, ctx))
-    );
-    const totalIn = results.reduce((s, r) => s + r.usage.inputTokens, 0);
-    const totalOut = results.reduce((s, r) => s + r.usage.outputTokens, 0);
-    const lines = [`## Parallel Sub-Agent Results (${results.length} agents)`, ""];
-    results.forEach((r, i) => {
-      lines.push(`### Sub-Agent #${i + 1}`);
-      lines.push(`**Task**: ${tasksArr[i].slice(0, 200)}${tasksArr[i].length > 200 ? "..." : ""}`);
-      lines.push("");
-      lines.push(r.content);
-      lines.push("");
-      lines.push(`*Tokens: ${r.usage.inputTokens} in / ${r.usage.outputTokens} out*`);
-      lines.push("");
-    });
-    lines.push("---");
-    lines.push(`Total token usage: ${totalIn} input, ${totalOut} output`);
-    return lines.join("\n");
   }
 };
 
@@ -7691,7 +7817,7 @@ ${commitOutput.trim()}`;
 // src/tools/builtin/notebook-edit.ts
 import { readFileSync as readFileSync8, existsSync as existsSync13 } from "fs";
 import { writeFile } from "fs/promises";
-import { resolve as resolve3, extname as extname2 } from "path";
+import { resolve as resolve4, extname as extname2 } from "path";
 var notebookEditTool = {
   definition: {
     name: "notebook_edit",
@@ -7740,7 +7866,7 @@ var notebookEditTool = {
     if (!Number.isInteger(cellIndexRaw) || cellIndexRaw < 1) {
       throw new ToolError("notebook_edit", "cell_index must be a positive integer (1-based)");
     }
-    const absPath = resolve3(filePath);
+    const absPath = resolve4(filePath);
     if (extname2(absPath).toLowerCase() !== ".ipynb") {
       throw new ToolError("notebook_edit", "path must point to a .ipynb file");
     }
@@ -8512,7 +8638,7 @@ var McpClient = class {
   // 内部方法：JSON-RPC 通信
   // ══════════════════════════════════════════════════════════════════
   sendRequest(method, params) {
-    return new Promise((resolve6, reject) => {
+    return new Promise((resolve7, reject) => {
       if (!this.process?.stdin?.writable) {
         return reject(new Error(`MCP server [${this.serverId}] stdin not writable`));
       }
@@ -8536,7 +8662,7 @@ var McpClient = class {
       this.pendingRequests.set(id, {
         resolve: (result) => {
           cleanup();
-          resolve6(result);
+          resolve7(result);
         },
         reject: (error) => {
           cleanup();
@@ -8613,13 +8739,13 @@ var McpClient = class {
   }
   /** Promise 超时包装 */
   withTimeout(promise, ms, label) {
-    return new Promise((resolve6, reject) => {
+    return new Promise((resolve7, reject) => {
       const timer = setTimeout(() => {
         reject(new Error(`MCP [${this.serverId}] ${label} timed out after ${ms}ms`));
       }, ms);
       promise.then((val) => {
         clearTimeout(timer);
-        resolve6(val);
+        resolve7(val);
       }).catch((err) => {
         clearTimeout(timer);
         reject(err);
@@ -8892,7 +9018,7 @@ import { join as join9 } from "path";
 
 // src/skills/types.ts
 import { readFileSync as readFileSync9 } from "fs";
-import { basename as basename4 } from "path";
+import { basename as basename5 } from "path";
 function parseSimpleYaml(yaml) {
   const result = {};
   for (const line of yaml.split("\n")) {
@@ -8921,7 +9047,7 @@ function parseSkillFile(filePath) {
   if (!frontmatterMatch) {
     return {
       meta: {
-        name: basename4(filePath, ".md"),
+        name: basename5(filePath, ".md"),
         description: ""
       },
       content: raw.trim(),
@@ -8932,7 +9058,7 @@ function parseSkillFile(filePath) {
   const parsed = parseSimpleYaml(yaml);
   return {
     meta: {
-      name: parsed["name"] ?? basename4(filePath, ".md"),
+      name: parsed["name"] ?? basename5(filePath, ".md"),
       description: parsed["description"] ?? "",
       tools: parsed["tools"] ? parseYamlArray(parsed["tools"]) : void 0
     },
@@ -9086,33 +9212,33 @@ var ToolExecutorWeb = class _ToolExecutorWeb {
   }
   /** Resolve a pending confirm from client response */
   resolveConfirm(requestId, approved) {
-    const resolve6 = this.pendingConfirms.get(requestId);
-    if (resolve6) {
+    const resolve7 = this.pendingConfirms.get(requestId);
+    if (resolve7) {
       this.clearPendingTimer(requestId);
       this.pendingConfirms.delete(requestId);
       this.confirming = false;
-      resolve6(approved);
+      resolve7(approved);
     }
   }
   /** Resolve a pending batch confirm from client response */
   resolveBatchConfirm(requestId, decision) {
-    const resolve6 = this.pendingBatchConfirms.get(requestId);
-    if (resolve6) {
+    const resolve7 = this.pendingBatchConfirms.get(requestId);
+    if (resolve7) {
       this.clearPendingTimer(requestId);
       this.pendingBatchConfirms.delete(requestId);
       this.confirming = false;
       if (decision === "all" || decision === "none") {
-        resolve6(decision);
+        resolve7(decision);
       } else {
-        resolve6(new Set(decision));
+        resolve7(new Set(decision));
       }
     }
   }
   /** Cancel all pending confirms (e.g., on disconnect) */
   cancelAll() {
-    for (const resolve6 of this.pendingConfirms.values()) resolve6(false);
+    for (const resolve7 of this.pendingConfirms.values()) resolve7(false);
     this.pendingConfirms.clear();
-    for (const resolve6 of this.pendingBatchConfirms.values()) resolve6("none");
+    for (const resolve7 of this.pendingBatchConfirms.values()) resolve7("none");
     this.pendingBatchConfirms.clear();
     this.confirming = false;
   }
@@ -9188,8 +9314,8 @@ var ToolExecutorWeb = class _ToolExecutorWeb {
       diff: this.getDiffPreview(call)
     };
     this.send(msg);
-    return new Promise((resolve6) => {
-      this.pendingConfirms.set(requestId, resolve6);
+    return new Promise((resolve7) => {
+      this.pendingConfirms.set(requestId, resolve7);
       this.pendingTimers.set(requestId, setTimeout(() => {
         if (this.pendingConfirms.has(requestId)) {
           this.resolveConfirm(requestId, false);
@@ -9213,8 +9339,8 @@ var ToolExecutorWeb = class _ToolExecutorWeb {
       files
     };
     this.send(msg);
-    return new Promise((resolve6) => {
-      this.pendingBatchConfirms.set(requestId, resolve6);
+    return new Promise((resolve7) => {
+      this.pendingBatchConfirms.set(requestId, resolve7);
       this.pendingTimers.set(requestId, setTimeout(() => {
         if (this.pendingBatchConfirms.has(requestId)) {
           this.resolveBatchConfirm(requestId, "none");
@@ -9365,9 +9491,9 @@ import { join as join11 } from "path";
 // src/repl/dev-state.ts
 import { existsSync as existsSync17, readFileSync as readFileSync11, writeFileSync as writeFileSync7, unlinkSync as unlinkSync3, mkdirSync as mkdirSync8 } from "fs";
 import { join as join10 } from "path";
-import { homedir as homedir4 } from "os";
+import { homedir as homedir5 } from "os";
 function getDevStatePath() {
-  return join10(homedir4(), CONFIG_DIR_NAME, DEV_STATE_FILE_NAME);
+  return join10(homedir5(), CONFIG_DIR_NAME, DEV_STATE_FILE_NAME);
 }
 function loadDevState() {
   const path3 = getDevStatePath();
@@ -9627,7 +9753,7 @@ function autoTrimSessionIfNeeded(session, sizeLimit = SESSION_SIZE_LIMIT) {
 
 // src/web/session-handler.ts
 import { existsSync as existsSync20, readFileSync as readFileSync13, appendFileSync as appendFileSync3, writeFileSync as writeFileSync8, mkdirSync as mkdirSync9, readdirSync as readdirSync9, statSync as statSync8, createWriteStream } from "fs";
-import { join as join13, resolve as resolve4, dirname as dirname4 } from "path";
+import { join as join13, resolve as resolve5, dirname as dirname4 } from "path";
 import { execSync as execSync3 } from "child_process";
 
 // src/tools/git-context.ts
@@ -9861,10 +9987,10 @@ var SessionHandler = class _SessionHandler {
         return;
       }
       case "ask_user_response": {
-        const resolve6 = this.pendingAskUser.get(msg.requestId);
-        if (resolve6) {
+        const resolve7 = this.pendingAskUser.get(msg.requestId);
+        if (resolve7) {
           this.pendingAskUser.delete(msg.requestId);
-          resolve6(msg.answer);
+          resolve7(msg.answer);
         }
         return;
       }
@@ -9875,10 +10001,10 @@ var SessionHandler = class _SessionHandler {
       case "memory_rebuild":
         return this.handleMemoryRebuild(Boolean(msg.full));
       case "auto_pause_response": {
-        const resolve6 = this.pendingAutoPause.get(msg.requestId);
-        if (resolve6) {
+        const resolve7 = this.pendingAutoPause.get(msg.requestId);
+        if (resolve7) {
           this.pendingAutoPause.delete(msg.requestId);
-          resolve6({ action: msg.action, message: msg.message });
+          resolve7({ action: msg.action, message: msg.message });
         }
         return;
       }
@@ -9895,9 +10021,9 @@ var SessionHandler = class _SessionHandler {
   onDisconnect() {
     this.toolExecutor.cancelAll();
     if (this.abortController) this.abortController.abort();
-    for (const resolve6 of this.pendingAskUser.values()) resolve6(null);
+    for (const resolve7 of this.pendingAskUser.values()) resolve7(null);
     this.pendingAskUser.clear();
-    for (const resolve6 of this.pendingAutoPause.values()) resolve6({ action: "stop" });
+    for (const resolve7 of this.pendingAutoPause.values()) resolve7({ action: "stop" });
     this.pendingAutoPause.clear();
     this.saveIfNeeded();
   }
@@ -10281,8 +10407,9 @@ Details: ${errMsg.split("\n")[0]}
           const alreadyWrote = hadPreviousWriteToolCalls(extraMessages);
           if (hasWriteTools && !alreadyWrote && detectsHallucinatedFileOp(result.content) && round < maxToolRounds - 1) {
             this.send({ type: "info", message: "\u26A0 Hallucinated completion detected, forcing retry..." });
+            const reasoningField = result.reasoningContent ? { reasoning_content: result.reasoningContent } : this.currentProvider === "deepseek" ? { reasoning_content: "" } : {};
             extraMessages.push(
-              { role: "assistant", content: result.content },
+              { role: "assistant", content: result.content, ...reasoningField },
               { role: "user", content: HALLUCINATION_CORRECTION_MESSAGE }
             );
             continue;
@@ -10390,8 +10517,8 @@ ${systemPromptVolatile}` : systemPrompt;
           }
           const toolSummary = [...toolCounts.entries()].sort((a, b) => b[1] - a[1]).map(([name, count]) => count > 1 ? `${name}\xD7${count}` : name).join(", ");
           const requestId = `pause_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
-          const pauseResp = await new Promise((resolve6) => {
-            this.pendingAutoPause.set(requestId, resolve6);
+          const pauseResp = await new Promise((resolve7) => {
+            this.pendingAutoPause.set(requestId, resolve7);
             this.send({
               type: "auto_pause_request",
               requestId,
@@ -10526,8 +10653,8 @@ ${summaryResult.content}`,
         }
         if (chunk.done) break;
       }
-      await new Promise((resolve6, reject) => {
-        fileStream.end((err) => err ? reject(err) : resolve6());
+      await new Promise((resolve7, reject) => {
+        fileStream.end((err) => err ? reject(err) : resolve7());
       });
       const lines = fullContent.split("\n").length;
       const bytes = Buffer.byteLength(fullContent, "utf-8");
@@ -10542,7 +10669,7 @@ ${summaryResult.content}`,
     } catch (err) {
       if (fileStream) {
         try {
-          await new Promise((resolve6) => fileStream.end(() => resolve6()));
+          await new Promise((resolve7) => fileStream.end(() => resolve7()));
         } catch {
         }
       }
@@ -11210,7 +11337,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
           break;
         }
         const sub = args[0]?.toLowerCase();
-        const resolve6 = (ref) => {
+        const resolve7 = (ref) => {
           const r = session.resolveBranchRef(ref);
           if (r.ok) return r.id;
           if (r.reason === "ambiguous") {
@@ -11264,7 +11391,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
             this.send({ type: "error", message: "Usage: /branch switch <id|title>" });
             break;
           }
-          const id = resolve6(ref);
+          const id = resolve7(ref);
           if (!id) break;
           const ok = session.switchBranch(id);
           if (ok) {
@@ -11284,7 +11411,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
             this.send({ type: "error", message: "Usage: /branch delete <id|title>" });
             break;
           }
-          const id = resolve6(ref);
+          const id = resolve7(ref);
           if (!id) break;
           const ok = session.deleteBranch(id);
           if (ok) {
@@ -11303,7 +11430,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
             this.send({ type: "error", message: "Usage: /branch rename <id|title> <new title>" });
             break;
           }
-          const id = resolve6(ref);
+          const id = resolve7(ref);
           if (!id) break;
           const ok = session.renameBranch(id, title);
           if (ok) {
@@ -11321,7 +11448,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
             this.send({ type: "error", message: "Usage: /branch diff <id|title>" });
             break;
           }
-          const id = resolve6(ref);
+          const id = resolve7(ref);
           if (!id) break;
           const d = session.diffBranches(id);
           if (!d) {
@@ -11363,7 +11490,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
             this.send({ type: "error", message: "Usage: /branch cherry-pick <source-id|title> <msg-index>" });
             break;
           }
-          const id = resolve6(ref);
+          const id = resolve7(ref);
           if (!id) break;
           const idx = parseInt(idxStr, 10);
           if (Number.isNaN(idx)) {
@@ -11389,9 +11516,9 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
       case "index": {
         const sub = (args[0] ?? "status").toLowerCase();
         const root = process.cwd();
-        const { loadIndex: loadIndex2, clearIndex } = await import("./store-247B3TAU.js");
-        const { indexProject: indexProject2 } = await import("./indexer-O5FCGFBJ.js");
-        const { loadVectorStore, clearVectorStore } = await import("./vector-store-NDUFLNGN.js");
+        const { loadIndex: loadIndex2, clearIndex } = await import("./store-Q7NMUCPP.js");
+        const { indexProject: indexProject2 } = await import("./indexer-Z6AQTGBK.js");
+        const { loadVectorStore, clearVectorStore } = await import("./vector-store-AK6J3RIA.js");
         if (sub === "status") {
           const idx = loadIndex2(root);
           const vec = loadVectorStore(root);
@@ -11440,7 +11567,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
             message: `Building semantic index for ${idx.symbolCount} symbols\u2026 (first run downloads ~117 MB model)`
           });
           try {
-            const { rebuildSemanticIndex } = await import("./semantic-3KJPAUW6.js");
+            const { rebuildSemanticIndex } = await import("./semantic-FR2ZSQLY.js");
             const stats = await rebuildSemanticIndex(root);
             const first = stats.modelFirstLoadMs ? ` (model load+first batch ${stats.modelFirstLoadMs}ms)` : "";
             this.send({
@@ -11588,7 +11715,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
         if (rewindSub === "list" || !rewindSub) {
           const lines = [`Conversation messages (${session.messages.length} total):
 `];
-          const cpIndices = (await import("./file-checkpoint-CGH6OJVI.js")).fileCheckpoints.getMessageIndices();
+          const cpIndices = (await import("./file-checkpoint-UHSMHCRU.js")).fileCheckpoints.getMessageIndices();
           for (let i = 0; i < session.messages.length; i++) {
             const m = session.messages[i];
             const text = getContentText(m.content).replace(/\n/g, " ").slice(0, 60);
@@ -11604,7 +11731,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
           this.send({ type: "error", message: `Invalid message number: ${rewindSub}. Range: 1-${session.messages.length}` });
           break;
         }
-        const { fileCheckpoints: fc } = await import("./file-checkpoint-CGH6OJVI.js");
+        const { fileCheckpoints: fc } = await import("./file-checkpoint-UHSMHCRU.js");
         const rewindRemoved = session.messages.length - rewindN;
         const rewindResult = fc.restoreToMessageIndex(rewindN);
         session.messages = session.messages.slice(0, rewindN);
@@ -11627,7 +11754,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
       case "test": {
         this.send({ type: "info", message: "\u{1F9EA} Running tests..." });
         try {
-          const { executeTests } = await import("./run-tests-SN74WT4Z.js");
+          const { executeTests } = await import("./run-tests-IMVI43CZ.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {
@@ -11812,7 +11939,7 @@ ${this.config.toFormattedJSON()}
         };
         checkLayer("Global", configDir);
         checkLayer("Project", projectRoot);
-        if (resolve4(cwd) !== resolve4(projectRoot)) {
+        if (resolve5(cwd) !== resolve5(projectRoot)) {
           checkLayer("Subdir", cwd);
         }
         layers.push("");
@@ -11883,7 +12010,7 @@ Use /add-dir remove to clear.` : "No directories added.\nUsage: /add-dir <path>
           this.send({ type: "info", message: "\u2713 All added directories removed from context." });
           break;
         }
-        const dirPath = resolve4(sub);
+        const dirPath = resolve5(sub);
         if (!existsSync20(dirPath)) {
           this.send({ type: "error", message: `Directory not found: ${dirPath}` });
           break;
@@ -12151,7 +12278,7 @@ Add .md files to create commands.` });
       return;
     }
     try {
-      const { searchChatMemory: searchChatMemory2, loadChatIndex: loadChatIndex2 } = await import("./chat-index-QKFH7ZP6.js");
+      const { searchChatMemory: searchChatMemory2, loadChatIndex: loadChatIndex2 } = await import("./chat-index-ADG2GPCC.js");
       const loaded = loadChatIndex2();
       if (!loaded || loaded.idx.chunks.length === 0) {
         this.send({ type: "memory_hits", query: q, hits: [], indexMissing: true });
@@ -12187,7 +12314,7 @@ Add .md files to create commands.` });
   }
   async handleMemoryStatus() {
     try {
-      const { getChatIndexStatus } = await import("./chat-index-QKFH7ZP6.js");
+      const { getChatIndexStatus } = await import("./chat-index-ADG2GPCC.js");
       const s = getChatIndexStatus();
       this.send({
         type: "memory_status",
@@ -12212,7 +12339,7 @@ Add .md files to create commands.` });
         type: "info",
         message: full ? "\u{1F9E0} Rebuilding chat memory index (this may take a while on first run \u2014 ~117 MB embedder)." : "\u{1F9E0} Refreshing chat memory index (incremental)\u2026"
       });
-      const { buildChatIndex } = await import("./chat-index-QKFH7ZP6.js");
+      const { buildChatIndex } = await import("./chat-index-ADG2GPCC.js");
       const stats = await buildChatIndex({
         full,
         onProgress: (p) => {
@@ -12591,7 +12718,7 @@ If none found: "\u2705 No security vulnerabilities detected"`;
     const projectRoot = gitRoot ?? cwd;
     const projectCtx = this.findContextFile(projectRoot);
     if (projectCtx) parts.push(projectCtx);
-    if (resolve4(cwd) !== resolve4(projectRoot)) {
+    if (resolve5(cwd) !== resolve5(projectRoot)) {
       const localCtx = this.findContextFile(cwd);
       if (localCtx) parts.push(localCtx);
     }
@@ -12831,7 +12958,7 @@ function getModuleDir() {
     }
   } catch {
   }
-  return resolve5(".");
+  return resolve6(".");
 }
 async function startWebServer(options = {}) {
   const port = options.port ?? 3e3;
@@ -12860,7 +12987,18 @@ async function startWebServer(options = {}) {
   console.log(`   Providers: ${availableProviders.map((p) => p.info.id).join(", ")}`);
   let mcpManager = null;
   const globalMcpServers = config.get("mcpServers") ?? {};
-  const projectMcpServers = loadProjectMcpConfig() ?? {};
+  const projectMcpResolved = resolveProjectMcpPath();
+  let projectMcpServers = {};
+  if (projectMcpResolved) {
+    const { checkTrust } = await import("./project-trust-EBGHD7LE.js");
+    const verdict = checkTrust(config.getConfigDir(), projectMcpResolved);
+    if (verdict.trusted) {
+      projectMcpServers = loadProjectMcpConfig() ?? {};
+    } else {
+      console.log(`   \u26A0 Project .mcp.json found at ${projectMcpResolved} but not trusted (${verdict.reason}).`);
+      console.log(`     Skipped to prevent unintended RCE. Run "aicli" then "/mcp trust-project" to approve.`);
+    }
+  }
   const mergedMcpServers = { ...globalMcpServers, ...projectMcpServers };
   if (Object.keys(mergedMcpServers).length > 0) {
     mcpManager = new McpManager();
@@ -12955,6 +13093,17 @@ async function startWebServer(options = {}) {
   });
   app.use(express.json());
   app.post("/api/auth/register", (req, res) => {
+    const firstRun = !authManager.hasUsers();
+    if (!firstRun) {
+      const authHeader = req.headers.authorization;
+      const token2 = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+      const cookieToken = parseCookie(req.headers.cookie ?? "")["aicli_token"];
+      const effectiveToken = token2 ?? cookieToken;
+      if (!effectiveToken || !authManager.verifyToken(effectiveToken)) {
+        res.status(403).json({ error: "Registration is closed. Use `aicli user create` on the host to add users." });
+        return;
+      }
+    }
     const { username, password } = req.body ?? {};
     if (!username || !password) {
       res.status(400).json({ error: "Username and password required" });
@@ -12966,7 +13115,7 @@ async function startWebServer(options = {}) {
       return;
     }
     const token = authManager.login(username, password);
-    console.log(`   \u2713 User registered via API: ${username}`);
+    console.log(`   \u2713 User registered via API: ${username}${firstRun ? " (first-run)" : ""}`);
     res.cookie("aicli_token", token, { httpOnly: true, sameSite: "strict", maxAge: 7 * 24 * 3600 * 1e3 });
     res.json({ success: true, token, username });
   });
@@ -12975,9 +13124,9 @@ async function startWebServer(options = {}) {
     const prefix = req.query.prefix || "";
     const targetDir = join15(cwd, prefix);
     try {
-      const canonicalTarget = realpathSync(resolve5(targetDir));
-      const canonicalCwd = realpathSync(resolve5(cwd));
-      if (!canonicalTarget.startsWith(canonicalCwd + sep2) && canonicalTarget !== canonicalCwd) {
+      const canonicalTarget = realpathSync(resolve6(targetDir));
+      const canonicalCwd = realpathSync(resolve6(cwd));
+      if (!canonicalTarget.startsWith(canonicalCwd + sep3) && canonicalTarget !== canonicalCwd) {
         res.json({ files: [] });
         return;
       }
@@ -13034,7 +13183,7 @@ async function startWebServer(options = {}) {
       try {
         const canonicalFile = realpathSync(filePath);
         const canonicalDir = realpathSync(histDir);
-        if (!canonicalFile.startsWith(canonicalDir + sep2)) {
+        if (!canonicalFile.startsWith(canonicalDir + sep3)) {
           res.status(404).json({ error: "Session not found" });
           return;
         }
@@ -13055,11 +13204,11 @@ async function startWebServer(options = {}) {
       return;
     }
     const cwd = process.cwd();
-    const fullPath = resolve5(join15(cwd, filePath));
+    const fullPath = resolve6(join15(cwd, filePath));
     try {
       const canonicalFull = realpathSync(fullPath);
-      const canonicalCwd = realpathSync(resolve5(cwd));
-      if (!canonicalFull.startsWith(canonicalCwd + sep2) && canonicalFull !== canonicalCwd) {
+      const canonicalCwd = realpathSync(resolve6(cwd));
+      if (!canonicalFull.startsWith(canonicalCwd + sep3) && canonicalFull !== canonicalCwd) {
         res.json({ error: "Access denied" });
         return;
       }
@@ -13193,6 +13342,10 @@ async function startWebServer(options = {}) {
         if (parsed.type === "auth") {
           const { action, username, password } = parsed;
           if (action === "register") {
+            if (authManager.hasUsers() && !authenticatedUser) {
+              ws.send(JSON.stringify({ type: "auth_result", success: false, error: "Registration is closed. Use `aicli user create` on the host to add users." }));
+              return;
+            }
             const err = authManager.register(username, password);
             if (err) {
               ws.send(JSON.stringify({ type: "auth_result", success: false, error: err }));
@@ -13272,7 +13425,7 @@ async function startWebServer(options = {}) {
   });
   const MAX_PORT_ATTEMPTS = 10;
   let actualPort = port;
-  const result = await new Promise((resolve6, reject) => {
+  const result = await new Promise((resolve7, reject) => {
     const tryListen = (attempt) => {
       server.once("error", (err) => {
         if (err.code === "EADDRINUSE" && attempt < MAX_PORT_ATTEMPTS) {
@@ -13303,7 +13456,7 @@ async function startWebServer(options = {}) {
         }
         console.log(`   Press Ctrl+C to stop
 `);
-        resolve6({ port: actualPort, host, url });
+        resolve7({ port: actualPort, host, url });
       });
     };
     tryListen(1);
@@ -13319,6 +13472,13 @@ async function startWebServer(options = {}) {
   });
   return result;
 }
+function resolveProjectMcpPath() {
+  const cwd = process.cwd();
+  const gitRoot = getGitRoot(cwd);
+  const projectRoot = gitRoot ?? cwd;
+  const configPath = join15(projectRoot, MCP_PROJECT_CONFIG_NAME);
+  return existsSync22(configPath) ? configPath : null;
+}
 function loadProjectMcpConfig() {
   const cwd = process.cwd();
   const gitRoot = getGitRoot(cwd);