mixdog 0.7.1

package/src/agent/orchestrator/tools/env-scrub.mjs

@@ -0,0 +1,100 @@
+// R11: scrub dangerous loader/execution env vars from a model-spawned
+// subprocess environment. Defense-in-depth on top of R5's secret scrub
+// (provider/cloud tokens). These vars let an attacker (or model error)
+// inject code before the user's command runs — NODE_OPTIONS can preload
+// arbitrary --require modules, LD_PRELOAD / DYLD_INSERT_LIBRARIES inject
+// shared libraries, PYTHONPATH / RUBYLIB / PERL5LIB hijack imports,
+// BASH_ENV / ENV runs a script on shell startup, SHELLOPTS toggles
+// dangerous shell flags, GLOBIGNORE silently hides files from expansion.
+// CDPATH redirects `cd` to attacker-controlled dirs, PROMPT_COMMAND runs
+// arbitrary code on every prompt, BASHOPTS toggles shell options, IFS
+// rewrites word splitting, SSH_AUTH_SOCK / GPG_AGENT_INFO / GNUPGHOME
+// expose live agent credentials to the child.
+// PATH is intentionally preserved — subprocesses need it to find tools.
+const LOADER_VARS = [
+    'NODE_OPTIONS',
+    'NODE_PATH',
+    'LD_PRELOAD',
+    'LD_LIBRARY_PATH',
+    'DYLD_INSERT_LIBRARIES',
+    'DYLD_LIBRARY_PATH',
+    'PYTHONPATH',
+    'RUBYLIB',
+    'PERL5LIB',
+    'BASH_ENV',
+    'ENV',
+    'SHELLOPTS',
+    'GLOBIGNORE',
+    'CDPATH',
+    'PROMPT_COMMAND',
+    'BASHOPTS',
+    'IFS',
+    'SSH_AUTH_SOCK',
+    'GPG_AGENT_INFO',
+    'GNUPGHOME',
+];
+
+// R5: provider / cloud / secret-family scrub. Shared across all spawn
+// sites so the suffix and exact lists never drift. Broad provider-family
+// prefixes (AWS_/GITHUB_/NPM_/VERCEL_/…) were removed: they nuked
+// non-secret config like AWS_REGION, GITHUB_WORKSPACE, NPM_CONFIG_CACHE,
+// VERCEL_ENV and broke subprocess tooling. Match instead by secret-
+// shaped SUFFIX (covers `*_API_KEY`, `*_SECRET`, `*_TOKEN`, `*_PASSWORD`,
+// `*_CREDENTIALS`, `*_PRIVATE_KEY`, `*_KEY`, …) and an explicit EXACT
+// set for non-suffix secrets (AWS access ids, DATABASE_URL, named
+// provider keys, GOOGLE_APPLICATION_CREDENTIALS).
+// Secret-shaped suffixes. The bare `_KEY` suffix was dropped — it deleted
+// non-secret public keys (GPG_KEY, NEXT_PUBLIC_*_KEY). `_API_KEY` is kept for
+// broad provider coverage (e.g. XAI_API_KEY) but is guarded by PUBLIC_PREFIX_RE
+// so client-exposed build vars (VITE_FIREBASE_API_KEY, NEXT_PUBLIC_*) survive.
+const SECRET_SUFFIX_RE = /(_SECRET_ACCESS_KEY|_ACCESS_KEY|_SESSION_TOKEN|_AUTH_TOKEN|_API_KEY|_TOKEN|_SECRET|_PASSWORD|_CREDENTIALS|_PRIVATE_KEY|_PAT)$/;
+// By-convention client-PUBLIC env prefixes: these are intentionally bundled to
+// the browser and must never be scrubbed as secrets even with an _API_KEY/_KEY
+// shape. Excludes them from the secret match below.
+const PUBLIC_PREFIX_RE = /^(?:NEXT_PUBLIC_|NUXT_PUBLIC_|VITE_|REACT_APP_|VUE_APP_|EXPO_PUBLIC_|GATSBY_|STORYBOOK_|PUBLIC_)/;
+const SECRET_EXACT = new Set([
+    'AWS_ACCESS_KEY_ID',
+    'AWS_SECRET_ACCESS_KEY',
+    'AWS_SESSION_TOKEN',
+    'AWS_WEB_IDENTITY_TOKEN_FILE',
+    'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI',
+    'AWS_CONTAINER_CREDENTIALS_FULL_URI',
+    'DATABASE_URL',
+    'ANTHROPIC_API_KEY',
+    'OPENAI_API_KEY',
+    'GEMINI_API_KEY',
+    'GOOGLE_API_KEY',
+    'GOOGLE_APPLICATION_CREDENTIALS',
+    'GITHUB_PAT',
+    'STRIPE_SECRET_KEY',
+    'SUPABASE_SERVICE_ROLE_KEY',
+    'NPM_CONFIG__AUTH',
+    'npm_config__auth',
+]);
+
+export function scrubLoaderVars(env) {
+    if (!env || typeof env !== 'object') return env;
+    for (const k of LOADER_VARS) delete env[k];
+    // Wildcard sweep: the exact-name list covers the common loader vars but
+    // the DYLD_/LD_ families have many siblings (DYLD_FRAMEWORK_PATH,
+    // DYLD_FALLBACK_LIBRARY_PATH, LD_AUDIT, LD_BIND_NOW, …). Delete every
+    // key under those prefixes so a new variant doesn't sneak through.
+    for (const k of Object.keys(env)) {
+        if (/^DYLD_/.test(k) || /^LD_/.test(k)) delete env[k];
+    }
+    return env;
+}
+
+// R5: strip provider/cloud/secret-family keys from a spawn env in place.
+// Shared by bash-session, shell-jobs, shell-snapshot, and bash-tool so
+// the prefix/suffix lists never drift across spawn sites. PATH is not
+// matched by any family here and is preserved.
+export function scrubProviderSecrets(env) {
+    if (!env || typeof env !== 'object') return env;
+    for (const k of Object.keys(env)) {
+        if (!PUBLIC_PREFIX_RE.test(k) && (SECRET_EXACT.has(k) || SECRET_SUFFIX_RE.test(k))) {
+            delete env[k];
+        }
+    }
+    return env;
+}

package/src/agent/orchestrator/tools/graph-binary-fetcher.mjs

@@ -0,0 +1,144 @@
+// graph-binary-fetcher.mjs — fetches the prebuilt mixdog-graph native binary
+// from the GitHub release manifest. The code graph has NO JS parse fallback,
+// so the binary is required; ensureGraphBinary downloads + sha256-verifies it
+// on first use and caches it under <dataDir>/graph-bin/. Mirrors the runtime
+// fetcher pattern (memory/lib/runtime-fetcher.mjs) but for a single binary —
+// no tar extraction.
+//
+// Public API:
+//   ensureGraphBinary(dataDir) -> absolute path to the verified binary.
+//     Throws if no asset matches the platform, or download/verify fails.
+//   findCachedGraphBinary(dataDir) -> path | null (sync, no network).
+
+import { createHash } from 'node:crypto';
+import {
+  chmodSync, createWriteStream, existsSync, mkdirSync,
+  readFileSync, readdirSync, renameSync, rmSync,
+} from 'node:fs';
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { pipeline } from 'node:stream/promises';
+
+// Bundled fallback manifest shipped with the plugin. CI rewrites this on each
+// release with the per-platform asset URLs + sha256.
+const BUNDLED_MANIFEST_PATH = fileURLToPath(new URL('./graph-manifest.json', import.meta.url));
+
+// GitHub raw fallback — only consulted when neither cached nor bundled exists.
+const MANIFEST_URL = 'https://raw.githubusercontent.com/trib-plugin/mixdog/main/src/agent/orchestrator/tools/graph-manifest.json';
+
+function binSuffix() {
+  return process.platform === 'win32' ? '.exe' : '';
+}
+
+function platformKey() {
+  const os = process.platform === 'win32' ? 'win32' : process.platform;
+  return `${os}-${process.arch}`;
+}
+
+function graphBinDir(dataDir) {
+  return join(dataDir, 'graph-bin');
+}
+
+async function loadManifest(dataDir) {
+  const cached = join(graphBinDir(dataDir), 'manifest.json');
+  if (existsSync(cached)) {
+    try { return JSON.parse(readFileSync(cached, 'utf8')); } catch { /* fall through */ }
+  }
+  if (existsSync(BUNDLED_MANIFEST_PATH)) {
+    return JSON.parse(readFileSync(BUNDLED_MANIFEST_PATH, 'utf8'));
+  }
+  const res = await fetch(MANIFEST_URL, { signal: AbortSignal.timeout(30_000) });
+  if (!res.ok) throw new Error(`[graph-fetcher] manifest fetch failed: ${res.status} ${res.statusText}`);
+  return res.json();
+}
+
+async function sha256File(filePath) {
+  return createHash('sha256').update(await readFile(filePath)).digest('hex');
+}
+
+async function downloadWithRetry(url, destPath) {
+  // 4 attempts total (1 + 3 retries); backoff 1s/3s/9s. 4xx is terminal.
+  const delays = [1000, 3000, 9000];
+  let lastErr;
+  for (let attempt = 0; attempt < 4; attempt++) {
+    try {
+      const res = await fetch(url, { signal: AbortSignal.timeout(180_000) });
+      if (res.status >= 400 && res.status < 500) {
+        throw new Error(`[graph-fetcher] asset HTTP ${res.status} (terminal) — ${url}`);
+      }
+      if (!res.ok) throw new Error(`[graph-fetcher] asset HTTP ${res.status} — ${url}`);
+      await pipeline(res.body, createWriteStream(destPath));
+      return;
+    } catch (err) {
+      lastErr = err;
+      if (String(err?.message || '').includes('(terminal)')) throw err;
+      if (attempt < 3) {
+        process.stderr.write(`[graph-fetcher] download attempt ${attempt + 1} failed (${err?.message}), retrying in ${delays[attempt]}ms…\n`);
+        await new Promise((r) => setTimeout(r, delays[attempt]));
+      }
+    }
+  }
+  throw lastErr;
+}
+
+// Remove stale binaries + tmp files, keeping the active one.
+function gcGraphBin(dir, keepFile) {
+  try {
+    for (const name of readdirSync(dir)) {
+      if (name === 'manifest.json' || name === keepFile) continue;
+      if (name.startsWith('mixdog-graph')) {
+        try { rmSync(join(dir, name), { force: true }); } catch { /* best-effort */ }
+      }
+    }
+  } catch { /* dir may not exist yet */ }
+}
+
+// Sync, network-free lookup of an already-cached binary. Used by the sync
+// _graphBinaryPath() resolver before falling back to an async fetch.
+export function findCachedGraphBinary(dataDir) {
+  try {
+    const dir = graphBinDir(dataDir);
+    const hit = readdirSync(dir).find(
+      (n) => n.startsWith('mixdog-graph') && !n.endsWith('.json') && !n.includes('.tmp-'),
+    );
+    return hit ? join(dir, hit) : null;
+  } catch {
+    return null;
+  }
+}
+
+let _inflight = null;
+
+export function ensureGraphBinary(dataDir) {
+  // Single-flight: concurrent callers (prewarm + cache-miss) share one download.
+  if (_inflight) return _inflight;
+  _inflight = (async () => {
+    const manifest = await loadManifest(dataDir);
+    const pkey = platformKey();
+    const asset = manifest.assets?.[pkey];
+    if (!asset || !asset.url || !asset.sha256) {
+      throw new Error(`[graph-fetcher] no prebuilt mixdog-graph asset for platform ${pkey}`);
+    }
+    const version = String(manifest.version || '0');
+    const dir = graphBinDir(dataDir);
+    mkdirSync(dir, { recursive: true });
+    const fileName = `mixdog-graph-${version}${binSuffix()}`;
+    const destPath = join(dir, fileName);
+    if (existsSync(destPath)) {
+      try { if (await sha256File(destPath) === asset.sha256) return destPath; } catch { /* re-download */ }
+    }
+    const tmpPath = `${destPath}.tmp-${process.pid}-${Date.now()}`;
+    await downloadWithRetry(asset.url, tmpPath);
+    const actual = await sha256File(tmpPath);
+    if (actual !== asset.sha256) {
+      try { rmSync(tmpPath, { force: true }); } catch { /* best-effort */ }
+      throw new Error(`[graph-fetcher] sha256 mismatch for ${pkey}: expected ${asset.sha256}, got ${actual}`);
+    }
+    renameSync(tmpPath, destPath);
+    if (process.platform !== 'win32') { try { chmodSync(destPath, 0o755); } catch { /* best-effort */ } }
+    gcGraphBin(dir, fileName);
+    return destPath;
+  })().finally(() => { _inflight = null; });
+  return _inflight;
+}

package/src/agent/orchestrator/tools/graph-manifest.json

@@ -0,0 +1,26 @@
+{
+  "version": "0.6.5",
+  "_comment": "Rewritten by .github/workflows/graph-release.yml on each tagged release. assets maps platformKey (process.platform-process.arch, e.g. win32-x64, linux-x64, darwin-arm64) to { url, sha256 } of the mixdog-graph binary on the GitHub release. A local cargo build under native/mixdog-graph/target/release always takes precedence at runtime. (v0.5.236 entries were filled manually after CI's commit step hit detached HEAD; the workflow now checks out ref: main so future releases self-update.)",
+  "assets": {
+    "darwin-arm64": {
+      "url": "https://github.com/trib-plugin/mixdog/releases/download/v0.6.5/mixdog-graph-darwin-arm64",
+      "sha256": "7016c273a07d19ca9e2f56e8fa7f273fdd40fc41bdc7fef206bf23e31a21a736"
+    },
+    "darwin-x64": {
+      "url": "https://github.com/trib-plugin/mixdog/releases/download/v0.6.5/mixdog-graph-darwin-x64",
+      "sha256": "d076e97da4420f49a6c726bc088a3321e2e7f6a9bfb32d39162c8c53045cfcdb"
+    },
+    "linux-arm64": {
+      "url": "https://github.com/trib-plugin/mixdog/releases/download/v0.6.5/mixdog-graph-linux-arm64",
+      "sha256": "74754562b3c080868738c032c5b6e0e13bc53d7a5277002176b036f8d6681f39"
+    },
+    "linux-x64": {
+      "url": "https://github.com/trib-plugin/mixdog/releases/download/v0.6.5/mixdog-graph-linux-x64",
+      "sha256": "0d8e8bbdd49b18746ed3f972fc3719731a1143ee03ac9e6d86586788b0b431f8"
+    },
+    "win32-x64": {
+      "url": "https://github.com/trib-plugin/mixdog/releases/download/v0.6.5/mixdog-graph-win32-x64.exe",
+      "sha256": "1a671558e5a5f13c7429ff9987a46ad72a71e52241e200d2da820a13d7cbdae7"
+    }
+  }
+}

package/src/agent/orchestrator/tools/host-input.mjs

@@ -0,0 +1,204 @@
+// Host-terminal input injection.
+//
+// Exposes `inject_input` as an MCP tool that types text into the *host*
+// terminal currently running Claude Code (and therefore this MCP server,
+// which Claude Code spawned as a child).
+//
+// Strategy:
+//   1. Walk the parent-process chain starting at this Node process.
+//   2. Find the first ancestor whose image name identifies a supported
+//      terminal host (currently: powershell / pwsh).
+//   3. Dispatch via a per-host handler map. Adding cmd / Windows Terminal /
+//      VS Code / Claude Desktop later means dropping a new entry into
+//      `HOST_HANDLERS` — no branching surgery in the dispatcher.
+//
+// The PowerShell handler reuses the proven helper script
+// `scripts/inject-input.ps1` (AttachConsole + CreateFileW("CONIN$") +
+// WriteConsoleInputW, with the stale-STD_INPUT_HANDLE workaround). We
+// shell out to the script rather than reimplementing the FFI in Node so
+// the C# console-input typedef stays in one place.
+//
+// Returned JSON shape: { ok, host, pid, exitCode, stderr? }.
+
+import { spawnSync, execFileSync } from 'node:child_process'
+import { writeFileSync, mkdtempSync, rmSync } from 'node:fs'
+import { join, dirname } from 'node:path'
+import { tmpdir } from 'node:os'
+import { fileURLToPath } from 'node:url'
+
+const __dirname = dirname(fileURLToPath(import.meta.url))
+// trib-plugin/src/agent/orchestrator/tools/host-input.mjs
+//   __dirname = .../trib-plugin/src/agent/orchestrator/tools
+//   → trib-plugin requires four `..` (orchestrator → agent → src → root).
+const PLUGIN_ROOT = join(__dirname, '..', '..', '..', '..')
+const PS_HELPER = join(PLUGIN_ROOT, 'scripts', 'inject-input.ps1')
+
+// ── Parent-chain walker (Windows) ─────────────────────────────────────
+//
+// Uses one wmic / Get-CimInstance call to read the full Win32_Process
+// table once, then walks PPID links in-process. Keeps the cost to one
+// process spawn regardless of chain depth.
+function readProcessTable() {
+  // Prefer PowerShell + Get-CimInstance — wmic.exe is deprecated and
+  // missing on newer Windows builds.
+  try {
+    const out = execFileSync(
+      'powershell.exe',
+      [
+        '-NoProfile', '-NonInteractive', '-Command',
+        "Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,Name | ConvertTo-Json -Compress",
+      ],
+      { encoding: 'utf8', windowsHide: true, timeout: 8000, maxBuffer: 16 * 1024 * 1024 },
+    )
+    const parsed = JSON.parse(out)
+    const rows = Array.isArray(parsed) ? parsed : [parsed]
+    const byPid = new Map()
+    for (const row of rows) {
+      if (!row || row.ProcessId == null) continue
+      byPid.set(Number(row.ProcessId), {
+        pid: Number(row.ProcessId),
+        ppid: Number(row.ParentProcessId ?? 0),
+        name: String(row.Name ?? ''),
+      })
+    }
+    return byPid
+  } catch (e) {
+    throw new Error(`failed to read process table: ${e?.message || e}`)
+  }
+}
+
+// Image-name → host-tag map. Lower-case match.
+const HOST_BY_IMAGE = {
+  'pwsh.exe': 'powershell',
+  'powershell.exe': 'powershell',
+  // Future:
+  // 'cmd.exe': 'cmd',
+  // 'windowsterminal.exe': 'windows-terminal',
+  // 'code.exe': 'vscode-terminal',
+  // 'claude.exe': 'claude-desktop',
+}
+
+function classifyHost(imageName) {
+  if (!imageName) return null
+  return HOST_BY_IMAGE[imageName.toLowerCase()] ?? null
+}
+
+// Walk parent chain from the given pid, returning the first ancestor whose
+// image maps to a known host. Bounded to 32 hops and skips PID 0 / orphan.
+function findHostAncestor(startPid) {
+  const table = readProcessTable()
+  let cur = table.get(Number(startPid))
+  let hops = 0
+  const trail = []
+  while (cur && hops < 32) {
+    trail.push({ pid: cur.pid, name: cur.name })
+    const tag = classifyHost(cur.name)
+    if (tag) return { host: tag, pid: cur.pid, name: cur.name, trail }
+    if (!cur.ppid || cur.ppid === cur.pid) break
+    cur = table.get(cur.ppid)
+    hops += 1
+  }
+  return { host: null, pid: null, name: null, trail }
+}
+
+// ── Per-host handlers ─────────────────────────────────────────────────
+
+function handlePowerShell(text, pid) {
+  // Pass the payload via a temp file rather than a command-line arg so
+  // arbitrary characters (quotes, backticks, $, newlines) survive without
+  // any shell or PowerShell parsing pitfalls. The .ps1 helper is invoked
+  // directly via powershell.exe -File, no -Command interpolation.
+  const tmpDir = mkdtempSync(join(tmpdir(), 'mixdog-inject-'))
+  const payloadPath = join(tmpDir, 'payload.txt')
+  let result
+  try {
+    writeFileSync(payloadPath, String(text), 'utf8')
+    // The helper script's -Text param expects a single string. Read the
+    // payload file inside a tiny -Command shim so we don't have to touch
+    // the existing helper. -Raw preserves embedded newlines and trailing
+    // whitespace exactly as the caller wrote them.
+    const psCommand =
+      `$ErrorActionPreference='Stop'; ` +
+      `$txt = Get-Content -LiteralPath ${psQuote(payloadPath)} -Raw -Encoding UTF8; ` +
+      `& ${psQuote(PS_HELPER)} -TargetPid ${Number(pid)} -Text $txt`
+    result = spawnSync(
+      'powershell.exe',
+      ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass', '-Command', psCommand],
+      { encoding: 'utf8', windowsHide: true, timeout: 15000 },
+    )
+  } finally {
+    try { rmSync(tmpDir, { recursive: true, force: true }) } catch {}
+  }
+  const exitCode = result.status ?? -1
+  const stderr = (result.stderr || '').trim()
+  const ok = exitCode === 0
+  const out = { ok, exitCode }
+  if (!ok && stderr) out.stderr = stderr
+  return out
+}
+
+// PowerShell single-quoted literal: escape ' as ''. Wraps the whole value
+// in single quotes so $ / backtick / parentheses are taken literally.
+function psQuote(s) {
+  return `'${String(s).replace(/'/g, "''")}'`
+}
+
+const HOST_HANDLERS = {
+  powershell: handlePowerShell,
+  // cmd: handleCmd,
+  // 'windows-terminal': handleWT,
+  // 'vscode-terminal': handleVSCode,
+  // 'claude-desktop': handleClaudeDesktop,
+}
+
+// ── Public entry ──────────────────────────────────────────────────────
+
+export const HOST_INPUT_TOOL_DEFS = [
+  {
+    name: 'inject_input',
+    title: 'Inject Input',
+    annotations: { title: 'Inject Input', readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true, compressible: false },
+    description: 'Inject text into the host session as if the user typed it at the prompt. Requires text.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        text: { type: 'string', minLength: 1 },
+      },
+      required: ['text'],
+      additionalProperties: false,
+    },
+  },
+]
+
+export async function executeHostInputTool(name, args /*, cwd */) {
+  if (name !== 'inject_input') throw new Error(`Unknown host-input tool: ${name}`)
+  const text = args?.text
+  if (typeof text !== 'string' || text.length === 0) {
+    throw new Error('inject_input: `text` (string, non-empty) is required')
+  }
+  if (process.platform !== 'win32') {
+    throw new Error(`inject_input: only supported on Windows (got platform=${process.platform})`)
+  }
+
+  // Always submit: append a trailing newline if the caller didn't.
+  const payload = text.endsWith('\n') ? text : text + '\n'
+
+  const { host, pid, name: imageName, trail } = findHostAncestor(process.pid)
+  if (!host) {
+    const trailStr = trail.map(t => `${t.pid}:${t.name}`).join(' → ')
+    throw new Error(`inject_input: no supported terminal host found in parent chain (${trailStr || '<empty>'})`)
+  }
+  const handler = HOST_HANDLERS[host]
+  if (typeof handler !== 'function') {
+    throw new Error(`inject_input: host "${host}" not supported yet (resolved image=${imageName} pid=${pid})`)
+  }
+
+  const result = handler(payload, pid)
+  return JSON.stringify({
+    ok: !!result.ok,
+    host,
+    pid,
+    exitCode: result.exitCode,
+    ...(result.stderr ? { stderr: result.stderr } : {}),
+  })
+}

package/src/agent/orchestrator/tools/mutation-content-cache.mjs

@@ -0,0 +1,67 @@
+import * as nodeBuffer from 'node:buffer';
+import { readFileSync } from 'node:fs';
+import { readFile as readFileAsync } from 'node:fs/promises';
+import { decodeRawBufferForSnapshotCheck } from './builtin/snapshot-helpers.mjs';
+
+function keyForPath(fullPath) {
+  const text = String(fullPath || '');
+  return process.platform === 'win32' ? text.toLowerCase() : text;
+}
+
+export function isValidUtf8Buffer(buf) {
+  if (typeof nodeBuffer.isUtf8 === 'function') return nodeBuffer.isUtf8(buf);
+  if (typeof Buffer.isUtf8 === 'function') return Buffer.isUtf8(buf);
+  return Buffer.from(buf.toString('utf-8'), 'utf-8').equals(buf);
+}
+
+export function createMutationContentCache() {
+  const entries = new Map();
+
+  function getOrCreate(fullPath) {
+    const key = keyForPath(fullPath);
+    let entry = entries.get(key);
+    if (!entry) {
+      entry = { fullPath, rawBuf: null, content: null };
+      entries.set(key, entry);
+    }
+    return entry;
+  }
+
+  function seedBuffer(fullPath, rawBuf) {
+    const entry = getOrCreate(fullPath);
+    entry.rawBuf = rawBuf;
+    entry.content = null;
+    return entry;
+  }
+
+  function readBufferSync(fullPath) {
+    const entry = getOrCreate(fullPath);
+    if (!Buffer.isBuffer(entry.rawBuf)) entry.rawBuf = readFileSync(fullPath);
+    return entry.rawBuf;
+  }
+
+  async function readBuffer(fullPath) {
+    const entry = getOrCreate(fullPath);
+    if (!Buffer.isBuffer(entry.rawBuf)) entry.rawBuf = await readFileAsync(fullPath);
+    return entry.rawBuf;
+  }
+
+  function readTextSync(fullPath) {
+    const entry = getOrCreate(fullPath);
+    if (typeof entry.content !== 'string') {
+      entry.content = decodeRawBufferForSnapshotCheck(readBufferSync(fullPath));
+    }
+    return entry.content;
+  }
+
+  function getEntry(fullPath) {
+    return entries.get(keyForPath(fullPath)) || null;
+  }
+
+  function clear(fullPath = null) {
+    if (fullPath) entries.delete(keyForPath(fullPath));
+    else entries.clear();
+  }
+
+  return { seedBuffer, readBuffer, readBufferSync, readTextSync, getEntry, clear };
+}

package/src/agent/orchestrator/tools/mutation-planner.mjs

@@ -0,0 +1,75 @@
+// NOTE: post-edit V4A fallback was removed.
+//
+// The removed V4A edit reroute used to emit every `old_string` line as a
+// `-` with zero context_before/after,
+// which meant the V4A matcher had to find the same byte slice the exact
+// edit just failed on. Code 8 ("old_string not found") is by definition a
+// byte/context mismatch (tab-vs-space drift, stale snapshot, fold-tier
+// miss), so the V4A engine fails for the same reason and the user sees a
+// noisy double-error block. The exact-unique byte path now handles large
+// chunks natively, so the V4A pre-route is dead and has been removed.
+
+export function planEditMutationRoute() {
+    // Large-chunk V4A reroute removed: an EXACT-UNIQUE byte match is safe
+    // at any size, so the edit-exact tier handles >=30-line chunks
+    // natively (size gate now guards only the fold/fuzzy fallback). The
+    // V4A pre-route used to fail anchor-not-found on bytes the exact tier
+    // WOULD match, then priorResult short-circuited and surfaced a noisy
+    // double-error block. Always route through edit-exact.
+    return { engine: 'edit-exact', reason: 'default' };
+}
+
+export function isMutationPlanRoutable(plan) {
+    return plan?.engine === 'v4a-patch' && plan?.patchArgs?.patch;
+}
+
+export function formatMutationRouteLine(plan = {}, extras = {}) {
+    const source = plan.sourceTool || extras.sourceTool || 'unknown';
+    const engine = plan.engine || extras.engine || 'unknown';
+    const reason = plan.reason || extras.reason || 'unknown';
+    const suffix = Object.entries(extras)
+        .filter(([key, value]) => key !== 'sourceTool' && key !== 'engine' && key !== 'reason' && value !== undefined && value !== null && value !== '')
+        .map(([key, value]) => `${key}=${String(value).replace(/\s+/g, '-')}`)
+        .join(' ');
+    return `mutation_route: source=${source} engine=${engine} reason=${reason}${suffix ? ` ${suffix}` : ''}`;
+}
+
+export function wrapMutationRouteOutput(text, plan = {}, extras = {}) {
+    const body = String(text ?? '');
+    if (/^mutation_route:/i.test(body.trimStart())) return body;
+    return `${formatMutationRouteLine(plan, extras)}\n${body}`;
+}
+
+export async function executeMutationPlan(plan, context = {}) {
+    if (!isMutationPlanRoutable(plan)) return null;
+    const { executePatchTool } = await import('./patch.mjs');
+    let out;
+    try {
+        out = await executePatchTool('apply_patch', {
+            base_path: context.workDir,
+            ...plan.patchArgs,
+        }, context.workDir, {
+            ...context.options,
+            readStateScope: context.readStateScope,
+            sessionId: context.options?.sessionId,
+            mutationPlan: plan,
+        });
+    } catch (err) {
+        return { ok: false, text: err?.message || String(err), plan };
+    }
+    const text = String(out ?? '');
+    if (/^Error:/i.test(text.trimStart())) {
+        return { ok: false, text: out, plan };
+    }
+    return {
+        ok: true,
+        text: wrapMutationRouteOutput(text, plan),
+        plan,
+    };
+}
+
+export function appendMutationPlanFailure(originalResult, plannedResult) {
+    if (!plannedResult || plannedResult.ok) return originalResult;
+    const plan = plannedResult.plan || {};
+    return `${originalResult}\nmutation_route: source=${plan.sourceTool || 'unknown'} engine=${plan.engine || 'unknown'} reason=${plan.reason || 'unknown'} failed\n${plannedResult.text}`;
+}

package/src/agent/orchestrator/tools/next-call-utils.mjs

@@ -0,0 +1,48 @@
+export function parseJsonNextCalls(text) {
+  const input = String(text ?? '');
+  if (!input.includes('next_call:')) return [];
+  const out = [];
+  const re = /next_call:\s*([A-Za-z_][\w]*)\(/g;
+  for (const match of input.matchAll(re)) {
+    const parsed = parseNextCallArgs(input, match.index + match[0].length);
+    if (!parsed) continue;
+    out.push({ tool: match[1], args: parsed.args, start: match.index, end: parsed.end });
+  }
+  return out;
+}
+
+export function countJsonNextCalls(text) {
+  return parseJsonNextCalls(text).length;
+}
+
+function parseNextCallArgs(text, start) {
+  let i = start;
+  while (i < text.length && /\s/.test(text[i])) i++;
+  if (text[i] !== '{') return null;
+  let depth = 0;
+  let inString = false;
+  let escaped = false;
+  for (; i < text.length; i++) {
+    const ch = text[i];
+    if (inString) {
+      if (escaped) escaped = false;
+      else if (ch === '\\') escaped = true;
+      else if (ch === '"') inString = false;
+      continue;
+    }
+    if (ch === '"') inString = true;
+    else if (ch === '{') depth++;
+    else if (ch === '}') {
+      depth--;
+      if (depth === 0) {
+        const raw = text.slice(start, i + 1).trim();
+        let j = i + 1;
+        while (j < text.length && /\s/.test(text[j])) j++;
+        if (text[j] !== ')') return null;
+        try { return { args: JSON.parse(raw), end: j + 1 }; }
+        catch { return null; }
+      }
+    }
+  }
+  return null;
+}