muonroi-cli 1.4.1 → 1.5.0

package/dist/src/tools/git-safety.test.js

@@ -0,0 +1,111 @@
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { __resetGitSafetyState, analyzeGitCommand, checkPushGate, detectSensitiveStaging, recordCommandOutcome, stagingWarning, } from "./git-safety.js";
+describe("analyzeGitCommand", () => {
+    it("detects git push (with flags and chained)", () => {
+        expect(analyzeGitCommand("git push").isPush).toBe(true);
+        expect(analyzeGitCommand("git push origin main").isPush).toBe(true);
+        expect(analyzeGitCommand("git -c x=y push --force").isPush).toBe(true);
+        expect(analyzeGitCommand("git add -A && git commit -m x && git push origin main").isPush).toBe(true);
+    });
+    it("does not match 'push' inside a quoted commit message", () => {
+        expect(analyzeGitCommand('git commit -m "fix git push regression"').isPush).toBe(false);
+    });
+    it("detects a real push on its own line in a multi-line script", () => {
+        expect(analyzeGitCommand("git config user.name x\ngit push origin main").isPush).toBe(true);
+    });
+    it("does not bleed across a newline into an unrelated command", () => {
+        // 'git status' then a separate line with the word 'push' is NOT a git push.
+        expect(analyzeGitCommand("git status\necho push-notification").isPush).toBe(false);
+        expect(analyzeGitCommand("git log\nrm push.txt").isPush).toBe(false);
+    });
+    it("detects broad staging (-A / . / --all / commit -a)", () => {
+        expect(analyzeGitCommand("git add -A").isBroadStage).toBe(true);
+        expect(analyzeGitCommand("git add .").isBroadStage).toBe(true);
+        expect(analyzeGitCommand("git add --all").isBroadStage).toBe(true);
+        expect(analyzeGitCommand("git commit -am 'x'").isBroadStage).toBe(true);
+        expect(analyzeGitCommand("git commit -a").isBroadStage).toBe(true);
+    });
+    it("detects broad staging even with git global options before the subcommand", () => {
+        expect(analyzeGitCommand("git -c core.editor=true commit -a").isBroadStage).toBe(true);
+        expect(analyzeGitCommand("git -c x=y add -A").isBroadStage).toBe(true);
+    });
+    it("does not flag explicit/narrow staging or non-staging flags", () => {
+        expect(analyzeGitCommand("git add src/foo.ts src/bar.ts").isBroadStage).toBe(false);
+        expect(analyzeGitCommand("git add ./src/foo.ts").isBroadStage).toBe(false);
+        expect(analyzeGitCommand("git commit -m 'message'").isBroadStage).toBe(false);
+        expect(analyzeGitCommand("git commit --amend").isBroadStage).toBe(false);
+        // -a must be a clean flag cluster — a malformed `-a--otherflag` is not `-a`.
+        expect(analyzeGitCommand("git commit -a--otherflag").isBroadStage).toBe(false);
+    });
+});
+describe("push gate", () => {
+    beforeEach(() => {
+        __resetGitSafetyState();
+        delete process.env.MUONROI_ALLOW_PUSH_ON_RED;
+    });
+    afterEach(() => {
+        delete process.env.MUONROI_ALLOW_PUSH_ON_RED;
+    });
+    it("does not block when no verification has failed", () => {
+        expect(checkPushGate("s1").blocked).toBe(false);
+    });
+    it("blocks push after a verification command fails", () => {
+        recordCommandOutcome("s1", "npm test", false);
+        const gate = checkPushGate("s1");
+        expect(gate.blocked).toBe(true);
+        expect(gate.failed).toContain("npm test");
+    });
+    it("clears the block when that same command re-runs green", () => {
+        recordCommandOutcome("s1", "npm test", false);
+        expect(checkPushGate("s1").blocked).toBe(true);
+        recordCommandOutcome("s1", "npm test", true);
+        expect(checkPushGate("s1").blocked).toBe(false);
+    });
+    it("a different verify passing does NOT clear an unrelated failed verify", () => {
+        recordCommandOutcome("s1", "npm test", false);
+        recordCommandOutcome("s1", "npm run build", true); // build green, tests still red
+        expect(checkPushGate("s1").blocked).toBe(true);
+        expect(checkPushGate("s1").failed).toEqual(["npm test"]);
+    });
+    it("is session-scoped (one session's failure does not gate another)", () => {
+        recordCommandOutcome("s1", "vitest run", false);
+        expect(checkPushGate("s1").blocked).toBe(true);
+        expect(checkPushGate("s2").blocked).toBe(false);
+    });
+    it("ignores non-verification command outcomes", () => {
+        recordCommandOutcome("s1", "git status", false);
+        recordCommandOutcome("s1", "ls -la", false);
+        expect(checkPushGate("s1").blocked).toBe(false);
+    });
+    it("respects the MUONROI_ALLOW_PUSH_ON_RED override", () => {
+        recordCommandOutcome("s1", "npm test", false);
+        process.env.MUONROI_ALLOW_PUSH_ON_RED = "1";
+        expect(checkPushGate("s1").blocked).toBe(false);
+    });
+});
+describe("sensitive staging detection", () => {
+    let dir;
+    beforeEach(() => {
+        dir = mkdtempSync(join(tmpdir(), "git-safety-"));
+    });
+    afterEach(() => {
+        rmSync(dir, { recursive: true, force: true });
+    });
+    it("flags .env and .muonroi-cli present in the repo root", () => {
+        writeFileSync(join(dir, ".env"), "SECRET=1");
+        writeFileSync(join(dir, ".muonroi-cli"), ""); // a file is enough for existsSync
+        const found = detectSensitiveStaging(dir);
+        expect(found).toContain(".env");
+        expect(found).toContain(".muonroi-cli");
+        expect(stagingWarning(dir)).toMatch(/WARNING/);
+    });
+    it("returns no warning for a clean repo", () => {
+        writeFileSync(join(dir, "README.md"), "# ok");
+        expect(detectSensitiveStaging(dir)).toEqual([]);
+        expect(stagingWarning(dir)).toBe("");
+    });
+});
+//# sourceMappingURL=git-safety.test.js.map

package/dist/src/tools/native-tools.d.ts

@@ -0,0 +1,31 @@
+/**
+ * src/tools/native-tools.ts
+ *
+ * NATIVE in-process builtins for the capabilities that muonroi-tools previously
+ * exposed only via a self-spawned MCP subprocess: ee_health, ee_feedback,
+ * usage_forensics, lsp_query, setup_guide, and selfverify_* (start/status/
+ * result/list/cancel).
+ *
+ * Why native: muonroi-tools is THIS CLI. Self-spawning a 137MB CLI as an MCP
+ * server per turn cold-started ~2-3.5s and overran the build deadline (and a
+ * seed-time bug once persisted a vitest-worker command that crashed on launch).
+ * For the CLI's OWN inner agent these tools should run in-process — no subprocess,
+ * no MCP round-trip, no cold-start. The muonroi-tools MCP server (tools-server.ts)
+ * stays for EXTERNAL agents (Claude Code etc.). `ee_query` is already native
+ * (registry.ts) and is intentionally NOT duplicated here.
+ *
+ * Each tool reuses the SAME core the MCP server wraps (ee/search, cli/cost-
+ * forensics, lsp/runtime, the shared self-verify JobManager), so behaviour is
+ * identical across the two surfaces.
+ */
+import { type ToolSet } from "ai";
+/** The native tool names this module registers — used by the MCP-twin dedup. */
+export declare const NATIVE_MUONROI_TOOL_NAMES: readonly ["ee_health", "ee_feedback", "usage_forensics", "lsp_query", "setup_guide", "selfverify_start", "selfverify_status", "selfverify_result", "selfverify_list", "selfverify_cancel"];
+export interface NativeToolOpts {
+    /** Workspace cwd for lsp_query. Defaults to process.cwd(). */
+    cwd?: string;
+}
+/**
+ * Add the native muonroi-tools builtins to `tools`. Mutates and returns it.
+ */
+export declare function registerNativeMuonroiTools(tools: ToolSet, opts?: NativeToolOpts): ToolSet;

package/dist/src/tools/native-tools.js

@@ -0,0 +1,273 @@
+/**
+ * src/tools/native-tools.ts
+ *
+ * NATIVE in-process builtins for the capabilities that muonroi-tools previously
+ * exposed only via a self-spawned MCP subprocess: ee_health, ee_feedback,
+ * usage_forensics, lsp_query, setup_guide, and selfverify_* (start/status/
+ * result/list/cancel).
+ *
+ * Why native: muonroi-tools is THIS CLI. Self-spawning a 137MB CLI as an MCP
+ * server per turn cold-started ~2-3.5s and overran the build deadline (and a
+ * seed-time bug once persisted a vitest-worker command that crashed on launch).
+ * For the CLI's OWN inner agent these tools should run in-process — no subprocess,
+ * no MCP round-trip, no cold-start. The muonroi-tools MCP server (tools-server.ts)
+ * stays for EXTERNAL agents (Claude Code etc.). `ee_query` is already native
+ * (registry.ts) and is intentionally NOT duplicated here.
+ *
+ * Each tool reuses the SAME core the MCP server wraps (ee/search, cli/cost-
+ * forensics, lsp/runtime, the shared self-verify JobManager), so behaviour is
+ * identical across the two surfaces.
+ */
+import { dynamicTool, jsonSchema } from "ai";
+import { LSP_TOOL_OPERATIONS } from "../lsp/types.js";
+import { getSelfVerifyJobManager } from "../mcp/self-verify-runner.js";
+import { SETUP_GUIDE_TEXT } from "../mcp/setup-guide-text.js";
+/** The native tool names this module registers — used by the MCP-twin dedup. */
+export const NATIVE_MUONROI_TOOL_NAMES = [
+    "ee_health",
+    "ee_feedback",
+    "usage_forensics",
+    "lsp_query",
+    "setup_guide",
+    "selfverify_start",
+    "selfverify_status",
+    "selfverify_result",
+    "selfverify_list",
+    "selfverify_cancel",
+];
+const json = (data) => JSON.stringify(data);
+const errLine = (error, message) => `ERROR ${error}: ${message}`;
+/**
+ * Add the native muonroi-tools builtins to `tools`. Mutates and returns it.
+ */
+export function registerNativeMuonroiTools(tools, opts = {}) {
+    // ── Experience Engine: health + feedback (ee_query is already native) ──────
+    tools.ee_health = dynamicTool({
+        description: "Check Experience Engine server reachability (returns {ok, status}).",
+        inputSchema: jsonSchema({ type: "object", properties: {}, additionalProperties: false }),
+        execute: async () => {
+            try {
+                const { healthEE } = await import("../ee/search.js");
+                return json(await healthEE());
+            }
+            catch (e) {
+                return errLine("ee_unavailable", e instanceof Error ? e.message : String(e));
+            }
+        },
+    });
+    tools.ee_feedback = dynamicTool({
+        description: "Rate an Experience Engine recall entry so the brain keeps what helped and prunes the rest. Call after " +
+            "acting on an ee_query result — once per `[id col]` you used or judged. verdict: 'followed' (you changed " +
+            "your approach because of it), 'ignored' (topical but did not apply this time), 'noise' (wrong by category — " +
+            "REQUIRES reason: wrong_repo | wrong_language | wrong_task | stale_rule). id may be a short prefix.",
+        inputSchema: jsonSchema({
+            type: "object",
+            properties: {
+                id: { type: "string", description: "Entry id (short prefix accepted)" },
+                collection: { type: "string", description: "EE collection the entry came from" },
+                verdict: { type: "string", enum: ["followed", "ignored", "noise"] },
+                reason: { type: "string", enum: ["wrong_repo", "wrong_language", "wrong_task", "stale_rule"] },
+            },
+            required: ["id", "collection", "verdict"],
+        }),
+        execute: async (input) => {
+            const id = typeof input?.id === "string" ? input.id.trim() : "";
+            const collection = typeof input?.collection === "string" ? input.collection.trim() : "";
+            const verdict = input?.verdict;
+            const reason = input?.reason;
+            if (!id || !collection || !verdict) {
+                return errLine("invalid_args", "ee_feedback requires id, collection, and verdict");
+            }
+            if (verdict === "noise" && !reason) {
+                return errLine("reason_required", "verdict 'noise' requires reason: wrong_repo | wrong_language | wrong_task | stale_rule");
+            }
+            try {
+                const { feedbackEE } = await import("../ee/search.js");
+                const { sessionRecallLedger } = await import("../ee/recall-ledger.js");
+                const result = await feedbackEE(id, collection, verdict, reason);
+                if (!result.ok)
+                    return errLine("feedback_failed", result.error ?? "feedback POST failed");
+                const clearedId = result.resolvedId ?? id;
+                sessionRecallLedger.clear(clearedId);
+                sessionRecallLedger.clear(id);
+                return json({
+                    ok: true,
+                    id: clearedId,
+                    verdict: result.verdict,
+                    ...(result.reason ? { reason: result.reason } : {}),
+                    pendingRemaining: sessionRecallLedger.pendingCount(),
+                });
+            }
+            catch (e) {
+                return errLine("feedback_failed", e instanceof Error ? e.message : String(e));
+            }
+        },
+    });
+    // ── Self-diagnostics: usage_forensics ─────────────────────────────────────
+    tools.usage_forensics = dynamicTool({
+        description: "Per-session token-cost forensics by session-id prefix: peak input, cache-hit ratio, per-event breakdown.",
+        inputSchema: jsonSchema({
+            type: "object",
+            properties: { prefix: { type: "string", description: "Session id prefix (1-100 chars)" } },
+            required: ["prefix"],
+        }),
+        execute: async (input) => {
+            const prefix = typeof input?.prefix === "string" ? input.prefix.trim() : "";
+            if (!prefix)
+                return errLine("invalid_args", "usage_forensics requires a non-empty prefix");
+            try {
+                const { resolveSessionIds, collectCostForensics } = await import("../cli/cost-forensics.js");
+                const ids = await resolveSessionIds(prefix);
+                if (ids.length === 0)
+                    return errLine("not_found", `no session matches prefix '${prefix}'`);
+                if (ids.length > 1)
+                    return errLine("ambiguous", `prefix '${prefix}' matched ${ids.length} sessions`);
+                return json(await collectCostForensics(ids[0]));
+            }
+            catch (e) {
+                return errLine("db_error", e instanceof Error ? e.message : String(e));
+            }
+        },
+    });
+    // ── Code intelligence: lsp_query ──────────────────────────────────────────
+    tools.lsp_query = dynamicTool({
+        description: "Semantic code intelligence via language servers. operation is one of: goToDefinition, findReferences, hover, documentSymbol, workspaceSymbol, goToImplementation, prepareCallHierarchy, incomingCalls, outgoingCalls. " +
+            "filePath: absolute, or relative to the workspace root. line/character: 1-based — required for position-based ops; omit for documentSymbol; use query (not position) for workspaceSymbol. Returns {success, output}.",
+        inputSchema: jsonSchema({
+            type: "object",
+            properties: {
+                operation: { type: "string", enum: [...LSP_TOOL_OPERATIONS] },
+                filePath: { type: "string", description: "Absolute or workspace-relative path" },
+                line: { type: "number", description: "1-based line (position ops)" },
+                character: { type: "number", description: "1-based character (position ops)" },
+                query: { type: "string", description: "Symbol query (workspaceSymbol)" },
+            },
+            required: ["operation", "filePath"],
+        }),
+        execute: async (input) => {
+            const cwd = opts.cwd ?? process.cwd();
+            try {
+                const { queryLsp, isLspToolEnabled } = await import("../lsp/runtime.js");
+                if (!(await isLspToolEnabled(cwd))) {
+                    return errLine("lsp_disabled", "LSP tool is disabled in settings (lsp.enabled / lsp.tool)");
+                }
+                return json(await queryLsp(cwd, input));
+            }
+            catch (e) {
+                return errLine("lsp_error", e instanceof Error ? e.message : String(e));
+            }
+        },
+    });
+    // ── Onboarding: setup_guide ───────────────────────────────────────────────
+    tools.setup_guide = dynamicTool({
+        description: "Returns the up-to-date setup / install / first-run / MCP wiring / verify guide for muonroi-cli. Call this " +
+            "when the user asks how to set up, install, or get started — instead of guessing, reading files, or shelling commands.",
+        inputSchema: jsonSchema({ type: "object", properties: {}, additionalProperties: false }),
+        execute: async () => SETUP_GUIDE_TEXT,
+    });
+    // ── Self-QA harness: selfverify_* (shared JobManager, in-process) ──────────
+    tools.selfverify_start = dynamicTool({
+        description: "Start a self-verify run (mode=tier1 heuristic, or mode=agentic LLM-driven). Returns {runId} immediately; " +
+            "poll selfverify_status, then selfverify_result.",
+        inputSchema: jsonSchema({
+            type: "object",
+            properties: {
+                mode: { type: "string", enum: ["tier1", "agentic"] },
+                since: { type: "string" },
+                max: { type: "number" },
+                emit: { type: "boolean" },
+                out: { type: "string" },
+                goal: { type: "string" },
+                llm: { type: "string" },
+                turns: { type: "number" },
+            },
+            required: ["mode"],
+        }),
+        execute: async (input) => {
+            const jm = getSelfVerifyJobManager();
+            if (input?.mode === "agentic") {
+                if (!input?.goal || !input?.llm)
+                    return errLine("invalid_args", "agentic mode requires both goal and llm");
+                const { getModelInfo } = await import("../models/registry.js");
+                if (!getModelInfo(input.llm))
+                    return errLine("unknown_model", `llm '${input.llm}' is not in catalog.json`);
+                return json({ runId: jm.start({ kind: "agentic", goal: input.goal, llm: input.llm, turns: input.turns }) });
+            }
+            return json({
+                runId: jm.start({ kind: "tier1", since: input?.since, max: input?.max, emit: input?.emit, out: input?.out }),
+            });
+        },
+    });
+    tools.selfverify_status = dynamicTool({
+        description: "Get status + log tail of a self-verify run.",
+        inputSchema: jsonSchema({
+            type: "object",
+            properties: { runId: { type: "string" } },
+            required: ["runId"],
+        }),
+        execute: async (input) => {
+            const job = getSelfVerifyJobManager().status(input?.runId);
+            if (!job)
+                return errLine("not_found", `runId ${input?.runId} not found`);
+            const summary = job.report && job.kind === "tier1" && "summary" in job.report
+                ? job.report.summary
+                : job.report && job.kind === "agentic" && "verdict" in job.report
+                    ? { verdict: job.report.verdict }
+                    : null;
+            return json({
+                runId: job.runId,
+                status: job.status,
+                kind: job.kind,
+                startedAt: job.startedAt,
+                finishedAt: job.finishedAt,
+                elapsedMs: (job.finishedAt ?? Date.now()) - job.startedAt,
+                logTail: job.logBuffer.slice(-40),
+                summary,
+                error: job.error,
+            });
+        },
+    });
+    tools.selfverify_result = dynamicTool({
+        description: "Fetch the full report of a completed self-verify run.",
+        inputSchema: jsonSchema({
+            type: "object",
+            properties: { runId: { type: "string" } },
+            required: ["runId"],
+        }),
+        execute: async (input) => {
+            const job = getSelfVerifyJobManager().status(input?.runId);
+            if (!job)
+                return errLine("not_found", `runId ${input?.runId} not found`);
+            if (job.status === "running")
+                return errLine("still_running", "run not finished; poll selfverify_status first");
+            if (job.status === "error")
+                return errLine("run_error", job.error ?? "unknown error");
+            if (job.status === "cancelled")
+                return errLine("cancelled", "run was cancelled");
+            return json(job.report ?? {});
+        },
+    });
+    tools.selfverify_list = dynamicTool({
+        description: "List recent self-verify runs.",
+        inputSchema: jsonSchema({ type: "object", properties: {}, additionalProperties: false }),
+        execute: async () => json(getSelfVerifyJobManager()
+            .list()
+            .map((j) => ({
+            runId: j.runId,
+            kind: j.kind,
+            status: j.status,
+            elapsedMs: (j.finishedAt ?? Date.now()) - j.startedAt,
+        }))),
+    });
+    tools.selfverify_cancel = dynamicTool({
+        description: "Cancel a running self-verify run (best-effort).",
+        inputSchema: jsonSchema({
+            type: "object",
+            properties: { runId: { type: "string" } },
+            required: ["runId"],
+        }),
+        execute: async (input) => json({ cancelled: getSelfVerifyJobManager().cancel(input?.runId) }),
+    });
+    return tools;
+}
+//# sourceMappingURL=native-tools.js.map

package/dist/src/tools/registry-git-safety.test.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Integration: git-safety guards wired into the bash tool (registry.ts).
+ * Unit logic lives in git-safety.test.ts; this asserts the WIRING — a blocked
+ * push returns the block message WITHOUT executing, and a broad stage appends
+ * the sensitive-path warning to the tool output.
+ */
+export {};

package/dist/src/tools/registry-git-safety.test.js

@@ -0,0 +1,92 @@
+/**
+ * Integration: git-safety guards wired into the bash tool (registry.ts).
+ * Unit logic lives in git-safety.test.ts; this asserts the WIRING — a blocked
+ * push returns the block message WITHOUT executing, and a broad stage appends
+ * the sensitive-path warning to the tool output.
+ */
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import os from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { BashTool } from "./bash.js";
+import { clearBashOutputCache } from "./bash-output-cache.js";
+import { __resetGitSafetyState, recordCommandOutcome } from "./git-safety.js";
+import { createBuiltinTools } from "./registry.js";
+async function runBash(tools, args) {
+    const t = tools.bash;
+    if (!t?.execute)
+        throw new Error("bash tool has no execute");
+    const out = await t.execute(args);
+    return typeof out === "string" ? out : JSON.stringify(out);
+}
+describe("git-safety wiring in bash tool", () => {
+    beforeEach(() => {
+        clearBashOutputCache();
+        globalThis.__muonroiBashRepeatState = new Map();
+        __resetGitSafetyState();
+        delete process.env.MUONROI_ALLOW_PUSH_ON_RED;
+    });
+    afterEach(() => {
+        delete process.env.MUONROI_ALLOW_PUSH_ON_RED;
+    });
+    it("BLOCKS git push (without executing) after a verification failed this session", async () => {
+        const bash = new BashTool(os.tmpdir());
+        const tools = createBuiltinTools(bash, "agent", { sessionId: "GS1" });
+        // Simulate a failed test earlier in the session.
+        recordCommandOutcome("GS1", "npm test", false);
+        const out = await runBash(tools, { command: "git push origin main", timeout: 10_000 });
+        expect(out).toMatch(/^BLOCKED:/);
+        expect(out).toMatch(/npm test/);
+        // The distinctive block message proves git push never ran (a real push in
+        // tmpdir would fail with a git error like "not a git repository", not this).
+        expect(out).not.toMatch(/not a git repository|fatal:/i);
+    }, 20_000);
+    it("ALLOWS git push once the failed verification re-runs green", async () => {
+        const bash = new BashTool(os.tmpdir());
+        const tools = createBuiltinTools(bash, "agent", { sessionId: "GS2" });
+        recordCommandOutcome("GS2", "npm test", false);
+        recordCommandOutcome("GS2", "npm test", true); // re-ran green
+        const out = await runBash(tools, { command: "git push origin main", timeout: 10_000 });
+        expect(out).not.toMatch(/^BLOCKED:/);
+    }, 20_000);
+    it("respects MUONROI_ALLOW_PUSH_ON_RED override", async () => {
+        process.env.MUONROI_ALLOW_PUSH_ON_RED = "1";
+        const bash = new BashTool(os.tmpdir());
+        const tools = createBuiltinTools(bash, "agent", { sessionId: "GS3" });
+        recordCommandOutcome("GS3", "vitest run", false);
+        const out = await runBash(tools, { command: "git push", timeout: 10_000 });
+        expect(out).not.toMatch(/^BLOCKED:/);
+    }, 20_000);
+    it("blocks push across registry rebuilds even with NO sessionId (stable process key)", async () => {
+        // Regression for the anon-key false negative: createBuiltinTools() without a
+        // sessionId must still gate the push, because production call sites
+        // (message-processor) don't thread sessionId and rebuild the registry every
+        // turn. A failing verify in one anon registry must block a push in the next.
+        const bash = new BashTool(os.tmpdir());
+        // `npm test` is a recognized verification command and fails fast here
+        // (no package.json in a temp dir) → recorded as a failed verify under the
+        // stable process key.
+        const toolsA = createBuiltinTools(bash, "agent"); // no sessionId
+        const failOut = await runBash(toolsA, { command: "npm test", timeout: 20_000 });
+        expect(failOut).toMatch(/ERROR/); // the verify failed
+        // Fresh anon registry (simulates the per-turn rebuild).
+        const toolsB = createBuiltinTools(bash, "agent"); // no sessionId
+        const pushOut = await runBash(toolsB, { command: "git push origin main", timeout: 10_000 });
+        expect(pushOut).toMatch(/^BLOCKED:/);
+    }, 30_000);
+    it("appends a sensitive-path WARNING on a broad git add when secrets exist", async () => {
+        const dir = mkdtempSync(join(os.tmpdir(), "gs-stage-"));
+        writeFileSync(join(dir, ".env"), "API_KEY=secret");
+        try {
+            const bash = new BashTool(dir);
+            const tools = createBuiltinTools(bash, "agent", { sessionId: "GS4" });
+            const out = await runBash(tools, { command: "git add -A", timeout: 10_000 });
+            expect(out).toMatch(/\[WARNING:/);
+            expect(out).toMatch(/\.env/);
+        }
+        finally {
+            rmSync(dir, { recursive: true, force: true });
+        }
+    }, 20_000);
+});
+//# sourceMappingURL=registry-git-safety.test.js.map

package/dist/src/tools/registry.js

@@ -12,7 +12,9 @@ import { needsVisionProxy } from "../providers/vision-proxy.js";
 import { getBashRun, sliceBashOutput } from "./bash-output-cache.js";
 import { editFile, readFile, writeFile } from "./file.js";
 import { FileTracker } from "./file-tracker.js";
+import { analyzeGitCommand, checkPushGate, pushBlockedMessage, recordCommandOutcome, stagingWarning, } from "./git-safety.js";
 import { executeGrep } from "./grep.js";
+import { registerNativeMuonroiTools } from "./native-tools.js";
 import { VISION_TOOL_NAMES } from "./vision-gate.js";
 function getBashRepeatState() {
     if (!globalThis.__muonroiBashRepeatState) {
@@ -124,6 +126,15 @@ export function createBuiltinTools(bash, mode, opts) {
     // user turns / askcards no longer wipes it. See getBashRepeatState().
     const repeatState = getBashRepeatState();
     const repeatKey = resolveBashRepeatKey(opts?.sessionId);
+    // Git-safety state key. MUST be stable across createBuiltinTools() rebuilds
+    // within one process — otherwise a failed-test record made before a registry
+    // rebuild (askcard answer, sub-agent turn) would be invisible to the push
+    // gate after the rebuild. Unlike resolveBashRepeatKey's anon fallback (which
+    // intentionally generates a fresh key per instance to isolate repeat-reminder
+    // state), we want the gate to PERSIST: use the real sessionId when present,
+    // else a single process-stable key. Over-sharing here is the safe direction
+    // (it can only over-block a push, never wrongly allow one).
+    const gitSafetyKey = opts?.sessionId && opts.sessionId.length > 0 ? opts.sessionId : `__proc_default__:${process.pid}`;
     tools.bash = dynamicTool({
         description: "Execute a shell command. Output is automatically cached — every call returns a " +
             "run_id you can re-query via bash_output_get(run_id, mode=tail|head|grep|lines). " +
@@ -149,19 +160,36 @@ export function createBuiltinTools(bash, mode, opts) {
             if (typeof input.command !== "string" || input.command.trim() === "") {
                 return 'ERROR: the `bash` tool requires a non-empty "command" string, but the call had empty arguments. Provide the shell command to run, e.g. {"command":"ls -la"}.';
             }
+            const cmd = typeof input.command === "string" ? input.command : "";
+            // Git safety (pre-execution). Block `git push` while a verification
+            // command failed this session and was not re-run green; warn on broad
+            // `git add -A` / `git commit -a` when sensitive paths exist. Applied to
+            // BOTH foreground and background paths. See git-safety.ts for the audit
+            // motivation (session 18285908637a). gitSafetyKey is STABLE per process
+            // (or the real sessionId) — unlike repeatKey, whose anon fallback changes
+            // on every registry rebuild and would silently drop the gate across turns.
+            const gitShape = analyzeGitCommand(cmd);
+            const stageWarn = gitShape.isBroadStage ? stagingWarning(bash.getCwd()) : "";
+            if (gitShape.isPush) {
+                const gate = checkPushGate(gitSafetyKey);
+                if (gate.blocked) {
+                    return `${pushBlockedMessage(gate.failed)}${stageWarn}`;
+                }
+            }
             if (input.background) {
                 const result = await bash.startBackground(input.command);
-                return formatResult(result);
+                return `${formatResult(result)}${stageWarn}`;
             }
             // 3-3: compute canonical form BEFORE running so we can attach an
             // inline reminder if it matches the previous bash call.
-            const cmd = typeof input.command === "string" ? input.command : "";
             const canonical = cmd ? canonicalizeBashCommand(cmd) : "";
             const entry = repeatState.get(repeatKey) ?? { lastCanonical: null, lastRunId: null };
             const repeatedIntent = canonical !== "" && canonical === entry.lastCanonical && entry.lastRunId !== null;
             const prevRunId = entry.lastRunId;
             const result = await bash.execute(input.command, input.timeout ?? 30000);
             const formatted = formatResult(result);
+            // Record verification outcome so a later `git push` can be gated on it.
+            recordCommandOutcome(gitSafetyKey, canonical, result.success);
             // Update last-canonical state AFTER we compared, so the current call's
             // runId becomes the comparison target for the next one. Session-scoped
             // map persists across createBuiltinTools() rebuilds (Phase 4R).
@@ -185,9 +213,9 @@ export function createBuiltinTools(bash, mode, opts) {
                 const hint = chars >= 4_000
                     ? ` — ${chars} chars cached; use bash_output_get(run_id, mode=tail|head|grep|lines) to re-query`
                     : "";
-                return `${formatted}\n\n[bash_run_id: ${result.bashRunId}${hint}]${reminder}`;
+                return `${formatted}\n\n[bash_run_id: ${result.bashRunId}${hint}]${reminder}${stageWarn}`;
             }
-            return formatted;
+            return `${formatted}${stageWarn}`;
         },
     });
     // bash_output_get — re-query the cached full output of a previous bash run.
@@ -473,6 +501,13 @@ export function createBuiltinTools(bash, mode, opts) {
                 }
             },
         });
+        // Native muonroi-tools builtins — ee_health, ee_feedback, usage_forensics,
+        // lsp_query, setup_guide, selfverify_*. These run IN-PROCESS; the CLI no
+        // longer self-spawns itself as an MCP server to expose them to its own inner
+        // agent (that self-spawn cold-started 2-3.5s and overran the build deadline,
+        // and a seed-time bug once persisted a crashing vitest-worker command). The
+        // muonroi-tools MCP server stays only for EXTERNAL agents. See native-tools.ts.
+        registerNativeMuonroiTools(tools, { cwd: bash.getCwd() });
     }
     // Vision proxy tools — only for text-only models (DeepSeek, etc.)
     if (opts?.modelId && needsVisionProxy(opts.modelId)) {

package/dist/src/ui/__tests__/markdown-render.test.d.ts

@@ -0,0 +1 @@
+export {};