noumen 0.1.0 → 0.3.0

package/dist/chunk-HL6JCRZJ.js

@@ -0,0 +1,3112 @@
+import {
+  formatZodValidationError
+} from "./chunk-3SK5GCI6.js";
+import {
+  IMAGE_EXTENSIONS,
+  compressImageBufferWithTokenLimit,
+  createImageMetadataText,
+  maybeResizeAndDownsampleImageBuffer
+} from "./chunk-5GEX6ZSB.js";
+import {
+  contentToString
+} from "./chunk-JACGEMTF.js";
+
+// src/tools/tool-search.ts
+var TOOL_SEARCH_NAME = "ToolSearch";
+function isDeferredTool(tool) {
+  if (tool.alwaysLoad === true) return false;
+  if (tool.mcpInfo !== void 0) return true;
+  if (tool.name === TOOL_SEARCH_NAME) return false;
+  return tool.shouldDefer === true;
+}
+function formatDeferredToolLine(tool) {
+  const desc = tool.description.split(".")[0];
+  return `- ${tool.name}: ${desc}`;
+}
+function parseToolName(name) {
+  if (name.startsWith("mcp__") || name.includes("__")) {
+    const withoutPrefix = name.replace(/^mcp__/, "").toLowerCase();
+    const parts2 = withoutPrefix.split("__").flatMap((p) => p.split("_"));
+    return { parts: parts2.filter(Boolean), full: withoutPrefix.replace(/__/g, " ").replace(/_/g, " "), isMcp: true };
+  }
+  const parts = name.replace(/([a-z])([A-Z])/g, "$1 $2").replace(/_/g, " ").toLowerCase().split(/\s+/).filter(Boolean);
+  return { parts, full: parts.join(" "), isMcp: false };
+}
+function escapeRegExp(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function searchToolsWithKeywords(query, deferredTools, allTools, maxResults) {
+  const queryLower = query.toLowerCase().trim();
+  const exactMatch = deferredTools.find((t) => t.name.toLowerCase() === queryLower) ?? allTools.find((t) => t.name.toLowerCase() === queryLower);
+  if (exactMatch) return [exactMatch.name];
+  if (queryLower.startsWith("mcp__") && queryLower.length > 5) {
+    const prefixMatches = deferredTools.filter((t) => t.name.toLowerCase().startsWith(queryLower)).slice(0, maxResults).map((t) => t.name);
+    if (prefixMatches.length > 0) return prefixMatches;
+  }
+  const queryTerms = queryLower.split(/\s+/).filter((t) => t.length > 0);
+  const requiredTerms = [];
+  const optionalTerms = [];
+  for (const term of queryTerms) {
+    if (term.startsWith("+") && term.length > 1) {
+      requiredTerms.push(term.slice(1));
+    } else {
+      optionalTerms.push(term);
+    }
+  }
+  const allScoringTerms = requiredTerms.length > 0 ? [...requiredTerms, ...optionalTerms] : queryTerms;
+  const termPatterns = /* @__PURE__ */ new Map();
+  for (const term of allScoringTerms) {
+    if (!termPatterns.has(term)) {
+      termPatterns.set(term, new RegExp(`\\b${escapeRegExp(term)}\\b`));
+    }
+  }
+  let candidates = deferredTools;
+  if (requiredTerms.length > 0) {
+    candidates = deferredTools.filter((tool) => {
+      const parsed = parseToolName(tool.name);
+      const descLower = tool.description.toLowerCase();
+      return requiredTerms.every((term) => {
+        const pattern = termPatterns.get(term);
+        return parsed.parts.includes(term) || parsed.parts.some((part) => part.includes(term)) || pattern.test(descLower);
+      });
+    });
+  }
+  const scored = candidates.map((tool) => {
+    const parsed = parseToolName(tool.name);
+    const descLower = tool.description.toLowerCase();
+    let score = 0;
+    for (const term of allScoringTerms) {
+      const pattern = termPatterns.get(term);
+      if (parsed.parts.includes(term)) {
+        score += parsed.isMcp ? 12 : 10;
+      } else if (parsed.parts.some((part) => part.includes(term))) {
+        score += parsed.isMcp ? 6 : 5;
+      }
+      if (parsed.full.includes(term) && score === 0) {
+        score += 3;
+      }
+      if (pattern.test(descLower)) {
+        score += 2;
+      }
+    }
+    return { name: tool.name, score };
+  });
+  return scored.filter((item) => item.score > 0).sort((a, b) => b.score - a.score).slice(0, maxResults).map((item) => item.name);
+}
+function formatToolSchemas(tools) {
+  if (tools.length === 0) return "No matching deferred tools found.";
+  const lines = tools.map((t) => {
+    const schema = {
+      description: t.description,
+      name: t.name,
+      parameters: t.parameters
+    };
+    return `<function>${JSON.stringify(schema)}</function>`;
+  });
+  return `<functions>
+${lines.join("\n")}
+</functions>`;
+}
+function createToolSearchTool(getDeferredTools, getAllTools, getToolsByNames, onDiscovered) {
+  return {
+    name: TOOL_SEARCH_NAME,
+    description: 'Fetches full schema definitions for deferred tools so they can be called. Deferred tools appear by name in <available-deferred-tools> sections. Until fetched, only the name is known \u2014 there is no parameter schema, so the tool cannot be invoked. Use this tool to load tool schemas.\n\nQuery forms:\n- "select:Read,Edit,Grep" \u2014 fetch these exact tools by name\n- "notebook jupyter" \u2014 keyword search, up to max_results best matches\n- "+slack send" \u2014 require "slack" in the name, rank by remaining terms',
+    isReadOnly: true,
+    isConcurrencySafe: true,
+    parameters: {
+      type: "object",
+      properties: {
+        query: {
+          type: "string",
+          description: 'Query to find deferred tools. Use "select:<tool_name>" for direct selection, or keywords to search.'
+        },
+        max_results: {
+          type: "number",
+          description: "Maximum number of results to return (default: 5)"
+        }
+      },
+      required: ["query"]
+    },
+    async call(args) {
+      const query = args.query;
+      const maxResults = args.max_results ?? 5;
+      const deferredTools = getDeferredTools();
+      const allTools = getAllTools();
+      const selectMatch = query.match(/^select:(.+)$/i);
+      if (selectMatch) {
+        const requested = selectMatch[1].split(",").map((s) => s.trim()).filter(Boolean);
+        const found = [];
+        for (const toolName of requested) {
+          const match = deferredTools.find((t) => t.name.toLowerCase() === toolName.toLowerCase()) ?? allTools.find((t) => t.name.toLowerCase() === toolName.toLowerCase());
+          if (match && !found.includes(match.name)) {
+            found.push(match.name);
+          }
+        }
+        if (found.length === 0) {
+          return {
+            content: JSON.stringify({
+              matches: [],
+              query,
+              total_deferred_tools: deferredTools.length
+            })
+          };
+        }
+        onDiscovered(found);
+        const matchedTools2 = getToolsByNames(found);
+        return { content: formatToolSchemas(matchedTools2) };
+      }
+      const matches = searchToolsWithKeywords(query, deferredTools, allTools, maxResults);
+      if (matches.length === 0) {
+        return {
+          content: JSON.stringify({
+            matches: [],
+            query,
+            total_deferred_tools: deferredTools.length
+          })
+        };
+      }
+      onDiscovered(matches);
+      const matchedTools = getToolsByNames(matches);
+      return { content: formatToolSchemas(matchedTools) };
+    }
+  };
+}
+
+// src/tools/prompts/read.ts
+var READ_PROMPT = `Reads a file from the local filesystem. You can access any file directly by using this tool.
+Assume this tool is able to read all files on the machine. If the User provides a path to a file assume that path is valid. It is okay to read a file that does not exist; an error will be returned.
+
+Usage:
+- The file_path parameter must be an absolute path, not a relative path.
+- By default, it reads the entire file. Use offset and limit to read specific portions of large files.
+- Lines in the output are numbered with the format: LINE_NUMBER|LINE_CONTENT
+- If you read a file that exists but has empty contents you will receive a notice in place of file contents.
+- This tool can read image files (e.g. PNG, JPG) when the provider supports multimodal input.
+- This tool can read Jupyter notebooks (.ipynb files) and returns all cells with their outputs.
+- This tool can only read files, not directories. To list a directory, use an ls command via the Bash tool.
+- If the file has not changed since the last read, a "file_unchanged" result is returned to save context tokens.
+`;
+
+// src/tools/read.ts
+import * as path from "path";
+var DEFAULT_MAX_IMAGE_TOKENS = 1600;
+var MAX_FILE_SIZE = 256 * 1024;
+var BLOCKED_DEVICE_PATHS = /* @__PURE__ */ new Set([
+  "/dev/zero",
+  "/dev/random",
+  "/dev/urandom",
+  "/dev/full",
+  "/dev/stdin",
+  "/dev/tty",
+  "/dev/console",
+  "/dev/stdout",
+  "/dev/stderr",
+  "/dev/fd/0",
+  "/dev/fd/1",
+  "/dev/fd/2"
+]);
+var BINARY_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".bin",
+  ".zip",
+  ".tar",
+  ".gz",
+  ".bz2",
+  ".xz",
+  ".7z",
+  ".rar",
+  ".wasm",
+  ".o",
+  ".a",
+  ".obj",
+  ".lib",
+  ".class",
+  ".pyc",
+  ".pyo",
+  ".jar",
+  ".war",
+  ".ear",
+  ".iso",
+  ".img",
+  ".dmg",
+  ".msi",
+  ".deb",
+  ".rpm",
+  ".apk",
+  ".ipa"
+]);
+var readFileTool = {
+  name: "ReadFile",
+  description: "Read a file from the filesystem. Returns the file content with line numbers. For image files (.png, .jpg, .jpeg, .gif, .webp), returns the image data directly. Use offset and limit to read specific portions of large text files.",
+  prompt: READ_PROMPT,
+  isReadOnly: true,
+  isConcurrencySafe: true,
+  parameters: {
+    type: "object",
+    properties: {
+      file_path: {
+        type: "string",
+        description: "The path of the file to read (absolute or relative to cwd)"
+      },
+      offset: {
+        type: "number",
+        description: "Line number to start reading from (1-indexed). Defaults to 1.",
+        minimum: 1
+      },
+      limit: {
+        type: "number",
+        description: "Maximum number of lines to read. If omitted, reads entire file.",
+        minimum: 1
+      }
+    },
+    required: ["file_path"]
+  },
+  async call(args, ctx) {
+    const filePath = args.file_path;
+    const offset = args.offset ?? 1;
+    const limit = args.limit;
+    if (filePath.startsWith("\\\\") || filePath.startsWith("//")) {
+      return { content: "Error: UNC paths are not allowed", isError: true };
+    }
+    try {
+      const resolved = path.resolve(ctx.cwd, filePath);
+      if (BLOCKED_DEVICE_PATHS.has(resolved)) {
+        return {
+          content: `Error: Cannot read device file ${filePath}.`,
+          isError: true
+        };
+      }
+      if (resolved.startsWith("/proc/") && (resolved.endsWith("/fd/0") || resolved.endsWith("/fd/1") || resolved.endsWith("/fd/2"))) {
+        return {
+          content: `Error: Cannot read process file descriptor ${filePath}.`,
+          isError: true
+        };
+      }
+      const ext = path.extname(filePath).toLowerCase();
+      if (BINARY_EXTENSIONS.has(ext)) {
+        return {
+          content: `Error: Cannot read binary ${ext} file. This tool only reads text files.`,
+          isError: true
+        };
+      }
+      if (IMAGE_EXTENSIONS.has(ext) && ctx.fs.readFileBytes) {
+        return readImageFile(filePath, ext, ctx);
+      }
+      try {
+        const stat = await ctx.fs.stat(filePath);
+        if (stat.size !== void 0 && stat.size > MAX_FILE_SIZE && !limit) {
+          return {
+            content: `Error: File is too large (${Math.round(stat.size / 1024)}KB, max ${MAX_FILE_SIZE / 1024}KB). Use offset/limit to read specific portions.`,
+            isError: true
+          };
+        }
+      } catch {
+      }
+      if (ctx.fileStateCache) {
+        const cached = ctx.fileStateCache.get(filePath);
+        if (cached && !cached.isPartialView && cached.offset !== void 0 && cached.offset === offset && cached.limit === limit) {
+          try {
+            const stat = await ctx.fs.stat(filePath);
+            const mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
+            if (mtime === cached.timestamp) {
+              return { content: "file_unchanged" };
+            }
+          } catch {
+          }
+        }
+      }
+      const maxReadBytes = limit ? Math.min((limit + (offset - 1)) * 500, 10 * 1024 * 1024) : void 0;
+      const content = await ctx.fs.readFile(
+        filePath,
+        maxReadBytes ? { maxBytes: maxReadBytes } : void 0
+      );
+      const lines = content.split("\n");
+      const startIdx = Math.max(0, offset - 1);
+      const endIdx = limit ? Math.min(lines.length, startIdx + limit) : lines.length;
+      const selectedLines = lines.slice(startIdx, endIdx);
+      const numbered = selectedLines.map(
+        (line, i) => `${String(startIdx + i + 1).padStart(6)}|${line}`
+      );
+      let result = numbered.join("\n");
+      if (endIdx < lines.length) {
+        result += `
+... ${lines.length - endIdx} lines not shown ...`;
+      }
+      if (ctx.fileStateCache) {
+        let mtime = 0;
+        try {
+          const stat = await ctx.fs.stat(filePath);
+          mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
+        } catch {
+        }
+        ctx.fileStateCache.set(filePath, {
+          content: selectedLines.join("\n"),
+          timestamp: mtime,
+          offset,
+          limit,
+          isPartialView: !!(limit || offset > 1)
+        });
+      }
+      return { content: result || "File is empty." };
+    } catch (err) {
+      return {
+        content: `Error reading file: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+async function readImageFile(filePath, ext, ctx) {
+  const imageBuffer = await ctx.fs.readFileBytes(filePath);
+  const originalSize = imageBuffer.length;
+  const formatExt = ext.replace(/^\./, "");
+  const resized = await maybeResizeAndDownsampleImageBuffer(
+    imageBuffer,
+    originalSize,
+    formatExt
+  );
+  let base64 = resized.buffer.toString("base64");
+  let mediaType = resized.mediaType;
+  const estimatedTokens = Math.ceil(base64.length * 0.125);
+  if (estimatedTokens > DEFAULT_MAX_IMAGE_TOKENS) {
+    try {
+      const compressed = await compressImageBufferWithTokenLimit(
+        imageBuffer,
+        DEFAULT_MAX_IMAGE_TOKENS,
+        `image/${formatExt}`
+      );
+      base64 = compressed.base64;
+      mediaType = compressed.mediaType;
+    } catch {
+    }
+  }
+  const parts = [
+    {
+      type: "image",
+      data: base64,
+      media_type: `image/${mediaType}`
+    }
+  ];
+  if (resized.dimensions) {
+    parts.push({
+      type: "text",
+      text: createImageMetadataText(resized.dimensions)
+    });
+  }
+  return { content: parts };
+}
+
+// src/permissions/types.ts
+var RULE_SOURCE_PRECEDENCE = [
+  "policy",
+  "project",
+  "user",
+  "session"
+];
+
+// src/permissions/rules.ts
+import * as path2 from "path";
+import * as fs from "fs";
+function toolMatchesRule(toolName, rule, mcpInfo) {
+  if (rule.toolName === toolName) return true;
+  if (mcpInfo) {
+    const serverPrefix = parseMcpServerPrefix(rule.toolName);
+    if (serverPrefix && serverPrefix === mcpInfo.serverName) {
+      return true;
+    }
+  }
+  return false;
+}
+function parseMcpServerPrefix(ruleName) {
+  const parts = ruleName.split("__");
+  if (parts.length !== 2 || parts[0] !== "mcp" || !parts[1]) return null;
+  return parts[1];
+}
+var SAFE_WRAPPERS = ["timeout", "time", "nice", "nohup", "stdbuf"];
+var COMPOUND_OPERATORS_RE = /\s*(?:;|&&|\|\||\|)\s*/;
+function stripForRuleMatching(command) {
+  let cmd = command.trim();
+  while (/^[A-Za-z_][A-Za-z0-9_]*=\S*\s/.test(cmd)) {
+    cmd = cmd.replace(/^[A-Za-z_][A-Za-z0-9_]*=\S*\s+/, "");
+  }
+  let changed = true;
+  while (changed) {
+    changed = false;
+    for (const wrapper of SAFE_WRAPPERS) {
+      if (cmd.startsWith(wrapper + " ")) {
+        cmd = cmd.slice(wrapper.length).trim();
+        while (cmd.startsWith("-")) {
+          const spaceIdx = cmd.indexOf(" ");
+          if (spaceIdx === -1) break;
+          cmd = cmd.slice(spaceIdx).trim();
+        }
+        while (/^[A-Za-z_][A-Za-z0-9_]*=\S*\s/.test(cmd)) {
+          cmd = cmd.replace(/^[A-Za-z_][A-Za-z0-9_]*=\S*\s+/, "");
+        }
+        changed = true;
+      }
+    }
+  }
+  return cmd;
+}
+function isCompoundCommand(content) {
+  return COMPOUND_OPERATORS_RE.test(content);
+}
+function contentMatchesRule(content, ruleContent) {
+  if (ruleContent.endsWith(":*")) {
+    const prefix = ruleContent.slice(0, -2);
+    const matches = content === prefix || content.startsWith(prefix + " ");
+    if (matches && isCompoundCommand(content)) return false;
+    if (matches) return true;
+    const stripped2 = stripForRuleMatching(content);
+    if (stripped2 !== content) {
+      const strippedMatches = stripped2 === prefix || stripped2.startsWith(prefix + " ");
+      if (strippedMatches && isCompoundCommand(stripped2)) return false;
+      return strippedMatches;
+    }
+    return false;
+  }
+  if (ruleContent.includes("*")) {
+    if (matchSimpleGlob(ruleContent, content)) return true;
+    const stripped2 = stripForRuleMatching(content);
+    if (stripped2 !== content) return matchSimpleGlob(ruleContent, stripped2);
+    return false;
+  }
+  if (ruleContent === content) return true;
+  const stripped = stripForRuleMatching(content);
+  return stripped !== content && ruleContent === stripped;
+}
+function matchSimpleGlob(pattern, value) {
+  let regex = "^";
+  let i = 0;
+  while (i < pattern.length) {
+    if (pattern[i] === "*" && pattern[i + 1] === "*") {
+      regex += ".*";
+      i += 2;
+      if (pattern[i] === "/") i++;
+    } else if (pattern[i] === "*") {
+      regex += "[^/]*";
+      i++;
+    } else if (pattern[i] === "?") {
+      regex += "[^/]";
+      i++;
+    } else {
+      regex += escapeRegex(pattern[i]);
+      i++;
+    }
+  }
+  regex += "$";
+  return new RegExp(regex).test(value);
+}
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function getMatchingRules(context, toolName, behavior, content, mcpInfo) {
+  const matched = context.rules.filter((rule) => {
+    if (rule.behavior !== behavior) return false;
+    if (!toolMatchesRule(toolName, rule, mcpInfo)) return false;
+    if (rule.ruleContent !== void 0) {
+      if (content === void 0) return false;
+      return contentMatchesRule(content, rule.ruleContent);
+    }
+    return true;
+  });
+  matched.sort((a, b) => {
+    const aIdx = a.source ? RULE_SOURCE_PRECEDENCE.indexOf(a.source) : RULE_SOURCE_PRECEDENCE.length;
+    const bIdx = b.source ? RULE_SOURCE_PRECEDENCE.indexOf(b.source) : RULE_SOURCE_PRECEDENCE.length;
+    return aIdx - bIdx;
+  });
+  return matched;
+}
+function containsShellExpansion(p) {
+  if (p.includes("$") || p.includes("%") || p.startsWith("=")) return true;
+  if (p.includes("`")) return true;
+  if (/^~[^/]/.test(p)) return true;
+  if (p.startsWith("\\\\")) return true;
+  return false;
+}
+function isPathInWorkingDirectories(filePath, workingDirectories) {
+  if (workingDirectories.length === 0) return false;
+  if (containsShellExpansion(filePath)) return false;
+  const normalized = normalizePath(filePath);
+  return workingDirectories.some((dir) => {
+    const normalizedDir = normalizePath(dir);
+    return normalized === normalizedDir || normalized.startsWith(normalizedDir + "/");
+  });
+}
+function normalizePath(p) {
+  let result = path2.resolve(p);
+  try {
+    result = fs.realpathSync(result);
+  } catch {
+  }
+  while (result.endsWith("/") && result.length > 1) {
+    result = result.slice(0, -1);
+  }
+  if (process.platform === "darwin" || process.platform === "win32") {
+    result = result.toLowerCase();
+  }
+  return result;
+}
+
+// src/permissions/classifier.ts
+var DEFAULT_CLASSIFIER_PROMPT = `You are a security classifier for an AI coding agent. 
+Your job is to determine whether a tool call should be automatically approved or blocked.
+
+Automatically APPROVE tool calls that:
+- Read files within the project directory
+- Write/edit files within the project directory  
+- Run common development commands (build, test, lint, format, git status/diff/log)
+- Search for files or code patterns
+- Create or update task items
+
+Automatically BLOCK tool calls that:
+- Execute potentially destructive commands (rm -rf, drop database, force push)
+- Access files outside the project directory
+- Make network requests to unknown hosts
+- Run commands that could affect the system (install packages globally, modify system files)
+- Access secrets, credentials, or environment variables
+
+Respond with a JSON object: {"shouldBlock": boolean, "reason": "brief explanation"}`;
+async function classifyPermission(toolName, args, recentMessages, provider, opts) {
+  const model = opts?.classifierModel ?? opts?.model;
+  if (!model) {
+    return { shouldBlock: true, reason: "No model configured for classifier." };
+  }
+  const contextWindow = recentMessages.slice(-6);
+  const contextText = contextWindow.map((m) => `${m.role}: ${contentToString(m.content).slice(0, 200)}`).join("\n");
+  const userPrompt = `Tool: ${toolName}
+Arguments: ${JSON.stringify(args, null, 2).slice(0, 1e3)}
+
+Recent conversation context:
+${contextText}`;
+  const params = {
+    model,
+    system: opts?.classifierPrompt ?? DEFAULT_CLASSIFIER_PROMPT,
+    messages: [{ role: "user", content: userPrompt }],
+    max_tokens: 256,
+    temperature: 0,
+    outputFormat: {
+      type: "json_schema",
+      schema: {
+        type: "object",
+        properties: {
+          shouldBlock: { type: "boolean" },
+          reason: { type: "string" }
+        },
+        required: ["shouldBlock", "reason"],
+        additionalProperties: false
+      },
+      name: "classifier_result",
+      strict: true
+    }
+  };
+  try {
+    let text = "";
+    for await (const chunk of provider.chat(params)) {
+      if (opts?.signal?.aborted) break;
+      for (const choice of chunk.choices) {
+        if (choice.delta.content) {
+          text += choice.delta.content;
+        }
+      }
+    }
+    if (opts?.signal?.aborted) {
+      throw new DOMException("Aborted", "AbortError");
+    }
+    const parsed = JSON.parse(text);
+    return {
+      shouldBlock: parsed.shouldBlock ?? false,
+      reason: parsed.reason ?? "unknown"
+    };
+  } catch {
+    return { shouldBlock: true, reason: "Classifier failed; defaulting to block." };
+  }
+}
+
+// src/tools/shell-safety/git-safety.ts
+var GIT_INTERNAL_PATTERNS = [
+  /\.git\/hooks\//,
+  /\.git\/config$/,
+  /\.git\/info\//,
+  /\.git\/objects\//,
+  /\.git\/refs\//,
+  /\.git\/HEAD$/,
+  /\.git\/index$/,
+  /\.git\/packed-refs$/,
+  /\.git\/shallow$/,
+  /\.git\/modules\//
+];
+function isGitInternalPath(path6) {
+  const normalized = path6.replace(/\\/g, "/");
+  return GIT_INTERNAL_PATTERNS.some((p) => p.test(normalized));
+}
+var BARE_REPO_MARKERS = ["HEAD", "objects", "refs"];
+function looksLikeBareRepo(dirEntries) {
+  const entrySet = new Set(dirEntries.map((e) => e.replace(/\/$/, "")));
+  if (entrySet.has(".git")) return false;
+  return BARE_REPO_MARKERS.every((m) => entrySet.has(m));
+}
+var BARE_REPO_INTERNAL_PATTERNS = [
+  /^hooks\//,
+  /^config$/,
+  /^info\//,
+  /^objects\//,
+  /^refs\//,
+  /^HEAD$/,
+  /^index$/,
+  /^packed-refs$/,
+  /^shallow$/,
+  /^modules\//
+];
+function isBareRepoInternalPath(filePath) {
+  const normalized = filePath.replace(/\\/g, "/").replace(/^\.\//, "");
+  return BARE_REPO_INTERNAL_PATTERNS.some((p) => p.test(normalized));
+}
+function commandWritesGitInternals(command) {
+  const redirectPattern = /(?:>{1,2}|tee\s+)\s*(\S+)/g;
+  let match;
+  while ((match = redirectPattern.exec(command)) !== null) {
+    if (isGitInternalPath(match[1]) || isBareRepoInternalPath(match[1])) return true;
+  }
+  const copyPatternDotGit = /\b(?:cp|mv|ln)\b.*\s(\S*\.git\/\S+)/;
+  const copyMatchDotGit = command.match(copyPatternDotGit);
+  if (copyMatchDotGit && isGitInternalPath(copyMatchDotGit[1])) return true;
+  const copyPatternBare = /\b(?:cp|mv|ln)\b.*\s(\S+)/g;
+  let bareMatch;
+  while ((bareMatch = copyPatternBare.exec(command)) !== null) {
+    if (isBareRepoInternalPath(bareMatch[1])) return true;
+  }
+  return false;
+}
+
+// src/tools/shell-safety/command-classification.ts
+var READ_ONLY_COMMANDS = /* @__PURE__ */ new Set([
+  "cat",
+  "head",
+  "tail",
+  "less",
+  "more",
+  "wc",
+  "file",
+  "which",
+  "whence",
+  "where",
+  "whereis",
+  "type",
+  "pwd",
+  "uname",
+  "whoami",
+  "id",
+  "groups",
+  "ls",
+  "ll",
+  "la",
+  "dir",
+  "stat",
+  "du",
+  "df",
+  "free",
+  "uptime",
+  "ps",
+  "top",
+  "htop",
+  "lsof",
+  "ss",
+  "netstat",
+  "ifconfig",
+  "ip",
+  "ping",
+  "dig",
+  "nslookup",
+  "host",
+  "traceroute",
+  "grep",
+  "egrep",
+  "fgrep",
+  "rg",
+  "ag",
+  "ack",
+  "locate",
+  "readlink",
+  "realpath",
+  "basename",
+  "dirname",
+  "diff",
+  "comm",
+  "sort",
+  "uniq",
+  "cut",
+  "tr",
+  "jq",
+  "yq",
+  "xxd",
+  "hexdump",
+  "od",
+  "md5sum",
+  "sha256sum",
+  "shasum",
+  "base64",
+  "true",
+  "false",
+  "test",
+  "[",
+  "[[",
+  "man",
+  "help",
+  "nproc",
+  "arch",
+  "lscpu",
+  "lsb_release",
+  "sw_vers",
+  "sysctl",
+  "getconf"
+]);
+var CONDITIONAL_READ_ONLY = {
+  awk: () => false,
+  // awk has system() — never read-only
+  sed: (_cmd, tokens) => !tokens.some(
+    (t) => t === "-i" || t === "--in-place" || t.startsWith("-") && !t.startsWith("--") && t.includes("i")
+  ),
+  find: (cmd) => !/\b(-exec\b|-execdir\b|-ok\b|-okdir\b|-delete\b|-fprint\b|-fls\b|-fprintf\b)/.test(cmd),
+  fd: (_cmd, tokens) => !tokens.some((t) => ["-x", "--exec", "-X", "--exec-batch"].includes(t)),
+  fdfind: (_cmd, tokens) => !tokens.some((t) => ["-x", "--exec", "-X", "--exec-batch"].includes(t)),
+  date: (_cmd, tokens) => !tokens.some((t) => ["-s", "--set"].includes(t)),
+  hostname: (_cmd, tokens) => {
+    const positional = tokens.filter((t) => !t.startsWith("-"));
+    return positional.length === 0;
+  },
+  info: (_cmd, tokens) => !tokens.some((t) => ["-o", "--output", "--dribble", "--init-file"].includes(t)),
+  tree: (_cmd, tokens) => !tokens.some((t) => t === "-R"),
+  dotnet: (_cmd, tokens) => {
+    const positional = tokens.filter((t) => !t.startsWith("-"));
+    if (positional.length === 0) return true;
+    const sub = positional[0];
+    return ["--version", "--info", "--list-sdks", "--list-runtimes"].includes(sub) || tokens.includes("--version") || tokens.includes("--info") || tokens.includes("--list-sdks") || tokens.includes("--list-runtimes");
+  }
+};
+var GIT_READ_ONLY_SUBCOMMANDS = /* @__PURE__ */ new Set([
+  "status",
+  "log",
+  "diff",
+  "show",
+  "blame",
+  "shortlog",
+  "describe",
+  "rev-parse",
+  "rev-list",
+  "cat-file",
+  "ls-files",
+  "ls-tree",
+  "ls-remote",
+  "name-rev",
+  "for-each-ref",
+  "count-objects",
+  "fsck",
+  "verify-pack",
+  "stash",
+  // "stash list" / "stash show" — stash apply/pop are not here
+  "reflog",
+  // bare / "reflog show" / "reflog list" — expire/delete caught below
+  "tag",
+  // "tag -l" is safe; "tag <name>" creates — caught below
+  "branch",
+  // "branch --list" is safe; "branch <name>" creates — caught below
+  "remote",
+  // "remote -v" safe; "remote add/remove" — caught below
+  "config",
+  // "config --list/--get" safe
+  "help",
+  "version",
+  "--version",
+  "--help"
+]);
+var GIT_READ_ONLY_WRITE_FLAGS = /* @__PURE__ */ new Set([
+  "--output"
+]);
+var GIT_MUTATING_SUBCOMMANDS = /* @__PURE__ */ new Set([
+  "push",
+  "pull",
+  "fetch",
+  "merge",
+  "rebase",
+  "cherry-pick",
+  "revert",
+  "commit",
+  "add",
+  "rm",
+  "mv",
+  "init",
+  "clone",
+  "checkout",
+  "switch",
+  "restore",
+  "reset",
+  "clean",
+  "bisect",
+  "am",
+  "apply",
+  "format-patch",
+  "submodule",
+  "worktree"
+]);
+var DESTRUCTIVE_PATTERNS = [
+  // rm -rf / rm -r / rm --recursive (but not plain rm single-file)
+  /\brm\s+(-[a-zA-Z]*[rR][a-zA-Z]*|--recursive)\b/,
+  // rm on root-like paths
+  /\brm\s+.*\s+\/($|\s)/,
+  // git force operations
+  /\bgit\s+push\s+.*--force\b/,
+  /\bgit\s+push\s+-f\b/,
+  /\bgit\s+reset\s+--hard\b/,
+  /\bgit\s+clean\s+.*-[a-zA-Z]*f/,
+  /\bgit\s+checkout\s+--\s+\./,
+  // Filesystem destruction
+  /\bchmod\s+(-[a-zA-Z]*R[a-zA-Z]*|--recursive)\s+777\b/,
+  /\bchown\s+(-[a-zA-Z]*R[a-zA-Z]*|--recursive)\b/,
+  /\bdd\s+/,
+  /\bmkfs\b/,
+  /\bformat\b/,
+  /\bfdisk\b/,
+  // Dangerous redirects
+  />\s*\/dev\/sd[a-z]/,
+  // Database destructive operations
+  /\bDROP\s+(TABLE|DATABASE|SCHEMA)\b/i,
+  /\bTRUNCATE\s+TABLE\b/i,
+  /\bDELETE\s+FROM\b/i,
+  // sed in-place (matches -i anywhere in args, not just first flag)
+  /\bsed\b.*\s(-[a-zA-Z]*i[a-zA-Z]*|--in-place)\b/,
+  // Container/system destruction
+  /\bdocker\s+(rm|rmi|system\s+prune|volume\s+rm)\b/,
+  /\bkubectl\s+delete\b/,
+  // Kill processes
+  /\bkill\s+-9\b/,
+  /\bkillall\b/,
+  /\bpkill\b/,
+  // Recursive operations on root
+  /\bfind\s+\/\s+.*-delete\b/,
+  /\bfind\s+\/\s+.*-exec\s+rm\b/
+];
+var SAFE_ECHO_RE = /^(?:echo|printf)(?:\s+(?:'[^']*'|[^|;&`$(){}><#\\!"'\s]+))*(?:\s+2>&1)?\s*$/;
+function hasTokenFlag(tokens, ...flags) {
+  return tokens.some((t) => flags.includes(t));
+}
+function splitCompoundCommand(command) {
+  return command.split(/\s*(?:;|&&|\|\||(?<!\|)\|(?!\|))\s*/).map((s) => s.trim()).filter(Boolean);
+}
+var DANGEROUS_ENV_VARS = /* @__PURE__ */ new Set([
+  "GIT_CONFIG_GLOBAL",
+  "GIT_CONFIG_SYSTEM",
+  "GIT_DIR",
+  "GIT_WORK_TREE",
+  "GIT_EXEC_PATH",
+  "GIT_TEMPLATE_DIR",
+  "LD_PRELOAD",
+  "LD_LIBRARY_PATH",
+  "PATH",
+  "PYTHONPATH",
+  "NODE_PATH",
+  "PERL5LIB"
+]);
+function hasDangerousEnvVars(command) {
+  const envPattern = /^[A-Za-z_][A-Za-z0-9_]*(?==)/;
+  let cmd = command.trim();
+  while (/^[A-Za-z_][A-Za-z0-9_]*=\S*\s/.test(cmd)) {
+    const match = cmd.match(envPattern);
+    if (match && DANGEROUS_ENV_VARS.has(match[0])) return true;
+    cmd = cmd.replace(/^[A-Za-z_][A-Za-z0-9_]*=\S*\s+/, "");
+  }
+  return false;
+}
+var ZSH_DANGEROUS_COMMANDS = /* @__PURE__ */ new Set([
+  "zmodload",
+  "emulate",
+  "sysopen",
+  "sysread",
+  "syswrite",
+  "sysseek",
+  "zpty",
+  "ztcp",
+  "zsocket",
+  "zf_rm",
+  "zf_mv",
+  "zf_ln",
+  "zf_chmod",
+  "zf_chown",
+  "zf_mkdir",
+  "zf_rmdir",
+  "zf_chgrp"
+]);
+var MAX_SUBCOMMANDS = 50;
+function detectInjectionPatterns(command) {
+  if (/>\(/.test(command)) return "Output process substitution >(...)";
+  if (/=\(/.test(command)) return "Zsh =(...) process substitution";
+  if (/\$\{[^}]*[`$]/.test(command)) return "Nested expansion in ${...}";
+  if (/[\x00-\x08\x0e-\x1f\x7f]/.test(command)) return "Control character injection";
+  if (/[\u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\u200B-\u200D\uFEFF]/.test(command)) {
+    return "Unicode whitespace injection";
+  }
+  if (/\w#/.test(command) && !/['"][^'"]*#/.test(command)) {
+    const stripped = command.replace(/'[^']*'/g, "").replace(/"[^"]*"/g, "");
+    if (/\w#/.test(stripped)) return "Mid-word comment injection";
+  }
+  if (/\\n/.test(command)) {
+    const stripped = command.replace(/'[^']*'/g, "");
+    if (/\$'[^']*\\n/.test(stripped)) return "Escaped newline in $'...' string";
+  }
+  return null;
+}
+function hasCommandSubstitution(command) {
+  return /\$\(/.test(command) || /`[^`]+`/.test(command) || /<\(/.test(command);
+}
+function hasUnquotedExpansion(command) {
+  let inSingle = false;
+  for (let i = 0; i < command.length; i++) {
+    const ch = command[i];
+    if (ch === "'" && !inSingle) {
+      inSingle = true;
+      continue;
+    }
+    if (ch === "'" && inSingle) {
+      inSingle = false;
+      continue;
+    }
+    if (inSingle) continue;
+    if (ch === "\\" && i + 1 < command.length) {
+      i++;
+      continue;
+    }
+    if (ch === "$" && i + 1 < command.length) {
+      const next = command[i + 1];
+      if (next === "(") continue;
+      if (next === "{" || next >= "A" && next <= "Z" || next >= "a" && next <= "z" || next === "_") {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+var WRAPPER_COMMANDS = ["sudo", "env", "nohup", "time", "nice", "ionice", "strace", "ltrace", "stdbuf"];
+var WRAPPER_WITH_DURATION = /* @__PURE__ */ new Set(["timeout"]);
+function stripEnvVars(cmd) {
+  let result = cmd.trim();
+  while (/^[A-Za-z_][A-Za-z0-9_]*=\S*\s/.test(result)) {
+    result = result.replace(/^[A-Za-z_][A-Za-z0-9_]*=\S*\s+/, "");
+  }
+  return result;
+}
+function stripWrappers(cmd) {
+  let result = cmd.trim();
+  let prev = "";
+  while (prev !== result) {
+    prev = result;
+    for (const prefix of WRAPPER_COMMANDS) {
+      if (result.startsWith(prefix + " ")) {
+        result = result.slice(prefix.length).trim();
+        while (result.startsWith("-")) {
+          const spaceIdx = result.indexOf(" ");
+          if (spaceIdx === -1) break;
+          result = result.slice(spaceIdx).trim();
+        }
+      }
+    }
+    for (const prefix of WRAPPER_WITH_DURATION) {
+      if (result.startsWith(prefix + " ")) {
+        result = result.slice(prefix.length).trim();
+        while (result.startsWith("-")) {
+          const spaceIdx = result.indexOf(" ");
+          if (spaceIdx === -1) break;
+          result = result.slice(spaceIdx).trim();
+        }
+        if (result && !result.startsWith("-")) {
+          const spaceIdx = result.indexOf(" ");
+          if (spaceIdx !== -1) {
+            result = result.slice(spaceIdx).trim();
+          }
+        }
+      }
+    }
+  }
+  return result;
+}
+function stripPrefixes(command) {
+  let cmd = command.trim();
+  let prev = "";
+  while (prev !== cmd) {
+    prev = cmd;
+    cmd = stripEnvVars(cmd);
+    cmd = stripWrappers(cmd);
+  }
+  return cmd;
+}
+function extractCommandName(command) {
+  const cmd = stripPrefixes(command);
+  const firstToken = cmd.split(/\s/)[0] ?? "";
+  const base = firstToken.includes("/") ? firstToken.split("/").pop() : firstToken;
+  return base;
+}
+function classifyGitCommand(command) {
+  if (/\bgit\s+--version\b/.test(command)) {
+    return { isReadOnly: true, isDestructive: false, reason: "git --version is read-only" };
+  }
+  if (/\bgit\s+--help\b/.test(command)) {
+    return { isReadOnly: true, isDestructive: false, reason: "git --help is read-only" };
+  }
+  if (/\bgit\s+(-c\s|--exec-path=|--config-env=)/.test(command)) {
+    return { isReadOnly: false, isDestructive: true, reason: "git config injection vector (-c/--exec-path/--config-env)" };
+  }
+  const match = command.match(/\bgit\s+(?:--[a-z-]+=?\S*\s+)*([a-z][a-z-]*)/);
+  if (!match) {
+    return { isReadOnly: false, isDestructive: false, reason: "Cannot parse git subcommand" };
+  }
+  const subcommand = match[1];
+  if (GIT_READ_ONLY_SUBCOMMANDS.has(subcommand)) {
+    const afterSubcmd = command.slice(command.indexOf(subcommand) + subcommand.length).trim();
+    const tokens = afterSubcmd.split(/\s+/).filter(Boolean);
+    const positional = tokens.filter((t) => !t.startsWith("-"));
+    const flags = tokens.filter((t) => t.startsWith("-"));
+    if (subcommand === "branch") {
+      if (hasTokenFlag(flags, "--list", "-l")) {
+        return { isReadOnly: true, isDestructive: false, reason: "git branch --list is read-only" };
+      }
+      if (hasTokenFlag(flags, "-d", "-D", "--delete")) {
+        return { isReadOnly: false, isDestructive: true, reason: "git branch delete" };
+      }
+      if (positional.length > 0) {
+        return { isReadOnly: false, isDestructive: false, reason: "git branch create" };
+      }
+    }
+    if (subcommand === "tag") {
+      if (hasTokenFlag(flags, "-l", "--list")) {
+        return { isReadOnly: true, isDestructive: false, reason: "git tag --list is read-only" };
+      }
+      if (hasTokenFlag(flags, "-d", "-D", "--delete")) {
+        return { isReadOnly: false, isDestructive: true, reason: "git tag delete" };
+      }
+      if (positional.length > 0) {
+        return { isReadOnly: false, isDestructive: false, reason: "git tag create" };
+      }
+    }
+    if (subcommand === "stash") {
+      const stashSubcmd = positional[0];
+      if (stashSubcmd === "list" || stashSubcmd === "show") {
+        return { isReadOnly: true, isDestructive: false, reason: `git stash ${stashSubcmd} is read-only` };
+      }
+      if (stashSubcmd === "drop" || stashSubcmd === "clear") {
+        return { isReadOnly: false, isDestructive: true, reason: "git stash destructive operation" };
+      }
+      return { isReadOnly: false, isDestructive: false, reason: "git stash mutating operation" };
+    }
+    if (subcommand === "reflog") {
+      const reflogSubcmd = positional[0];
+      if (!reflogSubcmd || reflogSubcmd === "show" || reflogSubcmd === "list") {
+        return { isReadOnly: true, isDestructive: false, reason: `git reflog${reflogSubcmd ? " " + reflogSubcmd : ""} is read-only` };
+      }
+      if (reflogSubcmd === "expire" || reflogSubcmd === "delete") {
+        return { isReadOnly: false, isDestructive: true, reason: `git reflog ${reflogSubcmd} is destructive` };
+      }
+      return { isReadOnly: false, isDestructive: false, reason: `git reflog ${reflogSubcmd} is mutating` };
+    }
+    if (subcommand === "config") {
+      if (hasTokenFlag(flags, "--set", "--add", "--unset", "--unset-all", "--replace-all", "--rename-section", "--remove-section")) {
+        return { isReadOnly: false, isDestructive: false, reason: "git config write operation" };
+      }
+      if (positional.length >= 2) {
+        return { isReadOnly: false, isDestructive: false, reason: "git config set key value" };
+      }
+    }
+    if (subcommand === "remote") {
+      const remoteSubcmd = positional[0];
+      if (remoteSubcmd && ["add", "remove", "rename", "set-url", "set-branches", "prune"].includes(remoteSubcmd)) {
+        return { isReadOnly: false, isDestructive: false, reason: "git remote mutating operation" };
+      }
+    }
+    for (const flag of flags) {
+      const flagName = flag.split("=")[0];
+      if (GIT_READ_ONLY_WRITE_FLAGS.has(flagName)) {
+        return { isReadOnly: false, isDestructive: false, reason: `git ${subcommand} with ${flagName} may write files` };
+      }
+    }
+    return { isReadOnly: true, isDestructive: false, reason: `git ${subcommand} is read-only` };
+  }
+  if (GIT_MUTATING_SUBCOMMANDS.has(subcommand)) {
+    for (const pattern of DESTRUCTIVE_PATTERNS) {
+      if (pattern.test(command)) {
+        return { isReadOnly: false, isDestructive: true, reason: `Destructive: ${pattern.source}` };
+      }
+    }
+    return { isReadOnly: false, isDestructive: false, reason: `git ${subcommand} is mutating` };
+  }
+  return { isReadOnly: false, isDestructive: false, reason: `Unknown git subcommand: ${subcommand}` };
+}
+function classifySingleCommand(command, config) {
+  const name = extractCommandName(command);
+  if (!name) {
+    return { isReadOnly: false, isDestructive: false, reason: "Empty command" };
+  }
+  const injectionReason = detectInjectionPatterns(command);
+  if (injectionReason) {
+    return {
+      isReadOnly: false,
+      isDestructive: true,
+      reason: `Injection detected: ${injectionReason}`
+    };
+  }
+  if (ZSH_DANGEROUS_COMMANDS.has(name)) {
+    return {
+      isReadOnly: false,
+      isDestructive: true,
+      reason: `Zsh dangerous command: ${name}`
+    };
+  }
+  const allDestructive = [
+    ...DESTRUCTIVE_PATTERNS,
+    ...config?.extraDestructivePatterns ?? []
+  ];
+  for (const pattern of allDestructive) {
+    if (pattern.test(command)) {
+      return {
+        isReadOnly: false,
+        isDestructive: true,
+        reason: `Matches destructive pattern: ${pattern.source}`
+      };
+    }
+  }
+  if (name === "git") {
+    return classifyGitCommand(command);
+  }
+  if (name === "xargs" && /\bgit\b/.test(command)) {
+    return classifyGitCommand(command);
+  }
+  if (hasCommandSubstitution(command)) {
+    return { isReadOnly: false, isDestructive: false, reason: `Command contains command substitution` };
+  }
+  if (hasUnquotedExpansion(command)) {
+    return { isReadOnly: false, isDestructive: false, reason: `Command contains unquoted variable expansion` };
+  }
+  if (hasDangerousEnvVars(command)) {
+    return { isReadOnly: false, isDestructive: false, reason: `Command uses dangerous environment variable prefix` };
+  }
+  if ((name === "echo" || name === "printf") && SAFE_ECHO_RE.test(stripPrefixes(command).trim())) {
+    return { isReadOnly: true, isDestructive: false, reason: `${name} with safe arguments is read-only` };
+  }
+  const conditionalCheck = CONDITIONAL_READ_ONLY[name];
+  if (conditionalCheck) {
+    const stripped = stripPrefixes(command).trim();
+    const tokens = stripped.split(/\s+/).slice(1);
+    if (conditionalCheck(command, tokens)) {
+      return { isReadOnly: true, isDestructive: false, reason: `${name} is read-only (flags validated)` };
+    }
+    return { isReadOnly: false, isDestructive: false, reason: `${name} has potentially dangerous flags` };
+  }
+  const extraReadOnly = new Set(config?.extraReadOnlyCommands ?? []);
+  if (READ_ONLY_COMMANDS.has(name) || extraReadOnly.has(name)) {
+    return { isReadOnly: true, isDestructive: false, reason: `${name} is read-only` };
+  }
+  return {
+    isReadOnly: false,
+    isDestructive: false,
+    reason: `${name} is not in the read-only allowlist`
+  };
+}
+function classifyCommand(command, config) {
+  if (!command.trim()) {
+    return { isReadOnly: true, isDestructive: false, reason: "Empty command" };
+  }
+  const subCommands = splitCompoundCommand(command);
+  if (subCommands.length === 0) {
+    return { isReadOnly: true, isDestructive: false, reason: "Empty command" };
+  }
+  if (subCommands.length > MAX_SUBCOMMANDS) {
+    return {
+      isReadOnly: false,
+      isDestructive: false,
+      reason: `Too many subcommands (${subCommands.length} > ${MAX_SUBCOMMANDS})`
+    };
+  }
+  if (subCommands.length > 1) {
+    const hasCd = subCommands.some((s) => /^(cd|pushd)\s/.test(s.trim()));
+    const hasGit = subCommands.some((s) => {
+      const n = extractCommandName(s);
+      return n === "git" || n === "xargs" && /\bgit\b/.test(s);
+    });
+    if (hasCd && hasGit) {
+      return {
+        isReadOnly: false,
+        isDestructive: false,
+        reason: "cd + git compound may escape working directory (bare-repo risk)"
+      };
+    }
+    if (hasGit && commandWritesGitInternals(command)) {
+      return {
+        isReadOnly: false,
+        isDestructive: true,
+        reason: "Compound command writes to git internal paths before running git"
+      };
+    }
+  }
+  let allReadOnly = true;
+  let anyDestructive = false;
+  const reasons = [];
+  for (const sub of subCommands) {
+    const result = classifySingleCommand(sub, config);
+    if (!result.isReadOnly) allReadOnly = false;
+    if (result.isDestructive) anyDestructive = true;
+    if (result.reason) reasons.push(result.reason);
+  }
+  return {
+    isReadOnly: allReadOnly,
+    isDestructive: anyDestructive,
+    reason: reasons.join("; ")
+  };
+}
+
+// src/permissions/pipeline.ts
+import * as path5 from "path";
+import * as fs2 from "fs";
+
+// src/tools/write.ts
+import * as nodePath from "path";
+
+// src/tools/prompts/write.ts
+var WRITE_PROMPT = `Writes a file to the local filesystem. Parent directories are created automatically if they don't exist.
+
+Usage:
+- This tool will overwrite the existing file if there is one at the provided path.
+- If this is an existing file, you MUST use the ReadFile tool first to read the file's contents. This tool will fail if you did not read the file first.
+- Prefer the EditFile tool for modifying existing files \u2014 it only sends the diff. Only use this tool to create new files or for complete rewrites.
+- NEVER create documentation files (*.md) or README files unless explicitly requested by the User.
+- Only use emojis if the user explicitly requests it. Avoid writing emojis to files unless asked.
+`;
+
+// src/tools/file-lock.ts
+var fileLocks = /* @__PURE__ */ new Map();
+async function withFileLock(filePath, fn) {
+  const prev = fileLocks.get(filePath) ?? Promise.resolve();
+  let release;
+  const lock = new Promise((resolve4) => {
+    release = resolve4;
+  });
+  fileLocks.set(filePath, lock);
+  await prev;
+  try {
+    return await fn();
+  } finally {
+    release();
+    if (fileLocks.get(filePath) === lock) {
+      fileLocks.delete(filePath);
+    }
+  }
+}
+
+// src/tools/write.ts
+var writeFileTool = {
+  name: "WriteFile",
+  description: "Create or overwrite a file with the given content. Parent directories are created automatically if they don't exist.",
+  prompt: WRITE_PROMPT,
+  isReadOnly: false,
+  checkPermissions(args, ctx) {
+    const filePath = args.file_path;
+    if (filePath.startsWith("\\\\") || filePath.startsWith("//")) {
+      return {
+        behavior: "deny",
+        message: "Error: UNC paths are not allowed"
+      };
+    }
+    if (isDangerousPath(filePath, ctx.cwd)) {
+      return {
+        behavior: "ask",
+        message: `Write targets sensitive path: ${filePath}`,
+        reason: "safetyCheck"
+      };
+    }
+    return {
+      behavior: "passthrough",
+      message: `Write to ${filePath}`
+    };
+  },
+  parameters: {
+    type: "object",
+    properties: {
+      file_path: {
+        type: "string",
+        description: "The path of the file to write (absolute or relative to cwd)"
+      },
+      content: {
+        type: "string",
+        description: "The content to write to the file"
+      }
+    },
+    required: ["file_path", "content"]
+  },
+  async call(args, ctx) {
+    const filePath = args.file_path;
+    const content = args.content;
+    try {
+      if (ctx.checkpointManager && ctx.currentMessageId) {
+        await ctx.checkpointManager.trackEdit(filePath, ctx.currentMessageId, ctx.sessionId ?? "");
+      }
+      const existed = await ctx.fs.exists(filePath);
+      if (existed && ctx.fileStateCache) {
+        const cached = ctx.fileStateCache.get(filePath);
+        if (!cached) {
+          return {
+            content: `Error: File ${filePath} exists but has not been read yet. Read it first before overwriting.`,
+            isError: true
+          };
+        }
+        try {
+          const stat = await ctx.fs.stat(filePath);
+          const mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
+          if (mtime > cached.timestamp) {
+            const currentContent = await ctx.fs.readFile(filePath);
+            if (currentContent !== cached.content) {
+              return {
+                content: `Error: ${filePath} has been modified since last read. Re-read the file before overwriting.`,
+                isError: true
+              };
+            }
+          }
+        } catch {
+        }
+      }
+      const dir = nodePath.dirname(filePath);
+      if (dir && dir !== "." && dir !== "/") {
+        await ctx.fs.mkdir(dir, { recursive: true }).catch(() => {
+        });
+      }
+      await withFileLock(filePath, async () => {
+        await ctx.fs.writeFile(filePath, content);
+      });
+      ctx.notifyHook?.("FileWrite", {
+        event: "FileWrite",
+        sessionId: ctx.sessionId ?? "",
+        toolName: "WriteFile",
+        filePath,
+        isNew: !existed
+      }).catch(() => {
+      });
+      if (ctx.fileStateCache) {
+        let mtime = 0;
+        try {
+          const stat = await ctx.fs.stat(filePath);
+          mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
+        } catch {
+        }
+        ctx.fileStateCache.set(filePath, {
+          content,
+          timestamp: mtime
+        });
+      }
+      return {
+        content: existed ? `File updated successfully at: ${filePath}` : `File created successfully at: ${filePath}`
+      };
+    } catch (err) {
+      return {
+        content: `Error writing file: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+
+// src/tools/edit.ts
+import * as nodePath2 from "path";
+
+// src/tools/edit-utils.ts
+var LEFT_SINGLE_CURLY = "\u2018";
+var RIGHT_SINGLE_CURLY = "\u2019";
+var LEFT_DOUBLE_CURLY = "\u201C";
+var RIGHT_DOUBLE_CURLY = "\u201D";
+function normalizeQuotes(str) {
+  return str.replaceAll(LEFT_SINGLE_CURLY, "'").replaceAll(RIGHT_SINGLE_CURLY, "'").replaceAll(LEFT_DOUBLE_CURLY, '"').replaceAll(RIGHT_DOUBLE_CURLY, '"');
+}
+function findActualString(fileContent, searchString) {
+  if (fileContent.includes(searchString)) {
+    return searchString;
+  }
+  const normalizedSearch = normalizeQuotes(searchString);
+  const normalizedFile = normalizeQuotes(fileContent);
+  const searchIndex = normalizedFile.indexOf(normalizedSearch);
+  if (searchIndex !== -1) {
+    return fileContent.substring(searchIndex, searchIndex + searchString.length);
+  }
+  return null;
+}
+function countOccurrences(haystack, needle) {
+  const normalizedNeedle = normalizeQuotes(needle);
+  const normalizedHaystack = normalizeQuotes(haystack);
+  let count = 0;
+  let pos = 0;
+  while (true) {
+    const idx = normalizedHaystack.indexOf(normalizedNeedle, pos);
+    if (idx === -1) break;
+    count++;
+    pos = idx + 1;
+  }
+  return count;
+}
+function usesCurlyQuotes(str) {
+  return {
+    singleCurly: str.includes(LEFT_SINGLE_CURLY) || str.includes(RIGHT_SINGLE_CURLY),
+    doubleCurly: str.includes(LEFT_DOUBLE_CURLY) || str.includes(RIGHT_DOUBLE_CURLY)
+  };
+}
+function preserveQuoteStyle(oldString, actualOldString, newString) {
+  if (oldString === actualOldString) {
+    return newString;
+  }
+  const fileStyle = usesCurlyQuotes(actualOldString);
+  let result = newString;
+  if (fileStyle.singleCurly) {
+    result = convertStraightToCurlySingle(result);
+  }
+  if (fileStyle.doubleCurly) {
+    result = convertStraightToCurlyDouble(result);
+  }
+  return result;
+}
+function convertStraightToCurlySingle(str) {
+  let result = "";
+  let inWord = false;
+  for (let i = 0; i < str.length; i++) {
+    const ch = str[i];
+    if (ch === "'") {
+      const prev = i > 0 ? str[i - 1] : " ";
+      if (/\s/.test(prev) || prev === "(" || prev === "[" || prev === "{") {
+        result += LEFT_SINGLE_CURLY;
+        inWord = true;
+      } else {
+        result += RIGHT_SINGLE_CURLY;
+        inWord = false;
+      }
+    } else {
+      result += ch;
+      inWord = /\w/.test(ch);
+    }
+  }
+  return result;
+}
+function convertStraightToCurlyDouble(str) {
+  let result = "";
+  let open = true;
+  for (let i = 0; i < str.length; i++) {
+    const ch = str[i];
+    if (ch === '"') {
+      result += open ? LEFT_DOUBLE_CURLY : RIGHT_DOUBLE_CURLY;
+      open = !open;
+    } else {
+      result += ch;
+    }
+  }
+  return result;
+}
+function stripTrailingWhitespace(str) {
+  const parts = str.split(/(\r\n|\n|\r)/);
+  const result = [];
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i];
+    if (i % 2 === 0) {
+      result.push(part.replace(/[\t ]+$/, ""));
+    } else {
+      result.push(part);
+    }
+  }
+  return result.join("");
+}
+
+// src/tools/prompts/edit.ts
+var EDIT_PROMPT = `Performs exact string replacements in files.
+
+Usage:
+- You must use the ReadFile tool at least once before editing a file. This tool will error if you attempt an edit without reading the file first.
+- When editing text from ReadFile output, ensure you preserve the exact indentation (tabs/spaces) as it appears AFTER the line number prefix. The line number prefix format is: spaces + line number + pipe. Everything after that is the actual file content to match. Never include any part of the line number prefix in the old_string or new_string.
+- ALWAYS prefer editing existing files in the codebase. NEVER write new files unless explicitly required.
+- Only use emojis if the user explicitly requests it. Avoid adding emojis to files unless asked.
+- The edit will FAIL if \`old_string\` is not unique in the file. Either provide a larger string with more surrounding context to make it unique or use \`replace_all\` to change every instance of \`old_string\`.
+- Use \`replace_all\` for replacing and renaming strings across the file. This parameter is useful if you want to rename a variable for instance.
+`;
+
+// src/tools/edit.ts
+var editFileTool = {
+  name: "EditFile",
+  description: "Edit a file by replacing an exact string match with new content. The old_string must match exactly (including whitespace and indentation). Set replace_all to true to replace all occurrences.",
+  prompt: EDIT_PROMPT,
+  isReadOnly: false,
+  checkPermissions(args, ctx) {
+    const filePath = args.file_path;
+    if (filePath.startsWith("\\\\") || filePath.startsWith("//")) {
+      return {
+        behavior: "deny",
+        message: "Error: UNC paths are not allowed"
+      };
+    }
+    if (isDangerousPath(filePath, ctx.cwd)) {
+      return {
+        behavior: "ask",
+        message: `Edit targets sensitive path: ${filePath}`,
+        reason: "safetyCheck"
+      };
+    }
+    return {
+      behavior: "passthrough",
+      message: `Edit ${filePath}`
+    };
+  },
+  parameters: {
+    type: "object",
+    properties: {
+      file_path: {
+        type: "string",
+        description: "The path of the file to edit"
+      },
+      old_string: {
+        type: "string",
+        description: "The exact string to find and replace"
+      },
+      new_string: {
+        type: "string",
+        description: "The replacement string"
+      },
+      replace_all: {
+        type: "boolean",
+        description: "If true, replace all occurrences of old_string. Defaults to false."
+      }
+    },
+    required: ["file_path", "old_string", "new_string"]
+  },
+  async call(args, ctx) {
+    const filePath = args.file_path;
+    const oldString = args.old_string;
+    const newString = args.new_string;
+    const replaceAll = args.replace_all ?? false;
+    if (filePath.endsWith(".ipynb")) {
+      return {
+        content: `Error: ${filePath} is a Jupyter Notebook. Use the NotebookEdit tool to edit notebook files.`,
+        isError: true
+      };
+    }
+    if (oldString === newString) {
+      return {
+        content: "No changes to make: old_string and new_string are exactly the same.",
+        isError: true
+      };
+    }
+    if (oldString === "") {
+      const exists = await ctx.fs.exists(filePath);
+      if (!exists) {
+        if (ctx.checkpointManager && ctx.currentMessageId) {
+          await ctx.checkpointManager.trackEdit(filePath, ctx.currentMessageId, ctx.sessionId ?? "");
+        }
+        await ctx.fs.writeFile(filePath, newString);
+        ctx.notifyHook?.("FileWrite", {
+          event: "FileWrite",
+          sessionId: ctx.sessionId ?? "",
+          toolName: "EditFile",
+          filePath,
+          isNew: true
+        }).catch(() => {
+        });
+        if (ctx.fileStateCache) {
+          ctx.fileStateCache.set(filePath, { content: newString, timestamp: Date.now() });
+        }
+        return { content: `Created new file ${filePath}.` };
+      }
+      const existing = await ctx.fs.readFile(filePath);
+      if (existing.trim() !== "") {
+        return {
+          content: "Error: old_string is empty but file already has content. Use WriteFile to overwrite, or provide the exact text to replace.",
+          isError: true
+        };
+      }
+      if (ctx.checkpointManager && ctx.currentMessageId) {
+        await ctx.checkpointManager.trackEdit(filePath, ctx.currentMessageId, ctx.sessionId ?? "");
+      }
+      await ctx.fs.writeFile(filePath, newString);
+      if (ctx.fileStateCache) {
+        ctx.fileStateCache.set(filePath, { content: newString, timestamp: Date.now() });
+      }
+      return { content: `File ${filePath} has been updated successfully.` };
+    }
+    const MAX_EDIT_FILE_SIZE = 1024 * 1024 * 1024;
+    try {
+      try {
+        const stat = await ctx.fs.stat(filePath);
+        if (stat.size !== void 0 && stat.size > MAX_EDIT_FILE_SIZE) {
+          return {
+            content: `Error: File is too large to edit (${Math.round(stat.size / 1024 / 1024)} MiB). Max: 1 GiB.`,
+            isError: true
+          };
+        }
+      } catch {
+      }
+      if (ctx.fileStateCache) {
+        const cached = ctx.fileStateCache.get(filePath);
+        if (!cached || cached.isPartialView) {
+          return {
+            content: `Error: File has not been read yet. Use ReadFile on ${filePath} before editing.`,
+            isError: true
+          };
+        }
+        try {
+          const stat = await ctx.fs.stat(filePath);
+          const mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
+          if (mtime > cached.timestamp) {
+            const currentContent = await ctx.fs.readFile(filePath);
+            if (currentContent !== cached.content) {
+              return {
+                content: `Error: ${filePath} has been modified since last read. Re-read the file before editing.`,
+                isError: true
+              };
+            }
+          }
+        } catch {
+        }
+      }
+      if (ctx.checkpointManager && ctx.currentMessageId) {
+        await ctx.checkpointManager.trackEdit(filePath, ctx.currentMessageId, ctx.sessionId ?? "");
+      }
+      const dir = nodePath2.dirname(filePath);
+      if (dir && dir !== "." && dir !== "/") {
+        await ctx.fs.mkdir(dir, { recursive: true }).catch(() => {
+        });
+      }
+      const updated = await withFileLock(filePath, async () => {
+        const rawContent = await ctx.fs.readFile(filePath);
+        const hasCRLF = rawContent.includes("\r\n");
+        const content = hasCRLF ? rawContent.replaceAll("\r\n", "\n") : rawContent;
+        const actualOldString = findActualString(content, oldString);
+        if (!actualOldString) {
+          return {
+            error: `Error: old_string not found in ${filePath}. Make sure the string matches exactly, including whitespace and indentation.`
+          };
+        }
+        if (!replaceAll) {
+          const count = content.split(actualOldString).length - 1;
+          if (count > 1) {
+            return {
+              error: `Error: old_string appears ${count} times in ${filePath}. Provide more context to make it unique, or set replace_all to true.`
+            };
+          }
+        }
+        const actualNewString = preserveQuoteStyle(oldString, actualOldString, newString);
+        let result;
+        if (replaceAll) {
+          result = content.split(actualOldString).join(actualNewString);
+        } else if (actualNewString === "") {
+          const hasTrailingNewline = !actualOldString.endsWith("\n") && content.includes(actualOldString + "\n");
+          const deleteTarget = hasTrailingNewline ? actualOldString + "\n" : actualOldString;
+          result = content.replace(deleteTarget, () => actualNewString);
+        } else {
+          result = content.replace(actualOldString, () => actualNewString);
+        }
+        if (hasCRLF) {
+          result = result.replaceAll("\n", "\r\n");
+        }
+        await ctx.fs.writeFile(filePath, result);
+        return { content: result };
+      });
+      if ("error" in updated) {
+        return { content: String(updated.error), isError: true };
+      }
+      const editedContent = updated.content;
+      ctx.notifyHook?.("FileWrite", {
+        event: "FileWrite",
+        sessionId: ctx.sessionId ?? "",
+        toolName: "EditFile",
+        filePath,
+        isNew: false
+      }).catch(() => {
+      });
+      if (ctx.fileStateCache) {
+        let mtime = 0;
+        try {
+          const stat = await ctx.fs.stat(filePath);
+          mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
+        } catch {
+        }
+        ctx.fileStateCache.set(filePath, {
+          content: editedContent,
+          timestamp: mtime
+        });
+      }
+      return {
+        content: `File ${filePath} has been updated successfully.`
+      };
+    } catch (err) {
+      return {
+        content: `Error editing file: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+
+// src/tools/shell-safety/git-tracking.ts
+function detectGitOperations(command, stdout) {
+  const events = [];
+  const cmd = command.trim();
+  if (/\bgit\s+commit\b/.test(cmd)) {
+    const shaMatch = stdout.match(/\[[\w/.-]+\s+([0-9a-f]{7,40})\]/);
+    const sha = shaMatch ? shaMatch[1] : "unknown";
+    events.push({ type: "commit", details: `commit ${sha}` });
+  }
+  if (/\bgit\s+merge\b/.test(cmd)) {
+    const branchMatch = cmd.match(/\bgit\s+merge\s+(?:--\S+\s+)*(\S+)/);
+    const branch = branchMatch ? branchMatch[1] : "unknown";
+    events.push({ type: "merge", details: `merge ${branch}` });
+  }
+  if (/\bgit\s+rebase\b/.test(cmd)) {
+    const branchMatch = cmd.match(/\bgit\s+rebase\s+(?:--\S+\s+)*(\S+)/);
+    const branch = branchMatch ? branchMatch[1] : "unknown";
+    events.push({ type: "rebase", details: `rebase onto ${branch}` });
+  }
+  if (/\bgit\s+push\b/.test(cmd)) {
+    const remoteMatch = cmd.match(/\bgit\s+push\s+(?:--\S+\s+)*(\S+)/);
+    const remote = remoteMatch ? remoteMatch[1] : "origin";
+    const branchMatch = stdout.match(/\S+\s+->\s+(\S+)/);
+    const branch = branchMatch ? branchMatch[1] : "";
+    events.push({
+      type: "push",
+      details: `push to ${remote}${branch ? ` (${branch})` : ""}`
+    });
+  }
+  if (/\b(gh\s+pr\s+create|glab\s+mr\s+create)\b/.test(cmd)) {
+    const urlMatch = stdout.match(/(https?:\/\/\S+(?:pull|merge_requests)\/\d+)/);
+    const url = urlMatch ? urlMatch[1] : "";
+    events.push({
+      type: "pr_create",
+      details: url ? `PR created: ${url}` : "PR created"
+    });
+  }
+  return events;
+}
+function hasGitIndexLockError(output) {
+  return /\.git\/index\.lock/.test(output);
+}
+
+// src/tools/prompts/bash.ts
+var BASH_PROMPT = `Executes a given bash command and returns its output.
+
+The working directory persists between commands, but shell state does not.
+
+IMPORTANT: Avoid using this tool to run \`find\`, \`grep\`, \`cat\`, \`head\`, \`tail\`, \`sed\`, \`awk\`, or \`echo\` commands, unless explicitly instructed or after you have verified that a dedicated tool cannot accomplish your task. Instead, use the appropriate dedicated tool:
+
+- File search: Use Glob (NOT find or ls)
+- Content search: Use Grep (NOT grep or rg)
+- Read files: Use ReadFile (NOT cat/head/tail)
+- Edit files: Use EditFile (NOT sed/awk)
+- Write files: Use WriteFile (NOT echo >/cat <<EOF)
+- Communication: Output text directly (NOT echo/printf)
+
+While the Bash tool can do similar things, the built-in tools are preferred as they provide better structured output and integrate with the permission system.
+
+# Instructions
+
+- If your command will create new directories or files, first use this tool to run \`ls\` to verify the parent directory exists and is the correct location.
+- Always quote file paths that contain spaces with double quotes (e.g., cd "path with spaces/file.txt").
+- Try to maintain your current working directory throughout the session by using absolute paths and avoiding usage of \`cd\`. You may use \`cd\` if the User explicitly requests it.
+- You may specify an optional timeout in milliseconds (up to 600000ms / 10 minutes). By default, your command will timeout after 30000ms (0.5 minutes).
+- When issuing multiple commands:
+  - If the commands are independent and can run in parallel, make multiple Bash tool calls in a single message.
+  - If the commands depend on each other and must run sequentially, use a single Bash call with '&&' to chain them together.
+  - Use ';' only when you need to run commands sequentially but don't care if earlier commands fail.
+  - DO NOT use newlines to separate commands (newlines are ok in quoted strings).
+- For git commands:
+  - Prefer to create a new commit rather than amending an existing commit.
+  - Before running destructive operations (e.g., git reset --hard, git push --force, git checkout --), consider whether there is a safer alternative. Only use destructive operations when they are truly the best approach.
+  - Never skip hooks (--no-verify) or bypass signing (--no-gpg-sign) unless the user has explicitly asked for it. If a hook fails, investigate and fix the underlying issue.
+- Avoid unnecessary \`sleep\` commands:
+  - Do not sleep between commands that can run immediately \u2014 just run them.
+  - Do not retry failing commands in a sleep loop \u2014 diagnose the root cause.
+  - If you must sleep, keep the duration short (1-5 seconds) to avoid blocking the user.
+`;
+
+// src/tools/bash.ts
+var MAX_OUTPUT_CHARS = 1e5;
+var NON_ERROR_EXIT1_COMMANDS = /* @__PURE__ */ new Set([
+  "grep",
+  "egrep",
+  "fgrep",
+  "rg",
+  "ag",
+  "ack",
+  "diff",
+  "comm"
+]);
+function isExpectedNonZeroExit(command, exitCode) {
+  if (exitCode !== 1) return false;
+  const name = extractCommandName(command);
+  return NON_ERROR_EXIT1_COMMANDS.has(name);
+}
+var bashTool = {
+  name: "Bash",
+  description: "Execute a bash shell command. Use this for running scripts, installing packages, git operations, and other system commands.",
+  prompt: BASH_PROMPT,
+  isReadOnly(args) {
+    const command = args.command;
+    return classifyCommand(command).isReadOnly;
+  },
+  isDestructive(args) {
+    const command = args.command;
+    return classifyCommand(command).isDestructive;
+  },
+  checkPermissions(args) {
+    const command = args.command;
+    const classification = classifyCommand(command);
+    if (classification.isDestructive) {
+      return {
+        behavior: "ask",
+        message: `Destructive command: ${command}${classification.reason ? ` (${classification.reason})` : ""}`
+      };
+    }
+    if (commandWritesGitInternals(command)) {
+      return {
+        behavior: "ask",
+        message: `Command writes to .git/ internals: ${command}`
+      };
+    }
+    return {
+      behavior: "passthrough",
+      message: `Execute: ${command}`
+    };
+  },
+  parameters: {
+    type: "object",
+    properties: {
+      command: {
+        type: "string",
+        description: "The bash command to execute"
+      },
+      timeout: {
+        type: "number",
+        description: "Timeout in milliseconds (default: 30000)"
+      },
+      description: {
+        type: "string",
+        description: "Short description of what this command does (5-10 words)"
+      }
+    },
+    required: ["command"]
+  },
+  async call(args, ctx) {
+    const command = args.command;
+    const timeout = args.timeout;
+    try {
+      const result = await ctx.computer.executeCommand(command, {
+        timeout,
+        cwd: ctx.cwd
+      });
+      let output = "";
+      if (result.stdout) {
+        output += result.stdout;
+      }
+      if (result.stderr) {
+        if (output) output += "\n";
+        output += `STDERR:
+${result.stderr}`;
+      }
+      if (!output.trim()) {
+        output = "(no output)";
+      }
+      if (output.length > MAX_OUTPUT_CHARS) {
+        const headSize = Math.floor(MAX_OUTPUT_CHARS * 0.8);
+        const tailSize = MAX_OUTPUT_CHARS - headSize;
+        const dropped = output.length - MAX_OUTPUT_CHARS;
+        output = output.slice(0, headSize) + `
+
+... ${dropped} chars truncated ...
+
+` + output.slice(-tailSize);
+      }
+      const isSemanticError = result.exitCode !== 0 && !isExpectedNonZeroExit(command, result.exitCode);
+      if (result.exitCode !== 0) {
+        output = `Exit code: ${result.exitCode}
+${output}`;
+      }
+      const toolResult = {
+        content: output,
+        isError: isSemanticError
+      };
+      if (result.exitCode === 0) {
+        const gitOps = detectGitOperations(command, result.stdout ?? "");
+        if (gitOps.length > 0) {
+          toolResult.metadata = { gitOperations: gitOps };
+        }
+      }
+      return toolResult;
+    } catch (err) {
+      return {
+        content: `Error executing command: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+
+// src/tools/glob.ts
+import * as path3 from "path";
+
+// src/tools/prompts/glob.ts
+var GLOB_PROMPT = `Fast file pattern matching tool that works with any codebase size.
+
+- Supports glob patterns like "**/*.js" or "src/**/*.ts"
+- Returns matching file paths sorted by modification time
+- Use this tool when you need to find files by name patterns
+- When you are doing an open-ended search that may require multiple rounds of globbing and grepping, use the Agent tool instead
+`;
+
+// src/utils/shell-escape.ts
+function shellEscape(s) {
+  return "'" + s.replace(/'/g, "'\\''") + "'";
+}
+
+// src/tools/glob.ts
+var MAX_RESULTS = 200;
+var globTool = {
+  name: "Glob",
+  description: "Find files matching a glob pattern. Uses ripgrep (rg --files --glob) for fast, gitignore-aware file discovery. Returns matching file paths sorted by modification time.",
+  prompt: GLOB_PROMPT,
+  isReadOnly: true,
+  isConcurrencySafe: true,
+  parameters: {
+    type: "object",
+    properties: {
+      pattern: {
+        type: "string",
+        description: 'Glob pattern to match files (e.g. "*.ts", "src/**/*.tsx")'
+      },
+      path: {
+        type: "string",
+        description: "Directory to search in (defaults to cwd)"
+      }
+    },
+    required: ["pattern"]
+  },
+  async call(args, ctx) {
+    const pattern = args.pattern;
+    const searchPath = args.path ?? ctx.cwd;
+    const fullPattern = pattern.startsWith("**/") || path3.isAbsolute(pattern) ? pattern : `**/${pattern}`;
+    const resolvedPath = searchPath === ctx.cwd ? "." : searchPath;
+    const command = `rg --files --hidden --glob ${shellEscape(fullPattern)} --sortr=modified ${shellEscape(resolvedPath)} | head -n ${String(MAX_RESULTS + 1)}`;
+    try {
+      let result = await ctx.computer.executeCommand(command, {
+        cwd: ctx.cwd
+      });
+      if (result.exitCode === 127 || result.stderr?.includes("not found")) {
+        const findCommand = `find ${shellEscape(resolvedPath)} -name ${shellEscape(pattern)} -type f | head -n ${String(MAX_RESULTS + 1)}`;
+        result = await ctx.computer.executeCommand(findCommand, {
+          cwd: ctx.cwd
+        });
+      }
+      if (result.exitCode > 1) {
+        return {
+          content: `Glob error: ${result.stderr || result.stdout}`,
+          isError: true
+        };
+      }
+      const lines = result.stdout.split("\n").filter((l) => l.trim() !== "");
+      if (lines.length === 0) {
+        return { content: "No files found matching the pattern." };
+      }
+      const truncated = lines.length > MAX_RESULTS;
+      const files = truncated ? lines.slice(0, MAX_RESULTS) : lines;
+      let output = files.join("\n");
+      if (truncated) {
+        output += `
+
+(Results truncated. More than ${MAX_RESULTS} files match.)`;
+      }
+      return { content: output };
+    } catch (err) {
+      return {
+        content: `Error searching files: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+
+// src/tools/prompts/grep.ts
+var GREP_PROMPT = `A powerful search tool built on ripgrep.
+
+Usage:
+- ALWAYS use Grep for search tasks. NEVER invoke \`grep\` or \`rg\` as a Bash command. The Grep tool has been optimized for correct permissions and access.
+- Supports full regex syntax (e.g., "log.*Error", "function\\s+\\w+")
+- Filter files with the glob parameter (e.g., "*.js", "**/*.tsx")
+- Returns matching lines with file paths and line numbers
+- Use the Agent tool for open-ended searches requiring multiple rounds
+- Pattern syntax: Uses ripgrep (not grep) \u2014 literal braces need escaping (use \`interface\\{\\}\` to find \`interface{}\` in Go code)
+- Multiline matching: By default patterns match within single lines only. For cross-line patterns like \`struct \\{[\\s\\S]*?field\`, pass a context_lines parameter.
+`;
+
+// src/tools/grep.ts
+var MAX_MATCHES = 250;
+var grepTool = {
+  name: "Grep",
+  description: "Search file contents using ripgrep (rg). Supports regex patterns. Returns matching lines with file paths and line numbers.",
+  prompt: GREP_PROMPT,
+  isReadOnly: true,
+  isConcurrencySafe: true,
+  parameters: {
+    type: "object",
+    properties: {
+      pattern: {
+        type: "string",
+        description: "Regular expression pattern to search for"
+      },
+      path: {
+        type: "string",
+        description: "File or directory to search in (defaults to cwd)"
+      },
+      glob: {
+        type: "string",
+        description: 'Glob pattern to filter files (e.g. "*.ts", "*.{js,jsx}")'
+      },
+      case_insensitive: {
+        type: "boolean",
+        description: "Case insensitive search (default: false)"
+      },
+      context_lines: {
+        type: "number",
+        description: "Number of context lines to show before and after each match"
+      }
+    },
+    required: ["pattern"]
+  },
+  async call(args, ctx) {
+    const pattern = args.pattern;
+    const searchPath = args.path ?? ctx.cwd;
+    const glob = args.glob;
+    const caseInsensitive = args.case_insensitive;
+    const contextLines = args.context_lines;
+    const rgArgs = [
+      "rg",
+      "--line-number",
+      "--no-heading",
+      "--color=never",
+      "--hidden",
+      "--glob",
+      "'!.git'",
+      "--glob",
+      "'!.svn'",
+      "--glob",
+      "'!.hg'",
+      "--glob",
+      "'!.bzr'",
+      "--glob",
+      "'!.jj'",
+      "--glob",
+      "'!.sl'",
+      "--max-columns",
+      "500",
+      `--max-count=${MAX_MATCHES}`
+    ];
+    if (caseInsensitive) rgArgs.push("-i");
+    if (contextLines !== void 0) rgArgs.push(`-C${contextLines}`);
+    if (glob) rgArgs.push(`--glob`, shellEscape(glob));
+    const resolvedPath = searchPath === ctx.cwd ? "." : searchPath;
+    rgArgs.push("--", shellEscape(pattern), shellEscape(resolvedPath));
+    const command = rgArgs.join(" ");
+    try {
+      const result = await ctx.computer.executeCommand(command, {
+        cwd: ctx.cwd
+      });
+      if (result.exitCode === 1 && !result.stdout.trim()) {
+        return { content: "No matches found." };
+      }
+      if (result.exitCode > 1) {
+        return {
+          content: `Grep error: ${result.stderr || result.stdout}`,
+          isError: true
+        };
+      }
+      const lines = result.stdout.split("\n");
+      let output = result.stdout;
+      if (lines.length > MAX_MATCHES) {
+        output = lines.slice(0, MAX_MATCHES).join("\n") + `
+
+(Results truncated at ${MAX_MATCHES} matches.)`;
+      }
+      return { content: output || "No matches found." };
+    } catch (err) {
+      return {
+        content: `Error searching: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+
+// src/tools/web-fetch.ts
+import * as dns from "dns";
+
+// src/tools/prompts/web-fetch.ts
+var WEB_FETCH_PROMPT = `Fetches content from a specified URL and returns it in a readable format.
+
+- Takes a URL and fetches the page content, converting HTML to markdown
+- Returns the processed content for analysis
+- Use this tool when you need to retrieve and analyze web content
+
+Usage notes:
+- The URL must be a fully-formed valid URL
+- HTTP URLs will be automatically upgraded to HTTPS
+- This tool is read-only and does not modify any files
+- Results may be summarized if the content is very large
+- When a URL redirects to a different host, the tool will inform you and provide the redirect URL. You should then make a new WebFetch request with the redirect URL.
+- For GitHub URLs, prefer using the gh CLI via Bash instead (e.g., gh pr view, gh issue view, gh api).
+`;
+
+// src/tools/web-fetch.ts
+function stripWww(hostname) {
+  return hostname.replace(/^www\./, "");
+}
+var MAX_CONTENT_LENGTH = 5 * 1024 * 1024;
+var FETCH_TIMEOUT_MS = 3e4;
+var MAX_OUTPUT_CHARS2 = 1e5;
+var MAX_REDIRECTS = 5;
+function isPrivateIP(ip) {
+  const stripped = ip.replace(/^\[|\]$/g, "");
+  if (stripped === "::1" || stripped === "0.0.0.0" || stripped === "::") return true;
+  if (stripped.startsWith("fe80:")) return true;
+  const firstTwo = stripped.slice(0, 2).toLowerCase();
+  if (firstTwo === "fc" || firstTwo === "fd") return true;
+  if (stripped.toLowerCase().startsWith("::ffff:")) {
+    const embedded = stripped.slice(7);
+    return embedded.includes(".") ? isPrivateIP(embedded) : true;
+  }
+  const parts = stripped.split(".");
+  if (parts.length === 4 && parts.every((p) => /^\d+$/.test(p))) {
+    const [a, b] = parts.map(Number);
+    if (a === 127) return true;
+    if (a === 10) return true;
+    if (a === 172 && b >= 16 && b <= 31) return true;
+    if (a === 192 && b === 168) return true;
+    if (a === 169 && b === 254) return true;
+    if (a === 0) return true;
+  }
+  return false;
+}
+function isPrivateHost(hostname) {
+  if (hostname === "localhost" || hostname === "[::1]" || hostname === "0.0.0.0") {
+    return true;
+  }
+  if (isPrivateIP(hostname)) return true;
+  if (hostname.startsWith("fe80:") || hostname.startsWith("[fe80:")) return true;
+  return false;
+}
+async function checkDnsRebinding(hostname) {
+  if (/^\d+\.\d+\.\d+\.\d+$/.test(hostname) || hostname.includes(":")) {
+    return isPrivateIP(hostname) ? hostname : null;
+  }
+  try {
+    const addrs = await dns.promises.resolve4(hostname);
+    for (const addr of addrs) {
+      if (isPrivateIP(addr)) return addr;
+    }
+  } catch {
+  }
+  try {
+    const addrs6 = await dns.promises.resolve6(hostname);
+    for (const addr of addrs6) {
+      if (isPrivateIP(addr)) return addr;
+    }
+  } catch {
+  }
+  return null;
+}
+var webFetchTool = {
+  name: "WebFetch",
+  description: "Fetch a URL and return its contents as markdown. Useful for reading web pages, documentation, API responses, and other online content. Provide an optional prompt to extract specific information.",
+  prompt: WEB_FETCH_PROMPT,
+  isReadOnly: true,
+  isConcurrencySafe: true,
+  parameters: {
+    type: "object",
+    properties: {
+      url: {
+        type: "string",
+        description: "The URL to fetch (must be a valid http/https URL)"
+      },
+      prompt: {
+        type: "string",
+        description: "Optional instruction for what to extract from the page content"
+      }
+    },
+    required: ["url"]
+  },
+  async call(args, _ctx) {
+    const url = args.url;
+    const prompt = args.prompt;
+    let parsedUrl;
+    try {
+      parsedUrl = new URL(url);
+    } catch {
+      return { content: `Invalid URL: ${url}`, isError: true };
+    }
+    if (parsedUrl.username || parsedUrl.password) {
+      return { content: `Blocked: URLs with embedded credentials are not allowed`, isError: true };
+    }
+    if (parsedUrl.protocol === "http:") {
+      parsedUrl.protocol = "https:";
+    }
+    if (isPrivateHost(parsedUrl.hostname)) {
+      return { content: `Blocked: "${parsedUrl.hostname}" resolves to a private/internal address`, isError: true };
+    }
+    const rebindIP = await checkDnsRebinding(parsedUrl.hostname);
+    if (rebindIP) {
+      return { content: `Blocked: "${parsedUrl.hostname}" resolves to private address ${rebindIP}`, isError: true };
+    }
+    try {
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+      let currentUrl = parsedUrl.toString();
+      const originalHost = stripWww(parsedUrl.hostname);
+      let response;
+      for (let redirects = 0; redirects <= MAX_REDIRECTS; redirects++) {
+        response = await fetch(currentUrl, {
+          signal: controller.signal,
+          headers: {
+            "User-Agent": "noumen-agent/1.0",
+            Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,text/plain;q=0.8,*/*;q=0.7"
+          },
+          redirect: "manual"
+        });
+        if (response.status >= 300 && response.status < 400) {
+          const location = response.headers.get("location");
+          if (!location) break;
+          const redirectUrl = new URL(location, currentUrl);
+          if (stripWww(redirectUrl.hostname) !== originalHost) {
+            clearTimeout(timeoutId);
+            return { content: `Blocked: redirect to different host "${redirectUrl.hostname}" (original: "${parsedUrl.hostname}")`, isError: true };
+          }
+          if (isPrivateHost(redirectUrl.hostname)) {
+            clearTimeout(timeoutId);
+            return { content: `Blocked: redirect to private/internal address "${redirectUrl.hostname}"`, isError: true };
+          }
+          const redirectRebind = await checkDnsRebinding(redirectUrl.hostname);
+          if (redirectRebind) {
+            clearTimeout(timeoutId);
+            return { content: `Blocked: redirect target "${redirectUrl.hostname}" resolves to private address ${redirectRebind}`, isError: true };
+          }
+          currentUrl = redirectUrl.toString();
+          continue;
+        }
+        break;
+      }
+      clearTimeout(timeoutId);
+      if (!response || !response.ok) {
+        return {
+          content: `HTTP ${response?.status ?? "unknown"}: ${response?.statusText ?? "no response"}`,
+          isError: true
+        };
+      }
+      const contentType = response.headers.get("content-type") ?? "";
+      const contentLength = parseInt(
+        response.headers.get("content-length") ?? "0",
+        10
+      );
+      if (contentLength > MAX_CONTENT_LENGTH) {
+        return {
+          content: `Response too large (${contentLength} bytes, limit ${MAX_CONTENT_LENGTH})`,
+          isError: true
+        };
+      }
+      let text = "";
+      let bytesRead = 0;
+      const reader = response.body?.getReader();
+      const decoder = new TextDecoder();
+      if (reader) {
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+          bytesRead += value.byteLength;
+          if (bytesRead > MAX_CONTENT_LENGTH) {
+            reader.cancel();
+            return {
+              content: `Response too large (>${MAX_CONTENT_LENGTH} bytes streamed, limit ${MAX_CONTENT_LENGTH})`,
+              isError: true
+            };
+          }
+          text += decoder.decode(value, { stream: true });
+        }
+        text += decoder.decode();
+      } else {
+        text = await response.text();
+      }
+      let markdown;
+      if (contentType.includes("text/html") || contentType.includes("xhtml")) {
+        const { NodeHtmlMarkdown } = await import("node-html-markdown");
+        markdown = NodeHtmlMarkdown.translate(text);
+      } else {
+        markdown = text;
+      }
+      if (markdown.length > MAX_OUTPUT_CHARS2) {
+        const totalChars = markdown.length;
+        markdown = markdown.slice(0, MAX_OUTPUT_CHARS2) + `
+
+... content truncated (${totalChars} total chars)`;
+      }
+      let result = `# Content from ${url}
+
+${markdown}`;
+      if (prompt) {
+        result = `## Extraction prompt: ${prompt}
+
+${result}`;
+      }
+      return { content: result };
+    } catch (err) {
+      if (err instanceof Error && err.name === "AbortError") {
+        return { content: `Fetch timed out after ${FETCH_TIMEOUT_MS}ms`, isError: true };
+      }
+      return {
+        content: `Fetch error: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+
+// src/tools/prompts/notebook.ts
+var NOTEBOOK_PROMPT = `Completely replaces the contents of a specific cell in a Jupyter notebook (.ipynb file) with new source. Jupyter notebooks are interactive documents that combine code, text, and visualizations, commonly used for data analysis and scientific computing. The notebook_path parameter must be an absolute path, not a relative path. The cell_number is 0-indexed. Use edit_mode=insert to add a new cell at the index specified by cell_number. Use edit_mode=delete to delete the cell at the index specified by cell_number.`;
+
+// src/tools/notebook.ts
+var notebookEditTool = {
+  name: "NotebookEdit",
+  description: "Edit a Jupyter notebook (.ipynb) file. Can replace, insert, or delete cells. The notebook is pure JSON \u2014 no kernel execution.",
+  prompt: NOTEBOOK_PROMPT,
+  isReadOnly: false,
+  isConcurrencySafe: false,
+  parameters: {
+    type: "object",
+    properties: {
+      notebook_path: {
+        type: "string",
+        description: "Path to the .ipynb file"
+      },
+      cell_index: {
+        type: "number",
+        description: "0-based index of the cell to edit. For insert, the new cell is placed at this index."
+      },
+      new_source: {
+        type: "string",
+        description: "The new cell source content. Each line becomes an element in the source array."
+      },
+      cell_type: {
+        type: "string",
+        description: 'Cell type: "code" or "markdown" (default: "code")'
+      },
+      edit_mode: {
+        type: "string",
+        description: '"replace" (default) \u2014 replace existing cell source; "insert" \u2014 insert a new cell at cell_index; "delete" \u2014 delete the cell at cell_index (new_source is ignored)'
+      }
+    },
+    required: ["notebook_path", "cell_index"]
+  },
+  async call(args, ctx) {
+    const path6 = args.notebook_path;
+    const cellIndex = args.cell_index;
+    const newSource = args.new_source ?? "";
+    const cellType = args.cell_type ?? "code";
+    const editMode = args.edit_mode ?? "replace";
+    try {
+      const raw = await ctx.fs.readFile(path6);
+      let notebook;
+      try {
+        notebook = JSON.parse(raw);
+      } catch {
+        return { content: `Not a valid JSON notebook: ${path6}`, isError: true };
+      }
+      if (!Array.isArray(notebook.cells)) {
+        return { content: "Notebook has no cells array.", isError: true };
+      }
+      const sourceLines = newSource.split("\n").map(
+        (line, i, arr) => i < arr.length - 1 ? line + "\n" : line
+      );
+      switch (editMode) {
+        case "replace": {
+          if (cellIndex < 0 || cellIndex >= notebook.cells.length) {
+            return {
+              content: `Cell index ${cellIndex} out of range (0-${notebook.cells.length - 1}).`,
+              isError: true
+            };
+          }
+          notebook.cells[cellIndex].source = sourceLines;
+          notebook.cells[cellIndex].cell_type = cellType;
+          break;
+        }
+        case "insert": {
+          if (cellIndex < 0 || cellIndex > notebook.cells.length) {
+            return {
+              content: `Insert index ${cellIndex} out of range (0-${notebook.cells.length}).`,
+              isError: true
+            };
+          }
+          const newCell = {
+            cell_type: cellType,
+            source: sourceLines,
+            metadata: {},
+            ...cellType === "code" ? { outputs: [], execution_count: null } : {}
+          };
+          notebook.cells.splice(cellIndex, 0, newCell);
+          break;
+        }
+        case "delete": {
+          if (cellIndex < 0 || cellIndex >= notebook.cells.length) {
+            return {
+              content: `Cell index ${cellIndex} out of range (0-${notebook.cells.length - 1}).`,
+              isError: true
+            };
+          }
+          notebook.cells.splice(cellIndex, 1);
+          break;
+        }
+        default:
+          return {
+            content: `Unknown edit_mode: ${editMode}. Use "replace", "insert", or "delete".`,
+            isError: true
+          };
+      }
+      await ctx.fs.writeFile(path6, JSON.stringify(notebook, null, 1) + "\n");
+      const action = editMode === "delete" ? `Deleted cell ${cellIndex}` : editMode === "insert" ? `Inserted new ${cellType} cell at index ${cellIndex}` : `Replaced cell ${cellIndex} content`;
+      return { content: `${action} in ${path6}. Notebook now has ${notebook.cells.length} cells.` };
+    } catch (err) {
+      return {
+        content: `Error editing notebook: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+
+// src/tools/ask-user.ts
+var askUserTool = {
+  name: "AskUser",
+  description: "Ask the user a question and wait for their response. Use when you need clarification, confirmation, or additional information before proceeding.",
+  isReadOnly: true,
+  isConcurrencySafe: false,
+  requiresUserInteraction: true,
+  parameters: {
+    type: "object",
+    properties: {
+      question: {
+        type: "string",
+        description: "The question to ask the user"
+      }
+    },
+    required: ["question"]
+  },
+  async call(args, ctx) {
+    const question = args.question;
+    if (!ctx.userInputHandler) {
+      return {
+        content: "Cannot ask user: no userInputHandler configured. Set userInputHandler in AgentOptions or ThreadConfig.",
+        isError: true
+      };
+    }
+    try {
+      const answer = await ctx.userInputHandler(question);
+      return { content: answer };
+    } catch (err) {
+      return {
+        content: `Error getting user input: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+
+// src/tools/registry.ts
+function resolveToolPrompt(tool) {
+  if (tool.prompt === void 0) return tool.description;
+  return typeof tool.prompt === "function" ? tool.prompt() : tool.prompt;
+}
+function resolveToolFlag(flag, args, defaultValue = false) {
+  if (flag === void 0) return defaultValue;
+  if (typeof flag === "function") {
+    try {
+      return flag(args);
+    } catch {
+      return defaultValue;
+    }
+  }
+  return flag;
+}
+var ToolRegistry = class {
+  tools = /* @__PURE__ */ new Map();
+  _discoveredTools = /* @__PURE__ */ new Set();
+  _toolSearchEnabled = false;
+  constructor(additionalTools) {
+    const builtIn = [
+      readFileTool,
+      writeFileTool,
+      editFileTool,
+      bashTool,
+      globTool,
+      grepTool,
+      webFetchTool,
+      notebookEditTool,
+      askUserTool
+    ];
+    for (const tool of builtIn) {
+      this.tools.set(tool.name, tool);
+    }
+    if (additionalTools) {
+      for (const tool of additionalTools) {
+        this.tools.set(tool.name, tool);
+      }
+    }
+  }
+  enableToolSearch() {
+    this._toolSearchEnabled = true;
+  }
+  register(tool) {
+    this.tools.set(tool.name, tool);
+  }
+  get(name) {
+    return this.tools.get(name);
+  }
+  async execute(name, args, ctx) {
+    const tool = this.tools.get(name);
+    if (!tool) {
+      return {
+        content: `Unknown tool: ${name}`,
+        isError: true
+      };
+    }
+    let validatedArgs = args;
+    if (tool.inputSchema) {
+      const parsed = tool.inputSchema.safeParse(args);
+      if (!parsed.success) {
+        return {
+          content: formatZodValidationError(name, parsed.error),
+          isError: true
+        };
+      }
+      validatedArgs = parsed.data;
+    }
+    try {
+      return await tool.call(validatedArgs, ctx);
+    } catch (err) {
+      return {
+        content: `Error executing ${name}: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+  toToolDefinitions() {
+    return Array.from(this.tools.values()).map((tool) => ({
+      type: "function",
+      function: {
+        name: tool.name,
+        description: resolveToolPrompt(tool),
+        parameters: tool.parameters
+      }
+    }));
+  }
+  /**
+   * Get tool definitions filtered by tool search. Eager tools (always sent)
+   * plus any deferred tools the model has discovered via ToolSearch.
+   * Falls back to all tools when tool search is not enabled.
+   */
+  getActiveToolDefinitions() {
+    if (!this._toolSearchEnabled) return this.toToolDefinitions();
+    return Array.from(this.tools.values()).filter((tool) => !isDeferredTool(tool) || this._discoveredTools.has(tool.name)).map((tool) => ({
+      type: "function",
+      function: {
+        name: tool.name,
+        description: resolveToolPrompt(tool),
+        parameters: tool.parameters
+      }
+    }));
+  }
+  getEagerTools() {
+    return Array.from(this.tools.values()).filter((tool) => !isDeferredTool(tool));
+  }
+  getDeferredTools() {
+    return Array.from(this.tools.values()).filter(isDeferredTool);
+  }
+  getToolsByNames(names) {
+    return names.map((name) => this.tools.get(name)).filter((t) => t !== void 0);
+  }
+  markDiscovered(names) {
+    for (const name of names) {
+      this._discoveredTools.add(name);
+    }
+  }
+  get discoveredTools() {
+    return this._discoveredTools;
+  }
+  listTools() {
+    return Array.from(this.tools.values());
+  }
+};
+
+// src/permissions/helpers.ts
+import * as path4 from "path";
+var ACCEPT_EDITS_BASH_ALLOWLIST = /* @__PURE__ */ new Set([
+  "mkdir",
+  "touch",
+  "mv",
+  "cp",
+  "sed",
+  "chmod"
+]);
+function extractContentHint(tool, input) {
+  if (typeof input.file_path === "string") return input.file_path;
+  if (typeof input.command === "string") return input.command;
+  if (typeof input.path === "string") return input.path;
+  return void 0;
+}
+function resolveAcceptEditsDecision(params) {
+  const { toolName, input, effectiveInput, isReadOnly, isDestructive, workingDirectories } = params;
+  if (isDestructive) {
+    return {
+      behavior: "ask",
+      message: `Tool "${toolName}" is destructive and requires approval in acceptEdits mode.`,
+      reason: "mode"
+    };
+  }
+  if (toolName === "Bash") {
+    const cmd = typeof input.command === "string" ? input.command : "";
+    const subCommands = splitCompoundCommand(cmd);
+    for (const sub of subCommands) {
+      const baseName = extractCommandName(sub);
+      if (!ACCEPT_EDITS_BASH_ALLOWLIST.has(baseName)) {
+        return {
+          behavior: "ask",
+          message: `Tool "${toolName}" (${baseName}) is not in the acceptEdits allowlist.`,
+          reason: "mode"
+        };
+      }
+    }
+    if (workingDirectories.length > 0) {
+      for (const sub of subCommands) {
+        const tokens = sub.trim().split(/\s+/).slice(1);
+        for (const token of tokens) {
+          if (token.startsWith("-")) continue;
+          if (path4.isAbsolute(token) && !isPathInWorkingDirectories(token, workingDirectories)) {
+            return {
+              behavior: "ask",
+              message: `Bash command references path "${token}" outside working directories.`,
+              reason: "workingDirectory"
+            };
+          }
+        }
+      }
+    }
+  }
+  if (workingDirectories.length > 0) {
+    const filePath = typeof input.file_path === "string" ? input.file_path : typeof input.path === "string" ? input.path : void 0;
+    if (filePath && !isPathInWorkingDirectories(filePath, workingDirectories)) {
+      return {
+        behavior: "ask",
+        message: `Path "${filePath}" is outside working directories in acceptEdits mode.`,
+        reason: "workingDirectory"
+      };
+    }
+  }
+  const hasFilePath = typeof input.file_path === "string" || typeof input.path === "string";
+  if (!isReadOnly && !hasFilePath && toolName !== "Bash") {
+    return {
+      behavior: "ask",
+      message: `Tool "${toolName}" requires approval in acceptEdits mode.`,
+      reason: "mode"
+    };
+  }
+  return {
+    behavior: "allow",
+    updatedInput: effectiveInput,
+    reason: "mode"
+  };
+}
+function resolveAutoModeDecision(params) {
+  const { toolName, effectiveInput, classifierResult, denialTracker, requiresUserInteraction } = params;
+  if (classifierResult.shouldBlock) {
+    if (denialTracker) {
+      denialTracker.recordDenial();
+      const fallback = denialTracker.shouldFallback();
+      if (fallback.triggered) {
+        if (fallback.reason === "repeated_consecutive") {
+          return {
+            behavior: "deny",
+            message: `Auto-mode classifier denied too many actions without user approval. Aborting.`,
+            reason: "denial_limit"
+          };
+        }
+        denialTracker.resetAfterFallback(fallback.reason);
+        return {
+          behavior: "ask",
+          message: `Auto-mode classifier denied too many consecutive actions. Falling back to user prompt.`,
+          reason: "denial_limit"
+        };
+      }
+    }
+    return {
+      behavior: "deny",
+      message: `Auto-mode classifier flagged this call: ${classifierResult.reason}`,
+      reason: "classifier"
+    };
+  }
+  if (requiresUserInteraction) {
+    return {
+      behavior: "ask",
+      message: `Tool "${toolName}" requires user interaction.`,
+      reason: "interaction"
+    };
+  }
+  denialTracker?.recordSuccess();
+  return {
+    behavior: "allow",
+    updatedInput: effectiveInput,
+    reason: "classifier"
+  };
+}
+
+// src/permissions/pipeline.ts
+var DANGEROUS_PATH_PATTERNS = [
+  /(?:^|\/)\.git(?:\/|$)/,
+  /(?:^|\/)\.bashrc$/,
+  /(?:^|\/)\.bash_profile$/,
+  /(?:^|\/)\.zshrc$/,
+  /(?:^|\/)\.zprofile$/,
+  /(?:^|\/)\.profile$/,
+  /(?:^|\/)\.ssh(?:\/|$)/,
+  /(?:^|\/)\.env$/,
+  /(?:^|\/)\.npmrc$/,
+  /(?:^|\/)\.vscode(?:\/|$)/,
+  /(?:^|\/)\.idea(?:\/|$)/,
+  /(?:^|\/)\.claude(?:\/|$)/,
+  /(?:^|\/)\.noumen(?:\/|$)/,
+  /(?:^|\/)\.gitconfig$/,
+  /(?:^|\/)\.gitmodules$/,
+  /(?:^|\/)\.mcp\.json$/,
+  /(?:^|\/)\.ripgreprc$/,
+  /(?:^|\/)\.noumen\.json$/
+];
+async function resolvePermission(tool, input, ctx, permCtx, opts) {
+  const toolName = tool.name;
+  const contentHint = extractContentHint(tool, input);
+  const wholeDenyRules = getMatchingRules(
+    permCtx,
+    toolName,
+    "deny",
+    void 0,
+    tool.mcpInfo
+  );
+  if (wholeDenyRules.length > 0) {
+    return {
+      behavior: "deny",
+      message: `Tool "${toolName}" is denied by rule.`,
+      reason: "rule"
+    };
+  }
+  if (contentHint !== void 0) {
+    const contentDenyRules = getMatchingRules(
+      permCtx,
+      toolName,
+      "deny",
+      contentHint,
+      tool.mcpInfo
+    );
+    if (contentDenyRules.length > 0) {
+      return {
+        behavior: "deny",
+        message: `Tool "${toolName}" with "${contentHint}" is denied by rule.`,
+        reason: "rule"
+      };
+    }
+  }
+  const wholeAskRules = getMatchingRules(
+    permCtx,
+    toolName,
+    "ask",
+    void 0,
+    tool.mcpInfo
+  );
+  if (wholeAskRules.length > 0) {
+    return {
+      behavior: "ask",
+      message: `Tool "${toolName}" requires approval.`,
+      reason: "rule"
+    };
+  }
+  if (contentHint !== void 0) {
+    const contentAskRules = getMatchingRules(
+      permCtx,
+      toolName,
+      "ask",
+      contentHint,
+      tool.mcpInfo
+    );
+    if (contentAskRules.length > 0) {
+      return {
+        behavior: "ask",
+        message: `Tool "${toolName}" with "${contentHint}" requires approval.`,
+        reason: "rule"
+      };
+    }
+  }
+  const dangerousFilePath = typeof input.file_path === "string" ? input.file_path : typeof input.path === "string" ? input.path : void 0;
+  if (dangerousFilePath && isDangerousPath(dangerousFilePath, ctx.cwd)) {
+    return {
+      behavior: "ask",
+      message: `Path "${dangerousFilePath}" targets a sensitive location.`,
+      reason: "safetyCheck"
+    };
+  }
+  if (toolName === "Bash" && typeof input.command === "string") {
+    const subCommands = splitCompoundCommand(input.command);
+    for (const sub of subCommands) {
+      const tokens = sub.trim().split(/\s+/);
+      for (const token of tokens) {
+        if (token.startsWith("-")) continue;
+        if (isDangerousPath(token, ctx.cwd)) {
+          return {
+            behavior: "ask",
+            message: `Bash command references sensitive path "${token}".`,
+            reason: "safetyCheck"
+          };
+        }
+      }
+    }
+  }
+  let toolResult;
+  if (tool.checkPermissions) {
+    if (opts?.signal?.aborted) {
+      throw new DOMException("Aborted", "AbortError");
+    }
+    try {
+      toolResult = await tool.checkPermissions(input, ctx);
+    } catch (err) {
+      if (err instanceof DOMException && err.name === "AbortError") throw err;
+      if (err instanceof Error && err.name === "AbortError") throw err;
+      console.warn(`[noumen/permissions] checkPermissions error for "${toolName}":`, err);
+    }
+    if (toolResult?.behavior === "deny") {
+      return {
+        behavior: "deny",
+        message: toolResult.message,
+        reason: toolResult.reason ?? "tool"
+      };
+    }
+    if (toolResult?.behavior === "ask") {
+      const isSafetyCheck = toolResult.reason === "safetyCheck";
+      const isInteractive = !!tool.requiresUserInteraction;
+      if (isSafetyCheck || isInteractive) {
+        return {
+          behavior: "ask",
+          message: toolResult.message,
+          reason: toolResult.reason ?? "tool",
+          suggestions: toolResult.suggestions
+        };
+      }
+      if (permCtx.mode !== "bypassPermissions") {
+      }
+    }
+  }
+  const effectiveInput = toolResult?.behavior === "allow" && toolResult.updatedInput ? toolResult.updatedInput : input;
+  if (tool.requiresUserInteraction && permCtx.mode === "bypassPermissions") {
+    return {
+      behavior: "ask",
+      message: `Tool "${toolName}" requires user interaction.`,
+      reason: "interaction"
+    };
+  }
+  if (permCtx.mode === "bypassPermissions") {
+    return {
+      behavior: "allow",
+      updatedInput: effectiveInput,
+      reason: "mode"
+    };
+  }
+  const isReadOnly = resolveToolFlag(tool.isReadOnly, input);
+  const isDestructive = resolveToolFlag(tool.isDestructive, input);
+  if (permCtx.mode === "plan" && !isReadOnly) {
+    return {
+      behavior: "deny",
+      message: `Tool "${toolName}" is not allowed in plan mode (read-only).`,
+      reason: "mode"
+    };
+  }
+  if (permCtx.mode === "acceptEdits") {
+    return resolveAcceptEditsDecision({
+      toolName,
+      input,
+      effectiveInput,
+      isReadOnly,
+      isDestructive,
+      workingDirectories: permCtx.workingDirectories
+    });
+  }
+  if (permCtx.mode === "auto" && opts?.autoModeConfig) {
+    if (!opts.provider) {
+      return {
+        behavior: "ask",
+        message: `Auto-mode requires an AI provider for classification. Falling back to ask.`,
+        reason: "classifier"
+      };
+    }
+    const classifierResult = await classifyPermission(
+      toolName,
+      input,
+      opts.recentMessages ?? [],
+      opts.provider,
+      {
+        classifierPrompt: opts.autoModeConfig.classifierPrompt,
+        classifierModel: opts.autoModeConfig.classifierModel,
+        model: opts.model,
+        signal: opts.signal
+      }
+    );
+    return resolveAutoModeDecision({
+      toolName,
+      effectiveInput,
+      classifierResult,
+      denialTracker: opts.denialTracker,
+      requiresUserInteraction: !!tool.requiresUserInteraction
+    });
+  }
+  if (toolResult?.behavior === "allow") {
+    return {
+      behavior: "allow",
+      updatedInput: effectiveInput,
+      reason: toolResult.reason ?? "tool"
+    };
+  }
+  if (isReadOnly && toolResult?.behavior !== "ask") {
+    return {
+      behavior: "allow",
+      updatedInput: effectiveInput,
+      reason: "readOnly"
+    };
+  }
+  if (permCtx.workingDirectories.length > 0) {
+    const filePath = typeof input.file_path === "string" ? input.file_path : typeof input.path === "string" ? input.path : void 0;
+    if (filePath && !isPathInWorkingDirectories(filePath, permCtx.workingDirectories)) {
+      return {
+        behavior: "ask",
+        message: `Path "${filePath}" is outside configured working directories.`,
+        reason: "workingDirectory"
+      };
+    }
+  }
+  if (contentHint !== void 0) {
+    const contentAllowRules = getMatchingRules(
+      permCtx,
+      toolName,
+      "allow",
+      contentHint,
+      tool.mcpInfo
+    );
+    if (contentAllowRules.length > 0) {
+      return {
+        behavior: "allow",
+        updatedInput: effectiveInput,
+        reason: "rule"
+      };
+    }
+  }
+  const wholeAllowRules = getMatchingRules(
+    permCtx,
+    toolName,
+    "allow",
+    void 0,
+    tool.mcpInfo
+  );
+  if (wholeAllowRules.length > 0) {
+    return {
+      behavior: "allow",
+      updatedInput: effectiveInput,
+      reason: "rule"
+    };
+  }
+  let finalAsk;
+  if (toolResult?.behavior === "ask") {
+    finalAsk = {
+      behavior: "ask",
+      message: toolResult.message,
+      reason: toolResult.reason ?? "tool",
+      suggestions: toolResult.suggestions
+    };
+  }
+  if (!finalAsk) {
+    const message = toolResult?.behavior === "passthrough" ? toolResult.message : `Tool "${toolName}" requires approval.`;
+    const suggestions = toolResult?.behavior === "passthrough" ? toolResult.suggestions : void 0;
+    finalAsk = {
+      behavior: "ask",
+      message,
+      reason: "default",
+      suggestions
+    };
+  }
+  if (permCtx.mode === "dontAsk") {
+    return {
+      behavior: "deny",
+      message: `Tool "${toolName}" requires approval, but mode is "dontAsk".`,
+      reason: "mode"
+    };
+  }
+  return finalAsk;
+}
+function isDangerousPath(filePath, basePath) {
+  const base = basePath ?? process.cwd();
+  const resolved = path5.resolve(base, filePath);
+  const relative2 = path5.relative(base, resolved);
+  const candidate = (relative2.startsWith("..") ? resolved.replace(/^\/+/, "") : relative2).toLowerCase();
+  if (DANGEROUS_PATH_PATTERNS.some((p) => p.test(candidate))) return true;
+  try {
+    const realPath = fs2.realpathSync(resolved);
+    if (realPath !== resolved) {
+      const realRelative = path5.relative(base, realPath);
+      const realCandidate = (realRelative.startsWith("..") ? realPath.replace(/^\/+/, "") : realRelative).toLowerCase();
+      if (DANGEROUS_PATH_PATTERNS.some((p) => p.test(realCandidate))) return true;
+    }
+  } catch {
+  }
+  return false;
+}
+
+export {
+  TOOL_SEARCH_NAME,
+  isDeferredTool,
+  formatDeferredToolLine,
+  searchToolsWithKeywords,
+  createToolSearchTool,
+  readFileTool,
+  RULE_SOURCE_PRECEDENCE,
+  toolMatchesRule,
+  contentMatchesRule,
+  matchSimpleGlob,
+  getMatchingRules,
+  isPathInWorkingDirectories,
+  classifyPermission,
+  isGitInternalPath,
+  looksLikeBareRepo,
+  commandWritesGitInternals,
+  extractCommandName,
+  classifyCommand,
+  resolvePermission,
+  writeFileTool,
+  normalizeQuotes,
+  findActualString,
+  countOccurrences,
+  preserveQuoteStyle,
+  stripTrailingWhitespace,
+  editFileTool,
+  detectGitOperations,
+  hasGitIndexLockError,
+  bashTool,
+  globTool,
+  grepTool,
+  webFetchTool,
+  notebookEditTool,
+  askUserTool,
+  resolveToolFlag,
+  ToolRegistry
+};
+//# sourceMappingURL=chunk-HL6JCRZJ.js.map