noumen 0.2.0 → 0.4.0

package/dist/{chunk-QTJ7VTJY.js → chunk-HL6JCRZJ.js}

@@ -1,9 +1,15 @@
+import {
+  formatZodValidationError
+} from "./chunk-3SK5GCI6.js";
 import {
   IMAGE_EXTENSIONS,
   compressImageBufferWithTokenLimit,
   createImageMetadataText,
   maybeResizeAndDownsampleImageBuffer
 } from "./chunk-5GEX6ZSB.js";
+import {
+  contentToString
+} from "./chunk-JACGEMTF.js";
 
 // src/tools/tool-search.ts
 var TOOL_SEARCH_NAME = "ToolSearch";
@@ -166,75 +172,6 @@ function createToolSearchTool(getDeferredTools, getAllTools, getToolsByNames, on
   };
 }
 
-// src/utils/zod.ts
-var cache = /* @__PURE__ */ new WeakMap();
-function zodToJsonSchema(schema) {
-  const hit = cache.get(schema);
-  if (hit) return hit;
-  const zod = schema._zod ? schema : void 0;
-  if (!zod) {
-    throw new Error(
-      "zodToJsonSchema requires a Zod v4 schema. Install zod and pass a z.object(\u2026) schema."
-    );
-  }
-  let toJSONSchema;
-  try {
-    const sAny = schema;
-    if (typeof sAny._toJSONSchema === "function") {
-      const result = sAny._toJSONSchema();
-      cache.set(schema, result);
-      return result;
-    }
-    toJSONSchema = globalThis.__noumen_toJSONSchema;
-  } catch {
-  }
-  if (toJSONSchema) {
-    const result = toJSONSchema(schema);
-    cache.set(schema, result);
-    return result;
-  }
-  throw new Error(
-    "Could not convert Zod schema to JSON Schema. Call `registerZodToJsonSchema(toJSONSchema)` from zod/v4 or upgrade to Zod v4."
-  );
-}
-function registerZodToJsonSchema(fn) {
-  globalThis.__noumen_toJSONSchema = fn;
-}
-function formatZodValidationError(toolName, issues) {
-  if (!issues || !issues.issues.length) {
-    return `${toolName}: validation failed with unknown error`;
-  }
-  const parts = [];
-  const missing = issues.issues.filter(
-    (i) => i.code === "invalid_type" && i.message.includes("required")
-  );
-  const unrecognized = issues.issues.filter(
-    (i) => i.code === "unrecognized_keys"
-  );
-  const other = issues.issues.filter(
-    (i) => !missing.includes(i) && !unrecognized.includes(i)
-  );
-  if (missing.length) {
-    parts.push(
-      `Missing required parameter${missing.length > 1 ? "s" : ""}: ${missing.map((m) => formatPath(m.path)).join(", ")}`
-    );
-  }
-  if (unrecognized.length) {
-    parts.push(
-      `Unrecognized parameter${unrecognized.length > 1 ? "s" : ""}: ${unrecognized.map((u) => u.message).join(", ")}`
-    );
-  }
-  for (const issue of other) {
-    const path2 = formatPath(issue.path);
-    parts.push(`${path2 ? path2 + ": " : ""}${issue.message}`);
-  }
-  return `${toolName} failed due to the following ${parts.length > 1 ? "issues" : "issue"}:
-${parts.join("\n")}`;
-}
-function formatPath(path2) {
-  return path2.map((p, i) => typeof p === "number" ? `[${p}]` : i > 0 ? `.${p}` : p).join("");
-}
-
 // src/tools/prompts/read.ts
 var READ_PROMPT = `Reads a file from the local filesystem. You can access any file directly by using this tool.
 Assume this tool is able to read all files on the machine. If the User provides a path to a file assume that path is valid. It is okay to read a file that does not exist; an error will be returned.
@@ -253,7 +190,7 @@ Usage:
 // src/tools/read.ts
 import * as path from "path";
 var DEFAULT_MAX_IMAGE_TOKENS = 1600;
-var MAX_FILE_SIZE = 10 * 1024 * 1024;
+var MAX_FILE_SIZE = 256 * 1024;
 var BLOCKED_DEVICE_PATHS = /* @__PURE__ */ new Set([
   "/dev/zero",
   "/dev/random",
@@ -331,6 +268,9 @@ var readFileTool = {
     const filePath = args.file_path;
     const offset = args.offset ?? 1;
     const limit = args.limit;
+    if (filePath.startsWith("\\\\") || filePath.startsWith("//")) {
+      return { content: "Error: UNC paths are not allowed", isError: true };
+    }
     try {
       const resolved = path.resolve(ctx.cwd, filePath);
       if (BLOCKED_DEVICE_PATHS.has(resolved)) {
@@ -339,6 +279,12 @@ var readFileTool = {
           isError: true
         };
       }
+      if (resolved.startsWith("/proc/") && (resolved.endsWith("/fd/0") || resolved.endsWith("/fd/1") || resolved.endsWith("/fd/2"))) {
+        return {
+          content: `Error: Cannot read process file descriptor ${filePath}.`,
+          isError: true
+        };
+      }
       const ext = path.extname(filePath).toLowerCase();
       if (BINARY_EXTENSIONS.has(ext)) {
         return {
@@ -351,9 +297,9 @@ var readFileTool = {
       }
       try {
         const stat = await ctx.fs.stat(filePath);
-        if (stat.size !== void 0 && stat.size > MAX_FILE_SIZE) {
+        if (stat.size !== void 0 && stat.size > MAX_FILE_SIZE && !limit) {
           return {
-            content: `Error: File is too large (${Math.round(stat.size / 1024 / 1024)}MB). Use offset/limit to read specific portions.`,
+            content: `Error: File is too large (${Math.round(stat.size / 1024)}KB, max ${MAX_FILE_SIZE / 1024}KB). Use offset/limit to read specific portions.`,
             isError: true
           };
         }
@@ -372,7 +318,11 @@ var readFileTool = {
           }
         }
       }
-      const content = await ctx.fs.readFile(filePath);
+      const maxReadBytes = limit ? Math.min((limit + (offset - 1)) * 500, 10 * 1024 * 1024) : void 0;
+      const content = await ctx.fs.readFile(
+        filePath,
+        maxReadBytes ? { maxBytes: maxReadBytes } : void 0
+      );
       const lines = content.split("\n");
       const startIdx = Math.max(0, offset - 1);
       const endIdx = limit ? Math.min(lines.length, startIdx + limit) : lines.length;
@@ -396,7 +346,8 @@ var readFileTool = {
           content: selectedLines.join("\n"),
           timestamp: mtime,
           offset,
-          limit
+          limit,
+          isPartialView: !!(limit || offset > 1)
         });
       }
       return { content: result || "File is empty." };
@@ -448,347 +399,233 @@ async function readImageFile(filePath, ext, ctx) {
   return { content: parts };
 }
 
-// src/tools/prompts/write.ts
-var WRITE_PROMPT = `Writes a file to the local filesystem. Parent directories are created automatically if they don't exist.
-
-Usage:
-- This tool will overwrite the existing file if there is one at the provided path.
-- If this is an existing file, you MUST use the ReadFile tool first to read the file's contents. This tool will fail if you did not read the file first.
-- Prefer the EditFile tool for modifying existing files \u2014 it only sends the diff. Only use this tool to create new files or for complete rewrites.
-- NEVER create documentation files (*.md) or README files unless explicitly requested by the User.
-- Only use emojis if the user explicitly requests it. Avoid writing emojis to files unless asked.
-`;
+// src/permissions/types.ts
+var RULE_SOURCE_PRECEDENCE = [
+  "policy",
+  "project",
+  "user",
+  "session"
+];
 
-// src/tools/write.ts
-var writeFileTool = {
-  name: "WriteFile",
-  description: "Create or overwrite a file with the given content. Parent directories are created automatically if they don't exist.",
-  prompt: WRITE_PROMPT,
-  isReadOnly: false,
-  checkPermissions(args) {
-    const filePath = args.file_path;
-    return {
-      behavior: "passthrough",
-      message: `Write to ${filePath}`
-    };
-  },
-  parameters: {
-    type: "object",
-    properties: {
-      file_path: {
-        type: "string",
-        description: "The path of the file to write (absolute or relative to cwd)"
-      },
-      content: {
-        type: "string",
-        description: "The content to write to the file"
-      }
-    },
-    required: ["file_path", "content"]
-  },
-  async call(args, ctx) {
-    const filePath = args.file_path;
-    const content = args.content;
-    try {
-      if (ctx.checkpointManager && ctx.currentMessageId) {
-        await ctx.checkpointManager.trackEdit(filePath, ctx.currentMessageId, ctx.sessionId ?? "");
-      }
-      const existed = await ctx.fs.exists(filePath);
-      if (existed && ctx.fileStateCache) {
-        const cached = ctx.fileStateCache.get(filePath);
-        if (!cached) {
-          return {
-            content: `Error: File ${filePath} exists but has not been read yet. Read it first before overwriting.`,
-            isError: true
-          };
-        }
-      }
-      await ctx.fs.writeFile(filePath, content);
-      ctx.notifyHook?.("FileWrite", {
-        event: "FileWrite",
-        sessionId: ctx.sessionId ?? "",
-        toolName: "WriteFile",
-        filePath,
-        isNew: !existed
-      }).catch(() => {
-      });
-      if (ctx.fileStateCache) {
-        let mtime = 0;
-        try {
-          const stat = await ctx.fs.stat(filePath);
-          mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
-        } catch {
-        }
-        ctx.fileStateCache.set(filePath, {
-          content,
-          timestamp: mtime
-        });
-      }
-      return {
-        content: existed ? `File updated successfully at: ${filePath}` : `File created successfully at: ${filePath}`
-      };
-    } catch (err) {
-      return {
-        content: `Error writing file: ${err instanceof Error ? err.message : String(err)}`,
-        isError: true
-      };
+// src/permissions/rules.ts
+import * as path2 from "path";
+import * as fs from "fs";
+function toolMatchesRule(toolName, rule, mcpInfo) {
+  if (rule.toolName === toolName) return true;
+  if (mcpInfo) {
+    const serverPrefix = parseMcpServerPrefix(rule.toolName);
+    if (serverPrefix && serverPrefix === mcpInfo.serverName) {
+      return true;
     }
   }
-};
-
-// src/tools/edit-utils.ts
-var LEFT_SINGLE_CURLY = "\u2018";
-var RIGHT_SINGLE_CURLY = "\u2019";
-var LEFT_DOUBLE_CURLY = "\u201C";
-var RIGHT_DOUBLE_CURLY = "\u201D";
-function normalizeQuotes(str) {
-  return str.replaceAll(LEFT_SINGLE_CURLY, "'").replaceAll(RIGHT_SINGLE_CURLY, "'").replaceAll(LEFT_DOUBLE_CURLY, '"').replaceAll(RIGHT_DOUBLE_CURLY, '"');
+  return false;
 }
-function findActualString(fileContent, searchString) {
-  if (fileContent.includes(searchString)) {
-    return searchString;
-  }
-  const normalizedSearch = normalizeQuotes(searchString);
-  const normalizedFile = normalizeQuotes(fileContent);
-  const searchIndex = normalizedFile.indexOf(normalizedSearch);
-  if (searchIndex !== -1) {
-    return fileContent.substring(searchIndex, searchIndex + searchString.length);
-  }
-  return null;
+function parseMcpServerPrefix(ruleName) {
+  const parts = ruleName.split("__");
+  if (parts.length !== 2 || parts[0] !== "mcp" || !parts[1]) return null;
+  return parts[1];
 }
-function countOccurrences(haystack, needle) {
-  const normalizedNeedle = normalizeQuotes(needle);
-  const normalizedHaystack = normalizeQuotes(haystack);
-  let count = 0;
-  let pos = 0;
-  while (true) {
-    const idx = normalizedHaystack.indexOf(normalizedNeedle, pos);
-    if (idx === -1) break;
-    count++;
-    pos = idx + 1;
+var SAFE_WRAPPERS = ["timeout", "time", "nice", "nohup", "stdbuf"];
+var COMPOUND_OPERATORS_RE = /\s*(?:;|&&|\|\||\|)\s*/;
+function stripForRuleMatching(command) {
+  let cmd = command.trim();
+  while (/^[A-Za-z_][A-Za-z0-9_]*=\S*\s/.test(cmd)) {
+    cmd = cmd.replace(/^[A-Za-z_][A-Za-z0-9_]*=\S*\s+/, "");
   }
-  return count;
+  let changed = true;
+  while (changed) {
+    changed = false;
+    for (const wrapper of SAFE_WRAPPERS) {
+      if (cmd.startsWith(wrapper + " ")) {
+        cmd = cmd.slice(wrapper.length).trim();
+        while (cmd.startsWith("-")) {
+          const spaceIdx = cmd.indexOf(" ");
+          if (spaceIdx === -1) break;
+          cmd = cmd.slice(spaceIdx).trim();
+        }
+        while (/^[A-Za-z_][A-Za-z0-9_]*=\S*\s/.test(cmd)) {
+          cmd = cmd.replace(/^[A-Za-z_][A-Za-z0-9_]*=\S*\s+/, "");
+        }
+        changed = true;
+      }
+    }
+  }
+  return cmd;
 }
-function usesCurlyQuotes(str) {
-  return {
-    singleCurly: str.includes(LEFT_SINGLE_CURLY) || str.includes(RIGHT_SINGLE_CURLY),
-    doubleCurly: str.includes(LEFT_DOUBLE_CURLY) || str.includes(RIGHT_DOUBLE_CURLY)
-  };
+function isCompoundCommand(content) {
+  return COMPOUND_OPERATORS_RE.test(content);
 }
-function preserveQuoteStyle(oldString, actualOldString, newString) {
-  if (oldString === actualOldString) {
-    return newString;
-  }
-  const fileStyle = usesCurlyQuotes(actualOldString);
-  let result = newString;
-  if (fileStyle.singleCurly) {
-    result = convertStraightToCurlySingle(result);
+function contentMatchesRule(content, ruleContent) {
+  if (ruleContent.endsWith(":*")) {
+    const prefix = ruleContent.slice(0, -2);
+    const matches = content === prefix || content.startsWith(prefix + " ");
+    if (matches && isCompoundCommand(content)) return false;
+    if (matches) return true;
+    const stripped2 = stripForRuleMatching(content);
+    if (stripped2 !== content) {
+      const strippedMatches = stripped2 === prefix || stripped2.startsWith(prefix + " ");
+      if (strippedMatches && isCompoundCommand(stripped2)) return false;
+      return strippedMatches;
+    }
+    return false;
   }
-  if (fileStyle.doubleCurly) {
-    result = convertStraightToCurlyDouble(result);
+  if (ruleContent.includes("*")) {
+    if (matchSimpleGlob(ruleContent, content)) return true;
+    const stripped2 = stripForRuleMatching(content);
+    if (stripped2 !== content) return matchSimpleGlob(ruleContent, stripped2);
+    return false;
   }
-  return result;
+  if (ruleContent === content) return true;
+  const stripped = stripForRuleMatching(content);
+  return stripped !== content && ruleContent === stripped;
 }
-function convertStraightToCurlySingle(str) {
-  let result = "";
-  let inWord = false;
-  for (let i = 0; i < str.length; i++) {
-    const ch = str[i];
-    if (ch === "'") {
-      const prev = i > 0 ? str[i - 1] : " ";
-      if (/\s/.test(prev) || prev === "(" || prev === "[" || prev === "{") {
-        result += LEFT_SINGLE_CURLY;
-        inWord = true;
-      } else {
-        result += RIGHT_SINGLE_CURLY;
-        inWord = false;
-      }
+function matchSimpleGlob(pattern, value) {
+  let regex = "^";
+  let i = 0;
+  while (i < pattern.length) {
+    if (pattern[i] === "*" && pattern[i + 1] === "*") {
+      regex += ".*";
+      i += 2;
+      if (pattern[i] === "/") i++;
+    } else if (pattern[i] === "*") {
+      regex += "[^/]*";
+      i++;
+    } else if (pattern[i] === "?") {
+      regex += "[^/]";
+      i++;
     } else {
-      result += ch;
-      inWord = /\w/.test(ch);
+      regex += escapeRegex(pattern[i]);
+      i++;
     }
   }
-  return result;
+  regex += "$";
+  return new RegExp(regex).test(value);
 }
-function convertStraightToCurlyDouble(str) {
-  let result = "";
-  let open = true;
-  for (let i = 0; i < str.length; i++) {
-    const ch = str[i];
-    if (ch === '"') {
-      result += open ? LEFT_DOUBLE_CURLY : RIGHT_DOUBLE_CURLY;
-      open = !open;
-    } else {
-      result += ch;
-    }
-  }
-  return result;
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
-function stripTrailingWhitespace(str) {
-  const parts = str.split(/(\r\n|\n|\r)/);
-  const result = [];
-  for (let i = 0; i < parts.length; i++) {
-    const part = parts[i];
-    if (i % 2 === 0) {
-      result.push(part.replace(/[\t ]+$/, ""));
-    } else {
-      result.push(part);
+function getMatchingRules(context, toolName, behavior, content, mcpInfo) {
+  const matched = context.rules.filter((rule) => {
+    if (rule.behavior !== behavior) return false;
+    if (!toolMatchesRule(toolName, rule, mcpInfo)) return false;
+    if (rule.ruleContent !== void 0) {
+      if (content === void 0) return false;
+      return contentMatchesRule(content, rule.ruleContent);
     }
+    return true;
+  });
+  matched.sort((a, b) => {
+    const aIdx = a.source ? RULE_SOURCE_PRECEDENCE.indexOf(a.source) : RULE_SOURCE_PRECEDENCE.length;
+    const bIdx = b.source ? RULE_SOURCE_PRECEDENCE.indexOf(b.source) : RULE_SOURCE_PRECEDENCE.length;
+    return aIdx - bIdx;
+  });
+  return matched;
+}
+function containsShellExpansion(p) {
+  if (p.includes("$") || p.includes("%") || p.startsWith("=")) return true;
+  if (p.includes("`")) return true;
+  if (/^~[^/]/.test(p)) return true;
+  if (p.startsWith("\\\\")) return true;
+  return false;
+}
+function isPathInWorkingDirectories(filePath, workingDirectories) {
+  if (workingDirectories.length === 0) return false;
+  if (containsShellExpansion(filePath)) return false;
+  const normalized = normalizePath(filePath);
+  return workingDirectories.some((dir) => {
+    const normalizedDir = normalizePath(dir);
+    return normalized === normalizedDir || normalized.startsWith(normalizedDir + "/");
+  });
+}
+function normalizePath(p) {
+  let result = path2.resolve(p);
+  try {
+    result = fs.realpathSync(result);
+  } catch {
   }
-  return result.join("");
+  while (result.endsWith("/") && result.length > 1) {
+    result = result.slice(0, -1);
+  }
+  if (process.platform === "darwin" || process.platform === "win32") {
+    result = result.toLowerCase();
+  }
+  return result;
 }
 
-// src/tools/prompts/edit.ts
-var EDIT_PROMPT = `Performs exact string replacements in files.
+// src/permissions/classifier.ts
+var DEFAULT_CLASSIFIER_PROMPT = `You are a security classifier for an AI coding agent. 
+Your job is to determine whether a tool call should be automatically approved or blocked.
 
-Usage:
-- You must use the ReadFile tool at least once before editing a file. This tool will error if you attempt an edit without reading the file first.
-- When editing text from ReadFile output, ensure you preserve the exact indentation (tabs/spaces) as it appears AFTER the line number prefix. The line number prefix format is: spaces + line number + pipe. Everything after that is the actual file content to match. Never include any part of the line number prefix in the old_string or new_string.
-- ALWAYS prefer editing existing files in the codebase. NEVER write new files unless explicitly required.
-- Only use emojis if the user explicitly requests it. Avoid adding emojis to files unless asked.
-- The edit will FAIL if \`old_string\` is not unique in the file. Either provide a larger string with more surrounding context to make it unique or use \`replace_all\` to change every instance of \`old_string\`.
-- Use \`replace_all\` for replacing and renaming strings across the file. This parameter is useful if you want to rename a variable for instance.
-`;
+Automatically APPROVE tool calls that:
+- Read files within the project directory
+- Write/edit files within the project directory  
+- Run common development commands (build, test, lint, format, git status/diff/log)
+- Search for files or code patterns
+- Create or update task items
 
-// src/tools/edit.ts
-var editFileTool = {
-  name: "EditFile",
-  description: "Edit a file by replacing an exact string match with new content. The old_string must match exactly (including whitespace and indentation). Set replace_all to true to replace all occurrences.",
-  prompt: EDIT_PROMPT,
-  isReadOnly: false,
-  checkPermissions(args) {
-    const filePath = args.file_path;
+Automatically BLOCK tool calls that:
+- Execute potentially destructive commands (rm -rf, drop database, force push)
+- Access files outside the project directory
+- Make network requests to unknown hosts
+- Run commands that could affect the system (install packages globally, modify system files)
+- Access secrets, credentials, or environment variables
+
+Respond with a JSON object: {"shouldBlock": boolean, "reason": "brief explanation"}`;
+async function classifyPermission(toolName, args, recentMessages, provider, opts) {
+  const model = opts?.classifierModel ?? opts?.model;
+  if (!model) {
+    return { shouldBlock: true, reason: "No model configured for classifier." };
+  }
+  const contextWindow = recentMessages.slice(-6);
+  const contextText = contextWindow.map((m) => `${m.role}: ${contentToString(m.content).slice(0, 200)}`).join("\n");
+  const userPrompt = `Tool: ${toolName}
+Arguments: ${JSON.stringify(args, null, 2).slice(0, 1e3)}
+
+Recent conversation context:
+${contextText}`;
+  const params = {
+    model,
+    system: opts?.classifierPrompt ?? DEFAULT_CLASSIFIER_PROMPT,
+    messages: [{ role: "user", content: userPrompt }],
+    max_tokens: 256,
+    temperature: 0,
+    outputFormat: {
+      type: "json_schema",
+      schema: {
+        type: "object",
+        properties: {
+          shouldBlock: { type: "boolean" },
+          reason: { type: "string" }
+        },
+        required: ["shouldBlock", "reason"],
+        additionalProperties: false
+      },
+      name: "classifier_result",
+      strict: true
+    }
+  };
+  try {
+    let text = "";
+    for await (const chunk of provider.chat(params)) {
+      if (opts?.signal?.aborted) break;
+      for (const choice of chunk.choices) {
+        if (choice.delta.content) {
+          text += choice.delta.content;
+        }
+      }
+    }
+    if (opts?.signal?.aborted) {
+      throw new DOMException("Aborted", "AbortError");
+    }
+    const parsed = JSON.parse(text);
     return {
-      behavior: "passthrough",
-      message: `Edit ${filePath}`
+      shouldBlock: parsed.shouldBlock ?? false,
+      reason: parsed.reason ?? "unknown"
     };
-  },
-  parameters: {
-    type: "object",
-    properties: {
-      file_path: {
-        type: "string",
-        description: "The path of the file to edit"
-      },
-      old_string: {
-        type: "string",
-        description: "The exact string to find and replace"
-      },
-      new_string: {
-        type: "string",
-        description: "The replacement string"
-      },
-      replace_all: {
-        type: "boolean",
-        description: "If true, replace all occurrences of old_string. Defaults to false."
-      }
-    },
-    required: ["file_path", "old_string", "new_string"]
-  },
-  async call(args, ctx) {
-    const filePath = args.file_path;
-    const oldString = args.old_string;
-    const newString = args.new_string;
-    const replaceAll = args.replace_all ?? false;
-    if (filePath.endsWith(".ipynb")) {
-      return {
-        content: `Error: ${filePath} is a Jupyter Notebook. Use the NotebookEdit tool to edit notebook files.`,
-        isError: true
-      };
-    }
-    if (oldString === newString) {
-      return {
-        content: "No changes to make: old_string and new_string are exactly the same.",
-        isError: true
-      };
-    }
-    try {
-      if (ctx.fileStateCache) {
-        const cached = ctx.fileStateCache.get(filePath);
-        if (!cached || cached.isPartialView) {
-          return {
-            content: `Error: File has not been read yet. Use ReadFile on ${filePath} before editing.`,
-            isError: true
-          };
-        }
-        try {
-          const stat = await ctx.fs.stat(filePath);
-          const mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
-          if (mtime > cached.timestamp) {
-            const currentContent = await ctx.fs.readFile(filePath);
-            if (currentContent !== cached.content) {
-              return {
-                content: `Error: ${filePath} has been modified since last read. Re-read the file before editing.`,
-                isError: true
-              };
-            }
-          }
-        } catch {
-        }
-      }
-      if (ctx.checkpointManager && ctx.currentMessageId) {
-        await ctx.checkpointManager.trackEdit(filePath, ctx.currentMessageId, ctx.sessionId ?? "");
-      }
-      const content = await ctx.fs.readFile(filePath);
-      const actualOldString = findActualString(content, oldString);
-      if (!actualOldString) {
-        return {
-          content: `Error: old_string not found in ${filePath}. Make sure the string matches exactly, including whitespace and indentation.`,
-          isError: true
-        };
-      }
-      if (!replaceAll) {
-        const count = content.split(actualOldString).length - 1;
-        if (count > 1) {
-          return {
-            content: `Error: old_string appears ${count} times in ${filePath}. Provide more context to make it unique, or set replace_all to true.`,
-            isError: true
-          };
-        }
-      }
-      const actualNewString = preserveQuoteStyle(oldString, actualOldString, newString);
-      let updated;
-      if (replaceAll) {
-        updated = content.split(actualOldString).join(actualNewString);
-      } else if (actualNewString === "") {
-        const hasTrailingNewline = !actualOldString.endsWith("\n") && content.includes(actualOldString + "\n");
-        const deleteTarget = hasTrailingNewline ? actualOldString + "\n" : actualOldString;
-        updated = content.replace(deleteTarget, () => actualNewString);
-      } else {
-        updated = content.replace(actualOldString, () => actualNewString);
-      }
-      await ctx.fs.writeFile(filePath, updated);
-      ctx.notifyHook?.("FileWrite", {
-        event: "FileWrite",
-        sessionId: ctx.sessionId ?? "",
-        toolName: "EditFile",
-        filePath,
-        isNew: false
-      }).catch(() => {
-      });
-      if (ctx.fileStateCache) {
-        let mtime = 0;
-        try {
-          const stat = await ctx.fs.stat(filePath);
-          mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
-        } catch {
-        }
-        ctx.fileStateCache.set(filePath, {
-          content: updated,
-          timestamp: mtime
-        });
-      }
-      return {
-        content: `File ${filePath} has been updated successfully.`
-      };
-    } catch (err) {
-      return {
-        content: `Error editing file: ${err instanceof Error ? err.message : String(err)}`,
-        isError: true
-      };
-    }
+  } catch {
+    return { shouldBlock: true, reason: "Classifier failed; defaulting to block." };
   }
-};
+}
 
 // src/tools/shell-safety/git-safety.ts
 var GIT_INTERNAL_PATTERNS = [
@@ -803,8 +640,8 @@ var GIT_INTERNAL_PATTERNS = [
   /\.git\/shallow$/,
   /\.git\/modules\//
 ];
-function isGitInternalPath(path2) {
-  const normalized = path2.replace(/\\/g, "/");
+function isGitInternalPath(path6) {
+  const normalized = path6.replace(/\\/g, "/");
   return GIT_INTERNAL_PATTERNS.some((p) => p.test(normalized));
 }
 var BARE_REPO_MARKERS = ["HEAD", "objects", "refs"];
@@ -813,15 +650,36 @@ function looksLikeBareRepo(dirEntries) {
   if (entrySet.has(".git")) return false;
   return BARE_REPO_MARKERS.every((m) => entrySet.has(m));
 }
+var BARE_REPO_INTERNAL_PATTERNS = [
+  /^hooks\//,
+  /^config$/,
+  /^info\//,
+  /^objects\//,
+  /^refs\//,
+  /^HEAD$/,
+  /^index$/,
+  /^packed-refs$/,
+  /^shallow$/,
+  /^modules\//
+];
+function isBareRepoInternalPath(filePath) {
+  const normalized = filePath.replace(/\\/g, "/").replace(/^\.\//, "");
+  return BARE_REPO_INTERNAL_PATTERNS.some((p) => p.test(normalized));
+}
 function commandWritesGitInternals(command) {
   const redirectPattern = /(?:>{1,2}|tee\s+)\s*(\S+)/g;
   let match;
   while ((match = redirectPattern.exec(command)) !== null) {
-    if (isGitInternalPath(match[1])) return true;
+    if (isGitInternalPath(match[1]) || isBareRepoInternalPath(match[1])) return true;
+  }
+  const copyPatternDotGit = /\b(?:cp|mv|ln)\b.*\s(\S*\.git\/\S+)/;
+  const copyMatchDotGit = command.match(copyPatternDotGit);
+  if (copyMatchDotGit && isGitInternalPath(copyMatchDotGit[1])) return true;
+  const copyPatternBare = /\b(?:cp|mv|ln)\b.*\s(\S+)/g;
+  let bareMatch;
+  while ((bareMatch = copyPatternBare.exec(command)) !== null) {
+    if (isBareRepoInternalPath(bareMatch[1])) return true;
   }
-  const copyPattern = /\b(?:cp|mv|ln)\b.*\s(\S*\.git\/\S+)/;
-  const copyMatch = command.match(copyPattern);
-  if (copyMatch && isGitInternalPath(copyMatch[1])) return true;
   return false;
 }
 
@@ -840,9 +698,7 @@ var READ_ONLY_COMMANDS = /* @__PURE__ */ new Set([
   "whereis",
   "type",
   "pwd",
-  "date",
   "uname",
-  "hostname",
   "whoami",
   "id",
   "groups",
@@ -850,7 +706,6 @@ var READ_ONLY_COMMANDS = /* @__PURE__ */ new Set([
   "ll",
   "la",
   "dir",
-  "tree",
   "stat",
   "du",
   "df",
@@ -875,9 +730,6 @@ var READ_ONLY_COMMANDS = /* @__PURE__ */ new Set([
   "rg",
   "ag",
   "ack",
-  "find",
-  "fd",
-  "fdfind",
   "locate",
   "readlink",
   "realpath",
@@ -889,9 +741,6 @@ var READ_ONLY_COMMANDS = /* @__PURE__ */ new Set([
   "uniq",
   "cut",
   "tr",
-  "awk",
-  "sed",
-  // sed -i is destructive but caught by destructive patterns
   "jq",
   "yq",
   "xxd",
@@ -908,17 +757,37 @@ var READ_ONLY_COMMANDS = /* @__PURE__ */ new Set([
   "[[",
   "man",
   "help",
-  "info",
   "nproc",
   "arch",
   "lscpu",
   "lsb_release",
   "sw_vers",
   "sysctl",
-  "getconf",
-  "dotnet"
-  // dotnet --info, dotnet --list-sdks
+  "getconf"
 ]);
+var CONDITIONAL_READ_ONLY = {
+  awk: () => false,
+  // awk has system() — never read-only
+  sed: (_cmd, tokens) => !tokens.some(
+    (t) => t === "-i" || t === "--in-place" || t.startsWith("-") && !t.startsWith("--") && t.includes("i")
+  ),
+  find: (cmd) => !/\b(-exec\b|-execdir\b|-ok\b|-okdir\b|-delete\b|-fprint\b|-fls\b|-fprintf\b)/.test(cmd),
+  fd: (_cmd, tokens) => !tokens.some((t) => ["-x", "--exec", "-X", "--exec-batch"].includes(t)),
+  fdfind: (_cmd, tokens) => !tokens.some((t) => ["-x", "--exec", "-X", "--exec-batch"].includes(t)),
+  date: (_cmd, tokens) => !tokens.some((t) => ["-s", "--set"].includes(t)),
+  hostname: (_cmd, tokens) => {
+    const positional = tokens.filter((t) => !t.startsWith("-"));
+    return positional.length === 0;
+  },
+  info: (_cmd, tokens) => !tokens.some((t) => ["-o", "--output", "--dribble", "--init-file"].includes(t)),
+  tree: (_cmd, tokens) => !tokens.some((t) => t === "-R"),
+  dotnet: (_cmd, tokens) => {
+    const positional = tokens.filter((t) => !t.startsWith("-"));
+    if (positional.length === 0) return true;
+    const sub = positional[0];
+    return ["--version", "--info", "--list-sdks", "--list-runtimes"].includes(sub) || tokens.includes("--version") || tokens.includes("--info") || tokens.includes("--list-sdks") || tokens.includes("--list-runtimes");
+  }
+};
 var GIT_READ_ONLY_SUBCOMMANDS = /* @__PURE__ */ new Set([
   "status",
   "log",
@@ -938,9 +807,10 @@ var GIT_READ_ONLY_SUBCOMMANDS = /* @__PURE__ */ new Set([
   "count-objects",
   "fsck",
   "verify-pack",
-  "reflog",
   "stash",
   // "stash list" / "stash show" — stash apply/pop are not here
+  "reflog",
+  // bare / "reflog show" / "reflog list" — expire/delete caught below
   "tag",
   // "tag -l" is safe; "tag <name>" creates — caught below
   "branch",
@@ -954,6 +824,9 @@ var GIT_READ_ONLY_SUBCOMMANDS = /* @__PURE__ */ new Set([
   "--version",
   "--help"
 ]);
+var GIT_READ_ONLY_WRITE_FLAGS = /* @__PURE__ */ new Set([
+  "--output"
+]);
 var GIT_MUTATING_SUBCOMMANDS = /* @__PURE__ */ new Set([
   "push",
   "pull",
@@ -1004,8 +877,8 @@ var DESTRUCTIVE_PATTERNS = [
   /\bDROP\s+(TABLE|DATABASE|SCHEMA)\b/i,
   /\bTRUNCATE\s+TABLE\b/i,
   /\bDELETE\s+FROM\b/i,
-  // sed in-place
-  /\bsed\s+(-[a-zA-Z]*i[a-zA-Z]*|--in-place)\b/,
+  // sed in-place (matches -i anywhere in args, not just first flag)
+  /\bsed\b.*\s(-[a-zA-Z]*i[a-zA-Z]*|--in-place)\b/,
   // Container/system destruction
   /\bdocker\s+(rm|rmi|system\s+prune|volume\s+rm)\b/,
   /\bkubectl\s+delete\b/,
@@ -1024,24 +897,149 @@ function hasTokenFlag(tokens, ...flags) {
 function splitCompoundCommand(command) {
   return command.split(/\s*(?:;|&&|\|\||(?<!\|)\|(?!\|))\s*/).map((s) => s.trim()).filter(Boolean);
 }
-function stripPrefixes(command) {
+var DANGEROUS_ENV_VARS = /* @__PURE__ */ new Set([
+  "GIT_CONFIG_GLOBAL",
+  "GIT_CONFIG_SYSTEM",
+  "GIT_DIR",
+  "GIT_WORK_TREE",
+  "GIT_EXEC_PATH",
+  "GIT_TEMPLATE_DIR",
+  "LD_PRELOAD",
+  "LD_LIBRARY_PATH",
+  "PATH",
+  "PYTHONPATH",
+  "NODE_PATH",
+  "PERL5LIB"
+]);
+function hasDangerousEnvVars(command) {
+  const envPattern = /^[A-Za-z_][A-Za-z0-9_]*(?==)/;
   let cmd = command.trim();
   while (/^[A-Za-z_][A-Za-z0-9_]*=\S*\s/.test(cmd)) {
+    const match = cmd.match(envPattern);
+    if (match && DANGEROUS_ENV_VARS.has(match[0])) return true;
     cmd = cmd.replace(/^[A-Za-z_][A-Za-z0-9_]*=\S*\s+/, "");
   }
-  for (const prefix of ["sudo", "env", "nohup", "time", "nice", "ionice", "strace", "ltrace"]) {
-    if (cmd.startsWith(prefix + " ")) {
-      cmd = cmd.slice(prefix.length).trim();
-      while (cmd.startsWith("-")) {
-        const spaceIdx = cmd.indexOf(" ");
-        if (spaceIdx === -1) break;
-        cmd = cmd.slice(spaceIdx).trim();
+  return false;
+}
+var ZSH_DANGEROUS_COMMANDS = /* @__PURE__ */ new Set([
+  "zmodload",
+  "emulate",
+  "sysopen",
+  "sysread",
+  "syswrite",
+  "sysseek",
+  "zpty",
+  "ztcp",
+  "zsocket",
+  "zf_rm",
+  "zf_mv",
+  "zf_ln",
+  "zf_chmod",
+  "zf_chown",
+  "zf_mkdir",
+  "zf_rmdir",
+  "zf_chgrp"
+]);
+var MAX_SUBCOMMANDS = 50;
+function detectInjectionPatterns(command) {
+  if (/>\(/.test(command)) return "Output process substitution >(...)";
+  if (/=\(/.test(command)) return "Zsh =(...) process substitution";
+  if (/\$\{[^}]*[`$]/.test(command)) return "Nested expansion in ${...}";
+  if (/[\x00-\x08\x0e-\x1f\x7f]/.test(command)) return "Control character injection";
+  if (/[\u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\u200B-\u200D\uFEFF]/.test(command)) {
+    return "Unicode whitespace injection";
+  }
+  if (/\w#/.test(command) && !/['"][^'"]*#/.test(command)) {
+    const stripped = command.replace(/'[^']*'/g, "").replace(/"[^"]*"/g, "");
+    if (/\w#/.test(stripped)) return "Mid-word comment injection";
+  }
+  if (/\\n/.test(command)) {
+    const stripped = command.replace(/'[^']*'/g, "");
+    if (/\$'[^']*\\n/.test(stripped)) return "Escaped newline in $'...' string";
+  }
+  return null;
+}
+function hasCommandSubstitution(command) {
+  return /\$\(/.test(command) || /`[^`]+`/.test(command) || /<\(/.test(command);
+}
+function hasUnquotedExpansion(command) {
+  let inSingle = false;
+  for (let i = 0; i < command.length; i++) {
+    const ch = command[i];
+    if (ch === "'" && !inSingle) {
+      inSingle = true;
+      continue;
+    }
+    if (ch === "'" && inSingle) {
+      inSingle = false;
+      continue;
+    }
+    if (inSingle) continue;
+    if (ch === "\\" && i + 1 < command.length) {
+      i++;
+      continue;
+    }
+    if (ch === "$" && i + 1 < command.length) {
+      const next = command[i + 1];
+      if (next === "(") continue;
+      if (next === "{" || next >= "A" && next <= "Z" || next >= "a" && next <= "z" || next === "_") {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+var WRAPPER_COMMANDS = ["sudo", "env", "nohup", "time", "nice", "ionice", "strace", "ltrace", "stdbuf"];
+var WRAPPER_WITH_DURATION = /* @__PURE__ */ new Set(["timeout"]);
+function stripEnvVars(cmd) {
+  let result = cmd.trim();
+  while (/^[A-Za-z_][A-Za-z0-9_]*=\S*\s/.test(result)) {
+    result = result.replace(/^[A-Za-z_][A-Za-z0-9_]*=\S*\s+/, "");
+  }
+  return result;
+}
+function stripWrappers(cmd) {
+  let result = cmd.trim();
+  let prev = "";
+  while (prev !== result) {
+    prev = result;
+    for (const prefix of WRAPPER_COMMANDS) {
+      if (result.startsWith(prefix + " ")) {
+        result = result.slice(prefix.length).trim();
+        while (result.startsWith("-")) {
+          const spaceIdx = result.indexOf(" ");
+          if (spaceIdx === -1) break;
+          result = result.slice(spaceIdx).trim();
+        }
       }
-      while (/^[A-Za-z_][A-Za-z0-9_]*=\S*\s/.test(cmd)) {
-        cmd = cmd.replace(/^[A-Za-z_][A-Za-z0-9_]*=\S*\s+/, "");
+    }
+    for (const prefix of WRAPPER_WITH_DURATION) {
+      if (result.startsWith(prefix + " ")) {
+        result = result.slice(prefix.length).trim();
+        while (result.startsWith("-")) {
+          const spaceIdx = result.indexOf(" ");
+          if (spaceIdx === -1) break;
+          result = result.slice(spaceIdx).trim();
+        }
+        if (result && !result.startsWith("-")) {
+          const spaceIdx = result.indexOf(" ");
+          if (spaceIdx !== -1) {
+            result = result.slice(spaceIdx).trim();
+          }
+        }
       }
     }
   }
+  return result;
+}
+function stripPrefixes(command) {
+  let cmd = command.trim();
+  let prev = "";
+  while (prev !== cmd) {
+    prev = cmd;
+    cmd = stripEnvVars(cmd);
+    cmd = stripWrappers(cmd);
+  }
   return cmd;
 }
 function extractCommandName(command) {
@@ -1102,6 +1100,16 @@ function classifyGitCommand(command) {
       }
       return { isReadOnly: false, isDestructive: false, reason: "git stash mutating operation" };
     }
+    if (subcommand === "reflog") {
+      const reflogSubcmd = positional[0];
+      if (!reflogSubcmd || reflogSubcmd === "show" || reflogSubcmd === "list") {
+        return { isReadOnly: true, isDestructive: false, reason: `git reflog${reflogSubcmd ? " " + reflogSubcmd : ""} is read-only` };
+      }
+      if (reflogSubcmd === "expire" || reflogSubcmd === "delete") {
+        return { isReadOnly: false, isDestructive: true, reason: `git reflog ${reflogSubcmd} is destructive` };
+      }
+      return { isReadOnly: false, isDestructive: false, reason: `git reflog ${reflogSubcmd} is mutating` };
+    }
     if (subcommand === "config") {
       if (hasTokenFlag(flags, "--set", "--add", "--unset", "--unset-all", "--replace-all", "--rename-section", "--remove-section")) {
         return { isReadOnly: false, isDestructive: false, reason: "git config write operation" };
@@ -1116,6 +1124,12 @@ function classifyGitCommand(command) {
         return { isReadOnly: false, isDestructive: false, reason: "git remote mutating operation" };
       }
     }
+    for (const flag of flags) {
+      const flagName = flag.split("=")[0];
+      if (GIT_READ_ONLY_WRITE_FLAGS.has(flagName)) {
+        return { isReadOnly: false, isDestructive: false, reason: `git ${subcommand} with ${flagName} may write files` };
+      }
+    }
     return { isReadOnly: true, isDestructive: false, reason: `git ${subcommand} is read-only` };
   }
   if (GIT_MUTATING_SUBCOMMANDS.has(subcommand)) {
@@ -1133,6 +1147,21 @@ function classifySingleCommand(command, config) {
   if (!name) {
     return { isReadOnly: false, isDestructive: false, reason: "Empty command" };
   }
+  const injectionReason = detectInjectionPatterns(command);
+  if (injectionReason) {
+    return {
+      isReadOnly: false,
+      isDestructive: true,
+      reason: `Injection detected: ${injectionReason}`
+    };
+  }
+  if (ZSH_DANGEROUS_COMMANDS.has(name)) {
+    return {
+      isReadOnly: false,
+      isDestructive: true,
+      reason: `Zsh dangerous command: ${name}`
+    };
+  }
   const allDestructive = [
     ...DESTRUCTIVE_PATTERNS,
     ...config?.extraDestructivePatterns ?? []
@@ -1152,9 +1181,27 @@ function classifySingleCommand(command, config) {
   if (name === "xargs" && /\bgit\b/.test(command)) {
     return classifyGitCommand(command);
   }
+  if (hasCommandSubstitution(command)) {
+    return { isReadOnly: false, isDestructive: false, reason: `Command contains command substitution` };
+  }
+  if (hasUnquotedExpansion(command)) {
+    return { isReadOnly: false, isDestructive: false, reason: `Command contains unquoted variable expansion` };
+  }
+  if (hasDangerousEnvVars(command)) {
+    return { isReadOnly: false, isDestructive: false, reason: `Command uses dangerous environment variable prefix` };
+  }
   if ((name === "echo" || name === "printf") && SAFE_ECHO_RE.test(stripPrefixes(command).trim())) {
     return { isReadOnly: true, isDestructive: false, reason: `${name} with safe arguments is read-only` };
   }
+  const conditionalCheck = CONDITIONAL_READ_ONLY[name];
+  if (conditionalCheck) {
+    const stripped = stripPrefixes(command).trim();
+    const tokens = stripped.split(/\s+/).slice(1);
+    if (conditionalCheck(command, tokens)) {
+      return { isReadOnly: true, isDestructive: false, reason: `${name} is read-only (flags validated)` };
+    }
+    return { isReadOnly: false, isDestructive: false, reason: `${name} has potentially dangerous flags` };
+  }
   const extraReadOnly = new Set(config?.extraReadOnlyCommands ?? []);
   if (READ_ONLY_COMMANDS.has(name) || extraReadOnly.has(name)) {
     return { isReadOnly: true, isDestructive: false, reason: `${name} is read-only` };
@@ -1173,6 +1220,13 @@ function classifyCommand(command, config) {
   if (subCommands.length === 0) {
     return { isReadOnly: true, isDestructive: false, reason: "Empty command" };
   }
+  if (subCommands.length > MAX_SUBCOMMANDS) {
+    return {
+      isReadOnly: false,
+      isDestructive: false,
+      reason: `Too many subcommands (${subCommands.length} > ${MAX_SUBCOMMANDS})`
+    };
+  }
   if (subCommands.length > 1) {
     const hasCd = subCommands.some((s) => /^(cd|pushd)\s/.test(s.trim()));
     const hasGit = subCommands.some((s) => {
@@ -1181,34 +1235,515 @@ function classifyCommand(command, config) {
     });
     if (hasCd && hasGit) {
       return {
-        isReadOnly: false,
-        isDestructive: false,
-        reason: "cd + git compound may escape working directory (bare-repo risk)"
+        isReadOnly: false,
+        isDestructive: false,
+        reason: "cd + git compound may escape working directory (bare-repo risk)"
+      };
+    }
+    if (hasGit && commandWritesGitInternals(command)) {
+      return {
+        isReadOnly: false,
+        isDestructive: true,
+        reason: "Compound command writes to git internal paths before running git"
+      };
+    }
+  }
+  let allReadOnly = true;
+  let anyDestructive = false;
+  const reasons = [];
+  for (const sub of subCommands) {
+    const result = classifySingleCommand(sub, config);
+    if (!result.isReadOnly) allReadOnly = false;
+    if (result.isDestructive) anyDestructive = true;
+    if (result.reason) reasons.push(result.reason);
+  }
+  return {
+    isReadOnly: allReadOnly,
+    isDestructive: anyDestructive,
+    reason: reasons.join("; ")
+  };
+}
+
+// src/permissions/pipeline.ts
+import * as path5 from "path";
+import * as fs2 from "fs";
+
+// src/tools/write.ts
+import * as nodePath from "path";
+
+// src/tools/prompts/write.ts
+var WRITE_PROMPT = `Writes a file to the local filesystem. Parent directories are created automatically if they don't exist.
+
+Usage:
+- This tool will overwrite the existing file if there is one at the provided path.
+- If this is an existing file, you MUST use the ReadFile tool first to read the file's contents. This tool will fail if you did not read the file first.
+- Prefer the EditFile tool for modifying existing files \u2014 it only sends the diff. Only use this tool to create new files or for complete rewrites.
+- NEVER create documentation files (*.md) or README files unless explicitly requested by the User.
+- Only use emojis if the user explicitly requests it. Avoid writing emojis to files unless asked.
+`;
+
+// src/tools/file-lock.ts
+var fileLocks = /* @__PURE__ */ new Map();
+async function withFileLock(filePath, fn) {
+  const prev = fileLocks.get(filePath) ?? Promise.resolve();
+  let release;
+  const lock = new Promise((resolve4) => {
+    release = resolve4;
+  });
+  fileLocks.set(filePath, lock);
+  await prev;
+  try {
+    return await fn();
+  } finally {
+    release();
+    if (fileLocks.get(filePath) === lock) {
+      fileLocks.delete(filePath);
+    }
+  }
+}
+
+// src/tools/write.ts
+var writeFileTool = {
+  name: "WriteFile",
+  description: "Create or overwrite a file with the given content. Parent directories are created automatically if they don't exist.",
+  prompt: WRITE_PROMPT,
+  isReadOnly: false,
+  checkPermissions(args, ctx) {
+    const filePath = args.file_path;
+    if (filePath.startsWith("\\\\") || filePath.startsWith("//")) {
+      return {
+        behavior: "deny",
+        message: "Error: UNC paths are not allowed"
+      };
+    }
+    if (isDangerousPath(filePath, ctx.cwd)) {
+      return {
+        behavior: "ask",
+        message: `Write targets sensitive path: ${filePath}`,
+        reason: "safetyCheck"
+      };
+    }
+    return {
+      behavior: "passthrough",
+      message: `Write to ${filePath}`
+    };
+  },
+  parameters: {
+    type: "object",
+    properties: {
+      file_path: {
+        type: "string",
+        description: "The path of the file to write (absolute or relative to cwd)"
+      },
+      content: {
+        type: "string",
+        description: "The content to write to the file"
+      }
+    },
+    required: ["file_path", "content"]
+  },
+  async call(args, ctx) {
+    const filePath = args.file_path;
+    const content = args.content;
+    try {
+      if (ctx.checkpointManager && ctx.currentMessageId) {
+        await ctx.checkpointManager.trackEdit(filePath, ctx.currentMessageId, ctx.sessionId ?? "");
+      }
+      const existed = await ctx.fs.exists(filePath);
+      if (existed && ctx.fileStateCache) {
+        const cached = ctx.fileStateCache.get(filePath);
+        if (!cached) {
+          return {
+            content: `Error: File ${filePath} exists but has not been read yet. Read it first before overwriting.`,
+            isError: true
+          };
+        }
+        try {
+          const stat = await ctx.fs.stat(filePath);
+          const mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
+          if (mtime > cached.timestamp) {
+            const currentContent = await ctx.fs.readFile(filePath);
+            if (currentContent !== cached.content) {
+              return {
+                content: `Error: ${filePath} has been modified since last read. Re-read the file before overwriting.`,
+                isError: true
+              };
+            }
+          }
+        } catch {
+        }
+      }
+      const dir = nodePath.dirname(filePath);
+      if (dir && dir !== "." && dir !== "/") {
+        await ctx.fs.mkdir(dir, { recursive: true }).catch(() => {
+        });
+      }
+      await withFileLock(filePath, async () => {
+        await ctx.fs.writeFile(filePath, content);
+      });
+      ctx.notifyHook?.("FileWrite", {
+        event: "FileWrite",
+        sessionId: ctx.sessionId ?? "",
+        toolName: "WriteFile",
+        filePath,
+        isNew: !existed
+      }).catch(() => {
+      });
+      if (ctx.fileStateCache) {
+        let mtime = 0;
+        try {
+          const stat = await ctx.fs.stat(filePath);
+          mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
+        } catch {
+        }
+        ctx.fileStateCache.set(filePath, {
+          content,
+          timestamp: mtime
+        });
+      }
+      return {
+        content: existed ? `File updated successfully at: ${filePath}` : `File created successfully at: ${filePath}`
+      };
+    } catch (err) {
+      return {
+        content: `Error writing file: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
+    }
+  }
+};
+
+// src/tools/edit.ts
+import * as nodePath2 from "path";
+
+// src/tools/edit-utils.ts
+var LEFT_SINGLE_CURLY = "\u2018";
+var RIGHT_SINGLE_CURLY = "\u2019";
+var LEFT_DOUBLE_CURLY = "\u201C";
+var RIGHT_DOUBLE_CURLY = "\u201D";
+function normalizeQuotes(str) {
+  return str.replaceAll(LEFT_SINGLE_CURLY, "'").replaceAll(RIGHT_SINGLE_CURLY, "'").replaceAll(LEFT_DOUBLE_CURLY, '"').replaceAll(RIGHT_DOUBLE_CURLY, '"');
+}
+function findActualString(fileContent, searchString) {
+  if (fileContent.includes(searchString)) {
+    return searchString;
+  }
+  const normalizedSearch = normalizeQuotes(searchString);
+  const normalizedFile = normalizeQuotes(fileContent);
+  const searchIndex = normalizedFile.indexOf(normalizedSearch);
+  if (searchIndex !== -1) {
+    return fileContent.substring(searchIndex, searchIndex + searchString.length);
+  }
+  return null;
+}
+function countOccurrences(haystack, needle) {
+  const normalizedNeedle = normalizeQuotes(needle);
+  const normalizedHaystack = normalizeQuotes(haystack);
+  let count = 0;
+  let pos = 0;
+  while (true) {
+    const idx = normalizedHaystack.indexOf(normalizedNeedle, pos);
+    if (idx === -1) break;
+    count++;
+    pos = idx + 1;
+  }
+  return count;
+}
+function usesCurlyQuotes(str) {
+  return {
+    singleCurly: str.includes(LEFT_SINGLE_CURLY) || str.includes(RIGHT_SINGLE_CURLY),
+    doubleCurly: str.includes(LEFT_DOUBLE_CURLY) || str.includes(RIGHT_DOUBLE_CURLY)
+  };
+}
+function preserveQuoteStyle(oldString, actualOldString, newString) {
+  if (oldString === actualOldString) {
+    return newString;
+  }
+  const fileStyle = usesCurlyQuotes(actualOldString);
+  let result = newString;
+  if (fileStyle.singleCurly) {
+    result = convertStraightToCurlySingle(result);
+  }
+  if (fileStyle.doubleCurly) {
+    result = convertStraightToCurlyDouble(result);
+  }
+  return result;
+}
+function convertStraightToCurlySingle(str) {
+  let result = "";
+  let inWord = false;
+  for (let i = 0; i < str.length; i++) {
+    const ch = str[i];
+    if (ch === "'") {
+      const prev = i > 0 ? str[i - 1] : " ";
+      if (/\s/.test(prev) || prev === "(" || prev === "[" || prev === "{") {
+        result += LEFT_SINGLE_CURLY;
+        inWord = true;
+      } else {
+        result += RIGHT_SINGLE_CURLY;
+        inWord = false;
+      }
+    } else {
+      result += ch;
+      inWord = /\w/.test(ch);
+    }
+  }
+  return result;
+}
+function convertStraightToCurlyDouble(str) {
+  let result = "";
+  let open = true;
+  for (let i = 0; i < str.length; i++) {
+    const ch = str[i];
+    if (ch === '"') {
+      result += open ? LEFT_DOUBLE_CURLY : RIGHT_DOUBLE_CURLY;
+      open = !open;
+    } else {
+      result += ch;
+    }
+  }
+  return result;
+}
+function stripTrailingWhitespace(str) {
+  const parts = str.split(/(\r\n|\n|\r)/);
+  const result = [];
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i];
+    if (i % 2 === 0) {
+      result.push(part.replace(/[\t ]+$/, ""));
+    } else {
+      result.push(part);
+    }
+  }
+  return result.join("");
+}
+
+// src/tools/prompts/edit.ts
+var EDIT_PROMPT = `Performs exact string replacements in files.
+
+Usage:
+- You must use the ReadFile tool at least once before editing a file. This tool will error if you attempt an edit without reading the file first.
+- When editing text from ReadFile output, ensure you preserve the exact indentation (tabs/spaces) as it appears AFTER the line number prefix. The line number prefix format is: spaces + line number + pipe. Everything after that is the actual file content to match. Never include any part of the line number prefix in the old_string or new_string.
+- ALWAYS prefer editing existing files in the codebase. NEVER write new files unless explicitly required.
+- Only use emojis if the user explicitly requests it. Avoid adding emojis to files unless asked.
+- The edit will FAIL if \`old_string\` is not unique in the file. Either provide a larger string with more surrounding context to make it unique or use \`replace_all\` to change every instance of \`old_string\`.
+- Use \`replace_all\` for replacing and renaming strings across the file. This parameter is useful if you want to rename a variable for instance.
+`;
+
+// src/tools/edit.ts
+var editFileTool = {
+  name: "EditFile",
+  description: "Edit a file by replacing an exact string match with new content. The old_string must match exactly (including whitespace and indentation). Set replace_all to true to replace all occurrences.",
+  prompt: EDIT_PROMPT,
+  isReadOnly: false,
+  checkPermissions(args, ctx) {
+    const filePath = args.file_path;
+    if (filePath.startsWith("\\\\") || filePath.startsWith("//")) {
+      return {
+        behavior: "deny",
+        message: "Error: UNC paths are not allowed"
+      };
+    }
+    if (isDangerousPath(filePath, ctx.cwd)) {
+      return {
+        behavior: "ask",
+        message: `Edit targets sensitive path: ${filePath}`,
+        reason: "safetyCheck"
+      };
+    }
+    return {
+      behavior: "passthrough",
+      message: `Edit ${filePath}`
+    };
+  },
+  parameters: {
+    type: "object",
+    properties: {
+      file_path: {
+        type: "string",
+        description: "The path of the file to edit"
+      },
+      old_string: {
+        type: "string",
+        description: "The exact string to find and replace"
+      },
+      new_string: {
+        type: "string",
+        description: "The replacement string"
+      },
+      replace_all: {
+        type: "boolean",
+        description: "If true, replace all occurrences of old_string. Defaults to false."
+      }
+    },
+    required: ["file_path", "old_string", "new_string"]
+  },
+  async call(args, ctx) {
+    const filePath = args.file_path;
+    const oldString = args.old_string;
+    const newString = args.new_string;
+    const replaceAll = args.replace_all ?? false;
+    if (filePath.endsWith(".ipynb")) {
+      return {
+        content: `Error: ${filePath} is a Jupyter Notebook. Use the NotebookEdit tool to edit notebook files.`,
+        isError: true
+      };
+    }
+    if (oldString === newString) {
+      return {
+        content: "No changes to make: old_string and new_string are exactly the same.",
+        isError: true
+      };
+    }
+    if (oldString === "") {
+      const exists = await ctx.fs.exists(filePath);
+      if (!exists) {
+        if (ctx.checkpointManager && ctx.currentMessageId) {
+          await ctx.checkpointManager.trackEdit(filePath, ctx.currentMessageId, ctx.sessionId ?? "");
+        }
+        await ctx.fs.writeFile(filePath, newString);
+        ctx.notifyHook?.("FileWrite", {
+          event: "FileWrite",
+          sessionId: ctx.sessionId ?? "",
+          toolName: "EditFile",
+          filePath,
+          isNew: true
+        }).catch(() => {
+        });
+        if (ctx.fileStateCache) {
+          ctx.fileStateCache.set(filePath, { content: newString, timestamp: Date.now() });
+        }
+        return { content: `Created new file ${filePath}.` };
+      }
+      const existing = await ctx.fs.readFile(filePath);
+      if (existing.trim() !== "") {
+        return {
+          content: "Error: old_string is empty but file already has content. Use WriteFile to overwrite, or provide the exact text to replace.",
+          isError: true
+        };
+      }
+      if (ctx.checkpointManager && ctx.currentMessageId) {
+        await ctx.checkpointManager.trackEdit(filePath, ctx.currentMessageId, ctx.sessionId ?? "");
+      }
+      await ctx.fs.writeFile(filePath, newString);
+      if (ctx.fileStateCache) {
+        ctx.fileStateCache.set(filePath, { content: newString, timestamp: Date.now() });
+      }
+      return { content: `File ${filePath} has been updated successfully.` };
+    }
+    const MAX_EDIT_FILE_SIZE = 1024 * 1024 * 1024;
+    try {
+      try {
+        const stat = await ctx.fs.stat(filePath);
+        if (stat.size !== void 0 && stat.size > MAX_EDIT_FILE_SIZE) {
+          return {
+            content: `Error: File is too large to edit (${Math.round(stat.size / 1024 / 1024)} MiB). Max: 1 GiB.`,
+            isError: true
+          };
+        }
+      } catch {
+      }
+      if (ctx.fileStateCache) {
+        const cached = ctx.fileStateCache.get(filePath);
+        if (!cached || cached.isPartialView) {
+          return {
+            content: `Error: File has not been read yet. Use ReadFile on ${filePath} before editing.`,
+            isError: true
+          };
+        }
+        try {
+          const stat = await ctx.fs.stat(filePath);
+          const mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
+          if (mtime > cached.timestamp) {
+            const currentContent = await ctx.fs.readFile(filePath);
+            if (currentContent !== cached.content) {
+              return {
+                content: `Error: ${filePath} has been modified since last read. Re-read the file before editing.`,
+                isError: true
+              };
+            }
+          }
+        } catch {
+        }
+      }
+      if (ctx.checkpointManager && ctx.currentMessageId) {
+        await ctx.checkpointManager.trackEdit(filePath, ctx.currentMessageId, ctx.sessionId ?? "");
+      }
+      const dir = nodePath2.dirname(filePath);
+      if (dir && dir !== "." && dir !== "/") {
+        await ctx.fs.mkdir(dir, { recursive: true }).catch(() => {
+        });
+      }
+      const updated = await withFileLock(filePath, async () => {
+        const rawContent = await ctx.fs.readFile(filePath);
+        const hasCRLF = rawContent.includes("\r\n");
+        const content = hasCRLF ? rawContent.replaceAll("\r\n", "\n") : rawContent;
+        const actualOldString = findActualString(content, oldString);
+        if (!actualOldString) {
+          return {
+            error: `Error: old_string not found in ${filePath}. Make sure the string matches exactly, including whitespace and indentation.`
+          };
+        }
+        if (!replaceAll) {
+          const count = content.split(actualOldString).length - 1;
+          if (count > 1) {
+            return {
+              error: `Error: old_string appears ${count} times in ${filePath}. Provide more context to make it unique, or set replace_all to true.`
+            };
+          }
+        }
+        const actualNewString = preserveQuoteStyle(oldString, actualOldString, newString);
+        let result;
+        if (replaceAll) {
+          result = content.split(actualOldString).join(actualNewString);
+        } else if (actualNewString === "") {
+          const hasTrailingNewline = !actualOldString.endsWith("\n") && content.includes(actualOldString + "\n");
+          const deleteTarget = hasTrailingNewline ? actualOldString + "\n" : actualOldString;
+          result = content.replace(deleteTarget, () => actualNewString);
+        } else {
+          result = content.replace(actualOldString, () => actualNewString);
+        }
+        if (hasCRLF) {
+          result = result.replaceAll("\n", "\r\n");
+        }
+        await ctx.fs.writeFile(filePath, result);
+        return { content: result };
+      });
+      if ("error" in updated) {
+        return { content: String(updated.error), isError: true };
+      }
+      const editedContent = updated.content;
+      ctx.notifyHook?.("FileWrite", {
+        event: "FileWrite",
+        sessionId: ctx.sessionId ?? "",
+        toolName: "EditFile",
+        filePath,
+        isNew: false
+      }).catch(() => {
+      });
+      if (ctx.fileStateCache) {
+        let mtime = 0;
+        try {
+          const stat = await ctx.fs.stat(filePath);
+          mtime = stat.modifiedAt ? Math.floor(stat.modifiedAt.getTime()) : 0;
+        } catch {
+        }
+        ctx.fileStateCache.set(filePath, {
+          content: editedContent,
+          timestamp: mtime
+        });
+      }
+      return {
+        content: `File ${filePath} has been updated successfully.`
       };
-    }
-    if (hasGit && commandWritesGitInternals(command)) {
+    } catch (err) {
       return {
-        isReadOnly: false,
-        isDestructive: true,
-        reason: "Compound command writes to git internal paths before running git"
+        content: `Error editing file: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
       };
     }
   }
-  let allReadOnly = true;
-  let anyDestructive = false;
-  const reasons = [];
-  for (const sub of subCommands) {
-    const result = classifySingleCommand(sub, config);
-    if (!result.isReadOnly) allReadOnly = false;
-    if (result.isDestructive) anyDestructive = true;
-    if (result.reason) reasons.push(result.reason);
-  }
-  return {
-    isReadOnly: allReadOnly,
-    isDestructive: anyDestructive,
-    reason: reasons.join("; ")
-  };
-}
+};
 
 // src/tools/shell-safety/git-tracking.ts
 function detectGitOperations(command, stdout) {
@@ -1292,6 +1827,21 @@ While the Bash tool can do similar things, the built-in tools are preferred as t
 
 // src/tools/bash.ts
 var MAX_OUTPUT_CHARS = 1e5;
+var NON_ERROR_EXIT1_COMMANDS = /* @__PURE__ */ new Set([
+  "grep",
+  "egrep",
+  "fgrep",
+  "rg",
+  "ag",
+  "ack",
+  "diff",
+  "comm"
+]);
+function isExpectedNonZeroExit(command, exitCode) {
+  if (exitCode !== 1) return false;
+  const name = extractCommandName(command);
+  return NON_ERROR_EXIT1_COMMANDS.has(name);
+}
 var bashTool = {
   name: "Bash",
   description: "Execute a bash shell command. Use this for running scripts, installing packages, git operations, and other system commands.",
@@ -1363,17 +1913,23 @@ ${result.stderr}`;
         output = "(no output)";
       }
       if (output.length > MAX_OUTPUT_CHARS) {
-        const totalChars = output.length;
-        output = output.slice(0, MAX_OUTPUT_CHARS) + `
-... output truncated (${totalChars} total chars)`;
+        const headSize = Math.floor(MAX_OUTPUT_CHARS * 0.8);
+        const tailSize = MAX_OUTPUT_CHARS - headSize;
+        const dropped = output.length - MAX_OUTPUT_CHARS;
+        output = output.slice(0, headSize) + `
+
+... ${dropped} chars truncated ...
+
+` + output.slice(-tailSize);
       }
+      const isSemanticError = result.exitCode !== 0 && !isExpectedNonZeroExit(command, result.exitCode);
       if (result.exitCode !== 0) {
         output = `Exit code: ${result.exitCode}
 ${output}`;
       }
       const toolResult = {
         content: output,
-        isError: result.exitCode !== 0
+        isError: isSemanticError
       };
       if (result.exitCode === 0) {
         const gitOps = detectGitOperations(command, result.stdout ?? "");
@@ -1391,6 +1947,9 @@ ${output}`;
   }
 };
 
+// src/tools/glob.ts
+import * as path3 from "path";
+
 // src/tools/prompts/glob.ts
 var GLOB_PROMPT = `Fast file pattern matching tool that works with any codebase size.
 
@@ -1430,12 +1989,19 @@ var globTool = {
   async call(args, ctx) {
     const pattern = args.pattern;
     const searchPath = args.path ?? ctx.cwd;
-    const fullPattern = pattern.startsWith("**/") ? pattern : `**/${pattern}`;
-    const command = `rg --files --glob ${shellEscape(fullPattern)} --sort=modified | head -n ${String(MAX_RESULTS + 1)}`;
+    const fullPattern = pattern.startsWith("**/") || path3.isAbsolute(pattern) ? pattern : `**/${pattern}`;
+    const resolvedPath = searchPath === ctx.cwd ? "." : searchPath;
+    const command = `rg --files --hidden --glob ${shellEscape(fullPattern)} --sortr=modified ${shellEscape(resolvedPath)} | head -n ${String(MAX_RESULTS + 1)}`;
     try {
-      const result = await ctx.computer.executeCommand(command, {
-        cwd: searchPath
+      let result = await ctx.computer.executeCommand(command, {
+        cwd: ctx.cwd
       });
+      if (result.exitCode === 127 || result.stderr?.includes("not found")) {
+        const findCommand = `find ${shellEscape(resolvedPath)} -name ${shellEscape(pattern)} -type f | head -n ${String(MAX_RESULTS + 1)}`;
+        result = await ctx.computer.executeCommand(findCommand, {
+          cwd: ctx.cwd
+        });
+      }
       if (result.exitCode > 1) {
         return {
           content: `Glob error: ${result.stderr || result.stdout}`,
@@ -1522,16 +2088,32 @@ var grepTool = {
       "--line-number",
       "--no-heading",
       "--color=never",
+      "--hidden",
+      "--glob",
+      "'!.git'",
+      "--glob",
+      "'!.svn'",
+      "--glob",
+      "'!.hg'",
+      "--glob",
+      "'!.bzr'",
+      "--glob",
+      "'!.jj'",
+      "--glob",
+      "'!.sl'",
+      "--max-columns",
+      "500",
       `--max-count=${MAX_MATCHES}`
     ];
     if (caseInsensitive) rgArgs.push("-i");
     if (contextLines !== void 0) rgArgs.push(`-C${contextLines}`);
     if (glob) rgArgs.push(`--glob`, shellEscape(glob));
-    rgArgs.push("--", shellEscape(pattern), ".");
+    const resolvedPath = searchPath === ctx.cwd ? "." : searchPath;
+    rgArgs.push("--", shellEscape(pattern), shellEscape(resolvedPath));
     const command = rgArgs.join(" ");
     try {
       const result = await ctx.computer.executeCommand(command, {
-        cwd: searchPath
+        cwd: ctx.cwd
       });
       if (result.exitCode === 1 && !result.stdout.trim()) {
         return { content: "No matches found." };
@@ -1559,6 +2141,9 @@ var grepTool = {
   }
 };
 
+// src/tools/web-fetch.ts
+import * as dns from "dns";
+
 // src/tools/prompts/web-fetch.ts
 var WEB_FETCH_PROMPT = `Fetches content from a specified URL and returns it in a readable format.
 
@@ -1576,9 +2161,63 @@ Usage notes:
 `;
 
 // src/tools/web-fetch.ts
+function stripWww(hostname) {
+  return hostname.replace(/^www\./, "");
+}
 var MAX_CONTENT_LENGTH = 5 * 1024 * 1024;
 var FETCH_TIMEOUT_MS = 3e4;
 var MAX_OUTPUT_CHARS2 = 1e5;
+var MAX_REDIRECTS = 5;
+function isPrivateIP(ip) {
+  const stripped = ip.replace(/^\[|\]$/g, "");
+  if (stripped === "::1" || stripped === "0.0.0.0" || stripped === "::") return true;
+  if (stripped.startsWith("fe80:")) return true;
+  const firstTwo = stripped.slice(0, 2).toLowerCase();
+  if (firstTwo === "fc" || firstTwo === "fd") return true;
+  if (stripped.toLowerCase().startsWith("::ffff:")) {
+    const embedded = stripped.slice(7);
+    return embedded.includes(".") ? isPrivateIP(embedded) : true;
+  }
+  const parts = stripped.split(".");
+  if (parts.length === 4 && parts.every((p) => /^\d+$/.test(p))) {
+    const [a, b] = parts.map(Number);
+    if (a === 127) return true;
+    if (a === 10) return true;
+    if (a === 172 && b >= 16 && b <= 31) return true;
+    if (a === 192 && b === 168) return true;
+    if (a === 169 && b === 254) return true;
+    if (a === 0) return true;
+  }
+  return false;
+}
+function isPrivateHost(hostname) {
+  if (hostname === "localhost" || hostname === "[::1]" || hostname === "0.0.0.0") {
+    return true;
+  }
+  if (isPrivateIP(hostname)) return true;
+  if (hostname.startsWith("fe80:") || hostname.startsWith("[fe80:")) return true;
+  return false;
+}
+async function checkDnsRebinding(hostname) {
+  if (/^\d+\.\d+\.\d+\.\d+$/.test(hostname) || hostname.includes(":")) {
+    return isPrivateIP(hostname) ? hostname : null;
+  }
+  try {
+    const addrs = await dns.promises.resolve4(hostname);
+    for (const addr of addrs) {
+      if (isPrivateIP(addr)) return addr;
+    }
+  } catch {
+  }
+  try {
+    const addrs6 = await dns.promises.resolve6(hostname);
+    for (const addr of addrs6) {
+      if (isPrivateIP(addr)) return addr;
+    }
+  } catch {
+  }
+  return null;
+}
 var webFetchTool = {
   name: "WebFetch",
   description: "Fetch a URL and return its contents as markdown. Useful for reading web pages, documentation, API responses, and other online content. Provide an optional prompt to extract specific information.",
@@ -1602,26 +2241,66 @@ var webFetchTool = {
   async call(args, _ctx) {
     const url = args.url;
     const prompt = args.prompt;
+    let parsedUrl;
     try {
-      new URL(url);
+      parsedUrl = new URL(url);
     } catch {
       return { content: `Invalid URL: ${url}`, isError: true };
     }
+    if (parsedUrl.username || parsedUrl.password) {
+      return { content: `Blocked: URLs with embedded credentials are not allowed`, isError: true };
+    }
+    if (parsedUrl.protocol === "http:") {
+      parsedUrl.protocol = "https:";
+    }
+    if (isPrivateHost(parsedUrl.hostname)) {
+      return { content: `Blocked: "${parsedUrl.hostname}" resolves to a private/internal address`, isError: true };
+    }
+    const rebindIP = await checkDnsRebinding(parsedUrl.hostname);
+    if (rebindIP) {
+      return { content: `Blocked: "${parsedUrl.hostname}" resolves to private address ${rebindIP}`, isError: true };
+    }
     try {
       const controller = new AbortController();
       const timeoutId = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
-      const response = await fetch(url, {
-        signal: controller.signal,
-        headers: {
-          "User-Agent": "noumen-agent/1.0",
-          Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,text/plain;q=0.8,*/*;q=0.7"
-        },
-        redirect: "follow"
-      });
+      let currentUrl = parsedUrl.toString();
+      const originalHost = stripWww(parsedUrl.hostname);
+      let response;
+      for (let redirects = 0; redirects <= MAX_REDIRECTS; redirects++) {
+        response = await fetch(currentUrl, {
+          signal: controller.signal,
+          headers: {
+            "User-Agent": "noumen-agent/1.0",
+            Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,text/plain;q=0.8,*/*;q=0.7"
+          },
+          redirect: "manual"
+        });
+        if (response.status >= 300 && response.status < 400) {
+          const location = response.headers.get("location");
+          if (!location) break;
+          const redirectUrl = new URL(location, currentUrl);
+          if (stripWww(redirectUrl.hostname) !== originalHost) {
+            clearTimeout(timeoutId);
+            return { content: `Blocked: redirect to different host "${redirectUrl.hostname}" (original: "${parsedUrl.hostname}")`, isError: true };
+          }
+          if (isPrivateHost(redirectUrl.hostname)) {
+            clearTimeout(timeoutId);
+            return { content: `Blocked: redirect to private/internal address "${redirectUrl.hostname}"`, isError: true };
+          }
+          const redirectRebind = await checkDnsRebinding(redirectUrl.hostname);
+          if (redirectRebind) {
+            clearTimeout(timeoutId);
+            return { content: `Blocked: redirect target "${redirectUrl.hostname}" resolves to private address ${redirectRebind}`, isError: true };
+          }
+          currentUrl = redirectUrl.toString();
+          continue;
+        }
+        break;
+      }
       clearTimeout(timeoutId);
-      if (!response.ok) {
+      if (!response || !response.ok) {
         return {
-          content: `HTTP ${response.status}: ${response.statusText}`,
+          content: `HTTP ${response?.status ?? "unknown"}: ${response?.statusText ?? "no response"}`,
           isError: true
         };
       }
@@ -1729,18 +2408,18 @@ var notebookEditTool = {
     required: ["notebook_path", "cell_index"]
   },
   async call(args, ctx) {
-    const path2 = args.notebook_path;
+    const path6 = args.notebook_path;
     const cellIndex = args.cell_index;
     const newSource = args.new_source ?? "";
     const cellType = args.cell_type ?? "code";
     const editMode = args.edit_mode ?? "replace";
     try {
-      const raw = await ctx.fs.readFile(path2);
+      const raw = await ctx.fs.readFile(path6);
       let notebook;
       try {
         notebook = JSON.parse(raw);
       } catch {
-        return { content: `Not a valid JSON notebook: ${path2}`, isError: true };
+        return { content: `Not a valid JSON notebook: ${path6}`, isError: true };
       }
       if (!Array.isArray(notebook.cells)) {
         return { content: "Notebook has no cells array.", isError: true };
@@ -1792,9 +2471,9 @@ var notebookEditTool = {
             isError: true
           };
       }
-      await ctx.fs.writeFile(path2, JSON.stringify(notebook, null, 1) + "\n");
+      await ctx.fs.writeFile(path6, JSON.stringify(notebook, null, 1) + "\n");
       const action = editMode === "delete" ? `Deleted cell ${cellIndex}` : editMode === "insert" ? `Inserted new ${cellType} cell at index ${cellIndex}` : `Replaced cell ${cellIndex} content`;
-      return { content: `${action} in ${path2}. Notebook now has ${notebook.cells.length} cells.` };
+      return { content: `${action} in ${path6}. Notebook now has ${notebook.cells.length} cells.` };
     } catch (err) {
       return {
         content: `Error editing notebook: ${err instanceof Error ? err.message : String(err)}`,
@@ -1899,6 +2578,7 @@ var ToolRegistry = class {
         isError: true
       };
     }
+    let validatedArgs = args;
     if (tool.inputSchema) {
       const parsed = tool.inputSchema.safeParse(args);
       if (!parsed.success) {
@@ -1907,8 +2587,16 @@ var ToolRegistry = class {
           isError: true
         };
       }
+      validatedArgs = parsed.data;
+    }
+    try {
+      return await tool.call(validatedArgs, ctx);
+    } catch (err) {
+      return {
+        content: `Error executing ${name}: ${err instanceof Error ? err.message : String(err)}`,
+        isError: true
+      };
     }
-    return tool.call(args, ctx);
   }
   toToolDefinitions() {
     return Array.from(this.tools.values()).map((tool) => ({
@@ -1958,16 +2646,451 @@ var ToolRegistry = class {
   }
 };
 
+// src/permissions/helpers.ts
+import * as path4 from "path";
+var ACCEPT_EDITS_BASH_ALLOWLIST = /* @__PURE__ */ new Set([
+  "mkdir",
+  "touch",
+  "mv",
+  "cp",
+  "sed",
+  "chmod"
+]);
+function extractContentHint(tool, input) {
+  if (typeof input.file_path === "string") return input.file_path;
+  if (typeof input.command === "string") return input.command;
+  if (typeof input.path === "string") return input.path;
+  return void 0;
+}
+function resolveAcceptEditsDecision(params) {
+  const { toolName, input, effectiveInput, isReadOnly, isDestructive, workingDirectories } = params;
+  if (isDestructive) {
+    return {
+      behavior: "ask",
+      message: `Tool "${toolName}" is destructive and requires approval in acceptEdits mode.`,
+      reason: "mode"
+    };
+  }
+  if (toolName === "Bash") {
+    const cmd = typeof input.command === "string" ? input.command : "";
+    const subCommands = splitCompoundCommand(cmd);
+    for (const sub of subCommands) {
+      const baseName = extractCommandName(sub);
+      if (!ACCEPT_EDITS_BASH_ALLOWLIST.has(baseName)) {
+        return {
+          behavior: "ask",
+          message: `Tool "${toolName}" (${baseName}) is not in the acceptEdits allowlist.`,
+          reason: "mode"
+        };
+      }
+    }
+    if (workingDirectories.length > 0) {
+      for (const sub of subCommands) {
+        const tokens = sub.trim().split(/\s+/).slice(1);
+        for (const token of tokens) {
+          if (token.startsWith("-")) continue;
+          if (path4.isAbsolute(token) && !isPathInWorkingDirectories(token, workingDirectories)) {
+            return {
+              behavior: "ask",
+              message: `Bash command references path "${token}" outside working directories.`,
+              reason: "workingDirectory"
+            };
+          }
+        }
+      }
+    }
+  }
+  if (workingDirectories.length > 0) {
+    const filePath = typeof input.file_path === "string" ? input.file_path : typeof input.path === "string" ? input.path : void 0;
+    if (filePath && !isPathInWorkingDirectories(filePath, workingDirectories)) {
+      return {
+        behavior: "ask",
+        message: `Path "${filePath}" is outside working directories in acceptEdits mode.`,
+        reason: "workingDirectory"
+      };
+    }
+  }
+  const hasFilePath = typeof input.file_path === "string" || typeof input.path === "string";
+  if (!isReadOnly && !hasFilePath && toolName !== "Bash") {
+    return {
+      behavior: "ask",
+      message: `Tool "${toolName}" requires approval in acceptEdits mode.`,
+      reason: "mode"
+    };
+  }
+  return {
+    behavior: "allow",
+    updatedInput: effectiveInput,
+    reason: "mode"
+  };
+}
+function resolveAutoModeDecision(params) {
+  const { toolName, effectiveInput, classifierResult, denialTracker, requiresUserInteraction } = params;
+  if (classifierResult.shouldBlock) {
+    if (denialTracker) {
+      denialTracker.recordDenial();
+      const fallback = denialTracker.shouldFallback();
+      if (fallback.triggered) {
+        if (fallback.reason === "repeated_consecutive") {
+          return {
+            behavior: "deny",
+            message: `Auto-mode classifier denied too many actions without user approval. Aborting.`,
+            reason: "denial_limit"
+          };
+        }
+        denialTracker.resetAfterFallback(fallback.reason);
+        return {
+          behavior: "ask",
+          message: `Auto-mode classifier denied too many consecutive actions. Falling back to user prompt.`,
+          reason: "denial_limit"
+        };
+      }
+    }
+    return {
+      behavior: "deny",
+      message: `Auto-mode classifier flagged this call: ${classifierResult.reason}`,
+      reason: "classifier"
+    };
+  }
+  if (requiresUserInteraction) {
+    return {
+      behavior: "ask",
+      message: `Tool "${toolName}" requires user interaction.`,
+      reason: "interaction"
+    };
+  }
+  denialTracker?.recordSuccess();
+  return {
+    behavior: "allow",
+    updatedInput: effectiveInput,
+    reason: "classifier"
+  };
+}
+
+// src/permissions/pipeline.ts
+var DANGEROUS_PATH_PATTERNS = [
+  /(?:^|\/)\.git(?:\/|$)/,
+  /(?:^|\/)\.bashrc$/,
+  /(?:^|\/)\.bash_profile$/,
+  /(?:^|\/)\.zshrc$/,
+  /(?:^|\/)\.zprofile$/,
+  /(?:^|\/)\.profile$/,
+  /(?:^|\/)\.ssh(?:\/|$)/,
+  /(?:^|\/)\.env$/,
+  /(?:^|\/)\.npmrc$/,
+  /(?:^|\/)\.vscode(?:\/|$)/,
+  /(?:^|\/)\.idea(?:\/|$)/,
+  /(?:^|\/)\.claude(?:\/|$)/,
+  /(?:^|\/)\.noumen(?:\/|$)/,
+  /(?:^|\/)\.gitconfig$/,
+  /(?:^|\/)\.gitmodules$/,
+  /(?:^|\/)\.mcp\.json$/,
+  /(?:^|\/)\.ripgreprc$/,
+  /(?:^|\/)\.noumen\.json$/
+];
+async function resolvePermission(tool, input, ctx, permCtx, opts) {
+  const toolName = tool.name;
+  const contentHint = extractContentHint(tool, input);
+  const wholeDenyRules = getMatchingRules(
+    permCtx,
+    toolName,
+    "deny",
+    void 0,
+    tool.mcpInfo
+  );
+  if (wholeDenyRules.length > 0) {
+    return {
+      behavior: "deny",
+      message: `Tool "${toolName}" is denied by rule.`,
+      reason: "rule"
+    };
+  }
+  if (contentHint !== void 0) {
+    const contentDenyRules = getMatchingRules(
+      permCtx,
+      toolName,
+      "deny",
+      contentHint,
+      tool.mcpInfo
+    );
+    if (contentDenyRules.length > 0) {
+      return {
+        behavior: "deny",
+        message: `Tool "${toolName}" with "${contentHint}" is denied by rule.`,
+        reason: "rule"
+      };
+    }
+  }
+  const wholeAskRules = getMatchingRules(
+    permCtx,
+    toolName,
+    "ask",
+    void 0,
+    tool.mcpInfo
+  );
+  if (wholeAskRules.length > 0) {
+    return {
+      behavior: "ask",
+      message: `Tool "${toolName}" requires approval.`,
+      reason: "rule"
+    };
+  }
+  if (contentHint !== void 0) {
+    const contentAskRules = getMatchingRules(
+      permCtx,
+      toolName,
+      "ask",
+      contentHint,
+      tool.mcpInfo
+    );
+    if (contentAskRules.length > 0) {
+      return {
+        behavior: "ask",
+        message: `Tool "${toolName}" with "${contentHint}" requires approval.`,
+        reason: "rule"
+      };
+    }
+  }
+  const dangerousFilePath = typeof input.file_path === "string" ? input.file_path : typeof input.path === "string" ? input.path : void 0;
+  if (dangerousFilePath && isDangerousPath(dangerousFilePath, ctx.cwd)) {
+    return {
+      behavior: "ask",
+      message: `Path "${dangerousFilePath}" targets a sensitive location.`,
+      reason: "safetyCheck"
+    };
+  }
+  if (toolName === "Bash" && typeof input.command === "string") {
+    const subCommands = splitCompoundCommand(input.command);
+    for (const sub of subCommands) {
+      const tokens = sub.trim().split(/\s+/);
+      for (const token of tokens) {
+        if (token.startsWith("-")) continue;
+        if (isDangerousPath(token, ctx.cwd)) {
+          return {
+            behavior: "ask",
+            message: `Bash command references sensitive path "${token}".`,
+            reason: "safetyCheck"
+          };
+        }
+      }
+    }
+  }
+  let toolResult;
+  if (tool.checkPermissions) {
+    if (opts?.signal?.aborted) {
+      throw new DOMException("Aborted", "AbortError");
+    }
+    try {
+      toolResult = await tool.checkPermissions(input, ctx);
+    } catch (err) {
+      if (err instanceof DOMException && err.name === "AbortError") throw err;
+      if (err instanceof Error && err.name === "AbortError") throw err;
+      console.warn(`[noumen/permissions] checkPermissions error for "${toolName}":`, err);
+    }
+    if (toolResult?.behavior === "deny") {
+      return {
+        behavior: "deny",
+        message: toolResult.message,
+        reason: toolResult.reason ?? "tool"
+      };
+    }
+    if (toolResult?.behavior === "ask") {
+      const isSafetyCheck = toolResult.reason === "safetyCheck";
+      const isInteractive = !!tool.requiresUserInteraction;
+      if (isSafetyCheck || isInteractive) {
+        return {
+          behavior: "ask",
+          message: toolResult.message,
+          reason: toolResult.reason ?? "tool",
+          suggestions: toolResult.suggestions
+        };
+      }
+      if (permCtx.mode !== "bypassPermissions") {
+      }
+    }
+  }
+  const effectiveInput = toolResult?.behavior === "allow" && toolResult.updatedInput ? toolResult.updatedInput : input;
+  if (tool.requiresUserInteraction && permCtx.mode === "bypassPermissions") {
+    return {
+      behavior: "ask",
+      message: `Tool "${toolName}" requires user interaction.`,
+      reason: "interaction"
+    };
+  }
+  if (permCtx.mode === "bypassPermissions") {
+    return {
+      behavior: "allow",
+      updatedInput: effectiveInput,
+      reason: "mode"
+    };
+  }
+  const isReadOnly = resolveToolFlag(tool.isReadOnly, input);
+  const isDestructive = resolveToolFlag(tool.isDestructive, input);
+  if (permCtx.mode === "plan" && !isReadOnly) {
+    return {
+      behavior: "deny",
+      message: `Tool "${toolName}" is not allowed in plan mode (read-only).`,
+      reason: "mode"
+    };
+  }
+  if (permCtx.mode === "acceptEdits") {
+    return resolveAcceptEditsDecision({
+      toolName,
+      input,
+      effectiveInput,
+      isReadOnly,
+      isDestructive,
+      workingDirectories: permCtx.workingDirectories
+    });
+  }
+  if (permCtx.mode === "auto" && opts?.autoModeConfig) {
+    if (!opts.provider) {
+      return {
+        behavior: "ask",
+        message: `Auto-mode requires an AI provider for classification. Falling back to ask.`,
+        reason: "classifier"
+      };
+    }
+    const classifierResult = await classifyPermission(
+      toolName,
+      input,
+      opts.recentMessages ?? [],
+      opts.provider,
+      {
+        classifierPrompt: opts.autoModeConfig.classifierPrompt,
+        classifierModel: opts.autoModeConfig.classifierModel,
+        model: opts.model,
+        signal: opts.signal
+      }
+    );
+    return resolveAutoModeDecision({
+      toolName,
+      effectiveInput,
+      classifierResult,
+      denialTracker: opts.denialTracker,
+      requiresUserInteraction: !!tool.requiresUserInteraction
+    });
+  }
+  if (toolResult?.behavior === "allow") {
+    return {
+      behavior: "allow",
+      updatedInput: effectiveInput,
+      reason: toolResult.reason ?? "tool"
+    };
+  }
+  if (isReadOnly && toolResult?.behavior !== "ask") {
+    return {
+      behavior: "allow",
+      updatedInput: effectiveInput,
+      reason: "readOnly"
+    };
+  }
+  if (permCtx.workingDirectories.length > 0) {
+    const filePath = typeof input.file_path === "string" ? input.file_path : typeof input.path === "string" ? input.path : void 0;
+    if (filePath && !isPathInWorkingDirectories(filePath, permCtx.workingDirectories)) {
+      return {
+        behavior: "ask",
+        message: `Path "${filePath}" is outside configured working directories.`,
+        reason: "workingDirectory"
+      };
+    }
+  }
+  if (contentHint !== void 0) {
+    const contentAllowRules = getMatchingRules(
+      permCtx,
+      toolName,
+      "allow",
+      contentHint,
+      tool.mcpInfo
+    );
+    if (contentAllowRules.length > 0) {
+      return {
+        behavior: "allow",
+        updatedInput: effectiveInput,
+        reason: "rule"
+      };
+    }
+  }
+  const wholeAllowRules = getMatchingRules(
+    permCtx,
+    toolName,
+    "allow",
+    void 0,
+    tool.mcpInfo
+  );
+  if (wholeAllowRules.length > 0) {
+    return {
+      behavior: "allow",
+      updatedInput: effectiveInput,
+      reason: "rule"
+    };
+  }
+  let finalAsk;
+  if (toolResult?.behavior === "ask") {
+    finalAsk = {
+      behavior: "ask",
+      message: toolResult.message,
+      reason: toolResult.reason ?? "tool",
+      suggestions: toolResult.suggestions
+    };
+  }
+  if (!finalAsk) {
+    const message = toolResult?.behavior === "passthrough" ? toolResult.message : `Tool "${toolName}" requires approval.`;
+    const suggestions = toolResult?.behavior === "passthrough" ? toolResult.suggestions : void 0;
+    finalAsk = {
+      behavior: "ask",
+      message,
+      reason: "default",
+      suggestions
+    };
+  }
+  if (permCtx.mode === "dontAsk") {
+    return {
+      behavior: "deny",
+      message: `Tool "${toolName}" requires approval, but mode is "dontAsk".`,
+      reason: "mode"
+    };
+  }
+  return finalAsk;
+}
+function isDangerousPath(filePath, basePath) {
+  const base = basePath ?? process.cwd();
+  const resolved = path5.resolve(base, filePath);
+  const relative2 = path5.relative(base, resolved);
+  const candidate = (relative2.startsWith("..") ? resolved.replace(/^\/+/, "") : relative2).toLowerCase();
+  if (DANGEROUS_PATH_PATTERNS.some((p) => p.test(candidate))) return true;
+  try {
+    const realPath = fs2.realpathSync(resolved);
+    if (realPath !== resolved) {
+      const realRelative = path5.relative(base, realPath);
+      const realCandidate = (realRelative.startsWith("..") ? realPath.replace(/^\/+/, "") : realRelative).toLowerCase();
+      if (DANGEROUS_PATH_PATTERNS.some((p) => p.test(realCandidate))) return true;
+    }
+  } catch {
+  }
+  return false;
+}
+
 export {
   TOOL_SEARCH_NAME,
   isDeferredTool,
   formatDeferredToolLine,
   searchToolsWithKeywords,
   createToolSearchTool,
-  zodToJsonSchema,
-  registerZodToJsonSchema,
-  formatZodValidationError,
   readFileTool,
+  RULE_SOURCE_PRECEDENCE,
+  toolMatchesRule,
+  contentMatchesRule,
+  matchSimpleGlob,
+  getMatchingRules,
+  isPathInWorkingDirectories,
+  classifyPermission,
+  isGitInternalPath,
+  looksLikeBareRepo,
+  commandWritesGitInternals,
+  extractCommandName,
+  classifyCommand,
+  resolvePermission,
   writeFileTool,
   normalizeQuotes,
   findActualString,
@@ -1975,11 +3098,6 @@ export {
   preserveQuoteStyle,
   stripTrailingWhitespace,
   editFileTool,
-  isGitInternalPath,
-  looksLikeBareRepo,
-  commandWritesGitInternals,
-  extractCommandName,
-  classifyCommand,
   detectGitOperations,
   hasGitIndexLockError,
   bashTool,
@@ -1991,4 +3109,4 @@ export {
   resolveToolFlag,
   ToolRegistry
 };
-//# sourceMappingURL=chunk-QTJ7VTJY.js.map
+//# sourceMappingURL=chunk-HL6JCRZJ.js.map