osai-agent 4.0.0

package/src/agent/loop/verification.js

@@ -0,0 +1,263 @@
+import { TOOLS, MODES, CRITICAL_ENV_EXCLUDE, CRITICAL_ENV_FILENAMES, CRITICAL_ENV_FILENAME_PATTERNS, CRITICAL_ENV_PATH_SEGMENTS, READ_FRESHNESS_INTERACTIONS, MAX_PERSISTED_READ_FILES } from '../../utils/constants.js';
+import { simpleHash } from '../../utils/helpers.js';
+import { resolvePath } from '../../tools/local.js';
+import { memory } from '../../memory/store.js';
+import path from 'path';
+import fs from 'fs';
+
+export default {
+  _normalizeTrackedPath(filePath) {
+    try {
+      if (!filePath || typeof filePath !== 'string') return null;
+      let raw = filePath.trim();
+      raw = raw.replace(/^["'`]+|["'`]+$/g, '');
+      const expanded = resolvePath(raw);
+      if (!expanded || typeof expanded !== 'string') return null;
+      const normalizedSlashes = expanded.replace(/[\\/]+/g, path.sep);
+      const absolute = path.isAbsolute(normalizedSlashes)
+        ? normalizedSlashes
+        : path.resolve(process.cwd(), normalizedSlashes);
+      const normalized = path.normalize(absolute);
+      return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
+    } catch {
+      return null;
+    }
+  },
+
+  _isCriticalEnvFile(filePath) {
+    if (!filePath || typeof filePath !== 'string') return false;
+    const normalizedPath = filePath.replace(/[\\/]+/g, '/').toLowerCase();
+    const basename = path.basename(normalizedPath).trim();
+    if (!basename) return false;
+    if (CRITICAL_ENV_EXCLUDE.has(basename)) return false;
+    if (CRITICAL_ENV_FILENAMES.has(basename)) return true;
+    for (const pattern of CRITICAL_ENV_FILENAME_PATTERNS) {
+      if (pattern.test(basename)) return true;
+    }
+    for (const segment of CRITICAL_ENV_PATH_SEGMENTS) {
+      if (normalizedPath.includes(`/${segment}/`) || normalizedPath.startsWith(`${segment}/`) || normalizedPath === segment) return true;
+    }
+    return false;
+  },
+
+  _isCriticalEnvPattern(value) {
+    if (!value || typeof value !== 'string') return false;
+    const normalized = value.replace(/[\\/]+/g, '/').toLowerCase();
+    const parts = normalized.split('/').filter(Boolean);
+    const basename = parts[parts.length - 1] || normalized;
+
+    if (CRITICAL_ENV_EXCLUDE.has(basename)) return false;
+    if (CRITICAL_ENV_FILENAMES.has(basename)) return true;
+    for (const pattern of CRITICAL_ENV_FILENAME_PATTERNS) {
+      if (pattern.test(basename)) return true;
+    }
+    for (const segment of CRITICAL_ENV_PATH_SEGMENTS) {
+      if (parts.includes(segment.toLowerCase())) return true;
+    }
+    return false;
+  },
+
+  _commandReferencesCriticalEnvFile(command) {
+    if (!command || typeof command !== 'string') return false;
+    const readCommandPattern = /\b(cat|type|more|less|head|tail|grep|rg|awk|sed|findstr|get-content|gc)\b/i;
+    if (!readCommandPattern.test(command)) return false;
+
+    const tokens = command
+      .match(/"[^"]+"|'[^']+'|`[^`]+`|[^\s;&|<>]+/g)
+      ?.map((token) => token.replace(/^["'`]+|["'`]+$/g, '')) || [];
+
+    return tokens.some((token) => this._isCriticalEnvPattern(token));
+  },
+
+  _subagentCriticalReadBlock(toolCall) {
+    if (!this.isSubagent) return null;
+    const tool = toolCall.tool || TOOLS.LOCAL_CMD;
+    const pathValue = toolCall.path || toolCall.source || '';
+
+    if ([TOOLS.READ_FILE, TOOLS.LIST_DIR, TOOLS.GET_DEPENDENCIES].includes(tool) && this._isCriticalEnvFile(pathValue)) {
+      return `Subagent blocked: "${pathValue}" is a critical environment/secret file and requires direct user confirmation.`;
+    }
+
+    if ([TOOLS.GREP, TOOLS.SEARCH_FILE].includes(tool)) {
+      const filePattern = toolCall.filePattern || '';
+      const searchesSpecificCriticalPath = pathValue && this._isCriticalEnvFile(pathValue);
+      const searchesCriticalPattern = filePattern && this._isCriticalEnvPattern(filePattern);
+      const recursiveUnscopedSearch = !filePattern && pathValue && !this._isExistingFileTarget({ path: pathValue });
+      if (searchesSpecificCriticalPath || searchesCriticalPattern || recursiveUnscopedSearch) {
+        return 'Subagent blocked: content search could read critical environment/secret files. Use non-sensitive file patterns or ask the parent agent for user confirmation.';
+      }
+    }
+
+    if (tool === TOOLS.LOCAL_CMD && this._commandReferencesCriticalEnvFile(toolCall.cmd || '')) {
+      return 'Subagent blocked: local command appears to read a critical environment/secret file and requires direct user confirmation.';
+    }
+
+    return null;
+  },
+
+  _buildVerificationStateSnapshot() {
+    const trackedFiles = {};
+    let i = 0;
+    for (const [trackedPath, state] of this._readFileState.entries()) {
+      trackedFiles[trackedPath] = {
+        lastReadInteraction: state.lastReadInteraction,
+        lastReadIteration: state.lastReadIteration,
+        lastReadAt: state.lastReadAt,
+        contentHash: state.contentHash,
+        mtimeMs: state.mtimeMs,
+      };
+      i += 1;
+      if (i >= MAX_PERSISTED_READ_FILES) break;
+    }
+    return {
+      freshnessWindow: READ_FRESHNESS_INTERACTIONS,
+      interactionIndex: this._toolInteractionCounter,
+      filesReadOps: this._readFileOps,
+      filesReadUnique: this._readFiles.size,
+      blockedWritesWithoutRead: this._blockedWritesWithoutRead,
+      trackedFiles,
+      updatedAt: new Date().toISOString(),
+    };
+  },
+
+  async _persistVerificationState() {
+    try {
+      await memory.setPreference('verification_state', this._buildVerificationStateSnapshot());
+    } catch {}
+  },
+
+  async _loadVerificationState() {
+    if (this._verificationStateLoaded) return;
+    this._verificationStateLoaded = true;
+    try {
+      const state = await memory.getPreference('verification_state', null);
+      if (!state || typeof state !== 'object') return;
+
+      const trackedFiles = state.trackedFiles && typeof state.trackedFiles === 'object'
+        ? state.trackedFiles
+        : {};
+
+      for (const [trackedPath, fileState] of Object.entries(trackedFiles)) {
+        if (!trackedPath || typeof trackedPath !== 'string') continue;
+        const normalizedPath = this._normalizeTrackedPath(trackedPath) || trackedPath;
+        const lastReadInteraction = Number(fileState?.lastReadInteraction);
+        const safeLastReadInteraction = Number.isFinite(lastReadInteraction)
+          ? Math.max(0, lastReadInteraction)
+          : 0;
+        this._readFiles.add(normalizedPath);
+        this._readFileState.set(normalizedPath, {
+          lastReadInteraction: safeLastReadInteraction,
+          lastReadIteration: Number(fileState?.lastReadIteration) || 0,
+          lastReadAt: fileState?.lastReadAt || null,
+          contentHash: fileState?.contentHash || null,
+          mtimeMs: fileState?.mtimeMs ?? null,
+        });
+      }
+
+      const persistedCounter = Number(state.interactionIndex);
+      if (Number.isFinite(persistedCounter)) {
+        this._toolInteractionCounter = Math.max(this._toolInteractionCounter, Math.max(0, persistedCounter));
+      }
+      const persistedReadOps = Number(state.filesReadOps);
+      if (Number.isFinite(persistedReadOps)) {
+        this._readFileOps = Math.max(this._readFileOps, Math.max(0, persistedReadOps));
+      }
+      const persistedBlocked = Number(state.blockedWritesWithoutRead);
+      if (Number.isFinite(persistedBlocked)) {
+        this._blockedWritesWithoutRead = Math.max(this._blockedWritesWithoutRead, Math.max(0, persistedBlocked));
+      }
+    } catch {}
+  },
+
+  async _trackReadFile(toolCall, result) {
+    const tool = toolCall.tool || TOOLS.LOCAL_CMD;
+    if (tool !== TOOLS.READ_FILE || !result?.success) return;
+    const trackedPath = this._normalizeTrackedPath(toolCall.path);
+    if (trackedPath) {
+      this._readFiles.add(trackedPath);
+      if (!toolCall.startLine && !toolCall.endLine) {
+        this._sessionReadFiles.add(trackedPath);
+      }
+      const rawContent = String(result.output || '');
+      let mtimeMs = null;
+      try { mtimeMs = fs.statSync(trackedPath).mtimeMs; } catch {}
+      this._readFileState.set(trackedPath, {
+        lastReadInteraction: this._toolInteractionCounter,
+        lastReadIteration: this.iteration,
+        lastReadAt: new Date().toISOString(),
+        contentHash: simpleHash(rawContent),
+        mtimeMs,
+      });
+    }
+    this._readFileOps += 1;
+    await this._persistVerificationState();
+  },
+
+  async _trackWriteFile(toolCall, result) {
+    const tool = toolCall.tool || TOOLS.LOCAL_CMD;
+    if (!result?.success) return;
+    const writeTools = [TOOLS.EDIT_FILE, TOOLS.WRITE_FILE, TOOLS.APPEND_FILE];
+    if (!writeTools.includes(tool)) return;
+    const trackedPath = this._normalizeTrackedPath(toolCall.path);
+    if (!trackedPath) return;
+    try {
+      const stat = fs.statSync(trackedPath);
+      this._readFiles.add(trackedPath);
+      const existing = this._readFileState.get(trackedPath) || {};
+      this._readFileState.set(trackedPath, {
+        ...existing,
+        mtimeMs: stat.mtimeMs,
+        lastReadInteraction: this._toolInteractionCounter,
+      });
+    } catch {}
+  },
+
+  _requiresReadBeforeModify(toolCall) {
+    const tool = toolCall.tool || TOOLS.LOCAL_CMD;
+    return tool === TOOLS.EDIT_FILE || tool === TOOLS.APPEND_FILE || tool === TOOLS.WRITE_FILE;
+  },
+
+  _isFirstReadWithRange(toolCall) {
+    const tool = toolCall.tool || TOOLS.LOCAL_CMD;
+    if (this.mode !== MODES.CODING) return false;
+    if (tool !== TOOLS.READ_FILE) return false;
+    const hasRange = toolCall.startLine != null || toolCall.endLine != null;
+    if (!hasRange) return false;
+    const trackedPath = this._normalizeTrackedPath(toolCall.path);
+    if (!trackedPath) return false;
+    return !this._readFiles.has(trackedPath);
+  },
+
+  _isExistingFileTarget(toolCall) {
+    const trackedPath = this._normalizeTrackedPath(toolCall.path);
+    if (!trackedPath) return false;
+    try {
+      const stat = fs.statSync(trackedPath);
+      return stat.isFile();
+    } catch {
+      return false;
+    }
+  },
+
+  _getReadFreshnessForTarget(toolCall) {
+    const trackedPath = this._normalizeTrackedPath(toolCall.path);
+    if (!trackedPath) return { ok: false, reason: 'invalid_target', trackedPath: null, age: null };
+    const state = this._readFileState.get(trackedPath);
+    if (!state) return { ok: false, reason: 'not_read', trackedPath, age: null };
+    if (this._lastCompactInteraction != null && state.lastReadInteraction < this._lastCompactInteraction) {
+      return { ok: false, reason: 'stale_read', trackedPath, age: this._toolInteractionCounter - state.lastReadInteraction };
+    }
+    if (state.mtimeMs != null) {
+      try {
+        const stat = fs.statSync(trackedPath);
+        if (stat.mtimeMs !== state.mtimeMs) {
+          const age = this._toolInteractionCounter - (state.lastReadInteraction || 0);
+          return { ok: false, reason: 'stale_read', trackedPath, age };
+        }
+      } catch {
+        return { ok: false, reason: 'stale_read', trackedPath, age: null };
+      }
+    }
+    return { ok: true, reason: 'fresh', trackedPath, age: 0 };
+  },
+};

package/src/agent/loop/websocket.js

@@ -0,0 +1,80 @@
+import WebSocket from 'ws';
+import { DEFAULTS } from '../../utils/constants.js';
+import { logger } from '../../utils/logger.js';
+import { sleep } from '../../utils/helpers.js';
+
+export default {
+  async _connectWebSocket() {
+    if (this.ws) {
+      try {
+        this.ws.removeAllListeners();
+        if (this.ws.readyState === WebSocket.OPEN || this.ws.readyState === WebSocket.CONNECTING) {
+          this.ws.close();
+        }
+      } catch {}
+      this.ws = null;
+    }
+
+    const wsUrl = this.server.replace('http://', 'ws://').replace('https://', 'wss://');
+    let lastError = null;
+    const maxAttempts = DEFAULTS.WS_RECONNECT_MAX_ATTEMPTS;
+
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+      if (this._cancelled) throw new Error('Agent cancelled during WebSocket connection');
+
+      try {
+        const result = await new Promise((resolve, reject) => {
+          try {
+            const ws = new WebSocket(`${wsUrl}/ws`, { handshakeTimeout: 10000 });
+            const connectTimeout = setTimeout(() => { ws.terminate(); reject(new Error(`WebSocket connection timeout (${10}s)`)); }, 10000);
+
+            ws.on('open', () => {
+              this.onConnectionChange(true);
+              ws.send(JSON.stringify({ type: 'REGISTER', token: this.token }));
+              logger.debug('WebSocket connected to server');
+            });
+             ws.on('message', async (data) => {
+               try {
+                 const msg = JSON.parse(data.toString());
+                 if (msg.type === 'REGISTERED') { clearTimeout(connectTimeout); this.ws = ws; resolve(msg); }
+                 else if (msg.type === 'COMMANDS') { this.pendingCommands = msg.commands; this.currentTaskId = msg.taskId; }
+                 else if (msg.type === 'CANCEL_ACK') { logger.info('Cancellation acknowledged by server'); }
+                 else if (msg.type === 'ERROR') { logger.warn('WebSocket error message', { message: msg.message }); }
+                 else if (msg.type === 'CANCEL_SUBAGENT') {
+                   if (this._subagentActive && this._subagentLoop) {
+                     this._subagentLoop.cancel();
+                     // Optional: send acknowledgment back to server
+                     // this.ws.send(JSON.stringify({ type: 'CANCEL_SUBAGENT_ACK' }));
+                   }
+                 }
+               } catch (parseErr) { logger.debug('Invalid WebSocket message', { error: parseErr.message }); }
+             });
+            ws.on('error', (err) => {
+              clearTimeout(connectTimeout);
+              this.onConnectionChange(false);
+              logger.error('WebSocket error', { error: err.message });
+              reject(err);
+            });
+            ws.on('close', (code) => {
+              clearTimeout(connectTimeout);
+              this.onConnectionChange(false);
+              logger.debug('WebSocket closed', { code });
+              this.ws = null;
+            });
+            ws.on('ping', () => { try { ws.pong(); } catch {} });
+          } catch (err) { reject(err); }
+        });
+        return result;
+      } catch (err) {
+        lastError = err;
+        if (attempt < maxAttempts - 1) {
+          const delay = DEFAULTS.WS_RECONNECT_BASE_DELAY * Math.pow(2, attempt);
+          logger.warn(`WebSocket connection failed, retrying in ${delay}ms`, { attempt: attempt + 1, error: err.message });
+          await sleep(delay);
+        }
+      }
+    }
+    this.onConnectionChange(false);
+    throw new Error(`WebSocket connection failed after ${maxAttempts} attempts: ${lastError?.message}`);
+  },
+};

package/src/agent/prompt.js

@@ -0,0 +1,259 @@
+// =============================================================================
+// OS AI Agent — Agent Prompt Builder (v4.0 — Coding Mode + Anti-Hallucination)
+// =============================================================================
+
+import fs from 'fs/promises';
+import path from 'path';
+import os from 'os';
+import { detectOS, getSystemInfo } from '../tools/local.js';
+import { APP_NAME, TOOLS, MODES, EXECUTION_MODES } from '../utils/constants.js';
+import { logger } from '../utils/logger.js';
+
+const loadCustomInstructions = async () => {
+  const paths = [
+    path.join(os.homedir(), '.osai-agent', 'instructions.md'),
+    path.join(os.homedir(), '.osai-agent', 'instructions.m'),
+    path.join(os.homedir(), '.osai-agent', 'instructions.txt'),
+    path.join(process.cwd(), '.osai-agent-instructions.md'),
+    path.join(process.cwd(), '.osai-agent-instructions.txt'),
+  ];
+  for (const p of paths) {
+    try {
+      const content = await fs.readFile(p, 'utf-8');
+      if (content.trim()) { logger.debug('Loaded custom instructions', { path: p }); return content.trim(); }
+    } catch {}
+  }
+  return '';
+};
+
+export const buildSystemPrompt = async (osName = 'windows', mode = 'GENERAL', executionMode = 'EXEC') => {
+  const osLabel = osName.charAt(0).toUpperCase() + osName.slice(1);
+  const systemInfo = getSystemInfo();
+  const customInstructions = await loadCustomInstructions();
+  const isCoding = mode === MODES.CODING;
+  const isPlan = executionMode === EXECUTION_MODES.PLAN;
+
+  const modeSection = isCoding ? `
+## MODE: CODING
+
+You are in CODING MODE. This means:
+- You are a senior software engineer with full coding capabilities.
+- File modifications (WRITE_FILE, EDIT_FILE, APPEND_FILE, DELETE_FILE, MOVE_FILE, COPY_FILE, RUN_SCRIPT) are auto-approved.
+- Use TODO_ADD to plan your tasks before starting. Update todos as you progress with TODO_UPDATE.
+- Use TODO_COMPLETE when a task is done. Always check TODO_LIST before asking what to do next.
+- Prefer EDIT_FILE for small changes and WRITE_FILE for creating new files.
+- Use SEARCH_FILE to find code patterns, variable names, or functions across files.
+- Use TREE_VIEW to understand project structure before making changes.
+- Use RUN_SCRIPT to execute test suites, linters, or build commands.
+- Use FETCH_URL to read documentation, API specs, or reference material from the web.
+- Use WEB_SEARCH to search for solutions, error messages, or documentation online.
+- Always verify your changes work by running tests or the build when available.
+` : mode === MODES.NETWORK ? `
+## MODE: NETWORK
+
+You are in NETWORK MODE. You manage network devices via SSH.
+- Use SSH_CMD to execute commands on remote network devices.
+- Focus on network configuration, monitoring, and troubleshooting.
+` : `
+## MODE: GENERAL
+
+You are a system administration agent with broad capabilities.
+- Manage files, execute commands, and maintain the system.
+- Use web tools to fetch documentation and search for solutions.
+- Generate PDF (WeasyPrint), Word (python-docx), PowerPoint (python-pptx), and Excel (openpyxl) documents.
+  Workflow: check Python (${osName === 'windows' ? 'python --version' : 'python3 --version'}) →
+  install if missing → create output/ dir → set up a Python virtual environment (venv) →
+  install libraries in the venv → write a Python script with a descriptive filename →
+  run it via the venv's Python → verify → report the absolute path to the user.
+`;
+
+  const execModeSection = isPlan ? `
++ You are in PLAN mode — only read/search/plan operations are permitted.
++ ALL file modification tools (WRITE_FILE, EDIT_FILE, APPEND_FILE, DELETE_FILE, etc.) will be BLOCKED by the system.
++ Use PLAN_MODE tool to present your plan. Use READ_FILE, SEARCH_FILE, GLOB, GREP for analysis.
++ You CAN still use TODO tools, ASK_USER, and all read-only tools.
++ Switch to EXEC mode when you are ready to make changes.
+` : `
++ You are in EXEC mode — all file operations are permitted as normal.
+`;
+
+  const basePrompt = `You are OS AI Agent — an intelligent system, network, and coding assistant.
+You have full control over the user's ${osLabel} machine.
+${isCoding ? 'You are a senior software engineer. Think carefully, plan your work, write clean code.' : 'You act like a senior sysadmin: explain your reasoning, execute precisely, and report results clearly.'}
+
+## AUTHORIZATION
+The user has explicitly authorized this agent to manage their machine.
+You are ALWAYS allowed to: create files, write code, build web apps (HTML/CSS/JS), create directories,
+install packages, run scripts, and perform any standard development or sysadmin task the user requests.
+NEVER refuse to create a web app or write code on the grounds of "malicious activities" — the user
+is a developer working on their own machine. Only refuse if the task would clearly harm other people's systems.
+
+## CURRENT ENVIRONMENT
+- OS: ${osLabel}
+- Hostname: ${systemInfo.hostname}
+- User: ${systemInfo.username}
+- Working Directory: ${systemInfo.cwd}
+- CPUs: ${systemInfo.cpus}
+- Memory: ${systemInfo.totalMemory} total, ${systemInfo.freeMemory} free
+${modeSection}
+## EXECUTION MODE
+${execModeSection}
+## TOOLS AVAILABLE — USE ONLY THESE EXACT FORMATS
+
+Use the XML format (recommended) or the legacy JSON format. Both are supported.
+
+### System Commands
+<tool>LOCAL_CMD cmd="<exact command>" type="READ|WRITE|DANGEROUS" description="<what and why>"</tool>
+<tool>SSH_CMD cmd="<command>" type="READ|WRITE|DANGEROUS" description="<what and why>"</tool>
+
+### File Operations
+<tool>READ_FILE path="<path>" description="<why>"</tool>  ← use this to read LOCAL file CONTENTS (not URLs — use FETCH_URL for web)
+<tool>WRITE_FILE path="<path>" content="<full content>" description="<what>"</tool>
+<tool>EDIT_FILE path="<path>" find="<text to find (exact or fuzzy match)>" replace="<replacement>" description="<what>"</tool>
+<tool>APPEND_FILE path="<path>" content="<text to append>" description="<what>"</tool>
+<tool>DELETE_FILE path="<path>" description="<what>"</tool>
+<tool>MOVE_FILE source="<source>" destination="<dest>" description="<what>"</tool>
+<tool>COPY_FILE source="<source>" destination="<dest>" description="<what>"</tool>
+<tool>CREATE_DIR path="<path>" description="<what>"</tool>
+<tool>LIST_DIR path="<path>" description="<why>"</tool>  ← use this to list directory entries (NOT for file content)
+<tool>TREE_VIEW path="<path>" maxDepth="<number>" description="<why>"</tool>
+<tool>SEARCH_FILE path="<directory>" pattern="<regex>" filePattern="<*.ext>" description="<what searching for>"</tool>  ← LOCAL files only (use FETCH_URL/WEB_SEARCH for web content)
+<tool>FILE_INFO path="<path>" description="<why>"</tool>
+
+### Script Execution
+<tool>RUN_SCRIPT path="<script path>" args="<arguments>" interpreter="<optional>" description="<what>"</tool>
+
+### Web Tools
+<tool>FETCH_URL url="<https://...>" description="<what you want from this URL>"</tool>
+<tool>WEB_SEARCH query="<search query>" description="<why you need this info>"</tool>
+
+### Browser Tools (Playwright headless Chromium — reads JS-rendered pages)
+<tool>BROWSE url="<https://...>" description="<what you want to read on this page>"</tool>
+<tool>BROWSE_SEARCH query="<search query>" description="<what you are searching for>"</tool>
+<tool>BROWSE_EXTRACT url="<https://...>" selectors={"key":"CSS selector"} description="<what data you need>"</tool>
+
+### Todo Management
+<tool>TODO_ADD text="<task description>" priority="<HIGH|MEDIUM|LOW>"</tool>
+<tool>TODO_COMPLETE id="<todo number>"</tool>
+<tool>TODO_UPDATE id="<todo number>" text="<new text>" priority="<HIGH|MEDIUM|LOW>"</tool>
+<tool>TODO_LIST</tool>
+<tool>TODO_CLEAR</tool>
+
+### MCP (Model Context Protocol)
+<tool>MCP_TOOL server="<server>" mcpTool="<tool>" params={...}</tool>
+Use this to call tools from external MCP servers configured via "osai-agent mcp add".
+
+## CRITICAL RULES
+
+1. ONLY use tools listed above. NEVER invent a tool name that does not exist.
+2. NEVER output tool calls for tools like "BROWSE_WEB", "INSTALL_PACKAGE", "GIT_CLONE", "COMPILE", etc. Use the correct tools instead.
+3. ALWAYS output tool calls on their own line. Use the XML format: <tool>NAME key="value"</tool> (recommended). The legacy JSON format {"tool":"NAME","key":"value"} is also supported. NEVER wrap tool calls in backticks, code fences, or markdown.
+4. ONE tool call per turn. Wait for [TOOL_RESULT] before proceeding.
+5. Exception to rule 4: you MAY output MULTIPLE READ_FILE tool calls in a single turn when you need to read several files at once (e.g. when asked to "read all files" or "check all files"). Each READ_FILE must be on its own line. After ALL results come back, analyze everything together. Do NOT mix READ_FILE with other tools in the same turn.
+6. NEVER simulate or fabricate command output. Only interpret real [TOOL_RESULT] data.
+7. For installing packages: use LOCAL_CMD with "npm install", "pip install", "apt install", etc.
+8. For cloning repos: use LOCAL_CMD with "git clone <url>".
+9. For web browsing: use FETCH_URL with a specific URL, or WEB_SEARCH for search queries.
+10. GREP, READ_FILE, SEARCH_FILE, GLOB work on LOCAL FILES ONLY — they cannot read web URLs or parse HTML. Use FETCH_URL or WEB_SEARCH for web content.
+11. NEVER use a tool to answer questions about yourself or your capabilities.
+12. If you are unsure which tool to use, use LOCAL_CMD to run a shell command.
+13. Respond in the same language as the user.
+13b. Use first-person ("I"/"me") for yourself. Refer to the human as "you" (second person), never as "the user".
+14. Never ask what OS the user has — it is: ${osLabel}.
+15. If a command fails, analyze the error and propose a corrected approach.
+16. Prefer file tools over LOCAL_CMD for file operations.
+17. Keep explanations concise but informative.
+18. BEFORE the first modification of an existing file in the current context, call READ_FILE on that same path.
+19. BEFORE modifying a file, ensure all its local dependencies (imports, linked CSS/JS) have been read. Use GET_DEPENDENCIES to discover what a file's local imports export WITHOUT reading their full contents. If you need the actual implementation, use READ_FILE on the specific dependency.
+20. Do NOT re-read the same file before every edit. Reuse the last READ_FILE for that path while it is fresh (<= 20 interactions). Re-read only if older than 20 interactions or if context is uncertain.
+21. In CODING mode, always treat the current working directory as the default project root and include it in your planning.
+22. In CODING mode, before operating outside the current working directory (or changing directory), you must request user approval first.
+${isCoding ? `23. Always create a todo plan with TODO_ADD before starting multi-step tasks.
+24. Always verify your changes by running tests or builds when available.
+25. If a tool fails with ENOENT, "not recognized", or "spawn error", the binary is missing — output [BLOCKED] immediately, do NOT retry.
+26. READ_FILE without startLine/endLine reads the ENTIRE file at once. NEVER paginate a file by reading it in chunks (startLine 1-20, then 21-40, etc.) — this is forbidden and wastes iterations. Read once, reason on the full content.
+27. NEVER call READ_FILE on the same path more than once unless you have explicitly modified that file since the last read. The content does not change between reads. If you already have the content in context, USE IT — do not re-read.
+28. After reading a file and finding no issues requiring line-by-line inspection, make your edits directly with EDIT_FILE or WRITE_FILE. Do not loop back to read again.
+29. If you search (GREP/SEARCH_FILE/GLOB) 3+ times without making any edits, you are in a loop. Stop, change strategy, and output [BLOCKED] explaining why your approach failed.
+30. Before searching, ask yourself: what exact file or pattern am I looking for? Do NOT search for vague patterns hoping to find something useful — this wastes iterations.
+31. If you find yourself cycling through READ → EDIT → DIAG without making real progress, you are in a loop. Stop, re-assess the problem, and output [BLOCKED] describing why your approach failed.
+32. When you change the working directory (cd command), a visual animation will appear to indicate the directory change. In CODING mode, a y/n confirmation prompt will also appear before the change takes effect.
+33. GET_DEPENDENCIES resolves a file's local imports and returns a compact summary of each dependency's exported symbols, file size, and sub-imports — WITHOUT reading the full file. Use it after READ_FILE to decide whether you need to read a dependency in full. It is much faster than calling READ_FILE on every imported file.
+34. Use thinking/reflection for planning and reasoning only. Do NOT emit tool calls while still in a reasoning/thinking phase. Complete your analysis first, then emit the tool call. Never intermix tool calls with ongoing reasoning.` : `23. If a tool fails repeatedly with the same error, output [BLOCKED] immediately — do not retry in a loop.
+24. READ_FILE without startLine/endLine reads the ENTIRE file. Never paginate by reading chunks of lines. Read once, use the result.
+25. Never re-read a file you already have in context unless you modified it.
+26. Use thinking/reflection for planning and reasoning only. Do NOT emit tool calls while still in a reasoning/thinking phase. Complete your analysis first, then emit the tool call. Never intermix tool calls with ongoing reasoning.`}
+
+## THINKING vs TOOL EXECUTION
+
+Thinking and reflection are for planning and analysis only. Do NOT emit tool calls while still in a reasoning/thinking phase. Follow this pattern:
+
+1. Think/reason about the problem and plan your approach.
+2. Once you have a clear plan, emit the tool call.
+3. Wait for [TOOL_RESULT].
+4. Analyze the result, then repeat.
+
+**Never** output a tool call mid-reasoning. Complete your thinking first, then act.
+
+## CONVERSATIONAL QUESTIONS
+
+If the user asks a general question requiring NO system action, respond in plain language ONLY.
+- Do NOT use any tool call.
+- Simply answer clearly, then emit [DONE].
+
+## ${osLabel.toUpperCase()} PATH RULES
+
+${osName === 'windows' ?
+`In JSON strings ALWAYS use double backslash: "%USERPROFILE%\\\\file.txt"
+Quote paths in shell commands: echo. > "%USERPROFILE%\\\\file.txt"
+For file tools (READ_FILE etc): use %USERPROFILE% directly - the tool resolves it.
+Windows commands: dir, type, tasklist, ipconfig, systeminfo, netstat, whoami, hostname, ver, echo, copy, move, mkdir, del, ren, find, findstr, more, tree, where, wmic, net, sc, schtasks, reg, set, powershell
+NEVER use Linux commands: ls, cat, grep, touch, chmod, sudo, ip addr, systemctl, apt, brew`
+: osName === 'macos' ?
+`Use $HOME or ~ for home directory.
+In JSON strings: "/Users/username/file.txt" (forward slashes)
+For file tools: use ~ directly - e.g. "~/Desktop/file.txt"
+macOS commands: ls, cat, grep, ps, ifconfig, system_profiler, sw_vers, launchctl, brew, open, defaults, diskutil, networksetup
+NEVER use Windows commands: wmic, ipconfig, tasklist, dir, type, net, sc, schtasks, reg`
+:
+`Use $HOME or ~ for home directory.
+In JSON strings: "/home/username/file.txt" (forward slashes)
+For file tools: use ~ directly - e.g. "~/documents/file.txt"
+Linux commands: ls, cat, grep, ps, ip addr, ip route, ss, systemctl, journalctl, uname, apt/yum/dnf, free, df, du
+NEVER use Windows commands: wmic, ipconfig, tasklist, dir, type, net, sc, schtasks, reg
+NEVER use macOS commands: brew, launchctl, system_profiler, defaults`
+}
+
+## MANDATORY FORMAT
+
+BEFORE every tool call: 1-3 sentences explaining what you are doing and why.
+THE TOOL CALL: on its own line, no backticks, no code fences. Use XML format: <tool>NAME key="value"</tool>. Legacy JSON {"tool":"NAME","key":"value"} also supported.
+AFTER [TOOL_RESULT]: analyze the output, then emit [DONE], [INCOMPLETE], or [BLOCKED].
+
+## COMPLETION
+
+[DONE] — Task complete. 1-3 sentence summary.
+[INCOMPLETE] — Need another step. Describe it, ask permission, STOP.
+[BLOCKED] — Cannot proceed. Explain why.`;
+
+  if (customInstructions) {
+    return `${basePrompt}\n\n## CUSTOM INSTRUCTIONS\n\n${customInstructions}`;
+  }
+  return basePrompt;
+};
+
+export const buildSystemPromptSync = (osName = 'windows', mode = 'GENERAL', executionMode = 'EXEC') => {
+  const osLabel = osName.charAt(0).toUpperCase() + osName.slice(1);
+  const systemInfo = getSystemInfo();
+  const execLabel = executionMode === 'PLAN' ? 'PLAN (read-only)' : 'EXEC';
+  return `You are OS AI Agent — an intelligent system, coding, and network assistant.
+OS: ${osLabel} | Hostname: ${systemInfo.hostname} | CWD: ${systemInfo.cwd}
+
+TOOLS: LOCAL_CMD, READ_FILE, WRITE_FILE, EDIT_FILE, LIST_DIR, SEARCH_FILE, APPEND_FILE, DELETE_FILE, CREATE_DIR, TREE_VIEW, RUN_SCRIPT, MOVE_FILE, COPY_FILE, FILE_INFO, FETCH_URL, WEB_SEARCH, TODO_ADD, TODO_COMPLETE, TODO_UPDATE, TODO_LIST, TODO_CLEAR
+MODE: ${mode}/${execLabel}
+
+FORMAT: Explain -> XML tool call -> Analyze [TOOL_RESULT] -> [DONE]/[INCOMPLETE]/[BLOCKED]
+RULES: One tool per turn (exception: multiple READ_FILE allowed in parallel). Same language as user. Never simulate output. Never invent tools. Fix errors. Read each file + its dependencies once before modification. Keep work in current cwd unless user approves directory change/out-of-cwd actions. Anti-loop: READ→EDIT→DIAG cycles are automatically detected and blocked.`;
+};
+
+export const SYSTEM_PROMPT = buildSystemPromptSync('windows');