palmier 0.5.1 → 0.5.3

package/dist/commands/run.js

@@ -33,10 +33,13 @@ async function invokeAgentWithRetries(ctx, invokeTask) {
                 publishHostEvent(ctx.nc, ctx.config.hostId, ctx.taskId, { event_type: "result-updated", run_id: ctx.runId });
             }, 500);
         }
-        const { command, args, stdin } = ctx.agent.getTaskRunCommandLine(invokeTask, undefined, ctx.transientPermissions);
+        const { command, args, stdin } = ctx.agent.getTaskRunCommandLine(invokeTask, undefined, ctx.task.frontmatter.yolo_mode ? "yolo" : ctx.transientPermissions);
+        const truncate = (s, max = 100) => s.length > max ? s.slice(0, max) + "…" : s;
+        const displayArgs = args.map((a) => truncate(a));
+        console.log(`[invoke] ${command} ${displayArgs.join(" ")}${stdin ? ` (stdin: ${truncate(stdin, 100)})` : ""}`);
         const result = await spawnCommand(command, args, {
             cwd: getRunDir(ctx.taskDir, ctx.runId),
-            env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 7400) },
+            env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 9966) },
             echoStdout: true,
             resolveOnFailure: true,
             stdin,
@@ -245,7 +248,7 @@ async function runCommandTriggeredMode(ctx) {
     await publishHostEvent(ctx.nc, ctx.config.hostId, ctx.taskId, { event_type: "result-updated", run_id: ctx.runId });
     const child = spawnStreamingCommand(commandStr, {
         cwd: getRunDir(ctx.taskDir, ctx.runId),
-        env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 7400) },
+        env: { ...ctx.guiEnv, PALMIER_TASK_ID: ctx.task.frontmatter.id, PALMIER_RUN_DIR: getRunDir(ctx.taskDir, ctx.runId), PALMIER_HTTP_PORT: String(ctx.config.httpPort ?? 9966) },
     });
     let linesProcessed = 0;
     let invocationsSucceeded = 0;
@@ -362,7 +365,7 @@ async function publishTaskEvent(nc, config, taskDir, taskId, eventType, taskName
     await publishHostEvent(nc, config.hostId, taskId, payload);
 }
 async function requestPermission(config, task, taskDir, requiredPermissions) {
-    const port = config.httpPort ?? 7400;
+    const port = config.httpPort ?? 9966;
     const res = await fetch(`http://localhost:${port}/request-permission`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
@@ -384,7 +387,7 @@ async function requestPermission(config, task, taskDir, requiredPermissions) {
     return response;
 }
 async function requestConfirmation(config, task, taskDir) {
-    const port = config.httpPort ?? 7400;
+    const port = config.httpPort ?? 9966;
     const res = await fetch(`http://localhost:${port}/request-confirmation`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
@@ -411,7 +414,8 @@ export function parseReportFiles(output) {
     let match;
     while ((match = regex.exec(output)) !== null) {
         const name = match[1].trim();
-        if (name)
+        // Skip placeholder examples echoed from the prompt (e.g. "<filename>")
+        if (name && !name.startsWith("<"))
             files.push(name);
     }
     return files;
@@ -426,6 +430,9 @@ export function parsePermissions(output) {
     let match;
     while ((match = regex.exec(output)) !== null) {
         const raw = match[1].trim();
+        // Skip placeholder examples echoed from the prompt (e.g. "<tool_name> | <description>")
+        if (raw.startsWith("<"))
+            continue;
         const sep = raw.indexOf("|");
         if (sep !== -1) {
             perms.push({ name: raw.slice(0, sep).trim(), description: raw.slice(sep + 1).trim() });
@@ -442,9 +449,15 @@ export function parsePermissions(output) {
  */
 export function parseTaskOutcome(output) {
     const lastChunk = output.slice(-500);
-    if (lastChunk.includes(TASK_FAILURE_MARKER))
+    const regex = new RegExp(`^\\${TASK_FAILURE_MARKER}$|^\\${TASK_SUCCESS_MARKER}$`, "gm");
+    let last = null;
+    let match;
+    while ((match = regex.exec(lastChunk)) !== null) {
+        last = match[0];
+    }
+    if (last === TASK_FAILURE_MARKER)
         return "failed";
-    if (lastChunk.includes(TASK_SUCCESS_MARKER))
+    if (last === TASK_SUCCESS_MARKER)
         return "finished";
     return "finished";
 }

package/dist/commands/serve.js

@@ -99,7 +99,7 @@ export async function serveCommand() {
         });
     }, POLL_INTERVAL_MS);
     const handleRpc = createRpcHandler(config, nc);
-    const httpPort = config.httpPort ?? 7400;
+    const httpPort = config.httpPort ?? 9966;
     // Start NATS transport (loops forever, fire-and-forget)
     if (nc) {
         startNatsTransport(config, handleRpc, nc);

package/dist/events.js

@@ -14,7 +14,7 @@ export async function publishHostEvent(nc, hostId, taskId, payload) {
         console.log(`[nats] ${subject} →`, payload);
     }
     const config = loadConfig();
-    const port = config.httpPort ?? 7400;
+    const port = config.httpPort ?? 9966;
     try {
         await fetch(`http://localhost:${port}/event`, {
             method: "POST",

package/dist/index.js

@@ -10,7 +10,7 @@ import { runCommand } from "./commands/run.js";
 import { serveCommand } from "./commands/serve.js";
 import { pairCommand } from "./commands/pair.js";
 import { restartCommand } from "./commands/restart.js";
-import { sessionsListCommand, sessionsRevokeCommand, sessionsRevokeAllCommand } from "./commands/sessions.js";
+import { clientsListCommand, clientsRevokeCommand, clientsRevokeAllCommand } from "./commands/clients.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(readFileSync(join(__dirname, "../package.json"), "utf-8"));
 const program = new Command();
@@ -54,26 +54,26 @@ program
     .action(async () => {
     await pairCommand();
 });
-const sessionsCmd = program
-    .command("sessions")
-    .description("Manage paired client sessions");
-sessionsCmd
+const clientsCmd = program
+    .command("clients")
+    .description("Manage paired clients");
+clientsCmd
     .command("list")
-    .description("List active sessions")
+    .description("List active clients")
     .action(async () => {
-    await sessionsListCommand();
+    await clientsListCommand();
 });
-sessionsCmd
+clientsCmd
     .command("revoke <token>")
-    .description("Revoke a session by token")
+    .description("Revoke a client by token")
     .action(async (token) => {
-    await sessionsRevokeCommand(token);
+    await clientsRevokeCommand(token);
 });
-sessionsCmd
+clientsCmd
     .command("revoke-all")
-    .description("Revoke all sessions")
+    .description("Revoke all clients")
     .action(async () => {
-    await sessionsRevokeAllCommand();
+    await clientsRevokeAllCommand();
 });
 // No subcommand → default to serve
 if (process.argv.length <= 2) {

package/dist/rpc-handler.js

@@ -10,7 +10,7 @@ import { getPlatform } from "./platform/index.js";
 import { spawnCommand } from "./spawn-command.js";
 import crossSpawn from "cross-spawn";
 import { getAgent } from "./agents/agent.js";
-import { validateSession } from "./session-store.js";
+import { validateClient } from "./client-store.js";
 import { publishHostEvent } from "./events.js";
 import { currentVersion, performUpdate } from "./update-checker.js";
 import { parseReportFiles, parseTaskOutcome, stripPalmierMarkers } from "./commands/run.js";
@@ -140,8 +140,8 @@ export function createRpcHandler(config, nc) {
         };
     }
     async function handleRpc(request) {
-        // Session token validation: skip for trusted localhost requests
-        if (!request.localhost && (!request.sessionToken || !validateSession(request.sessionToken))) {
+        // Client token validation: skip for trusted localhost requests
+        if (!request.localhost && (!request.clientToken || !validateClient(request.clientToken))) {
             return { error: "Unauthorized" };
         }
         switch (request.method) {
@@ -183,6 +183,7 @@ export function createRpcHandler(config, nc) {
                         triggers: params.triggers ?? [],
                         triggers_enabled: params.triggers_enabled ?? true,
                         requires_confirmation: params.requires_confirmation ?? true,
+                        ...(params.yolo_mode ? { yolo_mode: true } : {}),
                         ...(params.command ? { command: params.command } : {}),
                     },
                     body,
@@ -211,6 +212,11 @@ export function createRpcHandler(config, nc) {
                     existing.frontmatter.triggers_enabled = params.triggers_enabled;
                 if (params.requires_confirmation !== undefined)
                     existing.frontmatter.requires_confirmation = params.requires_confirmation;
+                if (params.yolo_mode !== undefined) {
+                    existing.frontmatter.yolo_mode = params.yolo_mode || undefined;
+                    if (params.yolo_mode)
+                        delete existing.frontmatter.permissions;
+                }
                 if (params.command !== undefined) {
                     if (params.command) {
                         existing.frontmatter.command = params.command;
@@ -261,6 +267,7 @@ export function createRpcHandler(config, nc) {
                         triggers: [],
                         triggers_enabled: false,
                         requires_confirmation: params.requires_confirmation ?? false,
+                        ...(params.yolo_mode ? { yolo_mode: true } : {}),
                         ...(params.command ? { command: params.command } : {}),
                     },
                     body: "",
@@ -324,7 +331,7 @@ export function createRpcHandler(config, nc) {
                 await publishHostEvent(nc, config.hostId, params.id, { event_type: "result-updated", run_id: params.run_id });
                 // Fire-and-forget: invoke agent inline as a child of the serve process
                 const followupAgent = getAgent(followupTask.frontmatter.agent);
-                const { command: cmd, args: cmdArgs, stdin } = followupAgent.getTaskRunCommandLine(followupTask, params.message, followupTask.frontmatter.permissions);
+                const { command: cmd, args: cmdArgs, stdin } = followupAgent.getTaskRunCommandLine(followupTask, params.message, followupTask.frontmatter.yolo_mode ? "yolo" : followupTask.frontmatter.permissions);
                 // Spawn directly via crossSpawn so we can track and kill the child
                 const child = crossSpawn(cmd, cmdArgs, {
                     cwd: followupRunDir,
@@ -488,8 +495,8 @@ export function createRpcHandler(config, nc) {
                 const reports = [];
                 const runDir = path.join(config.projectRoot, "tasks", params.id, params.run_id);
                 for (const file of params.report_files) {
-                    if (!file.endsWith(".md")) {
-                        reports.push({ file, error: "must end with .md" });
+                    if (!file.endsWith(".md") && !file.endsWith(".txt")) {
+                        reports.push({ file, error: "must end with .md or .txt" });
                         continue;
                     }
                     const basename = path.basename(file);

package/dist/task.d.ts

@@ -58,13 +58,23 @@ export declare function appendRunMessage(taskDir: string, runId: string, msg: Co
 export declare function beginStreamingMessage(taskDir: string, runId: string, time: number): StreamingMessageWriter;
 export declare class StreamingMessageWriter {
     private filePath;
-    private delimiter;
-    constructor(filePath: string, delimiter: string);
+    constructor(filePath: string);
     /** Append a chunk of content to the current message. */
     write(chunk: string): void;
-    /** Finalize the message. If attachments are provided, rewrites the delimiter to include them. */
+    /** Finalize the message. If attachments are provided, rewrites the last assistant delimiter to include them. */
     end(attachments?: string[]): void;
 }
+/**
+ * Splice a user message into a running assistant stream.
+ * Ends the current assistant block, writes the user message,
+ * then opens a new assistant block — all as direct file appends.
+ * The existing StreamingMessageWriter keeps working because its
+ * write() is just appendFileSync, so subsequent chunks land in
+ * the new assistant block.
+ */
+export declare function spliceUserMessage(taskDir: string, runId: string, userMsg: ConversationMessage, 
+/** Optional text to append to the current assistant block before ending it. */
+assistantAppend?: string): void;
 /**
  * Read conversation messages from a run's TASKRUN.md file.
  */

package/dist/task.js

@@ -169,29 +169,61 @@ export function beginStreamingMessage(taskDir, runId, time) {
     const filePath = path.join(taskDir, runId, "TASKRUN.md");
     const delimiter = `<!-- palmier:message role="assistant" time="${time}" -->`;
     fs.appendFileSync(filePath, `${delimiter}\n\n`, "utf-8");
-    return new StreamingMessageWriter(filePath, delimiter);
+    return new StreamingMessageWriter(filePath);
 }
 export class StreamingMessageWriter {
     filePath;
-    delimiter;
-    constructor(filePath, delimiter) {
+    constructor(filePath) {
         this.filePath = filePath;
-        this.delimiter = delimiter;
     }
     /** Append a chunk of content to the current message. */
     write(chunk) {
         fs.appendFileSync(this.filePath, chunk, "utf-8");
     }
-    /** Finalize the message. If attachments are provided, rewrites the delimiter to include them. */
+    /** Finalize the message. If attachments are provided, rewrites the last assistant delimiter to include them. */
     end(attachments) {
         fs.appendFileSync(this.filePath, "\n\n", "utf-8");
         if (attachments?.length) {
             const raw = fs.readFileSync(this.filePath, "utf-8");
-            const updated = raw.replace(this.delimiter, `${this.delimiter.slice(0, -4)} attachments="${attachments.join(",")}" -->`);
-            fs.writeFileSync(this.filePath, updated, "utf-8");
+            // Find the last assistant delimiter (may differ from the original if spliceUserMessage created a new one)
+            const pattern = /<!-- palmier:message role="assistant" time="\d+" -->/g;
+            let lastMatch = null;
+            let m;
+            while ((m = pattern.exec(raw)) !== null)
+                lastMatch = m;
+            if (lastMatch) {
+                const before = raw.slice(0, lastMatch.index);
+                const after = raw.slice(lastMatch.index + lastMatch[0].length);
+                const updated = before + `${lastMatch[0].slice(0, -4)} attachments="${attachments.join(",")}" -->` + after;
+                fs.writeFileSync(this.filePath, updated, "utf-8");
+            }
         }
     }
 }
+/**
+ * Splice a user message into a running assistant stream.
+ * Ends the current assistant block, writes the user message,
+ * then opens a new assistant block — all as direct file appends.
+ * The existing StreamingMessageWriter keeps working because its
+ * write() is just appendFileSync, so subsequent chunks land in
+ * the new assistant block.
+ */
+export function spliceUserMessage(taskDir, runId, userMsg, 
+/** Optional text to append to the current assistant block before ending it. */
+assistantAppend) {
+    const filePath = path.join(taskDir, runId, "TASKRUN.md");
+    // 1. Optionally append to the current assistant block (e.g. the input questions)
+    if (assistantAppend) {
+        fs.appendFileSync(filePath, assistantAppend, "utf-8");
+    }
+    // 2. End the current assistant block
+    fs.appendFileSync(filePath, "\n\n", "utf-8");
+    // 3. Write the user message
+    appendRunMessage(taskDir, runId, userMsg);
+    // 4. Open a new assistant block for subsequent agent output
+    const delimiter = `<!-- palmier:message role="assistant" time="${Date.now()}" -->`;
+    fs.appendFileSync(filePath, `${delimiter}\n\n`, "utf-8");
+}
 /**
  * Read conversation messages from a run's TASKRUN.md file.
  */

package/dist/transports/http-transport.js

@@ -1,9 +1,10 @@
 import * as http from "node:http";
 import * as os from "os";
 import { StringCodec } from "nats";
-import { validateSession, addSession } from "../session-store.js";
+import { validateClient, addClient } from "../client-store.js";
 import { registerPending } from "../pending-requests.js";
-import { getTaskDir, parseTaskFile, appendRunMessage } from "../task.js";
+import * as fs from "node:fs";
+import { getTaskDir, parseTaskFile, spliceUserMessage } from "../task.js";
 const PWA_ORIGIN = "https://app.palmier.me";
 const assetCache = new Map();
 /** Paths currently being fetched (dedup concurrent requests). */
@@ -78,6 +79,18 @@ export function detectLanIp() {
     }
     return "127.0.0.1";
 }
+/** Find the latest (highest-numbered) run directory for a task. */
+function findLatestRunId(taskDir) {
+    try {
+        const dirs = fs.readdirSync(taskDir)
+            .filter((f) => /^\d+$/.test(f) && fs.statSync(`${taskDir}/${f}`).isDirectory())
+            .sort();
+        return dirs.length > 0 ? dirs[dirs.length - 1] : null;
+    }
+    catch {
+        return null;
+    }
+}
 /**
  * Start the HTTP transport: server with RPC, SSE, PWA proxy, pairing, and
  * localhost-only agent endpoints (notify, request-input, confirmation, permission).
@@ -102,9 +115,9 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
         const auth = req.headers.authorization;
         if (!auth || !auth.startsWith("Bearer "))
             return false;
-        return validateSession(auth.slice(7));
+        return validateClient(auth.slice(7));
     }
-    function extractSessionToken(req) {
+    function extractClientToken(req) {
         const auth = req.headers.authorization;
         if (!auth || !auth.startsWith("Bearer "))
             return undefined;
@@ -242,6 +255,8 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
                 }
                 const taskDir = getTaskDir(config.projectRoot, taskId);
                 const task = parseTaskFile(taskDir);
+                // Resolve runId: use provided value, otherwise find the latest run directory
+                const effectiveRunId = runId ?? findLatestRunId(taskDir);
                 const pendingPromise = registerPending(taskId, "input", descriptions);
                 await publishEvent(taskId, {
                     event_type: "input-request",
@@ -250,18 +265,20 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
                     name: task.frontmatter.name,
                 });
                 const response = await pendingPromise;
+                const questionsBlock = "\n\n" + descriptions.map((d) => `**${d}**`).join("\n");
                 if (response.length === 1 && response[0] === "aborted") {
                     await publishEvent(taskId, { event_type: "input-resolved", host_id: config.hostId, status: "aborted" });
-                    if (runId) {
-                        appendRunMessage(taskDir, runId, { role: "user", time: Date.now(), content: "Input request aborted.", type: "input" });
+                    if (effectiveRunId) {
+                        spliceUserMessage(taskDir, effectiveRunId, { role: "user", time: Date.now(), content: "Aborted", type: "input" }, questionsBlock);
+                        await publishEvent(taskId, { event_type: "result-updated", run_id: effectiveRunId });
                     }
                     sendJson(res, 200, { aborted: true });
                 }
                 else {
                     await publishEvent(taskId, { event_type: "input-resolved", host_id: config.hostId, status: "provided" });
-                    if (runId) {
-                        const lines = descriptions.map((desc, i) => `**${desc}** ${response[i]}`);
-                        appendRunMessage(taskDir, runId, { role: "user", time: Date.now(), content: lines.join("\n"), type: "input" });
+                    if (effectiveRunId) {
+                        spliceUserMessage(taskDir, effectiveRunId, { role: "user", time: Date.now(), content: response.join("\n"), type: "input" }, questionsBlock);
+                        await publishEvent(taskId, { event_type: "result-updated", run_id: effectiveRunId });
                     }
                     sendJson(res, 200, { values: response });
                 }
@@ -351,11 +368,11 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
                     sendJson(res, 401, { error: "Invalid code" });
                     return;
                 }
-                const session = addSession(label);
+                const client = addClient(label);
                 const ip = detectLanIp();
                 const response = {
                     hostId: config.hostId,
-                    sessionToken: session.token,
+                    clientToken: client.token,
                     directUrl: `http://${ip}:${port}`,
                 };
                 clearTimeout(pending.timer);
@@ -432,10 +449,10 @@ export async function startHttpTransport(config, handleRpc, port, nc, pairingCod
                 sendJson(res, 400, { error: "Invalid JSON" });
                 return;
             }
-            const sessionToken = extractSessionToken(req);
+            const clientToken = extractClientToken(req);
             console.log(`[http] RPC: ${method}`);
             try {
-                const response = await handleRpc({ method, params, sessionToken, localhost: isLocalhost(req) });
+                const response = await handleRpc({ method, params, clientToken, localhost: isLocalhost(req) });
                 console.log(`[http] RPC done: ${method}`, JSON.stringify(response).slice(0, 200));
                 sendJson(res, 200, response);
             }

package/dist/transports/nats-transport.js

@@ -39,13 +39,13 @@ export async function startNatsTransport(config, handleRpc, nc) {
                 }
             }
         }
-        // Extract sessionToken from params (PWA includes it in the payload)
-        const sessionToken = typeof params.sessionToken === "string" ? params.sessionToken : undefined;
-        delete params.sessionToken;
+        // Extract clientToken from params (PWA includes it in the payload)
+        const clientToken = typeof params.clientToken === "string" ? params.clientToken : undefined;
+        delete params.clientToken;
         console.log(`[nats] RPC: ${method}`);
         let response;
         try {
-            response = await handleRpc({ method, params, sessionToken });
+            response = await handleRpc({ method, params, clientToken });
         }
         catch (err) {
             console.error(`[nats] RPC error (${method}):`, err);

package/dist/types.d.ts

@@ -19,6 +19,7 @@ export interface TaskFrontmatter {
     triggers: Trigger[];
     triggers_enabled: boolean;
     requires_confirmation: boolean;
+    yolo_mode?: boolean;
     permissions?: RequiredPermission[];
     command?: string;
 }
@@ -66,8 +67,8 @@ export interface ConversationMessage {
 export interface RpcMessage {
     method: string;
     params: Record<string, unknown>;
-    sessionToken?: string;
-    /** Trusted localhost request — skip session validation. */
+    clientToken?: string;
+    /** Trusted localhost request — skip client validation. */
     localhost?: boolean;
 }
 //# sourceMappingURL=types.d.ts.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "palmier",
-  "version": "0.5.1",
+  "version": "0.5.3",
   "description": "Palmier host CLI - provisions, executes tasks, and serves NATS RPC",
   "license": "Apache-2.0",
   "author": "Hongxu Cai",

package/src/agents/agent-instructions.md

@@ -2,23 +2,19 @@ You are an AI agent executing a task on behalf of the user via the Palmier platf
 
 ## Reporting Output
 
-If you generate report or output files, print each file path on its own line prefixed with [PALMIER_REPORT]:
-[PALMIER_REPORT] report.md
-[PALMIER_REPORT] summary.md
+If you generate report or output files, print each file path on its own line using this exact format:
+[PALMIER_REPORT] <filename>
 
 ## Completion
 
-When you are done, output exactly one of these markers as the very last line:
-- Success: [PALMIER_TASK_SUCCESS]
-- Failure: [PALMIER_TASK_FAILURE]
-Do not wrap them in code blocks or add text on the same line.
+When you are done, output exactly one of these markers as the very last line (no other text on the same line):
+[PALMIER_TASK_SUCCESS]
+[PALMIER_TASK_FAILURE]
 
 ## Permissions
 
-If the task fails because a tool was denied or you lack the required permissions, print each required permission on its own line prefixed with [PALMIER_PERMISSION]:
-[PALMIER_PERMISSION] Read | Read file contents from the repository
-[PALMIER_PERMISSION] Bash(npm test) | Run the test suite via npm
-[PALMIER_PERMISSION] Write | Write generated output files
+If the task fails because a tool was denied or you lack the required permissions, print each required permission on its own line using this exact format:
+[PALMIER_PERMISSION] <tool_name> | <description>
 
 ## HTTP Endpoints
 

package/src/agents/agent.ts

@@ -4,6 +4,8 @@ import { GeminiAgent } from "./gemini.js";
 import { CodexAgent } from "./codex.js";
 import { OpenClawAgent } from "./openclaw.js";
 import { CopilotAgent } from "./copilot.js";
+import { QwenAgent } from "./qwen.js";
+import { KimiAgent } from "./kimi.js";
 
 export interface CommandLine {
   command: string;
@@ -21,9 +23,14 @@ export interface AgentTool {
   getPlanGenerationCommandLine(prompt: string): CommandLine;
 
   /** Return the command and args used to run a task. If followupPrompt is provided, use it instead of the task's prompt,
-   *  and treat it as a continuation of the original run (reuse the same session, etc). extraPermissions are transient
-   *  permissions granted for this run only (not persisted in frontmatter). */
-  getTaskRunCommandLine(task: ParsedTask, followupPrompt?: string, extraPermissions?: RequiredPermission[]): CommandLine;
+   *  and treat it as a continuation of the original run (reuse the same session, etc).
+   *  extraPermissions: pass an array of RequiredPermission for transient permissions granted for this run only,
+   *  or pass `"yolo"` to enable yolo mode (auto-approve all tools, skip permission instructions). */
+  getTaskRunCommandLine(task: ParsedTask, followupPrompt?: string, extraPermissions?: RequiredPermission[] | "yolo"): CommandLine;
+
+  /** Whether this agent supports permission overrides (e.g. --allowedTools).
+   *  If false, the permissions section is omitted from agent instructions. */
+  supportsPermissions: boolean;
 
   /** Detect whether the agent CLI is available and perform any agent-specific
    *  initialization. Returns true if the agent was detected and initialized successfully. */
@@ -36,6 +43,8 @@ const agentRegistry: Record<string, AgentTool> = {
   codex: new CodexAgent(),
   openclaw: new OpenClawAgent(),
   copilot: new CopilotAgent(),
+  qwen: new QwenAgent(),
+  kimi: new KimiAgent(),
 };
 
 const agentLabels: Record<string, string> = {
@@ -44,11 +53,14 @@ const agentLabels: Record<string, string> = {
   codex: "Codex CLI",
   openclaw: "OpenClaw",
   copilot: "Copilot CLI",
+  qwen: "Qwen Code",
+  kimi: "Kimi Code",
 };
 
 export interface DetectedAgent {
   key: string;
   label: string;
+  supportsPermissions: boolean;
 }
 
 export async function detectAgents(): Promise<DetectedAgent[]> {
@@ -56,7 +68,7 @@ export async function detectAgents(): Promise<DetectedAgent[]> {
   for (const [key, agent] of Object.entries(agentRegistry)) {
     const label = agentLabels[key] ?? key;
     const ok = await agent.init();
-    if (ok) detected.push({ key, label });
+    if (ok) detected.push({ key, label, supportsPermissions: agent.supportsPermissions });
   }
   return detected;
 }

package/src/agents/claude.ts

@@ -5,6 +5,7 @@ import { getAgentInstructions } from "./shared-prompt.js";
 import { SHELL } from "../platform/index.js";
 
 export class ClaudeAgent implements AgentTool {
+  supportsPermissions = true;
   getPlanGenerationCommandLine(prompt: string): CommandLine {
     return {
       command: "claude",
@@ -12,13 +13,17 @@ export class ClaudeAgent implements AgentTool {
     };
   }
 
-  getTaskRunCommandLine(task: ParsedTask, followupPrompt?: string, extraPermissions?: RequiredPermission[]): CommandLine {
-    const prompt = followupPrompt ?? (getAgentInstructions(task.frontmatter.id) + "\n\n" + (task.body || task.frontmatter.user_prompt));
-    const args = ["--permission-mode", "acceptEdits", "-p", "--allowedTools", "WebFetch"];
+  getTaskRunCommandLine(task: ParsedTask, followupPrompt?: string, extraPermissions?: RequiredPermission[] | "yolo"): CommandLine {
+    const yolo = extraPermissions === "yolo";
+    const prompt = followupPrompt ?? (getAgentInstructions(task.frontmatter.id, yolo || !this.supportsPermissions) + "\n\n" + (task.body || task.frontmatter.user_prompt));
+    const args = ["--permission-mode", yolo ? "bypassPermissions" : "acceptEdits", "-p"];
 
-    const allPerms = [...(task.frontmatter.permissions ?? []), ...(extraPermissions ?? [])];
-    for (const p of allPerms) {
-      args.push("--allowedTools", p.name);
+    if (!yolo) {
+      args.push("--allowedTools", "WebFetch");
+      const allPerms = [...(task.frontmatter.permissions ?? []), ...(extraPermissions ?? [])];
+      for (const p of allPerms) {
+        args.push("--allowedTools", p.name);
+      }
     }
 
     if (followupPrompt) {args.push("-c");} // continue mode for followups

package/src/agents/codex.ts

@@ -5,6 +5,7 @@ import { getAgentInstructions } from "./shared-prompt.js";
 import { SHELL } from "../platform/index.js";
 
 export class CodexAgent implements AgentTool {
+  supportsPermissions = true;
   getPlanGenerationCommandLine(prompt: string): CommandLine {
     return {
       command: "codex",
@@ -12,15 +13,18 @@ export class CodexAgent implements AgentTool {
     };
   }
 
-  getTaskRunCommandLine(task: ParsedTask, followupPrompt?: string, extraPermissions?: RequiredPermission[]): CommandLine {
-    const prompt = followupPrompt ?? (getAgentInstructions(task.frontmatter.id) + "\n\n" + (task.body || task.frontmatter.user_prompt));
+  getTaskRunCommandLine(task: ParsedTask, followupPrompt?: string, extraPermissions?: RequiredPermission[] | "yolo"): CommandLine {
+    const yolo = extraPermissions === "yolo";
+    const prompt = followupPrompt ?? (getAgentInstructions(task.frontmatter.id, yolo || !this.supportsPermissions) + "\n\n" + (task.body || task.frontmatter.user_prompt));
     // Using danger-full-access until workspace-write is fixed: https://github.com/openai/codex/issues/12572
-    const args = ["exec", "--full-auto", "--skip-git-repo-check", "--sandbox", "danger-full-access"];
+    const args = ["exec", "--skip-git-repo-check", "--sandbox", "danger-full-access"];
 
-    const allPerms = [...(task.frontmatter.permissions ?? []), ...(extraPermissions ?? [])];
-    for (const p of allPerms) {
-      args.push("--config");
-      args.push(`apps.${p.name}.default_tools_approval_mode="approve"`);
+    if (!yolo) {
+      const allPerms = [...(task.frontmatter.permissions ?? []), ...(extraPermissions ?? [])];
+      for (const p of allPerms) {
+        args.push("--config");
+        args.push(`apps.${p.name}.default_tools_approval_mode="approve"`);
+      }
     }
     if (followupPrompt) {args.push("resume", "--last");} // continue mode for followups
     args.push("-"); // read prompt from stdin