qlogicagent 2.11.2 → 2.11.4

package/dist/types/runtime/pet/pet-soul-service.d.ts

@@ -1,5 +1,5 @@
-import type { PetSoul, PetStats } from "./pet-types.js";
-export declare function hasPetAgentBoundaryViolationText(value: string): boolean;
+import { hasPetAgentBoundaryViolationText, type PetSoul, type PetStats } from "@xiaozhiclaw/pet-core";
+export { hasPetAgentBoundaryViolationText };
 export declare class PetSoulService {
     private soul;
     private profileService;

package/dist/types/runtime/pet/pet-types.d.ts

@@ -1,32 +1 @@
-export interface PetStats {
-    grip: number;
-    patience: number;
-    curiosity: number;
-    appetite: number;
-    humor: number;
-}
-export interface PetSoul {
-    name: string;
-    species: string;
-    personality: string;
-    catchphrase: string;
-    stats: PetStats;
-    rarity: string;
-    breed?: string;
-    breedColors?: {
-        primary: string;
-        secondary: string;
-    };
-    level: number;
-    experience: number;
-    hatchedAt: string;
-}
-export interface PetBreed {
-    id: string;
-    name: string;
-    colors: {
-        primary: string;
-        secondary: string;
-    };
-    rarity: string;
-}
+export type { PetStats, PetSoul, PetBreed } from "@xiaozhiclaw/pet-core";

package/dist/types/runtime/pet/petdex-asset.d.ts

@@ -1,111 +1,6 @@
-export declare const PETDEX_SCHEMA: "qlogic.petdex.asset.v1";
-export declare const PETDEX_VALIDATION_SCHEMA: "qlogic.petdex.validation.v1";
-export declare const PETDEX_ATLAS_CONTRACT: {
-    readonly format: "webp";
-    readonly columns: 8;
-    readonly rows: 9;
-    readonly frameCount: 72;
-    readonly cellWidth: 192;
-    readonly cellHeight: 208;
-    readonly width: 1536;
-    readonly height: 1872;
-};
-export declare const PETDEX_ANIMATION_IDS: readonly ["idle", "thinking", "working", "done", "happy", "error", "attention", "dragging", "sleeping"];
-export type PetdexAnimationId = typeof PETDEX_ANIMATION_IDS[number];
-export interface PetdexAnimation {
-    frames: number[];
-    fps: number;
-    loop: boolean;
-}
-export interface PetdexAtlas {
-    image: "spritesheet.webp";
-    format: "webp";
-    columns: 8;
-    rows: 9;
-    frameCount: 72;
-    cellWidth: 192;
-    cellHeight: 208;
-    width: 1536;
-    height: 1872;
-    sha256: string;
-    imageUrl?: string;
-}
-export interface PetdexAssetSource {
-    kind: "builtin" | "upload" | "forge";
-    prompt: string | null;
-}
-export interface PetdexPetAsset {
-    schema: typeof PETDEX_SCHEMA;
-    id: string;
-    assetKind: "petdex";
-    name: string;
-    description: string;
-    createdAt: string;
-    updatedAt: string;
-    source: PetdexAssetSource;
-    atlas: PetdexAtlas;
-    animations: Record<PetdexAnimationId, PetdexAnimation>;
-    thumbnail: {
-        frame: number;
-    };
-    sourcePrompt?: string;
-}
-export type PetdexAssetManifest = PetdexPetAsset;
-export interface PetdexPetAssetSummary {
-    id: string;
-    assetKind: "petdex";
-    sourceKind: PetdexAssetSource["kind"];
-    name: string;
-    description: string;
-    createdAt: string;
-    updatedAt: string;
-    atlas: Omit<PetdexAtlas, "image" | "imageUrl"> & {
-        imageUrl?: string;
-    };
-    animations?: Record<PetdexAnimationId, PetdexAnimation>;
-    thumbnail?: {
-        frame: number;
-    };
-}
-export interface PetdexValidationReport {
-    schema: typeof PETDEX_VALIDATION_SCHEMA;
-    assetId: string;
-    valid: boolean;
-    validatedAt: string;
-    errors: string[];
-    warnings: string[];
-    atlas: {
-        format: "webp";
-        columns: 8;
-        rows: 9;
-        frameCount: 72;
-        cellWidth: 192;
-        cellHeight: 208;
-        width: number;
-        height: number;
-        sha256: string;
-    };
-    animations: {
-        ids: PetdexAnimationId[];
-        minFrame: number;
-        maxFrame: number;
-    };
-}
-export interface LoadedPetdexPackage {
-    manifest: PetdexPetAsset;
-    spritesheet: Buffer;
-    validation: PetdexValidationReport;
-}
-export type PetdexAssetPackage = LoadedPetdexPackage;
-export type PetdexAssetValidation = PetdexValidationReport;
-export interface PetdexImportResult {
-    asset: PetdexPetAsset;
-    summary: PetdexPetAssetSummary;
-    validation: PetdexValidationReport;
-}
-export declare function createDefaultPetdexAnimations(): Record<PetdexAnimationId, PetdexAnimation>;
-export declare function toPetdexAssetSummary(asset: PetdexPetAsset, imageUrl?: string): PetdexPetAssetSummary;
-export declare function validatePetdexAssetManifest(manifest: unknown, spritesheet: Buffer): PetdexValidationReport;
+import { type PetdexAssetSource, type PetdexPetAsset, type PetdexValidationReport, type LoadedPetdexPackage, type PetdexImportResult } from "@xiaozhiclaw/pet-core";
+export { PETDEX_SCHEMA, PETDEX_VALIDATION_SCHEMA, PETDEX_ATLAS_CONTRACT, PETDEX_ANIMATION_IDS, createDefaultPetdexAnimations, toPetdexAssetSummary, validatePetdexAssetManifest, petdexImageDataUrl, } from "@xiaozhiclaw/pet-core";
+export type { PetdexAnimationId, PetdexAnimation, PetdexAtlas, PetdexAssetSource, PetdexPetAsset, PetdexAssetManifest, PetdexPetAssetSummary, PetdexValidationReport, LoadedPetdexPackage, PetdexAssetPackage, PetdexAssetValidation, PetdexImportResult, } from "@xiaozhiclaw/pet-core";
 export declare function loadPetdexAssetPackage(filePath: string): Promise<LoadedPetdexPackage>;
 export declare function buildPetdexAssetImport(filePath: string, targetDir: string): Promise<PetdexImportResult>;
 export declare function writePetdexAssetPackage(params: {
@@ -135,4 +30,3 @@ export declare function listBuiltinPetdexAssets(): Promise<Array<{
     spritesheet: Buffer;
     validation: PetdexValidationReport;
 }>>;
-export declare function petdexImageDataUrl(spritesheet: Buffer): string;

package/dist/types/runtime/pet/petdex-forge-service.d.ts

@@ -1,84 +1,6 @@
-import { PETDEX_ATLAS_CONTRACT, type PetdexAnimationId, type PetdexPetAsset, type PetdexValidationReport } from "./petdex-asset.js";
-export interface PetdexForgeRequest {
-    id?: string;
-    name: string;
-    description: string;
-    prompt?: string | null;
-    referenceImageUrl?: string;
-    referenceMode?: "identity" | "refine";
-    baseSpritesheet?: Buffer;
-    refineAnimationId?: PetdexAnimationId;
-    refineFrameIndexes?: number[];
-}
-export interface PetdexImageGenerationRequest {
-    prompt: string;
-    purpose: "petdex-reference" | "petdex-row-strip";
-    animationId?: PetdexAnimationId;
-    style: string;
-    size: string;
-    imageUrl?: string;
-    referenceImages?: PetdexProductionReferenceImage[];
-    n: 1;
-    quality: "auto";
-}
-export interface PetdexImageGenerationResult {
-    mediaUrls: string[];
-    model?: string;
-    size?: string;
-    durationMs?: number;
-    provider?: string;
-    billingUnit?: string;
-    billingQuantity?: number;
-}
-export interface PetdexForgeOutput {
-    asset: PetdexPetAsset;
-    spritesheet: Buffer;
-    validation: PetdexValidationReport;
-    prompt: string;
-    productionRun: PetdexProductionRun;
-    model?: string;
-    size?: string;
-    durationMs?: number;
-    mediaUsage?: {
-        provider: string;
-        model: string;
-        billingUnit: string;
-        billingQuantity: number;
-    };
-}
-export declare const PETDEX_PRODUCTION_SCHEMA: "qlogic.petdex.production.v1";
-export interface PetdexProductionReferenceImage {
-    role: "canonical-reference" | "layout-guide" | "existing-atlas";
-    imageUrl: string;
-}
-export interface PetdexProductionJob {
-    id: string;
-    kind: "reference" | "row-strip";
-    status: "complete";
-    animationId?: PetdexAnimationId;
-    prompt: string;
-    inputImages: PetdexProductionReferenceImage[];
-    outputUrl: string;
-}
-export interface PetdexProductionRun {
-    schema: typeof PETDEX_PRODUCTION_SCHEMA;
-    status: "complete";
-    sourceMode: "text" | "reference" | "refine";
-    contract: typeof PETDEX_ATLAS_CONTRACT;
-    jobs: PetdexProductionJob[];
-    qa: {
-        contactSheet: {
-            rows: typeof PETDEX_ATLAS_CONTRACT.rows;
-            columns: typeof PETDEX_ATLAS_CONTRACT.columns;
-            frameCount: typeof PETDEX_ATLAS_CONTRACT.frameCount;
-        };
-        rowReports: Array<{
-            animationId: PetdexAnimationId;
-            status: "pass";
-            frames: typeof PETDEX_ATLAS_CONTRACT.columns;
-        }>;
-    };
-}
+import { type PetdexForgeRequest, type PetdexForgeOutput, type GeneratePetdexImage, type UploadPetdexReferenceImage, type PetdexProductionOptions } from "@xiaozhiclaw/pet-core";
+export { PETDEX_PRODUCTION_SCHEMA, } from "@xiaozhiclaw/pet-core";
+export type { PetdexForgeRequest, PetdexImageGenerationRequest, PetdexImageGenerationResult, PetdexForgeOutput, PetdexProductionRun, PetdexProductionJob, PetdexProductionReferenceImage, GeneratePetdexImage, UploadPetdexReferenceImage, PetdexProductionOptions, } from "@xiaozhiclaw/pet-core";
 export interface PetdexForgePackageOutput extends PetdexForgeOutput {
     packagePath: string;
     assetDir: string;
@@ -87,15 +9,6 @@ export interface PetdexForgePackageOutput extends PetdexForgeOutput {
     validationPath: string;
     productionRunPath: string;
 }
-export type GeneratePetdexImage = (request: PetdexImageGenerationRequest) => Promise<PetdexImageGenerationResult>;
-export type UploadPetdexReferenceImage = (input: {
-    buffer: Buffer;
-    mimeType: string;
-    filename: string;
-}) => Promise<string>;
-export interface PetdexProductionOptions {
-    uploadReferenceImage?: UploadPetdexReferenceImage;
-}
 export declare function forgePetdexAsset(input: PetdexForgeRequest, generateImage: GeneratePetdexImage, options?: PetdexProductionOptions): Promise<PetdexForgeOutput>;
 export declare function forgePetdexAssetPackage(params: {
     input: PetdexForgeRequest;
@@ -103,8 +16,4 @@ export declare function forgePetdexAssetPackage(params: {
     generateImage: GeneratePetdexImage;
     uploadReferenceImage?: UploadPetdexReferenceImage;
 }): Promise<PetdexForgePackageOutput>;
-export declare function buildPetdexAtlasPrompt(description: string, prompt?: string | null, referenceMode?: "identity" | "refine"): string;
-export declare function buildPetdexCharacterPrompt(description: string, prompt?: string | null, referenceMode?: "identity" | "refine"): string;
-export declare function buildPetdexReferencePrompt(description: string, prompt?: string | null, referenceMode?: "identity" | "refine"): string;
-export declare function buildPetdexRowPrompt(animationId: PetdexAnimationId, description: string, prompt?: string | null, referenceMode?: "identity" | "refine"): string;
 export declare function readGeneratedPetdexImage(mediaUrl: string): Promise<Buffer>;

package/dist/types/runtime/ports/path-service.d.ts

@@ -1,6 +1,16 @@
 export interface PathService {
     getActiveProjectRoot(): string;
     setActiveWorkdir(dir: string): void;
+    /**
+     * The directory the file/exec tools actually operate in (where relative tool
+     * paths resolve and the shell session's cwd lives). This is the value last set
+     * via setActiveWorkdir — it is the authoritative "active workdir" used by the
+     * permission pipeline to classify cross-workspace operations. It can differ
+     * from getActiveProjectRoot() (which feeds memory/sessions/project-agent-dir):
+     * getActiveProjectRoot may be a captured snapshot, while this always tracks the
+     * live tool workdir. Falls back to getActiveProjectRoot() if never set.
+     */
+    getActiveWorkdir(): string;
     resolveProjectDir(projectId?: string): string | undefined;
     resolveActiveOwnerUserId(): string;
     getUserAgentHome(): string;

package/dist/types/runtime/ports/permission-contracts.d.ts

@@ -1,9 +1,11 @@
 export type PermissionMode = "default" | "auto" | "full_access";
 export declare const PERMISSION_MODES: readonly PermissionMode[];
 export type PermissionBehavior = "allow" | "ask" | "deny";
+export type PermissionPromptCategory = "cross_workspace" | "high_risk_delete" | "high_risk_egress" | "destructive";
 export type PermissionRiskLevel = "read" | "write" | "system" | "external_egress";
 export interface PermissionRuleEntry {
     pattern: string;
+    pathPrefix?: string;
     behavior: PermissionBehavior;
     reason?: string;
     source?: string;
@@ -45,6 +47,12 @@ export interface PermissionAskResult {
     message: string;
     toolName: string;
     input?: Record<string, unknown>;
+    category?: PermissionPromptCategory;
+    semanticCheck?: "delete" | "egress";
+    rememberScope?: {
+        kind: "directory";
+        path: string;
+    };
     decisionReason?: PermissionDecisionReason;
 }
 export interface PermissionDenyResult {
@@ -58,7 +66,6 @@ export interface PermissionConfig {
 }
 export interface PermissionEngineConfig extends PermissionConfig {
     rules: PermissionRuleEntry[];
-    defaultBehavior: PermissionBehavior;
 }
 export interface ToolPermissionCheckInput {
     toolName: string;
@@ -69,6 +76,9 @@ export interface ToolPermissionCheckInput {
         isDangerous?: boolean;
         requiresApproval?: boolean;
         parallelSafe?: boolean;
+        isDelete?: boolean;
+        isEgress?: boolean;
+        egressCarriesData?: boolean;
     };
 }
 export interface ApprovalRequest {
@@ -77,19 +87,26 @@ export interface ApprovalRequest {
     toolName: string;
     arguments?: Record<string, unknown>;
     message: string;
+    /** Prompt category carried through from the decision pipeline (UI hint). */
+    category?: PermissionPromptCategory;
+    /** When set, the host may offer a "remember this directory" scope option. */
+    rememberScope?: {
+        kind: "directory";
+        path: string;
+    };
 }
 export interface ApprovalResponse {
     approvalId: string;
     decision: "allow" | "deny";
     updatedInput?: Record<string, unknown>;
+    /** Approval scope chosen by the user: just this call, or the whole directory. */
+    scope?: "once" | "directory";
 }
 export interface PermissionRuleEnginePort {
     getMode(): PermissionMode;
     setMode(mode: PermissionMode): void;
     getRules(): readonly PermissionRuleEntry[];
     replaceRules(rules: PermissionRuleEntry[]): void;
-    getDefaultBehavior(): PermissionBehavior;
-    setDefaultBehavior(behavior: PermissionBehavior): void;
 }
 export interface PermissionApprovalResolver {
     resolveApproval(response: ApprovalResponse): void;

package/dist/types/runtime/ports/tool-contracts.d.ts

@@ -21,6 +21,9 @@ export interface RuntimeToolContract {
     isConcurrencySafe?: boolean;
     isReadOnly?: boolean;
     riskLevel?: PermissionRiskLevel;
+    isDelete?: boolean;
+    isEgress?: boolean;
+    egressCarriesData?: boolean;
     isEnabled?: () => boolean;
     shouldDefer?: boolean;
     execute?(toolCallId: string, params: any, signal?: AbortSignal): Promise<{

package/dist/types/runtime/ports/tool-risk.d.ts

@@ -0,0 +1,7 @@
+import type { PermissionRiskLevel, ToolPermissionCheckInput } from "./permission-contracts.js";
+/**
+ * 唯一风险分级核心。优先级:显式 riskLevel > isDangerous("system") > isReadOnly("read") > isEgress("external_egress") > 默认 "write"。
+ * isDangerous 优先于 isReadOnly:工具不应同时为二者,冲突时取更危险的分级。
+ * 调用点(tools.ts 的 manifest 构建、tool-eligibility 的资格判定)各自在其上叠加专属逻辑(category 推断 / name-pattern 升级)。
+ */
+export declare function resolveToolRisk(meta: ToolPermissionCheckInput["meta"]): PermissionRiskLevel;

package/dist/types/runtime/prompt/fresh-workspace-evidence.d.ts

@@ -15,5 +15,6 @@ export interface FreshWorkspaceEvidencePolicy {
     allowedToolNames: string[];
 }
 export declare function getFreshWorkspaceEvidencePolicy(messages: readonly PromptMessageLike[] | string): FreshWorkspaceEvidencePolicy;
+export declare function isLightweightChatTurn(messages: readonly PromptMessageLike[] | string): boolean;
 export declare function selectFreshWorkspaceEvidenceTools<TTool extends ToolNameLike>(tools: readonly TTool[], policy: FreshWorkspaceEvidencePolicy): TTool[];
 export declare function createFreshWorkspaceEvidenceSection(policy: FreshWorkspaceEvidencePolicy): SystemPromptSection | null;

package/dist/types/runtime/session/session-locator.d.ts

@@ -21,4 +21,6 @@ export declare class SessionLocator {
     getActiveProjectWorkspaceDir(): string;
     /** Get the active project's ID. */
     getActiveProjectId(): string;
+    /** Get the default project's ID for external personal channel sessions. */
+    getDefaultProjectId(): string;
 }

package/dist/types/runtime/session/session-persistence.d.ts

@@ -16,6 +16,7 @@
  *   3. Feed messages as initial context to agent
  */
 import type { ChatMessage } from "../../protocol/wire/index.js";
+import type { TokenUsage } from "../../agent/types.js";
 import type { SessionUsageSnapshot } from "./session-state.js";
 export interface SessionMetadata {
     sessionId: string;
@@ -35,6 +36,7 @@ export interface SessionMetadata {
     previousSessionId?: string;
     carryoverSummary?: string;
     type?: "personal" | "group";
+    ownerPlatform?: string;
     ownerId?: string;
     groupKey?: string;
     groupName?: string;
@@ -52,7 +54,12 @@ export interface SessionMetadata {
 }
 export interface PersistedSession {
     metadata: SessionMetadata;
-    messages: ChatMessage[];
+    messages: PersistedChatMessage[];
+}
+export interface PersistedChatMessage extends ChatMessage {
+    timestamp?: string;
+    turnId?: string;
+    usage?: TokenUsage;
 }
 export interface SessionListEntry {
     sessionId: string;
@@ -84,7 +91,9 @@ export declare function getSessionMetadata(sessionId: string, projectRoot: strin
  * Robustness: catches disk-full and I/O errors without crashing the agent.
  * Returns false if the write fails.
  */
-export declare function appendMessage(sessionId: string, message: ChatMessage, projectRoot: string, turnId?: string): Promise<boolean>;
+export declare function appendMessage(sessionId: string, message: ChatMessage, projectRoot: string, turnId?: string, metadata?: {
+    usage?: TokenUsage;
+}): Promise<boolean>;
 /**
  * Save session metadata + usage stats atomically (flat structure).
  */
@@ -92,6 +101,9 @@ export declare function saveSessionState(sessionId: string, usageSnapshot: Sessi
 /**
  * Update specific metadata fields of a session without touching cost data.
  * Used by session CRUD RPC (rename, pin, archive, move-to-project).
+ *
+ * Concurrency-bounded via withSessionWriteLimit (see above) so a burst of parallel
+ * updates cannot exhaust the fs thread pool and wedge the RPC channel.
  */
 export declare function updateSessionMetadata(sessionId: string, patch: Partial<Record<keyof SessionMetadata, SessionMetadata[keyof SessionMetadata] | null>>, projectRoot: string): Promise<SessionMetadata | null>;
 /**
@@ -99,7 +111,9 @@ export declare function updateSessionMetadata(sessionId: string, patch: Partial<
  *
  * Returns null if the session doesn't exist or is corrupted.
  */
-export declare function loadSessionForResume(sessionId: string, projectRoot: string): Promise<PersistedSession | null>;
+export declare function loadSessionForResume(sessionId: string, projectRoot: string, options?: {
+    includeDisplayMetadata?: boolean;
+}): Promise<PersistedSession | null>;
 /**
  * List available sessions for resume CC ResumeConversation picker.
  * Returns most-recent-first, up to `limit` entries.

package/dist/types/skills/permissions/hook-runner.d.ts

@@ -9,6 +9,8 @@ export type PermissionRole = "interactive" | "coordinator" | "worker";
 export interface PermissionCheckerDeps {
     ruleEngine: PermissionRuleEngine;
     hookRegistry: HookRegistry;
+    /** Returns the current workspace root for operation classification. */
+    getWorkspaceRoot(): string;
     /**
      * Callback to send an approval request to the host (Gateway/Electron).
      * Must return a promise that resolves when the user responds.
@@ -52,6 +54,7 @@ export interface PermissionCheckerDeps {
 export declare class PermissionChecker {
     private readonly ruleEngine;
     private readonly hookRegistry;
+    private readonly getWorkspaceRoot;
     private readonly onRequestApproval;
     private readonly onDenied;
     private readonly classifierLLMCall;

package/dist/types/skills/permissions/operation-classifier.d.ts

@@ -0,0 +1,36 @@
+import type { ToolPermissionCheckInput } from "../../runtime/ports/permission-contracts.js";
+/**
+ * 确定性操作归类。注意两个危险信号是分工的、互不包含:
+ * - `isDestructive`:shell 破坏性操作(rm -rf、dd、管道下载执行等)+ 递归删除 → 下游走"无条件保底必弹"。
+ * - `isDelete`:任意删除(含 meta 标注的删除工具)→ 下游单独走"该文件是否有用"的语义复核,不并入 isDestructive。
+ * 消费方(决策流水线)分别独立检查 isDestructive 与 isDelete。
+ */
+export interface OperationClassification {
+    targetPaths: string[];
+    inWorkspace: boolean;
+    crossWorkspace: boolean;
+    isDelete: boolean;
+    isRecursiveDelete: boolean;
+    isEgress: boolean;
+    egressCarriesData: boolean;
+    isDestructive: boolean;
+}
+export interface ClassifyContext {
+    workspaceRoot: string;
+}
+/**
+ * Canonical set of shell-command tool names. This is the single source of truth,
+ * imported and used by BOTH `classifyOperation` (below) AND hook-runner's bash
+ * pre-filter, so the two stay aligned. Includes the `Bash` case-variant.
+ */
+export declare const SHELL_TOOL_NAMES: Set<string>;
+export declare function isWithinWorkspace(resolved: string, root: string): boolean;
+/**
+ * 提取 shell 命令引用的路径(重定向目标 + Unix/Windows/相对路径),解析为绝对路径。
+ * 移植自 exec validateCommand;win32 下把 /c/Users → C:\Users;跳过单字母 flag(/c /s …);
+ * /dev/null 不计入(由绝对底线另处理)。供 classifyOperation 与 exec validateCommand 共用(单一源)。
+ * 扫描层用聚焦 shell tokenizer(替代正则):正确处理带空格的引号路径、管道/&& 后的路径、
+ * 以及单/双引号内的字面 `>`(不当作重定向)。push() 的过滤/解析逻辑保持不变。
+ */
+export declare function extractCommandPaths(command: string, root: string): string[];
+export declare function classifyOperation(input: ToolPermissionCheckInput, ctx: ClassifyContext): OperationClassification;

package/dist/types/skills/permissions/rule-engine.d.ts

@@ -1,34 +1,39 @@
+import type { OperationClassification } from "./operation-classifier.js";
 import type { PermissionMode, PermissionBehavior, PermissionResult, PermissionRuleEntry, PermissionEngineConfig, ToolPermissionCheckInput } from "./types.js";
 export declare class PermissionRuleEngine {
     private mode;
     private rules;
-    private defaultBehavior;
+    private sessionRules;
     private compiledPatterns;
     constructor(config: PermissionEngineConfig);
     getMode(): PermissionMode;
     setMode(mode: PermissionMode): void;
     getRules(): readonly PermissionRuleEntry[];
-    getDefaultBehavior(): PermissionBehavior;
-    /** Replace all rules at once (for settings hot-reload). */
+    /** Replace all persistent rules at once (for settings hot-reload). Session rules are preserved. */
     replaceRules(rules: PermissionRuleEntry[]): void;
-    /** Update the default behavior (for settings hot-reload). */
-    setDefaultBehavior(behavior: PermissionBehavior): void;
     addRule(rule: PermissionRuleEntry): void;
+    /** Add a session-scoped rule (e.g. "remember directory" approvals). */
+    addSessionRule(rule: {
+        pathPrefix?: string;
+        pattern?: string;
+        behavior?: PermissionBehavior;
+    }): void;
+    /** sandbox 可写根:rules + sessionRules 中 allow 且带 pathPrefix 的目录(去重)。 */
+    getAllowedWriteDirectories(): string[];
     /**
-     * 4-layer permission check (cc hasPermissionsToUseTool parity).
+     * Workspace + danger decision pipeline.
      *
-     * Layer 0: Mode override
-     * Layer 1: Explicit rules (first match wins)
-     * Layer 2: Unified tool risk metadata
-     * Layer 3: Default behavior
+     * `op` is optional and defaults to an all-false classification so callers
+     * that have not yet been wired to the classifier keep compiling.
      */
-    check(input: ToolPermissionCheckInput): PermissionResult;
-    private compileRules;
+    check(input: ToolPermissionCheckInput, op?: OperationClassification): PermissionResult;
+    /** Rebuild compiledPatterns: [persistent-deny] → [session] → [persistent non-deny]. */
+    private recompile;
 }
 /**
  * Parse permission config from Gateway-injected or local settings.
  *
- * Accepts only the user-facing permission mode. Historical rules/defaultBehavior
- * fields are ignored so old config cannot create a fourth user permission mode.
+ * Accepts the user-facing permission mode plus the persistent `rules` channel.
+ * Legacy top-level alias keys (allow/deny/ask arrays, default) are still rejected.
  */
 export declare function parsePermissionConfig(raw: unknown): PermissionEngineConfig;

package/dist/types/skills/portable-tool.d.ts

@@ -104,6 +104,24 @@ export interface PortableTool<TParams = Record<string, unknown>> {
      * Used by permission system to require confirmation.
      */
     isDestructive?: boolean;
+    /**
+     * Whether this tool deletes data (files, records, resources).
+     * Distinct from isDestructive (shell-level) — this is a semantic annotation
+     * on tools that explicitly delete. Downstream uses separate delete-specific
+     * confirmation logic from the general destructive-shell path.
+     */
+    isDelete?: boolean;
+    /**
+     * Whether this tool sends data to an external service (egress).
+     * When true, the tool is classified as external_egress risk.
+     */
+    isEgress?: boolean;
+    /**
+     * Whether egress carries user data (as opposed to read-only queries).
+     * Only meaningful when isEgress is true.
+     * Examples: send_message (true), web_search (false).
+     */
+    egressCarriesData?: boolean;
     /**
      * Tool-specific permission check before execution.
      * CC parity: Tool.checkPermissions — returns allow/deny with reason.

package/dist/types/skills/tools/exec-tool.d.ts

@@ -1,5 +1,6 @@
 import type { PortableTool } from "../portable-tool.js";
 import type { CommandClassification } from "./shell/command-classification.js";
+import type { SandboxConfig } from "./shell/sandbox/sandbox-types.js";
 export declare const EXEC_TOOL_NAME: "exec";
 export interface ExecToolParams {
     command: string;
@@ -72,6 +73,12 @@ export interface ExecToolHost {
      * Returns null/undefined if allowed, or an error message if blocked.
      */
     validateCommand?(command: string): Promise<string | null | undefined>;
+    /**
+     * Resolve the OS-sandbox context for this exec (snapshot of the permission
+     * single-source: mode + active workdir + approved dirs + helper availability).
+     * Returns undefined to disable the OS sandbox (degrade to prompt-only).
+     */
+    resolveSandbox?(): SandboxConfig | undefined;
     /**
      * Interpret a non-zero exit code.
      * E.g. 127 → "command not found", 137 → "killed by SIGKILL".

package/dist/types/skills/tools/patch-tool.d.ts

@@ -41,5 +41,12 @@ interface MatchResult {
     strategy: MatchStrategy;
 }
 declare function fuzzyFind(content: string, search: string, replaceAll: boolean): MatchResult[];
+export interface PatchTargets {
+    /** Every file path the patch adds, updates, deletes, or moves (source + destination). */
+    paths: string[];
+    /** Paths removed via a *** Delete File: directive. */
+    deletes: string[];
+}
+export declare function extractPatchTargets(input: string): PatchTargets;
 export declare function createPatchTool(deps: PatchToolDeps): PortableTool<PatchToolParams>;
 export { fuzzyFind, type MatchResult };