reasonix 0.27.2 → 0.28.0

package/dist/cli/{prompt-YUL7CYKY.js → prompt-VF7B6BWR.js}

@@ -2,9 +2,9 @@
 import {
   CODE_SYSTEM_PROMPT,
   codeSystemPrompt
-} from "./chunk-R2L5YEEF.js";
+} from "./chunk-COFBA5FV.js";
 export {
   CODE_SYSTEM_PROMPT,
   codeSystemPrompt
 };
-//# sourceMappingURL=prompt-YUL7CYKY.js.map
+//# sourceMappingURL=prompt-VF7B6BWR.js.map

package/dist/index.d.ts

@@ -259,6 +259,27 @@ type ChoiceVerdict = {
 } | {
     type: "cancel";
 };
+type ToolConfirmationAuditEvent = {
+    type: "tool.confirm.allow";
+    kind: "run_command" | "run_background";
+    payload: {
+        command: string;
+    };
+} | {
+    type: "tool.confirm.deny";
+    kind: "run_command" | "run_background";
+    payload: {
+        command: string;
+    };
+    denyContext?: string;
+} | {
+    type: "tool.confirm.always_allow";
+    kind: "run_command" | "run_background";
+    payload: {
+        command: string;
+    };
+    prefix: string;
+};
 interface PauseResponseMap {
     run_command: ConfirmationChoice;
     run_background: ConfirmationChoice;
@@ -303,6 +324,7 @@ type PauseRequest = {
     payload: unknown;
 };
 type GateListener = (request: PauseRequest) => void;
+type AuditListener = (event: ToolConfirmationAuditEvent) => void;
 /** Named options for PauseGate.ask() — makes it obvious which field is kind vs payload. */
 interface PauseAskOpts<K extends PauseKind = PauseKind> {
     kind: K;
@@ -312,15 +334,18 @@ declare class PauseGate {
     private _nextId;
     private _pending;
     private _listeners;
+    private _auditListener;
     /** Block until the user responds. Takes a named options object so the
      *  kind and payload fields don't get confused at the call site. */
     ask<K extends PauseKind>(opts: PauseAskOpts<K>): Promise<PauseResponseMap[K]>;
     /** Resolve a pending request. Called by the App's modal callback. */
     resolve(id: number, data: unknown): void;
+    setAuditListener(fn: AuditListener | null): void;
     /** Subscribe to new pause requests. Returns an unsubscribe function. */
     on(fn: GateListener): () => void;
     /** Current pending request, if any (polling fallback). */
     get current(): PauseRequest | null;
+    private emitAuditEvent;
 }
 
 /** Shell-command hooks; project scope first, then global. Exit 0=pass, 2=block on Pre*, other=warn. */
@@ -429,46 +454,30 @@ interface RunHooksOptions {
 /** Stops at first `block` so a gating hook can prevent later hooks running against a phantom success. */
 declare function runHooks(opts: RunHooksOptions): Promise<HookReport>;
 
-interface ImmutablePrefixOptions {
-    system: string;
-    toolSpecs?: readonly ToolSpec[];
-    fewShots?: readonly ChatMessage[];
-}
-declare class ImmutablePrefix {
-    readonly system: string;
-    /** Each `addTool` costs one cache-miss turn — DeepSeek's prefix cache is keyed by full tool list. */
-    private _toolSpecs;
-    readonly fewShots: readonly ChatMessage[];
-    /** Invalidated only via `addTool`; bypassing it leaves cache stale → fingerprint diverges from sent prefix. */
-    private _fingerprintCache;
-    constructor(opts: ImmutablePrefixOptions);
-    get toolSpecs(): readonly ToolSpec[];
-    toMessages(): ChatMessage[];
-    tools(): ToolSpec[];
-    addTool(spec: ToolSpec): boolean;
-    /** Mirror of addTool for MCP hot-unbridge. Same cache-miss cost — prefix changes shape. */
-    removeTool(name: string): boolean;
-    get fingerprint(): string;
-    /** Dev/test only — throws on cache drift, which always means a non-`addTool` mutation slipped in. */
-    verifyFingerprint(): string;
-    private computeFingerprint;
-}
-declare class AppendOnlyLog {
-    private _entries;
-    append(message: ChatMessage): void;
-    extend(messages: ChatMessage[]): void;
-    /** The one append-only-breaking path — reserved for `/compact` + recovery. Use `append()` otherwise. */
-    compactInPlace(replacement: ChatMessage[]): void;
-    get entries(): readonly ChatMessage[];
-    toMessages(): ChatMessage[];
-    get length(): number;
-}
-declare class VolatileScratch {
-    reasoning: string | null;
-    planState: Record<string, unknown> | null;
-    notes: string[];
-    reset(): void;
-}
+/** Single text-layer DeepSeek-error formatter — 429/5xx never reach here (retry.ts swallows). */
+declare function formatLoopError(err: Error): string;
+
+/** Drops both unpaired assistant.tool_calls and stray tool messages — DeepSeek 400s on either. */
+declare function fixToolCallPairing(messages: ChatMessage[]): {
+    messages: ChatMessage[];
+    droppedAssistantCalls: number;
+    droppedStrayTools: number;
+};
+declare function healLoadedMessages(messages: ChatMessage[], maxChars: number): {
+    messages: ChatMessage[];
+    healedCount: number;
+    healedFrom: number;
+};
+/** Token-cap variant — char cap would let CJK slip past at 2× the intended token cost. */
+declare function healLoadedMessagesByTokens(messages: ChatMessage[], maxTokens: number): {
+    messages: ChatMessage[];
+    healedCount: number;
+    tokensSaved: number;
+    charsSaved: number;
+};
+
+/** Strip hallucinated tool-call envelopes — `tools: undefined` doesn't always force prose. */
+declare function stripHallucinatedToolMarkup(s: string): string;
 
 /** Mutating calls clear prior read-only entries so a post-edit re-read isn't flagged as repeat. */
 type IsMutating = (call: ToolCall) => boolean;
@@ -587,6 +596,91 @@ declare class SessionStats {
     summary(): SessionSummary;
 }
 
+type EventRole = "assistant_delta" | "assistant_final"
+/** Only liveness signal during a large-args tool call (no content/reasoning bytes). */
+ | "tool_call_delta"
+/** Pre-dispatch ping so the TUI can show a spinner during long tool awaits. */
+ | "tool_start" | "tool" | "done" | "error" | "warning"
+/** Transient indicator for silent phases; UI clears on next primary event. */
+ | "status" | "branch_start" | "branch_progress" | "branch_done";
+interface BranchSummary {
+    budget: number;
+    chosenIndex: number;
+    uncertainties: number[];
+    temperatures: number[];
+}
+interface BranchProgress {
+    completed: number;
+    total: number;
+    latestIndex: number;
+    latestTemperature: number;
+    latestUncertainties: number;
+}
+interface LoopEvent {
+    turn: number;
+    role: EventRole;
+    content: string;
+    reasoningDelta?: string;
+    toolName?: string;
+    /** Raw args JSON — needed by `reasonix diff` to explain why a tool was called. */
+    toolArgs?: string;
+    /** Cumulative arguments-string length for `role === "tool_call_delta"`. */
+    toolCallArgsChars?: number;
+    /** Zero-based index of the tool call this delta belongs to (multi-tool progress). */
+    toolCallIndex?: number;
+    /** Count of tool calls whose args have parsed as valid JSON (UI progress, not dispatch gate). */
+    toolCallReadyCount?: number;
+    stats?: TurnStats;
+    planState?: TypedPlanState;
+    repair?: RepairReport;
+    branch?: BranchSummary;
+    branchProgress?: BranchProgress;
+    error?: string;
+    /** Display-only — code-mode applier MUST skip SEARCH/REPLACE in forced-summary text. */
+    forcedSummary?: boolean;
+}
+
+interface ImmutablePrefixOptions {
+    system: string;
+    toolSpecs?: readonly ToolSpec[];
+    fewShots?: readonly ChatMessage[];
+}
+declare class ImmutablePrefix {
+    readonly system: string;
+    /** Each `addTool` costs one cache-miss turn — DeepSeek's prefix cache is keyed by full tool list. */
+    private _toolSpecs;
+    readonly fewShots: readonly ChatMessage[];
+    /** Invalidated only via `addTool`; bypassing it leaves cache stale → fingerprint diverges from sent prefix. */
+    private _fingerprintCache;
+    constructor(opts: ImmutablePrefixOptions);
+    get toolSpecs(): readonly ToolSpec[];
+    toMessages(): ChatMessage[];
+    tools(): ToolSpec[];
+    addTool(spec: ToolSpec): boolean;
+    /** Mirror of addTool for MCP hot-unbridge. Same cache-miss cost — prefix changes shape. */
+    removeTool(name: string): boolean;
+    get fingerprint(): string;
+    /** Dev/test only — throws on cache drift, which always means a non-`addTool` mutation slipped in. */
+    verifyFingerprint(): string;
+    private computeFingerprint;
+}
+declare class AppendOnlyLog {
+    private _entries;
+    append(message: ChatMessage): void;
+    extend(messages: ChatMessage[]): void;
+    /** The one append-only-breaking path — reserved for `/compact` + recovery. Use `append()` otherwise. */
+    compactInPlace(replacement: ChatMessage[]): void;
+    get entries(): readonly ChatMessage[];
+    toMessages(): ChatMessage[];
+    get length(): number;
+}
+declare class VolatileScratch {
+    reasoning: string | null;
+    planState: Record<string, unknown> | null;
+    notes: string[];
+    reset(): void;
+}
+
 interface ToolCallContext {
     signal?: AbortSignal;
     /** Inject a mock PauseGate for tests. When absent, tools use the singleton. */
@@ -606,6 +700,11 @@ interface ToolRegistryOptions {
     /** Auto-flatten + re-nest at dispatch; default true. */
     autoFlatten?: boolean;
 }
+type ToolCallAuditEvent = {
+    name: string;
+    args: Record<string, unknown>;
+};
+type ToolCallAuditListener = (event: ToolCallAuditEvent) => void;
 /** String return short-circuits dispatch; null/undefined falls through to the tool fn. */
 type ToolInterceptor = (name: string, args: Record<string, unknown>) => string | null | undefined | Promise<string | null | undefined>;
 declare class ToolRegistry {
@@ -613,6 +712,7 @@ declare class ToolRegistry {
     private readonly _autoFlatten;
     private _planMode;
     private _interceptor;
+    private _auditListener;
     constructor(opts?: ToolRegistryOptions);
     /** Enable / disable plan-mode enforcement at dispatch. */
     setPlanMode(on: boolean): void;
@@ -620,6 +720,7 @@ declare class ToolRegistry {
     get planMode(): boolean;
     /** At most one interceptor active; calling twice replaces. */
     setToolInterceptor(fn: ToolInterceptor | null): void;
+    setAuditListener(fn: ToolCallAuditListener | null): void;
     register<A, R>(def: ToolDefinition<A, R>): this;
     /** Drop a registered tool. Returns true if the name was present. Used by MCP hot-unbridge. */
     unregister(name: string): boolean;
@@ -638,49 +739,6 @@ declare class ToolRegistry {
     }): Promise<string>;
 }
 
-type EventRole = "assistant_delta" | "assistant_final"
-/** Only liveness signal during a large-args tool call (no content/reasoning bytes). */
- | "tool_call_delta"
-/** Pre-dispatch ping so the TUI can show a spinner during long tool awaits. */
- | "tool_start" | "tool" | "done" | "error" | "warning"
-/** Transient indicator for silent phases; UI clears on next primary event. */
- | "status" | "branch_start" | "branch_progress" | "branch_done";
-interface BranchSummary {
-    budget: number;
-    chosenIndex: number;
-    uncertainties: number[];
-    temperatures: number[];
-}
-interface BranchProgress {
-    completed: number;
-    total: number;
-    latestIndex: number;
-    latestTemperature: number;
-    latestUncertainties: number;
-}
-interface LoopEvent {
-    turn: number;
-    role: EventRole;
-    content: string;
-    reasoningDelta?: string;
-    toolName?: string;
-    /** Raw args JSON — needed by `reasonix diff` to explain why a tool was called. */
-    toolArgs?: string;
-    /** Cumulative arguments-string length for `role === "tool_call_delta"`. */
-    toolCallArgsChars?: number;
-    /** Zero-based index of the tool call this delta belongs to (multi-tool progress). */
-    toolCallIndex?: number;
-    /** Count of tool calls whose args have parsed as valid JSON (UI progress, not dispatch gate). */
-    toolCallReadyCount?: number;
-    stats?: TurnStats;
-    planState?: TypedPlanState;
-    repair?: RepairReport;
-    branch?: BranchSummary;
-    branchProgress?: BranchProgress;
-    error?: string;
-    /** Display-only — code-mode applier MUST skip SEARCH/REPLACE in forced-summary text. */
-    forcedSummary?: boolean;
-}
 interface CacheFirstLoopOptions {
     client: DeepSeekClient;
     prefix: ImmutablePrefix;
@@ -746,11 +804,11 @@ declare class CacheFirstLoop {
     private _turnAbort;
     private _proArmedForNextTurn;
     private _escalateThisTurn;
-    private _turnFailureCount;
-    private _turnFailureTypes;
+    private readonly _turnFailures;
     private _turnSelfCorrected;
     private _foldedThisTurn;
     private context;
+    get currentTurn(): number;
     constructor(opts: CacheFirstLoopOptions);
     /** Replace older turns with one summary message; keep tail within keepRecentTokens budget. */
     compactHistory(opts?: {
@@ -780,49 +838,16 @@ declare class CacheFirstLoop {
     /** UI surface — true while the current turn is running on pro (armed or auto-escalated). */
     get escalatedThisTurn(): boolean;
     private modelForCurrentCall;
-    /** Anchored to lead — mid-text matches are normal content (user asking about the marker). */
-    private parseEscalationMarker;
-    /** Convenience boolean — same gate the streaming path used to call. */
-    private isEscalationRequest;
-    /** Drives streaming flush — while plausibly partial, keep accumulating; else flush. */
-    private looksLikePartialEscalationMarker;
     /** Returns true ONLY on the tipping call — caller surfaces a one-shot warning. */
     private noteToolFailureSignal;
-    private formatFailureBreakdown;
     private buildMessages;
     abort(): void;
     /** Drop the last user message + everything after; caller re-sends. Persists to session file. */
     retryLastUser(): string | null;
     step(userInput: string): AsyncGenerator<LoopEvent>;
-    private forceSummaryAfterIterLimit;
+    private summaryContext;
     run(userInput: string, onEvent?: (ev: LoopEvent) => void): Promise<string>;
-    /** Thinking-mode producer ⇒ reasoning_content MUST be set (even ""), or next call 400s. */
-    private assistantMessage;
-    /** Abort notices etc — uses this.model as stand-in producer for the thinking-mode stamp. */
-    private syntheticAssistantMessage;
 }
-/** Strip hallucinated tool-call envelopes — `tools: undefined` doesn't always force prose. */
-declare function stripHallucinatedToolMarkup(s: string): string;
-/** Drops both unpaired assistant.tool_calls and stray tool messages — DeepSeek 400s on either. */
-declare function fixToolCallPairing(messages: ChatMessage[]): {
-    messages: ChatMessage[];
-    droppedAssistantCalls: number;
-    droppedStrayTools: number;
-};
-declare function healLoadedMessages(messages: ChatMessage[], maxChars: number): {
-    messages: ChatMessage[];
-    healedCount: number;
-    healedFrom: number;
-};
-/** Token-cap variant — char cap would let CJK slip past at 2× the intended token cost. */
-declare function healLoadedMessagesByTokens(messages: ChatMessage[], maxTokens: number): {
-    messages: ChatMessage[];
-    healedCount: number;
-    tokensSaved: number;
-    charsSaved: number;
-};
-/** Single text-layer DeepSeek-error formatter — 429/5xx never reach here (retry.ts swallows). */
-declare function formatLoopError(err: Error): string;
 
 /** Expand `@path` mentions inline. Paths must resolve inside rootDir; escapes / oversize get a skip note, not content. */
 /** Caps match tool-result dispatch truncation (0.5.2). */
@@ -1177,26 +1202,6 @@ interface JobReadResult {
     spawnError?: string;
 }
 
-/** cwd pinned to root; non-allowlisted commands throw to a UI confirm gate; spawn is `shell: false`, tokenized argv only. */
-
-interface ShellToolsOptions {
-    /** Directory to run commands in. Must be an absolute path. */
-    rootDir: string;
-    /** Seconds before an individual command is killed. Default: 60. */
-    timeoutSec?: number;
-    maxOutputChars?: number;
-    /** Getter form is load-bearing — newly-persisted "always allow" prefixes MUST take effect mid-session. */
-    extraAllowed?: readonly string[] | (() => readonly string[]);
-    /** Getter form lets `editMode === "yolo"` flip mid-session without re-registering tools. */
-    allowAll?: boolean | (() => boolean);
-    jobs?: JobRegistry;
-}
-/** No env / glob / backtick / `$(…)` expansion — prevents bypass of allowlist via concatenation. */
-declare function tokenizeCommand(cmd: string): string[];
-/** Up-front detection — without it, `dir | findstr foo` quotes `|` literal and pipe silently fails. */
-declare function detectShellOperator(cmd: string): string | null;
-/** Allowlist match on leading argv tokens; demoted by `RISKY_ARGS` when a destructive flag appears in the tail. */
-declare function isAllowed(cmd: string, extra?: readonly string[]): boolean;
 interface RunCommandResult {
     exitCode: number | null;
     /** Combined stdout+stderr, truncated to `maxOutputChars` with a marker. */
@@ -1233,6 +1238,28 @@ declare function injectPowerShellUtf8(args: readonly string[]): string[] | null;
 declare function withUtf8Codepage(cmdline: string): string;
 /** Doubles embedded quotes per cmd.exe's `""` escape rule; bare alnum passes through unquoted. */
 declare function quoteForCmdExe(arg: string): string;
+
+/** No env / glob / backtick / `$(…)` expansion — prevents bypass of allowlist via concatenation. */
+declare function tokenizeCommand(cmd: string): string[];
+/** Up-front detection — without it, `dir | findstr foo` quotes `|` literal and pipe silently fails. */
+declare function detectShellOperator(cmd: string): string | null;
+/** Allowlist match on leading argv tokens; demoted by `RISKY_ARGS` when a destructive flag appears in the tail. */
+declare function isAllowed(cmd: string, extra?: readonly string[]): boolean;
+
+/** cwd pinned to root; non-allowlisted commands throw to a UI confirm gate; spawn is `shell: false`, tokenized argv only. */
+
+interface ShellToolsOptions {
+    /** Directory to run commands in. Must be an absolute path. */
+    rootDir: string;
+    /** Seconds before an individual command is killed. Default: 60. */
+    timeoutSec?: number;
+    maxOutputChars?: number;
+    /** Getter form is load-bearing — newly-persisted "always allow" prefixes MUST take effect mid-session. */
+    extraAllowed?: readonly string[] | (() => readonly string[]);
+    /** Getter form lets `editMode === "yolo"` flip mid-session without re-registering tools. */
+    allowAll?: boolean | (() => boolean);
+    jobs?: JobRegistry;
+}
 /** Error thrown by `run_command` when the command isn't allowlisted. */
 declare class NeedsConfirmationError extends Error {
     readonly command: string;