reasonix 0.4.15 → 0.4.16

package/dist/index.d.ts

@@ -762,6 +762,91 @@ interface FilesystemToolsOptions {
 }
 declare function registerFilesystemTools(registry: ToolRegistry, opts: FilesystemToolsOptions): ToolRegistry;
 
+/**
+ * Native shell tool — lets the model run commands inside the sandbox
+ * root so it can actually verify its own work (run tests, check git
+ * status, inspect a lockfile, etc.). Without this the coding-mode
+ * loop is "write code, hope it works, ask the user to run it" —
+ * defeats the purpose.
+ *
+ * Safety model:
+ *   - Commands run with `cwd` pinned to the registered root. No
+ *     path traversal via the command itself is enforced (users can
+ *     `cat ../outside.txt`); the trust boundary is the directory
+ *     you opened Reasonix from.
+ *   - Commands are matched against a read-only / testing allowlist.
+ *     Allowlisted commands execute immediately and return stdout +
+ *     stderr merged. Everything else throws with a clear message —
+ *     the UI translates that into an `/apply`-style confirm gate so
+ *     the user sees the exact command before it runs.
+ *   - Default timeout: 60s. Output cap: matches tool-result budget.
+ *   - Every command that DOES run is spawned with `shell: false` and
+ *     a tokenized argv — no string-to-shell interpolation, so the
+ *     model can't accidentally construct a chained `rm` via quoting.
+ *
+ * This is intentionally narrower than what Claude Code / Aider ship:
+ * we gate more commands behind confirmation by default. Users who
+ * trust the model can widen the allowlist by instantiating their
+ * own tool registry.
+ */
+
+interface ShellToolsOptions {
+    /** Directory to run commands in. Must be an absolute path. */
+    rootDir: string;
+    /** Seconds before an individual command is killed. Default: 60. */
+    timeoutSec?: number;
+    /**
+     * Per-command stdout+stderr cap in characters. Default: 32_000 to
+     * match the tool-result budget.
+     */
+    maxOutputChars?: number;
+    /**
+     * Extra command-name prefixes the user explicitly trusts. Added on
+     * top of the built-in allowlist. Examples: `["my-ci-script", "lint"]`.
+     */
+    extraAllowed?: string[];
+    /**
+     * When true, skip the allowlist entirely and auto-run every command.
+     * Off by default — this is an escape hatch for non-interactive use
+     * (CI, benchmarks) where a human can't be in the loop to confirm.
+     */
+    allowAll?: boolean;
+}
+/**
+ * Tokenize a shell-ish command string into argv. Handles single/double
+ * quoting; rejects unclosed quotes. Does NOT expand env vars, globs,
+ * backticks, or `$(…)` — the goal is to prevent the model from
+ * accidentally (or not) sneaking arbitrary shells past the allowlist
+ * via concatenation. Exported for testing.
+ */
+declare function tokenizeCommand(cmd: string): string[];
+/**
+ * Return true when `cmd` matches an allowlisted prefix. Exported for
+ * testing. Match is on the space-normalized leading tokens so
+ * `git   status  -s ` and `git status` both match `git status`.
+ */
+declare function isAllowed(cmd: string, extra?: readonly string[]): boolean;
+interface RunCommandResult {
+    exitCode: number | null;
+    /** Combined stdout+stderr, truncated to `maxOutputChars` with a marker. */
+    output: string;
+    /** True when the process was killed for exceeding `timeoutSec`. */
+    timedOut: boolean;
+}
+declare function runCommand(cmd: string, opts: {
+    cwd: string;
+    timeoutSec?: number;
+    maxOutputChars?: number;
+    signal?: AbortSignal;
+}): Promise<RunCommandResult>;
+/** Error thrown by `run_command` when the command isn't allowlisted. */
+declare class NeedsConfirmationError extends Error {
+    readonly command: string;
+    constructor(command: string);
+}
+declare function registerShellTools(registry: ToolRegistry, opts: ShellToolsOptions): ToolRegistry;
+declare function formatCommandResult(cmd: string, r: RunCommandResult): string;
+
 /**
  * Built-in web search + fetch tools.
  *
@@ -1844,6 +1929,17 @@ interface ReasonixConfig {
      * endpoint). Set to `false` to keep the session offline.
      */
     search?: boolean;
+    /**
+     * Per-project state keyed by absolute directory path. Written by the
+     * "always allow" choice on a shell confirmation prompt; merged into
+     * `registerShellTools({ extraAllowed })` when `reasonix code` runs
+     * against that directory again.
+     */
+    projects?: {
+        [absoluteRootDir: string]: {
+            shellAllowed?: string[];
+        };
+    };
 }
 declare function defaultConfigPath(): string;
 declare function readConfig(path?: string): ReasonixConfig;
@@ -1857,6 +1953,6 @@ declare function redactKey(key: string): string;
 
 /** Reasonix — DeepSeek-native agent framework. Library entry point. */
 
-declare const VERSION = "0.4.15";
+declare const VERSION = "0.4.16";
 
-export { AppendOnlyLog, type ApplyResult, type ApplyStatus, type BranchOptions, type BranchProgress, type BranchResult, type BranchSample, type BranchSelector, type BranchSummary, type BridgeOptions, type BridgeResult, CODE_SYSTEM_PROMPT, CacheFirstLoop, type CacheFirstLoopOptions, type CallToolResult, type ChatMessage, type ChatResponse, DEFAULT_MAX_RESULT_CHARS, DeepSeekClient, type DeepSeekClientOptions, type RenderOptions as DiffRenderOptions, type DiffReport, type DiffSide, type EditBlock, type EditSnapshot, type EventRole, type FilesystemToolsOptions, type FlattenDecision, type FlattenOptions, type GetPromptResult, type HarvestOptions, ImmutablePrefix, type ImmutablePrefixOptions, type InitializeResult, type InspectionReport, type JSONSchema, type JsonRpcMessage, type JsonRpcRequest, type JsonRpcResponse, type ListPromptsResult, type ListResourcesResult, type ListToolsResult, type LoopEvent, MCP_PROTOCOL_VERSION, McpClient, type McpClientOptions, type McpContentBlock, type McpProgressHandler, type McpProgressInfo, type McpPrompt, type McpPromptArgument, type McpPromptMessage, type McpPromptResourceBlock, type McpResource, type McpResourceContents, type McpResourceContentsBlob, type McpResourceContentsText, type McpSpec, type McpTool, type McpToolSchema, type McpTransport, type PageContent, type ProgressNotificationParams, type ReadResourceResult, type ReadTranscriptResult, type ReasonixConfig, type ReconfigurableOptions, type RepairReport, type ReplayStats, type RetryInfo, type RetryOptions, type Role, type ScavengeOptions, type ScavengeResult, type SearchResult, type SectionResult, type SessionInfo, SessionStats, type SessionSummary, type SseMcpSpec, SseTransport, type SseTransportOptions, type StdioMcpSpec, StdioTransport, type StdioTransportOptions, StormBreaker, type StreamChunk, type ToolCall, type ToolCallContext, ToolCallRepair, type ToolCallRepairOptions, type ToolDefinition, type ToolFunctionSpec, ToolRegistry, type ToolSpec, type TranscriptMeta, type TranscriptRecord, type TruncationRepairResult, type TurnPair, type TurnStats, type TypedPlanState, Usage, VERSION, VolatileScratch, type WebFetchOptions, type WebSearchOptions, type WebToolsOptions, aggregateBranchUsage, analyzeSchema, appendSessionMessage, applyEditBlock, applyEditBlocks, bridgeMcpTools, claudeEquivalentCost, codeSystemPrompt, computeReplayStats, costUsd, defaultConfigPath, defaultSelector, deleteSession, diffTranscripts, emptyPlanState, fetchWithRetry, flattenMcpResult, flattenSchema, formatLoopError, formatSearchResults, harvest, healLoadedMessages, htmlToText, inputCostUsd, inspectMcpServer, isJsonRpcError, isPlanStateEmpty, isPlausibleKey, listSessions, loadApiKey, loadDotenv, loadSessionMessages, nestArguments, openTranscriptFile, outputCostUsd, parseEditBlocks, parseMcpSpec, parseMojeekResults, parseTranscript, readConfig, readTranscript, recordFromLoopEvent, redactKey, registerFilesystemTools, registerWebTools, renderMarkdown as renderDiffMarkdown, renderSummaryTable as renderDiffSummary, repairTruncatedJson, replayFromFile, restoreSnapshots, runBranches, sanitizeName as sanitizeSessionName, saveApiKey, scavengeToolCalls, sessionPath, sessionsDir, similarity, snapshotBeforeEdits, stripHallucinatedToolMarkup, truncateForModel, webFetch, webSearch, writeConfig, writeMeta, writeRecord };
+export { AppendOnlyLog, type ApplyResult, type ApplyStatus, type BranchOptions, type BranchProgress, type BranchResult, type BranchSample, type BranchSelector, type BranchSummary, type BridgeOptions, type BridgeResult, CODE_SYSTEM_PROMPT, CacheFirstLoop, type CacheFirstLoopOptions, type CallToolResult, type ChatMessage, type ChatResponse, DEFAULT_MAX_RESULT_CHARS, DeepSeekClient, type DeepSeekClientOptions, type RenderOptions as DiffRenderOptions, type DiffReport, type DiffSide, type EditBlock, type EditSnapshot, type EventRole, type FilesystemToolsOptions, type FlattenDecision, type FlattenOptions, type GetPromptResult, type HarvestOptions, ImmutablePrefix, type ImmutablePrefixOptions, type InitializeResult, type InspectionReport, type JSONSchema, type JsonRpcMessage, type JsonRpcRequest, type JsonRpcResponse, type ListPromptsResult, type ListResourcesResult, type ListToolsResult, type LoopEvent, MCP_PROTOCOL_VERSION, McpClient, type McpClientOptions, type McpContentBlock, type McpProgressHandler, type McpProgressInfo, type McpPrompt, type McpPromptArgument, type McpPromptMessage, type McpPromptResourceBlock, type McpResource, type McpResourceContents, type McpResourceContentsBlob, type McpResourceContentsText, type McpSpec, type McpTool, type McpToolSchema, type McpTransport, NeedsConfirmationError, type PageContent, type ProgressNotificationParams, type ReadResourceResult, type ReadTranscriptResult, type ReasonixConfig, type ReconfigurableOptions, type RepairReport, type ReplayStats, type RetryInfo, type RetryOptions, type Role, type RunCommandResult, type ScavengeOptions, type ScavengeResult, type SearchResult, type SectionResult, type SessionInfo, SessionStats, type SessionSummary, type ShellToolsOptions, type SseMcpSpec, SseTransport, type SseTransportOptions, type StdioMcpSpec, StdioTransport, type StdioTransportOptions, StormBreaker, type StreamChunk, type ToolCall, type ToolCallContext, ToolCallRepair, type ToolCallRepairOptions, type ToolDefinition, type ToolFunctionSpec, ToolRegistry, type ToolSpec, type TranscriptMeta, type TranscriptRecord, type TruncationRepairResult, type TurnPair, type TurnStats, type TypedPlanState, Usage, VERSION, VolatileScratch, type WebFetchOptions, type WebSearchOptions, type WebToolsOptions, aggregateBranchUsage, analyzeSchema, appendSessionMessage, applyEditBlock, applyEditBlocks, bridgeMcpTools, claudeEquivalentCost, codeSystemPrompt, computeReplayStats, costUsd, defaultConfigPath, defaultSelector, deleteSession, diffTranscripts, emptyPlanState, fetchWithRetry, flattenMcpResult, flattenSchema, formatCommandResult, formatLoopError, formatSearchResults, harvest, healLoadedMessages, htmlToText, inputCostUsd, inspectMcpServer, isAllowed, isJsonRpcError, isPlanStateEmpty, isPlausibleKey, listSessions, loadApiKey, loadDotenv, loadSessionMessages, nestArguments, openTranscriptFile, outputCostUsd, parseEditBlocks, parseMcpSpec, parseMojeekResults, parseTranscript, readConfig, readTranscript, recordFromLoopEvent, redactKey, registerFilesystemTools, registerShellTools, registerWebTools, renderMarkdown as renderDiffMarkdown, renderSummaryTable as renderDiffSummary, repairTruncatedJson, replayFromFile, restoreSnapshots, runBranches, runCommand, sanitizeName as sanitizeSessionName, saveApiKey, scavengeToolCalls, sessionPath, sessionsDir, similarity, snapshotBeforeEdits, stripHallucinatedToolMarkup, tokenizeCommand, truncateForModel, webFetch, webSearch, writeConfig, writeMeta, writeRecord };

package/dist/index.js

@@ -47,8 +47,8 @@ function computeWait(attempt, initial, cap, retryAfter) {
 }
 function sleep(ms, signal) {
   if (ms <= 0) return Promise.resolve();
-  return new Promise((resolve4, reject) => {
-    const timer = setTimeout(resolve4, ms);
+  return new Promise((resolve5, reject) => {
+    const timer = setTimeout(resolve5, ms);
     if (signal) {
       const onAbort = () => {
         clearTimeout(timer);
@@ -1488,8 +1488,8 @@ var CacheFirstLoop = class {
             }
           );
           for (let k = 0; k < budget; k++) {
-            const sample = queue.shift() ?? await new Promise((resolve4) => {
-              waiter = resolve4;
+            const sample = queue.shift() ?? await new Promise((resolve5) => {
+              waiter = resolve5;
             });
             yield {
               turn: this._turn,
@@ -2183,6 +2183,221 @@ function lineDiff(a, b) {
   return out;
 }
 
+// src/tools/shell.ts
+import { spawn } from "child_process";
+import * as pathMod2 from "path";
+var DEFAULT_TIMEOUT_SEC = 60;
+var DEFAULT_MAX_OUTPUT_CHARS = 32e3;
+var BUILTIN_ALLOWLIST = [
+  // Repo inspection
+  "git status",
+  "git diff",
+  "git log",
+  "git show",
+  "git blame",
+  "git branch",
+  "git remote",
+  "git rev-parse",
+  "git config --get",
+  // Filesystem inspection
+  "ls",
+  "pwd",
+  "cat",
+  "head",
+  "tail",
+  "wc",
+  "file",
+  "tree",
+  "find",
+  "grep",
+  "rg",
+  // Language version probes
+  "node --version",
+  "node -v",
+  "npm --version",
+  "npx --version",
+  "python --version",
+  "python3 --version",
+  "cargo --version",
+  "go version",
+  "rustc --version",
+  "deno --version",
+  "bun --version",
+  // Test runners (non-destructive by convention)
+  "npm test",
+  "npm run test",
+  "npx vitest run",
+  "npx vitest",
+  "npx jest",
+  "pytest",
+  "python -m pytest",
+  "cargo test",
+  "cargo check",
+  "cargo clippy",
+  "go test",
+  "go vet",
+  "deno test",
+  "bun test",
+  // Linters / typecheckers (read-only by convention)
+  "npm run lint",
+  "npm run typecheck",
+  "npx tsc --noEmit",
+  "npx biome check",
+  "npx eslint",
+  "npx prettier --check",
+  "ruff",
+  "mypy"
+];
+function tokenizeCommand(cmd) {
+  const out = [];
+  let cur = "";
+  let quote = null;
+  for (let i = 0; i < cmd.length; i++) {
+    const ch = cmd[i];
+    if (quote) {
+      if (ch === quote) {
+        quote = null;
+      } else if (ch === "\\" && quote === '"' && i + 1 < cmd.length) {
+        cur += cmd[++i];
+      } else {
+        cur += ch;
+      }
+      continue;
+    }
+    if (ch === '"' || ch === "'") {
+      quote = ch;
+      continue;
+    }
+    if (ch === " " || ch === "	") {
+      if (cur.length > 0) {
+        out.push(cur);
+        cur = "";
+      }
+      continue;
+    }
+    cur += ch;
+  }
+  if (quote) throw new Error(`unclosed ${quote} in command`);
+  if (cur.length > 0) out.push(cur);
+  return out;
+}
+function isAllowed(cmd, extra = []) {
+  const normalized = cmd.trim().replace(/\s+/g, " ");
+  const allowlist = [...BUILTIN_ALLOWLIST, ...extra];
+  for (const prefix of allowlist) {
+    if (normalized === prefix) return true;
+    if (normalized.startsWith(`${prefix} `)) return true;
+  }
+  return false;
+}
+async function runCommand(cmd, opts) {
+  const argv = tokenizeCommand(cmd);
+  if (argv.length === 0) throw new Error("run_command: empty command");
+  const timeoutMs = (opts.timeoutSec ?? DEFAULT_TIMEOUT_SEC) * 1e3;
+  const maxChars = opts.maxOutputChars ?? DEFAULT_MAX_OUTPUT_CHARS;
+  const spawnOpts = {
+    cwd: opts.cwd,
+    shell: false,
+    // no shell-expansion — see header comment
+    windowsHide: true,
+    env: process.env
+  };
+  return await new Promise((resolve5, reject) => {
+    let child;
+    try {
+      child = spawn(argv[0], argv.slice(1), spawnOpts);
+    } catch (err) {
+      reject(err);
+      return;
+    }
+    let buf = "";
+    let timedOut = false;
+    const killTimer = setTimeout(() => {
+      timedOut = true;
+      child.kill("SIGKILL");
+    }, timeoutMs);
+    const onAbort = () => child.kill("SIGKILL");
+    opts.signal?.addEventListener("abort", onAbort, { once: true });
+    const onData = (chunk) => {
+      buf += chunk.toString();
+      if (buf.length > maxChars * 2) buf = `${buf.slice(0, maxChars * 2)}`;
+    };
+    child.stdout?.on("data", onData);
+    child.stderr?.on("data", onData);
+    child.on("error", (err) => {
+      clearTimeout(killTimer);
+      opts.signal?.removeEventListener("abort", onAbort);
+      reject(err);
+    });
+    child.on("close", (code) => {
+      clearTimeout(killTimer);
+      opts.signal?.removeEventListener("abort", onAbort);
+      const output = buf.length > maxChars ? `${buf.slice(0, maxChars)}
+
+[\u2026 truncated ${buf.length - maxChars} chars \u2026]` : buf;
+      resolve5({ exitCode: code, output, timedOut });
+    });
+  });
+}
+var NeedsConfirmationError = class extends Error {
+  command;
+  constructor(command) {
+    super(
+      `run_command: "${command}" needs the user's approval before it runs. STOP calling tools now \u2014 the TUI has already prompted the user to press y (run) or n (deny). Wait for their next message; it will either be the command's output (if they approved) or an instruction to continue without it (if they denied). Don't retry the command or call other shell commands in the meantime.`
+    );
+    this.name = "NeedsConfirmationError";
+    this.command = command;
+  }
+};
+function registerShellTools(registry, opts) {
+  const rootDir = pathMod2.resolve(opts.rootDir);
+  const timeoutSec = opts.timeoutSec ?? DEFAULT_TIMEOUT_SEC;
+  const maxOutputChars = opts.maxOutputChars ?? DEFAULT_MAX_OUTPUT_CHARS;
+  const extraAllowed = opts.extraAllowed ?? [];
+  const allowAll = opts.allowAll ?? false;
+  registry.register({
+    name: "run_command",
+    description: "Run a shell command in the project root and return its combined stdout+stderr. Read-only and test commands (git status, ls, npm test, pytest, cargo test, grep, etc.) run immediately. Anything that could mutate state (npm install, git commit, rm, chmod) is refused and the user has to confirm in the TUI. Prefer this over asking the user to run a command manually \u2014 after edits, run the project's tests to verify.",
+    parameters: {
+      type: "object",
+      properties: {
+        command: {
+          type: "string",
+          description: "Full command line, e.g. 'npm test' or 'git diff src/foo.ts'. Tokenized with POSIX-ish quoting; no shell expansion, no pipes, no redirects."
+        },
+        timeoutSec: {
+          type: "integer",
+          description: `Override the default ${timeoutSec}s timeout for a single command.`
+        }
+      },
+      required: ["command"]
+    },
+    fn: async (args, ctx) => {
+      const cmd = args.command.trim();
+      if (!cmd) throw new Error("run_command: empty command");
+      if (!allowAll && !isAllowed(cmd, extraAllowed)) {
+        throw new NeedsConfirmationError(cmd);
+      }
+      const effectiveTimeout = Math.max(1, Math.min(600, args.timeoutSec ?? timeoutSec));
+      const result = await runCommand(cmd, {
+        cwd: rootDir,
+        timeoutSec: effectiveTimeout,
+        maxOutputChars,
+        signal: ctx?.signal
+      });
+      return formatCommandResult(cmd, result);
+    }
+  });
+  return registry;
+}
+function formatCommandResult(cmd, r) {
+  const header = r.timedOut ? `$ ${cmd}
+[killed after timeout]` : `$ ${cmd}
+[exit ${r.exitCode ?? "?"}]`;
+  return r.output ? `${header}
+${r.output}` : header;
+}
+
 // src/tools/web.ts
 var DEFAULT_FETCH_MAX_CHARS = 32e3;
 var DEFAULT_FETCH_TIMEOUT_MS = 15e3;
@@ -2366,11 +2581,11 @@ ${i + 1}. ${r.title}`);
 
 // src/env.ts
 import { readFileSync as readFileSync2 } from "fs";
-import { resolve as resolve2 } from "path";
+import { resolve as resolve3 } from "path";
 function loadDotenv(path = ".env") {
   let raw;
   try {
-    raw = readFileSync2(resolve2(process.cwd(), path), "utf8");
+    raw = readFileSync2(resolve3(process.cwd(), path), "utf8");
   } catch {
     return;
   }
@@ -3052,7 +3267,7 @@ var McpClient = class {
     const id = this.nextId++;
     const frame = { jsonrpc: "2.0", id, method, params };
     let abortHandler = null;
-    const promise = new Promise((resolve4, reject) => {
+    const promise = new Promise((resolve5, reject) => {
       const timeout = setTimeout(() => {
         this.pending.delete(id);
         if (abortHandler && signal) signal.removeEventListener("abort", abortHandler);
@@ -3061,7 +3276,7 @@ var McpClient = class {
         );
       }, this.requestTimeoutMs);
       this.pending.set(id, {
-        resolve: resolve4,
+        resolve: resolve5,
         reject,
         timeout
       });
@@ -3143,7 +3358,7 @@ var McpClient = class {
 };
 
 // src/mcp/stdio.ts
-import { spawn } from "child_process";
+import { spawn as spawn2 } from "child_process";
 var StdioTransport = class {
   child;
   queue = [];
@@ -3158,14 +3373,14 @@ var StdioTransport = class {
         opts.command,
         ...(opts.args ?? []).map((a) => quoteArg(a, process.platform === "win32"))
       ].join(" ");
-      this.child = spawn(line, [], {
+      this.child = spawn2(line, [], {
         env,
         cwd: opts.cwd,
         stdio: ["pipe", "pipe", "inherit"],
         shell: true
       });
     } else {
-      this.child = spawn(opts.command, opts.args ?? [], {
+      this.child = spawn2(opts.command, opts.args ?? [], {
         env,
         cwd: opts.cwd,
         stdio: ["pipe", "pipe", "inherit"]
@@ -3184,12 +3399,12 @@ var StdioTransport = class {
   }
   async send(message) {
     if (this.closed) throw new Error("MCP transport is closed");
-    return new Promise((resolve4, reject) => {
+    return new Promise((resolve5, reject) => {
       const line = `${JSON.stringify(message)}
 `;
       this.child.stdin.write(line, "utf8", (err) => {
         if (err) reject(err);
-        else resolve4();
+        else resolve5();
       });
     });
   }
@@ -3200,8 +3415,8 @@ var StdioTransport = class {
         continue;
       }
       if (this.closed) return;
-      const next = await new Promise((resolve4) => {
-        this.waiters.push(resolve4);
+      const next = await new Promise((resolve5) => {
+        this.waiters.push(resolve5);
       });
       if (next === null) return;
       yield next;
@@ -3267,8 +3482,8 @@ var SseTransport = class {
   constructor(opts) {
     this.url = opts.url;
     this.headers = opts.headers ?? {};
-    this.endpointReady = new Promise((resolve4, reject) => {
-      this.resolveEndpoint = resolve4;
+    this.endpointReady = new Promise((resolve5, reject) => {
+      this.resolveEndpoint = resolve5;
       this.rejectEndpoint = reject;
     });
     this.endpointReady.catch(() => void 0);
@@ -3295,8 +3510,8 @@ var SseTransport = class {
         continue;
       }
       if (this.closed) return;
-      const next = await new Promise((resolve4) => {
-        this.waiters.push(resolve4);
+      const next = await new Promise((resolve5) => {
+        this.waiters.push(resolve5);
       });
       if (next === null) return;
       yield next;
@@ -3496,7 +3711,7 @@ async function trySection(load) {
 
 // src/code/edit-blocks.ts
 import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync4, unlinkSync as unlinkSync2, writeFileSync as writeFileSync2 } from "fs";
-import { dirname as dirname3, resolve as resolve3 } from "path";
+import { dirname as dirname3, resolve as resolve4 } from "path";
 var BLOCK_RE = /^(\S[^\n]*)\n<{7} SEARCH\n([\s\S]*?)\n?={7}\n([\s\S]*?)\n?>{7} REPLACE/gm;
 function parseEditBlocks(text) {
   const out = [];
@@ -3514,8 +3729,8 @@ function parseEditBlocks(text) {
   return out;
 }
 function applyEditBlock(block, rootDir) {
-  const absRoot = resolve3(rootDir);
-  const absTarget = resolve3(absRoot, block.path);
+  const absRoot = resolve4(rootDir);
+  const absTarget = resolve4(absRoot, block.path);
   if (absTarget !== absRoot && !absTarget.startsWith(`${absRoot}${sep()}`)) {
     return {
       path: block.path,
@@ -3565,13 +3780,13 @@ function applyEditBlocks(blocks, rootDir) {
   return blocks.map((b) => applyEditBlock(b, rootDir));
 }
 function snapshotBeforeEdits(blocks, rootDir) {
-  const absRoot = resolve3(rootDir);
+  const absRoot = resolve4(rootDir);
   const seen = /* @__PURE__ */ new Set();
   const snapshots = [];
   for (const b of blocks) {
     if (seen.has(b.path)) continue;
     seen.add(b.path);
-    const abs = resolve3(absRoot, b.path);
+    const abs = resolve4(absRoot, b.path);
     if (!existsSync2(abs)) {
       snapshots.push({ path: b.path, prevContent: null });
       continue;
@@ -3585,9 +3800,9 @@ function snapshotBeforeEdits(blocks, rootDir) {
   return snapshots;
 }
 function restoreSnapshots(snapshots, rootDir) {
-  const absRoot = resolve3(rootDir);
+  const absRoot = resolve4(rootDir);
   return snapshots.map((snap) => {
-    const abs = resolve3(absRoot, snap.path);
+    const abs = resolve4(absRoot, snap.path);
     if (abs !== absRoot && !abs.startsWith(`${absRoot}${sep()}`)) {
       return {
         path: snap.path,
@@ -3737,7 +3952,7 @@ function redactKey(key) {
 }
 
 // src/index.ts
-var VERSION = "0.4.15";
+var VERSION = "0.4.16";
 export {
   AppendOnlyLog,
   CODE_SYSTEM_PROMPT,
@@ -3747,6 +3962,7 @@ export {
   ImmutablePrefix,
   MCP_PROTOCOL_VERSION,
   McpClient,
+  NeedsConfirmationError,
   SessionStats,
   SseTransport,
   StdioTransport,
@@ -3774,6 +3990,7 @@ export {
   fetchWithRetry,
   flattenMcpResult,
   flattenSchema,
+  formatCommandResult,
   formatLoopError,
   formatSearchResults,
   harvest,
@@ -3781,6 +3998,7 @@ export {
   htmlToText,
   inputCostUsd,
   inspectMcpServer,
+  isAllowed,
   isJsonRpcError,
   isPlanStateEmpty,
   isPlausibleKey,
@@ -3800,6 +4018,7 @@ export {
   recordFromLoopEvent,
   redactKey,
   registerFilesystemTools,
+  registerShellTools,
   registerWebTools,
   renderMarkdown as renderDiffMarkdown,
   renderSummaryTable as renderDiffSummary,
@@ -3807,6 +4026,7 @@ export {
   replayFromFile,
   restoreSnapshots,
   runBranches,
+  runCommand,
   sanitizeName as sanitizeSessionName,
   saveApiKey,
   scavengeToolCalls,
@@ -3815,6 +4035,7 @@ export {
   similarity,
   snapshotBeforeEdits,
   stripHallucinatedToolMarkup,
+  tokenizeCommand,
   truncateForModel,
   webFetch,
   webSearch,