skyloom 1.5.3 → 1.7.0

package/dist/core/longdoc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"longdoc.js","sourceRoot":"","sources":["../../src/core/longdoc.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAgBH,8BAkCC;AAuBD,4CAoCC;AAKD,oDA2BC;AA7HD,SAAgB,SAAS,CAAC,IAAY,EAAE,IAAmB;IACzD,MAAM,EAAE,GAAG,IAAI,EAAE,SAAS,IAAI,IAAI,CAAC;IACnC,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,IAAI,GAAG,CAAC;IAChC,MAAM,GAAG,GAAG,IAAI,EAAE,QAAQ,IAAI,GAAG,CAAC;IAClC,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,IAAI,CAAC,MAAM,IAAI,EAAE,GAAG,GAAG,EAAE,CAAC;QAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAAC,OAAO,MAAM,CAAC;IAAC,CAAC;IAElE,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,OAAO,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAC3B,IAAI,GAAG,GAAG,KAAK,GAAG,EAAE,CAAC;QACrB,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC;QAAC,CAAC;aACzC,CAAC;YACJ,qCAAqC;YACrC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;YACnD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACtD,IAAI,SAAS,GAAG,KAAK,GAAG,GAAG;gBAAE,GAAG,GAAG,SAAS,CAAC;iBACxC,CAAC;gBACJ,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;gBACpD,IAAI,SAAS,GAAG,KAAK,GAAG,GAAG;oBAAE,GAAG,GAAG,SAAS,CAAC;qBACxC,CAAC;oBACJ,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;oBAC/C,IAAI,KAAK,GAAG,KAAK,GAAG,GAAG;wBAAE,GAAG,GAAG,KAAK,CAAC;gBACvC,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3C,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM;YAAE,MAAM;QAC9B,KAAK,GAAG,GAAG,GAAG,EAAE,CAAC;QACjB,IAAI,KAAK,GAAG,CAAC;YAAE,KAAK,GAAG,CAAC,CAAC;IAC3B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAcD,MAAM,oBAAoB,GAAG;;;OAGtB,CAAC;AAER,MAAM,oBAAoB,GAAG;;YAEjB,CAAC;AAEN,KAAK,UAAU,gBAAgB,CACpC,KAAgB,EAChB,IAAY,EACZ,IAAqB;IAErB,MAAM,SAAS,GAAG,IAAI,EAAE,cAAc,IAAI,IAAI,CAAC;IAC/C,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAE/B,yCAAyC;IACzC,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACvB,IAAI,IAAI,CAAC,MAAM,IAAI,SAAS;YAAE,OAAO,IAAI,CAAC;QAC1C,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,WAAW,IAAI,oBAAoB,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACnF,OAAO,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,0CAA0C;IAC1C,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,WAAW,IAAI,oBAAoB,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACxF,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,CAAC,CAAC;YAC9D,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IAEpE,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjF,IAAI,MAAM,CAAC,MAAM,IAAI,SAAS;QAAE,OAAO,MAAM,CAAC;IAE9C,MAAM,WAAW,GAAG,CAAC,IAAI,EAAE,WAAW,IAAI,oBAAoB,CAAC,CAAC,OAAO,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;IAC/F,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC,CAAC;IAC7E,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;AACnC,CAAC;AAED;;6CAE6C;AAC7C,SAAgB,oBAAoB,CAAC,KAAa;IAIhD,MAAM,MAAM,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,IAAqB,EAAE,cAAc,EAAE,IAAyB,EAAE,CAAC;IAEnJ,cAAc;IACd,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACzD,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;YAAC,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC;YAAC,MAAM,CAAC,aAAa,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QAAC,CAAC;QAC7F,MAAM,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAChC,CAAC;IAED,wBAAwB;IACxB,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IAC/C,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;QACvB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/G,MAAM,CAAC,cAAc,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAChG,CAAC;IAED,aAAa;IACb,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACtF,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC;IACvB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/core/security.d.ts

@@ -0,0 +1,73 @@
+/**
+ * 安全与对齐模块 — Security & Alignment
+ *
+ * Danger level grading, red-line enforcement, audit trail, human-in-the-loop.
+ * All security decisions flow through this module before tool execution.
+ */
+export declare enum DangerLevel {
+    /** Read-only, no side effects — auto-approved */
+    SAFE = 0,
+    /** Minor side effects (write single file, git status) — logged */
+    LOW = 1,
+    /** Significant side effects (overwrite, delete, git push) — notify */
+    MEDIUM = 2,
+    /** Dangerous (sudo, remote deploy, mass delete) — confirm */
+    HIGH = 3,
+    /** Red-line — NEVER execute without human-in-the-loop */
+    CRITICAL = 4
+}
+declare const REDLINE_PATTERNS: RegExp[];
+declare const REDLINE_COMMANDS: string[];
+export interface AuditEntry {
+    ts: string;
+    agent: string;
+    tool: string;
+    args: Record<string, any>;
+    dangerLevel: DangerLevel;
+    approved: boolean;
+    result: string;
+    durationMs: number;
+    traceId: string;
+}
+export declare class SecurityContext {
+    auditLog: AuditEntry[];
+    deniedCount: number;
+    autoApprovedCount: number;
+    manualApprovedCount: number;
+    approvalMode: "auto" | "interactive" | "strict";
+    private approvalCallback;
+    constructor(opts?: {
+        mode?: "auto" | "interactive" | "strict";
+        onApprove?: (tool: string, args: Record<string, any>, level: DangerLevel) => Promise<boolean>;
+    });
+    /** Get the danger level for a tool. Defaults to SAFE for unknown tools. */
+    getDangerLevel(toolName: string): DangerLevel;
+    /** Check if arguments contain red-line patterns (critical danger). */
+    checkRedline(toolName: string, args: Record<string, any>): string | null;
+    /** Determine whether a tool call is permitted. Returns [approved, reason]. */
+    checkApproval(toolName: string, args: Record<string, any>, agentName: string): Promise<[boolean, string]>;
+    /** Record an audit entry. */
+    recordAudit(tool: string, agent: string, args: Record<string, any>, dangerLevel: DangerLevel, approved: boolean, resultPreview: string, durationMs: number, traceId: string): void;
+    /** Get summary statistics. */
+    getStats(): {
+        total: number;
+        denied: number;
+        autoApproved: number;
+        manualApproved: number;
+        byLevel: {
+            safe: number;
+            low: number;
+            medium: number;
+            high: number;
+            critical: number;
+        };
+        lastDenied: string[];
+    };
+    /** Install approval callback for interactive mode. */
+    setApprovalCallback(fn: (tool: string, args: Record<string, any>, level: DangerLevel) => Promise<boolean>): void;
+}
+export declare function getSecurity(): SecurityContext;
+export declare function resetSecurity(): void;
+/** Red-line patterns for reference (used by tools to self-check). */
+export { REDLINE_PATTERNS, REDLINE_COMMANDS };
+//# sourceMappingURL=security.d.ts.map

package/dist/core/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/core/security.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAOH,oBAAY,WAAW;IACrB,iDAAiD;IACjD,IAAI,IAAI;IACR,kEAAkE;IAClE,GAAG,IAAI;IACP,sEAAsE;IACtE,MAAM,IAAI;IACV,6DAA6D;IAC7D,IAAI,IAAI;IACR,yDAAyD;IACzD,QAAQ,IAAI;CACb;AAKD,QAAA,MAAM,gBAAgB,UAMrB,CAAC;AAEF,QAAA,MAAM,gBAAgB,UAGrB,CAAC;AAyDF,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1B,WAAW,EAAE,WAAW,CAAC;IACzB,QAAQ,EAAE,OAAO,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;CACjB;AAKD,qBAAa,eAAe;IACnB,QAAQ,EAAE,UAAU,EAAE,CAAM;IAC5B,WAAW,SAAK;IAChB,iBAAiB,SAAK;IACtB,mBAAmB,SAAK;IACxB,YAAY,EAAE,MAAM,GAAG,aAAa,GAAG,QAAQ,CAAU;IAEhE,OAAO,CAAC,gBAAgB,CAAoG;gBAEhH,IAAI,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,GAAG,aAAa,GAAG,QAAQ,CAAC;QAAC,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,WAAW,KAAK,OAAO,CAAC,OAAO,CAAC,CAAA;KAAE;IAK9J,2EAA2E;IAC3E,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,WAAW;IAI7C,sEAAsE;IACtE,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,GAAG,IAAI;IAYxE,8EAA8E;IACxE,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAsC/G,6BAA6B;IAC7B,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,WAAW,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAsBlL,8BAA8B;IAC9B,QAAQ;;;;;;;;;;;;;;IAiBR,sDAAsD;IACtD,mBAAmB,CAAC,EAAE,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,WAAW,KAAK,OAAO,CAAC,OAAO,CAAC;CAG1G;AAKD,wBAAgB,WAAW,IAAI,eAAe,CAG7C;AAED,wBAAgB,aAAa,IAAI,IAAI,CAEpC;AAED,qEAAqE;AACrE,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,CAAC"}

package/dist/core/security.js

@@ -0,0 +1,220 @@
+"use strict";
+/**
+ * 安全与对齐模块 — Security & Alignment
+ *
+ * Danger level grading, red-line enforcement, audit trail, human-in-the-loop.
+ * All security decisions flow through this module before tool execution.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REDLINE_COMMANDS = exports.REDLINE_PATTERNS = exports.SecurityContext = exports.DangerLevel = void 0;
+exports.getSecurity = getSecurity;
+exports.resetSecurity = resetSecurity;
+const logger_1 = require("./logger");
+const log = (0, logger_1.getLogger)("security");
+/* ── Danger levels ── */
+var DangerLevel;
+(function (DangerLevel) {
+    /** Read-only, no side effects — auto-approved */
+    DangerLevel[DangerLevel["SAFE"] = 0] = "SAFE";
+    /** Minor side effects (write single file, git status) — logged */
+    DangerLevel[DangerLevel["LOW"] = 1] = "LOW";
+    /** Significant side effects (overwrite, delete, git push) — notify */
+    DangerLevel[DangerLevel["MEDIUM"] = 2] = "MEDIUM";
+    /** Dangerous (sudo, remote deploy, mass delete) — confirm */
+    DangerLevel[DangerLevel["HIGH"] = 3] = "HIGH";
+    /** Red-line — NEVER execute without human-in-the-loop */
+    DangerLevel[DangerLevel["CRITICAL"] = 4] = "CRITICAL";
+})(DangerLevel || (exports.DangerLevel = DangerLevel = {}));
+/* ═══════════════════════════════════════
+   Red-line list: operations that are NEVER auto-approved
+   ═══════════════════════════════════════ */
+const REDLINE_PATTERNS = [
+    /rm\s+-rf/, /format\s+\w:/, /dd\s+if=/,
+    />\s*\/dev\/sd/, /mkfs\./, /:(){ :\|:& };:/,
+    /sudo\s+rm/, /chmod\s+777\s+\//, /wget.*\|.*sh/,
+    /curl.*\|.*bash/, /eval\s+\$/, /exec\s+\$/,
+    /subprocess\.call.*rm/, /os\.system.*rm/,
+];
+exports.REDLINE_PATTERNS = REDLINE_PATTERNS;
+const REDLINE_COMMANDS = [
+    "shutdown", "reboot", "init 0", "init 6",
+    "del /f /s /q C:\\*", "rd /s /q C:\\",
+];
+exports.REDLINE_COMMANDS = REDLINE_COMMANDS;
+/* ═══════════════════════════════════════
+   Per-tool danger level mapping
+   ═══════════════════════════════════════ */
+const TOOL_DANGER_MAP = {
+    read_file: DangerLevel.SAFE,
+    list_directory: DangerLevel.SAFE,
+    tree: DangerLevel.SAFE,
+    file_search: DangerLevel.SAFE,
+    code_search: DangerLevel.SAFE,
+    grep: DangerLevel.SAFE,
+    git_status: DangerLevel.SAFE,
+    git_diff: DangerLevel.SAFE,
+    git_log: DangerLevel.SAFE,
+    system_info: DangerLevel.SAFE,
+    system_diagnose: DangerLevel.SAFE,
+    list_processes: DangerLevel.SAFE,
+    list_installed_apps: DangerLevel.SAFE,
+    list_skills: DangerLevel.SAFE,
+    recall_facts: DangerLevel.SAFE,
+    mcp_list_servers: DangerLevel.SAFE,
+    write_file: DangerLevel.LOW,
+    edit_file: DangerLevel.LOW,
+    copy_file: DangerLevel.LOW,
+    move_file: DangerLevel.LOW,
+    http_get: DangerLevel.LOW,
+    fetch_page: DangerLevel.LOW,
+    web_search: DangerLevel.LOW,
+    remember_fact: DangerLevel.LOW,
+    use_skill: DangerLevel.LOW,
+    task_done: DangerLevel.LOW,
+    delete_file: DangerLevel.MEDIUM,
+    git_add: DangerLevel.MEDIUM,
+    git_commit: DangerLevel.MEDIUM,
+    git_checkout: DangerLevel.MEDIUM,
+    http_post: DangerLevel.MEDIUM,
+    mcp_add_server: DangerLevel.MEDIUM,
+    mcp_remove_server: DangerLevel.MEDIUM,
+    launch_app: DangerLevel.MEDIUM,
+    open_path: DangerLevel.MEDIUM,
+    browser_open: DangerLevel.MEDIUM,
+    run_bash: DangerLevel.HIGH,
+    shell_exec: DangerLevel.HIGH,
+    kill_process: DangerLevel.HIGH,
+    package_manager: DangerLevel.HIGH,
+    service_control: DangerLevel.HIGH,
+    delegate_to: DangerLevel.HIGH,
+    mcp_scaffold_server: DangerLevel.HIGH,
+};
+/* ═══════════════════════════════════════
+   Security context — per-session security state
+   ═══════════════════════════════════════ */
+class SecurityContext {
+    constructor(opts) {
+        this.auditLog = [];
+        this.deniedCount = 0;
+        this.autoApprovedCount = 0;
+        this.manualApprovedCount = 0;
+        this.approvalMode = "auto";
+        this.approvalCallback = null;
+        if (opts?.mode)
+            this.approvalMode = opts.mode;
+        if (opts?.onApprove)
+            this.approvalCallback = opts.onApprove;
+    }
+    /** Get the danger level for a tool. Defaults to SAFE for unknown tools. */
+    getDangerLevel(toolName) {
+        return TOOL_DANGER_MAP[toolName] ?? DangerLevel.SAFE;
+    }
+    /** Check if arguments contain red-line patterns (critical danger). */
+    checkRedline(toolName, args) {
+        if (toolName !== "run_bash" && toolName !== "shell_exec")
+            return null;
+        const cmd = String(args.command || args.cmd || "").toLowerCase();
+        for (const pattern of REDLINE_PATTERNS) {
+            if (pattern.test(cmd))
+                return `Red-line pattern detected: ${pattern.source.slice(0, 40)}`;
+        }
+        for (const forbidden of REDLINE_COMMANDS) {
+            if (cmd.includes(forbidden))
+                return `Red-line command: ${forbidden}`;
+        }
+        return null;
+    }
+    /** Determine whether a tool call is permitted. Returns [approved, reason]. */
+    async checkApproval(toolName, args, agentName) {
+        const level = this.getDangerLevel(toolName);
+        // Red-line check
+        const redline = this.checkRedline(toolName, args);
+        if (redline) {
+            log.warn("redline_blocked", { agent: agentName, tool: toolName, reason: redline });
+            return [false, redline];
+        }
+        // Safe — always allow
+        if (level === DangerLevel.SAFE)
+            return [true, "safe"];
+        // Strict mode — deny all non-safe
+        if (this.approvalMode === "strict") {
+            return [false, `Strict mode: tool '${toolName}' (level ${level}) requires manual approval`];
+        }
+        // Auto mode — allow LOW, prompt for MEDIUM+, deny CRITICAL
+        if (this.approvalMode === "auto") {
+            if (level <= DangerLevel.LOW)
+                return [true, "auto-low"];
+            if (level === DangerLevel.CRITICAL)
+                return [false, `CRITICAL tool '${toolName}' requires explicit human approval`];
+            // MEDIUM/HIGH with auto mode => need callback
+            if (this.approvalCallback) {
+                const approved = await this.approvalCallback(toolName, args, level);
+                return [approved, approved ? "user-approved" : "user-denied"];
+            }
+            return [true, "auto-med"]; // no callback → auto-allow but log
+        }
+        // Interactive mode — prompt for LOW+
+        if (this.approvalCallback) {
+            const approved = await this.approvalCallback(toolName, args, level);
+            return [approved, approved ? "user-approved" : "user-denied"];
+        }
+        return [true, "no-callback"];
+    }
+    /** Record an audit entry. */
+    recordAudit(tool, agent, args, dangerLevel, approved, resultPreview, durationMs, traceId) {
+        const entry = {
+            ts: new Date().toISOString(),
+            agent, tool, args, dangerLevel, approved,
+            result: resultPreview.slice(0, 500),
+            durationMs, traceId,
+        };
+        this.auditLog.push(entry);
+        if (this.auditLog.length > 5000)
+            this.auditLog.shift();
+        if (approved) {
+            if (dangerLevel >= DangerLevel.HIGH)
+                this.manualApprovedCount++;
+            else
+                this.autoApprovedCount++;
+        }
+        else {
+            this.deniedCount++;
+        }
+        log.info(dangerLevel >= DangerLevel.HIGH ? "dangerous_tool_executed" : "tool_executed", {
+            tool, agent, level: dangerLevel, approved,
+        });
+    }
+    /** Get summary statistics. */
+    getStats() {
+        return {
+            total: this.auditLog.length,
+            denied: this.deniedCount,
+            autoApproved: this.autoApprovedCount,
+            manualApproved: this.manualApprovedCount,
+            byLevel: {
+                safe: this.auditLog.filter(e => e.dangerLevel === DangerLevel.SAFE).length,
+                low: this.auditLog.filter(e => e.dangerLevel === DangerLevel.LOW).length,
+                medium: this.auditLog.filter(e => e.dangerLevel === DangerLevel.MEDIUM).length,
+                high: this.auditLog.filter(e => e.dangerLevel === DangerLevel.HIGH).length,
+                critical: this.auditLog.filter(e => e.dangerLevel === DangerLevel.CRITICAL).length,
+            },
+            lastDenied: this.auditLog.filter(e => !e.approved).slice(-5).map(e => `${e.tool}: ${e.result}`),
+        };
+    }
+    /** Install approval callback for interactive mode. */
+    setApprovalCallback(fn) {
+        this.approvalCallback = fn;
+    }
+}
+exports.SecurityContext = SecurityContext;
+/* ── Global security context ── */
+let globalSecurity = null;
+function getSecurity() {
+    if (!globalSecurity)
+        globalSecurity = new SecurityContext();
+    return globalSecurity;
+}
+function resetSecurity() {
+    globalSecurity = null;
+}
+//# sourceMappingURL=security.js.map

package/dist/core/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/core/security.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAmOH,kCAGC;AAED,sCAEC;AAxOD,qCAAqC;AAErC,MAAM,GAAG,GAAG,IAAA,kBAAS,EAAC,UAAU,CAAC,CAAC;AAElC,yBAAyB;AACzB,IAAY,WAWX;AAXD,WAAY,WAAW;IACrB,iDAAiD;IACjD,6CAAQ,CAAA;IACR,kEAAkE;IAClE,2CAAO,CAAA;IACP,sEAAsE;IACtE,iDAAU,CAAA;IACV,6DAA6D;IAC7D,6CAAQ,CAAA;IACR,yDAAyD;IACzD,qDAAY,CAAA;AACd,CAAC,EAXW,WAAW,2BAAX,WAAW,QAWtB;AAED;;6CAE6C;AAC7C,MAAM,gBAAgB,GAAG;IACvB,UAAU,EAAY,cAAc,EAAU,UAAU;IACxD,eAAe,EAAO,QAAQ,EAAgB,gBAAgB;IAC9D,WAAW,EAAW,kBAAkB,EAAM,cAAc;IAC5D,gBAAgB,EAAM,WAAW,EAAa,WAAW;IACzD,sBAAsB,EAAE,gBAAgB;CACzC,CAAC;AAgNO,4CAAgB;AA9MzB,MAAM,gBAAgB,GAAG;IACvB,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IACxC,oBAAoB,EAAE,eAAe;CACtC,CAAC;AA2MyB,4CAAgB;AAzM3C;;6CAE6C;AAC7C,MAAM,eAAe,GAAgC;IACnD,SAAS,EAAE,WAAW,CAAC,IAAI;IAC3B,cAAc,EAAE,WAAW,CAAC,IAAI;IAChC,IAAI,EAAE,WAAW,CAAC,IAAI;IACtB,WAAW,EAAE,WAAW,CAAC,IAAI;IAC7B,WAAW,EAAE,WAAW,CAAC,IAAI;IAC7B,IAAI,EAAE,WAAW,CAAC,IAAI;IACtB,UAAU,EAAE,WAAW,CAAC,IAAI;IAC5B,QAAQ,EAAE,WAAW,CAAC,IAAI;IAC1B,OAAO,EAAE,WAAW,CAAC,IAAI;IACzB,WAAW,EAAE,WAAW,CAAC,IAAI;IAC7B,eAAe,EAAE,WAAW,CAAC,IAAI;IACjC,cAAc,EAAE,WAAW,CAAC,IAAI;IAChC,mBAAmB,EAAE,WAAW,CAAC,IAAI;IACrC,WAAW,EAAE,WAAW,CAAC,IAAI;IAC7B,YAAY,EAAE,WAAW,CAAC,IAAI;IAC9B,gBAAgB,EAAE,WAAW,CAAC,IAAI;IAElC,UAAU,EAAE,WAAW,CAAC,GAAG;IAC3B,SAAS,EAAE,WAAW,CAAC,GAAG;IAC1B,SAAS,EAAE,WAAW,CAAC,GAAG;IAC1B,SAAS,EAAE,WAAW,CAAC,GAAG;IAC1B,QAAQ,EAAE,WAAW,CAAC,GAAG;IACzB,UAAU,EAAE,WAAW,CAAC,GAAG;IAC3B,UAAU,EAAE,WAAW,CAAC,GAAG;IAC3B,aAAa,EAAE,WAAW,CAAC,GAAG;IAC9B,SAAS,EAAE,WAAW,CAAC,GAAG;IAC1B,SAAS,EAAE,WAAW,CAAC,GAAG;IAE1B,WAAW,EAAE,WAAW,CAAC,MAAM;IAC/B,OAAO,EAAE,WAAW,CAAC,MAAM;IAC3B,UAAU,EAAE,WAAW,CAAC,MAAM;IAC9B,YAAY,EAAE,WAAW,CAAC,MAAM;IAChC,SAAS,EAAE,WAAW,CAAC,MAAM;IAC7B,cAAc,EAAE,WAAW,CAAC,MAAM;IAClC,iBAAiB,EAAE,WAAW,CAAC,MAAM;IACrC,UAAU,EAAE,WAAW,CAAC,MAAM;IAC9B,SAAS,EAAE,WAAW,CAAC,MAAM;IAC7B,YAAY,EAAE,WAAW,CAAC,MAAM;IAEhC,QAAQ,EAAE,WAAW,CAAC,IAAI;IAC1B,UAAU,EAAE,WAAW,CAAC,IAAI;IAC5B,YAAY,EAAE,WAAW,CAAC,IAAI;IAC9B,eAAe,EAAE,WAAW,CAAC,IAAI;IACjC,eAAe,EAAE,WAAW,CAAC,IAAI;IACjC,WAAW,EAAE,WAAW,CAAC,IAAI;IAC7B,mBAAmB,EAAE,WAAW,CAAC,IAAI;CACtC,CAAC;AAiBF;;6CAE6C;AAC7C,MAAa,eAAe;IAS1B,YAAY,IAAkJ;QARvJ,aAAQ,GAAiB,EAAE,CAAC;QAC5B,gBAAW,GAAG,CAAC,CAAC;QAChB,sBAAiB,GAAG,CAAC,CAAC;QACtB,wBAAmB,GAAG,CAAC,CAAC;QACxB,iBAAY,GAAsC,MAAM,CAAC;QAExD,qBAAgB,GAA+F,IAAI,CAAC;QAG1H,IAAI,IAAI,EAAE,IAAI;YAAE,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC;QAC9C,IAAI,IAAI,EAAE,SAAS;YAAE,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC;IAC9D,CAAC;IAED,2EAA2E;IAC3E,cAAc,CAAC,QAAgB;QAC7B,OAAO,eAAe,CAAC,QAAQ,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC;IACvD,CAAC;IAED,sEAAsE;IACtE,YAAY,CAAC,QAAgB,EAAE,IAAyB;QACtD,IAAI,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,YAAY;YAAE,OAAO,IAAI,CAAC;QACtE,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QACjE,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;YACvC,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;gBAAE,OAAO,8BAA8B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QAC5F,CAAC;QACD,KAAK,MAAM,SAAS,IAAI,gBAAgB,EAAE,CAAC;YACzC,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAAE,OAAO,qBAAqB,SAAS,EAAE,CAAC;QACvE,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,8EAA8E;IAC9E,KAAK,CAAC,aAAa,CAAC,QAAgB,EAAE,IAAyB,EAAE,SAAiB;QAChF,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;QAE5C,iBAAiB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAClD,IAAI,OAAO,EAAE,CAAC;YACZ,GAAG,CAAC,IAAI,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACnF,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QAC1B,CAAC;QAED,sBAAsB;QACtB,IAAI,KAAK,KAAK,WAAW,CAAC,IAAI;YAAE,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAEtD,kCAAkC;QAClC,IAAI,IAAI,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;YACnC,OAAO,CAAC,KAAK,EAAE,sBAAsB,QAAQ,YAAY,KAAK,4BAA4B,CAAC,CAAC;QAC9F,CAAC;QAED,2DAA2D;QAC3D,IAAI,IAAI,CAAC,YAAY,KAAK,MAAM,EAAE,CAAC;YACjC,IAAI,KAAK,IAAI,WAAW,CAAC,GAAG;gBAAE,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YACxD,IAAI,KAAK,KAAK,WAAW,CAAC,QAAQ;gBAAE,OAAO,CAAC,KAAK,EAAE,kBAAkB,QAAQ,oCAAoC,CAAC,CAAC;YACnH,8CAA8C;YAC9C,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;gBACpE,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;YAChE,CAAC;YACD,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC,CAAC,mCAAmC;QAChE,CAAC;QAED,qCAAqC;QACrC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC1B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;YACpE,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;IAC/B,CAAC;IAED,6BAA6B;IAC7B,WAAW,CAAC,IAAY,EAAE,KAAa,EAAE,IAAyB,EAAE,WAAwB,EAAE,QAAiB,EAAE,aAAqB,EAAE,UAAkB,EAAE,OAAe;QACzK,MAAM,KAAK,GAAe;YACxB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC5B,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ;YACxC,MAAM,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YACnC,UAAU,EAAE,OAAO;SACpB,CAAC;QACF,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1B,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI;YAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;QAEvD,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,WAAW,IAAI,WAAW,CAAC,IAAI;gBAAE,IAAI,CAAC,mBAAmB,EAAE,CAAC;;gBAC3D,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,WAAW,EAAE,CAAC;QACrB,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,eAAe,EAAE;YACtF,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ;SAC1C,CAAC,CAAC;IACL,CAAC;IAED,8BAA8B;IAC9B,QAAQ;QACN,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;YAC3B,MAAM,EAAE,IAAI,CAAC,WAAW;YACxB,YAAY,EAAE,IAAI,CAAC,iBAAiB;YACpC,cAAc,EAAE,IAAI,CAAC,mBAAmB;YACxC,OAAO,EAAE;gBACP,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CAAC,IAAI,CAAC,CAAC,MAAM;gBAC1E,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CAAC,GAAG,CAAC,CAAC,MAAM;gBACxE,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CAAC,MAAM,CAAC,CAAC,MAAM;gBAC9E,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CAAC,IAAI,CAAC,CAAC,MAAM;gBAC1E,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,WAAW,CAAC,QAAQ,CAAC,CAAC,MAAM;aACnF;YACD,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;SAChG,CAAC;IACJ,CAAC;IAED,sDAAsD;IACtD,mBAAmB,CAAC,EAAqF;QACvG,IAAI,CAAC,gBAAgB,GAAG,EAAE,CAAC;IAC7B,CAAC;CACF;AApHD,0CAoHC;AAED,mCAAmC;AACnC,IAAI,cAAc,GAA2B,IAAI,CAAC;AAElD,SAAgB,WAAW;IACzB,IAAI,CAAC,cAAc;QAAE,cAAc,GAAG,IAAI,eAAe,EAAE,CAAC;IAC5D,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,SAAgB,aAAa;IAC3B,cAAc,GAAG,IAAI,CAAC;AACxB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "skyloom",
-  "version": "1.5.3",
+  "version": "1.7.0",
   "description": "天空织机 Skyloom — 6 weather-themed AI agents: Fog, Rain, Frost, Snow, Dew, Fair",
   "preferGlobal": true,
   "type": "commonjs",

package/src/core/agent.ts

@@ -222,9 +222,11 @@ export class BaseAgent {
   protected injectBehaviorRules(prompt: string): string {
     const lang = (this.config as any).llm?.language || 'zh';
     if (lang === 'en') {
-      return prompt + `\n\n## Behavior\n- Act, don't narrate. No "I will..." before tool calls.\n- Stay in scope. Do what's asked, then stop.\n- Batch independent tool calls in one response.\n- Verify writes: read back, report verified state.\n- Call list_skills when the task needs specialized capabilities.`;
+      return prompt +
+        `\n\n## Thinking Protocol\nBefore acting, briefly weigh: (1) **What** is the actual need? (2) **How** sure am I? If <80%, flag with [uncertain] and ask.\nIf stuck, admit it — propose a partial answer or ask the user. Never fabricate.\n\n## Behavior\n- Act, don't narrate. No "I will..." before tool calls.\n- Stay in scope. Do what's asked, then stop.\n- Batch independent tool calls in one response.\n- Verify writes: read back, report verified state.\n- Call list_skills when the task needs specialized capabilities.`;
     }
-    return prompt + `\n\n## 行为守则\n- 直接行动,不预告。不说「我将要...」,直接调用工具\n- 不擅自扩大范围。用户要什么做什么,核心完成即止\n- 独立的工具调用一次发出,并行执行\n- 写入后回读验证,汇报已验证状态而非仅尝试\n- 任务涉及专业能力时（PPT/Excel/PDF/网页设计/代码审查等），先调 list_skills 查看可用技能，再用 use_skill 激活`;
+    return prompt +
+      `\n\n## 思考协议\n行动前快速判断：(1) 用户真实需求是什么？(2) 我有多大把握？低于80%标注 [不确定] 并主动询问。\n卡住时承认，给出部分答案或请求用户指导。绝不编造。\n\n## 行为守则\n- 直接行动,不预告。不说「我将要...」,直接调用工具\n- 不擅自扩大范围。用户要什么做什么,核心完成即止\n- 独立的工具调用一次发出,并行执行\n- 写入后回读验证,汇报已验证状态而非仅尝试\n- 任务涉及专业能力时（PPT/Excel/PDF/网页设计/代码审查等），先调 list_skills 查看可用技能，再用 use_skill 激活`;
   }
 
   protected injectProgrammingWisdom(prompt: string): string {
@@ -729,7 +731,9 @@ export class BaseAgent {
     try {
       if (onStatus) onStatus('thinking...');
       const response = await this.llmLoop({ onStatus });
-      const content = response?.content || '(no response)';
+      let content = response?.content || '(no response)';
+      // Apply output filter for sensitive info
+      try { const { filterOutput } = require('./filter'); const fr = filterOutput(content); if (fr.redacted) content = fr.clean; } catch {}
       this.memory.addMessage('assistant', content, {
         toolCalls: response?.toolCalls || [],
         reasoningContent: response?.reasoningContent,
@@ -1401,12 +1405,20 @@ export class BaseAgent {
     }
   }
 
+  private _security: any = null;
+  get security(): any { if (!this._security) { try { const { getSecurity } = require('./security'); this._security = getSecurity(); } catch { this._security = {}; } } return this._security; }
+
   protected async checkToolApproval(toolName: string, toolArgs: Record<string, any>): Promise<boolean> {
+    try {
+      const sec = this.security;
+      if (sec?.checkApproval) {
+        const [approved, reason] = await sec.checkApproval(toolName, toolArgs, this.name);
+        if (!approved) log.warn('tool_blocked', { tool: toolName, agent: this.name, reason });
+        return approved;
+      }
+    } catch { /* fall through */ }
     const mode = (this.config as any).cli?.approvalMode || 'auto';
     if (mode === 'strict') return false;
-    if (mode === 'interactive' && this.approvalCallback) {
-      return this.approvalCallback(toolName, toolArgs);
-    }
     return true;
   }
 

package/src/core/arbitrate.ts

@@ -0,0 +1,162 @@
+/**
+ * 多Agent冲突仲裁 — majority voting, quality scoring, tie-breaking.
+ *
+ * When multiple agents produce conflicting outputs on the same task
+ * (or when a reviewer disagrees with an executor), this module
+ * provides structured conflict resolution.
+ */
+
+import type { TaskExecutionResult } from "./factory";
+
+/* ═══════════════════════════════════════
+   Conflict detection
+   ═══════════════════════════════════════ */
+export interface Conflict {
+  taskId: string;
+  results: TaskExecutionResult[];
+  description: string;
+  severity: "low" | "medium" | "high";
+}
+
+/** Detect if two results conflict based on success status and content overlap. */
+export function detectConflicts(results: TaskExecutionResult[]): Conflict[] {
+  const byTask = new Map<string, TaskExecutionResult[]>();
+  for (const r of results) { const id = r.id; if (!byTask.has(id)) byTask.set(id, []); byTask.get(id)!.push(r); }
+
+  const conflicts: Conflict[] = [];
+  for (const [id, items] of byTask) {
+    if (items.length < 2) continue;
+
+    const successes = items.filter(r => r.success);
+    const failures = items.filter(r => !r.success);
+
+    // All succeeded — check content divergence
+    if (successes.length >= 2) {
+      const contents = successes.map(r => (r.content || "").toLowerCase());
+      const similarity = pairwiseSimilarity(contents);
+      if (similarity < 0.3) {
+        conflicts.push({ taskId: id, results: successes, description: "Multiple agents produced divergent successful outputs", severity: "medium" });
+      }
+    }
+
+    // Mix of success and failure
+    if (successes.length > 0 && failures.length > 0) {
+      conflicts.push({ taskId: id, results: items, description: `${successes.length} succeeded, ${failures.length} failed — need tiebreaker`, severity: "medium" });
+    }
+
+    // All failed
+    if (failures.length >= 2 && successes.length === 0) {
+      conflicts.push({ taskId: id, results: failures, description: "All agents failed on this task", severity: "high" });
+    }
+  }
+
+  return conflicts;
+}
+
+/* ═══════════════════════════════════════
+   Content similarity (n-gram Jaccard)
+   ═══════════════════════════════════════ */
+function pairwiseSimilarity(texts: string[]): number {
+  if (texts.length < 2) return 1.0;
+  let total = 0;
+  let count = 0;
+  for (let i = 0; i < texts.length; i++) {
+    for (let j = i + 1; j < texts.length; j++) {
+      total += ngramJaccard(texts[i], texts[j], 3);
+      count++;
+    }
+  }
+  return count === 0 ? 0 : total / count;
+}
+
+function ngramJaccard(a: string, b: string, n: number): number {
+  const as = ngrams(a, n), bs = ngrams(b, n);
+  if (as.size === 0 && bs.size === 0) return 1;
+  let intersection = 0;
+  for (const g of as) { if (bs.has(g)) intersection++; }
+  const union = as.size + bs.size - intersection;
+  return union === 0 ? 0 : intersection / union;
+}
+
+function ngrams(s: string, n: number): Set<string> {
+  const out = new Set<string>();
+  for (let i = 0; i <= s.length - n; i++) out.add(s.slice(i, i + n));
+  return out;
+}
+
+/* ═══════════════════════════════════════
+   Majority voting / arbitration
+   ═══════════════════════════════════════ */
+export interface ArbitrationResult {
+  winner: TaskExecutionResult;
+  method: "unanimous" | "majority" | "tiebreaker" | "single";
+  confidence: number; // 0-1
+  reasoning: string;
+}
+
+/** Pick the best result from conflicting ones via majority vote. */
+export function arbitrate(results: TaskExecutionResult[]): ArbitrationResult {
+  if (results.length === 0) throw new Error("No results to arbitrate");
+  if (results.length === 1) return { winner: results[0], method: "single", confidence: 0.8, reasoning: "Only one result available" };
+
+  const success = results.filter(r => r.success);
+  const fail = results.filter(r => !r.success);
+
+  // All agree (success)
+  if (success.length === results.length) {
+    const longest = success.reduce((a, b) => (b.content || "").length > (a.content || "").length ? b : a);
+    return { winner: longest, method: "unanimous", confidence: 0.95, reasoning: `${results.length}/${results.length} agents agreed` };
+  }
+
+  // Majority success
+  if (success.length > fail.length) {
+    // Pick the longest successful content (most detailed)
+    const best = success.reduce((a, b) => (b.content || "").length > (a.content || "").length ? b : a);
+    return { winner: best, method: "majority", confidence: success.length / results.length, reasoning: `${success.length}/${results.length} succeeded, selected most detailed` };
+  }
+
+  // Majority failure — pick the "closest to success" (longest content)
+  if (fail.length > success.length) {
+    const best = fail.reduce((a, b) => (b.content || "").length > (a.content || "").length ? b : a);
+    return { winner: best, method: "majority", confidence: 0.3, reasoning: `Majority failed (${fail.length}/${results.length}), best-effort from partial output` };
+  }
+
+  // Tie — prefer success, or longest content
+  const tie = success.length > 0 ? success[0] : fail[0];
+  return { winner: tie, method: "tiebreaker", confidence: 0.5, reasoning: `Tie — selected ${tie.success ? "success" : "longest"} result` };
+}
+
+/* ═══════════════════════════════════════
+   Quality scoring for individual results
+   ═══════════════════════════════════════ */
+export interface QualityScore {
+  score: number;         // 0-100
+  completeness: number;  // how much of the task was addressed
+  richness: number;      // detail level of the output
+  correctness: number;   // did it match expectations (requires ground truth)
+}
+
+export function scoreQuality(result: TaskExecutionResult): QualityScore {
+  const content = result.content || "";
+
+  // Completeness: length is a weak proxy but useful
+  const completeness = content.length > 500 ? 80 : content.length > 100 ? 50 : content.length > 0 ? 20 : 0;
+
+  // Richness: code blocks, structured output, bullet points
+  let richness = 50;
+  if (/```/.test(content)) richness += 20;
+  if (/\|.*\|.*\|/.test(content)) richness += 15; // tables
+  if (/^[-*] /.test(content)) richness += 10;      // bullets
+  if (/\d+\./.test(content)) richness += 10;        // numbered lists
+  richness = Math.min(100, richness);
+
+  // Correctness: basic sanity checks
+  let correctness = 70;
+  if (content.includes("Error") || content.includes("error")) correctness -= 20;
+  if (content.includes("[REDACTED]")) correctness -= 10;
+  if (content.includes("truncated")) correctness -= 15;
+  correctness = Math.max(0, correctness);
+
+  const score = Math.round((completeness * 0.3 + richness * 0.3 + correctness * 0.4));
+  return { score, completeness, richness, correctness };
+}

package/src/core/estimate.ts

@@ -0,0 +1,104 @@
+/**
+ * 资源估算模块 — Token & time budget estimation for task planning.
+ *
+ * Helps Snow and other planning agents estimate the cost of
+ * proposed sub-tasks before committing to execution.
+ */
+
+import type { Task } from "./agent";
+
+/* ═══════════════════════════════════════
+   Token estimation
+   ═══════════════════════════════════════ */
+const CJK_REGEX = /[一-鿿぀-ゟ가-힯㐀-䶿]/g;
+
+/** Estimate tokens for a given text (CJK ~2 each, ASCII ~4 chars each). */
+export function estimateTokens(text: string): number {
+  const cjk = (text.match(CJK_REGEX) || []).length;
+  return cjk * 2 + Math.ceil((text.length - cjk) / 4);
+}
+
+/* ═══════════════════════════════════════
+   Per-task-type cost estimates
+   ═══════════════════════════════════════ */
+const TASK_TYPE_PATTERNS: Array<[RegExp, number, number]> = [
+  // [pattern, estimated tokens, estimated tools]
+  [/read|read_file|grep|search|查|搜索|list/i, 2000, 2],
+  [/write|write_file|生成|写|create|implement/i, 4000, 5],
+  [/edit|edit_file|改|修改|fix|修复/i, 3000, 3],
+  [/delete|delete_file|删|rm/i, 1500, 2],
+  [/deploy|部署|publish|发布|release/i, 8000, 8],
+  [/review|审查|audit|审计|scan|扫描/i, 5000, 4],
+  [/test|测试|run_test|coverage/i, 3000, 3],
+  [/research|研究|调研|analyze|分析/i, 6000, 4],
+  [/orchestrate|编排|multi-step|多步/i, 12000, 10],
+];
+
+/** Estimate cost for a single task description. */
+export function estimateTaskCost(description: string): { tokens: number; tools: number; timeSeconds: number } {
+  let tokens = 2000; // base
+  let tools = 2;     // base
+  for (const [pattern, t, tc] of TASK_TYPE_PATTERNS) {
+    if (pattern.test(description)) { tokens = Math.max(tokens, t); tools = Math.max(tools, tc); }
+  }
+
+  // Time estimate: ~0.5s per tool call + 2s per 1k tokens
+  const timeSeconds = (tokens / 1000) * 2 + tools * 0.5 + 2;
+  return { tokens, tools, timeSeconds };
+}
+
+/* ═══════════════════════════════════════
+   Task plan cost summary
+   ═══════════════════════════════════════ */
+export interface PlanEstimate {
+  totalTokens: number;
+  totalTools: number;
+  totalTimeSeconds: number;
+  perTask: Array<{ id: string; tokens: number; tools: number; time: number }>;
+  warnings: string[];
+}
+
+export function estimateTaskPlan(tasks: Task[]): PlanEstimate {
+  const perTask: PlanEstimate["perTask"] = [];
+  let totalTokens = 500; // system prompt overhead
+  let totalTools = 0;
+  let totalTime = 5; // init overhead
+  const warnings: string[] = [];
+
+  for (const t of tasks) {
+    const est = estimateTaskCost(t.description);
+    perTask.push({ id: t.id, tokens: est.tokens, tools: est.tools, time: est.timeSeconds });
+    totalTokens += est.tokens;
+    totalTools += est.tools;
+    totalTime += est.timeSeconds;
+
+    if (est.timeSeconds > 60) warnings.push(`Task ${t.id} may take >${Math.round(est.timeSeconds)}s`);
+    if (est.tools > 10) warnings.push(`Task ${t.id} uses many tool calls (${est.tools})`);
+  }
+
+  if (totalTokens > 64000) warnings.push(`Total token estimate (${totalTokens}) exceeds typical context window`);
+  if (totalTime > 120) warnings.push(`Estimated total time (${Math.round(totalTime)}s) is significant`);
+  if (tasks.length > 6) warnings.push(`Large number of sub-tasks (${tasks.length}) — consider merging simpler ones`);
+
+  return { totalTokens, totalTools, totalTimeSeconds: Math.round(totalTime), perTask, warnings };
+}
+
+/* ═══════════════════════════════════════
+   Format estimate for display
+   ═══════════════════════════════════════ */
+export function formatPlanEstimate(est: PlanEstimate): string {
+  const lines: string[] = [
+    `## Plan Estimate`,
+    `| Task | Tokens | Tools | Time |`,
+    `|------|--------|-------|------|`,
+    ...est.perTask.map(t => `| ${t.id} | ${t.tokens} | ${t.tools} | ${t.time.toFixed(0)}s |`),
+    `| **Total** | **${est.totalTokens}** | **${est.totalTools}** | **${est.totalTimeSeconds}s** |`,
+  ];
+
+  if (est.warnings.length > 0) {
+    lines.push("", "### Warnings");
+    for (const w of est.warnings) lines.push(`- ⚠ ${w}`);
+  }
+
+  return lines.join("\n");
+}