tarsk 0.5.34 → 0.5.36

package/dist/index.js

@@ -191,18 +191,18 @@ __export(database_exports, {
   initializeSchema: () => initializeSchema
 });
 import { createClient } from "@libsql/client";
-import { join as join3 } from "path";
-import { homedir as homedir3 } from "os";
+import { join as join2 } from "path";
+import { homedir as homedir2 } from "os";
 import { mkdirSync } from "fs";
 function getDatabasePath() {
-  const appSupportDir = join3(homedir3(), "Library", "Application Support", "Tarsk");
-  const dataDir = join3(appSupportDir, "data");
-  return join3(dataDir, "tarsk.db");
+  const appSupportDir = join2(homedir2(), "Library", "Application Support", "Tarsk");
+  const dataDir = join2(appSupportDir, "data");
+  return join2(dataDir, "tarsk.db");
 }
 async function initializeDatabase() {
   const dbPath = getDatabasePath();
   try {
-    const dataDir = join3(homedir3(), "Library", "Application Support", "Tarsk", "data");
+    const dataDir = join2(homedir2(), "Library", "Application Support", "Tarsk", "data");
     mkdirSync(dataDir, { recursive: true });
     const db = createClient({
       url: `file:${dbPath}`
@@ -900,6 +900,27 @@ async function runMigrations(db) {
         CREATE INDEX idx_project_scripts_projectId ON project_scripts(projectId)
       `);
     }
+    const projectEnvVarsExists = await db.execute(
+      `SELECT name FROM sqlite_master WHERE type='table' AND name='project_env_vars'`
+    );
+    if (projectEnvVarsExists.rows.length === 0) {
+      tarskDebugLog("[db] Running migration: Creating project_env_vars table");
+      await db.execute(`
+        CREATE TABLE project_env_vars (
+          id TEXT PRIMARY KEY,
+          projectId TEXT NOT NULL,
+          name TEXT NOT NULL,
+          encryptedValue TEXT NOT NULL,
+          createdAt TEXT NOT NULL,
+          updatedAt TEXT NOT NULL,
+          FOREIGN KEY (projectId) REFERENCES projects(id) ON DELETE CASCADE,
+          UNIQUE(projectId, name)
+        )
+      `);
+      await db.execute(`
+        CREATE INDEX idx_project_env_vars_projectId ON project_env_vars(projectId)
+      `);
+    }
   } catch (error) {
     console.error("Failed to run migrations:", error);
     throw error;
@@ -927,7 +948,7 @@ var init_database = __esm({
 });
 
 // src/server.ts
-import { serve } from "@hono/node-server";
+import { createAdaptorServer } from "@hono/node-server";
 import { serveStatic } from "@hono/node-server/serve-static";
 
 // ../shared/dist/programs.js
@@ -1554,6 +1575,59 @@ function isSameFetchHost(a, b) {
   return normalizeFetchHostname(a) === normalizeFetchHostname(b);
 }
 
+// ../shared/dist/explorer-media.js
+var EXPLORER_IMAGE_EXTENSIONS = /* @__PURE__ */ new Set([
+  "png",
+  "jpg",
+  "jpeg",
+  "gif",
+  "webp",
+  "svg",
+  "ico",
+  "bmp",
+  "tiff",
+  "tif"
+]);
+var EXPLORER_VIDEO_EXTENSIONS = /* @__PURE__ */ new Set(["mp4", "webm", "mov", "avi"]);
+var EXPLORER_MEDIA_MIME_TYPES = {
+  png: "image/png",
+  jpg: "image/jpeg",
+  jpeg: "image/jpeg",
+  gif: "image/gif",
+  webp: "image/webp",
+  svg: "image/svg+xml",
+  ico: "image/x-icon",
+  bmp: "image/bmp",
+  tiff: "image/tiff",
+  tif: "image/tiff",
+  mp4: "video/mp4",
+  webm: "video/webm",
+  mov: "video/quicktime",
+  avi: "video/x-msvideo"
+};
+function getFileExtension(filename) {
+  const trimmed = filename.trim();
+  const basename5 = trimmed.split(/[/\\]/).pop() ?? trimmed;
+  const dotIndex = basename5.lastIndexOf(".");
+  if (dotIndex <= 0 || dotIndex === basename5.length - 1) {
+    return "";
+  }
+  return basename5.slice(dotIndex + 1).toLowerCase();
+}
+function getExplorerFileMediaType(path7, name) {
+  const ext = getFileExtension(path7) || (name ? getFileExtension(name) : "");
+  if (!ext) {
+    return null;
+  }
+  if (EXPLORER_IMAGE_EXTENSIONS.has(ext)) {
+    return "image";
+  }
+  if (EXPLORER_VIDEO_EXTENSIONS.has(ext)) {
+    return "video";
+  }
+  return null;
+}
+
 // src/server.ts
 import fs3 from "fs";
 import { Hono as Hono26 } from "hono";
@@ -1580,10 +1654,10 @@ function createMcpThinkingEvent(content) {
 // src/tools/bash.ts
 init_tarsk_debug();
 init_utils();
-import { randomBytes } from "node:crypto";
+import { randomBytes as randomBytes2 } from "node:crypto";
 import { createWriteStream, existsSync as existsSync3 } from "node:fs";
 import { tmpdir } from "node:os";
-import { join as join2 } from "node:path";
+import { join as join3 } from "node:path";
 import { Type } from "@sinclair/typebox";
 
 // src/tools/shell.ts
@@ -1718,172 +1792,649 @@ function killProcessTree(pid) {
   }
 }
 
-// src/tools/truncate.ts
-var DEFAULT_MAX_LINES = 2e3;
-var DEFAULT_MAX_BYTES = 50 * 1024;
-var GREP_MAX_LINE_LENGTH = 500;
-function formatSize(bytes) {
-  if (bytes < 1024) {
-    return `${bytes}B`;
-  } else if (bytes < 1024 * 1024) {
-    return `${(bytes / 1024).toFixed(1)}KB`;
-  } else {
-    return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
-  }
-}
-function truncateHead(content, options = {}) {
-  const maxLines = options.maxLines ?? DEFAULT_MAX_LINES;
-  const maxBytes = options.maxBytes ?? DEFAULT_MAX_BYTES;
-  const totalBytes = Buffer.byteLength(content, "utf-8");
-  const lines = content.split("\n");
-  const totalLines = lines.length;
-  if (totalLines <= maxLines && totalBytes <= maxBytes) {
-    return {
-      content,
-      truncated: false,
-      truncatedBy: null,
-      totalLines,
-      totalBytes,
-      outputLines: totalLines,
-      outputBytes: totalBytes,
-      lastLinePartial: false,
-      firstLineExceedsLimit: false,
-      maxLines,
-      maxBytes
-    };
-  }
-  const firstLineBytes = Buffer.byteLength(lines[0], "utf-8");
-  if (firstLineBytes > maxBytes) {
-    return {
-      content: "",
-      truncated: true,
-      truncatedBy: "bytes",
-      totalLines,
-      totalBytes,
-      outputLines: 0,
-      outputBytes: 0,
-      lastLinePartial: false,
-      firstLineExceedsLimit: true,
-      maxLines,
-      maxBytes
-    };
-  }
-  const outputLinesArr = [];
-  let outputBytesCount = 0;
-  let truncatedBy = "lines";
-  for (let i = 0; i < lines.length && i < maxLines; i++) {
-    const line = lines[i];
-    const lineBytes = Buffer.byteLength(line, "utf-8") + (i > 0 ? 1 : 0);
-    if (outputBytesCount + lineBytes > maxBytes) {
-      truncatedBy = "bytes";
-      break;
+// src/features/projects/project-env-vars.ts
+init_database();
+
+// src/core/crypto.ts
+init_database();
+import { createCipheriv, createDecipheriv, randomBytes, createHash } from "crypto";
+import { networkInterfaces, hostname } from "os";
+var ALGORITHM = "aes-256-gcm";
+var IV_LENGTH = 16;
+function getMachineKey() {
+  try {
+    const interfaces = networkInterfaces();
+    let macAddress = "";
+    for (const name of Object.keys(interfaces)) {
+      const iface = interfaces[name];
+      if (iface) {
+        for (const addr of iface) {
+          if (addr.mac && addr.mac !== "00:00:00:00:00:00" && !addr.internal) {
+            macAddress = addr.mac;
+            break;
+          }
+        }
+        if (macAddress) break;
+      }
     }
-    outputLinesArr.push(line);
-    outputBytesCount += lineBytes;
-  }
-  if (outputLinesArr.length >= maxLines && outputBytesCount <= maxBytes) {
-    truncatedBy = "lines";
+    const host = hostname();
+    const homeDir = process.env.HOME ?? process.env.USERPROFILE ?? "";
+    const machineId = `${macAddress}-${host}-${homeDir}`;
+    return createHash("sha256").update(machineId).digest();
+  } catch {
+    return Buffer.from("Invalid", "utf8");
   }
-  const outputContent = outputLinesArr.join("\n");
-  const finalOutputBytes = Buffer.byteLength(outputContent, "utf-8");
-  return {
-    content: outputContent,
-    truncated: true,
-    truncatedBy,
-    totalLines,
-    totalBytes,
-    outputLines: outputLinesArr.length,
-    outputBytes: finalOutputBytes,
-    lastLinePartial: false,
-    firstLineExceedsLimit: false,
-    maxLines,
-    maxBytes
-  };
 }
-function truncateTail(content, options = {}) {
-  const maxLines = options.maxLines ?? DEFAULT_MAX_LINES;
-  const maxBytes = options.maxBytes ?? DEFAULT_MAX_BYTES;
-  const totalBytes = Buffer.byteLength(content, "utf-8");
-  const lines = content.split("\n");
-  const totalLines = lines.length;
-  if (totalLines <= maxLines && totalBytes <= maxBytes) {
-    return {
-      content,
-      truncated: false,
-      truncatedBy: null,
-      totalLines,
-      totalBytes,
-      outputLines: totalLines,
-      outputBytes: totalBytes,
-      lastLinePartial: false,
-      firstLineExceedsLimit: false,
-      maxLines,
-      maxBytes
-    };
-  }
-  const outputLinesArr = [];
-  let outputBytesCount = 0;
-  let truncatedBy = "lines";
-  let lastLinePartial = false;
-  for (let i = lines.length - 1; i >= 0 && outputLinesArr.length < maxLines; i--) {
-    const line = lines[i];
-    const lineBytes = Buffer.byteLength(line, "utf-8") + (outputLinesArr.length > 0 ? 1 : 0);
-    if (outputBytesCount + lineBytes > maxBytes) {
-      truncatedBy = "bytes";
-      if (outputLinesArr.length === 0) {
-        const truncatedLine = truncateStringToBytesFromEnd(line, maxBytes);
-        outputLinesArr.unshift(truncatedLine);
-        outputBytesCount = Buffer.byteLength(truncatedLine, "utf-8");
-        lastLinePartial = true;
+async function getEncryptionKey() {
+  try {
+    const db = await getDatabase();
+    const result = await db.execute({
+      sql: "SELECT value FROM state WHERE key = ?",
+      args: ["encryption_key"]
+    });
+    if (result.rows.length > 0 && result.rows[0].value) {
+      const storedValue = result.rows[0].value;
+      try {
+        const parsed = JSON.parse(storedValue);
+        return Buffer.from(parsed, "base64");
+      } catch {
+        return Buffer.from(storedValue, "base64");
       }
-      break;
     }
-    outputLinesArr.unshift(line);
-    outputBytesCount += lineBytes;
-  }
-  if (outputLinesArr.length >= maxLines && outputBytesCount <= maxBytes) {
-    truncatedBy = "lines";
+    const machineKey = getMachineKey();
+    await db.execute({
+      sql: "INSERT OR REPLACE INTO state (key, value) VALUES (?, ?)",
+      args: ["encryption_key", machineKey.toString("base64")]
+    });
+    return machineKey;
+  } catch {
+    return getMachineKey();
   }
-  const outputContent = outputLinesArr.join("\n");
-  const finalOutputBytes = Buffer.byteLength(outputContent, "utf-8");
-  return {
-    content: outputContent,
-    truncated: true,
-    truncatedBy,
-    totalLines,
-    totalBytes,
-    outputLines: outputLinesArr.length,
-    outputBytes: finalOutputBytes,
-    lastLinePartial,
-    firstLineExceedsLimit: false,
-    maxLines,
-    maxBytes
-  };
 }
-function truncateStringToBytesFromEnd(str, maxBytes) {
-  const buf = Buffer.from(str, "utf-8");
-  if (buf.length <= maxBytes) {
-    return str;
-  }
-  let start = buf.length - maxBytes;
-  while (start < buf.length && (buf[start] & 192) === 128) {
-    start++;
+async function encrypt(plaintext) {
+  if (!plaintext) {
+    return "";
   }
-  return buf.slice(start).toString("utf-8");
+  const key = await getEncryptionKey();
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  let encrypted = cipher.update(plaintext, "utf8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag();
+  const result = `${iv.toString("base64")}:${authTag.toString("base64")}:${encrypted}`;
+  return result;
 }
-function truncateLine(line, maxChars = GREP_MAX_LINE_LENGTH) {
-  if (line.length <= maxChars) {
-    return { text: line, wasTruncated: false };
+async function decrypt(encryptedData) {
+  if (!encryptedData) {
+    return "";
   }
-  return { text: `${line.slice(0, maxChars)}... [truncated]`, wasTruncated: true };
-}
-
-// src/tools/bash.ts
-function getTempFilePath() {
-  return join2(tmpdir(), `tarsk-bash-${randomBytes(8).toString("hex")}.log`);
-}
-var bashSchema = Type.Object({
-  command: Type.String({ description: "Bash command to execute" }),
+  try {
+    const parts = encryptedData.split(":");
+    if (parts.length !== 3) {
+      throw new Error("Invalid encrypted data format");
+    }
+    const [ivBase64, authTagBase64, encrypted] = parts;
+    const key = await getEncryptionKey();
+    const iv = Buffer.from(ivBase64, "base64");
+    const authTag = Buffer.from(authTagBase64, "base64");
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encrypted, "base64", "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  } catch (error) {
+    throw new Error(
+      `Decryption failed: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
+function isEncrypted(value) {
+  if (!value) {
+    return false;
+  }
+  const parts = value.split(":");
+  if (parts.length !== 3) {
+    return false;
+  }
+  const base64Regex = /^[A-Za-z0-9+/]+=*$/;
+  return parts.every((part) => base64Regex.test(part));
+}
+
+// src/database/database.encryption.ts
+async function encryptProviderKey(key) {
+  if (!key) {
+    return "";
+  }
+  return await encrypt(key);
+}
+async function decryptProviderKey(encrypted) {
+  if (!encrypted) {
+    return "";
+  }
+  try {
+    return await decrypt(encrypted);
+  } catch (error) {
+    console.error("Failed to decrypt provider key:", error);
+    throw error;
+  }
+}
+function isEncryptedKey(value) {
+  return isEncrypted(value);
+}
+
+// src/features/projects/project-env-vars.database.ts
+import { randomUUID } from "node:crypto";
+async function listProjectEnvVarNames(db, projectId) {
+  const result = await db.execute(
+    `SELECT name FROM project_env_vars WHERE projectId = ? ORDER BY name ASC`,
+    [projectId]
+  );
+  return result.rows;
+}
+async function listProjectEnvVars(db, projectId) {
+  const result = await db.execute(
+    `SELECT id, projectId, name, encryptedValue, createdAt, updatedAt
+     FROM project_env_vars WHERE projectId = ? ORDER BY name ASC`,
+    [projectId]
+  );
+  return result.rows;
+}
+async function upsertProjectEnvVar(db, projectId, name, value) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const encryptedValue = await encryptProviderKey(value);
+  const existing = await db.execute(
+    `SELECT id FROM project_env_vars WHERE projectId = ? AND name = ?`,
+    [projectId, name]
+  );
+  if (existing.rows.length > 0) {
+    await db.execute(
+      `UPDATE project_env_vars SET encryptedValue = ?, updatedAt = ? WHERE projectId = ? AND name = ?`,
+      [encryptedValue, now, projectId, name]
+    );
+    return;
+  }
+  await db.execute(
+    `INSERT INTO project_env_vars (id, projectId, name, encryptedValue, createdAt, updatedAt)
+     VALUES (?, ?, ?, ?, ?, ?)`,
+    [randomUUID(), projectId, name, encryptedValue, now, now]
+  );
+}
+async function deleteProjectEnvVarsNotIn(db, projectId, names) {
+  if (names.length === 0) {
+    await db.execute(`DELETE FROM project_env_vars WHERE projectId = ?`, [projectId]);
+    return;
+  }
+  const placeholders = names.map(() => "?").join(", ");
+  await db.execute(
+    `DELETE FROM project_env_vars WHERE projectId = ? AND name NOT IN (${placeholders})`,
+    [projectId, ...names]
+  );
+}
+
+// src/features/projects/project-env-vars.ts
+function isValidProjectEnvVarName(name) {
+  return /^[A-Z_][A-Z0-9_]*$/.test(name);
+}
+async function getDecryptedProjectEnvVars(projectId) {
+  const db = await getDatabase();
+  const rows = await listProjectEnvVars(db, projectId);
+  const env = {};
+  for (const row of rows) {
+    env[row.name] = await decryptProviderKey(row.encryptedValue);
+  }
+  return env;
+}
+function mergeEnvVars(baseEnv, projectEnv) {
+  if (!projectEnv || Object.keys(projectEnv).length === 0) {
+    return baseEnv;
+  }
+  return { ...baseEnv, ...projectEnv };
+}
+
+// src/features/shell-permissions/command-pattern.ts
+var ENV_ASSIGNMENT_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*=/;
+function stripLeadingEnvAssignments(command) {
+  let remaining = command.trim();
+  while (remaining.length > 0) {
+    const tokenMatch = remaining.match(/^(\S+)\s*/);
+    if (!tokenMatch) {
+      break;
+    }
+    const token = tokenMatch[1];
+    if (!ENV_ASSIGNMENT_PATTERN.test(token)) {
+      break;
+    }
+    remaining = remaining.slice(tokenMatch[0].length).trimStart();
+  }
+  return remaining;
+}
+function tokenizeCommand(command) {
+  const tokens = [];
+  let current = "";
+  let quote = null;
+  let escaped = false;
+  for (const char of command) {
+    if (escaped) {
+      current += char;
+      escaped = false;
+      continue;
+    }
+    if (char === "\\") {
+      escaped = true;
+      continue;
+    }
+    if (quote) {
+      if (char === quote) {
+        quote = null;
+      } else {
+        current += char;
+      }
+      continue;
+    }
+    if (char === "'" || char === '"') {
+      quote = char;
+      continue;
+    }
+    if (/\s/.test(char)) {
+      if (current.length > 0) {
+        tokens.push(current);
+        current = "";
+      }
+      continue;
+    }
+    current += char;
+  }
+  if (current.length > 0) {
+    tokens.push(current);
+  }
+  return tokens;
+}
+function getCommandTokens(command) {
+  return tokenizeCommand(stripLeadingEnvAssignments(command));
+}
+function buildWildcardPattern(tokens, wildcardTokenCount) {
+  const prefix = tokens.slice(0, wildcardTokenCount);
+  if (prefix.length === 0) {
+    return commandToPatternString(tokens);
+  }
+  return `${prefix.join(" ")} *`;
+}
+function commandToPatternString(tokens) {
+  return tokens.join(" ");
+}
+function buildWildcardOptions(command) {
+  const tokens = getCommandTokens(command);
+  const options = [];
+  if (tokens.length >= 1) {
+    const oneTokenPattern = buildWildcardPattern(tokens, 1);
+    options.push(
+      {
+        label: `Allow ${oneTokenPattern} (this session)`,
+        pattern: oneTokenPattern,
+        scope: "session"
+      },
+      {
+        label: `Allow ${oneTokenPattern} (always for this project)`,
+        pattern: oneTokenPattern,
+        scope: "project"
+      }
+    );
+  }
+  if (tokens.length >= 2) {
+    const twoTokenPattern = buildWildcardPattern(tokens, 2);
+    options.push(
+      {
+        label: `Allow ${twoTokenPattern} (this session)`,
+        pattern: twoTokenPattern,
+        scope: "session"
+      },
+      {
+        label: `Allow ${twoTokenPattern} (always for this project)`,
+        pattern: twoTokenPattern,
+        scope: "project"
+      }
+    );
+  }
+  return options;
+}
+function parsePattern(pattern) {
+  const trimmed = pattern.trim();
+  if (trimmed.endsWith(" *")) {
+    return {
+      tokens: tokenizeCommand(trimmed.slice(0, -2).trim()),
+      hasWildcard: true
+    };
+  }
+  return {
+    tokens: tokenizeCommand(trimmed),
+    hasWildcard: false
+  };
+}
+function commandMatchesPattern(command, pattern) {
+  const commandTokens = getCommandTokens(command);
+  const parsedPattern = parsePattern(pattern);
+  if (!parsedPattern.hasWildcard) {
+    return command.trim() === pattern.trim();
+  }
+  if (parsedPattern.tokens.length === 0) {
+    return false;
+  }
+  if (commandTokens.length < parsedPattern.tokens.length) {
+    return false;
+  }
+  for (let index = 0; index < parsedPattern.tokens.length; index++) {
+    if (commandTokens[index] !== parsedPattern.tokens[index]) {
+      return false;
+    }
+  }
+  return true;
+}
+function commandMatchesAnyPattern(command, patterns) {
+  return patterns.some((pattern) => commandMatchesPattern(command, pattern));
+}
+
+// src/tools/path-utils.ts
+import { accessSync, constants } from "node:fs";
+import * as os from "node:os";
+import { isAbsolute, resolve as resolvePath, relative } from "node:path";
+var UNICODE_SPACES = /[\u00A0\u2000-\u200A\u202F\u205F\u3000]/g;
+var NARROW_NO_BREAK_SPACE = "\u202F";
+function normalizeUnicodeSpaces(str) {
+  return str.replace(UNICODE_SPACES, " ");
+}
+function tryMacOSScreenshotPath(filePath) {
+  return filePath.replace(/ (AM|PM)\./g, `${NARROW_NO_BREAK_SPACE}$1.`);
+}
+function tryNFDVariant(filePath) {
+  return filePath.normalize("NFD");
+}
+function tryCurlyQuoteVariant(filePath) {
+  return filePath.replace(/'/g, "\u2019");
+}
+function fileExists(filePath) {
+  try {
+    accessSync(filePath, constants.F_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function normalizeAtPrefix(filePath) {
+  return filePath.startsWith("@") ? filePath.slice(1) : filePath;
+}
+function expandPath(filePath) {
+  const normalized = normalizeUnicodeSpaces(normalizeAtPrefix(filePath));
+  if (normalized === "~") {
+    return os.homedir();
+  }
+  if (normalized.startsWith("~/")) {
+    return os.homedir() + normalized.slice(1);
+  }
+  return normalized;
+}
+function resolveToCwd(filePath, cwd) {
+  const expanded = expandPath(filePath);
+  if (isAbsolute(expanded)) {
+    return expanded;
+  }
+  return resolvePath(cwd, expanded);
+}
+function validatePathWithinCwd(resolvedPath2, cwd) {
+  const relativePath = relative(cwd, resolvedPath2);
+  if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
+    throw new Error(
+      `Access denied: Path is outside the allowed directory. Requested: ${resolvedPath2}, Allowed root: ${cwd}`
+    );
+  }
+}
+function resolveReadPath(filePath, cwd) {
+  const resolved = resolveToCwd(filePath, cwd);
+  if (fileExists(resolved)) {
+    return resolved;
+  }
+  const amPmVariant = tryMacOSScreenshotPath(resolved);
+  if (amPmVariant !== resolved && fileExists(amPmVariant)) {
+    return amPmVariant;
+  }
+  const nfdVariant = tryNFDVariant(resolved);
+  if (nfdVariant !== resolved && fileExists(nfdVariant)) {
+    return nfdVariant;
+  }
+  const curlyVariant = tryCurlyQuoteVariant(resolved);
+  if (curlyVariant !== resolved && fileExists(curlyVariant)) {
+    return curlyVariant;
+  }
+  const nfdCurlyVariant = tryCurlyQuoteVariant(nfdVariant);
+  if (nfdCurlyVariant !== resolved && fileExists(nfdCurlyVariant)) {
+    return nfdCurlyVariant;
+  }
+  return resolved;
+}
+
+// src/tools/bash-command-guard.ts
+var BROAD_SEARCH_ROOTS = /* @__PURE__ */ new Set(["/", "~"]);
+var FIND_OPTIONS_WITH_ARG = /* @__PURE__ */ new Set([
+  "-name",
+  "-iname",
+  "-path",
+  "-ipath",
+  "-wholename",
+  "-iwholename",
+  "-perm",
+  "-user",
+  "-group",
+  "-size",
+  "-type",
+  "-maxdepth",
+  "-mindepth",
+  "-mtime",
+  "-atime",
+  "-ctime",
+  "-newer",
+  "-anewer",
+  "-cnewer"
+]);
+function getFindSearchRoot(tokens) {
+  for (let i = 1; i < tokens.length; i++) {
+    const token = tokens[i];
+    if (!token.startsWith("-")) {
+      return token;
+    }
+    if (FIND_OPTIONS_WITH_ARG.has(token)) {
+      i++;
+    }
+  }
+  return void 0;
+}
+function validateBashFilesystemSearch(command, cwd) {
+  const tokens = getCommandTokens(command);
+  if (tokens[0] !== "find") {
+    return;
+  }
+  const searchRoot = getFindSearchRoot(tokens);
+  if (!searchRoot) {
+    return;
+  }
+  if (BROAD_SEARCH_ROOTS.has(searchRoot) || searchRoot === "$HOME" || searchRoot.startsWith("~/")) {
+    throw new Error(
+      'Searching outside the project directory is not allowed. Use the find tool with a glob pattern (e.g. **/filename.png), or run find . -name "filename" from the project root.'
+    );
+  }
+  try {
+    validatePathWithinCwd(resolveToCwd(searchRoot, cwd), cwd);
+  } catch {
+    throw new Error(
+      "find search path must stay within the project directory. Use the find tool with a glob pattern instead."
+    );
+  }
+}
+
+// src/tools/truncate.ts
+var DEFAULT_MAX_LINES = 2e3;
+var DEFAULT_MAX_BYTES = 50 * 1024;
+var GREP_MAX_LINE_LENGTH = 500;
+function formatSize(bytes) {
+  if (bytes < 1024) {
+    return `${bytes}B`;
+  } else if (bytes < 1024 * 1024) {
+    return `${(bytes / 1024).toFixed(1)}KB`;
+  } else {
+    return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
+  }
+}
+function truncateHead(content, options = {}) {
+  const maxLines = options.maxLines ?? DEFAULT_MAX_LINES;
+  const maxBytes = options.maxBytes ?? DEFAULT_MAX_BYTES;
+  const totalBytes = Buffer.byteLength(content, "utf-8");
+  const lines = content.split("\n");
+  const totalLines = lines.length;
+  if (totalLines <= maxLines && totalBytes <= maxBytes) {
+    return {
+      content,
+      truncated: false,
+      truncatedBy: null,
+      totalLines,
+      totalBytes,
+      outputLines: totalLines,
+      outputBytes: totalBytes,
+      lastLinePartial: false,
+      firstLineExceedsLimit: false,
+      maxLines,
+      maxBytes
+    };
+  }
+  const firstLineBytes = Buffer.byteLength(lines[0], "utf-8");
+  if (firstLineBytes > maxBytes) {
+    return {
+      content: "",
+      truncated: true,
+      truncatedBy: "bytes",
+      totalLines,
+      totalBytes,
+      outputLines: 0,
+      outputBytes: 0,
+      lastLinePartial: false,
+      firstLineExceedsLimit: true,
+      maxLines,
+      maxBytes
+    };
+  }
+  const outputLinesArr = [];
+  let outputBytesCount = 0;
+  let truncatedBy = "lines";
+  for (let i = 0; i < lines.length && i < maxLines; i++) {
+    const line = lines[i];
+    const lineBytes = Buffer.byteLength(line, "utf-8") + (i > 0 ? 1 : 0);
+    if (outputBytesCount + lineBytes > maxBytes) {
+      truncatedBy = "bytes";
+      break;
+    }
+    outputLinesArr.push(line);
+    outputBytesCount += lineBytes;
+  }
+  if (outputLinesArr.length >= maxLines && outputBytesCount <= maxBytes) {
+    truncatedBy = "lines";
+  }
+  const outputContent = outputLinesArr.join("\n");
+  const finalOutputBytes = Buffer.byteLength(outputContent, "utf-8");
+  return {
+    content: outputContent,
+    truncated: true,
+    truncatedBy,
+    totalLines,
+    totalBytes,
+    outputLines: outputLinesArr.length,
+    outputBytes: finalOutputBytes,
+    lastLinePartial: false,
+    firstLineExceedsLimit: false,
+    maxLines,
+    maxBytes
+  };
+}
+function truncateTail(content, options = {}) {
+  const maxLines = options.maxLines ?? DEFAULT_MAX_LINES;
+  const maxBytes = options.maxBytes ?? DEFAULT_MAX_BYTES;
+  const totalBytes = Buffer.byteLength(content, "utf-8");
+  const lines = content.split("\n");
+  const totalLines = lines.length;
+  if (totalLines <= maxLines && totalBytes <= maxBytes) {
+    return {
+      content,
+      truncated: false,
+      truncatedBy: null,
+      totalLines,
+      totalBytes,
+      outputLines: totalLines,
+      outputBytes: totalBytes,
+      lastLinePartial: false,
+      firstLineExceedsLimit: false,
+      maxLines,
+      maxBytes
+    };
+  }
+  const outputLinesArr = [];
+  let outputBytesCount = 0;
+  let truncatedBy = "lines";
+  let lastLinePartial = false;
+  for (let i = lines.length - 1; i >= 0 && outputLinesArr.length < maxLines; i--) {
+    const line = lines[i];
+    const lineBytes = Buffer.byteLength(line, "utf-8") + (outputLinesArr.length > 0 ? 1 : 0);
+    if (outputBytesCount + lineBytes > maxBytes) {
+      truncatedBy = "bytes";
+      if (outputLinesArr.length === 0) {
+        const truncatedLine = truncateStringToBytesFromEnd(line, maxBytes);
+        outputLinesArr.unshift(truncatedLine);
+        outputBytesCount = Buffer.byteLength(truncatedLine, "utf-8");
+        lastLinePartial = true;
+      }
+      break;
+    }
+    outputLinesArr.unshift(line);
+    outputBytesCount += lineBytes;
+  }
+  if (outputLinesArr.length >= maxLines && outputBytesCount <= maxBytes) {
+    truncatedBy = "lines";
+  }
+  const outputContent = outputLinesArr.join("\n");
+  const finalOutputBytes = Buffer.byteLength(outputContent, "utf-8");
+  return {
+    content: outputContent,
+    truncated: true,
+    truncatedBy,
+    totalLines,
+    totalBytes,
+    outputLines: outputLinesArr.length,
+    outputBytes: finalOutputBytes,
+    lastLinePartial,
+    firstLineExceedsLimit: false,
+    maxLines,
+    maxBytes
+  };
+}
+function truncateStringToBytesFromEnd(str, maxBytes) {
+  const buf = Buffer.from(str, "utf-8");
+  if (buf.length <= maxBytes) {
+    return str;
+  }
+  let start = buf.length - maxBytes;
+  while (start < buf.length && (buf[start] & 192) === 128) {
+    start++;
+  }
+  return buf.slice(start).toString("utf-8");
+}
+function truncateLine(line, maxChars = GREP_MAX_LINE_LENGTH) {
+  if (line.length <= maxChars) {
+    return { text: line, wasTruncated: false };
+  }
+  return { text: `${line.slice(0, maxChars)}... [truncated]`, wasTruncated: true };
+}
+
+// src/tools/bash.ts
+function getTempFilePath() {
+  return join3(tmpdir(), `tarsk-bash-${randomBytes2(8).toString("hex")}.log`);
+}
+var bashSchema = Type.Object({
+  command: Type.String({ description: "Bash command to execute" }),
   timeout: Type.Optional(Type.Number({ description: "Timeout in seconds (optional)" }))
 });
 var defaultBashOperations = {
@@ -1946,15 +2497,17 @@ function createBashTool(cwd, options) {
   const ops = options?.operations ?? defaultBashOperations;
   const commandPrefix = options?.commandPrefix;
   const shellPermissionGate = options?.shellPermissionGate;
+  const projectEnv = options?.projectEnv;
   return {
     name: "bash",
     label: "bash",
-    description: `Execute a bash command in the current working directory. Output truncated to last ${DEFAULT_MAX_LINES} lines or ${DEFAULT_MAX_BYTES / 1024}KB. Optionally provide a timeout in seconds.`,
+    description: `Execute a bash command in the current working directory. Do not search the filesystem from / or ~; use the find tool for file discovery. Output truncated to last ${DEFAULT_MAX_LINES} lines or ${DEFAULT_MAX_BYTES / 1024}KB. Optionally provide a timeout in seconds.`,
     parameters: bashSchema,
     execute: async (toolCallId, { command, timeout }, signal, onUpdate) => {
       const resolvedCommand = commandPrefix ? `${commandPrefix}
 ${command}` : command;
       tarskDebugLog(`[ai] bash-start: ${resolvedCommand}`);
+      validateBashFilesystemSearch(resolvedCommand, cwd);
       if (shellPermissionGate) {
         await shellPermissionGate.ensureAllowed(toolCallId, resolvedCommand, "bash", signal);
       }
@@ -1991,7 +2544,12 @@ ${command}` : command;
             });
           }
         };
-        ops.exec(resolvedCommand, cwd, { onData: handleData, signal, timeout, env: getShellEnv() }).then(({ exitCode }) => {
+        ops.exec(resolvedCommand, cwd, {
+          onData: handleData,
+          signal,
+          timeout,
+          env: mergeEnvVars(getShellEnv(), projectEnv)
+        }).then(({ exitCode }) => {
           tarskDebugLog(`[ai] bash-end: ${resolvedCommand}`);
           if (tempFileStream) tempFileStream.end();
           const fullOutput = Buffer.concat(chunks).toString("utf-8");
@@ -2101,157 +2659,79 @@ function fuzzyFindText(content, oldText) {
     found: true,
     index: fuzzyIndex,
     matchLength: fuzzyOldText.length,
-    usedFuzzyMatch: true,
-    contentForReplacement: fuzzyContent
-  };
-}
-function stripBom(content) {
-  return content.startsWith("\uFEFF") ? { bom: "\uFEFF", text: content.slice(1) } : { bom: "", text: content };
-}
-function generateDiffString(oldContent, newContent, contextLines = 4) {
-  const parts = Diff.diffLines(oldContent, newContent);
-  const output = [];
-  const oldLines = oldContent.split("\n");
-  const newLines = newContent.split("\n");
-  const maxLineNum = Math.max(oldLines.length, newLines.length);
-  const lineNumWidth = String(maxLineNum).length;
-  let oldLineNum = 1;
-  let newLineNum = 1;
-  let lastWasChange = false;
-  let firstChangedLine;
-  for (let i = 0; i < parts.length; i++) {
-    const part = parts[i];
-    const raw = part.value.split("\n");
-    if (raw[raw.length - 1] === "") {
-      raw.pop();
-    }
-    if (part.added || part.removed) {
-      firstChangedLine ??= newLineNum;
-      for (const line of raw) {
-        if (part.added) {
-          output.push(`+${String(newLineNum).padStart(lineNumWidth, " ")} ${line}`);
-          newLineNum++;
-        } else {
-          output.push(`-${String(oldLineNum).padStart(lineNumWidth, " ")} ${line}`);
-          oldLineNum++;
-        }
-      }
-      lastWasChange = true;
-    } else {
-      const nextPartIsChange = i < parts.length - 1 && (parts[i + 1].added || parts[i + 1].removed);
-      if (lastWasChange || nextPartIsChange) {
-        let linesToShow = raw;
-        let skipStart = 0;
-        let skipEnd = 0;
-        if (!lastWasChange) {
-          skipStart = Math.max(0, raw.length - contextLines);
-          linesToShow = raw.slice(skipStart);
-        }
-        if (!nextPartIsChange && linesToShow.length > contextLines) {
-          skipEnd = linesToShow.length - contextLines;
-          linesToShow = linesToShow.slice(0, contextLines);
-        }
-        if (skipStart > 0) {
-          output.push(` ${"".padStart(lineNumWidth, " ")} ...`);
-          oldLineNum += skipStart;
-          newLineNum += skipStart;
-        }
-        for (const line of linesToShow) {
-          output.push(` ${String(oldLineNum).padStart(lineNumWidth, " ")} ${line}`);
-          oldLineNum++;
-          newLineNum++;
-        }
-        if (skipEnd > 0) {
-          output.push(` ${"".padStart(lineNumWidth, " ")} ...`);
-          oldLineNum += skipEnd;
-          newLineNum += skipEnd;
-        }
-      } else {
-        oldLineNum += raw.length;
-        newLineNum += raw.length;
-      }
-      lastWasChange = false;
-    }
-  }
-  return { diff: output.join("\n"), firstChangedLine };
-}
-
-// src/tools/path-utils.ts
-import { accessSync, constants } from "node:fs";
-import * as os from "node:os";
-import { isAbsolute, resolve as resolvePath, relative } from "node:path";
-var UNICODE_SPACES = /[\u00A0\u2000-\u200A\u202F\u205F\u3000]/g;
-var NARROW_NO_BREAK_SPACE = "\u202F";
-function normalizeUnicodeSpaces(str) {
-  return str.replace(UNICODE_SPACES, " ");
-}
-function tryMacOSScreenshotPath(filePath) {
-  return filePath.replace(/ (AM|PM)\./g, `${NARROW_NO_BREAK_SPACE}$1.`);
-}
-function tryNFDVariant(filePath) {
-  return filePath.normalize("NFD");
-}
-function tryCurlyQuoteVariant(filePath) {
-  return filePath.replace(/'/g, "\u2019");
-}
-function fileExists(filePath) {
-  try {
-    accessSync(filePath, constants.F_OK);
-    return true;
-  } catch {
-    return false;
-  }
-}
-function normalizeAtPrefix(filePath) {
-  return filePath.startsWith("@") ? filePath.slice(1) : filePath;
-}
-function expandPath(filePath) {
-  const normalized = normalizeUnicodeSpaces(normalizeAtPrefix(filePath));
-  if (normalized === "~") {
-    return os.homedir();
-  }
-  if (normalized.startsWith("~/")) {
-    return os.homedir() + normalized.slice(1);
-  }
-  return normalized;
-}
-function resolveToCwd(filePath, cwd) {
-  const expanded = expandPath(filePath);
-  if (isAbsolute(expanded)) {
-    return expanded;
-  }
-  return resolvePath(cwd, expanded);
-}
-function validatePathWithinCwd(resolvedPath2, cwd) {
-  const relativePath = relative(cwd, resolvedPath2);
-  if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
-    throw new Error(
-      `Access denied: Path is outside the allowed directory. Requested: ${resolvedPath2}, Allowed root: ${cwd}`
-    );
-  }
-}
-function resolveReadPath(filePath, cwd) {
-  const resolved = resolveToCwd(filePath, cwd);
-  if (fileExists(resolved)) {
-    return resolved;
-  }
-  const amPmVariant = tryMacOSScreenshotPath(resolved);
-  if (amPmVariant !== resolved && fileExists(amPmVariant)) {
-    return amPmVariant;
-  }
-  const nfdVariant = tryNFDVariant(resolved);
-  if (nfdVariant !== resolved && fileExists(nfdVariant)) {
-    return nfdVariant;
-  }
-  const curlyVariant = tryCurlyQuoteVariant(resolved);
-  if (curlyVariant !== resolved && fileExists(curlyVariant)) {
-    return curlyVariant;
-  }
-  const nfdCurlyVariant = tryCurlyQuoteVariant(nfdVariant);
-  if (nfdCurlyVariant !== resolved && fileExists(nfdCurlyVariant)) {
-    return nfdCurlyVariant;
+    usedFuzzyMatch: true,
+    contentForReplacement: fuzzyContent
+  };
+}
+function stripBom(content) {
+  return content.startsWith("\uFEFF") ? { bom: "\uFEFF", text: content.slice(1) } : { bom: "", text: content };
+}
+function generateDiffString(oldContent, newContent, contextLines = 4) {
+  const parts = Diff.diffLines(oldContent, newContent);
+  const output = [];
+  const oldLines = oldContent.split("\n");
+  const newLines = newContent.split("\n");
+  const maxLineNum = Math.max(oldLines.length, newLines.length);
+  const lineNumWidth = String(maxLineNum).length;
+  let oldLineNum = 1;
+  let newLineNum = 1;
+  let lastWasChange = false;
+  let firstChangedLine;
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i];
+    const raw = part.value.split("\n");
+    if (raw[raw.length - 1] === "") {
+      raw.pop();
+    }
+    if (part.added || part.removed) {
+      firstChangedLine ??= newLineNum;
+      for (const line of raw) {
+        if (part.added) {
+          output.push(`+${String(newLineNum).padStart(lineNumWidth, " ")} ${line}`);
+          newLineNum++;
+        } else {
+          output.push(`-${String(oldLineNum).padStart(lineNumWidth, " ")} ${line}`);
+          oldLineNum++;
+        }
+      }
+      lastWasChange = true;
+    } else {
+      const nextPartIsChange = i < parts.length - 1 && (parts[i + 1].added || parts[i + 1].removed);
+      if (lastWasChange || nextPartIsChange) {
+        let linesToShow = raw;
+        let skipStart = 0;
+        let skipEnd = 0;
+        if (!lastWasChange) {
+          skipStart = Math.max(0, raw.length - contextLines);
+          linesToShow = raw.slice(skipStart);
+        }
+        if (!nextPartIsChange && linesToShow.length > contextLines) {
+          skipEnd = linesToShow.length - contextLines;
+          linesToShow = linesToShow.slice(0, contextLines);
+        }
+        if (skipStart > 0) {
+          output.push(` ${"".padStart(lineNumWidth, " ")} ...`);
+          oldLineNum += skipStart;
+          newLineNum += skipStart;
+        }
+        for (const line of linesToShow) {
+          output.push(` ${String(oldLineNum).padStart(lineNumWidth, " ")} ${line}`);
+          oldLineNum++;
+          newLineNum++;
+        }
+        if (skipEnd > 0) {
+          output.push(` ${"".padStart(lineNumWidth, " ")} ...`);
+          oldLineNum += skipEnd;
+          newLineNum += skipEnd;
+        }
+      } else {
+        oldLineNum += raw.length;
+        newLineNum += raw.length;
+      }
+      lastWasChange = false;
+    }
   }
-  return resolved;
+  return { diff: output.join("\n"), firstChangedLine };
 }
 
 // src/tools/tool-helpers.ts
@@ -4360,7 +4840,7 @@ import { Type as Type13 } from "@sinclair/typebox";
 
 // src/features/todos/todos.database.ts
 init_database();
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 async function fetchAllTodos(db, threadId) {
   const result = await db.execute({
     sql: `SELECT id, threadId, description, status, assignedTo, passes, createdAt, updatedAt
@@ -4376,7 +4856,7 @@ async function addTodos(threadId, descriptions, assignedTo = "agent") {
   const db = await getDatabase();
   const baseTime = Date.now();
   for (let i = 0; i < descriptions.length; i++) {
-    const id = randomUUID();
+    const id = randomUUID2();
     const ts = new Date(baseTime + i).toISOString();
     await db.execute({
       sql: `INSERT INTO todos (id, threadId, description, status, assignedTo, passes, createdAt, updatedAt)
@@ -4850,7 +5330,7 @@ function describeMCPServerConnection(config) {
   }
   return "(invalid config)";
 }
-function createMCPClientTransport(config) {
+function createMCPClientTransport(config, additionalEnv) {
   if (isRemoteMCPServer(config)) {
     const url = new URL(config.url.trim());
     const transport = resolveRemoteTransport(config, url);
@@ -4869,7 +5349,7 @@ function createMCPClientTransport(config) {
   return new StdioClientTransport({
     command: config.command,
     args: config.args,
-    env: config.env
+    env: additionalEnv && config.env ? { ...additionalEnv, ...config.env } : additionalEnv ?? config.env
   });
 }
 
@@ -4946,6 +5426,10 @@ var MCPManagerImpl = class {
   configCache = /* @__PURE__ */ new Map();
   serverInstances = /* @__PURE__ */ new Map();
   toolWrappers = /* @__PURE__ */ new Map();
+  projectEnv;
+  constructor(options) {
+    this.projectEnv = options?.projectEnv;
+  }
   /**
    * Load MCP configuration from file
    */
@@ -5078,7 +5562,7 @@ var MCPManagerImpl = class {
       const connection = describeMCPServerConnection(serverConfig);
       logMCPConnecting(serverName, connection, options);
       tarskDebugLog(`[MCP] Connecting to server ${serverName}: ${connection}`);
-      const transport = createMCPClientTransport(serverConfig);
+      const transport = createMCPClientTransport(serverConfig, this.projectEnv);
       const client = new Client(
         {
           name: "tarsk-cli",
@@ -5199,7 +5683,7 @@ var MCPManagerImpl = class {
 
 // src/tools/mcp-tools.ts
 async function createMCPTools(projectPath, options) {
-  const mcpManager = new MCPManagerImpl();
+  const mcpManager = new MCPManagerImpl({ projectEnv: options?.projectEnv });
   const logOptions = options?.onMcpStatus ? { onStatus: options.onMcpStatus } : void 0;
   try {
     const mcpTools = await mcpManager.createToolWrappers(projectPath, logOptions);
@@ -5223,6 +5707,10 @@ async function createMCPTools(projectPath, options) {
     return [];
   }
 }
+function clearMCPToolCache(projectPath) {
+  const mcpManager = new MCPManagerImpl();
+  mcpManager.clearCache(projectPath);
+}
 
 // src/tools/generate-image.ts
 import { Type as Type14 } from "@sinclair/typebox";
@@ -7584,7 +8072,7 @@ function buildCrossHostRedirectResult(redirectUrl) {
 // src/features/web-fetch/web-fetch.client.ts
 import { mkdir, writeFile as writeFile2 } from "fs/promises";
 import { join as join11, extname as extname3 } from "path";
-import { createHash } from "crypto";
+import { createHash as createHash2 } from "crypto";
 
 // src/features/web-fetch/web-fetch-cache.ts
 var WebFetchCache = class {
@@ -7690,7 +8178,7 @@ async function readResponseBody(response, signal) {
 async function saveBinaryContent(body, contentType, url) {
   const downloadsDir = join11(getDataDir(), "fetch-downloads");
   await mkdir(downloadsDir, { recursive: true });
-  const hash = createHash("sha256").update(url).digest("hex").slice(0, 12);
+  const hash = createHash2("sha256").update(url).digest("hex").slice(0, 12);
   let extension = extname3(new URL(url).pathname);
   if (!extension && contentType) {
     if (contentType.includes("pdf")) extension = ".pdf";
@@ -8218,7 +8706,7 @@ function isSessionDomainAllowed(projectId, hostname2) {
 // src/features/web-fetch-permissions/web-fetch-permission.gate.ts
 var WEB_FETCH_PERMISSION_SKIP_MESSAGE_PREFIX = "User declined to fetch from this domain:";
 var pendingPermissions = /* @__PURE__ */ new Map();
-function buildWildcardOptions(hostname2) {
+function buildWildcardOptions2(hostname2) {
   return [
     {
       label: `Always allow ${hostname2} (this project)`,
@@ -8271,7 +8759,7 @@ var WebFetchPermissionGate = class {
       toolCallId,
       hostname: normalized,
       url,
-      wildcardOptions: buildWildcardOptions(normalized)
+      wildcardOptions: buildWildcardOptions2(normalized)
     };
     this.config.onPermissionRequired?.(request);
     return new Promise((resolve6, reject) => {
@@ -8415,7 +8903,8 @@ function applyCodeSearchInvalidationHooks(tools, threadId) {
 async function createCodingTools(cwd, options) {
   const deferOption = options?.deferTools ?? true;
   const shellPermissionGate = options?.shellPermissionGate;
-  const bashOptions = shellPermissionGate ? { ...options?.bash, shellPermissionGate } : options?.bash;
+  const projectEnv = options?.projectId ? await getDecryptedProjectEnvVars(options.projectId) : void 0;
+  const bashOptions = shellPermissionGate || projectEnv ? { ...options?.bash, shellPermissionGate, projectEnv } : options?.bash;
   const coreTools = filterEnabledTools([
     createReadTool(cwd, options?.read),
     createBashTool(cwd, bashOptions),
@@ -8449,7 +8938,7 @@ async function createCodingTools(cwd, options) {
   if (options?.loadMcpTools !== false && isToolEnabled("mcp")) {
     try {
       mcpTools = filterEnabledTools(
-        await createMCPTools(cwd, { onMcpStatus: options?.onMcpStatus })
+        await createMCPTools(cwd, { onMcpStatus: options?.onMcpStatus, projectEnv })
       );
     } catch (error) {
       console.warn(`[Tools] Failed to load MCP tools for ${cwd}:`, error);
@@ -8586,6 +9075,16 @@ var EventQueue = class {
   errorOccurred = false;
   toolCallCount = 0;
   lastErrorMessage;
+  setLastErrorMessage(message) {
+    if (typeof message !== "string") {
+      return;
+    }
+    const trimmedMessage = message.trim();
+    if (!trimmedMessage) {
+      return;
+    }
+    this.lastErrorMessage = trimmedMessage;
+  }
   /**
    * Processes Pi Agent events and transforms them into AgentEvent format
    */
@@ -8691,7 +9190,7 @@ var EventQueue = class {
       const messages = event.messages;
       const lastAssistant = [...messages].reverse().find((m) => "role" in m && m.role === "assistant");
       if (lastAssistant && "errorMessage" in lastAssistant && typeof lastAssistant.errorMessage === "string") {
-        this.lastErrorMessage = lastAssistant.errorMessage;
+        this.setLastErrorMessage(lastAssistant.errorMessage);
       }
       if (lastAssistant) {
         const extracted = extractTextFromAssistantMessage(lastAssistant);
@@ -9646,231 +10145,89 @@ async function loadPromptSections(threadPath, tools, skills, planMode, agents, d
 }
 function formatSkillsSection(skills) {
   if (!skills || skills.length === 0) {
-    return "";
-  }
-  let skillsSection = "\n\n# Available Skills\n\n";
-  skillsSection += "The following skills are available for this session. Use them to enhance your capabilities:\n\n";
-  for (const skill of skills) {
-    skillsSection += `## ${skill.name}
-
-`;
-    skillsSection += `**Description**: ${skill.description}
-
-`;
-    if (skill.compatibility) {
-      skillsSection += `**Compatibility**: ${skill.compatibility}
-
-`;
-    }
-    skillsSection += skill.instructions;
-    skillsSection += "\n\n---\n\n";
-  }
-  tarskDebugLog(
-    `[ai] Injected ${skills.length} skill(s) into system prompt: ${skills.map((s) => s.name).join(", ")}`
-  );
-  return skillsSection;
-}
-function formatAgentsSection(agents) {
-  const invocable = agents.filter((a) => !a.disableModelInvocation);
-  if (invocable.length === 0) return "";
-  let section = "\n\n# Available Agents\n\nUse the `agent` tool to delegate focused subtasks to these specialized agents. Each agent runs in an isolated context and returns its result.\n\n";
-  for (const agent of invocable) {
-    section += `## ${agent.name}
-
-`;
-    section += `**Description**: ${agent.description}
-`;
-    section += `**Invoke as**: \`agentName: "${agent.name}"\`
-
-`;
-  }
-  tarskDebugLog(
-    `[ai] Injected ${invocable.length} agent(s) into system prompt: ${invocable.map((a) => a.name).join(", ")}`
-  );
-  return section;
-}
-async function loadAgentSystemPrompt(threadPath, tools, skills, planMode, agents, deferredTools, ralphMode, overrideOptions) {
-  let prompt = resolveEffectiveSystemPrompt(buildDefaultPrompt(tools), overrideOptions);
-  const agentsContent = loadDeveloperContext(threadPath);
-  if (agentsContent) {
-    prompt += "\n\n# Developer Context\n\n" + agentsContent;
-  }
-  const rulesSection = await loadRulesSection(threadPath);
-  if (rulesSection) {
-    prompt += rulesSection;
-  }
-  const projectAnalysisSection = loadProjectAnalysisSection(threadPath);
-  if (projectAnalysisSection) {
-    prompt += projectAnalysisSection;
-  }
-  const devServerSection = await loadDevServerSection(threadPath);
-  if (devServerSection) {
-    prompt += devServerSection;
-  }
-  if (planMode) {
-    prompt += PLAN_MODE_INSTRUCTIONS;
-  }
-  if (ralphMode) {
-    prompt += RALPH_MODE_INSTRUCTIONS;
-    const progressContent = await readProgress(threadPath);
-    if (progressContent.trim()) {
-      prompt += "\n\n# Prior Learnings (from progress.txt)\n\n" + progressContent;
-    }
-  }
-  const skillsSection = formatSkillsSection(skills ?? []);
-  if (skillsSection) {
-    prompt += skillsSection;
-  }
-  const agentsSection = formatAgentsSection(agents ?? []);
-  if (agentsSection) {
-    prompt += agentsSection;
-  }
-  if (deferredTools && deferredTools.size > 0) {
-    prompt += formatDeferredToolsList(deferredTools);
-  }
-  return prompt;
-}
-
-// src/features/shell-permissions/command-pattern.ts
-var ENV_ASSIGNMENT_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*=/;
-function stripLeadingEnvAssignments(command) {
-  let remaining = command.trim();
-  while (remaining.length > 0) {
-    const tokenMatch = remaining.match(/^(\S+)\s*/);
-    if (!tokenMatch) {
-      break;
-    }
-    const token = tokenMatch[1];
-    if (!ENV_ASSIGNMENT_PATTERN.test(token)) {
-      break;
-    }
-    remaining = remaining.slice(tokenMatch[0].length).trimStart();
-  }
-  return remaining;
-}
-function tokenizeCommand(command) {
-  const tokens = [];
-  let current = "";
-  let quote = null;
-  let escaped = false;
-  for (const char of command) {
-    if (escaped) {
-      current += char;
-      escaped = false;
-      continue;
-    }
-    if (char === "\\") {
-      escaped = true;
-      continue;
-    }
-    if (quote) {
-      if (char === quote) {
-        quote = null;
-      } else {
-        current += char;
-      }
-      continue;
-    }
-    if (char === "'" || char === '"') {
-      quote = char;
-      continue;
-    }
-    if (/\s/.test(char)) {
-      if (current.length > 0) {
-        tokens.push(current);
-        current = "";
-      }
-      continue;
-    }
-    current += char;
-  }
-  if (current.length > 0) {
-    tokens.push(current);
-  }
-  return tokens;
-}
-function getCommandTokens(command) {
-  return tokenizeCommand(stripLeadingEnvAssignments(command));
-}
-function buildWildcardPattern(tokens, wildcardTokenCount) {
-  const prefix = tokens.slice(0, wildcardTokenCount);
-  if (prefix.length === 0) {
-    return commandToPatternString(tokens);
-  }
-  return `${prefix.join(" ")} *`;
-}
-function commandToPatternString(tokens) {
-  return tokens.join(" ");
-}
-function buildWildcardOptions2(command) {
-  const tokens = getCommandTokens(command);
-  const options = [];
-  if (tokens.length >= 1) {
-    const oneTokenPattern = buildWildcardPattern(tokens, 1);
-    options.push(
-      {
-        label: `Allow ${oneTokenPattern} (this session)`,
-        pattern: oneTokenPattern,
-        scope: "session"
-      },
-      {
-        label: `Allow ${oneTokenPattern} (always for this project)`,
-        pattern: oneTokenPattern,
-        scope: "project"
-      }
-    );
+    return "";
   }
-  if (tokens.length >= 2) {
-    const twoTokenPattern = buildWildcardPattern(tokens, 2);
-    options.push(
-      {
-        label: `Allow ${twoTokenPattern} (this session)`,
-        pattern: twoTokenPattern,
-        scope: "session"
-      },
-      {
-        label: `Allow ${twoTokenPattern} (always for this project)`,
-        pattern: twoTokenPattern,
-        scope: "project"
-      }
-    );
+  let skillsSection = "\n\n# Available Skills\n\n";
+  skillsSection += "The following skills are available for this session. Use them to enhance your capabilities:\n\n";
+  for (const skill of skills) {
+    skillsSection += `## ${skill.name}
+
+`;
+    skillsSection += `**Description**: ${skill.description}
+
+`;
+    if (skill.compatibility) {
+      skillsSection += `**Compatibility**: ${skill.compatibility}
+
+`;
+    }
+    skillsSection += skill.instructions;
+    skillsSection += "\n\n---\n\n";
   }
-  return options;
+  tarskDebugLog(
+    `[ai] Injected ${skills.length} skill(s) into system prompt: ${skills.map((s) => s.name).join(", ")}`
+  );
+  return skillsSection;
 }
-function parsePattern(pattern) {
-  const trimmed = pattern.trim();
-  if (trimmed.endsWith(" *")) {
-    return {
-      tokens: tokenizeCommand(trimmed.slice(0, -2).trim()),
-      hasWildcard: true
-    };
+function formatAgentsSection(agents) {
+  const invocable = agents.filter((a) => !a.disableModelInvocation);
+  if (invocable.length === 0) return "";
+  let section = "\n\n# Available Agents\n\nUse the `agent` tool to delegate focused subtasks to these specialized agents. Each agent runs in an isolated context and returns its result.\n\n";
+  for (const agent of invocable) {
+    section += `## ${agent.name}
+
+`;
+    section += `**Description**: ${agent.description}
+`;
+    section += `**Invoke as**: \`agentName: "${agent.name}"\`
+
+`;
   }
-  return {
-    tokens: tokenizeCommand(trimmed),
-    hasWildcard: false
-  };
+  tarskDebugLog(
+    `[ai] Injected ${invocable.length} agent(s) into system prompt: ${invocable.map((a) => a.name).join(", ")}`
+  );
+  return section;
 }
-function commandMatchesPattern(command, pattern) {
-  const commandTokens = getCommandTokens(command);
-  const parsedPattern = parsePattern(pattern);
-  if (!parsedPattern.hasWildcard) {
-    return command.trim() === pattern.trim();
+async function loadAgentSystemPrompt(threadPath, tools, skills, planMode, agents, deferredTools, ralphMode, overrideOptions) {
+  let prompt = resolveEffectiveSystemPrompt(buildDefaultPrompt(tools), overrideOptions);
+  const agentsContent = loadDeveloperContext(threadPath);
+  if (agentsContent) {
+    prompt += "\n\n# Developer Context\n\n" + agentsContent;
   }
-  if (parsedPattern.tokens.length === 0) {
-    return false;
+  const rulesSection = await loadRulesSection(threadPath);
+  if (rulesSection) {
+    prompt += rulesSection;
   }
-  if (commandTokens.length < parsedPattern.tokens.length) {
-    return false;
+  const projectAnalysisSection = loadProjectAnalysisSection(threadPath);
+  if (projectAnalysisSection) {
+    prompt += projectAnalysisSection;
   }
-  for (let index = 0; index < parsedPattern.tokens.length; index++) {
-    if (commandTokens[index] !== parsedPattern.tokens[index]) {
-      return false;
+  const devServerSection = await loadDevServerSection(threadPath);
+  if (devServerSection) {
+    prompt += devServerSection;
+  }
+  if (planMode) {
+    prompt += PLAN_MODE_INSTRUCTIONS;
+  }
+  if (ralphMode) {
+    prompt += RALPH_MODE_INSTRUCTIONS;
+    const progressContent = await readProgress(threadPath);
+    if (progressContent.trim()) {
+      prompt += "\n\n# Prior Learnings (from progress.txt)\n\n" + progressContent;
     }
   }
-  return true;
-}
-function commandMatchesAnyPattern(command, patterns) {
-  return patterns.some((pattern) => commandMatchesPattern(command, pattern));
+  const skillsSection = formatSkillsSection(skills ?? []);
+  if (skillsSection) {
+    prompt += skillsSection;
+  }
+  const agentsSection = formatAgentsSection(agents ?? []);
+  if (agentsSection) {
+    prompt += agentsSection;
+  }
+  if (deferredTools && deferredTools.size > 0) {
+    prompt += formatDeferredToolsList(deferredTools);
+  }
+  return prompt;
 }
 
 // src/features/shell-permissions/shell-permission.store.ts
@@ -9946,7 +10303,7 @@ var ShellPermissionGate = class {
       toolCallId,
       command: command.trim(),
       source,
-      wildcardOptions: buildWildcardOptions2(command)
+      wildcardOptions: buildWildcardOptions(command)
     };
     this.config.onPermissionRequired?.(request);
     return new Promise((resolve6, reject) => {
@@ -10219,6 +10576,7 @@ var PiExecutorImpl = class {
         skills: context.skills,
         threadId: context.threadId,
         threadPath: cwd,
+        projectId: context.projectId,
         metadataManager: this.metadataManager,
         shellPermissionGate,
         webFetchPermissionGate
@@ -10368,6 +10726,7 @@ ${userPrompt}`;
           eventQueue.notify();
         }).catch((err) => {
           const errMessage = err instanceof Error ? err.message : String(err);
+          eventQueue.setLastErrorMessage(errMessage);
           console.error(`[ai] Agent prompt failed:`, {
             request: promptRequest,
             error: serializeLogValue(err),
@@ -10428,7 +10787,7 @@ ${userPrompt}`;
               console.log("[ai] \u26A0\uFE0F  Agent ended with no text content and no tool calls.");
               const upstreamError = eventQueue.lastErrorMessage ? { message: eventQueue.lastErrorMessage } : void 0;
               const noResponseMessage = `The model ${model} from ${providerName} did not provide a response to your prompt. Check your API key and balance and try again.`;
-              const content = upstreamError ? `${noResponseMessage} ${upstreamError.message}` : noResponseMessage;
+              const content = upstreamError?.message ?? noResponseMessage;
               console.error("[ai] Agent ended without text content:", {
                 request: promptRequest,
                 upstreamError,
@@ -10440,7 +10799,7 @@ ${userPrompt}`;
                 content,
                 error: {
                   code: "NO_CONTENT_NO_TOOLS",
-                  message: `The model ${model} from ${providerName} did not provide a response to your prompt.`,
+                  message: upstreamError?.message ?? noResponseMessage,
                   details: upstreamError
                 }
               };
@@ -10610,7 +10969,7 @@ async function readEnvFile() {
 import { Hono } from "hono";
 
 // src/agent/agent-run-guard.ts
-import { randomUUID as randomUUID2 } from "crypto";
+import { randomUUID as randomUUID3 } from "crypto";
 var DEFAULT_LONG_RUNNING_TURN_LIMIT = 50;
 var LONG_RUNNING_CONFIRMATION_QUESTION = "The agent has been working for a long time. Do you want to continue?";
 var LONG_RUNNING_CONFIRMATION_OPTIONS = ["Yes", "No"];
@@ -10652,7 +11011,7 @@ function shouldPromptForLongRunningConfirmation(state) {
   return state.turnCount >= state.maximumTurnCount;
 }
 function createLongRunningConfirmationRequest(maximumTurnCount) {
-  const toolCallId = `long-running-confirmation-${randomUUID2()}`;
+  const toolCallId = `long-running-confirmation-${randomUUID3()}`;
   const event = {
     type: "long_running_confirmation",
     prompt: {
@@ -11028,7 +11387,7 @@ function createWebFetchPermissionRoutes() {
 import { Hono as Hono4 } from "hono";
 
 // src/features/chat/chat-post.route.ts
-import { randomUUID as randomUUID5 } from "crypto";
+import { randomUUID as randomUUID6 } from "crypto";
 
 // src/features/skills/skills.manager.ts
 import { readdir as readdir4, readFile as readFile6 } from "fs/promises";
@@ -11602,7 +11961,7 @@ import { join as join17 } from "path";
 
 // src/features/project-todos/project-todos.database.ts
 init_database();
-import { randomUUID as randomUUID3 } from "crypto";
+import { randomUUID as randomUUID4 } from "crypto";
 function serializeTodo(row) {
   return {
     ...row,
@@ -11627,7 +11986,7 @@ async function getTodoById(db, todoId) {
 }
 async function insertTodo(projectId, title, description) {
   const db = await getDatabase();
-  const id = randomUUID3();
+  const id = randomUUID4();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   await db.execute({
     sql: `INSERT INTO project_todos (id, projectId, title, description, status, working, createdAt, updatedAt)
@@ -11708,155 +12067,48 @@ async function getGitStatusCache(db, threadId) {
     return null;
   }
 }
-async function setGitStatusCache(db, threadId, data) {
-  await db.execute(
-    "INSERT OR REPLACE INTO git_status_cache (threadId, data, cachedAt) VALUES (?, ?, ?)",
-    [threadId, JSON.stringify(data), (/* @__PURE__ */ new Date()).toISOString()]
-  );
-}
-async function getGitStatusCacheAnyAge(db, threadId) {
-  const result = await db.execute("SELECT data FROM git_status_cache WHERE threadId = ?", [
-    threadId
-  ]);
-  const row = result.rows[0];
-  if (!row) return null;
-  try {
-    return JSON.parse(row.data);
-  } catch {
-    return null;
-  }
-}
-async function getGitStatusCacheBulk(db, threadIds) {
-  if (threadIds.length === 0) return /* @__PURE__ */ new Map();
-  const placeholders = threadIds.map(() => "?").join(", ");
-  const result = await db.execute(
-    `SELECT threadId, data FROM git_status_cache WHERE threadId IN (${placeholders})`,
-    threadIds
-  );
-  const map = /* @__PURE__ */ new Map();
-  for (const row of result.rows) {
-    const r = row;
-    try {
-      map.set(r.threadId, JSON.parse(r.data));
-    } catch {
-    }
-  }
-  return map;
-}
-async function invalidateGitStatusCache(db, threadId) {
-  await db.execute("DELETE FROM git_status_cache WHERE threadId = ?", [threadId]);
-}
-
-// src/features/account/account-get-info.route.ts
-init_database();
-import { randomUUID as randomUUID4 } from "crypto";
-
-// src/core/crypto.ts
-init_database();
-import { createCipheriv, createDecipheriv, randomBytes as randomBytes2, createHash as createHash2 } from "crypto";
-import { networkInterfaces, hostname } from "os";
-var ALGORITHM = "aes-256-gcm";
-var IV_LENGTH = 16;
-function getMachineKey() {
-  try {
-    const interfaces = networkInterfaces();
-    let macAddress = "";
-    for (const name of Object.keys(interfaces)) {
-      const iface = interfaces[name];
-      if (iface) {
-        for (const addr of iface) {
-          if (addr.mac && addr.mac !== "00:00:00:00:00:00" && !addr.internal) {
-            macAddress = addr.mac;
-            break;
-          }
-        }
-        if (macAddress) break;
-      }
-    }
-    const host = hostname();
-    const homeDir = process.env.HOME ?? process.env.USERPROFILE ?? "";
-    const machineId = `${macAddress}-${host}-${homeDir}`;
-    return createHash2("sha256").update(machineId).digest();
-  } catch {
-    return Buffer.from("Invalid", "utf8");
-  }
-}
-async function getEncryptionKey() {
-  try {
-    const db = await getDatabase();
-    const result = await db.execute({
-      sql: "SELECT value FROM state WHERE key = ?",
-      args: ["encryption_key"]
-    });
-    if (result.rows.length > 0 && result.rows[0].value) {
-      const storedValue = result.rows[0].value;
-      try {
-        const parsed = JSON.parse(storedValue);
-        return Buffer.from(parsed, "base64");
-      } catch {
-        return Buffer.from(storedValue, "base64");
-      }
-    }
-    const machineKey = getMachineKey();
-    await db.execute({
-      sql: "INSERT OR REPLACE INTO state (key, value) VALUES (?, ?)",
-      args: ["encryption_key", machineKey.toString("base64")]
-    });
-    return machineKey;
-  } catch {
-    return getMachineKey();
-  }
-}
-async function encrypt(plaintext) {
-  if (!plaintext) {
-    return "";
-  }
-  const key = await getEncryptionKey();
-  const iv = randomBytes2(IV_LENGTH);
-  const cipher = createCipheriv(ALGORITHM, key, iv);
-  let encrypted = cipher.update(plaintext, "utf8", "base64");
-  encrypted += cipher.final("base64");
-  const authTag = cipher.getAuthTag();
-  const result = `${iv.toString("base64")}:${authTag.toString("base64")}:${encrypted}`;
-  return result;
-}
-async function decrypt(encryptedData) {
-  if (!encryptedData) {
-    return "";
-  }
-  try {
-    const parts = encryptedData.split(":");
-    if (parts.length !== 3) {
-      throw new Error("Invalid encrypted data format");
-    }
-    const [ivBase64, authTagBase64, encrypted] = parts;
-    const key = await getEncryptionKey();
-    const iv = Buffer.from(ivBase64, "base64");
-    const authTag = Buffer.from(authTagBase64, "base64");
-    const decipher = createDecipheriv(ALGORITHM, key, iv);
-    decipher.setAuthTag(authTag);
-    let decrypted = decipher.update(encrypted, "base64", "utf8");
-    decrypted += decipher.final("utf8");
-    return decrypted;
-  } catch (error) {
-    throw new Error(
-      `Decryption failed: ${error instanceof Error ? error.message : "Unknown error"}`
-    );
-  }
-}
-function isEncrypted(value) {
-  if (!value) {
-    return false;
+async function setGitStatusCache(db, threadId, data) {
+  await db.execute(
+    "INSERT OR REPLACE INTO git_status_cache (threadId, data, cachedAt) VALUES (?, ?, ?)",
+    [threadId, JSON.stringify(data), (/* @__PURE__ */ new Date()).toISOString()]
+  );
+}
+async function getGitStatusCacheAnyAge(db, threadId) {
+  const result = await db.execute("SELECT data FROM git_status_cache WHERE threadId = ?", [
+    threadId
+  ]);
+  const row = result.rows[0];
+  if (!row) return null;
+  try {
+    return JSON.parse(row.data);
+  } catch {
+    return null;
   }
-  const parts = value.split(":");
-  if (parts.length !== 3) {
-    return false;
+}
+async function getGitStatusCacheBulk(db, threadIds) {
+  if (threadIds.length === 0) return /* @__PURE__ */ new Map();
+  const placeholders = threadIds.map(() => "?").join(", ");
+  const result = await db.execute(
+    `SELECT threadId, data FROM git_status_cache WHERE threadId IN (${placeholders})`,
+    threadIds
+  );
+  const map = /* @__PURE__ */ new Map();
+  for (const row of result.rows) {
+    const r = row;
+    try {
+      map.set(r.threadId, JSON.parse(r.data));
+    } catch {
+    }
   }
-  const base64Regex = /^[A-Za-z0-9+/]+=*$/;
-  return parts.every((part) => base64Regex.test(part));
+  return map;
+}
+async function invalidateGitStatusCache(db, threadId) {
+  await db.execute("DELETE FROM git_status_cache WHERE threadId = ?", [threadId]);
 }
 
 // src/features/account/account-get-info.route.ts
+init_database();
+import { randomUUID as randomUUID5 } from "crypto";
 var KEY_BALANCE = "PromptBalance";
 var KEY_VERIFICATION = "PromptBalanceVerification";
 var KEY_PLAN = "Plan";
@@ -11902,7 +12154,7 @@ async function getOrCreateClientReferenceId() {
   if (existing !== null && existing !== void 0) {
     return existing;
   }
-  const id = randomUUID4();
+  const id = randomUUID5();
   await setState(db, KEY_CLIENT_REFERENCE_ID, id);
   return id;
 }
@@ -12101,6 +12353,7 @@ async function deleteProject(db, id) {
       );
       await db.execute("DELETE FROM threads WHERE projectId = ?", [id]);
       await db.execute("DELETE FROM project_todos WHERE projectId = ?", [id]);
+      await db.execute("DELETE FROM project_env_vars WHERE projectId = ?", [id]);
       await db.execute("DELETE FROM projects WHERE id = ?", [id]);
     } finally {
       await db.execute("PRAGMA foreign_keys = ON");
@@ -12318,7 +12571,7 @@ async function postChatMessage(c, threadManager, agentExecutor, conversationMana
     }
     let conversationId = thread.currentConversationId;
     if (!conversationId) {
-      conversationId = randomUUID5();
+      conversationId = randomUUID6();
       const db2 = await getDatabase();
       await db2.execute({
         sql: "DELETE FROM todos WHERE threadId = ?",
@@ -12628,7 +12881,7 @@ ${result.output}`;
             };
             processingStateManager.pushEvent(threadId, iterationEvent);
             yield iterationEvent;
-            const newConversationId = randomUUID5();
+            const newConversationId = randomUUID6();
             await threadManager.updateThread(threadId, {
               currentConversationId: newConversationId
             });
@@ -13061,7 +13314,7 @@ ${summary}`;
 }
 
 // src/features/chat/chat-delete.route.ts
-import { randomUUID as randomUUID6 } from "crypto";
+import { randomUUID as randomUUID7 } from "crypto";
 init_database();
 async function deleteChat(c, threadManager) {
   try {
@@ -13083,7 +13336,7 @@ async function deleteChat(c, threadManager) {
       sql: "DELETE FROM todos WHERE threadId = ?",
       args: [threadId]
     });
-    const newConversationId = randomUUID6();
+    const newConversationId = randomUUID7();
     await threadManager.updateThread(threadId, { currentConversationId: newConversationId });
     return successResponse(
       c,
@@ -13207,10 +13460,10 @@ function createChatRoutes(threadManager, agentExecutor, conversationManager, pro
 init_database();
 
 // src/features/conversations/conversations.database.ts
-import { randomUUID as randomUUID7 } from "crypto";
+import { randomUUID as randomUUID8 } from "crypto";
 async function insertMessage(db, threadId, conversationId, message, model, attachments, planMode, imageMode, ralphMode, checkpointRef) {
   try {
-    const messageId = randomUUID7();
+    const messageId = randomUUID8();
     const timestamp = (/* @__PURE__ */ new Date()).toISOString();
     await db.execute(
       `
@@ -14717,28 +14970,6 @@ function deserializeThread(row) {
   };
 }
 
-// src/database/database.encryption.ts
-async function encryptProviderKey(key) {
-  if (!key) {
-    return "";
-  }
-  return await encrypt(key);
-}
-async function decryptProviderKey(encrypted) {
-  if (!encrypted) {
-    return "";
-  }
-  try {
-    return await decrypt(encrypted);
-  } catch (error) {
-    console.error("Failed to decrypt provider key:", error);
-    throw error;
-  }
-}
-function isEncryptedKey(value) {
-  return isEncrypted(value);
-}
-
 // src/features/metadata/metadata.manager.ts
 init_tarsk_debug();
 function normalizeProviderSlug(provider) {
@@ -16815,6 +17046,111 @@ async function handleGetSystemPrompt(c, projectManager) {
   }
 }
 
+// src/features/projects/projects-env-vars.route.ts
+init_database();
+async function handleGetProjectEnvVars(c, projectManager) {
+  try {
+    const projectId = c.req.param("id");
+    if (!projectId) {
+      return errorResponse(c, ErrorCodes.INVALID_REQUEST, "Project ID is required", 400);
+    }
+    const project = await projectManager.getProject(projectId);
+    if (!project) {
+      return errorResponse(c, ErrorCodes.PROJECT_NOT_FOUND, `Project not found: ${projectId}`, 404);
+    }
+    const db = await getDatabase();
+    const rows = await listProjectEnvVarNames(db, projectId);
+    const vars = rows.map((row) => ({
+      name: row.name,
+      hasValue: true
+    }));
+    return c.json({ vars });
+  } catch (error) {
+    return errorResponse(
+      c,
+      ErrorCodes.GET_PROJECT_ERROR,
+      "Failed to get project environment variables",
+      500,
+      error instanceof Error ? error.message : String(error)
+    );
+  }
+}
+async function handleSyncProjectEnvVars(c, projectManager) {
+  try {
+    const projectId = c.req.param("id");
+    if (!projectId) {
+      return errorResponse(c, ErrorCodes.INVALID_REQUEST, "Project ID is required", 400);
+    }
+    const project = await projectManager.getProject(projectId);
+    if (!project) {
+      return errorResponse(c, ErrorCodes.PROJECT_NOT_FOUND, `Project not found: ${projectId}`, 404);
+    }
+    const body = await c.req.json();
+    if (!body.vars || !Array.isArray(body.vars)) {
+      return errorResponse(c, ErrorCodes.INVALID_REQUEST, "vars array is required", 400);
+    }
+    const seenNames = /* @__PURE__ */ new Set();
+    const namesToKeep = [];
+    for (const entry of body.vars) {
+      if (!entry || typeof entry.name !== "string") {
+        return errorResponse(c, ErrorCodes.INVALID_REQUEST, "Each variable must have a name", 400);
+      }
+      const name = entry.name.trim();
+      if (!name) {
+        return errorResponse(c, ErrorCodes.INVALID_REQUEST, "Variable name cannot be empty", 400);
+      }
+      if (!isValidProjectEnvVarName(name)) {
+        return errorResponse(
+          c,
+          ErrorCodes.INVALID_REQUEST,
+          `Invalid environment variable name: ${name}`,
+          400
+        );
+      }
+      if (seenNames.has(name)) {
+        return errorResponse(
+          c,
+          ErrorCodes.INVALID_REQUEST,
+          `Duplicate environment variable name: ${name}`,
+          400
+        );
+      }
+      seenNames.add(name);
+      namesToKeep.push(name);
+    }
+    const db = await getDatabase();
+    const existingRows = await listProjectEnvVarNames(db, projectId);
+    const existingNames = new Set(existingRows.map((row) => row.name));
+    for (const entry of body.vars) {
+      const name = entry.name.trim();
+      const value = typeof entry.value === "string" ? entry.value : "";
+      if (value) {
+        await upsertProjectEnvVar(db, projectId, name, value);
+        continue;
+      }
+      if (!existingNames.has(name)) {
+        return errorResponse(
+          c,
+          ErrorCodes.INVALID_REQUEST,
+          `Value is required for new environment variable: ${name}`,
+          400
+        );
+      }
+    }
+    await deleteProjectEnvVarsNotIn(db, projectId, namesToKeep);
+    clearMCPToolCache(project.path);
+    return c.json({ success: true });
+  } catch (error) {
+    return errorResponse(
+      c,
+      ErrorCodes.UPDATE_PROJECT_ERROR,
+      "Failed to save project environment variables",
+      500,
+      error instanceof Error ? error.message : String(error)
+    );
+  }
+}
+
 // src/features/projects/projects.routes.ts
 function createProjectRoutes(projectManager, threadManager) {
   const router = new Hono8();
@@ -16886,6 +17222,12 @@ function createProjectRoutes(projectManager, threadManager) {
   router.get("/:id/system-prompt", async (c) => {
     return handleGetSystemPrompt(c, projectManager);
   });
+  router.get("/:id/env-vars", async (c) => {
+    return handleGetProjectEnvVars(c, projectManager);
+  });
+  router.put("/:id/env-vars", async (c) => {
+    return handleSyncProjectEnvVars(c, projectManager);
+  });
   return router;
 }
 
@@ -17112,7 +17454,7 @@ var ProcessManager = class extends EventEmitter {
 
 // src/features/projects/projects.creator.ts
 init_utils();
-import { randomUUID as randomUUID8 } from "crypto";
+import { randomUUID as randomUUID9 } from "crypto";
 import { basename as basename2, join as join23, relative as relative5 } from "path";
 import { access as access3, mkdir as mkdir4, rm as rm3, stat as stat3, readdir as readdir8 } from "fs/promises";
 
@@ -18298,16 +18640,25 @@ var ProjectCreator = class {
     }
     let initialThreadId;
     try {
-      const projectId = randomUUID8();
+      const projectId = randomUUID9();
       const existingProjects = await this.metadataManager.loadProjects();
       const existingNames = existingProjects.map((p) => p.name);
       const projectName = this.ensureUniqueProjectName(
         this.deriveProjectName(gitUrl),
         existingNames
       );
-      initialThreadId = randomUUID8();
+      initialThreadId = randomUUID9();
       const initialThreadTitle = generateRandomThreadName();
-      const firstThreadPath = this.generateThreadPath(projectId, initialThreadId);
+      const baseFolderName = this.toFolderName(this.deriveProjectName(gitUrl));
+      if (!baseFolderName) {
+        yield {
+          type: "error",
+          message: "Git URL must produce a valid folder name"
+        };
+        return;
+      }
+      const uniqueFolderName = await this.ensureUniqueFolderName(baseFolderName);
+      const firstThreadPath = join23(this.rootFolder, uniqueFolderName);
       this.processingStateManager?.setProcessing(initialThreadId);
       yield {
         type: "progress",
@@ -18445,8 +18796,8 @@ var ProjectCreator = class {
       };
       return;
     }
-    const projectId = randomUUID8();
-    const initialThreadId = randomUUID8();
+    const projectId = randomUUID9();
+    const initialThreadId = randomUUID9();
     const initialThreadTitle = generateRandomThreadName();
     this.processingStateManager?.setProcessing(initialThreadId);
     try {
@@ -18557,20 +18908,14 @@ var ProjectCreator = class {
       };
       return;
     }
-    const projectId = randomUUID8();
-    const initialThreadId = randomUUID8();
+    const projectId = randomUUID9();
+    const initialThreadId = randomUUID9();
     const initialThreadTitle = generateRandomThreadName();
     let folderPath;
     let projectMetadataSaved = false;
     this.processingStateManager?.setProcessing(initialThreadId);
     try {
-      const existingProjects = await this.metadataManager.loadProjects();
-      const existingNames = existingProjects.map((p) => p.name);
-      const uniqueProjectName = this.ensureUniqueProjectName(trimmedProjectName, existingNames);
-      const uniqueFolderName = this.toFolderName(uniqueProjectName);
-      if (!uniqueFolderName) {
-        throw new Error("Unique project name must produce a valid folder name");
-      }
+      const uniqueFolderName = await this.ensureUniqueFolderName(folderName);
       folderPath = join23(this.rootFolder, uniqueFolderName);
       yield {
         type: "progress",
@@ -18582,7 +18927,7 @@ var ProjectCreator = class {
       await this.gitManager.initRepository(folderPath);
       const project = {
         id: projectId,
-        name: uniqueProjectName,
+        name: trimmedProjectName,
         gitUrl: "",
         path: folderPath,
         createdAt: /* @__PURE__ */ new Date(),
@@ -18607,7 +18952,7 @@ var ProjectCreator = class {
       this.processingStateManager?.clearProcessing(initialThreadId);
       yield {
         type: "progress",
-        message: `Folder project "${uniqueProjectName}" created successfully`
+        message: `Folder project "${trimmedProjectName}" created successfully`
       };
       yield {
         type: "complete",
@@ -18663,6 +19008,23 @@ var ProjectCreator = class {
   toFolderName(name) {
     return name.trim().toLowerCase().replace(/[\\/]+/g, " ").replace(/[^a-z0-9._ -]+/g, "").replace(/\s+/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
   }
+  async folderExists(folderPath) {
+    try {
+      await stat3(folderPath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async ensureUniqueFolderName(baseFolderName) {
+    let candidate = baseFolderName;
+    let counter = 1;
+    while (await this.folderExists(join23(this.rootFolder, candidate))) {
+      candidate = `${baseFolderName}-${counter}`;
+      counter++;
+    }
+    return candidate;
+  }
   async *createProjectFromFolder() {
     await loadUtils();
     if (!Utils) {
@@ -18689,8 +19051,8 @@ var ProjectCreator = class {
       yield { type: "error", message: `Cannot access folder: ${folderPath}` };
       return;
     }
-    const projectId = randomUUID8();
-    const initialThreadId = randomUUID8();
+    const projectId = randomUUID9();
+    const initialThreadId = randomUUID9();
     const initialThreadTitle = generateRandomThreadName();
     this.processingStateManager?.setProcessing(initialThreadId);
     try {
@@ -20729,7 +21091,7 @@ function createRuleRoutes(router, projectManager) {
 
 // src/features/threads/threads.manager.ts
 init_utils();
-import { randomUUID as randomUUID9 } from "crypto";
+import { randomUUID as randomUUID10 } from "crypto";
 import { join as join26 } from "path";
 import { execSync as execSync3 } from "child_process";
 import { rm as rm5, stat as stat4, mkdir as mkdir6 } from "fs/promises";
@@ -20796,7 +21158,7 @@ var ThreadManagerImpl = class {
       } catch {
         await mkdir6(project.path, { recursive: true });
       }
-      threadId = randomUUID9();
+      threadId = randomUUID10();
       const threadPath = this.generateThreadPath(projectId, threadId);
       const existingThreads = await this.metadataManager.loadThreads();
       const existingTitles = new Set(
@@ -21354,7 +21716,7 @@ import { glob as glob2 } from "glob";
 
 // src/features/project-scripts/project-scripts.database.ts
 init_database();
-import { randomUUID as randomUUID10 } from "crypto";
+import { randomUUID as randomUUID11 } from "crypto";
 async function getScriptsByProject(db, projectId) {
   const result = await db.execute({
     sql: `SELECT id, projectId, workspace, name, command, friendlyName, updatedAt
@@ -21371,7 +21733,7 @@ async function upsertProjectScripts(projectId, scripts) {
       sql: `INSERT OR REPLACE INTO project_scripts (id, projectId, workspace, name, command, friendlyName, updatedAt)
             VALUES (?, ?, ?, ?, ?, ?, ?)`,
       args: [
-        randomUUID10(),
+        randomUUID11(),
         projectId,
         script.workspace,
         script.name,
@@ -22153,22 +22515,7 @@ async function handleCreateExplorerFile(c, threadManager) {
     );
   }
 }
-var MEDIA_MIME_TYPES = {
-  png: "image/png",
-  jpg: "image/jpeg",
-  jpeg: "image/jpeg",
-  gif: "image/gif",
-  webp: "image/webp",
-  svg: "image/svg+xml",
-  ico: "image/x-icon",
-  bmp: "image/bmp",
-  tiff: "image/tiff",
-  tif: "image/tiff",
-  mp4: "video/mp4",
-  webm: "video/webm",
-  mov: "video/quicktime",
-  avi: "video/x-msvideo"
-};
+var MEDIA_MIME_TYPES = EXPLORER_MEDIA_MIME_TYPES;
 async function handleGetExplorerMedia(c, threadManager) {
   try {
     const threadId = c.req.param("id");
@@ -22195,10 +22542,15 @@ async function handleGetExplorerMedia(c, threadManager) {
     } catch {
       return c.json({ error: { code: "NOT_FOUND", message: `File not found: ${filePath}` } }, 404);
     }
-    const ext = filePath.split(".").pop()?.toLowerCase() ?? "";
+    const ext = getFileExtension(filePath);
     const contentType = MEDIA_MIME_TYPES[ext] ?? "application/octet-stream";
     const data = await readFile14(absPath);
-    return new Response(data, { headers: { "Content-Type": contentType } });
+    return new Response(data, {
+      headers: {
+        "Content-Type": contentType,
+        "Cross-Origin-Resource-Policy": "cross-origin"
+      }
+    });
   } catch (error) {
     return errorResponse(
       c,
@@ -22564,6 +22916,17 @@ Links to important documentation, tools, or references.
     if (fileStat.isDirectory()) {
       return c.json({ error: { code: "BAD_REQUEST", message: "Cannot read a directory" } }, 400);
     }
+    if (getExplorerFileMediaType(filePath)) {
+      return c.json(
+        {
+          error: {
+            code: "BAD_REQUEST",
+            message: "Binary media files cannot be read as text. Use the explorer media endpoint."
+          }
+        },
+        400
+      );
+    }
     const content = await readFile15(absPath, "utf-8");
     return c.json({ content, path: filePath });
   } catch (error) {
@@ -25910,11 +26273,81 @@ function createProjectTodosRoutes(metadataManager) {
 // src/features/account/account.routes.ts
 import { Hono as Hono19 } from "hono";
 
+// src/core/network-addresses.ts
+import { networkInterfaces as networkInterfaces2 } from "os";
+function isIPv4Address(family) {
+  return family === "IPv4" || family === 4;
+}
+function getLocalNetworkAddresses() {
+  const addresses = /* @__PURE__ */ new Set();
+  for (const iface of Object.values(networkInterfaces2())) {
+    if (!iface) {
+      continue;
+    }
+    for (const config of iface) {
+      if (config.internal || !isIPv4Address(config.family)) {
+        continue;
+      }
+      addresses.add(config.address);
+    }
+  }
+  return [...addresses].sort();
+}
+
+// src/core/server-bind-mode-store.ts
+import { existsSync as existsSync23, mkdirSync as mkdirSync2, readFileSync as readFileSync8, writeFileSync } from "fs";
+import { join as join32 } from "path";
+
+// src/core/server-bind-mode.ts
+var DEFAULT_SERVER_BIND_MODE = "local";
+function normalizeServerBindMode(value) {
+  return value === "network" ? "network" : "local";
+}
+function getServerBindHostname(mode) {
+  return mode === "network" ? "0.0.0.0" : void 0;
+}
+
+// src/core/server-bind-mode-store.ts
+var SERVER_BIND_MODE_FILE = join32(DATA_DIR, "server-bind-mode.json");
+function hasServerBindModeFile() {
+  return existsSync23(SERVER_BIND_MODE_FILE);
+}
+function readServerBindMode() {
+  try {
+    if (!existsSync23(SERVER_BIND_MODE_FILE)) {
+      return DEFAULT_SERVER_BIND_MODE;
+    }
+    const raw = readFileSync8(SERVER_BIND_MODE_FILE, "utf8");
+    const parsed = JSON.parse(raw);
+    return normalizeServerBindMode(parsed.serverBindMode);
+  } catch {
+    return DEFAULT_SERVER_BIND_MODE;
+  }
+}
+function writeServerBindMode(mode) {
+  mkdirSync2(DATA_DIR, { recursive: true });
+  writeFileSync(
+    SERVER_BIND_MODE_FILE,
+    `${JSON.stringify({ serverBindMode: mode }, null, 2)}
+`,
+    "utf8"
+  );
+}
+
 // src/features/account/account-settings.route.ts
 init_database();
 var DEFAULT_MAXIMUM_TURN_COUNT = 50;
 var KEY_MAXIMUM_TURN_COUNT = "MaximumTurnCount";
 var KEY_USE_TOOLS_THROUGH_CODE = "UseToolsThroughCode";
+var LEGACY_KEY_SERVER_BIND_MODE = "ServerBindMode";
+function buildAccountSettingsResponse(rawMaximumTurnCount, rawUseToolsThroughCode, serverBindMode) {
+  return {
+    maximumTurnCount: normalizeMaximumTurnCount(rawMaximumTurnCount),
+    useToolsThroughCode: rawUseToolsThroughCode !== false,
+    serverBindMode,
+    networkAddresses: serverBindMode === "network" ? getLocalNetworkAddresses() : []
+  };
+}
 function normalizeMaximumTurnCount(value) {
   if (typeof value !== "number" || !Number.isFinite(value)) {
     return DEFAULT_MAXIMUM_TURN_COUNT;
@@ -25925,14 +26358,27 @@ function normalizeMaximumTurnCount(value) {
   }
   return normalized;
 }
+async function getServerBindModeSetting() {
+  if (hasServerBindModeFile()) {
+    return readServerBindMode();
+  }
+  const db = await getDatabase();
+  const legacyValue = await getState(db, LEGACY_KEY_SERVER_BIND_MODE);
+  if (legacyValue === null) {
+    return DEFAULT_SERVER_BIND_MODE;
+  }
+  const migratedMode = normalizeServerBindMode(legacyValue);
+  writeServerBindMode(migratedMode);
+  return migratedMode;
+}
 async function getAccountSettings(c) {
   const db = await getDatabase();
   const rawUseToolsThroughCode = await getState(db, KEY_USE_TOOLS_THROUGH_CODE);
   const rawMaximumTurnCount = await getState(db, KEY_MAXIMUM_TURN_COUNT);
-  return c.json({
-    maximumTurnCount: normalizeMaximumTurnCount(rawMaximumTurnCount),
-    useToolsThroughCode: rawUseToolsThroughCode !== false
-  });
+  const serverBindMode = await getServerBindModeSetting();
+  return c.json(
+    buildAccountSettingsResponse(rawMaximumTurnCount, rawUseToolsThroughCode, serverBindMode)
+  );
 }
 async function updateAccountSettings(c) {
   const body = await c.req.json();
@@ -25943,12 +26389,15 @@ async function updateAccountSettings(c) {
   if (body.maximumTurnCount !== void 0) {
     await setState(db, KEY_MAXIMUM_TURN_COUNT, normalizeMaximumTurnCount(body.maximumTurnCount));
   }
+  if (body.serverBindMode !== void 0) {
+    writeServerBindMode(normalizeServerBindMode(body.serverBindMode));
+  }
   const rawUseToolsThroughCode = await getState(db, KEY_USE_TOOLS_THROUGH_CODE);
   const rawMaximumTurnCount = await getState(db, KEY_MAXIMUM_TURN_COUNT);
-  return c.json({
-    maximumTurnCount: normalizeMaximumTurnCount(rawMaximumTurnCount),
-    useToolsThroughCode: rawUseToolsThroughCode !== false
-  });
+  const serverBindMode = readServerBindMode();
+  return c.json(
+    buildAccountSettingsResponse(rawMaximumTurnCount, rawUseToolsThroughCode, serverBindMode)
+  );
 }
 
 // src/features/account/account.routes.ts
@@ -26209,7 +26658,7 @@ async function clipboardWriteImage(c) {
 }
 
 // src/features/image/image-save.route.ts
-import { join as join32 } from "path";
+import { join as join33 } from "path";
 var Utils5 = null;
 var utilsLoaded5 = false;
 async function loadUtils5() {
@@ -26246,7 +26695,7 @@ async function saveImage(c) {
       return c.json({ error: "imageUrl or imageData is required" }, 400);
     }
     const name = filename ?? `generated-image-${Date.now()}.png`;
-    const savePath = join32(Utils5.paths.downloads, name);
+    const savePath = join33(Utils5.paths.downloads, name);
     await Bun.write(savePath, data);
     return c.json({ success: true, path: savePath });
   } catch (error) {
@@ -26452,7 +26901,7 @@ import { Hono as Hono25 } from "hono";
 
 // src/features/user-tasks/user-tasks.database.ts
 init_database();
-import { randomUUID as randomUUID11 } from "crypto";
+import { randomUUID as randomUUID12 } from "crypto";
 async function getUserTasksByThread(db, threadId) {
   const result = await db.execute({
     sql: `SELECT id, threadId, content, createdAt, updatedAt
@@ -26465,7 +26914,7 @@ async function getUserTasksByThread(db, threadId) {
 }
 async function insertUserTask(threadId, content) {
   const db = await getDatabase();
-  const id = randomUUID11();
+  const id = randomUUID12();
   const now = (/* @__PURE__ */ new Date()).toISOString();
   await db.execute({
     sql: `INSERT INTO user_tasks (id, threadId, content, createdAt, updatedAt)
@@ -26518,7 +26967,15 @@ function createUserTaskRoutes() {
 // src/server.ts
 var __filename = fileURLToPath2(import.meta.url);
 var __dirname = path5.dirname(__filename);
+var startPromise = null;
 async function startTarskServer(options) {
+  if (startPromise) {
+    return startPromise;
+  }
+  startPromise = startTarskServerInternal(options);
+  return startPromise;
+}
+async function startTarskServerInternal(options) {
   const { isDebug: isDebug2, publicDir: publicDirOverride } = options;
   const port = isDebug2 ? 462 : process.env.PORT ? parseInt(process.env.PORT) : 641;
   const app = new Hono26();
@@ -26652,22 +27109,58 @@ async function startTarskServer(options) {
     };
     return c.json(errorResponse2, 404);
   });
+  const serverBindMode = readServerBindMode();
+  const hostname2 = getServerBindHostname(serverBindMode);
   const url = `http://localhost:${port}`;
-  process.stdout.write(`Tarsk started on ${url}
+  const bound = await listenForTarskServer({
+    fetch: app.fetch,
+    hostname: hostname2,
+    onListening: () => {
+      process.stdout.write(`Tarsk started on ${url}
 `);
-  serve(
-    {
-      fetch: app.fetch,
-      port
-    },
-    () => {
+      if (serverBindMode === "network") {
+        for (const address of getLocalNetworkAddresses()) {
+          process.stdout.write(`  Network: http://${address}:${port}
+`);
+        }
+      }
       if (options.openBrowser) {
         open3(url).catch(() => {
         });
       }
+    },
+    port
+  });
+  if (!bound) {
+    return { url, port, bound: false };
+  }
+  return { url, port, bound: true };
+}
+async function listenForTarskServer(options) {
+  const server = createAdaptorServer({
+    fetch: options.fetch,
+    hostname: options.hostname,
+    port: options.port
+  });
+  return new Promise((resolve6, reject) => {
+    server.once("error", (error) => {
+      if (error.code === "EADDRINUSE") {
+        resolve6(false);
+        return;
+      }
+      startPromise = null;
+      reject(error);
+    });
+    function onListening() {
+      options.onListening();
+      resolve6(true);
     }
-  );
-  return { url, port };
+    if (options.hostname) {
+      server.listen(options.port, options.hostname, onListening);
+    } else {
+      server.listen(options.port, onListening);
+    }
+  });
 }
 
 // src/index.ts
@@ -26675,7 +27168,7 @@ import fs4 from "fs";
 import path6 from "path";
 var args = process.argv.slice(2);
 var isDebug = args.includes("--debug");
-var shouldOpenBrowser = args.includes("--open");
+var isServerOnly = args.includes("--server");
 if (!isDebug) {
   console.log = () => {
   };
@@ -26709,5 +27202,5 @@ if (!isDebug) {
 var isDevelopment = process.env.MODE === "development";
 await startTarskServer({
   isDebug,
-  openBrowser: shouldOpenBrowser || !isDevelopment
+  openBrowser: !isServerOnly && !isDevelopment
 });