thinkpool-pair 0.6.0 → 0.6.2

package/bridge.mjs

@@ -124,6 +124,10 @@ const headless = argv.includes('--headless')
 // relay. Default OFF — the PTY path is untouched. Only applies to `claude`.
 // Spec: docs/specs/2026-06-11-code-structured-reader.md
 const STRUCTURED = process.env.TP_STRUCTURED === '1' || argv.includes('--structured')
+// Claude Code runs as a STRUCTURED Agent-SDK session by default now (the picked
+// design — structured reader, risk-tiered permissions). Other CLIs keep the PTY
+// relay. TP_PTY=1 forces claude back to the raw PTY if ever needed.
+const wantStructured = (cmd) => /(^|[/\\])claude$/.test(cmd || '') && process.env.TP_PTY !== '1'
 const installedAgents = KNOWN_AGENTS.filter(a => onPath(a.cmd))
 const dashIdx = argv.indexOf('--')
 // Own flags are only read from BEFORE `--`; after it, every token belongs
@@ -383,6 +387,11 @@ channel
       const agent = KNOWN_AGENTS.find(a => a.cmd === payload.cmd)
       if (agent?.resume) { try { if (agent.resume.probe()) args = [...agent.resume.args] } catch { /* fresh */ } }
     }
+    if (wantStructured(payload.cmd)) {
+      openStructured({ id: payload.id })
+      process.stderr.write(`\n  ◆ web opened a structured "${payload.cmd}" session.\n`)
+      return
+    }
     openTerm({ id: payload.id, cmd: payload.cmd, args })
     process.stderr.write(`\n  ◆ web opened a "${payload.cmd}"${args.length ? ' (continue)' : ''} terminal (headless).\n`)
   })
@@ -435,7 +444,17 @@ channel
   })
   .on('broadcast', { event: 'code-turn' }, ({ payload }) => {
     const s = payload?.term && sessions.get(payload.term)
-    if (s && payload.text != null) s.session.sendTurn(payload.text)
+    if (s && payload.text != null) {
+      s.session.sendTurn(payload.text)
+      // Echo the turn so BOTH readers (and late joiners, via the log) show who
+      // said what — UNLESS silent (an @pool synthesis, which renders as its own
+      // 'pool' line). The sender rendered it optimistically; partner gets this.
+      if (!payload.silent) {
+        const evt = { kind: 'you', text: payload.text, cid: payload.cid, by: payload.by }
+        s.log.push(evt); if (s.log.length > STRUCTURED_LOG_MAX) s.log.shift()
+        bcast('code-event', { term: payload.term, evt })
+      }
+    }
   })
   .on('broadcast', { event: 'code-perm' }, ({ payload }) => {
     const s = payload?.term && sessions.get(payload.term)
@@ -456,7 +475,7 @@ channel
       channel.track({ name, role: 'bridge' })
       if (attachedCmd && !terms.size && !sessions.size) {
         // Claude + structured mode → Agent SDK session; everything else → PTY.
-        if (STRUCTURED && /(^|[/\\])claude$/.test(attachedCmd)) openStructured({ id: randomUUID() })
+        if (wantStructured(attachedCmd)) openStructured({ id: randomUUID() })
         else openTerm({ id: randomUUID(), cmd: attachedCmd, args: attachedArgs, attached: true })
       }
       announce()

package/claude-session.mjs

@@ -18,7 +18,10 @@ import { query } from '@anthropic-ai/claude-agent-sdk'
 // ── risk classification — the accent/danger tier of the permission card ──
 // low (read-only) · medium (writes/runs) · network (leaves the machine) ·
 // high (destructive, deny-first). See the permission spec + mockups.
-const DESTRUCTIVE = /\brm\s+-[a-z]*[rf]|\bgit\s+(push\s+(-f|--force)|reset\s+--hard|clean\s+-[a-z]*f)|\bdrop\s+(table|database)\b|\b(mkfs|dd)\b|\bsudo\b|>\s*\/dev\/|\bchmod\s+-R|\bchown\s+-R|\bkillall\b|\btruncate\b/i
+// Any `rm`/`rmdir` with an argument is destructive (a bare `rm NOTES.md`
+// deletes just as permanently as `rm -rf`). Plus force-push, hard reset,
+// clean -f, DROP, mkfs/dd, sudo, /dev redirects, recursive chmod/chown, etc.
+const DESTRUCTIVE = /\brm\s+\S|\brmdir\s+\S|\bgit\s+(push\s+(-f|--force)|reset\s+--hard|clean\s+-[a-z]*f)|\bdrop\s+(table|database)\b|\b(mkfs|dd)\b|\bsudo\b|>\s*\/dev\/|\bchmod\s+-R|\bchown\s+-R|\bkillall\b|\btruncate\b/i
 const READONLY_TOOLS = new Set(['Read', 'Grep', 'Glob', 'NotebookRead', 'TodoRead', 'LS'])
 const NETWORK_TOOLS = new Set(['WebFetch', 'WebSearch'])
 const WRITE_TOOLS = new Set(['Edit', 'Write', 'MultiEdit', 'NotebookEdit', 'TodoWrite'])
@@ -96,12 +99,17 @@ export function startClaudeSession({ cwd, model, resume, onEvent, requestPermiss
     try {
       decision = await requestPermission?.({ id: randomUUID(), toolName, input: toolInput, risk }) ?? 'allow'
     } catch { decision = 'deny' } // a broken permission path must fail safe (deny)
+    // On deny, permissionDecisionReason IS what the model receives as the
+    // tool error — make it a real instruction, not an opaque tag.
+    const denied = decision === 'deny'
     return {
       continue: true,
       hookSpecificOutput: {
         hookEventName: 'PreToolUse',
-        permissionDecision: decision === 'deny' ? 'deny' : 'allow',
-        permissionDecisionReason: 'thinkpool-room',
+        permissionDecision: denied ? 'deny' : 'allow',
+        permissionDecisionReason: denied
+          ? 'Denied by the user in the ThinkPool room. Do not retry this tool — ask what to do instead.'
+          : 'Approved in the ThinkPool room.',
       },
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thinkpool-pair",
-  "version": "0.6.0",
+  "version": "0.6.2",
   "description": "Share a local coding-agent CLI (Claude Code, Codex, Gemini, Aider, …) into a ThinkPool Code room, live.",
   "type": "module",
   "bin": {