wave-agent-sdk 0.10.4 → 0.11.1

package/src/managers/mcpManager.ts

@@ -347,6 +347,7 @@ export class McpManager {
   async executeMcpTool(
     toolName: string,
     args: Record<string, unknown>,
+    context?: ToolContext,
   ): Promise<{
     success: boolean;
     content: string;
@@ -360,6 +361,23 @@ export class McpManager {
       );
     }
 
+    // Permission check
+    if (context?.permissionManager) {
+      const permissionContext = context.permissionManager.createContext(
+        toolName,
+        context.permissionMode || "default",
+        context.canUseToolCallback,
+        args,
+        context.toolCallId,
+      );
+
+      const decision =
+        await context.permissionManager.checkPermission(permissionContext);
+      if (decision.behavior === "deny") {
+        throw new Error(decision.message || "Permission denied");
+      }
+    }
+
     const parts = toolName.split("__");
     if (parts.length < 3) {
       throw new Error(
@@ -479,8 +497,11 @@ export class McpManager {
         const plugin = createMcpToolPlugin(
           tool,
           server.name,
-          (name: string, args: Record<string, unknown>) =>
-            this.executeMcpTool(name, args),
+          (
+            name: string,
+            args: Record<string, unknown>,
+            context?: ToolContext,
+          ) => this.executeMcpTool(name, args, context),
         );
         mcpTools.set(plugin.name, plugin);
       }

package/src/managers/messageManager.ts

@@ -45,12 +45,6 @@ export interface MessageManagerCallbacks {
   onErrorBlockAdded?: (error: string) => void;
   onCompressBlockAdded?: (content: string) => void;
   onCompressionStateChange?: (isCompressing: boolean) => void;
-  onMemoryBlockAdded?: (
-    content: string,
-    success: boolean,
-    type: "project" | "user",
-    storagePath: string,
-  ) => void;
   // Bang callback
   onAddBangMessage?: (command: string) => void;
   onUpdateBangMessage?: (command: string, output: string) => void;

package/src/managers/permissionManager.ts

@@ -92,12 +92,16 @@ const DEFAULT_ALLOWED_RULES = [
 import { logger } from "../utils/globalLogger.js";
 
 export interface PermissionManagerOptions {
-  /** Configured default permission mode from settings */
-  configuredDefaultMode?: PermissionMode;
+  /** Configured permission mode from settings */
+  configuredPermissionMode?: PermissionMode;
   /** Allowed rules from settings */
   allowedRules?: string[];
   /** Denied rules from settings */
   deniedRules?: string[];
+  /** Instance-specific allowed rules (from AgentOptions) */
+  instanceAllowedRules?: string[];
+  /** Instance-specific denied rules (from AgentOptions) */
+  instanceDeniedRules?: string[];
   /** Additional directories considered part of the Safe Zone */
   additionalDirectories?: string[];
   /** The main working directory */
@@ -109,61 +113,70 @@ export interface PermissionManagerOptions {
 }
 
 export class PermissionManager {
-  private configuredDefaultMode?: PermissionMode;
+  private configuredPermissionMode?: PermissionMode;
   private allowedRules: string[] = [];
   private deniedRules: string[] = [];
+  private instanceAllowedRules: string[] = [];
+  private instanceDeniedRules: string[] = [];
   private temporaryRules: string[] = [];
   private additionalDirectories: string[] = [];
   private systemAdditionalDirectories: string[] = [];
   private workdir?: string;
   private planFilePath?: string;
-  private onConfiguredDefaultModeChange?: (mode: PermissionMode) => void;
+  private worktreeName?: string;
+  private mainRepoRoot?: string;
+  private onConfiguredPermissionModeChange?: (mode: PermissionMode) => void;
   private _logger?: Logger;
 
   constructor(
     private container: Container,
     options: PermissionManagerOptions = {},
   ) {
-    this.configuredDefaultMode = options.configuredDefaultMode;
+    this.configuredPermissionMode = options.configuredPermissionMode;
     this.allowedRules = options.allowedRules || [];
     this.deniedRules = options.deniedRules || [];
+    this.instanceAllowedRules = options.instanceAllowedRules || [];
+    this.instanceDeniedRules = options.instanceDeniedRules || [];
     this.workdir = options.workdir;
     this.planFilePath = options.planFilePath;
     this._logger = options.logger;
     this.updateAdditionalDirectories(options.additionalDirectories || []);
+
+    this.worktreeName = this.container.get<string>("WorktreeName");
+    this.mainRepoRoot = this.container.get<string>("MainRepoRoot");
   }
 
   /**
    * Set a callback to be notified when the effective permission mode changes due to configuration updates
    */
-  public setOnConfiguredDefaultModeChange(
+  public setOnConfiguredPermissionModeChange(
     callback: (mode: PermissionMode) => void,
   ): void {
-    this.onConfiguredDefaultModeChange = callback;
+    this.onConfiguredPermissionModeChange = callback;
   }
 
   /**
    * Update the configured default mode (e.g., when configuration reloads)
    */
-  updateConfiguredDefaultMode(defaultMode?: PermissionMode): void {
+  updateConfiguredPermissionMode(permissionMode?: PermissionMode): void {
     const oldEffectiveMode = this.getCurrentEffectiveMode();
 
-    this.configuredDefaultMode = defaultMode;
+    this.configuredPermissionMode = permissionMode;
 
     const newEffectiveMode = this.getCurrentEffectiveMode();
     if (
       oldEffectiveMode !== newEffectiveMode &&
-      this.onConfiguredDefaultModeChange
+      this.onConfiguredPermissionModeChange
     ) {
-      this.onConfiguredDefaultModeChange(newEffectiveMode);
+      this.onConfiguredPermissionModeChange(newEffectiveMode);
     }
   }
 
   /**
    * Get the configured default mode
    */
-  public getConfiguredDefaultMode(): PermissionMode | undefined {
-    return this.configuredDefaultMode;
+  public getConfiguredPermissionMode(): PermissionMode | undefined {
+    return this.configuredPermissionMode;
   }
 
   /**
@@ -180,6 +193,20 @@ export class PermissionManager {
     return [...this.deniedRules];
   }
 
+  /**
+   * Get all instance-specific allowed rules
+   */
+  public getInstanceAllowedRules(): string[] {
+    return [...this.instanceAllowedRules];
+  }
+
+  /**
+   * Get all instance-specific denied rules
+   */
+  public getInstanceDeniedRules(): string[] {
+    return [...this.instanceDeniedRules];
+  }
+
   /**
    * Get all additional directories
    */
@@ -325,8 +352,8 @@ export class PermissionManager {
     }
 
     // Use configured default mode if available
-    if (this.configuredDefaultMode !== undefined) {
-      return this.configuredDefaultMode;
+    if (this.configuredPermissionMode !== undefined) {
+      return this.configuredPermissionMode;
     }
 
     // Fall back to system default
@@ -340,6 +367,54 @@ export class PermissionManager {
   async checkPermission(
     context: ToolPermissionContext,
   ): Promise<PermissionDecision> {
+    // 0. Check instance-specific denied rules first - Deny always takes precedence
+    for (const rule of this.instanceDeniedRules) {
+      if (this.matchesRule(context, rule)) {
+        logger?.warn("Permission denied by instance rule", {
+          toolName: context.toolName,
+          rule,
+        });
+        return {
+          behavior: "deny",
+          message: `Access to tool '${context.toolName}' is explicitly denied by instance rule: ${rule}`,
+        };
+      }
+    }
+
+    // 0. Check worktree safety for Write and Edit tools
+    if (
+      this.worktreeName &&
+      this.mainRepoRoot &&
+      this.workdir &&
+      (context.toolName === WRITE_TOOL_NAME ||
+        context.toolName === EDIT_TOOL_NAME)
+    ) {
+      const targetPath = context.toolInput?.file_path as string | undefined;
+      if (targetPath) {
+        const absoluteTargetPath = path.resolve(this.workdir, targetPath);
+        const isInsideMainRepo = isPathInside(
+          absoluteTargetPath,
+          this.mainRepoRoot,
+        );
+        const isInsideWorktree = isPathInside(absoluteTargetPath, this.workdir);
+
+        // If it's inside the main repo but NOT inside the current worktree
+        if (isInsideMainRepo && !isInsideWorktree) {
+          logger?.warn("Worktree safety violation", {
+            toolName: context.toolName,
+            targetPath,
+            worktreeName: this.worktreeName,
+            mainRepoRoot: this.mainRepoRoot,
+            workdir: this.workdir,
+          });
+          return {
+            behavior: "deny",
+            message: `Access denied: You are currently in a worktree session ("${this.worktreeName}"). Modifying files in the main repository (outside the worktree) is not allowed. Please only modify files within the worktree directory: ${this.workdir}`,
+          };
+        }
+      }
+    }
+
     // 0. Check denied rules first - Deny always takes precedence
     for (const rule of this.deniedRules) {
       if (this.matchesRule(context, rule)) {
@@ -359,7 +434,7 @@ export class PermissionManager {
       return { behavior: "allow" };
     }
 
-    // 1.1 If acceptEdits mode, allow Edit, Write
+    // 1.1 If acceptEdits mode, allow Edit, Write, and mkdir in safe zone
     if (context.permissionMode === "acceptEdits") {
       const autoAcceptedTools = [EDIT_TOOL_NAME, WRITE_TOOL_NAME];
       if (autoAcceptedTools.includes(context.toolName)) {
@@ -387,6 +462,40 @@ export class PermissionManager {
           }
         }
       }
+
+      // Special case for mkdir in Bash tool
+      if (context.toolName === BASH_TOOL_NAME && context.toolInput?.command) {
+        const command = String(context.toolInput.command).trim();
+        if (command.startsWith("mkdir ")) {
+          const parts = splitBashCommand(command);
+          // Check if it's a simple mkdir command (first part is mkdir)
+          if (parts.length === 1) {
+            const processedPart = stripEnvVars(parts[0]);
+            if (processedPart.startsWith("mkdir ")) {
+              const args = processedPart.slice(6).trim();
+              const pathArgs =
+                (args.match(/(?:[^\s"']+|"[^"]*"|'[^']*')+/g) || []).filter(
+                  (arg) => !arg.startsWith("-"),
+                ) || [];
+
+              if (pathArgs.length > 0) {
+                const allPathsSafe = pathArgs.every((pathArg) => {
+                  const cleanPath = pathArg.replace(/^['"](.*)['"]$/, "$1");
+                  const { isInside } = this.isInsideSafeZone(
+                    cleanPath,
+                    context.toolInput?.workdir as string | undefined,
+                  );
+                  return isInside;
+                });
+
+                if (allPathsSafe) {
+                  return { behavior: "allow" };
+                }
+              }
+            }
+          }
+        }
+      }
     }
 
     // 1.2 Check if tool call is allowed by persistent or temporary rules
@@ -475,7 +584,27 @@ export class PermissionManager {
    * Determine if a tool requires permission checks based on its name
    */
   isRestrictedTool(toolName: string): boolean {
-    return (RESTRICTED_TOOLS as readonly string[]).includes(toolName);
+    return (
+      (RESTRICTED_TOOLS as readonly string[]).includes(toolName) ||
+      toolName.startsWith("mcp__")
+    );
+  }
+
+  /**
+   * Check if a tool is completely denied by name in instance or global rules
+   */
+  public isToolDenied(toolName: string): boolean {
+    // Check instance-specific denied rules
+    if (this.instanceDeniedRules.includes(toolName)) {
+      return true;
+    }
+
+    // Check global denied rules
+    if (this.deniedRules.includes(toolName)) {
+      return true;
+    }
+
+    return false;
   }
 
   /**
@@ -497,6 +626,8 @@ export class PermissionManager {
         const processedPart = stripRedirections(stripEnvVars(parts[0]));
         suggestedPrefix = getSmartPrefix(processedPart) ?? undefined;
       }
+    } else if (toolName.startsWith("mcp__")) {
+      suggestedPrefix = toolName;
     }
 
     const context: ToolPermissionContext = {
@@ -742,7 +873,12 @@ export class PermissionManager {
       return rules.some((rule) => this.matchesRule(ctx, rule));
     };
 
-    // Check temporary rules first
+    // Check instance-specific allowed rules first
+    if (isAllowedByRuleList(context, this.instanceAllowedRules)) {
+      return true;
+    }
+
+    // Check temporary rules
     if (isAllowedByRuleList(context, this.temporaryRules)) {
       return true;
     }

package/src/managers/slashCommandManager.ts

@@ -16,7 +16,6 @@ import {
   replaceBashCommandsWithOutput,
   executeBashCommands,
 } from "../utils/markdownParser.js";
-import { INIT_PROMPT } from "../prompts/index.js";
 import type { SkillManager } from "./skillManager.js";
 import type { SkillMetadata } from "../types/skills.js";
 
@@ -73,21 +72,15 @@ export class SlashCommandManager {
   }
 
   private initializeBuiltinCommands(): void {
-    // Register built-in init command
+    // Register built-in clear command
     this.registerCommand({
-      id: "init",
-      name: "init",
-      description:
-        "Initialize repository for AI agents by generating AGENTS.md",
+      id: "clear",
+      name: "clear",
+      description: "Clear conversation history and reset session",
       handler: async () => {
-        // Add custom command message to show the command being executed
-        this.messageManager.addUserMessage({
-          content: "/init",
-          customCommandContent: INIT_PROMPT,
-        });
-
-        // Execute the AI conversation with the init prompt
-        await this.aiManager.sendAIMessage();
+        this.aiManager.abortAIMessage();
+        this.messageManager.clearMessages();
+        await this.taskManager.syncWithSession();
       },
     });
   }

package/src/managers/subagentManager.ts

@@ -80,6 +80,7 @@ export interface SubagentManagerOptions {
   workdir: string;
   callbacks?: SubagentManagerCallbacks; // Use SubagentManagerCallbacks instead of parentCallbacks
   onUsageAdded?: (usage: Usage) => void;
+  stream: boolean;
 }
 
 export class SubagentManager {
@@ -90,12 +91,14 @@ export class SubagentManager {
   private callbacks?: SubagentManagerCallbacks; // Use SubagentManagerCallbacks instead of parentCallbacks
   private onUsageAdded?: (usage: Usage) => void;
   private container: Container;
+  private stream: boolean;
 
   constructor(container: Container, options: SubagentManagerOptions) {
     this.container = container;
     this.workdir = options.workdir;
     this.callbacks = options.callbacks; // Store SubagentManagerCallbacks
     this.onUsageAdded = options.onUsageAdded;
+    this.stream = options.stream;
   }
 
   private get configurationService(): ConfigurationService {
@@ -155,6 +158,7 @@ export class SubagentManager {
       subagent_type: string;
       allowedTools?: string[];
       model?: string;
+      stream?: boolean;
     },
     runInBackground?: boolean,
     onUpdate?: () => void,
@@ -178,10 +182,16 @@ export class SubagentManager {
       this.container.get<PermissionManager>("PermissionManager");
     const subagentPermissionManager = new PermissionManager(subagentContainer, {
       workdir: this.workdir,
-      configuredDefaultMode:
-        parentPermissionManager?.getConfiguredDefaultMode(),
+      configuredPermissionMode:
+        parentPermissionManager?.getConfiguredPermissionMode(),
       allowedRules: parentPermissionManager?.getAllowedRules(),
       deniedRules: parentPermissionManager?.getDeniedRules(),
+      instanceAllowedRules:
+        parentPermissionManager?.getInstanceAllowedRules?.(),
+      instanceDeniedRules: [
+        ...(parentPermissionManager?.getInstanceDeniedRules?.() || []),
+        AGENT_TOOL_NAME, // Always deny Agent tool in subagents to prevent recursion
+      ],
       additionalDirectories:
         parentPermissionManager?.getAdditionalDirectories(),
       planFilePath: parentPermissionManager?.getPlanFilePath(),
@@ -222,6 +232,7 @@ export class SubagentManager {
       systemPrompt: configuration.systemPrompt,
       subagentType: parameters.subagent_type, // Pass subagent type for hook context
       modelOverride: parameters.model || configuration.model, // Pass model override
+      stream: parameters.stream ?? this.stream, // Pass streaming mode flag
       callbacks: {
         onUsageAdded: this.onUsageAdded,
       },
@@ -410,24 +421,9 @@ export class SubagentManager {
       // Add the user's prompt as a message
       instance.messageManager.addUserMessage({ content: prompt });
 
-      // Create enabled tools list - always exclude Agent tool to prevent subagent recursion
-      // Use instance.configuration.tools if provided, otherwise fallback to all tools
-      let enabledTools = instance.configuration.tools;
-
-      // Always filter out the Agent tool to prevent subagents from creating sub-subagents
-      if (enabledTools) {
-        enabledTools = enabledTools.filter((tool) => tool !== AGENT_TOOL_NAME);
-      } else {
-        // If no tools specified, get all tools except Agent
-        const allTools = instance.toolManager.list().map((tool) => tool.name);
-        enabledTools = allTools.filter((tool) => tool !== AGENT_TOOL_NAME);
-      }
-
-      // Execute the AI request with tool restrictions
+      // Execute the AI request
       // The AIManager will handle abort signals through its own abort controllers
-      const executeAI = instance.aiManager.sendAIMessage({
-        tools: enabledTools,
-      });
+      const executeAI = instance.aiManager.sendAIMessage();
 
       // If we have an abort signal, race against it using utilities to prevent listener accumulation
       if (abortSignal && !instance.backgroundTaskId) {

package/src/managers/toolManager.ts

@@ -6,6 +6,9 @@ import { editTool } from "../tools/editTool.js";
 import { writeTool } from "../tools/writeTool.js";
 import { exitPlanModeTool } from "../tools/exitPlanMode.js";
 import { askUserQuestionTool } from "../tools/askUserQuestion.js";
+import { cronCreateTool } from "../tools/cronCreateTool.js";
+import { cronDeleteTool } from "../tools/cronDeleteTool.js";
+import { cronListTool } from "../tools/cronListTool.js";
 // New tools
 import { globTool } from "../tools/globTool.js";
 import { grepTool } from "../tools/grepTool.js";
@@ -114,6 +117,9 @@ class ToolManager {
       taskGetTool,
       taskUpdateTool,
       taskListTool,
+      cronCreateTool,
+      cronDeleteTool,
+      cronListTool,
     ];
 
     for (const tool of builtInTools) {
@@ -124,9 +130,17 @@ class ToolManager {
   }
 
   /**
-   * Check if a tool should be enabled based on tools configuration
+   * Check if a tool should be enabled based on tools configuration and permission rules
    */
   private shouldEnableTool(name: string): boolean {
+    const permissionManager =
+      this.container.get<PermissionManager>("PermissionManager");
+
+    // If tool is explicitly denied by name in permission rules, filter it out
+    if (permissionManager?.isToolDenied(name)) {
+      return false;
+    }
+
     if (!this.tools) {
       return true;
     }
@@ -194,6 +208,11 @@ class ToolManager {
       skillManager: this.container.has("SkillManager")
         ? this.container.get<SkillManager>("SkillManager")
         : undefined,
+      cronManager: this.container.has("CronManager")
+        ? this.container.get<import("./cronManager.js").CronManager>(
+            "CronManager",
+          )
+        : undefined,
       sessionId: context.sessionId,
       toolCallId: context.toolCallId,
     };
@@ -241,8 +260,14 @@ class ToolManager {
   }
 
   list(): ToolPlugin[] {
-    const builtInTools = Array.from(this.toolsRegistry.values());
-    const mcpTools = this.mcpManager.getMcpToolPlugins();
+    const permissionManager =
+      this.container.get<PermissionManager>("PermissionManager");
+    const builtInTools = Array.from(this.toolsRegistry.values()).filter(
+      (tool) => !permissionManager?.isToolDenied(tool.name),
+    );
+    const mcpTools = this.mcpManager
+      .getMcpToolPlugins()
+      .filter((tool) => !permissionManager?.isToolDenied(tool.name));
     return [...builtInTools, ...mcpTools];
   }
 
@@ -251,9 +276,15 @@ class ToolManager {
     availableSkills?: SkillMetadata[];
     workdir?: string;
   }): ChatCompletionFunctionTool[] {
+    const permissionManager =
+      this.container.get<PermissionManager>("PermissionManager");
     const effectivePermissionMode = this.getPermissionMode();
     const builtInToolsConfig = Array.from(this.toolsRegistry.values())
       .filter((tool) => {
+        // If tool is explicitly denied by name in permission rules, filter it out
+        if (permissionManager?.isToolDenied(tool.name)) {
+          return false;
+        }
         if (effectivePermissionMode === "bypassPermissions") {
           if (tool.name === "ExitPlanMode" || tool.name === "AskUserQuestion") {
             return false;
@@ -278,7 +309,9 @@ class ToolManager {
         }
         return config;
       });
-    const mcpToolsConfig = this.mcpManager.getMcpToolsConfig();
+    const mcpToolsConfig = this.mcpManager
+      .getMcpToolsConfig()
+      .filter((tool) => !permissionManager?.isToolDenied(tool.function.name));
     return [...builtInToolsConfig, ...mcpToolsConfig];
   }