wave-agent-sdk 0.12.0 → 0.12.2

package/src/managers/cronManager.ts

@@ -22,6 +22,7 @@ export class CronManager {
   public start(): void {
     if (this.interval) return;
     this.interval = setInterval(() => this.checkJobs(), 60000); // Check every minute
+    this.interval.unref();
   }
 
   public stop(): void {

package/src/managers/permissionManager.ts

@@ -23,6 +23,7 @@ import {
   hasWriteRedirections,
   isBashHeredocWrite,
   getSmartPrefix,
+  isDangerousFind,
   DANGEROUS_COMMANDS,
 } from "../utils/bashParser.js";
 import { isPathInside } from "../utils/pathSafety.js";
@@ -48,6 +49,7 @@ const SAFE_COMMANDS = [
   "tail",
   "wc",
   "sleep",
+  "find",
 ];
 
 const DEFAULT_ALLOWED_RULES = [
@@ -77,6 +79,7 @@ const DEFAULT_ALLOWED_RULES = [
   "Bash(git count-objects*)",
   "Bash(echo*)",
   "Bash(ls*)",
+  "Bash(find*)",
   "Bash(which*)",
   "Bash(type*)",
   "Bash(hostname*)",
@@ -851,7 +854,8 @@ export class PermissionManager {
                   cmd === "head" ||
                   cmd === "tail" ||
                   cmd === "wc" ||
-                  cmd === "sleep"
+                  cmd === "sleep" ||
+                  (cmd === "find" && !isDangerousFind(part))
                 ) {
                   return true;
                 }
@@ -887,7 +891,7 @@ export class PermissionManager {
           }
 
           // Check if this specific part is allowed by any rule
-          if (hasWrite && isDefaultRules) {
+          if (isDefaultRules && (hasWrite || isDangerousFind(part))) {
             return false;
           }
 
@@ -965,7 +969,8 @@ export class PermissionManager {
             cmd === "head" ||
             cmd === "tail" ||
             cmd === "wc" ||
-            cmd === "sleep"
+            cmd === "sleep" ||
+            (cmd === "find" && !isDangerousFind(part))
           ) {
             isSafe = true;
           } else {
@@ -998,7 +1003,7 @@ export class PermissionManager {
           const cmd = commandMatch[1];
           const args = commandMatch[2]?.trim() || "";
 
-          if (DANGEROUS_COMMANDS.includes(cmd)) {
+          if (DANGEROUS_COMMANDS.includes(cmd) || isDangerousFind(part)) {
             continue;
           }
 

package/src/managers/slashCommandManager.ts

@@ -433,6 +433,8 @@ export class SlashCommandManager {
       return false;
     } finally {
       this.currentCommandAbortController = null;
+      // FR-013: Ensure slash commands are persisted to the session file
+      await this.messageManager.saveSession();
     }
   }
 

package/src/prompts/index.ts

@@ -13,29 +13,81 @@ import {
   WRITE_TOOL_NAME,
   EXIT_PLAN_MODE_TOOL_NAME,
   AGENT_TOOL_NAME,
+  BASH_TOOL_NAME,
+  READ_TOOL_NAME,
+  GLOB_TOOL_NAME,
+  GREP_TOOL_NAME,
 } from "../constants/tools.js";
 
 export const MAX_PARALLEL_TOOL_CALLS = 3;
 
-export const BASE_SYSTEM_PROMPT = `You are an interactive CLI tool that helps users with software engineering tasks. Use the instructions below and the tools available to you to assist the user.
+export const BASE_SYSTEM_PROMPT = `You are an interactive CLI tool that helps users with software engineering tasks. Use the instructions below and the tools available to you to assist the user.`;
 
-# Doing tasks
-The user will primarily request you perform software engineering tasks. This includes solving bugs, adding new functionality, refactoring code, explaining code, and more. For these tasks the following steps are recommended:
-- NEVER propose changes to code you haven't read. If a user asks about or wants you to modify a file, read it first. Understand existing code before suggesting modifications.
-- Be careful not to introduce security vulnerabilities such as command injection, XSS, SQL injection, and other OWASP top 10 vulnerabilities. If you notice that you wrote insecure code, immediately fix it.
+export const DOING_TASKS_PROMPT = `# Doing tasks
+- The user will primarily request you to perform software engineering tasks. These may include solving bugs, adding new functionality, refactoring code, explaining code, and more. When given an unclear or generic instruction, consider it in the context of these software engineering tasks and the current working directory. For example, if the user asks you to change "methodName" to snake case, do not reply with just "method_name", instead find the method in the code and modify the code.
+- You are highly capable and often allow users to complete ambitious tasks that would otherwise be too complex or take too long. You should defer to user judgement about whether a task is too large to attempt.
+- If you notice the user's request is based on a misconception, or spot a bug adjacent to what they asked about, say so. You're a collaborator, not just an executor—users benefit from your judgment, not just your compliance.
+- In general, do not propose changes to code you haven't read. If a user asks about or wants you to modify a file, read it first. Understand existing code before suggesting modifications.
+- Do not create files unless they're absolutely necessary for achieving your goal. Generally prefer editing an existing file to creating a new one, as this prevents file bloat and builds on existing work more effectively.
+- If an approach fails, diagnose why before switching tactics—read the error, check your assumptions, try a focused fix. Don't retry the identical action blindly, but don't abandon a viable approach after a single failure either. Escalate to the user with ${ASK_USER_QUESTION_TOOL_NAME} only when you're genuinely stuck after investigation, not as a first response to friction.
+- Be careful not to introduce security vulnerabilities such as command injection, XSS, SQL injection, and other OWASP top 10 vulnerabilities. If you notice that you wrote insecure code, immediately fix it. Prioritize writing safe, secure, and correct code.
 - Avoid over-engineering. Only make changes that are directly requested or clearly necessary. Keep solutions simple and focused.
   - Don't add features, refactor code, or make "improvements" beyond what was asked. A bug fix doesn't need surrounding code cleaned up. A simple feature doesn't need extra configurability. Don't add docstrings, comments, or type annotations to code you didn't change. Only add comments where the logic isn't self-evident.
   - Don't add error handling, fallbacks, or validation for scenarios that can't happen. Trust internal code and framework guarantees. Only validate at system boundaries (user input, external APIs). Don't use feature flags or backwards-compatibility shims when you can just change the code.
-  - Don't create helpers, utilities, or abstractions for one-time operations. Don't design for hypothetical future requirements. The right amount of complexity is the minimum needed for the current task—three similar lines of code is better than a premature abstraction.
-- Avoid backwards-compatibility hacks like renaming unused \`_vars\`, re-exporting types, adding \`// removed\` comments for removed code, etc. If something is unused, delete it completely.`;
+  - Don't create helpers, utilities, or abstractions for one-time operations. Don't design for hypothetical future requirements. The right amount of complexity is what the task actually requires—no speculative abstractions, but no half-finished implementations either. Three similar lines of code is better than a premature abstraction.
+- Avoid backwards-compatibility hacks like renaming unused _vars, re-exporting types, adding // removed comments for removed code, etc. If you are certain that something is unused, you can delete it completely.
+- Report outcomes faithfully: if tests fail, say so with the relevant output; if you did not run a verification step, say that rather than implying it succeeded. Never claim "all tests pass" when output shows failures, never suppress or simplify failing checks (tests, lints, type errors) to manufacture a green result, and never characterize incomplete or broken work as done. Equally, when a check did pass or a task is complete, state it plainly — do not hedge confirmed results with unnecessary disclaimers, downgrade finished work to "partial," or re-verify things you already checked. The goal is an accurate report, not a defensive one.
+- Before reporting a task complete, verify it actually works: run the test, execute the script, check the output. Minimum complexity means no gold-plating, not skipping the finish line. If you can't verify (no test exists, can't run the code), say so explicitly rather than claiming success.`;
 
-export const TOOL_POLICY = `
-# Tool usage policy
+export const EXECUTING_ACTIONS_PROMPT = `# Executing actions with care
+
+Carefully consider the reversibility and blast radius of actions. Generally you can freely take local, reversible actions like editing files or running tests. But for actions that are hard to reverse, affect shared systems beyond your local environment, or could otherwise be risky or destructive, check with the user before proceeding. The cost of pausing to confirm is low, while the cost of an unwanted action (lost work, unintended messages sent, deleted branches) can be very high. For actions like these, consider the context, the action, and user instructions, and by default transparently communicate the action and ask for confirmation before proceeding.
+
+Examples of the kind of risky actions that warrant user confirmation:
+- Destructive operations: deleting files/branches, dropping database tables, killing processes, rm -rf, overwriting uncommitted changes
+- Hard-to-reverse operations: force-pushing (can also overwrite upstream), git reset --hard, amending published commits, removing or downgrading packages/dependencies, modifying CI/CD pipelines
+- Actions visible to others or that affect shared state: pushing code, creating/closing/commenting on PRs or issues, sending messages (Slack, email, GitHub), posting to external services
+
+When you encounter an obstacle, do not use destructive actions as a shortcut to simply make it go away. For instance, try to identify root causes and fix underlying issues rather than bypassing safety checks (e.g. --no-verify). If you discover unexpected state like unfamiliar files, branches, or configuration, investigate before deleting or overwriting, as it may represent the user's in-progress work. For example, typically resolve merge conflicts rather than discarding changes. In short: only take risky actions carefully, and when in doubt, ask before acting. Follow both the spirit and letter of these instructions - measure twice, cut once.`;
+
+export const TOOL_POLICY = `# Using your tools
+
+- Do NOT use the ${BASH_TOOL_NAME} to run commands when a relevant dedicated tool is provided. Using dedicated tools allows the user to better understand and review your work. This is CRITICAL to assisting the user:
+  - To read files use ${READ_TOOL_NAME} instead of cat, head, tail, or sed
+  - To edit files use ${EDIT_TOOL_NAME} instead of sed or awk
+  - To create files use ${WRITE_TOOL_NAME} instead of cat with heredoc or echo redirection
+  - To search for files use ${GLOB_TOOL_NAME} instead of find or ls
+  - To search the content of files, use ${GREP_TOOL_NAME} instead of grep or rg
+  - Reserve using the ${BASH_TOOL_NAME} exclusively for system commands and terminal operations that require shell execution. If you are unsure and there is a relevant dedicated tool, default to using the dedicated tool and only fallback on using the ${BASH_TOOL_NAME} tool for these if it is absolutely necessary.
 - You can call multiple tools in a single response. If you intend to call multiple tools and there are no dependencies between them, make all independent tool calls in parallel. Maximize use of parallel tool calls where possible to increase efficiency.
 - **Limit**: You MUST NOT call more than ${MAX_PARALLEL_TOOL_CALLS} tools in parallel in a single response.
 - However, if some tool calls depend on previous calls to inform dependent values, do NOT call these tools in parallel and instead call them sequentially. For instance, if one operation must complete before another starts, run these operations sequentially instead. Never use placeholders or guess missing parameters in tool calls.
 - If the user specifies that they want you to run tools "in parallel", you MUST send a single message with multiple tool use content blocks.`;
 
+/**
+ * Reference: /home/liuyiqi/github/claude-code/src/constants/prompts.ts getOutputEfficiencySection
+ */
+export const OUTPUT_EFFICIENCY_PROMPT = `# Output efficiency
+
+IMPORTANT: Go straight to the point. Try the simplest approach first without going in circles. Do not overdo it. Be extra concise.
+
+Keep your text output brief and direct. Lead with the answer or action, not the reasoning. Skip filler words, preamble, and unnecessary transitions. Do not restate what the user said — just do it. When explaining, include only what is necessary for the user to understand.
+
+Focus text output on:
+- Decisions that need the user's input
+- High-level status updates at natural milestones
+- Errors or blockers that change the plan
+
+If you can say it in one sentence, don't use three. Prefer short, direct sentences over long explanations. This does not apply to code or tool calls.`;
+
+export const TONE_AND_STYLE_PROMPT = `# Tone and style
+
+- Only use emojis if the user explicitly requests it. Avoid using emojis in all communication unless asked.
+- Your responses should be short and concise.
+- When referencing specific functions or pieces of code include the pattern file_path:line_number to allow the user to easily navigate to the source code location.
+- When referencing GitHub issues or pull requests, use the owner/repo#123 format (e.g. anthropics/claude-code#100) so they render as clickable links.
+- Do not use a colon before tool calls. Your tool calls may not be shown directly in the output, so text like "Let me read the file:" followed by a read tool call should just be "Let me read the file." with a period.`;
+
 export function buildPlanModePrompt(
   planFilePath: string,
   planExists: boolean,
@@ -177,10 +229,16 @@ export function buildSystemPrompt(
   } = {},
 ): string {
   let prompt = basePrompt || DEFAULT_SYSTEM_PROMPT;
+  prompt += `\n\n${DOING_TASKS_PROMPT}`;
+  prompt += `\n\n${EXECUTING_ACTIONS_PROMPT}`;
+
   if (tools.length > 0) {
     prompt += `\n\n${TOOL_POLICY}`;
   }
 
+  prompt += `\n\n${OUTPUT_EFFICIENCY_PROMPT}`;
+  prompt += `\n\n${TONE_AND_STYLE_PROMPT}`;
+
   if (options.permissionMode === "dontAsk") {
     prompt += `\n\n# Permission Mode\nThe user has selected the 'dontAsk' permission mode. In this mode, any restricted tool call that does not match a pre-approved rule in 'permissions.allow' or 'temporaryRules' will be automatically denied without prompting the user. You will receive a 'Permission denied' error for such calls. This is intended to prevent interruptions for untrusted tools while allowing pre-approved ones to run seamlessly.`;
   }
@@ -198,6 +256,12 @@ export function buildSystemPrompt(
     const platform = os.platform();
     const osVersion = `${os.type()} ${os.release()}`;
     const today = new Date().toISOString().split("T")[0];
+    const shell = process.env.SHELL || "unknown";
+    const shellName = shell.includes("zsh")
+      ? "zsh"
+      : shell.includes("bash")
+        ? "bash"
+        : shell;
 
     prompt += `
 
@@ -206,6 +270,7 @@ Here is useful information about the environment you are running in:
 Working directory: ${options.workdir}
 Is directory a git repo: ${isGitRepo}
 Platform: ${platform}
+Shell: ${shellName}
 OS Version: ${osVersion}
 Today's date: ${today}
 </env>
@@ -225,3 +290,40 @@ Today's date: ${today}
 
   return prompt;
 }
+
+export function enhanceSystemPromptWithEnvDetails(
+  existingSystemPrompt: string,
+  workdir: string,
+): string {
+  const isGitRepo = isGitRepository(workdir);
+  const platform = os.platform();
+  const osVersion = `${os.type()} ${os.release()}`;
+  const today = new Date().toISOString().split("T")[0];
+  const shell = process.env.SHELL || "unknown";
+  const shellName = shell.includes("zsh")
+    ? "zsh"
+    : shell.includes("bash")
+      ? "bash"
+      : shell;
+
+  const notes = `Notes:
+- Agent threads always have their cwd reset between bash calls, as a result please only use absolute file paths.
+- In your final response, share file paths (always absolute, never relative) that are relevant to the task. Include code snippets only when the exact text is load-bearing (e.g., a bug you found, a function signature the caller asked for) — do not recap code you merely read.
+- For clear communication with the user the assistant MUST avoid using emojis.
+- Do not use a colon before tool calls. Text like "Let me read the file:" followed by a read tool call should just be "Let me read the file." with a period.`;
+
+  return `${existingSystemPrompt}
+
+${notes}
+
+Here is useful information about the environment you are running in:
+<env>
+Working directory: ${workdir}
+Is directory a git repo: ${isGitRepo}
+Platform: ${platform}
+Shell: ${shellName}
+OS Version: ${osVersion}
+Today's date: ${today}
+</env>
+`;
+}

package/src/services/configurationService.ts

@@ -458,22 +458,40 @@ export class ConfigurationService {
     maxTokens?: number,
     permissionMode?: PermissionMode,
   ): ModelConfig {
-    // Default values as per data-model.md
-    const DEFAULT_AGENT_MODEL = "gemini-3-flash";
-    const DEFAULT_FAST_MODEL = "gemini-2.5-flash";
-
-    // Resolve agent model: override > options > env (settings.json) > process.env > default
-    let resolvedAgentModel = model || this.options.model || this.env.WAVE_MODEL;
-
-    resolvedAgentModel =
-      resolvedAgentModel || process.env.WAVE_MODEL || DEFAULT_AGENT_MODEL;
-
-    // Resolve fast model: override > options > env (settings.json) > process.env > default
-    let resolvedFastModel =
-      fastModel || this.options.fastModel || this.env.WAVE_FAST_MODEL;
+    // Resolve agent model: override > options > env (settings.json) > process.env
+    const resolvedAgentModel =
+      model ||
+      this.options.model ||
+      this.env.WAVE_MODEL ||
+      process.env.WAVE_MODEL;
+
+    // Resolve fast model: override > options > env (settings.json) > process.env
+    const resolvedFastModel =
+      fastModel ||
+      this.options.fastModel ||
+      this.env.WAVE_FAST_MODEL ||
+      process.env.WAVE_FAST_MODEL;
+
+    // Validate required fields
+    if (!resolvedAgentModel) {
+      throw new ConfigurationError(CONFIG_ERRORS.MISSING_MODEL, "model", {
+        constructor: model,
+        environment: process.env.WAVE_MODEL,
+        settings: this.env.WAVE_MODEL,
+      });
+    }
 
-    resolvedFastModel =
-      resolvedFastModel || process.env.WAVE_FAST_MODEL || DEFAULT_FAST_MODEL;
+    if (!resolvedFastModel) {
+      throw new ConfigurationError(
+        CONFIG_ERRORS.MISSING_FAST_MODEL,
+        "fastModel",
+        {
+          constructor: fastModel,
+          environment: process.env.WAVE_FAST_MODEL,
+          settings: this.env.WAVE_FAST_MODEL,
+        },
+      );
+    }
 
     // Resolve max output tokens
     const resolvedMaxTokens = this.resolveMaxOutputTokens(maxTokens);
@@ -616,15 +634,11 @@ export class ConfigurationService {
   }
 
   /**
-   * Get all configured models from settings.json and defaults
+   * Get all configured models from settings.json and environment
    */
   getConfiguredModels(): string[] {
-    const DEFAULT_AGENT_MODEL = "gemini-3-flash";
     const models = new Set<string>();
 
-    // Add default model
-    models.add(DEFAULT_AGENT_MODEL);
-
     // Add current model from options or environment
     const currentModel =
       this.options.model || this.env.WAVE_MODEL || process.env.WAVE_MODEL;

package/src/services/fileWatcher.ts

@@ -167,11 +167,14 @@ export class FileWatcherService extends EventEmitter {
    */
   async cleanup(): Promise<void> {
     const paths = Array.from(this.watchers.keys());
-    await Promise.all(paths.map((path) => this.unwatchFile(path)));
+    for (const path of paths) {
+      await this.unwatchFile(path);
+    }
 
     if (this.globalWatcher) {
-      await this.globalWatcher.close();
+      const watcher = this.globalWatcher;
       this.globalWatcher = null;
+      await watcher.close();
     }
   }
 
@@ -190,6 +193,14 @@ export class FileWatcherService extends EventEmitter {
           interval: entry.config.pollInterval,
         });
 
+        // Unref the global watcher to allow natural exit if it's the only thing left
+        // (chokidar watchers keep the process alive by default)
+        // Note: some platforms might need additional handling
+        const watcher = this.globalWatcher as unknown as { unref?: () => void };
+        if (watcher.unref) {
+          watcher.unref();
+        }
+
         this.setupGlobalWatcherEvents();
       }
 

package/src/services/hook.ts

@@ -158,12 +158,13 @@ export async function executeCommand(
     }
 
     // Set up timeout
+    let forceKillTimeoutHandle: NodeJS.Timeout | undefined;
     const timeoutHandle = setTimeout(() => {
       timedOut = true;
       childProcess.kill("SIGTERM");
 
       // Force kill after additional delay
-      setTimeout(() => {
+      forceKillTimeoutHandle = setTimeout(() => {
         if (!childProcess.killed) {
           childProcess.kill("SIGKILL");
         }
@@ -205,6 +206,7 @@ export async function executeCommand(
     // Handle process completion
     childProcess.on("close", (code: number | null) => {
       clearTimeout(timeoutHandle);
+      if (forceKillTimeoutHandle) clearTimeout(forceKillTimeoutHandle);
       const duration = Date.now() - startTime;
 
       resolve({
@@ -220,6 +222,7 @@ export async function executeCommand(
     // Handle process errors
     childProcess.on("error", (error: Error) => {
       clearTimeout(timeoutHandle);
+      if (forceKillTimeoutHandle) clearTimeout(forceKillTimeoutHandle);
       const duration = Date.now() - startTime;
 
       resolve({

package/src/services/session.ts

@@ -25,6 +25,7 @@ import { PathEncoder } from "../utils/pathEncoder.js";
 import { JsonlHandler } from "../services/jsonlHandler.js";
 import { extractLatestTotalTokens } from "../utils/tokenCalculation.js";
 import { logger } from "../utils/globalLogger.js";
+import { getMessageContent } from "../utils/messageOperations.js";
 
 export interface SessionData {
   id: string;
@@ -842,27 +843,7 @@ export async function getFirstMessageContent(
     try {
       const message = JSON.parse(firstLine) as Message;
 
-      // Find first available content block regardless of role
-      const textBlock = message.blocks.find((block) => block.type === "text");
-      if (textBlock && "content" in textBlock) {
-        return textBlock.content;
-      }
-
-      const commandBlock = message.blocks.find(
-        (block) => block.type === "bang",
-      );
-      if (commandBlock && "command" in commandBlock) {
-        return commandBlock.command;
-      }
-
-      const compressBlock = message.blocks.find(
-        (block) => block.type === "compress",
-      );
-      if (compressBlock && "content" in compressBlock) {
-        return compressBlock.content;
-      }
-
-      return null;
+      return getMessageContent(message) || null;
     } catch (error) {
       logger.warn(
         `Failed to parse first message in session ${sessionId}:`,

package/src/tools/bashTool.ts

@@ -44,20 +44,6 @@ function processOutput(output: string): string {
   }
 }
 
-/**
- * Simple throttle function to limit the frequency of updates.
- */
-function throttle(func: () => void, limit: number) {
-  let inThrottle: boolean;
-  return function () {
-    if (!inThrottle) {
-      func();
-      inThrottle = true;
-      setTimeout(() => (inThrottle = false), limit);
-    }
-  };
-}
-
 /**
  * Bash command execution tool - supports both foreground and background execution
  */
@@ -122,8 +108,8 @@ Usage notes:
   - You can use the \`run_in_background\` parameter to run the command in the background, which allows you to continue working while the command runs. You can monitor the output using the ${READ_TOOL_NAME} tool as it becomes available. You do not need to use '&' at the end of the command when using this parameter.
   - Avoid using ${BASH_TOOL_NAME} with the \`find\`, \`sed\`, \`awk\`, or \`echo\` commands, unless explicitly instructed or when these commands are truly necessary for the task. Instead, always prefer using the dedicated tools for these commands:
     - File search: Use ${GLOB_TOOL_NAME} (NOT find or ls)
-    - Content search: Use ${GREP_TOOL_NAME}
-    - Read files: Use ${READ_TOOL_NAME}
+    - Content search: Use ${GREP_TOOL_NAME} (NOT grep or rg)
+    - Read files: Use ${READ_TOOL_NAME} (NOT cat/head/tail)
     - Edit files: Use ${EDIT_TOOL_NAME} (NOT sed/awk)
     - Write files: Use ${WRITE_TOOL_NAME} (NOT echo >/cat <<EOF)
     - Communication: Output text directly (NOT echo/printf)
@@ -141,7 +127,28 @@ Usage notes:
     </bad-example>
 
 - Reserve bash tools exclusively for actual system commands and terminal operations that require shell execution. NEVER use bash echo or other command-line tools to communicate thoughts, explanations, or instructions to the user. Output all communication directly in your response text instead.
-- When making multiple bash tool calls, you MUST send a single message with multiple tools calls to run the calls in parallel. For example, if you need to run "git status" and "git diff", send a single message with two tool calls in parallel.`,
+- When making multiple bash tool calls, you MUST send a single message with multiple tools calls to run the calls in parallel. For example, if you need to run "git status" and "git diff", send a single message with two tool calls in parallel.
+
+# Git operations
+Git Safety Protocol:
+- NEVER update the git config
+- NEVER run destructive git commands (push --force, reset --hard, checkout ., restore ., clean -f, branch -D) unless the user explicitly requests these actions. Taking unauthorized destructive actions is unhelpful and can result in lost work, so it's best to ONLY run these commands when given direct instructions 
+- NEVER skip hooks (--no-verify, --no-gpg-sign, etc) unless the user explicitly requests it
+- NEVER run force push to main/master, warn the user if they request it
+- CRITICAL: Always create NEW commits rather than amending, unless the user explicitly requests a git amend. When a pre-commit hook fails, the commit did NOT happen — so --amend would modify the PREVIOUS commit, which may result in destroying work or losing previous changes. Instead, after hook failure, fix the issue, re-stage, and create a NEW commit
+- When staging files, prefer adding specific files by name rather than using "git add -A" or "git add .", which can accidentally include sensitive files (.env, credentials) or large binaries
+- NEVER commit changes unless the user explicitly asks you to. It is VERY IMPORTANT to only commit when explicitly asked, otherwise the user will feel that you are being too proactive
+- IMPORTANT: Never use git commands with the -i flag (like git rebase -i or git add -i) since they require interactive input which is not supported.
+
+Use the gh command via the Bash tool for GitHub-related tasks including working with issues, pull requests, checks, and releases. If given a Github URL use the gh command to get the information needed.
+
+# Avoid unnecessary sleep commands
+- Do not sleep between commands that can run immediately — just run them.
+- If your command is long running and you would like to be notified when it finishes — use \`run_in_background\`. No sleep needed.
+- Do not retry failing commands in a sleep loop — diagnose the root cause.
+- If waiting for a background task you started with \`run_in_background\`, you will be notified when it completes — do not poll.
+- If you must poll an external process, use a check command (e.g. \`gh run view\`) rather than sleeping first.
+- If you must sleep, keep the duration short (1-5 seconds) to avoid blocking the user.`,
   execute: async (
     args: Record<string, unknown>,
     context: ToolContext,
@@ -247,7 +254,7 @@ Usage notes:
       let isBackgrounded = false;
       let isFinished = false;
 
-      const updateRealtimeResults = throttle(() => {
+      const updateRealtimeResults = () => {
         if (isAborted || isBackgrounded || isFinished) return;
 
         const combinedOutput =
@@ -273,7 +280,7 @@ Usage notes:
                 "\n\n... (output truncated)";
           context.onResultUpdate(content);
         }
-      }, 1000);
+      };
 
       const foregroundTaskId = `bash_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
 
@@ -362,11 +369,14 @@ Usage notes:
             }
           }
 
+          const processedOutput = processOutput(
+            outputBuffer + (errorBuffer ? "\n" + errorBuffer : ""),
+          );
           resolve({
             success: false,
-            content: processOutput(
-              outputBuffer + (errorBuffer ? "\n" + errorBuffer : ""),
-            ),
+            content: processedOutput
+              ? `${processedOutput}\n\n${reason}`
+              : reason,
             error: reason,
           });
         }

package/src/tools/webFetchTool.ts

@@ -29,7 +29,7 @@ setInterval(() => {
       cache.delete(url);
     }
   }
-}, CACHE_TTL);
+}, CACHE_TTL).unref();
 
 export const webFetchTool: ToolPlugin = {
   name: WEB_FETCH_TOOL_NAME,
@@ -158,7 +158,8 @@ Usage notes:
         return {
           success: false,
           content: markdown,
-          error: "AI Manager or AI Service not available for processing content",
+          error:
+            "AI Manager or AI Service not available for processing content",
         };
       }
 

package/src/tools/writeTool.ts

@@ -142,6 +142,16 @@ Usage:
       // Record snapshot for reversion
       let snapshotId: string | undefined;
       if (context.reversionManager && context.messageId) {
+        // Log memory usage before large operations if in debug mode
+        if (process.env.LOG_LEVEL === "DEBUG") {
+          const usage = process.memoryUsage();
+          logger.debug(
+            `[Memory Before Write] RSS: ${Math.round(usage.rss / 1024 / 1024)}MB, ` +
+              `Heap: ${Math.round(usage.heapUsed / 1024 / 1024)}/${Math.round(usage.heapTotal / 1024 / 1024)}MB`,
+            { filePath, contentLength: content.length },
+          );
+        }
+
         snapshotId = await context.reversionManager.recordSnapshot(
           context.messageId,
           resolvedPath,

package/src/types/core.ts

@@ -98,6 +98,10 @@ export class ConfigurationError extends Error {
 export const CONFIG_ERRORS = {
   MISSING_BASE_URL:
     "Gateway configuration requires baseURL. Provide via constructor or WAVE_BASE_URL environment variable.",
+  MISSING_MODEL:
+    "Agent configuration requires model. Provide via constructor or WAVE_MODEL environment variable.",
+  MISSING_FAST_MODEL:
+    "Agent configuration requires fastModel. Provide via constructor or WAVE_FAST_MODEL environment variable.",
   INVALID_WAVE_MAX_INPUT_TOKENS: "Token limit must be a positive integer.",
   EMPTY_BASE_URL: "Base URL cannot be empty string.",
 } as const;

package/src/utils/bashParser.ts

@@ -610,6 +610,30 @@ function shouldStopAtArg(arg: string): boolean {
   return false;
 }
 
+/**
+ * Checks if a find command is dangerous (e.g., contains -exec, -delete, etc.).
+ */
+export function isDangerousFind(command: string): boolean {
+  const stripped = stripRedirections(stripEnvVars(command));
+  const tokens = stripped.match(/(?:[^\s"']+|"[^"]*"|'[^']*')+/g) || [];
+  if (tokens.length === 0 || tokens[0] !== "find") return false;
+
+  const dangerousFlags = [
+    "-exec",
+    "-execdir",
+    "-ok",
+    "-okdir",
+    "-delete",
+    "-fprint",
+    "-fprint0",
+    "-fprintf",
+  ];
+  return tokens.some((token) => {
+    const unquoted = token.replace(/^(['"])(.*)\1$/, "$2");
+    return dangerousFlags.includes(unquoted);
+  });
+}
+
 /**
  * Extracts a "smart prefix" from a bash command based on common developer tools.
  * Returns null if the command is blacklisted or cannot be safely prefix-matched.