wave-agent-sdk 0.16.10 → 0.16.12

package/src/services/authService.ts

@@ -12,6 +12,7 @@ import {
   chmodSync,
   rmSync,
   mkdirSync,
+  statSync,
 } from "fs";
 import * as path from "path";
 import * as os from "os";
@@ -20,7 +21,8 @@ import { createServer, Server } from "http";
 import { URL } from "url";
 import { execFile } from "child_process";
 import { promisify } from "util";
-import type { AuthConfig, AuthUser } from "../types/auth.js";
+import type { AuthConfig, AuthUser, TokenResponse } from "../types/auth.js";
+import { logger } from "../utils/globalLogger.js";
 
 /** Persistent anonymous ID for telemetry fallback when SSO is not authenticated. */
 let _anonymousId: string | undefined;
@@ -32,6 +34,9 @@ export class AuthService {
   private _serverUrl: string | undefined;
   private onAuthChangeCallbacks: Array<(event: "login" | "logout") => void> =
     [];
+  private _refreshPromise: Promise<boolean> | null = null;
+  private _authFileMtime: number = 0;
+  private static readonly REFRESH_BUFFER_MS = 5 * 60 * 1000;
 
   static getInstance(): AuthService {
     if (!AuthService.instance) {
@@ -83,6 +88,12 @@ export class AuthService {
     }
     try {
       const content = readFileSync(authPath, "utf-8");
+      // Best-effort mtime tracking for multi-process detection
+      try {
+        this._authFileMtime = statSync(authPath).mtimeMs;
+      } catch {
+        // ignore stat errors
+      }
       return JSON.parse(content) as AuthConfig;
     } catch {
       return {};
@@ -97,11 +108,19 @@ export class AuthService {
     }
     writeFileSync(authPath, JSON.stringify(config, null, 2), "utf-8");
     chmodSync(authPath, 0o600);
+    // Update mtime after write
+    try {
+      this._authFileMtime = statSync(authPath).mtimeMs;
+    } catch {
+      // ignore stat errors
+    }
   }
 
   clearAuth(): void {
     const config = this.loadAuth();
     delete config.SSO_TOKEN;
+    delete config.SSO_REFRESH_TOKEN;
+    delete config.SSO_TOKEN_EXPIRES_AT;
     if (Object.keys(config).length === 0) {
       const authPath = this.getAuthPath();
       if (existsSync(authPath)) {
@@ -145,11 +164,22 @@ export class AuthService {
     });
 
     // Exchange authorization code for JWT (includes user info)
-    const { token, user } = await this.exchangeCode(serverUrl, code);
+    const { token, refreshToken, expiresIn, user } = await this.exchangeCode(
+      serverUrl,
+      code,
+    );
 
     // Save the token and user info (preserve existing keys)
     const existing = this.loadAuth();
-    this.saveAuth({ ...existing, SSO_TOKEN: token, user });
+    this.saveAuth({
+      ...existing,
+      SSO_TOKEN: token,
+      SSO_REFRESH_TOKEN: refreshToken,
+      SSO_TOKEN_EXPIRES_AT: expiresIn
+        ? Date.now() + expiresIn * 1000
+        : undefined,
+      user,
+    });
 
     this.notifyAuthChange("login");
 
@@ -158,32 +188,31 @@ export class AuthService {
 
   /**
    * Exchange a short-lived authorization code for a JWT token.
-   * Returns both the token and user info.
+   * Returns token, optional refresh token, optional expiresIn, and user info.
    */
   private async exchangeCode(
     serverUrl: string,
     code: string,
-  ): Promise<{ token: string; user: AuthUser }> {
-    const exchangeUrl = `${serverUrl}/api/auth/exchange`;
+  ): Promise<TokenResponse> {
+    const exchangeUrl = `${serverUrl}/api/auth/token`;
+    logger.info(`[Auth] Exchanging authorization code at ${exchangeUrl}`);
     const response = await fetch(exchangeUrl, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ code }),
+      body: JSON.stringify({ grant_type: "authorization_code", code }),
     });
 
     if (!response.ok) {
       const text = await response.text();
+      logger.info(
+        `[Auth] Authorization code exchange failed (${response.status}): ${text}`,
+      );
       throw new Error(`Token exchange failed (${response.status}): ${text}`);
     }
 
-    const data = (await response.json()) as {
-      token: string;
-      user: { id: string; email?: string };
-    };
-    return {
-      token: data.token,
-      user: { id: data.user.id, email: data.user.email },
-    };
+    const data = (await response.json()) as TokenResponse;
+    logger.info("[Auth] Authorization code exchanged successfully");
+    return data;
   }
 
   private startLocalAuthServer(
@@ -306,7 +335,149 @@ export class AuthService {
   }
 
   isSSOAuthenticated(): boolean {
-    return this.getSSOToken() !== undefined;
+    const config = this.loadAuth();
+    if (!config.SSO_TOKEN) return false;
+    if (
+      config.SSO_TOKEN_EXPIRES_AT &&
+      Date.now() >= config.SSO_TOKEN_EXPIRES_AT
+    )
+      return false;
+    return true;
+  }
+
+  /**
+   * Check if the current token is expired or within the refresh buffer.
+   * Returns false if no expiry info (backward compat — treated as never-expiring).
+   */
+  isTokenExpired(): boolean {
+    const config = this.loadAuth();
+    if (!config.SSO_TOKEN_EXPIRES_AT) return false;
+    const expiresAt = config.SSO_TOKEN_EXPIRES_AT;
+    const bufferMs = AuthService.REFRESH_BUFFER_MS;
+    const now = Date.now();
+    const remaining = expiresAt - now;
+    const expired = now >= expiresAt - bufferMs;
+    if (expired) {
+      logger.info(
+        `[Auth] Token expired or within refresh buffer: remaining=${Math.round(remaining / 1000)}s, buffer=${bufferMs / 1000}s`,
+      );
+    }
+    return expired;
+  }
+
+  /**
+   * Check if the token needs refresh and refresh it if possible.
+   * Deduplicates concurrent refresh calls (401 dedup).
+   */
+  async checkAndRefreshTokenIfNeeded(): Promise<boolean> {
+    if (!this.isTokenExpired()) return true;
+    // Dedup: if a refresh is already in-flight, reuse the same promise
+    if (this._refreshPromise) {
+      logger.info(
+        "[Auth] Token refresh already in-flight, reusing existing promise",
+      );
+      return this._refreshPromise;
+    }
+    logger.info("[Auth] Starting token refresh");
+    this._refreshPromise = this.refreshToken();
+    try {
+      return await this._refreshPromise;
+    } finally {
+      this._refreshPromise = null;
+    }
+  }
+
+  /**
+   * Refresh the access token using the stored refresh token.
+   * Returns true on success, false on failure.
+   */
+  private async refreshToken(): Promise<boolean> {
+    const config = this.loadAuth();
+    if (!config.SSO_REFRESH_TOKEN) {
+      logger.info("[Auth] No refresh token available, cannot refresh");
+      return false;
+    }
+
+    const serverUrl = this.getServerUrl();
+    try {
+      logger.info(`[Auth] Refreshing token via ${serverUrl}/api/auth/token`);
+      const response = await fetch(`${serverUrl}/api/auth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          grant_type: "refresh_token",
+          refresh_token: config.SSO_REFRESH_TOKEN,
+        }),
+      });
+
+      if (response.status === 400 || response.status === 401) {
+        // Refresh token revoked — clear auth
+        logger.info(
+          `[Auth] Refresh token rejected (${response.status}), clearing auth`,
+        );
+        this.clearAuth();
+        return false;
+      }
+
+      if (!response.ok) {
+        logger.info(
+          `[Auth] Token refresh failed with status ${response.status}`,
+        );
+        return false;
+      }
+
+      const data = (await response.json()) as TokenResponse;
+      const newExpiresAt = data.expiresIn
+        ? Date.now() + data.expiresIn * 1000
+        : undefined;
+      this.saveAuth({
+        ...config,
+        SSO_TOKEN: data.token,
+        SSO_REFRESH_TOKEN: data.refreshToken ?? config.SSO_REFRESH_TOKEN,
+        SSO_TOKEN_EXPIRES_AT: newExpiresAt,
+        user: data.user
+          ? { id: data.user.id, email: data.user.email }
+          : config.user,
+      });
+      logger.info(
+        `[Auth] Token refreshed successfully, new token expires at ${newExpiresAt ? new Date(newExpiresAt).toISOString() : "never"}`,
+      );
+      this.notifyAuthChange("login");
+      return true;
+    } catch (err) {
+      // Network error — don't clear auth (might be transient)
+      logger.info(`[Auth] Token refresh failed with network error: ${err}`);
+      return false;
+    }
+  }
+
+  /**
+   * Check if another process has refreshed the token on disk.
+   * Returns true if a fresh token was found and loaded.
+   */
+  /** @internal Check if another process has refreshed the token on disk */
+  tryReadRefreshedTokenFromDisk(): boolean {
+    try {
+      const authPath = this.getAuthPath();
+      if (!existsSync(authPath)) return false;
+      const stat = statSync(authPath);
+      if (stat.mtimeMs <= this._authFileMtime) return false;
+      // File was modified by another process — check if token is fresh
+      const config = this.loadAuth();
+      if (
+        config.SSO_TOKEN_EXPIRES_AT &&
+        Date.now() < config.SSO_TOKEN_EXPIRES_AT
+      ) {
+        logger.info(
+          `[Auth] Detected token refreshed by another process (auth.json mtime changed)`,
+        );
+        this._authFileMtime = stat.mtimeMs;
+        return true;
+      }
+      return false;
+    } catch {
+      return false;
+    }
   }
 
   getAuthUser(): AuthUser | undefined {
@@ -317,6 +488,62 @@ export class AuthService {
 
 export const authService = AuthService.getInstance();
 
+/**
+ * Create a fetch wrapper that handles SSO token refresh transparently.
+ *
+ * 1. Proactive refresh: calls checkAndRefreshTokenIfNeeded() before each request
+ * 2. Updates Authorization header with fresh token
+ * 3. Reactive 401/403 recovery: tries disk refresh then force refresh, retries once
+ */
+export function createAuthAwareFetch(innerFetch: typeof fetch): typeof fetch {
+  return async (input: RequestInfo | URL, init?: RequestInit) => {
+    // Proactive refresh
+    await authService.checkAndRefreshTokenIfNeeded();
+
+    // Update Authorization header with fresh token
+    const freshToken = authService.getSSOToken();
+    const headers = new Headers(init?.headers);
+    if (freshToken) {
+      headers.set("Authorization", `Bearer ${freshToken}`);
+    }
+    const modifiedInit = { ...init, headers };
+
+    const response = await innerFetch(input, modifiedInit);
+
+    // Reactive 401/403 recovery (single retry)
+    if (response.status === 401 || response.status === 403) {
+      logger.info(
+        `[Auth] Received ${response.status}, attempting token recovery`,
+      );
+      // Try disk refresh first (another process may have refreshed)
+      if (authService.tryReadRefreshedTokenFromDisk()) {
+        const retryToken = authService.getSSOToken();
+        const retryHeaders = new Headers(init?.headers);
+        if (retryToken) {
+          retryHeaders.set("Authorization", `Bearer ${retryToken}`);
+        }
+        logger.info("[Auth] Retrying request with disk-refreshed token");
+        return innerFetch(input, { ...init, headers: retryHeaders });
+      }
+
+      // Try force refresh
+      if (await authService.checkAndRefreshTokenIfNeeded()) {
+        const retryToken = authService.getSSOToken();
+        if (retryToken) {
+          const retryHeaders = new Headers(init?.headers);
+          retryHeaders.set("Authorization", `Bearer ${retryToken}`);
+          logger.info("[Auth] Retrying request with force-refreshed token");
+          return innerFetch(input, { ...init, headers: retryHeaders });
+        }
+      }
+
+      logger.info("[Auth] Token recovery failed, returning original response");
+    }
+
+    return response;
+  };
+}
+
 /**
  * Get or create a persistent anonymous ID for telemetry.
  *

package/src/services/configurationService.ts

@@ -48,6 +48,7 @@ import {
   getRemoteSettingsSync,
   mergeRemoteSettings,
 } from "./remoteSettingsService.js";
+import { createAuthAwareFetch } from "./authService.js";
 
 /**
  * Default ConfigurationService implementation
@@ -423,6 +424,10 @@ export class ConfigurationService {
     const ssoToken = this.readSSOToken();
     const serverUrl = this.options.serverUrl || process.env.WAVE_SERVER_URL;
     if (ssoToken && serverUrl) {
+      const baseFetch = fetch ?? this.options.fetch ?? globalThis.fetch;
+      const authAwareFetch = createAuthAwareFetch(
+        baseFetch as typeof globalThis.fetch,
+      ) as ClientOptions["fetch"];
       return {
         apiKey: ssoToken,
         baseURL: `${serverUrl}/api/v1`,
@@ -431,7 +436,7 @@ export class ConfigurationService {
             ? defaultHeaders
             : undefined,
         fetchOptions: fetchOptions ?? this.options.fetchOptions,
-        fetch: fetch ?? this.options.fetch,
+        fetch: authAwareFetch,
       };
     }
 

package/src/services/hook.ts

@@ -277,6 +277,21 @@ export async function executeCommands(
   return results;
 }
 
+/**
+ * Execute a CwdChanged hook
+ */
+export async function executeCwdChangedHooks(
+  oldCwd: string,
+  newCwd: string,
+  context: ExtendedHookExecutionContext,
+): Promise<HookExecutionResult[]> {
+  // CwdChanged hooks are executed through HookManager.executeCwdChangedHooks()
+  void context;
+  void oldCwd;
+  void newCwd;
+  return [];
+}
+
 /**
  * Validate command safety (basic checks)
  */

package/src/services/interactionService.ts

@@ -7,7 +7,6 @@ import type { ConfigurationService } from "./configurationService.js";
 import type { AIManager } from "../managers/aiManager.js";
 import type { SubagentManager } from "../managers/subagentManager.js";
 import type { TaskManager } from "./taskManager.js";
-import type { NotificationQueue } from "../managers/notificationQueue.js";
 
 export interface InteractionContext {
   messageManager: MessageManager;
@@ -62,23 +61,6 @@ export class InteractionService {
         // Don't add to history, let normal message processing logic below handle it
       }
 
-      // Inject pending notifications from background tasks
-      const notificationQueue = context.aiManager["container"].has(
-        "NotificationQueue",
-      )
-        ? context.aiManager["container"].get<NotificationQueue>(
-            "NotificationQueue",
-          )
-        : undefined;
-      if (notificationQueue && notificationQueue.hasPending()) {
-        const notifications = notificationQueue.dequeueAll();
-        for (const notification of notifications) {
-          messageManager.addUserMessage({
-            content: notification,
-          });
-        }
-      }
-
       // Handle normal AI message
       // Add user message first, will automatically sync to UI
       messageManager.addUserMessage({

package/src/services/remoteSettingsService.ts

@@ -2,7 +2,7 @@ import * as fs from "node:fs";
 import { homedir } from "node:os";
 import * as path from "node:path";
 
-import { authService } from "./authService.js";
+import { authService, createAuthAwareFetch } from "./authService.js";
 import type {
   RemoteSettingsCache,
   RemoteSettingsFetchResult,
@@ -85,7 +85,8 @@ async function fetchRemoteSettings(): Promise<RemoteSettingsFetchResult> {
   }
 
   try {
-    const response = await fetch(`${serverUrl}/api/wave/settings`, {
+    const authFetch = createAuthAwareFetch(globalThis.fetch);
+    const response = await authFetch(`${serverUrl}/api/wave/settings`, {
       method: "GET",
       headers,
       signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),

package/src/tools/bashTool.ts

@@ -4,6 +4,8 @@ import * as path from "path";
 import * as os from "os";
 import { logger } from "../utils/globalLogger.js";
 import { stripAnsiColors } from "../utils/stringUtils.js";
+import { processToolResult } from "../utils/toolResultStorage.js";
+import { BASH_MAX_OUTPUT_CHARS } from "../constants/toolLimits.js";
 import type { ToolPlugin, ToolResult, ToolContext } from "./types.js";
 import {
   BASH_TOOL_NAME,
@@ -14,36 +16,8 @@ import {
   WRITE_TOOL_NAME,
 } from "../constants/tools.js";
 
-const MAX_OUTPUT_LENGTH = 30000;
 const BASH_DEFAULT_TIMEOUT_MS = 120000;
 
-/**
- * Helper function to handle large output by truncation and persistence to a temporary file.
- */
-function processOutput(output: string): string {
-  if (output.length <= MAX_OUTPUT_LENGTH) {
-    return output;
-  }
-
-  try {
-    const tempDir = os.tmpdir();
-    const fileName = `bash_output_${Date.now()}_${Math.random().toString(36).substring(2, 11)}.txt`;
-    const filePath = path.join(tempDir, fileName);
-    fs.writeFileSync(filePath, output, "utf8");
-
-    return (
-      output.substring(0, MAX_OUTPUT_LENGTH) +
-      `\n\n... (output truncated)\nFull output persisted to: ${filePath}`
-    );
-  } catch (error) {
-    logger.error("Failed to persist large bash output:", error);
-    return (
-      output.substring(0, MAX_OUTPUT_LENGTH) +
-      "\n\n... (output truncated, failed to persist full output)"
-    );
-  }
-}
-
 /**
  * Bash command execution tool - supports both foreground and background execution
  */
@@ -104,7 +78,7 @@ Usage notes:
   - The command argument is required.
   - You can specify an optional timeout in milliseconds (up to ${BASH_DEFAULT_TIMEOUT_MS}ms / ${BASH_DEFAULT_TIMEOUT_MS / 60000} minutes). If not specified, commands will timeout after ${BASH_DEFAULT_TIMEOUT_MS}ms (${BASH_DEFAULT_TIMEOUT_MS / 60000} minutes).
   - It is very helpful if you write a clear, concise description of what this command does in 5-10 words.
-  - If the output exceeds ${MAX_OUTPUT_LENGTH} characters, output will be truncated and the full output will be persisted to a temporary file.
+  - If the output exceeds ${BASH_MAX_OUTPUT_CHARS.toLocaleString()} characters, output will be truncated and the full output will be persisted to a file you can read with the Read tool.
   - You can use the \`run_in_background\` parameter to run the command in the background, which allows you to continue working while the command runs. You can monitor the output using the ${READ_TOOL_NAME} tool as it becomes available. You do not need to use '&' at the end of the command when using this parameter.
   - Avoid using ${BASH_TOOL_NAME} with the \`find\`, \`sed\`, \`awk\`, or \`echo\` commands, unless explicitly instructed or when these commands are truly necessary for the task. Instead, always prefer using the dedicated tools for these commands:
     - File search: Use ${GLOB_TOOL_NAME} (NOT find or ls)
@@ -139,7 +113,10 @@ Use the gh command via the Bash tool for GitHub-related tasks including working
 - Do not retry failing commands in a sleep loop — diagnose the root cause.
 - If waiting for a background task you started with \`run_in_background\`, you will be notified when it completes — do not poll.
 - If you must poll an external process, use a check command (e.g. \`gh run view\`) rather than sleeping first.
-- If you must sleep, keep the duration short (1-5 seconds) to avoid blocking the user.`,
+- If you must sleep, keep the duration short (1-5 seconds) to avoid blocking the user.
+
+# CWD management
+The working directory persists between commands. Try to maintain your current working directory throughout the session by using absolute paths and avoiding usage of \`cd\`. You may use \`cd\` if the User explicitly requests it.`,
   execute: async (
     args: Record<string, unknown>,
     context: ToolContext,
@@ -237,7 +214,14 @@ Use the gh command via the Bash tool for GitHub-related tasks including working
 
     // Foreground execution (original behavior)
     return new Promise((resolve) => {
-      const child: ChildProcess = spawn(command, {
+      // Create a temporary file to store the CWD
+      const tempCwdFile = path.join(
+        os.tmpdir(),
+        `wave_cwd_${Date.now()}_${Math.random().toString(36).substring(2, 11)}.tmp`,
+      );
+      const wrappedCommand = `${command} && pwd -P >| ${tempCwdFile}`;
+
+      const child: ChildProcess = spawn(wrappedCommand, {
         shell: true,
         stdio: "pipe",
         detached: true,
@@ -270,12 +254,12 @@ Use the gh command via the Bash tool for GitHub-related tasks including working
           context.onShortResultUpdate(shortResult);
         }
 
-        // Update full result
+        // Update full result (simple truncation for streaming — persistence happens at final result)
         if (context.onResultUpdate) {
           const content =
-            combinedOutput.length <= MAX_OUTPUT_LENGTH
+            combinedOutput.length <= BASH_MAX_OUTPUT_CHARS
               ? combinedOutput
-              : combinedOutput.substring(0, MAX_OUTPUT_LENGTH) +
+              : combinedOutput.substring(0, BASH_MAX_OUTPUT_CHARS) +
                 "\n\n... (output truncated)";
           context.onResultUpdate(content);
         }
@@ -368,8 +352,10 @@ Use the gh command via the Bash tool for GitHub-related tasks including working
             }
           }
 
-          const processedOutput = processOutput(
+          const processedOutput = processToolResult(
             outputBuffer + (errorBuffer ? "\n" + errorBuffer : ""),
+            BASH_MAX_OUTPUT_CHARS,
+            "bash",
           );
           resolve({
             success: false,
@@ -422,14 +408,60 @@ Use the gh command via the Bash tool for GitHub-related tasks including working
             clearTimeout(timeoutHandle);
           }
 
+          // Read the new CWD from the temporary file
+          let newCwd: string | undefined;
+          try {
+            if (fs.existsSync(tempCwdFile)) {
+              newCwd = fs.readFileSync(tempCwdFile, "utf8").trim();
+              // Validate the path exists before calling the callback
+              fs.accessSync(newCwd, fs.constants.F_OK);
+            }
+          } catch (fileError) {
+            logger.warn(
+              `Could not read or validate new CWD from temp file ${tempCwdFile}:`,
+              fileError,
+            );
+            newCwd = undefined;
+          } finally {
+            // Ensure temp file is cleaned up even if reading fails
+            try {
+              if (fs.existsSync(tempCwdFile)) {
+                fs.unlinkSync(tempCwdFile);
+              }
+            } catch (fileError) {
+              logger.error("Failed to clean up temp CWD file:", fileError);
+            }
+          }
+
+          // If CWD changed, call the onCwdChange callback and add notification
+          let cwdResetMessage: string | undefined;
+          if (newCwd && newCwd !== context.workdir && context.onCwdChange) {
+            const isInSafeZone =
+              context.permissionManager?.isPathInSafeZone?.(newCwd) ?? true;
+
+            if (isInSafeZone) {
+              context.onCwdChange(newCwd);
+            } else if (context.originalWorkdir) {
+              context.onCwdChange(context.originalWorkdir);
+              cwdResetMessage = `Shell cwd was reset to ${context.originalWorkdir}`;
+            } else {
+              context.onCwdChange(newCwd);
+            }
+          }
+
           const exitCode = code ?? 0;
           const combinedOutput =
             outputBuffer + (errorBuffer ? "\n" + errorBuffer : "");
 
-          // Handle large output by truncation and persistence if needed
+          // Prepend CWD reset message to output if present (like Claude Code's stderr approach)
           const finalOutput =
-            combinedOutput || `Command executed with exit code: ${exitCode}`;
-          const content = processOutput(finalOutput);
+            (cwdResetMessage ? cwdResetMessage + "\n" : "") +
+            (combinedOutput || `Command executed with exit code: ${exitCode}`);
+          const content = processToolResult(
+            finalOutput,
+            BASH_MAX_OUTPUT_CHARS,
+            "bash",
+          );
 
           const lines = combinedOutput.trim().split("\n");
           const shortResult =

package/src/tools/types.ts

@@ -107,4 +107,8 @@ export interface ToolContext {
   readFileState?: Map<string, { mtime: number; hash: string }>;
   /** Hook manager instance for executing hooks */
   hookManager?: import("../managers/hookManager.js").HookManager;
+  /** Callback to notify when the current working directory changes */
+  onCwdChange?: (newCwd: string) => void;
+  /** Original working directory (before any cd changes) for CWD reset */
+  originalWorkdir?: string;
 }

package/src/types/agent.ts

@@ -14,6 +14,7 @@ import type { MessageManagerCallbacks } from "../managers/messageManager.js";
 import type { BackgroundTaskManagerCallbacks } from "../managers/backgroundTaskManager.js";
 import type { McpManagerCallbacks } from "../managers/mcpManager.js";
 import type { SubagentManagerCallbacks } from "../managers/subagentManager.js";
+import type { PartialHookConfiguration } from "./configuration.js";
 import type { ToolPlugin } from "../tools/types.js";
 
 /**
@@ -89,6 +90,11 @@ export interface AgentOptions {
   mcpServers?: Record<string, McpServerConfig>;
   /** Custom tools provided by the SDK user, registered alongside built-in tools */
   customTools?: ToolPlugin[];
+  /**
+   * Optional hook configuration to inject at creation time.
+   * File-based hooks (from config.json/.waverc.json) merge on top of these.
+   */
+  hooks?: PartialHookConfiguration;
   [key: string]: unknown;
 }
 
@@ -109,5 +115,6 @@ export interface AgentCallbacks
   onConfiguredModelsChange?: (models: string[]) => void;
   onLoadingChange?: (loading: boolean) => void;
   onCommandRunningChange?: (running: boolean) => void;
+  onWorkdirChange?: (newCwd: string) => void;
   onQueuedMessagesChange?: (messages: QueuedMessage[]) => void;
 }

package/src/types/auth.ts

@@ -5,5 +5,15 @@ export interface AuthUser {
 
 export interface AuthConfig {
   SSO_TOKEN?: string;
+  SSO_REFRESH_TOKEN?: string;
+  SSO_TOKEN_EXPIRES_AT?: number; // Unix timestamp (ms) when SSO_TOKEN expires
   user?: AuthUser;
 }
+
+/** Server response from POST /api/auth/token */
+export interface TokenResponse {
+  token: string;
+  refreshToken?: string;
+  expiresIn?: number; // seconds until token expires
+  user: { id: string; email?: string };
+}