wave-agent-sdk 0.16.9 → 0.16.12

package/src/services/remoteSettingsService.ts

@@ -0,0 +1,315 @@
+import * as fs from "node:fs";
+import { homedir } from "node:os";
+import * as path from "node:path";
+
+import { authService, createAuthAwareFetch } from "./authService.js";
+import type {
+  RemoteSettingsCache,
+  RemoteSettingsFetchResult,
+  RemoteSettingsResponse,
+} from "../types/configuration.js";
+import type { WaveConfiguration } from "../types/configuration.js";
+import type { HookEvent, HookEventConfig } from "../types/hooks.js";
+import { logger } from "../utils/globalLogger.js";
+
+const CACHE_FILE = path.join(homedir(), ".wave", "remote-settings.json");
+const POLLING_INTERVAL_MS = 60 * 60 * 1000; // 60 minutes
+const FETCH_TIMEOUT_MS = 10_000;
+
+let _cachedSettings: RemoteSettingsCache | null = null;
+let _pollingTimer: ReturnType<typeof setInterval> | null = null;
+
+function loadCacheFromDisk(): void {
+  try {
+    if (!fs.existsSync(CACHE_FILE)) {
+      return;
+    }
+    const raw = fs.readFileSync(CACHE_FILE, "utf-8");
+    const parsed: RemoteSettingsCache = JSON.parse(raw);
+    _cachedSettings = parsed;
+    logger.debug("remoteSettings: loaded cache from disk", {
+      checksum: parsed.checksum,
+    });
+  } catch (err) {
+    logger.debug("remoteSettings: failed to load cache from disk", { err });
+  }
+}
+
+function writeCacheToDisk(): void {
+  if (!_cachedSettings) {
+    return;
+  }
+  try {
+    const dir = path.dirname(CACHE_FILE);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    fs.writeFileSync(CACHE_FILE, JSON.stringify(_cachedSettings, null, 2), {
+      mode: 0o600,
+    });
+    logger.debug("remoteSettings: wrote cache to disk", {
+      checksum: _cachedSettings.checksum,
+    });
+  } catch (err) {
+    logger.debug("remoteSettings: failed to write cache to disk", { err });
+  }
+}
+
+function removeCacheFromDisk(): void {
+  try {
+    if (fs.existsSync(CACHE_FILE)) {
+      fs.unlinkSync(CACHE_FILE);
+    }
+  } catch (err) {
+    logger.debug("remoteSettings: failed to remove cache file", { err });
+  }
+}
+
+async function fetchRemoteSettings(): Promise<RemoteSettingsFetchResult> {
+  if (!authService.isSSOAuthenticated()) {
+    logger.debug("remoteSettings: skipping fetch — not SSO authenticated");
+    return { success: false, error: "Not SSO authenticated" };
+  }
+
+  const token = authService.getSSOToken();
+  const serverUrl = authService.getServerUrl();
+  if (!token || !serverUrl) {
+    return { success: false, error: "Missing SSO token or server URL" };
+  }
+
+  const headers: Record<string, string> = {
+    Authorization: `Bearer ${token}`,
+  };
+  if (_cachedSettings?.checksum) {
+    headers["If-None-Match"] = _cachedSettings.checksum;
+  }
+
+  try {
+    const authFetch = createAuthAwareFetch(globalThis.fetch);
+    const response = await authFetch(`${serverUrl}/api/wave/settings`, {
+      method: "GET",
+      headers,
+      signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+    });
+
+    if (response.status === 304) {
+      logger.debug("remoteSettings: 304 unchanged", {
+        checksum: _cachedSettings?.checksum,
+      });
+      return {
+        success: true,
+        settings: _cachedSettings!.settings,
+        checksum: _cachedSettings!.checksum,
+      };
+    }
+
+    if (response.status === 404) {
+      logger.debug("remoteSettings: 404 not configured — clearing stale cache");
+      _cachedSettings = null;
+      removeCacheFromDisk();
+      return { success: true, notConfigured: true, settings: null };
+    }
+
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      logger.debug("remoteSettings: fetch failed", {
+        status: response.status,
+        body: body.slice(0, 200),
+      });
+      return {
+        success: false,
+        error: `HTTP ${response.status}`,
+        settings: _cachedSettings?.settings ?? null,
+      };
+    }
+
+    const data = (await response.json()) as RemoteSettingsResponse;
+    _cachedSettings = {
+      uuid: data.uuid,
+      checksum: data.checksum,
+      settings: data.settings,
+      fetchedAt: new Date().toISOString(),
+    };
+    writeCacheToDisk();
+    logger.debug("remoteSettings: fetched new settings", {
+      checksum: data.checksum,
+    });
+    return {
+      success: true,
+      settings: data.settings,
+      checksum: data.checksum,
+    };
+  } catch (err) {
+    logger.debug("remoteSettings: network error, using cache", { err });
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : String(err),
+      settings: _cachedSettings?.settings ?? null,
+    };
+  }
+}
+
+function startPolling(): void {
+  if (_pollingTimer) {
+    return;
+  }
+  _pollingTimer = setInterval(async () => {
+    try {
+      await fetchRemoteSettings();
+    } catch (err) {
+      logger.debug("remoteSettings: polling fetch error", { err });
+    }
+  }, POLLING_INTERVAL_MS);
+  _pollingTimer.unref();
+}
+
+export function initialize(): void {
+  loadCacheFromDisk();
+  // Fire-and-forget the initial fetch, then start background polling
+  fetchRemoteSettings()
+    .then(() => startPolling())
+    .catch((err) => {
+      logger.debug("remoteSettings: initial fetch failed", { err });
+      startPolling();
+    });
+}
+
+export function getRemoteSettingsSync(): WaveConfiguration | null {
+  return _cachedSettings?.settings ?? null;
+}
+
+export async function refresh(): Promise<RemoteSettingsFetchResult> {
+  // Clear in-memory so we force a fresh fetch
+  _cachedSettings = null;
+  removeCacheFromDisk();
+  return fetchRemoteSettings();
+}
+
+export function clear(): void {
+  _cachedSettings = null;
+  removeCacheFromDisk();
+  if (_pollingTimer) {
+    clearInterval(_pollingTimer);
+    _pollingTimer = null;
+  }
+}
+
+export function shutdown(): void {
+  if (_pollingTimer) {
+    clearInterval(_pollingTimer);
+    _pollingTimer = null;
+  }
+}
+
+function dedupe(arr: string[]): string[] {
+  return [...new Set(arr)];
+}
+
+function mergeHooks(
+  local: Partial<Record<HookEvent, HookEventConfig[]>> | undefined,
+  remote: Partial<Record<HookEvent, HookEventConfig[]>> | undefined,
+): Partial<Record<HookEvent, HookEventConfig[]>> | undefined {
+  if (!remote && !local) {
+    return undefined;
+  }
+  if (!remote) {
+    return local;
+  }
+  if (!local) {
+    return remote;
+  }
+  const merged: Partial<Record<HookEvent, HookEventConfig[]>> = { ...local };
+  for (const [event, remoteHooks] of Object.entries(remote)) {
+    const localHooks = merged[event as HookEvent] ?? [];
+    // Concatenate + dedupe by JSON serialization
+    const combined = [...localHooks, ...(remoteHooks ?? [])];
+    const seen = new Set<string>();
+    merged[event as HookEvent] = combined.filter((h) => {
+      const key = JSON.stringify(h);
+      if (seen.has(key)) {
+        return false;
+      }
+      seen.add(key);
+      return true;
+    });
+  }
+  return merged;
+}
+
+export function mergeRemoteSettings(
+  localMerged: WaveConfiguration,
+  remote: WaveConfiguration,
+): WaveConfiguration {
+  const result: WaveConfiguration = { ...localMerged };
+
+  // env: merge by key, remote wins per-key
+  if (remote.env || localMerged.env) {
+    result.env = { ...localMerged.env, ...remote.env };
+  }
+
+  // permissions
+  if (remote.permissions || localMerged.permissions) {
+    const lp = localMerged.permissions ?? {};
+    const rp = remote.permissions ?? {};
+    result.permissions = {
+      // allow: concatenate + dedupe
+      allow:
+        lp.allow || rp.allow
+          ? dedupe([...(lp.allow ?? []), ...(rp.allow ?? [])])
+          : undefined,
+      // deny: concatenate + dedupe
+      deny:
+        lp.deny || rp.deny
+          ? dedupe([...(lp.deny ?? []), ...(rp.deny ?? [])])
+          : undefined,
+      // permissionMode: remote wins (scalar)
+      permissionMode: rp.permissionMode ?? lp.permissionMode,
+      // additionalDirectories: concatenate + dedupe
+      additionalDirectories:
+        lp.additionalDirectories || rp.additionalDirectories
+          ? dedupe([
+              ...(lp.additionalDirectories ?? []),
+              ...(rp.additionalDirectories ?? []),
+            ])
+          : undefined,
+    };
+    // Clean up undefined keys
+    if (!result.permissions.allow) delete result.permissions.allow;
+    if (!result.permissions.deny) delete result.permissions.deny;
+    if (!result.permissions.permissionMode)
+      delete result.permissions.permissionMode;
+    if (!result.permissions.additionalDirectories)
+      delete result.permissions.additionalDirectories;
+  }
+
+  // hooks: concatenate per-event
+  result.hooks = mergeHooks(localMerged.hooks, remote.hooks);
+
+  // Scalar / last-write-wins fields: remote wins
+  if (remote.language !== undefined) result.language = remote.language;
+  if (remote.model !== undefined) result.model = remote.model;
+  if (remote.autoMemoryEnabled !== undefined)
+    result.autoMemoryEnabled = remote.autoMemoryEnabled;
+  if (remote.autoMemoryFrequency !== undefined)
+    result.autoMemoryFrequency = remote.autoMemoryFrequency;
+  if (remote.models !== undefined) result.models = remote.models;
+  if (remote.marketplaces !== undefined)
+    result.marketplaces = remote.marketplaces;
+  if (remote.enabledPlugins !== undefined)
+    result.enabledPlugins = remote.enabledPlugins;
+
+  return result;
+}
+
+/**
+ * Singleton object for consumers that prefer a namespace-style import.
+ * Usage: import { remoteSettingsService } from "./remoteSettingsService.js"
+ */
+export const remoteSettingsService = {
+  initialize,
+  getRemoteSettingsSync,
+  refresh,
+  clear,
+  shutdown,
+  mergeRemoteSettings,
+} as const;

package/src/tools/bashTool.ts

@@ -4,6 +4,8 @@ import * as path from "path";
 import * as os from "os";
 import { logger } from "../utils/globalLogger.js";
 import { stripAnsiColors } from "../utils/stringUtils.js";
+import { processToolResult } from "../utils/toolResultStorage.js";
+import { BASH_MAX_OUTPUT_CHARS } from "../constants/toolLimits.js";
 import type { ToolPlugin, ToolResult, ToolContext } from "./types.js";
 import {
   BASH_TOOL_NAME,
@@ -14,36 +16,8 @@ import {
   WRITE_TOOL_NAME,
 } from "../constants/tools.js";
 
-const MAX_OUTPUT_LENGTH = 30000;
 const BASH_DEFAULT_TIMEOUT_MS = 120000;
 
-/**
- * Helper function to handle large output by truncation and persistence to a temporary file.
- */
-function processOutput(output: string): string {
-  if (output.length <= MAX_OUTPUT_LENGTH) {
-    return output;
-  }
-
-  try {
-    const tempDir = os.tmpdir();
-    const fileName = `bash_output_${Date.now()}_${Math.random().toString(36).substring(2, 11)}.txt`;
-    const filePath = path.join(tempDir, fileName);
-    fs.writeFileSync(filePath, output, "utf8");
-
-    return (
-      output.substring(0, MAX_OUTPUT_LENGTH) +
-      `\n\n... (output truncated)\nFull output persisted to: ${filePath}`
-    );
-  } catch (error) {
-    logger.error("Failed to persist large bash output:", error);
-    return (
-      output.substring(0, MAX_OUTPUT_LENGTH) +
-      "\n\n... (output truncated, failed to persist full output)"
-    );
-  }
-}
-
 /**
  * Bash command execution tool - supports both foreground and background execution
  */
@@ -104,7 +78,7 @@ Usage notes:
   - The command argument is required.
   - You can specify an optional timeout in milliseconds (up to ${BASH_DEFAULT_TIMEOUT_MS}ms / ${BASH_DEFAULT_TIMEOUT_MS / 60000} minutes). If not specified, commands will timeout after ${BASH_DEFAULT_TIMEOUT_MS}ms (${BASH_DEFAULT_TIMEOUT_MS / 60000} minutes).
   - It is very helpful if you write a clear, concise description of what this command does in 5-10 words.
-  - If the output exceeds ${MAX_OUTPUT_LENGTH} characters, output will be truncated and the full output will be persisted to a temporary file.
+  - If the output exceeds ${BASH_MAX_OUTPUT_CHARS.toLocaleString()} characters, output will be truncated and the full output will be persisted to a file you can read with the Read tool.
   - You can use the \`run_in_background\` parameter to run the command in the background, which allows you to continue working while the command runs. You can monitor the output using the ${READ_TOOL_NAME} tool as it becomes available. You do not need to use '&' at the end of the command when using this parameter.
   - Avoid using ${BASH_TOOL_NAME} with the \`find\`, \`sed\`, \`awk\`, or \`echo\` commands, unless explicitly instructed or when these commands are truly necessary for the task. Instead, always prefer using the dedicated tools for these commands:
     - File search: Use ${GLOB_TOOL_NAME} (NOT find or ls)
@@ -139,7 +113,10 @@ Use the gh command via the Bash tool for GitHub-related tasks including working
 - Do not retry failing commands in a sleep loop — diagnose the root cause.
 - If waiting for a background task you started with \`run_in_background\`, you will be notified when it completes — do not poll.
 - If you must poll an external process, use a check command (e.g. \`gh run view\`) rather than sleeping first.
-- If you must sleep, keep the duration short (1-5 seconds) to avoid blocking the user.`,
+- If you must sleep, keep the duration short (1-5 seconds) to avoid blocking the user.
+
+# CWD management
+The working directory persists between commands. Try to maintain your current working directory throughout the session by using absolute paths and avoiding usage of \`cd\`. You may use \`cd\` if the User explicitly requests it.`,
   execute: async (
     args: Record<string, unknown>,
     context: ToolContext,
@@ -237,7 +214,14 @@ Use the gh command via the Bash tool for GitHub-related tasks including working
 
     // Foreground execution (original behavior)
     return new Promise((resolve) => {
-      const child: ChildProcess = spawn(command, {
+      // Create a temporary file to store the CWD
+      const tempCwdFile = path.join(
+        os.tmpdir(),
+        `wave_cwd_${Date.now()}_${Math.random().toString(36).substring(2, 11)}.tmp`,
+      );
+      const wrappedCommand = `${command} && pwd -P >| ${tempCwdFile}`;
+
+      const child: ChildProcess = spawn(wrappedCommand, {
         shell: true,
         stdio: "pipe",
         detached: true,
@@ -270,12 +254,12 @@ Use the gh command via the Bash tool for GitHub-related tasks including working
           context.onShortResultUpdate(shortResult);
         }
 
-        // Update full result
+        // Update full result (simple truncation for streaming — persistence happens at final result)
         if (context.onResultUpdate) {
           const content =
-            combinedOutput.length <= MAX_OUTPUT_LENGTH
+            combinedOutput.length <= BASH_MAX_OUTPUT_CHARS
               ? combinedOutput
-              : combinedOutput.substring(0, MAX_OUTPUT_LENGTH) +
+              : combinedOutput.substring(0, BASH_MAX_OUTPUT_CHARS) +
                 "\n\n... (output truncated)";
           context.onResultUpdate(content);
         }
@@ -368,8 +352,10 @@ Use the gh command via the Bash tool for GitHub-related tasks including working
             }
           }
 
-          const processedOutput = processOutput(
+          const processedOutput = processToolResult(
             outputBuffer + (errorBuffer ? "\n" + errorBuffer : ""),
+            BASH_MAX_OUTPUT_CHARS,
+            "bash",
           );
           resolve({
             success: false,
@@ -422,14 +408,60 @@ Use the gh command via the Bash tool for GitHub-related tasks including working
             clearTimeout(timeoutHandle);
           }
 
+          // Read the new CWD from the temporary file
+          let newCwd: string | undefined;
+          try {
+            if (fs.existsSync(tempCwdFile)) {
+              newCwd = fs.readFileSync(tempCwdFile, "utf8").trim();
+              // Validate the path exists before calling the callback
+              fs.accessSync(newCwd, fs.constants.F_OK);
+            }
+          } catch (fileError) {
+            logger.warn(
+              `Could not read or validate new CWD from temp file ${tempCwdFile}:`,
+              fileError,
+            );
+            newCwd = undefined;
+          } finally {
+            // Ensure temp file is cleaned up even if reading fails
+            try {
+              if (fs.existsSync(tempCwdFile)) {
+                fs.unlinkSync(tempCwdFile);
+              }
+            } catch (fileError) {
+              logger.error("Failed to clean up temp CWD file:", fileError);
+            }
+          }
+
+          // If CWD changed, call the onCwdChange callback and add notification
+          let cwdResetMessage: string | undefined;
+          if (newCwd && newCwd !== context.workdir && context.onCwdChange) {
+            const isInSafeZone =
+              context.permissionManager?.isPathInSafeZone?.(newCwd) ?? true;
+
+            if (isInSafeZone) {
+              context.onCwdChange(newCwd);
+            } else if (context.originalWorkdir) {
+              context.onCwdChange(context.originalWorkdir);
+              cwdResetMessage = `Shell cwd was reset to ${context.originalWorkdir}`;
+            } else {
+              context.onCwdChange(newCwd);
+            }
+          }
+
           const exitCode = code ?? 0;
           const combinedOutput =
             outputBuffer + (errorBuffer ? "\n" + errorBuffer : "");
 
-          // Handle large output by truncation and persistence if needed
+          // Prepend CWD reset message to output if present (like Claude Code's stderr approach)
           const finalOutput =
-            combinedOutput || `Command executed with exit code: ${exitCode}`;
-          const content = processOutput(finalOutput);
+            (cwdResetMessage ? cwdResetMessage + "\n" : "") +
+            (combinedOutput || `Command executed with exit code: ${exitCode}`);
+          const content = processToolResult(
+            finalOutput,
+            BASH_MAX_OUTPUT_CHARS,
+            "bash",
+          );
 
           const lines = combinedOutput.trim().split("\n");
           const shortResult =

package/src/tools/types.ts

@@ -107,4 +107,8 @@ export interface ToolContext {
   readFileState?: Map<string, { mtime: number; hash: string }>;
   /** Hook manager instance for executing hooks */
   hookManager?: import("../managers/hookManager.js").HookManager;
+  /** Callback to notify when the current working directory changes */
+  onCwdChange?: (newCwd: string) => void;
+  /** Original working directory (before any cd changes) for CWD reset */
+  originalWorkdir?: string;
 }

package/src/types/agent.ts

@@ -14,6 +14,7 @@ import type { MessageManagerCallbacks } from "../managers/messageManager.js";
 import type { BackgroundTaskManagerCallbacks } from "../managers/backgroundTaskManager.js";
 import type { McpManagerCallbacks } from "../managers/mcpManager.js";
 import type { SubagentManagerCallbacks } from "../managers/subagentManager.js";
+import type { PartialHookConfiguration } from "./configuration.js";
 import type { ToolPlugin } from "../tools/types.js";
 
 /**
@@ -89,6 +90,11 @@ export interface AgentOptions {
   mcpServers?: Record<string, McpServerConfig>;
   /** Custom tools provided by the SDK user, registered alongside built-in tools */
   customTools?: ToolPlugin[];
+  /**
+   * Optional hook configuration to inject at creation time.
+   * File-based hooks (from config.json/.waverc.json) merge on top of these.
+   */
+  hooks?: PartialHookConfiguration;
   [key: string]: unknown;
 }
 
@@ -109,5 +115,6 @@ export interface AgentCallbacks
   onConfiguredModelsChange?: (models: string[]) => void;
   onLoadingChange?: (loading: boolean) => void;
   onCommandRunningChange?: (running: boolean) => void;
+  onWorkdirChange?: (newCwd: string) => void;
   onQueuedMessagesChange?: (messages: QueuedMessage[]) => void;
 }

package/src/types/auth.ts

@@ -5,5 +5,15 @@ export interface AuthUser {
 
 export interface AuthConfig {
   SSO_TOKEN?: string;
+  SSO_REFRESH_TOKEN?: string;
+  SSO_TOKEN_EXPIRES_AT?: number; // Unix timestamp (ms) when SSO_TOKEN expires
   user?: AuthUser;
 }
+
+/** Server response from POST /api/auth/token */
+export interface TokenResponse {
+  token: string;
+  refreshToken?: string;
+  expiresIn?: number; // seconds until token expires
+  user: { id: string; email?: string };
+}

package/src/types/configuration.ts

@@ -44,6 +44,8 @@ export interface WaveConfiguration {
   autoMemoryEnabled?: boolean;
   /** Frequency of auto-memory extraction turns */
   autoMemoryFrequency?: number;
+  /** Persisted model selection (from /model command) */
+  model?: string;
   /** Model-specific configuration overrides */
   models?: Record<string, Partial<ModelConfig>>;
   /** Scoped marketplace declarations */
@@ -138,3 +140,24 @@ interface Logger {
   info: (...args: unknown[]) => void;
   debug: (...args: unknown[]) => void;
 }
+
+export interface RemoteSettingsResponse {
+  uuid: string;
+  checksum: string;
+  settings: WaveConfiguration;
+}
+
+export interface RemoteSettingsCache {
+  uuid: string;
+  checksum: string;
+  settings: WaveConfiguration;
+  fetchedAt: string;
+}
+
+export interface RemoteSettingsFetchResult {
+  success: boolean;
+  settings?: WaveConfiguration | null;
+  checksum?: string;
+  error?: string;
+  notConfigured?: boolean;
+}

package/src/types/hooks.ts

@@ -22,6 +22,7 @@ export type HookEvent =
   | "PermissionRequest"
   | "WorktreeCreate"
   | "WorktreeRemove"
+  | "CwdChanged"
   | "SessionStart"
   | "SessionEnd";
 
@@ -113,6 +114,7 @@ export function isValidHookEvent(event: string): event is HookEvent {
     "PermissionRequest",
     "WorktreeCreate",
     "WorktreeRemove",
+    "CwdChanged",
     "SessionStart",
     "SessionEnd",
   ].includes(event);
@@ -171,7 +173,7 @@ export interface HookJsonInput {
   session_id: string; // Format: "wave_session_{uuid}_{shortId}"
   transcript_path: string; // Format: "~/.wave/sessions/session_{shortId}.json"
   cwd: string; // Absolute path to current working directory
-  hook_event_name: HookEvent; // "PreToolUse" | "PostToolUse" | "UserPromptSubmit" | "Stop" | "SubagentStop" | "PermissionRequest" | "WorktreeCreate" | "SessionStart"
+  hook_event_name: HookEvent; // "PreToolUse" | "PostToolUse" | "UserPromptSubmit" | "Stop" | "SubagentStop" | "PermissionRequest" | "WorktreeCreate" | "CwdChanged" | "SessionStart"
 
   // Optional fields based on event type
   tool_name?: string; // Present for PreToolUse, PostToolUse, PermissionRequest
@@ -180,6 +182,8 @@ export interface HookJsonInput {
   user_prompt?: string; // Present for UserPromptSubmit only
   subagent_type?: string; // Present when hook is executed by a subagent
   name?: string; // Present for WorktreeCreate events
+  old_cwd?: string; // Present for CwdChanged events
+  new_cwd?: string; // Present for CwdChanged events
   source?: SessionStartSource; // Present for SessionStart events
   agent_type?: string; // Present for SessionStart events
   end_source?: SessionEndSource; // Present for SessionEnd events
@@ -196,6 +200,8 @@ export interface ExtendedHookExecutionContext extends HookExecutionContext {
   userPrompt?: string; // User prompt text (UserPromptSubmit only)
   subagentType?: string; // Subagent type when hook is executed by a subagent
   worktreeName?: string; // Worktree name (WorktreeCreate only)
+  oldCwd?: string; // Previous working directory (CwdChanged only)
+  newCwd?: string; // New working directory (CwdChanged only)
   source?: SessionStartSource; // Session start source (SessionStart only)
   agentType?: string; // Agent type identifier (SessionStart only)
   endSource?: SessionEndSource; // Session end source (SessionEnd only)

package/src/types/mcp.ts

@@ -26,7 +26,7 @@ export interface McpTool {
 export interface McpServerStatus {
   name: string;
   config: McpServerConfig;
-  /** Pre-resolution URL with template variables (e.g. ${WAVE_SSO_TOKEN}) preserved for safe display */
+  /** Pre-resolution URL with template variables preserved for safe display */
   originalUrl?: string;
   status:
     | "disconnected"

package/src/utils/containerSetup.ts

@@ -39,6 +39,7 @@ import type {
 
 import { logger } from "./globalLogger.js";
 import { authService } from "../services/authService.js";
+import { remoteSettingsService } from "../services/remoteSettingsService.js";
 
 export interface AgentContainerSetupOptions {
   options: AgentOptions;
@@ -146,8 +147,6 @@ export function setupAgentContainer(
   });
   container.register("BackgroundTaskManager", backgroundTaskManager);
 
-  const ssoToken = authService.getSSOToken();
-  const serverUrl = options.serverUrl || process.env.WAVE_SERVER_URL;
   if (options.serverUrl) {
     authService.setServerUrl(options.serverUrl);
   }
@@ -156,17 +155,15 @@ export function setupAgentContainer(
     mcpServers: options.mcpServers as
       | Record<string, McpServerConfig>
       | undefined,
-    serverUrl,
-    ssoToken,
   });
   container.register("McpManager", mcpManager);
 
-  // Wire up auth change callback to reconnect MCP servers after SSO login
+  // Wire up auth change callback to refresh/clear remote settings
   authService.onAuthChange((event) => {
     if (event === "login") {
-      const newServerUrl = options.serverUrl || process.env.WAVE_SERVER_URL;
-      const newToken = authService.getSSOToken();
-      mcpManager.refreshCredentials(newServerUrl, newToken);
+      remoteSettingsService.refresh();
+    } else if (event === "logout") {
+      remoteSettingsService.clear();
     }
   });
 
@@ -192,6 +189,9 @@ export function setupAgentContainer(
   container.register("PlanManager", planManager);
 
   const hookManager = new HookManager(container, workdir);
+  if (options.hooks) {
+    hookManager.loadConfiguration(options.hooks);
+  }
   container.register("HookManager", hookManager);
 
   const skillManager = new SkillManager(container, {