wispy-cli 2.7.12 → 2.7.14

package/bin/wispy.mjs

@@ -60,9 +60,24 @@ const globalPersonality = extractFlag(["--personality"], true);
 const globalJsonMode = hasFlag("--json");
 if (globalJsonMode) { args.splice(args.indexOf("--json"), 1); }
 
+// Parse image flags: -i <path> or --image <path> (multiple allowed)
+const imagePaths = [];
+{
+  let i = 0;
+  while (i < args.length) {
+    if ((args[i] === "-i" || args[i] === "--image") && i + 1 < args.length) {
+      imagePaths.push(args[i + 1]);
+      args.splice(i, 2);
+    } else {
+      i++;
+    }
+  }
+}
+
 // Expose for submodules via env
 if (globalProfile) process.env.WISPY_PROFILE = globalProfile;
 if (globalPersonality) process.env.WISPY_PERSONALITY = globalPersonality;
+if (imagePaths.length > 0) process.env.WISPY_IMAGES = JSON.stringify(imagePaths);
 
 // ── Flags ─────────────────────────────────────────────────────────────────────
 
@@ -110,10 +125,20 @@ Usage:
                                Manage HTTP/WS server
   wispy tui                    Launch full terminal UI
   wispy overview               Director view of workstreams
+  wispy sessions [--all]       List all sessions
+  wispy resume [session-id]    Resume a previous session
+  wispy resume --last          Resume the most recent session
+  wispy fork [session-id]      Fork (branch) from a session
+  wispy fork --last            Fork the most recent session
+  wispy review                 Review uncommitted changes
+  wispy review --base <branch> Review changes against branch
+  wispy review --commit <sha>  Review a specific commit
+  wispy review --json          Output review as JSON
 
 Options:
   -w, --workstream <name>      Set active workstream
   -p, --profile <name>         Use a named config profile
+  -i, --image <path>           Attach image (can use multiple times)
   --session <id>               Resume a session
   --model <name>               Override AI model
   --provider <name>            Override AI provider
@@ -833,6 +858,196 @@ if (command === "model") {
   process.exit(0);
 }
 
+// ── Review ────────────────────────────────────────────────────────────────────
+
+if (command === "review") {
+  try {
+    const { handleReviewCommand } = await import(join(rootDir, "lib/commands/review.mjs"));
+    await handleReviewCommand(args.slice(1));
+  } catch (err) {
+    console.error("Review error:", err.message);
+    process.exit(1);
+  }
+  process.exit(0);
+}
+
+// ── Sessions list ─────────────────────────────────────────────────────────────
+
+if (command === "sessions") {
+  try {
+    const { SessionManager } = await import(join(rootDir, "core/session.mjs"));
+    const { select } = await import("@inquirer/prompts");
+    const mgr = new SessionManager();
+    const showAll = args.includes("--all") || args.includes("-a");
+
+    const sessions = await mgr.listSessions({ all: showAll });
+    if (sessions.length === 0) {
+      console.log("  No sessions found.");
+      process.exit(0);
+    }
+
+    console.log(`\n  Sessions (${sessions.length})${showAll ? "" : " — use --all to show all workstreams"}:\n`);
+    for (const s of sessions) {
+      const ts = new Date(s.updatedAt).toLocaleString();
+      const preview = s.firstMessage ? `  "${s.firstMessage.slice(0, 60)}${s.firstMessage.length > 60 ? "…" : ""}"` : "";
+      console.log(`  ${s.id}`);
+      console.log(`    ${ts}  ·  ${s.workstream}  ·  ${s.messageCount} msgs${s.model ? `  ·  ${s.model}` : ""}`);
+      if (preview) console.log(`    ${preview}`);
+      console.log("");
+    }
+
+    // Interactive: if TTY, offer to pick a session
+    if (process.stdout.isTTY && !args.includes("--no-interactive")) {
+      const choices = [
+        { name: "(exit)", value: null },
+        ...sessions.map(s => ({
+          name: `${s.id}  ${new Date(s.updatedAt).toLocaleString()}  "${(s.firstMessage ?? "").slice(0, 50)}"`,
+          value: s.id,
+        })),
+      ];
+
+      let selectedId;
+      try {
+        selectedId = await select({ message: "Select session:", choices });
+      } catch {
+        process.exit(0);
+      }
+
+      if (!selectedId) process.exit(0);
+
+      let action;
+      try {
+        action = await select({
+          message: `Session ${selectedId}:`,
+          choices: [
+            { name: "resume — continue this session", value: "resume" },
+            { name: "fork — start a new branch from this session", value: "fork" },
+            { name: "cancel", value: null },
+          ],
+        });
+      } catch {
+        process.exit(0);
+      }
+
+      if (!action) process.exit(0);
+
+      // Delegate to REPL with the appropriate action
+      process.env.WISPY_SESSION_ACTION = action;
+      process.env.WISPY_SESSION_ID = selectedId;
+      await import(join(rootDir, "lib/wispy-repl.mjs"));
+    }
+  } catch (err) {
+    console.error("Sessions error:", err.message);
+    process.exit(1);
+  }
+  process.exit(0);
+}
+
+// ── Resume session ────────────────────────────────────────────────────────────
+
+if (command === "resume") {
+  try {
+    const { SessionManager } = await import(join(rootDir, "core/session.mjs"));
+    const { select } = await import("@inquirer/prompts");
+    const mgr = new SessionManager();
+
+    let sessionId = args[1]; // may be undefined
+
+    if (args.includes("--last") || args[1] === "--last") {
+      // Resume most recent
+      const sessions = await mgr.listSessions({ all: true, limit: 1 });
+      if (!sessions.length) {
+        console.error("No sessions found.");
+        process.exit(1);
+      }
+      sessionId = sessions[0].id;
+    } else if (!sessionId || sessionId.startsWith("--")) {
+      // Interactive picker
+      const sessions = await mgr.listSessions({ all: true });
+      if (!sessions.length) {
+        console.error("No sessions found.");
+        process.exit(1);
+      }
+
+      const choices = sessions.map(s => ({
+        name: `${new Date(s.updatedAt).toLocaleString()}  [${s.workstream}]  ${s.messageCount}msgs  "${(s.firstMessage ?? "").slice(0, 50)}"`,
+        value: s.id,
+      }));
+
+      try {
+        sessionId = await select({ message: "Resume which session?", choices });
+      } catch {
+        process.exit(0);
+      }
+    }
+
+    if (!sessionId) process.exit(0);
+
+    console.log(`  Resuming session ${sessionId}...`);
+    process.env.WISPY_SESSION_ACTION = "resume";
+    process.env.WISPY_SESSION_ID = sessionId;
+    await import(join(rootDir, "lib/wispy-repl.mjs"));
+  } catch (err) {
+    console.error("Resume error:", err.message);
+    process.exit(1);
+  }
+  // REPL handles lifecycle
+}
+
+// ── Fork session ──────────────────────────────────────────────────────────────
+
+if (command === "fork") {
+  try {
+    const { SessionManager } = await import(join(rootDir, "core/session.mjs"));
+    const { select } = await import("@inquirer/prompts");
+    const mgr = new SessionManager();
+
+    let sessionId = args[1];
+
+    if (args.includes("--last") || args[1] === "--last") {
+      const sessions = await mgr.listSessions({ all: true, limit: 1 });
+      if (!sessions.length) {
+        console.error("No sessions found.");
+        process.exit(1);
+      }
+      sessionId = sessions[0].id;
+    } else if (!sessionId || sessionId.startsWith("--")) {
+      const sessions = await mgr.listSessions({ all: true });
+      if (!sessions.length) {
+        console.error("No sessions found.");
+        process.exit(1);
+      }
+
+      const choices = sessions.map(s => ({
+        name: `${new Date(s.updatedAt).toLocaleString()}  [${s.workstream}]  ${s.messageCount}msgs  "${(s.firstMessage ?? "").slice(0, 50)}"`,
+        value: s.id,
+      }));
+
+      try {
+        sessionId = await select({ message: "Fork which session?", choices });
+      } catch {
+        process.exit(0);
+      }
+    }
+
+    if (!sessionId) process.exit(0);
+
+    // Actually fork
+    const forked = await mgr.forkSession(sessionId);
+    console.log(`  ✓ Forked from ${sessionId}`);
+    console.log(`  New session: ${forked.id} (${forked.messages.length} messages copied)`);
+    console.log(`  Starting REPL with forked session...`);
+
+    process.env.WISPY_SESSION_ACTION = "fork";
+    process.env.WISPY_SESSION_ID = forked.id;
+    await import(join(rootDir, "lib/wispy-repl.mjs"));
+  } catch (err) {
+    console.error("Fork error:", err.message);
+    process.exit(1);
+  }
+  // REPL handles lifecycle
+}
+
 // ── TUI ───────────────────────────────────────────────────────────────────────
 
 if (command === "tui") {

package/core/agents.mjs

@@ -0,0 +1,133 @@
+/**
+ * core/agents.mjs — Custom Agent Definitions for Wispy
+ *
+ * Allows users to define named agents with custom system prompts and models,
+ * similar to Claude Code's --agents feature.
+ *
+ * Usage:
+ *   const mgr = new AgentManager(config);
+ *   const agent = mgr.get("reviewer");
+ *   // agent = { name, description, prompt, model }
+ */
+
+// ── Built-in agents ────────────────────────────────────────────────────────────
+
+export const BUILTIN_AGENTS = {
+  default: {
+    description: "General-purpose assistant",
+    prompt: null, // uses default Wispy system prompt
+    model: null,  // uses default model
+  },
+  reviewer: {
+    description: "Code reviewer — bugs, security, performance, best practices",
+    prompt: "You are a senior code reviewer. Focus on bugs, security, performance, and best practices. Be constructive and specific. Provide line-level feedback where relevant. End your review with a summary of key findings.",
+    model: null,
+  },
+  planner: {
+    description: "Project planner — breaks tasks into concrete steps",
+    prompt: "You are a project planner. Break tasks into concrete steps. Create actionable plans with clear priorities and dependencies. Use numbered lists for steps. Estimate effort where possible.",
+    model: null,
+  },
+  explorer: {
+    description: "Codebase explorer — navigates files, understands architecture",
+    prompt: "You are a codebase explorer. Navigate files, understand architecture, find patterns. Report findings clearly with file paths and code snippets. Summarize what you find at the end.",
+    model: null,
+  },
+};
+
+// ── AgentManager ───────────────────────────────────────────────────────────────
+
+export class AgentManager {
+  /**
+   * @param {object} config - Wispy config object (may have config.agents)
+   */
+  constructor(config = {}) {
+    this._agents = {};
+
+    // Load built-in agents
+    for (const [name, def] of Object.entries(BUILTIN_AGENTS)) {
+      this._agents[name] = { name, builtin: true, ...def };
+    }
+
+    // Load custom agents from config
+    if (config.agents && typeof config.agents === "object") {
+      for (const [name, def] of Object.entries(config.agents)) {
+        if (typeof def !== "object" || def === null) continue;
+        this._agents[name] = {
+          name,
+          builtin: false,
+          description: def.description ?? `Custom agent: ${name}`,
+          prompt: def.prompt ?? null,
+          model: def.model ?? null,
+        };
+      }
+    }
+  }
+
+  /**
+   * Get an agent by name. Returns null if not found.
+   * @param {string} name
+   * @returns {{ name: string, description: string, prompt: string|null, model: string|null, builtin: boolean }|null}
+   */
+  get(name) {
+    return this._agents[name] ?? null;
+  }
+
+  /**
+   * List all agents (built-in + custom).
+   * @returns {Array<{ name: string, description: string, prompt: string|null, model: string|null, builtin: boolean }>}
+   */
+  list() {
+    return Object.values(this._agents);
+  }
+
+  /**
+   * Check if an agent exists.
+   * @param {string} name
+   */
+  has(name) {
+    return name in this._agents;
+  }
+
+  /**
+   * Get all agents as a plain object.
+   */
+  getAllAgents() {
+    return { ...this._agents };
+  }
+
+  /**
+   * Format agents for CLI display.
+   */
+  formatList() {
+    const lines = [];
+    const builtins = Object.values(this._agents).filter(a => a.builtin);
+    const custom = Object.values(this._agents).filter(a => !a.builtin);
+
+    lines.push("\n  Built-in agents:\n");
+    for (const a of builtins) {
+      lines.push(`    \x1b[32m${a.name.padEnd(12)}\x1b[0m  ${a.description}`);
+      if (a.model) lines.push(`    ${" ".repeat(12)}  model: ${a.model}`);
+    }
+
+    if (custom.length > 0) {
+      lines.push("\n  Custom agents:\n");
+      for (const a of custom) {
+        lines.push(`    \x1b[33m${a.name.padEnd(12)}\x1b[0m  ${a.description}`);
+        if (a.model) lines.push(`    ${" ".repeat(12)}  model: ${a.model}`);
+        if (a.prompt) lines.push(`    ${" ".repeat(12)}  prompt: ${a.prompt.slice(0, 60)}...`);
+      }
+    } else {
+      lines.push("\n  \x1b[2mNo custom agents. Add them in ~/.wispy/config.json under \"agents\".\x1b[0m");
+    }
+
+    lines.push(
+      "\n  Usage:",
+      "    wispy --agent reviewer \"review this code\"",
+      "    wispy --agent planner \"build a todo app\"",
+      "",
+    );
+
+    return lines.join("\n");
+  }
+}

package/core/engine.mjs

@@ -12,7 +12,7 @@
 
 import os from "node:os";
 import path from "node:path";
-import { readFile, writeFile, mkdir, appendFile } from "node:fs/promises";
+import { readFile, writeFile, mkdir, appendFile, stat as fsStat } from "node:fs/promises";
 
 import { WISPY_DIR, CONVERSATIONS_DIR, MEMORY_DIR, MCP_CONFIG_PATH, detectProvider, PROVIDERS } from "./config.mjs";
 import { NullEmitter } from "../lib/jsonl-emitter.mjs";
@@ -43,6 +43,7 @@ import { UserModel } from "./user-model.mjs";
 import { routeTask, classifyTask, filterAvailableModels } from "./task-router.mjs";
 import { decomposeTask, executeDecomposedPlan } from "./task-decomposer.mjs";
 import { BrowserBridge } from "./browser.mjs";
+import { LoopDetector } from "./loop-detector.mjs";
 
 const MAX_TOOL_ROUNDS = 10;
 const MAX_CONTEXT_CHARS = 40_000;
@@ -213,8 +214,15 @@ export class WispyEngine {
       }
     }
 
-    // Add user message
-    messages.push({ role: "user", content: userMessage });
+    // Add user message (with optional image attachments)
+    const userMsg = { role: "user", content: userMessage };
+    if (opts.images && opts.images.length > 0) {
+      const imageData = await this._loadImages(opts.images);
+      if (imageData.length > 0) {
+        userMsg.images = imageData;
+      }
+    }
+    messages.push(userMsg);
     this.sessions.addMessage(session.id, { role: "user", content: userMessage });
 
     // Audit: log incoming message
@@ -333,7 +341,38 @@ export class WispyEngine {
     // Optimize context
     messages = this._optimizeContext(messages);
 
+    // Create a fresh loop detector per agent turn
+    const loopDetector = new LoopDetector();
+    let loopWarned = false;
+
     for (let round = 0; round < MAX_TOOL_ROUNDS; round++) {
+      // ── Loop detection check before LLM call ─────────────────────────────
+      if (loopDetector.size >= 2) {
+        const loopCheck = loopDetector.check();
+        if (loopCheck.looping) {
+          if (opts.onLoopDetected) opts.onLoopDetected(loopCheck);
+
+          if (!loopWarned) {
+            // First warning: inject a system message and continue
+            loopWarned = true;
+            const warningMsg = loopCheck.suggestion ?? `Loop detected: agent called ${loopCheck.tool} multiple times without progress. Try a different approach.`;
+            messages.push({
+              role: "user",
+              content: `[SYSTEM WARNING] ${warningMsg}`,
+            });
+            if (process.env.WISPY_DEBUG) {
+              console.error(`[wispy] Loop detected: ${loopCheck.reason} — warning injected`);
+            }
+          } else {
+            // Second time loop detected after warning: force-break the agent turn
+            if (process.env.WISPY_DEBUG) {
+              console.error(`[wispy] Loop force-break: ${loopCheck.reason}`);
+            }
+            return `⚠️ Agent loop detected and stopped: ${loopCheck.suggestion ?? loopCheck.reason}. Please try rephrasing your request.`;
+          }
+        }
+      }
+
       const result = await this.providers.chat(messages, this.tools.getDefinitions(), {
         onChunk: opts.onChunk,
         model: opts.model,
@@ -371,6 +410,9 @@ export class WispyEngine {
           }
         }
 
+        // Record into loop detector
+        loopDetector.record(call.name, call.args, toolResult);
+
         const _toolDuration = Date.now() - _toolStartMs;
         if (opts.onToolResult) opts.onToolResult(call.name, toolResult);
         loopEmitter.toolResult(call.name, toolResult, _toolDuration);
@@ -1490,6 +1532,45 @@ export class WispyEngine {
     }
   }
 
+  // ── Image handling ────────────────────────────────────────────────────────────
+
+  /**
+   * Load images from file paths and return base64-encoded data with MIME types.
+   * @param {string[]} imagePaths - Array of file paths
+   * @returns {Array<{data: string, mimeType: string, path: string}>}
+   */
+  async _loadImages(imagePaths) {
+    const MIME_TYPES = {
+      ".png": "image/png",
+      ".jpg": "image/jpeg",
+      ".jpeg": "image/jpeg",
+      ".gif": "image/gif",
+      ".webp": "image/webp",
+      ".bmp": "image/bmp",
+      ".svg": "image/svg+xml",
+    };
+
+    const results = [];
+    for (const imgPath of imagePaths) {
+      try {
+        const resolvedPath = path.resolve(imgPath);
+        const ext = path.extname(resolvedPath).toLowerCase();
+        const mimeType = MIME_TYPES[ext] ?? "image/jpeg";
+        const buffer = await readFile(resolvedPath);
+        results.push({
+          data: buffer.toString("base64"),
+          mimeType,
+          path: resolvedPath,
+        });
+      } catch (err) {
+        if (process.env.WISPY_DEBUG) {
+          console.error(`[wispy] Failed to load image ${imgPath}: ${err.message}`);
+        }
+      }
+    }
+    return results;
+  }
+
   // ── Cleanup ──────────────────────────────────────────────────────────────────
 
   destroy() {

package/core/harness.mjs

@@ -536,6 +536,56 @@ export class Harness extends EventEmitter {
       receipt.approved = permResult.approved;
     }
 
+    // ── 1b. Approval gate (security mode) ────────────────────────────────────
+    const securityMode = this.config.securityLevel ?? context.securityLevel ?? "balanced";
+    if (_needsApproval(toolName, args, securityMode) && permResult.allowed) {
+      // Check allowlist first
+      const allowlisted = await this.allowlist.matches(toolName, args);
+      if (!allowlisted) {
+        // Non-interactive (no TTY): auto-deny in careful, auto-allow in balanced/yolo
+        const isTTY = process.stdin.isTTY && process.stdout.isTTY;
+        if (!isTTY) {
+          if (securityMode === "careful") {
+            receipt.approved = false;
+            receipt.success = false;
+            receipt.error = `Auto-denied (careful mode, non-interactive): ${toolName}`;
+            receipt.duration = Date.now() - callStart;
+            this.emit("tool:denied", { toolName, args, receipt, context, reason: "non-interactive-careful" });
+            return new HarnessResult({ result: { success: false, error: receipt.error, denied: true }, receipt, denied: true });
+          }
+          // balanced/yolo non-interactive → auto-allow
+          receipt.approved = true;
+        } else {
+          // Emit approval_required event and wait for response
+          const approved = await this._requestApproval(toolName, args, receipt, context, securityMode);
+          receipt.approved = approved;
+          if (!approved) {
+            receipt.success = false;
+            receipt.error = `Approval denied for: ${toolName}`;
+            receipt.duration = Date.now() - callStart;
+            this.audit.log({
+              type: EVENT_TYPES.APPROVAL_DENIED,
+              sessionId: context.sessionId,
+              tool: toolName,
+              args,
+            }).catch(() => {});
+            this.emit("tool:denied", { toolName, args, receipt, context, reason: "approval-denied" });
+            return new HarnessResult({ result: { success: false, error: receipt.error, denied: true }, receipt, denied: true });
+          }
+          // User approved — add to allowlist if they want to remember
+          // (The auto-approve-and-remember logic is handled by the approval handler)
+          this.audit.log({
+            type: EVENT_TYPES.APPROVAL_GRANTED ?? "approval_granted",
+            sessionId: context.sessionId,
+            tool: toolName,
+            args,
+          }).catch(() => {});
+        }
+      } else {
+        receipt.approved = true; // allowlisted
+      }
+    }
+
     // ── 2. Dry-run mode ──────────────────────────────────────────────────────
     if (receipt.dryRun) {
       const preview = simulateDryRun(toolName, args);
@@ -650,6 +700,43 @@ export class Harness extends EventEmitter {
     return new HarnessResult({ result, receipt });
   }
 
+  /**
+   * Emit 'approval_required' and wait for user response.
+   * Resolves to true (approved) or false (denied).
+   */
+  async _requestApproval(toolName, args, receipt, context, mode) {
+    return new Promise((resolve) => {
+      // Timeout after 60s → auto-deny in careful, auto-allow otherwise
+      const timer = setTimeout(() => {
+        if (mode === "careful") {
+          resolve(false);
+        } else {
+          resolve(true);
+        }
+      }, 60_000);
+
+      const respond = (approved, remember = false) => {
+        clearTimeout(timer);
+        if (remember && approved) {
+          const pattern = _getArgString(toolName, args);
+          if (pattern) {
+            this.allowlist.add(toolName, pattern).catch(() => {});
+          }
+        }
+        resolve(approved);
+      };
+
+      this.emit("approval_required", {
+        tool: toolName,
+        args,
+        receipt,
+        context,
+        mode,
+        respond,
+      });
+    });
+  }
+
   /**
    * Set sandbox mode for a tool.
    * @param {string} toolName

package/core/providers.mjs

@@ -290,6 +290,17 @@ export class ProviderRegistry {
             type: "tool_use", id: tc.id ?? tc.name, name: tc.name, input: tc.args,
           })),
         });
+      } else if (m.images && m.images.length > 0) {
+        // Multimodal message with images (Anthropic format)
+        const contentParts = m.images.map(img => ({
+          type: "image",
+          source: { type: "base64", media_type: img.mimeType, data: img.data },
+        }));
+        if (m.content) contentParts.push({ type: "text", text: m.content });
+        anthropicMessages.push({
+          role: m.role === "assistant" ? "assistant" : "user",
+          content: contentParts,
+        });
       } else {
         anthropicMessages.push({
           role: m.role === "assistant" ? "assistant" : "user",
@@ -400,6 +411,15 @@ export class ProviderRegistry {
           })),
         };
       }
+      // Multimodal message with images (OpenAI format)
+      if (m.images && m.images.length > 0) {
+        const contentParts = m.images.map(img => ({
+          type: "image_url",
+          image_url: { url: `data:${img.mimeType};base64,${img.data}` },
+        }));
+        if (m.content) contentParts.push({ type: "text", text: m.content });
+        return { role: m.role === "assistant" ? "assistant" : "user", content: contentParts };
+      }
       return { role: m.role, content: m.content };
     });
 

package/core/tools.mjs

@@ -326,6 +326,21 @@ export class ToolRegistry {
           },
         },
       },
+      // ── apply_patch (Part 3) ─────────────────────────────────────────────────
+      {
+        name: "apply_patch",
+        description: "Apply multi-file patches. Supports creating, editing, and deleting files in one atomic operation. All operations succeed or all rollback.",
+        parameters: {
+          type: "object",
+          properties: {
+            patch: {
+              type: "string",
+              description: "Patch in structured format:\n*** Begin Patch\n*** Add File: path\n+line1\n+line2\n*** Edit File: path\n@@@ context line @@@\n-old line\n+new line\n*** Delete File: path\n*** End Patch",
+            },
+          },
+          required: ["patch"],
+        },
+      },
     ];
 
     for (const def of builtins) {
@@ -631,6 +646,9 @@ export class ToolRegistry {
           return { success: false, error: "action must be 'copy' or 'paste'" };
         }
 
+        case "apply_patch":
+          return this._executeApplyPatch(args.patch);
+
         // Agent tools — these are handled by the engine level
         case "spawn_agent":
         case "list_agents":
@@ -656,10 +674,195 @@ export class ToolRegistry {
           return { success: false, error: `Tool "${name}" requires engine context. Call via WispyEngine.processMessage().` };
 
         default:
-          return { success: false, error: `Unknown tool: ${name}. Available built-in tools: read_file, write_file, file_edit, file_search, run_command, list_directory, git, web_search, web_fetch, keychain, clipboard` };
+          return { success: false, error: `Unknown tool: ${name}. Available built-in tools: read_file, write_file, file_edit, file_search, run_command, list_directory, git, web_search, web_fetch, keychain, clipboard, apply_patch` };
       }
     } catch (err) {
       return { success: false, error: err.message };
     }
   }
+
+  /**
+   * Execute an apply_patch operation atomically.
+   * Supports: Add File, Edit File, Delete File
+   *
+   * Format:
+   *   *** Begin Patch
+   *   *** Add File: path/to/file.txt
+   *   +line content
+   *   *** Edit File: path/to/file.txt
+   *   @@@ context @@@
+   *   -old line
+   *   +new line
+   *   *** Delete File: path/to/file.txt
+   *   *** End Patch
+   */
+  async _executeApplyPatch(patchText) {
+    if (!patchText || typeof patchText !== "string") {
+      return { success: false, error: "patch parameter is required and must be a string" };
+    }
+
+    const { readFile: rf, writeFile: wf, unlink, mkdir: mkdirFs } = await import("node:fs/promises");
+
+    const lines = patchText.split("\n");
+    const operations = [];
+
+    // ── Parse operations ──────────────────────────────────────────────────────
+    let i = 0;
+    // Skip to Begin Patch
+    while (i < lines.length && !lines[i].startsWith("*** Begin Patch")) i++;
+    if (i >= lines.length) {
+      return { success: false, error: 'Patch must start with "*** Begin Patch"' };
+    }
+    i++;
+
+    while (i < lines.length) {
+      const line = lines[i];
+
+      if (line.startsWith("*** End Patch")) break;
+
+      if (line.startsWith("*** Add File:")) {
+        const filePath = line.slice("*** Add File:".length).trim();
+        const addLines = [];
+        i++;
+        while (i < lines.length && !lines[i].startsWith("***")) {
+          const l = lines[i];
+          if (l.startsWith("+")) addLines.push(l.slice(1));
+          else if (l.startsWith(" ")) addLines.push(l.slice(1));
+          // Lines starting with - are ignored for Add File
+          i++;
+        }
+        operations.push({ type: "add", path: filePath, content: addLines.join("\n") });
+        continue;
+      }
+
+      if (line.startsWith("*** Edit File:")) {
+        const filePath = line.slice("*** Edit File:".length).trim();
+        const hunks = [];
+        i++;
+        // Parse edit hunks
+        while (i < lines.length && !lines[i].startsWith("*** ")) {
+          const hunkLine = lines[i];
+          if (hunkLine.startsWith("@@@")) {
+            // Start of a hunk: @@@ context @@@
+            const contextText = hunkLine.replace(/^@@@\s*/, "").replace(/\s*@@@$/, "").trim();
+            const removals = [];
+            const additions = [];
+            i++;
+            while (i < lines.length && !lines[i].startsWith("@@@") && !lines[i].startsWith("***")) {
+              const hl = lines[i];
+              if (hl.startsWith("-")) removals.push(hl.slice(1));
+              else if (hl.startsWith("+")) additions.push(hl.slice(1));
+              i++;
+            }
+            hunks.push({ context: contextText, removals, additions });
+            continue;
+          }
+          i++;
+        }
+        operations.push({ type: "edit", path: filePath, hunks });
+        continue;
+      }
+
+      if (line.startsWith("*** Delete File:")) {
+        const filePath = line.slice("*** Delete File:".length).trim();
+        operations.push({ type: "delete", path: filePath });
+        i++;
+        continue;
+      }
+
+      i++;
+    }
+
+    if (operations.length === 0) {
+      return { success: false, error: "No valid operations found in patch" };
+    }
+
+    // ── Resolve paths ─────────────────────────────────────────────────────────
+    const resolvePatchPath = (p) => {
+      let resolved = p.replace(/^~/, os.homedir());
+      if (!path.isAbsolute(resolved)) resolved = path.resolve(process.cwd(), resolved);
+      return resolved;
+    };
+
+    // ── Pre-flight: load original file contents for rollback ──────────────────
+    const originalContents = new Map(); // path → string | null (null = didn't exist)
+    for (const op of operations) {
+      const resolved = resolvePatchPath(op.path);
+      try {
+        originalContents.set(resolved, await rf(resolved, "utf8"));
+      } catch {
+        originalContents.set(resolved, null);
+      }
+    }
+
+    // ── Apply operations ──────────────────────────────────────────────────────
+    const applied = [];
+    const results = [];
+
+    try {
+      for (const op of operations) {
+        const resolved = resolvePatchPath(op.path);
+
+        if (op.type === "add") {
+          await mkdirFs(path.dirname(resolved), { recursive: true });
+          await wf(resolved, op.content, "utf8");
+          applied.push({ op, resolved });
+          results.push(`✅ Added: ${op.path}`);
+
+        } else if (op.type === "edit") {
+          const original = originalContents.get(resolved);
+          if (original === null) {
+            throw new Error(`Cannot edit non-existent file: ${op.path}`);
+          }
+          let current = original;
+          for (const hunk of op.hunks) {
+            const oldText = hunk.removals.join("\n");
+            const newText = hunk.additions.join("\n");
+            if (oldText && !current.includes(oldText)) {
+              throw new Error(`Edit hunk not found in ${op.path}: "${oldText.slice(0, 60)}"`);
+            }
+            current = oldText ? current.replace(oldText, newText) : current + "\n" + newText;
+          }
+          await wf(resolved, current, "utf8");
+          applied.push({ op, resolved });
+          results.push(`✅ Edited: ${op.path}`);
+
+        } else if (op.type === "delete") {
+          await unlink(resolved);
+          applied.push({ op, resolved });
+          results.push(`✅ Deleted: ${op.path}`);
+        }
+      }
+    } catch (err) {
+      // ── Rollback all applied operations ──────────────────────────────────────
+      for (const { op, resolved } of applied.reverse()) {
+        try {
+          const original = originalContents.get(resolved);
+          if (op.type === "delete" && original !== null) {
+            // Restore deleted file
+            await wf(resolved, original, "utf8");
+          } else if ((op.type === "add") && original === null) {
+            // Remove newly created file
+            await unlink(resolved).catch(() => {});
+          } else if (op.type === "edit" && original !== null) {
+            // Restore original content
+            await wf(resolved, original, "utf8");
+          }
+        } catch { /* best-effort rollback */ }
+      }
+
+      return {
+        success: false,
+        error: `Patch failed (rolled back): ${err.message}`,
+        applied: applied.length,
+        total: operations.length,
+      };
+    }
+
+    return {
+      success: true,
+      message: `Applied ${operations.length} operation(s)`,
+      results,
+    };
+  }
 }

package/lib/commands/trust.mjs

@@ -319,6 +319,58 @@ export async function cmdTrustReceipt(id) {
   console.log("");
 }
 
+export async function cmdTrustApprovals(subArgs = []) {
+  const { globalAllowlist } = await import("../../core/harness.mjs");
+  const action = subArgs[0];
+
+  if (!action || action === "list") {
+    const list = await globalAllowlist.getAll();
+    console.log(`\n${bold("🔐 Approval Allowlist")} ${dim("(auto-approved patterns)")}\n`);
+    let empty = true;
+    for (const [tool, patterns] of Object.entries(list)) {
+      if (patterns.length === 0) continue;
+      empty = false;
+      console.log(`  ${cyan(tool)}:`);
+      for (const p of patterns) {
+        console.log(`    ${dim("•")} ${p}`);
+      }
+    }
+    if (empty) {
+      console.log(dim("  No patterns configured."));
+    }
+    console.log(dim("\n  Manage: wispy trust approvals add <tool> <pattern>"));
+    console.log(dim("           wispy trust approvals clear"));
+    console.log(dim("           wispy trust approvals reset\n"));
+    return;
+  }
+
+  if (action === "add") {
+    const tool = subArgs[1];
+    const pattern = subArgs[2];
+    if (!tool || !pattern) {
+      console.log(yellow("Usage: wispy trust approvals add <tool> <pattern>"));
+      return;
+    }
+    await globalAllowlist.add(tool, pattern);
+    console.log(`${green("✅")} Added pattern for ${cyan(tool)}: ${pattern}`);
+    return;
+  }
+
+  if (action === "clear") {
+    await globalAllowlist.clear();
+    console.log(green("✅ Allowlist cleared."));
+    return;
+  }
+
+  if (action === "reset") {
+    await globalAllowlist.reset();
+    console.log(green("✅ Allowlist reset to defaults."));
+    return;
+  }
+
+  console.log(yellow(`Unknown approvals action: ${action}. Use: list, add, clear, reset`));
+}
+
 export async function handleTrustCommand(args) {
   const sub = args[1];
 
@@ -405,6 +457,7 @@ export async function handleTrustCommand(args) {
   if (sub === "log") return cmdTrustLog(args.slice(2));
   if (sub === "replay") return cmdTrustReplay(args[2]);
   if (sub === "receipt") return cmdTrustReceipt(args[2]);
+  if (sub === "approvals") return cmdTrustApprovals(args.slice(2));
 
   console.log(`
 ${bold("🔐 Trust Commands")}
@@ -414,5 +467,9 @@ ${bold("🔐 Trust Commands")}
   wispy trust log                          ${dim("show audit log")}
   wispy trust replay <session-id>          ${dim("replay session step by step")}
   wispy trust receipt <session-id>         ${dim("show execution receipt")}
+  wispy trust approvals                    ${dim("list approval allowlist")}
+  wispy trust approvals add <tool> <pat>   ${dim("add an allowlist pattern")}
+  wispy trust approvals clear              ${dim("clear all allowlist patterns")}
+  wispy trust approvals reset              ${dim("reset allowlist to defaults")}
 `);
 }

package/lib/wispy-repl.mjs

@@ -893,6 +893,21 @@ ${bold("Permissions & Audit (v1.1):")}
     return true;
   }
 
+  // ── Image attachment ─────────────────────────────────────────────────────────
+
+  if (cmd === "/image") {
+    const imagePath = parts.slice(1).join(" ");
+    if (!imagePath) {
+      console.log(yellow("Usage: /image <path>  — attach image to next message"));
+      return true;
+    }
+    // Store pending image on engine for next message
+    if (!engine._pendingImages) engine._pendingImages = [];
+    engine._pendingImages.push(imagePath);
+    console.log(green(`📎 Image queued: ${imagePath} — send your message to include it`));
+    return true;
+  }
+
   if (cmd === "/recall") {
     const query = parts.slice(1).join(" ");
     if (!query) { console.log(yellow("Usage: /recall <query>")); return true; }
@@ -1262,6 +1277,10 @@ async function runRepl(engine) {
 
     conversation.push({ role: "user", content: input });
 
+    // Consume pending image attachments (from /image command)
+    const pendingImages = engine._pendingImages ?? [];
+    engine._pendingImages = [];
+
     process.stdout.write(cyan("🌿 "));
     try {
       // Build messages from conversation history (keep system prompt + history)
@@ -1273,6 +1292,7 @@ async function runRepl(engine) {
         systemPrompt: await engine._buildSystemPrompt(input),
         noSave: true,
         dryRun: engine.dryRunMode ?? false,
+        images: pendingImages,
         onSkillLearned: (skill) => {
           console.log(cyan(`\n💡 Learned new skill: '${skill.name}' — use /${skill.name} next time`));
         },
@@ -1307,14 +1327,87 @@ async function runRepl(engine) {
   });
 }
 
+// ---------------------------------------------------------------------------
+// REPL with pre-populated history (for resume/fork)
+// ---------------------------------------------------------------------------
+
+async function runReplWithHistory(engine, existingConversation) {
+  const wsLabel = ACTIVE_WORKSTREAM === "default" ? "" : ` ${dim("·")} ${cyan(ACTIVE_WORKSTREAM)}`;
+  console.log(`
+  ${bold("🌿 Wispy")}${wsLabel} ${dim(`· ${engine.model}`)}
+  ${dim(`${engine.provider} · /help for commands · Ctrl+C to exit`)}
+`);
+
+  const conversation = [...existingConversation];
+
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout,
+    prompt: green("› "),
+    historySize: 100,
+    completer: makeCompleter(engine),
+  });
+
+  function updatePrompt() {
+    const ws = ACTIVE_WORKSTREAM !== "default" ? `${cyan(ACTIVE_WORKSTREAM)} ` : "";
+    const dry = engine.dryRunMode ? yellow("(dry) ") : "";
+    rl.setPrompt(ws + dry + green("› "));
+  }
+  updatePrompt();
+  rl.prompt();
+
+  rl.on("line", async (line) => {
+    const input = line.trim();
+    if (!input) { rl.prompt(); return; }
+
+    if (input.startsWith("/")) {
+      const handled = await handleSlashCommand(input, engine, conversation);
+      if (handled) { updatePrompt(); rl.prompt(); return; }
+    }
+
+    conversation.push({ role: "user", content: input });
+
+    // Check for pending image attachment from /image command
+    const pendingImages = engine._pendingImages ?? [];
+    engine._pendingImages = [];
+
+    process.stdout.write(cyan("🌿 "));
+    try {
+      const systemPrompt = await engine._buildSystemPrompt(input);
+      const response = await engine.processMessage(null, input, {
+        onChunk: (chunk) => process.stdout.write(chunk),
+        systemPrompt,
+        noSave: true,
+        images: pendingImages,
+      });
+      console.log("\n");
+      conversation.push({ role: "assistant", content: response.content });
+      if (conversation.length > 50) conversation.splice(0, conversation.length - 50);
+      await saveConversation(conversation);
+      console.log(dim(`  ${engine.providers.formatCost()}`));
+    } catch (err) {
+      console.log(red(`\n\n❌ Error: ${err.message.slice(0, 200)}`));
+    }
+
+    rl.prompt();
+  });
+
+  rl.on("close", () => {
+    console.log(dim(`\n🌿 Bye! (${engine.providers.formatCost()})`));
+    try { engine.destroy(); } catch {}
+    process.exit(0);
+  });
+}
+
 // ---------------------------------------------------------------------------
 // One-shot mode
 // ---------------------------------------------------------------------------
 
-async function runOneShot(engine, message) {
+async function runOneShot(engine, message, opts = {}) {
   try {
     const response = await engine.processMessage(null, message, {
       onChunk: (chunk) => process.stdout.write(chunk),
+      images: opts.images ?? [],
     });
     console.log("");
     console.log(dim(engine.providers.formatCost()));
@@ -1429,9 +1522,54 @@ if (serverStatus.started && !serverStatus.noBinary) {
 if (args[0] === "overview" || args[0] === "dashboard") { await showOverview(); process.exit(0); }
 if (args[0] === "search" && args[1]) { await searchAcrossWorkstreams(args.slice(1).join(" ")); process.exit(0); }
 
+// Handle session resume/fork from env (set by wispy resume/fork/sessions commands)
+const sessionAction = process.env.WISPY_SESSION_ACTION;
+const sessionActionId = process.env.WISPY_SESSION_ID;
+if (sessionAction && sessionActionId) {
+  delete process.env.WISPY_SESSION_ACTION;
+  delete process.env.WISPY_SESSION_ID;
+
+  if (sessionAction === "resume") {
+    // Load session and start REPL with existing conversation
+    const { SessionManager } = await import("../core/session.mjs");
+    const mgr = new SessionManager();
+    const session = await mgr.load(sessionActionId);
+    if (!session) {
+      console.error(red(`  Session not found: ${sessionActionId}`));
+      process.exit(1);
+    }
+    const conversation = session.messages.filter(m => m.role !== "system");
+    console.log(green(`  ▶ Resuming session ${sessionActionId} (${conversation.length} messages)`));
+    console.log(dim(`  First message: "${(conversation.find(m => m.role === "user")?.content ?? "").slice(0, 60)}"`));
+    console.log("");
+    // Override loadConversation by starting REPL with pre-populated history
+    await runReplWithHistory(engine, conversation);
+  } else if (sessionAction === "fork") {
+    // Fork already done — just start REPL with forked session
+    const { SessionManager } = await import("../core/session.mjs");
+    const mgr = new SessionManager();
+    const session = await mgr.load(sessionActionId);
+    if (!session) {
+      console.error(red(`  Forked session not found: ${sessionActionId}`));
+      process.exit(1);
+    }
+    const conversation = session.messages.filter(m => m.role !== "system");
+    console.log(green(`  ⑂ Forked session ${sessionActionId} (${conversation.length} messages)`));
+    console.log("");
+    await runReplWithHistory(engine, conversation);
+  }
+}
+
+// Parse image flags from env (set by wispy.mjs -i flag parsing)
+const globalImages = (() => {
+  try {
+    return process.env.WISPY_IMAGES ? JSON.parse(process.env.WISPY_IMAGES) : [];
+  } catch { return []; }
+})();
+
 if (args.length > 0 && args[0] !== "--help" && args[0] !== "-h") {
-  // One-shot mode
-  await runOneShot(engine, args.join(" "));
+  // One-shot mode — with optional image attachments
+  await runOneShot(engine, args.join(" "), { images: globalImages });
 } else if (args[0] === "--help" || args[0] === "-h") {
   console.log(`
 ${bold("🌿 Wispy")} — AI workspace assistant

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wispy-cli",
-  "version": "2.7.12",
+  "version": "2.7.14",
   "description": "🌿 Wispy — AI workspace assistant with trustworthy execution (harness, receipts, approvals, diffs)",
   "license": "MIT",
   "author": "Minseo & Poropo",