xiaotime 0.2.1 → 0.4.0

package/dist/display.d.ts

@@ -8,4 +8,23 @@ export declare function printTurnEnd(costUsd: number): void;
 export declare function printError(message: string): void;
 export declare function printSessionList(sessions: Session[]): void;
 export declare function printPrompt(): void;
+/**
+ * Render a single inline log line for a server-side tool invocation.
+ *
+ * SPRINT-CLI-APPROVAL-MENU-1 (#6509) PR3 — pre-#6509 the 15 tools in
+ * terminal_orchestrator/main.py's SERVER_TOOLS set executed silently
+ * from the user's perspective. This helper renders the
+ * `server_tool_call` WS event the orchestrator now emits before each
+ * server-side dispatch, matching the visual style of the existing
+ * client-tool inline logs in cli/src/tools.ts (`[read_file] /path
+ * (N lines)`, `[git_status]`, etc.).
+ *
+ * `inputSummary` is built server-side (see
+ * `terminal_orchestrator/main.py::_build_server_tool_input_summary`)
+ * — ≤120 chars, preferred-keys-per-tool, middle-truncated values,
+ * no newlines. Empty inputSummary (e.g. librarian_list_collections,
+ * which has no meaningful input to render) drops to just the
+ * `[server:<name>]` prefix.
+ */
+export declare function printServerToolCall(name: string, inputSummary: string): void;
 //# sourceMappingURL=display.d.ts.map

package/dist/display.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"display.d.ts","sourceRoot":"","sources":["../src/display.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,QAQjH;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,QAE1C;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,QAG3C;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,QAEzC;AAED,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,OAAO,EAAE,QAoBnD;AAED,wBAAgB,WAAW,SAE1B"}
+{"version":3,"file":"display.d.ts","sourceRoot":"","sources":["../src/display.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,QAQjH;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,QAE1C;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,QAG3C;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,QAEzC;AAED,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,OAAO,EAAE,QAoBnD;AAED,wBAAgB,WAAW,SAE1B;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,IAAI,CAG5E"}

package/dist/display.js

@@ -12,6 +12,7 @@ exports.printTurnEnd = printTurnEnd;
 exports.printError = printError;
 exports.printSessionList = printSessionList;
 exports.printPrompt = printPrompt;
+exports.printServerToolCall = printServerToolCall;
 const chalk_1 = __importDefault(require("chalk"));
 function printWelcome(sessionId, sessionName, resumed, messageCount) {
     const name = sessionName || sessionId.slice(0, 8);
@@ -55,4 +56,26 @@ function printSessionList(sessions) {
 function printPrompt() {
     process.stdout.write(chalk_1.default.bold("you: "));
 }
+/**
+ * Render a single inline log line for a server-side tool invocation.
+ *
+ * SPRINT-CLI-APPROVAL-MENU-1 (#6509) PR3 — pre-#6509 the 15 tools in
+ * terminal_orchestrator/main.py's SERVER_TOOLS set executed silently
+ * from the user's perspective. This helper renders the
+ * `server_tool_call` WS event the orchestrator now emits before each
+ * server-side dispatch, matching the visual style of the existing
+ * client-tool inline logs in cli/src/tools.ts (`[read_file] /path
+ * (N lines)`, `[git_status]`, etc.).
+ *
+ * `inputSummary` is built server-side (see
+ * `terminal_orchestrator/main.py::_build_server_tool_input_summary`)
+ * — ≤120 chars, preferred-keys-per-tool, middle-truncated values,
+ * no newlines. Empty inputSummary (e.g. librarian_list_collections,
+ * which has no meaningful input to render) drops to just the
+ * `[server:<name>]` prefix.
+ */
+function printServerToolCall(name, inputSummary) {
+    const tail = inputSummary ? ` ${inputSummary}` : "";
+    console.log(chalk_1.default.dim(`  [server:${name}]${tail}`));
+}
 //# sourceMappingURL=display.js.map

package/dist/display.js.map

@@ -1 +1 @@
-{"version":3,"file":"display.js","sourceRoot":"","sources":["../src/display.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;AAKH,oCAQC;AAED,wCAEC;AAED,oCAGC;AAED,gCAEC;AAED,4CAoBC;AAED,kCAEC;AAlDD,kDAA0B;AAG1B,SAAgB,YAAY,CAAC,SAAiB,EAAE,WAA0B,EAAE,OAAgB,EAAE,YAAoB;IAChH,MAAM,IAAI,GAAG,WAAW,IAAI,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAClD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,iBAAiB,IAAI,KAAK,YAAY,kBAAkB,CAAC,CAAC,CAAC;IACpF,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,SAAgB,cAAc,CAAC,IAAY;IACzC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,SAAgB,YAAY,CAAC,OAAe;IAC1C,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,eAAK,CAAC,GAAG,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,OAAO,MAAM,CAAC,CAAC;AAC3C,CAAC;AAED,SAAgB,UAAU,CAAC,OAAe;IACxC,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,YAAY,OAAO,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,SAAgB,gBAAgB,CAAC,QAAmB;IAClD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;QAC7C,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC;IACzC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC,CAAC,YAAY,IAAI,eAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,eAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACvC,MAAM,KAAK,GAAG,GAAG,CAAC,CAAC,aAAa,QAAQ,CAAC;QACzC,MAAM,IAAI,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,cAAc,EAAE,CAAC;QAC/D,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,eAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEzE,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,IAAI,kBAAkB,UAAU,EAAE,CAAC,CAAC,CAAC;QAC9E,OAAO,CAAC,GAAG,EAAE,CAAC;IAChB,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,SAAgB,WAAW;IACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;AAC5C,CAAC"}
+{"version":3,"file":"display.js","sourceRoot":"","sources":["../src/display.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;AAKH,oCAQC;AAED,wCAEC;AAED,oCAGC;AAED,gCAEC;AAED,4CAoBC;AAED,kCAEC;AAoBD,kDAGC;AAzED,kDAA0B;AAG1B,SAAgB,YAAY,CAAC,SAAiB,EAAE,WAA0B,EAAE,OAAgB,EAAE,YAAoB;IAChH,MAAM,IAAI,GAAG,WAAW,IAAI,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAClD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,iBAAiB,IAAI,KAAK,YAAY,kBAAkB,CAAC,CAAC,CAAC;IACpF,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC,CAAC;AACjE,CAAC;AAED,SAAgB,cAAc,CAAC,IAAY;IACzC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC;AAED,SAAgB,YAAY,CAAC,OAAe;IAC1C,MAAM,OAAO,GAAG,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,eAAK,CAAC,GAAG,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,OAAO,MAAM,CAAC,CAAC;AAC3C,CAAC;AAED,SAAgB,UAAU,CAAC,OAAe;IACxC,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,YAAY,OAAO,IAAI,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,SAAgB,gBAAgB,CAAC,QAAmB;IAClD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC;QAC7C,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC;IACzC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC,CAAC,YAAY,IAAI,eAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,eAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACvC,MAAM,KAAK,GAAG,GAAG,CAAC,CAAC,aAAa,QAAQ,CAAC;QACzC,MAAM,IAAI,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,cAAc,EAAE,CAAC;QAC/D,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,eAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEzE,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,IAAI,kBAAkB,UAAU,EAAE,CAAC,CAAC,CAAC;QAC9E,OAAO,CAAC,GAAG,EAAE,CAAC;IAChB,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC,CAAC;AAChE,CAAC;AAED,SAAgB,WAAW;IACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,mBAAmB,CAAC,IAAY,EAAE,YAAoB;IACpE,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACpD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,GAAG,CAAC,aAAa,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC;AACtD,CAAC"}

package/dist/settings.d.ts

@@ -0,0 +1,109 @@
+/**
+ * Per-user CLI settings + approval allowlist.
+ *
+ * SPRINT-CLI-APPROVAL-MENU-1 (#6509) PR2.
+ *
+ * Backs the option-2 "Run and don't ask again" path of
+ * `promptApprovalMenu`. Allowlist is persisted to
+ * `~/.xiaotime/settings.json` (mode 0600) and consulted before every
+ * `executeTool` invocation of the three prompting client-side tools
+ * (`shell_command` / `write_file` / `git_commit`). A match short-
+ * circuits the menu entirely; the inline log line gets an
+ * ` (auto-approved)` suffix so the user can still see what ran.
+ *
+ * Schema is `version: 1`; missing/malformed/unknown-version files
+ * fall back to an empty allowlist (with a stderr warning for
+ * malformed/unknown cases) — never crash the CLI on corrupted local
+ * config (ISC-6509-007).
+ *
+ * Pattern derivation differs per tool (see D2 in the sprint spec):
+ *   - shell_command: argv[0] + leading flags + first subcommand
+ *     token. `npm install --no-save lodash` → "npm install".
+ *     Multi-level subcommand grammars (gh issue list) collapse to
+ *     the first 2 tokens; users can hand-edit settings.json for
+ *     finer-grained patterns.
+ *   - write_file: `dirname(path) + "/**"`. Glob-matched against
+ *     subsequent write_file invocations so allowlisting a write to
+ *     `/repo/foo.ts` covers `/repo/bar.ts`.
+ *   - git_commit: literal `"*"` — allowlisting one commit
+ *     allowlists all future commits (the commit message + staged
+ *     files vary by definition; there's no meaningful pattern
+ *     parameter to narrow on).
+ *
+ * Distinct from `terminal_orchestrator/task_manager.py:57`'s
+ * server-side allowlist (EXACT-NAME on argv[0] basename, binary `gh`
+ * only). That's a security perimeter for `task_create`'s long-running
+ * managed-task envelope; this is a UX gate for client-side tool
+ * approvals. Two allowlists, two audiences, two update cadences.
+ */
+export type AllowlistTool = "shell_command" | "write_file" | "git_commit";
+export interface AllowlistEntry {
+    tool: AllowlistTool;
+    pattern: string;
+    added_at: string;
+}
+/**
+ * Settings-file location. Resolved lazily per call so the
+ * `XIAOTIME_SETTINGS_PATH` env-var override can redirect (used by
+ * tests to avoid touching the real `~/.xiaotime/settings.json`).
+ * Default: `~/.xiaotime/settings.json`.
+ */
+export declare function _settingsPath(): string;
+/**
+ * Read the allowlist from disk. Returns [] for any of:
+ *   - file missing (first run; not an error)
+ *   - file unreadable (permissions; logged + treated as empty)
+ *   - malformed JSON (logged + treated as empty)
+ *   - unknown schema version (logged + treated as empty)
+ *   - shape doesn't match SettingsV1 (silently treated as empty)
+ *
+ * Never throws. The CLI must remain usable when the user has a
+ * corrupted local config (ISC-6509-007).
+ */
+export declare function loadAllowlist(): AllowlistEntry[];
+/**
+ * Append a new entry to the allowlist + persist. Creates
+ * ~/.xiaotime/ with mode 0700 if it doesn't exist; writes
+ * settings.json with mode 0600. Idempotent on duplicate
+ * (tool, pattern) — duplicate appends are silently dropped.
+ */
+export declare function appendAllowlist(entry: {
+    tool: AllowlistTool;
+    pattern: string;
+}): void;
+/**
+ * Derive the allowlist pattern for a tool invocation. Returns null
+ * if the input shape is unusable (empty command, missing path). The
+ * pattern is used both at write time (option-2 selection persists
+ * `derivePattern(tool, input)`) and at read time (the next call's
+ * derived pattern feeds `matchAllowlist`).
+ *
+ * Per D2 in the sprint spec, derivation is coarse on purpose. For
+ * shell_command, the v1 rule captures argv[0] + leading flags + at
+ * most one subcommand token. Multi-level grammars (gh issue list,
+ * git remote add) collapse to 2-token prefixes; users who want finer
+ * patterns can hand-edit settings.json. For write_file, the directory
+ * the file lives in is allowlisted (`/**` suffix); writes deeper in
+ * the tree match. For git_commit, the literal `"*"` allowlists all
+ * future commits.
+ */
+export declare function derivePattern(tool: AllowlistTool, input: Record<string, unknown>): string | null;
+/**
+ * Check whether a tool invocation matches any entry in the
+ * allowlist. Matching semantics differ per tool:
+ *   - shell_command: exact equality between derived pattern and
+ *     stored pattern (`npm install` matches only `npm install`,
+ *     not `npm install lodash` directly — but the derived pattern
+ *     for `npm install lodash` IS `npm install`, so it matches.)
+ *   - write_file: glob-match the incoming path against each
+ *     `write_file` entry's stored glob.
+ *   - git_commit: any `git_commit` entry matches (stored pattern
+ *     is `"*"`).
+ *
+ * The cross-tool isolation invariant (PR3 ISC-spec): an entry with
+ * `tool === "shell_command"` can never authorize a `write_file` call
+ * even if patterns coincidentally match — the tool field is checked
+ * first.
+ */
+export declare function matchAllowlist(tool: AllowlistTool, input: Record<string, unknown>, allowlist: AllowlistEntry[]): AllowlistEntry | null;
+//# sourceMappingURL=settings.d.ts.map

package/dist/settings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.d.ts","sourceRoot":"","sources":["../src/settings.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAMH,MAAM,MAAM,aAAa,GAAG,eAAe,GAAG,YAAY,GAAG,YAAY,CAAC;AAQ1E,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,aAAa,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AASD;;;;;GAKG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAKtC;AAMD;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,IAAI,cAAc,EAAE,CAoChD;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAC9C,IAAI,CAwCN;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,aAAa,CAC3B,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,MAAM,GAAG,IAAI,CA+Cf;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,aAAa,EACnB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9B,SAAS,EAAE,cAAc,EAAE,GAC1B,cAAc,GAAG,IAAI,CAsBvB"}

package/dist/settings.js

@@ -0,0 +1,332 @@
+"use strict";
+/**
+ * Per-user CLI settings + approval allowlist.
+ *
+ * SPRINT-CLI-APPROVAL-MENU-1 (#6509) PR2.
+ *
+ * Backs the option-2 "Run and don't ask again" path of
+ * `promptApprovalMenu`. Allowlist is persisted to
+ * `~/.xiaotime/settings.json` (mode 0600) and consulted before every
+ * `executeTool` invocation of the three prompting client-side tools
+ * (`shell_command` / `write_file` / `git_commit`). A match short-
+ * circuits the menu entirely; the inline log line gets an
+ * ` (auto-approved)` suffix so the user can still see what ran.
+ *
+ * Schema is `version: 1`; missing/malformed/unknown-version files
+ * fall back to an empty allowlist (with a stderr warning for
+ * malformed/unknown cases) — never crash the CLI on corrupted local
+ * config (ISC-6509-007).
+ *
+ * Pattern derivation differs per tool (see D2 in the sprint spec):
+ *   - shell_command: argv[0] + leading flags + first subcommand
+ *     token. `npm install --no-save lodash` → "npm install".
+ *     Multi-level subcommand grammars (gh issue list) collapse to
+ *     the first 2 tokens; users can hand-edit settings.json for
+ *     finer-grained patterns.
+ *   - write_file: `dirname(path) + "/**"`. Glob-matched against
+ *     subsequent write_file invocations so allowlisting a write to
+ *     `/repo/foo.ts` covers `/repo/bar.ts`.
+ *   - git_commit: literal `"*"` — allowlisting one commit
+ *     allowlists all future commits (the commit message + staged
+ *     files vary by definition; there's no meaningful pattern
+ *     parameter to narrow on).
+ *
+ * Distinct from `terminal_orchestrator/task_manager.py:57`'s
+ * server-side allowlist (EXACT-NAME on argv[0] basename, binary `gh`
+ * only). That's a security perimeter for `task_create`'s long-running
+ * managed-task envelope; this is a UX gate for client-side tool
+ * approvals. Two allowlists, two audiences, two update cadences.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports._settingsPath = _settingsPath;
+exports.loadAllowlist = loadAllowlist;
+exports.appendAllowlist = appendAllowlist;
+exports.derivePattern = derivePattern;
+exports.matchAllowlist = matchAllowlist;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const ALLOWLIST_TOOLS = new Set([
+    "shell_command",
+    "write_file",
+    "git_commit",
+]);
+/**
+ * Settings-file location. Resolved lazily per call so the
+ * `XIAOTIME_SETTINGS_PATH` env-var override can redirect (used by
+ * tests to avoid touching the real `~/.xiaotime/settings.json`).
+ * Default: `~/.xiaotime/settings.json`.
+ */
+function _settingsPath() {
+    return (process.env.XIAOTIME_SETTINGS_PATH
+        ?? path.join(os.homedir(), ".xiaotime", "settings.json"));
+}
+function _settingsDir() {
+    return path.dirname(_settingsPath());
+}
+/**
+ * Read the allowlist from disk. Returns [] for any of:
+ *   - file missing (first run; not an error)
+ *   - file unreadable (permissions; logged + treated as empty)
+ *   - malformed JSON (logged + treated as empty)
+ *   - unknown schema version (logged + treated as empty)
+ *   - shape doesn't match SettingsV1 (silently treated as empty)
+ *
+ * Never throws. The CLI must remain usable when the user has a
+ * corrupted local config (ISC-6509-007).
+ */
+function loadAllowlist() {
+    if (!fs.existsSync(_settingsPath()))
+        return [];
+    let raw;
+    try {
+        raw = fs.readFileSync(_settingsPath(), "utf-8");
+    }
+    catch (err) {
+        process.stderr.write(`[xiaotime] ~/.xiaotime/settings.json unreadable: ${err.message}\n`);
+        return [];
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        process.stderr.write(`[xiaotime] ~/.xiaotime/settings.json malformed JSON, treating as empty: ${err.message}\n`);
+        return [];
+    }
+    const obj = parsed;
+    if (!obj || typeof obj !== "object")
+        return [];
+    if (obj.version !== 1) {
+        process.stderr.write(`[xiaotime] ~/.xiaotime/settings.json: unrecognized schema version ${JSON.stringify(obj.version)}, treating as empty\n`);
+        return [];
+    }
+    const entries = obj.permissions?.allow;
+    if (!Array.isArray(entries))
+        return [];
+    return entries.filter(_isValidEntry);
+}
+/**
+ * Append a new entry to the allowlist + persist. Creates
+ * ~/.xiaotime/ with mode 0700 if it doesn't exist; writes
+ * settings.json with mode 0600. Idempotent on duplicate
+ * (tool, pattern) — duplicate appends are silently dropped.
+ */
+function appendAllowlist(entry) {
+    const existing = loadAllowlist();
+    const isDup = existing.some((e) => e.tool === entry.tool && e.pattern === entry.pattern);
+    if (isDup)
+        return;
+    const newEntries = [
+        ...existing,
+        {
+            tool: entry.tool,
+            pattern: entry.pattern,
+            added_at: new Date().toISOString(),
+        },
+    ];
+    const settings = {
+        version: 1,
+        permissions: { allow: newEntries },
+    };
+    // Directory: mode 0700 (user-only). The settings file's mode is the
+    // load-bearing one but the parent permission tightens the surface
+    // against a hostile-co-tenant scenario on shared boxes.
+    fs.mkdirSync(_settingsDir(), { recursive: true, mode: 0o700 });
+    // openSync + writeSync + closeSync (with O_TRUNC + O_CREAT + 0o600
+    // mode) so the file is created with 0600 from the first byte. Using
+    // writeFileSync's `mode` option only sets mode on CREATE — but on
+    // overwrite of an existing file Node skips chmod entirely on some
+    // platforms. Explicit fchmod closes that gap.
+    const fd = fs.openSync(_settingsPath(), fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_TRUNC, 0o600);
+    try {
+        fs.writeSync(fd, JSON.stringify(settings, null, 2) + "\n");
+        fs.fchmodSync(fd, 0o600);
+    }
+    finally {
+        fs.closeSync(fd);
+    }
+}
+/**
+ * Derive the allowlist pattern for a tool invocation. Returns null
+ * if the input shape is unusable (empty command, missing path). The
+ * pattern is used both at write time (option-2 selection persists
+ * `derivePattern(tool, input)`) and at read time (the next call's
+ * derived pattern feeds `matchAllowlist`).
+ *
+ * Per D2 in the sprint spec, derivation is coarse on purpose. For
+ * shell_command, the v1 rule captures argv[0] + leading flags + at
+ * most one subcommand token. Multi-level grammars (gh issue list,
+ * git remote add) collapse to 2-token prefixes; users who want finer
+ * patterns can hand-edit settings.json. For write_file, the directory
+ * the file lives in is allowlisted (`/**` suffix); writes deeper in
+ * the tree match. For git_commit, the literal `"*"` allowlists all
+ * future commits.
+ */
+function derivePattern(tool, input) {
+    if (tool === "shell_command") {
+        const cmd = String(input.command ?? "").trim();
+        if (!cmd)
+            return null;
+        const tokens = cmd.split(/\s+/);
+        // #6538 CR-r1: guard flag-only input. `"-la -h"` would
+        // otherwise produce pattern `"-la -h"`, which is nonsensical
+        // (no argv[0]) and would persist as a broken allowlist entry.
+        if (tokens[0].startsWith("-"))
+            return null;
+        const result = [tokens[0]];
+        for (let i = 1; i < tokens.length; i++) {
+            const tok = tokens[i];
+            if (tok.startsWith("-")) {
+                result.push(tok);
+                continue;
+            }
+            // First non-flag arg. Treat as a subcommand iff it's at
+            // position 1 (immediately after argv[0]). Otherwise stop —
+            // it's a data argument (path / value / package name) we
+            // don't want to bake into the pattern.
+            if (i === 1)
+                result.push(tok);
+            break;
+        }
+        return result.join(" ");
+    }
+    if (tool === "write_file") {
+        const p = String(input.path ?? "");
+        if (!p)
+            return null;
+        // #6538 CR-r1: normalize BEFORE deriving the pattern. Without
+        // this, a malicious or careless `input.path` like
+        // `"../../etc/passwd"` would persist as allowlist pattern
+        // `"../../etc/**"`, opening every future write to that
+        // resolved location to bypass the prompt. `path.resolve`
+        // anchors against the process cwd; tools.ts calls
+        // `resolvePath` (which uses the session cwd) before the file
+        // write itself, but derivePattern was operating on raw input
+        // — closing the gap here.
+        const normalized = path.resolve(p);
+        return path.dirname(normalized) + path.sep + "**";
+    }
+    if (tool === "git_commit") {
+        return "*";
+    }
+    return null;
+}
+/**
+ * Check whether a tool invocation matches any entry in the
+ * allowlist. Matching semantics differ per tool:
+ *   - shell_command: exact equality between derived pattern and
+ *     stored pattern (`npm install` matches only `npm install`,
+ *     not `npm install lodash` directly — but the derived pattern
+ *     for `npm install lodash` IS `npm install`, so it matches.)
+ *   - write_file: glob-match the incoming path against each
+ *     `write_file` entry's stored glob.
+ *   - git_commit: any `git_commit` entry matches (stored pattern
+ *     is `"*"`).
+ *
+ * The cross-tool isolation invariant (PR3 ISC-spec): an entry with
+ * `tool === "shell_command"` can never authorize a `write_file` call
+ * even if patterns coincidentally match — the tool field is checked
+ * first.
+ */
+function matchAllowlist(tool, input, allowlist) {
+    for (const entry of allowlist) {
+        if (entry.tool !== tool)
+            continue;
+        if (tool === "git_commit")
+            return entry;
+        if (tool === "shell_command") {
+            const derived = derivePattern(tool, input);
+            if (derived !== null && derived === entry.pattern)
+                return entry;
+            continue;
+        }
+        if (tool === "write_file") {
+            const raw = String(input.path ?? "");
+            if (!raw)
+                continue;
+            // #6538 CR-r1: normalize the input path before matching for
+            // the same reason derivePattern does — so `../foo.txt`
+            // resolves to its absolute canonical form before being
+            // compared against stored absolute patterns.
+            const p = path.resolve(raw);
+            if (_globMatch(p, entry.pattern))
+                return entry;
+            continue;
+        }
+    }
+    return null;
+}
+// ── Internals ────────────────────────────────────────────────────
+function _isValidEntry(e) {
+    if (!e || typeof e !== "object")
+        return false;
+    const entry = e;
+    return (typeof entry.tool === "string" &&
+        ALLOWLIST_TOOLS.has(entry.tool) &&
+        typeof entry.pattern === "string" &&
+        typeof entry.added_at === "string");
+}
+/**
+ * Tiny glob matcher. Supports `*` (matches everything) and
+ * `<prefix><sep>**` (matches `<prefix>` and any path under it),
+ * where `<sep>` is the platform path separator (`/` on Unix, `\`
+ * on Windows). Plain patterns require exact equality. Sufficient
+ * for write_file's directory-scope allowlist; not a general-
+ * purpose glob engine.
+ *
+ * #6538 CR-r1: was hardcoded to `/` — broken on Windows where
+ * `path.dirname` returns backslash-separated paths. Now uses
+ * `path.sep` so the comparison matches the form derivePattern
+ * stores (also using `path.sep`).
+ */
+function _globMatch(p, pattern) {
+    if (pattern === "*")
+        return true;
+    const sepGlob = path.sep + "**";
+    if (pattern.endsWith(sepGlob)) {
+        const prefix = pattern.slice(0, -sepGlob.length);
+        return p === prefix || p.startsWith(prefix + path.sep);
+    }
+    // Tolerant of legacy entries that stored `/**` on Unix (no-op
+    // on Linux/macOS; harmless on Windows since path.sep is `\`).
+    if (pattern.endsWith("/**")) {
+        const prefix = pattern.slice(0, -3);
+        return p === prefix || p.startsWith(prefix + "/");
+    }
+    return p === pattern;
+}
+//# sourceMappingURL=settings.js.map

package/dist/settings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings.js","sourceRoot":"","sources":["../src/settings.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCH,sCAKC;AAiBD,sCAoCC;AAQD,0CA0CC;AAkBD,sCAkDC;AAmBD,wCA0BC;AA5PD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAIzB,MAAM,eAAe,GAA+B,IAAI,GAAG,CAAC;IAC1D,eAAe;IACf,YAAY;IACZ,YAAY;CACb,CAAC,CAAC;AAeH;;;;;GAKG;AACH,SAAgB,aAAa;IAC3B,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,sBAAsB;WAC/B,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CACzD,CAAC;AACJ,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;AACvC,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,aAAa;IAC3B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,EAAE,CAAC;QAAE,OAAO,EAAE,CAAC;IAE/C,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,EAAE,OAAO,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,oDAAqD,GAAa,CAAC,OAAO,IAAI,CAC/E,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,2EAA4E,GAAa,CAAC,OAAO,IAAI,CACtG,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,GAAG,GAAG,MAAoC,CAAC;IACjD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAC;IAC/C,IAAI,GAAG,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,qEAAqE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,uBAAuB,CACxH,CAAC;QACF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC;IACvC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAC;IAEvC,OAAO,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;AACvC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,eAAe,CAC7B,KAA+C;IAE/C,MAAM,QAAQ,GAAG,aAAa,EAAE,CAAC;IACjC,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CACzB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,KAAK,CAAC,OAAO,CAC5D,CAAC;IACF,IAAI,KAAK;QAAE,OAAO;IAElB,MAAM,UAAU,GAAqB;QACnC,GAAG,QAAQ;QACX;YACE,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACnC;KACF,CAAC;IACF,MAAM,QAAQ,GAAe;QAC3B,OAAO,EAAE,CAAC;QACV,WAAW,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE;KACnC,CAAC;IAEF,oEAAoE;IACpE,kEAAkE;IAClE,wDAAwD;IACxD,EAAE,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/D,mEAAmE;IACnE,oEAAoE;IACpE,kEAAkE;IAClE,kEAAkE;IAClE,8CAA8C;IAC9C,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ,CACpB,aAAa,EAAE,EACf,EAAE,CAAC,SAAS,CAAC,QAAQ,GAAG,EAAE,CAAC,SAAS,CAAC,OAAO,GAAG,EAAE,CAAC,SAAS,CAAC,OAAO,EACnE,KAAK,CACN,CAAC;IACF,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAC3D,EAAE,CAAC,UAAU,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAC3B,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,aAAa,CAC3B,IAAmB,EACnB,KAA8B;IAE9B,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC/C,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAChC,uDAAuD;QACvD,6DAA6D;QAC7D,8DAA8D;QAC9D,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAC3C,MAAM,MAAM,GAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACjB,SAAS;YACX,CAAC;YACD,wDAAwD;YACxD,2DAA2D;YAC3D,wDAAwD;YACxD,uCAAuC;YACvC,IAAI,CAAC,KAAK,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC9B,MAAM;QACR,CAAC;QACD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACnC,IAAI,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACpB,8DAA8D;QAC9D,kDAAkD;QAClD,0DAA0D;QAC1D,uDAAuD;QACvD,yDAAyD;QACzD,kDAAkD;QAClD,6DAA6D;QAC7D,6DAA6D;QAC7D,0BAA0B;QAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC;IACpD,CAAC;IAED,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1B,OAAO,GAAG,CAAC;IACb,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,cAAc,CAC5B,IAAmB,EACnB,KAA8B,EAC9B,SAA2B;IAE3B,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,IAAI,KAAK,IAAI;YAAE,SAAS;QAClC,IAAI,IAAI,KAAK,YAAY;YAAE,OAAO,KAAK,CAAC;QACxC,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC3C,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,CAAC,OAAO;gBAAE,OAAO,KAAK,CAAC;YAChE,SAAS;QACX,CAAC;QACD,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;YACrC,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,4DAA4D;YAC5D,uDAAuD;YACvD,uDAAuD;YACvD,6CAA6C;YAC7C,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,UAAU,CAAC,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC/C,SAAS;QACX,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,oEAAoE;AAEpE,SAAS,aAAa,CAAC,CAAU;IAC/B,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9C,MAAM,KAAK,GAAG,CAA4B,CAAC;IAC3C,OAAO,CACL,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ;QAC9B,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,IAAqB,CAAC;QAChD,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ;QACjC,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,CACnC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,UAAU,CAAC,CAAS,EAAE,OAAe;IAC5C,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACjC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC;IAChC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACjD,OAAO,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACzD,CAAC;IACD,8DAA8D;IAC9D,8DAA8D;IAC9D,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACpC,OAAO,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,CAAC,KAAK,OAAO,CAAC;AACvB,CAAC"}

package/dist/tool_result_client.d.ts

@@ -0,0 +1,72 @@
+/**
+ * REST POST client for tool_result delivery.
+ *
+ * SPRINT-TERMINAL-CLIENT-OWNED-DISPATCH-1 (#6565) PR3.
+ *
+ * Pre-#6565 the CLI sent tool_result back to terminal-orchestrator
+ * over the WebSocket — the server awaited each one inline with a
+ * 120s timeout. Any approval taking >2 min wedged the session
+ * (the wedge class observed live 2026-05-20 during #6509 PR1
+ * canary).
+ *
+ * Post-#6565 the CLI POSTs results to the new REST endpoint:
+ *
+ *     POST <ORCHESTRATOR_URL>/terminal/sessions/{session_id}/tool_results
+ *     Headers: x-api-key: <cli_token>
+ *     Body:    {"results": [{tool_use_id, content, is_error}, ...]}
+ *
+ * Server-side: atomic across the batch. Any unknown `tool_use_id`
+ * → 400 `unknown_tool_use_id` + no rows mutated. On success,
+ * ``mark_completed_batch.all_completed=True`` signals the WS
+ * handler (waiting on the per-session resume queue) to assemble
+ * tool_result blocks + resume the model stream.
+ *
+ * Retry policy: 3 attempts with 100ms→200ms→400ms exponential
+ * backoff for transient 5xx + network errors. 4xx errors are
+ * non-retriable (the server's rejection is durable — the
+ * tool_use_id IS unknown, retrying won't change that).
+ *
+ * Failure mode if all retries exhaust: the tool_result is lost
+ * from the server's perspective; the corresponding row stays as
+ * `status='pending'` in `terminal_pending_tool_calls` until the
+ * future expiry sweep (PR5). The user-visible symptom is a
+ * session that appears frozen (model never resumes). Tightening
+ * this is the WS-reconnect-replay work in PR4 — on the next WS
+ * connect, server re-emits pending tool_call events and the CLI
+ * can re-attempt the POST after re-rendering the menu.
+ */
+export interface ToolResultEntry {
+    tool_use_id: string;
+    content: string;
+    is_error: boolean;
+}
+export interface PostToolResultsResponse {
+    completed: string[];
+    all_completed: boolean;
+    resume_signaled: boolean;
+}
+/**
+ * Thrown on durable (4xx) HTTP rejections that retrying won't fix.
+ * #6573 CR-r1: replaces the pre-r1 string-prefix matching on the
+ * Error message (`startsWith("POST tool_results rejected")`) which
+ * was fragile to message-format drift. The retry loop checks
+ * `instanceof DurableHttpError` and re-throws without retry; all
+ * other thrown errors are treated as transient + retried.
+ */
+export declare class DurableHttpError extends Error {
+    readonly status: number;
+    readonly body: string;
+    constructor(status: number, body: string);
+}
+/**
+ * POST a batch of tool_results to the orchestrator. Retries on
+ * 5xx / network errors with exponential backoff; throws on
+ * 4xx (non-retriable) or after retries exhaust.
+ *
+ * Most callers pass a single-result batch (one tool finished, POST
+ * the result, move to next). Batch form exists so a future
+ * client-side allowlist-auto-execute path could fire multiple
+ * results in one POST.
+ */
+export declare function postToolResults(sessionId: string, results: ToolResultEntry[]): Promise<PostToolResultsResponse>;
+//# sourceMappingURL=tool_result_client.d.ts.map

package/dist/tool_result_client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool_result_client.d.ts","sourceRoot":"","sources":["../src/tool_result_client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AAKH,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,aAAa,EAAE,OAAO,CAAC;IACvB,eAAe,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;GAOG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;gBACV,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;CAMzC;AAKD;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,eAAe,EAAE,GACzB,OAAO,CAAC,uBAAuB,CAAC,CAmDlC"}