zidane 4.1.4 → 4.1.6

package/dist/tools.d.ts

@@ -1,3 +1,3 @@
-import { _ as ToolDef, g as ToolContext, v as ToolMap } from "./agent-BoV5Twdl.js";
-import { A as edit, C as readFile, D as createInteractionTool, E as InteractionToolOptions, O as grep, S as shell, T as listFiles, _ as createSkillsUseTool, b as SkillsReadToolOptions, c as validateToolArgs, d as createToolSearchTool, f as ChildAgent, g as SkillsUseToolOptions, h as createSpawnTool, k as glob, l as LazyToolEntry, m as SpawnToolState, o as writeFile, p as SpawnToolOptions, s as ValidationResult, u as ToolSearchToolOptions, v as SkillsRunScriptToolOptions, w as multiEdit, x as createSkillsReadTool, y as createSkillsRunScriptTool } from "./index-28otmfLX.js";
+import { _ as ToolDef, g as ToolContext, v as ToolMap } from "./agent-BAoqUvwA.js";
+import { A as edit, C as readFile, D as createInteractionTool, E as InteractionToolOptions, O as grep, S as shell, T as listFiles, _ as createSkillsUseTool, b as SkillsReadToolOptions, c as validateToolArgs, d as createToolSearchTool, f as ChildAgent, g as SkillsUseToolOptions, h as createSpawnTool, k as glob, l as LazyToolEntry, m as SpawnToolState, o as writeFile, p as SpawnToolOptions, s as ValidationResult, u as ToolSearchToolOptions, v as SkillsRunScriptToolOptions, w as multiEdit, x as createSkillsReadTool, y as createSkillsRunScriptTool } from "./index-B8-yNSsk.js";
 export { ChildAgent, InteractionToolOptions, LazyToolEntry, SkillsReadToolOptions, SkillsRunScriptToolOptions, SkillsUseToolOptions, SpawnToolOptions, SpawnToolState, ToolContext, ToolDef, ToolMap, ToolSearchToolOptions, ValidationResult, createInteractionTool, createSkillsReadTool, createSkillsRunScriptTool, createSkillsUseTool, createSpawnTool, createToolSearchTool, edit, glob, grep, listFiles, multiEdit, readFile, shell, validateToolArgs, writeFile };

package/dist/tools.js

@@ -1,2 +1,2 @@
-import { a as multiEdit, c as grep, f as createToolSearchTool, g as validateToolArgs, h as createSkillsReadTool, i as readFile, l as glob, m as createSkillsRunScriptTool, n as createSpawnTool, o as listFiles, p as createSkillsUseTool, r as shell, s as createInteractionTool, t as writeFile, u as edit } from "./tools-DpeWKzP1.js";
+import { a as multiEdit, c as grep, f as createToolSearchTool, g as validateToolArgs, h as createSkillsReadTool, i as readFile, l as glob, m as createSkillsRunScriptTool, n as createSpawnTool, o as listFiles, p as createSkillsUseTool, r as shell, s as createInteractionTool, t as writeFile, u as edit } from "./tools-C8kDot0H.js";
 export { createInteractionTool, createSkillsReadTool, createSkillsRunScriptTool, createSkillsUseTool, createSpawnTool, createToolSearchTool, edit, glob, grep, listFiles, multiEdit, readFile, shell, validateToolArgs, writeFile };

package/dist/tui.d.ts

@@ -1,13 +1,143 @@
-import { Et as SessionTurn, H as Provider, It as TurnUsage, Mt as ToolResultContent, O as SessionStore } from "./agent-BoV5Twdl.js";
-import { P as Preset } from "./index-28otmfLX.js";
+import { D as SessionRun, Et as SessionTurn, H as Provider, It as TurnUsage, Mt as ToolResultContent, O as SessionStore } from "./agent-BAoqUvwA.js";
+import { P as Preset } from "./index-B8-yNSsk.js";
+import { OAuthCredentials, OAuthProviderInterface } from "@mariozechner/pi-ai/oauth";
 import { SyntaxStyle } from "@opentui/core";
 import * as _$react from "react";
 import { Dispatch, ReactNode, SetStateAction } from "react";
 
+//#region src/tui/providers.d.ts
+/**
+ * Structural model metadata — compatible with pi-ai's `Model` interface but
+ * not coupled to it, so hosts can pass either pi-ai-shaped objects or a
+ * custom registry of their own.
+ *
+ * Deliberately a structural duplicate of pi-ai's `Model` rather than a
+ * re-export: keeps the public API stable when pi-ai bumps shape, and lets
+ * hosts implement their own registry without depending on pi-ai's types.
+ *
+ * Lives here (rather than `./config`) because `ProviderDescriptor.models`
+ * needs it — pushing it to `config.tsx` created an import cycle.
+ */
+interface ModelInfo {
+  id: string;
+  name?: string;
+  contextWindow: number;
+  maxTokens?: number;
+  reasoning?: boolean;
+  input?: readonly ('text' | 'image')[];
+  cost?: {
+    input: number;
+    output: number;
+    cacheRead?: number;
+    cacheWrite?: number;
+  };
+  provider?: string;
+}
+interface ProviderDescriptor {
+  /**
+   * Unique identifier. Used as the registry key, persisted in `state.json`
+   * as the resumed provider, and (by default) as the credential-file key.
+   */
+  key: string;
+  /** Display name shown in the TUI's provider picker and labels. */
+  label: string;
+  /**
+   * Factory that builds a fresh `Provider` instance. Called on every session
+   * activation. Some factories (e.g. zidane's built-in `anthropic`) eagerly
+   * resolve credentials at construction time and throw when none are
+   * configured — set {@link defaultModel} on the descriptor to avoid the TUI
+   * calling the factory before the user has picked + authed a provider.
+   */
+  factory: () => Provider;
+  /**
+   * Default model id to seed the picker with. When omitted, the TUI falls
+   * back to `descriptor.factory().meta.defaultModel`, which constructs the
+   * provider — fine for lazy-credential factories, but breaks for factories
+   * that throw on missing credentials before the wizard runs. Setting this
+   * eagerly lets the TUI render the auth wizard without ever instantiating
+   * the provider.
+   */
+  defaultModel?: string;
+  /**
+   * Env var checked when detecting whether the user has an API key
+   * configured for this provider. Optional — set to `undefined` when the
+   * provider only supports OAuth (or only credentials via a custom path).
+   */
+  envKey?: string;
+  /**
+   * Key under which credentials live in `credentials.json`. Defaults to
+   * `key`. The only built-in that overrides this is OpenAI Codex
+   * (`openai` → `openai-codex`) to stay compatible with the harness
+   * provider's existing lookup.
+   */
+  credentialFileKey?: string;
+  /** Placeholder shown in the wizard's API-key input. */
+  apiKeyPlaceholder?: string;
+  /**
+   * pi-ai (or compat) OAuth provider. When present, the wizard offers an
+   * OAuth option in addition to API key.
+   */
+  oauthProvider?: OAuthProviderInterface;
+  /**
+   * Optional copy appended to the wizard's "OAuth" method description.
+   * Use to communicate why a user might pick OAuth (e.g. subscription tier,
+   * org-wide SSO). Shown after `browser-based sign-in`. Skip the leading
+   * space — the wizard adds it. Example: `'Claude Pro/Max subscription'`.
+   */
+  oauthHint?: string;
+  /**
+   * pi-ai provider id used to look up models in pi-ai's built-in registry.
+   * Defaults to `key`. Only Codex differs (`openai` → `openai-codex`).
+   */
+  piProviderId?: string;
+  /**
+   * Override the model list returned for this provider's picker. When set,
+   * skips pi-ai's registry entirely. Useful for hosts maintaining their
+   * own model catalogue or for custom providers pi-ai doesn't know about.
+   */
+  models?: readonly ModelInfo[];
+}
+/** Convenience accessor — returns `credentialFileKey ?? key`. */
+declare function credKeyOf(desc: ProviderDescriptor): string;
+/** Convenience accessor — returns `piProviderId ?? key`. */
+declare function piIdOf(desc: ProviderDescriptor): string;
+declare const anthropicDescriptor: ProviderDescriptor;
+declare const openaiDescriptor: ProviderDescriptor;
+declare const openrouterDescriptor: ProviderDescriptor;
+declare const cerebrasDescriptor: ProviderDescriptor;
+/**
+ * Default provider registry. Passed verbatim when `runTui` is invoked without
+ * an explicit `providers` option. Hosts that want to override per-provider
+ * metadata can spread this and replace specific entries:
+ *
+ * ```ts
+ * runTui({ providers: { ...BUILTIN_PROVIDERS, anthropic: myOwnAnthropicDescriptor } })
+ * ```
+ */
+declare const BUILTIN_PROVIDERS: Readonly<Record<string, ProviderDescriptor>>;
+/**
+ * Resolve the model list for a given provider. Honors `descriptor.models`
+ * when set; otherwise queries pi-ai via `descriptor.piProviderId`. Returns
+ * `[]` for descriptors with no known mapping (custom providers without a
+ * model list) — callers should hide the model picker in that case.
+ */
+declare function modelsForDescriptor(descriptor: ProviderDescriptor): readonly ModelInfo[];
+/**
+ * Look up the model's max context window via the descriptor's model source.
+ * Returns `null` when the model isn't known (custom slugs, providers without
+ * a registry); callers should hide the context indicator in that case.
+ */
+declare function getContextWindow(descriptor: ProviderDescriptor, modelId: string): number | null;
+//#endregion
 //#region src/tui/auth.d.ts
-type ProviderKey = 'anthropic' | 'openai' | 'openrouter' | 'cerebras';
+/**
+ * Provider identifier as known to the TUI. Built-in keys are `anthropic`,
+ * `openai`, `openrouter`, `cerebras`, but hosts can register additional
+ * keys via {@link ProviderDescriptor} — so the type is open.
+ */
+type ProviderKey = string;
 interface AuthMethod {
-  source: 'env' | 'oauth';
+  source: 'env' | 'oauth' | 'apikey';
   /** Human-readable detail (env var name, expiry timestamp, …). */
   detail: string;
 }
@@ -18,17 +148,20 @@ interface ProviderAuth {
   available: boolean;
   methods: AuthMethod[];
 }
-declare function envKeyFor(key: ProviderKey): string;
 /**
- * Detect available auth across the providers the harness ships with.
+ * Detect available auth for every registered provider.
+ *
+ * Resolution order per provider (a method appears in `methods` for each
+ * layer that has a credential — the agent itself resolves them in the same
+ * order via its provider factories):
  *
- * Mirrors the resolution order used by the providers at runtime:
- *   - explicit env var (highest)
- *   - OAuth credentials in `.credentials.json` (anthropic + openai-codex only)
+ *   1. `kind: 'apikey'` from `credentials.json` (injected into env at TUI launch)
+ *   2. explicit env var (descriptor's `envKey`)
+ *   3. `kind: 'oauth'` from `credentials.json` (or legacy `cwd/.credentials.json`)
  *
  * Pure read — never refreshes or rewrites the credentials file.
  */
-declare function detectAuth(env?: Record<string, string | undefined>): ProviderAuth[];
+declare function detectAuth(dataDir: string, registry: Readonly<Record<string, ProviderDescriptor>>, env?: Record<string, string | undefined>): ProviderAuth[];
 //#endregion
 //#region src/tui/types.d.ts
 type Screen = 'auth' | 'sessions' | 'chat';
@@ -47,6 +180,13 @@ interface StreamEvent {
   childId?: string;
   /** Nesting depth — 0 = parent, ≥ 1 = subagent (matches zidane's spawn depth). */
   depth?: number;
+  /**
+   * Canonical tool name for `tool` / `tool-result` events. Lets the renderer
+   * filter by tool — e.g. hide the parent's `spawn` tool-result when
+   * `hideSubagentOutput` is on, since the spawn-end marker already shows the
+   * same stats. Absent for non-tool events.
+   */
+  tool?: string;
 }
 interface Picked {
   provider: ProviderAuth;
@@ -58,11 +198,28 @@ interface SessionMeta {
   turnCount: number;
   updatedAt: number;
 }
-/** Persisted, user-toggleable transcript filters. */
+/** Persisted, user-toggleable transcript filters and modes. */
 interface Settings {
   showThinking: boolean;
   showToolCalls: boolean;
   showToolResults: boolean;
+  /**
+   * Safe mode — when enabled, every tool call requires explicit user
+   * approval unless it's covered by the project safelist (`projects.json`)
+   * or the implicit read-only allow-list. Default: on.
+   */
+  safeMode: boolean;
+  /**
+   * Hide a subagent's internal events (its streamed markdown, thinking,
+   * tool calls, and tool results) from the transcript. The `🌱` start and
+   * `✓` end markers stay visible so the user still sees that a subagent
+   * is working and when it finished. Default: on — subagent runs are
+   * usually noisy and the parent's final response already summarizes them.
+   *
+   * When off, those events are visible and wrapped in a dim bordered box
+   * for clear visual hierarchy.
+   */
+  hideSubagentOutput: boolean;
 }
 //#endregion
 //#region src/tui/store.d.ts
@@ -91,13 +248,24 @@ declare function listSessionMeta(store: SessionStore): Promise<SessionMeta[]>;
 /** Derive a short title from the first user message — returns null when empty. */
 declare function titleFromTurns(turns: SessionTurn[]): string | null;
 /**
- * Replay persisted turns as a viewable transcript. Mirrors the event shape produced
- * live by the agent hooks so loaded and streaming history render identically.
+ * Replay persisted turns as a viewable transcript. Mirrors the event shape
+ * produced live by the agent hooks so loaded and streaming history render
+ * identically — including subagent ancestry when `runs` is supplied.
  *
- * Skips `tool_result` blocks (they're not user-visible by default), and inserts a
- * `separator` event between turn groups so the eye can parse turn boundaries.
+ * Subagent reconstruction:
+ *   - Every turn carries a `runId`. We look that up in `runs` to get the
+ *     run's `depth` and tag the resulting events with `{ depth, childId }`
+ *     — the same shape the live `child:*` bubble hooks produce.
+ *   - We synthesize `spawn-start` / `spawn-end` markers at each child-run
+ *     boundary so the transcript reads the same as a live run did
+ *     (`🌱 [run-id] task` … child events … `🌳 [run-id] done · tokens`).
+ *   - For child runs (`depth > 0`), the user-role "task" text is suppressed
+ *     because `spawn-start` already shows it.
+ *
+ * Without `runs` (legacy callers / tests), the function falls back to the
+ * old behavior: depth-0 events with no subagent grouping.
  */
-declare function eventsFromTurns(turns: SessionTurn[]): StreamEvent[];
+declare function eventsFromTurns(turns: SessionTurn[], runs?: readonly SessionRun[]): StreamEvent[];
 /** Shared formatter for the `↳ name(args)` line shown on tool calls. */
 declare function toolCallPreview(name: string, input: Record<string, unknown>): string;
 /** Render tool output as plain text, whether it's a string or structured content. */
@@ -107,35 +275,16 @@ declare function lastContextSizeFromTurns(turns: SessionTurn[]): number;
 //#endregion
 //#region src/tui/config.d.ts
 /**
- * Structural model metadata — compatible with pi-ai's `Model` interface but
- * not coupled to it, so callers can pass either pi-ai-shaped objects or a
- * custom registry of their own.
- *
- * Deliberately a structural duplicate of `pi-ai`'s `Model` rather than a
- * re-export: keeps the public API stable when pi-ai bumps shape, and lets
- * hosts implement their own registry without depending on pi-ai's types.
+ * Provider registry — a map keyed by `descriptor.key`. Passed verbatim to the
+ * TUI; there is no implicit merge with built-ins. Hosts that want the four
+ * default providers spread {@link BUILTIN_PROVIDERS}; hosts that only want
+ * their own pass exactly their own.
  */
-interface ModelInfo {
-  id: string;
-  name?: string;
-  contextWindow: number;
-  maxTokens?: number;
-  reasoning?: boolean;
-  input?: readonly ('text' | 'image')[];
-  cost?: {
-    input: number;
-    output: number;
-    cacheRead?: number;
-    cacheWrite?: number;
-  };
-  provider?: string;
-}
-type ProviderRegistry = Partial<Record<ProviderKey, () => Provider>>;
-type ModelRegistry = Partial<Record<ProviderKey, readonly ModelInfo[]>>;
+type ProviderRegistry = Readonly<Record<string, ProviderDescriptor>>;
 /**
  * Options accepted by `runTui()` and `resolveConfig()`. Every field is optional
- * — sensible defaults boot a working chat against the four built-in providers
- * with sessions stored under `~/.zidane/`.
+ * — defaults boot a working chat against the built-in providers with sessions
+ * stored under `~/.zidane/`.
  */
 interface TuiOptions {
   /**
@@ -150,9 +299,15 @@ interface TuiOptions {
    */
   storageDir?: string;
   /**
-   * Provider factory map. Override entries (or supply a whole new map) to
-   * register custom providers. Default: anthropic/openai/openrouter/cerebras
-   * from the built-in zidane factories.
+   * Provider registry. Each value is a {@link ProviderDescriptor} carrying
+   * label + factory + credential metadata. **No automatic merge** — hosts
+   * pass exactly what they want.
+   *
+   * - Omitted → {@link BUILTIN_PROVIDERS} (anthropic + openai + openrouter + cerebras).
+   * - `providers: BUILTIN_PROVIDERS` → same as omitted, but explicit.
+   * - `providers: { anthropic: anthropicDescriptor }` → only Anthropic.
+   * - `providers: { ...BUILTIN_PROVIDERS, mine: customDescriptor }` → built-ins + custom.
+   * - `providers: { mine: customDescriptor }` → custom-only, **no built-ins**.
    */
   providers?: ProviderRegistry;
   /**
@@ -164,12 +319,6 @@ interface TuiOptions {
    * `<storageDir>/<prefix>/sessions.db`.
    */
   store?: SessionStore;
-  /**
-   * Per-provider model registry for the in-app model picker. Each list should
-   * be in pi-ai's `Model`-compatible shape (see `ModelInfo`). If omitted, the
-   * picker falls back to pi-ai's built-in registry via `getModels()`.
-   */
-  models?: ModelRegistry;
 }
 interface ResolvedConfig {
   prefix: string;
@@ -256,15 +405,83 @@ declare function Transcript({
 /**
  * Resolve the top margin for an event given the one rendered just before it.
  *
- * The only context-aware rule today: a tool/tool-result event that follows
- * another tool/tool-result event collapses its margin to zero, so a chain of
- * tool calls reads as a tight list — whether the user has hidden tool outputs
- * or not, and whether the agent emits back-to-back calls or call→result pairs.
+ * Context-aware rules:
+ *
+ *   - A `tool` / `tool-result` event right after another `tool` / `tool-result`
+ *     collapses to a tight list — call→result pairs and back-to-back calls
+ *     read as one logical block.
+ *   - A parent-level event (`depth === 0`) right after a subagent event
+ *     (`depth > 0`) collapses too. The subagent's `🌳` end marker (and, in
+ *     show mode, the subagent box's bottom border) already provides the
+ *     separation; adding the event's default `marginTop` on top would
+ *     produce the visible "line jump" between a subagent's outcome and the
+ *     parent's follow-up. Either form of marker is enough — we don't want
+ *     both.
  *
  * Exported so the spacing matrix can be unit-tested without rendering.
  */
 declare function marginTopFor(event: StreamEvent, previous: StreamEvent | undefined): number;
 //#endregion
+//#region src/tui/credentials.d.ts
+interface ApiKeyCredential {
+  kind: 'apikey';
+  value: string;
+}
+interface OAuthCredential {
+  kind: 'oauth';
+  access: string;
+  refresh?: string;
+  expires?: number;
+  /** Provider-specific extras (e.g. OpenAI Codex `accountId`). */
+  [extra: string]: unknown;
+}
+type ProviderCredential = ApiKeyCredential | OAuthCredential;
+/** Top-level shape of `credentials.json` — keys are credential-file keys. */
+type CredentialsFile = Record<string, ProviderCredential>;
+/**
+ * Resolve the credentials file path given the resolved TUI data directory
+ * (typically `~/.zidane`, i.e. `config.paths.dir`).
+ *
+ * Matches the convention used elsewhere in the TUI (sessions.db, state.json)
+ * so a single `ZIDANE_STORAGE_DIR` override moves the entire data root.
+ */
+declare function credentialsPath(dataDir: string): string;
+/**
+ * Read credentials from disk.
+ *
+ * Returns `{}` when the file is missing or corrupt (last-ditch tolerance —
+ * a hand-edit gone wrong shouldn't lock the user out of re-authing). On first
+ * call with no file present, attempts a migration from `cwd/.credentials.json`
+ * (the legacy location used by `bun run auth`).
+ */
+declare function readCredentials(dataDir: string): CredentialsFile;
+/** Read a single provider's credential (translating via the descriptor). */
+declare function readProviderCredential(dataDir: string, descriptor: ProviderDescriptor): ProviderCredential | undefined;
+/**
+ * Write credentials atomically (write-then-rename) with mode 0o600.
+ *
+ * Atomic on the same filesystem — readers either see the previous file or the
+ * new one, never a half-written intermediate. Creates the parent dir if needed
+ * (first launch on a fresh machine: `~/.zidane/` may not exist yet).
+ */
+declare function writeCredentials(dataDir: string, creds: CredentialsFile): void;
+declare function setProviderCredential(dataDir: string, descriptor: ProviderDescriptor, cred: ProviderCredential): void;
+declare function removeProviderCredential(dataDir: string, descriptor: ProviderDescriptor): void;
+/**
+ * Inject API-key credentials into `process.env` so the harness providers pick
+ * them up via their existing env-var resolution. Called once at TUI launch
+ * after the credentials file has been resolved. OAuth credentials are NOT
+ * injected — those reach providers via `ZIDANE_CREDENTIALS_PATH` + the file
+ * reader in `src/providers/oauth.ts`.
+ *
+ * Does not overwrite env vars that are already set — explicit user-provided
+ * env values win over stored API keys.
+ *
+ * Descriptors without an `envKey` (OAuth-only providers, custom providers
+ * that bypass env-var resolution) are skipped silently.
+ */
+declare function applyApiKeyEnv(dataDir: string, registry: Readonly<Record<string, ProviderDescriptor>>): void;
+//#endregion
 //#region src/tui/format.d.ts
 /** Compact token formatter — 12_415 → "12.4k", 1_234_567 → "1.23M". */
 declare function fmtTokens(n: number): string;
@@ -328,9 +545,10 @@ declare function Modal({
 //#endregion
 //#region src/tui/model-picker.d.ts
 /**
- * Modal that lists the available models for the current provider and lets the
- * user pick one. Options come from `runTui({ models })` if supplied, otherwise
- * from pi-ai's built-in registry.
+ * Modal that lists the available models for the current provider and lets
+ * the user pick one. Options come from the active `ProviderDescriptor` —
+ * either its declared `models` list or, when absent, pi-ai's built-in
+ * registry looked up via `piProviderId`.
  *
  * Each row shows: `● selected · name (ctx N · reasoning · vision)`.
  */
@@ -344,30 +562,140 @@ declare function ModelPickerModal({
   onPick: (modelId: string) => void;
 }): _$react.ReactNode;
 //#endregion
-//#region src/tui/providers.d.ts
+//#region src/tui/oauth.d.ts
+declare function supportsOAuth(descriptor: ProviderDescriptor): boolean;
+interface OAuthFlowOptions {
+  /** Called when the provider emits its login URL — typically right after the callback server starts. */
+  onUrl: (url: string, instructions?: string) => void;
+  /** Called when the provider needs a code entered manually (rare; only when callback server fails). */
+  onCodeRequest?: () => Promise<string>;
+  /** Called with each progress message from the OAuth flow (token exchange, etc.). */
+  onProgress?: (message: string) => void;
+  /** Abort the in-flight login (e.g. user pressed esc). */
+  signal?: AbortSignal;
+}
+/**
+ * Run the OAuth login flow for a provider.
+ *
+ * Returns the OAuth credentials on success; caller persists them via
+ * `setProviderCredential(dataDir, descriptor, { kind: 'oauth', ...credentials })`.
+ * Throws when the descriptor has no `oauthProvider` configured.
+ */
+declare function runOAuthLogin(descriptor: ProviderDescriptor, options: OAuthFlowOptions): Promise<OAuthCredentials>;
+//#endregion
+//#region src/tui/safe-mode.d.ts
+/**
+ * Safe-mode storage + matching for the TUI.
+ *
+ * Lives at `<dataDir>/projects.json` (default `~/.zidane/projects.json`). Each
+ * top-level key is an absolute project directory; the value carries that
+ * project's persisted tool-call `safelist`.
+ *
+ * ```json
+ * {
+ *   "/Users/me/proj-a": { "safelist": ["read_file", "shell:git:*"] }
+ * }
+ * ```
+ *
+ * Two granularities for safelist entries:
+ *   - **bare tool name** — `"read_file"` matches every `read_file` call.
+ *   - **tool + first-arg token + wildcard** — `"shell:git:*"` matches `shell`
+ *     calls whose primary string argument starts with the token `git`
+ *     (followed by whitespace or end-of-string). Modelled on Claude Code's
+ *     `Bash(git:*)` syntax.
+ *
+ * A short list of read-only tools is **implicitly safe** without being
+ * persisted — see {@link IMPLICITLY_SAFE_TOOLS}.
+ */
+interface ProjectEntry {
+  safelist?: string[];
+}
+type ProjectsFile = Record<string, ProjectEntry>;
+/** Resolve `projects.json`'s on-disk path given the TUI data directory. */
+declare function projectsFilePath(dataDir: string): string;
+declare function readProjects(dataDir: string): ProjectsFile;
+/** Atomic write — tmp + rename so a crash never leaves a half-file. */
+declare function writeProjects(dataDir: string, file: ProjectsFile): void;
 /**
- * Construct a fresh provider instance for a given key.
+ * Append `entry` to the safelist for `projectDir`, dedup-aware. Returns the
+ * updated entry list (post-write) so callers can render it without re-reading.
+ */
+declare function addToSafelist(dataDir: string, projectDir: string, entry: string): readonly string[];
+/** Read the safelist for one project. Returns `[]` for unknown projects. */
+declare function getSafelist(dataDir: string, projectDir: string): readonly string[];
+/**
+ * Tools that always pass without prompting — pure file/dir reads with no
+ * side effects. Users who want to gate them must disable safe-mode entirely
+ * (or fork this list in their own embedding).
+ */
+declare const IMPLICITLY_SAFE_TOOLS: readonly string[];
+/**
+ * Test whether a `{ tool, input }` pair is covered by one safelist entry.
+ *
+ * Supported entry shapes:
+ *   - `"<tool>"` — broad match on tool name. For `shell` this still requires
+ *     a single-program command (compound forms always prompt).
+ *   - `"<tool>:<token>:*"` — match when the primary arg's first token equals
+ *     `<token>`. For `shell`, also requires the command to be free of
+ *     metacharacters (`;`, `&&`, `||`, `|`, `$(`, backticks, `>`, `<`,
+ *     newlines, subshells) — otherwise a `shell:git:*` entry would silently
+ *     greenlight `git status && rm -rf /`.
+ *
+ * Entries that don't fit either shape are ignored (forward-compat for future
+ * pattern syntax — readers shouldn't choke on entries written by a newer
+ * version of the TUI).
+ */
+declare function matchesSafelistEntry(entry: string, tool: string, input: Record<string, unknown>): boolean;
+/** True when a call matches ANY entry in the project's safelist (or is implicitly safe). */
+declare function isOnSafelist(entries: readonly string[], tool: string, input: Record<string, unknown>): boolean;
+/**
+ * Suggest the safelist entry to write when the user picks "accept and
+ * remember" for a `{ tool, input }`. Heuristic:
+ *
+ *   - `shell` → scope by first command token (`shell:git:*`).
+ *   - anything else → bare tool name (broad).
  *
- * Providers are cheap to build — credentials are resolved lazily at first
- * stream call — so we instantiate on demand rather than caching a singleton.
- * This also avoids leaking state across session/provider switches.
+ * Returning a string ensures the UI always has a concrete entry to display
+ * as the button label.
  */
-declare const FACTORIES: Record<ProviderKey, () => Provider>;
-/** zidane provider key → pi-ai provider id (some don't match 1:1). */
-declare const PI_PROVIDER_ID: Record<ProviderKey, string>;
+declare function suggestSafelistEntry(tool: string, input: Record<string, unknown>): string;
+//#endregion
+//#region src/tui/safe-mode-context.d.ts
+type ApprovalDecision = 'accept-once' | 'accept-safelist' | 'deny';
+interface ApprovalRequest {
+  id: string;
+  tool: string;
+  input: Record<string, unknown>;
+  resolve: (decision: ApprovalDecision) => void;
+}
+/** Function signature consumed by `tool:gate` handlers + the child-tool wrap. */
+type RequestApproval = (tool: string, input: Record<string, unknown>) => Promise<ApprovalDecision>;
+interface SafeModeActions {
+  /** Request a decision; resolves once the user picks. */
+  requestApproval: RequestApproval;
+  /** Resolve the head and shift the queue forward. */
+  resolveHead: (decision: ApprovalDecision) => void;
+  /** Resolve all pending with `deny`. Used on abort / hard exit. */
+  denyAll: () => void;
+}
 /**
- * Look up the model's max context window via pi-ai's model registry.
- * Returns `null` when the model isn't known (e.g. a custom openrouter slug);
- * callers should hide the context indicator in that case.
+ * Owns the queue + actions. Splits the value across two contexts so a queue
+ * change doesn't invalidate every callback memo that closes over the actions.
  */
-declare function getContextWindow(key: ProviderKey, modelId: string): number | null;
+declare function SafeModeProvider({
+  children
+}: {
+  children: ReactNode;
+}): ReactNode;
+declare function useSafeModeQueue(): readonly ApprovalRequest[];
+declare function useSafeModeActions(): SafeModeActions;
 //#endregion
 //#region src/tui/screens.d.ts
 declare function AuthScreen({
   onPick
 }: {
   onPick: (p: ProviderAuth) => void;
-}): _$react.ReactNode;
+}): ReactNode;
 declare function SessionsScreen({
   sessions,
   currentId,
@@ -378,20 +706,24 @@ declare function SessionsScreen({
   currentId: string | null;
   onPick: (id: string) => void;
   onCreate: () => void;
-}): _$react.ReactNode;
+}): ReactNode;
 declare function ChatScreen({
   events,
   busy,
   settings,
   onSubmit,
-  session
+  session,
+  pending,
+  onApproval
 }: {
   events: StreamEvent[];
   busy: boolean;
   settings: Settings;
   onSubmit: (prompt: string) => void;
-  session: SessionMeta | null;
-}): _$react.ReactNode;
+  session: SessionMeta | null; /** Head of the safe-mode approval queue, or `null` when nothing is pending. */
+  pending: ApprovalRequest | null; /** Resolve the active prompt with the user's pick. */
+  onApproval: (decision: ApprovalDecision) => void;
+}): ReactNode;
 //#endregion
 //#region src/tui/settings.d.ts
 declare const DEFAULT_SETTINGS: Settings;
@@ -409,7 +741,19 @@ declare function SettingsProvider({
   children: ReactNode;
 }): ReactNode;
 declare function useSettings(): SettingsContextValue;
-declare function SettingsModal(): ReactNode;
+interface SettingsActions {
+  /**
+   * Re-open the auth screen so the user can switch providers or run the
+   * wizard for a new/existing one. Wiring this callback adds a
+   * "Re-configure providers" row to the modal.
+   */
+  onReauth?: () => void;
+}
+declare function SettingsModal({
+  actions
+}?: {
+  actions?: SettingsActions;
+}): ReactNode;
 //#endregion
 //#region src/tui/streaming.d.ts
 /** Flip any trailing streaming markdown blocks (any owner) to finalized. */
@@ -516,18 +860,17 @@ declare const MD_STYLE: SyntaxStyle;
  * to `runTui({ storageDir, prefix })`.
  *
  * ```ts
- * import { runTui } from 'zidane/tui'
+ * import { BUILTIN_PROVIDERS, runTui } from 'zidane/tui'
  * import { createRemoteStore } from 'zidane/session'  // for the `store` option
  *
  * await runTui()                                       // ~/.zidane/sessions.db + state.json
  * await runTui({ prefix: '.myapp' })                   // ~/.myapp/...
  * await runTui({ storageDir: '/data', prefix: 'myapp' })
- * await runTui({ providers: { custom: () => myProvider() } })
+ * await runTui({ providers: { ...BUILTIN_PROVIDERS, mine: myDescriptor } })
  * await runTui({ store: createRemoteStore({ url: '…' }) })
- * await runTui({ models: { anthropic: [{ id: 'claude-foo', contextWindow: 200_000 }] } })
  * ```
  */
 declare function runTui(options?: TuiOptions): Promise<never>;
 //#endregion
-export { App, type AuthMethod, AuthScreen, COLOR, ChatScreen, ConfigProvider, type ContextUsage, DEFAULT_SETTINGS, FACTORIES, Footer, type Hint, MD_STYLE, Modal, type ModalProps, ModalRoot, type ModelInfo, ModelPickerModal, type ModelRegistry, type Owner, PI_PROVIDER_ID, type Picked, type ProviderAuth, type ProviderKey, type ProviderRegistry, type ResolvedConfig, SELECT_THEME, type Screen, type SessionMeta, SessionsScreen, type Settings, SettingsModal, SettingsProvider, Spinner, type StateStoreApi, type StreamBuffer, type StreamEvent, type StreamSource, Transcript, type TuiOptions, type TuiState, ageString, createStateStore, createTuiStore, detectAuth, envKeyFor, eventsFromTurns, finalizeStreamingMarkdown, finalizeStreamingMarkdownForOwner, fmtTokens, getContextWindow, lastContextSizeFromTurns, listSessionMeta, loadState, marginTopFor, onInputSubmit, resolveConfig, runTui, saveState, shortId, titleFromTurns, toolCallPreview, toolResultText, turnContextSize, useConfig, useModal, useModalAwareFocus, useSettings, useStreamBuffer };
+export { type ApiKeyCredential, App, type ApprovalDecision, type ApprovalRequest, type AuthMethod, AuthScreen, BUILTIN_PROVIDERS, COLOR, ChatScreen, ConfigProvider, type ContextUsage, type CredentialsFile, DEFAULT_SETTINGS, Footer, type Hint, IMPLICITLY_SAFE_TOOLS, MD_STYLE, Modal, type ModalProps, ModalRoot, type ModelInfo, ModelPickerModal, type OAuthCredential, type OAuthFlowOptions, type Owner, type Picked, type ProjectEntry, type ProjectsFile, type ProviderAuth, type ProviderCredential, type ProviderDescriptor, type ProviderKey, type ProviderRegistry, type RequestApproval, type ResolvedConfig, SELECT_THEME, type SafeModeActions, SafeModeProvider, type Screen, type SessionMeta, SessionsScreen, type Settings, SettingsModal, SettingsProvider, Spinner, type StateStoreApi, type StreamBuffer, type StreamEvent, type StreamSource, Transcript, type TuiOptions, type TuiState, addToSafelist, ageString, anthropicDescriptor, applyApiKeyEnv, cerebrasDescriptor, createStateStore, createTuiStore, credKeyOf, credentialsPath, detectAuth, eventsFromTurns, finalizeStreamingMarkdown, finalizeStreamingMarkdownForOwner, fmtTokens, getContextWindow, getSafelist, isOnSafelist, lastContextSizeFromTurns, listSessionMeta, loadState, marginTopFor, matchesSafelistEntry, modelsForDescriptor, onInputSubmit, openaiDescriptor, openrouterDescriptor, piIdOf, projectsFilePath, readCredentials, readProjects, readProviderCredential, removeProviderCredential, resolveConfig, runOAuthLogin, runTui, saveState, setProviderCredential, shortId, suggestSafelistEntry, supportsOAuth, titleFromTurns, toolCallPreview, toolResultText, turnContextSize, useConfig, useModal, useModalAwareFocus, useSafeModeActions, useSafeModeQueue, useSettings, useStreamBuffer, writeCredentials, writeProjects };
 //# sourceMappingURL=tui.d.ts.map