zubo 0.1.8 → 0.1.11

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zubo",
-  "version": "0.1.8",
+  "version": "0.1.11",
   "description": "Your AI agent that never forgets. Persistent memory, 25+ tools, 7 channels, 11+ LLM providers — runs entirely on your machine.",
   "license": "MIT",
   "author": "thomaskanze",

package/site/index.html

@@ -4,7 +4,7 @@
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Zubo — Your AI Agent. Your Machine. Your Rules.</title>
-  <meta name="description" content="Open-source AI agent that runs on your machine. One command to install, one file to configure. Persistent memory, 25+ tools, 7 messaging channels, 11+ LLM providers. MCP compatible. Zero complexity.">
+  <meta name="description" content="Open-source AI agent that runs on your machine. One command to install, one file to configure. Persistent memory, 25+ tools, 7 messaging channels, 12+ LLM providers. MCP compatible. Zero complexity.">
   <meta name="theme-color" content="#060608">
   <link rel="canonical" href="https://zubo.bot/">
   <meta property="og:title" content="Zubo — Your AI Agent. Your Machine. Your Rules.">
@@ -305,11 +305,11 @@
             <svg width="28" height="28" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round"><path d="M21 16V8a2 2 0 0 0-1-1.73l-7-4a2 2 0 0 0-2 0l-7 4A2 2 0 0 0 3 8v8a2 2 0 0 0 1 1.73l7 4a2 2 0 0 0 2 0l7-4A2 2 0 0 0 21 16z"/><polyline points="7.5 4.21 12 6.81 16.5 4.21"/><polyline points="7.5 19.79 7.5 14.6 3 12"/><polyline points="21 12 16.5 14.6 16.5 19.79"/><polyline points="3.27 6.96 12 12.01 20.73 6.96"/><line x1="12" y1="22.08" x2="12" y2="12"/></svg>
           </div>
           <h3>Any LLM, Your Choice</h3>
-          <p>11+ providers including Anthropic, OpenAI, Gemini, Ollama, Groq, DeepSeek, and more. Smart routing sends simple queries to fast, cheap models automatically &mdash; so you save money without thinking about it.</p>
+          <p>12+ providers including Anthropic, OpenAI, MiniMax, Ollama, Groq, DeepSeek, and more. Smart routing sends simple queries to fast, cheap models automatically &mdash; so you save money without thinking about it.</p>
           <div class="bento-models">
             <span class="model-tag">Claude</span>
             <span class="model-tag">GPT-4o</span>
-            <span class="model-tag">Gemini</span>
+            <span class="model-tag">MiniMax</span>
             <span class="model-tag">DeepSeek</span>
             <span class="model-tag">Llama</span>
             <span class="model-tag">Mistral</span>

package/src/agent/delegate.ts

@@ -104,8 +104,8 @@ export async function delegateToAgent(
 
   // Filter out privileged tools from sub-agents to prevent escalation
   const FORBIDDEN_DELEGATION_TOOLS = new Set([
-    "delegate", "manage_agents", "config_update",
-    "secret_set", "secret_delete", "manage_skills",
+    "delegate", "delegate_task", "manage_agents",
+    "config_update", "secret_set", "secret_delete", "manage_skills",
   ]);
   const filteredTools = agent.tools.filter(
     (t) => !FORBIDDEN_DELEGATION_TOOLS.has(t)

package/src/agent/prompts.ts

@@ -5,7 +5,7 @@ const DEFAULT_PERSONALITY = `You are Zubo, a personal AI agent. You are friendly
 
 ## How you behave
 
-**Act first.** When the user asks you to do something, do it. Don't describe what you could do — use your tools and make it happen. If you need something from the user (an API key, a preference, a clarification), ask for it directly, and once you get it, act on it immediately.
+**Act first.** When the user asks you to do something, do it immediately. Don't describe what you could do — use your tools and make it happen. Don't ask for permission to do what the user just asked you to do (e.g. if they say "check my mails", just call the gmail tool — don't ask "do you approve me reading your emails?"). If you need something from the user (an API key, a preference, a clarification), ask for it directly, and once you get it, act on it immediately.
 
 **Be concise.** Answer in the fewest words that fully address the question. No filler, no preamble. Long explanations only when explicitly asked.
 
@@ -47,9 +47,15 @@ const DEFAULT_PERSONALITY = `You are Zubo, a personal AI agent. You are friendly
 - Delegate tasks using the delegate tool. Sub-agents share your memory but have scoped tools.
 - Keep the main conversation lightweight. Offload complex, self-contained tasks.
 
-## Connecting services
+## Connecting services (integrations)
 
-- **Google** (Gmail, Calendar, Drive): Requires OAuth 2.0. Need both client_id (ends with .apps.googleusercontent.com) and client_secret (starts with GOCSPX-) from Google Cloud Console. Use google_oauth to start the flow.
+Service integrations and LLM providers are COMPLETELY SEPARATE concepts. Never confuse them:
+- **Integrations** = external services like Gmail, GitHub, Notion (connected via OAuth or API tokens)
+- **LLM providers** = the AI model you use for thinking (Anthropic, OpenAI, etc.)
+- If Gmail access is broken, the fix is to re-authenticate Google OAuth — NOT to change the LLM provider. Never suggest changing LLM providers as a fix for integration issues.
+
+How to connect services:
+- **Google** (Gmail, Calendar, Drive): Requires OAuth 2.0. Need both client_id (ends with .apps.googleusercontent.com) and client_secret (starts with GOCSPX-) from Google Cloud Console. The OAuth app type should be "Desktop app" (NOT "Web application"). Use google_oauth tool to manage the full flow.
 - **GitHub**: Personal Access Token. Store as github_token via secret_set.
 - **Notion**: Internal Integration Token from notion.so/my-integrations. Store as notion_token.
 - **Linear**: Personal API Key from Linear > Settings > API. Store as linear_token.
@@ -58,6 +64,30 @@ const DEFAULT_PERSONALITY = `You are Zubo, a personal AI agent. You are friendly
 - **Twitter/X**: Bearer token for reading, full OAuth keys for posting. Store as twitter_bearer_token.
 - When the user says "connect my GitHub" or similar, ask for the credentials, store them with secret_set, then call connect_service.
 
+When Google OAuth expires or a Google tool returns an auth error:
+- Call google_oauth with action "start" (with NO parameters). It will automatically use the stored client_id and client_secret from secrets. Do NOT ask the user to re-provide credentials that are already saved.
+- Only ask the user for credentials if google_oauth returns an error saying credentials are missing.
+- For non-Google services, ask the user to provide a new token and store it with secret_set.
+- NEVER suggest unrelated solutions like changing the LLM provider.
+- NEVER try to guide the user through OAuth setup manually — always use the google_oauth tool.
+
+## LLM providers
+
+You support 12+ LLM providers. The user can switch at any time using config_update.
+
+**API-based providers** (need an API key):
+- Anthropic (Claude), OpenAI (GPT), MiniMax (M2.5), Groq, Together, DeepSeek, xAI (Grok), Fireworks, Cerebras, Perplexity, OpenRouter
+- To set up: config_update with path "providers.<name>" value {"apiKey":"...","model":"..."}, then set "activeProvider" to "<name>".
+
+**Local providers** (no API key needed):
+- Ollama, LM Studio — run models locally
+
+**CLI-based providers** (NO API key needed — they use the user's own CLI authentication):
+- **Claude Code** (provider name: "claude-code"): Spawns the Claude Code CLI. The user must have it installed and authenticated on their machine. To activate: config_update with path "providers.claude-code" value {"model":"claude-sonnet-4-5-20250929"}, then set "activeProvider" to "claude-code". NO apiKey field needed.
+- **OpenAI Codex** (provider name: "codex"): Spawns the Codex CLI. The user must have it installed and authenticated on their machine. To activate: config_update with path "providers.codex" value {"model":"o4-mini"}, then set "activeProvider" to "codex". NO apiKey field needed.
+
+IMPORTANT: When a user says "use codex" or "use claude code", do NOT ask for an API key. These are CLI tools that authenticate via the user's own terminal session. Just set the provider config and activate it.
+
 ## Tool confirmation
 
 Some tools (shell, file_write) require user confirmation. When a tool returns a confirmation request, explain what you want to do and why, then ask for permission. Never set _confirmed without explicit user approval.

package/src/channels/email.ts

@@ -154,8 +154,12 @@ class ImapClient {
     const bodyMatch = result.match(/\r\n\r\n([\s\S]*?)(?:\r\n\)|\r\nA\d+)/);
     if (bodyMatch) body = bodyMatch[1].trim();
 
-    // Strip HTML tags if present
-    body = body.replace(/<[^>]+>/g, "").trim();
+    // Strip script/style blocks and all HTML tags
+    body = body
+      .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "")
+      .replace(/<style\b[^<]*(?:(?!<\/style>)<[^<]*)*<\/style>/gi, "")
+      .replace(/<[^>]+>/g, "")
+      .trim();
     // Decode basic quoted-printable
     body = body.replace(/=\r?\n/g, "").replace(/=([0-9A-Fa-f]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
 

package/src/channels/webchat.ts

@@ -1109,29 +1109,32 @@ function handleDashboardApi(url: URL, req: Request): Response | null {
     }
   }
 
-  // GET /api/dashboard/secrets/:name — check if a secret exists (NEVER reveals values)
+  // GET /api/dashboard/secrets/:name — reveal a secret value (dashboard is localhost-only + session-authenticated)
   if (path.startsWith("/secrets/") && req.method === "GET") {
     const secretName = decodeURIComponent(path.replace("/secrets/", ""));
     if (!secretName || !/^[a-z0-9_]+$/.test(secretName)) {
       return Response.json({ error: "Invalid secret name" }, { status: 400 });
     }
     try {
+      const { maskToken } = require("../util/mask") as { maskToken: (s: string) => string };
       // Check config provider keys first
       if (secretName.endsWith("_api_key")) {
         const provider = secretName.replace(/_api_key$/, "");
         try {
           const cfg = JSON.parse(readFileSync(paths.config, "utf-8"));
           if (cfg.providers?.[provider]?.apiKey) {
-            return Response.json({ name: secretName, exists: true, source: "config" });
+            const key = cfg.providers[provider].apiKey;
+            return Response.json({ name: secretName, value: maskToken(key), source: "config" });
           }
         } catch (err: any) {
           logger.warn("Failed to read provider secret from config", { error: (err as Error).message });
         }
       }
       const db = getDb();
-      const row = db.query("SELECT name FROM secrets WHERE name = ?").get(secretName) as { name: string } | null;
-      if (!row) return Response.json({ error: "Not found" }, { status: 404 });
-      return Response.json({ name: secretName, exists: true, source: "secrets" });
+      const { getSecret } = require("../secrets/store") as { getSecret: (name: string) => string | null };
+      const value = getSecret(secretName);
+      if (!value) return Response.json({ error: "Not found" }, { status: 404 });
+      return Response.json({ name: secretName, value: maskToken(value), source: "secrets" });
     } catch (err: any) {
       return Response.json({ error: err.message }, { status: 500 });
     }
@@ -2013,8 +2016,15 @@ async function handleRequest(
           // CORS protection: reject cross-origin API requests
           if (url.pathname.startsWith("/api/")) {
             const origin = req.headers.get("origin");
-            if (origin && !origin.startsWith("http://localhost:") && !origin.startsWith("http://127.0.0.1:")) {
-              return Response.json({ error: "Cross-origin requests are not allowed" }, { status: 403 });
+            if (origin) {
+              const actualPort = server?.port ?? port;
+              const allowed = [
+                `http://localhost:${actualPort}`,
+                `http://127.0.0.1:${actualPort}`,
+              ];
+              if (!allowed.includes(origin)) {
+                return Response.json({ error: "Cross-origin requests are not allowed" }, { status: 403 });
+              }
             }
           }
 
@@ -2038,15 +2048,20 @@ async function handleRequest(
             });
           }
 
-          // --- OAuth routes (no auth required — part of OAuth flow) ---
+          // --- OAuth routes ---
 
-          // GET /oauth/:provider/authorize — redirect user to provider's auth page
+          // GET /oauth/:provider/authorize — redirect user to provider's auth page (requires session key)
           const ALLOWED_OAUTH_PROVIDERS = new Set(["google", "github", "notion", "linear", "slack"]);
           if (url.pathname.match(/^\/oauth\/[a-z]+\/authorize$/) && req.method === "GET") {
             const provider = url.pathname.split("/")[2];
             if (!ALLOWED_OAUTH_PROVIDERS.has(provider)) {
               return Response.json({ error: "Unknown OAuth provider" }, { status: 400 });
             }
+            // Require session key to prevent unauthorized OAuth initiation
+            const sk = url.searchParams.get("sk");
+            if (sk !== sessionKey) {
+              return Response.json({ error: "Unauthorized" }, { status: 401 });
+            }
             try {
               const { getAuthUrl } = await import("../tools/oauth");
               const actualPort = server?.port ?? port;

package/src/channels/whatsapp.ts

@@ -13,7 +13,7 @@ export function createWhatsAppAdapter(
   let sock: any = null;
   const sessionDir = authDir ?? join(paths.root, "whatsapp-auth");
 
-  return {
+  const adapter: ChannelAdapter = {
     channelName: "whatsapp",
 
     start() {
@@ -40,8 +40,11 @@ export function createWhatsAppAdapter(
             const shouldReconnect =
               lastDisconnect?.error?.output?.statusCode !== DisconnectReason.loggedOut;
             if (shouldReconnect) {
-              logger.info("WhatsApp reconnecting...");
-              // Re-create connection
+              logger.info("WhatsApp reconnecting in 3s...");
+              sock = null;
+              setTimeout(() => adapter.start(), 3000);
+            } else {
+              logger.info("WhatsApp logged out — not reconnecting");
             }
           } else if (connection === "open") {
             logger.info("WhatsApp connected");
@@ -116,4 +119,6 @@ export function createWhatsAppAdapter(
       }
     },
   };
+
+  return adapter;
 }

package/src/llm/claude-code.ts

@@ -67,11 +67,16 @@ export class ClaudeCodeProvider implements LlmProvider {
         try { proc.kill(); } catch {}
       }, 300000);
 
-      const exitCode = await proc.exited;
-      clearTimeout(timeout);
-
-      const stdout = await new Response(proc.stdout as ReadableStream).text();
-      const stderr = await new Response(proc.stderr as ReadableStream).text();
+      let exitCode: number;
+      let stdout: string;
+      let stderr: string;
+      try {
+        exitCode = await proc.exited;
+        stdout = await new Response(proc.stdout as ReadableStream).text();
+        stderr = await new Response(proc.stderr as ReadableStream).text();
+      } finally {
+        clearTimeout(timeout);
+      }
 
       if (exitCode !== 0) {
         throw new Error(`Claude Code CLI exited with code ${exitCode}: ${stderr.slice(0, 500)}`);

package/src/llm/codex.ts

@@ -64,11 +64,16 @@ export class CodexProvider implements LlmProvider {
         try { proc.kill(); } catch {}
       }, 300000);
 
-      const exitCode = await proc.exited;
-      clearTimeout(timeout);
-
-      const stdout = await new Response(proc.stdout as ReadableStream).text();
-      const stderr = await new Response(proc.stderr as ReadableStream).text();
+      let exitCode: number;
+      let stdout: string;
+      let stderr: string;
+      try {
+        exitCode = await proc.exited;
+        stdout = await new Response(proc.stdout as ReadableStream).text();
+        stderr = await new Response(proc.stderr as ReadableStream).text();
+      } finally {
+        clearTimeout(timeout);
+      }
 
       if (exitCode !== 0) {
         throw new Error(`Codex CLI exited with code ${exitCode}: ${stderr.slice(0, 500)}`);

package/src/llm/factory.ts

@@ -18,6 +18,7 @@ const KNOWN_BASE_URLS: Record<string, string> = {
   cerebras: "https://api.cerebras.ai/v1",
   perplexity: "https://api.perplexity.ai",
   xai: "https://api.x.ai/v1",
+  minimax: "https://api.minimax.io/v1",
   ollama: "http://localhost:11434/v1",
   lmstudio: "http://localhost:1234/v1",
 };

package/src/llm/openai-compat.ts

@@ -28,6 +28,7 @@ const DEFAULT_CONTEXT_WINDOWS: Record<string, number> = {
   cerebras: 128_000,
   perplexity: 128_000,
   xai: 131_072,           // Grok 4.1 supports up to 2M; safe default
+  minimax: 204_800,        // MiniMax M2.5
   ollama: 8_000,
   lmstudio: 8_000,
 };
@@ -375,7 +376,7 @@ export class OpenAICompatProvider implements LlmProvider {
     } finally {
       reader.releaseLock();
       // Ensure the response body is fully consumed/cancelled to free resources
-      try { await res.body!.cancel(); } catch (err: any) { logger.warn("Failed to cancel response body stream", { error: (err as Error).message }); }
+      try { await res.body?.cancel(); } catch (err: any) { logger.warn("Failed to cancel response body stream", { error: (err as Error).message }); }
     }
 
     // Emit tool_use_end for all tool calls

package/src/llm/smart-router.ts

@@ -147,8 +147,6 @@ export class SmartRouterProvider implements LlmProvider {
         model: this.fast.model,
         reason: "simple query",
       });
-      this.providerName = this.fast.providerName;
-      this.model = this.fast.model;
       return this.fast;
     }
 
@@ -157,8 +155,6 @@ export class SmartRouterProvider implements LlmProvider {
       model: this.primary.model,
       reason: "complex query",
     });
-    this.providerName = this.primary.providerName;
-    this.model = this.primary.model;
     return this.primary;
   }
 
@@ -172,8 +168,6 @@ export class SmartRouterProvider implements LlmProvider {
         logger.warn("Fast model failed, falling back to primary", {
           error: err.message,
         });
-        this.providerName = this.primary.providerName;
-        this.model = this.primary.model;
         return this.primary.chat(request);
       }
     }
@@ -212,13 +206,9 @@ export class SmartRouterProvider implements LlmProvider {
         }
 
         // Fallback to primary stream
-        this.providerName = this.primary.providerName;
-        this.model = this.primary.model;
       } else {
         // Fast model has no streaming, fall back to primary
         logger.info("Fast model has no streaming support, using primary");
-        this.providerName = this.primary.providerName;
-        this.model = this.primary.model;
       }
     }
 

package/src/setup.ts

@@ -168,6 +168,21 @@ const PROVIDER_OPTIONS: ProviderOption[] = [
   },
   {
     key: "9",
+    label: "MiniMax (M2.5)",
+    setup: async () => {
+      const apiKey = await prompt("  MiniMax API key: ");
+      const model = await prompt("  Model [MiniMax-M2.5] (or MiniMax-M2.5-highspeed): ");
+      return {
+        name: "minimax",
+        config: {
+          apiKey,
+          model: model || "MiniMax-M2.5",
+        },
+      };
+    },
+  },
+  {
+    key: "10",
     label: "Fireworks AI",
     setup: async () => {
       const apiKey = await prompt("  Fireworks API key: ");
@@ -183,7 +198,7 @@ const PROVIDER_OPTIONS: ProviderOption[] = [
     },
   },
   {
-    key: "10",
+    key: "11",
     label: "Cerebras",
     setup: async () => {
       const apiKey = await prompt("  Cerebras API key: ");
@@ -199,7 +214,7 @@ const PROVIDER_OPTIONS: ProviderOption[] = [
     },
   },
   {
-    key: "11",
+    key: "12",
     label: "LM Studio (local)",
     setup: async () => {
       const baseUrl = await prompt("  LM Studio URL [http://localhost:1234/v1]: ");
@@ -215,7 +230,7 @@ const PROVIDER_OPTIONS: ProviderOption[] = [
     },
   },
   {
-    key: "12",
+    key: "13",
     label: "Other (OpenAI-compatible)",
     setup: async () => {
       const name = await prompt("  Provider name: ");

package/src/tools/builtin/delegate.ts

@@ -35,7 +35,9 @@ export function registerDelegateTool(llm: LlmProvider) {
 
       // Dynamic import to avoid circular dependency
       const { delegateToAgent } = await import("../../agent/delegate");
-      const result = await delegateToAgent(llm, agent, task);
+      const crypto = await import("crypto");
+      const contextId = "delegation-" + crypto.randomUUID().slice(0, 8);
+      const result = await delegateToAgent(llm, agent, task, contextId);
       return result;
     },
   });

package/src/tools/builtin/google-oauth.ts

@@ -80,6 +80,10 @@ async function handleStart(
   clientId?: string,
   clientSecret?: string
 ): Promise<string> {
+  // If credentials not provided as parameters, check stored secrets
+  if (!clientId) clientId = getSecret("google_client_id") ?? undefined;
+  if (!clientSecret) clientSecret = getSecret("google_client_secret") ?? undefined;
+
   if (!clientId || !clientSecret) {
     return JSON.stringify({
       error:

package/src/tools/builtin/manage-agents.ts

@@ -75,6 +75,7 @@ export function registerManageAgentsTool() {
           const FORBIDDEN_SUBAGENT_TOOLS = [
             "manage_agents",   // Prevents recursive agent creation
             "delegate",        // Prevents delegation loops
+            "delegate_task",   // Prevents ad-hoc delegation loops
             "config_update",   // Prevents config tampering
             "secret_set",      // Prevents secret manipulation
             "secret_delete",   // Prevents secret deletion

package/src/tools/oauth.ts

@@ -433,6 +433,11 @@ export async function getToken(provider: string): Promise<string | null> {
           return await refreshPromise;
         } catch (err: any) {
           logger.warn(`[OAuth] Token refresh failed for ${provider}`, { error: err.message });
+          // If refresh token is invalid/revoked, remove stale token to stop retry loops
+          if (err.message?.includes("400") || err.message?.includes("401") || err.message?.includes("invalid")) {
+            logger.warn(`[OAuth] Removing stale token for ${provider} — user must re-authenticate`);
+            try { revokeToken(provider); } catch {}
+          }
           return null;
         }
       }

package/src/tools/permissions.ts

@@ -39,6 +39,20 @@ const DEFAULT_PERMISSIONS: Record<string, ToolPermission> = {
   image_generate: "auto",
   google_oauth: "auto",
 
+  // Integration skills — auto because user explicitly requests these actions
+  gmail: "auto",
+  google_calendar: "auto",
+  google_sheets: "auto",
+  google_docs: "auto",
+  google_drive: "auto",
+  github_issues: "auto",
+  github_repos: "auto",
+  github_prs: "auto",
+  notion_pages: "auto",
+  linear_issues: "auto",
+  jira_issues: "auto",
+  slack_messages: "auto",
+
   // Built-in skills — require confirmation (network writes, code execution, system access)
   http_request: "confirm",
   code_interpreter: "confirm",

package/src/util/costs.ts

@@ -24,6 +24,10 @@ const MODEL_PRICING: Record<string, { input: number; output: number }> = {
   "deepseek-chat": { input: 0.56, output: 1.68 },
   "deepseek-reasoner": { input: 0.55, output: 2.19 },
 
+  // MiniMax
+  "MiniMax-M2.5": { input: 0.3, output: 1.2 },
+  "MiniMax-M2.5-highspeed": { input: 0.3, output: 2.4 },
+
   // Groq
   "llama-3.3-70b-versatile": { input: 0.59, output: 0.79 },
   "llama-3.1-8b-instant": { input: 0.05, output: 0.08 },

package/tests/executor.test.ts

@@ -22,11 +22,18 @@ describe("Tool Executor", () => {
     unregisterTool("error_tool");
   });
 
-  it("should execute a registered tool", async () => {
-    const result = await executeTool("test_tool", "t1", { msg: "hello" });
+  it("should execute a registered tool (with confirmation)", async () => {
+    // Unknown tools default to "confirm" — first call returns confirmation token
+    const confirmResult = await executeTool("test_tool", "t1", { msg: "hello" });
+    expect(confirmResult.content).toContain("Confirmation Token:");
+    const tokenMatch = confirmResult.content.match(/Confirmation Token: ([a-f0-9-]+)/);
+    expect(tokenMatch).toBeTruthy();
+
+    // Second call with token executes the tool
+    const result = await executeTool("test_tool", "t1b", { msg: "hello", _confirmToken: tokenMatch![1] });
     expect(result.content).toBe("echo: hello");
     expect(result.is_error).toBe(false);
-    expect(result.tool_use_id).toBe("t1");
+    expect(result.tool_use_id).toBe("t1b");
   });
 
   it("should return error for unknown tool", async () => {
@@ -53,7 +60,14 @@ describe("Tool Executor", () => {
       },
     });
 
-    const result = await executeTool("error_tool", "t4", {});
+    // Unknown tools default to "confirm" — first call returns confirmation token
+    const confirmResult = await executeTool("error_tool", "t4", {});
+    expect(confirmResult.content).toContain("Confirmation Token:");
+    const tokenMatch = confirmResult.content.match(/Confirmation Token: ([a-f0-9-]+)/);
+    expect(tokenMatch).toBeTruthy();
+
+    // Second call with token — tool throws
+    const result = await executeTool("error_tool", "t4b", { _confirmToken: tokenMatch![1] });
     expect(result.is_error).toBe(true);
     expect(result.content).toContain("intentional failure");
   });

package/tests/permissions.test.ts

@@ -14,8 +14,8 @@ describe("getToolPermission", () => {
     expect(getToolPermission("file_write")).toBe("confirm");
   });
 
-  it("returns 'auto' for unknown tools (user-installed skills)", () => {
-    expect(getToolPermission("my_custom_skill")).toBe("auto");
-    expect(getToolPermission("weather")).toBe("auto");
+  it("returns 'confirm' for unknown tools (user-installed skills, MCP)", () => {
+    expect(getToolPermission("my_custom_skill")).toBe("confirm");
+    expect(getToolPermission("weather")).toBe("confirm");
   });
 });

package/tests/tools/executor.test.ts

@@ -41,13 +41,24 @@ describe("executeTool", () => {
     });
 
     try {
-      const result = await executeTool(
+      // Unknown tools default to "confirm" — first call returns confirmation token
+      const confirmResult = await executeTool(
         testToolName,
         "call-789",
         {},
         [testToolName]
       );
+      expect(confirmResult.content).toContain("Confirmation Token:");
+      const tokenMatch = confirmResult.content.match(/Confirmation Token: ([a-f0-9-]+)/);
+      expect(tokenMatch).toBeTruthy();
 
+      // Second call with token executes the tool
+      const result = await executeTool(
+        testToolName,
+        "call-789b",
+        { _confirmToken: tokenMatch![1] },
+        [testToolName]
+      );
       expect(result.is_error).toBe(false);
       expect(result.content).toBe("success");
     } finally {
@@ -56,15 +67,6 @@ describe("executeTool", () => {
   });
 
   test("returns a denied error for tools with deny permission", async () => {
-    // Register a tool and give it the "deny" permission by temporarily
-    // adding it to the permissions map. Since getToolPermission defaults
-    // to "auto" for unknown tools, we test with the "shell" tool which
-    // has "confirm" permission instead. Let's test the confirm flow.
-    // We'll test denied tools by checking the mechanism works correctly.
-
-    // The "shell" tool has "confirm" permission in the default map.
-    // For a truly denied tool, we'd need to modify the permissions map.
-    // Instead, let's verify that when allowedTools blocks a tool, it works.
     const result = await executeTool(
       "shell",
       "call-deny",
@@ -92,13 +94,23 @@ describe("executeTool", () => {
     });
 
     try {
-      const result = await executeTool(testToolName, "call-exec", {
+      // First call: get confirmation token (unknown tools default to "confirm")
+      const confirmResult = await executeTool(testToolName, "call-exec", {
         message: "hello",
       });
+      expect(confirmResult.content).toContain("Confirmation Token:");
+      const tokenMatch = confirmResult.content.match(/Confirmation Token: ([a-f0-9-]+)/);
+      expect(tokenMatch).toBeTruthy();
+
+      // Second call with token: actually execute
+      const result = await executeTool(testToolName, "call-exec2", {
+        message: "hello",
+        _confirmToken: tokenMatch![1],
+      });
 
       expect(result.is_error).toBe(false);
       expect(result.content).toBe("echo: hello");
-      expect(result.tool_use_id).toBe("call-exec");
+      expect(result.tool_use_id).toBe("call-exec2");
     } finally {
       unregisterTool(testToolName);
     }
@@ -119,7 +131,15 @@ describe("executeTool", () => {
     });
 
     try {
-      const result = await executeTool(testToolName, "call-throw", {});
+      // First call: get confirmation token
+      const confirmResult = await executeTool(testToolName, "call-throw", {});
+      const tokenMatch = confirmResult.content.match(/Confirmation Token: ([a-f0-9-]+)/);
+      expect(tokenMatch).toBeTruthy();
+
+      // Second call with token: tool throws
+      const result = await executeTool(testToolName, "call-throw2", {
+        _confirmToken: tokenMatch![1],
+      });
 
       expect(result.is_error).toBe(true);
       expect(result.content).toContain("Something went wrong");