aru-code 0.28.0__tar.gz → 0.30.0__tar.gz

{aru_code-0.28.0/aru_code.egg-info → aru_code-0.30.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aru-code
-Version: 0.28.0
+Version: 0.30.0
 Summary: A Claude Code clone built with Agno agents
 Author-email: Estevao <estevaofon@gmail.com>
 License-Expression: MIT

aru_code-0.30.0/aru/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.30.0"

{aru_code-0.28.0 → aru_code-0.30.0}/aru/agent_factory.py

@@ -81,6 +81,32 @@ def _wrap_tools_with_hooks(tools: list) -> list:
                         f"exit_plan_mode(plan=<full plan text>) to request "
                         f"approval. Do NOT retry {tool_name}."
                     )
+            # Active-skill disallowed-tools gate — honors the `disallowed-tools`
+            # frontmatter field of the currently active skill. Mirrors the
+            # plan-mode gate pattern above; runs before plugin hooks so a skill
+            # can hard-block a tool regardless of permission/plugin state.
+            try:
+                from aru.runtime import get_ctx
+                ctx = get_ctx()
+                session = getattr(ctx, "session", None)
+                config = getattr(ctx, "config", None)
+            except (LookupError, AttributeError):
+                session = None
+                config = None
+            if session is not None and config is not None:
+                active = getattr(session, "active_skill", None)
+                skills = getattr(config, "skills", None) or {}
+                active_skill_obj = skills.get(active) if active else None
+                disallowed = getattr(active_skill_obj, "disallowed_tools", None) or []
+                if tool_name in disallowed:
+                    return (
+                        f"BLOCKED: tool `{tool_name}` is disallowed by the "
+                        f"currently active skill `{active}`. Read the skill's "
+                        f"SKILL.md for the prescribed path. Do NOT retry "
+                        f"`{tool_name}`; use the alternative the skill specifies "
+                        f"(commonly: write the output to a `.md` file via "
+                        f"`write_file` instead of using in-session state)."
+                    )
             # Before hook — plugins can mutate args or raise PermissionError to block
             try:
                 before_data = await _fire_hook("tool.execute.before", {
@@ -112,10 +138,11 @@ def _wrap_tools_with_hooks(tools: list) -> list:
 
 
 async def _apply_chat_hooks(instructions: str, model_ref: str, agent_name: str,
-                            max_tokens: int = 8192) -> tuple[str, str, int]:
+                            max_tokens: int | None = None) -> tuple[str, str, int | None]:
     """Apply chat.system.transform and chat.params hooks to agent creation params.
 
     Returns (instructions, model_ref, max_tokens) — possibly modified by plugins.
+    When max_tokens is None, providers.create_model will use the model's full cap.
     """
     # chat.system.transform — plugins can modify the system prompt
     data = await _fire_hook("chat.system.transform", {
@@ -216,9 +243,9 @@ async def create_custom_agent_instance(agent_def: CustomAgent, session: Session,
         parts.append(extra)
     instructions = "\n\n".join(parts)
 
-    # Apply chat hooks (system.transform + params)
+    # Apply chat hooks (system.transform + params). max_tokens=None → provider cap.
     instructions, model_ref, max_tokens = await _apply_chat_hooks(
-        instructions, model_ref, agent_def.name, max_tokens=8192,
+        instructions, model_ref, agent_def.name, max_tokens=None,
     )
 
     return Agent(

{aru_code-0.28.0 → aru_code-0.30.0}/aru/agents/catalog.py

@@ -21,13 +21,18 @@ class AgentSpec:
 
     The tools_factory is a lazy callable so module load order does not force
     aru.tools.codebase to be imported before this module.
+
+    `max_tokens=None` means "use the model's full cap" (see providers.py).
+    An explicit int caps the agent below that ceiling — providers.py always
+    clamps the final value to min(requested, model_cap) so specs can never
+    ask for more than the model supports.
     """
 
     name: str                            # display name passed to Agno
     role: str                            # key into build_instructions(role, ...)
     mode: Literal["primary", "subagent"]
     tools_factory: Callable[[], list]    # lazy resolver — invoked at agent creation
-    max_tokens: int
+    max_tokens: int | None
     small_model: bool = False            # if True, factory uses ctx.small_model_ref
 
 
@@ -52,12 +57,15 @@ def _explore_tools() -> list:
 
 
 AGENTS: dict[str, AgentSpec] = {
+    # Primary agents default to the model's full output cap (clamped by
+    # providers.create_model). Subagents keep a tight budget so a runaway
+    # explorer can't blow through the whole turn.
     "build": AgentSpec(
         name="Aru",
         role="general",
         mode="primary",
         tools_factory=_build_tools,
-        max_tokens=8192,
+        max_tokens=None,
     ),
     "plan": AgentSpec(
         name="Planner",
@@ -71,14 +79,14 @@ AGENTS: dict[str, AgentSpec] = {
         role="executor",
         mode="primary",
         tools_factory=_exec_tools,
-        max_tokens=8192,
+        max_tokens=None,
     ),
     "explorer": AgentSpec(
         name="Explorer",
         role="explorer",
         mode="subagent",
         tools_factory=_explore_tools,
-        max_tokens=4096,
+        max_tokens=8192,
         small_model=True,
     ),
 }

{aru_code-0.28.0 → aru_code-0.30.0}/aru/cache_patch.py

@@ -1,6 +1,6 @@
 """Monkey-patch Agno's model layer to reduce token consumption.
 
-Three optimizations:
+Four optimizations:
 
 1. **Tool result pruning** (ALL providers): After each tool execution, old tool
    results in the message list are truncated to a short summary. This prevents
@@ -12,6 +12,11 @@ Three optimizations:
 3. **Per-call metrics** (ALL providers): Captures input/output tokens of the
    last API call (context window size), exposed via get_last_call_metrics().
 
+4. **Stop-reason capture** (Anthropic + OpenAI-compatible): Captures the
+   `stop_reason` / `finish_reason` from the final message of the last API call,
+   exposed via get_last_stop_reason(). Lets the runner detect `max_tokens`
+   truncation and trigger the recovery loop.
+
 These patches intercept Agno's internal loop so they work transparently
 regardless of which provider is used.
 """
@@ -33,12 +38,36 @@ _last_call_output_tokens: int = 0
 _last_call_cache_read: int = 0
 _last_call_cache_write: int = 0
 
+# Last API call stop reason (Anthropic uses "end_turn"/"tool_use"/"max_tokens"/
+# "stop_sequence"/"pause_turn"; OpenAI uses "stop"/"length"/"tool_calls").
+# We normalize "length" → "max_tokens" so callers can check a single value.
+_last_call_stop_reason: str | None = None
+
 
 def get_last_call_metrics() -> tuple[int, int, int, int]:
     """Return (input, output, cache_read, cache_write) from the most recent API call."""
     return _last_call_input_tokens, _last_call_output_tokens, _last_call_cache_read, _last_call_cache_write
 
 
+def get_last_stop_reason() -> str | None:
+    """Return the stop reason from the most recent API call, normalized.
+
+    Returns one of: `end_turn`, `tool_use`, `max_tokens`, `stop_sequence`,
+    `pause_turn`, or None if no call has happened yet / the provider did not
+    expose one. OpenAI's `length` is mapped to `max_tokens` and `stop` to
+    `end_turn` so callers have a single vocabulary.
+    """
+    return _last_call_stop_reason
+
+
+def reset_last_stop_reason() -> None:
+    """Clear the cached stop reason — call before starting a new turn so a
+    stale value from a prior turn never leaks into the next one.
+    """
+    global _last_call_stop_reason
+    _last_call_stop_reason = None
+
+
 def _prune_tool_messages(messages):
     """Clear old tool result content using a token-budget approach.
 
@@ -97,6 +126,7 @@ def apply_cache_patch():
     _patch_tool_result_pruning()
     _patch_claude_cache_breakpoints()
     _patch_per_call_metrics()
+    _patch_stop_reason_capture()
 
 
 def _patch_tool_result_pruning():
@@ -235,3 +265,94 @@ def _patch_per_call_metrics():
         _base_module.accumulate_model_metrics = _patched_accumulate
     except (ImportError, AttributeError):
         pass
+
+
+# OpenAI "length" and Anthropic "max_tokens" mean the same thing; normalize so
+# runner logic can check a single value.
+_STOP_REASON_NORMALIZE = {
+    "length": "max_tokens",        # OpenAI
+    "stop": "end_turn",            # OpenAI
+    "tool_calls": "tool_use",      # OpenAI
+    "function_call": "tool_use",   # legacy OpenAI
+    "MAX_TOKENS": "max_tokens",    # Gemini (all-caps)
+}
+
+
+def _record_stop_reason(raw: str | None) -> None:
+    """Normalize and cache the provider's stop reason."""
+    global _last_call_stop_reason
+    if raw is None or raw == "":
+        return
+    _last_call_stop_reason = _STOP_REASON_NORMALIZE.get(raw, raw)
+
+
+def _patch_stop_reason_capture():
+    """Forward `stop_reason` from Agno's provider parsers into a module-level
+    slot readable via `get_last_stop_reason()`.
+
+    Agno's Anthropic adapter sees `response.stop_reason` (non-streaming) and
+    `response.message.stop_reason` (streaming MessageStopEvent), but discards
+    both before anything downstream can observe them. We wrap the two parsers
+    and record the value as a side effect. The OpenAI-compatible adapter
+    already exposes `response.choices[0].finish_reason`, so we hook that too
+    for completeness (Qwen, DeepSeek, Groq, OpenRouter).
+    """
+    # Anthropic (native + streaming)
+    try:
+        from agno.models.anthropic import claude as _claude_mod
+
+        _original_parse = _claude_mod.Claude._parse_provider_response
+        _original_parse_delta = _claude_mod.Claude._parse_provider_response_delta
+
+        def _patched_parse(self, response, *args, **kwargs):
+            result = _original_parse(self, response, *args, **kwargs)
+            _record_stop_reason(getattr(response, "stop_reason", None))
+            return result
+
+        def _patched_parse_delta(self, response, *args, **kwargs):
+            result = _original_parse_delta(self, response, *args, **kwargs)
+            # MessageStopEvent / ParsedBetaMessageStopEvent carry the final
+            # stop_reason on their nested `message` object.
+            msg = getattr(response, "message", None)
+            if msg is not None:
+                _record_stop_reason(getattr(msg, "stop_reason", None))
+            return result
+
+        _claude_mod.Claude._parse_provider_response = _patched_parse
+        _claude_mod.Claude._parse_provider_response_delta = _patched_parse_delta
+    except (ImportError, AttributeError):
+        pass
+
+    # OpenAI-compatible (OpenAI, Qwen/DashScope, DeepSeek, Groq, OpenRouter)
+    try:
+        from agno.models.openai import chat as _openai_chat
+
+        _original_openai_parse = _openai_chat.OpenAIChat._parse_provider_response
+
+        def _patched_openai_parse(self, response, *args, **kwargs):
+            result = _original_openai_parse(self, response, *args, **kwargs)
+            try:
+                choice = response.choices[0]
+                _record_stop_reason(getattr(choice, "finish_reason", None))
+            except (AttributeError, IndexError, TypeError):
+                pass
+            return result
+
+        _openai_chat.OpenAIChat._parse_provider_response = _patched_openai_parse
+
+        if hasattr(_openai_chat.OpenAIChat, "_parse_provider_response_delta"):
+            _original_openai_delta = _openai_chat.OpenAIChat._parse_provider_response_delta
+
+            def _patched_openai_delta(self, response, *args, **kwargs):
+                result = _original_openai_delta(self, response, *args, **kwargs)
+                try:
+                    choice = response.choices[0]
+                    # Only the final chunk sets finish_reason.
+                    _record_stop_reason(getattr(choice, "finish_reason", None))
+                except (AttributeError, IndexError, TypeError):
+                    pass
+                return result
+
+            _openai_chat.OpenAIChat._parse_provider_response_delta = _patched_openai_delta
+    except (ImportError, AttributeError):
+        pass

{aru_code-0.28.0 → aru_code-0.30.0}/aru/cli.py

@@ -15,6 +15,7 @@ import sys
 
 from rich.markdown import Markdown
 from rich.panel import Panel
+from rich.text import Text
 
 # ── Re-exports for backward compatibility ─────────────────────────────
 # Tests and external code import these from aru.cli; keep them accessible.
@@ -92,7 +93,7 @@ _logging.getLogger("agno").setLevel(_logging.WARNING)
 
 from aru.agents.planner import review_plan
 from aru.config import load_config, render_command_template, render_skill_template
-from aru.permissions import get_skip_permissions
+from aru.permissions import get_skip_permissions, set_permission_mode
 from aru.providers import (
     MODEL_ALIASES,
     list_providers,
@@ -100,6 +101,39 @@ from aru.providers import (
 )
 
 
+def _toggle_yolo_mode(ctx) -> None:
+    """Toggle YOLO (dangerously-skip-permissions) mode from the REPL.
+
+    Turning YOLO *off* is unconditional — safety is not at risk.
+    Turning YOLO *on* requires an explicit y/n confirmation with a red warning panel.
+    """
+    if ctx.permission_mode == "yolo":
+        set_permission_mode("default")
+        console.print("[bold green]✔ YOLO disabled — safe mode restored.[/bold green]")
+        return
+
+    warning = Text.from_markup(
+        "[bold red]⚠  DANGEROUSLY SKIP PERMISSIONS (YOLO)[/bold red]\n\n"
+        "[red]All permission prompts will be bypassed for this session, including:[/red]\n"
+        "  • Reading/writing [bold].env[/bold] files and other sensitive paths\n"
+        "  • Arbitrary shell commands ([bold]rm -rf[/bold], package installs, network calls)\n"
+        "  • Edits outside the working directory\n"
+        "  • All sub-agents delegated during this session\n\n"
+        "[dim]Toggle off anytime with /yolo or shift+tab.[/dim]"
+    )
+    console.print(Panel(
+        warning,
+        title="[bold red]Enable YOLO mode?[/bold red]",
+        border_style="red",
+        padding=(1, 2),
+    ))
+    if ask_yes_no("Confirm enabling YOLO mode"):
+        set_permission_mode("yolo")
+        console.print("[bold red]🔥 YOLO MODE ACTIVE — all permissions bypassed.[/bold red]")
+    else:
+        console.print("[dim]Cancelled. Remaining in safe mode.[/dim]")
+
+
 # ── Main REPL ──────────────────────────────────────────────────────────
 
 async def run_cli(skip_permissions: bool = False, resume_id: str | None = None):
@@ -288,7 +322,13 @@ async def run_cli(skip_permissions: bool = False, resume_id: str | None = None):
                         f'  <style fg="ansigray">│</style>'
                         f'  <style fg="ansigray">{ctx.mcp_loaded_msg}</style>'
                     )
-                if ctx.permission_mode == "acceptEdits":
+                if ctx.permission_mode == "yolo":
+                    mode_part = (
+                        f'  <style fg="ansigray">│</style>'
+                        f'  <b><style fg="ansired">🔥 YOLO — permissions bypassed</style></b>'
+                        f'  <style fg="ansigray">(/yolo to toggle)</style>'
+                    )
+                elif ctx.permission_mode == "acceptEdits":
                     mode_part = (
                         f'  <style fg="ansigray">│</style>'
                         f'  <b><style fg="ansigreen">⏵⏵ auto-accept edits on</style></b>'
@@ -570,6 +610,10 @@ async def run_cli(skip_permissions: bool = False, resume_id: str | None = None):
             ))
             continue
 
+        if user_input.lower() in ("/yolo", "/unsafe"):
+            _toggle_yolo_mode(ctx)
+            continue
+
         # Begin a new checkpoint turn for undo support
         _turn_counter += 1
         ctx.checkpoint_manager.begin_turn(_turn_counter)
@@ -667,7 +711,13 @@ async def run_cli(skip_permissions: bool = False, resume_id: str | None = None):
                 if not skill.user_invocable:
                     console.print(f"[yellow]Skill '{cmd_name}' is not user-invocable[/yellow]")
                 else:
+                    session.active_skill = cmd_name
                     prompt = render_skill_template(skill.content, cmd_args)
+                    # Record so the skill body survives compaction — mirror of
+                    # claude-code's addInvokedSkill. Store the rendered content
+                    # (post-argument substitution) so post-compact restoration
+                    # matches what the model initially read.
+                    session.record_invoked_skill(cmd_name, prompt, skill.source_path)
                     console.print(f"[bold magenta]Running skill /{cmd_name}...[/bold magenta]")
 
                     agent = await create_general_agent(session, config, env_context=_build_env_ctx())
@@ -791,7 +841,7 @@ async def run_oneshot(prompt: str, print_only: bool = False, skip_permissions: b
 
         agent = Agent(
             name="Aru",
-            model=create_model(session.model_ref, max_tokens=8192),
+            model=create_model(session.model_ref),  # None → provider cap
             tools=[],
             instructions=build_instructions("general", extra_instructions),
             markdown=True,

{aru_code-0.28.0 → aru_code-0.30.0}/aru/commands.py

@@ -24,6 +24,7 @@ SLASH_COMMANDS = [
     ("/plugin", "Manage cached plugins (install/list/remove/update)", "/plugin <subcommand>"),
     ("/undo", "Undo last turn — restore files and/or conversation", "/undo"),
     ("/cost", "Show detailed token usage and cost", "/cost"),
+    ("/yolo", "Toggle DANGEROUSLY skip all permissions (YOLO mode)", "/yolo"),
     ("/quit", "Exit aru", "/quit"),
 ]
 

{aru_code-0.28.0 → aru_code-0.30.0}/aru/config.py

@@ -39,9 +39,16 @@ class Skill:
     content: str
     source_path: str
     allowed_tools: list[str] = field(default_factory=list)
+    disallowed_tools: list[str] = field(default_factory=list)
     disable_model_invocation: bool = False
     user_invocable: bool = True
     argument_hint: str = ""
+    # Short (~1-2 sentences) reminder used by the core to reinforce the
+    # skill's critical gates during compaction. Not re-injected per turn —
+    # it only appears wrapped in `<system-reminder>` when a compaction
+    # would otherwise drop the skill body from history. When absent, the
+    # core derives a default from `description`.
+    reminder: str = ""
 
 
 @dataclass
@@ -266,6 +273,17 @@ def _parse_skill_metadata(metadata: dict[str, Any]) -> dict[str, Any]:
     else:
         result["allowed_tools"] = []
 
+    disallowed_raw = metadata.get("disallowed-tools", "")
+    if isinstance(disallowed_raw, list):
+        result["disallowed_tools"] = [str(t).strip() for t in disallowed_raw]
+    elif disallowed_raw:
+        result["disallowed_tools"] = [t.strip() for t in str(disallowed_raw).split(",") if t.strip()]
+    else:
+        result["disallowed_tools"] = []
+
+    reminder_raw = metadata.get("reminder", "")
+    result["reminder"] = str(reminder_raw).strip() if reminder_raw else ""
+
     return result
 
 
@@ -382,9 +400,11 @@ def _discover_skills(search_roots: list[Path]) -> dict[str, Skill]:
                 content=body,
                 source_path=str(skill_file),
                 allowed_tools=meta["allowed_tools"],
+                disallowed_tools=meta["disallowed_tools"],
                 disable_model_invocation=meta["disable_model_invocation"],
                 user_invocable=meta["user_invocable"],
                 argument_hint=meta["argument_hint"],
+                reminder=meta["reminder"],
             )
 
     return skills

{aru_code-0.28.0 → aru_code-0.30.0}/aru/context.py

@@ -52,6 +52,20 @@ TRUNCATE_SAVE_DIR = ".aru/truncated"
 # opencode's approach where the split point mirrors the prune window.
 COMPACT_RECENT_CHARS = 160_000
 
+# Per-skill head-keep cap when preserving invoked SKILL.md bodies through a
+# compaction. 20K chars ≈ 5K tokens (claude-code POST_COMPACT_MAX_TOKENS_PER_SKILL).
+# The head is kept because SKILL.md files put gates and checklists at the top.
+POST_COMPACT_MAX_CHARS_PER_SKILL = 20_000
+# Total budget across all invoked skills in the preservation block.
+# 100K chars ≈ 25K tokens (claude-code POST_COMPACT_SKILLS_TOKEN_BUDGET).
+# Skills are sorted most-recent-first; older ones are dropped when the budget
+# fills, so stale mid-session invocations don't crowd out the skill you're
+# currently following.
+POST_COMPACT_SKILLS_BUDGET_CHARS = 100_000
+# Marker appended to a per-skill body when it was truncated — tells the model
+# it can re-read the full SKILL.md at the source path if needed.
+SKILL_TRUNCATION_MARKER = "\n\n[... SKILL.md truncated for budget. Re-read the file if details below the cutoff are needed.]"
+
 # Compaction: trigger when per-call input tokens approach real overflow.
 # Matches opencode's philosophy: only fire near the model's actual context
 # limit, not routinely. Routine context reduction is handled by prune_history
@@ -607,8 +621,88 @@ def build_compaction_prompt(
 
 
 
+def _build_skills_preservation_item(invoked_skills: dict | None) -> dict | None:
+    """Build a user message preserving invoked SKILL.md bodies through compaction.
+
+    Mirrors claude-code's `createSkillAttachmentIfNeeded` (compact.ts:1494) +
+    the `'invoked_skills'` branch of the attachment renderer (messages.ts:3644).
+    Skills are sorted most-recent-first; each body is head-capped at
+    `POST_COMPACT_MAX_CHARS_PER_SKILL`; once the cumulative total crosses
+    `POST_COMPACT_SKILLS_BUDGET_CHARS` subsequent (older) skills are dropped.
+
+    The rendered item is a **user meta-message** whose content is wrapped in
+    `<system-reminder>` tags — this signals to the model that the block is a
+    system-level reminder (elevated attention) rather than fresh user intent.
+    Mirrors `wrapMessagesInSystemReminder` from claude-code.
+
+    Returns None when there is nothing to preserve (no invoked skills, or all
+    bodies empty), so the caller can skip injection cleanly.
+
+    Args:
+        invoked_skills: session.invoked_skills — dict keyed by skill name with
+            `.content`, `.source_path`, `.invoked_at` attributes (InvokedSkill
+            instances; dict-shaped values are tolerated for from-JSON callers).
+    """
+    if not invoked_skills:
+        return None
+
+    def _attr(obj, name, default=""):
+        if isinstance(obj, dict):
+            return obj.get(name, default)
+        return getattr(obj, name, default)
+
+    # Sort most-recent-first so budget pressure drops the oldest skills first.
+    entries = sorted(
+        invoked_skills.values(),
+        key=lambda s: float(_attr(s, "invoked_at", 0.0)) or 0.0,
+        reverse=True,
+    )
+
+    rendered_blocks: list[str] = []
+    used_chars = 0
+    for skill in entries:
+        body = str(_attr(skill, "content", "") or "")
+        if not body.strip():
+            continue
+        # Head-keep cap per skill
+        if len(body) > POST_COMPACT_MAX_CHARS_PER_SKILL:
+            body = body[: POST_COMPACT_MAX_CHARS_PER_SKILL - len(SKILL_TRUNCATION_MARKER)] + SKILL_TRUNCATION_MARKER
+        if used_chars + len(body) > POST_COMPACT_SKILLS_BUDGET_CHARS:
+            break
+        used_chars += len(body)
+
+        name = str(_attr(skill, "name", "") or "?")
+        path = str(_attr(skill, "source_path", "") or "")
+        header = f"### Skill: /{name}"
+        if path:
+            header += f"\nPath: {path}"
+        rendered_blocks.append(f"{header}\n\n{body}")
+
+    if not rendered_blocks:
+        return None
+
+    skills_text = "\n\n---\n\n".join(rendered_blocks)
+    preserved = (
+        "<system-reminder>\n"
+        "The following skills were invoked earlier in this session and their full SKILL.md bodies "
+        "were summarized out during compaction. Continue to follow these guidelines exactly — all "
+        "gates, checklists, and forbidden shortcuts still apply.\n\n"
+        f"{skills_text}\n"
+        "</system-reminder>"
+    )
+
+    from aru.history_blocks import text_block
+    return {
+        "role": "user",
+        "content": [text_block(preserved)],
+    }
+
+
 def apply_compaction(
-    history: list[dict], summary: str, model_id: str = "default"
+    history: list[dict],
+    summary: str,
+    model_id: str = "default",
+    invoked_skills: dict | None = None,
 ) -> list[dict]:
     """Replace OLD messages with a summary, keep RECENT messages intact.
 
@@ -616,12 +710,19 @@ def apply_compaction(
     role alternation stays natural:
         [user: "Please summarize..."]
         [assistant: "<summary>", summary=True]
+        [user: "<system-reminder>...invoked skills...</system-reminder>"]  ← when invoked_skills
         + recent messages as-is
 
     The assistant summary is marked with `summary: True` as a checkpoint.
     `prune_history` walks backward and stops at this marker, so content
     already consolidated into the summary is never re-processed. Mirrors
     opencode's `msg.info.summary` flag (see message-v2.ts:914).
+
+    `invoked_skills` (claude-code parity — `STATE.invokedSkills`) is the
+    session's record of every SKILL.md invoked so far. When provided, a
+    skills-preservation `<system-reminder>` is injected right after the
+    summary so the model continues following skill gates even though the
+    original SKILL.md body was folded into the summary.
     """
     from aru.history_blocks import text_block, coerce_history_item
     _, recent = _split_history(history, model_id)
@@ -637,6 +738,11 @@ def apply_compaction(
             "summary": True,
         },
     ]
+
+    skills_item = _build_skills_preservation_item(invoked_skills)
+    if skills_item is not None:
+        compacted.append(skills_item)
+
     compacted.extend(coerce_history_item(m) for m in recent)
 
     return compacted
@@ -647,6 +753,7 @@ async def compact_conversation(
     model_ref: str,
     plan_task: str | None = None,
     model_id: str = "default",
+    invoked_skills: dict | None = None,
 ) -> list[dict[str, str]]:
     """Run the compaction agent to summarize and replace history.
 
@@ -663,6 +770,13 @@ async def compact_conversation(
       step.
 
     Falls back to a mechanical summary if the agent call fails.
+
+    `invoked_skills` is `session.invoked_skills` — passed through to
+    `apply_compaction` so SKILL.md bodies survive the summary via a
+    `<system-reminder>` preservation block. When None (caller didn't pass
+    it, e.g. tests, subagent flows), `get_ctx().session.invoked_skills` is
+    consulted as a best-effort fallback. See claude-code
+    `createSkillAttachmentIfNeeded` for the pattern.
     """
     from aru.providers import create_model
 
@@ -677,6 +791,19 @@ async def compact_conversation(
     except (LookupError, AttributeError, ImportError):
         pass  # no plugin manager available — proceed without hooks
 
+    # Best-effort: if caller didn't pass invoked_skills but there's a session
+    # in the current runtime context, use its record. Keeps legacy call sites
+    # (subagent compaction, tests) covered without forcing every caller to
+    # plumb the session through.
+    if invoked_skills is None:
+        try:
+            from aru.runtime import get_ctx
+            session = getattr(get_ctx(), "session", None)
+            if session is not None:
+                invoked_skills = getattr(session, "invoked_skills", None)
+        except (LookupError, AttributeError, ImportError):
+            pass
+
     prompt = build_compaction_prompt(history, plan_task, model_id=model_id)
 
     try:
@@ -705,12 +832,12 @@ async def compact_conversation(
             # Fallback: simple mechanical summary
             summary = _fallback_summary(history, plan_task)
 
-        return apply_compaction(history, summary, model_id=model_id)
+        return apply_compaction(history, summary, model_id=model_id, invoked_skills=invoked_skills)
 
     except Exception:
         # Fallback if agent fails
         summary = _fallback_summary(history, plan_task)
-        return apply_compaction(history, summary, model_id=model_id)
+        return apply_compaction(history, summary, model_id=model_id, invoked_skills=invoked_skills)
 
 
 def _fallback_summary(history: list[dict], plan_task: str | None = None) -> str:

{aru_code-0.28.0 → aru_code-0.30.0}/aru/display.py

@@ -119,7 +119,7 @@ def _render_home(session, skip_permissions: bool) -> None:
     console.print(cmds)
     console.print()
 
-    mode_label = "[red]skip permissions[/red]" if skip_permissions else "[green]safe mode[/green]"
+    mode_label = "[bold red]🔥 YOLO mode — permissions bypassed[/bold red]" if skip_permissions else "[green]safe mode[/green]"
     console.print(
         Text.from_markup(
             f"  [dim]model:[/dim] [bold]{session.model_display}[/bold] [dim]({session.model_id})[/dim]"