aru-code 0.28.0__tar.gz → 0.31.0__tar.gz

{aru_code-0.28.0/aru_code.egg-info → aru_code-0.31.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: aru-code
-Version: 0.28.0
+Version: 0.31.0
 Summary: A Claude Code clone built with Agno agents
 Author-email: Estevao <estevaofon@gmail.com>
 License-Expression: MIT

aru_code-0.31.0/aru/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.31.0"

{aru_code-0.28.0 → aru_code-0.31.0}/aru/agent_factory.py

@@ -29,32 +29,26 @@ async def _fire_hook(event_name: str, data: dict) -> dict:
     return data
 
 
-# Tools blocked while the session is in plan mode. Read-only tools (read,
-# glob, grep, list_directory, web_search, web_fetch, etc.) are NOT in this
-# set — the agent needs them to research and write the plan. Mutating or
-# execution-capable tools are gated: the agent must call exit_plan_mode and
-# get user approval before running any of these.
-_PLAN_MODE_BLOCKED_TOOLS: frozenset[str] = frozenset({
-    "edit_file",
-    "edit_files",
-    "write_file",
-    "write_files",
-    "bash",
-    "delegate_task",
-})
+# Backward-compat re-export. The canonical list now lives in
+# aru.tool_policy.PLAN_MODE_BLOCKED_TOOLS; external callers (tests,
+# docs) that import it from here keep working.
+from aru.tool_policy import PLAN_MODE_BLOCKED_TOOLS as _PLAN_MODE_BLOCKED_TOOLS
 
 
 def _wrap_tools_with_hooks(tools: list) -> list:
-    """Wrap tool functions to fire tool.execute.before/after plugin hooks.
-
-    Before hook can mutate args; after hook can mutate the result.
-    If a before hook raises, the tool is not executed and the error is returned.
-
-    Also enforces the plan-mode gate: when `session.plan_mode` is True,
-    any tool in `_PLAN_MODE_BLOCKED_TOOLS` short-circuits with a structured
-    BLOCKED message telling the agent to call `exit_plan_mode` first. The
-    gate runs BEFORE plugin hooks so plan mode is the highest-priority
-    enforcement; plugins cannot accidentally bypass it.
+    """Wrap tool functions with a single tool-policy gate and plugin hooks.
+
+    The policy gate (plan mode + active-skill disallowed_tools) is
+    evaluated by `aru.tool_policy.evaluate_tool_policy` — a single
+    decision function shared with `aru.permissions.resolve_permission`,
+    so both the wrapper and per-tool permission checks see the same
+    answer. When a tool is denied by multiple rules at once, the policy
+    layer returns one combined BLOCKED message rather than two
+    sequential contradictory ones (this is the scenario-1 fix of the
+    combinatorial gate audit).
+
+    Plugin hooks run AFTER the policy gate so a plugin's
+    tool.execute.before hook cannot bypass plan-mode / skill rules.
     """
 
     def _wrap_one(fn):
@@ -64,23 +58,13 @@ def _wrap_tools_with_hooks(tools: list) -> list:
         @functools.wraps(fn)
         async def wrapper(**kwargs):
             tool_name = fn.__name__
-            # Plan-mode gate — fires before any other logic so a mutating
-            # tool never reaches the permission layer or the actual executor.
-            if tool_name in _PLAN_MODE_BLOCKED_TOOLS:
-                try:
-                    from aru.runtime import get_ctx
-                    session = getattr(get_ctx(), "session", None)
-                except (LookupError, AttributeError):
-                    session = None
-                if session is not None and getattr(session, "plan_mode", False):
-                    return (
-                        f"BLOCKED: plan mode is active. Mutating tools "
-                        f"(edit/write/bash/delegate_task) are blocked until the "
-                        f"user approves the plan. Finish writing the plan as "
-                        f"your next assistant message, then call "
-                        f"exit_plan_mode(plan=<full plan text>) to request "
-                        f"approval. Do NOT retry {tool_name}."
-                    )
+            # Unified policy gate — one function, one decision, one
+            # message on denial (combines plan-mode + skill rules when
+            # both apply).
+            from aru.tool_policy import evaluate_tool_policy
+            decision = evaluate_tool_policy(tool_name)
+            if not decision.allowed:
+                return decision.message
             # Before hook — plugins can mutate args or raise PermissionError to block
             try:
                 before_data = await _fire_hook("tool.execute.before", {
@@ -112,10 +96,11 @@ def _wrap_tools_with_hooks(tools: list) -> list:
 
 
 async def _apply_chat_hooks(instructions: str, model_ref: str, agent_name: str,
-                            max_tokens: int = 8192) -> tuple[str, str, int]:
+                            max_tokens: int | None = None) -> tuple[str, str, int | None]:
     """Apply chat.system.transform and chat.params hooks to agent creation params.
 
     Returns (instructions, model_ref, max_tokens) — possibly modified by plugins.
+    When max_tokens is None, providers.create_model will use the model's full cap.
     """
     # chat.system.transform — plugins can modify the system prompt
     data = await _fire_hook("chat.system.transform", {
@@ -124,14 +109,16 @@ async def _apply_chat_hooks(instructions: str, model_ref: str, agent_name: str,
     })
     instructions = data.get("system_prompt", instructions)
 
-    # chat.params — plugins can modify LLM parameters
+    # chat.params — plugins can modify LLM parameters. max_tokens is
+    # deliberately NOT exposed: it is coupled with the recovery loop in
+    # runner.py and mutating it from a plugin can break mid-thought
+    # recovery. Plugins that need to bound output should do so via model
+    # selection or temperature, not raw token limits.
     data = await _fire_hook("chat.params", {
         "model": model_ref,
-        "max_tokens": max_tokens,
         "temperature": None,  # let plugin set if desired
     })
     model_ref = data.get("model", model_ref)
-    max_tokens = data.get("max_tokens", max_tokens)
 
     return instructions, model_ref, max_tokens
 
@@ -216,9 +203,9 @@ async def create_custom_agent_instance(agent_def: CustomAgent, session: Session,
         parts.append(extra)
     instructions = "\n\n".join(parts)
 
-    # Apply chat hooks (system.transform + params)
+    # Apply chat hooks (system.transform + params). max_tokens=None → provider cap.
     instructions, model_ref, max_tokens = await _apply_chat_hooks(
-        instructions, model_ref, agent_def.name, max_tokens=8192,
+        instructions, model_ref, agent_def.name, max_tokens=None,
     )
 
     return Agent(

{aru_code-0.28.0 → aru_code-0.31.0}/aru/agents/catalog.py

@@ -21,13 +21,18 @@ class AgentSpec:
 
     The tools_factory is a lazy callable so module load order does not force
     aru.tools.codebase to be imported before this module.
+
+    `max_tokens=None` means "use the model's full cap" (see providers.py).
+    An explicit int caps the agent below that ceiling — providers.py always
+    clamps the final value to min(requested, model_cap) so specs can never
+    ask for more than the model supports.
     """
 
     name: str                            # display name passed to Agno
     role: str                            # key into build_instructions(role, ...)
     mode: Literal["primary", "subagent"]
     tools_factory: Callable[[], list]    # lazy resolver — invoked at agent creation
-    max_tokens: int
+    max_tokens: int | None
     small_model: bool = False            # if True, factory uses ctx.small_model_ref
 
 
@@ -52,12 +57,15 @@ def _explore_tools() -> list:
 
 
 AGENTS: dict[str, AgentSpec] = {
+    # Primary agents default to the model's full output cap (clamped by
+    # providers.create_model). Subagents keep a tight budget so a runaway
+    # explorer can't blow through the whole turn.
     "build": AgentSpec(
         name="Aru",
         role="general",
         mode="primary",
         tools_factory=_build_tools,
-        max_tokens=8192,
+        max_tokens=None,
     ),
     "plan": AgentSpec(
         name="Planner",
@@ -71,14 +79,14 @@ AGENTS: dict[str, AgentSpec] = {
         role="executor",
         mode="primary",
         tools_factory=_exec_tools,
-        max_tokens=8192,
+        max_tokens=None,
     ),
     "explorer": AgentSpec(
         name="Explorer",
         role="explorer",
         mode="subagent",
         tools_factory=_explore_tools,
-        max_tokens=4096,
+        max_tokens=8192,
         small_model=True,
     ),
 }

{aru_code-0.28.0 → aru_code-0.31.0}/aru/cache_patch.py

@@ -1,6 +1,6 @@
 """Monkey-patch Agno's model layer to reduce token consumption.
 
-Three optimizations:
+Four optimizations:
 
 1. **Tool result pruning** (ALL providers): After each tool execution, old tool
    results in the message list are truncated to a short summary. This prevents
@@ -12,6 +12,11 @@ Three optimizations:
 3. **Per-call metrics** (ALL providers): Captures input/output tokens of the
    last API call (context window size), exposed via get_last_call_metrics().
 
+4. **Stop-reason capture** (Anthropic + OpenAI-compatible): Captures the
+   `stop_reason` / `finish_reason` from the final message of the last API call,
+   exposed via get_last_stop_reason(). Lets the runner detect `max_tokens`
+   truncation and trigger the recovery loop.
+
 These patches intercept Agno's internal loop so they work transparently
 regardless of which provider is used.
 """
@@ -33,12 +38,36 @@ _last_call_output_tokens: int = 0
 _last_call_cache_read: int = 0
 _last_call_cache_write: int = 0
 
+# Last API call stop reason (Anthropic uses "end_turn"/"tool_use"/"max_tokens"/
+# "stop_sequence"/"pause_turn"; OpenAI uses "stop"/"length"/"tool_calls").
+# We normalize "length" → "max_tokens" so callers can check a single value.
+_last_call_stop_reason: str | None = None
+
 
 def get_last_call_metrics() -> tuple[int, int, int, int]:
     """Return (input, output, cache_read, cache_write) from the most recent API call."""
     return _last_call_input_tokens, _last_call_output_tokens, _last_call_cache_read, _last_call_cache_write
 
 
+def get_last_stop_reason() -> str | None:
+    """Return the stop reason from the most recent API call, normalized.
+
+    Returns one of: `end_turn`, `tool_use`, `max_tokens`, `stop_sequence`,
+    `pause_turn`, or None if no call has happened yet / the provider did not
+    expose one. OpenAI's `length` is mapped to `max_tokens` and `stop` to
+    `end_turn` so callers have a single vocabulary.
+    """
+    return _last_call_stop_reason
+
+
+def reset_last_stop_reason() -> None:
+    """Clear the cached stop reason — call before starting a new turn so a
+    stale value from a prior turn never leaks into the next one.
+    """
+    global _last_call_stop_reason
+    _last_call_stop_reason = None
+
+
 def _prune_tool_messages(messages):
     """Clear old tool result content using a token-budget approach.
 
@@ -97,6 +126,7 @@ def apply_cache_patch():
     _patch_tool_result_pruning()
     _patch_claude_cache_breakpoints()
     _patch_per_call_metrics()
+    _patch_stop_reason_capture()
 
 
 def _patch_tool_result_pruning():
@@ -235,3 +265,94 @@ def _patch_per_call_metrics():
         _base_module.accumulate_model_metrics = _patched_accumulate
     except (ImportError, AttributeError):
         pass
+
+
+# OpenAI "length" and Anthropic "max_tokens" mean the same thing; normalize so
+# runner logic can check a single value.
+_STOP_REASON_NORMALIZE = {
+    "length": "max_tokens",        # OpenAI
+    "stop": "end_turn",            # OpenAI
+    "tool_calls": "tool_use",      # OpenAI
+    "function_call": "tool_use",   # legacy OpenAI
+    "MAX_TOKENS": "max_tokens",    # Gemini (all-caps)
+}
+
+
+def _record_stop_reason(raw: str | None) -> None:
+    """Normalize and cache the provider's stop reason."""
+    global _last_call_stop_reason
+    if raw is None or raw == "":
+        return
+    _last_call_stop_reason = _STOP_REASON_NORMALIZE.get(raw, raw)
+
+
+def _patch_stop_reason_capture():
+    """Forward `stop_reason` from Agno's provider parsers into a module-level
+    slot readable via `get_last_stop_reason()`.
+
+    Agno's Anthropic adapter sees `response.stop_reason` (non-streaming) and
+    `response.message.stop_reason` (streaming MessageStopEvent), but discards
+    both before anything downstream can observe them. We wrap the two parsers
+    and record the value as a side effect. The OpenAI-compatible adapter
+    already exposes `response.choices[0].finish_reason`, so we hook that too
+    for completeness (Qwen, DeepSeek, Groq, OpenRouter).
+    """
+    # Anthropic (native + streaming)
+    try:
+        from agno.models.anthropic import claude as _claude_mod
+
+        _original_parse = _claude_mod.Claude._parse_provider_response
+        _original_parse_delta = _claude_mod.Claude._parse_provider_response_delta
+
+        def _patched_parse(self, response, *args, **kwargs):
+            result = _original_parse(self, response, *args, **kwargs)
+            _record_stop_reason(getattr(response, "stop_reason", None))
+            return result
+
+        def _patched_parse_delta(self, response, *args, **kwargs):
+            result = _original_parse_delta(self, response, *args, **kwargs)
+            # MessageStopEvent / ParsedBetaMessageStopEvent carry the final
+            # stop_reason on their nested `message` object.
+            msg = getattr(response, "message", None)
+            if msg is not None:
+                _record_stop_reason(getattr(msg, "stop_reason", None))
+            return result
+
+        _claude_mod.Claude._parse_provider_response = _patched_parse
+        _claude_mod.Claude._parse_provider_response_delta = _patched_parse_delta
+    except (ImportError, AttributeError):
+        pass
+
+    # OpenAI-compatible (OpenAI, Qwen/DashScope, DeepSeek, Groq, OpenRouter)
+    try:
+        from agno.models.openai import chat as _openai_chat
+
+        _original_openai_parse = _openai_chat.OpenAIChat._parse_provider_response
+
+        def _patched_openai_parse(self, response, *args, **kwargs):
+            result = _original_openai_parse(self, response, *args, **kwargs)
+            try:
+                choice = response.choices[0]
+                _record_stop_reason(getattr(choice, "finish_reason", None))
+            except (AttributeError, IndexError, TypeError):
+                pass
+            return result
+
+        _openai_chat.OpenAIChat._parse_provider_response = _patched_openai_parse
+
+        if hasattr(_openai_chat.OpenAIChat, "_parse_provider_response_delta"):
+            _original_openai_delta = _openai_chat.OpenAIChat._parse_provider_response_delta
+
+            def _patched_openai_delta(self, response, *args, **kwargs):
+                result = _original_openai_delta(self, response, *args, **kwargs)
+                try:
+                    choice = response.choices[0]
+                    # Only the final chunk sets finish_reason.
+                    _record_stop_reason(getattr(choice, "finish_reason", None))
+                except (AttributeError, IndexError, TypeError):
+                    pass
+                return result
+
+            _openai_chat.OpenAIChat._parse_provider_response_delta = _patched_openai_delta
+    except (ImportError, AttributeError):
+        pass

{aru_code-0.28.0 → aru_code-0.31.0}/aru/cli.py

@@ -15,6 +15,7 @@ import sys
 
 from rich.markdown import Markdown
 from rich.panel import Panel
+from rich.text import Text
 
 # ── Re-exports for backward compatibility ─────────────────────────────
 # Tests and external code import these from aru.cli; keep them accessible.
@@ -92,7 +93,7 @@ _logging.getLogger("agno").setLevel(_logging.WARNING)
 
 from aru.agents.planner import review_plan
 from aru.config import load_config, render_command_template, render_skill_template
-from aru.permissions import get_skip_permissions
+from aru.permissions import get_skip_permissions, set_permission_mode
 from aru.providers import (
     MODEL_ALIASES,
     list_providers,
@@ -100,6 +101,39 @@ from aru.providers import (
 )
 
 
+def _toggle_yolo_mode(ctx) -> None:
+    """Toggle YOLO (dangerously-skip-permissions) mode from the REPL.
+
+    Turning YOLO *off* is unconditional — safety is not at risk.
+    Turning YOLO *on* requires an explicit y/n confirmation with a red warning panel.
+    """
+    if ctx.permission_mode == "yolo":
+        set_permission_mode("default")
+        console.print("[bold green]✔ YOLO disabled — safe mode restored.[/bold green]")
+        return
+
+    warning = Text.from_markup(
+        "[bold red]⚠  DANGEROUSLY SKIP PERMISSIONS (YOLO)[/bold red]\n\n"
+        "[red]All permission prompts will be bypassed for this session, including:[/red]\n"
+        "  • Reading/writing [bold].env[/bold] files and other sensitive paths\n"
+        "  • Arbitrary shell commands ([bold]rm -rf[/bold], package installs, network calls)\n"
+        "  • Edits outside the working directory\n"
+        "  • All sub-agents delegated during this session\n\n"
+        "[dim]Toggle off anytime with /yolo or shift+tab.[/dim]"
+    )
+    console.print(Panel(
+        warning,
+        title="[bold red]Enable YOLO mode?[/bold red]",
+        border_style="red",
+        padding=(1, 2),
+    ))
+    if ask_yes_no("Confirm enabling YOLO mode"):
+        set_permission_mode("yolo")
+        console.print("[bold red]🔥 YOLO MODE ACTIVE — all permissions bypassed.[/bold red]")
+    else:
+        console.print("[dim]Cancelled. Remaining in safe mode.[/dim]")
+
+
 # ── Main REPL ──────────────────────────────────────────────────────────
 
 async def run_cli(skip_permissions: bool = False, resume_id: str | None = None):
@@ -288,7 +322,13 @@ async def run_cli(skip_permissions: bool = False, resume_id: str | None = None):
                         f'  <style fg="ansigray">│</style>'
                         f'  <style fg="ansigray">{ctx.mcp_loaded_msg}</style>'
                     )
-                if ctx.permission_mode == "acceptEdits":
+                if ctx.permission_mode == "yolo":
+                    mode_part = (
+                        f'  <style fg="ansigray">│</style>'
+                        f'  <b><style fg="ansired">🔥 YOLO — permissions bypassed</style></b>'
+                        f'  <style fg="ansigray">(/yolo to toggle)</style>'
+                    )
+                elif ctx.permission_mode == "acceptEdits":
                     mode_part = (
                         f'  <style fg="ansigray">│</style>'
                         f'  <b><style fg="ansigreen">⏵⏵ auto-accept edits on</style></b>'
@@ -570,6 +610,10 @@ async def run_cli(skip_permissions: bool = False, resume_id: str | None = None):
             ))
             continue
 
+        if user_input.lower() in ("/yolo", "/unsafe"):
+            _toggle_yolo_mode(ctx)
+            continue
+
         # Begin a new checkpoint turn for undo support
         _turn_counter += 1
         ctx.checkpoint_manager.begin_turn(_turn_counter)
@@ -667,7 +711,16 @@ async def run_cli(skip_permissions: bool = False, resume_id: str | None = None):
                 if not skill.user_invocable:
                     console.print(f"[yellow]Skill '{cmd_name}' is not user-invocable[/yellow]")
                 else:
+                    # Slash-invoked skills always run under the primary agent
+                    # scope (agent_id=None). Subagents reach skills via the
+                    # invoke_skill tool, which keys by ctx.agent_id instead.
+                    session.set_active_skill(None, cmd_name)
                     prompt = render_skill_template(skill.content, cmd_args)
+                    # Record so the skill body survives compaction — mirror of
+                    # claude-code's addInvokedSkill. Store the rendered content
+                    # (post-argument substitution) so post-compact restoration
+                    # matches what the model initially read.
+                    session.record_invoked_skill(cmd_name, prompt, skill.source_path, agent_id=None)
                     console.print(f"[bold magenta]Running skill /{cmd_name}...[/bold magenta]")
 
                     agent = await create_general_agent(session, config, env_context=_build_env_ctx())
@@ -791,7 +844,7 @@ async def run_oneshot(prompt: str, print_only: bool = False, skip_permissions: b
 
         agent = Agent(
             name="Aru",
-            model=create_model(session.model_ref, max_tokens=8192),
+            model=create_model(session.model_ref),  # None → provider cap
             tools=[],
             instructions=build_instructions("general", extra_instructions),
             markdown=True,

{aru_code-0.28.0 → aru_code-0.31.0}/aru/commands.py

@@ -24,6 +24,7 @@ SLASH_COMMANDS = [
     ("/plugin", "Manage cached plugins (install/list/remove/update)", "/plugin <subcommand>"),
     ("/undo", "Undo last turn — restore files and/or conversation", "/undo"),
     ("/cost", "Show detailed token usage and cost", "/cost"),
+    ("/yolo", "Toggle DANGEROUSLY skip all permissions (YOLO mode)", "/yolo"),
     ("/quit", "Exit aru", "/quit"),
 ]
 

{aru_code-0.28.0 → aru_code-0.31.0}/aru/config.py

@@ -39,9 +39,16 @@ class Skill:
     content: str
     source_path: str
     allowed_tools: list[str] = field(default_factory=list)
+    disallowed_tools: list[str] = field(default_factory=list)
     disable_model_invocation: bool = False
     user_invocable: bool = True
     argument_hint: str = ""
+    # Short (~1-2 sentences) reminder used by the core to reinforce the
+    # skill's critical gates during compaction. Not re-injected per turn —
+    # it only appears wrapped in `<system-reminder>` when a compaction
+    # would otherwise drop the skill body from history. When absent, the
+    # core derives a default from `description`.
+    reminder: str = ""
 
 
 @dataclass
@@ -266,6 +273,17 @@ def _parse_skill_metadata(metadata: dict[str, Any]) -> dict[str, Any]:
     else:
         result["allowed_tools"] = []
 
+    disallowed_raw = metadata.get("disallowed-tools", "")
+    if isinstance(disallowed_raw, list):
+        result["disallowed_tools"] = [str(t).strip() for t in disallowed_raw]
+    elif disallowed_raw:
+        result["disallowed_tools"] = [t.strip() for t in str(disallowed_raw).split(",") if t.strip()]
+    else:
+        result["disallowed_tools"] = []
+
+    reminder_raw = metadata.get("reminder", "")
+    result["reminder"] = str(reminder_raw).strip() if reminder_raw else ""
+
     return result
 
 
@@ -382,9 +400,11 @@ def _discover_skills(search_roots: list[Path]) -> dict[str, Skill]:
                 content=body,
                 source_path=str(skill_file),
                 allowed_tools=meta["allowed_tools"],
+                disallowed_tools=meta["disallowed_tools"],
                 disable_model_invocation=meta["disable_model_invocation"],
                 user_invocable=meta["user_invocable"],
                 argument_hint=meta["argument_hint"],
+                reminder=meta["reminder"],
             )
 
     return skills