@cruxy/cli 0.4.0 → 0.6.0

package/dist/approval/prompt.js

@@ -0,0 +1,212 @@
+import path from "node:path";
+import pc from "picocolors";
+/** Cap on rendered preview lines before collapsing the rest. */
+const PREVIEW_MAX_LINES = 40;
+/**
+ * Render the action, read one key, and map it to a {@link PromptChoice}. `n`/`t`
+ * read a follow-up line (reason / instruction). Anything else — including EOF —
+ * is a reject.
+ */
+export async function promptForApproval(request, io) {
+    io.write(render(request, io.color));
+    const key = (await io.readKey()).toLowerCase();
+    io.write("\n");
+    switch (key) {
+        case "y":
+            return { kind: "once" };
+        case "a":
+            return { kind: "session" };
+        case "n": {
+            io.write("  reason (optional, sent to the agent): ");
+            const reason = (await io.readLine()).trim();
+            return reason ? { kind: "reject", reason } : { kind: "reject" };
+        }
+        case "t": {
+            io.write("  what should the agent do instead? ");
+            const instruction = (await io.readLine()).trim();
+            return instruction
+                ? { kind: "instruct", instruction }
+                : { kind: "reject" };
+        }
+        default:
+            // n/a key, empty, EOF, Ctrl-C → default-deny.
+            return { kind: "reject" };
+    }
+}
+/** Render the full prompt block: header, detail (diff or command+cwd), choices. */
+export function render(request, color) {
+    const c = pc.createColors(color);
+    const destructive = request.tier === "destructive";
+    const mark = destructive ? c.red(c.bold("!")) : c.yellow("?");
+    const label = destructive ? c.red(c.bold(" (destructive)")) : "";
+    const lines = [];
+    lines.push(`${mark} cruxy wants to ${c.bold(request.summary)}${label}`);
+    lines.push(detail(request, c));
+    lines.push(choices(request.scope, c));
+    return lines.filter((l) => l !== "").join("\n") + " ";
+}
+/** The action detail: a diff for file actions, the command + cwd for shell. */
+function detail(request, c) {
+    if (request.action.kind === "shell") {
+        return [
+            `  ${c.dim("$")} ${request.action.command ?? ""}`,
+            `  ${c.dim(`in ${request.cwd}`)}`,
+        ].join("\n");
+    }
+    return renderPreview(request.action.preview, c);
+}
+/** The choices line, including a short label of what an `a` grant would cover. */
+function choices(scope, c) {
+    const grant = scopeLabel(scope);
+    const a = grant === null
+        ? `${c.dim("[a] allow this kind (n/a here)")}`
+        : `[a] allow ${c.bold(grant)} this session`;
+    return `  ${c.dim("[y] approve once ·")} ${a} ${c.dim("· [n] reject · [t] reject & instruct:")}`;
+}
+/** Short human label for what a session grant would allow, or null if none. */
+function scopeLabel(scope) {
+    if (scope.kind === "shell-prefix")
+        return `${scope.token} commands`;
+    if (scope.kind === "file-subtree")
+        return `changes under ${path.basename(scope.root)}/`;
+    return null;
+}
+// ── diff rendering (shared with the old C.6 renderer) ──────────────────────────
+function diffLines(oldStr, newStr, c) {
+    const removed = oldStr.split("\n").map((l) => c.red(`- ${l}`));
+    const added = newStr.split("\n").map((l) => c.green(`+ ${l}`));
+    return [...removed, ...added];
+}
+function renderPatchFiles(files, c) {
+    const out = [];
+    for (const file of files) {
+        if (file.op === "delete") {
+            out.push(c.red(`delete ${file.path}`));
+        }
+        else if (file.op === "create") {
+            out.push(c.green(`create ${file.path}`));
+            out.push(...file.lines.map((l) => c.green(`+ ${l}`)));
+            if (file.omittedLines > 0)
+                out.push(c.dim(`  ...${file.omittedLines} more lines`));
+        }
+        else {
+            out.push(c.yellow(`update ${file.path}`));
+            for (const hunk of file.hunks)
+                out.push(...diffLines(hunk.oldStr, hunk.newStr, c));
+        }
+    }
+    return out;
+}
+/** Render a `vcs` pull-request publish plan: branch, commit, and PR body. */
+function renderPrPreview(preview, c) {
+    const out = [];
+    out.push(`${c.bold("branch")}  ${c.green(preview.branch)} → ${preview.base}`);
+    out.push("");
+    out.push(c.bold("commit"));
+    out.push(`  ${preview.commitSubject}`);
+    for (const line of bodyLines(preview.commitBody))
+        out.push(c.dim(`  ${line}`));
+    out.push("");
+    out.push(`${c.bold("pull request")}  ${preview.prTitle}`);
+    for (const line of bodyLines(preview.prBody))
+        out.push(c.dim(`  ${line}`));
+    return out;
+}
+/** Split a multi-line body into trimmed-of-trailing lines, dropping a trailing blank. */
+function bodyLines(body) {
+    const lines = body.replace(/\s+$/, "").split("\n");
+    return lines.length === 1 && lines[0] === "" ? [] : lines;
+}
+function renderPreview(preview, c) {
+    if (!preview)
+        return "";
+    let lines;
+    if (preview.type === "edit") {
+        lines = diffLines(preview.oldStr, preview.newStr, c);
+    }
+    else if (preview.type === "patch") {
+        lines = renderPatchFiles(preview.files, c);
+    }
+    else if (preview.type === "pr") {
+        lines = renderPrPreview(preview, c);
+    }
+    else {
+        const header = preview.exists
+            ? c.yellow("OVERWRITE existing")
+            : c.green("create");
+        const body = preview.lines.map((l) => `  ${l}`);
+        if (preview.omittedLines > 0)
+            body.push(c.dim(`  ...${preview.omittedLines} more lines`));
+        lines = [header, ...body];
+    }
+    if (lines.length > PREVIEW_MAX_LINES) {
+        const hidden = lines.length - PREVIEW_MAX_LINES;
+        lines = [...lines.slice(0, PREVIEW_MAX_LINES), c.dim(`...${hidden} more`)];
+    }
+    return lines.map((l) => `  ${l}`).join("\n");
+}
+// ── default stdin-backed PromptIO ──────────────────────────────────────────────
+/** Build the real PromptIO: prompt to stderr, read keys/lines from stdin. */
+export function defaultPromptIO(color) {
+    return {
+        write: (text) => void process.stderr.write(text),
+        readKey: readKeyFromStdin,
+        readLine: readLineFromStdin,
+        color,
+    };
+}
+/** Read a single keypress in raw mode; "" on EOF. Always restores cooked mode. */
+function readKeyFromStdin() {
+    const stdin = process.stdin;
+    return new Promise((resolve) => {
+        const cleanup = () => {
+            stdin.removeListener("data", onData);
+            stdin.removeListener("end", onEnd);
+            if (stdin.isTTY)
+                stdin.setRawMode(false);
+            stdin.pause();
+        };
+        const onData = (buf) => {
+            cleanup();
+            resolve(buf.toString("utf8").slice(0, 1));
+        };
+        const onEnd = () => {
+            cleanup();
+            resolve("");
+        };
+        if (stdin.isTTY)
+            stdin.setRawMode(true);
+        stdin.resume();
+        stdin.once("data", onData);
+        stdin.once("end", onEnd);
+    });
+}
+/** Read one line in cooked mode; "" on EOF. */
+function readLineFromStdin() {
+    const stdin = process.stdin;
+    return new Promise((resolve) => {
+        let buf = "";
+        const cleanup = () => {
+            stdin.removeListener("data", onData);
+            stdin.removeListener("end", onEnd);
+            stdin.pause();
+        };
+        const onData = (chunk) => {
+            buf += chunk.toString("utf8");
+            const nl = buf.indexOf("\n");
+            if (nl !== -1) {
+                cleanup();
+                resolve(buf.slice(0, nl).replace(/\r$/, ""));
+            }
+        };
+        const onEnd = () => {
+            cleanup();
+            resolve(buf.replace(/\r$/, ""));
+        };
+        if (stdin.isTTY)
+            stdin.setRawMode(false);
+        stdin.resume();
+        stdin.on("data", onData);
+        stdin.once("end", onEnd);
+    });
+}

package/dist/approval/service.d.ts

@@ -0,0 +1,36 @@
+import type { ApproveAction } from "../tools/types.js";
+import { type PromptIO } from "./prompt.js";
+import type { ApprovalDecision, ApprovalPolicy } from "./types.js";
+/**
+ * The approval gate, called by the tool layer **before any side effect**. It
+ * classifies the action, lets read-only actions through, **throws
+ * CRUXY_E_APPROVAL_REQUIRED when it can't ask** (non-interactive — default-deny,
+ * never auto-approve), and otherwise defers to the policy. It owns the
+ * per-session allowlist, so a new service ⇒ a fresh session.
+ */
+export interface ApprovalServiceOptions {
+    /** Resolved project root the actions run in. */
+    cwd: string;
+    /** Whether cruxy can actually prompt (stdin is a TTY). */
+    interactive: boolean;
+    /** Override the decision policy (the seam — tests / a future CI policy). */
+    policy?: ApprovalPolicy;
+    /** Override the prompt I/O (tests script keys/lines). */
+    io?: PromptIO;
+}
+export declare class ApprovalService {
+    private readonly cwd;
+    private readonly interactive;
+    private readonly allowlist;
+    private readonly policy;
+    constructor(opts: ApprovalServiceOptions);
+    /**
+     * Decide whether `action` may proceed. Read-only ⇒ allow. Non-interactive ⇒
+     * throw {@link approvalRequired} (the U.5 error system, exit 10). Otherwise the
+     * policy prompts. A returned `{allow:false}` is a clean rejection (fed back to
+     * the agent), not an error.
+     */
+    requestApproval(action: ApproveAction): Promise<ApprovalDecision>;
+    /** Clear all session grants (a fresh session). */
+    resetSession(): void;
+}

package/dist/approval/service.js

@@ -0,0 +1,37 @@
+import { approvalRequired } from "../errors/index.js";
+import { shouldUseColor } from "../errors/index.js";
+import { classify } from "./classify.js";
+import { InteractivePolicy, SessionAllowlist } from "./policy.js";
+import { defaultPromptIO } from "./prompt.js";
+export class ApprovalService {
+    cwd;
+    interactive;
+    allowlist = new SessionAllowlist();
+    policy;
+    constructor(opts) {
+        this.cwd = opts.cwd;
+        this.interactive = opts.interactive;
+        this.policy =
+            opts.policy ??
+                new InteractivePolicy(this.allowlist, opts.io ?? defaultPromptIO(shouldUseColor()));
+    }
+    /**
+     * Decide whether `action` may proceed. Read-only ⇒ allow. Non-interactive ⇒
+     * throw {@link approvalRequired} (the U.5 error system, exit 10). Otherwise the
+     * policy prompts. A returned `{allow:false}` is a clean rejection (fed back to
+     * the agent), not an error.
+     */
+    async requestApproval(action) {
+        const request = classify(action, this.cwd);
+        if (request.tier === "read")
+            return { allow: true };
+        if (!this.interactive) {
+            throw approvalRequired(request.summary);
+        }
+        return this.policy.decide(request);
+    }
+    /** Clear all session grants (a fresh session). */
+    resetSession() {
+        this.allowlist.clear();
+    }
+}

package/dist/approval/types.d.ts

@@ -0,0 +1,64 @@
+import type { ApproveAction } from "../tools/types.js";
+/**
+ * Types for the approval gate (U.3) — the security boundary between the agent
+ * and side-effecting actions. The gate is **default-deny**: no response means
+ * reject, never auto-approve.
+ */
+/**
+ * Risk classification for a pending action. Friction is reserved for what's
+ * risky, so users don't rubber-stamp.
+ * - `read` — read-only, auto-allowed (read tools bypass the gate entirely).
+ * - `mutate` — reversible-ish mutation (file write/edit) → approve, normal style.
+ * - `destructive` — irreversible / high blast radius (shell, delete) → approve,
+ *   visually distinct. **Unknown actions classify here.**
+ */
+export type RiskTier = "read" | "mutate" | "destructive";
+/**
+ * The tight scope a session grant is keyed by. Never blanket.
+ * - `shell-prefix` — a command's leading program token (e.g. `git`); only ever
+ *   matches commands we can *positively* prove are simple (no shell features).
+ * - `file-subtree` — an absolute directory (or, under the root-cap, an exact
+ *   file path); matches targets that resolve inside it.
+ * - `none` — nothing safe to grant (e.g. a multi-file patch spanning the root).
+ */
+export type Scope = {
+    readonly kind: "shell-prefix";
+    readonly token: string;
+} | {
+    readonly kind: "file-subtree";
+    readonly root: string;
+} | {
+    readonly kind: "none";
+};
+/** A pending action, classified and ready to show / decide on. */
+export interface ApprovalRequest {
+    /** The raw tool action (kind, path/command, preview). */
+    readonly action: ApproveAction;
+    /** Risk classification. */
+    readonly tier: RiskTier;
+    /** The tight scope a session grant would use. */
+    readonly scope: Scope;
+    /** One plain line describing the action (e.g. "run: git status"). */
+    readonly summary: string;
+    /** Absolute resolved target paths for file actions; `[]` for shell. */
+    readonly targets: readonly string[];
+    /** Resolved project root the action runs in (shown as the shell cwd). */
+    readonly cwd: string;
+}
+/**
+ * The gate's verdict. On reject, `feedback` (if any) is fed back to the agent as
+ * the tool result so it can adapt — a rejection is data, not an error.
+ */
+export type ApprovalDecision = {
+    readonly allow: true;
+} | {
+    readonly allow: false;
+    readonly feedback?: string;
+};
+/**
+ * Pluggable decision strategy — the seam. Only `InteractivePolicy` ships in U.3;
+ * a future non-interactive/CI policy slots in here without touching call sites.
+ */
+export interface ApprovalPolicy {
+    decide(request: ApprovalRequest): Promise<ApprovalDecision>;
+}

package/dist/approval/types.js

@@ -0,0 +1 @@
+export {};

package/dist/cli/commands/pr.d.ts

@@ -0,0 +1,8 @@
+import { Command } from "commander";
+/**
+ * `cruxy pr` — turn the current changes into a pull request (C.15). Generates the
+ * branch name, conventional commit, and PR title/body from the diff with the
+ * model, then runs branch → commit → push → open-PR behind the one U.3 approval.
+ * The forge token comes from the environment / `gh`; it's never prompted or stored.
+ */
+export declare function prCommand(): Command;

package/dist/cli/commands/pr.js

@@ -0,0 +1,87 @@
+import { Command } from "commander";
+import pc from "picocolors";
+import { createProvider } from "@cruxy/sdk";
+import { logger } from "../../utils/logger.js";
+import { loadConfig, resolveApiKey } from "../../config/index.js";
+import { authMissingKey } from "../../errors/index.js";
+import { ApprovalService } from "../../approval/index.js";
+import { createForgeProvider, createPrService, generateWithLlm, loadCommitGuidance, resolveForgeToken, } from "../../vcs/index.js";
+/**
+ * `cruxy pr` — turn the current changes into a pull request (C.15). Generates the
+ * branch name, conventional commit, and PR title/body from the diff with the
+ * model, then runs branch → commit → push → open-PR behind the one U.3 approval.
+ * The forge token comes from the environment / `gh`; it's never prompted or stored.
+ */
+export function prCommand() {
+    return new Command("pr")
+        .description("open a pull request from the current changes (generated + gated)")
+        .option("-b, --base <branch>", "base branch to merge into")
+        .option("-t, --title <title>", "PR title (conventional-commit subject)")
+        .option("--body <body>", "PR body")
+        .option("--draft", "open the pull request as a draft")
+        .action(async (opts) => {
+        const cwd = process.cwd();
+        const { config } = loadConfig();
+        // The model writes the PR content, so we need a provider key just like
+        // `cruxy run`. The forge token is resolved separately (env / gh).
+        const apiKey = resolveApiKey(config.model.provider);
+        if (!apiKey) {
+            throw authMissingKey(config.model.provider, apiKeyEnvVar(config.model.provider));
+        }
+        const provider = createProvider({
+            provider: config.model.provider,
+            apiKey,
+            model: config.model.model,
+            maxTokens: config.model.maxTokens,
+            temperature: config.model.temperature,
+            gatewayUrl: config.cruxy.gatewayUrl,
+        });
+        // resolveForgeToken throws CRUXY_E_FORGE_AUTH (exit 4) if none is found.
+        const forge = createForgeProvider(resolveForgeToken());
+        const guidance = await loadCommitGuidance(cwd);
+        const approval = new ApprovalService({
+            cwd,
+            interactive: Boolean(process.stdin.isTTY),
+        });
+        const service = createPrService({
+            cwd,
+            config,
+            forge,
+            requestApproval: (action) => approval.requestApproval(action),
+            generate: (i) => generateWithLlm(provider, {
+                ...i,
+                scopes: guidance.scopes,
+                skillBody: guidance.skillBody,
+            }),
+        });
+        logger.info(pc.dim("generating pull request content…"));
+        const outcome = await service.openPullRequest({
+            base: opts.base,
+            title: opts.title,
+            body: opts.body,
+            draft: opts.draft,
+        });
+        if (!outcome.approved) {
+            logger.print(pc.yellow("pull request not opened — approval declined."));
+            if (outcome.feedback)
+                logger.print(pc.dim(outcome.feedback));
+            return;
+        }
+        const label = outcome.alreadyExists
+            ? "a pull request already exists"
+            : "opened pull request";
+        logger.print(`${pc.green("✓")} ${label} (${outcome.branch} → ${outcome.base})`);
+        logger.print(pc.cyan(outcome.url));
+    });
+}
+/** Environment variable that holds the API key for a provider. */
+function apiKeyEnvVar(provider) {
+    switch (provider) {
+        case "anthropic":
+            return "ANTHROPIC_API_KEY";
+        case "openai":
+            return "OPENAI_API_KEY";
+        default:
+            return "CRUXY_API_KEY";
+    }
+}

package/dist/cli/commands/run.js

@@ -4,8 +4,9 @@ import { createProvider } from "@cruxy/sdk";
 import { logger } from "../../utils/logger.js";
 import { loadConfig, resolveApiKey, loadProjectInstructions, } from "../../config/index.js";
 import { authMissingKey, usageError } from "../../errors/index.js";
+import { ApprovalService } from "../../approval/index.js";
 import { buildDefaultRegistry } from "../../tools/index.js";
-import { Session, createApprover } from "../../agent/index.js";
+import { Session } from "../../agent/index.js";
 import { runInteractive } from "../repl.js";
 import { createStreamPrinter } from "../stream-print.js";
 import { getGitInfo } from "../../utils/git.js";
@@ -13,9 +14,7 @@ export function runCommand() {
     return new Command("run")
         .description("run cruxy on a prompt (one-shot), or with no prompt for an interactive session")
         .argument("[prompt...]", "the task for cruxy to perform (omit for interactive)")
-        .option("-y, --yes", "auto-approve all tool actions (run unattended)")
-        .option("--dangerously-approve", "alias for --yes: approve every action without prompting")
-        .action(async (promptParts, opts) => {
+        .action(async (promptParts) => {
         const prompt = promptParts.join(" ").trim();
         const interactive = prompt === "";
         // No prompt and stdin isn't a terminal: there's no way to read input and
@@ -39,18 +38,19 @@ export function runCommand() {
             gatewayUrl: config.cruxy.gatewayUrl,
         });
         const registry = buildDefaultRegistry();
-        const approver = createApprover({
-            mode: config.approval.mode,
+        // The approval gate. Default-deny, risk-tiered, scoped session allowlist;
+        // no global skip flag (the policy seam lives in src/approval). When stdin
+        // isn't a TTY, a side-effecting action fails with CRUXY_E_APPROVAL_REQUIRED
+        // rather than being auto-approved.
+        const approval = new ApprovalService({
             cwd: process.cwd(),
-            isInteractive: Boolean(process.stdin.isTTY),
-            autoApprove: Boolean(opts.yes || opts.dangerouslyApprove),
-            logger,
+            interactive: Boolean(process.stdin.isTTY),
         });
         const ctx = {
             cwd: process.cwd(),
             config,
             logger,
-            approve: (action) => approver.approve(action),
+            requestApproval: (action) => approval.requestApproval(action),
         };
         const projectInstructions = loadProjectInstructions(process.cwd());
         const git = getGitInfo(process.cwd());

package/dist/cli/program.js

@@ -7,6 +7,7 @@ import { runCommand } from "./commands/run.js";
 import { configCommand } from "./commands/config.js";
 import { indexCommand } from "./commands/index.js";
 import { skillsCommand } from "./commands/skills.js";
+import { prCommand } from "./commands/pr.js";
 export function buildProgram() {
     const program = new Command();
     program
@@ -28,6 +29,7 @@ export function buildProgram() {
     program.addCommand(configCommand());
     program.addCommand(indexCommand());
     program.addCommand(skillsCommand());
+    program.addCommand(prCommand());
     // Default action: bare `cruxy` -> entrypoint. An unrecognized first operand
     // means an unknown command (Commander runs the default action with it as an
     // operand rather than erroring), so reject it as a usage error.

package/dist/cli/repl.js

@@ -18,7 +18,7 @@ const defaultIO = () => ({
 /**
  * Read one line using a readline interface that is created and then **closed
  * before this resolves**. This is the crux of the stdin coordination: while a
- * turn runs (`session.send`), approvals grab stdin in raw mode via the Approver
+ * turn runs (`session.send`), approvals grab stdin in raw mode via the approval prompt
  * — so no readline interface may be live at that moment. Creating a fresh
  * interface per line, and closing it the instant we have input, guarantees the
  * two never contend.

package/dist/config/schema.d.ts

@@ -52,10 +52,20 @@ export declare const ToolsConfigSchema: z.ZodObject<{
 }>;
 export declare const GitConfigSchema: z.ZodObject<{
     autoCommit: z.ZodDefault<z.ZodBoolean>;
+    /** Branches cruxy never commits/pushes to directly (PR flow branches off
+     * first). `main` and `master` are always protected; these add to them. */
+    protectedBranches: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    /** Default base branch for generated pull requests; falls back to the
+     * repo's default branch, then `main`, when unset. */
+    defaultBase: z.ZodOptional<z.ZodString>;
 }, "strict", z.ZodTypeAny, {
     autoCommit: boolean;
+    protectedBranches: string[];
+    defaultBase?: string | undefined;
 }, {
     autoCommit?: boolean | undefined;
+    protectedBranches?: string[] | undefined;
+    defaultBase?: string | undefined;
 }>;
 /** Execution bounds for the `run_command` shell tool (distinct from the
  * `tools.shell` enable flag above). */
@@ -89,13 +99,18 @@ export declare const ContextConfigSchema: z.ZodObject<{
     compactThreshold?: number | undefined;
     keepRecentMessages?: number | undefined;
 }>;
-/** How tool-action approval is resolved. */
+/**
+ * How tool-action approval is resolved. Only `prompt` exists: ask interactively
+ * and **deny by default** when non-interactive. There is deliberately no
+ * auto-approve / skip mode — the policy seam for a future CI mode lives in
+ * `src/approval` (see U.3), not behind a footgun flag.
+ */
 export declare const ApprovalConfigSchema: z.ZodObject<{
-    mode: z.ZodDefault<z.ZodEnum<["prompt", "auto"]>>;
+    mode: z.ZodDefault<z.ZodEnum<["prompt"]>>;
 }, "strict", z.ZodTypeAny, {
-    mode: "auto" | "prompt";
+    mode: "prompt";
 }, {
-    mode?: "auto" | "prompt" | undefined;
+    mode?: "prompt" | undefined;
 }>;
 /**
  * Codebase semantic index (C.17): the local embedding index that backs the
@@ -249,10 +264,20 @@ export declare const CruxyConfigSchema: z.ZodObject<{
     }>>;
     git: z.ZodDefault<z.ZodObject<{
         autoCommit: z.ZodDefault<z.ZodBoolean>;
+        /** Branches cruxy never commits/pushes to directly (PR flow branches off
+         * first). `main` and `master` are always protected; these add to them. */
+        protectedBranches: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        /** Default base branch for generated pull requests; falls back to the
+         * repo's default branch, then `main`, when unset. */
+        defaultBase: z.ZodOptional<z.ZodString>;
     }, "strict", z.ZodTypeAny, {
         autoCommit: boolean;
+        protectedBranches: string[];
+        defaultBase?: string | undefined;
     }, {
         autoCommit?: boolean | undefined;
+        protectedBranches?: string[] | undefined;
+        defaultBase?: string | undefined;
     }>>;
     shell: z.ZodDefault<z.ZodObject<{
         /** Kill the command (and its process tree) after this many ms. */
@@ -284,11 +309,11 @@ export declare const CruxyConfigSchema: z.ZodObject<{
         keepRecentMessages?: number | undefined;
     }>>;
     approval: z.ZodDefault<z.ZodObject<{
-        mode: z.ZodDefault<z.ZodEnum<["prompt", "auto"]>>;
+        mode: z.ZodDefault<z.ZodEnum<["prompt"]>>;
     }, "strict", z.ZodTypeAny, {
-        mode: "auto" | "prompt";
+        mode: "prompt";
     }, {
-        mode?: "auto" | "prompt" | undefined;
+        mode?: "prompt" | undefined;
     }>>;
     index: z.ZodDefault<z.ZodObject<{
         /** Master switch for `search_codebase` and `cruxy index`. */
@@ -411,6 +436,8 @@ export declare const CruxyConfigSchema: z.ZodObject<{
     };
     git: {
         autoCommit: boolean;
+        protectedBranches: string[];
+        defaultBase?: string | undefined;
     };
     context: {
         maxTokens: number;
@@ -418,7 +445,7 @@ export declare const CruxyConfigSchema: z.ZodObject<{
         keepRecentMessages: number;
     };
     approval: {
-        mode: "auto" | "prompt";
+        mode: "prompt";
     };
     index: {
         search: {
@@ -466,6 +493,8 @@ export declare const CruxyConfigSchema: z.ZodObject<{
     } | undefined;
     git?: {
         autoCommit?: boolean | undefined;
+        protectedBranches?: string[] | undefined;
+        defaultBase?: string | undefined;
     } | undefined;
     context?: {
         maxTokens?: number | undefined;
@@ -473,7 +502,7 @@ export declare const CruxyConfigSchema: z.ZodObject<{
         keepRecentMessages?: number | undefined;
     } | undefined;
     approval?: {
-        mode?: "auto" | "prompt" | undefined;
+        mode?: "prompt" | undefined;
     } | undefined;
     index?: {
         search?: {

package/dist/config/schema.js

@@ -40,6 +40,12 @@ export const ToolsConfigSchema = z
 export const GitConfigSchema = z
     .object({
     autoCommit: z.boolean().default(false),
+    /** Branches cruxy never commits/pushes to directly (PR flow branches off
+     * first). `main` and `master` are always protected; these add to them. */
+    protectedBranches: z.array(z.string()).default([]),
+    /** Default base branch for generated pull requests; falls back to the
+     * repo's default branch, then `main`, when unset. */
+    defaultBase: z.string().optional(),
 })
     .strict();
 /** Execution bounds for the `run_command` shell tool (distinct from the
@@ -64,12 +70,15 @@ export const ContextConfigSchema = z
     keepRecentMessages: z.number().int().positive().default(6),
 })
     .strict();
-/** How tool-action approval is resolved. */
+/**
+ * How tool-action approval is resolved. Only `prompt` exists: ask interactively
+ * and **deny by default** when non-interactive. There is deliberately no
+ * auto-approve / skip mode — the policy seam for a future CI mode lives in
+ * `src/approval` (see U.3), not behind a footgun flag.
+ */
 export const ApprovalConfigSchema = z
     .object({
-    // "prompt": ask interactively (deny when non-interactive). "auto": approve
-    // every action unattended (CI / explicit opt-in).
-    mode: z.enum(["prompt", "auto"]).default("prompt"),
+    mode: z.enum(["prompt"]).default("prompt"),
 })
     .strict();
 /**