@pugi/cli 0.1.0-alpha.10

package/dist/tools/web-fetch.js

@@ -0,0 +1,535 @@
+/**
+ * web_fetch tool — Sprint α6.15 Phase 1 quick-win.
+ *
+ * One-shot HTTP GET against an operator-supplied URL. The response is
+ * parsed with Readability over a linkedom DOM, converted to Markdown
+ * with Turndown, and returned wrapped in an `<untrusted-content-NONCE>`
+ * sentinel that downstream prompts must treat as data, never as
+ * instructions.
+ *
+ * Sentinel pattern (P0 from `docs/specs/pugi-browser-integration-2026-05-24.md`
+ * §10 risk 3): fetched bytes can carry prompt injection. The Mira system
+ * prompt is expected to honor the `<untrusted-content-*>` wrapping the
+ * way Anthropic Computer Use and Codex `skills/chrome/SKILL.md` do —
+ * treat the block as fact, refuse to follow instructions inside.
+ * The tag carries a per-call random nonce so a page literal of
+ * `</untrusted-content>` cannot break out of the boundary, and the
+ * source URL lives inside the body (escaped) instead of as an opening
+ * attribute so quote-injection cannot break the tag.
+ *
+ * Gate: the tool refuses unless either the caller flips
+ * `web.fetch.enabled = true` in `.pugi/settings.json` or the CLI
+ * runtime sets `allowFetch: true` (mapped from `--allow-fetch`). The
+ * default-off posture mirrors the «no auto-fetch from chat» rule in
+ * §8 anti-pattern 1 of the spec.
+ *
+ * SSRF guard: every URL we are about to fetch (initial + every redirect
+ * hop) is resolved via `dns.lookup` and rejected if any answer maps to
+ * loopback, link-local, RFC 1918, CGNAT, IPv6 ULA/link-local, or the
+ * 0.0.0.0/8 wildcard. There is a microsecond TOCTOU window between
+ * lookup and the kernel's connect(); we accept it for v1 because
+ * exploiting it requires DNS control over the target host plus a
+ * timing race. Tracked as P3 follow-up.
+ *
+ * Brand voice: brief / dispatch / ship / sentinel only. The
+ * brandbook §08 forbidden-word list applies — see CLAUDE.md.
+ */
+import { request } from 'undici';
+import { Readability } from '@mozilla/readability';
+import { parseHTML } from 'linkedom';
+import TurndownService from 'turndown';
+import { randomBytes } from 'node:crypto';
+import { lookup as dnsLookup } from 'node:dns/promises';
+import { isIPv4, isIPv6 } from 'node:net';
+let activeLookup = async (hostname) => await dnsLookup(hostname, { all: true, verbatim: true });
+export function _setLookupForTests(fn) {
+    activeLookup = fn ?? (async (hostname) => await dnsLookup(hostname, { all: true, verbatim: true }));
+}
+const FETCH_TIMEOUT_MS = 10_000;
+const MAX_RESPONSE_BYTES = 5 * 1024 * 1024; // 5 MiB
+const MAX_REDIRECTS = 5;
+const USER_AGENT = 'pugi-cli/0.1 (+https://pugi.dev)';
+const ALLOWED_CONTENT_TYPES = ['text/html', 'application/xhtml+xml', 'text/plain'];
+export function isWebFetchEnabled(ctx) {
+    if (ctx.allowFetch === true)
+        return true;
+    return ctx.settings.web?.fetch?.enabled === true;
+}
+/* ----------------------- SSRF guard helpers ---------------------- */
+/**
+ * Parse a dotted IPv4 string into a 32-bit unsigned integer. Returns
+ * `null` if the string is not a syntactically valid IPv4. We avoid
+ * adding `ip-address` to keep the deps surface clean.
+ */
+function ipv4ToInt(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        return null;
+    let acc = 0;
+    for (const part of parts) {
+        if (!/^\d{1,3}$/.test(part))
+            return null;
+        const n = Number(part);
+        if (n < 0 || n > 255)
+            return null;
+        acc = (acc << 8) + n;
+    }
+    // Force unsigned 32-bit.
+    return acc >>> 0;
+}
+/**
+ * Hand-rolled IPv4 CIDR check. `prefix` is the high-bit count.
+ */
+function ipv4InCidr(ip, cidr, prefix) {
+    const ipInt = ipv4ToInt(ip);
+    const baseInt = ipv4ToInt(cidr);
+    if (ipInt === null || baseInt === null)
+        return false;
+    if (prefix === 0)
+        return true;
+    const mask = prefix === 32 ? 0xffffffff : (0xffffffff << (32 - prefix)) >>> 0;
+    return (ipInt & mask) === (baseInt & mask);
+}
+/**
+ * IPv4 blocklist — every range that must never reach a server-side
+ * fetcher. Sources: IANA special-purpose registry plus the standard
+ * SSRF cheat-sheet (loopback, RFC 1918, link-local, CGNAT, wildcard).
+ */
+const IPV4_BLOCKED_RANGES = [
+    ['0.0.0.0', 8], // "this network" wildcard
+    ['10.0.0.0', 8], // RFC 1918
+    ['100.64.0.0', 10], // RFC 6598 CGNAT
+    ['127.0.0.0', 8], // loopback
+    ['169.254.0.0', 16], // link-local + AWS/GCP metadata
+    ['172.16.0.0', 12], // RFC 1918
+    ['192.0.0.0', 24], // IETF protocol assignments
+    ['192.168.0.0', 16], // RFC 1918
+    ['198.18.0.0', 15], // benchmarking
+    ['224.0.0.0', 4], // multicast
+    ['240.0.0.0', 4], // reserved (includes 255.255.255.255 broadcast)
+];
+/**
+ * Expand an IPv6 address into 8 16-bit hex words. Handles `::`
+ * shorthand and IPv4-mapped trailers (`::ffff:1.2.3.4`).
+ * Returns `null` if the input cannot be parsed as IPv6.
+ */
+function expandIPv6(ip) {
+    // Strip zone id (`%eth0` etc) — it is not part of the address.
+    const bare = ip.split('%')[0] ?? ip;
+    // Handle IPv4-mapped form by converting the trailing dotted quad
+    // into two hex words first.
+    let working = bare;
+    const lastColon = working.lastIndexOf(':');
+    if (lastColon !== -1 && working.slice(lastColon + 1).includes('.')) {
+        const dotted = working.slice(lastColon + 1);
+        const v4 = ipv4ToInt(dotted);
+        if (v4 === null)
+            return null;
+        const hi = ((v4 >>> 16) & 0xffff).toString(16);
+        const lo = (v4 & 0xffff).toString(16);
+        working = `${working.slice(0, lastColon)}:${hi}:${lo}`;
+    }
+    if (!working.includes(':'))
+        return null;
+    const sides = working.split('::');
+    if (sides.length > 2)
+        return null;
+    const leftRaw = sides[0] ?? '';
+    const rightRaw = sides.length === 2 ? sides[1] ?? '' : '';
+    const left = leftRaw === '' ? [] : leftRaw.split(':');
+    const right = rightRaw === '' ? [] : rightRaw.split(':');
+    const totalGiven = left.length + right.length;
+    if (sides.length === 1 && totalGiven !== 8)
+        return null;
+    if (totalGiven > 8)
+        return null;
+    const fillCount = 8 - totalGiven;
+    const filled = [...left, ...Array(fillCount).fill('0'), ...right];
+    for (const word of filled) {
+        if (!/^[0-9a-fA-F]{1,4}$/.test(word))
+            return null;
+    }
+    return filled.map((w) => w.toLowerCase().padStart(4, '0'));
+}
+/**
+ * Reject the IPv6 ranges the SSRF guard never wants to reach.
+ * Covers loopback (::1), unspecified (::), link-local (fe80::/10),
+ * unique local (fc00::/7), discard (100::/64), and IPv4-mapped
+ * (::ffff:0:0/96 — must also block since the embedded IPv4 still
+ * routes locally on some stacks).
+ */
+/**
+ * Build a dotted IPv4 string from the last two 16-bit words of an
+ * expanded IPv6 address. Shared by every embedded-IPv4 path below
+ * (IPv4-mapped, IPv4-translated SIIT, NAT64 well-known).
+ */
+function embeddedIPv4FromTrailingWords(words) {
+    const high = parseInt(words[6] ?? '0', 16);
+    const low = parseInt(words[7] ?? '0', 16);
+    return `${high >>> 8}.${high & 0xff}.${low >>> 8}.${low & 0xff}`;
+}
+function ipv6IsBlocked(ip) {
+    const words = expandIPv6(ip);
+    if (!words)
+        return false;
+    const joined = words.join('');
+    // ::1 loopback.
+    if (joined === '00000000000000000000000000000001')
+        return true;
+    // :: unspecified / wildcard.
+    if (joined === '00000000000000000000000000000000')
+        return true;
+    // ::ffff:0:0/96 IPv4-mapped (RFC 4291 §2.5.5.2):
+    //   words[0..4] = 0000, words[5] = ffff.
+    // Example: ::ffff:127.0.0.1 → [0,0,0,0,0,ffff,7f00,0001].
+    if (words.slice(0, 5).every((w) => w === '0000') && words[5] === 'ffff') {
+        const embedded = embeddedIPv4FromTrailingWords(words);
+        if (ipv4IsBlocked(embedded))
+            return true;
+    }
+    // ::ffff:0:0:0/96 IPv4-translated (RFC 6145 §2.2 / RFC 6052 SIIT):
+    //   words[0..3] = 0000, words[4] = ffff, words[5] = 0000.
+    // Example: ::ffff:0:a9fe:a9fe → [0,0,0,0,ffff,0,a9fe,a9fe] → 169.254.169.254.
+    // Codex P2 (PR #349): the original guard only covered the IPv4-mapped
+    // form above. SIIT/NAT64 stacks (Linux clatd, some macOS revisions,
+    // and various carrier-NAT64 deployments) translate `::ffff:0:a.b.c.d`
+    // straight to the embedded IPv4, so without this branch a hostile
+    // literal could ride through to the metadata service.
+    if (words.slice(0, 4).every((w) => w === '0000') &&
+        words[4] === 'ffff' &&
+        words[5] === '0000') {
+        const embedded = embeddedIPv4FromTrailingWords(words);
+        if (ipv4IsBlocked(embedded))
+            return true;
+    }
+    // 100::/64 discard prefix.
+    if (words[0] === '0100' && words.slice(1, 4).every((w) => w === '0000'))
+        return true;
+    // 64:ff9b::/96 — well-known NAT64 (still resolves to embedded IPv4).
+    if (words[0] === '0064' && words[1] === 'ff9b' && words.slice(2, 6).every((w) => w === '0000')) {
+        const embedded = embeddedIPv4FromTrailingWords(words);
+        if (ipv4IsBlocked(embedded))
+            return true;
+    }
+    // fc00::/7 — unique local (high 7 bits = 1111110).
+    const firstByte = parseInt(words[0]?.slice(0, 2) ?? '00', 16);
+    if ((firstByte & 0xfe) === 0xfc)
+        return true;
+    // fe80::/10 — link-local (first 10 bits = 1111111010).
+    const firstTen = parseInt(words[0] ?? '0000', 16) & 0xffc0;
+    if (firstTen === 0xfe80)
+        return true;
+    // ff00::/8 — multicast.
+    if (firstByte === 0xff)
+        return true;
+    return false;
+}
+function ipv4IsBlocked(ip) {
+    for (const [base, prefix] of IPV4_BLOCKED_RANGES) {
+        if (ipv4InCidr(ip, base, prefix))
+            return true;
+    }
+    return false;
+}
+/**
+ * Resolve `hostname` via dns.lookup and reject if any answer maps to
+ * a private/loopback/link-local/CGNAT range. Returns `null` on success
+ * (safe to fetch), an error string when the lookup or guard fails.
+ *
+ * `hostname` is whatever URL.hostname returned, so it may already be
+ * a literal IP (with brackets stripped). We honor that fast-path and
+ * skip DNS.
+ */
+export async function validateHostnameForFetch(hostname) {
+    // URL.hostname keeps the brackets off IPv6 literals already.
+    if (!hostname)
+        return 'empty hostname';
+    // Literal `localhost` resolves locally regardless of DNS — refuse
+    // by name so a hosts-file alias to a public IP cannot smuggle it.
+    if (hostname.toLowerCase() === 'localhost') {
+        return 'localhost is blocked (SSRF guard)';
+    }
+    // Fast-path: literal IP. Skip DNS.
+    if (isIPv4(hostname)) {
+        if (ipv4IsBlocked(hostname)) {
+            return `IP ${hostname} is in a blocked range (SSRF guard)`;
+        }
+        return null;
+    }
+    if (isIPv6(hostname)) {
+        if (ipv6IsBlocked(hostname)) {
+            return `IPv6 ${hostname} is in a blocked range (SSRF guard)`;
+        }
+        return null;
+    }
+    // DNS lookup — refuse if any answer is private. The active resolver
+    // is module-private so tests can stub it.
+    let answers;
+    try {
+        answers = await activeLookup(hostname);
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        return `DNS lookup failed for ${hostname}: ${msg}`;
+    }
+    if (answers.length === 0) {
+        return `DNS returned no answers for ${hostname}`;
+    }
+    for (const answer of answers) {
+        if (answer.family === 4 && ipv4IsBlocked(answer.address)) {
+            return `${hostname} resolves to ${answer.address} which is in a blocked range (SSRF guard)`;
+        }
+        if (answer.family === 6 && ipv6IsBlocked(answer.address)) {
+            return `${hostname} resolves to ${answer.address} which is in a blocked range (SSRF guard)`;
+        }
+    }
+    return null;
+}
+/* ----------------------- sentinel helpers ---------------------- */
+/**
+ * HTML-escape the five characters that can break out of either an
+ * element body or an attribute value. We place the source URL inside
+ * the sentinel body (not as an attribute), so the only realistic
+ * breakout vector is a literal `</untrusted-content-NONCE>` closing
+ * tag, but escaping `<` and `>` covers it cheaply.
+ *
+ * Exported for spec coverage; production callers must keep using
+ * the wrapper inside `webFetchTool`.
+ */
+export function escapeForSentinelBody(input) {
+    return input
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+/**
+ * Strip any literal `</untrusted-content-NONCE>` (or the bare legacy
+ * form) from fetched body content. The nonce makes a successful
+ * breakout cryptographically improbable but the extra scrub costs
+ * nothing and gives defense-in-depth.
+ */
+function scrubSentinelEscapes(input, nonce) {
+    const nonceTag = new RegExp(`</?untrusted-content-${nonce}>`, 'gi');
+    const bareTag = /<\/?untrusted-content[^>]*>/gi;
+    return input.replace(nonceTag, '').replace(bareTag, '');
+}
+/* ----------------------- response read ---------------------- */
+/**
+ * Read the response body with a hard 5 MiB streaming cap. Disables
+ * undici auto-decompression upstream (caller sets accept-encoding:
+ * identity) so the cap is meaningful — otherwise a 50 KB gzip bomb
+ * could expand to gigabytes before we noticed.
+ *
+ * On size overflow we abort the request via the AbortController AND
+ * destroy the body stream so the socket closes instead of dangling.
+ */
+async function readBodyWithCap(body, controller) {
+    const chunks = [];
+    let total = 0;
+    try {
+        for await (const chunk of body) {
+            const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+            total += buf.length;
+            if (total > MAX_RESPONSE_BYTES) {
+                controller.abort();
+                // undici BodyReadable extends Node Readable — destroy() closes
+                // the underlying socket eagerly so we are not waiting on GC.
+                try {
+                    if (typeof body.destroy === 'function')
+                        body.destroy();
+                }
+                catch {
+                    /* ignore — abort already fired */
+                }
+                return { ok: false, error: `Response exceeded ${MAX_RESPONSE_BYTES} byte cap.` };
+            }
+            chunks.push(buf);
+        }
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        return { ok: false, error: `Body read failed: ${msg}` };
+    }
+    return { ok: true, buffer: Buffer.concat(chunks) };
+}
+/**
+ * Dispatch a single GET, follow up to MAX_REDIRECTS hops, enforce the
+ * 5 MiB / 10 s caps, refuse non-2xx and unsupported content-types.
+ * Returns the wrapped Markdown on success, an error result otherwise.
+ *
+ * No retries: GET is idempotent but the contract is one-shot per
+ * spec; surface the error to the operator and let them re-dispatch
+ * explicitly.
+ */
+export async function webFetchTool(input, ctx) {
+    if (!isWebFetchEnabled(ctx)) {
+        return {
+            ok: false,
+            error: 'web_fetch disabled. Enable with --allow-fetch or set web.fetch.enabled=true in .pugi/settings.json.',
+        };
+    }
+    let parsedUrl;
+    try {
+        parsedUrl = new URL(input.url);
+    }
+    catch {
+        return { ok: false, error: `Invalid URL: ${input.url}` };
+    }
+    if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+        return { ok: false, error: `Unsupported scheme ${parsedUrl.protocol} — only http/https.` };
+    }
+    // Strip IPv6 brackets — URL.hostname keeps them, dns/net do not.
+    const initialHost = parsedUrl.hostname.replace(/^\[|\]$/g, '');
+    const initialGuard = await validateHostnameForFetch(initialHost);
+    if (initialGuard) {
+        return { ok: false, error: `SSRF refused: ${initialGuard}` };
+    }
+    // Manual redirect loop: undici v8 moved `maxRedirections` off the
+    // per-request options and onto the redirect interceptor, which we
+    // skip to keep the call site MockAgent-compatible. Cap at 5 hops.
+    // Every hop re-runs the SSRF guard because a public origin can
+    // return `302 Location: http://169.254.169.254/...`.
+    let response = null;
+    let currentUrl = parsedUrl;
+    let hops = 0;
+    const controller = new AbortController();
+    try {
+        while (true) {
+            response = await request(currentUrl.toString(), {
+                method: 'GET',
+                headers: {
+                    'user-agent': USER_AGENT,
+                    accept: 'text/html,application/xhtml+xml',
+                    // Disable content-encoding negotiation — undici would
+                    // auto-decompress gzip/br otherwise and our streaming cap
+                    // would only see post-decompression bytes, making a small
+                    // gzip bomb expand to GBs before the cap trips.
+                    'accept-encoding': 'identity',
+                },
+                bodyTimeout: FETCH_TIMEOUT_MS,
+                headersTimeout: FETCH_TIMEOUT_MS,
+                signal: controller.signal,
+            });
+            if (response.statusCode >= 300 && response.statusCode < 400) {
+                const loc = response.headers['location'];
+                const locStr = Array.isArray(loc) ? loc[0] : loc;
+                if (typeof locStr !== 'string' || locStr.length === 0)
+                    break;
+                hops += 1;
+                if (hops > MAX_REDIRECTS) {
+                    // Drain the body on the way out so the underlying socket
+                    // closes deterministically instead of lingering until GC.
+                    // Codex P2 (PR #349 triple-review): without this dump() the
+                    // socket stays half-read until the response object is
+                    // collected, which under load can exhaust the connection
+                    // pool. `dump()` swallows errors; the catch is belt + braces.
+                    try {
+                        await response.body.dump();
+                    }
+                    catch {
+                        try {
+                            response.body.destroy();
+                        }
+                        catch {
+                            /* socket already closed — nothing to do */
+                        }
+                    }
+                    return { ok: false, error: `Exceeded ${MAX_REDIRECTS} redirect hops.` };
+                }
+                // Drain prior body so the socket can be reused.
+                await response.body.dump();
+                let nextUrl;
+                try {
+                    nextUrl = new URL(locStr, currentUrl);
+                }
+                catch {
+                    return { ok: false, error: `Invalid redirect target: ${locStr}` };
+                }
+                if (nextUrl.protocol !== 'http:' && nextUrl.protocol !== 'https:') {
+                    return {
+                        ok: false,
+                        error: `Refusing redirect to unsupported scheme ${nextUrl.protocol}.`,
+                    };
+                }
+                const nextHost = nextUrl.hostname.replace(/^\[|\]$/g, '');
+                const guard = await validateHostnameForFetch(nextHost);
+                if (guard) {
+                    return { ok: false, error: `SSRF refused on redirect: ${guard}` };
+                }
+                currentUrl = nextUrl;
+                continue;
+            }
+            break;
+        }
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return { ok: false, error: `Fetch failed: ${message}` };
+    }
+    if (!response) {
+        return { ok: false, error: 'No response received.' };
+    }
+    if (response.statusCode < 200 || response.statusCode >= 300) {
+        return { ok: false, error: `HTTP ${response.statusCode} from ${currentUrl.toString()}` };
+    }
+    // content-length is advisory — never trust it for the size cap, but
+    // we can short-circuit obviously huge declared payloads BEFORE we
+    // start reading. The streaming cap is still the source of truth.
+    const declaredLengthRaw = response.headers['content-length'];
+    const declaredLength = Array.isArray(declaredLengthRaw) ? declaredLengthRaw[0] : declaredLengthRaw;
+    if (typeof declaredLength === 'string' && /^\d+$/.test(declaredLength)) {
+        const n = Number(declaredLength);
+        if (n > MAX_RESPONSE_BYTES) {
+            controller.abort();
+            try {
+                response.body.destroy();
+            }
+            catch {
+                /* ignore */
+            }
+            return {
+                ok: false,
+                error: `Declared content-length ${n} exceeds ${MAX_RESPONSE_BYTES} byte cap.`,
+            };
+        }
+    }
+    const contentTypeRaw = response.headers['content-type'];
+    const contentType = Array.isArray(contentTypeRaw) ? contentTypeRaw[0] : contentTypeRaw;
+    const mime = typeof contentType === 'string' ? contentType.split(';')[0]?.trim().toLowerCase() ?? '' : '';
+    if (!ALLOWED_CONTENT_TYPES.includes(mime)) {
+        return { ok: false, error: `Disallowed content-type ${mime || '(none)'}; only HTML/XHTML/text.` };
+    }
+    const bodyResult = await readBodyWithCap(response.body, controller);
+    if (!bodyResult.ok)
+        return bodyResult;
+    const html = bodyResult.buffer.toString('utf8');
+    // linkedom is the lightweight DOM Readability needs; jsdom would
+    // add ~3 MB to the install footprint for the same surface.
+    const { document } = parseHTML(html);
+    const article = new Readability(document).parse();
+    const title = article?.title?.trim() || currentUrl.hostname;
+    const articleHtml = article?.content ?? html;
+    const turndown = new TurndownService({ headingStyle: 'atx', codeBlockStyle: 'fenced' });
+    const markdown = turndown.turndown(articleHtml).trim();
+    // Per-call nonce defeats sentinel escape via literal `</untrusted-content>`
+    // inside fetched bodies. Tag carries the nonce; downstream consumers
+    // match dynamically. Source URL lives INSIDE the sentinel body
+    // (escaped) so a quote-injection in the URL cannot break the tag.
+    const nonce = randomBytes(8).toString('hex');
+    const scrubbedMarkdown = scrubSentinelEscapes(markdown, nonce);
+    const safeSource = escapeForSentinelBody(currentUrl.toString());
+    const wrapped = `<untrusted-content-${nonce}>\n` +
+        `Source: ${safeSource}\n\n` +
+        `${scrubbedMarkdown}\n` +
+        `</untrusted-content-${nonce}>`;
+    return {
+        ok: true,
+        url: currentUrl.toString(),
+        title,
+        content_md: wrapped,
+        fetched_at: new Date().toISOString(),
+    };
+}
+//# sourceMappingURL=web-fetch.js.map

package/dist/tui/agent-tree.js

@@ -0,0 +1,66 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Box, Text } from 'ink';
+export function AgentTree(props) {
+    if (props.agents.length === 0) {
+        return (_jsx(Box, { children: _jsx(Text, { dimColor: true, children: "No agents on watch. Type a brief to dispatch one." }) }));
+    }
+    const now = props.nowEpochMs ?? Date.now();
+    return (_jsx(Box, { flexDirection: "column", children: props.agents.map((agent, index) => (_jsx(AgentRow, { agent: agent, last: index === props.agents.length - 1, nowEpochMs: now }, agent.taskId))) }));
+}
+function AgentRow({ agent, last, nowEpochMs, }) {
+    const branch = last ? '└' : '├';
+    const glyph = statusGlyph(agent.status);
+    const glyphColor = statusColor(agent.status);
+    const elapsed = formatElapsed(agent.startedAtEpochMs, nowEpochMs);
+    const tokens = formatTokens(agent.tokensIn + agent.tokensOut);
+    const name = agent.personaName.padEnd(8, ' ');
+    const role = agent.role.padEnd(10, ' ');
+    const detail = agent.detail.length > 60 ? `${agent.detail.slice(0, 57)}…` : agent.detail;
+    return (_jsxs(Box, { children: [_jsx(Text, { dimColor: true, children: ` ${branch} ` }), _jsx(Text, { bold: true, children: `${name}` }), _jsx(Text, { dimColor: true, children: ` ${role} ` }), _jsx(Text, { color: glyphColor, children: glyph }), _jsx(Text, { children: ` ${detail}` }), _jsx(Text, { dimColor: true, children: `  (${elapsed}${tokens ? ` · ↓ ${tokens}` : ''})` })] }));
+}
+function statusGlyph(status) {
+    switch (status) {
+        case 'queued':
+            return '□';
+        case 'thinking':
+            return '⏳';
+        case 'shipped':
+            return '✓';
+        case 'blocked':
+            return '✗';
+        case 'failed':
+            return '✗';
+    }
+}
+function statusColor(status) {
+    switch (status) {
+        case 'queued':
+            return undefined;
+        case 'thinking':
+            return 'cyan';
+        case 'shipped':
+            return 'green';
+        case 'blocked':
+            return 'yellow';
+        case 'failed':
+            return 'red';
+    }
+}
+function formatElapsed(startedAtEpochMs, nowEpochMs) {
+    const ms = Math.max(0, nowEpochMs - startedAtEpochMs);
+    if (ms < 60_000)
+        return `${Math.floor(ms / 1000)}s`;
+    const minutes = Math.floor(ms / 60_000);
+    const seconds = Math.floor((ms % 60_000) / 1000);
+    return `${minutes}m ${seconds.toString().padStart(2, '0')}s`;
+}
+function formatTokens(total) {
+    if (total <= 0)
+        return '';
+    if (total < 1_000)
+        return total.toString();
+    if (total < 1_000_000)
+        return `${(total / 1_000).toFixed(1)}k`;
+    return `${(total / 1_000_000).toFixed(1)}m`;
+}
+//# sourceMappingURL=agent-tree.js.map

package/dist/tui/conversation-pane.js

@@ -0,0 +1,45 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { Box, Text } from 'ink';
+const HUE_COLOR_BY_SLUG = {
+    // Mira (Pug) - coordinator
+    main: 'cyan',
+    // Olivia (Honeybee) - release
+    pm: 'yellow',
+    // Marcus (Owl)
+    architect: 'magenta',
+    // Hiroshi (Wolf) - lead dev
+    dev: 'blueBright',
+    // Mia (Hummingbird) - frontend
+    frontend: 'magentaBright',
+    // Vera (Fox) - QA
+    qa: 'red',
+    // Diego (Octopus) - devops
+    devops: 'cyan',
+    // Sofia (Stag) - designer
+    designer: 'green',
+    // Anika (Raven) - researcher
+    researcher: 'gray',
+    // Liam (Spider) - analyst
+    analyst: 'gray',
+};
+export function ConversationPane(props) {
+    if (props.rows.length === 0) {
+        return (_jsx(Box, { children: _jsx(Text, { dimColor: true, children: "Brief the workforce to begin. Try a short sentence or /help." }) }));
+    }
+    return (_jsx(Box, { flexDirection: "column", children: props.rows.map((row) => (_jsx(ConversationRow, { row: row, personaNames: props.personaNames }, row.id))) }));
+}
+function ConversationRow({ row, personaNames, }) {
+    switch (row.source) {
+        case 'operator':
+            return (_jsxs(Box, { children: [_jsx(Text, { bold: true, color: "cyan", children: '› ' }), _jsx(Text, { children: row.text })] }));
+        case 'system':
+            return (_jsxs(Box, { children: [_jsx(Text, { dimColor: true, children: '· ' }), _jsx(Text, { dimColor: true, children: row.text })] }));
+        case 'persona': {
+            const slug = row.personaSlug ?? '';
+            const color = HUE_COLOR_BY_SLUG[slug] ?? 'white';
+            const displayName = personaNames?.get(slug) ?? slug;
+            return (_jsxs(Box, { children: [_jsx(Text, { color: color, bold: true, children: `▸ ${displayName} ` }), _jsx(Text, { children: row.text })] }));
+        }
+    }
+}
+//# sourceMappingURL=conversation-pane.js.map