@pugi/cli 0.1.0-alpha.3 → 0.1.0-alpha.6

package/dist/runtime/commands/config.js

@@ -0,0 +1,231 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { dirname, resolve } from 'node:path';
+import { z } from 'zod';
+import { loadMcpRegistry } from '../../core/mcp/registry.js';
+import { listMcpTrust, setMcpTrust, } from '../../core/mcp/trust.js';
+import { trustWorkspace } from '../../core/trust.js';
+/**
+ * `pugi config` — operator-level configuration surface.
+ *
+ * Subcommands:
+ *   - `pugi config get <key>`              read a value from `~/.pugi/config.json`
+ *   - `pugi config set <key> <value>`      write a value
+ *   - `pugi config list`                   dump all values
+ *   - `pugi config trust .`                trust the current workspace (delegates to core/trust.ts)
+ *   - `pugi config mcp trust <name>`       flip MCP server to trusted
+ *   - `pugi config mcp deny <name>`        flip MCP server to denied
+ *   - `pugi config mcp list`               show declared servers + their trust state
+ *
+ * Schema (pugi-config-v1):
+ *   {
+ *     "permissionMode": "ask" | "acceptEdits" | "auto" | "plan" | "dontAsk" | "bypassPermissions",
+ *     "privacy":        "local-only" | "metadata" | "full",
+ *     "model":          "<id>" | null,
+ *     "preferredEndpoint": "https://api.pugi.io"
+ *   }
+ *
+ * The config file lives at `~/.pugi/config.json` (PUGI_HOME-aware) and uses
+ * mode 0o600. Unknown keys are rejected by `set` so a typo never silently
+ * persists.
+ */
+const configSchema = z
+    .object({
+    permissionMode: z
+        .enum(['plan', 'ask', 'acceptEdits', 'auto', 'dontAsk', 'bypassPermissions'])
+        .optional(),
+    privacy: z.enum(['local-only', 'metadata', 'full']).optional(),
+    model: z.string().nullable().optional(),
+    preferredEndpoint: z.string().url().optional(),
+})
+    .strict();
+const CONFIG_KEYS = ['permissionMode', 'privacy', 'model', 'preferredEndpoint'];
+export async function runConfigCommand(args, ctx) {
+    const sub = args[0];
+    if (!sub || sub === '--help' || sub === '-h') {
+        ctx.writeOutput({
+            command: 'config',
+            usage: [
+                'pugi config get <key>',
+                'pugi config set <key> <value>',
+                'pugi config list',
+                'pugi config trust .',
+                'pugi config mcp trust <name>',
+                'pugi config mcp deny <name>',
+                'pugi config mcp list',
+            ],
+        }, [
+            'Usage:',
+            '  pugi config get <key>            Read a config value.',
+            '  pugi config set <key> <value>    Write a config value.',
+            '  pugi config list                 Show all config values.',
+            '  pugi config trust .              Trust the current workspace for hooks + MCP.',
+            '  pugi config mcp trust <name>     Mark an MCP server as trusted.',
+            '  pugi config mcp deny <name>      Block an MCP server.',
+            '  pugi config mcp list             Show declared MCP servers + trust state.',
+        ].join('\n'));
+        return;
+    }
+    switch (sub) {
+        case 'get':
+            return runConfigGet(args.slice(1), ctx);
+        case 'set':
+            return runConfigSet(args.slice(1), ctx);
+        case 'list':
+            return runConfigList(ctx);
+        case 'trust':
+            return runConfigTrust(args.slice(1), ctx);
+        case 'mcp':
+            return runConfigMcp(args.slice(1), ctx);
+        default:
+            throw new Error(`Unknown sub-command "pugi config ${sub}". Expected get, set, list, trust, or mcp.`);
+    }
+}
+function configPath() {
+    const home = process.env.PUGI_HOME ?? resolve(homedir(), '.pugi');
+    return resolve(home, 'config.json');
+}
+export function readConfig() {
+    const path = configPath();
+    if (!existsSync(path))
+        return {};
+    const raw = readFileSync(path, 'utf8');
+    if (raw.trim() === '')
+        return {};
+    const parsed = JSON.parse(raw);
+    return configSchema.parse(parsed);
+}
+function writeConfig(config) {
+    const path = configPath();
+    mkdirSync(dirname(path), { recursive: true });
+    // 0o600 — `preferredEndpoint` could be a private self-hosted URL; the
+    // config does not contain secrets, but file mode parity with the trust
+    // ledger keeps the audit surface uniform.
+    writeFileSync(path, `${JSON.stringify(config, null, 2)}\n`, {
+        encoding: 'utf8',
+        mode: 0o600,
+    });
+}
+function isConfigKey(value) {
+    return CONFIG_KEYS.includes(value);
+}
+function runConfigGet(args, ctx) {
+    const key = args[0];
+    if (!key)
+        throw new Error('pugi config get requires a key.');
+    if (!isConfigKey(key)) {
+        throw new Error(`Unknown config key "${key}". Allowed: ${CONFIG_KEYS.join(', ')}.`);
+    }
+    const config = readConfig();
+    const value = config[key] ?? null;
+    ctx.writeOutput({ command: 'config.get', key, value }, value === null || value === undefined ? `${key} = (unset)` : `${key} = ${String(value)}`);
+}
+function runConfigSet(args, ctx) {
+    const key = args[0];
+    const value = args.slice(1).join(' ');
+    if (!key)
+        throw new Error('pugi config set requires a key.');
+    if (value.length === 0)
+        throw new Error('pugi config set requires a value.');
+    if (!isConfigKey(key)) {
+        throw new Error(`Unknown config key "${key}". Allowed: ${CONFIG_KEYS.join(', ')}.`);
+    }
+    const current = readConfig();
+    // Build the candidate and validate via the schema so an invalid value
+    // (e.g. `permissionMode = nonsense`) is rejected before persistence.
+    const candidate = { ...current };
+    candidate[key] = coerceValue(key, value);
+    const validated = configSchema.parse(candidate);
+    writeConfig(validated);
+    ctx.writeOutput({
+        command: 'config.set',
+        key,
+        value: validated[key] ?? null,
+    }, `${key} = ${String(validated[key] ?? '')}`);
+}
+function coerceValue(key, raw) {
+    if (key === 'model') {
+        return raw === 'null' || raw === '' ? null : raw;
+    }
+    return raw;
+}
+function runConfigList(ctx) {
+    const config = readConfig();
+    const entries = CONFIG_KEYS.map((key) => ({
+        key,
+        value: config[key] ?? null,
+    }));
+    ctx.writeOutput({ command: 'config.list', config, entries }, entries
+        .map((entry) => entry.value === null || entry.value === undefined
+        ? `${entry.key} = (unset)`
+        : `${entry.key} = ${String(entry.value)}`)
+        .join('\n'));
+}
+async function runConfigTrust(args, ctx) {
+    const target = args[0];
+    if (!target)
+        throw new Error('pugi config trust requires a path (use "." for cwd).');
+    const root = target === '.' ? ctx.workspaceRoot : resolve(ctx.workspaceRoot, target);
+    // Identity for the audit entry: prefer the explicit env override
+    // (`PUGI_TRUSTED_BY`), then `USER` from the shell, then literal
+    // 'cli'. The trust ledger requires a non-empty string and we want
+    // it to mean something for a future audit replay.
+    const by = process.env.PUGI_TRUSTED_BY?.trim() ||
+        process.env.USER?.trim() ||
+        process.env.USERNAME?.trim() ||
+        'cli';
+    await trustWorkspace(root, by);
+    ctx.writeOutput({ command: 'config.trust', workspaceRoot: root, trustedBy: by }, `Trusted workspace: ${root}`);
+}
+async function runConfigMcp(args, ctx) {
+    const sub = args[0];
+    if (!sub) {
+        throw new Error('pugi config mcp requires a sub-command: trust, deny, or list.');
+    }
+    switch (sub) {
+        case 'list':
+            return runConfigMcpList(ctx);
+        case 'trust':
+            return runConfigMcpFlip(args.slice(1), ctx, 'trusted');
+        case 'deny':
+            return runConfigMcpFlip(args.slice(1), ctx, 'denied');
+        default:
+            throw new Error(`Unknown sub-command "pugi config mcp ${sub}". Expected trust, deny, or list.`);
+    }
+}
+async function runConfigMcpList(ctx) {
+    const registry = await loadMcpRegistry(ctx.workspaceRoot, { connect: false });
+    const declared = Array.from(registry.servers.values()).map((state) => ({
+        name: state.name,
+        command: state.config.command,
+        args: state.config.args,
+        trust: state.trust,
+        surfacedTools: state.surfacedTools.length,
+        lastError: state.lastError ?? null,
+    }));
+    const ledger = await listMcpTrust();
+    await registry.shutdown();
+    if (declared.length === 0) {
+        ctx.writeOutput({ command: 'config.mcp.list', servers: [], ledger }, 'No MCP servers declared. Add one to .pugi/mcp.json or ~/.pugi/mcp.json.');
+        return;
+    }
+    ctx.writeOutput({ command: 'config.mcp.list', servers: declared, ledger }, [
+        'MCP servers:',
+        ...declared.map((server) => `  ${server.name.padEnd(20)} ${server.trust.padEnd(8)} ${server.command} ${server.args.join(' ')}`),
+    ].join('\n'));
+}
+async function runConfigMcpFlip(args, ctx, state) {
+    const name = args[0];
+    if (!name) {
+        throw new Error(`pugi config mcp ${state === 'trusted' ? 'trust' : 'deny'} requires a server name.`);
+    }
+    const by = process.env.PUGI_TRUSTED_BY?.trim() ||
+        process.env.USER?.trim() ||
+        process.env.USERNAME?.trim() ||
+        'cli';
+    await setMcpTrust(name, state, by);
+    ctx.writeOutput({ command: `config.mcp.${state === 'trusted' ? 'trust' : 'deny'}`, name, state, decidedBy: by }, state === 'trusted'
+        ? `MCP server "${name}" is now trusted.`
+        : `MCP server "${name}" is now denied.`);
+}
+//# sourceMappingURL=config.js.map

package/dist/runtime/commands/privacy.js

@@ -0,0 +1,107 @@
+import { z } from 'zod';
+import { readConfig } from './config.js';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { dirname, resolve } from 'node:path';
+/**
+ * `pugi privacy` — read or update the operator's privacy mode.
+ *
+ * Subcommands:
+ *   - `pugi privacy show`           — print current mode + source
+ *   - `pugi privacy set <mode>`     — write `local-only | metadata | full`
+ *
+ * Persistence:
+ *   - Stored in `~/.pugi/privacy.json` (PUGI_HOME-aware).
+ *   - The `privacy` key in `~/.pugi/config.json` is also consulted at
+ *     read time (config takes precedence when both exist) so a user who
+ *     already set `pugi config set privacy ...` sees the same value
+ *     here.
+ *
+ * Modes:
+ *   - `local-only` — nothing leaves the workstation. Engine commands
+ *     refuse to ship transcripts; sync is a no-op.
+ *   - `metadata`   — only artifact metadata + session timeline ships
+ *     (no raw file contents).
+ *   - `full`       — full sync allowed (operator-acknowledged).
+ */
+export const privacyModeSchema = z.enum(['local-only', 'metadata', 'full']);
+const privacyFileSchema = z.object({
+    schema: z.number().int().positive().default(1),
+    mode: privacyModeSchema,
+});
+function privacyPath() {
+    const home = process.env.PUGI_HOME ?? resolve(homedir(), '.pugi');
+    return resolve(home, 'privacy.json');
+}
+export function readPrivacyFile() {
+    const path = privacyPath();
+    if (!existsSync(path))
+        return null;
+    const raw = readFileSync(path, 'utf8');
+    if (raw.trim() === '')
+        return null;
+    const parsed = JSON.parse(raw);
+    const result = privacyFileSchema.safeParse(parsed);
+    if (!result.success)
+        return null;
+    return result.data.mode;
+}
+function writePrivacyFile(mode) {
+    const path = privacyPath();
+    mkdirSync(dirname(path), { recursive: true });
+    writeFileSync(path, `${JSON.stringify({ schema: 1, mode }, null, 2)}\n`, { encoding: 'utf8', mode: 0o600 });
+}
+/**
+ * Effective privacy mode resolution order:
+ *   1. `~/.pugi/config.json` privacy key (when set via `pugi config set`)
+ *   2. `~/.pugi/privacy.json` (when set via `pugi privacy set`)
+ *   3. `metadata` (default — matches the M1 default-ship posture)
+ */
+export function resolvePrivacyMode() {
+    const config = readConfig();
+    if (config.privacy)
+        return { mode: config.privacy, source: 'config' };
+    const fromFile = readPrivacyFile();
+    if (fromFile)
+        return { mode: fromFile, source: 'privacy' };
+    return { mode: 'metadata', source: 'default' };
+}
+export async function runPrivacyCommand(args, ctx) {
+    const sub = args[0];
+    if (!sub || sub === '--help' || sub === '-h') {
+        ctx.writeOutput({
+            command: 'privacy',
+            usage: ['pugi privacy show', 'pugi privacy set <mode>'],
+            modes: ['local-only', 'metadata', 'full'],
+        }, [
+            'Usage:',
+            '  pugi privacy show           Show current privacy mode.',
+            '  pugi privacy set <mode>     Set mode to local-only, metadata, or full.',
+        ].join('\n'));
+        return;
+    }
+    switch (sub) {
+        case 'show':
+            return runPrivacyShow(ctx);
+        case 'set':
+            return runPrivacySet(args.slice(1), ctx);
+        default:
+            throw new Error(`Unknown sub-command "pugi privacy ${sub}". Expected show or set.`);
+    }
+}
+function runPrivacyShow(ctx) {
+    const resolved = resolvePrivacyMode();
+    ctx.writeOutput({ command: 'privacy.show', ...resolved }, `Privacy mode: ${resolved.mode} (source: ${resolved.source})`);
+}
+function runPrivacySet(args, ctx) {
+    const raw = args[0];
+    if (!raw)
+        throw new Error('pugi privacy set requires a mode: local-only, metadata, or full.');
+    const result = privacyModeSchema.safeParse(raw);
+    if (!result.success) {
+        throw new Error(`Invalid privacy mode "${raw}". Allowed: local-only, metadata, full.`);
+    }
+    writePrivacyFile(result.data);
+    ctx.writeOutput({ command: 'privacy.set', mode: result.data }, `Privacy mode set to ${result.data}.`);
+}
+//# sourceMappingURL=privacy.js.map

package/dist/runtime/commands/undo.js

@@ -0,0 +1,329 @@
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync, renameSync, unlinkSync, writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { hashContent } from '../../core/file-cache.js';
+import { recordFileMutation, recordToolCall, recordToolResult, } from '../../core/session.js';
+/**
+ * `pugi undo` — revert the file mutations from the most recent successful
+ * `write` / `edit` / `multi_edit` tool result.
+ *
+ * Walk strategy:
+ *   1. Read `.pugi/events.jsonl` line by line into an array.
+ *   2. Walk backwards. Find the most recent `tool_result` whose
+ *      `status === 'success'` and whose linked `tool_call` names a
+ *      mutating tool (write / edit / multi_edit).
+ *   3. From that point, gather every `file_mutation` event that shares
+ *      the same `toolCallId`. M1 records one `file_mutation` per
+ *      mutating tool call, but the loop is shaped for the multi_edit
+ *      future case where a single tool call mutates many files.
+ *
+ * Restore strategy (M1 — no blob store yet):
+ *   For each mutation we restore from the workspace's git history when
+ *   possible, with a strict safety gate to avoid silently overwriting
+ *   the user's WORK-IN-PROGRESS:
+ *
+ *   - `operation: create`  → unlink the created file iff its current
+ *     sha256 matches the recorded `afterHash`. Skip otherwise (the user
+ *     has edited it since; refuse to delete their work).
+ *   - `operation: update`  → restore from `HEAD:<path>` iff (a) the file
+ *     was tracked at HEAD AND (b) the HEAD content's sha256 matches the
+ *     recorded `beforeHash`. Otherwise abort the turn (no partial
+ *     reverts — the spec is atomic).
+ *   - `operation: delete`  → restore the deleted file from `HEAD:<path>`
+ *     if tracked there; skip otherwise.
+ *
+ * If any single restore is unsafe the whole turn aborts with exit code
+ * 1 and no files are touched.
+ *
+ * Why git as the backing store: the file cache stores hash + metadata
+ * but NOT raw content (see `core/file-cache.ts`). M1 ships without a
+ * dedicated blob CAS; `git show HEAD:<path>` is the cheapest authoritative
+ * source for pre-mutation content as long as the workspace is a git
+ * repository. The α6.4 SQLite session store will replace this with a
+ * proper before-blob ledger.
+ */
+const MUTATING_TOOLS = new Set(['write', 'edit', 'multi_edit']);
+export async function runUndoCommand(_args, ctx) {
+    const eventsPath = resolve(ctx.workspaceRoot, '.pugi/events.jsonl');
+    if (!existsSync(eventsPath)) {
+        ctx.writeOutput({ command: 'undo', status: 'noop', reason: 'no_session' }, 'No session events found. Nothing to undo.');
+        return;
+    }
+    const events = parseEvents(eventsPath);
+    const target = findLastMutationTurn(events);
+    if (!target) {
+        ctx.writeOutput({ command: 'undo', status: 'noop', reason: 'no_mutation' }, 'No mutating tool result found in the session log.');
+        return;
+    }
+    if (target.mutations.length === 0) {
+        ctx.writeOutput({
+            command: 'undo',
+            status: 'noop',
+            reason: 'no_file_mutations',
+            toolCallId: target.toolCallId,
+        }, `Tool call ${target.toolCallId} recorded no file mutations.`);
+        return;
+    }
+    // Pre-flight: confirm every mutation is reversible before touching
+    // disk. This keeps the operation atomic per spec.
+    const plan = planReverts(ctx.workspaceRoot, target.mutations);
+    if (plan.aborted) {
+        ctx.writeOutput({
+            command: 'undo',
+            status: 'aborted',
+            reason: plan.reason,
+            toolCallId: target.toolCallId,
+            unsafe: plan.unsafe,
+        }, `Refusing to undo ${target.toolCallId}: ${plan.reason}`);
+        process.exitCode = 1;
+        return;
+    }
+    const restored = [];
+    for (const step of plan.steps) {
+        try {
+            executeRevert(ctx.workspaceRoot, step);
+            restored.push({ path: step.path, operation: step.operation });
+        }
+        catch (error) {
+            // A revert failed after pre-flight said it was safe. Surface the
+            // error and bail out — the spec says no partial state on failure.
+            const message = error instanceof Error ? error.message : String(error);
+            ctx.writeOutput({
+                command: 'undo',
+                status: 'failed',
+                reason: message,
+                toolCallId: target.toolCallId,
+                restored,
+                failedAt: step.path,
+            }, `Undo failed mid-flight on ${step.path}: ${message}`);
+            process.exitCode = 1;
+            return;
+        }
+    }
+    // Audit the inverse mutations so the event log explains the undo.
+    const toolCallId = recordToolCall(ctx.session, 'undo', `revert ${target.toolCallId}`);
+    for (const step of plan.steps) {
+        recordFileMutation(ctx.session, {
+            toolCallId,
+            path: step.path,
+            operation: step.operation === 'create' ? 'delete' : 'update',
+            beforeHash: step.beforeHash,
+            afterHash: step.afterHash,
+        });
+    }
+    recordToolResult(ctx.session, toolCallId, 'success', `Undid ${restored.length} mutation(s) from ${target.toolCallId}`);
+    ctx.writeOutput({
+        command: 'undo',
+        status: 'ok',
+        toolCallId: target.toolCallId,
+        restored,
+    }, [
+        `Undid ${restored.length} mutation(s) from ${target.toolCallId}:`,
+        ...restored.map((entry) => `  ${entry.operation.padEnd(7)} ${entry.path}`),
+    ].join('\n'));
+}
+function parseEvents(eventsPath) {
+    const raw = readFileSync(eventsPath, 'utf8');
+    const lines = raw.split('\n').filter((line) => line.trim().length > 0);
+    const out = [];
+    for (const line of lines) {
+        try {
+            const parsed = JSON.parse(line);
+            if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+                out.push(parsed);
+            }
+        }
+        catch {
+            // Drop malformed lines silently — partial writes mid-shutdown can
+            // produce them and undo should still work for the rest.
+        }
+    }
+    return out;
+}
+function findLastMutationTurn(events) {
+    const toolCalls = new Map();
+    const results = [];
+    for (let i = 0; i < events.length; i += 1) {
+        const event = events[i];
+        if (!event)
+            continue;
+        if (event.type === 'tool_call' && typeof event.id === 'string' && typeof event.tool === 'string') {
+            toolCalls.set(event.id, { id: event.id, tool: event.tool });
+        }
+        else if (event.type === 'tool_result' &&
+            typeof event.id === 'string' &&
+            typeof event.toolCallId === 'string' &&
+            (event.status === 'success' || event.status === 'error' || event.status === 'cancelled')) {
+            results.push({
+                id: event.id,
+                toolCallId: event.toolCallId,
+                status: event.status,
+                index: i,
+            });
+        }
+    }
+    for (let i = results.length - 1; i >= 0; i -= 1) {
+        const result = results[i];
+        if (result.status !== 'success')
+            continue;
+        const call = toolCalls.get(result.toolCallId);
+        if (!call)
+            continue;
+        if (!MUTATING_TOOLS.has(call.tool))
+            continue;
+        // Collect file_mutation events whose toolCallId matches. We do NOT
+        // window by event index: M1 emits the file_mutation alongside the
+        // tool_result, but a future iteration that emits them earlier
+        // (e.g. mid-stream for multi_edit) still maps correctly.
+        const mutations = [];
+        for (const event of events) {
+            if (event.type !== 'file_mutation')
+                continue;
+            if (event.toolCallId !== result.toolCallId)
+                continue;
+            if (typeof event.path !== 'string')
+                continue;
+            if (event.operation !== 'create' &&
+                event.operation !== 'update' &&
+                event.operation !== 'delete' &&
+                event.operation !== 'move') {
+                continue;
+            }
+            mutations.push({
+                toolCallId: result.toolCallId,
+                path: event.path,
+                operation: event.operation,
+                beforeHash: typeof event.beforeHash === 'string' ? event.beforeHash : undefined,
+                afterHash: typeof event.afterHash === 'string' ? event.afterHash : undefined,
+            });
+        }
+        return {
+            toolCallId: result.toolCallId,
+            resultIndex: result.index,
+            tool: call.tool,
+            mutations,
+        };
+    }
+    return null;
+}
+function planReverts(root, mutations) {
+    const steps = [];
+    const unsafe = [];
+    for (const mutation of mutations) {
+        const abs = resolve(root, mutation.path);
+        switch (mutation.operation) {
+            case 'create': {
+                if (!existsSync(abs)) {
+                    // Already gone — nothing to undo for this entry.
+                    continue;
+                }
+                const current = readFileSync(abs, 'utf8');
+                const currentHash = hashContent(current);
+                if (!mutation.afterHash || currentHash !== mutation.afterHash) {
+                    unsafe.push(`${mutation.path}: created by Pugi, then modified by the user — refusing to delete uncommitted work`);
+                    continue;
+                }
+                steps.push({
+                    path: mutation.path,
+                    operation: 'create',
+                    beforeHash: mutation.afterHash,
+                    afterHash: undefined,
+                });
+                break;
+            }
+            case 'update': {
+                if (!existsSync(abs)) {
+                    unsafe.push(`${mutation.path}: file expected to exist for update revert, not found`);
+                    continue;
+                }
+                const current = readFileSync(abs, 'utf8');
+                const currentHash = hashContent(current);
+                if (!mutation.afterHash || currentHash !== mutation.afterHash) {
+                    unsafe.push(`${mutation.path}: updated by Pugi, then modified by the user — refusing to overwrite uncommitted work`);
+                    continue;
+                }
+                const headContent = readHead(root, mutation.path);
+                if (headContent === null) {
+                    unsafe.push(`${mutation.path}: no git HEAD version available for revert`);
+                    continue;
+                }
+                if (mutation.beforeHash && hashContent(headContent) !== mutation.beforeHash) {
+                    unsafe.push(`${mutation.path}: git HEAD differs from the pre-mutation hash — refusing to restore an unverifiable version`);
+                    continue;
+                }
+                steps.push({
+                    path: mutation.path,
+                    operation: 'update',
+                    beforeHash: mutation.afterHash,
+                    afterHash: mutation.beforeHash,
+                    restoreContent: headContent,
+                });
+                break;
+            }
+            case 'delete': {
+                const headContent = readHead(root, mutation.path);
+                if (headContent === null) {
+                    unsafe.push(`${mutation.path}: deleted file has no git HEAD version, cannot restore`);
+                    continue;
+                }
+                if (mutation.beforeHash && hashContent(headContent) !== mutation.beforeHash) {
+                    unsafe.push(`${mutation.path}: git HEAD differs from the pre-deletion hash, cannot restore safely`);
+                    continue;
+                }
+                steps.push({
+                    path: mutation.path,
+                    operation: 'delete',
+                    beforeHash: undefined,
+                    afterHash: mutation.beforeHash,
+                    restoreContent: headContent,
+                });
+                break;
+            }
+            case 'move':
+                // Move reverts are not in M1 scope — the tool layer does not yet
+                // emit `move` mutations. Flag as unsafe so a future operator who
+                // hits this gets a clear failure instead of partial revert.
+                unsafe.push(`${mutation.path}: move undo is not supported in M1`);
+                break;
+        }
+    }
+    if (unsafe.length > 0) {
+        return {
+            aborted: true,
+            reason: 'one or more files are unsafe to revert',
+            unsafe,
+            steps: [],
+        };
+    }
+    return { aborted: false, steps };
+}
+function executeRevert(root, step) {
+    const abs = resolve(root, step.path);
+    if (step.operation === 'create') {
+        // We previously created the file. Reverting means deleting it.
+        unlinkSync(abs);
+        return;
+    }
+    if (step.restoreContent === undefined) {
+        throw new Error(`internal: restoreContent missing for ${step.path}`);
+    }
+    // Atomic write via tmp+rename — same pattern as file-tools.writeTool.
+    const tmp = `${abs}.pugi-undo-${Date.now()}`;
+    writeFileSync(tmp, step.restoreContent, { encoding: 'utf8', mode: 0o600 });
+    renameSync(tmp, abs);
+}
+function readHead(root, path) {
+    try {
+        const out = execFileSync('git', ['show', `HEAD:${path}`], {
+            cwd: root,
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+            maxBuffer: 64 * 1024 * 1024,
+        });
+        return out;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=undo.js.map