@pugi/cli 0.1.0-alpha.3

package/dist/core/permission.js

@@ -0,0 +1,204 @@
+import { basename, resolve } from 'node:path';
+const protectedBasenames = new Set([
+    '.env',
+    '.npmrc',
+    '.yarnrc',
+    '.pypirc',
+    '.gitconfig',
+    'id_rsa',
+    'id_ed25519',
+]);
+const protectedSuffixes = ['.pem', '.key', '.crt', '.p12', '.dump', '.sql'];
+// Hard-deny list for `bash` actions. Substring match against the
+// normalized (trimmed, original-case) command — the model can
+// concatenate arguments any way it wants, but if ANY substring on
+// this list appears the command is refused before /bin/sh sees it.
+//
+// Coverage classes:
+//   - destructive filesystem wipes: rm -rf, dd, mkfs, shred, wipefs
+//   - destructive system ops: chmod 777, chown -R /, setuid bits
+//   - dangerous shell tricks: eval, fork bombs, /dev/sda writes
+//   - git history loss: reset --hard, clean -fdx
+//   - container / infra wipes: docker system prune, k8s delete --all
+//   - destructive SQL: DROP DATABASE / DROP TABLE
+//   - firewall disable: ufw disable, iptables -F
+//   - credential exfil to stdout: cat ~/.ssh/id_rsa, gpg --export
+//
+// Code Reviewer P1 2026-05-23 flagged the previous list as missing
+// dd/mkfs/chmod 777/eval/fork bomb — added below. List intentionally
+// errs toward over-block: a false positive blocks a destructive
+// pattern the human can `pugi bash -- run` manually with confirmation,
+// while a false negative is catastrophic.
+const destructiveBashPatterns = [
+    // Filesystem wipe
+    'rm -rf /',
+    'rm -rf ~',
+    'rm -rf .',
+    'rm -rf *',
+    'rm -rf "/',
+    'rm -rf "~',
+    'dd if=/dev/zero',
+    'dd if=/dev/random',
+    'dd of=/dev/sda',
+    'dd of=/dev/disk',
+    'mkfs',
+    'shred ',
+    'wipefs',
+    '> /dev/sda',
+    '> /dev/disk',
+    // Permission wipe
+    'chmod 777 /',
+    'chmod -R 777 /',
+    'chown -R root /',
+    // Shell tricks
+    ':(){ :|:& };:',
+    'eval "$',
+    "eval '$",
+    // Git history loss
+    'git reset --hard',
+    'git clean -fdx',
+    'git push --force origin main',
+    'git push -f origin main',
+    // Container / infra
+    'docker system prune',
+    'docker rm -f $(docker',
+    'kubectl delete --all',
+    // SQL destructive. Code Reviewer P2 retro 2026-05-23: the
+    // substring match was case-sensitive; lowercase `drop database`
+    // bypassed the gate. We now uppercase-normalise the target
+    // (`hardDenyReason` below) so both upper- and mixed-case SQL
+    // hits the same pattern. Patterns themselves stay uppercase
+    // since they're compared against the uppercased command.
+    'DROP DATABASE',
+    'DROP TABLE',
+    'TRUNCATE TABLE',
+    // Firewall / network
+    'ufw disable',
+    'iptables -F',
+    'iptables --flush',
+    // Credential exfil
+    'cat ~/.ssh/id_rsa',
+    'cat ~/.ssh/id_ed25519',
+    'gpg --export-secret',
+    // SSH config tampering — write paths only. Code Reviewer P2
+    // retro 2026-05-23: a bare `sshd_config` substring also blocked
+    // read-only `cat /etc/sshd_config` / `grep PermitRootLogin
+    // sshd_config`. Scoped to redirections + tee so the model can
+    // still inspect the file but cannot write to it through bash.
+    '> sshd_config',
+    '>> sshd_config',
+    '> /etc/ssh/sshd_config',
+    '>> /etc/ssh/sshd_config',
+    'tee sshd_config',
+    'tee /etc/ssh/sshd_config',
+    'tee -a sshd_config',
+    'tee -a /etc/ssh/sshd_config',
+    // History destruction
+    'history -c',
+    ' >/dev/null 2>&1; rm',
+];
+export function decidePermission(action, settings, root) {
+    const hardDeny = hardDenyReason(action);
+    if (hardDeny) {
+        return { decision: 'deny', reason: hardDeny, source: 'hard_deny' };
+    }
+    const protectedReason = protectedTargetReason(action, root);
+    if (protectedReason) {
+        return decisionForMode(settings.permissions.mode, protectedReason, 'protected_file', 'high');
+    }
+    const signature = `${action.kind}:${action.target}`;
+    if (matchesAny(signature, settings.permissions.deny)) {
+        return { decision: 'deny', reason: `Denied by rule: ${signature}`, source: 'settings.deny' };
+    }
+    if (matchesAny(signature, settings.permissions.notAutomatic) || matchesAny(signature, settings.workflow.notAutomatic)) {
+        return { decision: 'ask', reason: `Marked not automatic: ${signature}`, risk: 'medium' };
+    }
+    if (matchesAny(signature, settings.permissions.allow)) {
+        return { decision: 'allow', reason: `Allowed by rule: ${signature}`, source: 'settings.allow' };
+    }
+    return decisionForMode(settings.permissions.mode, `Default ${settings.permissions.mode} policy`, 'mode', riskForAction(action));
+}
+export function protectedTargetReason(action, root) {
+    if (action.kind !== 'edit' && action.kind !== 'read')
+        return null;
+    const target = resolve(root, action.target);
+    const name = basename(target);
+    if (protectedBasenames.has(name) || name.startsWith('.env.')) {
+        return `Protected file: ${action.target}`;
+    }
+    if (protectedSuffixes.some((suffix) => name.endsWith(suffix))) {
+        return `Protected file suffix: ${action.target}`;
+    }
+    if (target.includes('/.ssh/') || target.includes('/.gnupg/') || target.includes('/.aws/')) {
+        return `Protected credential path: ${action.target}`;
+    }
+    return null;
+}
+function hardDenyReason(action) {
+    if (action.kind !== 'bash')
+        return null;
+    const normalized = action.target.trim();
+    // Patterns whose match must be case-insensitive — primarily SQL verbs
+    // that the model can emit as `drop database`, `Drop Database`, etc.
+    // Code Reviewer P2 retro 2026-05-23: substring match was previously
+    // case-sensitive so lowercase SQL silently bypassed the deny list.
+    // We compare an uppercased copy of the command against the uppercase
+    // patterns below; non-SQL patterns stay exact-match against the
+    // original-case target to avoid over-matching benign filenames.
+    const normalizedUpper = normalized.toUpperCase();
+    const caseInsensitivePatterns = new Set([
+        'DROP DATABASE',
+        'DROP TABLE',
+        'TRUNCATE TABLE',
+    ]);
+    const matched = destructiveBashPatterns.find((pattern) => {
+        if (caseInsensitivePatterns.has(pattern)) {
+            return normalizedUpper.includes(pattern);
+        }
+        return normalized.includes(pattern);
+    });
+    return matched ? `Destructive command blocked: ${matched}` : null;
+}
+function decisionForMode(mode, reason, source, risk) {
+    switch (mode) {
+        case 'plan':
+            return risk === 'low'
+                ? { decision: 'allow', reason, source }
+                : { decision: 'deny', reason: `${reason}; plan mode blocks mutating actions`, source: 'mode.plan' };
+        case 'ask':
+            return { decision: 'ask', reason, risk };
+        case 'acceptEdits':
+            return risk === 'medium'
+                ? { decision: 'allow', reason, source: 'mode.acceptEdits' }
+                : { decision: 'ask', reason, risk };
+        case 'auto':
+            return risk === 'high' ? { decision: 'ask', reason, risk } : { decision: 'allow', reason, source: 'mode.auto' };
+        case 'dontAsk':
+            return risk === 'high'
+                ? { decision: 'deny', reason: `${reason}; dontAsk denies high-risk actions`, source: 'mode.dontAsk' }
+                : { decision: 'allow', reason, source: 'mode.dontAsk' };
+        case 'bypassPermissions':
+            return { decision: 'allow', reason, source: 'mode.bypassPermissions' };
+    }
+}
+function riskForAction(action) {
+    if (action.kind === 'read')
+        return 'low';
+    if (action.kind === 'edit')
+        return 'medium';
+    if (action.kind === 'bash')
+        return 'high';
+    if (action.kind === 'workflow')
+        return 'medium';
+    return 'medium';
+}
+function matchesAny(value, rules) {
+    return rules.some((rule) => {
+        if (rule === value)
+            return true;
+        if (rule.endsWith('*'))
+            return value.startsWith(rule.slice(0, -1));
+        return false;
+    });
+}
+//# sourceMappingURL=permission.js.map

package/dist/core/session.js

@@ -0,0 +1,90 @@
+import { randomUUID } from 'node:crypto';
+import { appendFileSync, existsSync, mkdirSync } from 'node:fs';
+import { resolve } from 'node:path';
+export function openSession(root) {
+    const pugiDir = resolve(root, '.pugi');
+    const enabled = existsSync(pugiDir);
+    const id = `local-${Date.now()}-${randomUUID()}`;
+    const eventsPath = resolve(pugiDir, 'events.jsonl');
+    if (enabled) {
+        mkdirSync(pugiDir, { recursive: true });
+        appendEvent({ id: randomUUID(), sessionId: id, timestamp: now(), type: 'session', name: 'created' }, eventsPath);
+    }
+    return {
+        id,
+        root,
+        pugiDir,
+        eventsPath,
+        enabled,
+    };
+}
+export function recordCommandStarted(session, command) {
+    if (!session.enabled)
+        return;
+    appendEvent({
+        id: randomUUID(),
+        sessionId: session.id,
+        timestamp: now(),
+        type: 'session',
+        name: 'command_started',
+        command,
+    }, session.eventsPath);
+}
+export function recordCommandCompleted(session, command, status) {
+    if (!session.enabled)
+        return;
+    appendEvent({
+        id: randomUUID(),
+        sessionId: session.id,
+        timestamp: now(),
+        type: 'session',
+        name: 'command_completed',
+        command,
+        status,
+    }, session.eventsPath);
+}
+export function recordToolCall(session, tool, inputSummary) {
+    const id = randomUUID();
+    if (!session.enabled)
+        return id;
+    appendEvent({
+        id,
+        sessionId: session.id,
+        timestamp: now(),
+        type: 'tool_call',
+        tool,
+        inputSummary,
+    }, session.eventsPath);
+    return id;
+}
+export function recordToolResult(session, toolCallId, status, outputSummary) {
+    if (!session.enabled)
+        return;
+    appendEvent({
+        id: randomUUID(),
+        sessionId: session.id,
+        timestamp: now(),
+        type: 'tool_result',
+        toolCallId,
+        status,
+        outputSummary,
+    }, session.eventsPath);
+}
+export function recordFileMutation(session, input) {
+    if (!session.enabled)
+        return;
+    appendEvent({
+        id: randomUUID(),
+        sessionId: session.id,
+        timestamp: now(),
+        type: 'file_mutation',
+        ...input,
+    }, session.eventsPath);
+}
+function appendEvent(event, eventsPath) {
+    appendFileSync(eventsPath, `${JSON.stringify(event)}\n`, { encoding: 'utf8', mode: 0o600 });
+}
+function now() {
+    return new Date().toISOString();
+}
+//# sourceMappingURL=session.js.map

package/dist/core/settings.js

@@ -0,0 +1,46 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { z } from 'zod';
+const pugiSettingsSchema = z.object({
+    schema: z.number().int().positive().default(1),
+    workflow: z
+        .object({
+        brand: z.string().default('pugi'),
+        legacyName: z.string().optional(),
+        approvals: z.enum(['auto', 'manual']).default('auto'),
+        notAutomatic: z.array(z.string()).default([]),
+        defaultBaseBranch: z.string().default('dev'),
+        branchPrefixes: z.array(z.string()).default(['feature', 'fix', 'refactor', 'chore']),
+        aiCoAuthorTrailers: z.boolean().default(false),
+    })
+        .default({}),
+    permissions: z
+        .object({
+        mode: z.enum(['plan', 'ask', 'acceptEdits', 'auto', 'dontAsk', 'bypassPermissions']).default('auto'),
+        allow: z.array(z.string()).default([]),
+        deny: z.array(z.string()).default([]),
+        notAutomatic: z.array(z.string()).default([]),
+    })
+        .default({}),
+    privacy: z
+        .object({
+        mode: z.enum(['balanced', 'embeddings-only', 'airgapped']).default('balanced'),
+        telemetry: z.enum(['off', 'anonymous', 'community']).default('off'),
+    })
+        .default({}),
+    artifacts: z
+        .object({
+        defaultPath: z.string().default('.pugi/artifacts'),
+        promoteExplicitly: z.boolean().default(true),
+    })
+        .default({}),
+});
+export function loadSettings(root) {
+    const settingsPath = resolve(root, '.pugi/settings.json');
+    if (!existsSync(settingsPath)) {
+        return pugiSettingsSchema.parse({});
+    }
+    const parsed = JSON.parse(readFileSync(settingsPath, 'utf8'));
+    return pugiSettingsSchema.parse(parsed);
+}
+//# sourceMappingURL=settings.js.map

package/dist/index.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+import { runCli } from './runtime/cli.js';
+runCli(process.argv.slice(2)).catch((error) => {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error(`pugi: ${message}`);
+    process.exitCode = 1;
+});
+//# sourceMappingURL=index.js.map