@pugi/cli 0.1.0-alpha.6 → 0.1.0-alpha.7

package/dist/tools/web-fetch.js

@@ -0,0 +1,535 @@
+/**
+ * web_fetch tool — Sprint α6.15 Phase 1 quick-win.
+ *
+ * One-shot HTTP GET against an operator-supplied URL. The response is
+ * parsed with Readability over a linkedom DOM, converted to Markdown
+ * with Turndown, and returned wrapped in an `<untrusted-content-NONCE>`
+ * sentinel that downstream prompts must treat as data, never as
+ * instructions.
+ *
+ * Sentinel pattern (P0 from `docs/specs/pugi-browser-integration-2026-05-24.md`
+ * §10 risk 3): fetched bytes can carry prompt injection. The Mira system
+ * prompt is expected to honor the `<untrusted-content-*>` wrapping the
+ * way Anthropic Computer Use and Codex `skills/chrome/SKILL.md` do —
+ * treat the block as fact, refuse to follow instructions inside.
+ * The tag carries a per-call random nonce so a page literal of
+ * `</untrusted-content>` cannot break out of the boundary, and the
+ * source URL lives inside the body (escaped) instead of as an opening
+ * attribute so quote-injection cannot break the tag.
+ *
+ * Gate: the tool refuses unless either the caller flips
+ * `web.fetch.enabled = true` in `.pugi/settings.json` or the CLI
+ * runtime sets `allowFetch: true` (mapped from `--allow-fetch`). The
+ * default-off posture mirrors the «no auto-fetch from chat» rule in
+ * §8 anti-pattern 1 of the spec.
+ *
+ * SSRF guard: every URL we are about to fetch (initial + every redirect
+ * hop) is resolved via `dns.lookup` and rejected if any answer maps to
+ * loopback, link-local, RFC 1918, CGNAT, IPv6 ULA/link-local, or the
+ * 0.0.0.0/8 wildcard. There is a microsecond TOCTOU window between
+ * lookup and the kernel's connect(); we accept it for v1 because
+ * exploiting it requires DNS control over the target host plus a
+ * timing race. Tracked as P3 follow-up.
+ *
+ * Brand voice: brief / dispatch / ship / sentinel only. The
+ * brandbook §08 forbidden-word list applies — see CLAUDE.md.
+ */
+import { request } from 'undici';
+import { Readability } from '@mozilla/readability';
+import { parseHTML } from 'linkedom';
+import TurndownService from 'turndown';
+import { randomBytes } from 'node:crypto';
+import { lookup as dnsLookup } from 'node:dns/promises';
+import { isIPv4, isIPv6 } from 'node:net';
+let activeLookup = async (hostname) => await dnsLookup(hostname, { all: true, verbatim: true });
+export function _setLookupForTests(fn) {
+    activeLookup = fn ?? (async (hostname) => await dnsLookup(hostname, { all: true, verbatim: true }));
+}
+const FETCH_TIMEOUT_MS = 10_000;
+const MAX_RESPONSE_BYTES = 5 * 1024 * 1024; // 5 MiB
+const MAX_REDIRECTS = 5;
+const USER_AGENT = 'pugi-cli/0.1 (+https://pugi.dev)';
+const ALLOWED_CONTENT_TYPES = ['text/html', 'application/xhtml+xml', 'text/plain'];
+export function isWebFetchEnabled(ctx) {
+    if (ctx.allowFetch === true)
+        return true;
+    return ctx.settings.web?.fetch?.enabled === true;
+}
+/* ----------------------- SSRF guard helpers ---------------------- */
+/**
+ * Parse a dotted IPv4 string into a 32-bit unsigned integer. Returns
+ * `null` if the string is not a syntactically valid IPv4. We avoid
+ * adding `ip-address` to keep the deps surface clean.
+ */
+function ipv4ToInt(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        return null;
+    let acc = 0;
+    for (const part of parts) {
+        if (!/^\d{1,3}$/.test(part))
+            return null;
+        const n = Number(part);
+        if (n < 0 || n > 255)
+            return null;
+        acc = (acc << 8) + n;
+    }
+    // Force unsigned 32-bit.
+    return acc >>> 0;
+}
+/**
+ * Hand-rolled IPv4 CIDR check. `prefix` is the high-bit count.
+ */
+function ipv4InCidr(ip, cidr, prefix) {
+    const ipInt = ipv4ToInt(ip);
+    const baseInt = ipv4ToInt(cidr);
+    if (ipInt === null || baseInt === null)
+        return false;
+    if (prefix === 0)
+        return true;
+    const mask = prefix === 32 ? 0xffffffff : (0xffffffff << (32 - prefix)) >>> 0;
+    return (ipInt & mask) === (baseInt & mask);
+}
+/**
+ * IPv4 blocklist — every range that must never reach a server-side
+ * fetcher. Sources: IANA special-purpose registry plus the standard
+ * SSRF cheat-sheet (loopback, RFC 1918, link-local, CGNAT, wildcard).
+ */
+const IPV4_BLOCKED_RANGES = [
+    ['0.0.0.0', 8], // "this network" wildcard
+    ['10.0.0.0', 8], // RFC 1918
+    ['100.64.0.0', 10], // RFC 6598 CGNAT
+    ['127.0.0.0', 8], // loopback
+    ['169.254.0.0', 16], // link-local + AWS/GCP metadata
+    ['172.16.0.0', 12], // RFC 1918
+    ['192.0.0.0', 24], // IETF protocol assignments
+    ['192.168.0.0', 16], // RFC 1918
+    ['198.18.0.0', 15], // benchmarking
+    ['224.0.0.0', 4], // multicast
+    ['240.0.0.0', 4], // reserved (includes 255.255.255.255 broadcast)
+];
+/**
+ * Expand an IPv6 address into 8 16-bit hex words. Handles `::`
+ * shorthand and IPv4-mapped trailers (`::ffff:1.2.3.4`).
+ * Returns `null` if the input cannot be parsed as IPv6.
+ */
+function expandIPv6(ip) {
+    // Strip zone id (`%eth0` etc) — it is not part of the address.
+    const bare = ip.split('%')[0] ?? ip;
+    // Handle IPv4-mapped form by converting the trailing dotted quad
+    // into two hex words first.
+    let working = bare;
+    const lastColon = working.lastIndexOf(':');
+    if (lastColon !== -1 && working.slice(lastColon + 1).includes('.')) {
+        const dotted = working.slice(lastColon + 1);
+        const v4 = ipv4ToInt(dotted);
+        if (v4 === null)
+            return null;
+        const hi = ((v4 >>> 16) & 0xffff).toString(16);
+        const lo = (v4 & 0xffff).toString(16);
+        working = `${working.slice(0, lastColon)}:${hi}:${lo}`;
+    }
+    if (!working.includes(':'))
+        return null;
+    const sides = working.split('::');
+    if (sides.length > 2)
+        return null;
+    const leftRaw = sides[0] ?? '';
+    const rightRaw = sides.length === 2 ? sides[1] ?? '' : '';
+    const left = leftRaw === '' ? [] : leftRaw.split(':');
+    const right = rightRaw === '' ? [] : rightRaw.split(':');
+    const totalGiven = left.length + right.length;
+    if (sides.length === 1 && totalGiven !== 8)
+        return null;
+    if (totalGiven > 8)
+        return null;
+    const fillCount = 8 - totalGiven;
+    const filled = [...left, ...Array(fillCount).fill('0'), ...right];
+    for (const word of filled) {
+        if (!/^[0-9a-fA-F]{1,4}$/.test(word))
+            return null;
+    }
+    return filled.map((w) => w.toLowerCase().padStart(4, '0'));
+}
+/**
+ * Reject the IPv6 ranges the SSRF guard never wants to reach.
+ * Covers loopback (::1), unspecified (::), link-local (fe80::/10),
+ * unique local (fc00::/7), discard (100::/64), and IPv4-mapped
+ * (::ffff:0:0/96 — must also block since the embedded IPv4 still
+ * routes locally on some stacks).
+ */
+/**
+ * Build a dotted IPv4 string from the last two 16-bit words of an
+ * expanded IPv6 address. Shared by every embedded-IPv4 path below
+ * (IPv4-mapped, IPv4-translated SIIT, NAT64 well-known).
+ */
+function embeddedIPv4FromTrailingWords(words) {
+    const high = parseInt(words[6] ?? '0', 16);
+    const low = parseInt(words[7] ?? '0', 16);
+    return `${high >>> 8}.${high & 0xff}.${low >>> 8}.${low & 0xff}`;
+}
+function ipv6IsBlocked(ip) {
+    const words = expandIPv6(ip);
+    if (!words)
+        return false;
+    const joined = words.join('');
+    // ::1 loopback.
+    if (joined === '00000000000000000000000000000001')
+        return true;
+    // :: unspecified / wildcard.
+    if (joined === '00000000000000000000000000000000')
+        return true;
+    // ::ffff:0:0/96 IPv4-mapped (RFC 4291 §2.5.5.2):
+    //   words[0..4] = 0000, words[5] = ffff.
+    // Example: ::ffff:127.0.0.1 → [0,0,0,0,0,ffff,7f00,0001].
+    if (words.slice(0, 5).every((w) => w === '0000') && words[5] === 'ffff') {
+        const embedded = embeddedIPv4FromTrailingWords(words);
+        if (ipv4IsBlocked(embedded))
+            return true;
+    }
+    // ::ffff:0:0:0/96 IPv4-translated (RFC 6145 §2.2 / RFC 6052 SIIT):
+    //   words[0..3] = 0000, words[4] = ffff, words[5] = 0000.
+    // Example: ::ffff:0:a9fe:a9fe → [0,0,0,0,ffff,0,a9fe,a9fe] → 169.254.169.254.
+    // Codex P2 (PR #349): the original guard only covered the IPv4-mapped
+    // form above. SIIT/NAT64 stacks (Linux clatd, some macOS revisions,
+    // and various carrier-NAT64 deployments) translate `::ffff:0:a.b.c.d`
+    // straight to the embedded IPv4, so without this branch a hostile
+    // literal could ride through to the metadata service.
+    if (words.slice(0, 4).every((w) => w === '0000') &&
+        words[4] === 'ffff' &&
+        words[5] === '0000') {
+        const embedded = embeddedIPv4FromTrailingWords(words);
+        if (ipv4IsBlocked(embedded))
+            return true;
+    }
+    // 100::/64 discard prefix.
+    if (words[0] === '0100' && words.slice(1, 4).every((w) => w === '0000'))
+        return true;
+    // 64:ff9b::/96 — well-known NAT64 (still resolves to embedded IPv4).
+    if (words[0] === '0064' && words[1] === 'ff9b' && words.slice(2, 6).every((w) => w === '0000')) {
+        const embedded = embeddedIPv4FromTrailingWords(words);
+        if (ipv4IsBlocked(embedded))
+            return true;
+    }
+    // fc00::/7 — unique local (high 7 bits = 1111110).
+    const firstByte = parseInt(words[0]?.slice(0, 2) ?? '00', 16);
+    if ((firstByte & 0xfe) === 0xfc)
+        return true;
+    // fe80::/10 — link-local (first 10 bits = 1111111010).
+    const firstTen = parseInt(words[0] ?? '0000', 16) & 0xffc0;
+    if (firstTen === 0xfe80)
+        return true;
+    // ff00::/8 — multicast.
+    if (firstByte === 0xff)
+        return true;
+    return false;
+}
+function ipv4IsBlocked(ip) {
+    for (const [base, prefix] of IPV4_BLOCKED_RANGES) {
+        if (ipv4InCidr(ip, base, prefix))
+            return true;
+    }
+    return false;
+}
+/**
+ * Resolve `hostname` via dns.lookup and reject if any answer maps to
+ * a private/loopback/link-local/CGNAT range. Returns `null` on success
+ * (safe to fetch), an error string when the lookup or guard fails.
+ *
+ * `hostname` is whatever URL.hostname returned, so it may already be
+ * a literal IP (with brackets stripped). We honor that fast-path and
+ * skip DNS.
+ */
+async function validateHostnameForFetch(hostname) {
+    // URL.hostname keeps the brackets off IPv6 literals already.
+    if (!hostname)
+        return 'empty hostname';
+    // Literal `localhost` resolves locally regardless of DNS — refuse
+    // by name so a hosts-file alias to a public IP cannot smuggle it.
+    if (hostname.toLowerCase() === 'localhost') {
+        return 'localhost is blocked (SSRF guard)';
+    }
+    // Fast-path: literal IP. Skip DNS.
+    if (isIPv4(hostname)) {
+        if (ipv4IsBlocked(hostname)) {
+            return `IP ${hostname} is in a blocked range (SSRF guard)`;
+        }
+        return null;
+    }
+    if (isIPv6(hostname)) {
+        if (ipv6IsBlocked(hostname)) {
+            return `IPv6 ${hostname} is in a blocked range (SSRF guard)`;
+        }
+        return null;
+    }
+    // DNS lookup — refuse if any answer is private. The active resolver
+    // is module-private so tests can stub it.
+    let answers;
+    try {
+        answers = await activeLookup(hostname);
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        return `DNS lookup failed for ${hostname}: ${msg}`;
+    }
+    if (answers.length === 0) {
+        return `DNS returned no answers for ${hostname}`;
+    }
+    for (const answer of answers) {
+        if (answer.family === 4 && ipv4IsBlocked(answer.address)) {
+            return `${hostname} resolves to ${answer.address} which is in a blocked range (SSRF guard)`;
+        }
+        if (answer.family === 6 && ipv6IsBlocked(answer.address)) {
+            return `${hostname} resolves to ${answer.address} which is in a blocked range (SSRF guard)`;
+        }
+    }
+    return null;
+}
+/* ----------------------- sentinel helpers ---------------------- */
+/**
+ * HTML-escape the five characters that can break out of either an
+ * element body or an attribute value. We place the source URL inside
+ * the sentinel body (not as an attribute), so the only realistic
+ * breakout vector is a literal `</untrusted-content-NONCE>` closing
+ * tag, but escaping `<` and `>` covers it cheaply.
+ *
+ * Exported for spec coverage; production callers must keep using
+ * the wrapper inside `webFetchTool`.
+ */
+export function escapeForSentinelBody(input) {
+    return input
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+/**
+ * Strip any literal `</untrusted-content-NONCE>` (or the bare legacy
+ * form) from fetched body content. The nonce makes a successful
+ * breakout cryptographically improbable but the extra scrub costs
+ * nothing and gives defense-in-depth.
+ */
+function scrubSentinelEscapes(input, nonce) {
+    const nonceTag = new RegExp(`</?untrusted-content-${nonce}>`, 'gi');
+    const bareTag = /<\/?untrusted-content[^>]*>/gi;
+    return input.replace(nonceTag, '').replace(bareTag, '');
+}
+/* ----------------------- response read ---------------------- */
+/**
+ * Read the response body with a hard 5 MiB streaming cap. Disables
+ * undici auto-decompression upstream (caller sets accept-encoding:
+ * identity) so the cap is meaningful — otherwise a 50 KB gzip bomb
+ * could expand to gigabytes before we noticed.
+ *
+ * On size overflow we abort the request via the AbortController AND
+ * destroy the body stream so the socket closes instead of dangling.
+ */
+async function readBodyWithCap(body, controller) {
+    const chunks = [];
+    let total = 0;
+    try {
+        for await (const chunk of body) {
+            const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+            total += buf.length;
+            if (total > MAX_RESPONSE_BYTES) {
+                controller.abort();
+                // undici BodyReadable extends Node Readable — destroy() closes
+                // the underlying socket eagerly so we are not waiting on GC.
+                try {
+                    if (typeof body.destroy === 'function')
+                        body.destroy();
+                }
+                catch {
+                    /* ignore — abort already fired */
+                }
+                return { ok: false, error: `Response exceeded ${MAX_RESPONSE_BYTES} byte cap.` };
+            }
+            chunks.push(buf);
+        }
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        return { ok: false, error: `Body read failed: ${msg}` };
+    }
+    return { ok: true, buffer: Buffer.concat(chunks) };
+}
+/**
+ * Dispatch a single GET, follow up to MAX_REDIRECTS hops, enforce the
+ * 5 MiB / 10 s caps, refuse non-2xx and unsupported content-types.
+ * Returns the wrapped Markdown on success, an error result otherwise.
+ *
+ * No retries: GET is idempotent but the contract is one-shot per
+ * spec; surface the error to the operator and let them re-dispatch
+ * explicitly.
+ */
+export async function webFetchTool(input, ctx) {
+    if (!isWebFetchEnabled(ctx)) {
+        return {
+            ok: false,
+            error: 'web_fetch disabled. Enable with --allow-fetch or set web.fetch.enabled=true in .pugi/settings.json.',
+        };
+    }
+    let parsedUrl;
+    try {
+        parsedUrl = new URL(input.url);
+    }
+    catch {
+        return { ok: false, error: `Invalid URL: ${input.url}` };
+    }
+    if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+        return { ok: false, error: `Unsupported scheme ${parsedUrl.protocol} — only http/https.` };
+    }
+    // Strip IPv6 brackets — URL.hostname keeps them, dns/net do not.
+    const initialHost = parsedUrl.hostname.replace(/^\[|\]$/g, '');
+    const initialGuard = await validateHostnameForFetch(initialHost);
+    if (initialGuard) {
+        return { ok: false, error: `SSRF refused: ${initialGuard}` };
+    }
+    // Manual redirect loop: undici v8 moved `maxRedirections` off the
+    // per-request options and onto the redirect interceptor, which we
+    // skip to keep the call site MockAgent-compatible. Cap at 5 hops.
+    // Every hop re-runs the SSRF guard because a public origin can
+    // return `302 Location: http://169.254.169.254/...`.
+    let response = null;
+    let currentUrl = parsedUrl;
+    let hops = 0;
+    const controller = new AbortController();
+    try {
+        while (true) {
+            response = await request(currentUrl.toString(), {
+                method: 'GET',
+                headers: {
+                    'user-agent': USER_AGENT,
+                    accept: 'text/html,application/xhtml+xml',
+                    // Disable content-encoding negotiation — undici would
+                    // auto-decompress gzip/br otherwise and our streaming cap
+                    // would only see post-decompression bytes, making a small
+                    // gzip bomb expand to GBs before the cap trips.
+                    'accept-encoding': 'identity',
+                },
+                bodyTimeout: FETCH_TIMEOUT_MS,
+                headersTimeout: FETCH_TIMEOUT_MS,
+                signal: controller.signal,
+            });
+            if (response.statusCode >= 300 && response.statusCode < 400) {
+                const loc = response.headers['location'];
+                const locStr = Array.isArray(loc) ? loc[0] : loc;
+                if (typeof locStr !== 'string' || locStr.length === 0)
+                    break;
+                hops += 1;
+                if (hops > MAX_REDIRECTS) {
+                    // Drain the body on the way out so the underlying socket
+                    // closes deterministically instead of lingering until GC.
+                    // Codex P2 (PR #349 triple-review): without this dump() the
+                    // socket stays half-read until the response object is
+                    // collected, which under load can exhaust the connection
+                    // pool. `dump()` swallows errors; the catch is belt + braces.
+                    try {
+                        await response.body.dump();
+                    }
+                    catch {
+                        try {
+                            response.body.destroy();
+                        }
+                        catch {
+                            /* socket already closed — nothing to do */
+                        }
+                    }
+                    return { ok: false, error: `Exceeded ${MAX_REDIRECTS} redirect hops.` };
+                }
+                // Drain prior body so the socket can be reused.
+                await response.body.dump();
+                let nextUrl;
+                try {
+                    nextUrl = new URL(locStr, currentUrl);
+                }
+                catch {
+                    return { ok: false, error: `Invalid redirect target: ${locStr}` };
+                }
+                if (nextUrl.protocol !== 'http:' && nextUrl.protocol !== 'https:') {
+                    return {
+                        ok: false,
+                        error: `Refusing redirect to unsupported scheme ${nextUrl.protocol}.`,
+                    };
+                }
+                const nextHost = nextUrl.hostname.replace(/^\[|\]$/g, '');
+                const guard = await validateHostnameForFetch(nextHost);
+                if (guard) {
+                    return { ok: false, error: `SSRF refused on redirect: ${guard}` };
+                }
+                currentUrl = nextUrl;
+                continue;
+            }
+            break;
+        }
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return { ok: false, error: `Fetch failed: ${message}` };
+    }
+    if (!response) {
+        return { ok: false, error: 'No response received.' };
+    }
+    if (response.statusCode < 200 || response.statusCode >= 300) {
+        return { ok: false, error: `HTTP ${response.statusCode} from ${currentUrl.toString()}` };
+    }
+    // content-length is advisory — never trust it for the size cap, but
+    // we can short-circuit obviously huge declared payloads BEFORE we
+    // start reading. The streaming cap is still the source of truth.
+    const declaredLengthRaw = response.headers['content-length'];
+    const declaredLength = Array.isArray(declaredLengthRaw) ? declaredLengthRaw[0] : declaredLengthRaw;
+    if (typeof declaredLength === 'string' && /^\d+$/.test(declaredLength)) {
+        const n = Number(declaredLength);
+        if (n > MAX_RESPONSE_BYTES) {
+            controller.abort();
+            try {
+                response.body.destroy();
+            }
+            catch {
+                /* ignore */
+            }
+            return {
+                ok: false,
+                error: `Declared content-length ${n} exceeds ${MAX_RESPONSE_BYTES} byte cap.`,
+            };
+        }
+    }
+    const contentTypeRaw = response.headers['content-type'];
+    const contentType = Array.isArray(contentTypeRaw) ? contentTypeRaw[0] : contentTypeRaw;
+    const mime = typeof contentType === 'string' ? contentType.split(';')[0]?.trim().toLowerCase() ?? '' : '';
+    if (!ALLOWED_CONTENT_TYPES.includes(mime)) {
+        return { ok: false, error: `Disallowed content-type ${mime || '(none)'}; only HTML/XHTML/text.` };
+    }
+    const bodyResult = await readBodyWithCap(response.body, controller);
+    if (!bodyResult.ok)
+        return bodyResult;
+    const html = bodyResult.buffer.toString('utf8');
+    // linkedom is the lightweight DOM Readability needs; jsdom would
+    // add ~3 MB to the install footprint for the same surface.
+    const { document } = parseHTML(html);
+    const article = new Readability(document).parse();
+    const title = article?.title?.trim() || currentUrl.hostname;
+    const articleHtml = article?.content ?? html;
+    const turndown = new TurndownService({ headingStyle: 'atx', codeBlockStyle: 'fenced' });
+    const markdown = turndown.turndown(articleHtml).trim();
+    // Per-call nonce defeats sentinel escape via literal `</untrusted-content>`
+    // inside fetched bodies. Tag carries the nonce; downstream consumers
+    // match dynamically. Source URL lives INSIDE the sentinel body
+    // (escaped) so a quote-injection in the URL cannot break the tag.
+    const nonce = randomBytes(8).toString('hex');
+    const scrubbedMarkdown = scrubSentinelEscapes(markdown, nonce);
+    const safeSource = escapeForSentinelBody(currentUrl.toString());
+    const wrapped = `<untrusted-content-${nonce}>\n` +
+        `Source: ${safeSource}\n\n` +
+        `${scrubbedMarkdown}\n` +
+        `</untrusted-content-${nonce}>`;
+    return {
+        ok: true,
+        url: currentUrl.toString(),
+        title,
+        content_md: wrapped,
+        fetched_at: new Date().toISOString(),
+    };
+}
+//# sourceMappingURL=web-fetch.js.map

package/dist/tui/device-flow.js

@@ -0,0 +1,142 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useEffect, useState } from 'react';
+import { Box, Text, useInput } from 'ink';
+const SPINNER_FRAMES = ['⠋', '⠙', '⠹', '⠸', '⠼', '⠴', '⠦', '⠧', '⠇', '⠏'];
+const ACCENT_CYAN = 'cyan';
+const ACCENT_RED = 'red';
+/**
+ * P2-1 (triple-review 2026-05-24): both `userCode` and
+ * `verificationUrl` originate from a server response and would render
+ * verbatim into Ink `<Text>`. A hostile or compromised server could
+ * embed ANSI escape sequences (clear screen, cursor moves, hyperlink
+ * faking) and they would EXECUTE in the user's terminal. We whitelist
+ * the user code to the documented alphabet (uppercase letters, digits,
+ * dashes) and clamp the URL to the same safe-http guard used by the
+ * auto-open helper. Anything outside the whitelist renders as a
+ * `<invalid>` placeholder so the visual contract stays intact while
+ * the dangerous bytes never reach the terminal.
+ */
+const USER_CODE_PATTERN = /^[A-Z0-9-]{1,16}$/;
+function sanitizeUserCode(code) {
+    return USER_CODE_PATTERN.test(code) ? code : '<invalid>';
+}
+function hasControlChar(input) {
+    // Reject any C0 (0x00-0x1F, 0x7F) or C1 (0x80-0x9F) control byte.
+    // ESC (0x1B) is the gateway character for every ANSI escape sequence
+    // we care about (CSI, OSC, hyperlink), and CSI alone (0x9B) is the
+    // C1 single-byte form some terminals still honour.
+    for (let i = 0; i < input.length; i += 1) {
+        const code = input.charCodeAt(i);
+        if (code <= 0x1f)
+            return true;
+        if (code === 0x7f)
+            return true;
+        if (code >= 0x80 && code <= 0x9f)
+            return true;
+    }
+    return false;
+}
+function sanitizeDisplayUrl(url) {
+    // Reject control characters BEFORE handing to `new URL`. The URL
+    // parser preserves ESC bytes inside the path, so a server response
+    // with an embedded escape would otherwise round-trip into the Ink
+    // render and execute against the user terminal.
+    if (hasControlChar(url))
+        return '<invalid URL>';
+    try {
+        const parsed = new URL(url);
+        if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
+            return '<invalid URL>';
+        }
+        return url;
+    }
+    catch {
+        return '<invalid URL>';
+    }
+}
+/**
+ * Pugi device-flow Ink view. Stateless w.r.t. the network — the host
+ * supplies `status` and we render the matching frame.
+ */
+export function DeviceFlow(props) {
+    const copiedFlashMs = props.copiedFlashMs ?? 800;
+    const spinnerIntervalMs = props.spinnerIntervalMs ?? 120;
+    const [copied, setCopied] = useState(false);
+    const [spinnerFrame, setSpinnerFrame] = useState(0);
+    useInput((input, key) => {
+        if (key.escape) {
+            props.onCancel();
+            return;
+        }
+        if (input === 'c' || input === 'C') {
+            // The host owns the clipboard side effect. The component just
+            // signals the intent and surfaces the "Copied!" flash.
+            props.onCopy();
+            setCopied(true);
+            return;
+        }
+        if (key.return && props.status.kind === 'success') {
+            props.onContinue();
+            return;
+        }
+    });
+    // Spinner pulse — only while polling. Pausing the interval on
+    // success/failure avoids a no-op timer surviving past the final
+    // render frame.
+    useEffect(() => {
+        if (props.status.kind !== 'polling')
+            return;
+        const handle = setInterval(() => {
+            setSpinnerFrame((current) => (current + 1) % SPINNER_FRAMES.length);
+        }, spinnerIntervalMs);
+        return () => clearInterval(handle);
+    }, [props.status.kind, spinnerIntervalMs]);
+    // "Copied!" auto-clear so the chip flashes briefly without sticking.
+    useEffect(() => {
+        if (!copied)
+            return;
+        const handle = setTimeout(() => setCopied(false), copiedFlashMs);
+        return () => clearTimeout(handle);
+    }, [copied, copiedFlashMs]);
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 2, paddingY: 1, children: [_jsx(Box, { children: _jsx(Text, { bold: true, color: ACCENT_CYAN, children: "Authorize Pugi CLI" }) }), _jsx(CodeChip, { code: sanitizeUserCode(props.userCode) }), _jsx(BrowserHintRow, { opened: props.browserOpened, url: sanitizeDisplayUrl(props.verificationUrl), copied: copied }), _jsx(Box, { marginTop: 1, children: _jsx(StatusRow, { status: props.status, spinnerFrame: spinnerFrame }) }), _jsx(Box, { marginTop: 1, children: _jsx(FooterHint, { status: props.status }) })] }));
+}
+/**
+ * Centered short-code "chip". The Pugi device-flow user code is
+ * always the 9-character "XXXX-XXXX" form (4 + dash + 4) generated by
+ * the Anvil device-flow start endpoint — we render it in cyan-bold so
+ * the user's eye lands on it instantly when comparing against the
+ * cabinet page.
+ */
+function CodeChip({ code }) {
+    return (_jsx(Box, { marginTop: 1, justifyContent: "center", children: _jsx(Text, { bold: true, color: ACCENT_CYAN, children: `  ${code}  ` }) }));
+}
+function BrowserHintRow({ opened, url, copied, }) {
+    if (copied) {
+        return (_jsx(Box, { marginTop: 1, children: _jsx(Text, { color: ACCENT_CYAN, children: "Copied!" }) }));
+    }
+    if (opened) {
+        return (_jsxs(Box, { marginTop: 1, flexDirection: "column", children: [_jsx(Text, { dimColor: true, children: "Browser opened to" }), _jsx(Text, { dimColor: true, children: url })] }));
+    }
+    return (_jsxs(Box, { marginTop: 1, flexDirection: "column", children: [_jsx(Text, { dimColor: true, children: "Browser didn't open? Use the URL below to sign in (c to copy)" }), _jsx(Text, { children: url })] }));
+}
+function StatusRow({ status, spinnerFrame, }) {
+    if (status.kind === 'polling') {
+        const glyph = SPINNER_FRAMES[spinnerFrame] ?? SPINNER_FRAMES[0];
+        return (_jsxs(Text, { children: [_jsx(Text, { color: ACCENT_CYAN, children: glyph }), _jsx(Text, { children: ' Waiting for browser approval…' })] }));
+    }
+    if (status.kind === 'success') {
+        return (_jsxs(Text, { children: [_jsx(Text, { color: ACCENT_CYAN, children: '✓ ' }), _jsx(Text, { color: ACCENT_CYAN, children: `Logged in as ${status.principalLabel}` })] }));
+    }
+    // failure
+    return (_jsxs(Box, { flexDirection: "column", children: [_jsxs(Text, { children: [_jsx(Text, { color: ACCENT_RED, children: '✗ ' }), _jsx(Text, { color: ACCENT_RED, children: status.reason })] }), status.hint ? _jsx(Text, { dimColor: true, children: status.hint }) : null] }));
+}
+function FooterHint({ status }) {
+    if (status.kind === 'success') {
+        return _jsx(Text, { dimColor: true, children: "Press Enter to continue\u2026" });
+    }
+    if (status.kind === 'failure') {
+        return _jsx(Text, { dimColor: true, children: "Esc to dismiss \u00B7 Run `pugi login` again to retry" });
+    }
+    return _jsx(Text, { dimColor: true, children: "Esc to cancel \u00B7 c to copy URL" });
+}
+//# sourceMappingURL=device-flow.js.map