@pugi/cli 0.1.0-alpha.9 → 0.1.0-beta.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +33 -0
- package/THIRD_PARTY_NOTICES.md +40 -0
- package/assets/pugi-mascot.ansi +16 -0
- package/dist/commands/deploy.js +439 -0
- package/dist/core/agents/loader.js +104 -0
- package/dist/core/agents/registry.js +1 -1
- package/dist/core/consensus/anvil-fanout.js +276 -0
- package/dist/core/consensus/diff-capture.js +382 -0
- package/dist/core/consensus/rubric.js +233 -0
- package/dist/core/context/index.js +21 -0
- package/dist/core/context/pugiignore.js +316 -0
- package/dist/core/context/repo-skeleton.js +533 -0
- package/dist/core/context/watcher.js +342 -0
- package/dist/core/context/working-set.js +165 -0
- package/dist/core/edits/dispatch.js +185 -0
- package/dist/core/edits/index.js +15 -0
- package/dist/core/edits/layer-a-apply.js +217 -0
- package/dist/core/edits/layer-b-apply.js +211 -0
- package/dist/core/edits/layer-c-apply.js +160 -0
- package/dist/core/edits/layer-d-ast.js +29 -0
- package/dist/core/edits/marker-parser.js +401 -0
- package/dist/core/edits/security-gate.js +223 -0
- package/dist/core/edits/worktree.js +322 -0
- package/dist/core/engine/native-pugi.js +6 -1
- package/dist/core/engine/prompts.js +8 -0
- package/dist/core/engine/tool-bridge.js +33 -1
- package/dist/core/lsp/client.js +719 -0
- package/dist/core/repl/ask.js +512 -0
- package/dist/core/repl/cancellation.js +98 -0
- package/dist/core/repl/dispatch-fsm.js +220 -0
- package/dist/core/repl/privacy-banner.js +71 -0
- package/dist/core/repl/session.js +1908 -13
- package/dist/core/repl/slash-commands.js +92 -32
- package/dist/core/repl/store/index.js +12 -0
- package/dist/core/repl/store/jsonl-log.js +321 -0
- package/dist/core/repl/store/lockfile.js +155 -0
- package/dist/core/repl/store/session-store.js +792 -0
- package/dist/core/repl/store/types.js +44 -0
- package/dist/core/repl/store/uuid-v7.js +68 -0
- package/dist/core/repl/workspace-context.js +72 -1
- package/dist/core/skills/defaults.js +457 -0
- package/dist/core/skills/loader.js +454 -0
- package/dist/core/skills/sources.js +480 -0
- package/dist/core/skills/trust.js +172 -0
- package/dist/runtime/cli.js +998 -12
- package/dist/runtime/commands/agents.js +385 -0
- package/dist/runtime/commands/config.js +338 -8
- package/dist/runtime/commands/delegate.js +289 -0
- package/dist/runtime/commands/lsp.js +206 -0
- package/dist/runtime/commands/patch.js +128 -0
- package/dist/runtime/commands/review-consensus.js +399 -0
- package/dist/runtime/commands/roster.js +117 -0
- package/dist/runtime/commands/skills.js +401 -0
- package/dist/runtime/commands/worktree.js +177 -0
- package/dist/runtime/plan-decompose.js +531 -0
- package/dist/tools/apply-patch.js +495 -0
- package/dist/tools/file-tools.js +90 -0
- package/dist/tools/lsp-tools.js +189 -0
- package/dist/tools/registry.js +26 -0
- package/dist/tools/web-fetch.js +1 -1
- package/dist/tui/agent-tree-pane.js +9 -0
- package/dist/tui/ask-cli.js +52 -0
- package/dist/tui/ask-modal.js +211 -0
- package/dist/tui/conversation-pane.js +48 -3
- package/dist/tui/input-box.js +48 -5
- package/dist/tui/markdown-render.js +266 -0
- package/dist/tui/repl-render.js +319 -3
- package/dist/tui/repl-splash-mascot.js +130 -0
- package/dist/tui/repl-splash.js +7 -1
- package/dist/tui/repl.js +96 -12
- package/dist/tui/status-bar.js +63 -3
- package/dist/tui/tool-stream-pane.js +91 -0
- package/docs/examples/codegraph.mcp.json +10 -0
- package/package.json +14 -6
|
@@ -0,0 +1,495 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* apply_patch tool — α7.7 Phase 1.
|
|
3
|
+
*
|
|
4
|
+
* Accepts a unified diff (the format produced by `git diff` and
|
|
5
|
+
* consumed by `git apply`) and lands it atomically into the workspace.
|
|
6
|
+
* This is the third edit primitive alongside the α6.6 4-layer diff
|
|
7
|
+
* escalation: where the layers escalate from minimal `oldString`/
|
|
8
|
+
* `newString` blocks up to full-file rewrites, apply_patch covers the
|
|
9
|
+
* unified-diff dialect that OpenAI Codex and most external tools emit.
|
|
10
|
+
*
|
|
11
|
+
* Why we have both:
|
|
12
|
+
*
|
|
13
|
+
* - The 4-layer escalation maximises model-side success rate on
|
|
14
|
+
* conversational edits (Claude / Gemini / OpenAI all have a
|
|
15
|
+
* preferred dialect that maps onto one of the layers).
|
|
16
|
+
* - apply_patch is the "external tools speak this" path. A model
|
|
17
|
+
* emits a single unified diff (the format `git diff` produces),
|
|
18
|
+
* and we run it through `git apply` with the same security gate
|
|
19
|
+
* the layers use.
|
|
20
|
+
*
|
|
21
|
+
* Security: every file mentioned in the patch goes through the same
|
|
22
|
+
* `applySecurityGate` chokepoint as the layers (see
|
|
23
|
+
* `src/core/edits/security-gate.ts`). A patch that touches
|
|
24
|
+
* `../../etc/passwd`, `.env`, or a workspace-local symlink to a protected
|
|
25
|
+
* file is rejected BEFORE `git apply` runs. Symlink escape, protected
|
|
26
|
+
* file, and path traversal are all covered by the same gate the layers
|
|
27
|
+
* inherit — we never roll our own resolver here.
|
|
28
|
+
*
|
|
29
|
+
* Atomicity: a multi-file patch either lands entirely or not at all.
|
|
30
|
+
* `git apply --check` validates the patch end-to-end against the
|
|
31
|
+
* working tree first; only on a clean check do we run the real apply.
|
|
32
|
+
* If the apply still fails partway (extremely rare — usually a race
|
|
33
|
+
* with another writer), we run `git checkout -- <each file>` to roll
|
|
34
|
+
* the tree back. This keeps the dispatcher's invariant: a tool result
|
|
35
|
+
* of `ok: false` means the workspace is unchanged.
|
|
36
|
+
*
|
|
37
|
+
* Idempotency: applying the same patch twice rejects the second with
|
|
38
|
+
* `already_applied`. `git apply` itself returns success only when the
|
|
39
|
+
* patch's pre-image matches the working tree, so a second invocation
|
|
40
|
+
* naturally fails. We translate the specific failure mode into a
|
|
41
|
+
* dedicated reason so callers can short-circuit retry loops.
|
|
42
|
+
*
|
|
43
|
+
* Brand voice: ASCII only, no emoji, no banned words.
|
|
44
|
+
*/
|
|
45
|
+
import { spawnSync } from 'node:child_process';
|
|
46
|
+
import { existsSync, rmSync } from 'node:fs';
|
|
47
|
+
import { resolve, sep } from 'node:path';
|
|
48
|
+
import { applySecurityGate } from '../core/edits/security-gate.js';
|
|
49
|
+
import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
|
|
50
|
+
import { recordToolCall, recordToolResult, recordFileMutation } from '../core/session.js';
|
|
51
|
+
/**
|
|
52
|
+
* Parse the file paths referenced in a unified diff. We look for both
|
|
53
|
+
* `diff --git a/X b/Y` headers (preferred) and the fallback
|
|
54
|
+
* `+++ b/<path>` lines that plain `diff -u` emits. The full set of
|
|
55
|
+
* touched paths feeds the security gate — EVERY file goes through
|
|
56
|
+
* `applySecurityGate` before we trust `git apply` to do anything.
|
|
57
|
+
*
|
|
58
|
+
* Security (R1 fix 2026-05-26, PR #413 r1): git emits C-style quoted
|
|
59
|
+
* path headers when a path contains "unusual" bytes (high bits, control
|
|
60
|
+
* chars, double-quote, backslash) and `core.quotePath` is true (the
|
|
61
|
+
* default). The literal header looks like
|
|
62
|
+
* `diff --git "a/.env" "b/.env"`. Before this fix the regex captured
|
|
63
|
+
* the literal `"b/.env"` string and the security gate's basename match
|
|
64
|
+
* never saw `.env` — `basename('"b/.env"')` is `'.env"'` (note the
|
|
65
|
+
* trailing quote) which does NOT match the `.env` protected pattern.
|
|
66
|
+
* `git apply` then de-quoted the header and happily landed on the real
|
|
67
|
+
* `.env`. We strip the surrounding quotes + decode the C-style escapes
|
|
68
|
+
* via `unquoteGitPath` BEFORE passing to the security gate so the
|
|
69
|
+
* basename matcher sees the real target.
|
|
70
|
+
*/
|
|
71
|
+
export function extractPatchPaths(patch) {
|
|
72
|
+
const paths = new Set();
|
|
73
|
+
for (const line of patch.split('\n')) {
|
|
74
|
+
if (line.startsWith('diff --git ')) {
|
|
75
|
+
// `diff --git a/foo b/bar` — paths can contain spaces only when
|
|
76
|
+
// quoted by git's own diff machinery (rare). The robust extractor
|
|
77
|
+
// matches the `b/...` half because rename diffs carry the new
|
|
78
|
+
// name there.
|
|
79
|
+
// Two variants: unquoted (`a/foo b/bar`) and C-style quoted
|
|
80
|
+
// (`"a/foo" "b/bar"`). We try the quoted form first because the
|
|
81
|
+
// unquoted regex below would accept the literal quote as part of
|
|
82
|
+
// the path otherwise.
|
|
83
|
+
const quoted = line.match(/^diff --git "a\/(.+)" "b\/(.+)"$/);
|
|
84
|
+
if (quoted) {
|
|
85
|
+
if (quoted[1])
|
|
86
|
+
paths.add(unquoteGitPath(quoted[1]));
|
|
87
|
+
if (quoted[2])
|
|
88
|
+
paths.add(unquoteGitPath(quoted[2]));
|
|
89
|
+
continue;
|
|
90
|
+
}
|
|
91
|
+
const match = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
|
|
92
|
+
if (match) {
|
|
93
|
+
if (match[1])
|
|
94
|
+
paths.add(unquoteGitPath(match[1]));
|
|
95
|
+
if (match[2])
|
|
96
|
+
paths.add(unquoteGitPath(match[2]));
|
|
97
|
+
}
|
|
98
|
+
continue;
|
|
99
|
+
}
|
|
100
|
+
if (line.startsWith('+++ ')) {
|
|
101
|
+
const after = line.slice(4).trim();
|
|
102
|
+
if (after === '/dev/null')
|
|
103
|
+
continue;
|
|
104
|
+
const stripped = stripQuotedHalf(after, 'b/');
|
|
105
|
+
if (stripped)
|
|
106
|
+
paths.add(stripTimestampSuffix(stripped));
|
|
107
|
+
continue;
|
|
108
|
+
}
|
|
109
|
+
if (line.startsWith('--- ')) {
|
|
110
|
+
const after = line.slice(4).trim();
|
|
111
|
+
if (after === '/dev/null')
|
|
112
|
+
continue;
|
|
113
|
+
const stripped = stripQuotedHalf(after, 'a/');
|
|
114
|
+
if (stripped)
|
|
115
|
+
paths.add(stripTimestampSuffix(stripped));
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
return Array.from(paths);
|
|
119
|
+
}
|
|
120
|
+
/**
|
|
121
|
+
* Strip the leading `a/` or `b/` prefix from a `---` / `+++` line,
|
|
122
|
+
* handling both unquoted (`b/.env`) and C-style quoted (`"b/.env"`)
|
|
123
|
+
* variants. The returned path is fully de-quoted so the security gate
|
|
124
|
+
* sees the real basename. Returns null when the line does not parse.
|
|
125
|
+
*/
|
|
126
|
+
function stripQuotedHalf(after, prefix) {
|
|
127
|
+
// Quoted form: `"b/path with \"escapes\""`. Detect surrounding quotes
|
|
128
|
+
// first, strip them, then peel the prefix, then unquote the inner
|
|
129
|
+
// C-style escapes.
|
|
130
|
+
if (after.startsWith('"') && after.endsWith('"') && after.length >= 2) {
|
|
131
|
+
const inner = after.slice(1, -1);
|
|
132
|
+
const peeled = inner.startsWith(prefix) ? inner.slice(prefix.length) : inner;
|
|
133
|
+
return unquoteGitPath(peeled);
|
|
134
|
+
}
|
|
135
|
+
const trimmed = after.startsWith(prefix) ? after.slice(prefix.length) : after;
|
|
136
|
+
return trimmed;
|
|
137
|
+
}
|
|
138
|
+
/**
|
|
139
|
+
* Decode git's C-style path quoting. When `core.quotePath` is true
|
|
140
|
+
* (default) git writes paths with high-bit / control / quote bytes as
|
|
141
|
+
* C-string escapes inside double quotes:
|
|
142
|
+
*
|
|
143
|
+
* `"\.env"` -> `.env` (backslash before . is just a literal)
|
|
144
|
+
* `"a\"b"` -> `a"b` (escaped double-quote)
|
|
145
|
+
* `"a\\b"` -> `a\b` (escaped backslash)
|
|
146
|
+
* `"a\tb"` -> `a` + TAB + `b`
|
|
147
|
+
* `"a\341\210\264"` -> `a` + UTF-8 bytes 0xe1 0x88 0xb4
|
|
148
|
+
*
|
|
149
|
+
* Accepts a path that is EITHER already unquoted (passed through) OR an
|
|
150
|
+
* inner string previously stripped of its surrounding quotes. The
|
|
151
|
+
* function is idempotent on already-clean ASCII paths.
|
|
152
|
+
*
|
|
153
|
+
* Reference: git source `quote.c::unquote_c_style`.
|
|
154
|
+
*/
|
|
155
|
+
export function unquoteGitPath(s) {
|
|
156
|
+
// If the caller passed us a wrapped string (`"foo"`), peel it now.
|
|
157
|
+
if (s.startsWith('"') && s.endsWith('"') && s.length >= 2) {
|
|
158
|
+
s = s.slice(1, -1);
|
|
159
|
+
}
|
|
160
|
+
// Fast path: no backslash means no C-style escapes, return as-is.
|
|
161
|
+
if (!s.includes('\\'))
|
|
162
|
+
return s;
|
|
163
|
+
const out = [];
|
|
164
|
+
for (let i = 0; i < s.length; i += 1) {
|
|
165
|
+
const ch = s[i];
|
|
166
|
+
if (ch !== '\\') {
|
|
167
|
+
// Single-byte ASCII or multi-byte JS string char; the byte we
|
|
168
|
+
// emit must match its UTF-8 encoding so the security gate sees
|
|
169
|
+
// the same bytes the filesystem will. JS strings are UTF-16; we
|
|
170
|
+
// bounce through Buffer to get the canonical UTF-8 bytes.
|
|
171
|
+
const bytes = Buffer.from(ch ?? '', 'utf8');
|
|
172
|
+
for (const b of bytes)
|
|
173
|
+
out.push(b);
|
|
174
|
+
continue;
|
|
175
|
+
}
|
|
176
|
+
const next = s[i + 1];
|
|
177
|
+
if (next === undefined) {
|
|
178
|
+
// Trailing backslash with no follower — emit literal.
|
|
179
|
+
out.push(0x5c);
|
|
180
|
+
continue;
|
|
181
|
+
}
|
|
182
|
+
// Three-digit octal escape: `\NNN` (each digit 0-7).
|
|
183
|
+
if (next >= '0' && next <= '7' && i + 3 < s.length + 1) {
|
|
184
|
+
const oct = s.slice(i + 1, i + 4);
|
|
185
|
+
if (/^[0-7]{3}$/.test(oct)) {
|
|
186
|
+
out.push(Number.parseInt(oct, 8));
|
|
187
|
+
i += 3;
|
|
188
|
+
continue;
|
|
189
|
+
}
|
|
190
|
+
}
|
|
191
|
+
switch (next) {
|
|
192
|
+
case 'a':
|
|
193
|
+
out.push(0x07);
|
|
194
|
+
break;
|
|
195
|
+
case 'b':
|
|
196
|
+
out.push(0x08);
|
|
197
|
+
break;
|
|
198
|
+
case 't':
|
|
199
|
+
out.push(0x09);
|
|
200
|
+
break;
|
|
201
|
+
case 'n':
|
|
202
|
+
out.push(0x0a);
|
|
203
|
+
break;
|
|
204
|
+
case 'v':
|
|
205
|
+
out.push(0x0b);
|
|
206
|
+
break;
|
|
207
|
+
case 'f':
|
|
208
|
+
out.push(0x0c);
|
|
209
|
+
break;
|
|
210
|
+
case 'r':
|
|
211
|
+
out.push(0x0d);
|
|
212
|
+
break;
|
|
213
|
+
case '"':
|
|
214
|
+
out.push(0x22);
|
|
215
|
+
break;
|
|
216
|
+
case '\\':
|
|
217
|
+
out.push(0x5c);
|
|
218
|
+
break;
|
|
219
|
+
default:
|
|
220
|
+
// Unknown escape — emit the escape char as a literal so we
|
|
221
|
+
// don't silently drop bytes. Mirrors git's own permissive
|
|
222
|
+
// behaviour.
|
|
223
|
+
out.push(next.charCodeAt(0));
|
|
224
|
+
}
|
|
225
|
+
i += 1;
|
|
226
|
+
}
|
|
227
|
+
return Buffer.from(out).toString('utf8');
|
|
228
|
+
}
|
|
229
|
+
/**
|
|
230
|
+
* `diff -u` (non-git) emits trailing tab-prefixed timestamps after the
|
|
231
|
+
* path: `--- foo.ts\t2026-05-25 10:00:00`. Strip those so the security
|
|
232
|
+
* gate sees the clean path.
|
|
233
|
+
*/
|
|
234
|
+
function stripTimestampSuffix(path) {
|
|
235
|
+
const tab = path.indexOf('\t');
|
|
236
|
+
return tab >= 0 ? path.slice(0, tab) : path;
|
|
237
|
+
}
|
|
238
|
+
/**
|
|
239
|
+
* Apply a unified-diff patch to the workspace. Routes every mentioned
|
|
240
|
+
* file through the shared security gate before invoking `git apply`.
|
|
241
|
+
*/
|
|
242
|
+
export function applyPatch(ctx, patch, opts = {}) {
|
|
243
|
+
const toolCallId = recordToolCall(ctx.session, 'apply_patch', `${patch.length} bytes`);
|
|
244
|
+
try {
|
|
245
|
+
gateOnCancellation(ctx, 'apply_patch');
|
|
246
|
+
}
|
|
247
|
+
catch (error) {
|
|
248
|
+
if (error instanceof OperatorAbortedError) {
|
|
249
|
+
recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
|
|
250
|
+
throw error;
|
|
251
|
+
}
|
|
252
|
+
throw error;
|
|
253
|
+
}
|
|
254
|
+
if (patch.trim().length === 0) {
|
|
255
|
+
const result = {
|
|
256
|
+
ok: false,
|
|
257
|
+
filesChanged: [],
|
|
258
|
+
reason: 'empty_patch',
|
|
259
|
+
detail: 'patch body is empty',
|
|
260
|
+
};
|
|
261
|
+
recordToolResult(ctx.session, toolCallId, 'error', 'empty_patch');
|
|
262
|
+
return result;
|
|
263
|
+
}
|
|
264
|
+
const paths = extractPatchPaths(patch);
|
|
265
|
+
if (paths.length === 0) {
|
|
266
|
+
const result = {
|
|
267
|
+
ok: false,
|
|
268
|
+
filesChanged: [],
|
|
269
|
+
reason: 'invalid_patch',
|
|
270
|
+
detail: 'no `diff --git` or `+++` headers found in patch',
|
|
271
|
+
};
|
|
272
|
+
recordToolResult(ctx.session, toolCallId, 'error', 'invalid_patch');
|
|
273
|
+
return result;
|
|
274
|
+
}
|
|
275
|
+
// SECURITY GATE — reuse the α6.6 chokepoint. Every path in the patch
|
|
276
|
+
// is validated against:
|
|
277
|
+
// 1. workspace containment (no ../../ escapes)
|
|
278
|
+
// 2. protected-file basenames (.env, *.pem, id_rsa, etc.)
|
|
279
|
+
// 3. symlink escape (an in-workspace symlink pointing to /etc/hosts
|
|
280
|
+
// or a protected basename gets rejected here)
|
|
281
|
+
for (const file of paths) {
|
|
282
|
+
const gate = applySecurityGate(file, { cwd: ctx.root, toolName: 'layer-c' });
|
|
283
|
+
if (!gate.ok) {
|
|
284
|
+
const result = {
|
|
285
|
+
ok: false,
|
|
286
|
+
filesChanged: [],
|
|
287
|
+
reason: gate.reason,
|
|
288
|
+
detail: `${file}: ${gate.detail}`,
|
|
289
|
+
};
|
|
290
|
+
recordToolResult(ctx.session, toolCallId, 'error', `${gate.reason}: ${file}`);
|
|
291
|
+
return result;
|
|
292
|
+
}
|
|
293
|
+
}
|
|
294
|
+
// `git apply --check` validates the patch end-to-end against the
|
|
295
|
+
// working tree. A passing check is the gate for the actual apply.
|
|
296
|
+
const checkArgs = ['apply', '--check'];
|
|
297
|
+
if (opts.baseSha)
|
|
298
|
+
checkArgs.push('--3way');
|
|
299
|
+
checkArgs.push('-');
|
|
300
|
+
const check = runGit(checkArgs, ctx.root, patch);
|
|
301
|
+
if (check.status === 127) {
|
|
302
|
+
// No git binary on PATH. Rare on a developer machine but possible
|
|
303
|
+
// in slim containers / CI images. Surface a dedicated reason so
|
|
304
|
+
// the operator's message says "install git" not "patch is bad".
|
|
305
|
+
const result = {
|
|
306
|
+
ok: false,
|
|
307
|
+
filesChanged: [],
|
|
308
|
+
reason: 'git_unavailable',
|
|
309
|
+
detail: 'git not found on PATH',
|
|
310
|
+
};
|
|
311
|
+
recordToolResult(ctx.session, toolCallId, 'error', 'git_unavailable');
|
|
312
|
+
return result;
|
|
313
|
+
}
|
|
314
|
+
if (check.status !== 0) {
|
|
315
|
+
// Decide whether this is the "already applied" case or a real
|
|
316
|
+
// failure. `git apply --check` rejects an already-applied patch
|
|
317
|
+
// with stderr containing patterns like "patch does not apply" or
|
|
318
|
+
// "already exists in working directory". The simpler signal is
|
|
319
|
+
// the stderr string containing `already exists in working directory`
|
|
320
|
+
// (git's own message for a creating patch landing twice) — that's
|
|
321
|
+
// the only path we treat as `already_applied` here. Other stderr
|
|
322
|
+
// surfaces fall through to `check_failed` so the operator sees the
|
|
323
|
+
// raw reason.
|
|
324
|
+
const stderr = check.stderr.toLowerCase();
|
|
325
|
+
if (stderr.includes('already exists in working directory')) {
|
|
326
|
+
const result = {
|
|
327
|
+
ok: false,
|
|
328
|
+
filesChanged: [],
|
|
329
|
+
reason: 'already_applied',
|
|
330
|
+
detail: 'patch creates a path that already exists — likely already applied',
|
|
331
|
+
};
|
|
332
|
+
recordToolResult(ctx.session, toolCallId, 'error', 'already_applied');
|
|
333
|
+
return result;
|
|
334
|
+
}
|
|
335
|
+
const result = {
|
|
336
|
+
ok: false,
|
|
337
|
+
filesChanged: [],
|
|
338
|
+
reason: 'check_failed',
|
|
339
|
+
detail: check.stderr.trim() || 'git apply --check rejected the patch',
|
|
340
|
+
};
|
|
341
|
+
recordToolResult(ctx.session, toolCallId, 'error', `check_failed: ${result.detail}`);
|
|
342
|
+
return result;
|
|
343
|
+
}
|
|
344
|
+
if (opts.dryRun) {
|
|
345
|
+
const result = {
|
|
346
|
+
ok: true,
|
|
347
|
+
filesChanged: paths,
|
|
348
|
+
};
|
|
349
|
+
recordToolResult(ctx.session, toolCallId, 'success', `dry-run ok, ${paths.length} files`);
|
|
350
|
+
return result;
|
|
351
|
+
}
|
|
352
|
+
// R1 fix (2026-05-26, PR #413 r1, Fix 6): snapshot which paths exist
|
|
353
|
+
// BEFORE the apply so rollbackFiles can decide between
|
|
354
|
+
// `git checkout -- <file>` (for files that existed) and `fs.rmSync`
|
|
355
|
+
// (for files the patch was creating that may have been half-written
|
|
356
|
+
// before the failure). Without this snapshot, `git checkout`
|
|
357
|
+
// gracefully no-ops on a never-tracked file and the partial creation
|
|
358
|
+
// is left behind.
|
|
359
|
+
const preExisting = new Map();
|
|
360
|
+
for (const p of paths) {
|
|
361
|
+
preExisting.set(p, existsSync(resolve(ctx.root, p)));
|
|
362
|
+
}
|
|
363
|
+
const applyArgs = ['apply'];
|
|
364
|
+
if (opts.baseSha)
|
|
365
|
+
applyArgs.push('--3way');
|
|
366
|
+
applyArgs.push('-');
|
|
367
|
+
const apply = runGit(applyArgs, ctx.root, patch);
|
|
368
|
+
if (apply.status !== 0) {
|
|
369
|
+
// Apply failed AFTER --check passed. This is almost always a TOCTOU
|
|
370
|
+
// (another writer touched a file between the two git calls).
|
|
371
|
+
// Rollback ANY partial mutation so the workspace stays consistent.
|
|
372
|
+
const rollback = rollbackFiles(ctx.root, paths, preExisting);
|
|
373
|
+
const detail = apply.stderr.trim() || 'git apply failed after passing --check';
|
|
374
|
+
if (!rollback.ok) {
|
|
375
|
+
const result = {
|
|
376
|
+
ok: false,
|
|
377
|
+
filesChanged: [],
|
|
378
|
+
reason: 'rollback_failed',
|
|
379
|
+
detail: `${detail}; rollback also failed: ${rollback.detail}`,
|
|
380
|
+
};
|
|
381
|
+
recordToolResult(ctx.session, toolCallId, 'error', 'rollback_failed');
|
|
382
|
+
return result;
|
|
383
|
+
}
|
|
384
|
+
const result = {
|
|
385
|
+
ok: false,
|
|
386
|
+
filesChanged: [],
|
|
387
|
+
reason: 'apply_failed',
|
|
388
|
+
detail,
|
|
389
|
+
};
|
|
390
|
+
recordToolResult(ctx.session, toolCallId, 'error', `apply_failed: ${detail}`);
|
|
391
|
+
return result;
|
|
392
|
+
}
|
|
393
|
+
// Audit-log every file the patch mutated. The before/after hashes
|
|
394
|
+
// are NOT recorded (git owns the staging area for that); the
|
|
395
|
+
// mutation entry is enough for `pugi undo` to surface "apply_patch
|
|
396
|
+
// touched these files" in the timeline.
|
|
397
|
+
for (const file of paths) {
|
|
398
|
+
recordFileMutation(ctx.session, {
|
|
399
|
+
toolCallId,
|
|
400
|
+
path: file,
|
|
401
|
+
operation: 'update',
|
|
402
|
+
});
|
|
403
|
+
}
|
|
404
|
+
recordToolResult(ctx.session, toolCallId, 'success', `applied ${paths.length} files`);
|
|
405
|
+
return { ok: true, filesChanged: paths };
|
|
406
|
+
}
|
|
407
|
+
/**
|
|
408
|
+
* Roll back any partial mutation by checking files out from HEAD. Used
|
|
409
|
+
* only on the rare path where `git apply` fails AFTER `git apply --check`
|
|
410
|
+
* passed.
|
|
411
|
+
*
|
|
412
|
+
* R1 fix (2026-05-26, PR #413 r1, Fix 6): a multi-file patch that
|
|
413
|
+
* creates new files leaves them on disk when `git apply` fails partway —
|
|
414
|
+
* `git checkout -- <file>` does NOT delete a path that was never tracked
|
|
415
|
+
* (the file was created by the failed apply). We split paths into two
|
|
416
|
+
* groups using the pre-apply snapshot:
|
|
417
|
+
*
|
|
418
|
+
* - existed-before -> `git checkout -- <file>` restores tracked content.
|
|
419
|
+
* - created-by-apply -> `fs.rmSync(file, { force: true })` removes the
|
|
420
|
+
* half-written file so the workspace ends up identical to its
|
|
421
|
+
* pre-apply state.
|
|
422
|
+
*
|
|
423
|
+
* This keeps the dispatcher's invariant: a tool result of `ok: false`
|
|
424
|
+
* means the workspace is unchanged.
|
|
425
|
+
*/
|
|
426
|
+
function rollbackFiles(cwd, paths, preExisting) {
|
|
427
|
+
if (paths.length === 0)
|
|
428
|
+
return { ok: true };
|
|
429
|
+
// We only attempt to roll back files that are inside the workspace
|
|
430
|
+
// and were resolved by the security gate. A path that escaped the
|
|
431
|
+
// gate would have already aborted us above.
|
|
432
|
+
const safePaths = paths.filter((p) => {
|
|
433
|
+
const abs = resolve(cwd, p);
|
|
434
|
+
return abs === cwd || abs.startsWith(cwd + sep);
|
|
435
|
+
});
|
|
436
|
+
if (safePaths.length === 0)
|
|
437
|
+
return { ok: true };
|
|
438
|
+
const toCheckout = [];
|
|
439
|
+
const toRemove = [];
|
|
440
|
+
for (const p of safePaths) {
|
|
441
|
+
if (preExisting.get(p))
|
|
442
|
+
toCheckout.push(p);
|
|
443
|
+
else
|
|
444
|
+
toRemove.push(p);
|
|
445
|
+
}
|
|
446
|
+
// Unlink files that the patch was creating. `force: true` swallows
|
|
447
|
+
// ENOENT so a creation that never got far enough to write the file
|
|
448
|
+
// is a no-op. We record every unlink failure but keep going so a
|
|
449
|
+
// single permission error on one file doesn't strand the others.
|
|
450
|
+
const removeFailures = [];
|
|
451
|
+
for (const p of toRemove) {
|
|
452
|
+
const abs = resolve(cwd, p);
|
|
453
|
+
try {
|
|
454
|
+
rmSync(abs, { force: true });
|
|
455
|
+
}
|
|
456
|
+
catch (error) {
|
|
457
|
+
removeFailures.push(`${p}: ${error instanceof Error ? error.message : String(error)}`);
|
|
458
|
+
}
|
|
459
|
+
}
|
|
460
|
+
if (toCheckout.length > 0) {
|
|
461
|
+
const result = runGit(['checkout', '--', ...toCheckout], cwd);
|
|
462
|
+
if (result.status !== 0) {
|
|
463
|
+
const detail = [result.stderr.trim(), ...removeFailures].filter(Boolean).join('; ');
|
|
464
|
+
return { ok: false, detail };
|
|
465
|
+
}
|
|
466
|
+
}
|
|
467
|
+
if (removeFailures.length > 0) {
|
|
468
|
+
return { ok: false, detail: `rollback unlink failed: ${removeFailures.join('; ')}` };
|
|
469
|
+
}
|
|
470
|
+
return { ok: true };
|
|
471
|
+
}
|
|
472
|
+
function runGit(args, cwd, stdin) {
|
|
473
|
+
// R1 fix (2026-05-26, PR #413 r1, P2 #13): force the English C locale
|
|
474
|
+
// for the git child process. The `already_applied` reason-coding
|
|
475
|
+
// below greps stderr for the literal English string
|
|
476
|
+
// "already exists in working directory"; on a host where git was
|
|
477
|
+
// installed with a translated message catalog (de_DE / ru_RU / etc.)
|
|
478
|
+
// the substring match would silently miss and the operator would see
|
|
479
|
+
// `check_failed` instead of `already_applied`. C locale (also
|
|
480
|
+
// LC_ALL) guarantees the canonical message regardless of host env.
|
|
481
|
+
return spawnSync('git', args, {
|
|
482
|
+
cwd,
|
|
483
|
+
input: stdin,
|
|
484
|
+
encoding: 'utf8',
|
|
485
|
+
maxBuffer: 64 * 1024 * 1024,
|
|
486
|
+
env: { ...process.env, LANG: 'C', LC_ALL: 'C' },
|
|
487
|
+
});
|
|
488
|
+
}
|
|
489
|
+
/**
|
|
490
|
+
* Test-only surface for the apply-patch heuristics. Specs poke
|
|
491
|
+
* `extractPatchPaths` directly to assert on the path-parsing layer
|
|
492
|
+
* without paying for a real git invocation.
|
|
493
|
+
*/
|
|
494
|
+
export const __test__ = { extractPatchPaths, runGit, unquoteGitPath };
|
|
495
|
+
//# sourceMappingURL=apply-patch.js.map
|
package/dist/tools/file-tools.js
CHANGED
|
@@ -6,6 +6,35 @@ import { decidePermission } from '../core/permission.js';
|
|
|
6
6
|
import { createReadRecord, hashContent } from '../core/file-cache.js';
|
|
7
7
|
import { resolveWorkspacePath } from '../core/path-security.js';
|
|
8
8
|
import { recordFileMutation, recordToolCall, recordToolResult } from '../core/session.js';
|
|
9
|
+
/**
|
|
10
|
+
* α6.9 WriteGate marker — thrown by `gateOnCancellation` when the
|
|
11
|
+
* caller supplied a cancellation token that has already aborted. The
|
|
12
|
+
* tool dispatch loop in `tool-bridge.ts` recognises the name and folds
|
|
13
|
+
* the throw into a `status: 'aborted'` tool result rather than a hard
|
|
14
|
+
* error so the loop terminates cleanly.
|
|
15
|
+
*/
|
|
16
|
+
export class OperatorAbortedError extends Error {
|
|
17
|
+
constructor(toolName) {
|
|
18
|
+
super(`operator_aborted: ${toolName} refused — operator cancelled the dispatch.`);
|
|
19
|
+
this.name = 'OperatorAbortedError';
|
|
20
|
+
}
|
|
21
|
+
}
|
|
22
|
+
/**
|
|
23
|
+
* α6.9 WriteGate: refuse the tool dispatch when the active
|
|
24
|
+
* cancellation token has aborted. Idempotent (the token's `isAborted`
|
|
25
|
+
* is a getter, no side effects). Returns void on the happy path so the
|
|
26
|
+
* tool can proceed; throws `OperatorAbortedError` when cancelled.
|
|
27
|
+
*
|
|
28
|
+
* The audit trail still gets the call: `recordToolCall` already fired
|
|
29
|
+
* upstream of this guard so the abort + reason are persisted. The
|
|
30
|
+
* matching `recordToolResult` is fired by the caller in its catch
|
|
31
|
+
* block with `status: 'cancelled'` (see existing path for `error`).
|
|
32
|
+
*/
|
|
33
|
+
export function gateOnCancellation(ctx, toolName) {
|
|
34
|
+
if (ctx.cancellation && ctx.cancellation.isAborted) {
|
|
35
|
+
throw new OperatorAbortedError(toolName);
|
|
36
|
+
}
|
|
37
|
+
}
|
|
9
38
|
/**
|
|
10
39
|
* Re-check the permission decision against the *resolved* real path so
|
|
11
40
|
* a workspace-local symlink (`alias -> .env`) cannot bypass the protected
|
|
@@ -42,6 +71,13 @@ function permissionGatedResolve(ctx, inputPath, action, toolName) {
|
|
|
42
71
|
}
|
|
43
72
|
export function readTool(ctx, path) {
|
|
44
73
|
const toolCallId = recordToolCall(ctx.session, 'read', path);
|
|
74
|
+
// α6.9 WriteGate: fail fast on operator cancel BEFORE permission
|
|
75
|
+
// decision so a half-second post-cancel race never lands the read.
|
|
76
|
+
if (ctx.cancellation && ctx.cancellation.isAborted) {
|
|
77
|
+
const reason = 'operator_aborted: read refused';
|
|
78
|
+
recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
|
|
79
|
+
throw new OperatorAbortedError('read');
|
|
80
|
+
}
|
|
45
81
|
const decision = decidePermission({ tool: 'read', kind: 'read', target: path }, ctx.settings, ctx.root);
|
|
46
82
|
if (decision.decision !== 'allow') {
|
|
47
83
|
const reason = `Permission ${decision.decision} for read ${path}: ${decision.reason}`;
|
|
@@ -64,6 +100,14 @@ export function readTool(ctx, path) {
|
|
|
64
100
|
}
|
|
65
101
|
export function writeTool(ctx, path, content) {
|
|
66
102
|
const toolCallId = recordToolCall(ctx.session, 'write', path);
|
|
103
|
+
// α6.9 WriteGate: refuse the write when the operator has cancelled
|
|
104
|
+
// the dispatch. The audit log captures the cancellation reason so a
|
|
105
|
+
// post-mortem can distinguish operator_aborted from settings-deny.
|
|
106
|
+
if (ctx.cancellation && ctx.cancellation.isAborted) {
|
|
107
|
+
const reason = 'operator_aborted: write refused';
|
|
108
|
+
recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
|
|
109
|
+
throw new OperatorAbortedError('write');
|
|
110
|
+
}
|
|
67
111
|
const decision = decidePermission({ tool: 'write', kind: 'edit', target: path }, ctx.settings, ctx.root);
|
|
68
112
|
if (decision.decision !== 'allow') {
|
|
69
113
|
const reason = `Permission ${decision.decision} for write ${path}: ${decision.reason}`;
|
|
@@ -95,6 +139,15 @@ export function writeTool(ctx, path, content) {
|
|
|
95
139
|
}
|
|
96
140
|
export function editTool(ctx, path, oldString, newString) {
|
|
97
141
|
const toolCallId = recordToolCall(ctx.session, 'edit', path);
|
|
142
|
+
// α6.9 WriteGate: refuse the edit when the operator has cancelled
|
|
143
|
+
// the dispatch. Edits are higher-risk than reads — surface the abort
|
|
144
|
+
// BEFORE we even consult permissions so a cancel-during-tool-loop
|
|
145
|
+
// never partially mutates the workspace.
|
|
146
|
+
if (ctx.cancellation && ctx.cancellation.isAborted) {
|
|
147
|
+
const reason = 'operator_aborted: edit refused';
|
|
148
|
+
recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
|
|
149
|
+
throw new OperatorAbortedError('edit');
|
|
150
|
+
}
|
|
98
151
|
const decision = decidePermission({ tool: 'edit', kind: 'edit', target: path }, ctx.settings, ctx.root);
|
|
99
152
|
if (decision.decision !== 'allow') {
|
|
100
153
|
const reason = `Permission ${decision.decision} for edit ${path}: ${decision.reason}`;
|
|
@@ -140,6 +193,14 @@ export function editTool(ctx, path, oldString, newString) {
|
|
|
140
193
|
}
|
|
141
194
|
export function globTool(ctx, pattern) {
|
|
142
195
|
const toolCallId = recordToolCall(ctx.session, 'glob', pattern);
|
|
196
|
+
// α6.9 WriteGate: cancel-aware short-circuit. Glob is read-only but
|
|
197
|
+
// can be expensive on large trees; respecting the abort here keeps
|
|
198
|
+
// the tool loop responsive when the operator hits Ctrl+C mid-scan.
|
|
199
|
+
if (ctx.cancellation && ctx.cancellation.isAborted) {
|
|
200
|
+
const reason = 'operator_aborted: glob refused';
|
|
201
|
+
recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
|
|
202
|
+
throw new OperatorAbortedError('glob');
|
|
203
|
+
}
|
|
143
204
|
// Pugi globs are workspace-scoped. Reject any pattern that could enumerate
|
|
144
205
|
// outside the workspace:
|
|
145
206
|
// 1. absolute paths (`/etc/**/*`) — globSync resolves these against `/`
|
|
@@ -169,11 +230,28 @@ export function globTool(ctx, pattern) {
|
|
|
169
230
|
}
|
|
170
231
|
export function grepTool(ctx, query) {
|
|
171
232
|
const toolCallId = recordToolCall(ctx.session, 'grep', query);
|
|
233
|
+
// α6.9 WriteGate: refuse before scanning. Grep walks the whole
|
|
234
|
+
// workspace and can take seconds on a large repo; check abort first
|
|
235
|
+
// so a cancel mid-scan returns immediately rather than after the
|
|
236
|
+
// full walk completes.
|
|
237
|
+
if (ctx.cancellation && ctx.cancellation.isAborted) {
|
|
238
|
+
const reason = 'operator_aborted: grep refused';
|
|
239
|
+
recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
|
|
240
|
+
throw new OperatorAbortedError('grep');
|
|
241
|
+
}
|
|
172
242
|
const files = globTool(ctx, '**/*').filter((path) => !path.endsWith('/'));
|
|
173
243
|
const matches = [];
|
|
174
244
|
for (const path of files) {
|
|
175
245
|
if (matches.length >= 200)
|
|
176
246
|
break;
|
|
247
|
+
// α6.9 WriteGate: poll abort inside the file loop so a cancel
|
|
248
|
+
// arriving mid-scan terminates early. The per-file branch keeps
|
|
249
|
+
// the responsiveness bounded by the slowest single-file read.
|
|
250
|
+
if (ctx.cancellation && ctx.cancellation.isAborted) {
|
|
251
|
+
const reason = `operator_aborted: grep stopped mid-scan after ${matches.length} matches`;
|
|
252
|
+
recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
|
|
253
|
+
throw new OperatorAbortedError('grep');
|
|
254
|
+
}
|
|
177
255
|
// Permission gate every file read individually — grep used to bypass
|
|
178
256
|
// `decidePermission` and could surface lines from protected files
|
|
179
257
|
// (.env, *.sql, *.pem, ~/.ssh/**) when invoked from a directory walk.
|
|
@@ -241,6 +319,18 @@ export const BASH_DEFAULT_TIMEOUT_MS = 30_000;
|
|
|
241
319
|
export const BASH_CHILD_MAXBUFFER = 10 * 1024 * 1024;
|
|
242
320
|
export function bashTool(ctx, command, options = {}) {
|
|
243
321
|
const toolCallId = recordToolCall(ctx.session, 'bash', command);
|
|
322
|
+
// α6.9 WriteGate: bash is the highest-risk tool surface. Refuse
|
|
323
|
+
// before the destructive-pattern classifier even runs so a
|
|
324
|
+
// cancelled dispatch never spawns a child process. Note: this is
|
|
325
|
+
// pre-spawn cancellation only; once the /bin/sh -c process is
|
|
326
|
+
// running, the synchronous spawnSync wait blocks until it exits or
|
|
327
|
+
// the 30s timeout fires. Phase 2 will wire SIGTERM forwarding via
|
|
328
|
+
// an async wrapper.
|
|
329
|
+
if (ctx.cancellation && ctx.cancellation.isAborted) {
|
|
330
|
+
const reason = 'operator_aborted: bash refused';
|
|
331
|
+
recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
|
|
332
|
+
throw new OperatorAbortedError('bash');
|
|
333
|
+
}
|
|
244
334
|
const decision = decidePermission({ tool: 'bash', kind: 'bash', target: command }, ctx.settings, ctx.root);
|
|
245
335
|
if (decision.decision !== 'allow') {
|
|
246
336
|
const reason = `Permission ${decision.decision} for bash: ${decision.reason}`;
|