@pugi/cli 0.1.0-alpha.9 → 0.1.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (74) hide show
  1. package/README.md +33 -0
  2. package/THIRD_PARTY_NOTICES.md +40 -0
  3. package/assets/pugi-mascot.ansi +16 -0
  4. package/dist/commands/deploy.js +439 -0
  5. package/dist/core/agents/loader.js +104 -0
  6. package/dist/core/agents/registry.js +1 -1
  7. package/dist/core/consensus/anvil-fanout.js +276 -0
  8. package/dist/core/consensus/diff-capture.js +382 -0
  9. package/dist/core/consensus/rubric.js +233 -0
  10. package/dist/core/context/index.js +21 -0
  11. package/dist/core/context/pugiignore.js +316 -0
  12. package/dist/core/context/repo-skeleton.js +533 -0
  13. package/dist/core/context/watcher.js +342 -0
  14. package/dist/core/context/working-set.js +165 -0
  15. package/dist/core/edits/dispatch.js +185 -0
  16. package/dist/core/edits/index.js +15 -0
  17. package/dist/core/edits/layer-a-apply.js +217 -0
  18. package/dist/core/edits/layer-b-apply.js +211 -0
  19. package/dist/core/edits/layer-c-apply.js +160 -0
  20. package/dist/core/edits/layer-d-ast.js +29 -0
  21. package/dist/core/edits/marker-parser.js +401 -0
  22. package/dist/core/edits/security-gate.js +223 -0
  23. package/dist/core/edits/worktree.js +322 -0
  24. package/dist/core/engine/native-pugi.js +6 -1
  25. package/dist/core/engine/prompts.js +8 -0
  26. package/dist/core/engine/tool-bridge.js +33 -1
  27. package/dist/core/lsp/client.js +719 -0
  28. package/dist/core/repl/ask.js +512 -0
  29. package/dist/core/repl/cancellation.js +98 -0
  30. package/dist/core/repl/dispatch-fsm.js +220 -0
  31. package/dist/core/repl/privacy-banner.js +71 -0
  32. package/dist/core/repl/session.js +1908 -13
  33. package/dist/core/repl/slash-commands.js +92 -32
  34. package/dist/core/repl/store/index.js +12 -0
  35. package/dist/core/repl/store/jsonl-log.js +321 -0
  36. package/dist/core/repl/store/lockfile.js +155 -0
  37. package/dist/core/repl/store/session-store.js +792 -0
  38. package/dist/core/repl/store/types.js +44 -0
  39. package/dist/core/repl/store/uuid-v7.js +68 -0
  40. package/dist/core/repl/workspace-context.js +72 -1
  41. package/dist/core/skills/defaults.js +457 -0
  42. package/dist/core/skills/loader.js +454 -0
  43. package/dist/core/skills/sources.js +480 -0
  44. package/dist/core/skills/trust.js +172 -0
  45. package/dist/runtime/cli.js +998 -12
  46. package/dist/runtime/commands/agents.js +385 -0
  47. package/dist/runtime/commands/config.js +338 -8
  48. package/dist/runtime/commands/delegate.js +289 -0
  49. package/dist/runtime/commands/lsp.js +206 -0
  50. package/dist/runtime/commands/patch.js +128 -0
  51. package/dist/runtime/commands/review-consensus.js +399 -0
  52. package/dist/runtime/commands/roster.js +117 -0
  53. package/dist/runtime/commands/skills.js +401 -0
  54. package/dist/runtime/commands/worktree.js +177 -0
  55. package/dist/runtime/plan-decompose.js +531 -0
  56. package/dist/tools/apply-patch.js +495 -0
  57. package/dist/tools/file-tools.js +90 -0
  58. package/dist/tools/lsp-tools.js +189 -0
  59. package/dist/tools/registry.js +26 -0
  60. package/dist/tools/web-fetch.js +1 -1
  61. package/dist/tui/agent-tree-pane.js +9 -0
  62. package/dist/tui/ask-cli.js +52 -0
  63. package/dist/tui/ask-modal.js +211 -0
  64. package/dist/tui/conversation-pane.js +48 -3
  65. package/dist/tui/input-box.js +48 -5
  66. package/dist/tui/markdown-render.js +266 -0
  67. package/dist/tui/repl-render.js +319 -3
  68. package/dist/tui/repl-splash-mascot.js +130 -0
  69. package/dist/tui/repl-splash.js +7 -1
  70. package/dist/tui/repl.js +96 -12
  71. package/dist/tui/status-bar.js +63 -3
  72. package/dist/tui/tool-stream-pane.js +91 -0
  73. package/docs/examples/codegraph.mcp.json +10 -0
  74. package/package.json +14 -6
@@ -0,0 +1,495 @@
1
+ /**
2
+ * apply_patch tool — α7.7 Phase 1.
3
+ *
4
+ * Accepts a unified diff (the format produced by `git diff` and
5
+ * consumed by `git apply`) and lands it atomically into the workspace.
6
+ * This is the third edit primitive alongside the α6.6 4-layer diff
7
+ * escalation: where the layers escalate from minimal `oldString`/
8
+ * `newString` blocks up to full-file rewrites, apply_patch covers the
9
+ * unified-diff dialect that OpenAI Codex and most external tools emit.
10
+ *
11
+ * Why we have both:
12
+ *
13
+ * - The 4-layer escalation maximises model-side success rate on
14
+ * conversational edits (Claude / Gemini / OpenAI all have a
15
+ * preferred dialect that maps onto one of the layers).
16
+ * - apply_patch is the "external tools speak this" path. A model
17
+ * emits a single unified diff (the format `git diff` produces),
18
+ * and we run it through `git apply` with the same security gate
19
+ * the layers use.
20
+ *
21
+ * Security: every file mentioned in the patch goes through the same
22
+ * `applySecurityGate` chokepoint as the layers (see
23
+ * `src/core/edits/security-gate.ts`). A patch that touches
24
+ * `../../etc/passwd`, `.env`, or a workspace-local symlink to a protected
25
+ * file is rejected BEFORE `git apply` runs. Symlink escape, protected
26
+ * file, and path traversal are all covered by the same gate the layers
27
+ * inherit — we never roll our own resolver here.
28
+ *
29
+ * Atomicity: a multi-file patch either lands entirely or not at all.
30
+ * `git apply --check` validates the patch end-to-end against the
31
+ * working tree first; only on a clean check do we run the real apply.
32
+ * If the apply still fails partway (extremely rare — usually a race
33
+ * with another writer), we run `git checkout -- <each file>` to roll
34
+ * the tree back. This keeps the dispatcher's invariant: a tool result
35
+ * of `ok: false` means the workspace is unchanged.
36
+ *
37
+ * Idempotency: applying the same patch twice rejects the second with
38
+ * `already_applied`. `git apply` itself returns success only when the
39
+ * patch's pre-image matches the working tree, so a second invocation
40
+ * naturally fails. We translate the specific failure mode into a
41
+ * dedicated reason so callers can short-circuit retry loops.
42
+ *
43
+ * Brand voice: ASCII only, no emoji, no banned words.
44
+ */
45
+ import { spawnSync } from 'node:child_process';
46
+ import { existsSync, rmSync } from 'node:fs';
47
+ import { resolve, sep } from 'node:path';
48
+ import { applySecurityGate } from '../core/edits/security-gate.js';
49
+ import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
50
+ import { recordToolCall, recordToolResult, recordFileMutation } from '../core/session.js';
51
+ /**
52
+ * Parse the file paths referenced in a unified diff. We look for both
53
+ * `diff --git a/X b/Y` headers (preferred) and the fallback
54
+ * `+++ b/<path>` lines that plain `diff -u` emits. The full set of
55
+ * touched paths feeds the security gate — EVERY file goes through
56
+ * `applySecurityGate` before we trust `git apply` to do anything.
57
+ *
58
+ * Security (R1 fix 2026-05-26, PR #413 r1): git emits C-style quoted
59
+ * path headers when a path contains "unusual" bytes (high bits, control
60
+ * chars, double-quote, backslash) and `core.quotePath` is true (the
61
+ * default). The literal header looks like
62
+ * `diff --git "a/.env" "b/.env"`. Before this fix the regex captured
63
+ * the literal `"b/.env"` string and the security gate's basename match
64
+ * never saw `.env` — `basename('"b/.env"')` is `'.env"'` (note the
65
+ * trailing quote) which does NOT match the `.env` protected pattern.
66
+ * `git apply` then de-quoted the header and happily landed on the real
67
+ * `.env`. We strip the surrounding quotes + decode the C-style escapes
68
+ * via `unquoteGitPath` BEFORE passing to the security gate so the
69
+ * basename matcher sees the real target.
70
+ */
71
+ export function extractPatchPaths(patch) {
72
+ const paths = new Set();
73
+ for (const line of patch.split('\n')) {
74
+ if (line.startsWith('diff --git ')) {
75
+ // `diff --git a/foo b/bar` — paths can contain spaces only when
76
+ // quoted by git's own diff machinery (rare). The robust extractor
77
+ // matches the `b/...` half because rename diffs carry the new
78
+ // name there.
79
+ // Two variants: unquoted (`a/foo b/bar`) and C-style quoted
80
+ // (`"a/foo" "b/bar"`). We try the quoted form first because the
81
+ // unquoted regex below would accept the literal quote as part of
82
+ // the path otherwise.
83
+ const quoted = line.match(/^diff --git "a\/(.+)" "b\/(.+)"$/);
84
+ if (quoted) {
85
+ if (quoted[1])
86
+ paths.add(unquoteGitPath(quoted[1]));
87
+ if (quoted[2])
88
+ paths.add(unquoteGitPath(quoted[2]));
89
+ continue;
90
+ }
91
+ const match = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
92
+ if (match) {
93
+ if (match[1])
94
+ paths.add(unquoteGitPath(match[1]));
95
+ if (match[2])
96
+ paths.add(unquoteGitPath(match[2]));
97
+ }
98
+ continue;
99
+ }
100
+ if (line.startsWith('+++ ')) {
101
+ const after = line.slice(4).trim();
102
+ if (after === '/dev/null')
103
+ continue;
104
+ const stripped = stripQuotedHalf(after, 'b/');
105
+ if (stripped)
106
+ paths.add(stripTimestampSuffix(stripped));
107
+ continue;
108
+ }
109
+ if (line.startsWith('--- ')) {
110
+ const after = line.slice(4).trim();
111
+ if (after === '/dev/null')
112
+ continue;
113
+ const stripped = stripQuotedHalf(after, 'a/');
114
+ if (stripped)
115
+ paths.add(stripTimestampSuffix(stripped));
116
+ }
117
+ }
118
+ return Array.from(paths);
119
+ }
120
+ /**
121
+ * Strip the leading `a/` or `b/` prefix from a `---` / `+++` line,
122
+ * handling both unquoted (`b/.env`) and C-style quoted (`"b/.env"`)
123
+ * variants. The returned path is fully de-quoted so the security gate
124
+ * sees the real basename. Returns null when the line does not parse.
125
+ */
126
+ function stripQuotedHalf(after, prefix) {
127
+ // Quoted form: `"b/path with \"escapes\""`. Detect surrounding quotes
128
+ // first, strip them, then peel the prefix, then unquote the inner
129
+ // C-style escapes.
130
+ if (after.startsWith('"') && after.endsWith('"') && after.length >= 2) {
131
+ const inner = after.slice(1, -1);
132
+ const peeled = inner.startsWith(prefix) ? inner.slice(prefix.length) : inner;
133
+ return unquoteGitPath(peeled);
134
+ }
135
+ const trimmed = after.startsWith(prefix) ? after.slice(prefix.length) : after;
136
+ return trimmed;
137
+ }
138
+ /**
139
+ * Decode git's C-style path quoting. When `core.quotePath` is true
140
+ * (default) git writes paths with high-bit / control / quote bytes as
141
+ * C-string escapes inside double quotes:
142
+ *
143
+ * `"\.env"` -> `.env` (backslash before . is just a literal)
144
+ * `"a\"b"` -> `a"b` (escaped double-quote)
145
+ * `"a\\b"` -> `a\b` (escaped backslash)
146
+ * `"a\tb"` -> `a` + TAB + `b`
147
+ * `"a\341\210\264"` -> `a` + UTF-8 bytes 0xe1 0x88 0xb4
148
+ *
149
+ * Accepts a path that is EITHER already unquoted (passed through) OR an
150
+ * inner string previously stripped of its surrounding quotes. The
151
+ * function is idempotent on already-clean ASCII paths.
152
+ *
153
+ * Reference: git source `quote.c::unquote_c_style`.
154
+ */
155
+ export function unquoteGitPath(s) {
156
+ // If the caller passed us a wrapped string (`"foo"`), peel it now.
157
+ if (s.startsWith('"') && s.endsWith('"') && s.length >= 2) {
158
+ s = s.slice(1, -1);
159
+ }
160
+ // Fast path: no backslash means no C-style escapes, return as-is.
161
+ if (!s.includes('\\'))
162
+ return s;
163
+ const out = [];
164
+ for (let i = 0; i < s.length; i += 1) {
165
+ const ch = s[i];
166
+ if (ch !== '\\') {
167
+ // Single-byte ASCII or multi-byte JS string char; the byte we
168
+ // emit must match its UTF-8 encoding so the security gate sees
169
+ // the same bytes the filesystem will. JS strings are UTF-16; we
170
+ // bounce through Buffer to get the canonical UTF-8 bytes.
171
+ const bytes = Buffer.from(ch ?? '', 'utf8');
172
+ for (const b of bytes)
173
+ out.push(b);
174
+ continue;
175
+ }
176
+ const next = s[i + 1];
177
+ if (next === undefined) {
178
+ // Trailing backslash with no follower — emit literal.
179
+ out.push(0x5c);
180
+ continue;
181
+ }
182
+ // Three-digit octal escape: `\NNN` (each digit 0-7).
183
+ if (next >= '0' && next <= '7' && i + 3 < s.length + 1) {
184
+ const oct = s.slice(i + 1, i + 4);
185
+ if (/^[0-7]{3}$/.test(oct)) {
186
+ out.push(Number.parseInt(oct, 8));
187
+ i += 3;
188
+ continue;
189
+ }
190
+ }
191
+ switch (next) {
192
+ case 'a':
193
+ out.push(0x07);
194
+ break;
195
+ case 'b':
196
+ out.push(0x08);
197
+ break;
198
+ case 't':
199
+ out.push(0x09);
200
+ break;
201
+ case 'n':
202
+ out.push(0x0a);
203
+ break;
204
+ case 'v':
205
+ out.push(0x0b);
206
+ break;
207
+ case 'f':
208
+ out.push(0x0c);
209
+ break;
210
+ case 'r':
211
+ out.push(0x0d);
212
+ break;
213
+ case '"':
214
+ out.push(0x22);
215
+ break;
216
+ case '\\':
217
+ out.push(0x5c);
218
+ break;
219
+ default:
220
+ // Unknown escape — emit the escape char as a literal so we
221
+ // don't silently drop bytes. Mirrors git's own permissive
222
+ // behaviour.
223
+ out.push(next.charCodeAt(0));
224
+ }
225
+ i += 1;
226
+ }
227
+ return Buffer.from(out).toString('utf8');
228
+ }
229
+ /**
230
+ * `diff -u` (non-git) emits trailing tab-prefixed timestamps after the
231
+ * path: `--- foo.ts\t2026-05-25 10:00:00`. Strip those so the security
232
+ * gate sees the clean path.
233
+ */
234
+ function stripTimestampSuffix(path) {
235
+ const tab = path.indexOf('\t');
236
+ return tab >= 0 ? path.slice(0, tab) : path;
237
+ }
238
+ /**
239
+ * Apply a unified-diff patch to the workspace. Routes every mentioned
240
+ * file through the shared security gate before invoking `git apply`.
241
+ */
242
+ export function applyPatch(ctx, patch, opts = {}) {
243
+ const toolCallId = recordToolCall(ctx.session, 'apply_patch', `${patch.length} bytes`);
244
+ try {
245
+ gateOnCancellation(ctx, 'apply_patch');
246
+ }
247
+ catch (error) {
248
+ if (error instanceof OperatorAbortedError) {
249
+ recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
250
+ throw error;
251
+ }
252
+ throw error;
253
+ }
254
+ if (patch.trim().length === 0) {
255
+ const result = {
256
+ ok: false,
257
+ filesChanged: [],
258
+ reason: 'empty_patch',
259
+ detail: 'patch body is empty',
260
+ };
261
+ recordToolResult(ctx.session, toolCallId, 'error', 'empty_patch');
262
+ return result;
263
+ }
264
+ const paths = extractPatchPaths(patch);
265
+ if (paths.length === 0) {
266
+ const result = {
267
+ ok: false,
268
+ filesChanged: [],
269
+ reason: 'invalid_patch',
270
+ detail: 'no `diff --git` or `+++` headers found in patch',
271
+ };
272
+ recordToolResult(ctx.session, toolCallId, 'error', 'invalid_patch');
273
+ return result;
274
+ }
275
+ // SECURITY GATE — reuse the α6.6 chokepoint. Every path in the patch
276
+ // is validated against:
277
+ // 1. workspace containment (no ../../ escapes)
278
+ // 2. protected-file basenames (.env, *.pem, id_rsa, etc.)
279
+ // 3. symlink escape (an in-workspace symlink pointing to /etc/hosts
280
+ // or a protected basename gets rejected here)
281
+ for (const file of paths) {
282
+ const gate = applySecurityGate(file, { cwd: ctx.root, toolName: 'layer-c' });
283
+ if (!gate.ok) {
284
+ const result = {
285
+ ok: false,
286
+ filesChanged: [],
287
+ reason: gate.reason,
288
+ detail: `${file}: ${gate.detail}`,
289
+ };
290
+ recordToolResult(ctx.session, toolCallId, 'error', `${gate.reason}: ${file}`);
291
+ return result;
292
+ }
293
+ }
294
+ // `git apply --check` validates the patch end-to-end against the
295
+ // working tree. A passing check is the gate for the actual apply.
296
+ const checkArgs = ['apply', '--check'];
297
+ if (opts.baseSha)
298
+ checkArgs.push('--3way');
299
+ checkArgs.push('-');
300
+ const check = runGit(checkArgs, ctx.root, patch);
301
+ if (check.status === 127) {
302
+ // No git binary on PATH. Rare on a developer machine but possible
303
+ // in slim containers / CI images. Surface a dedicated reason so
304
+ // the operator's message says "install git" not "patch is bad".
305
+ const result = {
306
+ ok: false,
307
+ filesChanged: [],
308
+ reason: 'git_unavailable',
309
+ detail: 'git not found on PATH',
310
+ };
311
+ recordToolResult(ctx.session, toolCallId, 'error', 'git_unavailable');
312
+ return result;
313
+ }
314
+ if (check.status !== 0) {
315
+ // Decide whether this is the "already applied" case or a real
316
+ // failure. `git apply --check` rejects an already-applied patch
317
+ // with stderr containing patterns like "patch does not apply" or
318
+ // "already exists in working directory". The simpler signal is
319
+ // the stderr string containing `already exists in working directory`
320
+ // (git's own message for a creating patch landing twice) — that's
321
+ // the only path we treat as `already_applied` here. Other stderr
322
+ // surfaces fall through to `check_failed` so the operator sees the
323
+ // raw reason.
324
+ const stderr = check.stderr.toLowerCase();
325
+ if (stderr.includes('already exists in working directory')) {
326
+ const result = {
327
+ ok: false,
328
+ filesChanged: [],
329
+ reason: 'already_applied',
330
+ detail: 'patch creates a path that already exists — likely already applied',
331
+ };
332
+ recordToolResult(ctx.session, toolCallId, 'error', 'already_applied');
333
+ return result;
334
+ }
335
+ const result = {
336
+ ok: false,
337
+ filesChanged: [],
338
+ reason: 'check_failed',
339
+ detail: check.stderr.trim() || 'git apply --check rejected the patch',
340
+ };
341
+ recordToolResult(ctx.session, toolCallId, 'error', `check_failed: ${result.detail}`);
342
+ return result;
343
+ }
344
+ if (opts.dryRun) {
345
+ const result = {
346
+ ok: true,
347
+ filesChanged: paths,
348
+ };
349
+ recordToolResult(ctx.session, toolCallId, 'success', `dry-run ok, ${paths.length} files`);
350
+ return result;
351
+ }
352
+ // R1 fix (2026-05-26, PR #413 r1, Fix 6): snapshot which paths exist
353
+ // BEFORE the apply so rollbackFiles can decide between
354
+ // `git checkout -- <file>` (for files that existed) and `fs.rmSync`
355
+ // (for files the patch was creating that may have been half-written
356
+ // before the failure). Without this snapshot, `git checkout`
357
+ // gracefully no-ops on a never-tracked file and the partial creation
358
+ // is left behind.
359
+ const preExisting = new Map();
360
+ for (const p of paths) {
361
+ preExisting.set(p, existsSync(resolve(ctx.root, p)));
362
+ }
363
+ const applyArgs = ['apply'];
364
+ if (opts.baseSha)
365
+ applyArgs.push('--3way');
366
+ applyArgs.push('-');
367
+ const apply = runGit(applyArgs, ctx.root, patch);
368
+ if (apply.status !== 0) {
369
+ // Apply failed AFTER --check passed. This is almost always a TOCTOU
370
+ // (another writer touched a file between the two git calls).
371
+ // Rollback ANY partial mutation so the workspace stays consistent.
372
+ const rollback = rollbackFiles(ctx.root, paths, preExisting);
373
+ const detail = apply.stderr.trim() || 'git apply failed after passing --check';
374
+ if (!rollback.ok) {
375
+ const result = {
376
+ ok: false,
377
+ filesChanged: [],
378
+ reason: 'rollback_failed',
379
+ detail: `${detail}; rollback also failed: ${rollback.detail}`,
380
+ };
381
+ recordToolResult(ctx.session, toolCallId, 'error', 'rollback_failed');
382
+ return result;
383
+ }
384
+ const result = {
385
+ ok: false,
386
+ filesChanged: [],
387
+ reason: 'apply_failed',
388
+ detail,
389
+ };
390
+ recordToolResult(ctx.session, toolCallId, 'error', `apply_failed: ${detail}`);
391
+ return result;
392
+ }
393
+ // Audit-log every file the patch mutated. The before/after hashes
394
+ // are NOT recorded (git owns the staging area for that); the
395
+ // mutation entry is enough for `pugi undo` to surface "apply_patch
396
+ // touched these files" in the timeline.
397
+ for (const file of paths) {
398
+ recordFileMutation(ctx.session, {
399
+ toolCallId,
400
+ path: file,
401
+ operation: 'update',
402
+ });
403
+ }
404
+ recordToolResult(ctx.session, toolCallId, 'success', `applied ${paths.length} files`);
405
+ return { ok: true, filesChanged: paths };
406
+ }
407
+ /**
408
+ * Roll back any partial mutation by checking files out from HEAD. Used
409
+ * only on the rare path where `git apply` fails AFTER `git apply --check`
410
+ * passed.
411
+ *
412
+ * R1 fix (2026-05-26, PR #413 r1, Fix 6): a multi-file patch that
413
+ * creates new files leaves them on disk when `git apply` fails partway —
414
+ * `git checkout -- <file>` does NOT delete a path that was never tracked
415
+ * (the file was created by the failed apply). We split paths into two
416
+ * groups using the pre-apply snapshot:
417
+ *
418
+ * - existed-before -> `git checkout -- <file>` restores tracked content.
419
+ * - created-by-apply -> `fs.rmSync(file, { force: true })` removes the
420
+ * half-written file so the workspace ends up identical to its
421
+ * pre-apply state.
422
+ *
423
+ * This keeps the dispatcher's invariant: a tool result of `ok: false`
424
+ * means the workspace is unchanged.
425
+ */
426
+ function rollbackFiles(cwd, paths, preExisting) {
427
+ if (paths.length === 0)
428
+ return { ok: true };
429
+ // We only attempt to roll back files that are inside the workspace
430
+ // and were resolved by the security gate. A path that escaped the
431
+ // gate would have already aborted us above.
432
+ const safePaths = paths.filter((p) => {
433
+ const abs = resolve(cwd, p);
434
+ return abs === cwd || abs.startsWith(cwd + sep);
435
+ });
436
+ if (safePaths.length === 0)
437
+ return { ok: true };
438
+ const toCheckout = [];
439
+ const toRemove = [];
440
+ for (const p of safePaths) {
441
+ if (preExisting.get(p))
442
+ toCheckout.push(p);
443
+ else
444
+ toRemove.push(p);
445
+ }
446
+ // Unlink files that the patch was creating. `force: true` swallows
447
+ // ENOENT so a creation that never got far enough to write the file
448
+ // is a no-op. We record every unlink failure but keep going so a
449
+ // single permission error on one file doesn't strand the others.
450
+ const removeFailures = [];
451
+ for (const p of toRemove) {
452
+ const abs = resolve(cwd, p);
453
+ try {
454
+ rmSync(abs, { force: true });
455
+ }
456
+ catch (error) {
457
+ removeFailures.push(`${p}: ${error instanceof Error ? error.message : String(error)}`);
458
+ }
459
+ }
460
+ if (toCheckout.length > 0) {
461
+ const result = runGit(['checkout', '--', ...toCheckout], cwd);
462
+ if (result.status !== 0) {
463
+ const detail = [result.stderr.trim(), ...removeFailures].filter(Boolean).join('; ');
464
+ return { ok: false, detail };
465
+ }
466
+ }
467
+ if (removeFailures.length > 0) {
468
+ return { ok: false, detail: `rollback unlink failed: ${removeFailures.join('; ')}` };
469
+ }
470
+ return { ok: true };
471
+ }
472
+ function runGit(args, cwd, stdin) {
473
+ // R1 fix (2026-05-26, PR #413 r1, P2 #13): force the English C locale
474
+ // for the git child process. The `already_applied` reason-coding
475
+ // below greps stderr for the literal English string
476
+ // "already exists in working directory"; on a host where git was
477
+ // installed with a translated message catalog (de_DE / ru_RU / etc.)
478
+ // the substring match would silently miss and the operator would see
479
+ // `check_failed` instead of `already_applied`. C locale (also
480
+ // LC_ALL) guarantees the canonical message regardless of host env.
481
+ return spawnSync('git', args, {
482
+ cwd,
483
+ input: stdin,
484
+ encoding: 'utf8',
485
+ maxBuffer: 64 * 1024 * 1024,
486
+ env: { ...process.env, LANG: 'C', LC_ALL: 'C' },
487
+ });
488
+ }
489
+ /**
490
+ * Test-only surface for the apply-patch heuristics. Specs poke
491
+ * `extractPatchPaths` directly to assert on the path-parsing layer
492
+ * without paying for a real git invocation.
493
+ */
494
+ export const __test__ = { extractPatchPaths, runGit, unquoteGitPath };
495
+ //# sourceMappingURL=apply-patch.js.map
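Review bot: The header loop in extractPatchPaths feeds the security gate only with names taken from `diff --git`, `+++` and `---` lines, but `git apply` also takes the destination from the extended-header lines `rename to <path>` / `copy to <path>`, and a pure rename or copy patch carries no `+++` line at all — so a patch reading `diff --git a/notes.txt b/notes.txt` followed by `rename from notes.txt` / `rename to .env` is gated on `notes.txt` only and then lands on `.env`. Those four header lines should be extracted like the others and passed through `unquoteGitPath` before the gate sees them, since git C-quotes them under `core.quotePath` too. Separately, the `check.status === 127` branch for a missing git binary never fires: without `shell: true`, `spawnSync` reports a missing executable as `status: null` with `error.code === 'ENOENT'` and a null `stderr`, so the call falls through to `check.stderr.toLowerCase()` and throws a TypeError instead of returning `git_unavailable`; test `check.error?.code === 'ENOENT'` before the status checks.
```javascript
export function extractPatchPaths(patch) {
  const paths = new Set();
  for (const line of patch.split('\n')) {
    // git apply also reads names from the extended header; a rename-only or
    // copy-only patch has no `---`/`+++` lines, so gate the destination here.
    const ext = line.match(/^(?:rename|copy) (?:from|to) (.+)$/);
    if (ext) {
      paths.add(unquoteGitPath(ext[1]));
      continue;
    }
    // … unchanged: `diff --git`, `+++`, `---` handling …
  }
  return Array.from(paths);
}
```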
@@ -6,6 +6,35 @@ import { decidePermission } from '../core/permission.js';
6
6
  import { createReadRecord, hashContent } from '../core/file-cache.js';
7
7
  import { resolveWorkspacePath } from '../core/path-security.js';
8
8
  import { recordFileMutation, recordToolCall, recordToolResult } from '../core/session.js';
9
+ /**
10
+ * α6.9 WriteGate marker — thrown by `gateOnCancellation` when the
11
+ * caller supplied a cancellation token that has already aborted. The
12
+ * tool dispatch loop in `tool-bridge.ts` recognises the name and folds
13
+ * the throw into a `status: 'aborted'` tool result rather than a hard
14
+ * error so the loop terminates cleanly.
15
+ */
16
+ export class OperatorAbortedError extends Error {
17
+ constructor(toolName) {
18
+ super(`operator_aborted: ${toolName} refused — operator cancelled the dispatch.`);
19
+ this.name = 'OperatorAbortedError';
20
+ }
21
+ }
22
+ /**
23
+ * α6.9 WriteGate: refuse the tool dispatch when the active
24
+ * cancellation token has aborted. Idempotent (the token's `isAborted`
25
+ * is a getter, no side effects). Returns void on the happy path so the
26
+ * tool can proceed; throws `OperatorAbortedError` when cancelled.
27
+ *
28
+ * The audit trail still gets the call: `recordToolCall` already fired
29
+ * upstream of this guard so the abort + reason are persisted. The
30
+ * matching `recordToolResult` is fired by the caller in its catch
31
+ * block with `status: 'cancelled'` (see existing path for `error`).
32
+ */
33
+ export function gateOnCancellation(ctx, toolName) {
34
+ if (ctx.cancellation && ctx.cancellation.isAborted) {
35
+ throw new OperatorAbortedError(toolName);
36
+ }
37
+ }
9
38
  /**
10
39
  * Re-check the permission decision against the *resolved* real path so
11
40
  * a workspace-local symlink (`alias -> .env`) cannot bypass the protected
@@ -42,6 +71,13 @@ function permissionGatedResolve(ctx, inputPath, action, toolName) {
42
71
  }
43
72
  export function readTool(ctx, path) {
44
73
  const toolCallId = recordToolCall(ctx.session, 'read', path);
74
+ // α6.9 WriteGate: fail fast on operator cancel BEFORE permission
75
+ // decision so a half-second post-cancel race never lands the read.
76
+ if (ctx.cancellation && ctx.cancellation.isAborted) {
77
+ const reason = 'operator_aborted: read refused';
78
+ recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
79
+ throw new OperatorAbortedError('read');
80
+ }
45
81
  const decision = decidePermission({ tool: 'read', kind: 'read', target: path }, ctx.settings, ctx.root);
46
82
  if (decision.decision !== 'allow') {
47
83
  const reason = `Permission ${decision.decision} for read ${path}: ${decision.reason}`;
@@ -64,6 +100,14 @@ export function readTool(ctx, path) {
64
100
  }
65
101
  export function writeTool(ctx, path, content) {
66
102
  const toolCallId = recordToolCall(ctx.session, 'write', path);
103
+ // α6.9 WriteGate: refuse the write when the operator has cancelled
104
+ // the dispatch. The audit log captures the cancellation reason so a
105
+ // post-mortem can distinguish operator_aborted from settings-deny.
106
+ if (ctx.cancellation && ctx.cancellation.isAborted) {
107
+ const reason = 'operator_aborted: write refused';
108
+ recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
109
+ throw new OperatorAbortedError('write');
110
+ }
67
111
  const decision = decidePermission({ tool: 'write', kind: 'edit', target: path }, ctx.settings, ctx.root);
68
112
  if (decision.decision !== 'allow') {
69
113
  const reason = `Permission ${decision.decision} for write ${path}: ${decision.reason}`;
@@ -95,6 +139,15 @@ export function writeTool(ctx, path, content) {
95
139
  }
96
140
  export function editTool(ctx, path, oldString, newString) {
97
141
  const toolCallId = recordToolCall(ctx.session, 'edit', path);
142
+ // α6.9 WriteGate: refuse the edit when the operator has cancelled
143
+ // the dispatch. Edits are higher-risk than reads — surface the abort
144
+ // BEFORE we even consult permissions so a cancel-during-tool-loop
145
+ // never partially mutates the workspace.
146
+ if (ctx.cancellation && ctx.cancellation.isAborted) {
147
+ const reason = 'operator_aborted: edit refused';
148
+ recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
149
+ throw new OperatorAbortedError('edit');
150
+ }
98
151
  const decision = decidePermission({ tool: 'edit', kind: 'edit', target: path }, ctx.settings, ctx.root);
99
152
  if (decision.decision !== 'allow') {
100
153
  const reason = `Permission ${decision.decision} for edit ${path}: ${decision.reason}`;
@@ -140,6 +193,14 @@ export function editTool(ctx, path, oldString, newString) {
140
193
  }
141
194
  export function globTool(ctx, pattern) {
142
195
  const toolCallId = recordToolCall(ctx.session, 'glob', pattern);
196
+ // α6.9 WriteGate: cancel-aware short-circuit. Glob is read-only but
197
+ // can be expensive on large trees; respecting the abort here keeps
198
+ // the tool loop responsive when the operator hits Ctrl+C mid-scan.
199
+ if (ctx.cancellation && ctx.cancellation.isAborted) {
200
+ const reason = 'operator_aborted: glob refused';
201
+ recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
202
+ throw new OperatorAbortedError('glob');
203
+ }
143
204
  // Pugi globs are workspace-scoped. Reject any pattern that could enumerate
144
205
  // outside the workspace:
145
206
  // 1. absolute paths (`/etc/**/*`) — globSync resolves these against `/`
@@ -169,11 +230,28 @@ export function globTool(ctx, pattern) {
169
230
  }
170
231
  export function grepTool(ctx, query) {
171
232
  const toolCallId = recordToolCall(ctx.session, 'grep', query);
233
+ // α6.9 WriteGate: refuse before scanning. Grep walks the whole
234
+ // workspace and can take seconds on a large repo; check abort first
235
+ // so a cancel mid-scan returns immediately rather than after the
236
+ // full walk completes.
237
+ if (ctx.cancellation && ctx.cancellation.isAborted) {
238
+ const reason = 'operator_aborted: grep refused';
239
+ recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
240
+ throw new OperatorAbortedError('grep');
241
+ }
172
242
  const files = globTool(ctx, '**/*').filter((path) => !path.endsWith('/'));
173
243
  const matches = [];
174
244
  for (const path of files) {
175
245
  if (matches.length >= 200)
176
246
  break;
247
+ // α6.9 WriteGate: poll abort inside the file loop so a cancel
248
+ // arriving mid-scan terminates early. The per-file branch keeps
249
+ // the responsiveness bounded by the slowest single-file read.
250
+ if (ctx.cancellation && ctx.cancellation.isAborted) {
251
+ const reason = `operator_aborted: grep stopped mid-scan after ${matches.length} matches`;
252
+ recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
253
+ throw new OperatorAbortedError('grep');
254
+ }
177
255
  // Permission gate every file read individually — grep used to bypass
178
256
  // `decidePermission` and could surface lines from protected files
179
257
  // (.env, *.sql, *.pem, ~/.ssh/**) when invoked from a directory walk.
@@ -241,6 +319,18 @@ export const BASH_DEFAULT_TIMEOUT_MS = 30_000;
241
319
  export const BASH_CHILD_MAXBUFFER = 10 * 1024 * 1024;
242
320
  export function bashTool(ctx, command, options = {}) {
243
321
  const toolCallId = recordToolCall(ctx.session, 'bash', command);
322
+ // α6.9 WriteGate: bash is the highest-risk tool surface. Refuse
323
+ // before the destructive-pattern classifier even runs so a
324
+ // cancelled dispatch never spawns a child process. Note: this is
325
+ // pre-spawn cancellation only; once the /bin/sh -c process is
326
+ // running, the synchronous spawnSync wait blocks until it exits or
327
+ // the 30s timeout fires. Phase 2 will wire SIGTERM forwarding via
328
+ // an async wrapper.
329
+ if (ctx.cancellation && ctx.cancellation.isAborted) {
330
+ const reason = 'operator_aborted: bash refused';
331
+ recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
332
+ throw new OperatorAbortedError('bash');
333
+ }
244
334
  const decision = decidePermission({ tool: 'bash', kind: 'bash', target: command }, ctx.settings, ctx.root);
245
335
  if (decision.decision !== 'allow') {
246
336
  const reason = `Permission ${decision.decision} for bash: ${decision.reason}`;
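Review bot: The new cancellation guard in readTool, writeTool, editTool, globTool, grepTool and bashTool is the same four-line block pasted six times, while the first hunk of this section introduces `gateOnCancellation` for exactly this purpose and documents that "the matching recordToolResult is fired by the caller in its catch block" — a contract none of the six call sites follows, so the helper and the tools will drift the next time the abort semantics change. Letting the helper take the `toolCallId` and record the cancelled result itself reduces each site to `gateOnCancellation(ctx, 'write', toolCallId);` while keeping the two-argument form for callers such as apply-patch that log in their own catch. The mid-scan poll inside grepTool's file loop carries a different message (`stopped mid-scan after N matches`), so it either keeps its inline form or the helper grows an optional detail string. bashTool's body continues past the end of this section.
```javascript
export function gateOnCancellation(ctx, toolName, toolCallId) {
  if (!(ctx.cancellation && ctx.cancellation.isAborted)) return;
  // Record the cancelled result here when the caller hands us its toolCallId,
  // so the audit trail does not depend on each tool repeating the branch.
  if (toolCallId !== undefined) {
    recordToolResult(ctx.session, toolCallId, 'cancelled', `operator_aborted: ${toolName} refused`);
  }
  throw new OperatorAbortedError(toolName);
}
```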