@pugi/cli 0.1.0-alpha.9 → 0.1.0-beta.2

package/dist/tools/apply-patch.js

@@ -0,0 +1,314 @@
+/**
+ * apply_patch tool — α7.7 Phase 1.
+ *
+ * Accepts a unified diff (the format produced by `git diff` and
+ * consumed by `git apply`) and lands it atomically into the workspace.
+ * This is the third edit primitive alongside the α6.6 4-layer diff
+ * escalation: where the layers escalate from minimal `oldString`/
+ * `newString` blocks up to full-file rewrites, apply_patch covers the
+ * unified-diff dialect that OpenAI Codex and most external tools emit.
+ *
+ * Why we have both:
+ *
+ *   - The 4-layer escalation maximises model-side success rate on
+ *     conversational edits (Claude / Gemini / OpenAI all have a
+ *     preferred dialect that maps onto one of the layers).
+ *   - apply_patch is the "external tools speak this" path. A model
+ *     emits a single unified diff (the format `git diff` produces),
+ *     and we run it through `git apply` with the same security gate
+ *     the layers use.
+ *
+ * Security: every file mentioned in the patch goes through the same
+ * `applySecurityGate` chokepoint as the layers (see
+ * `src/core/edits/security-gate.ts`). A patch that touches
+ * `../../etc/passwd`, `.env`, or a workspace-local symlink to a protected
+ * file is rejected BEFORE `git apply` runs. Symlink escape, protected
+ * file, and path traversal are all covered by the same gate the layers
+ * inherit — we never roll our own resolver here.
+ *
+ * Atomicity: a multi-file patch either lands entirely or not at all.
+ * `git apply --check` validates the patch end-to-end against the
+ * working tree first; only on a clean check do we run the real apply.
+ * If the apply still fails partway (extremely rare — usually a race
+ * with another writer), we run `git checkout -- <each file>` to roll
+ * the tree back. This keeps the dispatcher's invariant: a tool result
+ * of `ok: false` means the workspace is unchanged.
+ *
+ * Idempotency: applying the same patch twice rejects the second with
+ * `already_applied`. `git apply` itself returns success only when the
+ * patch's pre-image matches the working tree, so a second invocation
+ * naturally fails. We translate the specific failure mode into a
+ * dedicated reason so callers can short-circuit retry loops.
+ *
+ * Brand voice: ASCII only, no emoji, no banned words.
+ */
+import { spawnSync } from 'node:child_process';
+import { resolve, sep } from 'node:path';
+import { applySecurityGate } from '../core/edits/security-gate.js';
+import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
+import { recordToolCall, recordToolResult, recordFileMutation } from '../core/session.js';
+/**
+ * Parse the file paths referenced in a unified diff. We look for both
+ * `diff --git a/X b/Y` headers (preferred) and the fallback
+ * `+++ b/<path>` lines that plain `diff -u` emits. The full set of
+ * touched paths feeds the security gate — EVERY file goes through
+ * `applySecurityGate` before we trust `git apply` to do anything.
+ */
+export function extractPatchPaths(patch) {
+    const paths = new Set();
+    for (const line of patch.split('\n')) {
+        if (line.startsWith('diff --git ')) {
+            // `diff --git a/foo b/bar` — paths can contain spaces only when
+            // quoted by git's own diff machinery (rare). The robust extractor
+            // matches the `b/...` half because rename diffs carry the new
+            // name there.
+            const match = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
+            if (match) {
+                if (match[1])
+                    paths.add(match[1]);
+                if (match[2])
+                    paths.add(match[2]);
+            }
+            continue;
+        }
+        if (line.startsWith('+++ ')) {
+            const after = line.slice(4).trim();
+            if (after === '/dev/null')
+                continue;
+            const trimmed = after.startsWith('b/') ? after.slice(2) : after;
+            if (trimmed)
+                paths.add(stripTimestampSuffix(trimmed));
+            continue;
+        }
+        if (line.startsWith('--- ')) {
+            const after = line.slice(4).trim();
+            if (after === '/dev/null')
+                continue;
+            const trimmed = after.startsWith('a/') ? after.slice(2) : after;
+            if (trimmed)
+                paths.add(stripTimestampSuffix(trimmed));
+        }
+    }
+    return Array.from(paths);
+}
+/**
+ * `diff -u` (non-git) emits trailing tab-prefixed timestamps after the
+ * path: `--- foo.ts\t2026-05-25 10:00:00`. Strip those so the security
+ * gate sees the clean path.
+ */
+function stripTimestampSuffix(path) {
+    const tab = path.indexOf('\t');
+    return tab >= 0 ? path.slice(0, tab) : path;
+}
+/**
+ * Apply a unified-diff patch to the workspace. Routes every mentioned
+ * file through the shared security gate before invoking `git apply`.
+ */
+export function applyPatch(ctx, patch, opts = {}) {
+    const toolCallId = recordToolCall(ctx.session, 'apply_patch', `${patch.length} bytes`);
+    try {
+        gateOnCancellation(ctx, 'apply_patch');
+    }
+    catch (error) {
+        if (error instanceof OperatorAbortedError) {
+            recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
+            throw error;
+        }
+        throw error;
+    }
+    if (patch.trim().length === 0) {
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'empty_patch',
+            detail: 'patch body is empty',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'empty_patch');
+        return result;
+    }
+    const paths = extractPatchPaths(patch);
+    if (paths.length === 0) {
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'invalid_patch',
+            detail: 'no `diff --git` or `+++` headers found in patch',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'invalid_patch');
+        return result;
+    }
+    // SECURITY GATE — reuse the α6.6 chokepoint. Every path in the patch
+    // is validated against:
+    //   1. workspace containment (no ../../ escapes)
+    //   2. protected-file basenames (.env, *.pem, id_rsa, etc.)
+    //   3. symlink escape (an in-workspace symlink pointing to /etc/hosts
+    //      or a protected basename gets rejected here)
+    for (const file of paths) {
+        const gate = applySecurityGate(file, { cwd: ctx.root, toolName: 'layer-c' });
+        if (!gate.ok) {
+            const result = {
+                ok: false,
+                filesChanged: [],
+                reason: gate.reason,
+                detail: `${file}: ${gate.detail}`,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', `${gate.reason}: ${file}`);
+            return result;
+        }
+    }
+    // `git apply --check` validates the patch end-to-end against the
+    // working tree. A passing check is the gate for the actual apply.
+    const checkArgs = ['apply', '--check'];
+    if (opts.baseSha)
+        checkArgs.push('--3way');
+    checkArgs.push('-');
+    const check = runGit(checkArgs, ctx.root, patch);
+    if (check.status === 127) {
+        // No git binary on PATH. Rare on a developer machine but possible
+        // in slim containers / CI images. Surface a dedicated reason so
+        // the operator's message says "install git" not "patch is bad".
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'git_unavailable',
+            detail: 'git not found on PATH',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'git_unavailable');
+        return result;
+    }
+    if (check.status !== 0) {
+        // Decide whether this is the "already applied" case or a real
+        // failure. `git apply --check` rejects an already-applied patch
+        // with stderr containing `error: patch failed` and at least one
+        // hunk that mentions "patch does not apply" or "already exists".
+        // We use a conservative heuristic: when EVERY targeted file in the
+        // diff is present and the patch's pre-image is missing, treat it
+        // as already_applied. The simpler signal is the stderr string
+        // containing `already exists in working directory` (git's own
+        // message for a creating patch landing twice) or `does not apply`.
+        const stderr = check.stderr.toLowerCase();
+        if (stderr.includes('already exists in working directory') || isLikelyAlreadyApplied(check.stderr, patch)) {
+            const result = {
+                ok: false,
+                filesChanged: [],
+                reason: 'already_applied',
+                detail: 'patch pre-image does not match working tree — patch was likely already applied',
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', 'already_applied');
+            return result;
+        }
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'check_failed',
+            detail: check.stderr.trim() || 'git apply --check rejected the patch',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', `check_failed: ${result.detail}`);
+        return result;
+    }
+    if (opts.dryRun) {
+        const result = {
+            ok: true,
+            filesChanged: paths,
+        };
+        recordToolResult(ctx.session, toolCallId, 'success', `dry-run ok, ${paths.length} files`);
+        return result;
+    }
+    const applyArgs = ['apply'];
+    if (opts.baseSha)
+        applyArgs.push('--3way');
+    applyArgs.push('-');
+    const apply = runGit(applyArgs, ctx.root, patch);
+    if (apply.status !== 0) {
+        // Apply failed AFTER --check passed. This is almost always a TOCTOU
+        // (another writer touched a file between the two git calls).
+        // Rollback ANY partial mutation so the workspace stays consistent.
+        const rollback = rollbackFiles(ctx.root, paths);
+        const detail = apply.stderr.trim() || 'git apply failed after passing --check';
+        if (!rollback.ok) {
+            const result = {
+                ok: false,
+                filesChanged: [],
+                reason: 'rollback_failed',
+                detail: `${detail}; rollback also failed: ${rollback.detail}`,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', 'rollback_failed');
+            return result;
+        }
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'apply_failed',
+            detail,
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', `apply_failed: ${detail}`);
+        return result;
+    }
+    // Audit-log every file the patch mutated. The before/after hashes
+    // are NOT recorded (git owns the staging area for that); the
+    // mutation entry is enough for `pugi undo` to surface "apply_patch
+    // touched these files" in the timeline.
+    for (const file of paths) {
+        recordFileMutation(ctx.session, {
+            toolCallId,
+            path: file,
+            operation: 'update',
+        });
+    }
+    recordToolResult(ctx.session, toolCallId, 'success', `applied ${paths.length} files`);
+    return { ok: true, filesChanged: paths };
+}
+/**
+ * Heuristic for the "patch already applied" case beyond git's explicit
+ * `already exists` string. When `git apply --check` rejects with
+ * `patch does not apply` AND every hunk's target file exists with
+ * matching post-image lines, the patch is effectively a no-op repeat.
+ * We keep the heuristic minimal because the explicit string covers the
+ * dominant case; full hunk inspection would require parsing the patch
+ * (which is what `git apply` does in the first place).
+ */
+function isLikelyAlreadyApplied(stderr, _patch) {
+    return stderr.toLowerCase().includes('patch does not apply') === false ? false : false;
+    // Intentionally conservative for now — the explicit `already exists`
+    // case above covers the only path that's reliably distinguishable
+    // from a malformed-patch failure. A richer detector can land in
+    // α7.7b when we have a corpus of real "already_applied" stderr samples.
+}
+/**
+ * Roll back any partial mutation by checking files out from HEAD. Used
+ * only on the rare path where `git apply` fails AFTER `git apply --check`
+ * passed.
+ */
+function rollbackFiles(cwd, paths) {
+    if (paths.length === 0)
+        return { ok: true };
+    // We only attempt to roll back files that are inside the workspace
+    // and were resolved by the security gate. A path that escaped the
+    // gate would have already aborted us above.
+    const safePaths = paths.filter((p) => {
+        const abs = resolve(cwd, p);
+        return abs === cwd || abs.startsWith(cwd + sep);
+    });
+    if (safePaths.length === 0)
+        return { ok: true };
+    const result = runGit(['checkout', '--', ...safePaths], cwd);
+    if (result.status !== 0) {
+        return { ok: false, detail: result.stderr.trim() };
+    }
+    return { ok: true };
+}
+function runGit(args, cwd, stdin) {
+    return spawnSync('git', args, {
+        cwd,
+        input: stdin,
+        encoding: 'utf8',
+        maxBuffer: 64 * 1024 * 1024,
+    });
+}
+/**
+ * Test-only surface for the apply-patch heuristics. Specs poke
+ * `extractPatchPaths` directly to assert on the path-parsing layer
+ * without paying for a real git invocation.
+ */
+export const __test__ = { extractPatchPaths, isLikelyAlreadyApplied, runGit };
+//# sourceMappingURL=apply-patch.js.map

package/dist/tools/file-tools.js

@@ -6,6 +6,35 @@ import { decidePermission } from '../core/permission.js';
 import { createReadRecord, hashContent } from '../core/file-cache.js';
 import { resolveWorkspacePath } from '../core/path-security.js';
 import { recordFileMutation, recordToolCall, recordToolResult } from '../core/session.js';
+/**
+ * α6.9 WriteGate marker — thrown by `gateOnCancellation` when the
+ * caller supplied a cancellation token that has already aborted. The
+ * tool dispatch loop in `tool-bridge.ts` recognises the name and folds
+ * the throw into a `status: 'aborted'` tool result rather than a hard
+ * error so the loop terminates cleanly.
+ */
+export class OperatorAbortedError extends Error {
+    constructor(toolName) {
+        super(`operator_aborted: ${toolName} refused — operator cancelled the dispatch.`);
+        this.name = 'OperatorAbortedError';
+    }
+}
+/**
+ * α6.9 WriteGate: refuse the tool dispatch when the active
+ * cancellation token has aborted. Idempotent (the token's `isAborted`
+ * is a getter, no side effects). Returns void on the happy path so the
+ * tool can proceed; throws `OperatorAbortedError` when cancelled.
+ *
+ * The audit trail still gets the call: `recordToolCall` already fired
+ * upstream of this guard so the abort + reason are persisted. The
+ * matching `recordToolResult` is fired by the caller in its catch
+ * block with `status: 'cancelled'` (see existing path for `error`).
+ */
+export function gateOnCancellation(ctx, toolName) {
+    if (ctx.cancellation && ctx.cancellation.isAborted) {
+        throw new OperatorAbortedError(toolName);
+    }
+}
 /**
  * Re-check the permission decision against the *resolved* real path so
  * a workspace-local symlink (`alias -> .env`) cannot bypass the protected
@@ -42,6 +71,13 @@ function permissionGatedResolve(ctx, inputPath, action, toolName) {
 }
 export function readTool(ctx, path) {
     const toolCallId = recordToolCall(ctx.session, 'read', path);
+    // α6.9 WriteGate: fail fast on operator cancel BEFORE permission
+    // decision so a half-second post-cancel race never lands the read.
+    if (ctx.cancellation && ctx.cancellation.isAborted) {
+        const reason = 'operator_aborted: read refused';
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        throw new OperatorAbortedError('read');
+    }
     const decision = decidePermission({ tool: 'read', kind: 'read', target: path }, ctx.settings, ctx.root);
     if (decision.decision !== 'allow') {
         const reason = `Permission ${decision.decision} for read ${path}: ${decision.reason}`;
@@ -64,6 +100,14 @@ export function readTool(ctx, path) {
 }
 export function writeTool(ctx, path, content) {
     const toolCallId = recordToolCall(ctx.session, 'write', path);
+    // α6.9 WriteGate: refuse the write when the operator has cancelled
+    // the dispatch. The audit log captures the cancellation reason so a
+    // post-mortem can distinguish operator_aborted from settings-deny.
+    if (ctx.cancellation && ctx.cancellation.isAborted) {
+        const reason = 'operator_aborted: write refused';
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        throw new OperatorAbortedError('write');
+    }
     const decision = decidePermission({ tool: 'write', kind: 'edit', target: path }, ctx.settings, ctx.root);
     if (decision.decision !== 'allow') {
         const reason = `Permission ${decision.decision} for write ${path}: ${decision.reason}`;
@@ -95,6 +139,15 @@ export function writeTool(ctx, path, content) {
 }
 export function editTool(ctx, path, oldString, newString) {
     const toolCallId = recordToolCall(ctx.session, 'edit', path);
+    // α6.9 WriteGate: refuse the edit when the operator has cancelled
+    // the dispatch. Edits are higher-risk than reads — surface the abort
+    // BEFORE we even consult permissions so a cancel-during-tool-loop
+    // never partially mutates the workspace.
+    if (ctx.cancellation && ctx.cancellation.isAborted) {
+        const reason = 'operator_aborted: edit refused';
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        throw new OperatorAbortedError('edit');
+    }
     const decision = decidePermission({ tool: 'edit', kind: 'edit', target: path }, ctx.settings, ctx.root);
     if (decision.decision !== 'allow') {
         const reason = `Permission ${decision.decision} for edit ${path}: ${decision.reason}`;
@@ -140,6 +193,14 @@ export function editTool(ctx, path, oldString, newString) {
 }
 export function globTool(ctx, pattern) {
     const toolCallId = recordToolCall(ctx.session, 'glob', pattern);
+    // α6.9 WriteGate: cancel-aware short-circuit. Glob is read-only but
+    // can be expensive on large trees; respecting the abort here keeps
+    // the tool loop responsive when the operator hits Ctrl+C mid-scan.
+    if (ctx.cancellation && ctx.cancellation.isAborted) {
+        const reason = 'operator_aborted: glob refused';
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        throw new OperatorAbortedError('glob');
+    }
     // Pugi globs are workspace-scoped. Reject any pattern that could enumerate
     // outside the workspace:
     //   1. absolute paths (`/etc/**/*`) — globSync resolves these against `/`
@@ -169,11 +230,28 @@ export function globTool(ctx, pattern) {
 }
 export function grepTool(ctx, query) {
     const toolCallId = recordToolCall(ctx.session, 'grep', query);
+    // α6.9 WriteGate: refuse before scanning. Grep walks the whole
+    // workspace and can take seconds on a large repo; check abort first
+    // so a cancel mid-scan returns immediately rather than after the
+    // full walk completes.
+    if (ctx.cancellation && ctx.cancellation.isAborted) {
+        const reason = 'operator_aborted: grep refused';
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        throw new OperatorAbortedError('grep');
+    }
     const files = globTool(ctx, '**/*').filter((path) => !path.endsWith('/'));
     const matches = [];
     for (const path of files) {
         if (matches.length >= 200)
             break;
+        // α6.9 WriteGate: poll abort inside the file loop so a cancel
+        // arriving mid-scan terminates early. The per-file branch keeps
+        // the responsiveness bounded by the slowest single-file read.
+        if (ctx.cancellation && ctx.cancellation.isAborted) {
+            const reason = `operator_aborted: grep stopped mid-scan after ${matches.length} matches`;
+            recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+            throw new OperatorAbortedError('grep');
+        }
         // Permission gate every file read individually — grep used to bypass
         // `decidePermission` and could surface lines from protected files
         // (.env, *.sql, *.pem, ~/.ssh/**) when invoked from a directory walk.
@@ -241,6 +319,18 @@ export const BASH_DEFAULT_TIMEOUT_MS = 30_000;
 export const BASH_CHILD_MAXBUFFER = 10 * 1024 * 1024;
 export function bashTool(ctx, command, options = {}) {
     const toolCallId = recordToolCall(ctx.session, 'bash', command);
+    // α6.9 WriteGate: bash is the highest-risk tool surface. Refuse
+    // before the destructive-pattern classifier even runs so a
+    // cancelled dispatch never spawns a child process. Note: this is
+    // pre-spawn cancellation only; once the /bin/sh -c process is
+    // running, the synchronous spawnSync wait blocks until it exits or
+    // the 30s timeout fires. Phase 2 will wire SIGTERM forwarding via
+    // an async wrapper.
+    if (ctx.cancellation && ctx.cancellation.isAborted) {
+        const reason = 'operator_aborted: bash refused';
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        throw new OperatorAbortedError('bash');
+    }
     const decision = decidePermission({ tool: 'bash', kind: 'bash', target: command }, ctx.settings, ctx.root);
     if (decision.decision !== 'allow') {
         const reason = `Permission ${decision.decision} for bash: ${decision.reason}`;

package/dist/tools/lsp-tools.js

@@ -0,0 +1,189 @@
+import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
+import { recordToolCall, recordToolResult } from '../core/session.js';
+/** Cap for any single LSP tool's payload size. Keeps model context lean. */
+const LSP_PAYLOAD_CAP_BYTES = 8 * 1024;
+export async function lspHover(ctx, lang, file, line, col) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_hover', `${lang}:${file}:${line}:${col}`);
+    return guard(ctx, 'lsp_hover', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.hover(file, { line, character: col }, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        if (!result.value) {
+            return { ok: true, value: { content: '' } };
+        }
+        const content = truncate(result.value.content);
+        return {
+            ok: true,
+            value: {
+                content: content.text,
+                ...(result.value.range ? { range: result.value.range } : {}),
+            },
+            ...(content.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+export async function lspDefinition(ctx, lang, file, line, col) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_definition', `${lang}:${file}:${line}:${col}`);
+    return guard(ctx, 'lsp_definition', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.definition(file, { line, character: col }, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        const capped = capLocations(result.value);
+        return {
+            ok: true,
+            value: capped.value,
+            ...(capped.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+export async function lspReferences(ctx, lang, file, line, col) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_references', `${lang}:${file}:${line}:${col}`);
+    return guard(ctx, 'lsp_references', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.references(file, { line, character: col }, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        const capped = capLocations(result.value);
+        return {
+            ok: true,
+            value: capped.value,
+            ...(capped.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+export async function lspDiagnostics(ctx, lang, file) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_diagnostics', `${lang}:${file}`);
+    return guard(ctx, 'lsp_diagnostics', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.diagnostics(file, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        const capped = capDiagnostics(result.value);
+        return {
+            ok: true,
+            value: capped.value,
+            ...(capped.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+async function guard(ctx, toolName, toolCallId, op) {
+    try {
+        gateOnCancellation(ctx, toolName);
+    }
+    catch (error) {
+        if (error instanceof OperatorAbortedError) {
+            recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
+            return { ok: false, reason: 'operator_aborted', detail: error.message };
+        }
+        throw error;
+    }
+    try {
+        const result = await op();
+        if (result.ok) {
+            recordToolResult(ctx.session, toolCallId, 'success', summarize(result.value));
+        }
+        else {
+            recordToolResult(ctx.session, toolCallId, 'error', `${result.reason ?? 'error'}: ${result.detail ?? ''}`);
+        }
+        return result;
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        recordToolResult(ctx.session, toolCallId, 'error', message);
+        return { ok: false, reason: 'lsp_error', detail: message };
+    }
+}
+function unavailable(lang) {
+    return {
+        ok: false,
+        reason: 'lsp_unavailable',
+        detail: `no LSP server started for ${lang}. Install the server and re-run ` +
+            `with --lsp ${lang}, or fall back to grep.`,
+    };
+}
+function failure(result) {
+    if (result.ok) {
+        // Shouldn't be hit — caller checks first.
+        return { ok: true, value: result.value };
+    }
+    return { ok: false, reason: result.reason, detail: result.detail };
+}
+function summarize(value) {
+    if (value === null || value === undefined)
+        return 'no result';
+    if (Array.isArray(value))
+        return `${value.length} items`;
+    if (typeof value === 'object')
+        return Object.keys(value).join(',');
+    return String(value);
+}
+function truncate(text) {
+    const bytes = Buffer.byteLength(text, 'utf8');
+    if (bytes <= LSP_PAYLOAD_CAP_BYTES)
+        return { text, truncated: false };
+    // Truncate to the cap byte boundary. We don't try to honor codepoint
+    // alignment — UTF-8 surrogate splits show up as a single ? at the
+    // boundary, which is acceptable for a debug surface; the dispatcher
+    // is the trust boundary for "this is what the model will see".
+    const buf = Buffer.from(text, 'utf8').subarray(0, LSP_PAYLOAD_CAP_BYTES);
+    return { text: `${buf.toString('utf8')}\n... [truncated]`, truncated: true };
+}
+function capLocations(locations) {
+    // Cap at 200 locations OR the byte cap, whichever hits first. The
+    // 200 number is the operator-facing "this is a hot symbol" threshold —
+    // a richer surface (paginated `pugi lsp references --offset N`) is
+    // open backlog.
+    const COUNT_CAP = 200;
+    if (locations.length === 0)
+        return { value: locations, truncated: false };
+    const trimmed = locations.slice(0, COUNT_CAP);
+    const serialized = JSON.stringify(trimmed);
+    if (Buffer.byteLength(serialized, 'utf8') <= LSP_PAYLOAD_CAP_BYTES && trimmed.length === locations.length) {
+        return { value: trimmed, truncated: false };
+    }
+    // Trim by halves until we fit the byte cap. Worst case ~10 iterations
+    // for the 200 max, fine for an interactive tool.
+    let upper = trimmed.length;
+    while (upper > 1) {
+        const half = Math.floor(upper / 2);
+        const sub = trimmed.slice(0, half);
+        if (Buffer.byteLength(JSON.stringify(sub), 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
+            return { value: sub, truncated: true };
+        }
+        upper = half;
+    }
+    return { value: trimmed.slice(0, 1), truncated: true };
+}
+function capDiagnostics(items) {
+    if (items.length === 0)
+        return { value: items, truncated: false };
+    const serialized = JSON.stringify(items);
+    if (Buffer.byteLength(serialized, 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
+        return { value: items, truncated: false };
+    }
+    // Diagnostics are sorted error-first in LSP convention; trim from the
+    // tail so we keep the highest-severity items.
+    let upper = items.length;
+    while (upper > 1) {
+        const half = Math.floor(upper / 2);
+        const sub = items.slice(0, half);
+        if (Buffer.byteLength(JSON.stringify(sub), 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
+            return { value: sub, truncated: true };
+        }
+        upper = half;
+    }
+    return { value: items.slice(0, 1), truncated: true };
+}
+/** Test-only surface so specs can poke truncation directly. */
+export const __test__ = { truncate, capLocations, capDiagnostics, LSP_PAYLOAD_CAP_BYTES };
+//# sourceMappingURL=lsp-tools.js.map

package/dist/tools/registry.js

@@ -1,8 +1,19 @@
 const registry = [
+    // α7.7: unified-diff patch apply. Routes through the same security
+    // gate as Layer A/B/C, so the risk class matches `edit`/`write`
+    // (medium — writes inside the workspace, never to protected files).
+    { name: 'apply_patch', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
     { name: 'bash', permission: 'bash', risk: 'high', concurrencySafe: false, m1: true },
     { name: 'edit', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
     { name: 'glob', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'grep', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
+    // α7.7: LSP read-only surface. Server runs locally, no Anvil
+    // round-trip. Concurrency-safe because every operation reads
+    // server state without mutating workspace files.
+    { name: 'lsp_definition', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
+    { name: 'lsp_diagnostics', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
+    { name: 'lsp_hover', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
+    { name: 'lsp_references', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'question', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
     { name: 'read', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'skill', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
@@ -11,6 +22,13 @@ const registry = [
     { name: 'task_list', permission: 'none', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'task_update', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
     { name: 'web_fetch', permission: 'network', risk: 'medium', concurrencySafe: true, m1: true },
+    // α7.7: scratch worktree management. `worktree_create` writes nothing
+    // dangerous (a clone under `.pugi/worktrees/`); `worktree_promote`
+    // applies a diff back to the main tree, so it shares the `edit`
+    // risk class. `worktree_drop` is the cleanup primitive.
+    { name: 'worktree_create', permission: 'edit', risk: 'low', concurrencySafe: false, m1: true },
+    { name: 'worktree_drop', permission: 'edit', risk: 'low', concurrencySafe: false, m1: true },
+    { name: 'worktree_promote', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
     { name: 'write', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
 ];
 export const toolRegistry = registry.sort((a, b) => a.name.localeCompare(b.name));