@pugi/cli 0.1.0-beta.1 → 0.1.0-beta.100

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (448) hide show
  1. package/CHANGELOG.md +132 -0
  2. package/LICENSE +1 -1
  3. package/README.md +53 -11
  4. package/THIRD_PARTY_NOTICES.md +40 -0
  5. package/assets/pugi-mascot.ansi +15 -40
  6. package/assets/pugi-prozr2-mascot.ansi +9 -0
  7. package/bin/run.js +33 -1
  8. package/dist/commands/deploy.js +40 -40
  9. package/dist/commands/flatten.js +191 -0
  10. package/dist/commands/jobs-watch.js +201 -0
  11. package/dist/commands/jobs.js +42 -27
  12. package/dist/commands/retro.js +210 -0
  13. package/dist/commands/smoke.js +133 -0
  14. package/dist/core/agent-progress/cleanup.js +134 -0
  15. package/dist/core/agent-progress/schema.js +144 -0
  16. package/dist/core/agent-progress/writer.js +101 -0
  17. package/dist/core/agents/adaptive-router.js +330 -0
  18. package/dist/core/agents/query-decomposer.js +297 -0
  19. package/dist/core/agents/registry.js +3 -3
  20. package/dist/core/approvals/shortcut-resolver.js +98 -0
  21. package/dist/core/artifact-chain/dispatcher.js +148 -0
  22. package/dist/core/artifact-chain/exporter.js +164 -0
  23. package/dist/core/artifact-chain/state.js +243 -0
  24. package/dist/core/artifact-chain/steps.js +169 -0
  25. package/dist/core/ask-user/question.js +92 -0
  26. package/dist/core/audit/audit-trail.js +275 -0
  27. package/dist/core/auth/ensure-authenticated.js +129 -0
  28. package/dist/core/auth/env-provider.js +238 -0
  29. package/dist/core/auto-open-browser.js +4 -4
  30. package/dist/core/auto-update/channels.js +122 -0
  31. package/dist/core/auto-update/checker.js +241 -0
  32. package/dist/core/auto-update/state.js +235 -0
  33. package/dist/core/bare-mode/index.js +107 -0
  34. package/dist/core/bash/redirect.js +281 -0
  35. package/dist/core/bash-classifier.js +436 -40
  36. package/dist/core/checkpoint/resumer.js +149 -0
  37. package/dist/core/checkpoint/rewinder.js +291 -0
  38. package/dist/core/checkpoints/shadow-git.js +670 -0
  39. package/dist/core/citations/parser.js +109 -0
  40. package/dist/core/classifier/yolo-classifier.js +88 -0
  41. package/dist/core/codegraph/db.js +506 -0
  42. package/dist/core/codegraph/decision-store.js +248 -0
  43. package/dist/core/codegraph/detect-repo.js +459 -0
  44. package/dist/core/codegraph/install.js +134 -0
  45. package/dist/core/codegraph/offer-hook.js +220 -0
  46. package/dist/core/codegraph/parser.js +71 -0
  47. package/dist/core/codegraph/types.js +34 -0
  48. package/dist/core/compact/auto-trigger.js +96 -0
  49. package/dist/core/compact/buffer-rewriter.js +115 -0
  50. package/dist/core/compact/summarizer.js +208 -0
  51. package/dist/core/compact/token-counter.js +108 -0
  52. package/dist/core/consensus/anvil-fanout.js +25 -25
  53. package/dist/core/consensus/diff-capture.js +121 -12
  54. package/dist/core/consensus/rubric.js +21 -21
  55. package/dist/core/context/builder.js +6 -6
  56. package/dist/core/context/compaction-events.js +8 -8
  57. package/dist/core/context/compaction.js +31 -31
  58. package/dist/core/context/index.js +15 -8
  59. package/dist/core/context/invariants.js +51 -51
  60. package/dist/core/context/markdown-loader.js +28 -10
  61. package/dist/core/context/markdown-traverse.js +255 -0
  62. package/dist/core/context/pugiignore.js +41 -41
  63. package/dist/core/context/repo-skeleton.js +37 -37
  64. package/dist/core/context/tool-eviction.js +55 -0
  65. package/dist/core/context/watcher.js +32 -32
  66. package/dist/core/context/working-set.js +23 -23
  67. package/dist/core/coordinator/agent-tools.js +77 -0
  68. package/dist/core/coordinator/agent-toolset.js +65 -0
  69. package/dist/core/coordinator/fsm.js +73 -0
  70. package/dist/core/coordinator/mode-fsm.js +70 -0
  71. package/dist/core/cost/rate-card.js +129 -0
  72. package/dist/core/cost/tracker.js +221 -0
  73. package/dist/core/credentials.js +13 -13
  74. package/dist/core/cron/scheduler.js +138 -0
  75. package/dist/core/denial-tracking/index.js +8 -0
  76. package/dist/core/denial-tracking/state.js +264 -0
  77. package/dist/core/diagnostics/probe-runner.js +93 -0
  78. package/dist/core/diagnostics/probes/api.js +46 -0
  79. package/dist/core/diagnostics/probes/auth.js +93 -0
  80. package/dist/core/diagnostics/probes/bare-mode.js +42 -0
  81. package/dist/core/diagnostics/probes/cli-version.js +127 -0
  82. package/dist/core/diagnostics/probes/config.js +72 -0
  83. package/dist/core/diagnostics/probes/denial-tracking.js +57 -0
  84. package/dist/core/diagnostics/probes/disk.js +81 -0
  85. package/dist/core/diagnostics/probes/engine-live.js +46 -0
  86. package/dist/core/diagnostics/probes/git.js +65 -0
  87. package/dist/core/diagnostics/probes/hooks.js +118 -0
  88. package/dist/core/diagnostics/probes/mcp.js +75 -0
  89. package/dist/core/diagnostics/probes/node.js +59 -0
  90. package/dist/core/diagnostics/probes/pnpm.js +36 -0
  91. package/dist/core/diagnostics/probes/pugi-md.js +89 -0
  92. package/dist/core/diagnostics/probes/sandbox.js +72 -0
  93. package/dist/core/diagnostics/probes/session.js +74 -0
  94. package/dist/core/diagnostics/probes/status-snapshot.js +488 -0
  95. package/dist/core/diagnostics/probes/workspace.js +63 -0
  96. package/dist/core/diagnostics/types.js +70 -0
  97. package/dist/core/dispatch/cache-cleanup.js +197 -0
  98. package/dist/core/dispatch/cache-handoff.js +295 -0
  99. package/dist/core/edits/apply-patch-layer-e.js +189 -0
  100. package/dist/core/edits/dispatch.js +333 -7
  101. package/dist/core/edits/format-detector.js +260 -0
  102. package/dist/core/edits/format-matrix.js +26 -0
  103. package/dist/core/edits/fuzzy-ladder.js +650 -0
  104. package/dist/core/edits/index.js +5 -1
  105. package/dist/core/edits/journal.js +199 -0
  106. package/dist/core/edits/layer-a-apply.js +15 -15
  107. package/dist/core/edits/layer-a-fuzzy-apply.js +198 -0
  108. package/dist/core/edits/layer-b-apply.js +9 -9
  109. package/dist/core/edits/layer-c-apply.js +6 -6
  110. package/dist/core/edits/layer-d-ast.js +557 -14
  111. package/dist/core/edits/marker-parser.js +12 -12
  112. package/dist/core/edits/security-gate.js +27 -27
  113. package/dist/core/edits/verify-hook.js +273 -0
  114. package/dist/core/edits/worktree.js +322 -0
  115. package/dist/core/engine/anvil-client.js +214 -26
  116. package/dist/core/engine/auto-compact.js +247 -0
  117. package/dist/core/engine/budgets.js +220 -0
  118. package/dist/core/engine/compact-llm-summarizer.js +124 -0
  119. package/dist/core/engine/context-prefix.js +155 -0
  120. package/dist/core/engine/index.js +1 -1
  121. package/dist/core/engine/intensity.js +163 -0
  122. package/dist/core/engine/intent.js +260 -0
  123. package/dist/core/engine/native-pugi.js +1559 -227
  124. package/dist/core/engine/prompts.js +192 -16
  125. package/dist/core/engine/strip-internal-fields.js +124 -0
  126. package/dist/core/engine/tool-bridge.js +1887 -59
  127. package/dist/core/engine/verification-patterns.js +195 -0
  128. package/dist/core/evaluation/golden-dataset.js +293 -0
  129. package/dist/core/feedback/queue.js +177 -0
  130. package/dist/core/feedback/submitter.js +145 -0
  131. package/dist/core/file-cache.js +113 -1
  132. package/dist/core/flatten/flatten-repo.js +439 -0
  133. package/dist/core/format/osc8-link.js +28 -0
  134. package/dist/core/hook-chains.js +392 -0
  135. package/dist/core/hooks/citation-verify-hook.js +138 -0
  136. package/dist/core/hooks/citation-verify.js +112 -0
  137. package/dist/core/hooks/events.js +46 -0
  138. package/dist/core/hooks/index.js +15 -0
  139. package/dist/core/hooks/registry.js +216 -0
  140. package/dist/core/hooks/runner.js +236 -0
  141. package/dist/core/hooks/v2/event-emitter.js +115 -0
  142. package/dist/core/hooks/v2/executor.js +282 -0
  143. package/dist/core/hooks/v2/index.js +25 -0
  144. package/dist/core/hooks/v2/lifecycle.js +104 -0
  145. package/dist/core/hooks/v2/loader.js +216 -0
  146. package/dist/core/hooks/v2/matcher.js +125 -0
  147. package/dist/core/hooks/v2/trust.js +143 -0
  148. package/dist/core/hooks/v2/types.js +86 -0
  149. package/dist/core/hooks/worktree-events.js +158 -0
  150. package/dist/core/image/renderer.js +71 -0
  151. package/dist/core/init/detector.js +582 -0
  152. package/dist/core/init/template-renderer.js +242 -0
  153. package/dist/core/jobs/registry.js +18 -18
  154. package/dist/core/ledger/results-tsv.js +142 -0
  155. package/dist/core/log-discipline/stdout-redirect.js +51 -0
  156. package/dist/core/lsp/cache.js +105 -0
  157. package/dist/core/lsp/client.js +1229 -0
  158. package/dist/core/lsp/language-detect.js +66 -0
  159. package/dist/core/lsp/post-edit-diagnostics.js +171 -0
  160. package/dist/core/lsp/server-detect.js +173 -0
  161. package/dist/core/lsp/symbol-cache.js +162 -0
  162. package/dist/core/lsp/symbol-tools.js +664 -0
  163. package/dist/core/mcp/client.js +97 -28
  164. package/dist/core/mcp/http-server.js +553 -0
  165. package/dist/core/mcp/orchestrator-config.js +192 -0
  166. package/dist/core/mcp/orchestrator-tools.js +806 -0
  167. package/dist/core/mcp/permission.js +190 -0
  168. package/dist/core/mcp/registry.js +39 -17
  169. package/dist/core/mcp/server-tools.js +219 -0
  170. package/dist/core/mcp/server.js +397 -0
  171. package/dist/core/mcp/trust.js +10 -10
  172. package/dist/core/memory/dual-write.js +416 -0
  173. package/dist/core/memory/passive-extract.js +130 -0
  174. package/dist/core/memory/phase1-kinds.js +20 -0
  175. package/dist/core/memory/secret-scanner.js +304 -0
  176. package/dist/core/memory-sync/queue.js +170 -0
  177. package/dist/core/metrics/extract.js +113 -0
  178. package/dist/core/modes/roo-modes.js +68 -0
  179. package/dist/core/notes/notes-paths.js +113 -0
  180. package/dist/core/notes/notes-recorder.js +140 -0
  181. package/dist/core/notes/notes-writer.js +53 -0
  182. package/dist/core/notes/renderers.js +0 -0
  183. package/dist/core/notes/slug.js +105 -0
  184. package/dist/core/onboarding/ensure-initialized.js +133 -0
  185. package/dist/core/onboarding/marker.js +111 -0
  186. package/dist/core/onboarding/telemetry-state.js +108 -0
  187. package/dist/core/output-style/presets.js +176 -0
  188. package/dist/core/output-style/state.js +185 -0
  189. package/dist/core/path-security.js +287 -5
  190. package/dist/core/permission.js +82 -22
  191. package/dist/core/permissions/auto-classifier.js +124 -0
  192. package/dist/core/permissions/bash-parser.js +371 -0
  193. package/dist/core/permissions/circuit-breaker.js +83 -0
  194. package/dist/core/permissions/constrained-edit.js +91 -0
  195. package/dist/core/permissions/gate.js +278 -0
  196. package/dist/core/permissions/index.js +20 -0
  197. package/dist/core/permissions/mode.js +174 -0
  198. package/dist/core/permissions/network-egress.js +137 -0
  199. package/dist/core/permissions/state.js +241 -0
  200. package/dist/core/permissions/tool-class.js +107 -0
  201. package/dist/core/plan-mode/ui-state.js +51 -0
  202. package/dist/core/plans/plan-artifact.js +721 -0
  203. package/dist/core/policy-limits/etag-store.js +122 -0
  204. package/dist/core/prd-check/parser.js +215 -0
  205. package/dist/core/prd-check/reporter.js +127 -0
  206. package/dist/core/prd-check/session-review.js +557 -0
  207. package/dist/core/prd-check/verifiers.js +223 -0
  208. package/dist/core/prompt-cache/client-cache.js +99 -0
  209. package/dist/core/prompts/assembly.js +29 -0
  210. package/dist/core/prompts/registry.js +364 -0
  211. package/dist/core/pugi-gitignore.js +52 -0
  212. package/dist/core/pugi-md/cc-compat-rules.js +735 -0
  213. package/dist/core/pugi-md/context-injector.js +76 -0
  214. package/dist/core/pugi-md/walk-up.js +207 -0
  215. package/dist/core/python/uv-installer.js +270 -0
  216. package/dist/core/python/uv-resolver.js +83 -0
  217. package/dist/core/rate-limit/narrator.js +146 -0
  218. package/dist/core/recipes/cli-types.js +20 -0
  219. package/dist/core/recipes/loader.js +103 -0
  220. package/dist/core/recipes/runner.js +345 -0
  221. package/dist/core/recipes/schema.js +587 -0
  222. package/dist/core/release-notes/parser.js +241 -0
  223. package/dist/core/release-notes/state.js +116 -0
  224. package/dist/core/repl/ask.js +37 -37
  225. package/dist/core/repl/cancellation.js +26 -26
  226. package/dist/core/repl/cap-warning.js +4 -4
  227. package/dist/core/repl/clipboard-read.js +11 -11
  228. package/dist/core/repl/dispatch-fsm.js +12 -12
  229. package/dist/core/repl/engine-bridge.js +303 -0
  230. package/dist/core/repl/history-search.js +15 -15
  231. package/dist/core/repl/history.js +28 -18
  232. package/dist/core/repl/kill-ring.js +5 -5
  233. package/dist/core/repl/model-pricing.js +135 -0
  234. package/dist/core/repl/privacy-banner.js +22 -22
  235. package/dist/core/repl/session.js +2714 -228
  236. package/dist/core/repl/slash-commands.js +572 -40
  237. package/dist/core/repl/store/index.js +1 -1
  238. package/dist/core/repl/store/jsonl-log.js +22 -22
  239. package/dist/core/repl/store/lockfile.js +10 -10
  240. package/dist/core/repl/store/session-store.js +136 -107
  241. package/dist/core/repl/store/types.js +15 -15
  242. package/dist/core/repl/store/uuid-v7.js +12 -12
  243. package/dist/core/repl/tool-route.js +382 -0
  244. package/dist/core/repl/workspace-context.js +43 -21
  245. package/dist/core/repo-map/build.js +125 -0
  246. package/dist/core/repo-map/cache.js +185 -0
  247. package/dist/core/repo-map/extractor.js +254 -0
  248. package/dist/core/repo-map/formatter.js +145 -0
  249. package/dist/core/repo-map/page-rank.js +105 -0
  250. package/dist/core/repo-map/scanner.js +211 -0
  251. package/dist/core/retro/git-collector.js +251 -0
  252. package/dist/core/retro/health-card.js +25 -0
  253. package/dist/core/retro/metrics.js +342 -0
  254. package/dist/core/retro/narrative.js +249 -0
  255. package/dist/core/retro/plane-collector.js +274 -0
  256. package/dist/core/retro/pr-issue-link.js +65 -0
  257. package/dist/core/retro/types.js +16 -0
  258. package/dist/core/retry-budget/budget.js +284 -0
  259. package/dist/core/retry-budget/index.js +5 -0
  260. package/dist/core/retry-budget/retry-cap.js +74 -0
  261. package/dist/core/routing/lead-worker.js +43 -0
  262. package/dist/core/routing/pre-flight-estimator.js +108 -0
  263. package/dist/core/runs/run-tree.js +103 -0
  264. package/dist/core/sandboxing/adapter.js +29 -0
  265. package/dist/core/sandboxing/index.js +49 -0
  266. package/dist/core/sandboxing/none.js +19 -0
  267. package/dist/core/sandboxing/seatbelt.js +183 -0
  268. package/dist/core/security/injection-scanner.js +367 -0
  269. package/dist/core/security/output-filter.js +418 -0
  270. package/dist/core/session/env-file.js +105 -0
  271. package/dist/core/session/section-budgets.js +140 -0
  272. package/dist/core/session.js +119 -0
  273. package/dist/core/settings.js +378 -5
  274. package/dist/core/share/formatter.js +271 -0
  275. package/dist/core/share/redactor.js +221 -0
  276. package/dist/core/share/uploader.js +267 -0
  277. package/dist/core/skills/defaults.js +457 -0
  278. package/dist/core/skills/loader.js +22 -22
  279. package/dist/core/skills/sources.js +27 -27
  280. package/dist/core/smoke/headless-driver.js +174 -0
  281. package/dist/core/smoke/orchestrator.js +194 -0
  282. package/dist/core/smoke/runner.js +238 -0
  283. package/dist/core/smoke/scenario-parser.js +316 -0
  284. package/dist/core/statusline.js +99 -0
  285. package/dist/core/subagents/dispatcher-real.js +600 -0
  286. package/dist/core/subagents/dispatcher.js +146 -52
  287. package/dist/core/subagents/index.js +19 -6
  288. package/dist/core/subagents/isolation-matrix.js +213 -0
  289. package/dist/core/subagents/spawn.js +19 -4
  290. package/dist/core/telemetry/emitter.js +229 -0
  291. package/dist/core/telemetry/queue.js +251 -0
  292. package/dist/core/theme/context.js +91 -0
  293. package/dist/core/theme/presets.js +228 -0
  294. package/dist/core/theme/state.js +181 -0
  295. package/dist/core/todos/invariant.js +10 -0
  296. package/dist/core/todos/state.js +177 -0
  297. package/dist/core/tool-schema/compressor.js +89 -0
  298. package/dist/core/transport/version-interceptor.js +166 -0
  299. package/dist/core/trust.js +2 -2
  300. package/dist/core/tui/thinking-block.js +64 -0
  301. package/dist/core/vim/keymap.js +288 -0
  302. package/dist/core/vim/state.js +92 -0
  303. package/dist/core/watch-markers/marker-watcher.js +133 -0
  304. package/dist/core/worktree/include-parser.js +249 -0
  305. package/dist/core/worktree-manager/cleanup.js +123 -0
  306. package/dist/core/worktree-manager/manager.js +303 -0
  307. package/dist/index.js +36 -0
  308. package/dist/runtime/bootstrap.js +190 -0
  309. package/dist/runtime/cli.js +4536 -477
  310. package/dist/runtime/commands/agents.js +31 -31
  311. package/dist/runtime/commands/budget.js +5 -5
  312. package/dist/runtime/commands/cancel.js +231 -0
  313. package/dist/runtime/commands/chain.js +489 -0
  314. package/dist/runtime/commands/codegraph-status.js +227 -0
  315. package/dist/runtime/commands/compact.js +297 -0
  316. package/dist/runtime/commands/config.js +74 -40
  317. package/dist/runtime/commands/cost.js +199 -0
  318. package/dist/runtime/commands/delegate.js +312 -0
  319. package/dist/runtime/commands/dispatch.js +126 -0
  320. package/dist/runtime/commands/doctor.js +579 -0
  321. package/dist/runtime/commands/feedback.js +184 -0
  322. package/dist/runtime/commands/hooks.js +187 -0
  323. package/dist/runtime/commands/index-cmd.js +353 -0
  324. package/dist/runtime/commands/init.js +254 -0
  325. package/dist/runtime/commands/lsp.js +368 -0
  326. package/dist/runtime/commands/mcp.js +935 -0
  327. package/dist/runtime/commands/memory.js +582 -0
  328. package/dist/runtime/commands/model.js +237 -0
  329. package/dist/runtime/commands/onboarding.js +275 -0
  330. package/dist/runtime/commands/patch.js +128 -0
  331. package/dist/runtime/commands/permissions.js +112 -0
  332. package/dist/runtime/commands/plan.js +143 -0
  333. package/dist/runtime/commands/prd-check.js +285 -0
  334. package/dist/runtime/commands/privacy.js +17 -17
  335. package/dist/runtime/commands/recipe.js +325 -0
  336. package/dist/runtime/commands/redo-blob-store.js +92 -0
  337. package/dist/runtime/commands/redo.js +361 -0
  338. package/dist/runtime/commands/release-notes.js +229 -0
  339. package/dist/runtime/commands/repo-map.js +95 -0
  340. package/dist/runtime/commands/report.js +299 -0
  341. package/dist/runtime/commands/resume.js +118 -0
  342. package/dist/runtime/commands/review-consensus.js +68 -53
  343. package/dist/runtime/commands/rewind.js +333 -0
  344. package/dist/runtime/commands/roster.js +117 -0
  345. package/dist/runtime/commands/servers.js +236 -0
  346. package/dist/runtime/commands/sessions.js +163 -0
  347. package/dist/runtime/commands/share.js +316 -0
  348. package/dist/runtime/commands/skills.js +31 -31
  349. package/dist/runtime/commands/status.js +186 -0
  350. package/dist/runtime/commands/stickers.js +82 -0
  351. package/dist/runtime/commands/style.js +194 -0
  352. package/dist/runtime/commands/theme.js +196 -0
  353. package/dist/runtime/commands/undo.js +54 -22
  354. package/dist/runtime/commands/update.js +289 -0
  355. package/dist/runtime/commands/vim.js +140 -0
  356. package/dist/runtime/commands/worktree.js +177 -0
  357. package/dist/runtime/commands/worktrees.js +155 -0
  358. package/dist/runtime/deprecation-warning.js +69 -0
  359. package/dist/runtime/engine-exit-code.js +50 -0
  360. package/dist/runtime/headless-repl.js +195 -0
  361. package/dist/runtime/headless.js +548 -0
  362. package/dist/runtime/load-hooks-or-exit.js +71 -0
  363. package/dist/runtime/plan-decompose.js +531 -0
  364. package/dist/runtime/sigint-guard.js +272 -0
  365. package/dist/runtime/stream-renderer.js +195 -0
  366. package/dist/runtime/update-check.js +28 -28
  367. package/dist/runtime/version.js +65 -0
  368. package/dist/runtime/worktree-bootstrap.js +579 -0
  369. package/dist/skills/bundled/batch.js +617 -0
  370. package/dist/skills/bundled/index.js +45 -0
  371. package/dist/skills/bundled/loop.js +358 -0
  372. package/dist/skills/bundled/remember.js +383 -0
  373. package/dist/skills/bundled/simplify.js +289 -0
  374. package/dist/skills/bundled/skillify.js +373 -0
  375. package/dist/skills/bundled/stuck.js +558 -0
  376. package/dist/skills/bundled/verify.js +439 -0
  377. package/dist/testing/vcr.js +486 -0
  378. package/dist/tools/agent-tool.js +229 -0
  379. package/dist/tools/apply-patch.js +556 -0
  380. package/dist/tools/ask-user-question.js +337 -0
  381. package/dist/tools/ask-user.js +115 -0
  382. package/dist/tools/bash.js +624 -46
  383. package/dist/tools/brief.js +224 -0
  384. package/dist/tools/cron.js +433 -0
  385. package/dist/tools/enter-worktree.js +250 -0
  386. package/dist/tools/exit-worktree.js +147 -0
  387. package/dist/tools/file-tools.js +161 -44
  388. package/dist/tools/http-request.js +336 -0
  389. package/dist/tools/lsp-tools.js +565 -0
  390. package/dist/tools/mcp-tool.js +260 -0
  391. package/dist/tools/multi-edit.js +361 -0
  392. package/dist/tools/powershell.js +268 -0
  393. package/dist/tools/registry.js +142 -1
  394. package/dist/tools/server-tools.js +892 -0
  395. package/dist/tools/skill-tool.js +96 -0
  396. package/dist/tools/sleep.js +99 -0
  397. package/dist/tools/synthetic-output.js +133 -0
  398. package/dist/tools/tasks.js +208 -0
  399. package/dist/tools/todo-write.js +184 -0
  400. package/dist/tools/verify-plan-execution.js +295 -0
  401. package/dist/tools/web-fetch-injection-scanner.js +207 -0
  402. package/dist/tools/web-fetch.js +195 -10
  403. package/dist/tools/web-search.js +458 -0
  404. package/dist/tui/agent-progress-card.js +111 -0
  405. package/dist/tui/agent-tree.js +22 -1
  406. package/dist/tui/ask-modal.js +14 -14
  407. package/dist/tui/ask-user-question-chips.js +315 -0
  408. package/dist/tui/ask-user-question-prompt.js +203 -0
  409. package/dist/tui/compact-banner.js +81 -0
  410. package/dist/tui/conversation-pane.js +85 -11
  411. package/dist/tui/cost-table.js +111 -0
  412. package/dist/tui/device-flow.js +2 -2
  413. package/dist/tui/doctor-table.js +46 -0
  414. package/dist/tui/feedback-prompt.js +156 -0
  415. package/dist/tui/input-box.js +247 -32
  416. package/dist/tui/login-picker.js +3 -3
  417. package/dist/tui/markdown-render.js +6 -6
  418. package/dist/tui/multi-file-diff-approval.js +375 -0
  419. package/dist/tui/onboarding-wizard.js +240 -0
  420. package/dist/tui/permissions-picker.js +86 -0
  421. package/dist/tui/render.js +36 -1
  422. package/dist/tui/repl-render.js +405 -32
  423. package/dist/tui/repl-splash-art.js +16 -16
  424. package/dist/tui/repl-splash-mascot.js +48 -24
  425. package/dist/tui/repl-splash.js +22 -22
  426. package/dist/tui/repl.js +136 -43
  427. package/dist/tui/slash-palette.js +6 -6
  428. package/dist/tui/splash.js +2 -2
  429. package/dist/tui/status-bar.js +109 -31
  430. package/dist/tui/status-table.js +7 -0
  431. package/dist/tui/stickers-art.js +136 -0
  432. package/dist/tui/style-table.js +28 -0
  433. package/dist/tui/theme-table.js +29 -0
  434. package/dist/tui/thinking-spinner.js +123 -0
  435. package/dist/tui/tool-stream-pane.js +53 -4
  436. package/dist/tui/update-banner.js +27 -2
  437. package/dist/tui/vim-input.js +267 -0
  438. package/dist/tui/welcome-banner.js +107 -0
  439. package/dist/tui/welcome-data.js +293 -0
  440. package/dist/tui/workspace-context.js +2 -2
  441. package/docs/examples/codegraph.mcp.json +10 -0
  442. package/package.json +25 -7
  443. package/test/scenarios/codegen-create-file.scenario.txt +13 -0
  444. package/test/scenarios/compact-force.scenario.txt +12 -0
  445. package/test/scenarios/identity.scenario.txt +11 -0
  446. package/test/scenarios/persona-handoff.scenario.txt +12 -0
  447. package/test/scenarios/walkback.scenario.txt +12 -0
  448. package/dist/core/engine/compaction-hook.js +0 -154
@@ -0,0 +1,268 @@
1
+ /**
2
+ * PowerShell tool — .
3
+ *
4
+ * Windows operators cannot run native `*.ps1` scripts via the bash tool
5
+ * (which spawns `/bin/sh`). This tool spawns `pwsh -NoProfile -Command`
6
+ * на cross-platform PowerShell 7+ binary so Windows-first workflows are
7
+ * first-class на Pugi.
8
+ *
9
+ * independent implementation re-implementation. Surface mirrors bashTool's permission
10
+ * gate, env sanitiser, output cap, timeout, and exit-code propagation;
11
+ * the only difference is the shell binary selection. Per-platform
12
+ * resolution:
13
+ * - All OS: try `pwsh` on $PATH first (PowerShell 7+ cross-platform).
14
+ * - Windows fallback: `powershell.exe` (Windows PowerShell 5.1 baked-in).
15
+ * - Other OS without pwsh: tool returns a clear "powershell binary
16
+ * not found" error so the operator can install pwsh or fall back
17
+ * к bash.
18
+ *
19
+ * Permission class: reuses the bash classifier — destructive patterns,
20
+ * sandbox detection, and additional-directories checks are command-string
21
+ * based and apply equally to pwsh and sh.
22
+ */
23
+ import { spawnSync } from 'node:child_process';
24
+ import { listDestructivePatterns } from '../core/bash-classifier.js';
25
+ import { recordToolCall, recordToolResult } from '../core/session.js';
26
+ export const POWERSHELL_OUTPUT_CAP_BYTES = 64 * 1024;
27
+ export const POWERSHELL_DEFAULT_TIMEOUT_MS = 30_000;
28
+ export const POWERSHELL_MAX_TIMEOUT_MS = 120_000;
29
+ /**
30
+ * PowerShell-specific destructive patterns. Layered ON TOP of the
31
+ * shared `listDestructivePatterns()` from the bash classifier (which
32
+ * covers `rm -rf`, `DROP TABLE`, etc — patterns that also surface в
33
+ * pwsh-via-aliases). These are the cmdlet forms unique to pwsh.
34
+ *
35
+ * Patterns are case-insensitive matched against the command string
36
+ * (pwsh cmdlets accept any case: `remove-item -force` == `Remove-Item -Force`).
37
+ */
38
+ const PWSH_DESTRUCTIVE_PATTERNS = [
39
+ // Recursive force delete via cmdlet
40
+ 'remove-item -recurse -force',
41
+ 'remove-item -force -recurse',
42
+ 'ri -recurse -force',
43
+ 'ri -force -recurse',
44
+ 'rmdir -recurse -force',
45
+ 'rmdir -force -recurse',
46
+ // Disk / volume operations
47
+ 'format-volume',
48
+ 'clear-disk',
49
+ 'reset-physicaldisk',
50
+ // System state
51
+ 'stop-computer',
52
+ 'restart-computer',
53
+ 'shutdown',
54
+ // Security weakening
55
+ 'set-executionpolicy unrestricted',
56
+ 'set-executionpolicy bypass',
57
+ // Service / process attack surface
58
+ 'invoke-webrequest', // common phishing-script vector when piped to iex
59
+ 'iex (new-object', // download-execute pattern
60
+ // Credential exfil
61
+ 'get-credential | export-clixml',
62
+ ];
63
+ /**
64
+ * Normalize whitespace before pattern matching: collapse runs of
65
+ * whitespace к single space + lowercase. Defends against the
66
+ * `iex(New-Object`/`IEX (New-Object` style bypass where pattern
67
+ * `iex (new-object` would miss the no-space or double-space variant.
68
+ */
69
+ function normalizeForMatch(text) {
70
+ return text.toLowerCase().replace(/\s+/g, ' ');
71
+ }
72
+ function findPwshDestructiveMatch(cmd) {
73
+ const normalized = normalizeForMatch(cmd);
74
+ for (const pattern of PWSH_DESTRUCTIVE_PATTERNS) {
75
+ if (normalized.includes(normalizeForMatch(pattern)))
76
+ return pattern;
77
+ }
78
+ // Fall back к the shared bash destructive list (covers cross-shell
79
+ // patterns like `rm -rf /`, `DROP DATABASE`). Shared patterns may
80
+ // contain uppercase (case-insensitive SQL verbs); normalize both
81
+ // sides before compare.
82
+ const shared = listDestructivePatterns();
83
+ for (const pattern of shared) {
84
+ if (normalized.includes(normalizeForMatch(pattern)))
85
+ return pattern;
86
+ }
87
+ return null;
88
+ }
89
+ /**
90
+ * PowerShell-aware permission decision. Differs from
91
+ * `evaluateBashPermission` в two ways:
92
+ *
93
+ * 1. Default class is `allow` (after destructive check) instead of
94
+ * `unknown → deny`. The bash classifier rejects any first-token
95
+ * it does not recognise — appropriate for bash where every verb
96
+ * is a separate binary, hostile for pwsh where the Verb-Noun
97
+ * cmdlet convention means thousands of legitimate verbs exist
98
+ * (`Get-Process`, `$PSVersionTable`, `Select-Object`, ...).
99
+ *
100
+ * 2. Destructive patterns combine the shared bash denylist (covers
101
+ * cross-shell patterns like `rm -rf`) с pwsh-specific cmdlet
102
+ * forms (`Remove-Item -Recurse -Force`, `Format-Volume`, etc).
103
+ *
104
+ * Mode FSM mirrors bash: plan → deny ALL, ask → ask, auto/bypass → allow,
105
+ * destructive class → deny unless `bypassPermissions + human + ENV override`.
106
+ */
107
+ function evaluatePwshPermission(cmd, mode, source) {
108
+ const destructive = findPwshDestructiveMatch(cmd);
109
+ if (destructive !== null) {
110
+ const overrideOk = mode === 'bypassPermissions' &&
111
+ source === 'human' &&
112
+ process.env['PUGI_DESTRUCTIVE_OVERRIDE'] === '1';
113
+ if (overrideOk) {
114
+ return {
115
+ decision: 'allow',
116
+ reason: `destructive pwsh pattern '${destructive}' allowed via override (bypassPermissions + human + PUGI_DESTRUCTIVE_OVERRIDE=1)`,
117
+ };
118
+ }
119
+ return {
120
+ decision: 'deny',
121
+ reason: `destructive pwsh pattern '${destructive}' is always denied (override requires bypassPermissions + human + PUGI_DESTRUCTIVE_OVERRIDE=1)`,
122
+ };
123
+ }
124
+ // Non-destructive pwsh command — mode FSM.
125
+ switch (mode) {
126
+ case 'plan':
127
+ return { decision: 'deny', reason: 'plan mode denies all shell dispatches' };
128
+ case 'ask':
129
+ case 'acceptEdits':
130
+ return { decision: 'ask', reason: 'pwsh command requires operator confirmation' };
131
+ case 'auto':
132
+ case 'dontAsk':
133
+ case 'bypassPermissions':
134
+ return { decision: 'allow', reason: 'pwsh command allowed by mode' };
135
+ default:
136
+ return { decision: 'ask', reason: `unknown mode ${mode}; defaulting к ask` };
137
+ }
138
+ }
139
+ /** Cached binary path so repeated calls inside one session skip the probe. */
140
+ let cachedShellBinary;
141
+ function resolveShellBinary() {
142
+ if (cachedShellBinary !== undefined)
143
+ return cachedShellBinary;
144
+ // Try pwsh (cross-platform PowerShell 7+) first.
145
+ const pwshProbe = spawnSync('pwsh', ['-NoProfile', '-Command', 'exit 0'], {
146
+ encoding: 'utf8',
147
+ stdio: ['ignore', 'ignore', 'ignore'],
148
+ timeout: 3000,
149
+ });
150
+ if (pwshProbe.status === 0) {
151
+ cachedShellBinary = 'pwsh';
152
+ return 'pwsh';
153
+ }
154
+ // Windows fallback к the baked-in PowerShell 5.1.
155
+ if (process.platform === 'win32') {
156
+ const wpsProbe = spawnSync('powershell.exe', ['-NoProfile', '-Command', 'exit 0'], {
157
+ encoding: 'utf8',
158
+ stdio: ['ignore', 'ignore', 'ignore'],
159
+ timeout: 3000,
160
+ });
161
+ if (wpsProbe.status === 0) {
162
+ cachedShellBinary = 'powershell.exe';
163
+ return 'powershell.exe';
164
+ }
165
+ }
166
+ cachedShellBinary = null;
167
+ return null;
168
+ }
169
+ function sanitizeTimeout(value) {
170
+ if (value === undefined || !Number.isFinite(value) || value <= 0) {
171
+ return POWERSHELL_DEFAULT_TIMEOUT_MS;
172
+ }
173
+ return Math.min(value, POWERSHELL_MAX_TIMEOUT_MS);
174
+ }
175
+ function buildChildEnv() {
176
+ const env = { ...process.env };
177
+ delete env['PUGI_API_KEY'];
178
+ delete env['PUGI_LOGIN_TOKEN'];
179
+ return env;
180
+ }
181
+ /**
182
+ * Sync PowerShell dispatch. Mirrors bashToolSync shape so dispatchTool
183
+ * can call either tool with the same context shape.
184
+ */
185
+ export function powerShellToolSync(input, ctx) {
186
+ const cmd = input.cmd ?? '';
187
+ const source = ctx.source ?? 'agent';
188
+ const toolCallId = recordToolCall(ctx.session, 'powershell', cmd);
189
+ // pwsh-aware permission gate (NOT the bash classifier). Bash classifier
190
+ // would reject `$PSVersionTable`, `Get-Process`, etc as "Unrecognized
191
+ // command" → default-deny, making the pwsh tool useless. The pwsh gate
192
+ // applies the shared destructive denylist (rm -rf / DROP TABLE) + a
193
+ // pwsh-specific list (Remove-Item -Recurse -Force / Format-Volume /
194
+ // Set-ExecutionPolicy Unrestricted / iex (New-Object ...)) and
195
+ // defaults non-destructive cmdlets к allow under mode FSM.
196
+ const decision = evaluatePwshPermission(cmd, ctx.settings.permissions.mode, source);
197
+ if (decision.decision !== 'allow') {
198
+ const reason = `Permission ${decision.decision}: ${decision.reason}`;
199
+ recordToolResult(ctx.session, toolCallId, 'error', reason);
200
+ return {
201
+ stdout: '',
202
+ stderr: `Permission ${decision.decision}: ${decision.reason}`,
203
+ exitCode: 126,
204
+ truncated: false,
205
+ timedOut: false,
206
+ shellBinary: 'unresolved',
207
+ };
208
+ }
209
+ const shellBinary = resolveShellBinary();
210
+ if (shellBinary === null) {
211
+ const reason = 'powershell binary not found (tried pwsh' +
212
+ (process.platform === 'win32' ? ', powershell.exe' : '') +
213
+ '). Install PowerShell 7+ from https://aka.ms/powershell or use the bash tool instead.';
214
+ recordToolResult(ctx.session, toolCallId, 'error', reason);
215
+ return {
216
+ stdout: '',
217
+ stderr: reason,
218
+ exitCode: 127,
219
+ truncated: false,
220
+ timedOut: false,
221
+ shellBinary: 'unavailable',
222
+ };
223
+ }
224
+ const timeoutMs = sanitizeTimeout(input.timeoutMs);
225
+ const childEnv = buildChildEnv();
226
+ const cwd = input.cwd ?? ctx.root;
227
+ const result = spawnSync(shellBinary, ['-NoProfile', '-Command', cmd], {
228
+ cwd,
229
+ env: childEnv,
230
+ encoding: 'utf8',
231
+ stdio: ['ignore', 'pipe', 'pipe'],
232
+ timeout: timeoutMs,
233
+ maxBuffer: 10 * 1024 * 1024,
234
+ });
235
+ const stdoutFull = (result.stdout ?? '').toString();
236
+ const stderrFull = (result.stderr ?? '').toString();
237
+ const combined = stdoutFull.length + stderrFull.length;
238
+ const truncated = combined > POWERSHELL_OUTPUT_CAP_BYTES;
239
+ let stdoutOut = stdoutFull;
240
+ let stderrOut = stderrFull;
241
+ if (truncated) {
242
+ const halfCap = POWERSHELL_OUTPUT_CAP_BYTES / 2;
243
+ stdoutOut = stdoutFull.slice(0, halfCap);
244
+ stderrOut = stderrFull.slice(0, halfCap);
245
+ }
246
+ const timedOut = result.error?.code === 'ETIMEDOUT' ||
247
+ result.signal === 'SIGTERM';
248
+ const exitCode = timedOut ? 124 : result.status ?? 1;
249
+ if (timedOut) {
250
+ recordToolResult(ctx.session, toolCallId, 'error', `powershell timed out after ${timeoutMs}ms`);
251
+ }
252
+ else {
253
+ recordToolResult(ctx.session, toolCallId, 'success', `powershell exit=${exitCode} bytes=${combined} binary=${shellBinary}`);
254
+ }
255
+ return {
256
+ stdout: stdoutOut,
257
+ stderr: stderrOut,
258
+ exitCode,
259
+ truncated,
260
+ timedOut,
261
+ shellBinary,
262
+ };
263
+ }
264
+ /** Visible-for-spec helper: forces a re-probe on next call. */
265
+ export function _resetShellBinaryCacheForSpec() {
266
+ cachedShellBinary = undefined;
267
+ }
268
+ //# sourceMappingURL=powershell.js.map
@@ -1,16 +1,157 @@
1
1
  const registry = [
2
+ // : unified-diff patch apply. Routes through the same security
3
+ // gate as Layer A/B/C, so the risk class matches `edit`/`write`
4
+ // (medium — writes inside the workspace, never to protected files).
5
+ { name: 'apply_patch', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
6
+ // structured multi-choice clarifier tool. Risk =
7
+ // low because the dispatch is a pure UI surface — no file writes, no
8
+ // shell, no network. Permission = none (no workspace access required).
9
+ // concurrencySafe = true because the prompt-budget gate runs in the
10
+ // engine loop, not via tool-side mutex (one prompt per turn is enforced
11
+ // by the persona system prompt + the engine's tool_calls budget).
12
+ { name: 'ask_user_question', permission: 'none', risk: 'low', concurrencySafe: true, m1: true },
2
13
  { name: 'bash', permission: 'bash', risk: 'high', concurrencySafe: false, m1: true },
14
+ // Tool gap pack : structured progress brief. Writes
15
+ // one JSONL record to `.pugi/briefs/<session>.jsonl` per call via
16
+ // atomic tmp+rename. Risk = low (metadata only, no source mutation).
17
+ // concurrencySafe = false because the read-modify-write loop is not
18
+ // atomic (the rename is atomic but two parallel dispatches could lose
19
+ // the loser's record).
20
+ { name: 'brief', permission: 'none', risk: 'low', concurrencySafe: false, m1: false },
21
+ // Backlog #5 P0 : verify_plan_execution anti-fake-dispatch gate.
22
+ // Reads session audit events only; safe для parallel dispatches.
23
+ { name: 'verify_plan_execution', permission: 'none', risk: 'low', concurrencySafe: true, m1: false },
24
+ // Backlog PUGI-7 : cron_* tool family. Persists routine registry to
25
+ // `.pugi/cron/<name>.json` (one file per routine, atomic tmp+rename).
26
+ // Permission = none because the writes land in metadata, not source —
27
+ // mirrors the brief / todo_write posture. concurrencySafe = false for
28
+ // create + delete because per-file persistence is atomic individually
29
+ // but two parallel creates of the SAME name race on the rename and
30
+ // the loser's body is dropped silently; cron_list is read-only and
31
+ // safe for concurrent dispatch. Risk = low across the board: routines
32
+ // are configuration objects, the actual scheduler runner lives behind
33
+ // an explicit `pugi routines run` opt-in and is OUT of this surface.
34
+ { name: 'cron_create', permission: 'none', risk: 'low', concurrencySafe: false, m1: false },
35
+ { name: 'cron_delete', permission: 'none', risk: 'low', concurrencySafe: false, m1: false },
36
+ { name: 'cron_list', permission: 'none', risk: 'low', concurrencySafe: true, m1: false },
3
37
  { name: 'edit', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
38
+ // Tool gap pack : scratch worktree open. Spawns
39
+ // `git worktree add` under `.pugi/worktrees/<taskId>/`. Permission =
40
+ // edit because the spawn materialises files on disk; risk = medium
41
+ // to mirror the existing worktree_create posture (PR r1 raised
42
+ // that one for disk-pressure parity, same applies here).
43
+ { name: 'enter_worktree', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: false },
44
+ // Tool gap pack : scratch worktree teardown. The
45
+ // destructive primitive — runs `git worktree remove --force` then a
46
+ // recursive rmSync, both gated by a strict containment check that
47
+ // refuses any path outside <workspace>/.pugi/worktrees/. Mirrors
48
+ // worktree_drop's medium-risk posture for the same reason.
49
+ { name: 'exit_worktree', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: false },
4
50
  { name: 'glob', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
5
51
  { name: 'grep', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
52
+ // Phase 1 runtime evidence pack (PUGI-291..295): http_request issues a
53
+ // single HTTP call, mostly against loopback URLs produced by
54
+ // `server_start`. permission = 'network' to share the same egress
55
+ // gate as web_fetch; risk = 'medium' because the dispatcher will
56
+ // accept arbitrary verbs (POST/PUT/DELETE) - destructive verbs only
57
+ // when the caller opts in by URL/body. concurrencySafe = true because
58
+ // every dispatch is a fresh fetch with no shared state.
59
+ { name: 'http_request', permission: 'network', risk: 'medium', concurrencySafe: true, m1: false },
60
+ // : LSP read-only surface. Server runs locally, no Anvil
61
+ // round-trip. Concurrency-safe because every operation reads
62
+ // server state without mutating workspace files.
63
+ { name: 'lsp_definition', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
64
+ { name: 'lsp_diagnostics', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
65
+ { name: 'lsp_hover', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
66
+ { name: 'lsp_references', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
67
+ // PUGI-78 Phase 1 — symbols.* namespace. 13 first-class tools that
68
+ // expose the full LSP symbol-aware surface (definition, references,
69
+ // hover, signature, document/workspace symbols, rename preview, call
70
+ // hierarchy, implementations, type definition, code actions,
71
+ // formatter, diagnostics). All read-only in Phase 1 — `rename` /
72
+ // `format` / `code_actions` return PREVIEW edits the dispatcher
73
+ // applies via apply_patch in a future ticket. Permission stays
74
+ // `read` because no workspace mutation happens on dispatch; risk
75
+ // stays `low` because the LSP server is local and the payload is
76
+ // capped at 8 KB per tool.
77
+ { name: 'symbols_call_hierarchy', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
78
+ { name: 'symbols_code_actions', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
79
+ { name: 'symbols_diagnostics', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
80
+ { name: 'symbols_find_definition', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
81
+ { name: 'symbols_find_references', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
82
+ { name: 'symbols_format', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
83
+ { name: 'symbols_hover', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
84
+ { name: 'symbols_implementations', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
85
+ { name: 'symbols_list_in_file', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
86
+ { name: 'symbols_rename', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
87
+ { name: 'symbols_signature', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
88
+ { name: 'symbols_type_definition', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
89
+ { name: 'symbols_workspace_symbols', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
90
+ // β7 L5+T11: multi_edit dispatches an ordered batch of Layer A edits
91
+ // as a single transaction. Risk = medium (same chokepoints as `edit`).
92
+ // concurrencySafe = false because the journal serialises one dispatch
93
+ // per session.
94
+ { name: 'multi_edit', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
95
+ // PowerShell tool for Windows-first workflows. Same
96
+ // bash permission class — destructive-pattern classification fires the
97
+ // same gate. concurrencySafe = false because spawn-shell child cwd /
98
+ // env carry-over could race across parallel agent calls.
99
+ { name: 'powershell', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
6
100
  { name: 'question', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
7
101
  { name: 'read', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
8
- { name: 'skill', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
102
+ // Phase 1 runtime evidence pack (PUGI-291..295): server_* family.
103
+ // server_start spawns a process under /bin/sh -c and persists pid +
104
+ // log path к .pugi/runs/<runId>/. permission = 'bash' shares the
105
+ // same destructive-classifier gate as the bash tool (the command
106
+ // ultimately runs in a real shell). risk = 'high' for start/stop
107
+ // (process lifecycle mutates the operator's machine) and 'low' for
108
+ // health/logs (read-only probes). concurrencySafe = false for
109
+ // start/stop because the pid registry is not transactional;
110
+ // health/logs are safe to dispatch in parallel.
111
+ { name: 'server_health', permission: 'network', risk: 'low', concurrencySafe: true, m1: false },
112
+ { name: 'server_logs', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
113
+ { name: 'server_start', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
114
+ { name: 'server_stop', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
115
+ // Tool gap pack : wall-clock pause primitive. No
116
+ // filesystem / network / shell side-effects. concurrencySafe = true
117
+ // because every dispatch is a fresh setTimeout closure with no
118
+ // shared state.
119
+ { name: 'sleep', permission: 'none', risk: 'low', concurrencySafe: true, m1: false },
120
+ // Tool gap pack : experimental engine-only echo
121
+ // helper. Writes verbatim bytes to the requested stream so a test
122
+ // harness can assert on the dispatch without spinning the full
123
+ // engine loop. NOT advertised to customer agents (allowSyntheticOutput
124
+ // opt-in at the executor level). Risk = low (no source mutation, no
125
+ // shell), concurrencySafe = true (writes go to fresh stream calls).
126
+ { name: 'synthetic_output', permission: 'none', risk: 'low', concurrencySafe: true, m1: false },
9
127
  { name: 'task_create', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
10
128
  { name: 'task_get', permission: 'none', risk: 'low', concurrencySafe: true, m1: true },
11
129
  { name: 'task_list', permission: 'none', risk: 'low', concurrencySafe: true, m1: true },
12
130
  { name: 'task_update', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
131
+ // batch TodoWrite. Mirrors the standard tool's upstream
132
+ // surface — full board snapshot, single-in-progress invariant, atomic
133
+ // tmp+rename persistence to `.pugi/todos.json`. `concurrencySafe = false`
134
+ // because two concurrent writes could lose the loser's snapshot (the
135
+ // rename is atomic but the read-modify-write loop is not). Risk = low
136
+ // because the only filesystem mutation lands inside `.pugi/todos.json`,
137
+ // which is metadata, not source.
138
+ { name: 'todo_write', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
13
139
  { name: 'web_fetch', permission: 'network', risk: 'medium', concurrencySafe: true, m1: true },
140
+ // : scratch worktree management. `worktree_create` writes nothing
141
+ // dangerous (a clone under `.pugi/worktrees/`); `worktree_promote`
142
+ // applies a diff back to the main tree, so it shares the `edit`
143
+ // risk class. `worktree_drop` is the cleanup primitive.
144
+ //
145
+ // R1 fix (2026-05-26, PR r1, Fix 9): raised `worktree_create`
146
+ // and `worktree_drop` from `low` to `medium`. `worktree_drop` runs
147
+ // `rmSync` on its target — even with the new path-containment gate
148
+ // in `core/edits/worktree.ts::dropWorktree`, a destructive primitive
149
+ // belongs in `medium` so the permission FSM prompts on every call.
150
+ // `worktree_create` is raised for disk-pressure parity (a runaway
151
+ // agent loop could fill the disk with abandoned scratch worktrees).
152
+ { name: 'worktree_create', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
153
+ { name: 'worktree_drop', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
154
+ { name: 'worktree_promote', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
14
155
  { name: 'write', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
15
156
  ];
16
157
  export const toolRegistry = registry.sort((a, b) => a.name.localeCompare(b.name));