@pugi/cli 0.1.0-beta.1 → 0.1.0-beta.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/THIRD_PARTY_NOTICES.md +40 -0
- package/assets/pugi-mascot.ansi +15 -40
- package/dist/core/edits/worktree.js +322 -0
- package/dist/core/engine/anvil-client.js +16 -0
- package/dist/core/engine/budgets.js +89 -0
- package/dist/core/engine/native-pugi.js +112 -12
- package/dist/core/engine/prompts.js +8 -0
- package/dist/core/engine/tool-bridge.js +267 -8
- package/dist/core/init/scaffold.js +195 -0
- package/dist/core/lsp/client.js +719 -0
- package/dist/core/repl/codebase-survey.js +308 -0
- package/dist/core/repl/init-interview.js +457 -0
- package/dist/core/repl/onboarding-state.js +297 -0
- package/dist/core/repl/session.js +72 -1
- package/dist/core/repl/slash-commands.js +41 -0
- package/dist/core/settings.js +28 -0
- package/dist/core/skills/defaults.js +457 -0
- package/dist/runtime/cli.js +366 -14
- package/dist/runtime/commands/delegate.js +289 -0
- package/dist/runtime/commands/lsp.js +206 -0
- package/dist/runtime/commands/patch.js +128 -0
- package/dist/runtime/commands/roster.js +117 -0
- package/dist/runtime/commands/worktree.js +177 -0
- package/dist/runtime/plan-decompose.js +531 -0
- package/dist/tools/apply-patch.js +495 -0
- package/dist/tools/ask-user.js +115 -0
- package/dist/tools/lsp-tools.js +189 -0
- package/dist/tools/registry.js +26 -0
- package/dist/tools/skill-tool.js +96 -0
- package/dist/tools/tasks.js +208 -0
- package/dist/tui/ask-modal.js +2 -2
- package/dist/tui/conversation-pane.js +1 -1
- package/dist/tui/input-box.js +1 -1
- package/dist/tui/markdown-render.js +4 -4
- package/dist/tui/repl-render.js +169 -10
- package/dist/tui/repl-splash.js +2 -2
- package/dist/tui/repl.js +18 -5
- package/dist/tui/splash.js +1 -1
- package/dist/tui/update-banner.js +1 -1
- package/docs/examples/codegraph.mcp.json +10 -0
- package/package.json +6 -4
|
@@ -0,0 +1,495 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* apply_patch tool — α7.7 Phase 1.
|
|
3
|
+
*
|
|
4
|
+
* Accepts a unified diff (the format produced by `git diff` and
|
|
5
|
+
* consumed by `git apply`) and lands it atomically into the workspace.
|
|
6
|
+
* This is the third edit primitive alongside the α6.6 4-layer diff
|
|
7
|
+
* escalation: where the layers escalate from minimal `oldString`/
|
|
8
|
+
* `newString` blocks up to full-file rewrites, apply_patch covers the
|
|
9
|
+
* unified-diff dialect that OpenAI Codex and most external tools emit.
|
|
10
|
+
*
|
|
11
|
+
* Why we have both:
|
|
12
|
+
*
|
|
13
|
+
* - The 4-layer escalation maximises model-side success rate on
|
|
14
|
+
* conversational edits (Claude / Gemini / OpenAI all have a
|
|
15
|
+
* preferred dialect that maps onto one of the layers).
|
|
16
|
+
* - apply_patch is the "external tools speak this" path. A model
|
|
17
|
+
* emits a single unified diff (the format `git diff` produces),
|
|
18
|
+
* and we run it through `git apply` with the same security gate
|
|
19
|
+
* the layers use.
|
|
20
|
+
*
|
|
21
|
+
* Security: every file mentioned in the patch goes through the same
|
|
22
|
+
* `applySecurityGate` chokepoint as the layers (see
|
|
23
|
+
* `src/core/edits/security-gate.ts`). A patch that touches
|
|
24
|
+
* `../../etc/passwd`, `.env`, or a workspace-local symlink to a protected
|
|
25
|
+
* file is rejected BEFORE `git apply` runs. Symlink escape, protected
|
|
26
|
+
* file, and path traversal are all covered by the same gate the layers
|
|
27
|
+
* inherit — we never roll our own resolver here.
|
|
28
|
+
*
|
|
29
|
+
* Atomicity: a multi-file patch either lands entirely or not at all.
|
|
30
|
+
* `git apply --check` validates the patch end-to-end against the
|
|
31
|
+
* working tree first; only on a clean check do we run the real apply.
|
|
32
|
+
* If the apply still fails partway (extremely rare — usually a race
|
|
33
|
+
* with another writer), we run `git checkout -- <each file>` to roll
|
|
34
|
+
* the tree back. This keeps the dispatcher's invariant: a tool result
|
|
35
|
+
* of `ok: false` means the workspace is unchanged.
|
|
36
|
+
*
|
|
37
|
+
* Idempotency: applying the same patch twice rejects the second with
|
|
38
|
+
* `already_applied`. `git apply` itself returns success only when the
|
|
39
|
+
* patch's pre-image matches the working tree, so a second invocation
|
|
40
|
+
* naturally fails. We translate the specific failure mode into a
|
|
41
|
+
* dedicated reason so callers can short-circuit retry loops.
|
|
42
|
+
*
|
|
43
|
+
* Brand voice: ASCII only, no emoji, no banned words.
|
|
44
|
+
*/
|
|
45
|
+
import { spawnSync } from 'node:child_process';
|
|
46
|
+
import { existsSync, rmSync } from 'node:fs';
|
|
47
|
+
import { resolve, sep } from 'node:path';
|
|
48
|
+
import { applySecurityGate } from '../core/edits/security-gate.js';
|
|
49
|
+
import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
|
|
50
|
+
import { recordToolCall, recordToolResult, recordFileMutation } from '../core/session.js';
|
|
51
|
+
/**
|
|
52
|
+
* Parse the file paths referenced in a unified diff. We look for both
|
|
53
|
+
* `diff --git a/X b/Y` headers (preferred) and the fallback
|
|
54
|
+
* `+++ b/<path>` lines that plain `diff -u` emits. The full set of
|
|
55
|
+
* touched paths feeds the security gate — EVERY file goes through
|
|
56
|
+
* `applySecurityGate` before we trust `git apply` to do anything.
|
|
57
|
+
*
|
|
58
|
+
* Security (R1 fix 2026-05-26, PR #413 r1): git emits C-style quoted
|
|
59
|
+
* path headers when a path contains "unusual" bytes (high bits, control
|
|
60
|
+
* chars, double-quote, backslash) and `core.quotePath` is true (the
|
|
61
|
+
* default). The literal header looks like
|
|
62
|
+
* `diff --git "a/.env" "b/.env"`. Before this fix the regex captured
|
|
63
|
+
* the literal `"b/.env"` string and the security gate's basename match
|
|
64
|
+
* never saw `.env` — `basename('"b/.env"')` is `'.env"'` (note the
|
|
65
|
+
* trailing quote) which does NOT match the `.env` protected pattern.
|
|
66
|
+
* `git apply` then de-quoted the header and happily landed on the real
|
|
67
|
+
* `.env`. We strip the surrounding quotes + decode the C-style escapes
|
|
68
|
+
* via `unquoteGitPath` BEFORE passing to the security gate so the
|
|
69
|
+
* basename matcher sees the real target.
|
|
70
|
+
*/
|
|
71
|
+
export function extractPatchPaths(patch) {
|
|
72
|
+
const paths = new Set();
|
|
73
|
+
for (const line of patch.split('\n')) {
|
|
74
|
+
if (line.startsWith('diff --git ')) {
|
|
75
|
+
// `diff --git a/foo b/bar` — paths can contain spaces only when
|
|
76
|
+
// quoted by git's own diff machinery (rare). The robust extractor
|
|
77
|
+
// matches the `b/...` half because rename diffs carry the new
|
|
78
|
+
// name there.
|
|
79
|
+
// Two variants: unquoted (`a/foo b/bar`) and C-style quoted
|
|
80
|
+
// (`"a/foo" "b/bar"`). We try the quoted form first because the
|
|
81
|
+
// unquoted regex below would accept the literal quote as part of
|
|
82
|
+
// the path otherwise.
|
|
83
|
+
const quoted = line.match(/^diff --git "a\/(.+)" "b\/(.+)"$/);
|
|
84
|
+
if (quoted) {
|
|
85
|
+
if (quoted[1])
|
|
86
|
+
paths.add(unquoteGitPath(quoted[1]));
|
|
87
|
+
if (quoted[2])
|
|
88
|
+
paths.add(unquoteGitPath(quoted[2]));
|
|
89
|
+
continue;
|
|
90
|
+
}
|
|
91
|
+
const match = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
|
|
92
|
+
if (match) {
|
|
93
|
+
if (match[1])
|
|
94
|
+
paths.add(unquoteGitPath(match[1]));
|
|
95
|
+
if (match[2])
|
|
96
|
+
paths.add(unquoteGitPath(match[2]));
|
|
97
|
+
}
|
|
98
|
+
continue;
|
|
99
|
+
}
|
|
100
|
+
if (line.startsWith('+++ ')) {
|
|
101
|
+
const after = line.slice(4).trim();
|
|
102
|
+
if (after === '/dev/null')
|
|
103
|
+
continue;
|
|
104
|
+
const stripped = stripQuotedHalf(after, 'b/');
|
|
105
|
+
if (stripped)
|
|
106
|
+
paths.add(stripTimestampSuffix(stripped));
|
|
107
|
+
continue;
|
|
108
|
+
}
|
|
109
|
+
if (line.startsWith('--- ')) {
|
|
110
|
+
const after = line.slice(4).trim();
|
|
111
|
+
if (after === '/dev/null')
|
|
112
|
+
continue;
|
|
113
|
+
const stripped = stripQuotedHalf(after, 'a/');
|
|
114
|
+
if (stripped)
|
|
115
|
+
paths.add(stripTimestampSuffix(stripped));
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
return Array.from(paths);
|
|
119
|
+
}
|
|
120
|
+
/**
|
|
121
|
+
* Strip the leading `a/` or `b/` prefix from a `---` / `+++` line,
|
|
122
|
+
* handling both unquoted (`b/.env`) and C-style quoted (`"b/.env"`)
|
|
123
|
+
* variants. The returned path is fully de-quoted so the security gate
|
|
124
|
+
* sees the real basename. Returns null when the line does not parse.
|
|
125
|
+
*/
|
|
126
|
+
function stripQuotedHalf(after, prefix) {
|
|
127
|
+
// Quoted form: `"b/path with \"escapes\""`. Detect surrounding quotes
|
|
128
|
+
// first, strip them, then peel the prefix, then unquote the inner
|
|
129
|
+
// C-style escapes.
|
|
130
|
+
if (after.startsWith('"') && after.endsWith('"') && after.length >= 2) {
|
|
131
|
+
const inner = after.slice(1, -1);
|
|
132
|
+
const peeled = inner.startsWith(prefix) ? inner.slice(prefix.length) : inner;
|
|
133
|
+
return unquoteGitPath(peeled);
|
|
134
|
+
}
|
|
135
|
+
const trimmed = after.startsWith(prefix) ? after.slice(prefix.length) : after;
|
|
136
|
+
return trimmed;
|
|
137
|
+
}
|
|
138
|
+
/**
|
|
139
|
+
* Decode git's C-style path quoting. When `core.quotePath` is true
|
|
140
|
+
* (default) git writes paths with high-bit / control / quote bytes as
|
|
141
|
+
* C-string escapes inside double quotes:
|
|
142
|
+
*
|
|
143
|
+
* `"\.env"` -> `.env` (backslash before . is just a literal)
|
|
144
|
+
* `"a\"b"` -> `a"b` (escaped double-quote)
|
|
145
|
+
* `"a\\b"` -> `a\b` (escaped backslash)
|
|
146
|
+
* `"a\tb"` -> `a` + TAB + `b`
|
|
147
|
+
* `"a\341\210\264"` -> `a` + UTF-8 bytes 0xe1 0x88 0xb4
|
|
148
|
+
*
|
|
149
|
+
* Accepts a path that is EITHER already unquoted (passed through) OR an
|
|
150
|
+
* inner string previously stripped of its surrounding quotes. The
|
|
151
|
+
* function is idempotent on already-clean ASCII paths.
|
|
152
|
+
*
|
|
153
|
+
* Reference: git source `quote.c::unquote_c_style`.
|
|
154
|
+
*/
|
|
155
|
+
export function unquoteGitPath(s) {
|
|
156
|
+
// If the caller passed us a wrapped string (`"foo"`), peel it now.
|
|
157
|
+
if (s.startsWith('"') && s.endsWith('"') && s.length >= 2) {
|
|
158
|
+
s = s.slice(1, -1);
|
|
159
|
+
}
|
|
160
|
+
// Fast path: no backslash means no C-style escapes, return as-is.
|
|
161
|
+
if (!s.includes('\\'))
|
|
162
|
+
return s;
|
|
163
|
+
const out = [];
|
|
164
|
+
for (let i = 0; i < s.length; i += 1) {
|
|
165
|
+
const ch = s[i];
|
|
166
|
+
if (ch !== '\\') {
|
|
167
|
+
// Single-byte ASCII or multi-byte JS string char; the byte we
|
|
168
|
+
// emit must match its UTF-8 encoding so the security gate sees
|
|
169
|
+
// the same bytes the filesystem will. JS strings are UTF-16; we
|
|
170
|
+
// bounce through Buffer to get the canonical UTF-8 bytes.
|
|
171
|
+
const bytes = Buffer.from(ch ?? '', 'utf8');
|
|
172
|
+
for (const b of bytes)
|
|
173
|
+
out.push(b);
|
|
174
|
+
continue;
|
|
175
|
+
}
|
|
176
|
+
const next = s[i + 1];
|
|
177
|
+
if (next === undefined) {
|
|
178
|
+
// Trailing backslash with no follower — emit literal.
|
|
179
|
+
out.push(0x5c);
|
|
180
|
+
continue;
|
|
181
|
+
}
|
|
182
|
+
// Three-digit octal escape: `\NNN` (each digit 0-7).
|
|
183
|
+
if (next >= '0' && next <= '7' && i + 3 < s.length + 1) {
|
|
184
|
+
const oct = s.slice(i + 1, i + 4);
|
|
185
|
+
if (/^[0-7]{3}$/.test(oct)) {
|
|
186
|
+
out.push(Number.parseInt(oct, 8));
|
|
187
|
+
i += 3;
|
|
188
|
+
continue;
|
|
189
|
+
}
|
|
190
|
+
}
|
|
191
|
+
switch (next) {
|
|
192
|
+
case 'a':
|
|
193
|
+
out.push(0x07);
|
|
194
|
+
break;
|
|
195
|
+
case 'b':
|
|
196
|
+
out.push(0x08);
|
|
197
|
+
break;
|
|
198
|
+
case 't':
|
|
199
|
+
out.push(0x09);
|
|
200
|
+
break;
|
|
201
|
+
case 'n':
|
|
202
|
+
out.push(0x0a);
|
|
203
|
+
break;
|
|
204
|
+
case 'v':
|
|
205
|
+
out.push(0x0b);
|
|
206
|
+
break;
|
|
207
|
+
case 'f':
|
|
208
|
+
out.push(0x0c);
|
|
209
|
+
break;
|
|
210
|
+
case 'r':
|
|
211
|
+
out.push(0x0d);
|
|
212
|
+
break;
|
|
213
|
+
case '"':
|
|
214
|
+
out.push(0x22);
|
|
215
|
+
break;
|
|
216
|
+
case '\\':
|
|
217
|
+
out.push(0x5c);
|
|
218
|
+
break;
|
|
219
|
+
default:
|
|
220
|
+
// Unknown escape — emit the escape char as a literal so we
|
|
221
|
+
// don't silently drop bytes. Mirrors git's own permissive
|
|
222
|
+
// behaviour.
|
|
223
|
+
out.push(next.charCodeAt(0));
|
|
224
|
+
}
|
|
225
|
+
i += 1;
|
|
226
|
+
}
|
|
227
|
+
return Buffer.from(out).toString('utf8');
|
|
228
|
+
}
|
|
229
|
+
/**
|
|
230
|
+
* `diff -u` (non-git) emits trailing tab-prefixed timestamps after the
|
|
231
|
+
* path: `--- foo.ts\t2026-05-25 10:00:00`. Strip those so the security
|
|
232
|
+
* gate sees the clean path.
|
|
233
|
+
*/
|
|
234
|
+
function stripTimestampSuffix(path) {
|
|
235
|
+
const tab = path.indexOf('\t');
|
|
236
|
+
return tab >= 0 ? path.slice(0, tab) : path;
|
|
237
|
+
}
|
|
238
|
+
/**
|
|
239
|
+
* Apply a unified-diff patch to the workspace. Routes every mentioned
|
|
240
|
+
* file through the shared security gate before invoking `git apply`.
|
|
241
|
+
*/
|
|
242
|
+
export function applyPatch(ctx, patch, opts = {}) {
|
|
243
|
+
const toolCallId = recordToolCall(ctx.session, 'apply_patch', `${patch.length} bytes`);
|
|
244
|
+
try {
|
|
245
|
+
gateOnCancellation(ctx, 'apply_patch');
|
|
246
|
+
}
|
|
247
|
+
catch (error) {
|
|
248
|
+
if (error instanceof OperatorAbortedError) {
|
|
249
|
+
recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
|
|
250
|
+
throw error;
|
|
251
|
+
}
|
|
252
|
+
throw error;
|
|
253
|
+
}
|
|
254
|
+
if (patch.trim().length === 0) {
|
|
255
|
+
const result = {
|
|
256
|
+
ok: false,
|
|
257
|
+
filesChanged: [],
|
|
258
|
+
reason: 'empty_patch',
|
|
259
|
+
detail: 'patch body is empty',
|
|
260
|
+
};
|
|
261
|
+
recordToolResult(ctx.session, toolCallId, 'error', 'empty_patch');
|
|
262
|
+
return result;
|
|
263
|
+
}
|
|
264
|
+
const paths = extractPatchPaths(patch);
|
|
265
|
+
if (paths.length === 0) {
|
|
266
|
+
const result = {
|
|
267
|
+
ok: false,
|
|
268
|
+
filesChanged: [],
|
|
269
|
+
reason: 'invalid_patch',
|
|
270
|
+
detail: 'no `diff --git` or `+++` headers found in patch',
|
|
271
|
+
};
|
|
272
|
+
recordToolResult(ctx.session, toolCallId, 'error', 'invalid_patch');
|
|
273
|
+
return result;
|
|
274
|
+
}
|
|
275
|
+
// SECURITY GATE — reuse the α6.6 chokepoint. Every path in the patch
|
|
276
|
+
// is validated against:
|
|
277
|
+
// 1. workspace containment (no ../../ escapes)
|
|
278
|
+
// 2. protected-file basenames (.env, *.pem, id_rsa, etc.)
|
|
279
|
+
// 3. symlink escape (an in-workspace symlink pointing to /etc/hosts
|
|
280
|
+
// or a protected basename gets rejected here)
|
|
281
|
+
for (const file of paths) {
|
|
282
|
+
const gate = applySecurityGate(file, { cwd: ctx.root, toolName: 'layer-c' });
|
|
283
|
+
if (!gate.ok) {
|
|
284
|
+
const result = {
|
|
285
|
+
ok: false,
|
|
286
|
+
filesChanged: [],
|
|
287
|
+
reason: gate.reason,
|
|
288
|
+
detail: `${file}: ${gate.detail}`,
|
|
289
|
+
};
|
|
290
|
+
recordToolResult(ctx.session, toolCallId, 'error', `${gate.reason}: ${file}`);
|
|
291
|
+
return result;
|
|
292
|
+
}
|
|
293
|
+
}
|
|
294
|
+
// `git apply --check` validates the patch end-to-end against the
|
|
295
|
+
// working tree. A passing check is the gate for the actual apply.
|
|
296
|
+
const checkArgs = ['apply', '--check'];
|
|
297
|
+
if (opts.baseSha)
|
|
298
|
+
checkArgs.push('--3way');
|
|
299
|
+
checkArgs.push('-');
|
|
300
|
+
const check = runGit(checkArgs, ctx.root, patch);
|
|
301
|
+
if (check.status === 127) {
|
|
302
|
+
// No git binary on PATH. Rare on a developer machine but possible
|
|
303
|
+
// in slim containers / CI images. Surface a dedicated reason so
|
|
304
|
+
// the operator's message says "install git" not "patch is bad".
|
|
305
|
+
const result = {
|
|
306
|
+
ok: false,
|
|
307
|
+
filesChanged: [],
|
|
308
|
+
reason: 'git_unavailable',
|
|
309
|
+
detail: 'git not found on PATH',
|
|
310
|
+
};
|
|
311
|
+
recordToolResult(ctx.session, toolCallId, 'error', 'git_unavailable');
|
|
312
|
+
return result;
|
|
313
|
+
}
|
|
314
|
+
if (check.status !== 0) {
|
|
315
|
+
// Decide whether this is the "already applied" case or a real
|
|
316
|
+
// failure. `git apply --check` rejects an already-applied patch
|
|
317
|
+
// with stderr containing patterns like "patch does not apply" or
|
|
318
|
+
// "already exists in working directory". The simpler signal is
|
|
319
|
+
// the stderr string containing `already exists in working directory`
|
|
320
|
+
// (git's own message for a creating patch landing twice) — that's
|
|
321
|
+
// the only path we treat as `already_applied` here. Other stderr
|
|
322
|
+
// surfaces fall through to `check_failed` so the operator sees the
|
|
323
|
+
// raw reason.
|
|
324
|
+
const stderr = check.stderr.toLowerCase();
|
|
325
|
+
if (stderr.includes('already exists in working directory')) {
|
|
326
|
+
const result = {
|
|
327
|
+
ok: false,
|
|
328
|
+
filesChanged: [],
|
|
329
|
+
reason: 'already_applied',
|
|
330
|
+
detail: 'patch creates a path that already exists — likely already applied',
|
|
331
|
+
};
|
|
332
|
+
recordToolResult(ctx.session, toolCallId, 'error', 'already_applied');
|
|
333
|
+
return result;
|
|
334
|
+
}
|
|
335
|
+
const result = {
|
|
336
|
+
ok: false,
|
|
337
|
+
filesChanged: [],
|
|
338
|
+
reason: 'check_failed',
|
|
339
|
+
detail: check.stderr.trim() || 'git apply --check rejected the patch',
|
|
340
|
+
};
|
|
341
|
+
recordToolResult(ctx.session, toolCallId, 'error', `check_failed: ${result.detail}`);
|
|
342
|
+
return result;
|
|
343
|
+
}
|
|
344
|
+
if (opts.dryRun) {
|
|
345
|
+
const result = {
|
|
346
|
+
ok: true,
|
|
347
|
+
filesChanged: paths,
|
|
348
|
+
};
|
|
349
|
+
recordToolResult(ctx.session, toolCallId, 'success', `dry-run ok, ${paths.length} files`);
|
|
350
|
+
return result;
|
|
351
|
+
}
|
|
352
|
+
// R1 fix (2026-05-26, PR #413 r1, Fix 6): snapshot which paths exist
|
|
353
|
+
// BEFORE the apply so rollbackFiles can decide between
|
|
354
|
+
// `git checkout -- <file>` (for files that existed) and `fs.rmSync`
|
|
355
|
+
// (for files the patch was creating that may have been half-written
|
|
356
|
+
// before the failure). Without this snapshot, `git checkout`
|
|
357
|
+
// gracefully no-ops on a never-tracked file and the partial creation
|
|
358
|
+
// is left behind.
|
|
359
|
+
const preExisting = new Map();
|
|
360
|
+
for (const p of paths) {
|
|
361
|
+
preExisting.set(p, existsSync(resolve(ctx.root, p)));
|
|
362
|
+
}
|
|
363
|
+
const applyArgs = ['apply'];
|
|
364
|
+
if (opts.baseSha)
|
|
365
|
+
applyArgs.push('--3way');
|
|
366
|
+
applyArgs.push('-');
|
|
367
|
+
const apply = runGit(applyArgs, ctx.root, patch);
|
|
368
|
+
if (apply.status !== 0) {
|
|
369
|
+
// Apply failed AFTER --check passed. This is almost always a TOCTOU
|
|
370
|
+
// (another writer touched a file between the two git calls).
|
|
371
|
+
// Rollback ANY partial mutation so the workspace stays consistent.
|
|
372
|
+
const rollback = rollbackFiles(ctx.root, paths, preExisting);
|
|
373
|
+
const detail = apply.stderr.trim() || 'git apply failed after passing --check';
|
|
374
|
+
if (!rollback.ok) {
|
|
375
|
+
const result = {
|
|
376
|
+
ok: false,
|
|
377
|
+
filesChanged: [],
|
|
378
|
+
reason: 'rollback_failed',
|
|
379
|
+
detail: `${detail}; rollback also failed: ${rollback.detail}`,
|
|
380
|
+
};
|
|
381
|
+
recordToolResult(ctx.session, toolCallId, 'error', 'rollback_failed');
|
|
382
|
+
return result;
|
|
383
|
+
}
|
|
384
|
+
const result = {
|
|
385
|
+
ok: false,
|
|
386
|
+
filesChanged: [],
|
|
387
|
+
reason: 'apply_failed',
|
|
388
|
+
detail,
|
|
389
|
+
};
|
|
390
|
+
recordToolResult(ctx.session, toolCallId, 'error', `apply_failed: ${detail}`);
|
|
391
|
+
return result;
|
|
392
|
+
}
|
|
393
|
+
// Audit-log every file the patch mutated. The before/after hashes
|
|
394
|
+
// are NOT recorded (git owns the staging area for that); the
|
|
395
|
+
// mutation entry is enough for `pugi undo` to surface "apply_patch
|
|
396
|
+
// touched these files" in the timeline.
|
|
397
|
+
for (const file of paths) {
|
|
398
|
+
recordFileMutation(ctx.session, {
|
|
399
|
+
toolCallId,
|
|
400
|
+
path: file,
|
|
401
|
+
operation: 'update',
|
|
402
|
+
});
|
|
403
|
+
}
|
|
404
|
+
recordToolResult(ctx.session, toolCallId, 'success', `applied ${paths.length} files`);
|
|
405
|
+
return { ok: true, filesChanged: paths };
|
|
406
|
+
}
|
|
407
|
+
/**
|
|
408
|
+
* Roll back any partial mutation by checking files out from HEAD. Used
|
|
409
|
+
* only on the rare path where `git apply` fails AFTER `git apply --check`
|
|
410
|
+
* passed.
|
|
411
|
+
*
|
|
412
|
+
* R1 fix (2026-05-26, PR #413 r1, Fix 6): a multi-file patch that
|
|
413
|
+
* creates new files leaves them on disk when `git apply` fails partway —
|
|
414
|
+
* `git checkout -- <file>` does NOT delete a path that was never tracked
|
|
415
|
+
* (the file was created by the failed apply). We split paths into two
|
|
416
|
+
* groups using the pre-apply snapshot:
|
|
417
|
+
*
|
|
418
|
+
* - existed-before -> `git checkout -- <file>` restores tracked content.
|
|
419
|
+
* - created-by-apply -> `fs.rmSync(file, { force: true })` removes the
|
|
420
|
+
* half-written file so the workspace ends up identical to its
|
|
421
|
+
* pre-apply state.
|
|
422
|
+
*
|
|
423
|
+
* This keeps the dispatcher's invariant: a tool result of `ok: false`
|
|
424
|
+
* means the workspace is unchanged.
|
|
425
|
+
*/
|
|
426
|
+
function rollbackFiles(cwd, paths, preExisting) {
|
|
427
|
+
if (paths.length === 0)
|
|
428
|
+
return { ok: true };
|
|
429
|
+
// We only attempt to roll back files that are inside the workspace
|
|
430
|
+
// and were resolved by the security gate. A path that escaped the
|
|
431
|
+
// gate would have already aborted us above.
|
|
432
|
+
const safePaths = paths.filter((p) => {
|
|
433
|
+
const abs = resolve(cwd, p);
|
|
434
|
+
return abs === cwd || abs.startsWith(cwd + sep);
|
|
435
|
+
});
|
|
436
|
+
if (safePaths.length === 0)
|
|
437
|
+
return { ok: true };
|
|
438
|
+
const toCheckout = [];
|
|
439
|
+
const toRemove = [];
|
|
440
|
+
for (const p of safePaths) {
|
|
441
|
+
if (preExisting.get(p))
|
|
442
|
+
toCheckout.push(p);
|
|
443
|
+
else
|
|
444
|
+
toRemove.push(p);
|
|
445
|
+
}
|
|
446
|
+
// Unlink files that the patch was creating. `force: true` swallows
|
|
447
|
+
// ENOENT so a creation that never got far enough to write the file
|
|
448
|
+
// is a no-op. We record every unlink failure but keep going so a
|
|
449
|
+
// single permission error on one file doesn't strand the others.
|
|
450
|
+
const removeFailures = [];
|
|
451
|
+
for (const p of toRemove) {
|
|
452
|
+
const abs = resolve(cwd, p);
|
|
453
|
+
try {
|
|
454
|
+
rmSync(abs, { force: true });
|
|
455
|
+
}
|
|
456
|
+
catch (error) {
|
|
457
|
+
removeFailures.push(`${p}: ${error instanceof Error ? error.message : String(error)}`);
|
|
458
|
+
}
|
|
459
|
+
}
|
|
460
|
+
if (toCheckout.length > 0) {
|
|
461
|
+
const result = runGit(['checkout', '--', ...toCheckout], cwd);
|
|
462
|
+
if (result.status !== 0) {
|
|
463
|
+
const detail = [result.stderr.trim(), ...removeFailures].filter(Boolean).join('; ');
|
|
464
|
+
return { ok: false, detail };
|
|
465
|
+
}
|
|
466
|
+
}
|
|
467
|
+
if (removeFailures.length > 0) {
|
|
468
|
+
return { ok: false, detail: `rollback unlink failed: ${removeFailures.join('; ')}` };
|
|
469
|
+
}
|
|
470
|
+
return { ok: true };
|
|
471
|
+
}
|
|
472
|
+
function runGit(args, cwd, stdin) {
|
|
473
|
+
// R1 fix (2026-05-26, PR #413 r1, P2 #13): force the English C locale
|
|
474
|
+
// for the git child process. The `already_applied` reason-coding
|
|
475
|
+
// below greps stderr for the literal English string
|
|
476
|
+
// "already exists in working directory"; on a host where git was
|
|
477
|
+
// installed with a translated message catalog (de_DE / ru_RU / etc.)
|
|
478
|
+
// the substring match would silently miss and the operator would see
|
|
479
|
+
// `check_failed` instead of `already_applied`. C locale (also
|
|
480
|
+
// LC_ALL) guarantees the canonical message regardless of host env.
|
|
481
|
+
return spawnSync('git', args, {
|
|
482
|
+
cwd,
|
|
483
|
+
input: stdin,
|
|
484
|
+
encoding: 'utf8',
|
|
485
|
+
maxBuffer: 64 * 1024 * 1024,
|
|
486
|
+
env: { ...process.env, LANG: 'C', LC_ALL: 'C' },
|
|
487
|
+
});
|
|
488
|
+
}
|
|
489
|
+
/**
|
|
490
|
+
* Test-only surface for the apply-patch heuristics. Specs poke
|
|
491
|
+
* `extractPatchPaths` directly to assert on the path-parsing layer
|
|
492
|
+
* without paying for a real git invocation.
|
|
493
|
+
*/
|
|
494
|
+
export const __test__ = { extractPatchPaths, runGit, unquoteGitPath };
|
|
495
|
+
//# sourceMappingURL=apply-patch.js.map
|
|
@@ -0,0 +1,115 @@
|
|
|
1
|
+
export const ASK_USER_DEFAULT_TIMEOUT_MS = 5 * 60 * 1_000;
|
|
2
|
+
/**
|
|
3
|
+
* Schema cap: keep the option count tight so the modal stays scannable.
|
|
4
|
+
* Mirrors `ASK_MAX_OPTIONS` in `core/repl/ask.ts` (4).
|
|
5
|
+
*/
|
|
6
|
+
export const ASK_USER_MAX_OPTIONS = 4;
|
|
7
|
+
export const ASK_USER_MAX_QUESTION_LEN = 1_000;
|
|
8
|
+
export const ASK_USER_MAX_OPTION_LEN = 200;
|
|
9
|
+
export async function askUser(ctx, input) {
|
|
10
|
+
validate(input);
|
|
11
|
+
if (ctx.interactive && ctx.bridge) {
|
|
12
|
+
// β1a r1 (2026-05-26): wrap the bridge in an abort-aware race so a
|
|
13
|
+
// pending modal cannot block the engine loop forever. Two signals
|
|
14
|
+
// can interrupt:
|
|
15
|
+
// 1. `ctx.signal` — the operator cancelled the parent task via
|
|
16
|
+
// Ctrl-C; the engine forwards the loop's AbortSignal here.
|
|
17
|
+
// 2. `ctx.timeoutMs` (default 5 minutes) — operator walked away;
|
|
18
|
+
// the modal stays renderable but the tool surface returns the
|
|
19
|
+
// `cancelled` envelope so the model can make progress.
|
|
20
|
+
// The bridge receives the same `signal` so an Ink-based modal can
|
|
21
|
+
// tear down its render loop and free its keyboard handlers on
|
|
22
|
+
// abort. Bridges that ignore the signal still get pre-empted by
|
|
23
|
+
// the race — they just leak a render until the next operator
|
|
24
|
+
// keystroke.
|
|
25
|
+
const timeoutMs = ctx.timeoutMs ?? ASK_USER_DEFAULT_TIMEOUT_MS;
|
|
26
|
+
// Pre-flight: short-circuit when the caller's signal is already
|
|
27
|
+
// aborted. Avoids constructing a bridge promise that races against
|
|
28
|
+
// an already-resolved abort sentinel — the race ordering is
|
|
29
|
+
// unspecified for promises that have all settled by the time
|
|
30
|
+
// Promise.race is called, which would non-deterministically let
|
|
31
|
+
// the bridge's answer leak through after an explicit cancel.
|
|
32
|
+
if (ctx.signal?.aborted) {
|
|
33
|
+
return { envelope: formatEnvelope(input, 'cancelled') };
|
|
34
|
+
}
|
|
35
|
+
const controller = new AbortController();
|
|
36
|
+
if (ctx.signal) {
|
|
37
|
+
ctx.signal.addEventListener('abort', () => controller.abort(), { once: true });
|
|
38
|
+
}
|
|
39
|
+
let timeoutHandle;
|
|
40
|
+
const timeoutPromise = new Promise((resolve) => {
|
|
41
|
+
timeoutHandle = setTimeout(() => resolve('timeout'), timeoutMs);
|
|
42
|
+
});
|
|
43
|
+
const abortPromise = new Promise((resolve) => {
|
|
44
|
+
controller.signal.addEventListener('abort', () => resolve('aborted'), { once: true });
|
|
45
|
+
});
|
|
46
|
+
let picked;
|
|
47
|
+
try {
|
|
48
|
+
picked = await Promise.race([
|
|
49
|
+
ctx.bridge(input, { signal: controller.signal }),
|
|
50
|
+
timeoutPromise,
|
|
51
|
+
abortPromise,
|
|
52
|
+
]);
|
|
53
|
+
}
|
|
54
|
+
finally {
|
|
55
|
+
if (timeoutHandle)
|
|
56
|
+
clearTimeout(timeoutHandle);
|
|
57
|
+
}
|
|
58
|
+
if (picked === 'timeout') {
|
|
59
|
+
controller.abort();
|
|
60
|
+
return { envelope: formatEnvelope(input, 'timeout') };
|
|
61
|
+
}
|
|
62
|
+
if (picked === 'aborted') {
|
|
63
|
+
return { envelope: formatEnvelope(input, 'cancelled') };
|
|
64
|
+
}
|
|
65
|
+
if (!Array.isArray(picked) || picked.length === 0) {
|
|
66
|
+
// Operator declined / closed the modal — surface a structured
|
|
67
|
+
// "no answer" envelope so the model can decide whether to retry.
|
|
68
|
+
const envelope = formatEnvelope(input, 'cancelled');
|
|
69
|
+
return { envelope };
|
|
70
|
+
}
|
|
71
|
+
return {
|
|
72
|
+
answers: picked,
|
|
73
|
+
envelope: formatAnswer(picked),
|
|
74
|
+
};
|
|
75
|
+
}
|
|
76
|
+
// Non-TTY or no bridge — surface the envelope. Caller parses it and
|
|
77
|
+
// either pipes an answer back on a follow-up turn or aborts.
|
|
78
|
+
const envelope = formatEnvelope(input, 'no_tty');
|
|
79
|
+
return { envelope };
|
|
80
|
+
}
|
|
81
|
+
function validate(input) {
|
|
82
|
+
const question = input.question?.trim();
|
|
83
|
+
if (!question)
|
|
84
|
+
throw new Error('ask_user: question is required');
|
|
85
|
+
if (question.length > ASK_USER_MAX_QUESTION_LEN) {
|
|
86
|
+
throw new Error(`ask_user: question exceeds ${ASK_USER_MAX_QUESTION_LEN} char cap`);
|
|
87
|
+
}
|
|
88
|
+
if (!Array.isArray(input.options) || input.options.length < 2) {
|
|
89
|
+
throw new Error('ask_user: at least 2 options required');
|
|
90
|
+
}
|
|
91
|
+
if (input.options.length > ASK_USER_MAX_OPTIONS) {
|
|
92
|
+
throw new Error(`ask_user: at most ${ASK_USER_MAX_OPTIONS} options allowed`);
|
|
93
|
+
}
|
|
94
|
+
for (const opt of input.options) {
|
|
95
|
+
if (typeof opt !== 'string' || !opt.trim()) {
|
|
96
|
+
throw new Error('ask_user: every option must be a non-empty string');
|
|
97
|
+
}
|
|
98
|
+
if (opt.length > ASK_USER_MAX_OPTION_LEN) {
|
|
99
|
+
throw new Error(`ask_user: option exceeds ${ASK_USER_MAX_OPTION_LEN} char cap`);
|
|
100
|
+
}
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
function formatEnvelope(input, reason) {
|
|
104
|
+
const payload = {
|
|
105
|
+
question: input.question,
|
|
106
|
+
options: input.options,
|
|
107
|
+
multiSelect: input.multiSelect === true,
|
|
108
|
+
reason,
|
|
109
|
+
};
|
|
110
|
+
return `[user_input_required]${JSON.stringify(payload)}[/user_input_required]`;
|
|
111
|
+
}
|
|
112
|
+
function formatAnswer(answers) {
|
|
113
|
+
return answers.join(', ');
|
|
114
|
+
}
|
|
115
|
+
//# sourceMappingURL=ask-user.js.map
|