@pugi/cli 0.1.0-beta.10 → 0.1.0-beta.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,115 @@
1
+ export const ASK_USER_DEFAULT_TIMEOUT_MS = 5 * 60 * 1_000;
2
+ /**
3
+ * Schema cap: keep the option count tight so the modal stays scannable.
4
+ * Mirrors `ASK_MAX_OPTIONS` in `core/repl/ask.ts` (4).
5
+ */
6
+ export const ASK_USER_MAX_OPTIONS = 4;
7
+ export const ASK_USER_MAX_QUESTION_LEN = 1_000;
8
+ export const ASK_USER_MAX_OPTION_LEN = 200;
9
+ export async function askUser(ctx, input) {
10
+ validate(input);
11
+ if (ctx.interactive && ctx.bridge) {
12
+ // β1a r1 (2026-05-26): wrap the bridge in an abort-aware race so a
13
+ // pending modal cannot block the engine loop forever. Two signals
14
+ // can interrupt:
15
+ // 1. `ctx.signal` — the operator cancelled the parent task via
16
+ // Ctrl-C; the engine forwards the loop's AbortSignal here.
17
+ // 2. `ctx.timeoutMs` (default 5 minutes) — operator walked away;
18
+ // the modal stays renderable but the tool surface returns the
19
+ // `cancelled` envelope so the model can make progress.
20
+ // The bridge receives the same `signal` so an Ink-based modal can
21
+ // tear down its render loop and free its keyboard handlers on
22
+ // abort. Bridges that ignore the signal still get pre-empted by
23
+ // the race — they just leak a render until the next operator
24
+ // keystroke.
25
+ const timeoutMs = ctx.timeoutMs ?? ASK_USER_DEFAULT_TIMEOUT_MS;
26
+ // Pre-flight: short-circuit when the caller's signal is already
27
+ // aborted. Avoids constructing a bridge promise that races against
28
+ // an already-resolved abort sentinel — the race ordering is
29
+ // unspecified for promises that have all settled by the time
30
+ // Promise.race is called, which would non-deterministically let
31
+ // the bridge's answer leak through after an explicit cancel.
32
+ if (ctx.signal?.aborted) {
33
+ return { envelope: formatEnvelope(input, 'cancelled') };
34
+ }
35
+ const controller = new AbortController();
36
+ if (ctx.signal) {
37
+ ctx.signal.addEventListener('abort', () => controller.abort(), { once: true });
38
+ }
39
+ let timeoutHandle;
40
+ const timeoutPromise = new Promise((resolve) => {
41
+ timeoutHandle = setTimeout(() => resolve('timeout'), timeoutMs);
42
+ });
43
+ const abortPromise = new Promise((resolve) => {
44
+ controller.signal.addEventListener('abort', () => resolve('aborted'), { once: true });
45
+ });
46
+ let picked;
47
+ try {
48
+ picked = await Promise.race([
49
+ ctx.bridge(input, { signal: controller.signal }),
50
+ timeoutPromise,
51
+ abortPromise,
52
+ ]);
53
+ }
54
+ finally {
55
+ if (timeoutHandle)
56
+ clearTimeout(timeoutHandle);
57
+ }
58
+ if (picked === 'timeout') {
59
+ controller.abort();
60
+ return { envelope: formatEnvelope(input, 'timeout') };
61
+ }
62
+ if (picked === 'aborted') {
63
+ return { envelope: formatEnvelope(input, 'cancelled') };
64
+ }
65
+ if (!Array.isArray(picked) || picked.length === 0) {
66
+ // Operator declined / closed the modal — surface a structured
67
+ // "no answer" envelope so the model can decide whether to retry.
68
+ const envelope = formatEnvelope(input, 'cancelled');
69
+ return { envelope };
70
+ }
71
+ return {
72
+ answers: picked,
73
+ envelope: formatAnswer(picked),
74
+ };
75
+ }
76
+ // Non-TTY or no bridge — surface the envelope. Caller parses it and
77
+ // either pipes an answer back on a follow-up turn or aborts.
78
+ const envelope = formatEnvelope(input, 'no_tty');
79
+ return { envelope };
80
+ }
81
+ function validate(input) {
82
+ const question = input.question?.trim();
83
+ if (!question)
84
+ throw new Error('ask_user: question is required');
85
+ if (question.length > ASK_USER_MAX_QUESTION_LEN) {
86
+ throw new Error(`ask_user: question exceeds ${ASK_USER_MAX_QUESTION_LEN} char cap`);
87
+ }
88
+ if (!Array.isArray(input.options) || input.options.length < 2) {
89
+ throw new Error('ask_user: at least 2 options required');
90
+ }
91
+ if (input.options.length > ASK_USER_MAX_OPTIONS) {
92
+ throw new Error(`ask_user: at most ${ASK_USER_MAX_OPTIONS} options allowed`);
93
+ }
94
+ for (const opt of input.options) {
95
+ if (typeof opt !== 'string' || !opt.trim()) {
96
+ throw new Error('ask_user: every option must be a non-empty string');
97
+ }
98
+ if (opt.length > ASK_USER_MAX_OPTION_LEN) {
99
+ throw new Error(`ask_user: option exceeds ${ASK_USER_MAX_OPTION_LEN} char cap`);
100
+ }
101
+ }
102
+ }
103
+ function formatEnvelope(input, reason) {
104
+ const payload = {
105
+ question: input.question,
106
+ options: input.options,
107
+ multiSelect: input.multiSelect === true,
108
+ reason,
109
+ };
110
+ return `[user_input_required]${JSON.stringify(payload)}[/user_input_required]`;
111
+ }
112
+ function formatAnswer(answers) {
113
+ return answers.join(', ');
114
+ }
115
+ //# sourceMappingURL=ask-user.js.map
@@ -0,0 +1,96 @@
1
+ import { listSkills } from '../core/skills/loader.js';
2
+ import { hashSkillDir, verifyTrust } from '../core/skills/trust.js';
3
+ export const SKILL_BODY_CAP_BYTES = 32 * 1024;
4
+ export const SKILL_LIST_CAP = 100;
5
+ export function skillList(ctx, input) {
6
+ const scope = input.scope ?? 'all';
7
+ const all = [];
8
+ if (scope === 'all' || scope === 'global') {
9
+ all.push(...listSkills('global', ctx.workspaceRoot));
10
+ }
11
+ if (scope === 'all' || scope === 'workspace') {
12
+ all.push(...listSkills('workspace', ctx.workspaceRoot));
13
+ }
14
+ // Dedup by name, prefer workspace scope when both exist (workspace
15
+ // overrides global per skills loader convention).
16
+ const byName = new Map();
17
+ for (const skill of all) {
18
+ const prev = byName.get(skill.name);
19
+ if (!prev || skill.scope === 'workspace') {
20
+ byName.set(skill.name, skill);
21
+ }
22
+ }
23
+ return Array.from(byName.values())
24
+ .slice(0, SKILL_LIST_CAP)
25
+ .map((skill) => ({
26
+ name: skill.name,
27
+ description: skill.frontmatter.description,
28
+ scope: skill.scope,
29
+ }));
30
+ }
31
+ export async function skillInvoke(ctx, input) {
32
+ if (!input.name || typeof input.name !== 'string') {
33
+ throw new Error('skill: name is required');
34
+ }
35
+ // Defense-in-depth: skill loader already validates slugs but the
36
+ // tool surface is operator-controlled.
37
+ if (!/^[a-zA-Z0-9_-]{1,128}$/.test(input.name)) {
38
+ throw new Error(`skill: invalid skill name shape: "${input.name}"`);
39
+ }
40
+ // Workspace scope wins over global (operator override). Mirrors
41
+ // SkillLoader convention.
42
+ const workspace = listSkills('workspace', ctx.workspaceRoot).find((s) => s.name === input.name);
43
+ const global = workspace
44
+ ? null
45
+ : listSkills('global', ctx.workspaceRoot).find((s) => s.name === input.name);
46
+ const skill = workspace ?? global;
47
+ if (!skill) {
48
+ throw new Error(`skill: not found: "${input.name}"`);
49
+ }
50
+ // β1a r1 (2026-05-26): re-verify the on-disk skill payload against
51
+ // the trust manifest sha256 on EVERY invoke, not just at install
52
+ // time. Before this fix a post-install swap (malicious npm dep that
53
+ // touches `~/.pugi/skills/<name>/SKILL.md` after the operator
54
+ // approved the install) would bypass the trust gate — `listSkills`
55
+ // reads the body fresh from disk and the loader does no integrity
56
+ // check. The skill body lands directly in the model's tool result,
57
+ // so a mutated body is a prompt-injection vector against the agent
58
+ // loop's tool surface.
59
+ //
60
+ // Posture:
61
+ // - `trusted` → proceed (body is hash-pinned).
62
+ // - `unsigned` → refuse: the operator never approved this skill.
63
+ // This catches the case where a skill directory was dropped in
64
+ // manually (no `pugi skills install`) and the loader picked it
65
+ // up. Refusing is fail-closed.
66
+ // - `mismatch` → refuse + surface the recorded vs actual hashes
67
+ // so the operator can decide between re-trust and revoke.
68
+ //
69
+ // Performance: `hashSkillDir` walks the skill directory on every
70
+ // invoke. Skills are small (median 4-8 files, <50KB total) so the
71
+ // cost is sub-millisecond on warm cache. The β1a r1 spec exercises
72
+ // a mutated-body case; the existing skill-tool.spec.ts cases for
73
+ // happy-path use the `recordTrust` helper to seed the registry.
74
+ const actualHash = hashSkillDir(skill.dir);
75
+ const verdict = await verifyTrust('skill', skill.scope, skill.name, actualHash);
76
+ if (verdict.status === 'unsigned') {
77
+ throw new Error(`skill: refused to invoke "${skill.name}" — no trust entry (run \`pugi skills trust ${skill.name}\` to approve)`);
78
+ }
79
+ if (verdict.status === 'mismatch') {
80
+ throw new Error(`skill: refused to invoke "${skill.name}" — sha256 mismatch (recorded ${verdict.recorded.slice(0, 12)}…, actual ${verdict.actual.slice(0, 12)}…). Re-trust via \`pugi skills trust ${skill.name}\`.`);
81
+ }
82
+ const body = skill.body;
83
+ const truncated = Buffer.byteLength(body, 'utf8') > SKILL_BODY_CAP_BYTES;
84
+ const cappedBody = truncated
85
+ ? body.slice(0, SKILL_BODY_CAP_BYTES) +
86
+ `\n\n(... truncated at ${SKILL_BODY_CAP_BYTES} bytes — see \`pugi skills info ${skill.name}\` for full text)`
87
+ : body;
88
+ return {
89
+ name: skill.name,
90
+ scope: skill.scope,
91
+ description: skill.frontmatter.description,
92
+ body: cappedBody,
93
+ truncated,
94
+ };
95
+ }
96
+ //# sourceMappingURL=skill-tool.js.map
@@ -0,0 +1,208 @@
1
+ /**
2
+ * task_* tool family — β1 T1/T6 (TodoWrite + agent task ledger).
3
+ *
4
+ * Mirrors Claude Code's TodoWrite tool surface so a model trained on
5
+ * the upstream tool grammar speaks Pugi's variant verbatim. Four ops:
6
+ *
7
+ * - `task_create` — append a new task to the session's todo ledger.
8
+ * Returns the assigned id.
9
+ * - `task_get` — fetch a single task by id.
10
+ * - `task_list` — list every task in the current session, ordered
11
+ * by createdAt ascending.
12
+ * - `task_update` — mutate status/title/notes of an existing task.
13
+ * Append-only journal — every mutation lands as a
14
+ * fresh JSONL line and the latest line per id wins
15
+ * on `task_list` / `task_get` reads.
16
+ *
17
+ * Persistence: append-only JSONL at
18
+ * `.pugi/sessions/<sessionId>/tasks.jsonl`. Append-only keeps crash
19
+ * recovery trivial — a partial write at the end of the file is the
20
+ * worst case and the parser drops the malformed tail line.
21
+ *
22
+ * Scope: this is the local-side ledger surface. Anvil-side mirror
23
+ * (cabinet `/projects/[id]/tasks` page) ships in β5 once the session-
24
+ * memory hook lands; until then the ledger is purely local.
25
+ */
26
+ import { appendFileSync, chmodSync, existsSync, mkdirSync, readFileSync, } from 'node:fs';
27
+ import { dirname, join } from 'node:path';
28
+ import { randomUUID } from 'node:crypto';
29
+ function ledgerPath(ctx) {
30
+ // Defense-in-depth: the sessionId is supposed to be a UUID minted by
31
+ // openSession() but the tool surface is operator-facing. Validate the
32
+ // shape before composing a path — refuse anything that contains
33
+ // separators or shell wildcards.
34
+ if (!/^[a-zA-Z0-9_-]{1,128}$/.test(ctx.sessionId)) {
35
+ throw new Error(`task_*: invalid sessionId shape: "${ctx.sessionId}"`);
36
+ }
37
+ return join(ctx.workspaceRoot, '.pugi', 'sessions', ctx.sessionId, 'tasks.jsonl');
38
+ }
39
+ function nowIso(ctx) {
40
+ return (ctx.now ? ctx.now() : new Date()).toISOString();
41
+ }
42
+ function ensureDir(path) {
43
+ // β1a r1 (2026-05-26): switched from POSIX-only
44
+ // `path.slice(0, path.lastIndexOf('/'))` to `path.dirname()` so
45
+ // Windows path separators (`\`) work. Also chmod the per-session
46
+ // directory to 0o700 — the tasks ledger carries operator-confidential
47
+ // brief text, status notes, and timing metadata that should not be
48
+ // world-readable through an inherited umask.
49
+ const dir = dirname(path);
50
+ if (!existsSync(dir)) {
51
+ mkdirSync(dir, { recursive: true });
52
+ try {
53
+ chmodSync(dir, 0o700);
54
+ }
55
+ catch {
56
+ // Best-effort. POSIX permission setting is a no-op on Windows
57
+ // NTFS, and the dir-creation race with another concurrent task
58
+ // tool call is the only realistic failure case. The 0o600 mode
59
+ // on the JSONL file itself remains the primary guard; the dir
60
+ // chmod is defense in depth for tools that walk `.pugi/`.
61
+ }
62
+ }
63
+ }
64
+ function readJournal(ctx) {
65
+ const path = ledgerPath(ctx);
66
+ if (!existsSync(path))
67
+ return [];
68
+ const raw = readFileSync(path, 'utf8');
69
+ const out = [];
70
+ for (const line of raw.split('\n')) {
71
+ if (!line.trim())
72
+ continue;
73
+ try {
74
+ const parsed = JSON.parse(line);
75
+ if ((parsed.op === 'create' || parsed.op === 'update') &&
76
+ typeof parsed.id === 'string' &&
77
+ typeof parsed.at === 'string') {
78
+ out.push(parsed);
79
+ }
80
+ }
81
+ catch {
82
+ // Drop malformed line (partial-write tail or external corruption).
83
+ // The append-only design guarantees only the LAST line can be bad
84
+ // — everything before it is whole.
85
+ }
86
+ }
87
+ return out;
88
+ }
89
+ function fold(journal) {
90
+ const out = new Map();
91
+ for (const entry of journal) {
92
+ if (entry.op === 'create') {
93
+ if (!entry.title)
94
+ continue;
95
+ out.set(entry.id, {
96
+ id: entry.id,
97
+ title: entry.title,
98
+ status: entry.status ?? 'pending',
99
+ ...(entry.notes !== undefined ? { notes: entry.notes } : {}),
100
+ createdAt: entry.at,
101
+ updatedAt: entry.at,
102
+ });
103
+ }
104
+ else {
105
+ const prev = out.get(entry.id);
106
+ if (!prev)
107
+ continue; // update before create — drop silently
108
+ out.set(entry.id, {
109
+ ...prev,
110
+ ...(entry.title !== undefined ? { title: entry.title } : {}),
111
+ ...(entry.status !== undefined ? { status: entry.status } : {}),
112
+ ...(entry.notes !== undefined ? { notes: entry.notes } : {}),
113
+ updatedAt: entry.at,
114
+ });
115
+ }
116
+ }
117
+ return out;
118
+ }
119
+ function appendEntry(ctx, entry) {
120
+ const path = ledgerPath(ctx);
121
+ ensureDir(path);
122
+ appendFileSync(path, `${JSON.stringify(entry)}\n`, {
123
+ encoding: 'utf8',
124
+ mode: 0o600,
125
+ });
126
+ }
127
+ export function taskCreate(ctx, input) {
128
+ const title = input.title?.trim();
129
+ if (!title) {
130
+ throw new Error('task_create: title is required');
131
+ }
132
+ if (title.length > 2_000) {
133
+ throw new Error('task_create: title exceeds 2000 char cap');
134
+ }
135
+ const status = input.status ?? 'pending';
136
+ if (!isValidStatus(status)) {
137
+ throw new Error(`task_create: invalid status "${status}"`);
138
+ }
139
+ const id = `task-${randomUUID()}`;
140
+ const at = nowIso(ctx);
141
+ const entry = {
142
+ op: 'create',
143
+ id,
144
+ title,
145
+ status,
146
+ at,
147
+ ...(input.notes !== undefined ? { notes: input.notes } : {}),
148
+ };
149
+ appendEntry(ctx, entry);
150
+ return {
151
+ id,
152
+ title,
153
+ status,
154
+ ...(input.notes !== undefined ? { notes: input.notes } : {}),
155
+ createdAt: at,
156
+ updatedAt: at,
157
+ };
158
+ }
159
+ export function taskGet(ctx, id) {
160
+ if (typeof id !== 'string' || id.length === 0) {
161
+ throw new Error('task_get: id is required');
162
+ }
163
+ const folded = fold(readJournal(ctx));
164
+ return folded.get(id) ?? null;
165
+ }
166
+ export function taskList(ctx) {
167
+ const folded = fold(readJournal(ctx));
168
+ return Array.from(folded.values()).sort((a, b) => a.createdAt.localeCompare(b.createdAt));
169
+ }
170
+ export function taskUpdate(ctx, input) {
171
+ if (!input.id)
172
+ throw new Error('task_update: id is required');
173
+ const folded = fold(readJournal(ctx));
174
+ const existing = folded.get(input.id);
175
+ if (!existing) {
176
+ throw new Error(`task_update: unknown id "${input.id}"`);
177
+ }
178
+ if (input.status !== undefined && !isValidStatus(input.status)) {
179
+ throw new Error(`task_update: invalid status "${input.status}"`);
180
+ }
181
+ if (input.title !== undefined && input.title.trim().length === 0) {
182
+ throw new Error('task_update: title cannot be empty');
183
+ }
184
+ const at = nowIso(ctx);
185
+ const entry = {
186
+ op: 'update',
187
+ id: input.id,
188
+ at,
189
+ ...(input.title !== undefined ? { title: input.title } : {}),
190
+ ...(input.status !== undefined ? { status: input.status } : {}),
191
+ ...(input.notes !== undefined ? { notes: input.notes } : {}),
192
+ };
193
+ appendEntry(ctx, entry);
194
+ return {
195
+ ...existing,
196
+ ...(input.title !== undefined ? { title: input.title } : {}),
197
+ ...(input.status !== undefined ? { status: input.status } : {}),
198
+ ...(input.notes !== undefined ? { notes: input.notes } : {}),
199
+ updatedAt: at,
200
+ };
201
+ }
202
+ function isValidStatus(status) {
203
+ return (status === 'pending' ||
204
+ status === 'in_progress' ||
205
+ status === 'completed' ||
206
+ status === 'cancelled');
207
+ }
208
+ //# sourceMappingURL=tasks.js.map
@@ -50,6 +50,24 @@ export async function renderRepl(options) {
50
50
  // top, and our finally{} restore drops the floor only after Ink
51
51
  // has cleanly torn down (or never mounted on a bootstrap crash).
52
52
  const bootstrap = claimTerminalForRepl();
53
+ // beta.12 CEO dogfood 2026-05-26: auto-init .pugi/ workspace if missing.
54
+ // Without this, every fresh-dir REPL launch hung at "workspace: (not
55
+ // bound - run /init OR cd into project)" because /init was a tooltip,
56
+ // not an actual slash command. Calling ensureWorkspaceInitialized in
57
+ // silent mode here makes the workspace bind transparent on first boot —
58
+ // matches Claude Code's "just works" pattern. Idempotent on re-runs.
59
+ // Skippable via PUGI_NO_AUTO_INIT=1 for hermetic CI / read-only mounts.
60
+ if (process.env.PUGI_NO_AUTO_INIT !== '1') {
61
+ try {
62
+ const { ensureWorkspaceInitialized } = await import('../core/init/scaffold.js');
63
+ ensureWorkspaceInitialized(process.cwd(), { silent: true });
64
+ }
65
+ catch {
66
+ // Fail-safe: a read-only FS or perms error must never block the REPL.
67
+ // The status bar will surface "(not bound)" and the operator can
68
+ // still use commands; we just won't have a persisted .pugi/ dir.
69
+ }
70
+ }
53
71
  const transport = createProductionTransport();
54
72
  // Auto-bind the workspace context from process.cwd() so Mira knows
55
73
  // which repo the operator launched the CLI in. The resolver is
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pugi/cli",
3
- "version": "0.1.0-beta.10",
3
+ "version": "0.1.0-beta.12",
4
4
  "description": "Pugi CLI - terminal-native software execution system",
5
5
  "homepage": "https://pugi.io",
6
6
  "repository": {