@pugi/cli 0.1.0-beta.17 → 0.1.0-beta.19

package/dist/core/denial-tracking/state.js

@@ -0,0 +1,264 @@
+/**
+ * α7 L11 (2026-05-27) — DenialTrackingState surface (Claude Code parity).
+ *
+ * Per the openclaude / anarchic-CC leak research (`gap-analysis-3-repos`
+ * §5.2): Claude Code's `QueryEngine.ts` maintains a per-session
+ * `DenialTrackingState` that records every tool-dispatch denial.
+ * Subsequent turns receive a compact reminder so the model does not
+ * loop on the same refused operation, the operator can audit pressure
+ * points via `/permissions denials` / `/doctor`, and hooks can react
+ * to recurring patterns.
+ *
+ * Pugi pre-L11 surfaced denials only as a one-line sentinel inside the
+ * tool error (`HOOK_BLOCKED:`, `PLAN_MODE_REFUSED:`, `STALE_READ:`).
+ * The model saw each refusal in isolation; no aggregate, no count, no
+ * "do not retry" context across turns. This module closes that gap.
+ *
+ * Design contract:
+ *
+ *   - Per-session in-memory state. The engine adapter creates one
+ *     instance at session open and threads it through `buildExecutor`
+ *     + `runEngineLoop`. No disk persistence — denial history is a
+ *     turn-scoped signal, not a forensic log (the audit ledger at
+ *     `.pugi/events.jsonl` already carries every refused dispatch).
+ *
+ *   - Pure: no I/O, no logging. Inputs are passed by caller, output
+ *     is in-memory only. The diagnostics probe + system-reminder
+ *     splice are pure functions over the snapshot.
+ *
+ *   - Canonical argHash: sha256 of `canonicalize(args)`. Same call
+ *     to same tool with same args = same key. Reordering JSON object
+ *     keys does NOT change the hash (we sort keys recursively before
+ *     stringification). This makes "repeated denial" detection
+ *     deterministic across model retries.
+ *
+ *   - Bounded: the map caps at 256 entries per session. Once full,
+ *     `recordDenial` evicts the oldest entry (lowest `lastDeniedAt`).
+ *     A session with > 256 distinct denials is already pathological;
+ *     the cap is defensive insurance against pathological loops
+ *     blowing memory.
+ *
+ *   - Reminder threshold: the reminder splice only injects when at
+ *     least one record has `count >= 2`. One-off denials are normal
+ *     (the operator is shaping the session); repeated denials = the
+ *     model is failing to learn from the refusal and we should
+ *     reinforce it.
+ */
+import { createHash } from 'node:crypto';
+/** Bound on the per-session map. See module header. */
+export const DENIAL_TRACKING_MAX_ENTRIES = 256;
+/** Threshold above which `buildDenialContext` injects a system reminder. */
+export const DENIAL_REMINDER_THRESHOLD = 2;
+/** Per-denial-args summary cap surfaced to the model. */
+export const DENIAL_ARGS_SUMMARY_BYTES = 240;
+/**
+ * Per-session denial tracker. Instances are mutable but threaded
+ * through `buildExecutor` so every dispatcher in the loop sees the
+ * same view.
+ */
+export class DenialTrackingState {
+    /** Insertion-ordered map. Eviction walks oldest `lastDeniedAt`. */
+    records = new Map();
+    /**
+     * Wall clock. Defaults to `Date.now`. Injected so tests can drive
+     * deterministic timestamps.
+     */
+    clock;
+    constructor(options = {}) {
+        this.clock = options.clock ?? Date.now;
+    }
+    /**
+     * Record a denial. Increments the count when the (tool, args) pair
+     * has been denied before; otherwise inserts a new record. The reason
+     * is always overwritten with the latest value so the system reminder
+     * surfaces the most-recent context.
+     */
+    recordDenial(toolName, args, reason) {
+        const argHash = canonicalArgHash(args);
+        const key = `${toolName}:${argHash}`;
+        const now = new Date(this.clock());
+        const existing = this.records.get(key);
+        if (existing) {
+            existing.count += 1;
+            existing.lastDeniedAt = now;
+            existing.lastReason = truncateReason(reason);
+            // Re-insert so the iteration order tracks lastDeniedAt (LRU-ish).
+            this.records.delete(key);
+            this.records.set(key, existing);
+            return existing;
+        }
+        if (this.records.size >= DENIAL_TRACKING_MAX_ENTRIES) {
+            // Evict the oldest entry (insertion order = LRU after our delete
+            // + set pattern above). Map iteration order is insertion order
+            // in JS; the first key is the LRU one.
+            const oldestKey = this.records.keys().next().value;
+            if (oldestKey !== undefined) {
+                this.records.delete(oldestKey);
+            }
+        }
+        const record = {
+            key,
+            toolName,
+            argsSummary: summariseArgs(args),
+            firstDeniedAt: now,
+            lastDeniedAt: now,
+            count: 1,
+            lastReason: truncateReason(reason),
+        };
+        this.records.set(key, record);
+        return record;
+    }
+    /**
+     * Snapshot of every recorded denial. Returned in insertion order
+     * (LRU-ish: most-recently-touched at the tail). The caller MUST
+     * treat the array as read-only — mutating it does not affect state.
+     */
+    getDenialHistory() {
+        return Array.from(this.records.values()).map((r) => ({ ...r }));
+    }
+    /** Lookup the record for a specific (tool, args) pair, or undefined. */
+    getPatternFor(toolName, args) {
+        const argHash = canonicalArgHash(args);
+        const key = `${toolName}:${argHash}`;
+        const record = this.records.get(key);
+        return record ? { ...record } : undefined;
+    }
+    /**
+     * Aggregate counts — handy for `/doctor`, `/permissions denials`,
+     * and the system-reminder threshold check.
+     */
+    summary() {
+        let totalDenials = 0;
+        let repeatedPatterns = 0;
+        for (const record of this.records.values()) {
+            totalDenials += record.count;
+            if (record.count >= DENIAL_REMINDER_THRESHOLD)
+                repeatedPatterns += 1;
+        }
+        return {
+            totalDenials,
+            uniquePatterns: this.records.size,
+            repeatedPatterns,
+        };
+    }
+    /** Drop every recorded denial. Called on session end. */
+    clear() {
+        this.records.clear();
+    }
+    /** Number of distinct (tool, args) pairs currently tracked. */
+    size() {
+        return this.records.size;
+    }
+}
+/**
+ * Build the operator-facing system-reminder block. Returns an empty
+ * string when no record meets the threshold — the caller short-circuits
+ * the splice in that case.
+ *
+ * Rendered shape:
+ *
+ *   <denial-context>
+ *     - Tool `bash` denied 3 times in this session.
+ *       Last reason: HOOK_BLOCKED: PreToolUse refused (exit=1).
+ *       Args: {"command":"rm -rf node_modules"}
+ *       Do not retry without operator intervention.
+ *     - Tool `edit` denied 2 times in this session.
+ *       Last reason: STALE_READ: file changed since last read.
+ *       Args: {"path":"src/index.ts","oldString":"..."}
+ *       Do not retry without operator intervention.
+ *   </denial-context>
+ *
+ * Determinism: same snapshot always produces the same block. We sort
+ * entries by `count` descending then `lastDeniedAt` descending so the
+ * most-pressing patterns surface first.
+ */
+export function buildDenialContext(state) {
+    const records = state.getDenialHistory()
+        .filter((r) => r.count >= DENIAL_REMINDER_THRESHOLD)
+        .sort((a, b) => {
+        if (b.count !== a.count)
+            return b.count - a.count;
+        return b.lastDeniedAt.getTime() - a.lastDeniedAt.getTime();
+    });
+    if (records.length === 0)
+        return '';
+    const lines = ['<denial-context>'];
+    for (const record of records) {
+        lines.push(`  - Tool \`${record.toolName}\` denied ${record.count} times in this session.`);
+        lines.push(`    Last reason: ${record.lastReason}`);
+        lines.push(`    Args: ${record.argsSummary}`);
+        lines.push('    Do not retry without operator intervention.');
+    }
+    lines.push('</denial-context>');
+    return lines.join('\n');
+}
+/**
+ * Canonical sha256 of the args. Object keys are sorted recursively
+ * before stringification so `{a:1,b:2}` and `{b:2,a:1}` hash to the
+ * same value. Undefined values + functions are stripped (JSON.stringify
+ * already does this); circular refs throw — the caller is expected to
+ * pass plain JSON objects (every Pugi tool argument set is a JSON
+ * object by contract).
+ *
+ * Returns the full 64-char hex digest. The denial key prepends the
+ * tool name (`<tool>:<hash>`) so a hash collision across tools cannot
+ * confuse the matcher.
+ */
+export function canonicalArgHash(args) {
+    const canonical = canonicalize(args);
+    const hash = createHash('sha256');
+    hash.update(canonical);
+    return hash.digest('hex');
+}
+function canonicalize(value) {
+    if (value === null)
+        return 'null';
+    if (value === undefined)
+        return 'null';
+    const t = typeof value;
+    if (t === 'string')
+        return JSON.stringify(value);
+    if (t === 'number' || t === 'boolean')
+        return JSON.stringify(value);
+    if (t === 'bigint')
+        return JSON.stringify(value.toString());
+    if (Array.isArray(value)) {
+        return `[${value.map((entry) => canonicalize(entry)).join(',')}]`;
+    }
+    if (t === 'object') {
+        const obj = value;
+        const keys = Object.keys(obj).sort();
+        const parts = keys.map((k) => `${JSON.stringify(k)}:${canonicalize(obj[k])}`);
+        return `{${parts.join(',')}}`;
+    }
+    // Functions / symbols — neither should reach here for tool args.
+    // Stringify defensively so the hash is stable.
+    return JSON.stringify(String(value));
+}
+/**
+ * Short, operator-readable preview of the args object. Cap so a
+ * 32 KB write payload does not blow up the reminder block. Falls back
+ * к `[non-JSON args]` when stringification fails (e.g. a circular ref
+ * snuck through — unlikely for tool args by contract).
+ */
+function summariseArgs(args) {
+    let stringified;
+    try {
+        stringified = JSON.stringify(args);
+    }
+    catch {
+        return '[non-JSON args]';
+    }
+    if (stringified === undefined)
+        return '{}';
+    if (stringified.length <= DENIAL_ARGS_SUMMARY_BYTES)
+        return stringified;
+    return `${stringified.slice(0, DENIAL_ARGS_SUMMARY_BYTES)}…`;
+}
+/** Cap reason at a sane length so a hook script's stdout cannot flood the reminder. */
+function truncateReason(reason, cap = 240) {
+    if (reason.length <= cap)
+        return reason;
+    return `${reason.slice(0, cap)}…`;
+}
+//# sourceMappingURL=state.js.map

package/dist/core/diagnostics/probe-runner.js

@@ -0,0 +1,93 @@
+/**
+ * Probe runner — orchestrates a set of diagnostic probes in parallel
+ * with per-probe fail-isolation + a global wall-clock budget.
+ *
+ * Design contract:
+ *
+ *   - Probes are independent: one probe's throw or timeout NEVER stops
+ *     the others. The runner wraps each call in a try/catch + a
+ *     `Promise.race` against a timeout sentinel.
+ *
+ *   - Order preservation: the returned `probes[]` array preserves the
+ *     input order so the table renderer always lists rows in the same
+ *     sequence (operators rely on muscle memory: "auth is the first
+ *     row, api is the second").
+ *
+ *   - No I/O ownership: the runner owns ZERO file or network calls.
+ *     Every external dependency is injected via the probe function
+ *     itself. This keeps the test surface minimal and verifies the
+ *     fail-isolation contract without spinning real subprocesses.
+ *
+ *   - Crashes attributed to the probe: a probe that throws maps to a
+ *     synthetic `error` ProbeResult with the probe name + the error
+ *     message. A probe that exceeds the timeout becomes a synthetic
+ *     `warn` (timing out is asymmetric — the host is reachable but
+ *     slow).
+ *
+ *   - The aggregate `DoctorReport` shape comes straight from
+ *     `types.ts` so the doctor command + the Ink table renderer both
+ *     consume the same struct without any glue layer.
+ */
+import { computeOverall, countProbes, } from './types.js';
+/**
+ * Run a set of probes in parallel and produce a structured report.
+ * Never throws — every failure mode maps to a structured ProbeResult.
+ */
+export async function runProbes(probes, options = {}) {
+    const now = options.now ?? Date.now;
+    const defaultTimeoutMs = options.defaultTimeoutMs ?? 5_000;
+    const startedAt = now();
+    // Each probe is wrapped in a fail-isolation envelope.
+    const results = await Promise.all(probes.map(async (entry) => runOne(entry, defaultTimeoutMs)));
+    const overall = computeOverall(results);
+    const counts = countProbes(results);
+    const durationMs = now() - startedAt;
+    return {
+        probes: results,
+        overall,
+        counts,
+        durationMs,
+    };
+}
+async function runOne(entry, defaultTimeoutMs) {
+    const budget = entry.timeoutMs ?? defaultTimeoutMs;
+    try {
+        return await raceWithTimeout(entry, budget);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (error instanceof ProbeTimeoutError) {
+            return {
+                name: entry.name,
+                status: 'warn',
+                detail: `Probe timed out after ${budget}ms`,
+                remediation: 'Re-run later; the host or registry may be slow',
+            };
+        }
+        return {
+            name: entry.name,
+            status: 'error',
+            detail: `Probe crashed: ${message}`,
+        };
+    }
+}
+class ProbeTimeoutError extends Error {
+    constructor(name, budgetMs) {
+        super(`Probe ${name} exceeded ${budgetMs}ms`);
+        this.name = 'ProbeTimeoutError';
+    }
+}
+async function raceWithTimeout(entry, budgetMs) {
+    let timer;
+    const timeoutPromise = new Promise((_, reject) => {
+        timer = setTimeout(() => reject(new ProbeTimeoutError(entry.name, budgetMs)), budgetMs);
+    });
+    try {
+        return await Promise.race([entry.run(), timeoutPromise]);
+    }
+    finally {
+        if (timer !== undefined)
+            clearTimeout(timer);
+    }
+}
+//# sourceMappingURL=probe-runner.js.map

package/dist/core/diagnostics/probes/api.js

@@ -0,0 +1,46 @@
+/**
+ * API probe — verifies `api.pugi.io` (or the active apiUrl) is
+ * reachable WITHOUT requiring a valid auth token. The auth probe
+ * covers the credentialed path; this probe answers the orthogonal
+ * "is the network broken" question so the operator can disambiguate
+ * "I'm offline" from "my token is bad" without reading two probe
+ * details together.
+ *
+ * Success criteria: any HTTP response (including 401 unauthenticated)
+ * proves the host is reachable. A thrown fetch (DNS / TCP / TLS
+ * failure) is the only true failure mode.
+ */
+export async function probeApi(ctx, deps) {
+    const apiUrl = deps.resolveApiUrl(ctx.env);
+    const startedAt = deps.now();
+    try {
+        const response = await deps.fetchImpl(`${stripTrailingSlash(apiUrl)}/api/pugi/health`, {
+            method: 'GET',
+        });
+        const latencyMs = deps.now() - startedAt;
+        // Any HTTP response confirms the host is reachable. The auth probe
+        // is responsible for verdicting the 401 / 200 split — here we just
+        // confirm we can talk to the server.
+        return {
+            name: 'API',
+            status: 'ok',
+            detail: `${apiUrl} reachable (${response.status})`,
+            latencyMs,
+        };
+    }
+    catch (error) {
+        const latencyMs = deps.now() - startedAt;
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            name: 'API',
+            status: 'error',
+            detail: `Cannot reach ${apiUrl}`,
+            latencyMs,
+            remediation: `Check network or override with PUGI_API_URL: ${message}`,
+        };
+    }
+}
+function stripTrailingSlash(url) {
+    return url.endsWith('/') ? url.slice(0, -1) : url;
+}
+//# sourceMappingURL=api.js.map

package/dist/core/diagnostics/probes/auth.js

@@ -0,0 +1,86 @@
+/**
+ * AUTH probe — verifies the active credential resolves to a working
+ * Bearer token by calling `GET /api/pugi/health` with it.
+ *
+ * Failure modes (deterministic mapping):
+ *   - no credential found in env or `~/.pugi/credentials.json`
+ *       → status `error`, remediation = `pugi login`
+ *   - credential exists but server returns 401/403
+ *       → status `error`, remediation = `pugi login` (token expired/revoked)
+ *   - credential exists but server returns 5xx OR network fails
+ *       → status `warn` (server-side; don't blame the operator)
+ *   - credential exists and server returns 200
+ *       → status `ok` (latency captured)
+ *
+ * NOTE: the probe must NEVER log the token itself. Memory hit
+ * `feedback_no_claude_attribution_anywhere_hard_rule` plus the CSO
+ * sweep on bearer leaks (history: PR-AGENT-MERGE-GATE 2026-05-15)
+ * frame why this is enforced at the probe layer.
+ */
+export async function probeAuth(ctx, deps) {
+    const credential = deps.resolveCredential(ctx.env, ctx.home);
+    if (!credential) {
+        return {
+            name: 'AUTH',
+            status: 'error',
+            detail: 'No credential — no PUGI_API_KEY env and no ~/.pugi/credentials.json',
+            remediation: 'Run `pugi login` to authenticate',
+        };
+    }
+    const startedAt = deps.now();
+    let response;
+    try {
+        response = await deps.fetchImpl(`${stripTrailingSlash(credential.apiUrl)}/api/pugi/health`, {
+            method: 'GET',
+            headers: {
+                Authorization: `Bearer ${credential.apiKey}`,
+            },
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            name: 'AUTH',
+            status: 'warn',
+            detail: `Auth check skipped — network error contacting ${credential.apiUrl}`,
+            remediation: `Verify network: ${message}`,
+        };
+    }
+    const latencyMs = deps.now() - startedAt;
+    if (response.status === 401 || response.status === 403) {
+        return {
+            name: 'AUTH',
+            status: 'error',
+            detail: `Token rejected (${response.status}) by ${credential.apiUrl}`,
+            latencyMs,
+            remediation: 'Token expired or revoked — run `pugi login`',
+        };
+    }
+    if (response.status >= 500) {
+        return {
+            name: 'AUTH',
+            status: 'warn',
+            detail: `Server error ${response.status} from ${credential.apiUrl}`,
+            latencyMs,
+            remediation: 'Try again in a moment; if it persists, check api.pugi.io status',
+        };
+    }
+    if (response.status !== 200) {
+        return {
+            name: 'AUTH',
+            status: 'warn',
+            detail: `Unexpected status ${response.status} from /api/pugi/health`,
+            latencyMs,
+        };
+    }
+    return {
+        name: 'AUTH',
+        status: 'ok',
+        detail: `Authenticated against ${credential.apiUrl}`,
+        latencyMs,
+    };
+}
+function stripTrailingSlash(url) {
+    return url.endsWith('/') ? url.slice(0, -1) : url;
+}
+//# sourceMappingURL=auth.js.map

package/dist/core/diagnostics/probes/cli-version.js

@@ -0,0 +1,127 @@
+/**
+ * CLI VERSION probe — compares the running @pugi/cli version against
+ * the npm registry's `latest` tag. Surfaces an upgrade banner when
+ * the operator is behind.
+ *
+ * Semver comparison is intentionally minimal — we only need to answer
+ * "is local strictly older than latest" for the WARN gate. Edge cases
+ * (pre-release ordering, build metadata) collapse к string equality
+ * because the publish pipeline only tags clean `X.Y.Z[-channel.N]`.
+ *
+ * Network failure is NOT an error — the operator is offline, that's
+ * a transient condition surfaced by the API probe; this probe reports
+ * `warn` so the doctor table still ships a usable verdict.
+ */
+const REGISTRY_URL = 'https://registry.npmjs.org/@pugi/cli/latest';
+/**
+ * Strict-newer comparison. Returns true when `b` is strictly newer
+ * than `a`. Treats unparseable inputs as equal (no false-positive
+ * upgrade banner on a hand-edited local version).
+ */
+export function isNewerVersion(a, b) {
+    const left = parseSemver(a);
+    const right = parseSemver(b);
+    if (!left || !right)
+        return false;
+    if (right.major !== left.major)
+        return right.major > left.major;
+    if (right.minor !== left.minor)
+        return right.minor > left.minor;
+    if (right.patch !== left.patch)
+        return right.patch > left.patch;
+    // Same X.Y.Z — pre-release ordering: a stable release is newer
+    // than any pre-release of the same X.Y.Z; otherwise compare
+    // pre-release tokens lexicographically as a coarse heuristic
+    // sufficient for the upgrade banner.
+    if (!right.pre && left.pre)
+        return true;
+    if (right.pre && !left.pre)
+        return false;
+    if (right.pre && left.pre)
+        return right.pre > left.pre;
+    return false;
+}
+function parseSemver(version) {
+    const match = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
+    if (!match)
+        return null;
+    const major = Number(match[1]);
+    const minor = Number(match[2]);
+    const patch = Number(match[3]);
+    if (!Number.isFinite(major) || !Number.isFinite(minor) || !Number.isFinite(patch)) {
+        return null;
+    }
+    return { major, minor, patch, pre: match[4] ?? '' };
+}
+export async function probeCliVersion(deps) {
+    const url = deps.registryUrl ?? REGISTRY_URL;
+    const timeoutMs = deps.timeoutMs ?? 3_000;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    const startedAt = deps.now();
+    let response;
+    try {
+        response = await deps.fetchImpl(url, {
+            method: 'GET',
+            headers: { Accept: 'application/json' },
+            signal: controller.signal,
+        });
+    }
+    catch (error) {
+        clearTimeout(timer);
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            name: 'CLI VERSION',
+            status: 'warn',
+            detail: `local=${deps.localVersion} — registry unreachable`,
+            remediation: `Skip-able. Network error: ${message}`,
+        };
+    }
+    clearTimeout(timer);
+    const latencyMs = deps.now() - startedAt;
+    if (!response.ok) {
+        return {
+            name: 'CLI VERSION',
+            status: 'warn',
+            detail: `local=${deps.localVersion} — registry returned ${response.status}`,
+            latencyMs,
+        };
+    }
+    let body;
+    try {
+        body = (await response.json());
+    }
+    catch {
+        return {
+            name: 'CLI VERSION',
+            status: 'warn',
+            detail: `local=${deps.localVersion} — registry JSON unparseable`,
+            latencyMs,
+        };
+    }
+    const remote = body.version;
+    if (typeof remote !== 'string' || remote.length === 0) {
+        return {
+            name: 'CLI VERSION',
+            status: 'warn',
+            detail: `local=${deps.localVersion} — registry response missing version`,
+            latencyMs,
+        };
+    }
+    if (isNewerVersion(deps.localVersion, remote)) {
+        return {
+            name: 'CLI VERSION',
+            status: 'warn',
+            detail: `local=${deps.localVersion}, latest=${remote}`,
+            latencyMs,
+            remediation: 'Run `npm i -g @pugi/cli@latest` to upgrade',
+        };
+    }
+    return {
+        name: 'CLI VERSION',
+        status: 'ok',
+        detail: `${deps.localVersion} (latest)`,
+        latencyMs,
+    };
+}
+//# sourceMappingURL=cli-version.js.map

package/dist/core/diagnostics/probes/config.js

@@ -0,0 +1,72 @@
+/**
+ * CONFIG probe — verifies `~/.pugi/credentials.json` exists, parses,
+ * and carries the canonical shape (a `tokens` array). Lighter-weight
+ * than the auth probe (no network); catches `corrupted JSON` /
+ * `accidentally overwrote with empty file` / `bad permissions` cases
+ * that would otherwise surface as confusing errors deeper in the
+ * auth path.
+ *
+ * Absence of the file is NOT an error here — the operator may not
+ * have run `pugi login` yet. That case is caught by the AUTH probe
+ * with a clean "run pugi login" remediation. CONFIG's job is to
+ * verify the file is sane WHEN it exists.
+ */
+export function probeConfig(ctx, fs) {
+    const credPath = `${ctx.home}/.pugi/credentials.json`;
+    if (!fs.existsSync(credPath)) {
+        return {
+            name: 'CONFIG',
+            status: 'skipped',
+            detail: '~/.pugi/credentials.json absent (operator has not logged in)',
+        };
+    }
+    let raw;
+    try {
+        raw = fs.readFileSync(credPath, 'utf8');
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            name: 'CONFIG',
+            status: 'error',
+            detail: `Cannot read ~/.pugi/credentials.json`,
+            remediation: `Fix permissions or delete and re-login: ${message}`,
+        };
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            name: 'CONFIG',
+            status: 'error',
+            detail: `~/.pugi/credentials.json is not valid JSON`,
+            remediation: `Delete and re-login: ${message}`,
+        };
+    }
+    if (!parsed || typeof parsed !== 'object') {
+        return {
+            name: 'CONFIG',
+            status: 'error',
+            detail: `credentials.json root is not an object`,
+            remediation: 'Delete and re-login',
+        };
+    }
+    const tokens = parsed.tokens;
+    if (!Array.isArray(tokens)) {
+        return {
+            name: 'CONFIG',
+            status: 'error',
+            detail: `credentials.json missing required \`tokens\` array`,
+            remediation: 'Delete and re-login',
+        };
+    }
+    return {
+        name: 'CONFIG',
+        status: 'ok',
+        detail: `~/.pugi/credentials.json valid (${tokens.length} token(s) stored)`,
+    };
+}
+//# sourceMappingURL=config.js.map