@pugi/cli 0.1.0-beta.2 → 0.1.0-beta.20

package/dist/core/mcp/server.js

@@ -0,0 +1,397 @@
+import { EventEmitter } from 'node:events';
+/**
+ * Pugi MCP server (β4 M2) — exposes Pugi's native tool surface to other
+ * agents (Claude Code, OpenCode, Codex CLI, any client that speaks
+ * MCP).
+ *
+ * Transport-agnostic core. The stdio entry-point lives at the bottom of
+ * this module (`serveStdio`); the HTTP+SSE wrapper lives in
+ * `./http-server.ts` and feeds the same core via the synchronous
+ * `handleMessage` entry-point.
+ *
+ * Spec: https://modelcontextprotocol.io/specification (2024-11-05).
+ *
+ * Methods implemented:
+ *   - `initialize`               -> protocol handshake, server capabilities
+ *   - `notifications/initialized` -> ack, no-op
+ *   - `tools/list`               -> Pugi tool schemas
+ *   - `tools/call`               -> dispatch to the underlying executor
+ *   - `ping`                     -> liveness, returns `{}` (some MCP clients
+ *                                   poll this on a HTTP transport)
+ *
+ * NOT yet implemented (deferred — these are not on the β4 acceptance
+ * surface):
+ *   - `resources/*`              — file resource browser
+ *   - `prompts/*`                — server-supplied prompts
+ *   - `sampling/*`               — agent sampling callbacks
+ *   - `notifications/cancelled`  — client-side cancellation (we honour
+ *                                   the AbortSignal passed at construction
+ *                                   instead)
+ *
+ * Why hand-rolled instead of `@modelcontextprotocol/sdk`:
+ *   - The SDK ships every transport (stdio, HTTP, WebSocket, SSE) and
+ *     drags in a 3 MB compressed dependency footprint. Pugi-CLI ships as
+ *     `npm i -g pugi` and every transitive dep is supply-chain risk.
+ *   - The core JSON-RPC envelope is <500 LOC and we already maintain the
+ *     client-side variant in `./client.ts` — keeping the server matching
+ *     hand-roll lets a code reviewer hold both sides of the wire in one
+ *     head.
+ *   - Pugi-specific extensions (permission FSM hooks on `tools/call`,
+ *     bearer-auth attestation on HTTP, scope-limited tool filtering for
+ *     paired-agent worktrees) drop in cleanly because we own the
+ *     dispatch table.
+ */
+/* ---------- protocol types (mirror client.ts conventions) ----------------- */
+export const PUGI_MCP_PROTOCOL_VERSION = '2024-11-05';
+export const PUGI_MCP_SERVER_NAME = 'pugi';
+export const PUGI_MCP_SERVER_VERSION = '0.1.0';
+/** JSON-RPC standard error codes used by the server. */
+export const MCP_ERROR_CODES = Object.freeze({
+    PARSE_ERROR: -32700,
+    INVALID_REQUEST: -32600,
+    METHOD_NOT_FOUND: -32601,
+    INVALID_PARAMS: -32602,
+    INTERNAL_ERROR: -32603,
+    /**
+     * Pugi-specific: operator-side permission gate refused this tool call.
+     * Distinct from generic INTERNAL_ERROR so MCP clients can surface a
+     * "permission denied" status to their user.
+     */
+    PERMISSION_REFUSED: -32001,
+    /**
+     * Pugi-specific: HTTP transport saw an invalid or missing bearer
+     * token. Stdio transport never emits this code (no auth).
+     */
+    AUTH_REQUIRED: -32002,
+});
+export class McpServerToolError extends Error {
+    code;
+    constructor(message, code = MCP_ERROR_CODES.INTERNAL_ERROR) {
+        super(message);
+        this.name = 'McpServerToolError';
+        this.code = code;
+    }
+}
+/**
+ * Build a Pugi MCP server bound to a fixed tool surface. Stateless
+ * between requests — the same instance can drive many concurrent stdio
+ * connections (one per child process) without cross-talk.
+ */
+export function createPugiMcpServer(options) {
+    const events = new EventEmitter();
+    // Build a lookup by name once at construction. Duplicate names are a
+    // programmer error and we throw eagerly so the bug surfaces in the
+    // boot path, not at the first `tools/call`.
+    const byName = new Map();
+    for (const tool of options.tools) {
+        // Reject names that would re-encode as MCP `mcp__<server>__<tool>`
+        // false-positively on the consumer side — a server name containing
+        // `__` makes parseMcpToolName misalign the split. We surface the
+        // bug here, not at first dispatch. β4 r1 P2.
+        if (tool.name.includes('__')) {
+            throw new Error(`pugi mcp server: tool name "${tool.name}" must not contain "__" (collides with mcp__<server>__<tool> naming)`);
+        }
+        if (byName.has(tool.name)) {
+            throw new Error(`pugi mcp server: duplicate tool name "${tool.name}" — every tool in the surface must be unique`);
+        }
+        byName.set(tool.name, tool);
+    }
+    const tools = Array.from(byName.values()).sort((a, b) => a.name.localeCompare(b.name));
+    const log = options.log ?? (() => { });
+    if (typeof options.permissionGate !== 'function') {
+        throw new Error('pugi mcp server: options.permissionGate is required (β4 r1 P1 #2 — no implicit allow-all default)');
+    }
+    const permissionGate = options.permissionGate;
+    const requireInitialized = options.requireInitialized !== false;
+    let initialized = false;
+    async function dispatch(method, params, clientId) {
+        switch (method) {
+            case 'initialize': {
+                // The MCP spec permits multiple `initialize` calls before
+                // `notifications/initialized` settles the handshake — we just
+                // re-affirm. After init, repeated `initialize` is harmless on
+                // our side and lets the client recover from a state desync.
+                return {
+                    protocolVersion: PUGI_MCP_PROTOCOL_VERSION,
+                    capabilities: {
+                        tools: { listChanged: false },
+                    },
+                    serverInfo: {
+                        name: PUGI_MCP_SERVER_NAME,
+                        version: PUGI_MCP_SERVER_VERSION,
+                    },
+                };
+            }
+            case 'ping': {
+                return {};
+            }
+            case 'tools/list': {
+                return {
+                    tools: tools.map((tool) => ({
+                        name: tool.name,
+                        description: tool.description,
+                        inputSchema: tool.inputSchema,
+                    })),
+                };
+            }
+            case 'tools/call': {
+                if (options.signal?.aborted) {
+                    throw new McpServerToolError('server shutting down', MCP_ERROR_CODES.INTERNAL_ERROR);
+                }
+                // β4 r1 P2 — require `initialize` + `notifications/initialized`
+                // handshake first. Without this, an attacker with the bearer
+                // token can dispatch a `tools/call` without ever advertising
+                // client capabilities; the MCP spec mandates the handshake.
+                if (requireInitialized && !initialized) {
+                    throw new McpServerToolError('tools/call: MCP handshake not complete — send `initialize` + `notifications/initialized` first', MCP_ERROR_CODES.INVALID_REQUEST);
+                }
+                const p = (params ?? {});
+                const rawName = p['name'];
+                if (typeof rawName !== 'string') {
+                    throw new McpServerToolError('tools/call: params.name (string) is required', MCP_ERROR_CODES.INVALID_PARAMS);
+                }
+                // Trim whitespace-only names so the lookup fails fast with
+                // METHOD_NOT_FOUND instead of silently matching an entry that
+                // happens to share leading/trailing whitespace. β4 r1 P2.
+                const toolName = rawName.trim();
+                if (toolName.length === 0) {
+                    throw new McpServerToolError('tools/call: params.name (string) is required', MCP_ERROR_CODES.INVALID_PARAMS);
+                }
+                const tool = byName.get(toolName);
+                if (!tool) {
+                    throw new McpServerToolError(`tools/call: tool "${toolName}" is not registered`, MCP_ERROR_CODES.METHOD_NOT_FOUND);
+                }
+                const rawArgs = p['arguments'];
+                let args;
+                if (rawArgs === undefined || rawArgs === null) {
+                    args = {};
+                }
+                else if (typeof rawArgs === 'object' && !Array.isArray(rawArgs)) {
+                    args = rawArgs;
+                }
+                else {
+                    throw new McpServerToolError('tools/call: params.arguments must be a JSON object', MCP_ERROR_CODES.INVALID_PARAMS);
+                }
+                const allowed = await permissionGate({
+                    tool,
+                    arguments: args,
+                    ...(clientId ? { clientId } : {}),
+                });
+                if (!allowed) {
+                    log('warn', `permission refused: ${tool.name}`);
+                    throw new McpServerToolError(`permission refused by operator: ${tool.name}`, MCP_ERROR_CODES.PERMISSION_REFUSED);
+                }
+                // Stamp clientId on emitted events so the HTTP transport can
+                // route them to the originating SSE listener instead of
+                // broadcasting to every bearer-holder (β4 r1 P1 #5).
+                events.emit('tool_call', {
+                    name: tool.name,
+                    args,
+                    ...(clientId ? { clientId } : {}),
+                });
+                try {
+                    const text = await tool.execute(args);
+                    events.emit('tool_result', {
+                        name: tool.name,
+                        ok: true,
+                        summary: text.slice(0, 200),
+                        ...(clientId ? { clientId } : {}),
+                    });
+                    return {
+                        content: [{ type: 'text', text }],
+                        isError: false,
+                    };
+                }
+                catch (error) {
+                    const message = error instanceof Error ? error.message : String(error);
+                    events.emit('tool_result', {
+                        name: tool.name,
+                        ok: false,
+                        summary: message.slice(0, 200),
+                        ...(clientId ? { clientId } : {}),
+                    });
+                    // Tool-level failures surface as MCP `isError: true` content —
+                    // the client knows the call ran but failed, distinct from a
+                    // protocol-level error (bad tool name, malformed params).
+                    return {
+                        content: [{ type: 'text', text: message }],
+                        isError: true,
+                    };
+                }
+            }
+            case 'notifications/initialized': {
+                initialized = true;
+                events.emit('initialized');
+                return null;
+            }
+            default: {
+                if (method.startsWith('notifications/')) {
+                    // Silently accept unknown notifications — the spec requires
+                    // they be ignored, not errored.
+                    return null;
+                }
+                throw new McpServerToolError(`method not found: ${method}`, MCP_ERROR_CODES.METHOD_NOT_FOUND);
+            }
+        }
+    }
+    async function handleMessage(request) {
+        const clientId = request.meta?.clientId;
+        // Notifications never get a response.
+        const isNotification = request.id === undefined || request.id === null;
+        if (isNotification) {
+            try {
+                await dispatch(request.method, request.params, clientId);
+            }
+            catch (error) {
+                log('error', `notification handler threw: ${error.message}`);
+            }
+            return null;
+        }
+        const id = request.id;
+        try {
+            const result = await dispatch(request.method, request.params, clientId);
+            // dispatch may return null for void responses (notifications) —
+            // but we already filtered those above. Treat null here as `{}`.
+            return {
+                jsonrpc: '2.0',
+                id,
+                result: result ?? {},
+            };
+        }
+        catch (error) {
+            const isToolError = error instanceof McpServerToolError;
+            const code = isToolError ? error.code : MCP_ERROR_CODES.INTERNAL_ERROR;
+            const message = error instanceof Error ? error.message : String(error);
+            log('error', `dispatch ${request.method} (id=${id}) failed: ${message}`);
+            return {
+                jsonrpc: '2.0',
+                id,
+                error: { code, message },
+            };
+        }
+    }
+    return {
+        handleMessage,
+        events,
+        listToolsSync() {
+            return tools.slice();
+        },
+        // Internal: exposed to tests via type assertion when they want to
+        // verify the initialized flag advanced. Not part of the public
+        // interface intentionally — production callers should listen on
+        // `events` instead.
+        // @ts-expect-error — debug accessor
+        _isInitialized() {
+            return initialized;
+        },
+    };
+}
+/**
+ * Run the server on stdio. Reads one JSON-RPC line per request from
+ * stdin, writes the response (or nothing for notifications) as one line
+ * to stdout. Lines are `\n`-terminated UTF-8 JSON.
+ *
+ * Returns a promise that resolves when stdin closes. The caller can race
+ * it against `signal` to force shutdown — the stdio reader is shielded
+ * by the same signal, so an abort terminates the line loop cleanly.
+ */
+export async function serveStdio(options) {
+    const stdin = options.stdin ?? process.stdin;
+    const stdout = options.stdout ?? process.stdout;
+    const { server, signal } = options;
+    return new Promise((resolve) => {
+        let buffer = '';
+        let closed = false;
+        const finish = () => {
+            if (closed)
+                return;
+            closed = true;
+            stdin.off('data', onData);
+            stdin.off('end', finish);
+            stdin.off('close', finish);
+            if (signal) {
+                signal.removeEventListener('abort', finish);
+            }
+            resolve();
+        };
+        const writeFrame = (response) => {
+            stdout.write(`${JSON.stringify(response)}\n`);
+        };
+        const writeParseError = (id, message) => {
+            writeFrame({
+                jsonrpc: '2.0',
+                id,
+                error: { code: MCP_ERROR_CODES.PARSE_ERROR, message },
+            });
+        };
+        const processLine = async (line) => {
+            const trimmed = line.trim();
+            if (trimmed.length === 0)
+                return;
+            let parsed;
+            try {
+                parsed = JSON.parse(trimmed);
+            }
+            catch (error) {
+                writeParseError(null, `invalid JSON: ${error.message}`);
+                return;
+            }
+            if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+                writeParseError(null, 'request must be a JSON object');
+                return;
+            }
+            const candidate = parsed;
+            if (candidate.jsonrpc !== '2.0' || typeof candidate.method !== 'string') {
+                writeParseError(typeof candidate.id === 'number' || typeof candidate.id === 'string'
+                    ? candidate.id
+                    : null, 'invalid JSON-RPC envelope: jsonrpc=2.0 + string method required');
+                return;
+            }
+            // Stdio is a single-tenant transport — the parent process owns
+            // both ends — so we intentionally drop any inbound `meta.clientId`.
+            // Per-connection scoping only makes sense for HTTP+SSE.
+            const request = {
+                jsonrpc: '2.0',
+                method: candidate.method,
+                ...(candidate.id !== undefined ? { id: candidate.id } : {}),
+                ...(candidate.params !== undefined ? { params: candidate.params } : {}),
+            };
+            const response = await server.handleMessage(request);
+            if (response)
+                writeFrame(response);
+        };
+        const onData = (chunk) => {
+            buffer += typeof chunk === 'string' ? chunk : chunk.toString('utf8');
+            let newlineIndex = buffer.indexOf('\n');
+            while (newlineIndex !== -1) {
+                const line = buffer.slice(0, newlineIndex);
+                buffer = buffer.slice(newlineIndex + 1);
+                // Fire-and-forget the line handler; ordering of responses
+                // matches request ordering at the protocol level because the
+                // dispatch is microtask-serialized via the await above for
+                // each line — Node iterates `data` callbacks synchronously,
+                // and processLine awaits the dispatcher before returning so
+                // the next iteration of the loop sees the prior one settled.
+                void processLine(line);
+                newlineIndex = buffer.indexOf('\n');
+            }
+        };
+        if (signal) {
+            if (signal.aborted) {
+                finish();
+                return;
+            }
+            signal.addEventListener('abort', finish, { once: true });
+        }
+        if (!stdin.readable) {
+            // Stream already closed (e.g. parent piped EOF immediately).
+            finish();
+            return;
+        }
+        stdin.setEncoding('utf8');
+        stdin.on('data', onData);
+        stdin.on('end', finish);
+        stdin.on('close', finish);
+    });
+}
+//# sourceMappingURL=server.js.map

package/dist/core/permissions/gate.js

@@ -0,0 +1,187 @@
+/**
+ * Permission gate — Leak L6 canonical 4-mode enforcement.
+ *
+ * Single dispatch entry point. Every tool call goes through `gate()`
+ * before the executor runs the tool body; the executor surfaces the
+ * `PermissionDenied` error as a model-readable sentinel so the model
+ * can either reformulate the request or wait for the operator to
+ * change the mode.
+ *
+ * Routing matrix (mode × class):
+ *
+ *                 |  read  | write  | dispatch
+ *   plan          |  allow |  deny  |  deny
+ *   ask           |  ask   |  ask   |  ask
+ *   allow         |  allow |  allow |  allow
+ *   bypass        |  allow |  allow |  allow   (plus: hooks bypassed)
+ *
+ * In ask mode the gate consults a session-scoped `always-allow` cache
+ * keyed by tool name (set when the operator picks "always-allow-tool"
+ * in the prompt). The cache is in-memory only — restarting the session
+ * resets it, by design (every-session-fresh ask consent).
+ *
+ * Bypass mode does NOT take a different code path in this module — the
+ * `hooksBypassed` flag in the decision payload signals the executor /
+ * hook layer to skip policy hooks. The classification logic is the
+ * same as `allow` because the gate doesn't own hook execution; the
+ * caller decides what to do with the bypass signal.
+ */
+import { getToolClass } from './tool-class.js';
+export const ASK_OPTIONS = Object.freeze([
+    'allow-once',
+    'always-this-tool',
+    'deny-once',
+    'always-deny-this-tool',
+]);
+export function createAskAlwaysCache() {
+    return {
+        alwaysAllowed: new Set(),
+        alwaysDenied: new Set(),
+    };
+}
+/**
+ * Apply the operator's answer to an `ask` decision. Caller invokes this
+ * after the operator picks an option so the cache stays in sync.
+ * Returns the effective decision: `allow-once` / `always-this-tool`
+ * become `allow`; `deny-once` / `always-deny-this-tool` become `deny`.
+ *
+ * `always-*` answers persist to the cache and short-circuit the next
+ * gate call for the same tool name within the same session.
+ */
+export function applyAskAnswer(cache, toolName, answer) {
+    switch (answer) {
+        case 'allow-once':
+            return { decision: 'allow', reason: `Allowed once for ${toolName}` };
+        case 'always-this-tool':
+            cache.alwaysAllowed.add(toolName);
+            cache.alwaysDenied.delete(toolName);
+            return { decision: 'allow', reason: `Allowed for ${toolName} this session` };
+        case 'deny-once':
+            return { decision: 'deny', reason: `Denied once for ${toolName}` };
+        case 'always-deny-this-tool':
+            cache.alwaysDenied.add(toolName);
+            cache.alwaysAllowed.delete(toolName);
+            return { decision: 'deny', reason: `Denied for ${toolName} this session` };
+    }
+}
+/**
+ * Permission-denied sentinel. Distinguishable from other tool errors
+ * (parse errors, IO failures) so the caller can route the message back
+ * to the model with the canonical recovery hint.
+ */
+export class PermissionDenied extends Error {
+    name = 'PermissionDenied';
+    mode;
+    toolName;
+    toolClass;
+    /**
+     * Human-friendly reason surfaced in logs / hook payloads. Distinct
+     * from `message` so the spec layer can pattern-match the canonical
+     * `PERMISSION_DENIED:` sentinel verbatim while operators see the
+     * full explanation in console output.
+     */
+    reason;
+    constructor(toolName, toolClass, mode, reason) {
+        // The base Error.message is the canonical sentinel so default
+        // toString() / re-throw paths preserve the format the model and
+        // the spec layer pattern-match against.
+        super(`PERMISSION_DENIED: ${toolName} blocked in ${mode} mode. Operator can switch with /permissions <mode>.`);
+        this.mode = mode;
+        this.toolName = toolName;
+        this.toolClass = toolClass;
+        this.reason = reason;
+    }
+    /**
+     * Render the sentinel message the executor surfaces to the model.
+     * The string format is stable so a parent agent / E2E spec can
+     * pattern-match `PERMISSION_DENIED: <tool> blocked in <mode> mode.`
+     * verbatim. Equivalent to `this.message`; kept as a method so
+     * downstream callers can use whichever spelling reads better at the
+     * site.
+     */
+    toModelMessage() {
+        return this.message;
+    }
+}
+/**
+ * Core dispatch gate. Pure function — no IO, no side effects beyond
+ * mutating the caller-supplied `alwaysCache`. Safe to call from any
+ * layer (engine adapter, agent-as-tool bridge, doctor command).
+ *
+ * Argument bag mirrors the executor entry shape:
+ *   - `toolName` is the registered tool key (e.g. `read`, `write`,
+ *     `mcp__github__list_issues`).
+ *   - `args` is the raw arg payload. Currently unused in the routing
+ *     decision — the matrix only cares about class. Plumbed in
+ *     because future "always-allow-this-pattern" rules (e.g.
+ *     `git status` auto-allow) will consume it without changing the
+ *     callsite contract.
+ *   - `ctx` carries mode + session-scoped state.
+ */
+export function gate(toolName, 
+// Reserved for future pattern-based rules (always-allow `git status`).
+// Suppress unused-argument lint — the contract is stable on purpose.
+_args, ctx) {
+    const toolClass = getToolClass(toolName);
+    const cache = ctx.alwaysCache;
+    // Ask-mode session memory: an explicit "always-deny" beats any other
+    // routing because the operator has actively refused this tool.
+    if (cache?.alwaysDenied.has(toolName)) {
+        return {
+            decision: 'deny',
+            reason: `Tool ${toolName} denied for the session via /permissions ask`,
+        };
+    }
+    // "Always-allow" in ask mode skips the prompt for subsequent calls.
+    // Plan mode IGNORES the always-allow cache because plan mode's
+    // contract is structural (read-only), not consent-based.
+    if (cache?.alwaysAllowed.has(toolName) && ctx.permissionMode === 'ask') {
+        return {
+            decision: 'allow',
+            reason: `Tool ${toolName} always-allowed for this session`,
+        };
+    }
+    switch (ctx.permissionMode) {
+        case 'plan': {
+            if (toolClass === 'read') {
+                return { decision: 'allow', reason: `Plan mode: read tools allowed (${toolName})` };
+            }
+            return {
+                decision: 'deny',
+                reason: `Plan mode: ${toolClass} tools blocked. Switch with /permissions allow.`,
+            };
+        }
+        case 'ask': {
+            return {
+                decision: 'ask',
+                reason: `Ask mode: prompt before ${toolName}`,
+                question: buildAskQuestion(toolName, toolClass, ctx.target),
+                options: ASK_OPTIONS,
+                toolClass,
+            };
+        }
+        case 'allow': {
+            return {
+                decision: 'allow',
+                reason: `Allow mode: ${toolName} executed`,
+            };
+        }
+        case 'bypass': {
+            return {
+                decision: 'allow',
+                reason: `Bypass mode: ${toolName} executed (policy hooks skipped)`,
+                hooksBypassed: true,
+            };
+        }
+    }
+}
+/**
+ * Build the operator-facing question string for an ask-mode prompt.
+ * Kept in one place so the wording stays consistent across the REPL
+ * Ink modal and the simpler stdin fallback.
+ */
+function buildAskQuestion(toolName, toolClass, target) {
+    const suffix = target ? ` on ${target}` : '';
+    return `Allow ${toolName} (${toolClass})${suffix}?`;
+}
+//# sourceMappingURL=gate.js.map

package/dist/core/permissions/index.js

@@ -0,0 +1,18 @@
+/**
+ * Permission gate (Leak L6) public surface.
+ *
+ * Re-exports the canonical 4-mode types, the tool-class classifier,
+ * the dispatch gate, and the workspace + global session-state helpers
+ * so callers import from one place:
+ *
+ *   import { gate, resolveMode, PermissionDenied } from '<...>/permissions/index.js';
+ *
+ * Keeps the internal file split (mode / tool-class / gate / state)
+ * invisible to consumers — those files are an implementation detail
+ * the engine adapter does not need to know about.
+ */
+export { DEFAULT_PERMISSION_MODE, PERMISSION_MODE_GLOSS, PERMISSION_MODES, isPermissionMode, parsePermissionMode, toLegacyMode, } from './mode.js';
+export { getToolClass, listBuiltInToolClasses, } from './tool-class.js';
+export { ASK_OPTIONS, PermissionDenied, applyAskAnswer, createAskAlwaysCache, gate, } from './gate.js';
+export { getCurrentMode, getGlobalDefaultMode, globalConfigPath, resolveMode, sessionStatePath, setCurrentMode, setGlobalDefaultMode, } from './state.js';
+//# sourceMappingURL=index.js.map