@pugi/cli 0.1.0-beta.2 → 0.1.0-beta.20

package/dist/core/permissions/mode.js

@@ -0,0 +1,102 @@
+/**
+ * Permission modes — canonical 4-mode taxonomy (Leak L6).
+ *
+ * Pugi historically shipped a 6-mode taxonomy in `@pugi/sdk`
+ * (`plan | ask | acceptEdits | auto | dontAsk | bypassPermissions`)
+ * which the legacy `core/permission.ts` engine maps tools onto. Claude
+ * Code, Codex, and the openclaude / openwork leaks all converge on a
+ * smaller, sharper 4-mode set:
+ *
+ *   - `plan`    — read-only proposal mode. Write/dispatch tools refused
+ *                 with a deterministic sentinel; the model is expected
+ *                 to surface a plan, not execute it.
+ *   - `ask`     — every tool execution prompts the operator. Default
+ *                 mode for new operators; the safe ground state.
+ *   - `allow`   — every tool executes without per-call prompts, BUT
+ *                 the policy hook layer (skill-steering, denial audit,
+ *                 destructive deny-list) still fires.
+ *   - `bypass`  — same as allow but ALSO skips policy hooks. Power-user
+ *                 mode for trusted scripted runs; surface a banner on
+ *                 entry so an operator who flips here by accident sees
+ *                 they have disengaged the audit layer.
+ *
+ * This module owns the union type, the canonical default, and the
+ * mode-resolution helper. The runtime gate (`gate.ts`) consumes it; the
+ * legacy 6-mode SDK enum remains the system-of-record for bash-class
+ * decisions inside `core/permission.ts` — the canonical 4-mode layer
+ * sits in front and short-circuits the dispatch decision before bash
+ * classification ever runs.
+ */
+/**
+ * Closed list — useful for input validation and slash-command help.
+ */
+export const PERMISSION_MODES = Object.freeze([
+    'plan',
+    'ask',
+    'allow',
+    'bypass',
+]);
+/**
+ * Default mode applied when no `--mode` flag, no per-workspace session
+ * state, and no `defaultPermissionMode` in `~/.pugi/config.json`. We
+ * default cautious (`ask`) — an operator who has not configured anything
+ * is treated as a new operator who deserves visibility into every tool
+ * call.
+ */
+export const DEFAULT_PERMISSION_MODE = 'ask';
+/**
+ * Type guard for arbitrary string input (CLI flag, session.json
+ * deserialization). Returns false for casing variants — caller is
+ * expected to lowercase before testing.
+ */
+export function isPermissionMode(value) {
+    return typeof value === 'string' && PERMISSION_MODES.includes(value);
+}
+/**
+ * Parse + validate a mode string. Returns null for invalid input so the
+ * caller can surface a typed error (`unknown mode: <value>`) instead of
+ * throwing from a parse helper.
+ */
+export function parsePermissionMode(value) {
+    const lower = value.trim().toLowerCase();
+    return isPermissionMode(lower) ? lower : null;
+}
+/**
+ * Map the canonical 4-mode taxonomy to the legacy 6-mode SDK enum used
+ * by `core/permission.ts::evaluateBashPermission` and friends. The map
+ * is intentionally surjective on a narrower target — the canonical
+ * layer is the new public contract, the legacy layer is plumbing.
+ *
+ *   plan   -> 'plan'              (read-only)
+ *   ask    -> 'ask'               (prompt every action)
+ *   allow  -> 'auto'              (allow non-destructive; deny destructive)
+ *   bypass -> 'bypassPermissions' (allow everything except destructive override)
+ *
+ * Callers that need the legacy enum (existing bash classifier, settings
+ * persistence) should funnel through this helper so the mapping is in
+ * one place.
+ */
+export function toLegacyMode(mode) {
+    switch (mode) {
+        case 'plan':
+            return 'plan';
+        case 'ask':
+            return 'ask';
+        case 'allow':
+            return 'auto';
+        case 'bypass':
+            return 'bypassPermissions';
+    }
+}
+/**
+ * One-line human-readable summary surfaced by the `/permissions` table
+ * and `pugi --help` text. Kept inline so the strings stay localizable
+ * via a single edit point.
+ */
+export const PERMISSION_MODE_GLOSS = Object.freeze({
+    plan: 'Read-only — propose, never execute. Write + dispatch tools refused.',
+    ask: 'Prompt before every tool call. Default for new operators.',
+    allow: 'Execute tools without prompts. Policy hooks still fire.',
+    bypass: 'Execute tools without prompts AND skip policy hooks. Power-user only.',
+});
+//# sourceMappingURL=mode.js.map

package/dist/core/permissions/state.js

@@ -0,0 +1,160 @@
+/**
+ * Per-workspace permission-mode session state — Leak L6.
+ *
+ * State lives in `.pugi/session.json` under the workspace root. The
+ * file is read on first `getCurrentMode()` call (cached for the
+ * process lifetime) and written atomically via tmp+rename on
+ * `setCurrentMode()` so a kill mid-write does not corrupt the JSON.
+ *
+ * Resolution order for the effective mode on a fresh process:
+ *   1. CLI flag (`pugi --mode plan`) — passed via `resolveMode` arg;
+ *      not read from disk here.
+ *   2. Workspace session state — `<root>/.pugi/session.json` field
+ *      `permissionMode`.
+ *   3. Global config — `~/.pugi/config.json` field
+ *      `defaultPermissionMode`.
+ *   4. Hard default `ask`.
+ *
+ * This module owns layers 2 + 3. The CLI arg parser owns layer 1; both
+ * funnel into `resolveMode()` which performs the merge.
+ */
+import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { homedir } from 'node:os';
+import { z } from 'zod';
+import { DEFAULT_PERMISSION_MODE, isPermissionMode, parsePermissionMode, } from './mode.js';
+const permissionModeEnum = z.enum(['plan', 'ask', 'allow', 'bypass']);
+const sessionStateSchema = z
+    .object({
+    permissionMode: permissionModeEnum.optional(),
+})
+    .partial()
+    .passthrough();
+const globalConfigSchema = z
+    .object({
+    defaultPermissionMode: permissionModeEnum.optional(),
+})
+    .partial()
+    .passthrough();
+const SESSION_FILE = '.pugi/session.json';
+/**
+ * Return the path to the workspace session-state file.
+ */
+export function sessionStatePath(workspaceRoot) {
+    return resolve(workspaceRoot, SESSION_FILE);
+}
+/**
+ * Return the path to the user-global config file. Uses HOME env when
+ * present (test fixtures, CI) so we never accidentally hit the real
+ * user-global file in spec runs.
+ */
+export function globalConfigPath(homeDir = homedir()) {
+    return resolve(homeDir, '.pugi/config.json');
+}
+/**
+ * Read the workspace's saved permission mode. Returns null when the
+ * file is absent OR the field is unset; the caller layers in CLI + env
+ * + global config defaults to produce the effective mode.
+ *
+ * Never throws on JSON parse / schema errors — a malformed session
+ * file should not break the gate. The defensive `try/catch` returns
+ * null and lets the caller fall through to the next layer.
+ */
+export function getCurrentMode(workspaceRoot) {
+    const path = sessionStatePath(workspaceRoot);
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = readFileSync(path, 'utf8');
+        const parsed = sessionStateSchema.parse(JSON.parse(raw));
+        return isPermissionMode(parsed.permissionMode) ? parsed.permissionMode : null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Persist the workspace's permission mode. Creates the `.pugi/` dir
+ * when missing; preserves any unrelated keys in the file (passthrough
+ * schema). Atomic tmp+rename so a kill mid-write does not corrupt the
+ * JSON.
+ */
+export function setCurrentMode(workspaceRoot, mode) {
+    const path = sessionStatePath(workspaceRoot);
+    mkdirSync(dirname(path), { recursive: true });
+    const existing = existsSync(path)
+        ? safeParseObject(readFileSync(path, 'utf8'))
+        : {};
+    const next = { ...existing, permissionMode: mode };
+    const tmpPath = `${path}.tmp`;
+    writeFileSync(tmpPath, `${JSON.stringify(next, null, 2)}\n`, { encoding: 'utf8', mode: 0o600 });
+    renameSync(tmpPath, path);
+}
+/**
+ * Read `~/.pugi/config.json::defaultPermissionMode`. Returns null when
+ * the file is absent / the field is unset; same defensive behaviour
+ * as `getCurrentMode` — a malformed global config never breaks the gate.
+ */
+export function getGlobalDefaultMode(homeDir = homedir()) {
+    const path = globalConfigPath(homeDir);
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = readFileSync(path, 'utf8');
+        const parsed = globalConfigSchema.parse(JSON.parse(raw));
+        return isPermissionMode(parsed.defaultPermissionMode) ? parsed.defaultPermissionMode : null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Persist `~/.pugi/config.json::defaultPermissionMode`. Used by the
+ * `/permissions <mode> --persist` flow so a future fresh session
+ * defaults to the same mode without an explicit `--mode` flag.
+ */
+export function setGlobalDefaultMode(mode, homeDir = homedir()) {
+    const path = globalConfigPath(homeDir);
+    mkdirSync(dirname(path), { recursive: true });
+    const existing = existsSync(path)
+        ? safeParseObject(readFileSync(path, 'utf8'))
+        : {};
+    const next = { ...existing, defaultPermissionMode: mode };
+    const tmpPath = `${path}.tmp`;
+    writeFileSync(tmpPath, `${JSON.stringify(next, null, 2)}\n`, { encoding: 'utf8', mode: 0o600 });
+    renameSync(tmpPath, path);
+}
+export function resolveMode(options) {
+    if (options.cliFlag) {
+        const flag = parsePermissionMode(options.cliFlag);
+        if (flag)
+            return flag;
+    }
+    const workspace = getCurrentMode(options.workspaceRoot);
+    if (workspace)
+        return workspace;
+    const global = getGlobalDefaultMode(options.homeDir);
+    if (global)
+        return global;
+    return DEFAULT_PERMISSION_MODE;
+}
+/**
+ * Defensive helper — parse JSON to an object; non-object payload (top-
+ * level array, primitive) collapses to an empty object so the merge
+ * doesn't surface a TypeError. The `setCurrentMode` / `setGlobalDefaultMode`
+ * helpers only write objects, so a non-object existing file is corrupted
+ * and we explicitly reset it rather than appending into a non-object.
+ */
+function safeParseObject(raw) {
+    try {
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            return parsed;
+        }
+        return {};
+    }
+    catch {
+        return {};
+    }
+}
+//# sourceMappingURL=state.js.map

package/dist/core/permissions/tool-class.js

@@ -0,0 +1,93 @@
+/**
+ * Tool side-effect classification — Leak L6.
+ *
+ * Three classes drive the canonical 4-mode permission gate:
+ *
+ *   - `read`     — observe-only. Plan mode allows; ask still prompts;
+ *                  allow + bypass execute silently. Examples: read,
+ *                  grep, glob, web_fetch, web_search, skills_list.
+ *   - `write`    — mutates workspace, journal, or operator screen with
+ *                  visible side effects. Plan mode refuses; ask prompts;
+ *                  allow + bypass execute. Examples: write, edit, bash,
+ *                  multi_edit, task_*. `ask_user_question` is also
+ *                  classed as `write` because it interrupts the
+ *                  dispatcher's flow control and demands operator
+ *                  attention — plan mode should not prompt operators.
+ *   - `dispatch` — spawns a child subagent or off-tree task. Plan mode
+ *                  refuses (a write-capable child violates plan-mode's
+ *                  read-only contract); ask prompts; allow + bypass
+ *                  execute. Example: `agent`.
+ *
+ * Unknown tool names default to `write` — deny-first safety. A stale
+ * schema entry that the gate has not been told about should not silently
+ * pass in plan mode just because the gate doesn't recognise it.
+ */
+/**
+ * Closed map of every built-in tool name -> side-effect class. The
+ * source of truth for the four standard modes; mirrored against the
+ * `WIRED_TOOLS` set in `core/engine/tool-bridge.ts` so an unrecognised
+ * tool surfaces as the safe deny-first `write` default.
+ *
+ * MCP tools follow the `mcp__<server>__<tool>` namespace and are
+ * uniformly classed via `getToolClass` because per-tool annotations are
+ * not yet a part of the MCP spec — treating them as `write` is the
+ * conservative default until server-side metadata is trustworthy.
+ */
+const BUILT_IN_TOOL_CLASSES = Object.freeze({
+    // Read-only observations.
+    read: 'read',
+    grep: 'read',
+    glob: 'read',
+    ls: 'read',
+    search: 'read',
+    web_fetch: 'read',
+    web_search: 'read',
+    file_cache_check: 'read',
+    skills_list: 'read',
+    skill: 'read',
+    task_get: 'read',
+    task_list: 'read',
+    // Mutating actions.
+    write: 'write',
+    edit: 'write',
+    multi_edit: 'write',
+    bash: 'write',
+    task_create: 'write',
+    task_update: 'write',
+    todo_write: 'write',
+    // `ask_user_question` halts the loop and demands operator attention.
+    // Plan mode should not interrupt — class as write so the gate refuses
+    // it in plan mode but ask + allow + bypass execute normally.
+    ask_user_question: 'write',
+    // Dispatch — spawn a child agent. Refused in plan mode regardless of
+    // the child's role tier (the engine adapter applies role-based
+    // capability filtering, but the gate refuses dispatch up front so a
+    // plan-mode session cannot leak a writeable child).
+    agent: 'dispatch',
+    pugi_delegate: 'dispatch',
+    sub_agent_spawn: 'dispatch',
+});
+const MCP_TOOL_PREFIX = 'mcp__';
+/**
+ * Resolve the class for a tool name. Unknown names default to `write`
+ * (deny-first). MCP tools (any name prefixed with `mcp__`) default to
+ * `write` for the same conservative reason — the MCP spec lacks
+ * per-tool annotations today.
+ */
+export function getToolClass(toolName) {
+    const builtIn = BUILT_IN_TOOL_CLASSES[toolName];
+    if (builtIn)
+        return builtIn;
+    if (toolName.startsWith(MCP_TOOL_PREFIX))
+        return 'write';
+    return 'write';
+}
+/**
+ * Expose the built-in class map for diagnostic surfaces (`pugi doctor`,
+ * test fixtures). Caller MUST NOT mutate — the object is already frozen
+ * so any attempt throws in strict mode.
+ */
+export function listBuiltInToolClasses() {
+    return BUILT_IN_TOOL_CLASSES;
+}
+//# sourceMappingURL=tool-class.js.map

package/dist/core/repl/codebase-survey.js

@@ -0,0 +1,308 @@
+/**
+ * Codebase survey for the `/init` interview - Phase 2.
+ *
+ * Inspired by Claude Code's /init Phase 2 (the upstream spawns a
+ * Task-tool subagent to read manifest files + CI config + existing
+ * agent rules and produce a structured "what this repo is" digest).
+ * Independent implementation: Pugi's subagent infra is admin-api
+ * scheduled and not available in the local REPL boot path, so the
+ * survey runs as a direct filesystem scan instead. The shape of the
+ * output matches the upstream pattern - manifest, languages, build /
+ * test / lint commands, existing AI-tool configs - so the downstream
+ * Phase 3 / Phase 4 logic stays portable.
+ *
+ * # Design notes
+ *
+ * - Pure fs reads. No spawn, no network, no LLM call. Safe to run on
+ *   every `/init` invocation without rate-limit concern.
+ * - Bounded: every read caps at 16 KB to defend against an enormous
+ *   manifest pinning memory. Real package.json / pyproject.toml are
+ *   well under that.
+ * - Defensive: a missing or unreadable file maps to `undefined` in the
+ *   returned record. Phase 3 treats unknowns as "ask the operator".
+ * - Manifest grammar is closed: package.json (Node) and pyproject.toml
+ *   (Python) are recognised explicitly because Pugi customers ship one
+ *   of those nine times out of ten. Cargo.toml / go.mod / pom.xml are
+ *   detected by filename only - we surface "rust"/"go"/"java" as the
+ *   language hint but do not parse them, because the Phase 3 question
+ *   set asks for build commands directly when the manifest is opaque.
+ *
+ * # What we collect
+ *
+ *   1. `manifest`: which manifest file was found (closed enum).
+ *   2. `languages`: deduped list inferred from manifest + file extension
+ *      heuristics under the workspace root (one-level deep scan).
+ *   3. `packageManager`: pnpm / npm / yarn (Node only) or `unknown`.
+ *   4. `buildCommand` / `testCommand` / `lintCommand`: parsed out of
+ *      `package.json` scripts when a Node manifest is present.
+ *   5. `aiToolConfigs`: a record of which sibling-agent config files
+ *      already exist (CLAUDE.md, AGENTS.md, .cursorrules,
+ *      .github/copilot-instructions.md, .windsurfrules, .clinerules,
+ *      .mcp.json). Phase 4 mines these for "important parts" without
+ *      duplicating them into PUGI.md.
+ *   6. `hasReadme`, `hasGit`, `hasCi`: simple booleans for the
+ *      gap-question logic.
+ *   7. `hasExistingPugiMd`: true when re-running `/init` against a
+ *      workspace that already produced PUGI.md.
+ *
+ * # Why not spawn a Pugi subagent
+ *
+ * The Pugi subagent dispatcher (apps/pugi-cli/src/core/subagents/)
+ * speaks to admin-api over the SSE transport. Running the codebase
+ * survey through that path would (a) burn a tenant token quota on
+ * every `/init`, (b) require an online connection, and (c) round-trip
+ * structured data through the persona prompt - which is the wrong
+ * tool for "list which files exist". A direct fs scan is faster,
+ * deterministic, and works offline. The upstream Task-tool decision
+ * makes sense in a hosted product where every operation is metered;
+ * Pugi runs locally so we keep the survey local too.
+ */
+import { existsSync, readdirSync, readFileSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+/**
+ * Maximum bytes the survey reads from any single file. Real manifests
+ * are tiny (<8 KB); this cap defends against a hostile or accidental
+ * gigabyte JSON pinning the REPL boot.
+ */
+const MAX_READ_BYTES = 16 * 1024;
+/**
+ * Top-level directory scan budget. The survey looks at the workspace
+ * root + at most this many entries when inferring languages from file
+ * extensions. Deep walks are not needed - the manifest is the source
+ * of truth for the active stack.
+ */
+const MAX_TOP_LEVEL_ENTRIES = 200;
+/**
+ * Run a codebase survey against `workspaceRoot`. Pure: returns a
+ * snapshot record; the caller decides how to render it.
+ */
+export function surveyCodebase(workspaceRoot) {
+    const errors = [];
+    const manifest = detectManifest(workspaceRoot);
+    const packageJson = manifest === 'package.json'
+        ? safeReadJson(join(workspaceRoot, 'package.json'), errors)
+        : undefined;
+    const packageManager = inferPackageManager(workspaceRoot, packageJson);
+    const languages = inferLanguages(workspaceRoot, manifest, errors);
+    const scripts = (packageJson && typeof packageJson === 'object' && packageJson !== null
+        ? packageJson.scripts
+        : undefined) ?? {};
+    const buildCommand = pickScript(scripts, ['build', 'compile']);
+    const testCommand = pickScript(scripts, ['test', 'tests']);
+    const lintCommand = pickScript(scripts, ['lint', 'check']);
+    const formatCommand = pickScript(scripts, ['format', 'fmt', 'prettier']);
+    const aiToolConfigs = scanAiToolConfigs(workspaceRoot);
+    return {
+        workspaceRoot,
+        manifest,
+        packageManager,
+        languages,
+        buildCommand,
+        testCommand,
+        lintCommand,
+        formatCommand,
+        aiToolConfigs,
+        hasReadme: existsSafe(join(workspaceRoot, 'README.md')) ||
+            existsSafe(join(workspaceRoot, 'readme.md')),
+        hasGit: existsSafe(join(workspaceRoot, '.git')),
+        hasCi: detectCi(workspaceRoot),
+        hasExistingPugiMd: aiToolConfigs['PUGI.md'],
+        readErrors: errors,
+    };
+}
+/* ------------------------------------------------------------------ */
+/* Manifest detection                                                  */
+/* ------------------------------------------------------------------ */
+const MANIFEST_PROBE_ORDER = Object.freeze([
+    'package.json',
+    'pyproject.toml',
+    'Cargo.toml',
+    'go.mod',
+    'pom.xml',
+    'Gemfile',
+    'composer.json',
+]);
+function detectManifest(root) {
+    for (const candidate of MANIFEST_PROBE_ORDER) {
+        if (existsSafe(join(root, candidate)))
+            return candidate;
+    }
+    return 'unknown';
+}
+function inferPackageManager(root, packageJson) {
+    // package.json `packageManager` field wins when present (corepack convention).
+    if (packageJson &&
+        typeof packageJson === 'object' &&
+        packageJson !== null &&
+        'packageManager' in packageJson) {
+        const declared = packageJson.packageManager;
+        if (typeof declared === 'string') {
+            if (declared.startsWith('pnpm@'))
+                return 'pnpm';
+            if (declared.startsWith('yarn@'))
+                return 'yarn';
+            if (declared.startsWith('npm@'))
+                return 'npm';
+            if (declared.startsWith('bun@'))
+                return 'bun';
+        }
+    }
+    // Lockfile fallback.
+    if (existsSafe(join(root, 'pnpm-lock.yaml')))
+        return 'pnpm';
+    if (existsSafe(join(root, 'yarn.lock')))
+        return 'yarn';
+    if (existsSafe(join(root, 'bun.lockb')) || existsSafe(join(root, 'bun.lock')))
+        return 'bun';
+    if (existsSafe(join(root, 'package-lock.json')))
+        return 'npm';
+    return 'unknown';
+}
+/* ------------------------------------------------------------------ */
+/* Language inference                                                  */
+/* ------------------------------------------------------------------ */
+const EXT_TO_LANG = Object.freeze({
+    '.ts': 'typescript',
+    '.tsx': 'typescript',
+    '.js': 'javascript',
+    '.jsx': 'javascript',
+    '.mjs': 'javascript',
+    '.cjs': 'javascript',
+    '.py': 'python',
+    '.rs': 'rust',
+    '.go': 'go',
+    '.java': 'java',
+    '.kt': 'kotlin',
+    '.swift': 'swift',
+    '.rb': 'ruby',
+    '.php': 'php',
+    '.cs': 'csharp',
+    '.cpp': 'cpp',
+    '.c': 'c',
+});
+const MANIFEST_TO_LANG = Object.freeze({
+    'package.json': ['javascript'],
+    'pyproject.toml': ['python'],
+    'Cargo.toml': ['rust'],
+    'go.mod': ['go'],
+    'pom.xml': ['java'],
+    'Gemfile': ['ruby'],
+    'composer.json': ['php'],
+    'unknown': [],
+});
+function inferLanguages(root, manifest, errors) {
+    const collected = new Set(MANIFEST_TO_LANG[manifest]);
+    // Top-level extension scan, bounded.
+    try {
+        const entries = readdirSync(root);
+        let scanned = 0;
+        for (const entry of entries) {
+            if (scanned >= MAX_TOP_LEVEL_ENTRIES)
+                break;
+            scanned += 1;
+            // Skip dotfiles + common dependency dirs - they pollute the
+            // language inference with build/cache content.
+            if (entry.startsWith('.') || entry === 'node_modules' || entry === 'dist')
+                continue;
+            const dot = entry.lastIndexOf('.');
+            if (dot <= 0)
+                continue;
+            const ext = entry.slice(dot);
+            const lang = EXT_TO_LANG[ext];
+            if (lang)
+                collected.add(lang);
+        }
+    }
+    catch (error) {
+        errors.push(`readdir ${root}: ${normalizeError(error)}`);
+    }
+    // `typescript` implies `javascript` runtime; keep both so the
+    // interview can ask "compiled-with vs run-with" if needed.
+    return Array.from(collected).sort();
+}
+/* ------------------------------------------------------------------ */
+/* Script picker                                                       */
+/* ------------------------------------------------------------------ */
+function pickScript(scripts, candidates) {
+    for (const key of candidates) {
+        const value = scripts[key];
+        if (typeof value === 'string' && value.trim().length > 0) {
+            // Surface the npm-style invocation so Phase 4 can quote it
+            // verbatim. The package manager name is filled in by the caller
+            // once it has resolved `packageManager`.
+            return key;
+        }
+    }
+    return undefined;
+}
+/* ------------------------------------------------------------------ */
+/* AI tool config scan                                                 */
+/* ------------------------------------------------------------------ */
+const AI_TOOL_CONFIG_PATHS = Object.freeze([
+    'CLAUDE.md',
+    'CLAUDE.local.md',
+    'AGENTS.md',
+    '.cursorrules',
+    '.cursor/rules',
+    '.github/copilot-instructions.md',
+    '.windsurfrules',
+    '.clinerules',
+    '.mcp.json',
+    'PUGI.md',
+    'PUGI.local.md',
+]);
+function scanAiToolConfigs(root) {
+    const result = {};
+    for (const rel of AI_TOOL_CONFIG_PATHS) {
+        result[rel] = existsSafe(join(root, rel));
+    }
+    return Object.freeze(result);
+}
+/* ------------------------------------------------------------------ */
+/* CI detection                                                        */
+/* ------------------------------------------------------------------ */
+const CI_PROBE_PATHS = Object.freeze([
+    '.github/workflows',
+    '.gitlab-ci.yml',
+    '.circleci/config.yml',
+    'azure-pipelines.yml',
+    '.travis.yml',
+    '.buildkite',
+]);
+function detectCi(root) {
+    return CI_PROBE_PATHS.some((rel) => existsSafe(join(root, rel)));
+}
+/* ------------------------------------------------------------------ */
+/* Safe IO helpers                                                     */
+/* ------------------------------------------------------------------ */
+function existsSafe(path) {
+    try {
+        return existsSync(path);
+    }
+    catch {
+        return false;
+    }
+}
+function safeReadJson(path, errors) {
+    try {
+        const stats = statSync(path);
+        if (!stats.isFile())
+            return undefined;
+        if (stats.size > MAX_READ_BYTES) {
+            errors.push(`oversize ${path}: ${stats.size} bytes`);
+            return undefined;
+        }
+        const raw = readFileSync(path, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch (error) {
+        errors.push(`read ${path}: ${normalizeError(error)}`);
+        return undefined;
+    }
+}
+function normalizeError(error) {
+    if (error instanceof Error)
+        return error.message;
+    return String(error);
+}
+//# sourceMappingURL=codebase-survey.js.map

package/dist/core/repl/history.js

@@ -31,6 +31,7 @@
  * keys stay readable English (`brief`, `ts`). No forbidden words.
  */
 import { existsSync, mkdirSync, readFileSync, writeFileSync, appendFileSync, renameSync, unlinkSync, } from 'node:fs';
+import { randomBytes } from 'node:crypto';
 import { homedir } from 'node:os';
 import { dirname, join } from 'node:path';
 /** Cap on stored entries per workspace. Drops oldest on overflow. */
@@ -77,7 +78,16 @@ export function append(input) {
     // sibling guarantees that). P2 fix from PR #335 triple-review.
     if (existing.length + 1 > MAX_HISTORY_ENTRIES) {
         const trimmed = [...existing.slice(existing.length + 1 - MAX_HISTORY_ENTRIES), entry];
-        const tmpPath = `${path}.tmp`;
+        // β1b #52 (2026-05-26): unique-per-call tmp suffix.
+        // Previous form was a fixed `${path}.tmp`, which means two CLI
+        // processes hitting the overflow rewrite at the same moment race
+        // on the same sibling file. Whichever writeFileSync lands second
+        // can corrupt the renameSync target's content (one process's
+        // serialized buffer overwrites the other mid-flight). Append a
+        // pid + monotonic-ish timestamp + 8 hex random bytes so the tmp
+        // names are collision-proof across PIDs, concurrent calls inside
+        // one PID, and rapid re-runs that share the same ms timestamp.
+        const tmpPath = `${path}.${process.pid}.${Date.now()}.${randomBytes(4).toString('hex')}.tmp`;
         try {
             writeFileSync(tmpPath, trimmed.map(serialize).join('\n') + '\n', { mode: 0o600 });
             renameSync(tmpPath, path);