@pugi/cli 0.1.0-beta.2 → 0.1.0-beta.20

package/dist/runtime/commands/status.js

@@ -0,0 +1,178 @@
+/**
+ * `pugi status` — concise session-state probe (Leak L34, 2026-05-27).
+ *
+ * Different from `pugi doctor` (environment health). The status
+ * command answers "what is this Pugi session doing right now?" —
+ * session id + age, cwd, permission mode, CLI version, token
+ * usage, dispatch counts, last command, compact boundaries, auth
+ * identity.
+ *
+ * # Module contract
+ *
+ *   - This file owns the WIRING from CLI flags + ambient process
+ *     state к the snapshot collector. The data collector itself
+ *     lives in `core/diagnostics/probes/status-snapshot.ts` and
+ *     has zero coupling к the CLI dispatch surface.
+ *
+ *   - `runStatusCommand` is the single entry point. Both the
+ *     top-level `pugi status` handler in `runtime/cli.ts` AND the
+ *     in-REPL `/status` slash command call it. The function
+ *     returns the `StatusSnapshot` so the REPL slash handler can
+ *     mount the Ink renderer without re-collecting fields.
+ *
+ *   - The credential resolver is captured behind a function so the
+ *     spec can stub it without monkey-patching `core/credentials.ts`.
+ *
+ *   - The permission state module is dynamic-imported with a
+ *     try/catch so this command lands cleanly before the L6
+ *     permission-mode work — when the module is absent the field
+ *     degrades к "unknown" instead of crashing the snapshot.
+ *
+ *   - Exit code is 0 unless the snapshot itself throws. The
+ *     command is intentionally informational — even a fully
+ *     "unavailable" snapshot (everything degraded к sentinels)
+ *     exits 0 so monitoring scripts can rely on a stable contract.
+ */
+import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { resolveActiveCredential } from '../../core/credentials.js';
+import { PUGI_CLI_VERSION } from '../version.js';
+import { collectStatusSnapshot, } from '../../core/diagnostics/probes/status-snapshot.js';
+/**
+ * Default production filesystem stubs. Wraps node:fs so the
+ * snapshot collector can stay sync + structurally testable.
+ */
+const DEFAULT_FS = {
+    existsSync,
+    statSync,
+    readdirSync: (p) => readdirSync(p),
+    readFileSync: (p, encoding) => readFileSync(p, encoding),
+};
+/**
+ * Default credential resolver. Wraps `resolveActiveCredential` so
+ * the snapshot only sees the trimmed `ResolvedCredentialSummary`
+ * shape and не the full store record.
+ */
+function defaultResolveCredential(env, home) {
+    const cred = resolveActiveCredential(env, home);
+    if (!cred)
+        return null;
+    // Tier is не yet recorded в the credentials file — set к null
+    // until a future sprint surfaces `tier` on the stored record.
+    // The renderer hides the parenthetical when tier is null.
+    return {
+        apiUrl: cred.apiUrl,
+        label: cred.label ?? null,
+        tier: null,
+        identity: cred.label ?? null,
+    };
+}
+/**
+ * Default permission-mode loader. Dynamic-imports
+ * `core/permissions/state.ts` (L6 in the leak-parity roadmap);
+ * returns null when the module is absent OR malformed, which the
+ * snapshot field degrades к the "unknown" sentinel.
+ */
+async function defaultResolvePermissionMode() {
+    try {
+        const mod = (await import('../../core/permissions/state.js').catch(() => null));
+        if (!mod || typeof mod.getCurrentPermissionMode !== 'function') {
+            return null;
+        }
+        const mode = mod.getCurrentPermissionMode();
+        return typeof mode === 'string' && mode.length > 0 ? mode : null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Collect the snapshot + emit the output via the supplied
+ * writeOutput sink. Returns the snapshot so REPL callers can
+ * route it к the Ink renderer instead of the plain-text fallback.
+ */
+export async function runStatusCommand(ctx) {
+    // Resolve the permission mode upfront — the snapshot is sync but
+    // the L6 loader is async (dynamic import). We materialise the
+    // value here and hand the snapshot a sync getter.
+    const permissionMode = ctx.resolvePermissionMode === undefined
+        ? await defaultResolvePermissionMode()
+        : null;
+    const deps = {
+        cwd: ctx.cwd,
+        home: ctx.home,
+        cliVersion: PUGI_CLI_VERSION,
+        now: ctx.now ?? Date.now,
+        liveSessionId: ctx.liveSessionId ?? null,
+        sessionStartedAtEpochMs: ctx.sessionStartedAtEpochMs ?? null,
+        liveTokensUsed: ctx.liveTokensUsed ?? null,
+        lastCommand: ctx.lastCommand ?? null,
+        lastCommandAtEpochMs: ctx.lastCommandAtEpochMs ?? null,
+        fs: ctx.fs ?? DEFAULT_FS,
+        resolveCredential: ctx.resolveCredential ?? (() => defaultResolveCredential(ctx.env, ctx.home)),
+        resolvePermissionMode: ctx.resolvePermissionMode ?? (() => permissionMode),
+    };
+    let snapshot;
+    try {
+        snapshot = collectStatusSnapshot(deps);
+    }
+    catch (error) {
+        // Defensive: the snapshot collector is fail-soft per field, but
+        // a structural crash (e.g. a hostile env that throws on
+        // `process.version` access) must не bring down `pugi status`.
+        // We synthesise a minimal envelope and surface the error в the
+        // text output so the operator can file a bug.
+        const message = error instanceof Error ? error.message : String(error);
+        snapshot = {
+            command: 'status',
+            fields: [
+                {
+                    key: 'session',
+                    label: 'Session',
+                    value: 'unknown',
+                    available: false,
+                    note: `snapshot collector crashed: ${message}`,
+                },
+            ],
+            meta: {
+                cliVersion: PUGI_CLI_VERSION,
+                nodeVersion: process.version,
+                cwd: ctx.cwd,
+                capturedAt: new Date((ctx.now ?? Date.now)()).toISOString(),
+            },
+        };
+    }
+    const text = renderStatusTable(snapshot);
+    ctx.writeOutput(snapshot, text);
+    // Always exit 0 — `pugi status` is informational, never a gate.
+    process.exitCode = 0;
+    return snapshot;
+}
+/**
+ * Plain-text table renderer. Lays out the snapshot as a two-column
+ * (LABEL / VALUE) table with the brand-voice header `Pugi status`.
+ * Matches the column-light pattern used by `renderDoctorTable` so
+ * narrow terminals stay legible without a layout library.
+ */
+export function renderStatusTable(snapshot) {
+    const labelWidth = Math.max('Label'.length, ...snapshot.fields.map((f) => f.label.length));
+    const lines = [];
+    lines.push('Pugi status');
+    lines.push('═'.repeat(50));
+    for (const field of snapshot.fields) {
+        const labelPart = field.label.padEnd(labelWidth, ' ');
+        lines.push(`${labelPart}  ${field.value}`);
+    }
+    lines.push('');
+    lines.push(`CLI ${snapshot.meta.cliVersion}  Node ${snapshot.meta.nodeVersion}  cwd ${snapshot.meta.cwd}`);
+    return lines.join('\n');
+}
+/**
+ * Default home dir resolver. Centralised so the CLI handler can
+ * call `runStatusCommand` without re-importing `os.homedir`
+ * everywhere.
+ */
+export function defaultStatusHome() {
+    return homedir();
+}
+//# sourceMappingURL=status.js.map

package/dist/runtime/commands/worktree.js

@@ -16,9 +16,21 @@
  *
  * Brand voice: ASCII only, no emoji, no banned words.
  */
-import { resolve } from 'node:path';
 import { spawnSync } from 'node:child_process';
+import { resolve, sep } from 'node:path';
 import { createWorktree, dropWorktree, promoteWorktree } from '../../core/edits/worktree.js';
+/**
+ * R1 fix (2026-05-26, PR #413 r1, P2 #10): operator-facing path
+ * validation. The core `promoteWorktree` / `dropWorktree` primitives
+ * already gate their inputs, but mirroring the check at the CLI surface
+ * gives the operator a clean error message before we even attempt the
+ * git invocation (which would otherwise leak `git rev-parse HEAD` stderr).
+ */
+function isUnderScratchRoot(cwd, candidate) {
+    const scratchRoot = resolve(cwd, '.pugi', 'worktrees');
+    const abs = resolve(cwd, candidate);
+    return abs.startsWith(scratchRoot + sep) && abs !== scratchRoot;
+}
 export async function runWorktreeCommand(args, opts) {
     const [op, ...rest] = args;
     if (!op)
@@ -56,6 +68,19 @@ export async function runWorktreeCommand(args, opts) {
                 exitCode: 2,
             };
         }
+        if (!isUnderScratchRoot(opts.cwd, worktreePath)) {
+            return {
+                ok: false,
+                text: opts.json
+                    ? JSON.stringify({
+                        ok: false,
+                        reason: 'invalid_worktree_path',
+                        detail: `worktree path must live under <cwd>/.pugi/worktrees/`,
+                    }, null, 2)
+                    : `promote failed: invalid_worktree_path: ${worktreePath} is not under .pugi/worktrees/`,
+                exitCode: 3,
+            };
+        }
         // Resolve the worktree path's base SHA from its own git HEAD so
         // the operator never has to remember it after `worktree create`.
         const abs = resolve(opts.cwd, worktreePath);
@@ -68,21 +93,27 @@ export async function runWorktreeCommand(args, opts) {
             };
         }
         const baseSha = head.stdout.trim();
-        const result = promoteWorktree({ cwd: opts.cwd, worktreePath: abs, baseSha });
+        const result = promoteWorktree({
+            cwd: opts.cwd,
+            worktreePath: abs,
+            baseSha,
+            ...(opts.dryRun ? { dryRun: true } : {}),
+        });
         if (!result.ok) {
             return {
                 ok: false,
                 text: opts.json
                     ? JSON.stringify(result, null, 2)
                     : `promote failed: ${result.reason}: ${result.detail}`,
-                exitCode: 1,
+                exitCode: result.reason === 'protected_file_in_worktree' ? 3 : 1,
             };
         }
+        const prefix = opts.dryRun ? 'dry-run: would promote' : 'promoted';
         return {
             ok: true,
             text: opts.json
-                ? JSON.stringify({ filesChanged: result.value.filesChanged }, null, 2)
-                : `promoted ${result.value.filesChanged} files from ${abs}`,
+                ? JSON.stringify({ filesChanged: result.value.filesChanged, dryRun: opts.dryRun ?? false }, null, 2)
+                : `${prefix} ${result.value.filesChanged} files from ${abs}`,
             exitCode: 0,
         };
     }
@@ -95,6 +126,19 @@ export async function runWorktreeCommand(args, opts) {
                 exitCode: 2,
             };
         }
+        if (!isUnderScratchRoot(opts.cwd, worktreePath)) {
+            return {
+                ok: false,
+                text: opts.json
+                    ? JSON.stringify({
+                        ok: false,
+                        reason: 'invalid_worktree_path',
+                        detail: `worktree path must live under <cwd>/.pugi/worktrees/`,
+                    }, null, 2)
+                    : `drop failed: invalid_worktree_path: ${worktreePath} is not under .pugi/worktrees/`,
+                exitCode: 3,
+            };
+        }
         const abs = resolve(opts.cwd, worktreePath);
         const result = dropWorktree(abs, opts.cwd);
         if (!result.ok) {
@@ -103,7 +147,7 @@ export async function runWorktreeCommand(args, opts) {
                 text: opts.json
                     ? JSON.stringify(result, null, 2)
                     : `drop failed: ${result.reason}: ${result.detail}`,
-                exitCode: 1,
+                exitCode: result.reason === 'invalid_worktree_path' ? 3 : 1,
             };
         }
         return {