@pugi/cli 0.1.0-beta.2 → 0.1.0-beta.20

package/dist/tools/agent-tool.js

@@ -0,0 +1,206 @@
+/**
+ * `agent` tool — β2 S3 (2026-05-26).
+ *
+ * Exposes the subagent spawn primitive as a first-class tool call so
+ * the root Mira persona (or any orchestrator-capable parent loop) can
+ * delegate a brief to a specialist child via the standard tool-use
+ * grammar instead of via the legacy `<pugi-delegate>` XML sidechannel.
+ *
+ * Grammar:
+ *
+ *   {
+ *     "role":    "coder" | "verifier" | "reviewer" | "researcher" | ...,
+ *     "brief":   "one-paragraph task description",
+ *     "isolation":  "worktree" | "shared_fs" | "auto"   // optional, default "auto"
+ *   }
+ *
+ * Returns a JSON envelope:
+ *
+ *   {
+ *     "ok":          true,
+ *     "taskId":      "subagent-<uuid>",
+ *     "role":        "coder",
+ *     "personaSlug": "dev",
+ *     "status":      "shipped" | "blocked" | "failed",
+ *     "summary":     "...",
+ *     "filesChanged": ["src/...", "src/..."],
+ *     "toolCallCount": N,
+ *     "tokensIn":  N,
+ *     "tokensOut": N,
+ *     "durationMs": N,
+ *     "worktreePath":  "/path/.pugi/worktrees/<uuid>"  // only when worktree isolation used
+ *   }
+ *
+ * Why expose this as a tool rather than baking it into the engine
+ * loop directly:
+ *
+ *   - The model's existing tool-use grammar is what every modern Anvil
+ *     provider speaks natively. Wrapping delegation as a tool means the
+ *     model can decide WHEN to spawn a child the same way it decides
+ *     when to read/edit/bash — no special-case prompt engineering.
+ *   - The `agent` tool is gated by the isolation-matrix capability map
+ *     (only `orchestrator`-class roles see it in their tools schema).
+ *     A coder/reviewer/verifier cannot recursively spawn grandchildren
+ *     because they never see the `agent` tool in the first place.
+ *   - The audit log threads cleanly: parent's `tool_call: agent(...)`
+ *     pairs with the child's `subagent.spawned/tool_call/completed`
+ *     events, and a single SSE replay yields the full tree.
+ */
+import { z } from 'zod';
+import { randomUUID } from 'node:crypto';
+import { relative as relativePath } from 'node:path';
+import { spawnSubagentWithOutcome } from '../core/subagents/spawn.js';
+/**
+ * Argument schema. `isolation: 'auto'` defers to the role-default
+ * isolation tier (set by `isolationForRole` in dispatcher.ts). The
+ * explicit `worktree` opt-in forces worktree isolation even for roles
+ * whose default is `shared_fs_serialized`; `shared_fs` does the
+ * inverse (forces shared-fs even for roles whose default is `worktree`).
+ *
+ * The role enum mirrors the SDK's SubagentRole — keep both in lockstep.
+ *
+ * Leak P0 L2 (2026-05-27): `z.strictObject` rejects ANY additional or
+ * aliased fields at parse time. Matches the openclaude FileEditTool /
+ * FileWriteTool posture (research memo §1.1). The model-facing JSON
+ * schema already declares `additionalProperties: false`; the strict
+ * Zod variant is defense-in-depth — if the bridge ever bypasses the
+ * model-side gate (raw test fixture, internal dispatch), the runtime
+ * still refuses unknown keys instead of silently dropping them.
+ */
+export const agentToolArgsSchema = z.strictObject({
+    role: z.enum([
+        'orchestrator',
+        'architect',
+        'coder',
+        'verifier',
+        'reviewer',
+        'researcher',
+        'release',
+        'devops',
+        'design_qa',
+    ]).describe('SubagentRole — selects persona + isolation tier.'),
+    brief: z
+        .string()
+        .min(1, 'brief must not be empty')
+        .max(8000, 'brief must be ≤ 8000 chars')
+        .describe('One-paragraph task description forwarded to the child as the user prompt. '
+        + 'Be concrete: include filenames, expected behavior, and acceptance criteria.'),
+    isolation: z
+        .enum(['worktree', 'shared_fs', 'auto'])
+        .optional()
+        .describe('Optional override. `worktree` forces a scratch git worktree for write isolation; '
+        + '`shared_fs` forces same-tree execution; `auto` (default) defers to the role tier.'),
+});
+/**
+ * Dispatch a subagent via the `agent` tool. Returns the JSON envelope
+ * the executor wraps into the tool result frame. Throws when the
+ * arguments fail schema validation — the executor catches and feeds
+ * the message back to the model so it can correct itself.
+ */
+export async function agentTool(args, ctx) {
+    const validated = agentToolArgsSchema.parse(args);
+    if (!ctx.engineClient) {
+        // Hard refusal: the `agent` tool is real-backend-only. Surfacing a
+        // structured envelope (instead of throwing) lets the model decide
+        // whether to abandon the delegation or to fall back to in-process
+        // work. Throwing here would terminate the parent loop on a tool
+        // error frame, which is the wrong UX when the issue is config.
+        return {
+            ok: false,
+            taskId: `subagent-rejected-${randomUUID()}`,
+            role: validated.role,
+            personaSlug: '',
+            status: 'failed',
+            summary: 'agent tool unavailable: no engine client wired through the parent dispatch. '
+                + 'Run pugi via the standard CLI entrypoints; the in-memory test harness does '
+                + 'not currently support real subagent spawn.',
+            filesChanged: [],
+            toolCallCount: 0,
+            tokensIn: 0,
+            tokensOut: 0,
+            durationMs: 0,
+        };
+    }
+    // β2 S10 pre-flight (best-effort): refuse the spawn if the child's
+    // role-default token budget exceeds the parent's remaining budget.
+    // The check is conservative — it uses the child's DEFAULT envelope
+    // because we do not know the actual run cost ahead of time. Roles
+    // can downscale via SubagentTask.budget overrides; this gate just
+    // catches the gross case (parent has 5k left, child default 80k).
+    if (ctx.parentBudgetRemaining?.tokens !== undefined) {
+        const { budgetForRole } = await import('../core/subagents/dispatcher.js');
+        const childDefault = budgetForRole(validated.role, undefined);
+        if (childDefault.tokens > ctx.parentBudgetRemaining.tokens) {
+            return {
+                ok: false,
+                taskId: `subagent-budget-refused-${randomUUID()}`,
+                role: validated.role,
+                personaSlug: '',
+                status: 'blocked',
+                summary: `agent spawn refused: child '${validated.role}' default budget is ${childDefault.tokens} tokens `
+                    + `but parent has only ${ctx.parentBudgetRemaining.tokens} tokens remaining. `
+                    + 'Tighten the child task budget or finish the parent first.',
+                filesChanged: [],
+                toolCallCount: 0,
+                tokensIn: 0,
+                tokensOut: 0,
+                durationMs: 0,
+            };
+        }
+    }
+    const task = {
+        id: `subagent-${randomUUID()}`,
+        role: validated.role,
+        prompt: validated.brief,
+        // `auto` permission mode matches the parent loop's default; the
+        // isolation-matrix capability gate provides the load-bearing
+        // restriction layer regardless of permissionMode.
+        permissionMode: 'auto',
+    };
+    const useWorktree = validated.isolation === 'worktree'
+        ? true
+        : validated.isolation === 'shared_fs'
+            ? false
+            : undefined; // 'auto' → defer to role default
+    const outcome = await spawnSubagentWithOutcome(task, ctx.session, {
+        engineClient: ctx.engineClient,
+        ...(useWorktree !== undefined ? { useWorktreeIsolation: useWorktree } : {}),
+    });
+    const envelope = {
+        // `ok` = subagent did not crash. Both `shipped` (real work) and
+        // `replied` (text-only completion, added 2026-05-26) count as
+        // non-crash outcomes; the caller can branch on the explicit
+        // `status` field below if it needs to distinguish them.
+        ok: outcome.result.status === 'shipped' || outcome.result.status === 'replied',
+        taskId: outcome.result.taskId,
+        role: outcome.result.role,
+        personaSlug: outcome.result.personaSlug,
+        status: outcome.result.status,
+        summary: outcome.result.summary,
+        filesChanged: outcome.result.filesChanged,
+        toolCallCount: outcome.result.toolCallCount,
+        tokensIn: outcome.result.tokensIn,
+        tokensOut: outcome.result.tokensOut,
+        durationMs: outcome.result.durationMs,
+    };
+    if (outcome.worktreeHandle) {
+        // β2a r2 (Codex P1, 2026-05-26): emit the worktree path RELATIVE to
+        // the parent session's workspace root. The envelope is JSON-stringified
+        // into the parent loop's tool_result frame and from there flows to the
+        // provider on every subsequent assistant turn — shipping the absolute
+        // path (`/Users/<operator>/Web/.../.pugi/worktrees/<uuid>`) leaks the
+        // operator's home directory to the upstream provider on every spawn.
+        //
+        // The composeSummary path (dispatcher-real.ts §β2a r1) already scrubs
+        // the summary text via the same `relative()` wrapping; this is the
+        // matching fix for the structured envelope field that r1 missed.
+        // The relative form (`.pugi/worktrees/<uuid>`) is enough for the
+        // operator's local `pugi worktree promote/drop` commands which run
+        // resolved against ctx.session.root anyway.
+        const relPath = relativePath(ctx.session.root, outcome.worktreeHandle.path)
+            || outcome.worktreeHandle.path;
+        envelope.worktreePath = relPath;
+    }
+    return envelope;
+}
+//# sourceMappingURL=agent-tool.js.map

package/dist/tools/apply-patch.js

@@ -43,6 +43,7 @@
  * Brand voice: ASCII only, no emoji, no banned words.
  */
 import { spawnSync } from 'node:child_process';
+import { existsSync, rmSync } from 'node:fs';
 import { resolve, sep } from 'node:path';
 import { applySecurityGate } from '../core/edits/security-gate.js';
 import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
@@ -53,6 +54,19 @@ import { recordToolCall, recordToolResult, recordFileMutation } from '../core/se
  * `+++ b/<path>` lines that plain `diff -u` emits. The full set of
  * touched paths feeds the security gate — EVERY file goes through
  * `applySecurityGate` before we trust `git apply` to do anything.
+ *
+ * Security (R1 fix 2026-05-26, PR #413 r1): git emits C-style quoted
+ * path headers when a path contains "unusual" bytes (high bits, control
+ * chars, double-quote, backslash) and `core.quotePath` is true (the
+ * default). The literal header looks like
+ * `diff --git "a/.env" "b/.env"`. Before this fix the regex captured
+ * the literal `"b/.env"` string and the security gate's basename match
+ * never saw `.env` — `basename('"b/.env"')` is `'.env"'` (note the
+ * trailing quote) which does NOT match the `.env` protected pattern.
+ * `git apply` then de-quoted the header and happily landed on the real
+ * `.env`. We strip the surrounding quotes + decode the C-style escapes
+ * via `unquoteGitPath` BEFORE passing to the security gate so the
+ * basename matcher sees the real target.
  */
 export function extractPatchPaths(patch) {
     const paths = new Set();
@@ -62,12 +76,24 @@ export function extractPatchPaths(patch) {
             // quoted by git's own diff machinery (rare). The robust extractor
             // matches the `b/...` half because rename diffs carry the new
             // name there.
+            // Two variants: unquoted (`a/foo b/bar`) and C-style quoted
+            // (`"a/foo" "b/bar"`). We try the quoted form first because the
+            // unquoted regex below would accept the literal quote as part of
+            // the path otherwise.
+            const quoted = line.match(/^diff --git "a\/(.+)" "b\/(.+)"$/);
+            if (quoted) {
+                if (quoted[1])
+                    paths.add(unquoteGitPath(quoted[1]));
+                if (quoted[2])
+                    paths.add(unquoteGitPath(quoted[2]));
+                continue;
+            }
             const match = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
             if (match) {
                 if (match[1])
-                    paths.add(match[1]);
+                    paths.add(unquoteGitPath(match[1]));
                 if (match[2])
-                    paths.add(match[2]);
+                    paths.add(unquoteGitPath(match[2]));
             }
             continue;
         }
@@ -75,22 +101,131 @@ export function extractPatchPaths(patch) {
             const after = line.slice(4).trim();
             if (after === '/dev/null')
                 continue;
-            const trimmed = after.startsWith('b/') ? after.slice(2) : after;
-            if (trimmed)
-                paths.add(stripTimestampSuffix(trimmed));
+            const stripped = stripQuotedHalf(after, 'b/');
+            if (stripped)
+                paths.add(stripTimestampSuffix(stripped));
             continue;
         }
         if (line.startsWith('--- ')) {
             const after = line.slice(4).trim();
             if (after === '/dev/null')
                 continue;
-            const trimmed = after.startsWith('a/') ? after.slice(2) : after;
-            if (trimmed)
-                paths.add(stripTimestampSuffix(trimmed));
+            const stripped = stripQuotedHalf(after, 'a/');
+            if (stripped)
+                paths.add(stripTimestampSuffix(stripped));
         }
     }
     return Array.from(paths);
 }
+/**
+ * Strip the leading `a/` or `b/` prefix from a `---` / `+++` line,
+ * handling both unquoted (`b/.env`) and C-style quoted (`"b/.env"`)
+ * variants. The returned path is fully de-quoted so the security gate
+ * sees the real basename. Returns null when the line does not parse.
+ */
+function stripQuotedHalf(after, prefix) {
+    // Quoted form: `"b/path with \"escapes\""`. Detect surrounding quotes
+    // first, strip them, then peel the prefix, then unquote the inner
+    // C-style escapes.
+    if (after.startsWith('"') && after.endsWith('"') && after.length >= 2) {
+        const inner = after.slice(1, -1);
+        const peeled = inner.startsWith(prefix) ? inner.slice(prefix.length) : inner;
+        return unquoteGitPath(peeled);
+    }
+    const trimmed = after.startsWith(prefix) ? after.slice(prefix.length) : after;
+    return trimmed;
+}
+/**
+ * Decode git's C-style path quoting. When `core.quotePath` is true
+ * (default) git writes paths with high-bit / control / quote bytes as
+ * C-string escapes inside double quotes:
+ *
+ *   `"\.env"` -> `.env`         (backslash before . is just a literal)
+ *   `"a\"b"`  -> `a"b`          (escaped double-quote)
+ *   `"a\\b"`  -> `a\b`          (escaped backslash)
+ *   `"a\tb"`  -> `a` + TAB + `b`
+ *   `"a\341\210\264"` -> `a` + UTF-8 bytes 0xe1 0x88 0xb4
+ *
+ * Accepts a path that is EITHER already unquoted (passed through) OR an
+ * inner string previously stripped of its surrounding quotes. The
+ * function is idempotent on already-clean ASCII paths.
+ *
+ * Reference: git source `quote.c::unquote_c_style`.
+ */
+export function unquoteGitPath(s) {
+    // If the caller passed us a wrapped string (`"foo"`), peel it now.
+    if (s.startsWith('"') && s.endsWith('"') && s.length >= 2) {
+        s = s.slice(1, -1);
+    }
+    // Fast path: no backslash means no C-style escapes, return as-is.
+    if (!s.includes('\\'))
+        return s;
+    const out = [];
+    for (let i = 0; i < s.length; i += 1) {
+        const ch = s[i];
+        if (ch !== '\\') {
+            // Single-byte ASCII or multi-byte JS string char; the byte we
+            // emit must match its UTF-8 encoding so the security gate sees
+            // the same bytes the filesystem will. JS strings are UTF-16; we
+            // bounce through Buffer to get the canonical UTF-8 bytes.
+            const bytes = Buffer.from(ch ?? '', 'utf8');
+            for (const b of bytes)
+                out.push(b);
+            continue;
+        }
+        const next = s[i + 1];
+        if (next === undefined) {
+            // Trailing backslash with no follower — emit literal.
+            out.push(0x5c);
+            continue;
+        }
+        // Three-digit octal escape: `\NNN` (each digit 0-7).
+        if (next >= '0' && next <= '7' && i + 3 < s.length + 1) {
+            const oct = s.slice(i + 1, i + 4);
+            if (/^[0-7]{3}$/.test(oct)) {
+                out.push(Number.parseInt(oct, 8));
+                i += 3;
+                continue;
+            }
+        }
+        switch (next) {
+            case 'a':
+                out.push(0x07);
+                break;
+            case 'b':
+                out.push(0x08);
+                break;
+            case 't':
+                out.push(0x09);
+                break;
+            case 'n':
+                out.push(0x0a);
+                break;
+            case 'v':
+                out.push(0x0b);
+                break;
+            case 'f':
+                out.push(0x0c);
+                break;
+            case 'r':
+                out.push(0x0d);
+                break;
+            case '"':
+                out.push(0x22);
+                break;
+            case '\\':
+                out.push(0x5c);
+                break;
+            default:
+                // Unknown escape — emit the escape char as a literal so we
+                // don't silently drop bytes. Mirrors git's own permissive
+                // behaviour.
+                out.push(next.charCodeAt(0));
+        }
+        i += 1;
+    }
+    return Buffer.from(out).toString('utf8');
+}
 /**
  * `diff -u` (non-git) emits trailing tab-prefixed timestamps after the
  * path: `--- foo.ts\t2026-05-25 10:00:00`. Strip those so the security
@@ -126,6 +261,25 @@ export function applyPatch(ctx, patch, opts = {}) {
         recordToolResult(ctx.session, toolCallId, 'error', 'empty_patch');
         return result;
     }
+    // β7 L4: pre-flight conflict-marker check. A patch that still carries
+    // unresolved `<<<<<<<`/`=======`/`>>>>>>>` lines is almost always
+    // operator error (copy-pasted a half-resolved merge instead of the
+    // clean diff). `git apply` would reject it with a confusing
+    // "corrupt patch" message; the dedicated reason makes the failure
+    // obvious. We only check at body line starts so a legitimate diff
+    // that adds a string literal containing `<<<<<<<` for tests still
+    // applies.
+    if (containsConflictMarkers(patch)) {
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'conflict_markers',
+            detail: 'patch body contains unresolved git conflict markers (<<<<<<<, =======, >>>>>>>). ' +
+                'Resolve the conflict first or use --3way with --base=<sha> to defer to git.',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'conflict_markers');
+        return result;
+    }
     const paths = extractPatchPaths(patch);
     if (paths.length === 0) {
         const result = {
@@ -179,20 +333,20 @@ export function applyPatch(ctx, patch, opts = {}) {
     if (check.status !== 0) {
         // Decide whether this is the "already applied" case or a real
         // failure. `git apply --check` rejects an already-applied patch
-        // with stderr containing `error: patch failed` and at least one
-        // hunk that mentions "patch does not apply" or "already exists".
-        // We use a conservative heuristic: when EVERY targeted file in the
-        // diff is present and the patch's pre-image is missing, treat it
-        // as already_applied. The simpler signal is the stderr string
-        // containing `already exists in working directory` (git's own
-        // message for a creating patch landing twice) or `does not apply`.
+        // with stderr containing patterns like "patch does not apply" or
+        // "already exists in working directory". The simpler signal is
+        // the stderr string containing `already exists in working directory`
+        // (git's own message for a creating patch landing twice) — that's
+        // the only path we treat as `already_applied` here. Other stderr
+        // surfaces fall through to `check_failed` so the operator sees the
+        // raw reason.
         const stderr = check.stderr.toLowerCase();
-        if (stderr.includes('already exists in working directory') || isLikelyAlreadyApplied(check.stderr, patch)) {
+        if (stderr.includes('already exists in working directory')) {
             const result = {
                 ok: false,
                 filesChanged: [],
                 reason: 'already_applied',
-                detail: 'patch pre-image does not match working tree — patch was likely already applied',
+                detail: 'patch creates a path that already exists — likely already applied',
             };
             recordToolResult(ctx.session, toolCallId, 'error', 'already_applied');
             return result;
@@ -214,6 +368,17 @@ export function applyPatch(ctx, patch, opts = {}) {
         recordToolResult(ctx.session, toolCallId, 'success', `dry-run ok, ${paths.length} files`);
         return result;
     }
+    // R1 fix (2026-05-26, PR #413 r1, Fix 6): snapshot which paths exist
+    // BEFORE the apply so rollbackFiles can decide between
+    // `git checkout -- <file>` (for files that existed) and `fs.rmSync`
+    // (for files the patch was creating that may have been half-written
+    // before the failure). Without this snapshot, `git checkout`
+    // gracefully no-ops on a never-tracked file and the partial creation
+    // is left behind.
+    const preExisting = new Map();
+    for (const p of paths) {
+        preExisting.set(p, existsSync(resolve(ctx.root, p)));
+    }
     const applyArgs = ['apply'];
     if (opts.baseSha)
         applyArgs.push('--3way');
@@ -223,7 +388,7 @@ export function applyPatch(ctx, patch, opts = {}) {
         // Apply failed AFTER --check passed. This is almost always a TOCTOU
         // (another writer touched a file between the two git calls).
         // Rollback ANY partial mutation so the workspace stays consistent.
-        const rollback = rollbackFiles(ctx.root, paths);
+        const rollback = rollbackFiles(ctx.root, paths, preExisting);
         const detail = apply.stderr.trim() || 'git apply failed after passing --check';
         if (!rollback.ok) {
             const result = {
@@ -258,28 +423,26 @@ export function applyPatch(ctx, patch, opts = {}) {
     recordToolResult(ctx.session, toolCallId, 'success', `applied ${paths.length} files`);
     return { ok: true, filesChanged: paths };
 }
-/**
- * Heuristic for the "patch already applied" case beyond git's explicit
- * `already exists` string. When `git apply --check` rejects with
- * `patch does not apply` AND every hunk's target file exists with
- * matching post-image lines, the patch is effectively a no-op repeat.
- * We keep the heuristic minimal because the explicit string covers the
- * dominant case; full hunk inspection would require parsing the patch
- * (which is what `git apply` does in the first place).
- */
-function isLikelyAlreadyApplied(stderr, _patch) {
-    return stderr.toLowerCase().includes('patch does not apply') === false ? false : false;
-    // Intentionally conservative for now — the explicit `already exists`
-    // case above covers the only path that's reliably distinguishable
-    // from a malformed-patch failure. A richer detector can land in
-    // α7.7b when we have a corpus of real "already_applied" stderr samples.
-}
 /**
  * Roll back any partial mutation by checking files out from HEAD. Used
  * only on the rare path where `git apply` fails AFTER `git apply --check`
  * passed.
+ *
+ * R1 fix (2026-05-26, PR #413 r1, Fix 6): a multi-file patch that
+ * creates new files leaves them on disk when `git apply` fails partway —
+ * `git checkout -- <file>` does NOT delete a path that was never tracked
+ * (the file was created by the failed apply). We split paths into two
+ * groups using the pre-apply snapshot:
+ *
+ *   - existed-before  -> `git checkout -- <file>` restores tracked content.
+ *   - created-by-apply -> `fs.rmSync(file, { force: true })` removes the
+ *     half-written file so the workspace ends up identical to its
+ *     pre-apply state.
+ *
+ * This keeps the dispatcher's invariant: a tool result of `ok: false`
+ * means the workspace is unchanged.
  */
-function rollbackFiles(cwd, paths) {
+function rollbackFiles(cwd, paths, preExisting) {
     if (paths.length === 0)
         return { ok: true };
     // We only attempt to roll back files that are inside the workspace
@@ -291,24 +454,103 @@ function rollbackFiles(cwd, paths) {
     });
     if (safePaths.length === 0)
         return { ok: true };
-    const result = runGit(['checkout', '--', ...safePaths], cwd);
-    if (result.status !== 0) {
-        return { ok: false, detail: result.stderr.trim() };
+    const toCheckout = [];
+    const toRemove = [];
+    for (const p of safePaths) {
+        if (preExisting.get(p))
+            toCheckout.push(p);
+        else
+            toRemove.push(p);
+    }
+    // Unlink files that the patch was creating. `force: true` swallows
+    // ENOENT so a creation that never got far enough to write the file
+    // is a no-op. We record every unlink failure but keep going so a
+    // single permission error on one file doesn't strand the others.
+    const removeFailures = [];
+    for (const p of toRemove) {
+        const abs = resolve(cwd, p);
+        try {
+            rmSync(abs, { force: true });
+        }
+        catch (error) {
+            removeFailures.push(`${p}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    if (toCheckout.length > 0) {
+        const result = runGit(['checkout', '--', ...toCheckout], cwd);
+        if (result.status !== 0) {
+            const detail = [result.stderr.trim(), ...removeFailures].filter(Boolean).join('; ');
+            return { ok: false, detail };
+        }
+    }
+    if (removeFailures.length > 0) {
+        return { ok: false, detail: `rollback unlink failed: ${removeFailures.join('; ')}` };
     }
     return { ok: true };
 }
 function runGit(args, cwd, stdin) {
+    // R1 fix (2026-05-26, PR #413 r1, P2 #13): force the English C locale
+    // for the git child process. The `already_applied` reason-coding
+    // below greps stderr for the literal English string
+    // "already exists in working directory"; on a host where git was
+    // installed with a translated message catalog (de_DE / ru_RU / etc.)
+    // the substring match would silently miss and the operator would see
+    // `check_failed` instead of `already_applied`. C locale (also
+    // LC_ALL) guarantees the canonical message regardless of host env.
     return spawnSync('git', args, {
         cwd,
         input: stdin,
         encoding: 'utf8',
         maxBuffer: 64 * 1024 * 1024,
+        env: { ...process.env, LANG: 'C', LC_ALL: 'C' },
     });
 }
+/**
+ * β7 L4: detect unresolved git conflict markers in a patch body.
+ *
+ * Conflict markers in a unified diff are a sign of operator error —
+ * someone copy-pasted a half-merged file instead of the clean diff.
+ * `git apply` would reject the patch with a confusing parse error
+ * ("corrupt patch at line N"). We check at the START of body lines so
+ * a legitimate diff that adds a string literal containing `<<<<<<<`
+ * (rare but legitimate for tests) still applies.
+ *
+ * Conflict marker bytes in a unified diff body look like:
+ *
+ *   +<<<<<<< HEAD
+ *   +=======
+ *   +>>>>>>> branch
+ *
+ * The `+` prefix is the unified-diff line-add marker. We strip it
+ * before the marker check; without the strip, an INVERSE diff that
+ * REMOVES a real conflict marker (legitimate cleanup commit) would be
+ * a false positive.
+ *
+ * Returns true when ANY conflict marker is detected.
+ */
+export function containsConflictMarkers(patch) {
+    for (const line of patch.split('\n')) {
+        // Only inspect body lines (start with `+` or `-` — the diff add/del
+        // markers). Header lines (`diff --git`, `+++`, `---`, `@@`) are
+        // skipped because the marker tokens cannot appear in those positions.
+        if (!(line.startsWith('+') || line.startsWith('-')))
+            continue;
+        // Skip diff header lines (`+++ b/foo` / `--- a/foo`).
+        if (line.startsWith('+++') || line.startsWith('---'))
+            continue;
+        const body = line.slice(1);
+        if (body.startsWith('<<<<<<<') ||
+            body.startsWith('>>>>>>>') ||
+            body === '=======') {
+            return true;
+        }
+    }
+    return false;
+}
 /**
  * Test-only surface for the apply-patch heuristics. Specs poke
  * `extractPatchPaths` directly to assert on the path-parsing layer
  * without paying for a real git invocation.
  */
-export const __test__ = { extractPatchPaths, isLikelyAlreadyApplied, runGit };
+export const __test__ = { extractPatchPaths, runGit, unquoteGitPath, containsConflictMarkers };
 //# sourceMappingURL=apply-patch.js.map