@pugi/cli 0.1.0-beta.2 → 0.1.0-beta.20

package/dist/core/edits/verify-hook.js

@@ -0,0 +1,273 @@
+/**
+ * Verify hook — β1b Pl10 (2026-05-26).
+ *
+ * After the edit-dispatcher writes a multi-file change to the
+ * workspace, this hook fires three lightweight checks against the
+ * post-state and reports each result back to the engine loop as a
+ * status event:
+ *
+ *   1. tsc — if `tsconfig.json` is present in the workspace root, run
+ *      `tsc --noEmit` to catch compile-time breakage. Pass/fail tracked
+ *      per file is overkill at this stage; we surface the exit code +
+ *      first ~40 lines of stderr.
+ *   2. tests — if package.json has a `test` script AND a test runner
+ *      is available (jest / vitest / node --test), run `pnpm test
+ *      --bail` (or `npm test --bail`). Same exit-code + tail of output
+ *      contract.
+ *   3. URL probes — extract every `https?://...` literal from the diff
+ *      (README + code) and HEAD-probe each. A response < 400 counts as
+ *      live; >=400 surfaces as a warning. Capped at 8 unique URLs per
+ *      hook to avoid spending the budget on doc rot.
+ *
+ * Retry contract (β1b r1 rescope): the hook itself is stateless and
+ * runs ONCE per invocation, returning a structured report. The
+ * "feedback → model → re-edit" retry orchestrator does NOT exist yet
+ * in the engine loop — it was promised as part of β1b Pl10 but never
+ * shipped because the engine refactor that hosts it is bigger than
+ * the verify-hook itself can absorb. Retry orchestration is deferred
+ * to β6 plan-mode integration where the loop already needs a
+ * model→hook feedback channel for plan replay. Today the operator
+ * re-runs `pugi code` to re-drive verification after a fail. The
+ * stateless hook ships unchanged so the β6 driver can wrap it.
+ *
+ * Why HEAD and not GET for URL probes:
+ *   - HEAD avoids the body fetch; cheaper + faster.
+ *   - SSRF guard from `web-fetch.ts::validateHostnameForFetch` runs
+ *     before every probe so private IPs / localhost cannot ride.
+ *   - Some servers reject HEAD (rare but real); on 4xx-from-HEAD we
+ *     do NOT escalate to GET — that would burn the budget. We surface
+ *     a `head_rejected` warning so the operator decides.
+ *
+ * Skip cases (return early with `skipped: true` on the relevant
+ * check):
+ *   - tsc: no `tsconfig.json` at workspace root.
+ *   - tests: no `package.json` OR no `test` script.
+ *   - urls: no `https?://...` literals in the diff.
+ *
+ * Best-effort: every failure mode degrades to a structured report; the
+ * hook itself NEVER throws. The engine loop decides whether to
+ * surface as a hard fail vs a model-correctable warning.
+ *
+ * Brand voice: ASCII only, no banned words.
+ */
+import { spawnSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { validateHostnameForFetch } from '../../tools/web-fetch.js';
+const DEFAULT_TIMEOUT_MS = 30_000;
+const DEFAULT_MAX_URL_PROBES = 8;
+const URL_LITERAL_RE = /(https?:\/\/[^\s"'<>()`\\\]]+)/g;
+/**
+ * Drive one verify pass. Synchronous tsc + test child processes,
+ * concurrent URL probes (up to `maxUrlProbes`). Returns once every
+ * check has completed (no streaming events — the caller wraps the
+ * report into its own status event format).
+ */
+export async function runVerifyHook(input) {
+    const timeoutMs = input.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    const runProc = input.runProc ?? defaultRunProc;
+    return {
+        tsc: runTscCheck(input.workspaceRoot, runProc, timeoutMs),
+        tests: runTestsCheck(input.workspaceRoot, runProc, timeoutMs),
+        urls: await runUrlChecks(input),
+    };
+}
+/* ----------------------- tsc check ---------------------- */
+function runTscCheck(workspaceRoot, runProc, timeoutMs) {
+    const tsconfig = resolve(workspaceRoot, 'tsconfig.json');
+    if (!existsSync(tsconfig)) {
+        return { ok: true, skipped: true, reason: 'no_tsconfig' };
+    }
+    // Prefer `pnpm exec tsc` because pnpm-aware monorepos hoist tsc into
+    // `node_modules/.bin`; fallback to bare `tsc` for global installs.
+    // We try `pnpm exec tsc` first only if a `pnpm-lock.yaml` is at the
+    // workspace root; otherwise we go straight to `tsc`.
+    const pnpmLock = existsSync(resolve(workspaceRoot, 'pnpm-lock.yaml'));
+    const cmd = pnpmLock ? 'pnpm' : 'tsc';
+    const args = pnpmLock ? ['exec', 'tsc', '--noEmit'] : ['--noEmit'];
+    const result = runProc(cmd, args, workspaceRoot, timeoutMs);
+    if (result.exitCode === 0)
+        return { ok: true };
+    return {
+        ok: false,
+        reason: `tsc_exit_${result.exitCode}`,
+        detail: tailOutput(result.stdout, result.stderr, 40),
+    };
+}
+/* ----------------------- tests check ---------------------- */
+function runTestsCheck(workspaceRoot, runProc, timeoutMs) {
+    const pkgPath = resolve(workspaceRoot, 'package.json');
+    if (!existsSync(pkgPath)) {
+        return { ok: true, skipped: true, reason: 'no_package_json' };
+    }
+    let pkg;
+    try {
+        pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+    }
+    catch {
+        return { ok: true, skipped: true, reason: 'malformed_package_json' };
+    }
+    if (!pkg.scripts || typeof pkg.scripts.test !== 'string') {
+        return { ok: true, skipped: true, reason: 'no_test_script' };
+    }
+    const pnpmLock = existsSync(resolve(workspaceRoot, 'pnpm-lock.yaml'));
+    // Prefer pnpm test --bail; some test runners reject the flag (node
+    // --test ignores it), so we surface non-zero exits clearly but do
+    // not retry without --bail.
+    // Both pnpm + npm accept `<cmd> test -- --bail`; the runner-side
+    // flag-forwarding contract is identical, so the ternary collapses to
+    // a single args literal.
+    const cmd = pnpmLock ? 'pnpm' : 'npm';
+    const args = ['test', '--', '--bail'];
+    const result = runProc(cmd, args, workspaceRoot, timeoutMs);
+    if (result.exitCode === 0)
+        return { ok: true };
+    return {
+        ok: false,
+        reason: `tests_exit_${result.exitCode}`,
+        detail: tailOutput(result.stdout, result.stderr, 60),
+    };
+}
+/* ----------------------- url probes ---------------------- */
+async function runUrlChecks(input) {
+    const diffText = input.diffText ?? '';
+    if (diffText.length === 0) {
+        return { ok: true, skipped: true, reason: 'no_diff_text' };
+    }
+    const urls = extractUrls(diffText);
+    if (urls.length === 0) {
+        return { ok: true, skipped: true, reason: 'no_urls' };
+    }
+    const cap = input.maxUrlProbes ?? DEFAULT_MAX_URL_PROBES;
+    const probed = urls.slice(0, cap);
+    const probeFn = input.probeFn ?? defaultProbeFn;
+    const failures = [];
+    for (const url of probed) {
+        // Hostname SSRF guard — never probe a localhost / private IP even
+        // when a literal in the diff points there.
+        let parsed;
+        try {
+            parsed = new URL(url);
+        }
+        catch {
+            failures.push({ url, error: 'invalid_url' });
+            continue;
+        }
+        if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+            failures.push({ url, error: `unsupported_scheme_${parsed.protocol}` });
+            continue;
+        }
+        const hostname = parsed.hostname.replace(/^\[|\]$/g, '');
+        const guard = await validateHostnameForFetch(hostname);
+        if (guard) {
+            failures.push({ url, error: `ssrf_refused: ${guard}` });
+            continue;
+        }
+        try {
+            const r = await probeFn(url);
+            if ('error' in r) {
+                failures.push({ url, error: r.error });
+                continue;
+            }
+            if (r.status >= 400) {
+                failures.push({ url, error: `http_${r.status}` });
+            }
+        }
+        catch (error) {
+            failures.push({
+                url,
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    if (failures.length === 0) {
+        return { ok: true, probedCount: probed.length };
+    }
+    return {
+        ok: false,
+        reason: `url_probe_failed`,
+        probedCount: probed.length,
+        failures,
+        detail: failures.map((f) => `${f.url} → ${f.error}`).join('; '),
+    };
+}
+/**
+ * Extract unique http(s) URLs from a diff/text blob. Order preserved
+ * (first-seen) so the cap picks the earliest-mentioned ones, which
+ * intuitively matches the operator's expectation.
+ */
+export function extractUrls(text) {
+    const seen = new Set();
+    const out = [];
+    let match;
+    // Reset the regex's lastIndex; URL_LITERAL_RE is module-scoped and
+    // /g means stateful exec calls.
+    URL_LITERAL_RE.lastIndex = 0;
+    while ((match = URL_LITERAL_RE.exec(text)) !== null) {
+        const raw = match[1];
+        if (!raw)
+            continue;
+        // Strip a trailing punctuation that the regex tolerates inside
+        // the match (sentences in Markdown often end `... https://x).`).
+        // We also strip `!` and `?` so prose like "see https://x!" lands
+        // as `https://x`.
+        const cleaned = raw.replace(/[.,;:!?)\]>]+$/, '');
+        if (cleaned.length === 0)
+            continue;
+        if (seen.has(cleaned))
+            continue;
+        seen.add(cleaned);
+        out.push(cleaned);
+    }
+    return out;
+}
+/* ----------------------- defaults ---------------------- */
+function defaultRunProc(cmd, args, cwd, timeoutMs) {
+    const result = spawnSync(cmd, [...args], {
+        cwd,
+        encoding: 'utf8',
+        timeout: timeoutMs,
+        // Inherit a minimal env — every check is read-only against the
+        // workspace and we do not want to leak PUGI_API_KEY into a
+        // sub-process accidentally.
+        env: { ...process.env, PUGI_API_KEY: undefined, PUGI_LOGIN_TOKEN: undefined },
+    });
+    return {
+        exitCode: typeof result.status === 'number' ? result.status : -1,
+        stdout: result.stdout ?? '',
+        stderr: result.stderr ?? '',
+    };
+}
+async function defaultProbeFn(url) {
+    // Lazy-import undici so the verify-hook module stays cheap when
+    // url probes are skipped.
+    const { request } = await import('undici');
+    try {
+        const response = await request(url, {
+            method: 'HEAD',
+            bodyTimeout: 5_000,
+            headersTimeout: 5_000,
+        });
+        // Drain so the connection releases promptly.
+        try {
+            await response.body.dump();
+        }
+        catch {
+            /* swallow */
+        }
+        return { status: response.statusCode };
+    }
+    catch (error) {
+        return { error: error instanceof Error ? error.message : String(error) };
+    }
+}
+function tailOutput(stdout, stderr, maxLines) {
+    const merged = `${stdout}\n${stderr}`.trim();
+    if (merged.length === 0)
+        return '';
+    const lines = merged.split('\n');
+    if (lines.length <= maxLines)
+        return merged;
+    return `... (${lines.length - maxLines} earlier lines elided)\n${lines.slice(-maxLines).join('\n')}`;
+}
+//# sourceMappingURL=verify-hook.js.map

package/dist/core/edits/worktree.js

@@ -30,10 +30,12 @@
  * Brand voice: ASCII only, no emoji, no banned words.
  */
 import { spawnSync } from 'node:child_process';
-import { existsSync, mkdirSync, rmSync } from 'node:fs';
+import { existsSync, mkdirSync, realpathSync, rmSync } from 'node:fs';
 import { randomUUID } from 'node:crypto';
 import { resolve, sep } from 'node:path';
 import { OperatorAbortedError } from '../../tools/file-tools.js';
+import { applySecurityGate } from './security-gate.js';
+import { extractPatchPaths } from '../../tools/apply-patch.js';
 /**
  * Create a scratch worktree under `.pugi/worktrees/<uuid>`. The path is
  * guaranteed unique (uuid) so multiple agent loops can run in parallel
@@ -121,25 +123,58 @@ export function promoteWorktree(opts) {
             detail: `worktree path does not exist: ${opts.worktreePath}`,
         };
     }
-    // Capture the diff. Include both unstaged AND staged changes — the
-    // agent loop typically stages nothing (it just writes files), but
-    // honoring both is forward-compatible with hand-edits inside the
-    // worktree.
-    const diff = runGit(['diff', '--binary', opts.baseSha], opts.worktreePath);
-    if (diff.status !== 0) {
+    // Capture the diff against the base SHA. `git diff <baseSha>`
+    // (no `--cached`) compares the WORKING TREE against the base, which
+    // covers both unstaged AND staged changes in a single invocation —
+    // anything the working tree shows is included. `--binary` ensures
+    // non-text files survive the round-trip.
+    //
+    // Note: untracked files that were NEVER staged stay invisible — git
+    // diff has no native flag to include them. The agent loop must
+    // `git add` any new file it wants promoted; the CLI surface
+    // documents this explicitly so the contract is not surprising.
+    // (Staging is enough to expose the file; the file does not need to
+    // be committed.)
+    const diffResult = runGit(['diff', '--binary', opts.baseSha], opts.worktreePath);
+    if (diffResult.status !== 0) {
         return {
             ok: false,
             reason: 'git_command_failed',
-            detail: `git diff failed: ${diff.stderr}`,
+            detail: `git diff failed: ${diffResult.stderr}`,
         };
     }
-    if (diff.stdout.trim().length === 0) {
+    const diffText = diffResult.stdout;
+    if (diffText.trim().length === 0) {
         return { ok: true, value: { filesChanged: 0 } };
     }
+    // SECURITY GATE (R1 fix 2026-05-26, PR #413 r1) — every path mentioned
+    // in the worktree's diff goes through the same `applySecurityGate`
+    // chokepoint as the apply_patch + Layer A/B/C applicators. A staged
+    // `.env` (or `../../etc/passwd`, or a symlink into a protected target)
+    // inside the worktree must NOT slip into the operator's main tree just
+    // because the worktree itself was a sandboxed scratch dir. Without
+    // this gate, `promoteWorktree` was a clean bypass of every other edit
+    // primitive's safety net.
+    const diffPaths = extractPatchPaths(diffText);
+    const failedPaths = [];
+    for (const file of diffPaths) {
+        const gate = applySecurityGate(file, { cwd: opts.cwd, toolName: 'layer-c' });
+        if (!gate.ok) {
+            failedPaths.push(`${file}: ${gate.reason}`);
+        }
+    }
+    if (failedPaths.length > 0) {
+        return {
+            ok: false,
+            reason: 'protected_file_in_worktree',
+            detail: `worktree diff touches protected/escaping paths: ${failedPaths.join('; ')}`,
+            files: failedPaths,
+        };
+    }
     // `git apply --check` validates the diff against the main tree first.
     // Refuse early on conflict so the operator can resolve before we
     // touch any file.
-    const check = runGit(['apply', '--check', '-'], opts.cwd, diff.stdout);
+    const check = runGit(['apply', '--check', '-'], opts.cwd, diffText);
     if (check.status !== 0) {
         return {
             ok: false,
@@ -148,9 +183,9 @@ export function promoteWorktree(opts) {
         };
     }
     if (opts.dryRun) {
-        return { ok: true, value: { filesChanged: countDiffFiles(diff.stdout) } };
+        return { ok: true, value: { filesChanged: countDiffFiles(diffText) } };
     }
-    const apply = runGit(['apply', '-'], opts.cwd, diff.stdout);
+    const apply = runGit(['apply', '-'], opts.cwd, diffText);
     if (apply.status !== 0) {
         return {
             ok: false,
@@ -158,23 +193,81 @@ export function promoteWorktree(opts) {
             detail: `git apply failed: ${apply.stderr}`,
         };
     }
-    return { ok: true, value: { filesChanged: countDiffFiles(diff.stdout) } };
+    return { ok: true, value: { filesChanged: countDiffFiles(diffText) } };
 }
 /**
  * Drop a worktree both from git's bookkeeping and from disk. Idempotent —
  * a missing path returns `worktree_missing` which the caller can ignore
  * on the cleanup-after-error path.
+ *
+ * Security (R1 fix 2026-05-26, PR #413 r1): we MUST validate the path is
+ * a real subdirectory of `<cwd>/.pugi/worktrees/` BEFORE running either
+ * `git worktree remove --force` or `rmSync`. Without this gate, a
+ * typo like `pugi worktree drop ../some-dir` recursively deleted an
+ * arbitrary directory: `git worktree remove` correctly failed (path not
+ * registered), but the `rmSync(worktreePath, recursive: true)` below
+ * still fired regardless.
+ *
+ * We resolve both `cwd` and `worktreePath` through `realpathSync` so a
+ * caller passing a symlink that points outside `.pugi/worktrees/` is
+ * still rejected. When the worktree path does not exist on disk at all
+ * (idempotent re-drop of an already-removed worktree), we fall back to
+ * the lexical containment check — the rejection only matters when there
+ * is a real directory to delete.
  */
 export function dropWorktree(worktreePath, cwd) {
+    // SECURITY GATE — validate containment under `<cwd>/.pugi/worktrees/`
+    // BEFORE any destructive call. Two-tier check:
+    //   1. lexical containment using resolved (but not realpath'd) paths,
+    //      catches the operator-typo + missing-worktree cases.
+    //   2. realpath containment when the path exists, catches symlink
+    //      shenanigans.
+    const scratchRootLexical = resolve(cwd, '.pugi', 'worktrees');
+    const worktreeLexical = resolve(cwd, worktreePath);
+    const insideLexical = worktreeLexical.startsWith(scratchRootLexical + sep) &&
+        worktreeLexical !== scratchRootLexical;
+    if (!insideLexical) {
+        return {
+            ok: false,
+            reason: 'invalid_worktree_path',
+            detail: `worktree path ${worktreePath} is not under ${scratchRootLexical}`,
+        };
+    }
+    if (existsSync(worktreeLexical)) {
+        try {
+            const realScratchRoot = realpathSync(scratchRootLexical);
+            const realWorktree = realpathSync(worktreeLexical);
+            const insideReal = realWorktree.startsWith(realScratchRoot + sep) &&
+                realWorktree !== realScratchRoot;
+            if (!insideReal) {
+                return {
+                    ok: false,
+                    reason: 'invalid_worktree_path',
+                    detail: `worktree realpath ${realWorktree} escapes ${realScratchRoot}`,
+                };
+            }
+        }
+        catch (error) {
+            // realpath failed for a path that exists — surface as
+            // invalid_worktree_path so we never recurse into rmSync on an
+            // unreadable path.
+            return {
+                ok: false,
+                reason: 'invalid_worktree_path',
+                detail: `cannot realpath worktree path: ${error instanceof Error ? error.message : String(error)}`,
+            };
+        }
+    }
     // `git worktree remove --force` cleans the metadata in `.git/worktrees`.
     // If the worktree was created by another process and already pruned,
     // git returns non-zero — we still try to `rmSync` the dir to leave the
-    // filesystem consistent.
-    const remove = runGit(['worktree', 'remove', '--force', worktreePath], cwd);
+    // filesystem consistent. Path containment has already been validated
+    // above so the rmSync below is bounded to `.pugi/worktrees/`.
+    const remove = runGit(['worktree', 'remove', '--force', worktreeLexical], cwd);
     const gitCleanFailed = remove.status !== 0;
-    if (existsSync(worktreePath)) {
+    if (existsSync(worktreeLexical)) {
         try {
-            rmSync(worktreePath, { recursive: true, force: true });
+            rmSync(worktreeLexical, { recursive: true, force: true });
         }
         catch (error) {
             if (gitCleanFailed) {
@@ -186,7 +279,7 @@ export function dropWorktree(worktreePath, cwd) {
             }
         }
     }
-    if (gitCleanFailed && !worktreePath.includes(`${sep}.pugi${sep}worktrees${sep}`)) {
+    if (gitCleanFailed && !worktreeLexical.includes(`${sep}.pugi${sep}worktrees${sep}`)) {
         // A worktree that wasn't created by us (path is outside our naming
         // convention) is suspicious — surface the failure so the operator
         // can diagnose.

package/dist/core/engine/anvil-client.js

@@ -1,3 +1,10 @@
+// PR-CLI-SERVER-VERSION-HANDSHAKE (#225). The interceptor stamps the
+// outbound X-Pugi-Cli-Version header, inspects the inbound recommended/
+// server-version headers, and throws PugiCliUpgradeRequiredError on a
+// 426 server response. The top-level catch in `runtime/cli.ts` /
+// `index.ts` renders the upgrade message and exits 1.
+import { assertNotUpgradeRequired, injectClientVersionHeader, inspectVersionResponse, } from '../transport/version-interceptor.js';
+import { PUGI_CLI_VERSION } from '../../runtime/version.js';
 /**
  * Anvil-backed engine loop client.
  *
@@ -54,23 +61,77 @@ export class AnvilEngineLoopClient {
             options.signal.addEventListener('abort', onAbort);
         const timeout = setTimeout(() => controller.abort(), this.config.timeoutMs);
         try {
+            // PR-CLI-SERVER-VERSION-HANDSHAKE (#225). Stamp the outbound
+            // X-Pugi-Cli-Version header so the admin-api middleware can
+            // decide whether to honour, soft-warn, or 426 this request.
+            const outboundHeaders = injectClientVersionHeader({
+                'content-type': 'application/json',
+                authorization: `Bearer ${this.config.apiKey}`,
+                'user-agent': 'pugi-cli/0.0.1',
+            }, PUGI_CLI_VERSION);
             const res = await fetch(url, {
                 method: 'POST',
-                headers: {
-                    'content-type': 'application/json',
-                    authorization: `Bearer ${this.config.apiKey}`,
-                    'user-agent': 'pugi-cli/0.0.1',
-                },
+                headers: outboundHeaders,
                 body: JSON.stringify({
                     personaSlug: options.personaSlug,
                     messages,
                     tools,
                     maxTokens: options.maxTokens,
                     temperature: options.temperature,
+                    // β1 (audit E2): the admin-api `EngineRequestDto` accepts
+                    // these optional fields (see `pugi-engine.controller.ts:230`
+                    // EngineRequestDto schema). Before this fix the CLI dropped
+                    // them, which forced the controller to fall back to legacy
+                    // per-persona resolution + emit `command="(none)"` in its
+                    // structured logs. `undefined` keys are stripped by
+                    // `JSON.stringify` so the payload stays clean for fixture
+                    // clients that exact-match the body shape.
+                    command: options.command,
+                    // β1a r1: `tag` is `EngineDispatchTag` object shape now —
+                    // `JSON.stringify` serialises it as `{tag, priority?,
+                    // budget_hint?}` matching `EngineDispatchTagDto`. Previously
+                    // this was a bare string and the server's `IsIn` validator
+                    // rejected every payload with HTTP 400.
+                    tag: options.tag,
+                    model: options.model,
                 }),
                 signal: controller.signal,
             });
             const text = await res.text();
+            // PR-CLI-SERVER-VERSION-HANDSHAKE: cache server-recommended +
+            // server-version headers so UpdateBanner / `pugi doctor` can
+            // surface them, then short-circuit on 426 by throwing
+            // PugiCliUpgradeRequiredError. The throw bubbles to the
+            // top-level catch in index.ts which renders the upgrade banner.
+            // The getter shim handles both real `Response` (`.headers.get`)
+            // and minimal fixture/stub responses (`.headers?.[name]`) so
+            // existing transport tests that mock `fetch` with `{status, text}`
+            // don't need to grow a Headers polyfill just to keep passing.
+            //
+            // Cache poison guard: skip the inspect step on 426. A hostile
+            // upstream (proxy with a compromised cert pin, or a transient MITM
+            // on a coffee-shop network) could otherwise forge an
+            // `X-Pugi-Cli-Upgrade-Recommended` header alongside a 426 status
+            // and poison `cachedServerRecommendation` for the rest of the REPL
+            // session — `UpdateBanner` would then surface attacker-chosen
+            // version strings to the operator. The 426 body still carries the
+            // legitimate `recommendedVersion` field, which assertNotUpgrade-
+            // Required parses + throws with, so the operator-facing banner
+            // remains accurate via the error path.
+            if (res.status !== 426) {
+                inspectVersionResponse((name) => {
+                    const h = res.headers;
+                    if (h && typeof h.get === 'function') {
+                        return h.get(name);
+                    }
+                    if (h && typeof h === 'object') {
+                        const lowered = h[name.toLowerCase()];
+                        return lowered ?? null;
+                    }
+                    return null;
+                });
+            }
+            assertNotUpgradeRequired(res.status, text, PUGI_CLI_VERSION);
             if (res.status === 200) {
                 try {
                     const json = JSON.parse(text);
@@ -119,6 +180,55 @@ export class AnvilEngineLoopClient {
                 };
             }
             if (res.status === 401 || res.status === 403) {
+                // 403 has two distinct causes:
+                //   1. genuinely invalid / expired token (auth_missing) — the
+                //      old default.
+                //   2. tenant authenticated successfully but the privacy mode
+                //      (strict / balanced policy) refused upstream LLM dispatch.
+                //      The admin-api returns
+                //      `{ code: 'privacy_strict_upstream_blocked', mode, model,
+                //         message: '...switch via pugi config set privacy=...' }`.
+                //      Reported as `auth_missing` the user runs `pugi login`
+                //      again, which does nothing — the actual fix is a privacy-
+                //      mode change. Parse the body and route accordingly.
+                // (2026-05-27 P0.3 — dogfood surfaced this on /api/pugi/engine
+                // for a strict-mode tenant; see memory feedback_no_fake_dispatch_promises
+                // for the broader "misleading error" pattern.)
+                try {
+                    const parsed = text ? JSON.parse(text) : null;
+                    // 2026-05-27 dogfood cycle 2: distinct error code for the
+                    // infra-side "PII scrubber down" case. Previously the engine
+                    // server returned `privacy_strict_upstream_blocked` here even
+                    // when the tenant was on BALANCED (the scrubber crash forced
+                    // a fail-closed). Operators chased the wrong fix ("switch
+                    // privacy") for hours. Server now emits
+                    // `pii_scrubber_unavailable` — surface a distinct remediation
+                    // that points at the infra side, not the operator's privacy
+                    // posture.
+                    if (parsed?.code === 'pii_scrubber_unavailable') {
+                        return {
+                            stop: 'error',
+                            code: 'privacy_blocked',
+                            message: parsed.message ?? 'PII scrubber unavailable; privacy filter refused dispatch.',
+                            remediation: 'Infra-side issue (not your tenant privacy mode). Wait for ops to restore ' +
+                                'the PiiScrubberService, OR temporarily switch your tenant to permissive via ' +
+                                '`pugi config set privacy=permissive`.',
+                        };
+                    }
+                    if (parsed?.code === 'privacy_strict_upstream_blocked' || parsed?.code === 'privacy_blocked') {
+                        return {
+                            stop: 'error',
+                            code: 'privacy_blocked',
+                            message: parsed.message ?? 'Tenant privacy mode forbids upstream LLM dispatch.',
+                            remediation: 'pugi config set privacy=balanced — OR configure a self-hosted Anvil model.',
+                        };
+                    }
+                }
+                catch {
+                    // Body not JSON — fall through to the generic auth_missing
+                    // branch below; the 200-char text echo on `failed` will at
+                    // least give the operator the raw response to triage.
+                }
                 return {
                     stop: 'error',
                     code: 'auth_missing',