@pugi/cli 0.1.0-beta.2 → 0.1.0-beta.4

package/dist/runtime/commands/roster.js

@@ -0,0 +1,117 @@
+/**
+ * `pugi roster` command - α7.5 Tier 1 instantiation Phase 1.
+ *
+ * Lists the live Tier 1 personas with display name, role, and routing
+ * tag. The CLI walks two sources in order:
+ *
+ *   1. The local @pugi/personas roster (THE_TEN). Always succeeds; the
+ *      ten brand-canonical personas are baked into the SDK.
+ *   2. The remote `GET /api/pugi/sessions/roster` endpoint when the
+ *      operator has a valid credential. The remote response carries the
+ *      server-side dispatch role + dispatchTag for each slug so the
+ *      operator sees the actual routing decision the dispatcher will
+ *      apply on a `pugi delegate <slug>` call.
+ *
+ * The command never fails if the network is unreachable - it falls back
+ * to local-only output with a one-line warning. This matches the
+ * local-first contract (ADR-0037): the operator can still see who is on
+ * the team without an API key.
+ *
+ * Output:
+ *   - text default: a 3-column table (slug | name | role).
+ *   - --json:        a structured array of { slug, name, role, totem,
+ *                    dispatchTag } records, used by scripted callers.
+ */
+import { THE_TEN } from '@pugi/personas';
+import { fetchPersonaRoster, } from '@pugi/sdk';
+/**
+ * Fallback role + tag table the CLI uses when the runtime is unreachable
+ * (no credentials, network error, older runtime without the
+ * /sessions/roster endpoint). Mirrors the server-side
+ * persona-dispatch.ts PERSONA_REGISTRY so a CLI that ran without
+ * credentials still shows the operator the right routing intent.
+ */
+const FALLBACK_ROLE_BY_SLUG = Object.freeze({
+    main: { role: 'orchestrator', dispatchTag: 'reason' },
+    architect: { role: 'architect', dispatchTag: 'reason' },
+    dev: { role: 'coder', dispatchTag: 'codegen' },
+    qa: { role: 'verifier', dispatchTag: 'reason' },
+    pm: { role: 'release', dispatchTag: 'reason' },
+    devops: { role: 'devops', dispatchTag: 'reason' },
+    researcher: { role: 'researcher', dispatchTag: 'reason' },
+    analyst: { role: 'analyst', dispatchTag: 'summarize' },
+    designer: { role: 'design_qa', dispatchTag: 'reason' },
+    frontend: { role: 'frontend', dispatchTag: 'codegen' },
+});
+/**
+ * Build the roster rows by merging the local @pugi/personas brand
+ * roster with the remote dispatch metadata when a credential is
+ * available. Pure function so the runtime CLI command can unit-test it
+ * without standing up an Anvil endpoint.
+ */
+export function mergeRoster(brandRoster, remote) {
+    const remoteIndex = new Map((remote ?? []).map((entry) => [entry.slug, entry]));
+    return brandRoster.map((persona) => {
+        const fromRemote = remoteIndex.get(persona.slug);
+        const fallback = FALLBACK_ROLE_BY_SLUG[persona.slug] ?? {
+            role: persona.role,
+            dispatchTag: 'reason',
+        };
+        return {
+            slug: persona.slug,
+            name: persona.name,
+            totem: persona.animal,
+            role: fromRemote?.role ?? fallback.role,
+            dispatchTag: fromRemote?.dispatchTag ?? fallback.dispatchTag,
+            oneLiner: persona.oneLiner,
+            source: fromRemote ? 'remote' : 'local-fallback',
+        };
+    });
+}
+/**
+ * Render a roster as a plain-text 3-column table the operator reads in
+ * the terminal. The column widths grow to fit the longest cell so a
+ * future displayName drift does not truncate silently.
+ */
+export function renderRosterTable(rows) {
+    if (rows.length === 0)
+        return 'Roster is empty.';
+    const head = { slug: 'slug', name: 'name', totem: 'totem', role: 'role', dispatchTag: 'tag' };
+    const widths = {
+        slug: Math.max(head.slug.length, ...rows.map((r) => r.slug.length)),
+        name: Math.max(head.name.length, ...rows.map((r) => r.name.length)),
+        totem: Math.max(head.totem.length, ...rows.map((r) => r.totem.length)),
+        role: Math.max(head.role.length, ...rows.map((r) => r.role.length)),
+        dispatchTag: Math.max(head.dispatchTag.length, ...rows.map((r) => r.dispatchTag.length)),
+    };
+    const pad = (s, width) => s + ' '.repeat(Math.max(0, width - s.length));
+    const line = (r) => [pad(r.slug, widths.slug), pad(r.name, widths.name), pad(r.totem, widths.totem), pad(r.role, widths.role), pad(r.dispatchTag, widths.dispatchTag)].join('  ');
+    const header = line(head);
+    const sep = '-'.repeat(header.length);
+    return [header, sep, ...rows.map((r) => line(r))].join('\n');
+}
+/**
+ * Resolve the roster by walking remote + local sources. The CLI command
+ * is a thin wrapper around this function so unit tests can exercise the
+ * merge logic without hitting the runtime.
+ */
+export async function resolveRoster(config) {
+    if (!config) {
+        return {
+            rows: mergeRoster(THE_TEN, null),
+            warning: 'no credential configured; showing local @pugi/personas roster only',
+        };
+    }
+    const result = await fetchPersonaRoster(config);
+    if (result.status === 'ok') {
+        return { rows: mergeRoster(THE_TEN, result.response.personas), warning: null };
+    }
+    const reason = result.status === 'endpoint_missing'
+        ? 'runtime does not expose /api/pugi/sessions/roster (upgrade admin-api to α7.5+)'
+        : result.message;
+    return {
+        rows: mergeRoster(THE_TEN, null),
+        warning: `roster fetch failed (${result.status}): ${reason}; showing local roster only`,
+    };
+}
+//# sourceMappingURL=roster.js.map

package/dist/tools/registry.js

@@ -1,19 +1,8 @@
 const registry = [
-    // α7.7: unified-diff patch apply. Routes through the same security
-    // gate as Layer A/B/C, so the risk class matches `edit`/`write`
-    // (medium — writes inside the workspace, never to protected files).
-    { name: 'apply_patch', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
     { name: 'bash', permission: 'bash', risk: 'high', concurrencySafe: false, m1: true },
     { name: 'edit', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
     { name: 'glob', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'grep', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    // α7.7: LSP read-only surface. Server runs locally, no Anvil
-    // round-trip. Concurrency-safe because every operation reads
-    // server state without mutating workspace files.
-    { name: 'lsp_definition', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'lsp_diagnostics', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'lsp_hover', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'lsp_references', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'question', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
     { name: 'read', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'skill', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
@@ -22,13 +11,6 @@ const registry = [
     { name: 'task_list', permission: 'none', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'task_update', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
     { name: 'web_fetch', permission: 'network', risk: 'medium', concurrencySafe: true, m1: true },
-    // α7.7: scratch worktree management. `worktree_create` writes nothing
-    // dangerous (a clone under `.pugi/worktrees/`); `worktree_promote`
-    // applies a diff back to the main tree, so it shares the `edit`
-    // risk class. `worktree_drop` is the cleanup primitive.
-    { name: 'worktree_create', permission: 'edit', risk: 'low', concurrencySafe: false, m1: true },
-    { name: 'worktree_drop', permission: 'edit', risk: 'low', concurrencySafe: false, m1: true },
-    { name: 'worktree_promote', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
     { name: 'write', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
 ];
 export const toolRegistry = registry.sort((a, b) => a.name.localeCompare(b.name));

package/dist/tui/repl-render.js

@@ -95,18 +95,6 @@ export async function renderRepl(options) {
     // When skipSplash is true (operator opted out via --no-splash), we
     // suppress the pre-print too so the boot stays silent.
     const mascotPrePrinted = options.skipSplash === true ? false : printPugMascotPreInk(process.stdout);
-    // α6.14.4 CEO dogfood 2026-05-25 (parity with Claude Code): enter
-    // the terminal's alternate screen buffer so the REPL renders on a
-    // fresh "screen" the operator cannot scroll above. On exit, leave
-    // restores the previous terminal contents — the conversation does
-    // not pollute the operator's shell history. Skipped under --no-tty
-    // and when stdout is not a TTY (pipe/CI), where the escapes would
-    // appear as literal characters.
-    const supportsAltScreen = process.stdout.isTTY === true;
-    if (supportsAltScreen) {
-        process.stdout.write('\x1b[?1049h');
-        process.stdout.write('\x1b[H');
-    }
     const instance = render(React.createElement(Repl, {
         session,
         updateBanner: options.updateBanner ?? null,
@@ -114,26 +102,10 @@ export async function renderRepl(options) {
         hideToolStream: options.hideToolStream === true,
         mascotPrePrinted,
     }));
-    const restoreAltScreen = () => {
-        if (supportsAltScreen) {
-            try {
-                process.stdout.write('\x1b[?1049l');
-            }
-            catch {
-                /* shutdown race — terminal already detached */
-            }
-        }
-    };
-    // Make sure we leave the alt screen on abrupt exits too. Without
-    // this the operator's shell stays "frozen" on the Pugi splash.
-    process.once('exit', restoreAltScreen);
-    process.once('SIGINT', restoreAltScreen);
-    process.once('SIGTERM', restoreAltScreen);
     try {
         await instance.waitUntilExit();
     }
     finally {
-        restoreAltScreen();
         session.close();
         if (store) {
             try {

package/dist/tui/repl.js

@@ -178,7 +178,16 @@ export function Repl(props) {
             return undefined;
         return props.session.cancel();
     }, [props.session, modalActive]);
-    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, children: [props.updateBanner ? _jsx(UpdateBanner, { result: props.updateBanner }) : null, splashVisible ? (_jsx(ReplSplash, { cliVersion: state.cliVersion, workspaceLabel: state.workspaceLabel, plan: props.splashPlan, model: props.splashModel, tenant: props.splashTenant, onDismiss: dismissSplash, mascotPrePrinted: props.mascotPrePrinted === true })) : null, _jsx(Header, { state: state }), _jsx(Box, { flexDirection: "column", marginTop: 1, children: overlay === 'help' ? (_jsx(HelpOverlay, {})) : overlay === 'roster' ? (_jsx(RosterOverlay, {})) : overlay === 'farewell' ? (_jsx(FarewellOverlay, {})) : (_jsx(MainArea, { state: state, personaNames: personaNames, nowEpochMs: tickNow, hideToolStream: props.hideToolStream === true, toolStreamCollapsed: toolStreamCollapsed })) }), state.pendingAsk ? (_jsx(Box, { marginTop: 1, children: _jsx(AskModal, { tag: state.pendingAsk, onResolve: handleAskResolve }) })) : null, state.pendingPlanReview ? (_jsx(Box, { marginTop: 1, children: _jsx(PlanReviewModal, { tag: state.pendingPlanReview, onResolve: handlePlanReviewResolve }) })) : null, _jsxs(Box, { flexDirection: "column", marginTop: 1, children: [overlay === 'farewell' || modalActive ? null : (_jsx(InputBox, { onSubmit: handleSubmit, onExit: handleExit, onCancel: handleCancel, now: props.now, 
+    // α6.14.5 CEO dogfood 2026-05-25 (parity with Claude Code): the
+    // input box must pin to the BOTTOM of the alt-screen viewport, not
+    // float right under the conversation. Beta.3 attempt at full-height
+    // broke keystroke focus (raw echo at row 79). The right pattern is
+    // minHeight on the root + flexGrow on the conversation pane so the
+    // empty space sits ABOVE the input, not below it. The input then
+    // captures all keystrokes because it is the only Ink-focusable
+    // surface adjacent to the cursor row.
+    const altScreenRows = process.stdout.rows ?? 24;
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, minHeight: altScreenRows, children: [props.updateBanner ? _jsx(UpdateBanner, { result: props.updateBanner }) : null, splashVisible ? (_jsx(ReplSplash, { cliVersion: state.cliVersion, workspaceLabel: state.workspaceLabel, plan: props.splashPlan, model: props.splashModel, tenant: props.splashTenant, onDismiss: dismissSplash, mascotPrePrinted: props.mascotPrePrinted === true })) : null, _jsx(Header, { state: state }), _jsx(Box, { flexDirection: "column", marginTop: 1, flexGrow: 1, children: overlay === 'help' ? (_jsx(HelpOverlay, {})) : overlay === 'roster' ? (_jsx(RosterOverlay, {})) : overlay === 'farewell' ? (_jsx(FarewellOverlay, {})) : (_jsx(MainArea, { state: state, personaNames: personaNames, nowEpochMs: tickNow, hideToolStream: props.hideToolStream === true, toolStreamCollapsed: toolStreamCollapsed })) }), state.pendingAsk ? (_jsx(Box, { marginTop: 1, children: _jsx(AskModal, { tag: state.pendingAsk, onResolve: handleAskResolve }) })) : null, state.pendingPlanReview ? (_jsx(Box, { marginTop: 1, children: _jsx(PlanReviewModal, { tag: state.pendingPlanReview, onResolve: handlePlanReviewResolve }) })) : null, _jsxs(Box, { flexDirection: "column", marginTop: 1, children: [overlay === 'farewell' || modalActive ? null : (_jsx(InputBox, { onSubmit: handleSubmit, onExit: handleExit, onCancel: handleCancel, now: props.now, 
                         // Slug from process.cwd() (full path) so two workspaces with
                         // the same basename do not share history. state.workspaceLabel
                         // is the basename only. Codex review P2.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.2",
+  "version": "0.1.0-beta.4",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -52,7 +52,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.2"
+    "@pugi/sdk": "0.1.0-beta.4"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",

package/dist/core/edits/worktree.js

@@ -1,229 +0,0 @@
-/**
- * Worktree isolation — α7.7 Phase 1.
- *
- * Wraps `git worktree add` so a long agent loop (build / consensus
- * review / multi-file refactor) can land its edits into a scratch
- * workspace, run the validators against THAT path, and only then promote
- * the resulting diff back to the operator's main working tree. The
- * primary win is safety: a half-applied refactor never corrupts the
- * operator's branch.
- *
- * Three operations:
- *
- *   - `createWorktree(branch)` — spawns `git worktree add --detach`
- *     under `.pugi/worktrees/<uuid>` based on the supplied branch (or
- *     HEAD when omitted). Returns the absolute path + a `cleanup()`
- *     callback. The dir lives under `.pugi/` so the existing `.gitignore`
- *     for that subtree applies (no accidental commits of the scratch
- *     state to the main repo).
- *
- *   - `promoteWorktree(worktreePath, cwd)` — diffs the worktree against
- *     its base commit and applies the diff to the main `cwd` via
- *     `git apply`. Refuses if the main cwd has staged changes that
- *     would conflict; the operator must commit or stash first.
- *
- *   - `dropWorktree(worktreePath)` — removes the worktree both from
- *     git's bookkeeping (`git worktree remove --force`) and from disk.
- *     Idempotent; a partially-removed worktree (`git` already cleaned
- *     up but dir survived) is handled.
- *
- * Brand voice: ASCII only, no emoji, no banned words.
- */
-import { spawnSync } from 'node:child_process';
-import { existsSync, mkdirSync, rmSync } from 'node:fs';
-import { randomUUID } from 'node:crypto';
-import { resolve, sep } from 'node:path';
-import { OperatorAbortedError } from '../../tools/file-tools.js';
-/**
- * Create a scratch worktree under `.pugi/worktrees/<uuid>`. The path is
- * guaranteed unique (uuid) so multiple agent loops can run in parallel
- * without collision.
- */
-export function createWorktree(opts) {
-    if (opts.cancellation && opts.cancellation.isAborted) {
-        return { ok: false, reason: 'operator_aborted', detail: 'createWorktree aborted' };
-    }
-    // Confirm we're inside a git repo. `git rev-parse --git-dir` is the
-    // canonical check and avoids a misleading error message later when
-    // `git worktree add` runs in a non-repo.
-    const gitDir = runGit(['rev-parse', '--git-dir'], opts.cwd);
-    if (gitDir.status !== 0) {
-        return {
-            ok: false,
-            reason: 'not_a_git_repo',
-            detail: `not a git repo: ${opts.cwd}`,
-        };
-    }
-    // Resolve base SHA. When the operator named a branch we honor it; the
-    // default is HEAD. We capture the SHA up-front so `promoteWorktree`
-    // can `git diff <baseSha>..HEAD` deterministically even if the main
-    // working tree has moved forward since.
-    const baseRef = opts.branch ?? 'HEAD';
-    const baseShaResult = runGit(['rev-parse', baseRef], opts.cwd);
-    if (baseShaResult.status !== 0) {
-        return {
-            ok: false,
-            reason: 'git_command_failed',
-            detail: `cannot resolve base ref ${baseRef}: ${baseShaResult.stderr}`,
-        };
-    }
-    const baseSha = baseShaResult.stdout.trim();
-    const worktreeRoot = resolve(opts.cwd, '.pugi', 'worktrees');
-    mkdirSync(worktreeRoot, { recursive: true });
-    const worktreePath = resolve(worktreeRoot, randomUUID());
-    // `--detach` keeps the worktree on a detached HEAD so we don't
-    // collide with branch checkouts on the main tree. The worktree is
-    // throwaway — there is no branch name to track.
-    const create = runGit(['worktree', 'add', '--detach', worktreePath, baseSha], opts.cwd);
-    if (create.status !== 0) {
-        return {
-            ok: false,
-            reason: 'git_command_failed',
-            detail: `git worktree add failed: ${create.stderr}`,
-        };
-    }
-    const handle = {
-        path: worktreePath,
-        baseSha,
-        cleanup: () => {
-            const r = dropWorktree(worktreePath, opts.cwd);
-            if (!r.ok && r.reason !== 'worktree_missing') {
-                // Swallow non-fatal cleanup failures so the agent loop doesn't
-                // hard-crash on the happy path. The diagnostic still surfaces
-                // via the JSON output on the `pugi worktree drop` command.
-            }
-        },
-    };
-    return { ok: true, value: handle };
-}
-/**
- * Diff the worktree against its base and apply the diff to the main cwd.
- *
- * Implementation notes:
- *
- *   - We run `git diff --binary <baseSha>` inside the worktree (NOT
- *     `git diff <worktree>..HEAD` from the main tree — the worktree's
- *     HEAD is detached at `baseSha`, so the meaningful diff is the
- *     UNCOMMITTED changes the agent wrote into it).
- *   - `--binary` ensures non-text files (assets, images) survive the
- *     round-trip; without it `git apply` fails on any binary delta.
- *   - We always run `git apply --check` first so a refusal does not
- *     leave the main tree half-modified.
- */
-export function promoteWorktree(opts) {
-    if (opts.cancellation && opts.cancellation.isAborted) {
-        return { ok: false, reason: 'operator_aborted', detail: 'promoteWorktree aborted' };
-    }
-    if (!existsSync(opts.worktreePath)) {
-        return {
-            ok: false,
-            reason: 'worktree_missing',
-            detail: `worktree path does not exist: ${opts.worktreePath}`,
-        };
-    }
-    // Capture the diff. Include both unstaged AND staged changes — the
-    // agent loop typically stages nothing (it just writes files), but
-    // honoring both is forward-compatible with hand-edits inside the
-    // worktree.
-    const diff = runGit(['diff', '--binary', opts.baseSha], opts.worktreePath);
-    if (diff.status !== 0) {
-        return {
-            ok: false,
-            reason: 'git_command_failed',
-            detail: `git diff failed: ${diff.stderr}`,
-        };
-    }
-    if (diff.stdout.trim().length === 0) {
-        return { ok: true, value: { filesChanged: 0 } };
-    }
-    // `git apply --check` validates the diff against the main tree first.
-    // Refuse early on conflict so the operator can resolve before we
-    // touch any file.
-    const check = runGit(['apply', '--check', '-'], opts.cwd, diff.stdout);
-    if (check.status !== 0) {
-        return {
-            ok: false,
-            reason: 'apply_conflict',
-            detail: `git apply --check rejected: ${check.stderr}`,
-        };
-    }
-    if (opts.dryRun) {
-        return { ok: true, value: { filesChanged: countDiffFiles(diff.stdout) } };
-    }
-    const apply = runGit(['apply', '-'], opts.cwd, diff.stdout);
-    if (apply.status !== 0) {
-        return {
-            ok: false,
-            reason: 'apply_failed',
-            detail: `git apply failed: ${apply.stderr}`,
-        };
-    }
-    return { ok: true, value: { filesChanged: countDiffFiles(diff.stdout) } };
-}
-/**
- * Drop a worktree both from git's bookkeeping and from disk. Idempotent —
- * a missing path returns `worktree_missing` which the caller can ignore
- * on the cleanup-after-error path.
- */
-export function dropWorktree(worktreePath, cwd) {
-    // `git worktree remove --force` cleans the metadata in `.git/worktrees`.
-    // If the worktree was created by another process and already pruned,
-    // git returns non-zero — we still try to `rmSync` the dir to leave the
-    // filesystem consistent.
-    const remove = runGit(['worktree', 'remove', '--force', worktreePath], cwd);
-    const gitCleanFailed = remove.status !== 0;
-    if (existsSync(worktreePath)) {
-        try {
-            rmSync(worktreePath, { recursive: true, force: true });
-        }
-        catch (error) {
-            if (gitCleanFailed) {
-                return {
-                    ok: false,
-                    reason: 'git_command_failed',
-                    detail: `git worktree remove failed AND rmSync failed: ${error instanceof Error ? error.message : String(error)}`,
-                };
-            }
-        }
-    }
-    if (gitCleanFailed && !worktreePath.includes(`${sep}.pugi${sep}worktrees${sep}`)) {
-        // A worktree that wasn't created by us (path is outside our naming
-        // convention) is suspicious — surface the failure so the operator
-        // can diagnose.
-        return {
-            ok: false,
-            reason: 'git_command_failed',
-            detail: `git worktree remove failed: ${remove.stderr}`,
-        };
-    }
-    return { ok: true, value: undefined };
-}
-function countDiffFiles(diff) {
-    // Count `diff --git a/... b/...` headers. Cheap and unambiguous.
-    let count = 0;
-    for (const line of diff.split('\n')) {
-        if (line.startsWith('diff --git '))
-            count += 1;
-    }
-    return count;
-}
-function runGit(args, cwd, stdin) {
-    return spawnSync('git', args, {
-        cwd,
-        input: stdin,
-        encoding: 'utf8',
-        maxBuffer: 64 * 1024 * 1024,
-    });
-}
-/**
- * Test-only helper exporting the internal git runner so specs can stub
- * the spawn surface when running on a CI host without a global git.
- */
-export const __test__ = { runGit, countDiffFiles };
-/**
- * Re-export the abort marker so the worktree CLI surface can fold the
- * exception into a clean exit code without needing to import from the
- * tools layer.
- */
-export { OperatorAbortedError };
-//# sourceMappingURL=worktree.js.map