@pugi/cli 0.1.0-beta.20 → 0.1.0-beta.22

package/dist/core/bare-mode/index.js

@@ -0,0 +1,107 @@
+/**
+ * Leak L22 (2026-05-27) — `--bare` mode predicate.
+ *
+ * Mirror of Claude Code's `--bare` flag: when active the CLI behaves
+ * like a plain LLM frontend with NO project auto-discovery. Useful for:
+ *
+ *   - headless scripting where the operator wants deterministic, repo-
+ *     independent behavior (`pugi --bare --print "..."`),
+ *   - dropping into a workspace without auto-creating `.pugi/`,
+ *   - REPL sessions that should NOT inject ambient `PUGI.md` / `CLAUDE.md`
+ *     into the model prompt,
+ *   - support / triage flows where the engineer needs the CLI to act
+ *     like a fresh install regardless of where it's invoked.
+ *
+ * Discovery surfaces gated by `isBareMode()`:
+ *
+ *   1. `PUGI.md` / `AGENTS.md` / `CLAUDE.md` / `GEMINI.md` parent-dir
+ *      walk-up (`loadTraversedMarkdown` in `core/context/markdown-traverse.ts`).
+ *   2. Workspace-root markdown context (`loadMarkdownContext` consumers).
+ *   3. Auto-init `.pugi/` scaffold on REPL boot in untouched dirs.
+ *   4. Persona / skill auto-load from `.pugi/skills/`.
+ *   5. Workspace summary (`readPugiSummary`) read on REPL session start.
+ *
+ * Activation precedence — the bare bit is "sticky" once set so any
+ * subprocess the CLI spawns inherits it without re-passing the flag:
+ *
+ *   1. Top-level `--bare` arg parsed by `parseArgs` in `runtime/cli.ts`.
+ *      The parser sets `process.env.PUGI_BARE='1'` BEFORE the dispatch
+ *      flows so callsites checking the env see the activated state.
+ *   2. `PUGI_BARE=1` env var (any value matching `/^(1|true|yes|on)$/i`).
+ *   3. Default: bare mode OFF — full auto-discovery as before.
+ *
+ * This mirrors the existing `PUGI_SKIP_SPLASH` / `PUGI_NO_AUTO_INIT`
+ * env-flag pattern so the bare module fits the rest of the runtime
+ * configuration grammar without inventing a new wire.
+ *
+ * Test surface: `apps/pugi-cli/test/bare-mode.spec.ts` exercises the
+ * env precedence, value parsing, and the explicit-set / clear helpers.
+ */
+/**
+ * Env var consulted by `isBareMode()`. Kept as an export so the spec
+ * + the runtime CLI can use the same constant — no string-typing of
+ * the wire name across modules.
+ */
+export const PUGI_BARE_ENV = 'PUGI_BARE';
+/**
+ * Truthy values recognised on the `PUGI_BARE` env. Anything else
+ * (empty string, `0`, `false`, `no`, `off`, `disabled`, undefined) is
+ * treated as bare-mode OFF. The list is intentionally short — the
+ * value is set by the CLI parser and is not customer-typed prose, so
+ * we do not need a permissive boolean coercion.
+ */
+const TRUTHY = new Set(['1', 'true', 'yes', 'on']);
+/**
+ * Return true when bare mode is active for the current process. Reads
+ * `process.env[PUGI_BARE_ENV]` and applies the truthy-value match.
+ *
+ * Safe to call from any module (no FS, no side-effects). The runtime
+ * cost is a single env-var lookup + lower-case + set membership, so
+ * gating hot-path callsites with `if (isBareMode()) return ...` adds
+ * effectively zero overhead in the default (non-bare) case.
+ */
+export function isBareMode(env = process.env) {
+    const raw = env[PUGI_BARE_ENV];
+    if (typeof raw !== 'string' || raw.length === 0)
+        return false;
+    return TRUTHY.has(raw.toLowerCase());
+}
+/**
+ * Explicitly activate bare mode for the current process. Called by
+ * `parseArgs` in `runtime/cli.ts` when `--bare` is seen on the command
+ * line so downstream modules (engine, REPL bootstrap, doctor probe)
+ * see a consistent activated state via `isBareMode()` regardless of
+ * whether the operator set the env var manually or used the flag.
+ *
+ * Subprocess inheritance is the reason we mutate `process.env` rather
+ * than threading a `bare: boolean` field through every call signature
+ * — every Node child_process spawn inherits `process.env` by default,
+ * so the bare bit propagates to MCP servers / hook scripts / git
+ * subprocesses without ceremony.
+ */
+export function setBareMode(env = process.env) {
+    env[PUGI_BARE_ENV] = '1';
+}
+/**
+ * Clear bare mode for the current process. Provided primarily for the
+ * spec so adjacent tests do not leak state between cases. Production
+ * code does NOT call this — bare mode is a one-shot per process.
+ */
+export function clearBareMode(env = process.env) {
+    delete env[PUGI_BARE_ENV];
+}
+/**
+ * Human-readable one-line banner printed by the dispatcher when bare
+ * mode is active and the invocation is NOT JSON-only. Kept as a single
+ * constant so the spec can assert the exact wording and downstream
+ * tools (status bars, doctor row, REPL header) stay in lockstep.
+ */
+export const BARE_MODE_BANNER = 'Pugi --bare mode: project auto-discovery disabled.';
+/**
+ * Short label rendered inside the `pugi doctor` table when bare mode
+ * is active. The doctor probe surfaces `BARE MODE` as a separate row
+ * so operators triaging "why is Pugi ignoring my PUGI.md" see the
+ * cause without grep'ing the env.
+ */
+export const BARE_MODE_DOCTOR_LABEL = 'BARE MODE';
+//# sourceMappingURL=index.js.map

package/dist/core/diagnostics/probes/bare-mode.js

@@ -0,0 +1,42 @@
+/**
+ * BARE MODE probe — Leak L22 (2026-05-27).
+ *
+ * Surfaces the `--bare` activation state inside `pugi doctor`. The row is
+ * informational: bare mode is an opt-in operator choice, never an error.
+ * Operators triaging "why is Pugi ignoring my PUGI.md / why was the
+ * `.pugi/` scaffold skipped" see the cause without grep'ing the env.
+ *
+ * Status semantics:
+ *   - `skipped` when bare mode is OFF (default). The probe stays silent
+ *     in the table since there is nothing to report; the row still
+ *     renders so the JSON consumer can read a stable schema.
+ *   - `ok` when bare mode is ON via `--bare` or `PUGI_BARE=1`. The detail
+ *     enumerates the surfaces that are currently bypassed.
+ *
+ * No I/O — pure env probe. Wired into `buildDefaultProbes` in
+ * `runtime/commands/doctor.ts`.
+ */
+import { isBareMode, BARE_MODE_DOCTOR_LABEL } from '../../bare-mode/index.js';
+/**
+ * One-line summary printed in the `--bare` row when bare mode is on.
+ * Exported so the spec can assert the exact wording — operators reading
+ * `pugi doctor` should see the list of surfaces that the flag disables.
+ */
+export const BARE_MODE_ACTIVE_DETAIL = 'bare mode active: PUGI.md walk-up + auto-init + persona auto-load disabled';
+export const BARE_MODE_INACTIVE_DETAIL = 'bare mode off (default auto-discovery)';
+export function probeBareMode(input = {}) {
+    const env = input.env ?? process.env;
+    if (isBareMode(env)) {
+        return {
+            name: BARE_MODE_DOCTOR_LABEL,
+            status: 'ok',
+            detail: BARE_MODE_ACTIVE_DETAIL,
+        };
+    }
+    return {
+        name: BARE_MODE_DOCTOR_LABEL,
+        status: 'skipped',
+        detail: BARE_MODE_INACTIVE_DETAIL,
+    };
+}
+//# sourceMappingURL=bare-mode.js.map

package/dist/core/engine/native-pugi.js

@@ -17,6 +17,7 @@ import { CancellationToken } from '../repl/cancellation.js';
 import { buildContextPrefix, spliceContextPrefix } from './context-prefix.js';
 import { applyIntentMarker, classifyIntent } from './intent.js';
 import { loadTraversedMarkdown } from '../context/markdown-traverse.js';
+import { isBareMode } from '../bare-mode/index.js';
 // α7 L11 (2026-05-27): per-session DenialTrackingState. One instance
 // per `run()` so denials cluster by (tool, args) within the same
 // command but do NOT leak across CLI invocations.
@@ -234,18 +235,28 @@ export class NativePugiEngineAdapter {
             // lifetime of the session which is what the operator expects.
             const cwdForTraverse = process.cwd();
             let traverseResult;
-            try {
-                traverseResult = await loadTraversedMarkdown({
-                    cwd: cwdForTraverse,
-                    workspaceRoot: root,
-                });
-            }
-            catch {
-                // Per-dir markdown is a NICE-TO-HAVE; a fs error here must
-                // never break the engine loop. Fall back to an empty result
-                // so the prefix block still surfaces cwd + working set.
+            // Leak L22 (2026-05-27): `--bare` skips the parent-dir PUGI.md /
+            // AGENTS.md / CLAUDE.md / GEMINI.md walk-up. The engine sees only
+            // the operator's prompt + working-set + intent marker, with no
+            // ambient project context injection. Mirrors Claude Code's
+            // --bare semantics.
+            if (isBareMode()) {
                 traverseResult = { loaded: [], warnings: [], totalBytes: 0 };
             }
+            else {
+                try {
+                    traverseResult = await loadTraversedMarkdown({
+                        cwd: cwdForTraverse,
+                        workspaceRoot: root,
+                    });
+                }
+                catch {
+                    // Per-dir markdown is a NICE-TO-HAVE; a fs error here must
+                    // never break the engine loop. Fall back to an empty result
+                    // so the prefix block still surfaces cwd + working set.
+                    traverseResult = { loaded: [], warnings: [], totalBytes: 0 };
+                }
+            }
             const intentClassification = classifyIntent(task.prompt);
             const intentHint = intentClassification.intent !== 'ambiguous' ? intentClassification.intent : undefined;
             const cwdRelative = relativeOrAbsolute(root, cwdForTraverse);

package/dist/core/engine/prompts.js

@@ -1,4 +1,6 @@
 import { getJobRegistry, summarizeJobsForPrompt, } from '../jobs/registry.js';
+import { compileStyleBlock } from '../output-style/presets.js';
+import { resolveOutputStyle } from '../output-style/state.js';
 /**
  * System prompts for each engine command. Each prompt:
  *   - Anchors the model in Pugi's local-first contract (ADR-0037).
@@ -92,10 +94,36 @@ export function systemPromptFor(kind) {
     // voice gate are command-agnostic — a definitional question lands
     // the same way under `pugi explain` and `pugi code`.
     const withV2 = `${base}\n\n${PROMPT_V2_APPENDIX}`;
+    // Leak L18 (2026-05-27): output-style preset block. Compiled from
+    // workspace > user > default precedence. The `default` preset
+    // returns an empty block (no override over the base voice), so the
+    // injection is a no-op for the most-common case. Wrapped in
+    // try/catch — every IO failure inside `resolveOutputStyle` already
+    // degrades to the default slug, but defence in depth keeps the
+    // engine prompt assembly from ever crashing on a hand-edited
+    // config.json.
+    const styleBlock = formatOutputStyleBlock();
+    const withStyle = styleBlock ? `${withV2}\n\n${styleBlock}` : withV2;
     const snapshot = formatBackgroundJobsSnapshot(getJobRegistrySafely());
     if (!snapshot)
-        return withV2;
-    return `${withV2}\n\n${snapshot}`;
+        return withStyle;
+    return `${withStyle}\n\n${snapshot}`;
+}
+/**
+ * Resolve the active output-style preset for the current process
+ * and compile it into a prompt block. Returns empty string for the
+ * default preset OR for any unexpected IO failure so the engine
+ * prompt assembly path is unaffected by a missing / malformed
+ * config.json.
+ */
+function formatOutputStyleBlock() {
+    try {
+        const resolved = resolveOutputStyle({ workspaceRoot: process.cwd() });
+        return compileStyleBlock(resolved.slug);
+    }
+    catch {
+        return '';
+    }
 }
 function baseSystemPromptFor(kind) {
     switch (kind) {

package/dist/core/engine/tool-bridge.js

@@ -4,6 +4,7 @@ import { askUser } from '../../tools/ask-user.js';
 import { askUserQuestionJsonSchema, dispatchAskUserQuestion, } from '../../tools/ask-user-question.js';
 import { skillInvoke, skillList } from '../../tools/skill-tool.js';
 import { taskCreate, taskGet, taskList, taskUpdate, } from '../../tools/tasks.js';
+import { dispatchTodoWrite, todoWriteJsonSchema, } from '../../tools/todo-write.js';
 import { webFetchTool } from '../../tools/web-fetch.js';
 import { webSearchTool } from '../../tools/web-search.js';
 import { agentTool } from '../../tools/agent-tool.js';
@@ -53,6 +54,12 @@ const READ_ONLY_TOOLS = new Set([
     'task_get',
     'task_list',
     'task_update',
+    // Leak L16 (2026-05-27): `todo_write` writes to `.pugi/todos.json`
+    // — metadata, not source. From the workspace's perspective it is
+    // read-only (no source mutation), so plan-mode keeps the tool
+    // available: planning a refactor frequently means writing the
+    // todo board BEFORE picking which file to touch.
+    'todo_write',
     'web_fetch',
     // β1b T4 (2026-05-26): web_search is read-only from the workspace's
     // perspective (no file writes, no shell). Egress goes through the
@@ -82,6 +89,8 @@ const WIRED_TOOLS = new Set([
     'task_get',
     'task_list',
     'task_update',
+    // Leak L16: see READ_ONLY_TOOLS above for the rationale.
+    'todo_write',
     'web_fetch',
     // β1b T4: see READ_ONLY_TOOLS above.
     'web_search',
@@ -190,6 +199,21 @@ export function buildToolsSchema(kind, options = { allowFetch: false, allowSearc
             },
         },
     });
+    // Leak L16 (2026-05-27): `todo_write` — batch TodoWrite mirror of
+    // Claude Code's upstream tool. Whereas `task_*` above is granular
+    // (one mutation per call, JSONL append, session-scoped),
+    // `todo_write` snapshots the FULL board in one call, JSON snapshot
+    // at `.pugi/todos.json`, workspace-scoped. Enforces the single-
+    // in-progress invariant at dispatch time: a batch with >1
+    // `in_progress` rejects with `TODO_INVARIANT_VIOLATED` and the
+    // on-disk board is left unchanged.
+    toolDefs.push({
+        name: 'todo_write',
+        description: 'Replace the workspace todo board (batch snapshot, not incremental). Emit the FULL todo list every call. ' +
+            'At most ONE item may carry status="in_progress" — violations reject with TODO_INVARIANT_VIOLATED. ' +
+            'Persisted atomically to .pugi/todos.json. Mirrors Claude Code TodoWrite verbatim.',
+        parameters: todoWriteJsonSchema,
+    });
     // β1 T2 → leak L5 (2026-05-27): structured AskUserQuestion bridge.
     // Schema upgraded to openclaude's multi-choice form: header chip +
     // {label, description} per option. Dispatcher accepts the structured
@@ -684,6 +708,14 @@ export function buildExecutor(input) {
             if (name === 'task_create' || name === 'task_get' || name === 'task_list' || name === 'task_update') {
                 return dispatchTaskTool(name, args, { workspaceRoot, sessionId });
             }
+            if (name === 'todo_write') {
+                // Leak L16: batch TodoWrite. The dispatcher delegates the
+                // Zod validation + atomic persist to the tool module — any
+                // ZodError or `TODO_INVARIANT_VIOLATED` sentinel surfaces here
+                // as a thrown Error and lands on the catch arm below, which
+                // re-emits it through the PostToolUseFailure hook.
+                return dispatchTodoWrite({ workspaceRoot }, args);
+            }
             if (name === 'ask_user_question') {
                 return dispatchAskUser(args, { interactive: Boolean(interactive), bridge: askUserBridge });
             }

package/dist/core/feedback/queue.js

@@ -0,0 +1,177 @@
+/**
+ * Local feedback queue — Leak L21 (2026-05-27).
+ *
+ * `pugi feedback` POSTs collected operator feedback to the admin-api
+ * `/api/pugi/feedback` route. When that round-trip fails (endpoint
+ * missing, network down, server 5xx), the submitter falls back to
+ * appending the envelope to `<cwd>/.pugi/feedback-queue.jsonl`. On the
+ * next online session the flusher drains the queue silently in the
+ * background.
+ *
+ * # Module contract
+ *
+ *   - Per-workspace storage. The queue file lives at
+ *     `<cwd>/.pugi/feedback-queue.jsonl` so the operator-visible state
+ *     stays alongside the project's other Pugi metadata. Multi-repo
+ *     operators get one queue per repo — matches the rest of `.pugi/`.
+ *
+ *   - JSONL append-only format. One envelope per line. Newlines inside
+ *     the comment field are escaped as `\n` by `JSON.stringify`. The
+ *     enqueue path uses an atomic `O_APPEND` write so concurrent
+ *     `pugi feedback` invocations from a split-screen REPL + shell do
+ *     not interleave half-records.
+ *
+ *   - The flusher is best-effort. It returns counts but never throws —
+ *     a failed flush leaves the queue untouched and a successful flush
+ *     atomically rewrites the file with the remaining (unsubmitted)
+ *     envelopes. Partial-success is the normal path when the server
+ *     accepts the first N but 5xx's the (N+1)th.
+ *
+ *   - The queue file is intentionally NOT readable by anything beyond
+ *     the flusher. The operator's free-text comments are confidential
+ *     — we do not surface them in `/status` / `/doctor` / telemetry.
+ *
+ *   - All filesystem writes go through `mkdirSync({recursive: true})`
+ *     so the first-ever enqueue on a fresh workspace lazily creates
+ *     `.pugi/` without depending on an earlier `pugi init`.
+ */
+import { appendFileSync, existsSync, mkdirSync, readFileSync, renameSync, writeFileSync, } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+/**
+ * Resolve the queue file path for a workspace. Centralised so the
+ * submitter + flusher + tests agree on a single canonical location.
+ */
+export function feedbackQueuePath(cwd) {
+    return resolve(cwd, '.pugi', 'feedback-queue.jsonl');
+}
+/**
+ * Append one envelope atomically. Uses `O_APPEND` semantics via
+ * `appendFileSync` so concurrent invocations from a split-screen
+ * REPL + shell cannot interleave bytes mid-line.
+ *
+ * Returns the absolute path written so callers can surface it in the
+ * "Feedback queued locally" toast.
+ */
+export function enqueueFeedback(env, cwd) {
+    const path = feedbackQueuePath(cwd);
+    mkdirSync(dirname(path), { recursive: true });
+    // JSON.stringify of an object never emits raw newlines; the trailing
+    // '\n' is the line separator. JSONL parsers split on '\n' so the
+    // separator survives round-trips.
+    const line = `${JSON.stringify(env)}\n`;
+    appendFileSync(path, line, { encoding: 'utf8' });
+    return path;
+}
+export function readFeedbackQueue(cwd) {
+    const path = feedbackQueuePath(cwd);
+    if (!existsSync(path)) {
+        return { envelopes: [], parseErrors: [] };
+    }
+    const contents = readFileSync(path, 'utf8');
+    const lines = contents.split('\n');
+    const envelopes = [];
+    const parseErrors = [];
+    for (let i = 0; i < lines.length; i += 1) {
+        const raw = lines[i]?.trim();
+        if (!raw)
+            continue;
+        try {
+            const parsed = JSON.parse(raw);
+            // Minimal shape check — we don't full-validate here because the
+            // server is the trust boundary. Just guard against obvious
+            // corruption that would make the line un-submittable.
+            if (typeof parsed.category === 'string'
+                && typeof parsed.rating === 'number'
+                && typeof parsed.comment === 'string'
+                && typeof parsed.ts === 'string'
+                && typeof parsed.cliVersion === 'string') {
+                envelopes.push(parsed);
+            }
+            else {
+                parseErrors.push(i + 1);
+            }
+        }
+        catch {
+            parseErrors.push(i + 1);
+        }
+    }
+    return { envelopes, parseErrors };
+}
+/**
+ * Rewrite the queue file atomically with the remaining (unsubmitted)
+ * envelopes. Called by the flusher after a partial-success drain.
+ *
+ * Atomicity: write to a sibling `.tmp` then rename. On a crash mid-
+ * rewrite the original file is preserved (rename is atomic on POSIX
+ * + on NTFS via `MoveFileEx`).
+ */
+export function rewriteFeedbackQueue(remaining, cwd) {
+    const path = feedbackQueuePath(cwd);
+    if (remaining.length === 0) {
+        // Clear the file by truncating to empty. Done in-place — we still
+        // want the file to exist (presence signals an active workspace)
+        // but with zero bytes so the next read returns no envelopes.
+        if (existsSync(path)) {
+            writeFileSync(path, '', { encoding: 'utf8' });
+        }
+        return;
+    }
+    mkdirSync(dirname(path), { recursive: true });
+    const tmp = `${path}.tmp`;
+    const body = remaining.map((env) => JSON.stringify(env)).join('\n') + '\n';
+    writeFileSync(tmp, body, { encoding: 'utf8' });
+    // Use writeFileSync's atomic-replace semantics by going through
+    // tmp + rename. Node's `fs.renameSync` is the atomic primitive
+    // on POSIX. We avoid `fs.writeFileSync` directly on `path`
+    // because writeFileSync truncates first which leaves a brief
+    // window of zero-byte state if the process is killed mid-write.
+    renameSync(tmp, path);
+}
+/**
+ * Drain the queue. Best-effort: each envelope is submitted in order;
+ * a `false` return keeps it in the queue for the next attempt; a
+ * `true` return removes it. After all envelopes are processed the
+ * queue file is rewritten with the unsubmitted ones.
+ *
+ * The function NEVER throws — it returns a structured result and
+ * the caller decides whether to log / surface failures. This keeps
+ * the silent-background-drain path on session-start safe.
+ */
+export async function flushFeedbackQueue(cwd, submit) {
+    const { envelopes, parseErrors } = readFeedbackQueue(cwd);
+    if (envelopes.length === 0) {
+        return {
+            attempted: 0,
+            succeeded: 0,
+            failed: 0,
+            failedEnvelopes: [],
+            parseErrors,
+        };
+    }
+    let succeeded = 0;
+    const failedEnvelopes = [];
+    for (const env of envelopes) {
+        let ok = false;
+        try {
+            ok = await submit(env);
+        }
+        catch {
+            ok = false;
+        }
+        if (ok) {
+            succeeded += 1;
+        }
+        else {
+            failedEnvelopes.push(env);
+        }
+    }
+    rewriteFeedbackQueue(failedEnvelopes, cwd);
+    return {
+        attempted: envelopes.length,
+        succeeded,
+        failed: failedEnvelopes.length,
+        failedEnvelopes,
+        parseErrors,
+    };
+}
+//# sourceMappingURL=queue.js.map

package/dist/core/feedback/submitter.js

@@ -0,0 +1,145 @@
+/**
+ * Feedback POST submitter — Leak L21 (2026-05-27).
+ *
+ * Submits one `FeedbackEnvelope` to the admin-api `/api/pugi/feedback`
+ * route. Designed for graceful degradation:
+ *
+ *   - 200/201/204                → success
+ *   - 404 / route not found      → "endpoint missing, fall back to queue"
+ *   - 4xx (other)                → permanent — discard (do NOT requeue)
+ *   - 5xx / network error / abort → transient — caller should enqueue
+ *
+ * The submitter does NOT touch the local queue. The caller wires the
+ * submitter to `enqueueFeedback` on a `transient` result, and to a
+ * silent log on a `permanent` failure. This split keeps the submitter
+ * a pure HTTP wrapper that the flusher (`flushFeedbackQueue`) can
+ * reuse without filesystem side effects.
+ */
+const DEFAULT_TIMEOUT_MS = 8000;
+/**
+ * Build the absolute submit URL from the base API URL. Centralised so
+ * the spec can reference one canonical place when asserting the
+ * outgoing path. The leading slash is normalised so a base URL with
+ * or without trailing slash both produce a well-formed URL.
+ */
+export function feedbackSubmitUrl(apiUrl) {
+    const base = apiUrl.replace(/\/+$/u, '');
+    return `${base}/api/pugi/feedback`;
+}
+/**
+ * Submit one envelope. See `FeedbackSubmitResult` for the contract.
+ *
+ * Never throws — every failure path is mapped to a result variant so
+ * callers do not need a try/catch boundary.
+ */
+export async function submitFeedback(env, config) {
+    const url = feedbackSubmitUrl(config.apiUrl);
+    const fetchImpl = config.fetchImpl ?? fetch;
+    const timeoutMs = config.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const headers = {
+            'content-type': 'application/json',
+            'user-agent': `pugi-cli/${env.cliVersion}`,
+        };
+        if (config.apiKey) {
+            headers['authorization'] = `Bearer ${config.apiKey}`;
+        }
+        const res = await fetchImpl(url, {
+            method: 'POST',
+            headers,
+            body: JSON.stringify(env),
+            signal: controller.signal,
+        });
+        const status = res.status;
+        if (status >= 200 && status < 300) {
+            return { kind: 'ok', httpStatus: status };
+        }
+        if (status === 404) {
+            // The most common transient cause: admin-api hasn't shipped the
+            // route yet. Treat as retry-worthy so once the controller lands
+            // a future flush picks it up.
+            return {
+                kind: 'transient',
+                reason: 'admin-api /api/pugi/feedback not deployed yet',
+                httpStatus: status,
+            };
+        }
+        if (status >= 500) {
+            return {
+                kind: 'transient',
+                reason: `server error ${status}`,
+                httpStatus: status,
+            };
+        }
+        // Any other 4xx — auth failure, payload rejected, rate-limit
+        // exceeded. None of those will fix themselves on a silent retry,
+        // so we mark them permanent. The operator sees a one-line error
+        // and the envelope is dropped (not queued).
+        return {
+            kind: 'permanent',
+            reason: `client error ${status}`,
+            httpStatus: status,
+        };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        // AbortController.abort fires when the timeout elapses. We treat
+        // it as transient so the queue picks it up on the next online
+        // session. Same for plain network errors (`fetch failed`, ECONNREFUSED).
+        return { kind: 'transient', reason: `network: ${message}` };
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Bundle the last N turns of the conversation into a redacted
+ * `FeedbackSessionContext`. The redactor:
+ *
+ *   - Caps at 5 turns (most recent). Older context is dropped — the
+ *     submitter never sees it.
+ *   - Truncates each turn to 240 chars + ellipsis. Operator comments
+ *     are the primary signal; raw transcript is just disambiguation.
+ *   - Strips bearer tokens, JWT-like blobs, and `PUGI_API_KEY=`-style
+ *     env-var prefixes. Conservative — we'd rather drop a few
+ *     non-secret characters than leak a key.
+ *
+ * The function is pure + sync so tests can pin its output without a
+ * worktree harness.
+ */
+export function redactSessionContext(turns, options = {}) {
+    const lastFive = turns.slice(-5);
+    const previewed = lastFive.map((turn) => ({
+        role: turn.role,
+        preview: redactPreview(truncate(turn.text, 240)),
+    }));
+    return {
+        turnCount: previewed.length,
+        turns: previewed,
+        ...(options.gitBranch ? { gitBranch: options.gitBranch } : {}),
+    };
+}
+function truncate(s, max) {
+    if (s.length <= max)
+        return s;
+    return `${s.slice(0, max - 1)}…`;
+}
+/**
+ * Conservative secret-blanking. The rules:
+ *   - Bearer tokens: `Bearer <token>` → `Bearer ***REDACTED***`
+ *   - Long base64/JWT-ish blobs (≥ 40 chars of [A-Za-z0-9_-/=+]):
+ *     replace the inner middle with `***`. Keeps a head + tail so the
+ *     operator can still spot which kind of secret it was.
+ *   - `PUGI_API_KEY=...` and similar `*_KEY=`/`*_TOKEN=` lookalikes:
+ *     replace the value with `***REDACTED***`.
+ */
+function redactPreview(s) {
+    let out = s;
+    out = out.replace(/bearer\s+[A-Za-z0-9._-]{20,}/giu, 'Bearer ***REDACTED***');
+    out = out.replace(/([A-Z][A-Z0-9_]*?(?:KEY|TOKEN|SECRET|PASSWORD))\s*=\s*\S+/gu, '$1=***REDACTED***');
+    out = out.replace(/\b([A-Za-z0-9_-]{6})[A-Za-z0-9_/+=-]{30,}([A-Za-z0-9_-]{4})\b/gu, '$1***$2');
+    return out;
+}
+//# sourceMappingURL=submitter.js.map