@pugi/cli 0.1.0-beta.21 → 0.1.0-beta.22

package/dist/runtime/commands/share.js

@@ -0,0 +1,316 @@
+/**
+ * `pugi share` / `/share` command handler — Leak L20 (2026-05-27).
+ *
+ * Exports the current session transcript as Markdown to either a GitHub
+ * Gist (default when `gh` is available + auth'd) or a pugi.io public URL
+ * (`--pugi`). Mirrors Claude Code's `/share` ergonomics — operator can
+ * pin a session for portfolio / debugging / team sharing without copy-
+ * pasting the REPL pane by hand.
+ *
+ * Subcommands / flags (see L20 spec):
+ *
+ *   pugi share                Default upload — picks gist when available,
+ *                              falls back to pugi.io.
+ *   pugi share --gist          Force gist target; refuses if `gh` is not
+ *                              installed / authenticated.
+ *   pugi share --pugi          Force pugi.io target.
+ *   pugi share --redact        Run PII scrubber first; shows finding
+ *                              counts in the privacy gate banner.
+ *   pugi share --preview       Print transcript to stdout WITHOUT
+ *                              upload. Always implies a redact step IF
+ *                              `--redact` is also set so the operator
+ *                              inspects the scrubbed shape, not the raw.
+ *   pugi share --yes           Skip the y/n confirmation prompt
+ *                              (CI / scripted callers). Default is
+ *                              ALWAYS to ask before uploading. Refuses
+ *                              if the heuristic detects an active
+ *                              `Bearer ` credential regardless of `--yes`.
+ *   pugi share --json          Emit the result envelope as JSON.
+ *
+ * Privacy gates (mandatory):
+ *
+ *   1. Active credential heuristic — refuses upload entirely when the
+ *      transcript contains a live `Bearer <token>` span. Operators who
+ *      want to share a debug session that captured an auth header MUST
+ *      run `--redact` first; the redactor masks the credential before
+ *      the upload path sees it.
+ *   2. Confirmation prompt — y/n question shown to the operator before
+ *      every upload. Bypassed with `--yes`. Refuses upload on `n` /
+ *      empty / Ctrl-C.
+ *   3. Redact preview — when `--redact` is set, the gate banner shows
+ *      the per-category finding counts BEFORE the upload prompt so the
+ *      operator sees what would leave the machine.
+ *
+ * Same handler powers both `pugi share` (top-level) and `/share`
+ * (in-REPL slash). The slash side wires `writeOutput` to the REPL's
+ * `appendSystemLine` and never hits stdout directly.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { createInterface } from 'node:readline/promises';
+import { formatTranscript } from '../../core/share/formatter.js';
+import { containsActiveCredential, redactPii, summariseFindings, } from '../../core/share/redactor.js';
+import { uploadShare, } from '../../core/share/uploader.js';
+export function parseShareFlags(args) {
+    const flags = {
+        target: 'auto',
+        redact: false,
+        preview: false,
+        yes: false,
+        json: false,
+    };
+    for (const arg of args) {
+        if (arg === '--gist')
+            flags.target = 'gist';
+        else if (arg === '--pugi')
+            flags.target = 'pugi';
+        else if (arg === '--redact')
+            flags.redact = true;
+        else if (arg === '--preview')
+            flags.preview = true;
+        else if (arg === '--yes' || arg === '-y')
+            flags.yes = true;
+        else if (arg === '--json')
+            flags.json = true;
+    }
+    return flags;
+}
+export async function runShareCommand(args, ctx) {
+    const flags = parseShareFlags(args);
+    const eventsPath = resolve(ctx.workspaceRoot, '.pugi/events.jsonl');
+    if (!existsSync(eventsPath)) {
+        ctx.writeOutput({
+            command: 'share',
+            status: 'no_session',
+            message: '.pugi/events.jsonl not found',
+        }, 'pugi share: no session log found. Run any pugi command first to create .pugi/events.jsonl.');
+        process.exitCode = 2;
+        return;
+    }
+    // Read + format. The formatter walks the events stream once; size cap
+    // is implicit (we do not chunk multi-GB files because session logs are
+    // capped at a few MB by the cost-tracker / compaction subsystems).
+    const eventsJsonl = readFileSync(eventsPath, 'utf8');
+    const sessionId = ctx.sessionId ?? deriveSessionIdFromEvents(eventsJsonl) ?? 'no-session';
+    const formatted = formatTranscript({
+        sessionId,
+        workspaceRoot: ctx.workspaceRoot,
+        cliVersion: ctx.cliVersion,
+        eventsJsonl,
+        now: ctx.now,
+    });
+    // Active-credential gate. Refuses even with `--yes`; redact-first IS
+    // the only path to share a transcript with a Bearer token. We check
+    // BEFORE redact so the operator's intent is clear in the gate banner.
+    const hasLiveCredential = containsActiveCredential(formatted.markdown);
+    if (hasLiveCredential && !flags.redact) {
+        ctx.writeOutput({
+            command: 'share',
+            status: 'refused_active_credential',
+            message: 'Transcript contains an active Bearer credential. Re-run with --redact to scrub it before sharing.',
+        }, 'pugi share: refused — transcript contains an active `Bearer ` credential. ' +
+            'Re-run with --redact to scrub it before sharing, or open .pugi/events.jsonl to inspect manually.');
+        process.exitCode = 4;
+        return;
+    }
+    // Optional redact pass. We run BEFORE the preview/upload decisions so
+    // the operator sees what would actually leave their machine.
+    let body = formatted.markdown;
+    let redactionSummary = null;
+    let redactionFindings = [];
+    if (flags.redact) {
+        const result = redactPii(body);
+        body = result.output;
+        redactionSummary = summariseFindings(result);
+        redactionFindings = result.findings;
+    }
+    // Preview path. Always non-destructive: prints the (possibly redacted)
+    // transcript + the redact summary, no upload, no prompt. Operators
+    // chain `--preview --redact` to see what would be shared before they
+    // commit, which is the L20 spec's "inspect first" affordance.
+    if (flags.preview) {
+        const payload = {
+            command: 'share',
+            status: 'preview',
+            sessionId,
+            turnCount: formatted.turnCount,
+            eventCount: formatted.eventCount,
+            redact: flags.redact,
+            redactionSummary,
+            redactionFindings,
+            markdown: body,
+        };
+        const text = [
+            redactionSummary ? `${redactionSummary}` : null,
+            '--- transcript preview (not uploaded) ---',
+            body,
+        ]
+            .filter((line) => line !== null)
+            .join('\n');
+        ctx.writeOutput(payload, text);
+        return;
+    }
+    // Resolve the target. `auto` picks gist if `gh` is available, else
+    // falls back to pugi.io. The probe is best-effort — a missing `gh`
+    // surfaces as `ghAvailable -> false` and we route to pugi without an
+    // error.
+    const resolvedTarget = await pickTarget(flags.target, ctx);
+    // Confirmation gate. Refused by default unless `--yes`.
+    if (!flags.yes) {
+        const promptText = redactionSummary
+            ? `${redactionSummary} Share session transcript to ${resolvedTarget}? [y/N] `
+            : `Share session transcript to ${resolvedTarget}? [y/N] `;
+        const answer = (await ((ctx.promptYesNo ?? defaultPromptYesNo)(promptText))).trim().toLowerCase();
+        if (answer !== 'y' && answer !== 'yes') {
+            ctx.writeOutput({
+                command: 'share',
+                status: 'cancelled',
+                target: resolvedTarget,
+                message: 'Operator declined the upload.',
+            }, 'pugi share: cancelled.');
+            return;
+        }
+    }
+    // Resolve pugi.io credentials lazily — gist target does not need them.
+    let credential = null;
+    if (resolvedTarget === 'pugi') {
+        credential = ctx.resolveCredential ? await safeResolveCredential(ctx.resolveCredential) : null;
+    }
+    const uploadReq = {
+        target: resolvedTarget,
+        sessionId,
+        markdown: body,
+        description: `Pugi session ${sessionId}`,
+        ...(credential?.apiUrl !== undefined ? { apiUrl: credential.apiUrl } : {}),
+        ...(credential?.apiToken !== undefined ? { apiToken: credential.apiToken } : {}),
+        ...(ctx.execaLike !== undefined ? { execaLike: ctx.execaLike } : {}),
+        ...(ctx.fetchLike !== undefined ? { fetchLike: ctx.fetchLike } : {}),
+    };
+    const result = await uploadShare(uploadReq);
+    emitUploadResult(ctx, sessionId, resolvedTarget, redactionSummary, redactionFindings, result);
+}
+/**
+ * Default-target selection. `--gist` / `--pugi` are honoured verbatim;
+ * `auto` consults the `gh` probe and picks gist when available. We
+ * deliberately do not cache the probe — it costs one syscall and the
+ * operator might `gh auth login` between two `pugi share` runs.
+ */
+async function pickTarget(requested, ctx) {
+    if (requested === 'gist')
+        return 'gist';
+    if (requested === 'pugi')
+        return 'pugi';
+    // auto
+    const probe = ctx.ghAvailable ?? defaultGhAvailable(ctx.execaLike);
+    return (await probe()) ? 'gist' : 'pugi';
+}
+function defaultGhAvailable(execaLike) {
+    return async () => {
+        if (!execaLike) {
+            // Production: try to spawn `gh --version`. The default execa shim
+            // in uploader.ts is the right one but importing it here would
+            // create a small cycle; instead we replicate the minimal probe.
+            try {
+                const { defaultExecaLike } = await import('../../core/share/uploader.js');
+                const result = await defaultExecaLike('gh', ['--version']);
+                return result.exitCode === 0;
+            }
+            catch {
+                return false;
+            }
+        }
+        try {
+            const result = await execaLike('gh', ['--version']);
+            return result.exitCode === 0;
+        }
+        catch {
+            return false;
+        }
+    };
+}
+async function defaultPromptYesNo(question) {
+    if (!process.stdin.isTTY) {
+        // Non-interactive caller without --yes: refuse rather than block on
+        // an empty stdin. Mirrors the install-trust pattern in skills.ts.
+        process.stdout.write(`${question}\n(non-interactive stdin; declining)\n`);
+        return 'n';
+    }
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    try {
+        return await rl.question(question);
+    }
+    finally {
+        rl.close();
+    }
+}
+async function safeResolveCredential(resolver) {
+    try {
+        return await resolver();
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Walk the JSONL log from the tail and pick the newest `session.created`
+ * id. Mirrors the helper in cost.ts so the two surfaces agree on what
+ * "current session" means.
+ */
+function deriveSessionIdFromEvents(raw) {
+    const lines = raw.split('\n').filter((line) => line.trim().length > 0);
+    for (let i = lines.length - 1; i >= 0; i -= 1) {
+        try {
+            const parsed = JSON.parse(lines[i]);
+            if (parsed.type === 'session' && parsed.name === 'created' && typeof parsed.sessionId === 'string') {
+                return parsed.sessionId;
+            }
+        }
+        catch {
+            // skip
+        }
+    }
+    return null;
+}
+function emitUploadResult(ctx, sessionId, target, redactionSummary, redactionFindings, result) {
+    if (result.ok) {
+        const payload = {
+            command: 'share',
+            status: 'ok',
+            sessionId,
+            target,
+            url: result.url,
+            remoteId: result.remoteId ?? null,
+            redact: redactionSummary !== null,
+            redactionSummary,
+            redactionFindings,
+        };
+        const text = [
+            redactionSummary,
+            `pugi share: uploaded to ${target}.`,
+            `URL: ${result.url}`,
+        ]
+            .filter((line) => line !== null)
+            .join('\n');
+        ctx.writeOutput(payload, text);
+        return;
+    }
+    const payload = {
+        command: 'share',
+        status: 'upload_failed',
+        sessionId,
+        target,
+        reason: result.reason,
+        message: result.message,
+        redact: redactionSummary !== null,
+        redactionSummary,
+    };
+    const text = [
+        redactionSummary,
+        `pugi share: ${result.reason} — ${result.message}`,
+    ]
+        .filter((line) => line !== null)
+        .join('\n');
+    ctx.writeOutput(payload, text);
+    process.exitCode = 3;
+}
+//# sourceMappingURL=share.js.map

package/dist/runtime/commands/stickers.js

@@ -0,0 +1,82 @@
+/**
+ * `pugi stickers` — brand-personality gimmick command (Leak L33, 2026-05-27).
+ *
+ * Parity command with Claude Code's `/stickers` easter egg. Claude
+ * ships physical stickers OR shows ASCII brand art; Pugi's variant
+ * focuses на the ASCII branch — picks one of the curated pug-face
+ * variants at random and footers it with a rotating brand quote.
+ *
+ * # Module contract
+ *
+ *   - This file owns the WIRING from CLI flags + ambient state to the
+ *     art + quote pickers. The corpus + pure renderers live in
+ *     `tui/stickers-art.tsx` and have zero coupling к the CLI dispatch
+ *     surface.
+ *
+ *   - `runStickersCommand` is the single entry point. Both the top-
+ *     level `pugi stickers` handler в `runtime/cli.ts` AND the in-REPL
+ *     `/stickers` slash command call it. The function returns the
+ *     resolved `StickersResult` so the slash dispatcher can route the
+ *     output к the REPL's system pane without re-picking the art.
+ *
+ *   - Exit code is ALWAYS 0. The command is a brand surface — never a
+ *     gate. Even when the corpus is somehow exhausted (impossible
+ *     today, the lists are frozen), the handler synthesises a fallback
+ *     line and exits 0 instead of crashing.
+ *
+ *   - The random source is injected so the spec can pin the chosen
+ *     art + quote without monkey-patching `Math.random`.
+ */
+import { PUG_QUOTES, PUG_STICKERS, pickArtVariant, pickQuote, renderPugStickersText, } from '../../tui/stickers-art.js';
+/**
+ * Pick + render the sticker, hand it к the output sink, exit 0.
+ * Returns the picked result so the REPL slash handler can mount the
+ * Ink renderer without re-picking.
+ */
+export function runStickersCommand(ctx) {
+    const rng = ctx.rng ?? Math.random;
+    let art;
+    let quote;
+    try {
+        art = pickArtVariant(rng);
+        quote = pickQuote(rng);
+    }
+    catch {
+        // Defensive: the pickers are pure + the corpus is frozen, so this
+        // path is unreachable in production. If a future refactor swaps
+        // the corpus к an empty array we still want к exit 0 with a
+        // deterministic fallback so monitoring scripts that probe
+        // `pugi stickers` do not flap.
+        art = {
+            id: 'fallback',
+            caption: 'fallback',
+            art: '/\\___/\\\n( o o )\n( =^= )',
+        };
+        quote = 'Pugi: your engineering co-pilot.';
+    }
+    const text = renderPugStickersText(art, quote);
+    const result = {
+        command: 'stickers',
+        art,
+        quote,
+        text,
+        meta: {
+            artVariants: PUG_STICKERS.length,
+            quotes: PUG_QUOTES.length,
+        },
+    };
+    ctx.writeOutput(result, text);
+    // Brand surface — never a gate. The caller may have set a different
+    // exit code (e.g. dispatch loop reused this handler for an inline
+    // brand banner); we explicitly stamp 0 so `pugi stickers && echo ok`
+    // stays predictable.
+    process.exitCode = 0;
+    // Silence the unused-import warning in the rare case `ctx.asciiOnly`
+    // is added in a future surface without a switch. Today the flag is
+    // honoured by the CLI handler choosing the writeOutput sink — the
+    // result.text is the same regardless because the boxed renderer
+    // never lands в the plain stdout sink.
+    void ctx.asciiOnly;
+    return result;
+}
+//# sourceMappingURL=stickers.js.map

package/dist/runtime/commands/style.js

@@ -0,0 +1,194 @@
+/**
+ * Leak L18 (2026-05-27) — `pugi style` top-level command + REPL slash
+ * companion.
+ *
+ * Operator surface:
+ *
+ *   pugi style                       Show active preset + table.
+ *   pugi style <name>                Switch workspace preset (current cwd).
+ *   pugi style <name> --persist      Switch + also write user default.
+ *   pugi style --reset               Clear workspace override → back to default.
+ *   pugi style --reset --user        Also clear the user default.
+ *   pugi style --list                Print the catalogue (no flip).
+ *   pugi style --json                Structured envelope variant.
+ *
+ * The same runner powers `/style` from inside the REPL. The REPL
+ * dispatcher (see `core/repl/session.ts`) routes through here so the
+ * two surfaces stay single-sourced — operators trained on one read
+ * the same payload + table on the other.
+ *
+ * Exit codes:
+ *   0 — show / switch / reset all succeed
+ *   1 — unknown preset slug (returned BEFORE any write)
+ *   2 — conflicting flags (e.g. `--reset` with a positional slug)
+ *
+ * The exit codes are surfaced through `process.exitCode` by the
+ * dispatcher in `cli.ts` — this module returns a structured payload
+ * + writes via the injected `writeOutput`. Throwing is reserved for
+ * truly unexpected errors (fs permissions etc.); the spec hooks the
+ * happy + sad paths through `writeOutput` shape, not via try/catch
+ * on the throw.
+ */
+import { DEFAULT_OUTPUT_STYLE, isOutputStyleSlug, OUTPUT_STYLE_SLUGS, renderStyleTable, } from '../../core/output-style/presets.js';
+import { clearUserOutputStyle, clearWorkspaceOutputStyle, resolveOutputStyle, setUserOutputStyle, setWorkspaceOutputStyle, } from '../../core/output-style/state.js';
+/**
+ * Entry point. Parses `args`, applies the operation, emits the
+ * payload + text via `ctx.writeOutput`, and returns the exit code the
+ * dispatcher should hand back to the shell.
+ */
+export async function runStyleCommand(args, ctx) {
+    const flags = parseFlags(args);
+    // Reset path
+    if (flags.reset) {
+        if (flags.slug !== null) {
+            const payload = buildPayload({
+                status: 'invalid_flags',
+                ctx,
+                message: '/style --reset cannot be combined with a preset name. Use one or the other.',
+            });
+            ctx.writeOutput(payload, payload.message);
+            return 2;
+        }
+        if (flags.persist) {
+            const payload = buildPayload({
+                status: 'invalid_flags',
+                ctx,
+                message: '/style --reset cannot be combined with --persist. Use --reset --user to also clear the user default.',
+            });
+            ctx.writeOutput(payload, payload.message);
+            return 2;
+        }
+        clearWorkspaceOutputStyle({ workspaceRoot: ctx.workspaceRoot, env: ctx.env });
+        if (flags.user) {
+            clearUserOutputStyle({ workspaceRoot: ctx.workspaceRoot, env: ctx.env });
+        }
+        const payload = buildPayload({
+            status: 'reset',
+            ctx,
+            message: flags.user
+                ? `Cleared workspace + user output style. Active: ${DEFAULT_OUTPUT_STYLE} (default).`
+                : `Cleared workspace output style. Active: ${describeActive(ctx)}.`,
+        });
+        ctx.writeOutput(payload, payload.message);
+        return 0;
+    }
+    // List path
+    if (flags.list && flags.slug === null) {
+        const resolved = resolveOutputStyle({ workspaceRoot: ctx.workspaceRoot, env: ctx.env });
+        const payload = buildPayload({
+            status: 'listed',
+            ctx,
+            message: renderStyleTable(resolved.slug),
+        });
+        ctx.writeOutput(payload, payload.message);
+        return 0;
+    }
+    // Switch path
+    if (flags.slug !== null) {
+        if (!isOutputStyleSlug(flags.slug)) {
+            const payload = buildPayload({
+                status: 'invalid_slug',
+                ctx,
+                attemptedSlug: flags.slug,
+                message: `Unknown style "${flags.slug}". Try one of: ${OUTPUT_STYLE_SLUGS.join(', ')}.`,
+            });
+            ctx.writeOutput(payload, payload.message);
+            return 1;
+        }
+        const before = resolveOutputStyle({ workspaceRoot: ctx.workspaceRoot, env: ctx.env });
+        setWorkspaceOutputStyle(flags.slug, { workspaceRoot: ctx.workspaceRoot, env: ctx.env });
+        if (flags.persist) {
+            setUserOutputStyle(flags.slug, { workspaceRoot: ctx.workspaceRoot, env: ctx.env });
+        }
+        const tail = flags.persist ? ' (workspace + user default)' : ' (workspace)';
+        const payload = buildPayload({
+            status: 'switched',
+            ctx,
+            previous: before.slug,
+            persistedToUser: flags.persist,
+            message: `Output style → ${flags.slug}${tail}. Was: ${before.slug} (${before.source}).`,
+        });
+        ctx.writeOutput(payload, payload.message);
+        return 0;
+    }
+    // Show path (no args)
+    const resolved = resolveOutputStyle({ workspaceRoot: ctx.workspaceRoot, env: ctx.env });
+    const banner = `Active output style: ${resolved.slug} (${resolved.source})`;
+    const table = renderStyleTable(resolved.slug);
+    const payload = buildPayload({
+        status: 'show',
+        ctx,
+        message: `${banner}\n\n${table}`,
+    });
+    ctx.writeOutput(payload, payload.message);
+    return 0;
+}
+function describeActive(ctx) {
+    const resolved = resolveOutputStyle({ workspaceRoot: ctx.workspaceRoot, env: ctx.env });
+    return `${resolved.slug} (${resolved.source})`;
+}
+function buildPayload(args) {
+    const resolved = resolveOutputStyle({ workspaceRoot: args.ctx.workspaceRoot, env: args.ctx.env });
+    const payload = {
+        command: 'style',
+        status: args.status,
+        active: resolved.slug,
+        source: resolved.source,
+        presets: OUTPUT_STYLE_SLUGS,
+        message: args.message,
+    };
+    if (args.previous !== undefined)
+        payload.previous = args.previous;
+    if (args.persistedToUser !== undefined)
+        payload.persistedToUser = args.persistedToUser;
+    if (args.attemptedSlug !== undefined)
+        payload.attemptedSlug = args.attemptedSlug;
+    return payload;
+}
+function parseFlags(args) {
+    const flags = {
+        slug: null,
+        persist: false,
+        reset: false,
+        user: false,
+        list: false,
+    };
+    for (const arg of args) {
+        if (arg === '--persist')
+            flags.persist = true;
+        else if (arg === '--reset')
+            flags.reset = true;
+        else if (arg === '--user')
+            flags.user = true;
+        else if (arg === '--list')
+            flags.list = true;
+        else if (arg.startsWith('-')) {
+            // Unknown flag — keep simple parser. Treat as positional so the
+            // downstream isOutputStyleSlug check rejects it with a clear
+            // "unknown style" message rather than swallowing silently.
+            if (flags.slug === null)
+                flags.slug = arg;
+        }
+        else if (flags.slug === null) {
+            flags.slug = arg;
+        }
+    }
+    // Normalise the slug to lowercase so `pugi style TERSE` works the
+    // same as `pugi style terse`. The catalogue is lowercase-only by
+    // contract; this keeps operators from tripping on shift-key habits.
+    if (flags.slug !== null)
+        flags.slug = flags.slug.toLowerCase();
+    return flags;
+}
+/**
+ * Re-export for the slash-command dispatcher in `core/repl/session.ts`
+ * so it can render a compiled prompt block when the operator runs
+ * `/style --preview` (follow-up surface; current slash returns the
+ * runner's standard payload).
+ *
+ * Kept here so the runtime module is the single import point for
+ * style-related surfaces; consumers should NOT reach into
+ * `core/output-style/*` directly.
+ */
+export { OUTPUT_STYLES as OUTPUT_STYLE_CATALOGUE, } from '../../core/output-style/presets.js';
+//# sourceMappingURL=style.js.map

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.21');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.22');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/dist/tools/registry.js

@@ -33,6 +33,14 @@ const registry = [
     { name: 'task_get', permission: 'none', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'task_list', permission: 'none', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'task_update', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
+    // Leak L16 (2026-05-27): batch TodoWrite. Mirrors Claude Code's upstream
+    // surface — full board snapshot, single-in-progress invariant, atomic
+    // tmp+rename persistence to `.pugi/todos.json`. `concurrencySafe = false`
+    // because two concurrent writes could lose the loser's snapshot (the
+    // rename is atomic but the read-modify-write loop is not). Risk = low
+    // because the only filesystem mutation lands inside `.pugi/todos.json`,
+    // which is metadata, not source.
+    { name: 'todo_write', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
     { name: 'web_fetch', permission: 'network', risk: 'medium', concurrencySafe: true, m1: true },
     // α7.7: scratch worktree management. `worktree_create` writes nothing
     // dangerous (a clone under `.pugi/worktrees/`); `worktree_promote`