@pugi/cli 0.1.0-beta.21 → 0.1.0-beta.23

package/dist/core/auth/env-provider.js

@@ -0,0 +1,238 @@
+/**
+ * `pugi login --provider env` — env-var auth path (Leak L35).
+ *
+ * Claude Code, Codex CLI, and gh CLI all ship a way to authenticate via
+ * an environment variable so CI / container / scripted contexts can
+ * skip the device flow entirely. This module backs that path:
+ *
+ *   1. Resolve the candidate token (explicit `--key` flag beats
+ *      `PUGI_API_KEY` env — same precedence as `gh auth login --token`).
+ *   2. Run a cheap local format check so an obviously malformed key
+ *      (empty, whitespace, suspiciously short) fails fast WITHOUT
+ *      shipping it to the server (no observability leak into the
+ *      Anvil access log).
+ *   3. Call `GET /api/pugi/health` with `Authorization: Bearer <key>`
+ *      so an expired / revoked / typo'd token surfaces immediately
+ *      and the credential file never lands on disk for a dead key.
+ *   4. Map response to typed outcome the CLI dispatcher can render.
+ *
+ * The module is intentionally pure — fetch + reading env are injected,
+ * the writer is a separate concern. The CLI dispatcher composes
+ * `resolveEnvCandidateToken` + `assertTokenFormat` + `validateTokenAgainstHealth`
+ * and then writes the credential via `storeApiKey` on success.
+ *
+ * Failure modes are explicit so the dispatcher can pick the user-facing
+ * remediation string without re-parsing strings:
+ *
+ *   - `missing`          → no token in env or --key, halt with hint
+ *   - `invalid-format`   → token failed local format check, halt
+ *   - `unauthorized`     → server rejected the token (401 / 403)
+ *   - `network-error`    → fetch threw (DNS, refused, TLS)
+ *   - `server-error`     → server returned 5xx (transient — operator
+ *                          may want to retry once)
+ *   - `unexpected-status`→ anything else non-2xx (treat as failure)
+ *
+ * NEVER log the raw token. Memory hits
+ * `feedback_no_claude_attribution_anywhere_hard_rule` plus the
+ * CSO bearer-leak sweep apply here. Use `maskApiKey` from
+ * `core/credentials.ts` when the dispatcher needs to surface the key
+ * to the operator.
+ */
+/**
+ * The minimum length below which we refuse to even ship the token to
+ * the server. Pugi-issued PATs are 48+ chars (`pugi_<32 base32>`), JWTs
+ * issued by the device flow are ~250 chars, legacy `sk-*` PATs we
+ * accept for compatibility are 32+. 16 is well below all three real
+ * shapes so it only catches obvious paste mistakes.
+ */
+export const MIN_TOKEN_LENGTH = 16;
+/**
+ * The set of prefixes we recognise as plausibly-real Pugi-shaped
+ * tokens. Loose by design — the real validator is the server-side
+ * health probe. We just want to catch an operator who pasted the
+ * wrong string entirely (a username, a URL, a placeholder like
+ * "<your-key>") before it reaches the network.
+ *
+ * Three-segment JWTs are also accepted via the `looksLikeJwt`
+ * predicate so device-flow tokens copied out of `~/.pugi/credentials.json`
+ * on a different machine work.
+ */
+export const RECOGNISED_TOKEN_PREFIXES = ['pugi_', 'sk_', 'sk-', 'pat_'];
+/**
+ * Returns the trimmed candidate token, or `null` when neither path
+ * produced one. Precedence: explicit flag arg beats env var (matches
+ * `gh auth login --with-token`, `aws configure set`, and `pugi config`
+ * which all prefer the most-specific operator intent over the ambient
+ * env).
+ */
+export function resolveEnvCandidateToken(input) {
+    const explicit = input.explicitKey?.trim();
+    if (explicit)
+        return explicit;
+    const env = input.env ?? process.env;
+    const fromEnv = env.PUGI_API_KEY?.trim();
+    if (fromEnv)
+        return fromEnv;
+    return null;
+}
+/**
+ * Local-only format check. Returns `null` on accept, a human-readable
+ * error string on reject. Deliberately lenient — the server-side
+ * health probe is the source of truth. We only catch obvious paste
+ * mistakes (empty, whitespace-laden, too short, looks like a URL or
+ * a placeholder).
+ */
+export function assertTokenFormat(token) {
+    if (!token)
+        return 'Token is empty';
+    if (/\s/.test(token)) {
+        return 'Token contains whitespace — check for shell quoting issues or a stray newline';
+    }
+    if (token.length < MIN_TOKEN_LENGTH) {
+        return `Token too short (${token.length} chars; Pugi tokens are >= ${MIN_TOKEN_LENGTH})`;
+    }
+    if (token.startsWith('<') && token.endsWith('>')) {
+        return 'Token looks like a placeholder (`<your-key>`) — replace with the actual key';
+    }
+    if (/^https?:\/\//i.test(token)) {
+        return 'Token looks like a URL — did you mean --api-url?';
+    }
+    // Accept either a recognised prefix OR a JWT three-segment shape.
+    // Anything else still passes — the server probe will catch genuinely
+    // unknown keys. We just want to surface an obvious mistake.
+    const hasKnownPrefix = RECOGNISED_TOKEN_PREFIXES.some((p) => token.startsWith(p));
+    if (!hasKnownPrefix && !looksLikeJwt(token)) {
+        // Soft-fail: warn the operator but proceed. Returning null here
+        // would mask the case where the operator pasted something
+        // genuinely wrong but the server happens to accept it (impossible
+        // for real keys but defence-in-depth). Returning the warning
+        // string would block legacy keys. We choose to proceed — the
+        // server is the source of truth — and let the CLI dispatcher
+        // decide whether to surface a note. Tracked via a separate
+        // `warnUnknownPrefix` return on a future revision.
+        return null;
+    }
+    return null;
+}
+/**
+ * JWT three-segment check. Does NOT verify the signature — we just
+ * want to recognise the shape so device-flow tokens copied from one
+ * machine to another pass the format gate.
+ */
+export function looksLikeJwt(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        return false;
+    return parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p) && p.length > 0);
+}
+/**
+ * Call `GET /api/pugi/health` with the candidate token. Returns a
+ * typed outcome that the CLI dispatcher can map directly to an exit
+ * code + remediation string.
+ *
+ * Health endpoint conventions (see apps/admin-api):
+ *   - 200 → token is valid, account is active
+ *   - 401 → token unknown / malformed at the server boundary
+ *   - 403 → token recognised but the account is suspended / paused
+ *   - 5xx → server-side issue, operator can retry
+ *   - network throw → DNS, refused, TLS — operator's connectivity issue
+ *
+ * We do not parse the body — the health endpoint's contract is the
+ * status code. Any future field (latency, region, build sha) can be
+ * surfaced by a separate `pugi doctor` probe without touching the
+ * login path.
+ */
+export async function validateTokenAgainstHealth(input) {
+    const fetchImpl = input.fetchImpl ?? fetch;
+    const now = input.now ?? Date.now;
+    const url = `${stripTrailingSlash(input.apiUrl)}/api/pugi/health`;
+    const started = now();
+    let response;
+    try {
+        response = await fetchImpl(url, {
+            method: 'GET',
+            headers: {
+                Authorization: `Bearer ${input.apiKey}`,
+                Accept: 'application/json',
+            },
+        });
+    }
+    catch (error) {
+        // DNS failure, ECONNREFUSED, TLS handshake — anything that makes
+        // fetch throw before a status code is observable. We deliberately
+        // do NOT echo the URL host in the message body if it could leak a
+        // self-hosted Anvil hostname into a public CI log; the dispatcher
+        // composes the user-facing remediation.
+        const cause = error instanceof Error ? error.message : String(error);
+        return {
+            kind: 'network-error',
+            message: `Cannot reach ${input.apiUrl}; check your connection`,
+            cause,
+        };
+    }
+    const latencyMs = now() - started;
+    const { status } = response;
+    if (status === 200) {
+        return { kind: 'ok', latencyMs };
+    }
+    if (status === 401 || status === 403) {
+        return {
+            kind: 'unauthorized',
+            status,
+            message: status === 401
+                ? 'Token invalid or expired — run `pugi login --provider device` to get a fresh one'
+                : 'Token recognised but the account is suspended — check `pugi whoami` on a working machine or contact support',
+        };
+    }
+    if (status >= 500) {
+        return {
+            kind: 'server-error',
+            status,
+            message: `${input.apiUrl} returned ${status}; retry in a moment`,
+        };
+    }
+    return {
+        kind: 'unexpected-status',
+        status,
+        message: `Unexpected ${status} from /api/pugi/health; treat as login failure`,
+    };
+}
+export async function resolveAndValidateEnvLogin(input) {
+    const token = resolveEnvCandidateToken({
+        explicitKey: input.explicitKey,
+        env: input.env,
+    });
+    if (!token) {
+        return {
+            kind: 'missing',
+            message: 'pugi login --provider env requires a token. Export PUGI_API_KEY in the current shell or pass --key <value>.',
+        };
+    }
+    const formatError = assertTokenFormat(token);
+    if (formatError) {
+        return {
+            kind: 'invalid-format',
+            message: `pugi login --provider env: ${formatError}`,
+        };
+    }
+    if (input.skipValidate) {
+        // Used by the existing `login-variants.spec.ts` regression suite
+        // so the test plane does not require a live network. Production
+        // path always validates.
+        return { kind: 'ok', token, latencyMs: 0 };
+    }
+    const probe = await validateTokenAgainstHealth({
+        apiUrl: input.apiUrl,
+        apiKey: token,
+        fetchImpl: input.fetchImpl,
+        now: input.now,
+    });
+    if (probe.kind === 'ok') {
+        return { kind: 'ok', token, latencyMs: probe.latencyMs };
+    }
+    return probe;
+}
+function stripTrailingSlash(url) {
+    return url.endsWith('/') ? url.slice(0, -1) : url;
+}
+//# sourceMappingURL=env-provider.js.map

package/dist/core/bare-mode/index.js

@@ -0,0 +1,107 @@
+/**
+ * Leak L22 (2026-05-27) — `--bare` mode predicate.
+ *
+ * Mirror of Claude Code's `--bare` flag: when active the CLI behaves
+ * like a plain LLM frontend with NO project auto-discovery. Useful for:
+ *
+ *   - headless scripting where the operator wants deterministic, repo-
+ *     independent behavior (`pugi --bare --print "..."`),
+ *   - dropping into a workspace without auto-creating `.pugi/`,
+ *   - REPL sessions that should NOT inject ambient `PUGI.md` / `CLAUDE.md`
+ *     into the model prompt,
+ *   - support / triage flows where the engineer needs the CLI to act
+ *     like a fresh install regardless of where it's invoked.
+ *
+ * Discovery surfaces gated by `isBareMode()`:
+ *
+ *   1. `PUGI.md` / `AGENTS.md` / `CLAUDE.md` / `GEMINI.md` parent-dir
+ *      walk-up (`loadTraversedMarkdown` in `core/context/markdown-traverse.ts`).
+ *   2. Workspace-root markdown context (`loadMarkdownContext` consumers).
+ *   3. Auto-init `.pugi/` scaffold on REPL boot in untouched dirs.
+ *   4. Persona / skill auto-load from `.pugi/skills/`.
+ *   5. Workspace summary (`readPugiSummary`) read on REPL session start.
+ *
+ * Activation precedence — the bare bit is "sticky" once set so any
+ * subprocess the CLI spawns inherits it without re-passing the flag:
+ *
+ *   1. Top-level `--bare` arg parsed by `parseArgs` in `runtime/cli.ts`.
+ *      The parser sets `process.env.PUGI_BARE='1'` BEFORE the dispatch
+ *      flows so callsites checking the env see the activated state.
+ *   2. `PUGI_BARE=1` env var (any value matching `/^(1|true|yes|on)$/i`).
+ *   3. Default: bare mode OFF — full auto-discovery as before.
+ *
+ * This mirrors the existing `PUGI_SKIP_SPLASH` / `PUGI_NO_AUTO_INIT`
+ * env-flag pattern so the bare module fits the rest of the runtime
+ * configuration grammar without inventing a new wire.
+ *
+ * Test surface: `apps/pugi-cli/test/bare-mode.spec.ts` exercises the
+ * env precedence, value parsing, and the explicit-set / clear helpers.
+ */
+/**
+ * Env var consulted by `isBareMode()`. Kept as an export so the spec
+ * + the runtime CLI can use the same constant — no string-typing of
+ * the wire name across modules.
+ */
+export const PUGI_BARE_ENV = 'PUGI_BARE';
+/**
+ * Truthy values recognised on the `PUGI_BARE` env. Anything else
+ * (empty string, `0`, `false`, `no`, `off`, `disabled`, undefined) is
+ * treated as bare-mode OFF. The list is intentionally short — the
+ * value is set by the CLI parser and is not customer-typed prose, so
+ * we do not need a permissive boolean coercion.
+ */
+const TRUTHY = new Set(['1', 'true', 'yes', 'on']);
+/**
+ * Return true when bare mode is active for the current process. Reads
+ * `process.env[PUGI_BARE_ENV]` and applies the truthy-value match.
+ *
+ * Safe to call from any module (no FS, no side-effects). The runtime
+ * cost is a single env-var lookup + lower-case + set membership, so
+ * gating hot-path callsites with `if (isBareMode()) return ...` adds
+ * effectively zero overhead in the default (non-bare) case.
+ */
+export function isBareMode(env = process.env) {
+    const raw = env[PUGI_BARE_ENV];
+    if (typeof raw !== 'string' || raw.length === 0)
+        return false;
+    return TRUTHY.has(raw.toLowerCase());
+}
+/**
+ * Explicitly activate bare mode for the current process. Called by
+ * `parseArgs` in `runtime/cli.ts` when `--bare` is seen on the command
+ * line so downstream modules (engine, REPL bootstrap, doctor probe)
+ * see a consistent activated state via `isBareMode()` regardless of
+ * whether the operator set the env var manually or used the flag.
+ *
+ * Subprocess inheritance is the reason we mutate `process.env` rather
+ * than threading a `bare: boolean` field through every call signature
+ * — every Node child_process spawn inherits `process.env` by default,
+ * so the bare bit propagates to MCP servers / hook scripts / git
+ * subprocesses without ceremony.
+ */
+export function setBareMode(env = process.env) {
+    env[PUGI_BARE_ENV] = '1';
+}
+/**
+ * Clear bare mode for the current process. Provided primarily for the
+ * spec so adjacent tests do not leak state between cases. Production
+ * code does NOT call this — bare mode is a one-shot per process.
+ */
+export function clearBareMode(env = process.env) {
+    delete env[PUGI_BARE_ENV];
+}
+/**
+ * Human-readable one-line banner printed by the dispatcher when bare
+ * mode is active and the invocation is NOT JSON-only. Kept as a single
+ * constant so the spec can assert the exact wording and downstream
+ * tools (status bars, doctor row, REPL header) stay in lockstep.
+ */
+export const BARE_MODE_BANNER = 'Pugi --bare mode: project auto-discovery disabled.';
+/**
+ * Short label rendered inside the `pugi doctor` table when bare mode
+ * is active. The doctor probe surfaces `BARE MODE` as a separate row
+ * so operators triaging "why is Pugi ignoring my PUGI.md" see the
+ * cause without grep'ing the env.
+ */
+export const BARE_MODE_DOCTOR_LABEL = 'BARE MODE';
+//# sourceMappingURL=index.js.map

package/dist/core/diagnostics/probes/bare-mode.js

@@ -0,0 +1,42 @@
+/**
+ * BARE MODE probe — Leak L22 (2026-05-27).
+ *
+ * Surfaces the `--bare` activation state inside `pugi doctor`. The row is
+ * informational: bare mode is an opt-in operator choice, never an error.
+ * Operators triaging "why is Pugi ignoring my PUGI.md / why was the
+ * `.pugi/` scaffold skipped" see the cause without grep'ing the env.
+ *
+ * Status semantics:
+ *   - `skipped` when bare mode is OFF (default). The probe stays silent
+ *     in the table since there is nothing to report; the row still
+ *     renders so the JSON consumer can read a stable schema.
+ *   - `ok` when bare mode is ON via `--bare` or `PUGI_BARE=1`. The detail
+ *     enumerates the surfaces that are currently bypassed.
+ *
+ * No I/O — pure env probe. Wired into `buildDefaultProbes` in
+ * `runtime/commands/doctor.ts`.
+ */
+import { isBareMode, BARE_MODE_DOCTOR_LABEL } from '../../bare-mode/index.js';
+/**
+ * One-line summary printed in the `--bare` row when bare mode is on.
+ * Exported so the spec can assert the exact wording — operators reading
+ * `pugi doctor` should see the list of surfaces that the flag disables.
+ */
+export const BARE_MODE_ACTIVE_DETAIL = 'bare mode active: PUGI.md walk-up + auto-init + persona auto-load disabled';
+export const BARE_MODE_INACTIVE_DETAIL = 'bare mode off (default auto-discovery)';
+export function probeBareMode(input = {}) {
+    const env = input.env ?? process.env;
+    if (isBareMode(env)) {
+        return {
+            name: BARE_MODE_DOCTOR_LABEL,
+            status: 'ok',
+            detail: BARE_MODE_ACTIVE_DETAIL,
+        };
+    }
+    return {
+        name: BARE_MODE_DOCTOR_LABEL,
+        status: 'skipped',
+        detail: BARE_MODE_INACTIVE_DETAIL,
+    };
+}
+//# sourceMappingURL=bare-mode.js.map

package/dist/core/diagnostics/probes/pugi-md.js

@@ -0,0 +1,89 @@
+/**
+ * PUGI.md hierarchy probe — Leak L32 (2026-05-27).
+ *
+ * Surfaces how many ambient `PUGI.md` / `CLAUDE.md` files were
+ * discovered by the cwd → homedir walk-up. Operators triaging "why
+ * is the model not following my project conventions" can run
+ * `pugi doctor` and immediately see whether the hierarchy walk
+ * loaded the file they expected.
+ *
+ * Status semantics:
+ *   - `skipped` when bare mode is active (the walk is deliberately
+ *     disabled). The row still renders so the JSON schema stays
+ *     stable for downstream consumers.
+ *   - `skipped` when zero files were found. This is the default
+ *     state on a clean machine and is NOT an error — most operators
+ *     do not maintain a `~/PUGI.md`.
+ *   - `ok` when one or more files were discovered. The detail names
+ *     the closest file and the total count.
+ *
+ * Side effects:
+ *   - One filesystem walk from cwd to homedir (bounded by the walker's
+ *     depth cap). Each level performs at most 2 `existsSync` calls.
+ *     Cost is single-digit ms even on cold cache; well inside the
+ *     doctor probe wall-clock budget.
+ *
+ * Wired into `buildDefaultProbes` in `runtime/commands/doctor.ts`.
+ */
+import { isBareMode } from '../../bare-mode/index.js';
+import { walkUpPugiMd } from '../../pugi-md/walk-up.js';
+export const PUGI_MD_DOCTOR_LABEL = 'PUGI.md HIERARCHY';
+/** Detail string emitted when bare mode disables the walk. */
+export const PUGI_MD_BARE_SKIP_DETAIL = 'skipped (--bare)';
+/** Detail string emitted when the walk ran but found nothing. */
+export const PUGI_MD_EMPTY_DETAIL = 'no PUGI.md / CLAUDE.md found in cwd → homedir';
+export function probePugiMdHierarchy(input = {}) {
+    const env = input.env ?? process.env;
+    if (isBareMode(env)) {
+        return {
+            name: PUGI_MD_DOCTOR_LABEL,
+            status: 'skipped',
+            detail: PUGI_MD_BARE_SKIP_DETAIL,
+        };
+    }
+    const cwd = input.cwd ?? process.cwd();
+    const walk = input.walkImpl ?? ((c, o) => walkUpPugiMd(c, o));
+    let files;
+    try {
+        files = walk(cwd, input.homedir !== undefined ? { homedir: input.homedir } : {});
+    }
+    catch {
+        // Defensive: walker is wrapped in per-file try/catch already, so
+        // a throw here means a programmer error (bad input). Degrade to
+        // a `warn` row rather than crashing the doctor sweep.
+        return {
+            name: PUGI_MD_DOCTOR_LABEL,
+            status: 'warn',
+            detail: 'walk-up failed (see logs)',
+        };
+    }
+    if (files.length === 0) {
+        return {
+            name: PUGI_MD_DOCTOR_LABEL,
+            status: 'skipped',
+            detail: PUGI_MD_EMPTY_DETAIL,
+        };
+    }
+    // `files` is shallow-to-deep; the first entry is the closest to cwd.
+    // Operators reading the table care most about that one — it is the
+    // file that will most directly influence model behaviour. The
+    // additional count gives a quick "is the homedir / parent picked up
+    // too?" signal without listing every path.
+    const closest = files[0];
+    // closest is guaranteed non-undefined: files.length > 0 enforced
+    // by the early return above.
+    if (!closest) {
+        return {
+            name: PUGI_MD_DOCTOR_LABEL,
+            status: 'skipped',
+            detail: PUGI_MD_EMPTY_DETAIL,
+        };
+    }
+    const suffix = files.length === 1 ? '' : ` (+${files.length - 1} more)`;
+    return {
+        name: PUGI_MD_DOCTOR_LABEL,
+        status: 'ok',
+        detail: `${files.length} file${files.length === 1 ? '' : 's'}: ${closest.path}${suffix}`,
+    };
+}
+//# sourceMappingURL=pugi-md.js.map

package/dist/core/engine/native-pugi.js

@@ -17,6 +17,9 @@ import { CancellationToken } from '../repl/cancellation.js';
 import { buildContextPrefix, spliceContextPrefix } from './context-prefix.js';
 import { applyIntentMarker, classifyIntent } from './intent.js';
 import { loadTraversedMarkdown } from '../context/markdown-traverse.js';
+import { isBareMode } from '../bare-mode/index.js';
+import { walkUpPugiMd } from '../pugi-md/walk-up.js';
+import { renderAmbientContext } from '../pugi-md/context-injector.js';
 // α7 L11 (2026-05-27): per-session DenialTrackingState. One instance
 // per `run()` so denials cluster by (tool, args) within the same
 // command but do NOT leak across CLI invocations.
@@ -233,19 +236,53 @@ export class NativePugiEngineAdapter {
             // accurate; the REPL session retains the launch cwd for the
             // lifetime of the session which is what the operator expects.
             const cwdForTraverse = process.cwd();
-            let traverseResult;
-            try {
-                traverseResult = await loadTraversedMarkdown({
-                    cwd: cwdForTraverse,
-                    workspaceRoot: root,
-                });
+            // Leak L32 (2026-05-27): cwd → homedir walk-up that picks up every
+            // ambient `PUGI.md` (or `CLAUDE.md` as a fallback) the operator
+            // has placed above their workspace. This is the cross-project
+            // hierarchy walk — distinct from the workspace-bounded
+            // `loadTraversedMarkdown` below which only sees files INSIDE the
+            // workspace root. Render the concatenation once at session boot
+            // and prepend to the system prompt so the model treats the
+            // operator's personal guidance as ambient context for the whole
+            // session. `--bare` (Leak L22) skips this walk entirely.
+            let ambientContextBlock = '';
+            if (!isBareMode()) {
+                try {
+                    const hierarchy = walkUpPugiMd(cwdForTraverse);
+                    ambientContextBlock = renderAmbientContext(hierarchy);
+                }
+                catch {
+                    // Pure FS surface — if it throws (programmer error in the
+                    // walker, not a per-file fs error which is already swallowed
+                    // inside) we drop ambient context for this session rather
+                    // than crashing the engine loop. Doctor probe still surfaces
+                    // the hierarchy state for operator triage.
+                    ambientContextBlock = '';
+                }
             }
-            catch {
-                // Per-dir markdown is a NICE-TO-HAVE; a fs error here must
-                // never break the engine loop. Fall back to an empty result
-                // so the prefix block still surfaces cwd + working set.
+            let traverseResult;
+            // Leak L22 (2026-05-27): `--bare` skips the parent-dir PUGI.md /
+            // AGENTS.md / CLAUDE.md / GEMINI.md walk-up. The engine sees only
+            // the operator's prompt + working-set + intent marker, with no
+            // ambient project context injection. Mirrors Claude Code's
+            // --bare semantics.
+            if (isBareMode()) {
                 traverseResult = { loaded: [], warnings: [], totalBytes: 0 };
             }
+            else {
+                try {
+                    traverseResult = await loadTraversedMarkdown({
+                        cwd: cwdForTraverse,
+                        workspaceRoot: root,
+                    });
+                }
+                catch {
+                    // Per-dir markdown is a NICE-TO-HAVE; a fs error here must
+                    // never break the engine loop. Fall back to an empty result
+                    // so the prefix block still surfaces cwd + working set.
+                    traverseResult = { loaded: [], warnings: [], totalBytes: 0 };
+                }
+            }
             const intentClassification = classifyIntent(task.prompt);
             const intentHint = intentClassification.intent !== 'ambiguous' ? intentClassification.intent : undefined;
             const cwdRelative = relativeOrAbsolute(root, cwdForTraverse);
@@ -537,7 +574,14 @@ export class NativePugiEngineAdapter {
                             // pattern instead of re-issuing the same refused call.
                             denialTracking,
                         }),
-                        systemPrompt: systemPromptFor(kind),
+                        // Leak L32 (2026-05-27): ambient `PUGI.md` hierarchy block
+                        // prepended once at session boot. When the walk found
+                        // nothing OR bare mode is on, `ambientContextBlock === ''`
+                        // and the system prompt is unchanged — no leading blank
+                        // line, no empty wrapper tag.
+                        systemPrompt: ambientContextBlock
+                            ? `${ambientContextBlock}\n\n${systemPromptFor(kind)}`
+                            : systemPromptFor(kind),
                         // β5a R5+R6+P1: per-turn `<context>` prefix + intent marker
                         // applied above. Falls back to verbatim `task.prompt` when
                         // both the prefix block is empty AND the intent classifier

package/dist/core/engine/prompts.js

@@ -1,4 +1,6 @@
 import { getJobRegistry, summarizeJobsForPrompt, } from '../jobs/registry.js';
+import { compileStyleBlock } from '../output-style/presets.js';
+import { resolveOutputStyle } from '../output-style/state.js';
 /**
  * System prompts for each engine command. Each prompt:
  *   - Anchors the model in Pugi's local-first contract (ADR-0037).
@@ -92,10 +94,36 @@ export function systemPromptFor(kind) {
     // voice gate are command-agnostic — a definitional question lands
     // the same way under `pugi explain` and `pugi code`.
     const withV2 = `${base}\n\n${PROMPT_V2_APPENDIX}`;
+    // Leak L18 (2026-05-27): output-style preset block. Compiled from
+    // workspace > user > default precedence. The `default` preset
+    // returns an empty block (no override over the base voice), so the
+    // injection is a no-op for the most-common case. Wrapped in
+    // try/catch — every IO failure inside `resolveOutputStyle` already
+    // degrades to the default slug, but defence in depth keeps the
+    // engine prompt assembly from ever crashing on a hand-edited
+    // config.json.
+    const styleBlock = formatOutputStyleBlock();
+    const withStyle = styleBlock ? `${withV2}\n\n${styleBlock}` : withV2;
     const snapshot = formatBackgroundJobsSnapshot(getJobRegistrySafely());
     if (!snapshot)
-        return withV2;
-    return `${withV2}\n\n${snapshot}`;
+        return withStyle;
+    return `${withStyle}\n\n${snapshot}`;
+}
+/**
+ * Resolve the active output-style preset for the current process
+ * and compile it into a prompt block. Returns empty string for the
+ * default preset OR for any unexpected IO failure so the engine
+ * prompt assembly path is unaffected by a missing / malformed
+ * config.json.
+ */
+function formatOutputStyleBlock() {
+    try {
+        const resolved = resolveOutputStyle({ workspaceRoot: process.cwd() });
+        return compileStyleBlock(resolved.slug);
+    }
+    catch {
+        return '';
+    }
 }
 function baseSystemPromptFor(kind) {
     switch (kind) {