@pugi/cli 0.1.0-beta.22 → 0.1.0-beta.24

package/dist/core/auto-update/state.js

@@ -0,0 +1,235 @@
+/**
+ * Leak L27 (2026-05-27) — Auto-update channel + last-check persistence.
+ *
+ * Two pieces of disk state are managed here:
+ *
+ *   1. **Channel selection** — `~/.pugi/config.json::updateChannel`.
+ *      Persisted across sessions so `pugi update` keeps polling the
+ *      same track the operator opted into via `pugi update --channel
+ *      <name>`. Mirrors the read/write pattern used by
+ *      `core/permissions/state.ts::getGlobalDefaultMode` (passthrough
+ *      schema, atomic tmp+rename, defensive parse).
+ *
+ *   2. **Last-check timestamp** — `~/.pugi/.last-update-check` (ISO
+ *      string, single-line). Read by the cold-start banner gate so
+ *      operators only see the "update available" hint once per
+ *      `UPDATE_CHECK_INTERVAL_HOURS` (default 24h). Living on its own
+ *      file (NOT a JSON object inside config.json) is intentional:
+ *      the timestamp is a hot path — every CLI invocation touches it —
+ *      and a single-line read+write is materially faster than the
+ *      JSON parse + serialise of the broader config doc, with no
+ *      schema coupling cost.
+ *
+ * Module contract:
+ *
+ *   - Every file path resolver accepts a `homeDir` override so the
+ *     test suite can drive the module through a per-test mkdtemp
+ *     directory without polluting the real `~/.pugi/`.
+ *
+ *   - Parse / read helpers NEVER throw on a malformed file. A
+ *     corrupted JSON blob, a missing field, or an unreadable file all
+ *     collapse to "no persisted value" so the next layer (the CLI
+ *     flag or the hard default `beta`) takes over. A future-self
+ *     debugging an update flow against a corrupt config never has the
+ *     CLI crash on them.
+ *
+ *   - Write helpers use the atomic tmp+rename idiom so a kill mid-
+ *     write never produces a half-flushed JSON document. The
+ *     timestamp file is small enough that POSIX `rename` is itself
+ *     atomic in practice, but we keep the idiom uniform with the
+ *     config write so reviewers do not have to context-switch.
+ */
+import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync, } from 'node:fs';
+import { homedir } from 'node:os';
+import { resolve, dirname } from 'node:path';
+import { z } from 'zod';
+import { DEFAULT_UPDATE_CHANNEL, UPDATE_CHANNELS, } from './channels.js';
+/**
+ * Default rate-limit window between registry probes. Operators see the
+ * cold-start banner at most once per window. Override per call via
+ * `shouldCheckForUpdate({ intervalHours })` — the cron-style scheduler
+ * passes 0 to force a check on every invocation, the doctor probe
+ * passes 24 to match the operator-visible cadence.
+ */
+export const UPDATE_CHECK_INTERVAL_HOURS = 24;
+/** Filename of the per-user channel + misc config. Mirrors L6 / L25. */
+const CONFIG_FILE = '.pugi/config.json';
+/** Filename of the standalone last-check ISO timestamp. */
+const LAST_CHECK_FILE = '.pugi/.last-update-check';
+/**
+ * Zod schema for the channel slice of `~/.pugi/config.json`. The
+ * passthrough lets sibling skills (L6 `defaultPermissionMode`, L25
+ * onboarding marker, etc.) coexist in the same JSON document without
+ * dropping their fields on a channel write.
+ */
+const channelConfigSchema = z
+    .object({
+    updateChannel: z.enum(['stable', 'beta', 'canary']).optional(),
+})
+    .partial()
+    .passthrough();
+/**
+ * Resolve the absolute path of the per-user config file. Defaults to
+ * the real home dir, but every caller in the spec passes an explicit
+ * tmpdir so the persisted writes never escape the test sandbox.
+ */
+export function configPath(homeDir = homedir()) {
+    return resolve(homeDir, CONFIG_FILE);
+}
+/**
+ * Resolve the absolute path of the single-line last-check file.
+ */
+export function lastCheckPath(homeDir = homedir()) {
+    return resolve(homeDir, LAST_CHECK_FILE);
+}
+/**
+ * Read the persisted channel selection. Returns `null` when the
+ * config file is absent, the field is unset, or the file is unparse-
+ * able. The caller layers in the CLI flag + the hard default
+ * `DEFAULT_UPDATE_CHANNEL`.
+ *
+ * Defensive parse is intentional — a half-written config from a
+ * crashed session should never block `pugi update` from finishing the
+ * channel switch.
+ */
+export function getUpdateChannel(homeDir = homedir()) {
+    const path = configPath(homeDir);
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = readFileSync(path, 'utf8');
+        const parsed = channelConfigSchema.parse(JSON.parse(raw));
+        return parsed.updateChannel ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Resolve the effective channel for an invocation. Resolution order:
+ *
+ *   1. `cliFlag` (when provided + parses to a known channel).
+ *   2. `~/.pugi/config.json::updateChannel`.
+ *   3. `DEFAULT_UPDATE_CHANNEL` (currently `beta`).
+ *
+ * An invalid `cliFlag` (e.g. `--channel yolo`) falls through to the
+ * next layer rather than crashing — the dispatcher already validates
+ * the flag up front and surfaces a deterministic error for unknown
+ * names. This helper exists for code paths (the doctor probe, the
+ * cold-start banner) where no CLI flag is in play and a silent fall-
+ * through is the correct behaviour.
+ */
+export function resolveEffectiveChannel(options = {}) {
+    const cli = options.cliFlag;
+    if (cli && typeof cli === 'string') {
+        const trimmed = cli.trim().toLowerCase();
+        for (const channel of UPDATE_CHANNELS) {
+            if (channel === trimmed)
+                return channel;
+        }
+    }
+    const persisted = getUpdateChannel(options.homeDir ?? homedir());
+    if (persisted)
+        return persisted;
+    return DEFAULT_UPDATE_CHANNEL;
+}
+/**
+ * Persist the channel to `~/.pugi/config.json::updateChannel`. Creates
+ * `~/.pugi/` when missing; preserves any unrelated keys in the file
+ * (passthrough schema). Atomic tmp+rename so a kill mid-write never
+ * leaves the config half-flushed.
+ */
+export function setUpdateChannel(channel, homeDir = homedir()) {
+    const path = configPath(homeDir);
+    mkdirSync(dirname(path), { recursive: true });
+    const existing = existsSync(path)
+        ? safeParseObject(readFileSync(path, 'utf8'))
+        : {};
+    const next = { ...existing, updateChannel: channel };
+    const tmpPath = `${path}.tmp`;
+    writeFileSync(tmpPath, `${JSON.stringify(next, null, 2)}\n`, {
+        encoding: 'utf8',
+        mode: 0o600,
+    });
+    renameSync(tmpPath, path);
+}
+/**
+ * Read the ISO timestamp of the most recent registry probe. Returns
+ * `null` when the file is absent or the contents do not parse as a
+ * valid Date. The caller treats `null` as "never checked" and runs an
+ * immediate probe.
+ */
+export function readLastCheckedAt(homeDir = homedir()) {
+    const path = lastCheckPath(homeDir);
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = readFileSync(path, 'utf8').trim();
+        if (raw.length === 0)
+            return null;
+        const ts = Date.parse(raw);
+        if (!Number.isFinite(ts))
+            return null;
+        return new Date(ts);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Persist the timestamp of the most recent registry probe. Atomic
+ * tmp+rename for the same reasons as `setUpdateChannel` — the file is
+ * small but we keep the idiom uniform.
+ */
+export function writeLastCheckedAt(when, homeDir = homedir()) {
+    const path = lastCheckPath(homeDir);
+    mkdirSync(dirname(path), { recursive: true });
+    const tmpPath = `${path}.tmp`;
+    writeFileSync(tmpPath, `${when.toISOString()}\n`, {
+        encoding: 'utf8',
+        mode: 0o600,
+    });
+    renameSync(tmpPath, path);
+}
+/**
+ * Decide whether the cold-start hint should run a fresh registry
+ * probe. Returns true when the last probe was more than
+ * `intervalHours` ago OR the timestamp file is missing entirely.
+ *
+ * Pass `intervalHours = 0` to force a probe on every call (used by
+ * the `pugi update --check` JSON surface where the operator is
+ * explicitly asking for a fresh result).
+ */
+export function shouldCheckForUpdate(options = {}) {
+    const now = options.now ? options.now() : Date.now();
+    const intervalHours = options.intervalHours ?? UPDATE_CHECK_INTERVAL_HOURS;
+    if (intervalHours <= 0)
+        return true;
+    const last = readLastCheckedAt(options.homeDir ?? homedir());
+    if (!last)
+        return true;
+    const ageMs = now - last.getTime();
+    const windowMs = intervalHours * 60 * 60 * 1_000;
+    return ageMs >= windowMs;
+}
+/**
+ * Defensive helper — parse JSON to an object; non-object payloads
+ * (top-level array, primitive) collapse to an empty object so the
+ * channel-write merge does not surface a TypeError. Mirrors the
+ * `safeParseObject` in `core/permissions/state.ts` — duplicating the
+ * 10 lines is cheaper than threading a shared util module through
+ * two unrelated leak surfaces.
+ */
+function safeParseObject(raw) {
+    try {
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            return parsed;
+        }
+        return {};
+    }
+    catch {
+        return {};
+    }
+}
+//# sourceMappingURL=state.js.map

package/dist/core/diagnostics/probes/pugi-md.js

@@ -0,0 +1,89 @@
+/**
+ * PUGI.md hierarchy probe — Leak L32 (2026-05-27).
+ *
+ * Surfaces how many ambient `PUGI.md` / `CLAUDE.md` files were
+ * discovered by the cwd → homedir walk-up. Operators triaging "why
+ * is the model not following my project conventions" can run
+ * `pugi doctor` and immediately see whether the hierarchy walk
+ * loaded the file they expected.
+ *
+ * Status semantics:
+ *   - `skipped` when bare mode is active (the walk is deliberately
+ *     disabled). The row still renders so the JSON schema stays
+ *     stable for downstream consumers.
+ *   - `skipped` when zero files were found. This is the default
+ *     state on a clean machine and is NOT an error — most operators
+ *     do not maintain a `~/PUGI.md`.
+ *   - `ok` when one or more files were discovered. The detail names
+ *     the closest file and the total count.
+ *
+ * Side effects:
+ *   - One filesystem walk from cwd to homedir (bounded by the walker's
+ *     depth cap). Each level performs at most 2 `existsSync` calls.
+ *     Cost is single-digit ms even on cold cache; well inside the
+ *     doctor probe wall-clock budget.
+ *
+ * Wired into `buildDefaultProbes` in `runtime/commands/doctor.ts`.
+ */
+import { isBareMode } from '../../bare-mode/index.js';
+import { walkUpPugiMd } from '../../pugi-md/walk-up.js';
+export const PUGI_MD_DOCTOR_LABEL = 'PUGI.md HIERARCHY';
+/** Detail string emitted when bare mode disables the walk. */
+export const PUGI_MD_BARE_SKIP_DETAIL = 'skipped (--bare)';
+/** Detail string emitted when the walk ran but found nothing. */
+export const PUGI_MD_EMPTY_DETAIL = 'no PUGI.md / CLAUDE.md found in cwd → homedir';
+export function probePugiMdHierarchy(input = {}) {
+    const env = input.env ?? process.env;
+    if (isBareMode(env)) {
+        return {
+            name: PUGI_MD_DOCTOR_LABEL,
+            status: 'skipped',
+            detail: PUGI_MD_BARE_SKIP_DETAIL,
+        };
+    }
+    const cwd = input.cwd ?? process.cwd();
+    const walk = input.walkImpl ?? ((c, o) => walkUpPugiMd(c, o));
+    let files;
+    try {
+        files = walk(cwd, input.homedir !== undefined ? { homedir: input.homedir } : {});
+    }
+    catch {
+        // Defensive: walker is wrapped in per-file try/catch already, so
+        // a throw here means a programmer error (bad input). Degrade to
+        // a `warn` row rather than crashing the doctor sweep.
+        return {
+            name: PUGI_MD_DOCTOR_LABEL,
+            status: 'warn',
+            detail: 'walk-up failed (see logs)',
+        };
+    }
+    if (files.length === 0) {
+        return {
+            name: PUGI_MD_DOCTOR_LABEL,
+            status: 'skipped',
+            detail: PUGI_MD_EMPTY_DETAIL,
+        };
+    }
+    // `files` is shallow-to-deep; the first entry is the closest to cwd.
+    // Operators reading the table care most about that one — it is the
+    // file that will most directly influence model behaviour. The
+    // additional count gives a quick "is the homedir / parent picked up
+    // too?" signal without listing every path.
+    const closest = files[0];
+    // closest is guaranteed non-undefined: files.length > 0 enforced
+    // by the early return above.
+    if (!closest) {
+        return {
+            name: PUGI_MD_DOCTOR_LABEL,
+            status: 'skipped',
+            detail: PUGI_MD_EMPTY_DETAIL,
+        };
+    }
+    const suffix = files.length === 1 ? '' : ` (+${files.length - 1} more)`;
+    return {
+        name: PUGI_MD_DOCTOR_LABEL,
+        status: 'ok',
+        detail: `${files.length} file${files.length === 1 ? '' : 's'}: ${closest.path}${suffix}`,
+    };
+}
+//# sourceMappingURL=pugi-md.js.map

package/dist/core/engine/native-pugi.js

@@ -18,6 +18,8 @@ import { buildContextPrefix, spliceContextPrefix } from './context-prefix.js';
 import { applyIntentMarker, classifyIntent } from './intent.js';
 import { loadTraversedMarkdown } from '../context/markdown-traverse.js';
 import { isBareMode } from '../bare-mode/index.js';
+import { walkUpPugiMd } from '../pugi-md/walk-up.js';
+import { renderAmbientContext } from '../pugi-md/context-injector.js';
 // α7 L11 (2026-05-27): per-session DenialTrackingState. One instance
 // per `run()` so denials cluster by (tool, args) within the same
 // command but do NOT leak across CLI invocations.
@@ -234,6 +236,30 @@ export class NativePugiEngineAdapter {
             // accurate; the REPL session retains the launch cwd for the
             // lifetime of the session which is what the operator expects.
             const cwdForTraverse = process.cwd();
+            // Leak L32 (2026-05-27): cwd → homedir walk-up that picks up every
+            // ambient `PUGI.md` (or `CLAUDE.md` as a fallback) the operator
+            // has placed above their workspace. This is the cross-project
+            // hierarchy walk — distinct from the workspace-bounded
+            // `loadTraversedMarkdown` below which only sees files INSIDE the
+            // workspace root. Render the concatenation once at session boot
+            // and prepend to the system prompt so the model treats the
+            // operator's personal guidance as ambient context for the whole
+            // session. `--bare` (Leak L22) skips this walk entirely.
+            let ambientContextBlock = '';
+            if (!isBareMode()) {
+                try {
+                    const hierarchy = walkUpPugiMd(cwdForTraverse);
+                    ambientContextBlock = renderAmbientContext(hierarchy);
+                }
+                catch {
+                    // Pure FS surface — if it throws (programmer error in the
+                    // walker, not a per-file fs error which is already swallowed
+                    // inside) we drop ambient context for this session rather
+                    // than crashing the engine loop. Doctor probe still surfaces
+                    // the hierarchy state for operator triage.
+                    ambientContextBlock = '';
+                }
+            }
             let traverseResult;
             // Leak L22 (2026-05-27): `--bare` skips the parent-dir PUGI.md /
             // AGENTS.md / CLAUDE.md / GEMINI.md walk-up. The engine sees only
@@ -548,7 +574,14 @@ export class NativePugiEngineAdapter {
                             // pattern instead of re-issuing the same refused call.
                             denialTracking,
                         }),
-                        systemPrompt: systemPromptFor(kind),
+                        // Leak L32 (2026-05-27): ambient `PUGI.md` hierarchy block
+                        // prepended once at session boot. When the walk found
+                        // nothing OR bare mode is on, `ambientContextBlock === ''`
+                        // and the system prompt is unchanged — no leading blank
+                        // line, no empty wrapper tag.
+                        systemPrompt: ambientContextBlock
+                            ? `${ambientContextBlock}\n\n${systemPromptFor(kind)}`
+                            : systemPromptFor(kind),
                         // β5a R5+R6+P1: per-turn `<context>` prefix + intent marker
                         // applied above. Falls back to verbatim `task.prompt` when
                         // both the prefix block is empty AND the intent classifier

package/dist/core/pugi-md/context-injector.js

@@ -0,0 +1,76 @@
+/**
+ * Aggregate byte cap on the full rendered block. 96 KB = 3 files at
+ * the per-file cap, which is enough for cwd + parent + homedir while
+ * leaving plenty of prompt budget for the rest of the system prompt.
+ * Anything beyond is replaced with a truncation marker.
+ */
+export const MAX_INJECT_BYTES = 96 * 1024;
+/**
+ * Marker line emitted when the aggregate cap is hit. Visible to the
+ * model so it knows ambient context was clipped; visible to the
+ * operator via the doctor probe so they can decide whether to trim
+ * their `PUGI.md` hierarchy.
+ */
+export const TRUNCATION_MARKER = '<ambient-context-truncated reason="aggregate-cap" />';
+/**
+ * Render a HierarchyFile array into the system-prompt block. Returns
+ * `''` when `files` is empty. Each file becomes one
+ * `<ambient-context source="..." level="...">...</ambient-context>`
+ * stanza separated by a single newline.
+ *
+ * Determinism: same input always produces byte-identical output.
+ */
+export function renderAmbientContext(files) {
+    if (files.length === 0)
+        return '';
+    const stanzas = [];
+    let bytes = 0;
+    let truncated = false;
+    for (const file of files) {
+        const stanza = renderStanza(file);
+        const stanzaBytes = Buffer.byteLength(stanza, 'utf8') + 1; // newline join cost
+        if (bytes + stanzaBytes > MAX_INJECT_BYTES) {
+            truncated = true;
+            break;
+        }
+        stanzas.push(stanza);
+        bytes += stanzaBytes;
+    }
+    if (truncated)
+        stanzas.push(TRUNCATION_MARKER);
+    return stanzas.join('\n');
+}
+/**
+ * Build a single `<ambient-context>` stanza for one HierarchyFile.
+ * The `source` attribute carries the absolute path (after realpath)
+ * so the model can cite which file a piece of guidance came from
+ * when it explains its decisions to the operator.
+ */
+function renderStanza(file) {
+    const sourceAttr = escapeAttr(file.path);
+    const levelAttr = String(file.level);
+    // No trailing newline inside `content` — the join adds one between
+    // stanzas. Trimming the file's trailing whitespace keeps the tag
+    // close to the content for readability when an engineer dumps the
+    // assembled prompt for debugging.
+    const trimmed = file.content.replace(/\s+$/g, '');
+    return [
+        `<ambient-context source="${sourceAttr}" level="${levelAttr}">`,
+        trimmed,
+        `</ambient-context>`,
+    ].join('\n');
+}
+/**
+ * Escape an XML attribute value. We expect operator-controlled paths
+ * (not adversarial input) but `&`, `"` and `<` are still possible in
+ * symlinked / unicode paths so we escape them defensively. The model
+ * has been trained to read this attribute as opaque metadata.
+ */
+function escapeAttr(value) {
+    return value
+        .replace(/&/g, '&amp;')
+        .replace(/"/g, '&quot;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;');
+}
+//# sourceMappingURL=context-injector.js.map

package/dist/core/pugi-md/walk-up.js

@@ -0,0 +1,207 @@
+/**
+ * Leak L32 (2026-05-27) — `PUGI.md` hierarchy walk-up to `$HOME`.
+ *
+ * Claude Code walks from `cwd` upward toward the user's homedir and
+ * concatenates every `CLAUDE.md` it finds at each intermediate level
+ * (deepest overrides shallowest). Pugi parity: same walk, looking for
+ * `PUGI.md` first at each level and accepting `CLAUDE.md` as a fallback
+ * — operators often have a leftover `~/CLAUDE.md` or a parent-dir
+ * `CLAUDE.md` from a previous Claude Code session and we want their
+ * ambient guidance picked up automatically without a migration step.
+ *
+ * Why this is a separate module from `core/context/markdown-traverse.ts`:
+ *
+ *   - `markdown-traverse.ts` is the *workspace-bounded* walk (cwd → up
+ *     to but NOT including `workspaceRoot`). It guards every read by
+ *     `realpathSync` containment against the workspace root and
+ *     refuses to escape — by design, because the per-dir markdown is
+ *     part of the project's first-party context.
+ *
+ *   - This module is the *home-bounded* walk (cwd → up to `homedir()`,
+ *     OR until depth limit). It picks up the operator's personal /
+ *     global guidance that lives ABOVE the workspace root. The two
+ *     surfaces are complementary: workspace markdown encodes project
+ *     conventions; this hierarchy walk encodes operator-level taste
+ *     (preferred libraries, "always run prettier", style guides).
+ *
+ * Contract:
+ *
+ *   - Walks from `cwd` upward. At each directory checks `PUGI.md`
+ *     (preferred); when absent falls back to `CLAUDE.md`. Only ONE
+ *     file per level is loaded — preferred wins.
+ *   - Stops at `homedir()` INCLUSIVE — the file at `~/PUGI.md` or
+ *     `~/CLAUDE.md` IS loaded (Claude Code parity: a `~/CLAUDE.md`
+ *     applies to every project the operator opens).
+ *   - Hard depth cap of `MAX_WALK_DEPTH` (20) directories regardless
+ *     of how far cwd is from homedir; defense against symlinked or
+ *     malicious cwd values.
+ *   - Per-file byte cap `MAX_FILE_BYTES` (32 KB); over-cap files are
+ *     truncated, not rejected, so a runaway `PUGI.md` does not break
+ *     the prompt budget.
+ *   - Returns shallow-to-deep order (cwd FIRST, homedir LAST). The
+ *     caller is responsible for rendering precedence — Claude Code's
+ *     rule is "deeper overrides shallower", which means the LAST
+ *     entry in the rendered system prompt wins. Our order matches
+ *     that convention so the context injector can splice directly.
+ *
+ * Safety:
+ *
+ *   - No `realpath` on the directories themselves: the operator's
+ *     cwd may live under a workspace symlink (common with macOS
+ *     `/private/var/...`) and we want to honor what the operator
+ *     sees in their shell. We DO resolve the candidate file via
+ *     `realpathSync` before reading, but only to defeat
+ *     symlinks-pointing-outside-homedir attacks; an off-tree symlink
+ *     is skipped silently.
+ *   - Catch + skip every fs error per file. The walk-up surface MUST
+ *     NEVER break engine boot — missing read perms on a parent dir
+ *     is the common case (e.g. `/etc` on a corp laptop) and the
+ *     fallback is "no ambient context", not a crash.
+ *
+ * Pure module: no logging, no network, no fs writes.
+ */
+import { existsSync, readFileSync, realpathSync, statSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+/**
+ * Hard ceiling on parent-dir traversal depth. 20 is generous — even
+ * deep monorepo layouts rarely sit more than 8-10 levels below the
+ * homedir on a developer's laptop. The cap exists so a misconfigured
+ * cwd (e.g. cwd outside the user's home filesystem entirely) cannot
+ * cause a multi-second fs scan of unrelated directories.
+ */
+export const MAX_WALK_DEPTH = 20;
+/**
+ * Per-file byte cap. 32 KB matches the per-dir markdown traverse
+ * aggregate budget — generous enough for a fully written-out
+ * project / personal `PUGI.md` (~8000 words) while keeping any one
+ * file from blowing the prompt budget on its own.
+ */
+export const MAX_FILE_BYTES = 32 * 1024;
+/**
+ * Filenames consulted at each level, in lookup order. `PUGI.md` is
+ * preferred — when both files coexist in a directory the Pugi-native
+ * file wins and the Claude Code shim is ignored. This is the same
+ * precedence used by `markdown-traverse.ts` for workspace-bounded
+ * walks; keeping the two surfaces consistent removes the "why does
+ * Pugi sometimes read CLAUDE.md and sometimes PUGI.md?" foot-gun.
+ */
+export const HIERARCHY_SOURCES = ['PUGI.md', 'CLAUDE.md'];
+/**
+ * Walk from `cwd` upward, collecting ambient `PUGI.md` / `CLAUDE.md`
+ * files at each level until we reach the homedir (inclusive) or the
+ * depth cap.
+ *
+ * Returns an array ordered shallowest-first (cwd → homedir). When no
+ * files are found, returns `[]`. When `cwd` is OUTSIDE the homedir
+ * tree (e.g. the operator runs `pugi` from `/tmp`), the walk still
+ * proceeds upward but stops the moment we reach a filesystem root
+ * without ever entering the homedir — useful for ops/admin invocations
+ * where there is genuinely no personal context to load.
+ */
+export function walkUpPugiMd(cwd, opts = {}) {
+    const limit = clampLimit(opts.limit);
+    const home = opts.homedir;
+    let absCwd;
+    try {
+        absCwd = resolve(cwd);
+    }
+    catch {
+        return [];
+    }
+    const absHome = home ? resolve(home) : undefined;
+    const results = [];
+    let current = absCwd;
+    let level = 0;
+    const visited = new Set();
+    while (level <= limit) {
+        if (visited.has(current))
+            break; // pathological symlink loop guard
+        visited.add(current);
+        const found = tryLoadDirectory(current, level);
+        if (found)
+            results.push(found);
+        // Inclusive home boundary: load home if we are here, then stop.
+        if (absHome && current === absHome)
+            break;
+        const parent = dirname(current);
+        if (parent === current)
+            break; // hit filesystem root before homedir
+        current = parent;
+        level += 1;
+    }
+    return results;
+}
+/**
+ * Pick the first matching file in `dir`, read + cap it, and produce
+ * a HierarchyFile row. Returns `undefined` when no file in
+ * `HIERARCHY_SOURCES` exists or all reads error out (perms, symlink
+ * escape, etc.). NEVER throws — fs errors degrade to "no file at
+ * this level".
+ */
+function tryLoadDirectory(dir, level) {
+    for (const source of HIERARCHY_SOURCES) {
+        const candidate = resolve(dir, source);
+        if (!existsSync(candidate))
+            continue;
+        // Realpath the FILE to defeat symlink-points-elsewhere attacks.
+        // We do not realpath the directory itself — operators often run
+        // pugi from inside a workspace symlink and the walk should honor
+        // the path they see.
+        let realPath;
+        try {
+            realPath = realpathSync(candidate);
+        }
+        catch {
+            // Broken symlink or perms issue on the link itself. Skip this
+            // file and try the next source in the same directory.
+            continue;
+        }
+        let rawBytes;
+        try {
+            rawBytes = statSync(realPath).size;
+        }
+        catch {
+            continue;
+        }
+        let content;
+        try {
+            content = readFileSync(realPath, 'utf8');
+        }
+        catch {
+            continue;
+        }
+        let truncated = false;
+        if (Buffer.byteLength(content, 'utf8') > MAX_FILE_BYTES) {
+            // Trim by character index sized to the byte cap. Mild over-trim
+            // on multi-byte boundaries is acceptable — we never under-trim
+            // (we'd exceed the cap) and the truncation is operator-visible
+            // via the `truncated` flag.
+            content = content.slice(0, MAX_FILE_BYTES);
+            truncated = true;
+        }
+        return {
+            path: realPath,
+            content,
+            level,
+            source,
+            truncated,
+            rawBytes,
+        };
+    }
+    return undefined;
+}
+/**
+ * Bound the limit to `[0, MAX_WALK_DEPTH]`. A negative or zero value
+ * still permits the cwd-level file to load (level 0 is always
+ * considered) — passing `limit: 0` means "current directory only".
+ */
+function clampLimit(limit) {
+    if (typeof limit !== 'number' || !Number.isFinite(limit))
+        return MAX_WALK_DEPTH;
+    if (limit < 0)
+        return 0;
+    if (limit > MAX_WALK_DEPTH)
+        return MAX_WALK_DEPTH;
+    return Math.floor(limit);
+}
+//# sourceMappingURL=walk-up.js.map