@pugi/cli 0.1.0-beta.26 → 0.1.0-beta.28

package/dist/core/prd-check/parser.js

@@ -0,0 +1,215 @@
+/**
+ * PRD parser — Pugi α7 Wave 6 (`/prd-check`, 2026-05-27).
+ *
+ * Reads a markdown PRD file and extracts the acceptance-criteria
+ * section into a list of verifiable criteria. The parser is
+ * intentionally narrow: it owns ONE function, accepts raw markdown
+ * source as a string (no fs I/O), and returns a structured list the
+ * verifier module can fan out over.
+ *
+ * Why two phases (parse → verify) instead of a single pass:
+ *
+ *   - keeps the parser deterministic + fast (pure string in, JSON
+ *     out — trivial to unit-test without touching the filesystem)
+ *
+ *   - lets the reporter render the criterion list even when every
+ *     verifier fails, so operators see WHAT failed before WHY
+ *
+ *   - mirrors the L17 doctor split: `probe-runner` runs a set of
+ *     probe descriptors → identical contract here, just for PRD
+ *     acceptance items instead of environment probes
+ *
+ * Heading recognition is tolerant by design: PRD authors use both
+ * `## Acceptance Criteria` and `## Success Criteria`, sometimes with
+ * a trailing colon, sometimes inside an h3. We accept any h2/h3
+ * matching either label (case-insensitive). The first matching
+ * section wins; subsequent matches are ignored so a PRD with both
+ * sections does not double-count items.
+ *
+ * Item recognition supports two shapes documented in the wave-6
+ * spec:
+ *
+ *   1. numbered lists      `1. <text>` / `1) <text>`
+ *   2. markdown checklists `- [ ] <text>` / `- [x] <text>`
+ *
+ * Either shape may include inline mentions the verifier extracts:
+ * file paths (`apps/foo/bar.ts`), test specs (`*.spec.ts`),
+ * route declarations (`GET /api/x`), CLI commands (`pugi prd-check`),
+ * and doc references (`docs/foo.md`). The parser captures these
+ * verbatim into `mentions` so the verifier module can fan checks
+ * without re-tokenising the prose.
+ */
+const ACCEPTANCE_HEADING_RE = /^(#{2,3})\s+(acceptance criteria|success criteria|deliverables)\b\s*:?\s*$/i;
+const ANY_HEADING_RE = /^(#{1,6})\s+\S/;
+const TITLE_HEADING_RE = /^#\s+(.+?)\s*$/;
+const NUMBERED_ITEM_RE = /^(\s*)(\d+)[\.)]\s+(.+?)\s*$/;
+const CHECKLIST_ITEM_RE = /^(\s*)-\s+\[([ xX])\]\s+(.+?)\s*$/;
+/**
+ * Public entry: parse a markdown PRD source into `ParsedPrd`. Pure
+ * function — no filesystem, no logging. The CLI handler is
+ * responsible for reading the file and forwarding the contents.
+ */
+export function parsePrd(source) {
+    const lines = source.split(/\r?\n/);
+    const title = extractTitle(lines);
+    const range = findAcceptanceRange(lines);
+    if (!range) {
+        return { title, hasAcceptanceSection: false, criteria: [] };
+    }
+    const sectionLines = lines.slice(range.start, range.end);
+    const criteria = extractCriteria(sectionLines);
+    return { title, hasAcceptanceSection: true, criteria };
+}
+/**
+ * Extract verifiable mentions from a criterion text. Exported for
+ * the verifier spec so tests can drive mention classification
+ * without running the full parser.
+ */
+export function extractMentions(text) {
+    const mentions = [];
+    const seen = new Set();
+    const push = (key, mention) => {
+        if (seen.has(key))
+            return;
+        seen.add(key);
+        mentions.push(mention);
+    };
+    // 1) Routes — `GET /api/path`, `POST /foo`, etc. Recognised
+    //    BEFORE file paths because the trailing `/` could otherwise
+    //    be mis-classified.
+    const routeRe = /\b(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s+(\/[A-Za-z0-9_./:\-]+)/g;
+    for (const match of text.matchAll(routeRe)) {
+        const method = match[1].toUpperCase();
+        const path = match[2];
+        push(`route:${method} ${path}`, { kind: 'route', method, path });
+    }
+    // 2) Backtick-wrapped tokens — most reliable signal. The parser
+    //    inspects each token and decides whether it is a path, a test
+    //    spec, a CLI command, or a route.
+    const backtickRe = /`([^`\n]+)`/g;
+    for (const match of text.matchAll(backtickRe)) {
+        const raw = match[1].trim();
+        classifyToken(raw, push);
+    }
+    // 3) Bare paths with at least one slash + an extension. Authors
+    //    sometimes forget the backticks; we still surface the file
+    //    so the verifier can attempt the check.
+    const barePathRe = /(?<![A-Za-z0-9])((?:[a-zA-Z0-9_.\-]+\/)+[a-zA-Z0-9_.\-]+\.[a-zA-Z0-9]{1,6})/g;
+    for (const match of text.matchAll(barePathRe)) {
+        const path = match[1];
+        classifyPath(path, push);
+    }
+    return mentions;
+}
+function classifyToken(raw, push) {
+    const trimmed = raw.replace(/[,;.]+$/u, '').trim();
+    if (trimmed.length === 0)
+        return;
+    // Route shape inside backticks (`GET /api/x`).
+    const routeMatch = trimmed.match(/^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s+(\/[A-Za-z0-9_./:\-]+)$/u);
+    if (routeMatch) {
+        const method = routeMatch[1].toUpperCase();
+        const path = routeMatch[2];
+        push(`route:${method} ${path}`, { kind: 'route', method, path });
+        return;
+    }
+    // Pugi command — `pugi <name>` or `/<name>`. Slash form covers
+    // REPL slash commands; pugi form covers shell commands.
+    const pugiCmdMatch = trimmed.match(/^pugi\s+([a-z][a-z0-9-]*)(?:\s+.*)?$/u);
+    if (pugiCmdMatch) {
+        const name = pugiCmdMatch[1];
+        push(`command:${name}`, { kind: 'command', name });
+        return;
+    }
+    const slashCmdMatch = trimmed.match(/^\/([a-z][a-z0-9-]*)$/u);
+    if (slashCmdMatch) {
+        const name = slashCmdMatch[1];
+        push(`command:${name}`, { kind: 'command', name });
+        return;
+    }
+    // Path shape — must contain at least one `/` AND an extension.
+    if (trimmed.includes('/') && /\.[a-zA-Z0-9]{1,6}$/.test(trimmed)) {
+        classifyPath(trimmed, push);
+    }
+}
+function classifyPath(path, push) {
+    if (/\.spec\.[a-z]+$|\.test\.[a-z]+$/u.test(path)) {
+        push(`test:${path}`, { kind: 'test', path });
+        return;
+    }
+    if (/^docs?\//u.test(path) || /\.md$/u.test(path)) {
+        push(`doc:${path}`, { kind: 'doc', path });
+        return;
+    }
+    push(`file:${path}`, { kind: 'file', path });
+}
+function extractTitle(lines) {
+    for (const line of lines) {
+        const match = line.match(TITLE_HEADING_RE);
+        if (match) {
+            return match[1].trim();
+        }
+    }
+    return null;
+}
+function findAcceptanceRange(lines) {
+    let startIdx = -1;
+    let startHeadingLevel = 0;
+    for (let i = 0; i < lines.length; i += 1) {
+        const line = lines[i];
+        const match = line.match(ACCEPTANCE_HEADING_RE);
+        if (match) {
+            startIdx = i + 1;
+            startHeadingLevel = match[1].length;
+            break;
+        }
+    }
+    if (startIdx === -1)
+        return null;
+    let endIdx = lines.length;
+    for (let i = startIdx; i < lines.length; i += 1) {
+        const line = lines[i];
+        const headingMatch = line.match(ANY_HEADING_RE);
+        if (!headingMatch)
+            continue;
+        const level = headingMatch[1].length;
+        if (level <= startHeadingLevel) {
+            endIdx = i;
+            break;
+        }
+    }
+    return { start: startIdx, end: endIdx };
+}
+function extractCriteria(sectionLines) {
+    const out = [];
+    let index = 0;
+    for (const line of sectionLines) {
+        const checklistMatch = line.match(CHECKLIST_ITEM_RE);
+        if (checklistMatch) {
+            index += 1;
+            const marker = checklistMatch[2].toLowerCase();
+            const text = checklistMatch[3];
+            out.push({
+                index,
+                text,
+                preChecked: marker === 'x',
+                mentions: extractMentions(text),
+            });
+            continue;
+        }
+        const numberedMatch = line.match(NUMBERED_ITEM_RE);
+        if (numberedMatch) {
+            index += 1;
+            const text = numberedMatch[3];
+            out.push({
+                index,
+                text,
+                preChecked: false,
+                mentions: extractMentions(text),
+            });
+            continue;
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=parser.js.map

package/dist/core/prd-check/reporter.js

@@ -0,0 +1,127 @@
+/**
+ * PRD-check reporter — Pugi α7 Wave 6 (`/prd-check`, 2026-05-27).
+ *
+ * Turns a list of `VerifiedCriterion` into either a plain-text
+ * table (matches the L17 doctor renderer layout for visual
+ * consistency) OR a structured JSON envelope for scripted callers.
+ *
+ * The reporter is intentionally render-only — it does not perform
+ * any verification work. The verifier module decides PASS / FAIL /
+ * SKIPPED; the reporter only formats those verdicts. This keeps
+ * the JSON envelope deterministic + diff-friendly between runs.
+ *
+ * Exit-code policy:
+ *
+ *   - `healthy`  -> every criterion PASS or SKIPPED. exit 0.
+ *   - `failing`  -> at least one FAIL. exit 1.
+ *   - `unparsed` -> the PRD had no acceptance section. exit 2
+ *                   (operator authored a stub but never filled it
+ *                   in — distinct signal from "criteria don't
+ *                   verify yet" so CI can route differently).
+ */
+/**
+ * Build the JSON envelope. Pure transform — no fs, no clock. The
+ * CLI handler wraps this in the writeOutput sink.
+ */
+export function buildEnvelope(input) {
+    const counts = {
+        pass: 0,
+        fail: 0,
+        skipped: 0,
+    };
+    for (const v of input.verified) {
+        counts[v.status] += 1;
+    }
+    const overall = computeOverall(input.hasAcceptanceSection, counts);
+    return {
+        command: 'prd-check',
+        prdPath: input.prdPath,
+        title: input.title,
+        overall,
+        counts,
+        criteria: input.verified.map((v) => ({
+            index: v.criterion.index,
+            text: v.criterion.text,
+            status: v.status,
+            results: v.results.map((r) => ({
+                kind: r.mention.kind,
+                target: mentionTarget(r.mention),
+                status: r.status,
+                evidence: r.evidence,
+            })),
+        })),
+    };
+}
+/** Exit code for the resolved overall verdict. */
+export function exitCodeFor(overall) {
+    switch (overall) {
+        case 'healthy':
+            return 0;
+        case 'failing':
+            return 1;
+        case 'unparsed':
+            return 2;
+    }
+}
+/**
+ * Plain-text renderer. Mirrors the L17 doctor table for visual
+ * consistency — 4 columns: # / STATUS / CRITERION / EVIDENCE. The
+ * criterion column is truncated to 60 chars so narrow terminals
+ * stay readable; the full text lives in the JSON envelope for
+ * scripted callers that want every byte.
+ */
+export function renderTable(envelope) {
+    const lines = [];
+    const titlePart = envelope.title ? ` — ${envelope.title}` : '';
+    lines.push(`Pugi PRD-check${titlePart}`);
+    lines.push('='.repeat(50));
+    lines.push(`Source: ${envelope.prdPath}`);
+    lines.push('');
+    if (envelope.overall === 'unparsed') {
+        lines.push('No acceptance-criteria section found in PRD.');
+        lines.push('');
+        lines.push('Expected one of:');
+        lines.push('  ## Acceptance Criteria');
+        lines.push('  ## Success Criteria');
+        lines.push('  ## Deliverables');
+        return lines.join('\n');
+    }
+    if (envelope.criteria.length === 0) {
+        lines.push('Acceptance section present but contains 0 items.');
+        return lines.join('\n');
+    }
+    for (const c of envelope.criteria) {
+        const status = c.status.toUpperCase().padEnd(7, ' ');
+        const truncated = c.text.length > 60 ? `${c.text.slice(0, 57)}...` : c.text;
+        lines.push(`#${String(c.index).padStart(2, ' ')}  ${status}  ${truncated}`);
+        for (const r of c.results) {
+            const subStatus = r.status.toUpperCase().padEnd(7, ' ');
+            lines.push(`        ${subStatus}  ${r.evidence}`);
+        }
+    }
+    lines.push('');
+    const { pass, fail, skipped } = envelope.counts;
+    const summary = envelope.overall === 'healthy' ? 'HEALTHY' : envelope.overall === 'failing' ? 'FAILING' : 'UNPARSED';
+    lines.push(`${fail} fail · ${pass} pass · ${skipped} skipped. Overall: ${summary}`);
+    return lines.join('\n');
+}
+function computeOverall(hasAcceptanceSection, counts) {
+    if (!hasAcceptanceSection)
+        return 'unparsed';
+    if (counts.fail > 0)
+        return 'failing';
+    return 'healthy';
+}
+function mentionTarget(mention) {
+    switch (mention.kind) {
+        case 'file':
+        case 'test':
+        case 'doc':
+            return mention.path;
+        case 'command':
+            return mention.name;
+        case 'route':
+            return `${mention.method} ${mention.path}`;
+    }
+}
+//# sourceMappingURL=reporter.js.map

package/dist/core/prd-check/verifiers.js

@@ -0,0 +1,223 @@
+/**
+ * PRD criterion verifiers — Pugi α7 Wave 6 (`/prd-check`, 2026-05-27).
+ *
+ * Given a `ParsedCriterion` from `parser.ts`, run a set of built-in
+ * checks against the repository workspace and return a
+ * `VerifiedCriterion` with a per-criterion verdict + per-mention
+ * evidence trail. The module owns the file-system + grep surface
+ * the parser deliberately avoided.
+ *
+ * Verdict semantics (mirror the doctor probe contract so the
+ * reporter can render both with the same column layout):
+ *
+ *   - PASS    : at least one mention verified AND every attempted
+ *               verifier passed
+ *   - FAIL    : at least one verifier failed (missing file, empty
+ *               doc, command not in registry, etc.)
+ *   - SKIPPED : no verifiable mentions in the criterion. The
+ *               criterion is preserved in the report so the
+ *               operator sees it, but it does not gate the verdict.
+ *
+ * Each `MentionResult` carries an evidence string the reporter
+ * shows next to the criterion. For PASS we render the resolved
+ * absolute path or matched line; for FAIL we render the missing
+ * artifact identifier so the operator can fix it directly.
+ *
+ * The verifier deps are injected (existsSync, readFileSync, …) so
+ * the spec can drive every branch without touching the real disk.
+ * The default-bound variant `runDefaultVerifiers` plugs the real
+ * Node fs helpers in for the CLI handler.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import { isAbsolute, resolve } from 'node:path';
+/**
+ * Top-level verify-one-criterion entry. Walks the mention list,
+ * dispatches each to the right verifier, then computes the
+ * roll-up. Pure with respect to `deps` — no globals touched.
+ */
+export function verifyCriterion(criterion, deps) {
+    if (criterion.mentions.length === 0) {
+        return {
+            criterion,
+            status: 'skipped',
+            results: [],
+        };
+    }
+    const results = [];
+    for (const mention of criterion.mentions) {
+        results.push(verifyMention(mention, deps));
+    }
+    const status = rollUp(results);
+    return { criterion, status, results };
+}
+/** Verify a whole PRD's worth of criteria. */
+export function verifyAll(criteria, deps) {
+    return criteria.map((c) => verifyCriterion(c, deps));
+}
+function verifyMention(mention, deps) {
+    switch (mention.kind) {
+        case 'file':
+            return verifyFile(mention, deps);
+        case 'test':
+            return verifyTest(mention, deps);
+        case 'doc':
+            return verifyDoc(mention, deps);
+        case 'command':
+            return verifyCommand(mention, deps);
+        case 'route':
+            return verifyRoute(mention, deps);
+    }
+}
+function verifyFile(mention, deps) {
+    const absolute = deps.resolveWorkspacePath(mention.path);
+    if (deps.existsSync(absolute)) {
+        return {
+            mention,
+            status: 'pass',
+            evidence: `file present (${mention.path})`,
+        };
+    }
+    return {
+        mention,
+        status: 'fail',
+        evidence: `file missing (${mention.path})`,
+    };
+}
+function verifyTest(mention, deps) {
+    const absolute = deps.resolveWorkspacePath(mention.path);
+    if (!deps.existsSync(absolute)) {
+        return {
+            mention,
+            status: 'fail',
+            evidence: `spec missing (${mention.path})`,
+        };
+    }
+    let body;
+    try {
+        body = deps.readFileSync(absolute);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            mention,
+            status: 'fail',
+            evidence: `spec unreadable: ${message}`,
+        };
+    }
+    // Count `test(`, `it(`, and `describe(...).it(` blocks. The
+    // matcher is permissive — any of the three counts because the
+    // PRD only cares whether the spec asserts anything at all.
+    const matches = body.match(/\b(it|test)\s*\(/g);
+    if (!matches || matches.length === 0) {
+        return {
+            mention,
+            status: 'fail',
+            evidence: `spec present but has 0 test()/it() blocks`,
+        };
+    }
+    return {
+        mention,
+        status: 'pass',
+        evidence: `spec present with ${matches.length} block(s)`,
+    };
+}
+function verifyDoc(mention, deps) {
+    const absolute = deps.resolveWorkspacePath(mention.path);
+    if (!deps.existsSync(absolute)) {
+        return {
+            mention,
+            status: 'fail',
+            evidence: `doc missing (${mention.path})`,
+        };
+    }
+    let body;
+    try {
+        body = deps.readFileSync(absolute);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            mention,
+            status: 'fail',
+            evidence: `doc unreadable: ${message}`,
+        };
+    }
+    const trimmed = body.trim();
+    if (trimmed.length < 100) {
+        return {
+            mention,
+            status: 'fail',
+            evidence: `doc present but too short (${trimmed.length} chars, < 100)`,
+        };
+    }
+    return {
+        mention,
+        status: 'pass',
+        evidence: `doc present (${trimmed.length} chars)`,
+    };
+}
+function verifyCommand(mention, deps) {
+    if (deps.isKnownCommand(mention.name)) {
+        return {
+            mention,
+            status: 'pass',
+            evidence: `command \`${mention.name}\` registered`,
+        };
+    }
+    return {
+        mention,
+        status: 'fail',
+        evidence: `command \`${mention.name}\` not found in CLI registry`,
+    };
+}
+function verifyRoute(mention, deps) {
+    if (deps.hasRoute(mention.method, mention.path)) {
+        return {
+            mention,
+            status: 'pass',
+            evidence: `route ${mention.method} ${mention.path} registered`,
+        };
+    }
+    return {
+        mention,
+        status: 'fail',
+        evidence: `route ${mention.method} ${mention.path} not found`,
+    };
+}
+function rollUp(results) {
+    if (results.length === 0)
+        return 'skipped';
+    const anyFail = results.some((r) => r.status === 'fail');
+    if (anyFail)
+        return 'fail';
+    const anyPass = results.some((r) => r.status === 'pass');
+    return anyPass ? 'pass' : 'skipped';
+}
+/**
+ * Default verifier deps bound to real fs + a CLI-command predicate
+ * + a grep-based route locator. The CLI handler passes the
+ * workspace root + the known-command list at call time.
+ */
+export function createDefaultDeps(options) {
+    return {
+        resolveWorkspacePath: (relative) => {
+            if (isAbsolute(relative))
+                return relative;
+            return resolve(options.workspaceRoot, relative);
+        },
+        existsSync: (path) => existsSync(path),
+        readFileSync: (path) => readFileSync(path, 'utf8'),
+        isKnownCommand: (name) => options.knownCommands.has(name),
+        hasRoute: () => {
+            // Best-effort default: the wave-6 PRD says the route verifier
+            // is "best-effort grep of controllers". Since the workspace
+            // layout varies per repo, the CLI handler injects a project
+            // -aware implementation when one is available; the default
+            // stays conservative and reports `fail` so the reporter
+            // surfaces the missing-verifier signal instead of silently
+            // passing.
+            return false;
+        },
+    };
+}
+//# sourceMappingURL=verifiers.js.map

package/dist/core/repl/session.js

@@ -979,6 +979,50 @@ export class ReplSession {
                 }
                 return verdict;
             }
+            case 'prd-check': {
+                // Wave 6 (2026-05-27): forward to the same handler the shell
+                // surface uses so the verdict is identical between
+                // `/prd-check` and `pugi prd-check`. Dynamic-import the
+                // module to keep the parser + verifier graph out of the
+                // REPL hot path.
+                try {
+                    const { parsePrdCheckArgs, runPrdCheckCommand } = await import('../../runtime/commands/prd-check.js');
+                    const parsed = parsePrdCheckArgs(verdict.args, { jsonDefault: false });
+                    if (!parsed.ok) {
+                        this.appendSystemLine(`/prd-check: ${parsed.error}`);
+                        return verdict;
+                    }
+                    const lines = [];
+                    await runPrdCheckCommand({
+                        cwd: process.cwd(),
+                        ...(parsed.prdPath !== undefined ? { prdPath: parsed.prdPath } : {}),
+                        flags: parsed.flags,
+                        // The REPL slash does not have a snapshot of the CLI
+                        // command registry, so we pass an empty set; the
+                        // command:<name> verifier will report FAIL for now.
+                        // This is a deliberate trade-off — the slash surface
+                        // primarily exists for quick eyeball checks during a
+                        // session; the shell surface (which DOES inject the
+                        // full registry) is the canonical gate.
+                        knownCommands: new Set(),
+                        writeOutput: (_payload, text) => {
+                            const trimmed = text.replace(/\n+$/u, '');
+                            if (trimmed.length > 0)
+                                lines.push(trimmed);
+                        },
+                    });
+                    for (const line of lines)
+                        this.appendSystemLine(line);
+                    if (lines.length === 0) {
+                        this.appendSystemLine('/prd-check: no output.');
+                    }
+                }
+                catch (error) {
+                    const message = error instanceof Error ? error.message : String(error);
+                    this.appendSystemLine(`/prd-check failed: ${message}`);
+                }
+                return verdict;
+            }
             case 'permissions': {
                 // Leak L6: handle the `/permissions [mode] [--persist]` flow.
                 // The session module forwards to the runtime helper so the

package/dist/core/repl/slash-commands.js

@@ -93,6 +93,7 @@ export const SLASH_COMMAND_HELP = Object.freeze([
     { name: 'help', args: '', gloss: 'Show this help overlay', group: 'Meta' },
     { name: 'version', args: '', gloss: 'Show CLI version', group: 'Meta' },
     { name: 'doctor', args: '', gloss: 'Environment health report (auth · API · Node · disk · MCP · …)', group: 'Meta' },
+    { name: 'prd-check', args: '<prd-path | --all> [--json]', gloss: 'Verify PRD acceptance criteria against committed code/tests/docs (Wave 6)', group: 'Meta' },
     { name: 'stickers', args: '', gloss: 'show Pugi brand stickers (gimmick)', group: 'Meta' },
     { name: 'feedback', args: '', gloss: 'file a bug / feature / general comment without leaving the REPL', group: 'Meta' },
     { name: 'share', args: '[--gist|--pugi] [--redact] [--preview]', gloss: 'Export session transcript to gist / pugi.io (leak L20)', group: 'Meta' },
@@ -432,6 +433,14 @@ export function parseSlashCommand(input) {
             // shell surface, not the slash one).
             return { kind: 'doctor' };
         }
+        case 'prd-check':
+        case 'prdcheck': {
+            // Wave 6 (2026-05-27): tokenise the tail and forward verbatim
+            // so the slash + shell surfaces share one `parsePrdCheckArgs`.
+            // Supports `<prd-path>`, `--all`, and `--json`.
+            const tokens = tail.length === 0 ? [] : tail.split(/\s+/).filter((s) => s.length > 0);
+            return { kind: 'prd-check', args: tokens };
+        }
         case 'compact': {
             // Leak L8 (2026-05-27): graduated from stub. The session module
             // owns the summariser round-trip; tail args are ignored today

package/dist/runtime/cli.js

@@ -36,6 +36,7 @@ import { isOnboarded } from '../core/onboarding/marker.js';
 import { runPrivacyCommand } from './commands/privacy.js';
 import { runReport } from './commands/report.js';
 import { runDoctorCommand, defaultHome as defaultDoctorHome } from './commands/doctor.js';
+import { parsePrdCheckArgs, runPrdCheckCommand, } from './commands/prd-check.js';
 import { runStatusCommand, defaultStatusHome, } from './commands/status.js';
 import { runStickersCommand } from './commands/stickers.js';
 import { runRepoMapCommand } from './commands/repo-map.js';
@@ -127,6 +128,11 @@ const handlers = {
     perms: dispatchPermissions,
     plan: dispatchPlan,
     'plan-review': dispatchPlanReview,
+    // Wave 6 (2026-05-27): `pugi prd-check` verifies PRD acceptance
+    // criteria against committed code/tests/docs/commands BEFORE an
+    // operator (or autonomous agent) claims a feature done. Same
+    // handler powers the in-REPL `/prd-check` slash via session.ts.
+    'prd-check': dispatchPrdCheck,
     privacy: dispatchPrivacy,
     // L24 (2026-05-27): `pugi release-notes` shows the bundled CHANGELOG
     // diff between the operator's last-seen version + installed version.
@@ -1641,6 +1647,22 @@ const COMMAND_HELP_BODIES = {
         'event log, settings), permission mode, and the capability matrix per',
         'engine adapter. Safe to run anywhere; no network calls.',
     ],
+    'prd-check': [
+        'pugi prd-check <prd-path> | --all   — Wave 6 verified-deliverable gate.',
+        '',
+        'Reads a markdown PRD, parses the acceptance-criteria section, and',
+        'runs verifiers against committed artifacts:',
+        '  file:<path>      fs.existsSync',
+        '  test:<spec>      spec file exists + has ≥1 test()/it() block',
+        '  doc:<path>       doc exists + has > 100 chars',
+        '  command:<name>   CLI registry contains the command',
+        '  route:METHOD /p  best-effort grep of controllers',
+        '',
+        '  --all                   Scan docs/prd/**.md instead of one file.',
+        '  --json                  Emit a structured envelope to stdout.',
+        '',
+        'Exit codes: 0 healthy · 1 failing · 2 unparsed / arg error.',
+    ],
     status: [
         'pugi status — concise session snapshot.',
         '',
@@ -1864,6 +1886,48 @@ async function doctor(_args, flags, _session) {
         writeOutput: (payload, text) => writeOutput(flags, payload, text),
     });
 }
+/**
+ * `pugi prd-check` — Wave 6 verified-deliverable gate (2026-05-27).
+ *
+ * Reads `docs/prd/<feature>.md` (or any explicit path), parses the
+ * acceptance-criteria section, and runs file / test / doc / command
+ * / route verifiers per criterion. Same handler powers the in-REPL
+ * `/prd-check` slash via session.ts so the verdict is identical
+ * between surfaces.
+ *
+ * The `knownCommands` set is sourced from the same `handlers` map
+ * used by the CLI dispatcher (one source of truth), so a PRD that
+ * mentions `pugi <name>` resolves against the EXACT registry the
+ * shell exposes.
+ *
+ * Exit codes (from reporter.exitCodeFor):
+ *   0 — healthy (every criterion PASS or SKIPPED)
+ *   1 — failing (≥1 FAIL)
+ *   2 — unparsed (PRD has no acceptance section) OR arg error
+ */
+async function dispatchPrdCheck(args, flags, _session) {
+    const parsed = parsePrdCheckArgs(args, { jsonDefault: flags.json });
+    if (!parsed.ok) {
+        writeOutput(flags, { ok: false, error: parsed.error }, parsed.error);
+        process.exitCode = 2;
+        return;
+    }
+    await runPrdCheckCommand({
+        cwd: process.cwd(),
+        ...(parsed.prdPath !== undefined ? { prdPath: parsed.prdPath } : {}),
+        flags: parsed.flags,
+        knownCommands: knownCommandNames(),
+        writeOutput: (payload, text) => writeOutput(flags, payload, text),
+    });
+}
+/**
+ * Snapshot the set of registered CLI command names — used by the
+ * prd-check `command:` verifier so PRD mentions of `pugi <name>`
+ * resolve against the exact same registry the shell exposes.
+ */
+function knownCommandNames() {
+    return new Set(Object.keys(handlers));
+}
 /**
  * `pugi update` — Leak L27 (2026-05-27). Channel-aware npm registry
  * probe + optional shell-out to `npm install -g @pugi/cli@<tag>`.

package/dist/runtime/commands/prd-check.js

@@ -0,0 +1,235 @@
+/**
+ * `pugi prd-check` — Pugi α7 Wave 6 verified-deliverable gate (2026-05-27).
+ *
+ * Runs a PRD ↔ delivered-artifact verification sweep BEFORE the
+ * operator (or an autonomous agent) claims a feature is done.
+ * Reads `docs/prd/<feature>.md` (or any explicit path), parses the
+ * acceptance-criteria section, and runs file / test / doc / command
+ * / route verifiers per criterion. Output mirrors `pugi doctor`:
+ * either a plain-text table or a JSON envelope (`--json`).
+ *
+ * Module contract (mirrors L17 doctor split):
+ *
+ *   - parser + verifiers + reporter are pure with respect to deps;
+ *     this file is the THIN wiring that resolves cwd, glob-expands
+ *     `--all`, loads each PRD, and forwards the structured result
+ *     к the supplied writeOutput sink.
+ *
+ *   - `runPrdCheckCommand` is the single entry point. Both the
+ *     top-level `pugi prd-check` shell command AND the in-REPL
+ *     `/prd-check` slash command call it. The function returns the
+ *     `PrdCheckEnvelope[]` so the REPL can render via Ink without
+ *     re-running the verification.
+ *
+ *   - Exit codes follow `exitCodeFor` from the reporter:
+ *       0 — healthy (every criterion PASS or SKIPPED)
+ *       1 — failing (≥1 FAIL across the scanned PRDs)
+ *       2 — unparsed (≥1 PRD missing the acceptance section)
+ *     When `--all` scans multiple PRDs the worst verdict wins (1 > 2 > 0).
+ *
+ *   - The `knownCommands` set is sourced from the CLI registry — we
+ *     accept it as an injected parameter so the spec can drive
+ *     command-verification without importing the entire cli.ts
+ *     module (which would pull the engine graph into the test).
+ */
+import { readdirSync, readFileSync, statSync } from 'node:fs';
+import { isAbsolute, join, relative, resolve } from 'node:path';
+import { parsePrd } from '../../core/prd-check/parser.js';
+import { buildEnvelope, exitCodeFor, renderTable, } from '../../core/prd-check/reporter.js';
+import { createDefaultDeps, verifyAll, } from '../../core/prd-check/verifiers.js';
+const DEFAULT_PRD_DIR = 'docs/prd';
+/**
+ * Run the gate. Resolves which PRDs to inspect, runs the parser +
+ * verifiers + reporter chain per PRD, emits the combined output,
+ * and sets `process.exitCode` to the worst verdict across the set.
+ */
+export async function runPrdCheckCommand(ctx) {
+    const paths = resolveTargets(ctx);
+    if (paths.length === 0) {
+        const result = {
+            command: 'prd-check',
+            overall: 'unparsed',
+            envelopes: [],
+        };
+        ctx.writeOutput(result, 'No PRD files found.');
+        process.exitCode = exitCodeFor('unparsed');
+        return result;
+    }
+    const deps = ctx.deps ??
+        createDefaultDeps({
+            workspaceRoot: ctx.cwd,
+            knownCommands: ctx.knownCommands,
+        });
+    const envelopes = [];
+    for (const path of paths) {
+        envelopes.push(checkSinglePrd(path, ctx.cwd, deps));
+    }
+    const overall = combineOverall(envelopes.map((e) => e.overall));
+    const result = {
+        command: 'prd-check',
+        overall,
+        envelopes,
+    };
+    const text = renderRun(result, ctx.cwd);
+    ctx.writeOutput(result, text);
+    process.exitCode = exitCodeFor(overall);
+    return result;
+}
+/**
+ * Render the combined plain-text view. Multi-PRD runs print one
+ * table per envelope separated by a divider; single-PRD runs print
+ * just the table to keep the output narrow.
+ */
+function renderRun(result, cwd) {
+    if (result.envelopes.length === 0) {
+        return 'No PRD files found.';
+    }
+    if (result.envelopes.length === 1) {
+        return renderTable(result.envelopes[0]);
+    }
+    const parts = [];
+    for (const envelope of result.envelopes) {
+        const relPath = relative(cwd, envelope.prdPath) || envelope.prdPath;
+        parts.push(renderTable({ ...envelope, prdPath: relPath }));
+        parts.push('');
+    }
+    parts.push('-'.repeat(50));
+    const summary = `${result.envelopes.length} PRD(s) scanned. Overall: ${result.overall.toUpperCase()}`;
+    parts.push(summary);
+    return parts.join('\n');
+}
+function checkSinglePrd(prdPath, workspaceRoot, deps) {
+    let source;
+    try {
+        source = readFileSync(prdPath, 'utf8');
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            command: 'prd-check',
+            prdPath: relative(workspaceRoot, prdPath) || prdPath,
+            title: null,
+            overall: 'unparsed',
+            counts: { pass: 0, fail: 0, skipped: 0 },
+            criteria: [
+                {
+                    index: 0,
+                    text: `PRD file unreadable: ${message}`,
+                    status: 'fail',
+                    results: [],
+                },
+            ],
+        };
+    }
+    const parsed = parsePrd(source);
+    const verified = verifyAll(parsed.criteria, deps);
+    return buildEnvelope({
+        prdPath: relative(workspaceRoot, prdPath) || prdPath,
+        title: parsed.title,
+        hasAcceptanceSection: parsed.hasAcceptanceSection,
+        verified,
+    });
+}
+function resolveTargets(ctx) {
+    if (ctx.flags.all) {
+        const prdDir = resolve(ctx.cwd, DEFAULT_PRD_DIR);
+        return listMarkdownFiles(prdDir);
+    }
+    if (ctx.prdPath) {
+        const absolute = isAbsolute(ctx.prdPath)
+            ? ctx.prdPath
+            : resolve(ctx.cwd, ctx.prdPath);
+        return [absolute];
+    }
+    return [];
+}
+function listMarkdownFiles(dir) {
+    let entries;
+    try {
+        entries = readdirSync(dir);
+    }
+    catch {
+        return [];
+    }
+    const out = [];
+    for (const entry of entries) {
+        const full = join(dir, entry);
+        let isDirectory = false;
+        try {
+            isDirectory = statSync(full).isDirectory();
+        }
+        catch {
+            continue;
+        }
+        if (isDirectory) {
+            out.push(...listMarkdownFiles(full));
+            continue;
+        }
+        if (entry.endsWith('.md')) {
+            out.push(full);
+        }
+    }
+    return out.sort();
+}
+/**
+ * Combine per-PRD verdicts into the run-wide one. failing > unparsed > healthy.
+ * Exported for the spec.
+ */
+export function combineOverall(verdicts) {
+    if (verdicts.length === 0)
+        return 'unparsed';
+    if (verdicts.some((v) => v === 'failing'))
+        return 'failing';
+    if (verdicts.some((v) => v === 'unparsed'))
+        return 'unparsed';
+    return 'healthy';
+}
+/**
+ * Parse the CLI argv tail. Accepts:
+ *
+ *   pugi prd-check                       -> error (no target)
+ *   pugi prd-check <path>                -> single PRD
+ *   pugi prd-check --all                 -> scan docs/prd/**.md
+ *   pugi prd-check <path> --json         -> single PRD, JSON envelope
+ *
+ * `--json` is also forwarded from the global flag set in cli.ts;
+ * the local parse re-honours it so the slash command can use the
+ * same parser without the global flag plumbing.
+ */
+export function parsePrdCheckArgs(args, options) {
+    let json = options.jsonDefault;
+    let all = false;
+    let prdPath;
+    for (const arg of args) {
+        if (arg === '--json') {
+            json = true;
+            continue;
+        }
+        if (arg === '--all') {
+            all = true;
+            continue;
+        }
+        if (arg.startsWith('--')) {
+            return { ok: false, error: `unknown flag: ${arg}` };
+        }
+        if (prdPath !== undefined) {
+            return { ok: false, error: `unexpected extra argument: ${arg}` };
+        }
+        prdPath = arg;
+    }
+    if (!all && prdPath === undefined) {
+        return {
+            ok: false,
+            error: 'pugi prd-check <prd-path> | --all   (pass a PRD path or --all to scan docs/prd/**.md)',
+        };
+    }
+    if (all && prdPath !== undefined) {
+        return { ok: false, error: 'cannot combine <path> with --all' };
+    }
+    return {
+        ok: true,
+        flags: { json, all },
+        ...(prdPath !== undefined ? { prdPath } : {}),
+    };
+}
+//# sourceMappingURL=prd-check.js.map

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.26');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.28');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.26",
+  "version": "0.1.0-beta.28",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -54,7 +54,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.26"
+    "@pugi/sdk": "0.1.0-beta.28"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",