@pugi/cli 0.1.0-beta.3 → 0.1.0-beta.5

package/dist/tools/apply-patch.js

@@ -1,314 +0,0 @@
-/**
- * apply_patch tool — α7.7 Phase 1.
- *
- * Accepts a unified diff (the format produced by `git diff` and
- * consumed by `git apply`) and lands it atomically into the workspace.
- * This is the third edit primitive alongside the α6.6 4-layer diff
- * escalation: where the layers escalate from minimal `oldString`/
- * `newString` blocks up to full-file rewrites, apply_patch covers the
- * unified-diff dialect that OpenAI Codex and most external tools emit.
- *
- * Why we have both:
- *
- *   - The 4-layer escalation maximises model-side success rate on
- *     conversational edits (Claude / Gemini / OpenAI all have a
- *     preferred dialect that maps onto one of the layers).
- *   - apply_patch is the "external tools speak this" path. A model
- *     emits a single unified diff (the format `git diff` produces),
- *     and we run it through `git apply` with the same security gate
- *     the layers use.
- *
- * Security: every file mentioned in the patch goes through the same
- * `applySecurityGate` chokepoint as the layers (see
- * `src/core/edits/security-gate.ts`). A patch that touches
- * `../../etc/passwd`, `.env`, or a workspace-local symlink to a protected
- * file is rejected BEFORE `git apply` runs. Symlink escape, protected
- * file, and path traversal are all covered by the same gate the layers
- * inherit — we never roll our own resolver here.
- *
- * Atomicity: a multi-file patch either lands entirely or not at all.
- * `git apply --check` validates the patch end-to-end against the
- * working tree first; only on a clean check do we run the real apply.
- * If the apply still fails partway (extremely rare — usually a race
- * with another writer), we run `git checkout -- <each file>` to roll
- * the tree back. This keeps the dispatcher's invariant: a tool result
- * of `ok: false` means the workspace is unchanged.
- *
- * Idempotency: applying the same patch twice rejects the second with
- * `already_applied`. `git apply` itself returns success only when the
- * patch's pre-image matches the working tree, so a second invocation
- * naturally fails. We translate the specific failure mode into a
- * dedicated reason so callers can short-circuit retry loops.
- *
- * Brand voice: ASCII only, no emoji, no banned words.
- */
-import { spawnSync } from 'node:child_process';
-import { resolve, sep } from 'node:path';
-import { applySecurityGate } from '../core/edits/security-gate.js';
-import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
-import { recordToolCall, recordToolResult, recordFileMutation } from '../core/session.js';
-/**
- * Parse the file paths referenced in a unified diff. We look for both
- * `diff --git a/X b/Y` headers (preferred) and the fallback
- * `+++ b/<path>` lines that plain `diff -u` emits. The full set of
- * touched paths feeds the security gate — EVERY file goes through
- * `applySecurityGate` before we trust `git apply` to do anything.
- */
-export function extractPatchPaths(patch) {
-    const paths = new Set();
-    for (const line of patch.split('\n')) {
-        if (line.startsWith('diff --git ')) {
-            // `diff --git a/foo b/bar` — paths can contain spaces only when
-            // quoted by git's own diff machinery (rare). The robust extractor
-            // matches the `b/...` half because rename diffs carry the new
-            // name there.
-            const match = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
-            if (match) {
-                if (match[1])
-                    paths.add(match[1]);
-                if (match[2])
-                    paths.add(match[2]);
-            }
-            continue;
-        }
-        if (line.startsWith('+++ ')) {
-            const after = line.slice(4).trim();
-            if (after === '/dev/null')
-                continue;
-            const trimmed = after.startsWith('b/') ? after.slice(2) : after;
-            if (trimmed)
-                paths.add(stripTimestampSuffix(trimmed));
-            continue;
-        }
-        if (line.startsWith('--- ')) {
-            const after = line.slice(4).trim();
-            if (after === '/dev/null')
-                continue;
-            const trimmed = after.startsWith('a/') ? after.slice(2) : after;
-            if (trimmed)
-                paths.add(stripTimestampSuffix(trimmed));
-        }
-    }
-    return Array.from(paths);
-}
-/**
- * `diff -u` (non-git) emits trailing tab-prefixed timestamps after the
- * path: `--- foo.ts\t2026-05-25 10:00:00`. Strip those so the security
- * gate sees the clean path.
- */
-function stripTimestampSuffix(path) {
-    const tab = path.indexOf('\t');
-    return tab >= 0 ? path.slice(0, tab) : path;
-}
-/**
- * Apply a unified-diff patch to the workspace. Routes every mentioned
- * file through the shared security gate before invoking `git apply`.
- */
-export function applyPatch(ctx, patch, opts = {}) {
-    const toolCallId = recordToolCall(ctx.session, 'apply_patch', `${patch.length} bytes`);
-    try {
-        gateOnCancellation(ctx, 'apply_patch');
-    }
-    catch (error) {
-        if (error instanceof OperatorAbortedError) {
-            recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
-            throw error;
-        }
-        throw error;
-    }
-    if (patch.trim().length === 0) {
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'empty_patch',
-            detail: 'patch body is empty',
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', 'empty_patch');
-        return result;
-    }
-    const paths = extractPatchPaths(patch);
-    if (paths.length === 0) {
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'invalid_patch',
-            detail: 'no `diff --git` or `+++` headers found in patch',
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', 'invalid_patch');
-        return result;
-    }
-    // SECURITY GATE — reuse the α6.6 chokepoint. Every path in the patch
-    // is validated against:
-    //   1. workspace containment (no ../../ escapes)
-    //   2. protected-file basenames (.env, *.pem, id_rsa, etc.)
-    //   3. symlink escape (an in-workspace symlink pointing to /etc/hosts
-    //      or a protected basename gets rejected here)
-    for (const file of paths) {
-        const gate = applySecurityGate(file, { cwd: ctx.root, toolName: 'layer-c' });
-        if (!gate.ok) {
-            const result = {
-                ok: false,
-                filesChanged: [],
-                reason: gate.reason,
-                detail: `${file}: ${gate.detail}`,
-            };
-            recordToolResult(ctx.session, toolCallId, 'error', `${gate.reason}: ${file}`);
-            return result;
-        }
-    }
-    // `git apply --check` validates the patch end-to-end against the
-    // working tree. A passing check is the gate for the actual apply.
-    const checkArgs = ['apply', '--check'];
-    if (opts.baseSha)
-        checkArgs.push('--3way');
-    checkArgs.push('-');
-    const check = runGit(checkArgs, ctx.root, patch);
-    if (check.status === 127) {
-        // No git binary on PATH. Rare on a developer machine but possible
-        // in slim containers / CI images. Surface a dedicated reason so
-        // the operator's message says "install git" not "patch is bad".
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'git_unavailable',
-            detail: 'git not found on PATH',
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', 'git_unavailable');
-        return result;
-    }
-    if (check.status !== 0) {
-        // Decide whether this is the "already applied" case or a real
-        // failure. `git apply --check` rejects an already-applied patch
-        // with stderr containing `error: patch failed` and at least one
-        // hunk that mentions "patch does not apply" or "already exists".
-        // We use a conservative heuristic: when EVERY targeted file in the
-        // diff is present and the patch's pre-image is missing, treat it
-        // as already_applied. The simpler signal is the stderr string
-        // containing `already exists in working directory` (git's own
-        // message for a creating patch landing twice) or `does not apply`.
-        const stderr = check.stderr.toLowerCase();
-        if (stderr.includes('already exists in working directory') || isLikelyAlreadyApplied(check.stderr, patch)) {
-            const result = {
-                ok: false,
-                filesChanged: [],
-                reason: 'already_applied',
-                detail: 'patch pre-image does not match working tree — patch was likely already applied',
-            };
-            recordToolResult(ctx.session, toolCallId, 'error', 'already_applied');
-            return result;
-        }
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'check_failed',
-            detail: check.stderr.trim() || 'git apply --check rejected the patch',
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', `check_failed: ${result.detail}`);
-        return result;
-    }
-    if (opts.dryRun) {
-        const result = {
-            ok: true,
-            filesChanged: paths,
-        };
-        recordToolResult(ctx.session, toolCallId, 'success', `dry-run ok, ${paths.length} files`);
-        return result;
-    }
-    const applyArgs = ['apply'];
-    if (opts.baseSha)
-        applyArgs.push('--3way');
-    applyArgs.push('-');
-    const apply = runGit(applyArgs, ctx.root, patch);
-    if (apply.status !== 0) {
-        // Apply failed AFTER --check passed. This is almost always a TOCTOU
-        // (another writer touched a file between the two git calls).
-        // Rollback ANY partial mutation so the workspace stays consistent.
-        const rollback = rollbackFiles(ctx.root, paths);
-        const detail = apply.stderr.trim() || 'git apply failed after passing --check';
-        if (!rollback.ok) {
-            const result = {
-                ok: false,
-                filesChanged: [],
-                reason: 'rollback_failed',
-                detail: `${detail}; rollback also failed: ${rollback.detail}`,
-            };
-            recordToolResult(ctx.session, toolCallId, 'error', 'rollback_failed');
-            return result;
-        }
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'apply_failed',
-            detail,
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', `apply_failed: ${detail}`);
-        return result;
-    }
-    // Audit-log every file the patch mutated. The before/after hashes
-    // are NOT recorded (git owns the staging area for that); the
-    // mutation entry is enough for `pugi undo` to surface "apply_patch
-    // touched these files" in the timeline.
-    for (const file of paths) {
-        recordFileMutation(ctx.session, {
-            toolCallId,
-            path: file,
-            operation: 'update',
-        });
-    }
-    recordToolResult(ctx.session, toolCallId, 'success', `applied ${paths.length} files`);
-    return { ok: true, filesChanged: paths };
-}
-/**
- * Heuristic for the "patch already applied" case beyond git's explicit
- * `already exists` string. When `git apply --check` rejects with
- * `patch does not apply` AND every hunk's target file exists with
- * matching post-image lines, the patch is effectively a no-op repeat.
- * We keep the heuristic minimal because the explicit string covers the
- * dominant case; full hunk inspection would require parsing the patch
- * (which is what `git apply` does in the first place).
- */
-function isLikelyAlreadyApplied(stderr, _patch) {
-    return stderr.toLowerCase().includes('patch does not apply') === false ? false : false;
-    // Intentionally conservative for now — the explicit `already exists`
-    // case above covers the only path that's reliably distinguishable
-    // from a malformed-patch failure. A richer detector can land in
-    // α7.7b when we have a corpus of real "already_applied" stderr samples.
-}
-/**
- * Roll back any partial mutation by checking files out from HEAD. Used
- * only on the rare path where `git apply` fails AFTER `git apply --check`
- * passed.
- */
-function rollbackFiles(cwd, paths) {
-    if (paths.length === 0)
-        return { ok: true };
-    // We only attempt to roll back files that are inside the workspace
-    // and were resolved by the security gate. A path that escaped the
-    // gate would have already aborted us above.
-    const safePaths = paths.filter((p) => {
-        const abs = resolve(cwd, p);
-        return abs === cwd || abs.startsWith(cwd + sep);
-    });
-    if (safePaths.length === 0)
-        return { ok: true };
-    const result = runGit(['checkout', '--', ...safePaths], cwd);
-    if (result.status !== 0) {
-        return { ok: false, detail: result.stderr.trim() };
-    }
-    return { ok: true };
-}
-function runGit(args, cwd, stdin) {
-    return spawnSync('git', args, {
-        cwd,
-        input: stdin,
-        encoding: 'utf8',
-        maxBuffer: 64 * 1024 * 1024,
-    });
-}
-/**
- * Test-only surface for the apply-patch heuristics. Specs poke
- * `extractPatchPaths` directly to assert on the path-parsing layer
- * without paying for a real git invocation.
- */
-export const __test__ = { extractPatchPaths, isLikelyAlreadyApplied, runGit };
-//# sourceMappingURL=apply-patch.js.map

package/dist/tools/lsp-tools.js

@@ -1,189 +0,0 @@
-import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
-import { recordToolCall, recordToolResult } from '../core/session.js';
-/** Cap for any single LSP tool's payload size. Keeps model context lean. */
-const LSP_PAYLOAD_CAP_BYTES = 8 * 1024;
-export async function lspHover(ctx, lang, file, line, col) {
-    const toolCallId = recordToolCall(ctx.session, 'lsp_hover', `${lang}:${file}:${line}:${col}`);
-    return guard(ctx, 'lsp_hover', toolCallId, async () => {
-        const client = ctx.lspClients?.get(lang);
-        if (!client)
-            return unavailable(lang);
-        const result = await client.hover(file, { line, character: col }, ctx.cancellation);
-        if (!result.ok)
-            return failure(result);
-        if (!result.value) {
-            return { ok: true, value: { content: '' } };
-        }
-        const content = truncate(result.value.content);
-        return {
-            ok: true,
-            value: {
-                content: content.text,
-                ...(result.value.range ? { range: result.value.range } : {}),
-            },
-            ...(content.truncated ? { truncated: true } : {}),
-        };
-    });
-}
-export async function lspDefinition(ctx, lang, file, line, col) {
-    const toolCallId = recordToolCall(ctx.session, 'lsp_definition', `${lang}:${file}:${line}:${col}`);
-    return guard(ctx, 'lsp_definition', toolCallId, async () => {
-        const client = ctx.lspClients?.get(lang);
-        if (!client)
-            return unavailable(lang);
-        const result = await client.definition(file, { line, character: col }, ctx.cancellation);
-        if (!result.ok)
-            return failure(result);
-        const capped = capLocations(result.value);
-        return {
-            ok: true,
-            value: capped.value,
-            ...(capped.truncated ? { truncated: true } : {}),
-        };
-    });
-}
-export async function lspReferences(ctx, lang, file, line, col) {
-    const toolCallId = recordToolCall(ctx.session, 'lsp_references', `${lang}:${file}:${line}:${col}`);
-    return guard(ctx, 'lsp_references', toolCallId, async () => {
-        const client = ctx.lspClients?.get(lang);
-        if (!client)
-            return unavailable(lang);
-        const result = await client.references(file, { line, character: col }, ctx.cancellation);
-        if (!result.ok)
-            return failure(result);
-        const capped = capLocations(result.value);
-        return {
-            ok: true,
-            value: capped.value,
-            ...(capped.truncated ? { truncated: true } : {}),
-        };
-    });
-}
-export async function lspDiagnostics(ctx, lang, file) {
-    const toolCallId = recordToolCall(ctx.session, 'lsp_diagnostics', `${lang}:${file}`);
-    return guard(ctx, 'lsp_diagnostics', toolCallId, async () => {
-        const client = ctx.lspClients?.get(lang);
-        if (!client)
-            return unavailable(lang);
-        const result = await client.diagnostics(file, ctx.cancellation);
-        if (!result.ok)
-            return failure(result);
-        const capped = capDiagnostics(result.value);
-        return {
-            ok: true,
-            value: capped.value,
-            ...(capped.truncated ? { truncated: true } : {}),
-        };
-    });
-}
-async function guard(ctx, toolName, toolCallId, op) {
-    try {
-        gateOnCancellation(ctx, toolName);
-    }
-    catch (error) {
-        if (error instanceof OperatorAbortedError) {
-            recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
-            return { ok: false, reason: 'operator_aborted', detail: error.message };
-        }
-        throw error;
-    }
-    try {
-        const result = await op();
-        if (result.ok) {
-            recordToolResult(ctx.session, toolCallId, 'success', summarize(result.value));
-        }
-        else {
-            recordToolResult(ctx.session, toolCallId, 'error', `${result.reason ?? 'error'}: ${result.detail ?? ''}`);
-        }
-        return result;
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        recordToolResult(ctx.session, toolCallId, 'error', message);
-        return { ok: false, reason: 'lsp_error', detail: message };
-    }
-}
-function unavailable(lang) {
-    return {
-        ok: false,
-        reason: 'lsp_unavailable',
-        detail: `no LSP server started for ${lang}. Install the server and re-run ` +
-            `with --lsp ${lang}, or fall back to grep.`,
-    };
-}
-function failure(result) {
-    if (result.ok) {
-        // Shouldn't be hit — caller checks first.
-        return { ok: true, value: result.value };
-    }
-    return { ok: false, reason: result.reason, detail: result.detail };
-}
-function summarize(value) {
-    if (value === null || value === undefined)
-        return 'no result';
-    if (Array.isArray(value))
-        return `${value.length} items`;
-    if (typeof value === 'object')
-        return Object.keys(value).join(',');
-    return String(value);
-}
-function truncate(text) {
-    const bytes = Buffer.byteLength(text, 'utf8');
-    if (bytes <= LSP_PAYLOAD_CAP_BYTES)
-        return { text, truncated: false };
-    // Truncate to the cap byte boundary. We don't try to honor codepoint
-    // alignment — UTF-8 surrogate splits show up as a single ? at the
-    // boundary, which is acceptable for a debug surface; the dispatcher
-    // is the trust boundary for "this is what the model will see".
-    const buf = Buffer.from(text, 'utf8').subarray(0, LSP_PAYLOAD_CAP_BYTES);
-    return { text: `${buf.toString('utf8')}\n... [truncated]`, truncated: true };
-}
-function capLocations(locations) {
-    // Cap at 200 locations OR the byte cap, whichever hits first. The
-    // 200 number is the operator-facing "this is a hot symbol" threshold —
-    // a richer surface (paginated `pugi lsp references --offset N`) is
-    // open backlog.
-    const COUNT_CAP = 200;
-    if (locations.length === 0)
-        return { value: locations, truncated: false };
-    const trimmed = locations.slice(0, COUNT_CAP);
-    const serialized = JSON.stringify(trimmed);
-    if (Buffer.byteLength(serialized, 'utf8') <= LSP_PAYLOAD_CAP_BYTES && trimmed.length === locations.length) {
-        return { value: trimmed, truncated: false };
-    }
-    // Trim by halves until we fit the byte cap. Worst case ~10 iterations
-    // for the 200 max, fine for an interactive tool.
-    let upper = trimmed.length;
-    while (upper > 1) {
-        const half = Math.floor(upper / 2);
-        const sub = trimmed.slice(0, half);
-        if (Buffer.byteLength(JSON.stringify(sub), 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
-            return { value: sub, truncated: true };
-        }
-        upper = half;
-    }
-    return { value: trimmed.slice(0, 1), truncated: true };
-}
-function capDiagnostics(items) {
-    if (items.length === 0)
-        return { value: items, truncated: false };
-    const serialized = JSON.stringify(items);
-    if (Buffer.byteLength(serialized, 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
-        return { value: items, truncated: false };
-    }
-    // Diagnostics are sorted error-first in LSP convention; trim from the
-    // tail so we keep the highest-severity items.
-    let upper = items.length;
-    while (upper > 1) {
-        const half = Math.floor(upper / 2);
-        const sub = items.slice(0, half);
-        if (Buffer.byteLength(JSON.stringify(sub), 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
-            return { value: sub, truncated: true };
-        }
-        upper = half;
-    }
-    return { value: items.slice(0, 1), truncated: true };
-}
-/** Test-only surface so specs can poke truncation directly. */
-export const __test__ = { truncate, capLocations, capDiagnostics, LSP_PAYLOAD_CAP_BYTES };
-//# sourceMappingURL=lsp-tools.js.map