@pugi/cli 0.1.0-beta.35 → 0.1.0-beta.37

package/dist/core/permissions/auto-classifier.js

@@ -0,0 +1,124 @@
+/**
+ * Auto-mode classifier — Wave 7 Phase 1 (regex allowlist + denylist).
+ *
+ * `permissionMode === 'auto'` is the Claude Code parity mode where the
+ * classifier decides safe-vs-unsafe per call. Phase 1 ships without
+ * ML — just two curated regex lists covering the 80% of "obviously
+ * safe" and "obviously catastrophic" patterns. Anything that doesn't
+ * match either list returns `ask`, so the operator stays in the loop
+ * для the ambiguous middle.
+ *
+ * Phase 2 (deferred, NOT in this PR): semantic classifier consulting
+ * the model with a tight system prompt. The interface (`AutoVerdict`)
+ * is stable so we can swap implementations without touching the gate.
+ *
+ * Design notes:
+ *
+ *   - Patterns are conservative: a read-only command is only
+ *     allow-listed когда its argv shape is unambiguous (no `-exec`,
+ *     no `--delete`, no `|` к shell). When в doubt, fall back to ask.
+ *   - The denylist matches catastrophic patterns even в auto-mode so
+ *     a misclick can't shred the workspace. The circuit-breaker
+ *     (`circuit-breaker.ts`) covers the same surface для bypass-mode;
+ *     this denylist is the auto-mode equivalent.
+ *   - All matches operate on the FULL command string, not parsed
+ *     argv. This is deliberately permissive on whitespace but strict
+ *     on operator characters (`|`, `&`, `;`, `>`, backticks) — a
+ *     pipe-into-shell или command-chain forces fallback к ask.
+ */
+/**
+ * Catastrophic patterns — the auto-mode regex denylist. Each entry
+ * carries a human-readable reason surfaced в the deny payload so the
+ * operator + audit log see why the gate refused. Order matters: most-
+ * specific первой так "rm -rf /" reports as that, не the generic
+ * "rm -rf".
+ */
+const AUTO_DENY_PATTERNS = [
+    { pattern: /\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r)\b/i, reason: 'rm -rf (recursive force-delete)' },
+    { pattern: /\bgit\s+push\s+(-{1,2}force\b|\-f\b)/i, reason: 'git push --force (history rewrite)' },
+    { pattern: /\bgit\s+reset\s+--hard\b/i, reason: 'git reset --hard (uncommitted-work loss)' },
+    { pattern: /\bdd\s+if=\/(dev|)/i, reason: 'dd if=/dev/* (raw device read/write)' },
+    { pattern: /\bmkfs(\.|\s|$)/i, reason: 'mkfs (filesystem format)' },
+    { pattern: /\bchmod\s+-R\s+777\b/i, reason: 'chmod -R 777 (world-writable recursive)' },
+    { pattern: /\bchown\s+-R\b/i, reason: 'chown -R (recursive ownership change)' },
+    { pattern: /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;?\s*:/, reason: 'fork bomb signature' },
+    { pattern: /\bsudo\b/i, reason: 'sudo (privilege escalation)' },
+    { pattern: /\b(npm|pnpm|yarn)\s+publish\b/i, reason: 'package publish (irreversible npm release)' },
+    { pattern: /\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|zsh)\b/i, reason: 'pipe-to-shell installer (curl … | sh)' },
+];
+/**
+ * Safe-by-default patterns — auto-mode regex allowlist. Each regex
+ * must match the FULL command (with `^…$` anchors) so a leading
+ * `sudo ls` или a trailing `; rm -rf /` does NOT slip through. The
+ * caller passes the trimmed command string; whitespace around argv
+ * tokens is tolerated.
+ */
+const AUTO_ALLOW_PATTERNS = [
+    { pattern: /^ls(\s+-[a-zA-Z]+)*(\s+[^|;&`>$()\\]+)?$/, reason: 'ls (directory listing)' },
+    { pattern: /^pwd\s*$/, reason: 'pwd (working directory)' },
+    { pattern: /^cat\s+[^|;&`>$()\\]+$/, reason: 'cat (file read)' },
+    { pattern: /^head(\s+-n?\s*\d+)?\s+[^|;&`>$()\\]+$/, reason: 'head (file preview)' },
+    { pattern: /^tail(\s+-n?\s*\d+)?\s+[^|;&`>$()\\]+$/, reason: 'tail (file preview)' },
+    { pattern: /^wc(\s+-[a-z]+)?\s+[^|;&`>$()\\]+$/, reason: 'wc (line/word count)' },
+    { pattern: /^du\s+-sh?\s+[^|;&`>$()\\]+$/, reason: 'du -sh (disk usage summary)' },
+    { pattern: /^df\s+-h\s*$/, reason: 'df -h (filesystem free space)' },
+    { pattern: /^git\s+status(\s+--short|\s+-s)?\s*$/, reason: 'git status' },
+    { pattern: /^git\s+diff(\s+[a-zA-Z0-9_./~^-]+)*\s*$/, reason: 'git diff (read-only)' },
+    { pattern: /^git\s+log(\s+[a-zA-Z0-9_./~^-]+)*\s*$/, reason: 'git log (read-only)' },
+    { pattern: /^git\s+branch(\s+-[a-z]+)?\s*$/, reason: 'git branch (read-only)' },
+    { pattern: /^git\s+remote\s+-v\s*$/, reason: 'git remote -v (read-only)' },
+    { pattern: /^pnpm\s+(typecheck|lint|test\s+--run|test\s+--watch=false)\s*$/, reason: 'pnpm read-only build check' },
+    { pattern: /^npm\s+(--version|-v|run\s+typecheck|run\s+lint)\s*$/, reason: 'npm read-only check' },
+    { pattern: /^node\s+--version\s*$/, reason: 'node --version' },
+    { pattern: /^pnpm\s+--version\s*$/, reason: 'pnpm --version' },
+    { pattern: /^which\s+[a-zA-Z0-9_-]+\s*$/, reason: 'which (command lookup)' },
+    { pattern: /^find\s+\.\s+-type\s+f(\s+-name\s+[^|;&`>$()\\]+)?\s*$/, reason: 'find -type f (read-only)' },
+    { pattern: /^(rg|ripgrep|grep)\s+(-[a-z]+\s+)*[^|;&`>$()\\]+(\s+[^|;&`>$()\\]+)?\s*$/, reason: 'grep/ripgrep (read-only search)' },
+];
+/**
+ * Classify an auto-mode command. Order:
+ *   1. Catastrophic deny patterns — surface the explicit deny reason.
+ *   2. Safe allow patterns — surface the matched reason.
+ *   3. Fallback к ask.
+ *
+ * The order matters: a destructive pattern that ALSO looks like a
+ * read-only token (e.g. `git diff ; rm -rf .`) hits deny first because
+ * the allow patterns require `^…$` anchors that the chained command
+ * fails to satisfy. Belt + suspenders.
+ */
+export function classifyAutoMode(command) {
+    const trimmed = command.trim();
+    if (trimmed.length === 0)
+        return { verdict: 'ask' };
+    for (const entry of AUTO_DENY_PATTERNS) {
+        if (entry.pattern.test(trimmed)) {
+            return {
+                verdict: 'deny',
+                reason: entry.reason,
+                pattern: entry.pattern.source,
+            };
+        }
+    }
+    for (const entry of AUTO_ALLOW_PATTERNS) {
+        if (entry.pattern.test(trimmed)) {
+            return {
+                verdict: 'allow',
+                reason: entry.reason,
+                pattern: entry.pattern.source,
+            };
+        }
+    }
+    return { verdict: 'ask' };
+}
+/**
+ * Diagnostic accessors — exposed для doctor surfaces + spec coverage.
+ * The arrays are frozen at module load so callers can iterate without
+ * mutating the source-of-truth.
+ */
+export function listAutoAllowPatterns() {
+    return AUTO_ALLOW_PATTERNS.map((e) => ({ pattern: e.pattern.source, reason: e.reason }));
+}
+export function listAutoDenyPatterns() {
+    return AUTO_DENY_PATTERNS.map((e) => ({ pattern: e.pattern.source, reason: e.reason }));
+}
+//# sourceMappingURL=auto-classifier.js.map

package/dist/core/permissions/circuit-breaker.js

@@ -0,0 +1,83 @@
+/**
+ * bypassPermissions circuit-breaker — Wave 7.
+ *
+ * `bypassPermissions` is "skip ALL checks" for trusted scripted runs.
+ * Even so, certain commands are catastrophic enough that the gate
+ * MUST refuse regardless of mode. This module owns that short list.
+ *
+ * The breaker is conservative on purpose:
+ *   - rm -rf against `/`, `~`, or workspace root (`.`)
+ *   - fork bomb signature (`:(){:|:&};:`)
+ *   - dd if=/ (raw block-device read or write)
+ *
+ * False positives are acceptable here — an operator who really wants
+ * to nuke their root filesystem can switch to `dontAsk` and re-issue;
+ * the breaker is the "are you sure you typed this correctly?" guard,
+ * not a hard policy boundary.
+ *
+ * `evaluateCircuitBreaker` is pure regex matching — no IO, no state.
+ * It's called by the gate before any other routing so a bypass-mode
+ * session that types `rm -rf /` sees the deny path first.
+ */
+/**
+ * Pattern list — kept narrow on purpose. Each entry must match the
+ * canonical destructive shape; argv variants without the exact form
+ * fall through к the regular `dontAsk` / `bypassPermissions` allow
+ * path, which is what the operator opted into.
+ */
+const CIRCUIT_BREAKER_PATTERNS = [
+    // rm -rf against absolute root, $HOME, ~, $WORKSPACE_ROOT, or `.`
+    // with no further token. The negative lookahead на `[/~.]\S` makes
+    // sure `rm -rf /tmp/foo` (specific subtree) doesn't trip — only the
+    // catastrophic `rm -rf /` or `rm -rf ~` or `rm -rf .` shapes do.
+    {
+        pattern: /\brm\s+(-[a-z]*r[a-z]*f|-[a-z]*f[a-z]*r)\s+(\/|~|\$HOME|\$\{HOME\}|\.)\s*$/i,
+        reason: 'rm -rf against /, $HOME, ~, or workspace root',
+    },
+    // Fork bomb signature. Whitespace-tolerant но shape-strict.
+    {
+        pattern: /:\s*\(\s*\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;?\s*:/,
+        reason: 'fork bomb (`:(){ :|:& };:`)',
+    },
+    // dd to/from raw devices. Either direction is catastrophic enough
+    // to warrant the breaker (read of /dev/random into a workspace file
+    // can fill the disk, write to /dev/sda destroys the disk).
+    {
+        pattern: /\bdd\b[^|;&]*\b(if|of)=\/dev\//i,
+        reason: 'dd reading/writing /dev/* (catastrophic IO)',
+    },
+    // mkfs against any disk — single regex covers ext*, xfs, btrfs, vfat.
+    {
+        pattern: /\bmkfs(\.[a-z0-9]+)?\s+\/dev\//i,
+        reason: 'mkfs against /dev/* (filesystem format)',
+    },
+];
+/**
+ * Test the command against every circuit-breaker pattern. Returns the
+ * first match (most-catastrophic-first ordering is encoded в the array
+ * order); when no pattern matches, the breaker is `tripped: false` so
+ * the caller proceeds to the regular gate decision.
+ *
+ * Pure function — no IO, no module-scoped state. Safe to call from any
+ * surface (gate, doctor command, audit replay).
+ */
+export function evaluateCircuitBreaker(command) {
+    const trimmed = command.trim();
+    if (trimmed.length === 0)
+        return { tripped: false, reason: '' };
+    for (const entry of CIRCUIT_BREAKER_PATTERNS) {
+        if (entry.pattern.test(trimmed)) {
+            return { tripped: true, reason: entry.reason };
+        }
+    }
+    return { tripped: false, reason: '' };
+}
+/**
+ * Diagnostic accessor — exposed для doctor surfaces + spec coverage so
+ * the test layer can iterate the full list and assert each entry trips
+ * on representative input.
+ */
+export function listCircuitBreakerPatterns() {
+    return CIRCUIT_BREAKER_PATTERNS.map((e) => ({ pattern: e.pattern.source, reason: e.reason }));
+}
+//# sourceMappingURL=circuit-breaker.js.map

package/dist/core/permissions/gate.js

@@ -1,5 +1,5 @@
 /**
- * Permission gate — Leak L6 canonical 4-mode enforcement.
+ * Permission gate — Wave 7 canonical 6-mode enforcement (CC parity).
  *
  * Single dispatch entry point. Every tool call goes through `gate()`
  * before the executor runs the tool body; the executor surfaces the
@@ -9,23 +9,32 @@
  *
  * Routing matrix (mode × class):
  *
- *                 |  read  | write  | dispatch
- *   plan          |  allow |  deny  |  deny
- *   ask           |  ask   |  ask   |  ask
- *   allow         |  allow |  allow |  allow
- *   bypass        |  allow |  allow |  allow   (plus: hooks bypassed)
+ *                       |  read  | write       | dispatch
+ *   default             |  ask   |  ask        |  ask
+ *   acceptEdits         |  allow |  allow*     |  ask
+ *   plan                |  allow |  deny       |  deny
+ *   auto                |  ask†  |  ask†       |  ask†
+ *   dontAsk             |  allow |  allow      |  allow
+ *   bypassPermissions   |  allow |  allow      |  allow   (hooks bypassed)
  *
- * In ask mode the gate consults a session-scoped `always-allow` cache
- * keyed by tool name (set when the operator picks "always-allow-tool"
- * in the prompt). The cache is in-memory only — restarting the session
- * resets it, by design (every-session-fresh ask consent).
+ *   * acceptEdits allows file-write tools (write/edit/multi_edit) only;
+ *     bash and other write-class tools still ask.
+ *   † auto-mode consults the classifier (`auto-classifier.ts`): safe
+ *     regex allowlist → allow; destructive regex denylist → deny;
+ *     anything else → ask.
  *
- * Bypass mode does NOT take a different code path in this module — the
- * `hooksBypassed` flag in the decision payload signals the executor /
- * hook layer to skip policy hooks. The classification logic is the
- * same as `allow` because the gate doesn't own hook execution; the
- * caller decides what to do with the bypass signal.
+ * Protected paths (`.git`, `~/.ssh`, `.pugi/settings.json`, …) NEVER
+ * auto-approve regardless of mode — the gate refuses them even in
+ * `dontAsk` and `bypassPermissions`. The bypassPermissions circuit-
+ * breaker fires on rm -rf / fork-bomb / dd if=/ patterns против root /
+ * home / workspace.
+ *
+ * Ask-mode session cache (`AskAlwaysCache`) survives — `default` and
+ * `auto` consult it; `plan` ignores it (structural contract); the
+ * permissive modes already allow / refuse без the cache.
  */
+import { classifyAutoMode } from './auto-classifier.js';
+import { evaluateCircuitBreaker } from './circuit-breaker.js';
 import { getToolClass } from './tool-class.js';
 export const ASK_OPTIONS = Object.freeze([
     'allow-once',
@@ -41,12 +50,12 @@ export function createAskAlwaysCache() {
 }
 /**
  * Apply the operator's answer to an `ask` decision. Caller invokes this
- * after the operator picks an option so the cache stays in sync.
- * Returns the effective decision: `allow-once` / `always-this-tool`
- * become `allow`; `deny-once` / `always-deny-this-tool` become `deny`.
+ * after the operator picks an option так cache stays в sync. Returns
+ * the effective decision: `allow-once` / `always-this-tool` become
+ * `allow`; `deny-once` / `always-deny-this-tool` become `deny`.
  *
  * `always-*` answers persist to the cache and short-circuit the next
- * gate call for the same tool name within the same session.
+ * gate call для the same tool name внутри session.
  */
 export function applyAskAnswer(cache, toolName, answer) {
     switch (answer) {
@@ -64,6 +73,17 @@ export function applyAskAnswer(cache, toolName, answer) {
             return { decision: 'deny', reason: `Denied for ${toolName} this session` };
     }
 }
+/**
+ * Tools that `acceptEdits` mode auto-allows. Restricted к file-edit
+ * surfaces — bash / dispatch / etc fall through к the ask branch so
+ * the operator stays in control of "execute arbitrary command" and
+ * "spawn child agent" actions.
+ */
+const ACCEPT_EDITS_AUTO_ALLOW = new Set([
+    'write',
+    'edit',
+    'multi_edit',
+]);
 /**
  * Permission-denied sentinel. Distinguishable from other tool errors
  * (parse errors, IO failures) so the caller can route the message back
@@ -75,14 +95,14 @@ export class PermissionDenied extends Error {
     toolName;
     toolClass;
     /**
-     * Human-friendly reason surfaced in logs / hook payloads. Distinct
+     * Human-friendly reason surfaced в logs / hook payloads. Distinct
      * from `message` so the spec layer can pattern-match the canonical
      * `PERMISSION_DENIED:` sentinel verbatim while operators see the
-     * full explanation in console output.
+     * full explanation в console output.
      */
     reason;
     constructor(toolName, toolClass, mode, reason) {
-        // The base Error.message is the canonical sentinel so default
+        // The base Error.message is the canonical sentinel так default
         // toString() / re-throw paths preserve the format the model and
         // the spec layer pattern-match against.
         super(`PERMISSION_DENIED: ${toolName} blocked in ${mode} mode. Operator can switch with /permissions <mode>.`);
@@ -92,10 +112,10 @@ export class PermissionDenied extends Error {
         this.reason = reason;
     }
     /**
-     * Render the sentinel message the executor surfaces to the model.
-     * The string format is stable so a parent agent / E2E spec can
+     * Render the sentinel message the executor surfaces к the model.
+     * The string format stable так a parent agent / E2E spec can
      * pattern-match `PERMISSION_DENIED: <tool> blocked in <mode> mode.`
-     * verbatim. Equivalent to `this.message`; kept as a method so
+     * verbatim. Equivalent to `this.message`; kept как method так
      * downstream callers can use whichever spelling reads better at the
      * site.
      */
@@ -111,31 +131,48 @@ export class PermissionDenied extends Error {
  * Argument bag mirrors the executor entry shape:
  *   - `toolName` is the registered tool key (e.g. `read`, `write`,
  *     `mcp__github__list_issues`).
- *   - `args` is the raw arg payload. Currently unused in the routing
- *     decision — the matrix only cares about class. Plumbed in
- *     because future "always-allow-this-pattern" rules (e.g.
- *     `git status` auto-allow) will consume it without changing the
- *     callsite contract.
+ *   - `args` is the raw arg payload. The gate inspects `args.command`
+ *     when present (bash tool) for the circuit-breaker + auto-mode
+ *     classifier. Other tools pass through unused — the contract is
+ *     stable on purpose.
  *   - `ctx` carries mode + session-scoped state.
  */
-export function gate(toolName, 
-// Reserved for future pattern-based rules (always-allow `git status`).
-// Suppress unused-argument lint — the contract is stable on purpose.
-_args, ctx) {
+export function gate(toolName, args, ctx) {
     const toolClass = getToolClass(toolName);
     const cache = ctx.alwaysCache;
+    const command = extractCommand(args, ctx.commandPreview);
+    // Bypass-mode circuit breaker: catastrophic patterns refuse FIRST,
+    // before any other routing. Same rule applies when the operator
+    // wired `dontAsk` and a destructive command sneaks through — defence
+    // in depth.
+    if ((ctx.permissionMode === 'bypassPermissions' || ctx.permissionMode === 'dontAsk')
+        && command) {
+        const breaker = evaluateCircuitBreaker(command);
+        if (breaker.tripped) {
+            return {
+                decision: 'deny',
+                reason: `Circuit-breaker tripped: ${breaker.reason}. Refused в ${ctx.permissionMode} mode regardless of policy.`,
+                circuitBreakerReason: breaker.reason,
+            };
+        }
+    }
     // Ask-mode session memory: an explicit "always-deny" beats any other
     // routing because the operator has actively refused this tool.
     if (cache?.alwaysDenied.has(toolName)) {
         return {
             decision: 'deny',
-            reason: `Tool ${toolName} denied for the session via /permissions ask`,
+            reason: `Tool ${toolName} denied for the session via /permissions`,
         };
     }
-    // "Always-allow" in ask mode skips the prompt for subsequent calls.
-    // Plan mode IGNORES the always-allow cache because plan mode's
-    // contract is structural (read-only), not consent-based.
-    if (cache?.alwaysAllowed.has(toolName) && ctx.permissionMode === 'ask') {
+    // "Always-allow" в ask-style modes skips the prompt for subsequent
+    // calls. `plan` mode IGNORES the always-allow cache because plan
+    // mode's contract is structural (read-only), not consent-based.
+    // `bypassPermissions` / `dontAsk` already allow so the cache is moot.
+    // `acceptEdits` and `auto` honour the cache like `default` does.
+    if (cache?.alwaysAllowed.has(toolName)
+        && (ctx.permissionMode === 'default'
+            || ctx.permissionMode === 'acceptEdits'
+            || ctx.permissionMode === 'auto')) {
         return {
             decision: 'allow',
             reason: `Tool ${toolName} always-allowed for this session`,
@@ -148,36 +185,90 @@ _args, ctx) {
             }
             return {
                 decision: 'deny',
-                reason: `Plan mode: ${toolClass} tools blocked. Switch with /permissions allow.`,
+                reason: `Plan mode: ${toolClass} tools blocked. Switch with /permissions dontAsk.`,
             };
         }
-        case 'ask': {
-            return {
-                decision: 'ask',
-                reason: `Ask mode: prompt before ${toolName}`,
-                question: buildAskQuestion(toolName, toolClass, ctx.target),
-                options: ASK_OPTIONS,
-                toolClass,
-            };
+        case 'default': {
+            return askDecision(toolName, toolClass, ctx.target, 'default');
+        }
+        case 'acceptEdits': {
+            // File-edit surfaces auto-execute; everything else asks.
+            if (toolClass === 'read') {
+                return { decision: 'allow', reason: `acceptEdits: read allowed (${toolName})` };
+            }
+            if (toolClass === 'write' && ACCEPT_EDITS_AUTO_ALLOW.has(toolName)) {
+                return {
+                    decision: 'allow',
+                    reason: `acceptEdits: file-edit auto-allowed (${toolName})`,
+                };
+            }
+            return askDecision(toolName, toolClass, ctx.target, 'acceptEdits');
         }
-        case 'allow': {
+        case 'auto': {
+            // Phase 1 classifier — regex allowlist / denylist для bash;
+            // other tools always fall back to ask. The classifier surfaces
+            // an explicit verdict so the spec layer can assert per-pattern.
+            if (toolName === 'bash' && command) {
+                const verdict = classifyAutoMode(command);
+                if (verdict.verdict === 'allow') {
+                    return {
+                        decision: 'allow',
+                        reason: `auto-mode: ${verdict.reason}`,
+                    };
+                }
+                if (verdict.verdict === 'deny') {
+                    return {
+                        decision: 'deny',
+                        reason: `auto-mode: ${verdict.reason}. Switch with /permissions default to override.`,
+                    };
+                }
+                // verdict === 'ask' — fall through.
+            }
+            return askDecision(toolName, toolClass, ctx.target, 'auto');
+        }
+        case 'dontAsk': {
             return {
                 decision: 'allow',
-                reason: `Allow mode: ${toolName} executed`,
+                reason: `dontAsk mode: ${toolName} executed (deny-list still applies)`,
             };
         }
-        case 'bypass': {
+        case 'bypassPermissions': {
             return {
                 decision: 'allow',
-                reason: `Bypass mode: ${toolName} executed (policy hooks skipped)`,
+                reason: `bypassPermissions: ${toolName} executed (policy hooks skipped)`,
                 hooksBypassed: true,
             };
         }
     }
 }
+function askDecision(toolName, toolClass, target, mode) {
+    return {
+        decision: 'ask',
+        reason: `${mode} mode: prompt before ${toolName}`,
+        question: buildAskQuestion(toolName, toolClass, target),
+        options: ASK_OPTIONS,
+        toolClass,
+    };
+}
+/**
+ * Best-effort extract of the bash command string from the raw tool
+ * args. Returns `null` when the shape doesn't match — auto-mode and
+ * the circuit-breaker treat null как "no preview available" and fall
+ * back to safe defaults (ask / no-trip).
+ */
+function extractCommand(args, fallback) {
+    if (typeof fallback === 'string' && fallback.length > 0)
+        return fallback;
+    if (args && typeof args === 'object') {
+        const maybe = args.command;
+        if (typeof maybe === 'string' && maybe.length > 0)
+            return maybe;
+    }
+    return null;
+}
 /**
  * Build the operator-facing question string for an ask-mode prompt.
- * Kept in one place so the wording stays consistent across the REPL
+ * Kept в one place так the wording stays consistent across the REPL
  * Ink modal and the simpler stdin fallback.
  */
 function buildAskQuestion(toolName, toolClass, target) {

package/dist/core/permissions/index.js

@@ -11,7 +11,9 @@
  * invisible to consumers — those files are an implementation detail
  * the engine adapter does not need to know about.
  */
-export { DEFAULT_PERMISSION_MODE, PERMISSION_MODE_GLOSS, PERMISSION_MODES, isPermissionMode, parsePermissionMode, toLegacyMode, } from './mode.js';
+export { DEFAULT_PERMISSION_MODE, PERMISSION_MODE_GLOSS, PERMISSION_MODES, isPermissionMode, nextPermissionMode, parsePermissionMode, toLegacyMode, } from './mode.js';
+export { classifyAutoMode, listAutoAllowPatterns, listAutoDenyPatterns, } from './auto-classifier.js';
+export { evaluateCircuitBreaker, listCircuitBreakerPatterns, } from './circuit-breaker.js';
 export { getToolClass, listBuiltInToolClasses, } from './tool-class.js';
 export { ASK_OPTIONS, PermissionDenied, applyAskAnswer, createAskAlwaysCache, gate, } from './gate.js';
 export { getCurrentMode, getGlobalDefaultMode, getPreviousMode, globalConfigPath, resolveMode, sessionStatePath, setCurrentMode, setGlobalDefaultMode, setPreviousMode, } from './state.js';