@pugi/cli 0.1.0-beta.36 → 0.1.0-beta.37

package/dist/core/permissions/gate.js

@@ -1,5 +1,5 @@
 /**
- * Permission gate — Leak L6 canonical 4-mode enforcement.
+ * Permission gate — Wave 7 canonical 6-mode enforcement (CC parity).
  *
  * Single dispatch entry point. Every tool call goes through `gate()`
  * before the executor runs the tool body; the executor surfaces the
@@ -9,23 +9,32 @@
  *
  * Routing matrix (mode × class):
  *
- *                 |  read  | write  | dispatch
- *   plan          |  allow |  deny  |  deny
- *   ask           |  ask   |  ask   |  ask
- *   allow         |  allow |  allow |  allow
- *   bypass        |  allow |  allow |  allow   (plus: hooks bypassed)
+ *                       |  read  | write       | dispatch
+ *   default             |  ask   |  ask        |  ask
+ *   acceptEdits         |  allow |  allow*     |  ask
+ *   plan                |  allow |  deny       |  deny
+ *   auto                |  ask†  |  ask†       |  ask†
+ *   dontAsk             |  allow |  allow      |  allow
+ *   bypassPermissions   |  allow |  allow      |  allow   (hooks bypassed)
  *
- * In ask mode the gate consults a session-scoped `always-allow` cache
- * keyed by tool name (set when the operator picks "always-allow-tool"
- * in the prompt). The cache is in-memory only — restarting the session
- * resets it, by design (every-session-fresh ask consent).
+ *   * acceptEdits allows file-write tools (write/edit/multi_edit) only;
+ *     bash and other write-class tools still ask.
+ *   † auto-mode consults the classifier (`auto-classifier.ts`): safe
+ *     regex allowlist → allow; destructive regex denylist → deny;
+ *     anything else → ask.
  *
- * Bypass mode does NOT take a different code path in this module — the
- * `hooksBypassed` flag in the decision payload signals the executor /
- * hook layer to skip policy hooks. The classification logic is the
- * same as `allow` because the gate doesn't own hook execution; the
- * caller decides what to do with the bypass signal.
+ * Protected paths (`.git`, `~/.ssh`, `.pugi/settings.json`, …) NEVER
+ * auto-approve regardless of mode — the gate refuses them even in
+ * `dontAsk` and `bypassPermissions`. The bypassPermissions circuit-
+ * breaker fires on rm -rf / fork-bomb / dd if=/ patterns против root /
+ * home / workspace.
+ *
+ * Ask-mode session cache (`AskAlwaysCache`) survives — `default` and
+ * `auto` consult it; `plan` ignores it (structural contract); the
+ * permissive modes already allow / refuse без the cache.
  */
+import { classifyAutoMode } from './auto-classifier.js';
+import { evaluateCircuitBreaker } from './circuit-breaker.js';
 import { getToolClass } from './tool-class.js';
 export const ASK_OPTIONS = Object.freeze([
     'allow-once',
@@ -41,12 +50,12 @@ export function createAskAlwaysCache() {
 }
 /**
  * Apply the operator's answer to an `ask` decision. Caller invokes this
- * after the operator picks an option so the cache stays in sync.
- * Returns the effective decision: `allow-once` / `always-this-tool`
- * become `allow`; `deny-once` / `always-deny-this-tool` become `deny`.
+ * after the operator picks an option так cache stays в sync. Returns
+ * the effective decision: `allow-once` / `always-this-tool` become
+ * `allow`; `deny-once` / `always-deny-this-tool` become `deny`.
  *
  * `always-*` answers persist to the cache and short-circuit the next
- * gate call for the same tool name within the same session.
+ * gate call для the same tool name внутри session.
  */
 export function applyAskAnswer(cache, toolName, answer) {
     switch (answer) {
@@ -64,6 +73,17 @@ export function applyAskAnswer(cache, toolName, answer) {
             return { decision: 'deny', reason: `Denied for ${toolName} this session` };
     }
 }
+/**
+ * Tools that `acceptEdits` mode auto-allows. Restricted к file-edit
+ * surfaces — bash / dispatch / etc fall through к the ask branch so
+ * the operator stays in control of "execute arbitrary command" and
+ * "spawn child agent" actions.
+ */
+const ACCEPT_EDITS_AUTO_ALLOW = new Set([
+    'write',
+    'edit',
+    'multi_edit',
+]);
 /**
  * Permission-denied sentinel. Distinguishable from other tool errors
  * (parse errors, IO failures) so the caller can route the message back
@@ -75,14 +95,14 @@ export class PermissionDenied extends Error {
     toolName;
     toolClass;
     /**
-     * Human-friendly reason surfaced in logs / hook payloads. Distinct
+     * Human-friendly reason surfaced в logs / hook payloads. Distinct
      * from `message` so the spec layer can pattern-match the canonical
      * `PERMISSION_DENIED:` sentinel verbatim while operators see the
-     * full explanation in console output.
+     * full explanation в console output.
      */
     reason;
     constructor(toolName, toolClass, mode, reason) {
-        // The base Error.message is the canonical sentinel so default
+        // The base Error.message is the canonical sentinel так default
         // toString() / re-throw paths preserve the format the model and
         // the spec layer pattern-match against.
         super(`PERMISSION_DENIED: ${toolName} blocked in ${mode} mode. Operator can switch with /permissions <mode>.`);
@@ -92,10 +112,10 @@ export class PermissionDenied extends Error {
         this.reason = reason;
     }
     /**
-     * Render the sentinel message the executor surfaces to the model.
-     * The string format is stable so a parent agent / E2E spec can
+     * Render the sentinel message the executor surfaces к the model.
+     * The string format stable так a parent agent / E2E spec can
      * pattern-match `PERMISSION_DENIED: <tool> blocked in <mode> mode.`
-     * verbatim. Equivalent to `this.message`; kept as a method so
+     * verbatim. Equivalent to `this.message`; kept как method так
      * downstream callers can use whichever spelling reads better at the
      * site.
      */
@@ -111,31 +131,48 @@ export class PermissionDenied extends Error {
  * Argument bag mirrors the executor entry shape:
  *   - `toolName` is the registered tool key (e.g. `read`, `write`,
  *     `mcp__github__list_issues`).
- *   - `args` is the raw arg payload. Currently unused in the routing
- *     decision — the matrix only cares about class. Plumbed in
- *     because future "always-allow-this-pattern" rules (e.g.
- *     `git status` auto-allow) will consume it without changing the
- *     callsite contract.
+ *   - `args` is the raw arg payload. The gate inspects `args.command`
+ *     when present (bash tool) for the circuit-breaker + auto-mode
+ *     classifier. Other tools pass through unused — the contract is
+ *     stable on purpose.
  *   - `ctx` carries mode + session-scoped state.
  */
-export function gate(toolName, 
-// Reserved for future pattern-based rules (always-allow `git status`).
-// Suppress unused-argument lint — the contract is stable on purpose.
-_args, ctx) {
+export function gate(toolName, args, ctx) {
     const toolClass = getToolClass(toolName);
     const cache = ctx.alwaysCache;
+    const command = extractCommand(args, ctx.commandPreview);
+    // Bypass-mode circuit breaker: catastrophic patterns refuse FIRST,
+    // before any other routing. Same rule applies when the operator
+    // wired `dontAsk` and a destructive command sneaks through — defence
+    // in depth.
+    if ((ctx.permissionMode === 'bypassPermissions' || ctx.permissionMode === 'dontAsk')
+        && command) {
+        const breaker = evaluateCircuitBreaker(command);
+        if (breaker.tripped) {
+            return {
+                decision: 'deny',
+                reason: `Circuit-breaker tripped: ${breaker.reason}. Refused в ${ctx.permissionMode} mode regardless of policy.`,
+                circuitBreakerReason: breaker.reason,
+            };
+        }
+    }
     // Ask-mode session memory: an explicit "always-deny" beats any other
     // routing because the operator has actively refused this tool.
     if (cache?.alwaysDenied.has(toolName)) {
         return {
             decision: 'deny',
-            reason: `Tool ${toolName} denied for the session via /permissions ask`,
+            reason: `Tool ${toolName} denied for the session via /permissions`,
         };
     }
-    // "Always-allow" in ask mode skips the prompt for subsequent calls.
-    // Plan mode IGNORES the always-allow cache because plan mode's
-    // contract is structural (read-only), not consent-based.
-    if (cache?.alwaysAllowed.has(toolName) && ctx.permissionMode === 'ask') {
+    // "Always-allow" в ask-style modes skips the prompt for subsequent
+    // calls. `plan` mode IGNORES the always-allow cache because plan
+    // mode's contract is structural (read-only), not consent-based.
+    // `bypassPermissions` / `dontAsk` already allow so the cache is moot.
+    // `acceptEdits` and `auto` honour the cache like `default` does.
+    if (cache?.alwaysAllowed.has(toolName)
+        && (ctx.permissionMode === 'default'
+            || ctx.permissionMode === 'acceptEdits'
+            || ctx.permissionMode === 'auto')) {
         return {
             decision: 'allow',
             reason: `Tool ${toolName} always-allowed for this session`,
@@ -148,36 +185,90 @@ _args, ctx) {
             }
             return {
                 decision: 'deny',
-                reason: `Plan mode: ${toolClass} tools blocked. Switch with /permissions allow.`,
+                reason: `Plan mode: ${toolClass} tools blocked. Switch with /permissions dontAsk.`,
             };
         }
-        case 'ask': {
-            return {
-                decision: 'ask',
-                reason: `Ask mode: prompt before ${toolName}`,
-                question: buildAskQuestion(toolName, toolClass, ctx.target),
-                options: ASK_OPTIONS,
-                toolClass,
-            };
+        case 'default': {
+            return askDecision(toolName, toolClass, ctx.target, 'default');
+        }
+        case 'acceptEdits': {
+            // File-edit surfaces auto-execute; everything else asks.
+            if (toolClass === 'read') {
+                return { decision: 'allow', reason: `acceptEdits: read allowed (${toolName})` };
+            }
+            if (toolClass === 'write' && ACCEPT_EDITS_AUTO_ALLOW.has(toolName)) {
+                return {
+                    decision: 'allow',
+                    reason: `acceptEdits: file-edit auto-allowed (${toolName})`,
+                };
+            }
+            return askDecision(toolName, toolClass, ctx.target, 'acceptEdits');
         }
-        case 'allow': {
+        case 'auto': {
+            // Phase 1 classifier — regex allowlist / denylist для bash;
+            // other tools always fall back to ask. The classifier surfaces
+            // an explicit verdict so the spec layer can assert per-pattern.
+            if (toolName === 'bash' && command) {
+                const verdict = classifyAutoMode(command);
+                if (verdict.verdict === 'allow') {
+                    return {
+                        decision: 'allow',
+                        reason: `auto-mode: ${verdict.reason}`,
+                    };
+                }
+                if (verdict.verdict === 'deny') {
+                    return {
+                        decision: 'deny',
+                        reason: `auto-mode: ${verdict.reason}. Switch with /permissions default to override.`,
+                    };
+                }
+                // verdict === 'ask' — fall through.
+            }
+            return askDecision(toolName, toolClass, ctx.target, 'auto');
+        }
+        case 'dontAsk': {
             return {
                 decision: 'allow',
-                reason: `Allow mode: ${toolName} executed`,
+                reason: `dontAsk mode: ${toolName} executed (deny-list still applies)`,
             };
         }
-        case 'bypass': {
+        case 'bypassPermissions': {
             return {
                 decision: 'allow',
-                reason: `Bypass mode: ${toolName} executed (policy hooks skipped)`,
+                reason: `bypassPermissions: ${toolName} executed (policy hooks skipped)`,
                 hooksBypassed: true,
             };
         }
     }
 }
+function askDecision(toolName, toolClass, target, mode) {
+    return {
+        decision: 'ask',
+        reason: `${mode} mode: prompt before ${toolName}`,
+        question: buildAskQuestion(toolName, toolClass, target),
+        options: ASK_OPTIONS,
+        toolClass,
+    };
+}
+/**
+ * Best-effort extract of the bash command string from the raw tool
+ * args. Returns `null` when the shape doesn't match — auto-mode and
+ * the circuit-breaker treat null как "no preview available" and fall
+ * back to safe defaults (ask / no-trip).
+ */
+function extractCommand(args, fallback) {
+    if (typeof fallback === 'string' && fallback.length > 0)
+        return fallback;
+    if (args && typeof args === 'object') {
+        const maybe = args.command;
+        if (typeof maybe === 'string' && maybe.length > 0)
+            return maybe;
+    }
+    return null;
+}
 /**
  * Build the operator-facing question string for an ask-mode prompt.
- * Kept in one place so the wording stays consistent across the REPL
+ * Kept в one place так the wording stays consistent across the REPL
  * Ink modal and the simpler stdin fallback.
  */
 function buildAskQuestion(toolName, toolClass, target) {

package/dist/core/permissions/index.js

@@ -11,7 +11,9 @@
  * invisible to consumers — those files are an implementation detail
  * the engine adapter does not need to know about.
  */
-export { DEFAULT_PERMISSION_MODE, PERMISSION_MODE_GLOSS, PERMISSION_MODES, isPermissionMode, parsePermissionMode, toLegacyMode, } from './mode.js';
+export { DEFAULT_PERMISSION_MODE, PERMISSION_MODE_GLOSS, PERMISSION_MODES, isPermissionMode, nextPermissionMode, parsePermissionMode, toLegacyMode, } from './mode.js';
+export { classifyAutoMode, listAutoAllowPatterns, listAutoDenyPatterns, } from './auto-classifier.js';
+export { evaluateCircuitBreaker, listCircuitBreakerPatterns, } from './circuit-breaker.js';
 export { getToolClass, listBuiltInToolClasses, } from './tool-class.js';
 export { ASK_OPTIONS, PermissionDenied, applyAskAnswer, createAskAlwaysCache, gate, } from './gate.js';
 export { getCurrentMode, getGlobalDefaultMode, getPreviousMode, globalConfigPath, resolveMode, sessionStatePath, setCurrentMode, setGlobalDefaultMode, setPreviousMode, } from './state.js';

package/dist/core/permissions/mode.js

@@ -1,102 +1,174 @@
 /**
- * Permission modes — canonical 4-mode taxonomy (Leak L6).
+ * Permission modes — Wave 7 canonical 6-mode taxonomy (Claude Code parity).
  *
- * Pugi historically shipped a 6-mode taxonomy in `@pugi/sdk`
- * (`plan | ask | acceptEdits | auto | dontAsk | bypassPermissions`)
- * which the legacy `core/permission.ts` engine maps tools onto. Claude
- * Code, Codex, and the openclaude / openwork leaks all converge on a
- * smaller, sharper 4-mode set:
+ * Pugi α6 shipped a 4-mode taxonomy (`plan | ask | allow | bypass`) that
+ * proved fine для daily use but diverged from Claude Code's 6-mode
+ * surface (`default | acceptEdits | plan | auto | dontAsk |
+ * bypassPermissions`). Wave 7 Sprint 1 epic #2 closes the parity gap so
+ * operators coming from Claude Code see the same mode names + same
+ * Shift+Tab cycle.
  *
- *   - `plan`    — read-only proposal mode. Write/dispatch tools refused
- *                 with a deterministic sentinel; the model is expected
- *                 to surface a plan, not execute it.
- *   - `ask`     — every tool execution prompts the operator. Default
- *                 mode for new operators; the safe ground state.
- *   - `allow`   — every tool executes without per-call prompts, BUT
- *                 the policy hook layer (skill-steering, denial audit,
- *                 destructive deny-list) still fires.
- *   - `bypass`  — same as allow but ALSO skips policy hooks. Power-user
- *                 mode for trusted scripted runs; surface a banner on
- *                 entry so an operator who flips here by accident sees
- *                 they have disengaged the audit layer.
+ * Canonical 6 modes (Wave 7):
  *
- * This module owns the union type, the canonical default, and the
- * mode-resolution helper. The runtime gate (`gate.ts`) consumes it; the
- * legacy 6-mode SDK enum remains the system-of-record for bash-class
- * decisions inside `core/permission.ts` — the canonical 4-mode layer
- * sits in front and short-circuits the dispatch decision before bash
- * classification ever runs.
+ *   - `default`            — every tool call asks the operator. Safe
+ *                            ground state, replaces α6 `ask`.
+ *   - `acceptEdits`        — auto-allow write/edit on workspace files,
+ *                            ask for everything else (bash, dispatch).
+ *                            Matches CC's "trust file edits только".
+ *   - `plan`               — read-only proposal mode. Write/dispatch
+ *                            refused with deterministic sentinel; the
+ *                            model surfaces a plan, не executes.
+ *   - `auto`               — classifier decides per-call. Phase 1
+ *                            (this PR) ships regex allowlist (safe
+ *                            commands) + regex denylist (destructive).
+ *                            Anything else falls back to ask.
+ *   - `dontAsk`            — auto-allow everything except `permissions.deny`
+ *                            list. Replaces α6 `allow`.
+ *   - `bypassPermissions`  — skip ALL checks including deny list +
+ *                            policy hooks. Has a circuit-breaker for
+ *                            catastrophic patterns (rm -rf /, fork bomb,
+ *                            dd if=/) that refuses regardless of mode.
+ *                            Replaces α6 `bypass`.
+ *
+ * Backwards-compat aliases: the α6 short names (`ask`, `allow`, `bypass`)
+ * map to the new canonical names via `MODE_ALIASES`. `parsePermissionMode`
+ * resolves aliases so existing session.json files keep working.
+ *
+ * Rename mapping (α6 → α7):
+ *   ask     → default
+ *   allow   → dontAsk
+ *   bypass  → bypassPermissions
+ *   (plan, acceptEdits, auto unchanged / new)
  */
 /**
- * Closed list — useful for input validation and slash-command help.
+ * Closed list — used by Shift+Tab cycle (in order), input validation,
+ * and slash-command help. Order matches Claude Code's documented
+ * Shift+Tab progression: default → acceptEdits → plan → auto → dontAsk
+ * → bypassPermissions → wrap к default.
  */
 export const PERMISSION_MODES = Object.freeze([
+    'default',
+    'acceptEdits',
     'plan',
-    'ask',
-    'allow',
-    'bypass',
+    'auto',
+    'dontAsk',
+    'bypassPermissions',
 ]);
 /**
  * Default mode applied when no `--mode` flag, no per-workspace session
- * state, and no `defaultPermissionMode` in `~/.pugi/config.json`. We
- * default cautious (`ask`) — an operator who has not configured anything
- * is treated as a new operator who deserves visibility into every tool
- * call.
+ * state, and no `defaultPermissionMode` в `~/.pugi/config.json`. We
+ * default cautious (`default` mode = prompt every call) — an operator
+ * who has not configured anything is treated as a new operator who
+ * deserves visibility into every tool call.
  */
-export const DEFAULT_PERMISSION_MODE = 'ask';
+export const DEFAULT_PERMISSION_MODE = 'default';
 /**
- * Type guard for arbitrary string input (CLI flag, session.json
+ * Backwards-compat aliases: α6 short names map to α7 canonical names.
+ * `parsePermissionMode` consults this table так existing session.json
+ * files + scripts that pass `--mode ask` keep working without breaking.
+ *
+ * Aliases are one-way: persistence writes the canonical name, so a
+ * session that started on `ask` is migrated to `default` on next save.
+ */
+const MODE_ALIASES = Object.freeze({
+    ask: 'default',
+    allow: 'dontAsk',
+    bypass: 'bypassPermissions',
+});
+/**
+ * Type guard для arbitrary string input (CLI flag, session.json
  * deserialization). Returns false for casing variants — caller is
- * expected to lowercase before testing.
+ * expected to lowercase before testing. Aliases are NOT accepted by
+ * this predicate; use `parsePermissionMode` for alias resolution.
  */
 export function isPermissionMode(value) {
     return typeof value === 'string' && PERMISSION_MODES.includes(value);
 }
 /**
- * Parse + validate a mode string. Returns null for invalid input so the
+ * Parse + validate a mode string. Returns null для invalid input so the
  * caller can surface a typed error (`unknown mode: <value>`) instead of
  * throwing from a parse helper.
+ *
+ * Resolves α6 aliases (`ask` → `default`, `allow` → `dontAsk`,
+ * `bypass` → `bypassPermissions`) for backwards compatibility.
+ *
+ * Case-handling: lowercases for canonical names but matches camelCase
+ * names case-insensitively too (так `acceptedits` resolves to
+ * `acceptEdits`). The aliases table covers the legacy lowercase tokens.
  */
 export function parsePermissionMode(value) {
-    const lower = value.trim().toLowerCase();
-    return isPermissionMode(lower) ? lower : null;
+    const trimmed = value.trim();
+    if (trimmed.length === 0)
+        return null;
+    // Direct canonical match first (preserves camelCase capitalisation).
+    if (isPermissionMode(trimmed))
+        return trimmed;
+    // Case-insensitive canonical match — operator typed `acceptedits`.
+    const lower = trimmed.toLowerCase();
+    const canonical = PERMISSION_MODES.find((m) => m.toLowerCase() === lower);
+    if (canonical)
+        return canonical;
+    // α6 alias fallthrough.
+    const aliased = MODE_ALIASES[lower];
+    if (aliased)
+        return aliased;
+    return null;
 }
 /**
- * Map the canonical 4-mode taxonomy to the legacy 6-mode SDK enum used
- * by `core/permission.ts::evaluateBashPermission` and friends. The map
- * is intentionally surjective on a narrower target — the canonical
- * layer is the new public contract, the legacy layer is plumbing.
- *
- *   plan   -> 'plan'              (read-only)
- *   ask    -> 'ask'               (prompt every action)
- *   allow  -> 'auto'              (allow non-destructive; deny destructive)
- *   bypass -> 'bypassPermissions' (allow everything except destructive override)
+ * Wave 7 Shift+Tab cycle — advance to the next mode in the canonical
+ * order, wrapping from the last back to the first. Pure helper so the
+ * TUI binding can call it without re-implementing the cycle logic.
+ */
+export function nextPermissionMode(current) {
+    const idx = PERMISSION_MODES.indexOf(current);
+    if (idx === -1)
+        return DEFAULT_PERMISSION_MODE;
+    const next = PERMISSION_MODES[(idx + 1) % PERMISSION_MODES.length];
+    return next ?? DEFAULT_PERMISSION_MODE;
+}
+/**
+ * Map the canonical 6-mode taxonomy to the legacy SDK enum used by
+ * `@pugi/sdk::permissionModeSchema`. The SDK enum already contains all
+ * 6 names so the map is identity для the modes that align; the two
+ * α6-only legacy names (`ask`, `allow`) are not part of the canonical
+ * set anymore — `default` and `dontAsk` are их replacements.
  *
  * Callers that need the legacy enum (existing bash classifier, settings
- * persistence) should funnel through this helper so the mapping is in
- * one place.
+ * persistence) should funnel through this helper so the mapping stays
+ * в one place.
  */
 export function toLegacyMode(mode) {
     switch (mode) {
+        case 'default':
+            // SDK enum doesn't carry `default`; the closest legacy semantic is
+            // `ask` (prompt-every-call). Persistence layers that round-trip
+            // через the SDK enum get back `ask`, which `parsePermissionMode`
+            // re-maps to `default` via the alias table. Round-trip safe.
+            return 'ask';
+        case 'acceptEdits':
+            return 'acceptEdits';
         case 'plan':
             return 'plan';
-        case 'ask':
-            return 'ask';
-        case 'allow':
+        case 'auto':
             return 'auto';
-        case 'bypass':
+        case 'dontAsk':
+            return 'dontAsk';
+        case 'bypassPermissions':
             return 'bypassPermissions';
     }
 }
 /**
- * One-line human-readable summary surfaced by the `/permissions` table
- * and `pugi --help` text. Kept inline so the strings stay localizable
- * via a single edit point.
+ * One-line human-readable summary surfaced by the `/permissions` table,
+ * the Ink picker, and `pugi --help` text. Each line carries a safety
+ * hint ("safe-by-default" / "use carefully" / "power-user only") so an
+ * operator скимming the picker knows the risk profile at a glance.
  */
 export const PERMISSION_MODE_GLOSS = Object.freeze({
-    plan: 'Read-only — propose, never execute. Write + dispatch tools refused.',
-    ask: 'Prompt before every tool call. Default for new operators.',
-    allow: 'Execute tools without prompts. Policy hooks still fire.',
-    bypass: 'Execute tools without prompts AND skip policy hooks. Power-user only.',
+    default: 'Prompt before every tool call. Safe-by-default for new operators.',
+    acceptEdits: 'Auto-allow file edit/write; ask for bash + dispatch. Safe-by-default.',
+    plan: 'Read-only — propose, never execute. Write + dispatch refused.',
+    auto: 'Classifier decides per call (safe regex allowlist; falls back к ask). Use carefully.',
+    dontAsk: 'Execute tools without prompts; deny-list still applies. Use carefully.',
+    bypassPermissions: 'Skip ALL checks AND policy hooks; circuit-breaker on catastrophic patterns. Power-user only.',
 });
 //# sourceMappingURL=mode.js.map

package/dist/core/permissions/state.js

@@ -22,8 +22,27 @@ import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from '
 import { dirname, resolve } from 'node:path';
 import { homedir } from 'node:os';
 import { z } from 'zod';
-import { DEFAULT_PERMISSION_MODE, isPermissionMode, parsePermissionMode, } from './mode.js';
-const permissionModeEnum = z.enum(['plan', 'ask', 'allow', 'bypass']);
+import { DEFAULT_PERMISSION_MODE, parsePermissionMode, } from './mode.js';
+/**
+ * Wave 7: zod enum for the canonical 6-mode taxonomy. Includes α6
+ * aliases (`ask`, `allow`, `bypass`) as accepted input — Zod parses
+ * them, the helpers below remap к canonical names before returning к
+ * the caller. Persistence always writes the canonical name so the file
+ * migrates forward on next save.
+ */
+const permissionModeEnum = z.enum([
+    // Canonical Wave 7 names.
+    'default',
+    'acceptEdits',
+    'plan',
+    'auto',
+    'dontAsk',
+    'bypassPermissions',
+    // α6 backwards-compat aliases — resolved via parsePermissionMode.
+    'ask',
+    'allow',
+    'bypass',
+]);
 const sessionStateSchema = z
     .object({
     permissionMode: permissionModeEnum.optional(),
@@ -74,7 +93,12 @@ export function getCurrentMode(workspaceRoot) {
     try {
         const raw = readFileSync(path, 'utf8');
         const parsed = sessionStateSchema.parse(JSON.parse(raw));
-        return isPermissionMode(parsed.permissionMode) ? parsed.permissionMode : null;
+        if (typeof parsed.permissionMode !== 'string')
+            return null;
+        // Wave 7: parsePermissionMode resolves α6 aliases (`ask`, `allow`,
+        // `bypass`) to their canonical Wave 7 names. A session file written
+        // by α6.x is silently upgraded on read.
+        return parsePermissionMode(parsed.permissionMode);
     }
     catch {
         return null;
@@ -112,9 +136,9 @@ export function getPreviousMode(workspaceRoot) {
     try {
         const raw = readFileSync(path, 'utf8');
         const parsed = sessionStateSchema.parse(JSON.parse(raw));
-        return isPermissionMode(parsed.previousPermissionMode)
-            ? parsed.previousPermissionMode
-            : null;
+        if (typeof parsed.previousPermissionMode !== 'string')
+            return null;
+        return parsePermissionMode(parsed.previousPermissionMode);
     }
     catch {
         return null;
@@ -157,7 +181,9 @@ export function getGlobalDefaultMode(homeDir = homedir()) {
     try {
         const raw = readFileSync(path, 'utf8');
         const parsed = globalConfigSchema.parse(JSON.parse(raw));
-        return isPermissionMode(parsed.defaultPermissionMode) ? parsed.defaultPermissionMode : null;
+        if (typeof parsed.defaultPermissionMode !== 'string')
+            return null;
+        return parsePermissionMode(parsed.defaultPermissionMode);
     }
     catch {
         return null;