@pugi/cli 0.1.0-beta.4 → 0.1.0-beta.40

package/dist/core/edits/verify-hook.js

@@ -0,0 +1,273 @@
+/**
+ * Verify hook — β1b Pl10 (2026-05-26).
+ *
+ * After the edit-dispatcher writes a multi-file change to the
+ * workspace, this hook fires three lightweight checks against the
+ * post-state and reports each result back to the engine loop as a
+ * status event:
+ *
+ *   1. tsc — if `tsconfig.json` is present in the workspace root, run
+ *      `tsc --noEmit` to catch compile-time breakage. Pass/fail tracked
+ *      per file is overkill at this stage; we surface the exit code +
+ *      first ~40 lines of stderr.
+ *   2. tests — if package.json has a `test` script AND a test runner
+ *      is available (jest / vitest / node --test), run `pnpm test
+ *      --bail` (or `npm test --bail`). Same exit-code + tail of output
+ *      contract.
+ *   3. URL probes — extract every `https?://...` literal from the diff
+ *      (README + code) and HEAD-probe each. A response < 400 counts as
+ *      live; >=400 surfaces as a warning. Capped at 8 unique URLs per
+ *      hook to avoid spending the budget on doc rot.
+ *
+ * Retry contract (β1b r1 rescope): the hook itself is stateless and
+ * runs ONCE per invocation, returning a structured report. The
+ * "feedback → model → re-edit" retry orchestrator does NOT exist yet
+ * in the engine loop — it was promised as part of β1b Pl10 but never
+ * shipped because the engine refactor that hosts it is bigger than
+ * the verify-hook itself can absorb. Retry orchestration is deferred
+ * to β6 plan-mode integration where the loop already needs a
+ * model→hook feedback channel for plan replay. Today the operator
+ * re-runs `pugi code` to re-drive verification after a fail. The
+ * stateless hook ships unchanged so the β6 driver can wrap it.
+ *
+ * Why HEAD and not GET for URL probes:
+ *   - HEAD avoids the body fetch; cheaper + faster.
+ *   - SSRF guard from `web-fetch.ts::validateHostnameForFetch` runs
+ *     before every probe so private IPs / localhost cannot ride.
+ *   - Some servers reject HEAD (rare but real); on 4xx-from-HEAD we
+ *     do NOT escalate to GET — that would burn the budget. We surface
+ *     a `head_rejected` warning so the operator decides.
+ *
+ * Skip cases (return early with `skipped: true` on the relevant
+ * check):
+ *   - tsc: no `tsconfig.json` at workspace root.
+ *   - tests: no `package.json` OR no `test` script.
+ *   - urls: no `https?://...` literals in the diff.
+ *
+ * Best-effort: every failure mode degrades to a structured report; the
+ * hook itself NEVER throws. The engine loop decides whether to
+ * surface as a hard fail vs a model-correctable warning.
+ *
+ * Brand voice: ASCII only, no banned words.
+ */
+import { spawnSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { validateHostnameForFetch } from '../../tools/web-fetch.js';
+const DEFAULT_TIMEOUT_MS = 30_000;
+const DEFAULT_MAX_URL_PROBES = 8;
+const URL_LITERAL_RE = /(https?:\/\/[^\s"'<>()`\\\]]+)/g;
+/**
+ * Drive one verify pass. Synchronous tsc + test child processes,
+ * concurrent URL probes (up to `maxUrlProbes`). Returns once every
+ * check has completed (no streaming events — the caller wraps the
+ * report into its own status event format).
+ */
+export async function runVerifyHook(input) {
+    const timeoutMs = input.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    const runProc = input.runProc ?? defaultRunProc;
+    return {
+        tsc: runTscCheck(input.workspaceRoot, runProc, timeoutMs),
+        tests: runTestsCheck(input.workspaceRoot, runProc, timeoutMs),
+        urls: await runUrlChecks(input),
+    };
+}
+/* ----------------------- tsc check ---------------------- */
+function runTscCheck(workspaceRoot, runProc, timeoutMs) {
+    const tsconfig = resolve(workspaceRoot, 'tsconfig.json');
+    if (!existsSync(tsconfig)) {
+        return { ok: true, skipped: true, reason: 'no_tsconfig' };
+    }
+    // Prefer `pnpm exec tsc` because pnpm-aware monorepos hoist tsc into
+    // `node_modules/.bin`; fallback to bare `tsc` for global installs.
+    // We try `pnpm exec tsc` first only if a `pnpm-lock.yaml` is at the
+    // workspace root; otherwise we go straight to `tsc`.
+    const pnpmLock = existsSync(resolve(workspaceRoot, 'pnpm-lock.yaml'));
+    const cmd = pnpmLock ? 'pnpm' : 'tsc';
+    const args = pnpmLock ? ['exec', 'tsc', '--noEmit'] : ['--noEmit'];
+    const result = runProc(cmd, args, workspaceRoot, timeoutMs);
+    if (result.exitCode === 0)
+        return { ok: true };
+    return {
+        ok: false,
+        reason: `tsc_exit_${result.exitCode}`,
+        detail: tailOutput(result.stdout, result.stderr, 40),
+    };
+}
+/* ----------------------- tests check ---------------------- */
+function runTestsCheck(workspaceRoot, runProc, timeoutMs) {
+    const pkgPath = resolve(workspaceRoot, 'package.json');
+    if (!existsSync(pkgPath)) {
+        return { ok: true, skipped: true, reason: 'no_package_json' };
+    }
+    let pkg;
+    try {
+        pkg = JSON.parse(readFileSync(pkgPath, 'utf8'));
+    }
+    catch {
+        return { ok: true, skipped: true, reason: 'malformed_package_json' };
+    }
+    if (!pkg.scripts || typeof pkg.scripts.test !== 'string') {
+        return { ok: true, skipped: true, reason: 'no_test_script' };
+    }
+    const pnpmLock = existsSync(resolve(workspaceRoot, 'pnpm-lock.yaml'));
+    // Prefer pnpm test --bail; some test runners reject the flag (node
+    // --test ignores it), so we surface non-zero exits clearly but do
+    // not retry without --bail.
+    // Both pnpm + npm accept `<cmd> test -- --bail`; the runner-side
+    // flag-forwarding contract is identical, so the ternary collapses to
+    // a single args literal.
+    const cmd = pnpmLock ? 'pnpm' : 'npm';
+    const args = ['test', '--', '--bail'];
+    const result = runProc(cmd, args, workspaceRoot, timeoutMs);
+    if (result.exitCode === 0)
+        return { ok: true };
+    return {
+        ok: false,
+        reason: `tests_exit_${result.exitCode}`,
+        detail: tailOutput(result.stdout, result.stderr, 60),
+    };
+}
+/* ----------------------- url probes ---------------------- */
+async function runUrlChecks(input) {
+    const diffText = input.diffText ?? '';
+    if (diffText.length === 0) {
+        return { ok: true, skipped: true, reason: 'no_diff_text' };
+    }
+    const urls = extractUrls(diffText);
+    if (urls.length === 0) {
+        return { ok: true, skipped: true, reason: 'no_urls' };
+    }
+    const cap = input.maxUrlProbes ?? DEFAULT_MAX_URL_PROBES;
+    const probed = urls.slice(0, cap);
+    const probeFn = input.probeFn ?? defaultProbeFn;
+    const failures = [];
+    for (const url of probed) {
+        // Hostname SSRF guard — never probe a localhost / private IP even
+        // when a literal in the diff points there.
+        let parsed;
+        try {
+            parsed = new URL(url);
+        }
+        catch {
+            failures.push({ url, error: 'invalid_url' });
+            continue;
+        }
+        if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+            failures.push({ url, error: `unsupported_scheme_${parsed.protocol}` });
+            continue;
+        }
+        const hostname = parsed.hostname.replace(/^\[|\]$/g, '');
+        const guard = await validateHostnameForFetch(hostname);
+        if (guard) {
+            failures.push({ url, error: `ssrf_refused: ${guard}` });
+            continue;
+        }
+        try {
+            const r = await probeFn(url);
+            if ('error' in r) {
+                failures.push({ url, error: r.error });
+                continue;
+            }
+            if (r.status >= 400) {
+                failures.push({ url, error: `http_${r.status}` });
+            }
+        }
+        catch (error) {
+            failures.push({
+                url,
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    }
+    if (failures.length === 0) {
+        return { ok: true, probedCount: probed.length };
+    }
+    return {
+        ok: false,
+        reason: `url_probe_failed`,
+        probedCount: probed.length,
+        failures,
+        detail: failures.map((f) => `${f.url} → ${f.error}`).join('; '),
+    };
+}
+/**
+ * Extract unique http(s) URLs from a diff/text blob. Order preserved
+ * (first-seen) so the cap picks the earliest-mentioned ones, which
+ * intuitively matches the operator's expectation.
+ */
+export function extractUrls(text) {
+    const seen = new Set();
+    const out = [];
+    let match;
+    // Reset the regex's lastIndex; URL_LITERAL_RE is module-scoped and
+    // /g means stateful exec calls.
+    URL_LITERAL_RE.lastIndex = 0;
+    while ((match = URL_LITERAL_RE.exec(text)) !== null) {
+        const raw = match[1];
+        if (!raw)
+            continue;
+        // Strip a trailing punctuation that the regex tolerates inside
+        // the match (sentences in Markdown often end `... https://x).`).
+        // We also strip `!` and `?` so prose like "see https://x!" lands
+        // as `https://x`.
+        const cleaned = raw.replace(/[.,;:!?)\]>]+$/, '');
+        if (cleaned.length === 0)
+            continue;
+        if (seen.has(cleaned))
+            continue;
+        seen.add(cleaned);
+        out.push(cleaned);
+    }
+    return out;
+}
+/* ----------------------- defaults ---------------------- */
+function defaultRunProc(cmd, args, cwd, timeoutMs) {
+    const result = spawnSync(cmd, [...args], {
+        cwd,
+        encoding: 'utf8',
+        timeout: timeoutMs,
+        // Inherit a minimal env — every check is read-only against the
+        // workspace and we do not want to leak PUGI_API_KEY into a
+        // sub-process accidentally.
+        env: { ...process.env, PUGI_API_KEY: undefined, PUGI_LOGIN_TOKEN: undefined },
+    });
+    return {
+        exitCode: typeof result.status === 'number' ? result.status : -1,
+        stdout: result.stdout ?? '',
+        stderr: result.stderr ?? '',
+    };
+}
+async function defaultProbeFn(url) {
+    // Lazy-import undici so the verify-hook module stays cheap when
+    // url probes are skipped.
+    const { request } = await import('undici');
+    try {
+        const response = await request(url, {
+            method: 'HEAD',
+            bodyTimeout: 5_000,
+            headersTimeout: 5_000,
+        });
+        // Drain so the connection releases promptly.
+        try {
+            await response.body.dump();
+        }
+        catch {
+            /* swallow */
+        }
+        return { status: response.statusCode };
+    }
+    catch (error) {
+        return { error: error instanceof Error ? error.message : String(error) };
+    }
+}
+function tailOutput(stdout, stderr, maxLines) {
+    const merged = `${stdout}\n${stderr}`.trim();
+    if (merged.length === 0)
+        return '';
+    const lines = merged.split('\n');
+    if (lines.length <= maxLines)
+        return merged;
+    return `... (${lines.length - maxLines} earlier lines elided)\n${lines.slice(-maxLines).join('\n')}`;
+}
+//# sourceMappingURL=verify-hook.js.map

package/dist/core/edits/worktree.js

@@ -0,0 +1,322 @@
+/**
+ * Worktree isolation — α7.7 Phase 1.
+ *
+ * Wraps `git worktree add` so a long agent loop (build / consensus
+ * review / multi-file refactor) can land its edits into a scratch
+ * workspace, run the validators against THAT path, and only then promote
+ * the resulting diff back to the operator's main working tree. The
+ * primary win is safety: a half-applied refactor never corrupts the
+ * operator's branch.
+ *
+ * Three operations:
+ *
+ *   - `createWorktree(branch)` — spawns `git worktree add --detach`
+ *     under `.pugi/worktrees/<uuid>` based on the supplied branch (or
+ *     HEAD when omitted). Returns the absolute path + a `cleanup()`
+ *     callback. The dir lives under `.pugi/` so the existing `.gitignore`
+ *     for that subtree applies (no accidental commits of the scratch
+ *     state to the main repo).
+ *
+ *   - `promoteWorktree(worktreePath, cwd)` — diffs the worktree against
+ *     its base commit and applies the diff to the main `cwd` via
+ *     `git apply`. Refuses if the main cwd has staged changes that
+ *     would conflict; the operator must commit or stash first.
+ *
+ *   - `dropWorktree(worktreePath)` — removes the worktree both from
+ *     git's bookkeeping (`git worktree remove --force`) and from disk.
+ *     Idempotent; a partially-removed worktree (`git` already cleaned
+ *     up but dir survived) is handled.
+ *
+ * Brand voice: ASCII only, no emoji, no banned words.
+ */
+import { spawnSync } from 'node:child_process';
+import { existsSync, mkdirSync, realpathSync, rmSync } from 'node:fs';
+import { randomUUID } from 'node:crypto';
+import { resolve, sep } from 'node:path';
+import { OperatorAbortedError } from '../../tools/file-tools.js';
+import { applySecurityGate } from './security-gate.js';
+import { extractPatchPaths } from '../../tools/apply-patch.js';
+/**
+ * Create a scratch worktree under `.pugi/worktrees/<uuid>`. The path is
+ * guaranteed unique (uuid) so multiple agent loops can run in parallel
+ * without collision.
+ */
+export function createWorktree(opts) {
+    if (opts.cancellation && opts.cancellation.isAborted) {
+        return { ok: false, reason: 'operator_aborted', detail: 'createWorktree aborted' };
+    }
+    // Confirm we're inside a git repo. `git rev-parse --git-dir` is the
+    // canonical check and avoids a misleading error message later when
+    // `git worktree add` runs in a non-repo.
+    const gitDir = runGit(['rev-parse', '--git-dir'], opts.cwd);
+    if (gitDir.status !== 0) {
+        return {
+            ok: false,
+            reason: 'not_a_git_repo',
+            detail: `not a git repo: ${opts.cwd}`,
+        };
+    }
+    // Resolve base SHA. When the operator named a branch we honor it; the
+    // default is HEAD. We capture the SHA up-front so `promoteWorktree`
+    // can `git diff <baseSha>..HEAD` deterministically even if the main
+    // working tree has moved forward since.
+    const baseRef = opts.branch ?? 'HEAD';
+    const baseShaResult = runGit(['rev-parse', baseRef], opts.cwd);
+    if (baseShaResult.status !== 0) {
+        return {
+            ok: false,
+            reason: 'git_command_failed',
+            detail: `cannot resolve base ref ${baseRef}: ${baseShaResult.stderr}`,
+        };
+    }
+    const baseSha = baseShaResult.stdout.trim();
+    const worktreeRoot = resolve(opts.cwd, '.pugi', 'worktrees');
+    mkdirSync(worktreeRoot, { recursive: true });
+    const worktreePath = resolve(worktreeRoot, randomUUID());
+    // `--detach` keeps the worktree on a detached HEAD so we don't
+    // collide with branch checkouts on the main tree. The worktree is
+    // throwaway — there is no branch name to track.
+    const create = runGit(['worktree', 'add', '--detach', worktreePath, baseSha], opts.cwd);
+    if (create.status !== 0) {
+        return {
+            ok: false,
+            reason: 'git_command_failed',
+            detail: `git worktree add failed: ${create.stderr}`,
+        };
+    }
+    const handle = {
+        path: worktreePath,
+        baseSha,
+        cleanup: () => {
+            const r = dropWorktree(worktreePath, opts.cwd);
+            if (!r.ok && r.reason !== 'worktree_missing') {
+                // Swallow non-fatal cleanup failures so the agent loop doesn't
+                // hard-crash on the happy path. The diagnostic still surfaces
+                // via the JSON output on the `pugi worktree drop` command.
+            }
+        },
+    };
+    return { ok: true, value: handle };
+}
+/**
+ * Diff the worktree against its base and apply the diff to the main cwd.
+ *
+ * Implementation notes:
+ *
+ *   - We run `git diff --binary <baseSha>` inside the worktree (NOT
+ *     `git diff <worktree>..HEAD` from the main tree — the worktree's
+ *     HEAD is detached at `baseSha`, so the meaningful diff is the
+ *     UNCOMMITTED changes the agent wrote into it).
+ *   - `--binary` ensures non-text files (assets, images) survive the
+ *     round-trip; without it `git apply` fails on any binary delta.
+ *   - We always run `git apply --check` first so a refusal does not
+ *     leave the main tree half-modified.
+ */
+export function promoteWorktree(opts) {
+    if (opts.cancellation && opts.cancellation.isAborted) {
+        return { ok: false, reason: 'operator_aborted', detail: 'promoteWorktree aborted' };
+    }
+    if (!existsSync(opts.worktreePath)) {
+        return {
+            ok: false,
+            reason: 'worktree_missing',
+            detail: `worktree path does not exist: ${opts.worktreePath}`,
+        };
+    }
+    // Capture the diff against the base SHA. `git diff <baseSha>`
+    // (no `--cached`) compares the WORKING TREE against the base, which
+    // covers both unstaged AND staged changes in a single invocation —
+    // anything the working tree shows is included. `--binary` ensures
+    // non-text files survive the round-trip.
+    //
+    // Note: untracked files that were NEVER staged stay invisible — git
+    // diff has no native flag to include them. The agent loop must
+    // `git add` any new file it wants promoted; the CLI surface
+    // documents this explicitly so the contract is not surprising.
+    // (Staging is enough to expose the file; the file does not need to
+    // be committed.)
+    const diffResult = runGit(['diff', '--binary', opts.baseSha], opts.worktreePath);
+    if (diffResult.status !== 0) {
+        return {
+            ok: false,
+            reason: 'git_command_failed',
+            detail: `git diff failed: ${diffResult.stderr}`,
+        };
+    }
+    const diffText = diffResult.stdout;
+    if (diffText.trim().length === 0) {
+        return { ok: true, value: { filesChanged: 0 } };
+    }
+    // SECURITY GATE (R1 fix 2026-05-26, PR #413 r1) — every path mentioned
+    // in the worktree's diff goes through the same `applySecurityGate`
+    // chokepoint as the apply_patch + Layer A/B/C applicators. A staged
+    // `.env` (or `../../etc/passwd`, or a symlink into a protected target)
+    // inside the worktree must NOT slip into the operator's main tree just
+    // because the worktree itself was a sandboxed scratch dir. Without
+    // this gate, `promoteWorktree` was a clean bypass of every other edit
+    // primitive's safety net.
+    const diffPaths = extractPatchPaths(diffText);
+    const failedPaths = [];
+    for (const file of diffPaths) {
+        const gate = applySecurityGate(file, { cwd: opts.cwd, toolName: 'layer-c' });
+        if (!gate.ok) {
+            failedPaths.push(`${file}: ${gate.reason}`);
+        }
+    }
+    if (failedPaths.length > 0) {
+        return {
+            ok: false,
+            reason: 'protected_file_in_worktree',
+            detail: `worktree diff touches protected/escaping paths: ${failedPaths.join('; ')}`,
+            files: failedPaths,
+        };
+    }
+    // `git apply --check` validates the diff against the main tree first.
+    // Refuse early on conflict so the operator can resolve before we
+    // touch any file.
+    const check = runGit(['apply', '--check', '-'], opts.cwd, diffText);
+    if (check.status !== 0) {
+        return {
+            ok: false,
+            reason: 'apply_conflict',
+            detail: `git apply --check rejected: ${check.stderr}`,
+        };
+    }
+    if (opts.dryRun) {
+        return { ok: true, value: { filesChanged: countDiffFiles(diffText) } };
+    }
+    const apply = runGit(['apply', '-'], opts.cwd, diffText);
+    if (apply.status !== 0) {
+        return {
+            ok: false,
+            reason: 'apply_failed',
+            detail: `git apply failed: ${apply.stderr}`,
+        };
+    }
+    return { ok: true, value: { filesChanged: countDiffFiles(diffText) } };
+}
+/**
+ * Drop a worktree both from git's bookkeeping and from disk. Idempotent —
+ * a missing path returns `worktree_missing` which the caller can ignore
+ * on the cleanup-after-error path.
+ *
+ * Security (R1 fix 2026-05-26, PR #413 r1): we MUST validate the path is
+ * a real subdirectory of `<cwd>/.pugi/worktrees/` BEFORE running either
+ * `git worktree remove --force` or `rmSync`. Without this gate, a
+ * typo like `pugi worktree drop ../some-dir` recursively deleted an
+ * arbitrary directory: `git worktree remove` correctly failed (path not
+ * registered), but the `rmSync(worktreePath, recursive: true)` below
+ * still fired regardless.
+ *
+ * We resolve both `cwd` and `worktreePath` through `realpathSync` so a
+ * caller passing a symlink that points outside `.pugi/worktrees/` is
+ * still rejected. When the worktree path does not exist on disk at all
+ * (idempotent re-drop of an already-removed worktree), we fall back to
+ * the lexical containment check — the rejection only matters when there
+ * is a real directory to delete.
+ */
+export function dropWorktree(worktreePath, cwd) {
+    // SECURITY GATE — validate containment under `<cwd>/.pugi/worktrees/`
+    // BEFORE any destructive call. Two-tier check:
+    //   1. lexical containment using resolved (but not realpath'd) paths,
+    //      catches the operator-typo + missing-worktree cases.
+    //   2. realpath containment when the path exists, catches symlink
+    //      shenanigans.
+    const scratchRootLexical = resolve(cwd, '.pugi', 'worktrees');
+    const worktreeLexical = resolve(cwd, worktreePath);
+    const insideLexical = worktreeLexical.startsWith(scratchRootLexical + sep) &&
+        worktreeLexical !== scratchRootLexical;
+    if (!insideLexical) {
+        return {
+            ok: false,
+            reason: 'invalid_worktree_path',
+            detail: `worktree path ${worktreePath} is not under ${scratchRootLexical}`,
+        };
+    }
+    if (existsSync(worktreeLexical)) {
+        try {
+            const realScratchRoot = realpathSync(scratchRootLexical);
+            const realWorktree = realpathSync(worktreeLexical);
+            const insideReal = realWorktree.startsWith(realScratchRoot + sep) &&
+                realWorktree !== realScratchRoot;
+            if (!insideReal) {
+                return {
+                    ok: false,
+                    reason: 'invalid_worktree_path',
+                    detail: `worktree realpath ${realWorktree} escapes ${realScratchRoot}`,
+                };
+            }
+        }
+        catch (error) {
+            // realpath failed for a path that exists — surface as
+            // invalid_worktree_path so we never recurse into rmSync on an
+            // unreadable path.
+            return {
+                ok: false,
+                reason: 'invalid_worktree_path',
+                detail: `cannot realpath worktree path: ${error instanceof Error ? error.message : String(error)}`,
+            };
+        }
+    }
+    // `git worktree remove --force` cleans the metadata in `.git/worktrees`.
+    // If the worktree was created by another process and already pruned,
+    // git returns non-zero — we still try to `rmSync` the dir to leave the
+    // filesystem consistent. Path containment has already been validated
+    // above so the rmSync below is bounded to `.pugi/worktrees/`.
+    const remove = runGit(['worktree', 'remove', '--force', worktreeLexical], cwd);
+    const gitCleanFailed = remove.status !== 0;
+    if (existsSync(worktreeLexical)) {
+        try {
+            rmSync(worktreeLexical, { recursive: true, force: true });
+        }
+        catch (error) {
+            if (gitCleanFailed) {
+                return {
+                    ok: false,
+                    reason: 'git_command_failed',
+                    detail: `git worktree remove failed AND rmSync failed: ${error instanceof Error ? error.message : String(error)}`,
+                };
+            }
+        }
+    }
+    if (gitCleanFailed && !worktreeLexical.includes(`${sep}.pugi${sep}worktrees${sep}`)) {
+        // A worktree that wasn't created by us (path is outside our naming
+        // convention) is suspicious — surface the failure so the operator
+        // can diagnose.
+        return {
+            ok: false,
+            reason: 'git_command_failed',
+            detail: `git worktree remove failed: ${remove.stderr}`,
+        };
+    }
+    return { ok: true, value: undefined };
+}
+function countDiffFiles(diff) {
+    // Count `diff --git a/... b/...` headers. Cheap and unambiguous.
+    let count = 0;
+    for (const line of diff.split('\n')) {
+        if (line.startsWith('diff --git '))
+            count += 1;
+    }
+    return count;
+}
+function runGit(args, cwd, stdin) {
+    return spawnSync('git', args, {
+        cwd,
+        input: stdin,
+        encoding: 'utf8',
+        maxBuffer: 64 * 1024 * 1024,
+    });
+}
+/**
+ * Test-only helper exporting the internal git runner so specs can stub
+ * the spawn surface when running on a CI host without a global git.
+ */
+export const __test__ = { runGit, countDiffFiles };
+/**
+ * Re-export the abort marker so the worktree CLI surface can fold the
+ * exception into a clean exit code without needing to import from the
+ * tools layer.
+ */
+export { OperatorAbortedError };
+//# sourceMappingURL=worktree.js.map