@pugi/cli 0.1.0-beta.4 → 0.1.0-beta.41

package/dist/core/permissions/index.js

@@ -0,0 +1,20 @@
+/**
+ * Permission gate (Leak L6) public surface.
+ *
+ * Re-exports the canonical 4-mode types, the tool-class classifier,
+ * the dispatch gate, and the workspace + global session-state helpers
+ * so callers import from one place:
+ *
+ *   import { gate, resolveMode, PermissionDenied } from '<...>/permissions/index.js';
+ *
+ * Keeps the internal file split (mode / tool-class / gate / state)
+ * invisible to consumers — those files are an implementation detail
+ * the engine adapter does not need to know about.
+ */
+export { DEFAULT_PERMISSION_MODE, PERMISSION_MODE_GLOSS, PERMISSION_MODES, isPermissionMode, nextPermissionMode, parsePermissionMode, toLegacyMode, } from './mode.js';
+export { classifyAutoMode, listAutoAllowPatterns, listAutoDenyPatterns, } from './auto-classifier.js';
+export { evaluateCircuitBreaker, listCircuitBreakerPatterns, } from './circuit-breaker.js';
+export { getToolClass, listBuiltInToolClasses, } from './tool-class.js';
+export { ASK_OPTIONS, PermissionDenied, applyAskAnswer, createAskAlwaysCache, gate, } from './gate.js';
+export { getCurrentMode, getGlobalDefaultMode, getPreviousMode, globalConfigPath, resolveMode, sessionStatePath, setCurrentMode, setGlobalDefaultMode, setPreviousMode, } from './state.js';
+//# sourceMappingURL=index.js.map

package/dist/core/permissions/mode.js

@@ -0,0 +1,174 @@
+/**
+ * Permission modes — Wave 7 canonical 6-mode taxonomy (Claude Code parity).
+ *
+ * Pugi α6 shipped a 4-mode taxonomy (`plan | ask | allow | bypass`) that
+ * proved fine для daily use but diverged from Claude Code's 6-mode
+ * surface (`default | acceptEdits | plan | auto | dontAsk |
+ * bypassPermissions`). Wave 7 Sprint 1 epic #2 closes the parity gap so
+ * operators coming from Claude Code see the same mode names + same
+ * Shift+Tab cycle.
+ *
+ * Canonical 6 modes (Wave 7):
+ *
+ *   - `default`            — every tool call asks the operator. Safe
+ *                            ground state, replaces α6 `ask`.
+ *   - `acceptEdits`        — auto-allow write/edit on workspace files,
+ *                            ask for everything else (bash, dispatch).
+ *                            Matches CC's "trust file edits только".
+ *   - `plan`               — read-only proposal mode. Write/dispatch
+ *                            refused with deterministic sentinel; the
+ *                            model surfaces a plan, не executes.
+ *   - `auto`               — classifier decides per-call. Phase 1
+ *                            (this PR) ships regex allowlist (safe
+ *                            commands) + regex denylist (destructive).
+ *                            Anything else falls back to ask.
+ *   - `dontAsk`            — auto-allow everything except `permissions.deny`
+ *                            list. Replaces α6 `allow`.
+ *   - `bypassPermissions`  — skip ALL checks including deny list +
+ *                            policy hooks. Has a circuit-breaker for
+ *                            catastrophic patterns (rm -rf /, fork bomb,
+ *                            dd if=/) that refuses regardless of mode.
+ *                            Replaces α6 `bypass`.
+ *
+ * Backwards-compat aliases: the α6 short names (`ask`, `allow`, `bypass`)
+ * map to the new canonical names via `MODE_ALIASES`. `parsePermissionMode`
+ * resolves aliases so existing session.json files keep working.
+ *
+ * Rename mapping (α6 → α7):
+ *   ask     → default
+ *   allow   → dontAsk
+ *   bypass  → bypassPermissions
+ *   (plan, acceptEdits, auto unchanged / new)
+ */
+/**
+ * Closed list — used by Shift+Tab cycle (in order), input validation,
+ * and slash-command help. Order matches Claude Code's documented
+ * Shift+Tab progression: default → acceptEdits → plan → auto → dontAsk
+ * → bypassPermissions → wrap к default.
+ */
+export const PERMISSION_MODES = Object.freeze([
+    'default',
+    'acceptEdits',
+    'plan',
+    'auto',
+    'dontAsk',
+    'bypassPermissions',
+]);
+/**
+ * Default mode applied when no `--mode` flag, no per-workspace session
+ * state, and no `defaultPermissionMode` в `~/.pugi/config.json`. We
+ * default cautious (`default` mode = prompt every call) — an operator
+ * who has not configured anything is treated as a new operator who
+ * deserves visibility into every tool call.
+ */
+export const DEFAULT_PERMISSION_MODE = 'default';
+/**
+ * Backwards-compat aliases: α6 short names map to α7 canonical names.
+ * `parsePermissionMode` consults this table так existing session.json
+ * files + scripts that pass `--mode ask` keep working without breaking.
+ *
+ * Aliases are one-way: persistence writes the canonical name, so a
+ * session that started on `ask` is migrated to `default` on next save.
+ */
+const MODE_ALIASES = Object.freeze({
+    ask: 'default',
+    allow: 'dontAsk',
+    bypass: 'bypassPermissions',
+});
+/**
+ * Type guard для arbitrary string input (CLI flag, session.json
+ * deserialization). Returns false for casing variants — caller is
+ * expected to lowercase before testing. Aliases are NOT accepted by
+ * this predicate; use `parsePermissionMode` for alias resolution.
+ */
+export function isPermissionMode(value) {
+    return typeof value === 'string' && PERMISSION_MODES.includes(value);
+}
+/**
+ * Parse + validate a mode string. Returns null для invalid input so the
+ * caller can surface a typed error (`unknown mode: <value>`) instead of
+ * throwing from a parse helper.
+ *
+ * Resolves α6 aliases (`ask` → `default`, `allow` → `dontAsk`,
+ * `bypass` → `bypassPermissions`) for backwards compatibility.
+ *
+ * Case-handling: lowercases for canonical names but matches camelCase
+ * names case-insensitively too (так `acceptedits` resolves to
+ * `acceptEdits`). The aliases table covers the legacy lowercase tokens.
+ */
+export function parsePermissionMode(value) {
+    const trimmed = value.trim();
+    if (trimmed.length === 0)
+        return null;
+    // Direct canonical match first (preserves camelCase capitalisation).
+    if (isPermissionMode(trimmed))
+        return trimmed;
+    // Case-insensitive canonical match — operator typed `acceptedits`.
+    const lower = trimmed.toLowerCase();
+    const canonical = PERMISSION_MODES.find((m) => m.toLowerCase() === lower);
+    if (canonical)
+        return canonical;
+    // α6 alias fallthrough.
+    const aliased = MODE_ALIASES[lower];
+    if (aliased)
+        return aliased;
+    return null;
+}
+/**
+ * Wave 7 Shift+Tab cycle — advance to the next mode in the canonical
+ * order, wrapping from the last back to the first. Pure helper so the
+ * TUI binding can call it without re-implementing the cycle logic.
+ */
+export function nextPermissionMode(current) {
+    const idx = PERMISSION_MODES.indexOf(current);
+    if (idx === -1)
+        return DEFAULT_PERMISSION_MODE;
+    const next = PERMISSION_MODES[(idx + 1) % PERMISSION_MODES.length];
+    return next ?? DEFAULT_PERMISSION_MODE;
+}
+/**
+ * Map the canonical 6-mode taxonomy to the legacy SDK enum used by
+ * `@pugi/sdk::permissionModeSchema`. The SDK enum already contains all
+ * 6 names so the map is identity для the modes that align; the two
+ * α6-only legacy names (`ask`, `allow`) are not part of the canonical
+ * set anymore — `default` and `dontAsk` are их replacements.
+ *
+ * Callers that need the legacy enum (existing bash classifier, settings
+ * persistence) should funnel through this helper so the mapping stays
+ * в one place.
+ */
+export function toLegacyMode(mode) {
+    switch (mode) {
+        case 'default':
+            // SDK enum doesn't carry `default`; the closest legacy semantic is
+            // `ask` (prompt-every-call). Persistence layers that round-trip
+            // через the SDK enum get back `ask`, which `parsePermissionMode`
+            // re-maps to `default` via the alias table. Round-trip safe.
+            return 'ask';
+        case 'acceptEdits':
+            return 'acceptEdits';
+        case 'plan':
+            return 'plan';
+        case 'auto':
+            return 'auto';
+        case 'dontAsk':
+            return 'dontAsk';
+        case 'bypassPermissions':
+            return 'bypassPermissions';
+    }
+}
+/**
+ * One-line human-readable summary surfaced by the `/permissions` table,
+ * the Ink picker, and `pugi --help` text. Each line carries a safety
+ * hint ("safe-by-default" / "use carefully" / "power-user only") so an
+ * operator скимming the picker knows the risk profile at a glance.
+ */
+export const PERMISSION_MODE_GLOSS = Object.freeze({
+    default: 'Prompt before every tool call. Safe-by-default for new operators.',
+    acceptEdits: 'Auto-allow file edit/write; ask for bash + dispatch. Safe-by-default.',
+    plan: 'Read-only — propose, never execute. Write + dispatch refused.',
+    auto: 'Classifier decides per call (safe regex allowlist; falls back к ask). Use carefully.',
+    dontAsk: 'Execute tools without prompts; deny-list still applies. Use carefully.',
+    bypassPermissions: 'Skip ALL checks AND policy hooks; circuit-breaker on catastrophic patterns. Power-user only.',
+});
+//# sourceMappingURL=mode.js.map

package/dist/core/permissions/state.js

@@ -0,0 +1,241 @@
+/**
+ * Per-workspace permission-mode session state — Leak L6.
+ *
+ * State lives in `.pugi/session.json` under the workspace root. The
+ * file is read on first `getCurrentMode()` call (cached for the
+ * process lifetime) and written atomically via tmp+rename on
+ * `setCurrentMode()` so a kill mid-write does not corrupt the JSON.
+ *
+ * Resolution order for the effective mode on a fresh process:
+ *   1. CLI flag (`pugi --mode plan`) — passed via `resolveMode` arg;
+ *      not read from disk here.
+ *   2. Workspace session state — `<root>/.pugi/session.json` field
+ *      `permissionMode`.
+ *   3. Global config — `~/.pugi/config.json` field
+ *      `defaultPermissionMode`.
+ *   4. Hard default `ask`.
+ *
+ * This module owns layers 2 + 3. The CLI arg parser owns layer 1; both
+ * funnel into `resolveMode()` which performs the merge.
+ */
+import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { homedir } from 'node:os';
+import { z } from 'zod';
+import { DEFAULT_PERMISSION_MODE, parsePermissionMode, } from './mode.js';
+/**
+ * Wave 7: zod enum for the canonical 6-mode taxonomy. Includes α6
+ * aliases (`ask`, `allow`, `bypass`) as accepted input — Zod parses
+ * them, the helpers below remap к canonical names before returning к
+ * the caller. Persistence always writes the canonical name so the file
+ * migrates forward on next save.
+ */
+const permissionModeEnum = z.enum([
+    // Canonical Wave 7 names.
+    'default',
+    'acceptEdits',
+    'plan',
+    'auto',
+    'dontAsk',
+    'bypassPermissions',
+    // α6 backwards-compat aliases — resolved via parsePermissionMode.
+    'ask',
+    'allow',
+    'bypass',
+]);
+const sessionStateSchema = z
+    .object({
+    permissionMode: permissionModeEnum.optional(),
+    /**
+     * Leak L7: snapshot of the mode that was active immediately BEFORE
+     * the operator typed `/plan` (or `/plan <prompt>`). `/plan --back`
+     * pops this snapshot and restores it. Cleared after a successful
+     * pop so a second `/plan --back` does not double-revert.
+     */
+    previousPermissionMode: permissionModeEnum.optional(),
+})
+    .partial()
+    .passthrough();
+const globalConfigSchema = z
+    .object({
+    defaultPermissionMode: permissionModeEnum.optional(),
+})
+    .partial()
+    .passthrough();
+const SESSION_FILE = '.pugi/session.json';
+/**
+ * Return the path to the workspace session-state file.
+ */
+export function sessionStatePath(workspaceRoot) {
+    return resolve(workspaceRoot, SESSION_FILE);
+}
+/**
+ * Return the path to the user-global config file. Uses HOME env when
+ * present (test fixtures, CI) so we never accidentally hit the real
+ * user-global file in spec runs.
+ */
+export function globalConfigPath(homeDir = homedir()) {
+    return resolve(homeDir, '.pugi/config.json');
+}
+/**
+ * Read the workspace's saved permission mode. Returns null when the
+ * file is absent OR the field is unset; the caller layers in CLI + env
+ * + global config defaults to produce the effective mode.
+ *
+ * Never throws on JSON parse / schema errors — a malformed session
+ * file should not break the gate. The defensive `try/catch` returns
+ * null and lets the caller fall through to the next layer.
+ */
+export function getCurrentMode(workspaceRoot) {
+    const path = sessionStatePath(workspaceRoot);
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = readFileSync(path, 'utf8');
+        const parsed = sessionStateSchema.parse(JSON.parse(raw));
+        if (typeof parsed.permissionMode !== 'string')
+            return null;
+        // Wave 7: parsePermissionMode resolves α6 aliases (`ask`, `allow`,
+        // `bypass`) to their canonical Wave 7 names. A session file written
+        // by α6.x is silently upgraded on read.
+        return parsePermissionMode(parsed.permissionMode);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Persist the workspace's permission mode. Creates the `.pugi/` dir
+ * when missing; preserves any unrelated keys in the file (passthrough
+ * schema). Atomic tmp+rename so a kill mid-write does not corrupt the
+ * JSON.
+ */
+export function setCurrentMode(workspaceRoot, mode) {
+    const path = sessionStatePath(workspaceRoot);
+    mkdirSync(dirname(path), { recursive: true });
+    const existing = existsSync(path)
+        ? safeParseObject(readFileSync(path, 'utf8'))
+        : {};
+    const next = { ...existing, permissionMode: mode };
+    const tmpPath = `${path}.tmp`;
+    writeFileSync(tmpPath, `${JSON.stringify(next, null, 2)}\n`, { encoding: 'utf8', mode: 0o600 });
+    renameSync(tmpPath, path);
+}
+/**
+ * Leak L7 — read the snapshot of the mode that was active before the
+ * most-recent `/plan` (or `pugi plan`) entry. Returns null when the
+ * file is absent OR the field is unset. Same defensive behaviour as
+ * `getCurrentMode`: a malformed session file never breaks the slash
+ * command — the worst case is `/plan --back` reports "no previous
+ * mode to restore" and the operator picks the target mode explicitly.
+ */
+export function getPreviousMode(workspaceRoot) {
+    const path = sessionStatePath(workspaceRoot);
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = readFileSync(path, 'utf8');
+        const parsed = sessionStateSchema.parse(JSON.parse(raw));
+        if (typeof parsed.previousPermissionMode !== 'string')
+            return null;
+        return parsePermissionMode(parsed.previousPermissionMode);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Leak L7 — record the mode that was active immediately before the
+ * operator switched to plan. The runtime calls this AT `/plan` entry
+ * with the current mode (whatever `resolveMode` returned). Atomic
+ * tmp+rename keeps the snapshot consistent if the process is killed
+ * mid-write. Pass `null` to clear the snapshot (used after a
+ * successful `/plan --back` so a second `--back` does not loop).
+ */
+export function setPreviousMode(workspaceRoot, mode) {
+    const path = sessionStatePath(workspaceRoot);
+    mkdirSync(dirname(path), { recursive: true });
+    const existing = existsSync(path)
+        ? safeParseObject(readFileSync(path, 'utf8'))
+        : {};
+    const next = { ...existing };
+    if (mode === null) {
+        delete next.previousPermissionMode;
+    }
+    else {
+        next.previousPermissionMode = mode;
+    }
+    const tmpPath = `${path}.tmp`;
+    writeFileSync(tmpPath, `${JSON.stringify(next, null, 2)}\n`, { encoding: 'utf8', mode: 0o600 });
+    renameSync(tmpPath, path);
+}
+/**
+ * Read `~/.pugi/config.json::defaultPermissionMode`. Returns null when
+ * the file is absent / the field is unset; same defensive behaviour
+ * as `getCurrentMode` — a malformed global config never breaks the gate.
+ */
+export function getGlobalDefaultMode(homeDir = homedir()) {
+    const path = globalConfigPath(homeDir);
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = readFileSync(path, 'utf8');
+        const parsed = globalConfigSchema.parse(JSON.parse(raw));
+        if (typeof parsed.defaultPermissionMode !== 'string')
+            return null;
+        return parsePermissionMode(parsed.defaultPermissionMode);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Persist `~/.pugi/config.json::defaultPermissionMode`. Used by the
+ * `/permissions <mode> --persist` flow so a future fresh session
+ * defaults to the same mode without an explicit `--mode` flag.
+ */
+export function setGlobalDefaultMode(mode, homeDir = homedir()) {
+    const path = globalConfigPath(homeDir);
+    mkdirSync(dirname(path), { recursive: true });
+    const existing = existsSync(path)
+        ? safeParseObject(readFileSync(path, 'utf8'))
+        : {};
+    const next = { ...existing, defaultPermissionMode: mode };
+    const tmpPath = `${path}.tmp`;
+    writeFileSync(tmpPath, `${JSON.stringify(next, null, 2)}\n`, { encoding: 'utf8', mode: 0o600 });
+    renameSync(tmpPath, path);
+}
+export function resolveMode(options) {
+    if (options.cliFlag) {
+        const flag = parsePermissionMode(options.cliFlag);
+        if (flag)
+            return flag;
+    }
+    const workspace = getCurrentMode(options.workspaceRoot);
+    if (workspace)
+        return workspace;
+    const global = getGlobalDefaultMode(options.homeDir);
+    if (global)
+        return global;
+    return DEFAULT_PERMISSION_MODE;
+}
+/**
+ * Defensive helper — parse JSON to an object; non-object payload (top-
+ * level array, primitive) collapses to an empty object so the merge
+ * doesn't surface a TypeError. The `setCurrentMode` / `setGlobalDefaultMode`
+ * helpers only write objects, so a non-object existing file is corrupted
+ * and we explicitly reset it rather than appending into a non-object.
+ */
+function safeParseObject(raw) {
+    try {
+        const parsed = JSON.parse(raw);
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            return parsed;
+        }
+        return {};
+    }
+    catch {
+        return {};
+    }
+}
+//# sourceMappingURL=state.js.map

package/dist/core/permissions/tool-class.js

@@ -0,0 +1,93 @@
+/**
+ * Tool side-effect classification — Leak L6.
+ *
+ * Three classes drive the canonical 4-mode permission gate:
+ *
+ *   - `read`     — observe-only. Plan mode allows; ask still prompts;
+ *                  allow + bypass execute silently. Examples: read,
+ *                  grep, glob, web_fetch, web_search, skills_list.
+ *   - `write`    — mutates workspace, journal, or operator screen with
+ *                  visible side effects. Plan mode refuses; ask prompts;
+ *                  allow + bypass execute. Examples: write, edit, bash,
+ *                  multi_edit, task_*. `ask_user_question` is also
+ *                  classed as `write` because it interrupts the
+ *                  dispatcher's flow control and demands operator
+ *                  attention — plan mode should not prompt operators.
+ *   - `dispatch` — spawns a child subagent or off-tree task. Plan mode
+ *                  refuses (a write-capable child violates plan-mode's
+ *                  read-only contract); ask prompts; allow + bypass
+ *                  execute. Example: `agent`.
+ *
+ * Unknown tool names default to `write` — deny-first safety. A stale
+ * schema entry that the gate has not been told about should not silently
+ * pass in plan mode just because the gate doesn't recognise it.
+ */
+/**
+ * Closed map of every built-in tool name -> side-effect class. The
+ * source of truth for the four standard modes; mirrored against the
+ * `WIRED_TOOLS` set in `core/engine/tool-bridge.ts` so an unrecognised
+ * tool surfaces as the safe deny-first `write` default.
+ *
+ * MCP tools follow the `mcp__<server>__<tool>` namespace and are
+ * uniformly classed via `getToolClass` because per-tool annotations are
+ * not yet a part of the MCP spec — treating them as `write` is the
+ * conservative default until server-side metadata is trustworthy.
+ */
+const BUILT_IN_TOOL_CLASSES = Object.freeze({
+    // Read-only observations.
+    read: 'read',
+    grep: 'read',
+    glob: 'read',
+    ls: 'read',
+    search: 'read',
+    web_fetch: 'read',
+    web_search: 'read',
+    file_cache_check: 'read',
+    skills_list: 'read',
+    skill: 'read',
+    task_get: 'read',
+    task_list: 'read',
+    // Mutating actions.
+    write: 'write',
+    edit: 'write',
+    multi_edit: 'write',
+    bash: 'write',
+    task_create: 'write',
+    task_update: 'write',
+    todo_write: 'write',
+    // `ask_user_question` halts the loop and demands operator attention.
+    // Plan mode should not interrupt — class as write so the gate refuses
+    // it in plan mode but ask + allow + bypass execute normally.
+    ask_user_question: 'write',
+    // Dispatch — spawn a child agent. Refused in plan mode regardless of
+    // the child's role tier (the engine adapter applies role-based
+    // capability filtering, but the gate refuses dispatch up front so a
+    // plan-mode session cannot leak a writeable child).
+    agent: 'dispatch',
+    pugi_delegate: 'dispatch',
+    sub_agent_spawn: 'dispatch',
+});
+const MCP_TOOL_PREFIX = 'mcp__';
+/**
+ * Resolve the class for a tool name. Unknown names default to `write`
+ * (deny-first). MCP tools (any name prefixed with `mcp__`) default to
+ * `write` for the same conservative reason — the MCP spec lacks
+ * per-tool annotations today.
+ */
+export function getToolClass(toolName) {
+    const builtIn = BUILT_IN_TOOL_CLASSES[toolName];
+    if (builtIn)
+        return builtIn;
+    if (toolName.startsWith(MCP_TOOL_PREFIX))
+        return 'write';
+    return 'write';
+}
+/**
+ * Expose the built-in class map for diagnostic surfaces (`pugi doctor`,
+ * test fixtures). Caller MUST NOT mutate — the object is already frozen
+ * so any attempt throws in strict mode.
+ */
+export function listBuiltInToolClasses() {
+    return BUILT_IN_TOOL_CLASSES;
+}
+//# sourceMappingURL=tool-class.js.map