npm - @pugi/cli - Versions diffs - 0.1.0-beta.40 → 0.1.0-beta.41 - Mend

@pugi/cli 0.1.0-beta.40 → 0.1.0-beta.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/core/engine/tool-bridge.js +53 -0
package/dist/runtime/version.js +1 -1
package/dist/tools/powershell.js +156 -0
package/dist/tools/registry.js +5 -0
package/package.json +2 -2

package/dist/core/engine/tool-bridge.js CHANGED Viewed

@@ -1,5 +1,6 @@
 import { editTool, globTool, grepTool, OperatorAbortedError, readTool, StaleReadError, writeTool, } from '../../tools/file-tools.js';
 import { bashToolSync } from '../../tools/bash.js';
+import { powerShellToolSync } from '../../tools/powershell.js';
 import { askUser } from '../../tools/ask-user.js';
 import { askUserQuestionJsonSchema, dispatchAskUserQuestion, } from '../../tools/ask-user-question.js';
 import { skillInvoke, skillList } from '../../tools/skill-tool.js';
@@ -83,6 +84,12 @@ const WIRED_TOOLS = new Set([
     'grep',
     'glob',
     'bash',
+    // Leak L6 (2026-05-28): PowerShell tool for Windows-first workflows.
+    // Same bash permission class — destructive-pattern classifier applies.
+    // Plan mode excludes shell tools by design (read-only); the planMode
+    // check on the schema side already handles that, so we just list it
+    // alongside 'bash' here.
+    'powershell',
     'ask_user_question',
     'skill',
     'skills_list',
@@ -394,6 +401,19 @@ export function buildToolsSchema(kind, options = { allowFetch: false, allowSearc
                     command: { type: 'string', description: 'Single shell command to execute.' },
                 },
             },
+        }, {
+            name: 'powershell',
+            description: 'Run a PowerShell command via `pwsh -NoProfile -Command` (or `powershell.exe` fallback on Windows). Same security posture as bash — destructive pattern gate applies. 30s default timeout, 120s max. Output capped at 64KB. Returns {exitCode, stdout, stderr, truncated, shellBinary}. Prefer the dedicated bash tool for /bin/sh scripts; use this when the operator needs native pwsh cmdlets or *.ps1 syntax.',
+            parameters: {
+                type: 'object',
+                additionalProperties: false,
+                required: ['command'],
+                properties: {
+                    command: { type: 'string', description: 'Single PowerShell command or script.' },
+                    cwd: { type: 'string', description: 'Optional cwd; defaults to workspace root.' },
+                    timeoutMs: { type: 'number', description: 'Hard timeout (default 30000, max 120000).' },
+                },
+            },
         },
         // β7 L5+T11 (2026-05-26): transactional multi-file edit. Either
         // all entries land or none do — failures roll the workspace back
@@ -1004,6 +1024,30 @@ function dispatchTool(name, args, ctx) {
             const body = parts.filter(Boolean).join('\n');
             return body || '(no output)';
         }
+        case 'powershell': {
+            // Leak L6 (2026-05-28): pwsh dispatcher. Permission gate reuses the
+            // bash classifier so destructive patterns block the same way.
+            const command = requireString(args, 'command');
+            const cwd = optionalString(args, 'cwd');
+            const timeoutMs = optionalNumber(args, 'timeoutMs');
+            const psResult = powerShellToolSync({ cmd: command, ...(cwd !== undefined ? { cwd } : {}), ...(timeoutMs !== undefined ? { timeoutMs } : {}) }, {
+                root: ctx.root,
+                settings: ctx.settings,
+                session: ctx.session,
+                source: 'agent',
+            });
+            const parts = [
+                `exit=${psResult.exitCode}`,
+                `shell=${psResult.shellBinary}`,
+                psResult.stdout ? `stdout:\n${psResult.stdout}` : '',
+                psResult.stderr ? `stderr:\n${psResult.stderr}` : '',
+            ];
+            if (psResult.truncated)
+                parts.push('truncated=true');
+            if (psResult.timedOut)
+                parts.push('timedOut=true');
+            return parts.filter(Boolean).join('\n') || '(no output)';
+        }
         default:
             // Exhaustive; unreachable because of the WIRED_TOOLS guard above.
             throw new Error(`unhandled tool: ${name}`);
@@ -1180,6 +1224,15 @@ function optionalString(obj, key) {
     }
     return v;
 }
+function optionalNumber(obj, key) {
+    const v = obj[key];
+    if (v === undefined || v === null)
+        return undefined;
+    if (typeof v !== 'number' || !Number.isFinite(v)) {
+        throw new Error(`tool argument "${key}" must be a finite number when present`);
+    }
+    return v;
+}
 /**
  * β7 L5+T11: dispatch the model-emitted `multi_edit` tool call. The
  * tool returns a structured result envelope; we serialize it to JSON

package/dist/runtime/version.js CHANGED Viewed

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.40');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.41');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/dist/tools/powershell.js ADDED Viewed

@@ -0,0 +1,156 @@
+/**
+ * PowerShell tool — leak L6 (Pugi parity catch-up 2026-05-28).
+ *
+ * Windows operators cannot run native `*.ps1` scripts via the bash tool
+ * (which spawns `/bin/sh`). This tool spawns `pwsh -NoProfile -Command`
+ * на cross-platform PowerShell 7+ binary so Windows-first workflows are
+ * first-class на Pugi.
+ *
+ * Clean-room re-implementation. Surface mirrors bashTool's permission
+ * gate, env sanitiser, output cap, timeout, and exit-code propagation;
+ * the only difference is the shell binary selection. Per-platform
+ * resolution:
+ *   - All OS: try `pwsh` on $PATH first (PowerShell 7+ cross-platform).
+ *   - Windows fallback: `powershell.exe` (Windows PowerShell 5.1 baked-in).
+ *   - Other OS without pwsh: tool returns a clear "powershell binary
+ *     not found" error so the operator can install pwsh or fall back
+ *     к bash.
+ *
+ * Permission class: reuses the bash classifier — destructive patterns,
+ * sandbox detection, and additional-directories checks are command-string
+ * based and apply equally to pwsh and sh.
+ */
+import { spawnSync } from 'node:child_process';
+import { evaluateBashPermission } from '../core/permission.js';
+import { recordToolCall, recordToolResult } from '../core/session.js';
+export const POWERSHELL_OUTPUT_CAP_BYTES = 64 * 1024;
+export const POWERSHELL_DEFAULT_TIMEOUT_MS = 30_000;
+export const POWERSHELL_MAX_TIMEOUT_MS = 120_000;
+/** Cached binary path so repeated calls inside one session skip the probe. */
+let cachedShellBinary;
+function resolveShellBinary() {
+    if (cachedShellBinary !== undefined)
+        return cachedShellBinary;
+    // Try pwsh (cross-platform PowerShell 7+) first.
+    const pwshProbe = spawnSync('pwsh', ['-NoProfile', '-Command', 'exit 0'], {
+        encoding: 'utf8',
+        stdio: ['ignore', 'ignore', 'ignore'],
+        timeout: 3000,
+    });
+    if (pwshProbe.status === 0) {
+        cachedShellBinary = 'pwsh';
+        return 'pwsh';
+    }
+    // Windows fallback к the baked-in PowerShell 5.1.
+    if (process.platform === 'win32') {
+        const wpsProbe = spawnSync('powershell.exe', ['-NoProfile', '-Command', 'exit 0'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'ignore', 'ignore'],
+            timeout: 3000,
+        });
+        if (wpsProbe.status === 0) {
+            cachedShellBinary = 'powershell.exe';
+            return 'powershell.exe';
+        }
+    }
+    cachedShellBinary = null;
+    return null;
+}
+function sanitizeTimeout(value) {
+    if (value === undefined || !Number.isFinite(value) || value <= 0) {
+        return POWERSHELL_DEFAULT_TIMEOUT_MS;
+    }
+    return Math.min(value, POWERSHELL_MAX_TIMEOUT_MS);
+}
+function buildChildEnv() {
+    const env = { ...process.env };
+    delete env['PUGI_API_KEY'];
+    delete env['PUGI_LOGIN_TOKEN'];
+    return env;
+}
+/**
+ * Sync PowerShell dispatch. Mirrors bashToolSync shape so dispatchTool
+ * can call either tool with the same context shape.
+ */
+export function powerShellToolSync(input, ctx) {
+    const cmd = input.cmd ?? '';
+    const additionalDirectories = ctx.additionalDirectories ?? [];
+    const source = ctx.source ?? 'agent';
+    const toolCallId = recordToolCall(ctx.session, 'powershell', cmd);
+    const decision = evaluateBashPermission(cmd, ctx.settings.permissions.mode, {
+        workspaceRoot: ctx.root,
+        additionalDirectories,
+        source,
+    });
+    if (decision.decision !== 'allow') {
+        const reason = `Permission ${decision.decision}: ${decision.reason}`;
+        recordToolResult(ctx.session, toolCallId, 'error', reason);
+        return {
+            stdout: '',
+            stderr: `Permission denied: ${decision.reason}`,
+            exitCode: 126,
+            truncated: false,
+            timedOut: false,
+            shellBinary: 'unresolved',
+        };
+    }
+    const shellBinary = resolveShellBinary();
+    if (shellBinary === null) {
+        const reason = 'powershell binary not found (tried pwsh' +
+            (process.platform === 'win32' ? ', powershell.exe' : '') +
+            '). Install PowerShell 7+ from https://aka.ms/powershell or use the bash tool instead.';
+        recordToolResult(ctx.session, toolCallId, 'error', reason);
+        return {
+            stdout: '',
+            stderr: reason,
+            exitCode: 127,
+            truncated: false,
+            timedOut: false,
+            shellBinary: 'unavailable',
+        };
+    }
+    const timeoutMs = sanitizeTimeout(input.timeoutMs);
+    const childEnv = buildChildEnv();
+    const cwd = input.cwd ?? ctx.root;
+    const result = spawnSync(shellBinary, ['-NoProfile', '-Command', cmd], {
+        cwd,
+        env: childEnv,
+        encoding: 'utf8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: timeoutMs,
+        maxBuffer: 10 * 1024 * 1024,
+    });
+    const stdoutFull = (result.stdout ?? '').toString();
+    const stderrFull = (result.stderr ?? '').toString();
+    const combined = stdoutFull.length + stderrFull.length;
+    const truncated = combined > POWERSHELL_OUTPUT_CAP_BYTES;
+    let stdoutOut = stdoutFull;
+    let stderrOut = stderrFull;
+    if (truncated) {
+        const halfCap = POWERSHELL_OUTPUT_CAP_BYTES / 2;
+        stdoutOut = stdoutFull.slice(0, halfCap);
+        stderrOut = stderrFull.slice(0, halfCap);
+    }
+    const timedOut = result.error?.code === 'ETIMEDOUT' ||
+        result.signal === 'SIGTERM';
+    const exitCode = timedOut ? 124 : result.status ?? 1;
+    if (timedOut) {
+        recordToolResult(ctx.session, toolCallId, 'error', `powershell timed out after ${timeoutMs}ms`);
+    }
+    else {
+        recordToolResult(ctx.session, toolCallId, 'success', `powershell exit=${exitCode} bytes=${combined} binary=${shellBinary}`);
+    }
+    return {
+        stdout: stdoutOut,
+        stderr: stderrOut,
+        exitCode,
+        truncated,
+        timedOut,
+        shellBinary,
+    };
+}
+/** Visible-for-spec helper: forces a re-probe on next call. */
+export function _resetShellBinaryCacheForSpec() {
+    cachedShellBinary = undefined;
+}
+//# sourceMappingURL=powershell.js.map

package/dist/tools/registry.js CHANGED Viewed

@@ -26,6 +26,11 @@ const registry = [
     // concurrencySafe = false because the journal serialises one dispatch
     // per session.
     { name: 'multi_edit', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
+    // Leak L6 (2026-05-28): PowerShell tool for Windows-first workflows. Same
+    // bash permission class — destructive-pattern classification fires the
+    // same gate. concurrencySafe = false because spawn-shell child cwd /
+    // env carry-over could race across parallel agent calls.
+    { name: 'powershell', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
     { name: 'question', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
     { name: 'read', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'skill', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.40",
+  "version": "0.1.0-beta.41",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -55,7 +55,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.40"
+    "@pugi/sdk": "0.1.0-beta.41"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",