@pugi/cli 0.1.0-beta.40 → 0.1.0-beta.42

package/dist/core/diagnostics/probes/hooks.js

@@ -0,0 +1,118 @@
+/**
+ * HOOKS probe — verifies `.pugi/hooks-mvp.json` and `.pugi/hook-chains.json`
+ * exist + parse + carry their declared shape. Absence is OK (most workspaces
+ * don't ship hooks); presence с invalid JSON is a deployment-blocking error
+ * the operator wants surfaced before a tool dispatch fires a malformed hook
+ * and the model sees a confusing failure.
+ *
+ * Validation tier:
+ *   1. JSON.parse — catches typos / trailing commas / bad escapes.
+ *   2. Top-level shape sniff — `hooks-mvp.json` MUST be an object с a
+ *      `hooks` array property; `hook-chains.json` MUST be an object
+ *      с string-keyed event names mapping to arrays.
+ *   3. Per-entry require-fields sniff — minimal так что probe stays cheap.
+ *
+ * Out of scope: full Zod schema validation. That lives in the hook loader
+ * itself (apps/pugi-cli/src/core/hooks/v2/loader.ts). The probe is a
+ * fast sanity check; the loader produces the canonical error message
+ * when a hook actually fires.
+ */
+function loadHookFile(fs, path) {
+    if (!fs.existsSync(path))
+        return null;
+    try {
+        const raw = fs.readFileSync(path, 'utf8');
+        return { path, parsed: JSON.parse(raw) };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return { parseError: `${path}: ${message}` };
+    }
+}
+function validateMvpShape(parsed) {
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+        return 'top-level value must be an object';
+    }
+    const hooks = parsed['hooks'];
+    if (hooks !== undefined && !Array.isArray(hooks)) {
+        return '`hooks` property must be an array when present';
+    }
+    return null;
+}
+function validateChainsShape(parsed) {
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+        return 'top-level value must be an object';
+    }
+    for (const [event, body] of Object.entries(parsed)) {
+        if (!Array.isArray(body)) {
+            return `event "${event}": value must be an array of hook entries`;
+        }
+    }
+    return null;
+}
+export function probeHooks(ctx, fs) {
+    const mvpPath = `${ctx.cwd}/.pugi/hooks-mvp.json`;
+    const chainsPath = `${ctx.cwd}/.pugi/hook-chains.json`;
+    const mvp = loadHookFile(fs, mvpPath);
+    const chains = loadHookFile(fs, chainsPath);
+    const issues = [];
+    let mvpCount = 0;
+    let chainEvents = 0;
+    if (mvp !== null) {
+        if ('parseError' in mvp) {
+            issues.push(`hooks-mvp.json parse failed: ${mvp.parseError}`);
+        }
+        else {
+            const shapeIssue = validateMvpShape(mvp.parsed);
+            if (shapeIssue) {
+                issues.push(`hooks-mvp.json: ${shapeIssue}`);
+            }
+            else {
+                const hooksArr = mvp.parsed['hooks'];
+                mvpCount = Array.isArray(hooksArr) ? hooksArr.length : 0;
+            }
+        }
+    }
+    if (chains !== null) {
+        if ('parseError' in chains) {
+            issues.push(`hook-chains.json parse failed: ${chains.parseError}`);
+        }
+        else {
+            const shapeIssue = validateChainsShape(chains.parsed);
+            if (shapeIssue) {
+                issues.push(`hook-chains.json: ${shapeIssue}`);
+            }
+            else {
+                chainEvents = Object.keys(chains.parsed).length;
+            }
+        }
+    }
+    if (issues.length > 0) {
+        return {
+            name: 'HOOKS',
+            status: 'error',
+            detail: issues.join('; '),
+            remediation: 'Fix the JSON syntax / shape, or delete the file if hooks are not in use. The hook loader surfaces the canonical error when a hook actually fires; this probe catches the problem before the first dispatch.',
+        };
+    }
+    if (mvp === null && chains === null) {
+        return {
+            name: 'HOOKS',
+            status: 'skipped',
+            detail: 'no hook config files in .pugi/ (workspace has not opted into hooks)',
+        };
+    }
+    const parts = [];
+    if (mvp !== null && !('parseError' in mvp)) {
+        parts.push(`hooks-mvp.json OK (${mvpCount} entr${mvpCount === 1 ? 'y' : 'ies'})`);
+    }
+    if (chains !== null && !('parseError' in chains)) {
+        parts.push(`hook-chains.json OK (${chainEvents} event${chainEvents === 1 ? '' : 's'})`);
+    }
+    return {
+        name: 'HOOKS',
+        status: 'ok',
+        detail: parts.join('; '),
+    };
+}
+//# sourceMappingURL=hooks.js.map

package/dist/core/diagnostics/probes/sandbox.js

@@ -0,0 +1,40 @@
+/**
+ * SANDBOX probe — surfaces the current OS-level sandbox posture (Leak L1
+ * spec: sandbox-adapter.ts macOS Seatbelt / Linux Landlock / WSL2 detect).
+ *
+ * Pugi sandbox enforcement is tracked under task #5 (P0/L1+L16). Until
+ * that lands, this probe reports the platform's available primitive and
+ * a clear "not yet armed" warning so the operator sees the gap in
+ * `pugi doctor` instead of assuming bash dispatches run jailed.
+ *
+ * When the sandbox does ship, the probe upgrade path:
+ *   - Replace the static "not_armed" detail with a real config probe
+ *     (read .pugi/settings.json::sandbox.mode, verify the OS primitive
+ *     resolves, return ok when both line up).
+ *   - Keep the same probe NAME so doctor output / spec assertions
+ *     don't churn.
+ */
+export function probeSandbox(_ctx) {
+    const platform = process.platform;
+    let availablePrimitive;
+    switch (platform) {
+        case 'darwin':
+            availablePrimitive = 'macOS Seatbelt (/usr/bin/sandbox-exec)';
+            break;
+        case 'linux':
+            availablePrimitive = 'Linux Landlock / nsjail (kernel-dependent)';
+            break;
+        case 'win32':
+            availablePrimitive = 'Windows AppContainer / Job Object';
+            break;
+        default:
+            availablePrimitive = `unknown platform ${platform}`;
+    }
+    return {
+        name: 'SANDBOX',
+        status: 'warn',
+        detail: `OS primitive available: ${availablePrimitive}. Sandbox enforcement NOT yet armed (Pugi task #5 pending — bash tool currently runs с full process privileges).`,
+        remediation: 'Bash tool dispatches run unsandboxed today. Track progress on the OS-level sandbox adapter via the operator-trust roadmap. Until then, rely on the bash classifier denylist + permission FSM.',
+    };
+}
+//# sourceMappingURL=sandbox.js.map

package/dist/core/engine/tool-bridge.js

@@ -1,5 +1,6 @@
 import { editTool, globTool, grepTool, OperatorAbortedError, readTool, StaleReadError, writeTool, } from '../../tools/file-tools.js';
 import { bashToolSync } from '../../tools/bash.js';
+import { powerShellToolSync } from '../../tools/powershell.js';
 import { askUser } from '../../tools/ask-user.js';
 import { askUserQuestionJsonSchema, dispatchAskUserQuestion, } from '../../tools/ask-user-question.js';
 import { skillInvoke, skillList } from '../../tools/skill-tool.js';
@@ -83,6 +84,12 @@ const WIRED_TOOLS = new Set([
     'grep',
     'glob',
     'bash',
+    // Leak L6 (2026-05-28): PowerShell tool for Windows-first workflows.
+    // Same bash permission class — destructive-pattern classifier applies.
+    // Plan mode excludes shell tools by design (read-only); the planMode
+    // check on the schema side already handles that, so we just list it
+    // alongside 'bash' here.
+    'powershell',
     'ask_user_question',
     'skill',
     'skills_list',
@@ -394,6 +401,19 @@ export function buildToolsSchema(kind, options = { allowFetch: false, allowSearc
                     command: { type: 'string', description: 'Single shell command to execute.' },
                 },
             },
+        }, {
+            name: 'powershell',
+            description: 'Run a PowerShell command via `pwsh -NoProfile -Command` (or `powershell.exe` fallback on Windows). Same security posture as bash — destructive pattern gate applies. 30s default timeout, 120s max. Output capped at 64KB. Returns {exitCode, stdout, stderr, truncated, shellBinary}. Prefer the dedicated bash tool for /bin/sh scripts; use this when the operator needs native pwsh cmdlets or *.ps1 syntax.',
+            parameters: {
+                type: 'object',
+                additionalProperties: false,
+                required: ['command'],
+                properties: {
+                    command: { type: 'string', description: 'Single PowerShell command or script.' },
+                    cwd: { type: 'string', description: 'Optional cwd; defaults to workspace root.' },
+                    timeoutMs: { type: 'number', description: 'Hard timeout (default 30000, max 120000).' },
+                },
+            },
         }, 
         // β7 L5+T11 (2026-05-26): transactional multi-file edit. Either
         // all entries land or none do — failures roll the workspace back
@@ -1004,6 +1024,30 @@ function dispatchTool(name, args, ctx) {
             const body = parts.filter(Boolean).join('\n');
             return body || '(no output)';
         }
+        case 'powershell': {
+            // Leak L6 (2026-05-28): pwsh dispatcher. Permission gate reuses the
+            // bash classifier so destructive patterns block the same way.
+            const command = requireString(args, 'command');
+            const cwd = optionalString(args, 'cwd');
+            const timeoutMs = optionalNumber(args, 'timeoutMs');
+            const psResult = powerShellToolSync({ cmd: command, ...(cwd !== undefined ? { cwd } : {}), ...(timeoutMs !== undefined ? { timeoutMs } : {}) }, {
+                root: ctx.root,
+                settings: ctx.settings,
+                session: ctx.session,
+                source: 'agent',
+            });
+            const parts = [
+                `exit=${psResult.exitCode}`,
+                `shell=${psResult.shellBinary}`,
+                psResult.stdout ? `stdout:\n${psResult.stdout}` : '',
+                psResult.stderr ? `stderr:\n${psResult.stderr}` : '',
+            ];
+            if (psResult.truncated)
+                parts.push('truncated=true');
+            if (psResult.timedOut)
+                parts.push('timedOut=true');
+            return parts.filter(Boolean).join('\n') || '(no output)';
+        }
         default:
             // Exhaustive; unreachable because of the WIRED_TOOLS guard above.
             throw new Error(`unhandled tool: ${name}`);
@@ -1180,6 +1224,15 @@ function optionalString(obj, key) {
     }
     return v;
 }
+function optionalNumber(obj, key) {
+    const v = obj[key];
+    if (v === undefined || v === null)
+        return undefined;
+    if (typeof v !== 'number' || !Number.isFinite(v)) {
+        throw new Error(`tool argument "${key}" must be a finite number when present`);
+    }
+    return v;
+}
 /**
  * β7 L5+T11: dispatch the model-emitted `multi_edit` tool call. The
  * tool returns a structured result envelope; we serialize it to JSON

package/dist/runtime/commands/doctor.js

@@ -51,6 +51,8 @@ import { probeSession } from '../../core/diagnostics/probes/session.js';
 import { probeDenialTracking } from '../../core/diagnostics/probes/denial-tracking.js';
 import { probeBareMode } from '../../core/diagnostics/probes/bare-mode.js';
 import { probePugiMdHierarchy } from '../../core/diagnostics/probes/pugi-md.js';
+import { probeSandbox } from '../../core/diagnostics/probes/sandbox.js';
+import { probeHooks } from '../../core/diagnostics/probes/hooks.js';
 /**
  * Default API URL when no PUGI_API_URL env override is set. Mirrors
  * the constant in `core/credentials.ts` (kept local to avoid an
@@ -219,6 +221,26 @@ export function buildDefaultProbes(ctx, options = {}) {
         // ambient `PUGI.md` / `CLAUDE.md` files the cwd → homedir walk
         // discovered, and the closest path. `skipped` when bare mode is
         // active (walk disabled) or zero files found.
+        // Leak L3 (2026-05-28): SANDBOX row. Reports the platform's available
+        // OS-level sandbox primitive (Seatbelt / Landlock / AppContainer) and
+        // surfaces a `warning` status until the bash-tool sandbox adapter (#5)
+        // is armed. Operator-trust gap visibility — better к flag "not yet
+        // jailed" loud than let operators assume it's already on.
+        {
+            name: 'SANDBOX',
+            run: async () => probeSandbox(ctx),
+        },
+        // Leak L3 (2026-05-28): HOOKS row. Validates `.pugi/hooks-mvp.json`
+        // + `.pugi/hook-chains.json` syntax + shape before the first tool
+        // dispatch fires. Absence = skipped (most workspaces don't ship
+        // hooks); bad JSON = error с remediation hint.
+        {
+            name: 'HOOKS',
+            run: async () => probeHooks(ctx, {
+                existsSync,
+                readFileSync: (p, encoding) => readFileSync(p, encoding),
+            }),
+        },
         {
             name: 'PUGI.md HIERARCHY',
             run: async () => probePugiMdHierarchy({

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.40');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.42');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/dist/tools/powershell.js

@@ -0,0 +1,268 @@
+/**
+ * PowerShell tool — leak L6 (Pugi parity catch-up 2026-05-28).
+ *
+ * Windows operators cannot run native `*.ps1` scripts via the bash tool
+ * (which spawns `/bin/sh`). This tool spawns `pwsh -NoProfile -Command`
+ * на cross-platform PowerShell 7+ binary so Windows-first workflows are
+ * first-class на Pugi.
+ *
+ * Clean-room re-implementation. Surface mirrors bashTool's permission
+ * gate, env sanitiser, output cap, timeout, and exit-code propagation;
+ * the only difference is the shell binary selection. Per-platform
+ * resolution:
+ *   - All OS: try `pwsh` on $PATH first (PowerShell 7+ cross-platform).
+ *   - Windows fallback: `powershell.exe` (Windows PowerShell 5.1 baked-in).
+ *   - Other OS without pwsh: tool returns a clear "powershell binary
+ *     not found" error so the operator can install pwsh or fall back
+ *     к bash.
+ *
+ * Permission class: reuses the bash classifier — destructive patterns,
+ * sandbox detection, and additional-directories checks are command-string
+ * based and apply equally to pwsh and sh.
+ */
+import { spawnSync } from 'node:child_process';
+import { listDestructivePatterns } from '../core/bash-classifier.js';
+import { recordToolCall, recordToolResult } from '../core/session.js';
+export const POWERSHELL_OUTPUT_CAP_BYTES = 64 * 1024;
+export const POWERSHELL_DEFAULT_TIMEOUT_MS = 30_000;
+export const POWERSHELL_MAX_TIMEOUT_MS = 120_000;
+/**
+ * PowerShell-specific destructive patterns. Layered ON TOP of the
+ * shared `listDestructivePatterns()` from the bash classifier (which
+ * covers `rm -rf`, `DROP TABLE`, etc — patterns that also surface в
+ * pwsh-via-aliases). These are the cmdlet forms unique to pwsh.
+ *
+ * Patterns are case-insensitive matched against the command string
+ * (pwsh cmdlets accept any case: `remove-item -force` == `Remove-Item -Force`).
+ */
+const PWSH_DESTRUCTIVE_PATTERNS = [
+    // Recursive force delete via cmdlet
+    'remove-item -recurse -force',
+    'remove-item -force -recurse',
+    'ri -recurse -force',
+    'ri -force -recurse',
+    'rmdir -recurse -force',
+    'rmdir -force -recurse',
+    // Disk / volume operations
+    'format-volume',
+    'clear-disk',
+    'reset-physicaldisk',
+    // System state
+    'stop-computer',
+    'restart-computer',
+    'shutdown',
+    // Security weakening
+    'set-executionpolicy unrestricted',
+    'set-executionpolicy bypass',
+    // Service / process attack surface
+    'invoke-webrequest', // common phishing-script vector when piped to iex
+    'iex (new-object', // download-execute pattern
+    // Credential exfil
+    'get-credential | export-clixml',
+];
+/**
+ * Normalize whitespace before pattern matching: collapse runs of
+ * whitespace к single space + lowercase. Defends against the
+ * `iex(New-Object`/`IEX  (New-Object` style bypass where pattern
+ * `iex (new-object` would miss the no-space or double-space variant.
+ */
+function normalizeForMatch(text) {
+    return text.toLowerCase().replace(/\s+/g, ' ');
+}
+function findPwshDestructiveMatch(cmd) {
+    const normalized = normalizeForMatch(cmd);
+    for (const pattern of PWSH_DESTRUCTIVE_PATTERNS) {
+        if (normalized.includes(normalizeForMatch(pattern)))
+            return pattern;
+    }
+    // Fall back к the shared bash destructive list (covers cross-shell
+    // patterns like `rm -rf /`, `DROP DATABASE`). Shared patterns may
+    // contain uppercase (case-insensitive SQL verbs); normalize both
+    // sides before compare.
+    const shared = listDestructivePatterns();
+    for (const pattern of shared) {
+        if (normalized.includes(normalizeForMatch(pattern)))
+            return pattern;
+    }
+    return null;
+}
+/**
+ * PowerShell-aware permission decision. Differs from
+ * `evaluateBashPermission` в two ways:
+ *
+ *   1. Default class is `allow` (after destructive check) instead of
+ *      `unknown → deny`. The bash classifier rejects any first-token
+ *      it does not recognise — appropriate for bash where every verb
+ *      is a separate binary, hostile for pwsh where the Verb-Noun
+ *      cmdlet convention means thousands of legitimate verbs exist
+ *      (`Get-Process`, `$PSVersionTable`, `Select-Object`, ...).
+ *
+ *   2. Destructive patterns combine the shared bash denylist (covers
+ *      cross-shell patterns like `rm -rf`) с pwsh-specific cmdlet
+ *      forms (`Remove-Item -Recurse -Force`, `Format-Volume`, etc).
+ *
+ * Mode FSM mirrors bash: plan → deny ALL, ask → ask, auto/bypass → allow,
+ * destructive class → deny unless `bypassPermissions + human + ENV override`.
+ */
+function evaluatePwshPermission(cmd, mode, source) {
+    const destructive = findPwshDestructiveMatch(cmd);
+    if (destructive !== null) {
+        const overrideOk = mode === 'bypassPermissions' &&
+            source === 'human' &&
+            process.env['PUGI_DESTRUCTIVE_OVERRIDE'] === '1';
+        if (overrideOk) {
+            return {
+                decision: 'allow',
+                reason: `destructive pwsh pattern '${destructive}' allowed via override (bypassPermissions + human + PUGI_DESTRUCTIVE_OVERRIDE=1)`,
+            };
+        }
+        return {
+            decision: 'deny',
+            reason: `destructive pwsh pattern '${destructive}' is always denied (override requires bypassPermissions + human + PUGI_DESTRUCTIVE_OVERRIDE=1)`,
+        };
+    }
+    // Non-destructive pwsh command — mode FSM.
+    switch (mode) {
+        case 'plan':
+            return { decision: 'deny', reason: 'plan mode denies all shell dispatches' };
+        case 'ask':
+        case 'acceptEdits':
+            return { decision: 'ask', reason: 'pwsh command requires operator confirmation' };
+        case 'auto':
+        case 'dontAsk':
+        case 'bypassPermissions':
+            return { decision: 'allow', reason: 'pwsh command allowed by mode' };
+        default:
+            return { decision: 'ask', reason: `unknown mode ${mode}; defaulting к ask` };
+    }
+}
+/** Cached binary path so repeated calls inside one session skip the probe. */
+let cachedShellBinary;
+function resolveShellBinary() {
+    if (cachedShellBinary !== undefined)
+        return cachedShellBinary;
+    // Try pwsh (cross-platform PowerShell 7+) first.
+    const pwshProbe = spawnSync('pwsh', ['-NoProfile', '-Command', 'exit 0'], {
+        encoding: 'utf8',
+        stdio: ['ignore', 'ignore', 'ignore'],
+        timeout: 3000,
+    });
+    if (pwshProbe.status === 0) {
+        cachedShellBinary = 'pwsh';
+        return 'pwsh';
+    }
+    // Windows fallback к the baked-in PowerShell 5.1.
+    if (process.platform === 'win32') {
+        const wpsProbe = spawnSync('powershell.exe', ['-NoProfile', '-Command', 'exit 0'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'ignore', 'ignore'],
+            timeout: 3000,
+        });
+        if (wpsProbe.status === 0) {
+            cachedShellBinary = 'powershell.exe';
+            return 'powershell.exe';
+        }
+    }
+    cachedShellBinary = null;
+    return null;
+}
+function sanitizeTimeout(value) {
+    if (value === undefined || !Number.isFinite(value) || value <= 0) {
+        return POWERSHELL_DEFAULT_TIMEOUT_MS;
+    }
+    return Math.min(value, POWERSHELL_MAX_TIMEOUT_MS);
+}
+function buildChildEnv() {
+    const env = { ...process.env };
+    delete env['PUGI_API_KEY'];
+    delete env['PUGI_LOGIN_TOKEN'];
+    return env;
+}
+/**
+ * Sync PowerShell dispatch. Mirrors bashToolSync shape so dispatchTool
+ * can call either tool with the same context shape.
+ */
+export function powerShellToolSync(input, ctx) {
+    const cmd = input.cmd ?? '';
+    const source = ctx.source ?? 'agent';
+    const toolCallId = recordToolCall(ctx.session, 'powershell', cmd);
+    // pwsh-aware permission gate (NOT the bash classifier). Bash classifier
+    // would reject `$PSVersionTable`, `Get-Process`, etc as "Unrecognized
+    // command" → default-deny, making the pwsh tool useless. The pwsh gate
+    // applies the shared destructive denylist (rm -rf / DROP TABLE) + a
+    // pwsh-specific list (Remove-Item -Recurse -Force / Format-Volume /
+    // Set-ExecutionPolicy Unrestricted / iex (New-Object ...)) and
+    // defaults non-destructive cmdlets к allow under mode FSM.
+    const decision = evaluatePwshPermission(cmd, ctx.settings.permissions.mode, source);
+    if (decision.decision !== 'allow') {
+        const reason = `Permission ${decision.decision}: ${decision.reason}`;
+        recordToolResult(ctx.session, toolCallId, 'error', reason);
+        return {
+            stdout: '',
+            stderr: `Permission ${decision.decision}: ${decision.reason}`,
+            exitCode: 126,
+            truncated: false,
+            timedOut: false,
+            shellBinary: 'unresolved',
+        };
+    }
+    const shellBinary = resolveShellBinary();
+    if (shellBinary === null) {
+        const reason = 'powershell binary not found (tried pwsh' +
+            (process.platform === 'win32' ? ', powershell.exe' : '') +
+            '). Install PowerShell 7+ from https://aka.ms/powershell or use the bash tool instead.';
+        recordToolResult(ctx.session, toolCallId, 'error', reason);
+        return {
+            stdout: '',
+            stderr: reason,
+            exitCode: 127,
+            truncated: false,
+            timedOut: false,
+            shellBinary: 'unavailable',
+        };
+    }
+    const timeoutMs = sanitizeTimeout(input.timeoutMs);
+    const childEnv = buildChildEnv();
+    const cwd = input.cwd ?? ctx.root;
+    const result = spawnSync(shellBinary, ['-NoProfile', '-Command', cmd], {
+        cwd,
+        env: childEnv,
+        encoding: 'utf8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: timeoutMs,
+        maxBuffer: 10 * 1024 * 1024,
+    });
+    const stdoutFull = (result.stdout ?? '').toString();
+    const stderrFull = (result.stderr ?? '').toString();
+    const combined = stdoutFull.length + stderrFull.length;
+    const truncated = combined > POWERSHELL_OUTPUT_CAP_BYTES;
+    let stdoutOut = stdoutFull;
+    let stderrOut = stderrFull;
+    if (truncated) {
+        const halfCap = POWERSHELL_OUTPUT_CAP_BYTES / 2;
+        stdoutOut = stdoutFull.slice(0, halfCap);
+        stderrOut = stderrFull.slice(0, halfCap);
+    }
+    const timedOut = result.error?.code === 'ETIMEDOUT' ||
+        result.signal === 'SIGTERM';
+    const exitCode = timedOut ? 124 : result.status ?? 1;
+    if (timedOut) {
+        recordToolResult(ctx.session, toolCallId, 'error', `powershell timed out after ${timeoutMs}ms`);
+    }
+    else {
+        recordToolResult(ctx.session, toolCallId, 'success', `powershell exit=${exitCode} bytes=${combined} binary=${shellBinary}`);
+    }
+    return {
+        stdout: stdoutOut,
+        stderr: stderrOut,
+        exitCode,
+        truncated,
+        timedOut,
+        shellBinary,
+    };
+}
+/** Visible-for-spec helper: forces a re-probe on next call. */
+export function _resetShellBinaryCacheForSpec() {
+    cachedShellBinary = undefined;
+}
+//# sourceMappingURL=powershell.js.map

package/dist/tools/registry.js

@@ -26,6 +26,11 @@ const registry = [
     // concurrencySafe = false because the journal serialises one dispatch
     // per session.
     { name: 'multi_edit', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
+    // Leak L6 (2026-05-28): PowerShell tool for Windows-first workflows. Same
+    // bash permission class — destructive-pattern classification fires the
+    // same gate. concurrencySafe = false because spawn-shell child cwd /
+    // env carry-over could race across parallel agent calls.
+    { name: 'powershell', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
     { name: 'question', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
     { name: 'read', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'skill', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },

package/dist/tui/repl-splash-art.js

@@ -3,7 +3,7 @@
  *
  * Hand-crafted at 9 rows × 20 columns to read as a pug at a single
  * glance — references the cyber-zoo hero glyph in
- * `apps/clawhost-web/public/brand/hero-pug.png`: blocky pug face with
+ * `apps/console-web/public/brand/hero-pug.png`: blocky pug face with
  * angular ear flaps on either side of the head, forehead crease,
  * angular cyan eyes (`◉`), smushed snout, undershot jaw, and a small
  * cyan circuit chip (`▐■▌`) on the lower-right cheek.

package/dist/tui/repl-splash-mascot.js

@@ -22,7 +22,7 @@
  *
  * Generation (operator-side, one-shot):
  *   chafa --size 80x40 --symbols=vhalf --colors=full \
- *     apps/clawhost-web/public/brand/hero-pug.png \
+ *     apps/console-web/public/brand/hero-pug.png \
  *     > apps/pugi-cli/assets/pugi-mascot.ansi
  *
  * The output is committed verbatim to the repo and shipped inside the

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.40",
+  "version": "0.1.0-beta.42",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -55,7 +55,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.40"
+    "@pugi/sdk": "0.1.0-beta.42"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",