@pugi/cli 0.1.0-beta.41 → 0.1.0-beta.43

package/dist/core/diagnostics/probes/hooks.js

@@ -0,0 +1,118 @@
+/**
+ * HOOKS probe — verifies `.pugi/hooks-mvp.json` and `.pugi/hook-chains.json`
+ * exist + parse + carry their declared shape. Absence is OK (most workspaces
+ * don't ship hooks); presence с invalid JSON is a deployment-blocking error
+ * the operator wants surfaced before a tool dispatch fires a malformed hook
+ * and the model sees a confusing failure.
+ *
+ * Validation tier:
+ *   1. JSON.parse — catches typos / trailing commas / bad escapes.
+ *   2. Top-level shape sniff — `hooks-mvp.json` MUST be an object с a
+ *      `hooks` array property; `hook-chains.json` MUST be an object
+ *      с string-keyed event names mapping to arrays.
+ *   3. Per-entry require-fields sniff — minimal так что probe stays cheap.
+ *
+ * Out of scope: full Zod schema validation. That lives in the hook loader
+ * itself (apps/pugi-cli/src/core/hooks/v2/loader.ts). The probe is a
+ * fast sanity check; the loader produces the canonical error message
+ * when a hook actually fires.
+ */
+function loadHookFile(fs, path) {
+    if (!fs.existsSync(path))
+        return null;
+    try {
+        const raw = fs.readFileSync(path, 'utf8');
+        return { path, parsed: JSON.parse(raw) };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return { parseError: `${path}: ${message}` };
+    }
+}
+function validateMvpShape(parsed) {
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+        return 'top-level value must be an object';
+    }
+    const hooks = parsed['hooks'];
+    if (hooks !== undefined && !Array.isArray(hooks)) {
+        return '`hooks` property must be an array when present';
+    }
+    return null;
+}
+function validateChainsShape(parsed) {
+    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+        return 'top-level value must be an object';
+    }
+    for (const [event, body] of Object.entries(parsed)) {
+        if (!Array.isArray(body)) {
+            return `event "${event}": value must be an array of hook entries`;
+        }
+    }
+    return null;
+}
+export function probeHooks(ctx, fs) {
+    const mvpPath = `${ctx.cwd}/.pugi/hooks-mvp.json`;
+    const chainsPath = `${ctx.cwd}/.pugi/hook-chains.json`;
+    const mvp = loadHookFile(fs, mvpPath);
+    const chains = loadHookFile(fs, chainsPath);
+    const issues = [];
+    let mvpCount = 0;
+    let chainEvents = 0;
+    if (mvp !== null) {
+        if ('parseError' in mvp) {
+            issues.push(`hooks-mvp.json parse failed: ${mvp.parseError}`);
+        }
+        else {
+            const shapeIssue = validateMvpShape(mvp.parsed);
+            if (shapeIssue) {
+                issues.push(`hooks-mvp.json: ${shapeIssue}`);
+            }
+            else {
+                const hooksArr = mvp.parsed['hooks'];
+                mvpCount = Array.isArray(hooksArr) ? hooksArr.length : 0;
+            }
+        }
+    }
+    if (chains !== null) {
+        if ('parseError' in chains) {
+            issues.push(`hook-chains.json parse failed: ${chains.parseError}`);
+        }
+        else {
+            const shapeIssue = validateChainsShape(chains.parsed);
+            if (shapeIssue) {
+                issues.push(`hook-chains.json: ${shapeIssue}`);
+            }
+            else {
+                chainEvents = Object.keys(chains.parsed).length;
+            }
+        }
+    }
+    if (issues.length > 0) {
+        return {
+            name: 'HOOKS',
+            status: 'error',
+            detail: issues.join('; '),
+            remediation: 'Fix the JSON syntax / shape, or delete the file if hooks are not in use. The hook loader surfaces the canonical error when a hook actually fires; this probe catches the problem before the first dispatch.',
+        };
+    }
+    if (mvp === null && chains === null) {
+        return {
+            name: 'HOOKS',
+            status: 'skipped',
+            detail: 'no hook config files in .pugi/ (workspace has not opted into hooks)',
+        };
+    }
+    const parts = [];
+    if (mvp !== null && !('parseError' in mvp)) {
+        parts.push(`hooks-mvp.json OK (${mvpCount} entr${mvpCount === 1 ? 'y' : 'ies'})`);
+    }
+    if (chains !== null && !('parseError' in chains)) {
+        parts.push(`hook-chains.json OK (${chainEvents} event${chainEvents === 1 ? '' : 's'})`);
+    }
+    return {
+        name: 'HOOKS',
+        status: 'ok',
+        detail: parts.join('; '),
+    };
+}
+//# sourceMappingURL=hooks.js.map

package/dist/core/diagnostics/probes/sandbox.js

@@ -0,0 +1,40 @@
+/**
+ * SANDBOX probe — surfaces the current OS-level sandbox posture (Leak L1
+ * spec: sandbox-adapter.ts macOS Seatbelt / Linux Landlock / WSL2 detect).
+ *
+ * Pugi sandbox enforcement is tracked under task #5 (P0/L1+L16). Until
+ * that lands, this probe reports the platform's available primitive and
+ * a clear "not yet armed" warning so the operator sees the gap in
+ * `pugi doctor` instead of assuming bash dispatches run jailed.
+ *
+ * When the sandbox does ship, the probe upgrade path:
+ *   - Replace the static "not_armed" detail with a real config probe
+ *     (read .pugi/settings.json::sandbox.mode, verify the OS primitive
+ *     resolves, return ok when both line up).
+ *   - Keep the same probe NAME so doctor output / spec assertions
+ *     don't churn.
+ */
+export function probeSandbox(_ctx) {
+    const platform = process.platform;
+    let availablePrimitive;
+    switch (platform) {
+        case 'darwin':
+            availablePrimitive = 'macOS Seatbelt (/usr/bin/sandbox-exec)';
+            break;
+        case 'linux':
+            availablePrimitive = 'Linux Landlock / nsjail (kernel-dependent)';
+            break;
+        case 'win32':
+            availablePrimitive = 'Windows AppContainer / Job Object';
+            break;
+        default:
+            availablePrimitive = `unknown platform ${platform}`;
+    }
+    return {
+        name: 'SANDBOX',
+        status: 'warn',
+        detail: `OS primitive available: ${availablePrimitive}. Sandbox enforcement NOT yet armed (Pugi task #5 pending — bash tool currently runs с full process privileges).`,
+        remediation: 'Bash tool dispatches run unsandboxed today. Track progress on the OS-level sandbox adapter via the operator-trust roadmap. Until then, rely on the bash classifier denylist + permission FSM.',
+    };
+}
+//# sourceMappingURL=sandbox.js.map

package/dist/core/engine/budgets.js

@@ -17,7 +17,7 @@ export const beta1DefaultBudgets = {
     code: { maxTokens: 80_000, maxToolCalls: 20 },
     build: { maxTokens: 200_000, maxToolCalls: 30 },
     plan: { maxTokens: 200_000, maxToolCalls: 8 },
-    explain: { maxTokens: 20_000, maxToolCalls: 5 },
+    explain: { maxTokens: 40_000, maxToolCalls: 5 },
     review_triple: { maxTokens: 100_000, maxToolCalls: 10 },
 };
 /**

package/dist/runtime/commands/doctor.js

@@ -51,6 +51,8 @@ import { probeSession } from '../../core/diagnostics/probes/session.js';
 import { probeDenialTracking } from '../../core/diagnostics/probes/denial-tracking.js';
 import { probeBareMode } from '../../core/diagnostics/probes/bare-mode.js';
 import { probePugiMdHierarchy } from '../../core/diagnostics/probes/pugi-md.js';
+import { probeSandbox } from '../../core/diagnostics/probes/sandbox.js';
+import { probeHooks } from '../../core/diagnostics/probes/hooks.js';
 /**
  * Default API URL when no PUGI_API_URL env override is set. Mirrors
  * the constant in `core/credentials.ts` (kept local to avoid an
@@ -219,6 +221,26 @@ export function buildDefaultProbes(ctx, options = {}) {
         // ambient `PUGI.md` / `CLAUDE.md` files the cwd → homedir walk
         // discovered, and the closest path. `skipped` when bare mode is
         // active (walk disabled) or zero files found.
+        // Leak L3 (2026-05-28): SANDBOX row. Reports the platform's available
+        // OS-level sandbox primitive (Seatbelt / Landlock / AppContainer) and
+        // surfaces a `warning` status until the bash-tool sandbox adapter (#5)
+        // is armed. Operator-trust gap visibility — better к flag "not yet
+        // jailed" loud than let operators assume it's already on.
+        {
+            name: 'SANDBOX',
+            run: async () => probeSandbox(ctx),
+        },
+        // Leak L3 (2026-05-28): HOOKS row. Validates `.pugi/hooks-mvp.json`
+        // + `.pugi/hook-chains.json` syntax + shape before the first tool
+        // dispatch fires. Absence = skipped (most workspaces don't ship
+        // hooks); bad JSON = error с remediation hint.
+        {
+            name: 'HOOKS',
+            run: async () => probeHooks(ctx, {
+                existsSync,
+                readFileSync: (p, encoding) => readFileSync(p, encoding),
+            }),
+        },
         {
             name: 'PUGI.md HIERARCHY',
             run: async () => probePugiMdHierarchy({

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.41');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.43');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/dist/tools/powershell.js

@@ -21,11 +21,121 @@
  * based and apply equally to pwsh and sh.
  */
 import { spawnSync } from 'node:child_process';
-import { evaluateBashPermission } from '../core/permission.js';
+import { listDestructivePatterns } from '../core/bash-classifier.js';
 import { recordToolCall, recordToolResult } from '../core/session.js';
 export const POWERSHELL_OUTPUT_CAP_BYTES = 64 * 1024;
 export const POWERSHELL_DEFAULT_TIMEOUT_MS = 30_000;
 export const POWERSHELL_MAX_TIMEOUT_MS = 120_000;
+/**
+ * PowerShell-specific destructive patterns. Layered ON TOP of the
+ * shared `listDestructivePatterns()` from the bash classifier (which
+ * covers `rm -rf`, `DROP TABLE`, etc — patterns that also surface в
+ * pwsh-via-aliases). These are the cmdlet forms unique to pwsh.
+ *
+ * Patterns are case-insensitive matched against the command string
+ * (pwsh cmdlets accept any case: `remove-item -force` == `Remove-Item -Force`).
+ */
+const PWSH_DESTRUCTIVE_PATTERNS = [
+    // Recursive force delete via cmdlet
+    'remove-item -recurse -force',
+    'remove-item -force -recurse',
+    'ri -recurse -force',
+    'ri -force -recurse',
+    'rmdir -recurse -force',
+    'rmdir -force -recurse',
+    // Disk / volume operations
+    'format-volume',
+    'clear-disk',
+    'reset-physicaldisk',
+    // System state
+    'stop-computer',
+    'restart-computer',
+    'shutdown',
+    // Security weakening
+    'set-executionpolicy unrestricted',
+    'set-executionpolicy bypass',
+    // Service / process attack surface
+    'invoke-webrequest', // common phishing-script vector when piped to iex
+    'iex (new-object', // download-execute pattern
+    // Credential exfil
+    'get-credential | export-clixml',
+];
+/**
+ * Normalize whitespace before pattern matching: collapse runs of
+ * whitespace к single space + lowercase. Defends against the
+ * `iex(New-Object`/`IEX  (New-Object` style bypass where pattern
+ * `iex (new-object` would miss the no-space or double-space variant.
+ */
+function normalizeForMatch(text) {
+    return text.toLowerCase().replace(/\s+/g, ' ');
+}
+function findPwshDestructiveMatch(cmd) {
+    const normalized = normalizeForMatch(cmd);
+    for (const pattern of PWSH_DESTRUCTIVE_PATTERNS) {
+        if (normalized.includes(normalizeForMatch(pattern)))
+            return pattern;
+    }
+    // Fall back к the shared bash destructive list (covers cross-shell
+    // patterns like `rm -rf /`, `DROP DATABASE`). Shared patterns may
+    // contain uppercase (case-insensitive SQL verbs); normalize both
+    // sides before compare.
+    const shared = listDestructivePatterns();
+    for (const pattern of shared) {
+        if (normalized.includes(normalizeForMatch(pattern)))
+            return pattern;
+    }
+    return null;
+}
+/**
+ * PowerShell-aware permission decision. Differs from
+ * `evaluateBashPermission` в two ways:
+ *
+ *   1. Default class is `allow` (after destructive check) instead of
+ *      `unknown → deny`. The bash classifier rejects any first-token
+ *      it does not recognise — appropriate for bash where every verb
+ *      is a separate binary, hostile for pwsh where the Verb-Noun
+ *      cmdlet convention means thousands of legitimate verbs exist
+ *      (`Get-Process`, `$PSVersionTable`, `Select-Object`, ...).
+ *
+ *   2. Destructive patterns combine the shared bash denylist (covers
+ *      cross-shell patterns like `rm -rf`) с pwsh-specific cmdlet
+ *      forms (`Remove-Item -Recurse -Force`, `Format-Volume`, etc).
+ *
+ * Mode FSM mirrors bash: plan → deny ALL, ask → ask, auto/bypass → allow,
+ * destructive class → deny unless `bypassPermissions + human + ENV override`.
+ */
+function evaluatePwshPermission(cmd, mode, source) {
+    const destructive = findPwshDestructiveMatch(cmd);
+    if (destructive !== null) {
+        const overrideOk = mode === 'bypassPermissions' &&
+            source === 'human' &&
+            process.env['PUGI_DESTRUCTIVE_OVERRIDE'] === '1';
+        if (overrideOk) {
+            return {
+                decision: 'allow',
+                reason: `destructive pwsh pattern '${destructive}' allowed via override (bypassPermissions + human + PUGI_DESTRUCTIVE_OVERRIDE=1)`,
+            };
+        }
+        return {
+            decision: 'deny',
+            reason: `destructive pwsh pattern '${destructive}' is always denied (override requires bypassPermissions + human + PUGI_DESTRUCTIVE_OVERRIDE=1)`,
+        };
+    }
+    // Non-destructive pwsh command — mode FSM.
+    switch (mode) {
+        case 'plan':
+            return { decision: 'deny', reason: 'plan mode denies all shell dispatches' };
+        case 'ask':
+        case 'acceptEdits':
+            return { decision: 'ask', reason: 'pwsh command requires operator confirmation' };
+        case 'auto':
+        case 'dontAsk':
+        case 'bypassPermissions':
+            return { decision: 'allow', reason: 'pwsh command allowed by mode' };
+        default:
+            return { decision: 'ask', reason: `unknown mode ${mode}; defaulting к ask` };
+    }
+}
 /** Cached binary path so repeated calls inside one session skip the probe. */
 let cachedShellBinary;
 function resolveShellBinary() {
@@ -74,20 +184,22 @@ function buildChildEnv() {
  */
 export function powerShellToolSync(input, ctx) {
     const cmd = input.cmd ?? '';
-    const additionalDirectories = ctx.additionalDirectories ?? [];
     const source = ctx.source ?? 'agent';
     const toolCallId = recordToolCall(ctx.session, 'powershell', cmd);
-    const decision = evaluateBashPermission(cmd, ctx.settings.permissions.mode, {
-        workspaceRoot: ctx.root,
-        additionalDirectories,
-        source,
-    });
+    // pwsh-aware permission gate (NOT the bash classifier). Bash classifier
+    // would reject `$PSVersionTable`, `Get-Process`, etc as "Unrecognized
+    // command" → default-deny, making the pwsh tool useless. The pwsh gate
+    // applies the shared destructive denylist (rm -rf / DROP TABLE) + a
+    // pwsh-specific list (Remove-Item -Recurse -Force / Format-Volume /
+    // Set-ExecutionPolicy Unrestricted / iex (New-Object ...)) and
+    // defaults non-destructive cmdlets к allow under mode FSM.
+    const decision = evaluatePwshPermission(cmd, ctx.settings.permissions.mode, source);
     if (decision.decision !== 'allow') {
         const reason = `Permission ${decision.decision}: ${decision.reason}`;
         recordToolResult(ctx.session, toolCallId, 'error', reason);
         return {
             stdout: '',
-            stderr: `Permission denied: ${decision.reason}`,
+            stderr: `Permission ${decision.decision}: ${decision.reason}`,
             exitCode: 126,
             truncated: false,
             timedOut: false,

package/dist/tui/repl-splash-art.js

@@ -3,7 +3,7 @@
  *
  * Hand-crafted at 9 rows × 20 columns to read as a pug at a single
  * glance — references the cyber-zoo hero glyph in
- * `apps/clawhost-web/public/brand/hero-pug.png`: blocky pug face with
+ * `apps/console-web/public/brand/hero-pug.png`: blocky pug face with
  * angular ear flaps on either side of the head, forehead crease,
  * angular cyan eyes (`◉`), smushed snout, undershot jaw, and a small
  * cyan circuit chip (`▐■▌`) on the lower-right cheek.

package/dist/tui/repl-splash-mascot.js

@@ -22,7 +22,7 @@
  *
  * Generation (operator-side, one-shot):
  *   chafa --size 80x40 --symbols=vhalf --colors=full \
- *     apps/clawhost-web/public/brand/hero-pug.png \
+ *     apps/console-web/public/brand/hero-pug.png \
  *     > apps/pugi-cli/assets/pugi-mascot.ansi
  *
  * The output is committed verbatim to the repo and shipped inside the

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.41",
+  "version": "0.1.0-beta.43",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -55,7 +55,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.41"
+    "@pugi/sdk": "0.1.0-beta.43"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",