@pugi/cli 0.1.0-beta.43 → 0.1.0-beta.44

package/dist/core/bash-classifier.js

@@ -119,6 +119,63 @@ const DESTRUCTIVE_PATTERNS = [
     // History destruction
     { pattern: 'history -c' },
     { pattern: ' >/dev/null 2>&1; rm' },
+    // ---------------------------------------------------------------
+    // Patterns ported from KeiSeiKit `destructive-guard.sh` (Apache-2.0)
+    // and `safety-guard.sh` BLOCKED_PATTERNS array. Upstream source:
+    //   /tmp/KeiSeiKit/hooks/destructive-guard.sh  (lines 7-13)
+    //   /tmp/KeiSeiKit/hooks/safety-guard.sh       (lines 14-50)
+    // Attribution: licenses/keiseikit-LICENSE-NOTICE.md.
+    //
+    // The patterns below need word-boundary matching because their
+    // tokens (kill, halt, reboot, ...) appear as substrings of common
+    // unrelated words (skills, default, chrooted-rebooter, etc.).
+    // Substring `.includes` cannot express that — `regex` is required.
+    // ---------------------------------------------------------------
+    // Process termination — `kill`, `pkill`, `killall` at command head
+    // or after `sudo`. Matches `kill 1234`, `kill -9 $$`, `sudo killall
+    // node`, but NOT `skill issue` (no leading boundary) or
+    // `git commit -m "skill kill story"` (the kill is inside a quoted
+    // string — quote-aware split handled upstream; here we still need
+    // the boundary). Anchored to start-of-component or `sudo ` prefix.
+    {
+        pattern: 'kill',
+        regex: /^(?:sudo\s+)?(?:pkill|killall|kill)\b/,
+    },
+    // System power state — reboot / shutdown / halt / poweroff / init 0
+    // / init 6. KeiSei matches these anywhere in the command; we
+    // tighten to start-of-component or `sudo ` prefix to avoid FPs on
+    // file paths or variable names containing the substring.
+    {
+        pattern: 'reboot',
+        regex: /^(?:sudo\s+)?reboot\b/,
+    },
+    {
+        pattern: 'shutdown',
+        regex: /^(?:sudo\s+)?shutdown\b/,
+    },
+    {
+        pattern: 'halt',
+        regex: /^(?:sudo\s+)?halt\b/,
+    },
+    {
+        pattern: 'poweroff',
+        regex: /^(?:sudo\s+)?poweroff\b/,
+    },
+    {
+        pattern: 'init 0',
+        regex: /^(?:sudo\s+)?init\s+0\b/,
+    },
+    {
+        pattern: 'init 6',
+        regex: /^(?:sudo\s+)?init\s+6\b/,
+    },
+    // `git clean -f` (without -dx) — KeiSei lists this as destructive
+    // because it still deletes untracked files. Pugi previously only
+    // gated `git clean -fdx`; broaden to any `-f` variant.
+    {
+        pattern: 'git clean -f',
+        regex: /\bgit\s+clean\s+-[A-Za-z]*f/,
+    },
 ];
 /**
  * Compound separators. We split on `&&`, `||`, `;`, `|` to classify
@@ -622,7 +679,15 @@ function classifyComponent(cmd, ctx) {
 }
 function findDestructiveMatch(cmd) {
     const upper = cmd.toUpperCase();
-    for (const { pattern, caseInsensitive } of DESTRUCTIVE_PATTERNS) {
+    for (const { pattern, caseInsensitive, regex } of DESTRUCTIVE_PATTERNS) {
+        if (regex) {
+            // Word-boundary regex form (KeiSei-derived patterns). Match
+            // against the trimmed component so `^` anchors to command head,
+            // not surrounding whitespace from the compound split.
+            if (regex.test(cmd.trim()))
+                return pattern;
+            continue;
+        }
         if (caseInsensitive) {
             if (upper.includes(pattern))
                 return pattern;
@@ -697,8 +762,17 @@ function detectProtectedWrite(cmd, ctx) {
     // Captures `sort -o`, `uniq <in> <out>`, `sed -i` files, `awk '... > "file"'`,
     // and `>` / `>>` redirections without surrounding whitespace.
     const writeTargets = extractWriteTargets(cmd);
+    // Strip heredoc bodies before substring scan. Heredoc payloads are
+    // DATA (file contents the script writes), not commands the shell
+    // executes — a `package.json` body containing `/usr/local/bin/...`
+    // would FP as "Write into protected path: /usr/" under the broad
+    // includes() scan below. The per-target check at the bottom of this
+    // function still catches real `cat > /usr/file << EOF` attempts
+    // because extractWriteTargets reads the redirection target, not the
+    // heredoc body. CEO dogfood 2026-05-28 (#28 follow-up).
+    const cmdForScan = stripHeredocBodies(cmd);
     for (const needle of PROTECTED_PATH_SUBSTRINGS) {
-        if (!cmd.includes(needle))
+        if (!cmdForScan.includes(needle))
             continue;
         // Reading from a protected path is allowed at the classifier
         // layer (the permission engine still gates `read`); writing is
@@ -760,6 +834,56 @@ function detectProtectedWrite(cmd, ctx) {
  * Conservative — we do not try to resolve shell vars or globs; the
  * caller still gates absolute paths via `looksAbsoluteOutsideWorkspace`.
  */
+/**
+ * Strip heredoc bodies so substring scans (e.g. `cmd.includes('/usr/')`)
+ * do not false-positive on file content the script is *writing*. A
+ * heredoc starts с `<< 'WORD'` (or `<< WORD` / `<<-WORD`) and ends на a
+ * line containing only WORD. The body between is DATA, not commands.
+ *
+ * Best-effort: handles single-heredoc-per-command (the common case)
+ * AND multiple sequential heredocs. Nested heredocs (heredoc-inside-
+ * heredoc) are rare and out of scope — the substring scan still gates
+ * the outer command, just без stripping the nested body. Per-target
+ * detection at detectProtectedWrite's tail loop catches real
+ * `cat > /usr/file << EOF` attacks regardless of body content.
+ *
+ * CEO dogfood 2026-05-28 (#28): `cat > package.json << 'EOF'\n{"bin":
+ * "/usr/local/bin/foo"}\nEOF` was rejected as "Write into protected
+ * path: /usr/" because the broad substring scan saw `/usr/` in the
+ * JSON body. With heredoc-body stripping, the scan now sees only
+ * `cat > package.json << 'EOF'  EOF` which contains no protected path.
+ */
+function stripHeredocBodies(cmd) {
+    // Match `<< [-]'WORD'` or `<< [-]"WORD"` or `<< [-]WORD` (quoted form
+    // disables variable expansion in real bash; we treat all three the
+    // same for stripping). Capture the WORD so we can find the close
+    // marker.
+    const heredocStart = /<<-?\s*(['"]?)([A-Za-z_][A-Za-z0-9_]*)\1/g;
+    let out = cmd;
+    let safetyLoops = 0;
+    let match;
+    while ((match = heredocStart.exec(out)) !== null) {
+        if (++safetyLoops > 16)
+            break;
+        const word = match[2];
+        if (!word)
+            continue;
+        const headEnd = match.index + match[0].length;
+        // Find the close-marker line: `\n<optional indent>WORD<\n|$>`.
+        const closeRegex = new RegExp(`\\n\\s*${word}(?:\\n|$)`);
+        closeRegex.lastIndex = headEnd;
+        const closeMatch = closeRegex.exec(out.slice(headEnd));
+        if (!closeMatch)
+            break;
+        const closeStart = headEnd + closeMatch.index;
+        const closeEnd = closeStart + closeMatch[0].length;
+        // Replace heredoc body + close marker с single space so the regex
+        // iterator's lastIndex stays meaningful.
+        out = out.slice(0, headEnd) + ' ' + out.slice(closeEnd);
+        heredocStart.lastIndex = headEnd + 1;
+    }
+    return out;
+}
 function extractWriteTargets(cmd) {
     const targets = [];
     // Shell redirection (`>`, `>>`) with optional whitespace. Skip
@@ -831,8 +955,13 @@ function detectProtectedRead(cmd) {
         firstToken === 'find';
     if (!isReadTool)
         return null;
+    // Strip heredoc bodies so `cat > config << 'EOF'\n... /etc/... \nEOF`
+    // does not FP as "Read from protected path" when first-token=`cat` +
+    // redirection writes к workspace-local file. Heredoc payload is data.
+    // CEO dogfood 2026-05-28 (#28).
+    const cmdForScan = stripHeredocBodies(cmd);
     for (const needle of PROTECTED_PATH_SUBSTRINGS) {
-        if (cmd.includes(needle)) {
+        if (cmdForScan.includes(needle)) {
             return {
                 reason: `Read from protected path: ${needle}`,
                 matched: needle,

package/dist/runtime/cli.js

@@ -1168,6 +1168,33 @@ export async function runCli(argv) {
             // Propagating via env keeps the session module transport-free.
             if (flags.allowFetch)
                 process.env.PUGI_ALLOW_FETCH = '1';
+            // CEO P0 (2026-05-28): auto-init pre-flight on the bare REPL
+            // boot path. PR #628 wired `runAutoInitPreflight` into every
+            // engine command (`pugi code/fix/build/...`) but the bare
+            // `pugi` REPL entry boots straight into the workspace label
+            // resolver — which surfaces the "(not bound — run /init OR cd
+            // into project)" banner without ever asking the operator
+            // whether к initialise the workspace. CEO escalation: closed
+            // multiple times wrong; the operator hits the banner and walks
+            // away thinking Pugi is broken. We use the REPL-tuned variant
+            // that NEVER throws — `n`, `--bare`, `--no-init`, non-TTY all
+            // fall through к the legacy "not bound" banner so the existing
+            // contract (booting REPL still works without `.pugi/`) holds.
+            // The prompt fires ONLY on the happy path: interactive TTY,
+            // no `.pugi/`, no opt-out flag. Wrapped in a defensive try/
+            // catch — the scaffold may legitimately fail (read-only fs,
+            // permission denied) but the REPL still needs to boot so the
+            // operator gets a usable surface к diagnose the failure.
+            try {
+                await runReplAutoInitPreflight(process.cwd(), flags);
+            }
+            catch (error) {
+                // Surface the scaffold error on stderr but proceed to mount
+                // the REPL. Crashing here would regress the splash-fallback
+                // path the dispatcher used to take when `.pugi/` was missing.
+                const message = error instanceof Error ? error.message : String(error);
+                process.stderr.write(`Auto-init failed: ${message}\n`);
+            }
             // α6.2: peek the npm registry for a newer @pugi/cli before
             // mounting Ink. Wrapped in a try/catch belt-and-braces even
             // though `checkForUpdate` already swallows every failure mode —
@@ -1187,6 +1214,12 @@ export async function runCli(argv) {
             await renderRepl({
                 apiUrl: runtimeConfig.apiUrl,
                 apiKey: runtimeConfig.apiKey,
+                // Re-resolve AFTER the auto-init pre-flight so a freshly-
+                // scaffolded `.pugi/PUGI.md` flips the splash label from
+                // "(not bound — run /init OR cd into project)" к the project
+                // basename in the same boot cycle. `workspaceLabel` is a
+                // pure function over `process.cwd()`; calling it twice is
+                // cheap.
                 workspaceLabel: workspaceLabel(process.cwd()),
                 cliVersion: PUGI_CLI_VERSION,
                 updateBanner,
@@ -6466,6 +6499,27 @@ async function runAutoInitPreflight(root, flags) {
         throw new Error('Run pugi init first');
     }
 }
+export async function runReplAutoInitPreflight(root, flags, overrides = {}) {
+    const interactive = overrides.interactive ?? isInteractive(flags);
+    return ensureInitializedHelper({
+        cwd: root,
+        interactive,
+        // Leak L22 (2026-05-27): `--bare` short-circuits BEFORE the prompt.
+        // Bare mode is the operator's explicit "disable project auto-
+        // discovery" signal — scaffolding `.pugi/` would directly violate
+        // that contract. Treat `--bare` the same as `--no-init` for the
+        // pre-flight gate.
+        skip: flags.noInit
+            || flags.bare
+            || process.env.PUGI_NO_AUTO_INIT === '1'
+            || process.env.PUGI_BARE === '1',
+        prompt: overrides.prompt ?? (async (question) => readSingleChoice(question)),
+        scaffold: overrides.scaffold
+            ?? (async (input) => {
+                await scaffoldPugiWorkspace({ cwd: input.cwd, noDefaults: flags.noDefaults });
+            }),
+    });
+}
 /**
  * Wave 6 UX (2026-05-27): async pre-flight wrapper around the
  * `ensureAuthenticatedHelper` from `core/auth/ensure-authenticated.ts`.

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.43');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.44');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.43",
+  "version": "0.1.0-beta.44",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -55,7 +55,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.43"
+    "@pugi/sdk": "0.1.0-beta.44"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",