@pugi/cli 0.1.0-beta.47 → 0.1.0-beta.48

package/dist/core/bash-classifier.js

@@ -346,6 +346,93 @@ const BUILD_TEST_PREFIXES = [
     'tsc -p',
     'eslint',
     'prettier --check',
+    // P0 fix 2026-05-29 (#37 CRITICAL): customer-blocking gap surfaced
+    // during dogfood. Engine emitted `chmod +x build.sh`, `node script.js`,
+    // `python3 -m pytest`, `git status`, `pnpm build`, `docker ps`, etc.
+    // and the classifier returned `unknown` → permission matrix denied
+    // в bypassPermissions mode (which the customer expected to auto-allow
+    // basic dev tools). Customers could not run ANY real build/test/git
+    // workflow through Pugi.
+    //
+    // The prefixes below cover three classes of developer tooling that
+    // are always allowed in `auto`/`dontAsk`/`bypassPermissions` modes,
+    // `ask` in interactive modes, and `deny` in `plan` (read-only) mode:
+    //   - Language runtimes: `node`, `python`, `python3`, `ruby`, etc.
+    //   - Native build chains: `gcc`, `clang`, `cmake`, `rustc`, etc.
+    //   - Container/k8s read-class: `docker ps/inspect/logs`, `kubectl get`.
+    //
+    // Destructive variants are already gated upstream by DESTRUCTIVE_PATTERNS
+    // (e.g. `docker system prune`, `kubectl delete --all`). The first-token
+    // gate in classifyComponent runs THIS list before the unknown fallback.
+    //
+    // Language runtime invocations (first-token match, with or without args).
+    'node',
+    'python',
+    'python3',
+    'ruby',
+    'perl',
+    'php',
+    'deno',
+    'bun',
+    'tsx',
+    'ts-node',
+    // Native build chains.
+    'gcc',
+    'g++',
+    'clang',
+    'clang++',
+    'cmake',
+    'rustc',
+    'javac',
+    'java',
+    // Container/k8s read-class (the destructive subcommands are pre-empted
+    // by DESTRUCTIVE_PATTERNS: `docker system prune`, `kubectl delete --all`,
+    // `kubectl delete namespace`).
+    'docker ps',
+    'docker images',
+    'docker inspect',
+    'docker logs',
+    'docker version',
+    'docker info',
+    'docker exec',
+    'docker run',
+    'docker stop',
+    'docker start',
+    'docker restart',
+    'docker rm',
+    'docker rmi',
+    'docker build',
+    'docker tag',
+    'docker compose',
+    'docker-compose',
+    'kubectl get',
+    'kubectl describe',
+    'kubectl logs',
+    'kubectl exec',
+    'kubectl apply',
+    'kubectl create',
+    'kubectl rollout',
+    'kubectl port-forward',
+    'kubectl config',
+    // Git read+write surface (network ops already handled by NETWORK_PREFIXES;
+    // destructive ops `reset --hard`/`clean -fdx`/`push --force` blocked above).
+    // Note: WRITE_WORKSPACE_PREFIXES already covers `git commit/add/checkout/...`.
+    // These entries handle plain `git rev-list`, `git cherry-pick`, `git worktree`,
+    // `git submodule`, etc that customer scripts commonly invoke.
+    'git rev-list',
+    'git cherry-pick',
+    'git worktree',
+    'git submodule',
+    'git blame',
+    'git describe',
+    'git tag --list',
+    'git tag -l',
+    'git for-each-ref',
+    'git ls-remote',
+    // gh CLI (GitHub). `gh repo delete` / `gh release delete` reach into
+    // network operations but are non-destructive for the local workspace.
+    // Permission matrix asks before allowing in auto.
+    'gh',
 ];
 /** Single-token read-only commands. Argument-free entries match exact. */
 const READ_TOKENS = new Set([
@@ -384,6 +471,16 @@ const READ_TOKENS = new Set([
     'cut',
     'sort',
     'uniq',
+    // P0 fix 2026-05-29 (#37 CRITICAL): structured-data inspection tools
+    // are pure stdin/stdout transformers (no FS write, no network) when
+    // не paired с `>` redirection (the redirection branch above promotes
+    // к write_workspace independently). Common в dev scripts for parsing
+    // package.json, tsconfig.json, Helm values.yaml, etc.
+    // `tee` is INTENTIONALLY excluded — it writes by definition, even
+    // в protected paths (`tee /etc/...` is already in DESTRUCTIVE_PATTERNS).
+    'jq',
+    'yq',
+    'column',
 ]);
 const READ_PREFIXES = [
     'git status',
@@ -418,6 +515,16 @@ const WRITE_WORKSPACE_PREFIXES = [
     'git tag',
     'git rebase',
     'git merge',
+    // P0 fix 2026-05-29 (#37 CRITICAL): file-permission ops are common
+    // в build scripts (`chmod +x build.sh`, `chown $USER file`). The
+    // destructive variants (`chmod 777 /`, `chmod -R 777 /`, `chmod -R
+    // 777 ~`, `chown -R root /`, `chown -R / ...`) are pre-empted by
+    // DESTRUCTIVE_PATTERNS which runs BEFORE this list — safe to add
+    // here for the non-destructive path. detectProtectedWrite's `\bchmod\b`
+    // / `\bchown\b` regex also catches writes into protected paths
+    // regardless of this list.
+    'chmod ',
+    'chown ',
 ];
 /**
  * Protected-write triggers. If a command writes to any of these paths
@@ -636,6 +743,25 @@ function classifyComponent(cmd, ctx) {
     if (trimmed === 'make' || trimmed.startsWith('make ')) {
         return { class: 'build_test', reason: 'make runner', matched: 'make' };
     }
+    // 7c. Operator-override safe tokens (P0 fix 2026-05-29 #37).
+    // `PUGI_CLASSIFIER_EXTRA_SAFE=tool1,tool2,...` extends the BUILD_TEST
+    // first-token list at runtime. This is a security-sensitive escape
+    // hatch — operators can add their custom build tools without a
+    // recompile. Destructive patterns ALREADY ran above (step 1) so this
+    // cannot whitelist `rm`, `mkfs`, `git push --force`, etc. The match
+    // is strict first-token equality — not substring — and the env var
+    // is read fresh on every classify call so tests can mutate it.
+    const extraSafe = readExtraSafeTokens();
+    if (extraSafe.size > 0) {
+        const firstTokenForExtraSafe = trimmed.split(/\s+/)[0] ?? '';
+        if (extraSafe.has(firstTokenForExtraSafe)) {
+            return {
+                class: 'build_test',
+                reason: `PUGI_CLASSIFIER_EXTRA_SAFE override: ${firstTokenForExtraSafe}`,
+                matched: firstTokenForExtraSafe,
+            };
+        }
+    }
     // 7c. Bare `cd <path>` (inside workspace — the cwd-escape detector
     // upgrades the class to write_protected when the target is
     // outside). Standalone `cd` (HOME) is escape, also handled by the
@@ -756,6 +882,40 @@ function nestingDepth(cmd, open, close) {
 function escapeRegex(s) {
     return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 }
+/**
+ * Operator-override safe tokens. Read from `PUGI_CLASSIFIER_EXTRA_SAFE`
+ * (comma-separated). Allows operators to extend the BUILD_TEST first-
+ * token list at runtime for site-specific tooling без recompile.
+ *
+ * Security note: destructive substring patterns run BEFORE this gate
+ * (step 1 in classifyComponent), so this cannot whitelist `rm`, `mkfs`,
+ * `git push --force`, etc. The env var only adds tools to the benign
+ * build_test class. Invalid entries (empty strings, тokens containing
+ * shell metas) are silently dropped to avoid surprising classifications.
+ *
+ * Read fresh on every call so per-test mutations work и so operators
+ * can update without restarting the agent loop. The cost (one env var
+ * read + Set construction per call) is negligible for the classifier's
+ * call frequency.
+ */
+function readExtraSafeTokens() {
+    const raw = process.env.PUGI_CLASSIFIER_EXTRA_SAFE;
+    if (!raw || raw.trim() === '')
+        return new Set();
+    const tokens = new Set();
+    for (const candidate of raw.split(',')) {
+        const trimmed = candidate.trim();
+        if (trimmed === '')
+            continue;
+        // Reject anything containing shell metas or whitespace — only bare
+        // tool names allowed. Defends against accidental
+        // `PUGI_CLASSIFIER_EXTRA_SAFE='rm -rf /'` smuggling.
+        if (/[\s;|&<>$`(){}\[\]'"\\]/.test(trimmed))
+            continue;
+        tokens.add(trimmed);
+    }
+    return tokens;
+}
 function detectProtectedWrite(cmd, ctx) {
     // Surface every write target this command produces so we can both
     // protected-path-check and outside-workspace-check them uniformly.

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.47');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.48');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.47",
+  "version": "0.1.0-beta.48",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -55,7 +55,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.47"
+    "@pugi/sdk": "0.1.0-beta.48"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",