@pugi/cli 0.1.0-beta.47 → 0.1.0-beta.49

package/dist/core/bash-classifier.js

@@ -346,6 +346,93 @@ const BUILD_TEST_PREFIXES = [
     'tsc -p',
     'eslint',
     'prettier --check',
+    // P0 fix 2026-05-29 (#37 CRITICAL): customer-blocking gap surfaced
+    // during dogfood. Engine emitted `chmod +x build.sh`, `node script.js`,
+    // `python3 -m pytest`, `git status`, `pnpm build`, `docker ps`, etc.
+    // and the classifier returned `unknown` → permission matrix denied
+    // в bypassPermissions mode (which the customer expected to auto-allow
+    // basic dev tools). Customers could not run ANY real build/test/git
+    // workflow through Pugi.
+    //
+    // The prefixes below cover three classes of developer tooling that
+    // are always allowed in `auto`/`dontAsk`/`bypassPermissions` modes,
+    // `ask` in interactive modes, and `deny` in `plan` (read-only) mode:
+    //   - Language runtimes: `node`, `python`, `python3`, `ruby`, etc.
+    //   - Native build chains: `gcc`, `clang`, `cmake`, `rustc`, etc.
+    //   - Container/k8s read-class: `docker ps/inspect/logs`, `kubectl get`.
+    //
+    // Destructive variants are already gated upstream by DESTRUCTIVE_PATTERNS
+    // (e.g. `docker system prune`, `kubectl delete --all`). The first-token
+    // gate in classifyComponent runs THIS list before the unknown fallback.
+    //
+    // Language runtime invocations (first-token match, with or without args).
+    'node',
+    'python',
+    'python3',
+    'ruby',
+    'perl',
+    'php',
+    'deno',
+    'bun',
+    'tsx',
+    'ts-node',
+    // Native build chains.
+    'gcc',
+    'g++',
+    'clang',
+    'clang++',
+    'cmake',
+    'rustc',
+    'javac',
+    'java',
+    // Container/k8s read-class (the destructive subcommands are pre-empted
+    // by DESTRUCTIVE_PATTERNS: `docker system prune`, `kubectl delete --all`,
+    // `kubectl delete namespace`).
+    'docker ps',
+    'docker images',
+    'docker inspect',
+    'docker logs',
+    'docker version',
+    'docker info',
+    'docker exec',
+    'docker run',
+    'docker stop',
+    'docker start',
+    'docker restart',
+    'docker rm',
+    'docker rmi',
+    'docker build',
+    'docker tag',
+    'docker compose',
+    'docker-compose',
+    'kubectl get',
+    'kubectl describe',
+    'kubectl logs',
+    'kubectl exec',
+    'kubectl apply',
+    'kubectl create',
+    'kubectl rollout',
+    'kubectl port-forward',
+    'kubectl config',
+    // Git read+write surface (network ops already handled by NETWORK_PREFIXES;
+    // destructive ops `reset --hard`/`clean -fdx`/`push --force` blocked above).
+    // Note: WRITE_WORKSPACE_PREFIXES already covers `git commit/add/checkout/...`.
+    // These entries handle plain `git rev-list`, `git cherry-pick`, `git worktree`,
+    // `git submodule`, etc that customer scripts commonly invoke.
+    'git rev-list',
+    'git cherry-pick',
+    'git worktree',
+    'git submodule',
+    'git blame',
+    'git describe',
+    'git tag --list',
+    'git tag -l',
+    'git for-each-ref',
+    'git ls-remote',
+    // gh CLI (GitHub). `gh repo delete` / `gh release delete` reach into
+    // network operations but are non-destructive for the local workspace.
+    // Permission matrix asks before allowing in auto.
+    'gh',
 ];
 /** Single-token read-only commands. Argument-free entries match exact. */
 const READ_TOKENS = new Set([
@@ -384,6 +471,16 @@ const READ_TOKENS = new Set([
     'cut',
     'sort',
     'uniq',
+    // P0 fix 2026-05-29 (#37 CRITICAL): structured-data inspection tools
+    // are pure stdin/stdout transformers (no FS write, no network) when
+    // не paired с `>` redirection (the redirection branch above promotes
+    // к write_workspace independently). Common в dev scripts for parsing
+    // package.json, tsconfig.json, Helm values.yaml, etc.
+    // `tee` is INTENTIONALLY excluded — it writes by definition, even
+    // в protected paths (`tee /etc/...` is already in DESTRUCTIVE_PATTERNS).
+    'jq',
+    'yq',
+    'column',
 ]);
 const READ_PREFIXES = [
     'git status',
@@ -418,6 +515,16 @@ const WRITE_WORKSPACE_PREFIXES = [
     'git tag',
     'git rebase',
     'git merge',
+    // P0 fix 2026-05-29 (#37 CRITICAL): file-permission ops are common
+    // в build scripts (`chmod +x build.sh`, `chown $USER file`). The
+    // destructive variants (`chmod 777 /`, `chmod -R 777 /`, `chmod -R
+    // 777 ~`, `chown -R root /`, `chown -R / ...`) are pre-empted by
+    // DESTRUCTIVE_PATTERNS which runs BEFORE this list — safe to add
+    // here for the non-destructive path. detectProtectedWrite's `\bchmod\b`
+    // / `\bchown\b` regex also catches writes into protected paths
+    // regardless of this list.
+    'chmod ',
+    'chown ',
 ];
 /**
  * Protected-write triggers. If a command writes to any of these paths
@@ -636,6 +743,25 @@ function classifyComponent(cmd, ctx) {
     if (trimmed === 'make' || trimmed.startsWith('make ')) {
         return { class: 'build_test', reason: 'make runner', matched: 'make' };
     }
+    // 7c. Operator-override safe tokens (P0 fix 2026-05-29 #37).
+    // `PUGI_CLASSIFIER_EXTRA_SAFE=tool1,tool2,...` extends the BUILD_TEST
+    // first-token list at runtime. This is a security-sensitive escape
+    // hatch — operators can add their custom build tools without a
+    // recompile. Destructive patterns ALREADY ran above (step 1) so this
+    // cannot whitelist `rm`, `mkfs`, `git push --force`, etc. The match
+    // is strict first-token equality — not substring — and the env var
+    // is read fresh on every classify call so tests can mutate it.
+    const extraSafe = readExtraSafeTokens();
+    if (extraSafe.size > 0) {
+        const firstTokenForExtraSafe = trimmed.split(/\s+/)[0] ?? '';
+        if (extraSafe.has(firstTokenForExtraSafe)) {
+            return {
+                class: 'build_test',
+                reason: `PUGI_CLASSIFIER_EXTRA_SAFE override: ${firstTokenForExtraSafe}`,
+                matched: firstTokenForExtraSafe,
+            };
+        }
+    }
     // 7c. Bare `cd <path>` (inside workspace — the cwd-escape detector
     // upgrades the class to write_protected when the target is
     // outside). Standalone `cd` (HOME) is escape, also handled by the
@@ -756,6 +882,40 @@ function nestingDepth(cmd, open, close) {
 function escapeRegex(s) {
     return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 }
+/**
+ * Operator-override safe tokens. Read from `PUGI_CLASSIFIER_EXTRA_SAFE`
+ * (comma-separated). Allows operators to extend the BUILD_TEST first-
+ * token list at runtime for site-specific tooling без recompile.
+ *
+ * Security note: destructive substring patterns run BEFORE this gate
+ * (step 1 in classifyComponent), so this cannot whitelist `rm`, `mkfs`,
+ * `git push --force`, etc. The env var only adds tools to the benign
+ * build_test class. Invalid entries (empty strings, тokens containing
+ * shell metas) are silently dropped to avoid surprising classifications.
+ *
+ * Read fresh on every call so per-test mutations work и so operators
+ * can update without restarting the agent loop. The cost (one env var
+ * read + Set construction per call) is negligible for the classifier's
+ * call frequency.
+ */
+function readExtraSafeTokens() {
+    const raw = process.env.PUGI_CLASSIFIER_EXTRA_SAFE;
+    if (!raw || raw.trim() === '')
+        return new Set();
+    const tokens = new Set();
+    for (const candidate of raw.split(',')) {
+        const trimmed = candidate.trim();
+        if (trimmed === '')
+            continue;
+        // Reject anything containing shell metas or whitespace — only bare
+        // tool names allowed. Defends against accidental
+        // `PUGI_CLASSIFIER_EXTRA_SAFE='rm -rf /'` smuggling.
+        if (/[\s;|&<>$`(){}\[\]'"\\]/.test(trimmed))
+            continue;
+        tokens.add(trimmed);
+    }
+    return tokens;
+}
 function detectProtectedWrite(cmd, ctx) {
     // Surface every write target this command produces so we can both
     // protected-path-check and outside-workspace-check them uniformly.

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.47');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.49');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/dist/tui/repl.js

@@ -108,17 +108,20 @@ export function Repl(props) {
             setSplashVisible(false);
         }
     }, [splashVisible, state.agents.length, state.transcript.length]);
-    // CEO P0 #2 (2026-05-29): same dismissal contract for the welcome
-    // banner. The banner is the "boot card" — once any agent fires or
-    // the transcript gains а row, the banner clears так the conversation
-    // pane owns the vertical real estate.
+    // CEO P0 #2 (2026-05-29) v2: welcome banner stays until the operator
+    // actively engages the loop — first agent spawn. Boot-time auto-init
+    // emits system rows into `state.transcript` (skip-trust hints, dirty
+    // tree warnings) which used к dismiss the banner within ~2s, hiding
+    // the brand mascot before the operator could read it. Drop the
+    // `transcript.length` trigger; agent spawn (= real dispatch) remains
+    // the sole signal that the operator stopped reading the banner.
     useEffect(() => {
         if (!welcomeVisible)
             return;
-        if (state.agents.length > 0 || state.transcript.length > 0) {
+        if (state.agents.length > 0) {
             setWelcomeVisible(false);
         }
-    }, [welcomeVisible, state.agents.length, state.transcript.length]);
+    }, [welcomeVisible, state.agents.length]);
     const personaNames = useMemo(() => buildPersonaNameMap(), []);
     const { exit } = useApp();
     const handleSubmit = useCallback((line) => {
@@ -255,7 +258,7 @@ export function Repl(props) {
     // input, and the input stays the sole focusable surface adjacent
     // to the cursor row, so all keystrokes route through it.
     const altScreenRows = process.stdout.rows ?? 24;
-    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, minHeight: altScreenRows, children: [props.updateBanner ? _jsx(UpdateBanner, { result: props.updateBanner }) : null, welcomeVisible && props.welcomeData ? (_jsx(WelcomeBanner, { data: props.welcomeData, mascotPrePrinted: props.mascotPrePrinted === true, autoInitStatus: props.autoInitStatus ?? null })) : null, splashVisible ? (_jsx(ReplSplash, { cliVersion: state.cliVersion, workspaceLabel: state.workspaceLabel, plan: props.splashPlan, model: props.splashModel, tenant: props.splashTenant, onDismiss: dismissSplash, mascotPrePrinted: props.mascotPrePrinted === true })) : null, _jsx(Header, { state: state }), _jsx(Box, { flexDirection: "column", marginTop: 1, flexGrow: 1, justifyContent: "flex-end", children: overlay === 'help' ? (_jsx(HelpOverlay, {})) : overlay === 'roster' ? (_jsx(RosterOverlay, {})) : overlay === 'farewell' ? (_jsx(FarewellOverlay, {})) : (_jsx(MainArea, { state: state, personaNames: personaNames, nowEpochMs: tickNow, hideToolStream: props.hideToolStream === true, toolStreamCollapsed: toolStreamCollapsed })) }), state.pendingAsk ? (_jsx(Box, { marginTop: 1, children: _jsx(AskModal, { tag: state.pendingAsk, onResolve: handleAskResolve }) })) : null, state.pendingPlanReview ? (_jsx(Box, { marginTop: 1, children: _jsx(PlanReviewModal, { tag: state.pendingPlanReview, onResolve: handlePlanReviewResolve }) })) : null, _jsxs(Box, { flexDirection: "column", marginTop: 1, children: [overlay === 'farewell' || modalActive ? null : (_jsx(InputBox, { onSubmit: handleSubmit, onExit: handleExit, onCancel: handleCancel, onWalkback: handleWalkback, onCyclePermissionMode: handleCyclePermissionMode, now: props.now, 
+    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, minHeight: altScreenRows, children: [welcomeVisible && props.welcomeData ? (_jsx(WelcomeBanner, { data: props.welcomeData, mascotPrePrinted: props.mascotPrePrinted === true, autoInitStatus: props.autoInitStatus ?? null })) : null, splashVisible ? (_jsx(ReplSplash, { cliVersion: state.cliVersion, workspaceLabel: state.workspaceLabel, plan: props.splashPlan, model: props.splashModel, tenant: props.splashTenant, onDismiss: dismissSplash, mascotPrePrinted: props.mascotPrePrinted === true })) : null, _jsx(Header, { state: state }), _jsx(Box, { flexDirection: "column", marginTop: 1, flexGrow: 1, justifyContent: "flex-end", children: overlay === 'help' ? (_jsx(HelpOverlay, {})) : overlay === 'roster' ? (_jsx(RosterOverlay, {})) : overlay === 'farewell' ? (_jsx(FarewellOverlay, {})) : (_jsx(MainArea, { state: state, personaNames: personaNames, nowEpochMs: tickNow, hideToolStream: props.hideToolStream === true, toolStreamCollapsed: toolStreamCollapsed })) }), state.pendingAsk ? (_jsx(Box, { marginTop: 1, children: _jsx(AskModal, { tag: state.pendingAsk, onResolve: handleAskResolve }) })) : null, state.pendingPlanReview ? (_jsx(Box, { marginTop: 1, children: _jsx(PlanReviewModal, { tag: state.pendingPlanReview, onResolve: handlePlanReviewResolve }) })) : null, _jsxs(Box, { flexDirection: "column", marginTop: 1, children: [overlay === 'farewell' || modalActive ? null : (_jsx(InputBox, { onSubmit: handleSubmit, onExit: handleExit, onCancel: handleCancel, onWalkback: handleWalkback, onCyclePermissionMode: handleCyclePermissionMode, now: props.now, 
                         // Slug from process.cwd() (full path) so two workspaces with
                         // the same basename do not share history. state.workspaceLabel
                         // is the basename only. Codex review P2.
@@ -263,7 +266,7 @@ export function Repl(props) {
                         // α7 cost-meter sprint — surface accumulated session totals
                         // + per-turn delta flash on the status bar's top row. The
                         // session module owns accumulation; the bar is a pure render.
-                        sessionTokensIn: state.sessionTokensIn, sessionTokensOut: state.sessionTokensOut, sessionCostUsd: state.sessionCostUsd, sessionStartedAtEpochMs: state.sessionStartedAtEpochMs, lastTurnDelta: state.lastTurnDelta })] })] }));
+                        sessionTokensIn: state.sessionTokensIn, sessionTokensOut: state.sessionTokensOut, sessionCostUsd: state.sessionCostUsd, sessionStartedAtEpochMs: state.sessionStartedAtEpochMs, lastTurnDelta: state.lastTurnDelta }), props.updateBanner ? _jsx(UpdateBanner, { result: props.updateBanner }) : null] })] }));
 }
 function Header({ state }) {
     // Leak L30 (2026-05-27): the header `.io` brand accent + connection

package/dist/tui/update-banner.js

@@ -13,6 +13,13 @@ export function resolveDisplayedLatest(npmLatest, serverRecommended) {
         ? serverRecommended
         : npmLatest;
 }
+/**
+ * Claude-Code-style corner banner: single line, dim orange, right
+ * aligned. Renders to the bottom of the REPL frame so it never
+ * displaces conversation content. Only mounts when an update is
+ * actually available; identical to no-op when the registry poll
+ * reports current. Suppress with `PUGI_SKIP_UPDATE_BANNER=1`.
+ */
 export function UpdateBanner({ result }) {
     const command = upgradeCommand(result.method);
     // Read the cache lazily inside the render so a server response that
@@ -21,6 +28,6 @@ export function UpdateBanner({ result }) {
     // do per render.
     const serverRecommended = getCachedServerRecommendation();
     const displayedLatest = resolveDisplayedLatest(result.latest, serverRecommended);
-    return (_jsxs(Box, { flexDirection: "column", marginBottom: 1, children: [_jsxs(Box, { children: [_jsx(Text, { dimColor: true, children: '─ ' }), _jsx(Text, { bold: true, color: "#3da9fc", children: 'Pugi ' }), _jsx(Text, { children: result.installed }), _jsx(Text, { dimColor: true, children: ' (installed) → ' }), _jsx(Text, { bold: true, children: displayedLatest }), _jsx(Text, { dimColor: true, children: ' (latest)' })] }), _jsxs(Box, { children: [_jsx(Text, { dimColor: true, children: '  Update: ' }), _jsx(Text, { color: "#3da9fc", children: command })] }), _jsx(Box, { children: _jsx(Text, { dimColor: true, children: '  Skip with PUGI_SKIP_UPDATE_BANNER=1' }) })] }));
+    return (_jsx(Box, { justifyContent: "flex-end", children: _jsxs(Text, { color: "#d97706", children: [_jsx(Text, { dimColor: true, children: 'Update available! ' }), _jsx(Text, { dimColor: true, children: `v${displayedLatest} — Run: ` }), _jsx(Text, { bold: true, children: command })] }) }));
 }
 //# sourceMappingURL=update-banner.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.47",
+  "version": "0.1.0-beta.49",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -55,7 +55,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.47"
+    "@pugi/sdk": "0.1.0-beta.49"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",