@pugi/cli 0.1.0-beta.53 → 0.1.0-beta.54

package/dist/core/context/markdown-loader.js

@@ -26,22 +26,40 @@ export const MAX_TOTAL_BYTES = 64 * 1024;
 /**
  * Source filenames we look for at the workspace root. Order matters:
  * PUGI.md is the canonical Pugi-native file; AGENTS.md is the
- * cross-CLI compatibility shim used by other agentic CLIs.
+ * cross-CLI compatibility shim used by other agentic CLIs; CLAUDE.md
+ * is the Claude Code drop-in compat shim (Wave 7 #20, 2026-05-29) —
+ * operators migrating from CC routinely keep a workspace-root
+ * `CLAUDE.md` documenting project conventions, and we pick it up so
+ * Pugi sees the same ambient guidance without a manual rename.
+ *
+ * All three files are loaded when present (no "first one wins"
+ * dropdown). Each entry is HTML-stripped + @import-expanded + capped
+ * against the shared 64 KB budget. Pugi's precedence convention is
+ * "shown last = highest specificity"; PUGI.md / AGENTS.md / CLAUDE.md
+ * each have a stable position in this list so the context builder's
+ * render order is deterministic.
  */
-export const MARKDOWN_SOURCES = ['PUGI.md', 'AGENTS.md'];
+export const MARKDOWN_SOURCES = ['PUGI.md', 'AGENTS.md', 'CLAUDE.md'];
 /**
  * Load PUGI.md + AGENTS.md from `workspaceRoot`. Either or both may be
  * absent. Returns the combined load result with per-file detail plus a
  * flat list of warnings (best-effort: a missing file is a warning, not
  * an error).
  */
-export async function loadMarkdownContext(workspaceRoot) {
+export async function loadMarkdownContext(workspaceRoot, env = process.env) {
     const warnings = [];
     const loaded = [];
     let budgetRemaining = MAX_TOTAL_BYTES;
     const visited = new Set();
     const absRoot = resolve(workspaceRoot);
-    for (const source of MARKDOWN_SOURCES) {
+    // Wave 7 #20 (2026-05-29): allow operators to opt OUT of CLAUDE.md
+    // ingest via `PUGI_CC_COMPAT_DISABLE=1`. PUGI.md / AGENTS.md remain
+    // loaded — they are Pugi-native surfaces, not CC compat shims.
+    const ccCompatDisabled = env.PUGI_CC_COMPAT_DISABLE === '1';
+    const activeSources = ccCompatDisabled
+        ? MARKDOWN_SOURCES.filter((s) => s !== 'CLAUDE.md')
+        : MARKDOWN_SOURCES;
+    for (const source of activeSources) {
         const candidate = resolve(absRoot, source);
         if (!existsSync(candidate)) {
             warnings.push({

package/dist/core/format/osc8-link.js

@@ -0,0 +1,28 @@
+/**
+ * OSC 8 hyperlink helpers — turns workspace-relative file paths into
+ * clickable links in modern terminals (iTerm2, kitty, Windows Terminal,
+ * VS Code integrated terminal, Alacritty, WezTerm). Dumb terminals and
+ * pipes ignore the escape sequence and render only the visible label.
+ *
+ * CEO P2 #38 — Wave 7 artifact linking. Triggers ONLY when:
+ *   - stdout is a TTY
+ *   - PUGI_ARTIFACT_LINKS_DISABLE !== '1'
+ *   - NO_COLOR is not set
+ */
+import { resolve, isAbsolute } from 'node:path';
+import { pathToFileURL } from 'node:url';
+const ESC = '';
+export function linkArtifact(pathRel, opts) {
+    const env = opts.env ?? process.env;
+    const tty = opts.isTty ?? process.stdout.isTTY ?? false;
+    if (!tty)
+        return pathRel;
+    if (env['PUGI_ARTIFACT_LINKS_DISABLE'] === '1')
+        return pathRel;
+    if (env['NO_COLOR'] && env['NO_COLOR'].length > 0)
+        return pathRel;
+    const abs = isAbsolute(pathRel) ? pathRel : resolve(opts.workspaceRoot, pathRel);
+    const url = pathToFileURL(abs).href;
+    return `${ESC}]8;;${url}${ESC}\\${pathRel}${ESC}]8;;${ESC}\\`;
+}
+//# sourceMappingURL=osc8-link.js.map

package/dist/core/settings.js

@@ -128,12 +128,175 @@ const pugiSettingsSchema = z.object({
     })
         .optional(),
 });
-export function loadSettings(root) {
+/**
+ * Wave 7 #20 (2026-05-29) — Claude Code drop-in compat ingest.
+ *
+ * Operators migrating from Claude Code typically keep a `.claude/`
+ * directory at workspace root with settings.json, slash commands,
+ * and ambient guidance files. We honour the existence of that
+ * directory and mirror the subset of keys that map cleanly onto
+ * Pugi's own settings surface — Pugi values ALWAYS win on conflict
+ * (the operator opted into Pugi as their primary), CC fills gaps.
+ *
+ * Opt-out: `PUGI_CC_COMPAT_DISABLE=1` short-circuits the merger and
+ * loads only `.pugi/settings.json` (or the empty default).
+ *
+ * Key mirror table:
+ *   - `permissions.defaultMode` → `permissions.mode`
+ *     (CC values map: `acceptEdits|plan|bypassPermissions|default` →
+ *      `acceptEdits|plan|bypassPermissions|ask`).
+ *   - `permissions.allow` → `permissions.allow` (concatenated, deduped).
+ *   - `permissions.deny`  → `permissions.deny`  (concatenated, deduped).
+ *   - `enabledPlugins`    → ignored (CC-only concept; Pugi has its own
+ *      plugin surface and we do not want to silently activate them).
+ *   - `hooks`             → currently ignored. Pugi's hook system is
+ *      managed via `apps/pugi-cli/src/core/hooks/`; future work can
+ *      wire CC hook entries through that bridge.
+ *
+ * Unknown CC keys are dropped on the floor by Zod's strip semantics
+ * just like the existing PUGI settings path — we never warn on
+ * unrecognised CC keys, because the CC surface is wider and we want
+ * fallthrough to be silent (operator does not need a stream of "we
+ * skipped this CC concept" warnings on every CLI invocation).
+ */
+const ccPermissionsSchema = z
+    .object({
+    defaultMode: z.string().optional(),
+    allow: z.array(z.string()).optional(),
+    deny: z.array(z.string()).optional(),
+})
+    .passthrough()
+    .optional();
+const ccSettingsSchema = z
+    .object({
+    permissions: ccPermissionsSchema,
+    enabledPlugins: z.unknown().optional(),
+    hooks: z.unknown().optional(),
+})
+    .passthrough();
+/**
+ * Env var that disables CC compat ingest entirely. Useful for CI
+ * sandboxes where a stray `.claude/` from a parent checkout could
+ * otherwise leak permissions into Pugi.
+ */
+export const CC_COMPAT_DISABLE_ENV = 'PUGI_CC_COMPAT_DISABLE';
+/**
+ * Map a CC `permissions.defaultMode` to the closest Pugi permission
+ * mode. Unknown / missing values map to `undefined` so the caller
+ * keeps Pugi's own default.
+ *
+ * CC's `default` mode = "ask the user for each tool" which is Pugi's
+ * `ask` mode. `acceptEdits` / `plan` / `bypassPermissions` map 1:1.
+ */
+export function mapCcPermissionMode(mode) {
+    if (typeof mode !== 'string')
+        return undefined;
+    switch (mode) {
+        case 'acceptEdits':
+            return 'acceptEdits';
+        case 'plan':
+            return 'plan';
+        case 'bypassPermissions':
+            return 'bypassPermissions';
+        case 'default':
+            return 'ask';
+        default:
+            return undefined;
+    }
+}
+/**
+ * Merge a parsed CC settings object into a Pugi settings object.
+ * Pugi ALWAYS wins on conflict; CC values fill gaps only.
+ */
+export function mergeCcIntoPugi(pugi, cc, opts) {
+    const merged = {
+        ...pugi,
+        permissions: { ...pugi.permissions },
+    };
+    const pugiWroteMode = pugiPermissionKeyPresent(opts.pugiRawJson, 'mode');
+    if (!pugiWroteMode) {
+        const ccMode = mapCcPermissionMode(cc.permissions?.defaultMode);
+        if (ccMode)
+            merged.permissions.mode = ccMode;
+    }
+    if (Array.isArray(cc.permissions?.allow)) {
+        merged.permissions.allow = dedupeKeepFirst([
+            ...pugi.permissions.allow,
+            ...cc.permissions.allow,
+        ]);
+    }
+    if (Array.isArray(cc.permissions?.deny)) {
+        merged.permissions.deny = dedupeKeepFirst([
+            ...pugi.permissions.deny,
+            ...cc.permissions.deny,
+        ]);
+    }
+    // `enabledPlugins` and `hooks` are intentionally NOT mirrored. See
+    // the doc-block above for rationale.
+    void opts.pugiSettingsExisted;
+    return merged;
+}
+function pugiPermissionKeyPresent(raw, key) {
+    if (!raw || typeof raw !== 'object')
+        return false;
+    const permissions = raw.permissions;
+    if (!permissions || typeof permissions !== 'object')
+        return false;
+    return Object.prototype.hasOwnProperty.call(permissions, key);
+}
+function dedupeKeepFirst(items) {
+    const seen = new Set();
+    const out = [];
+    for (const item of items) {
+        if (seen.has(item))
+            continue;
+        seen.add(item);
+        out.push(item);
+    }
+    return out;
+}
+/**
+ * Read + parse `.claude/settings.json` at `root`. Returns `undefined`
+ * when the file is absent, malformed, or the operator has opted out
+ * via `PUGI_CC_COMPAT_DISABLE=1`. Never throws — a broken CC settings
+ * file degrades to "no CC compat ingest", not a Pugi boot crash.
+ */
+export function loadCcSettings(root, env = process.env) {
+    if (env[CC_COMPAT_DISABLE_ENV] === '1')
+        return undefined;
+    const ccPath = resolve(root, '.claude/settings.json');
+    if (!existsSync(ccPath))
+        return undefined;
+    let parsed;
+    try {
+        parsed = JSON.parse(readFileSync(ccPath, 'utf8'));
+    }
+    catch {
+        return undefined;
+    }
+    const result = ccSettingsSchema.safeParse(parsed);
+    if (!result.success)
+        return undefined;
+    return result.data;
+}
+export function loadSettings(root, env = process.env) {
     const settingsPath = resolve(root, '.pugi/settings.json');
-    if (!existsSync(settingsPath)) {
-        return pugiSettingsSchema.parse({});
+    const pugiExists = existsSync(settingsPath);
+    let pugiRawJson = undefined;
+    let pugi;
+    if (pugiExists) {
+        pugiRawJson = JSON.parse(readFileSync(settingsPath, 'utf8'));
+        pugi = pugiSettingsSchema.parse(pugiRawJson);
+    }
+    else {
+        pugi = pugiSettingsSchema.parse({});
     }
-    const parsed = JSON.parse(readFileSync(settingsPath, 'utf8'));
-    return pugiSettingsSchema.parse(parsed);
+    const cc = loadCcSettings(root, env);
+    if (!cc)
+        return pugi;
+    return mergeCcIntoPugi(pugi, cc, {
+        pugiSettingsExisted: pugiExists,
+        pugiRawJson,
+    });
 }
 //# sourceMappingURL=settings.js.map

package/dist/runtime/cli.js

@@ -5,6 +5,7 @@ import { realpathSync, statSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { dirname, relative, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { linkArtifact } from '../core/format/osc8-link.js';
 import { AnvilEngineLoopClient } from '../core/engine/anvil-client.js';
 import { NativePugiEngineAdapter } from '../core/engine/native-pugi.js';
 import { loadMcpRegistry } from '../core/mcp/registry.js';
@@ -4663,10 +4664,46 @@ function runEngineTask(kind) {
         });
         const toolCallId = recordToolCall(session, `engine:${adapter.name}`, `${label}: ${prompt}`);
         const taskId = `${kind}-${Date.now()}`;
+        // CEO P1 #25 (2026-05-29) — Ctrl+C interrupt for non-REPL
+        // dispatch (CC parity). Before this fix, SIGINT on `pugi code "..."`
+        // killed the whole CLI process so the operator could not abort a
+        // single bad turn without losing the session. We now:
+        //   1. Bind an AbortController to the engine run so the first
+        //      Ctrl+C aborts THIS dispatch (the engine loop already
+        //      honours `ctx.signal` — see EngineContext in @pugi/sdk).
+        //   2. Count presses: a second Ctrl+C within 2s falls through к
+        //      the legacy "hard exit" so the operator always has an
+        //      escape hatch (mirrors the REPL InputBox "press again к
+        //      exit" pattern).
+        //   3. Restore Node's default SIGINT semantics in the `finally`
+        //      block so successive engine runs (e.g. within tests that
+        //      iterate runEngineTask) each see a fresh handler.
+        const abortController = new AbortController();
+        const SIGINT_DOUBLE_PRESS_WINDOW_MS = 2000;
+        let firstSigintAt = null;
+        const onSigint = () => {
+            const now = Date.now();
+            if (firstSigintAt !== null && now - firstSigintAt <= SIGINT_DOUBLE_PRESS_WINDOW_MS) {
+                // Second press within the window — hard exit. Mirrors the
+                // shell convention (^C ^C = give up) so the operator never
+                // gets stuck on a runaway engine.
+                process.stderr.write(`\npugi ${label}: interrupted (hard exit on ^C^C).\n`);
+                process.exit(130);
+            }
+            firstSigintAt = now;
+            if (!abortController.signal.aborted) {
+                process.stderr.write(`\npugi ${label}: aborting current turn (press ^C again to exit).\n`);
+                abortController.abort();
+            }
+        };
+        process.on('SIGINT', onSigint);
         // β4 r2 P1 #3 — try/finally so loaded MCP child processes are
         // reaped regardless of run outcome (success, blocked, failed,
-        // thrown). The shutdown is best-effort; we never want a stuck
-        // MCP server to mask a successful Pugi run.
+        // thrown). Triple-review P1 (#725): the try now wraps BOTH the
+        // adapter.run() call и the iteration, so a sync throw from
+        // adapter.run() still hits the SIGINT-detach + MCP-cleanup
+        // finally block. Before this fix a sync throw would have leaked
+        // the SIGINT listener (10+ runs → MaxListenersExceededWarning).
         try {
             const events = adapter.run({
                 id: taskId,
@@ -4680,7 +4717,7 @@ function runEngineTask(kind) {
                 // executor refusal sentinel). The permission mode here is the
                 // workspace-level toggle and is unchanged from interactive default.
                 permissionMode: 'auto',
-            }, { sessionId: session.id });
+            }, { sessionId: session.id, signal: abortController.signal });
             const statusEvents = [];
             let result = null;
             for await (const event of events) {
@@ -4896,8 +4933,13 @@ function runEngineTask(kind) {
             textLines.push(`Summary: ${result.summary}`);
             if (result.filesChanged.length > 0) {
                 textLines.push(`Files modified (${result.filesChanged.length}):`);
-                for (const file of result.filesChanged)
-                    textLines.push(`  - ${file}`);
+                // CEO P2 #38 (Wave 7 artifact linking): emit each file as an OSC 8
+                // hyperlink so modern terminals (iTerm2, kitty, VS Code, Windows
+                // Terminal, Alacritty, WezTerm) let the operator click straight
+                // into the file. Falls back to plain text on dumb terminals / CI.
+                for (const file of result.filesChanged) {
+                    textLines.push(`  - ${linkArtifact(file, { workspaceRoot: process.cwd() })}`);
+                }
             }
             else if (kind !== 'explain' && kind !== 'plan') {
                 textLines.push('Files modified: none');
@@ -4925,6 +4967,13 @@ function runEngineTask(kind) {
             writeOutput(flags, payload, textLines.join('\n'));
         }
         finally {
+            // CEO P1 #25 — detach the per-run SIGINT handler so a second
+            // engine run from the same process (tests, scripts iterating
+            // `runEngineTask`, future REPL non-watch dispatches) starts
+            // with a fresh press counter and does NOT pile up listeners
+            // on the process object (Node prints
+            // `MaxListenersExceededWarning` at 10).
+            process.off('SIGINT', onSigint);
             // β4 r2 P1 #3 — tear down live MCP child processes BEFORE the
             // CLI exits. shutdown() is idempotent and swallows per-server
             // disconnect errors, so it is safe even if no servers connected.

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.53');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.54');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/dist/tools/bash.js

@@ -85,6 +85,7 @@ export async function bashTool(input, ctx) {
             nextCwd: ctx.lastBashCwd ?? ctx.root,
             truncated: false,
             timedOut: false,
+            cancelled: false,
         };
     }
     // Permission gate via the new class-aware engine.
@@ -119,6 +120,25 @@ export async function bashTool(input, ctx) {
             nextCwd: ctx.lastBashCwd ?? ctx.root,
             truncated: false,
             timedOut: false,
+            cancelled: false,
+        };
+    }
+    // CEO P1 #25 (2026-05-29) — pre-spawn cancellation check. Fires
+    // AFTER the permission gate so a cancelled brief never reaches
+    // /bin/sh even when the command would have been allowed. Mirrors
+    // the `gateOnCancellation` pattern from file-tools.ts.
+    if (ctx.cancellation?.isAborted === true) {
+        const reason = 'operator_aborted: bash refused before spawn';
+        emitEvent(ctx.session, 'bash.cancelled', { cmd, phase: 'pre_spawn' });
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        return {
+            stdout: '',
+            stderr: reason,
+            exitCode: 130,
+            nextCwd: ctx.lastBashCwd ?? ctx.root,
+            truncated: false,
+            timedOut: false,
+            cancelled: true,
         };
     }
     // Background job branch.
@@ -147,6 +167,12 @@ export async function bashTool(input, ctx) {
     // before the timeout watchdog fires, we enforce a live ceiling
     // (BASH_LIVE_OUTPUT_CAP_BYTES) and SIGTERM the child when crossed.
     let truncatedMidStream = false;
+    // CEO P1 #25 (2026-05-29) — mid-stream operator cancellation. The
+    // listener registered against the CancellationToken below flips
+    // this flag and SIGTERMs the child. The close handler reads it to
+    // decide between `cancelled` (operator abort) and `timedOut`
+    // (watchdog).
+    let cancelledMidStream = false;
     const enforceLiveCap = () => {
         if (truncatedMidStream)
             return;
@@ -160,21 +186,88 @@ export async function bashTool(input, ctx) {
             // child already exited; the close handler will run
         }
     };
+    // CEO P1 #25 (2026-05-29) — live stream callback. When the REPL
+    // host wires `onStreamChunk`, we forward each stdout/stderr chunk
+    // in real time so the conversation pane / tool-stream pane paint
+    // bytes as they arrive instead of waiting for the child to exit.
+    // We invoke the callback inside a try/catch so a buggy sink
+    // (renderer crash, assertion error) never escalates to killing
+    // the bash dispatch. The buffered path below still captures the
+    // chunk so the model + audit trail stay consistent regardless of
+    // renderer health.
+    const onStreamChunk = ctx.onStreamChunk;
+    const emitStreamChunk = onStreamChunk
+        ? (stream, chunk) => {
+            try {
+                onStreamChunk({ stream, data: chunk.toString('utf8') });
+            }
+            catch {
+                // Sink crash — swallow.
+            }
+        }
+        : null;
     child.stdout?.on('data', (chunk) => {
-        if (truncatedMidStream)
+        if (truncatedMidStream || cancelledMidStream)
             return;
         stdoutChunks.push(chunk);
         stdoutBytes += chunk.length;
+        if (emitStreamChunk)
+            emitStreamChunk('stdout', chunk);
         enforceLiveCap();
     });
     child.stderr?.on('data', (chunk) => {
-        if (truncatedMidStream)
+        if (truncatedMidStream || cancelledMidStream)
             return;
         stderrChunks.push(chunk);
         stderrBytes += chunk.length;
+        if (emitStreamChunk)
+            emitStreamChunk('stderr', chunk);
         enforceLiveCap();
     });
+    // CEO P1 #25 — wire the cancellation token to SIGTERM. We track
+    // the detach handle so a successful run releases the listener
+    // instead of leaving it pinned to a long-lived REPL
+    // CancellationToken (same anti-leak pattern as
+    // native-pugi.ts:262).
+    let detachCancelListener;
+    if (ctx.cancellation && !ctx.cancellation.isAborted) {
+        const onAbort = () => {
+            if (cancelledMidStream)
+                return;
+            cancelledMidStream = true;
+            emitEvent(ctx.session, 'bash.cancelled', { cmd, phase: 'mid_stream' });
+            try {
+                child.kill('SIGTERM');
+            }
+            catch {
+                // child already exited; close handler will run
+            }
+            // SIGKILL escalation if the child does not honour SIGTERM
+            // within the grace window. Mirrors the timeout watchdog's
+            // two-phase shutdown.
+            setTimeout(() => {
+                if (child.exitCode !== null || child.signalCode !== null)
+                    return;
+                try {
+                    child.kill('SIGKILL');
+                }
+                catch {
+                    // gone between the check and the signal
+                }
+            }, BASH_SIGKILL_GRACE_MS).unref();
+        };
+        detachCancelListener = ctx.cancellation.onAbort(onAbort);
+    }
     const timeoutOutcome = await waitWithTimeout(child, timeoutMs);
+    // Detach the cancellation listener on completion so a long-lived
+    // REPL token does not retain a reference to the dead child + this
+    // closure.
+    if (detachCancelListener) {
+        try {
+            detachCancelListener();
+        }
+        catch { /* listener already drained */ }
+    }
     const stdoutFull = Buffer.concat(stdoutChunks).toString('utf8');
     const stderrFull = Buffer.concat(stderrChunks).toString('utf8');
     const combinedBytes = stdoutBytes + stderrBytes;
@@ -199,6 +292,25 @@ export async function bashTool(input, ctx) {
         stdoutOut = capToCombined(stdoutFull, stderrFull).stdout;
         stderrOut = capToCombined(stdoutFull, stderrFull).stderr;
     }
+    // CEO P1 #25 — cancellation wins races against timeout / cap
+    // overflow. The token already aborted by the time the close
+    // handler fires; we distinguish operator-driven termination from
+    // the watchdog so the REPL transcript reads "Aborted." rather
+    // than "Timed out."
+    if (cancelledMidStream) {
+        const reason = 'operator_aborted: bash killed mid-stream';
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        return {
+            stdout: stdoutOut,
+            stderr: stderrOut === '' ? reason : `${stderrOut}\n${reason}`,
+            exitCode: 130,
+            artifactRef,
+            nextCwd,
+            truncated,
+            timedOut: false,
+            cancelled: true,
+        };
+    }
     if (truncatedMidStream) {
         // We killed the child because output cap exceeded mid-stream.
         // Report that as the failure cause rather than as a timeout —
@@ -217,6 +329,7 @@ export async function bashTool(input, ctx) {
             nextCwd,
             truncated: true,
             timedOut: false,
+            cancelled: false,
         };
     }
     if (timeoutOutcome.timedOut) {
@@ -230,6 +343,7 @@ export async function bashTool(input, ctx) {
             nextCwd,
             truncated,
             timedOut: true,
+            cancelled: false,
         };
     }
     const exitCode = timeoutOutcome.exitCode;
@@ -242,6 +356,7 @@ export async function bashTool(input, ctx) {
         nextCwd,
         truncated,
         timedOut: false,
+        cancelled: false,
     };
 }
 function sanitizeTimeout(value) {
@@ -471,6 +586,7 @@ function runBackground(input) {
         nextCwd: ctx.lastBashCwd ?? ctx.root,
         truncated: false,
         timedOut: false,
+        cancelled: false,
     };
 }
 /**
@@ -807,6 +923,7 @@ export function bashToolSync(input, ctx) {
             nextCwd: ctx.lastBashCwd ?? ctx.root,
             truncated: false,
             timedOut: false,
+            cancelled: false,
         };
     }
     const decision = evaluateBashPermission(cmd, ctx.settings.permissions.mode, {
@@ -838,6 +955,27 @@ export function bashToolSync(input, ctx) {
             nextCwd: ctx.lastBashCwd ?? ctx.root,
             truncated: false,
             timedOut: false,
+            cancelled: false,
+        };
+    }
+    // CEO P1 #25 — sync path observes pre-spawn cancellation too. The
+    // sync path is used by the engine-loop tool-bridge (`bashToolSync`
+    // from tool-bridge.ts:1385); we cannot mid-stream cancel that path
+    // without rewriting spawnSync, but the pre-spawn gate still gives
+    // the operator a quick-exit window between permission and shell
+    // launch.
+    if (ctx.cancellation?.isAborted === true) {
+        const reason = 'operator_aborted: bash refused before spawn';
+        emitEvent(ctx.session, 'bash.cancelled', { cmd, phase: 'pre_spawn_sync' });
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        return {
+            stdout: '',
+            stderr: reason,
+            exitCode: 130,
+            nextCwd: ctx.lastBashCwd ?? ctx.root,
+            truncated: false,
+            timedOut: false,
+            cancelled: true,
         };
     }
     const timeoutMs = sanitizeTimeout(input.timeoutMs);
@@ -885,6 +1023,7 @@ export function bashToolSync(input, ctx) {
         nextCwd,
         truncated,
         timedOut,
+        cancelled: false,
     };
 }
 //# sourceMappingURL=bash.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.53",
+  "version": "0.1.0-beta.54",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -55,7 +55,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.53"
+    "@pugi/sdk": "0.1.0-beta.54"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",