@pugi/cli 0.1.0-beta.53 → 0.1.0-beta.55

package/dist/core/audit/audit-trail.js

@@ -43,6 +43,7 @@ import { appendFileSync, mkdirSync } from 'node:fs';
 import { createHash } from 'node:crypto';
 import { homedir } from 'node:os';
 import { basename, dirname, join, resolve } from 'node:path';
+import { collectStrings, scanForInjection, summarizeFindings, } from '../security/injection-scanner.js';
 /**
  * Opt-out env var. Mirrors the convention every other Pugi feature uses
  * (`PUGI_BARE`, `PUGI_AGENTMEMORY_RECALL_ENABLED=false`, etc.).
@@ -183,6 +184,32 @@ export function writeAuditEvent(input) {
             encoding: 'utf8',
             mode: 0o600,
         });
+        // Injection scan (ported KeiSeiKit `injection_patterns.rs`,
+        // Apache-2.0). Wrap the OUTBOUND `data` payload through the
+        // scanner. Findings emit a SECOND audit line of type
+        // `injection_detected` so an operator (or SOC pipeline) sees a
+        // structured, append-only record without losing the original
+        // event. Never blocks the write — hard-block requires a separate
+        // CEO-signed PR.
+        //
+        // Recursion guard: the `injection_detected` event itself carries
+        // matched substrings (intentional — they are the evidence). We
+        // skip scanning it to avoid an infinite loop of self-detections.
+        if (input.event !== 'injection_detected') {
+            const findings = scanAuditPayload(input.data);
+            if (findings.length > 0) {
+                emitInjectionDetected({
+                    findings,
+                    triggeringEvent: input.event,
+                    sessionId: input.sessionId,
+                    workspaceRoot: input.workspaceRoot,
+                    tenant: input.tenant,
+                    env: input.env,
+                    home: input.home,
+                    now: input.now,
+                });
+            }
+        }
     }
     catch {
         // Audit failures must NEVER break a dispatch. The session log + the
@@ -191,4 +218,58 @@ export function writeAuditEvent(input) {
         // via the doctor probe; for now silent no-op is the contract.
     }
 }
+/**
+ * Fold the audit `data` payload into a single string and scan it for
+ * prompt-injection / invisible-unicode / secret markers. Returns the
+ * empty array on clean payloads.
+ *
+ * Exported for the spec — the scanner module owns the algorithm, this
+ * helper owns the payload-walking glue.
+ */
+export function scanAuditPayload(data) {
+    // Fold every string anywhere in the payload (keys included) into a
+    // single buffer separated by NULs. NUL keeps regex anchors honest
+    // (no accidental cross-field match for a `^system:` pattern) without
+    // adding bytes that themselves could become a pattern.
+    const fragments = collectStrings(data);
+    if (fragments.length === 0)
+        return [];
+    const joined = fragments.join('\0');
+    return scanForInjection(joined);
+}
+/**
+ * Build the `injection_detected` envelope payload and recurse into
+ * `writeAuditEvent` to append it. The recursion is bounded — the
+ * recursion guard in `writeAuditEvent` short-circuits on the
+ * `injection_detected` event so we never re-scan ourselves.
+ */
+function emitInjectionDetected(input) {
+    const summary = summarizeFindings(input.findings);
+    // Cap the findings array in the audit line so a payload with
+    // hundreds of invisible-unicode hits does not bloat the JSONL row.
+    // The summary still carries `total` so operators see the real count.
+    const MAX_FINDINGS_PER_EVENT = 32;
+    const truncated = input.findings.length > MAX_FINDINGS_PER_EVENT;
+    const capped = truncated
+        ? input.findings.slice(0, MAX_FINDINGS_PER_EVENT)
+        : [...input.findings];
+    writeAuditEvent({
+        event: 'injection_detected',
+        sessionId: input.sessionId,
+        workspaceRoot: input.workspaceRoot,
+        tenant: input.tenant,
+        env: input.env,
+        home: input.home,
+        now: input.now,
+        data: {
+            triggeringEvent: input.triggeringEvent,
+            summary,
+            findings: capped,
+            truncated,
+            // KeiSeiKit attribution is recorded inline so a SOC pipeline
+            // grepping for the upstream project name lands here.
+            detector: 'keiseikit-injection-patterns',
+        },
+    });
+}
 //# sourceMappingURL=audit-trail.js.map

package/dist/core/context/markdown-loader.js

@@ -26,22 +26,40 @@ export const MAX_TOTAL_BYTES = 64 * 1024;
 /**
  * Source filenames we look for at the workspace root. Order matters:
  * PUGI.md is the canonical Pugi-native file; AGENTS.md is the
- * cross-CLI compatibility shim used by other agentic CLIs.
+ * cross-CLI compatibility shim used by other agentic CLIs; CLAUDE.md
+ * is the Claude Code drop-in compat shim (Wave 7 #20, 2026-05-29) —
+ * operators migrating from CC routinely keep a workspace-root
+ * `CLAUDE.md` documenting project conventions, and we pick it up so
+ * Pugi sees the same ambient guidance without a manual rename.
+ *
+ * All three files are loaded when present (no "first one wins"
+ * dropdown). Each entry is HTML-stripped + @import-expanded + capped
+ * against the shared 64 KB budget. Pugi's precedence convention is
+ * "shown last = highest specificity"; PUGI.md / AGENTS.md / CLAUDE.md
+ * each have a stable position in this list so the context builder's
+ * render order is deterministic.
  */
-export const MARKDOWN_SOURCES = ['PUGI.md', 'AGENTS.md'];
+export const MARKDOWN_SOURCES = ['PUGI.md', 'AGENTS.md', 'CLAUDE.md'];
 /**
  * Load PUGI.md + AGENTS.md from `workspaceRoot`. Either or both may be
  * absent. Returns the combined load result with per-file detail plus a
  * flat list of warnings (best-effort: a missing file is a warning, not
  * an error).
  */
-export async function loadMarkdownContext(workspaceRoot) {
+export async function loadMarkdownContext(workspaceRoot, env = process.env) {
     const warnings = [];
     const loaded = [];
     let budgetRemaining = MAX_TOTAL_BYTES;
     const visited = new Set();
     const absRoot = resolve(workspaceRoot);
-    for (const source of MARKDOWN_SOURCES) {
+    // Wave 7 #20 (2026-05-29): allow operators to opt OUT of CLAUDE.md
+    // ingest via `PUGI_CC_COMPAT_DISABLE=1`. PUGI.md / AGENTS.md remain
+    // loaded — they are Pugi-native surfaces, not CC compat shims.
+    const ccCompatDisabled = env.PUGI_CC_COMPAT_DISABLE === '1';
+    const activeSources = ccCompatDisabled
+        ? MARKDOWN_SOURCES.filter((s) => s !== 'CLAUDE.md')
+        : MARKDOWN_SOURCES;
+    for (const source of activeSources) {
         const candidate = resolve(absRoot, source);
         if (!existsSync(candidate)) {
             warnings.push({

package/dist/core/format/osc8-link.js

@@ -0,0 +1,28 @@
+/**
+ * OSC 8 hyperlink helpers — turns workspace-relative file paths into
+ * clickable links in modern terminals (iTerm2, kitty, Windows Terminal,
+ * VS Code integrated terminal, Alacritty, WezTerm). Dumb terminals and
+ * pipes ignore the escape sequence and render only the visible label.
+ *
+ * CEO P2 #38 — Wave 7 artifact linking. Triggers ONLY when:
+ *   - stdout is a TTY
+ *   - PUGI_ARTIFACT_LINKS_DISABLE !== '1'
+ *   - NO_COLOR is not set
+ */
+import { resolve, isAbsolute } from 'node:path';
+import { pathToFileURL } from 'node:url';
+const ESC = '';
+export function linkArtifact(pathRel, opts) {
+    const env = opts.env ?? process.env;
+    const tty = opts.isTty ?? process.stdout.isTTY ?? false;
+    if (!tty)
+        return pathRel;
+    if (env['PUGI_ARTIFACT_LINKS_DISABLE'] === '1')
+        return pathRel;
+    if (env['NO_COLOR'] && env['NO_COLOR'].length > 0)
+        return pathRel;
+    const abs = isAbsolute(pathRel) ? pathRel : resolve(opts.workspaceRoot, pathRel);
+    const url = pathToFileURL(abs).href;
+    return `${ESC}]8;;${url}${ESC}\\${pathRel}${ESC}]8;;${ESC}\\`;
+}
+//# sourceMappingURL=osc8-link.js.map

package/dist/core/security/injection-scanner.js

@@ -0,0 +1,367 @@
+/**
+ * Prompt-injection scanner — TypeScript port of KeiSeiKit's
+ * `injection_patterns.rs` (Apache-2.0, KeiSeiLab).
+ *
+ * Upstream source:
+ *   `_primitives/_rust/kei-memory/src/injection_patterns.rs`
+ *   from https://github.com/Pugi-dev/KeiSeiKit (private mirror).
+ *
+ * Scope of the port:
+ *   - Pattern TABLES are ported verbatim (regex + invisible-codepoint
+ *     set + ChatML tags + role-prefix patterns). The substring/secret
+ *     rows (curl-with-bearer, aws_secret keyword, api_key URL, openssh
+ *     PEM markers, long-base64 blob heuristic) are KEPT in this port —
+ *     they harden writes through memory/audit paths against accidental
+ *     credential pasting.
+ *   - Detection logic is rewritten in TypeScript. The Rust upstream
+ *     uses `regex::Regex` + a separate `injection_guard.rs` that owns
+ *     the "should I block?" decision. Pugi's port collapses both
+ *     responsibilities into a single function (`scanForInjection`)
+ *     because the caller surfaces (audit-trail, file-tools) only need
+ *     the findings list — they do not block writes today (CEO sign-off
+ *     gate, separate PR).
+ *
+ * Severity model:
+ *   The upstream `Block` / `Warn` enum is mirrored as a Pugi field on
+ *   each finding so a future PR can wire hard-block behavior without
+ *   re-shaping the call sites.
+ *
+ * What this is NOT:
+ *   - An LLM-output safety filter. This scans CONTENT BOUND FOR DISK
+ *     (audit payloads + file writes / edits) for accidental or
+ *     adversarial prompt-injection markers.
+ *   - A secrets scanner. Real secrets detection lives in
+ *     `scripts/secret-scanner.mjs` (release gate). The few credential
+ *     heuristics here exist because the upstream Rust treats memory
+ *     persistence as a credential-exfil surface too.
+ *
+ * See `licenses/keiseikit-LICENSE-NOTICE.md` for Apache-2.0 attribution.
+ */
+/**
+ * Maximum captured-match length recorded in a finding. Bounds the
+ * worst-case row size in the audit JSONL stream. Set to 128 because
+ * the longest legitimate pattern match (`long_base64_line`) would be
+ * 1024+ bytes — the operator can re-scan the source content for the
+ * full blob if they need it; we only need enough context to triage.
+ */
+export const MAX_MATCH_CAPTURE = 128;
+function clampMatch(matched) {
+    if (matched.length <= MAX_MATCH_CAPTURE)
+        return matched;
+    return `${matched.slice(0, MAX_MATCH_CAPTURE)}…`;
+}
+/**
+ * Invisible / bidi / zero-width unicode codepoints ported verbatim
+ * from `INVISIBLE_CHARS` in the upstream Rust. Each one is a known
+ * vehicle for hiding prompt-override text from a casual reader.
+ */
+export const INVISIBLE_CHARS = [
+    '​', // ZERO WIDTH SPACE
+    '‌', // ZERO WIDTH NON-JOINER
+    '‍', // ZERO WIDTH JOINER
+    '‎', // LEFT-TO-RIGHT MARK
+    '‏', // RIGHT-TO-LEFT MARK
+    '‪', // LEFT-TO-RIGHT EMBEDDING
+    '‫', // RIGHT-TO-LEFT EMBEDDING
+    '‬', // POP DIRECTIONAL FORMATTING
+    '‭', // LEFT-TO-RIGHT OVERRIDE
+    '‮', // RIGHT-TO-LEFT OVERRIDE
+    '⁠', // WORD JOINER
+    '', // BYTE ORDER MARK / ZERO WIDTH NO-BREAK SPACE
+];
+/**
+ * Pre-built Set for O(1) codepoint membership tests. The scanner walks
+ * the input once and probes this set per character — cheaper than a
+ * regex with 12 alternation branches.
+ */
+const INVISIBLE_CHAR_SET = new Set(INVISIBLE_CHARS);
+/**
+ * Threshold above which a single base64-looking line is flagged.
+ * Matches the upstream `BASE64_BLOB_BYTES` constant so the heuristic
+ * stays aligned with the Rust spec. The regex below hardcodes the
+ * same value for compile-time clarity.
+ */
+export const BASE64_BLOB_BYTES = 1024;
+/**
+ * PEM begin marker built at runtime so the literal dashes do not
+ * trigger over-eager secret-scanners in this very source file (same
+ * concern as the upstream `pem_dashes()` helper).
+ */
+function pemMarker(label) {
+    const d = '-'.repeat(5);
+    return `${d}BEGIN ${label}${d}`;
+}
+/**
+ * Escape regex metachars in a literal string. We avoid pulling a
+ * dependency just for this — the set of metachars is small and
+ * well-known.
+ */
+function escapeRegex(literal) {
+    return literal.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Prompt-override patterns. Ported verbatim from
+ * `prompt_override_patterns()` in the upstream Rust. The regex
+ * strings are the same modulo Rust's `(?im)` inline flags being
+ * expressed as `i` + `m` on the TS `RegExp`.
+ */
+const PROMPT_OVERRIDE_PATTERNS = [
+    {
+        id: 'prompt_override_ignore_previous',
+        kind: 'override-prompt',
+        re: /ignore\s+previous\s+instructions/gi,
+        severity: 'block',
+        source: 'promptguard:override',
+    },
+    {
+        id: 'prompt_override_you_are_now',
+        kind: 'override-prompt',
+        re: /you\s+are\s+now\b/gi,
+        severity: 'block',
+        source: 'promptguard:roleplay',
+    },
+    {
+        id: 'prompt_override_disregard',
+        kind: 'override-prompt',
+        re: /disregard\s+(all|prior|above)/gi,
+        severity: 'block',
+        source: 'promptguard:override',
+    },
+    {
+        id: 'system_role_prefix',
+        kind: 'override-prompt',
+        re: /^\s*system\s*:/gim,
+        severity: 'block',
+        source: 'promptguard:role-prefix',
+    },
+    {
+        id: 'chatml_im_start',
+        kind: 'tag-injection',
+        re: /<\|im_start\|>/g,
+        severity: 'block',
+        source: 'chatml:tag',
+    },
+    {
+        id: 'chatml_endoftext',
+        kind: 'tag-injection',
+        re: /<\|endoftext\|>/g,
+        severity: 'block',
+        source: 'chatml:tag',
+    },
+];
+/**
+ * Secret-shaped patterns. Ported from `secret_patterns()`. The PEM
+ * markers are built at runtime so they do not show up verbatim in
+ * this file's bytes (anti-self-trigger).
+ */
+function buildSecretPatterns() {
+    const openssh = escapeRegex(pemMarker('OPENSSH PRIVATE KEY'));
+    const rsa = escapeRegex(pemMarker('RSA PRIVATE KEY'));
+    return [
+        {
+            id: 'ssh_openssh_private',
+            kind: 'secret-marker',
+            re: new RegExp(openssh, 'g'),
+            severity: 'block',
+            source: 'secret:openssh',
+        },
+        {
+            id: 'ssh_rsa_private',
+            kind: 'secret-marker',
+            re: new RegExp(rsa, 'g'),
+            severity: 'block',
+            source: 'secret:rsa',
+        },
+        {
+            // Upstream P2.1.b audit upgraded this to Block tier — long
+            // base64 blobs on a memory-write path are a direct exfil
+            // surface for attestation / key blobs pasted into transcripts.
+            id: 'long_base64_line',
+            kind: 'secret-marker',
+            re: new RegExp(`^[A-Za-z0-9+/=]{${BASE64_BLOB_BYTES},}$`, 'gm'),
+            severity: 'block',
+            source: 'heuristic:base64-blob',
+        },
+    ];
+}
+/**
+ * Substring/heuristic patterns. Ported from `build_substring_table()`.
+ * Each row demands ALL needles be present in the LOWERCASED copy of
+ * the input (AND semantics) — keeps false-positives low.
+ */
+const SUBSTRING_PATTERNS = [
+    {
+        id: 'curl_with_bearer',
+        kind: 'secret-marker',
+        needles: ['bearer ', '://'],
+        severity: 'block',
+        source: 'exfil:curl-bearer',
+    },
+    {
+        id: 'aws_secret_keyword',
+        kind: 'secret-marker',
+        needles: ['aws_secret'],
+        severity: 'block',
+        source: 'secret:aws',
+    },
+    {
+        id: 'api_key_url',
+        kind: 'secret-marker',
+        needles: ['api_key=', '://'],
+        severity: 'block',
+        source: 'exfil:api-key-url',
+    },
+];
+let REGEX_TABLE = null;
+function regexPatterns() {
+    if (REGEX_TABLE === null) {
+        REGEX_TABLE = [...PROMPT_OVERRIDE_PATTERNS, ...buildSecretPatterns()];
+    }
+    return REGEX_TABLE;
+}
+/**
+ * Maximum input size we scan. Above this we sample the first
+ * MAX_SCAN_BYTES bytes and tag the result as `truncated: true`. This
+ * keeps a 10 MB log payload from stalling the audit append path.
+ *
+ * The threshold is deliberately generous (256 KB) — the typical audit
+ * `data` payload is a few hundred bytes (a single `tool_call` envelope)
+ * and a file write of an HTML page is well under the cap. The cutoff
+ * exists only for pathological cases.
+ */
+export const MAX_SCAN_BYTES = 256 * 1024;
+/**
+ * Scan a string for prompt-injection / invisible-unicode / secret
+ * markers. Returns the empty array when clean. Never throws —
+ * malformed input (e.g. lone surrogates) falls through to the regex
+ * engine and produces zero or more findings, never an exception.
+ *
+ * Pure function. Safe to call from a hot path (audit-trail append,
+ * file-tools writeTool) without worrying about side effects.
+ */
+export function scanForInjection(text) {
+    if (typeof text !== 'string' || text.length === 0)
+        return [];
+    const findings = [];
+    const scanText = text.length > MAX_SCAN_BYTES ? text.slice(0, MAX_SCAN_BYTES) : text;
+    // 1. Invisible unicode scan: O(n) single pass with a Set lookup.
+    //    We collect per-codepoint hits rather than collapsing them so
+    //    the operator can see how many bidi marks are present (high
+    //    counts strongly suggest adversarial intent).
+    for (let i = 0; i < scanText.length; i += 1) {
+        const ch = scanText[i];
+        if (ch === undefined)
+            continue;
+        if (INVISIBLE_CHAR_SET.has(ch)) {
+            const code = ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
+            findings.push({
+                kind: 'invisible-unicode',
+                id: `invisible_unicode_U+${code}`,
+                severity: 'warn',
+                matched: ch,
+                offset: i,
+                source: `unicode:invisible:U+${code}`,
+            });
+        }
+    }
+    // 2. Regex table scan. Each pattern uses the `g` flag so we walk
+    //    every occurrence — a single text can carry multiple ChatML
+    //    tags or override phrases and the operator needs to see all of
+    //    them, not just the first.
+    for (const pattern of regexPatterns()) {
+        // Re-set lastIndex defensively in case a prior call left the
+        // regex's stateful cursor mid-string.
+        pattern.re.lastIndex = 0;
+        let match;
+        while ((match = pattern.re.exec(scanText)) !== null) {
+            findings.push({
+                kind: pattern.kind,
+                id: pattern.id,
+                severity: pattern.severity,
+                matched: clampMatch(match[0]),
+                offset: match.index,
+                source: pattern.source,
+            });
+            // Guard against zero-width matches infinite-looping (e.g. a
+            // regex that matches the empty string would never advance).
+            if (match.index === pattern.re.lastIndex) {
+                pattern.re.lastIndex += 1;
+            }
+        }
+    }
+    // 3. Substring/heuristic scan. AND semantics: every needle must
+    //    appear in the lowercased copy. We record the FIRST needle's
+    //    offset because that is the most actionable index for the
+    //    operator (the others may be hundreds of bytes away).
+    const lower = scanText.toLowerCase();
+    for (const pattern of SUBSTRING_PATTERNS) {
+        const offsets = pattern.needles.map((n) => lower.indexOf(n));
+        if (offsets.every((o) => o >= 0)) {
+            const firstOffset = Math.min(...offsets);
+            // Reconstruct a useful matched snippet — the needles can be
+            // far apart so we cap at the first needle plus a window.
+            const snippetEnd = Math.min(firstOffset + MAX_MATCH_CAPTURE, scanText.length);
+            findings.push({
+                kind: pattern.kind,
+                id: pattern.id,
+                severity: pattern.severity,
+                matched: clampMatch(scanText.slice(firstOffset, snippetEnd)),
+                offset: firstOffset,
+                source: pattern.source,
+            });
+        }
+    }
+    return findings;
+}
+export function summarizeFindings(findings) {
+    let score = 0;
+    const kindSet = new Set();
+    for (const f of findings) {
+        if (f.severity === 'block')
+            score += 1;
+        kindSet.add(f.kind);
+    }
+    return {
+        score,
+        total: findings.length,
+        kinds: Array.from(kindSet).sort(),
+    };
+}
+/**
+ * Recursively walk a JSON-shaped value and concatenate every string
+ * found. Used by audit-trail to fold the entire `data` payload into a
+ * single scannable surface — a tool_result with a deeply nested error
+ * object could otherwise hide an override prompt one level deep.
+ *
+ * Cycles are broken by a WeakSet — a payload that round-trips through
+ * a session struct is safe to scan even when it has back-references.
+ */
+export function collectStrings(value, seen = new WeakSet()) {
+    if (value === null || value === undefined)
+        return [];
+    if (typeof value === 'string')
+        return [value];
+    if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {
+        return [];
+    }
+    if (typeof value !== 'object')
+        return [];
+    if (seen.has(value))
+        return [];
+    seen.add(value);
+    const out = [];
+    if (Array.isArray(value)) {
+        for (const item of value) {
+            out.push(...collectStrings(item, seen));
+        }
+        return out;
+    }
+    for (const key of Object.keys(value)) {
+        // Scan the KEY too — a deliberately-crafted payload could hide
+        // an override phrase as an object key.
+        out.push(key);
+        out.push(...collectStrings(value[key], seen));
+    }
+    return out;
+}
+//# sourceMappingURL=injection-scanner.js.map

package/dist/core/settings.js

@@ -128,12 +128,175 @@ const pugiSettingsSchema = z.object({
     })
         .optional(),
 });
-export function loadSettings(root) {
+/**
+ * Wave 7 #20 (2026-05-29) — Claude Code drop-in compat ingest.
+ *
+ * Operators migrating from Claude Code typically keep a `.claude/`
+ * directory at workspace root with settings.json, slash commands,
+ * and ambient guidance files. We honour the existence of that
+ * directory and mirror the subset of keys that map cleanly onto
+ * Pugi's own settings surface — Pugi values ALWAYS win on conflict
+ * (the operator opted into Pugi as their primary), CC fills gaps.
+ *
+ * Opt-out: `PUGI_CC_COMPAT_DISABLE=1` short-circuits the merger and
+ * loads only `.pugi/settings.json` (or the empty default).
+ *
+ * Key mirror table:
+ *   - `permissions.defaultMode` → `permissions.mode`
+ *     (CC values map: `acceptEdits|plan|bypassPermissions|default` →
+ *      `acceptEdits|plan|bypassPermissions|ask`).
+ *   - `permissions.allow` → `permissions.allow` (concatenated, deduped).
+ *   - `permissions.deny`  → `permissions.deny`  (concatenated, deduped).
+ *   - `enabledPlugins`    → ignored (CC-only concept; Pugi has its own
+ *      plugin surface and we do not want to silently activate them).
+ *   - `hooks`             → currently ignored. Pugi's hook system is
+ *      managed via `apps/pugi-cli/src/core/hooks/`; future work can
+ *      wire CC hook entries through that bridge.
+ *
+ * Unknown CC keys are dropped on the floor by Zod's strip semantics
+ * just like the existing PUGI settings path — we never warn on
+ * unrecognised CC keys, because the CC surface is wider and we want
+ * fallthrough to be silent (operator does not need a stream of "we
+ * skipped this CC concept" warnings on every CLI invocation).
+ */
+const ccPermissionsSchema = z
+    .object({
+    defaultMode: z.string().optional(),
+    allow: z.array(z.string()).optional(),
+    deny: z.array(z.string()).optional(),
+})
+    .passthrough()
+    .optional();
+const ccSettingsSchema = z
+    .object({
+    permissions: ccPermissionsSchema,
+    enabledPlugins: z.unknown().optional(),
+    hooks: z.unknown().optional(),
+})
+    .passthrough();
+/**
+ * Env var that disables CC compat ingest entirely. Useful for CI
+ * sandboxes where a stray `.claude/` from a parent checkout could
+ * otherwise leak permissions into Pugi.
+ */
+export const CC_COMPAT_DISABLE_ENV = 'PUGI_CC_COMPAT_DISABLE';
+/**
+ * Map a CC `permissions.defaultMode` to the closest Pugi permission
+ * mode. Unknown / missing values map to `undefined` so the caller
+ * keeps Pugi's own default.
+ *
+ * CC's `default` mode = "ask the user for each tool" which is Pugi's
+ * `ask` mode. `acceptEdits` / `plan` / `bypassPermissions` map 1:1.
+ */
+export function mapCcPermissionMode(mode) {
+    if (typeof mode !== 'string')
+        return undefined;
+    switch (mode) {
+        case 'acceptEdits':
+            return 'acceptEdits';
+        case 'plan':
+            return 'plan';
+        case 'bypassPermissions':
+            return 'bypassPermissions';
+        case 'default':
+            return 'ask';
+        default:
+            return undefined;
+    }
+}
+/**
+ * Merge a parsed CC settings object into a Pugi settings object.
+ * Pugi ALWAYS wins on conflict; CC values fill gaps only.
+ */
+export function mergeCcIntoPugi(pugi, cc, opts) {
+    const merged = {
+        ...pugi,
+        permissions: { ...pugi.permissions },
+    };
+    const pugiWroteMode = pugiPermissionKeyPresent(opts.pugiRawJson, 'mode');
+    if (!pugiWroteMode) {
+        const ccMode = mapCcPermissionMode(cc.permissions?.defaultMode);
+        if (ccMode)
+            merged.permissions.mode = ccMode;
+    }
+    if (Array.isArray(cc.permissions?.allow)) {
+        merged.permissions.allow = dedupeKeepFirst([
+            ...pugi.permissions.allow,
+            ...cc.permissions.allow,
+        ]);
+    }
+    if (Array.isArray(cc.permissions?.deny)) {
+        merged.permissions.deny = dedupeKeepFirst([
+            ...pugi.permissions.deny,
+            ...cc.permissions.deny,
+        ]);
+    }
+    // `enabledPlugins` and `hooks` are intentionally NOT mirrored. See
+    // the doc-block above for rationale.
+    void opts.pugiSettingsExisted;
+    return merged;
+}
+function pugiPermissionKeyPresent(raw, key) {
+    if (!raw || typeof raw !== 'object')
+        return false;
+    const permissions = raw.permissions;
+    if (!permissions || typeof permissions !== 'object')
+        return false;
+    return Object.prototype.hasOwnProperty.call(permissions, key);
+}
+function dedupeKeepFirst(items) {
+    const seen = new Set();
+    const out = [];
+    for (const item of items) {
+        if (seen.has(item))
+            continue;
+        seen.add(item);
+        out.push(item);
+    }
+    return out;
+}
+/**
+ * Read + parse `.claude/settings.json` at `root`. Returns `undefined`
+ * when the file is absent, malformed, or the operator has opted out
+ * via `PUGI_CC_COMPAT_DISABLE=1`. Never throws — a broken CC settings
+ * file degrades to "no CC compat ingest", not a Pugi boot crash.
+ */
+export function loadCcSettings(root, env = process.env) {
+    if (env[CC_COMPAT_DISABLE_ENV] === '1')
+        return undefined;
+    const ccPath = resolve(root, '.claude/settings.json');
+    if (!existsSync(ccPath))
+        return undefined;
+    let parsed;
+    try {
+        parsed = JSON.parse(readFileSync(ccPath, 'utf8'));
+    }
+    catch {
+        return undefined;
+    }
+    const result = ccSettingsSchema.safeParse(parsed);
+    if (!result.success)
+        return undefined;
+    return result.data;
+}
+export function loadSettings(root, env = process.env) {
     const settingsPath = resolve(root, '.pugi/settings.json');
-    if (!existsSync(settingsPath)) {
-        return pugiSettingsSchema.parse({});
+    const pugiExists = existsSync(settingsPath);
+    let pugiRawJson = undefined;
+    let pugi;
+    if (pugiExists) {
+        pugiRawJson = JSON.parse(readFileSync(settingsPath, 'utf8'));
+        pugi = pugiSettingsSchema.parse(pugiRawJson);
+    }
+    else {
+        pugi = pugiSettingsSchema.parse({});
     }
-    const parsed = JSON.parse(readFileSync(settingsPath, 'utf8'));
-    return pugiSettingsSchema.parse(parsed);
+    const cc = loadCcSettings(root, env);
+    if (!cc)
+        return pugi;
+    return mergeCcIntoPugi(pugi, cc, {
+        pugiSettingsExisted: pugiExists,
+        pugiRawJson,
+    });
 }
 //# sourceMappingURL=settings.js.map

package/dist/runtime/cli.js

@@ -5,6 +5,7 @@ import { realpathSync, statSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { dirname, relative, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
+import { linkArtifact } from '../core/format/osc8-link.js';
 import { AnvilEngineLoopClient } from '../core/engine/anvil-client.js';
 import { NativePugiEngineAdapter } from '../core/engine/native-pugi.js';
 import { loadMcpRegistry } from '../core/mcp/registry.js';
@@ -4663,10 +4664,46 @@ function runEngineTask(kind) {
         });
         const toolCallId = recordToolCall(session, `engine:${adapter.name}`, `${label}: ${prompt}`);
         const taskId = `${kind}-${Date.now()}`;
+        // CEO P1 #25 (2026-05-29) — Ctrl+C interrupt for non-REPL
+        // dispatch (CC parity). Before this fix, SIGINT on `pugi code "..."`
+        // killed the whole CLI process so the operator could not abort a
+        // single bad turn without losing the session. We now:
+        //   1. Bind an AbortController to the engine run so the first
+        //      Ctrl+C aborts THIS dispatch (the engine loop already
+        //      honours `ctx.signal` — see EngineContext in @pugi/sdk).
+        //   2. Count presses: a second Ctrl+C within 2s falls through к
+        //      the legacy "hard exit" so the operator always has an
+        //      escape hatch (mirrors the REPL InputBox "press again к
+        //      exit" pattern).
+        //   3. Restore Node's default SIGINT semantics in the `finally`
+        //      block so successive engine runs (e.g. within tests that
+        //      iterate runEngineTask) each see a fresh handler.
+        const abortController = new AbortController();
+        const SIGINT_DOUBLE_PRESS_WINDOW_MS = 2000;
+        let firstSigintAt = null;
+        const onSigint = () => {
+            const now = Date.now();
+            if (firstSigintAt !== null && now - firstSigintAt <= SIGINT_DOUBLE_PRESS_WINDOW_MS) {
+                // Second press within the window — hard exit. Mirrors the
+                // shell convention (^C ^C = give up) so the operator never
+                // gets stuck on a runaway engine.
+                process.stderr.write(`\npugi ${label}: interrupted (hard exit on ^C^C).\n`);
+                process.exit(130);
+            }
+            firstSigintAt = now;
+            if (!abortController.signal.aborted) {
+                process.stderr.write(`\npugi ${label}: aborting current turn (press ^C again to exit).\n`);
+                abortController.abort();
+            }
+        };
+        process.on('SIGINT', onSigint);
         // β4 r2 P1 #3 — try/finally so loaded MCP child processes are
         // reaped regardless of run outcome (success, blocked, failed,
-        // thrown). The shutdown is best-effort; we never want a stuck
-        // MCP server to mask a successful Pugi run.
+        // thrown). Triple-review P1 (#725): the try now wraps BOTH the
+        // adapter.run() call и the iteration, so a sync throw from
+        // adapter.run() still hits the SIGINT-detach + MCP-cleanup
+        // finally block. Before this fix a sync throw would have leaked
+        // the SIGINT listener (10+ runs → MaxListenersExceededWarning).
         try {
             const events = adapter.run({
                 id: taskId,
@@ -4680,7 +4717,7 @@ function runEngineTask(kind) {
                 // executor refusal sentinel). The permission mode here is the
                 // workspace-level toggle and is unchanged from interactive default.
                 permissionMode: 'auto',
-            }, { sessionId: session.id });
+            }, { sessionId: session.id, signal: abortController.signal });
             const statusEvents = [];
             let result = null;
             for await (const event of events) {
@@ -4896,8 +4933,13 @@ function runEngineTask(kind) {
             textLines.push(`Summary: ${result.summary}`);
             if (result.filesChanged.length > 0) {
                 textLines.push(`Files modified (${result.filesChanged.length}):`);
-                for (const file of result.filesChanged)
-                    textLines.push(`  - ${file}`);
+                // CEO P2 #38 (Wave 7 artifact linking): emit each file as an OSC 8
+                // hyperlink so modern terminals (iTerm2, kitty, VS Code, Windows
+                // Terminal, Alacritty, WezTerm) let the operator click straight
+                // into the file. Falls back to plain text on dumb terminals / CI.
+                for (const file of result.filesChanged) {
+                    textLines.push(`  - ${linkArtifact(file, { workspaceRoot: process.cwd() })}`);
+                }
             }
             else if (kind !== 'explain' && kind !== 'plan') {
                 textLines.push('Files modified: none');
@@ -4925,6 +4967,13 @@ function runEngineTask(kind) {
             writeOutput(flags, payload, textLines.join('\n'));
         }
         finally {
+            // CEO P1 #25 — detach the per-run SIGINT handler so a second
+            // engine run from the same process (tests, scripts iterating
+            // `runEngineTask`, future REPL non-watch dispatches) starts
+            // with a fresh press counter and does NOT pile up listeners
+            // on the process object (Node prints
+            // `MaxListenersExceededWarning` at 10).
+            process.off('SIGINT', onSigint);
             // β4 r2 P1 #3 — tear down live MCP child processes BEFORE the
             // CLI exits. shutdown() is idempotent and swallows per-server
             // disconnect errors, so it is safe even if no servers connected.

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.53');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.55');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/dist/tools/bash.js

@@ -85,6 +85,7 @@ export async function bashTool(input, ctx) {
             nextCwd: ctx.lastBashCwd ?? ctx.root,
             truncated: false,
             timedOut: false,
+            cancelled: false,
         };
     }
     // Permission gate via the new class-aware engine.
@@ -119,6 +120,25 @@ export async function bashTool(input, ctx) {
             nextCwd: ctx.lastBashCwd ?? ctx.root,
             truncated: false,
             timedOut: false,
+            cancelled: false,
+        };
+    }
+    // CEO P1 #25 (2026-05-29) — pre-spawn cancellation check. Fires
+    // AFTER the permission gate so a cancelled brief never reaches
+    // /bin/sh even when the command would have been allowed. Mirrors
+    // the `gateOnCancellation` pattern from file-tools.ts.
+    if (ctx.cancellation?.isAborted === true) {
+        const reason = 'operator_aborted: bash refused before spawn';
+        emitEvent(ctx.session, 'bash.cancelled', { cmd, phase: 'pre_spawn' });
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        return {
+            stdout: '',
+            stderr: reason,
+            exitCode: 130,
+            nextCwd: ctx.lastBashCwd ?? ctx.root,
+            truncated: false,
+            timedOut: false,
+            cancelled: true,
         };
     }
     // Background job branch.
@@ -147,6 +167,12 @@ export async function bashTool(input, ctx) {
     // before the timeout watchdog fires, we enforce a live ceiling
     // (BASH_LIVE_OUTPUT_CAP_BYTES) and SIGTERM the child when crossed.
     let truncatedMidStream = false;
+    // CEO P1 #25 (2026-05-29) — mid-stream operator cancellation. The
+    // listener registered against the CancellationToken below flips
+    // this flag and SIGTERMs the child. The close handler reads it to
+    // decide between `cancelled` (operator abort) and `timedOut`
+    // (watchdog).
+    let cancelledMidStream = false;
     const enforceLiveCap = () => {
         if (truncatedMidStream)
             return;
@@ -160,21 +186,88 @@ export async function bashTool(input, ctx) {
             // child already exited; the close handler will run
         }
     };
+    // CEO P1 #25 (2026-05-29) — live stream callback. When the REPL
+    // host wires `onStreamChunk`, we forward each stdout/stderr chunk
+    // in real time so the conversation pane / tool-stream pane paint
+    // bytes as they arrive instead of waiting for the child to exit.
+    // We invoke the callback inside a try/catch so a buggy sink
+    // (renderer crash, assertion error) never escalates to killing
+    // the bash dispatch. The buffered path below still captures the
+    // chunk so the model + audit trail stay consistent regardless of
+    // renderer health.
+    const onStreamChunk = ctx.onStreamChunk;
+    const emitStreamChunk = onStreamChunk
+        ? (stream, chunk) => {
+            try {
+                onStreamChunk({ stream, data: chunk.toString('utf8') });
+            }
+            catch {
+                // Sink crash — swallow.
+            }
+        }
+        : null;
     child.stdout?.on('data', (chunk) => {
-        if (truncatedMidStream)
+        if (truncatedMidStream || cancelledMidStream)
             return;
         stdoutChunks.push(chunk);
         stdoutBytes += chunk.length;
+        if (emitStreamChunk)
+            emitStreamChunk('stdout', chunk);
         enforceLiveCap();
     });
     child.stderr?.on('data', (chunk) => {
-        if (truncatedMidStream)
+        if (truncatedMidStream || cancelledMidStream)
             return;
         stderrChunks.push(chunk);
         stderrBytes += chunk.length;
+        if (emitStreamChunk)
+            emitStreamChunk('stderr', chunk);
         enforceLiveCap();
     });
+    // CEO P1 #25 — wire the cancellation token to SIGTERM. We track
+    // the detach handle so a successful run releases the listener
+    // instead of leaving it pinned to a long-lived REPL
+    // CancellationToken (same anti-leak pattern as
+    // native-pugi.ts:262).
+    let detachCancelListener;
+    if (ctx.cancellation && !ctx.cancellation.isAborted) {
+        const onAbort = () => {
+            if (cancelledMidStream)
+                return;
+            cancelledMidStream = true;
+            emitEvent(ctx.session, 'bash.cancelled', { cmd, phase: 'mid_stream' });
+            try {
+                child.kill('SIGTERM');
+            }
+            catch {
+                // child already exited; close handler will run
+            }
+            // SIGKILL escalation if the child does not honour SIGTERM
+            // within the grace window. Mirrors the timeout watchdog's
+            // two-phase shutdown.
+            setTimeout(() => {
+                if (child.exitCode !== null || child.signalCode !== null)
+                    return;
+                try {
+                    child.kill('SIGKILL');
+                }
+                catch {
+                    // gone between the check and the signal
+                }
+            }, BASH_SIGKILL_GRACE_MS).unref();
+        };
+        detachCancelListener = ctx.cancellation.onAbort(onAbort);
+    }
     const timeoutOutcome = await waitWithTimeout(child, timeoutMs);
+    // Detach the cancellation listener on completion so a long-lived
+    // REPL token does not retain a reference to the dead child + this
+    // closure.
+    if (detachCancelListener) {
+        try {
+            detachCancelListener();
+        }
+        catch { /* listener already drained */ }
+    }
     const stdoutFull = Buffer.concat(stdoutChunks).toString('utf8');
     const stderrFull = Buffer.concat(stderrChunks).toString('utf8');
     const combinedBytes = stdoutBytes + stderrBytes;
@@ -199,6 +292,25 @@ export async function bashTool(input, ctx) {
         stdoutOut = capToCombined(stdoutFull, stderrFull).stdout;
         stderrOut = capToCombined(stdoutFull, stderrFull).stderr;
     }
+    // CEO P1 #25 — cancellation wins races against timeout / cap
+    // overflow. The token already aborted by the time the close
+    // handler fires; we distinguish operator-driven termination from
+    // the watchdog so the REPL transcript reads "Aborted." rather
+    // than "Timed out."
+    if (cancelledMidStream) {
+        const reason = 'operator_aborted: bash killed mid-stream';
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        return {
+            stdout: stdoutOut,
+            stderr: stderrOut === '' ? reason : `${stderrOut}\n${reason}`,
+            exitCode: 130,
+            artifactRef,
+            nextCwd,
+            truncated,
+            timedOut: false,
+            cancelled: true,
+        };
+    }
     if (truncatedMidStream) {
         // We killed the child because output cap exceeded mid-stream.
         // Report that as the failure cause rather than as a timeout —
@@ -217,6 +329,7 @@ export async function bashTool(input, ctx) {
             nextCwd,
             truncated: true,
             timedOut: false,
+            cancelled: false,
         };
     }
     if (timeoutOutcome.timedOut) {
@@ -230,6 +343,7 @@ export async function bashTool(input, ctx) {
             nextCwd,
             truncated,
             timedOut: true,
+            cancelled: false,
         };
     }
     const exitCode = timeoutOutcome.exitCode;
@@ -242,6 +356,7 @@ export async function bashTool(input, ctx) {
         nextCwd,
         truncated,
         timedOut: false,
+        cancelled: false,
     };
 }
 function sanitizeTimeout(value) {
@@ -471,6 +586,7 @@ function runBackground(input) {
         nextCwd: ctx.lastBashCwd ?? ctx.root,
         truncated: false,
         timedOut: false,
+        cancelled: false,
     };
 }
 /**
@@ -807,6 +923,7 @@ export function bashToolSync(input, ctx) {
             nextCwd: ctx.lastBashCwd ?? ctx.root,
             truncated: false,
             timedOut: false,
+            cancelled: false,
         };
     }
     const decision = evaluateBashPermission(cmd, ctx.settings.permissions.mode, {
@@ -838,6 +955,27 @@ export function bashToolSync(input, ctx) {
             nextCwd: ctx.lastBashCwd ?? ctx.root,
             truncated: false,
             timedOut: false,
+            cancelled: false,
+        };
+    }
+    // CEO P1 #25 — sync path observes pre-spawn cancellation too. The
+    // sync path is used by the engine-loop tool-bridge (`bashToolSync`
+    // from tool-bridge.ts:1385); we cannot mid-stream cancel that path
+    // without rewriting spawnSync, but the pre-spawn gate still gives
+    // the operator a quick-exit window between permission and shell
+    // launch.
+    if (ctx.cancellation?.isAborted === true) {
+        const reason = 'operator_aborted: bash refused before spawn';
+        emitEvent(ctx.session, 'bash.cancelled', { cmd, phase: 'pre_spawn_sync' });
+        recordToolResult(ctx.session, toolCallId, 'cancelled', reason);
+        return {
+            stdout: '',
+            stderr: reason,
+            exitCode: 130,
+            nextCwd: ctx.lastBashCwd ?? ctx.root,
+            truncated: false,
+            timedOut: false,
+            cancelled: true,
         };
     }
     const timeoutMs = sanitizeTimeout(input.timeoutMs);
@@ -885,6 +1023,7 @@ export function bashToolSync(input, ctx) {
         nextCwd,
         truncated,
         timedOut,
+        cancelled: false,
     };
 }
 //# sourceMappingURL=bash.js.map

package/dist/tools/file-tools.js

@@ -33,6 +33,7 @@ import { globSync } from 'node:fs';
 import { decidePermission } from '../core/permission.js';
 import { StaleReadError, createReadRecord, hashContent, } from '../core/file-cache.js';
 import { resolveWorkspacePath } from '../core/path-security.js';
+import { scanForInjection, summarizeFindings } from '../core/security/injection-scanner.js';
 import { recordFileMutation, recordToolCall, recordToolResult } from '../core/session.js';
 /**
  * α6.9 WriteGate marker — thrown by `gateOnCancellation` when the
@@ -184,6 +185,14 @@ export function writeTool(ctx, path, content) {
     const tmp = `${resolved}.pugi-tmp-${Date.now()}`;
     writeFileSync(tmp, content, { encoding: 'utf8', mode: 0o600 });
     renameSync(tmp, resolved);
+    // Injection scan (ported KeiSeiKit `injection_patterns.rs`,
+    // Apache-2.0). Scan the BODY (never the path — path security is
+    // owned by `path-security.ts`). Findings are SURFACED as an extra
+    // line on the session tool-result, never block the write. Hard-
+    // block requires a separate CEO-signed PR. Failure here must NOT
+    // throw: a buggy scanner cannot rugpull the write that already
+    // landed on disk above.
+    surfaceInjectionWarning(ctx, toolCallId, 'write', path, content);
     // Refresh the cache with the post-write content so the model can
     // chain a follow-up read+edit on the same file without an extra
     // round-trip. Same pattern editTool uses below.
@@ -197,6 +206,36 @@ export function writeTool(ctx, path, content) {
     });
     recordToolResult(ctx.session, toolCallId, 'success', `${existed ? 'Updated' : 'Created'} ${path}`);
 }
+/**
+ * Surface an injection-scan warning on a file write/edit BODY. The
+ * scan never blocks — it folds findings into the session as a
+ * `tool_result` with status `warn` so an operator (or SOC pipeline
+ * tailing `<workspace>/.pugi/events.jsonl`) sees the signal without a
+ * mid-dispatch rollback.
+ *
+ * Wrapped in try/catch so a malformed scanner never crashes the tool
+ * loop — the write itself has already landed on disk by the time we
+ * call this.
+ */
+function surfaceInjectionWarning(ctx, triggeringToolCallId, tool, path, body) {
+    try {
+        const findings = scanForInjection(body);
+        if (findings.length === 0)
+            return;
+        const summary = summarizeFindings(findings);
+        const warnCallId = recordToolCall(ctx.session, 'injection_warning', path);
+        const message = `injection_warning: ${tool} ${path} — ${summary.total} pattern(s) ` +
+            `(score=${summary.score}, kinds=${summary.kinds.join('|')}). ` +
+            `Triggering call: ${triggeringToolCallId}. ` +
+            `Detector: keiseikit-injection-patterns. Write was NOT blocked.`;
+        recordToolResult(ctx.session, warnCallId, 'success', message);
+    }
+    catch {
+        // Scanner failure must NEVER throw — the write has already
+        // landed and the tool loop has to continue. Silent no-op
+        // mirrors the audit-trail contract.
+    }
+}
 export function editTool(ctx, path, oldString, newString) {
     const toolCallId = recordToolCall(ctx.session, 'edit', path);
     // α6.9 WriteGate: refuse the edit when the operator has cancelled
@@ -252,6 +291,13 @@ export function editTool(ctx, path, oldString, newString) {
     const tmp = `${resolved}.pugi-tmp-${Date.now()}`;
     writeFileSync(tmp, after, { encoding: 'utf8', mode: 0o600 });
     renameSync(tmp, resolved);
+    // Injection scan (ported KeiSeiKit `injection_patterns.rs`,
+    // Apache-2.0). We scan the NEW SUBSTRING the model is inserting,
+    // not the full post-edit file — the rest of the file is operator-
+    // owned content that pre-dates this dispatch. False-positive on
+    // legitimate prose that mentions banned phrases is the worst
+    // outcome and the warn-only contract bounds the cost.
+    surfaceInjectionWarning(ctx, toolCallId, 'edit', path, newString);
     ctx.readCache.set(createReadRecord(ctx.root, path, after, 'read_tool'));
     recordFileMutation(ctx.session, {
         toolCallId,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pugi/cli",
-  "version": "0.1.0-beta.53",
+  "version": "0.1.0-beta.55",
   "description": "Pugi CLI - terminal-native software execution system",
   "homepage": "https://pugi.io",
   "repository": {
@@ -55,7 +55,7 @@
     "undici": "^8.3.0",
     "zod": "^3.23.0",
     "@pugi/personas": "0.1.2",
-    "@pugi/sdk": "0.1.0-beta.53"
+    "@pugi/sdk": "0.1.0-beta.55"
   },
   "devDependencies": {
     "@types/node": "^22.0.0",