@pugi/cli 0.1.0-beta.7 → 0.1.0-beta.9

package/dist/tools/apply-patch.js

@@ -0,0 +1,495 @@
+/**
+ * apply_patch tool — α7.7 Phase 1.
+ *
+ * Accepts a unified diff (the format produced by `git diff` and
+ * consumed by `git apply`) and lands it atomically into the workspace.
+ * This is the third edit primitive alongside the α6.6 4-layer diff
+ * escalation: where the layers escalate from minimal `oldString`/
+ * `newString` blocks up to full-file rewrites, apply_patch covers the
+ * unified-diff dialect that OpenAI Codex and most external tools emit.
+ *
+ * Why we have both:
+ *
+ *   - The 4-layer escalation maximises model-side success rate on
+ *     conversational edits (Claude / Gemini / OpenAI all have a
+ *     preferred dialect that maps onto one of the layers).
+ *   - apply_patch is the "external tools speak this" path. A model
+ *     emits a single unified diff (the format `git diff` produces),
+ *     and we run it through `git apply` with the same security gate
+ *     the layers use.
+ *
+ * Security: every file mentioned in the patch goes through the same
+ * `applySecurityGate` chokepoint as the layers (see
+ * `src/core/edits/security-gate.ts`). A patch that touches
+ * `../../etc/passwd`, `.env`, or a workspace-local symlink to a protected
+ * file is rejected BEFORE `git apply` runs. Symlink escape, protected
+ * file, and path traversal are all covered by the same gate the layers
+ * inherit — we never roll our own resolver here.
+ *
+ * Atomicity: a multi-file patch either lands entirely or not at all.
+ * `git apply --check` validates the patch end-to-end against the
+ * working tree first; only on a clean check do we run the real apply.
+ * If the apply still fails partway (extremely rare — usually a race
+ * with another writer), we run `git checkout -- <each file>` to roll
+ * the tree back. This keeps the dispatcher's invariant: a tool result
+ * of `ok: false` means the workspace is unchanged.
+ *
+ * Idempotency: applying the same patch twice rejects the second with
+ * `already_applied`. `git apply` itself returns success only when the
+ * patch's pre-image matches the working tree, so a second invocation
+ * naturally fails. We translate the specific failure mode into a
+ * dedicated reason so callers can short-circuit retry loops.
+ *
+ * Brand voice: ASCII only, no emoji, no banned words.
+ */
+import { spawnSync } from 'node:child_process';
+import { existsSync, rmSync } from 'node:fs';
+import { resolve, sep } from 'node:path';
+import { applySecurityGate } from '../core/edits/security-gate.js';
+import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
+import { recordToolCall, recordToolResult, recordFileMutation } from '../core/session.js';
+/**
+ * Parse the file paths referenced in a unified diff. We look for both
+ * `diff --git a/X b/Y` headers (preferred) and the fallback
+ * `+++ b/<path>` lines that plain `diff -u` emits. The full set of
+ * touched paths feeds the security gate — EVERY file goes through
+ * `applySecurityGate` before we trust `git apply` to do anything.
+ *
+ * Security (R1 fix 2026-05-26, PR #413 r1): git emits C-style quoted
+ * path headers when a path contains "unusual" bytes (high bits, control
+ * chars, double-quote, backslash) and `core.quotePath` is true (the
+ * default). The literal header looks like
+ * `diff --git "a/.env" "b/.env"`. Before this fix the regex captured
+ * the literal `"b/.env"` string and the security gate's basename match
+ * never saw `.env` — `basename('"b/.env"')` is `'.env"'` (note the
+ * trailing quote) which does NOT match the `.env` protected pattern.
+ * `git apply` then de-quoted the header and happily landed on the real
+ * `.env`. We strip the surrounding quotes + decode the C-style escapes
+ * via `unquoteGitPath` BEFORE passing to the security gate so the
+ * basename matcher sees the real target.
+ */
+export function extractPatchPaths(patch) {
+    const paths = new Set();
+    for (const line of patch.split('\n')) {
+        if (line.startsWith('diff --git ')) {
+            // `diff --git a/foo b/bar` — paths can contain spaces only when
+            // quoted by git's own diff machinery (rare). The robust extractor
+            // matches the `b/...` half because rename diffs carry the new
+            // name there.
+            // Two variants: unquoted (`a/foo b/bar`) and C-style quoted
+            // (`"a/foo" "b/bar"`). We try the quoted form first because the
+            // unquoted regex below would accept the literal quote as part of
+            // the path otherwise.
+            const quoted = line.match(/^diff --git "a\/(.+)" "b\/(.+)"$/);
+            if (quoted) {
+                if (quoted[1])
+                    paths.add(unquoteGitPath(quoted[1]));
+                if (quoted[2])
+                    paths.add(unquoteGitPath(quoted[2]));
+                continue;
+            }
+            const match = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
+            if (match) {
+                if (match[1])
+                    paths.add(unquoteGitPath(match[1]));
+                if (match[2])
+                    paths.add(unquoteGitPath(match[2]));
+            }
+            continue;
+        }
+        if (line.startsWith('+++ ')) {
+            const after = line.slice(4).trim();
+            if (after === '/dev/null')
+                continue;
+            const stripped = stripQuotedHalf(after, 'b/');
+            if (stripped)
+                paths.add(stripTimestampSuffix(stripped));
+            continue;
+        }
+        if (line.startsWith('--- ')) {
+            const after = line.slice(4).trim();
+            if (after === '/dev/null')
+                continue;
+            const stripped = stripQuotedHalf(after, 'a/');
+            if (stripped)
+                paths.add(stripTimestampSuffix(stripped));
+        }
+    }
+    return Array.from(paths);
+}
+/**
+ * Strip the leading `a/` or `b/` prefix from a `---` / `+++` line,
+ * handling both unquoted (`b/.env`) and C-style quoted (`"b/.env"`)
+ * variants. The returned path is fully de-quoted so the security gate
+ * sees the real basename. Returns null when the line does not parse.
+ */
+function stripQuotedHalf(after, prefix) {
+    // Quoted form: `"b/path with \"escapes\""`. Detect surrounding quotes
+    // first, strip them, then peel the prefix, then unquote the inner
+    // C-style escapes.
+    if (after.startsWith('"') && after.endsWith('"') && after.length >= 2) {
+        const inner = after.slice(1, -1);
+        const peeled = inner.startsWith(prefix) ? inner.slice(prefix.length) : inner;
+        return unquoteGitPath(peeled);
+    }
+    const trimmed = after.startsWith(prefix) ? after.slice(prefix.length) : after;
+    return trimmed;
+}
+/**
+ * Decode git's C-style path quoting. When `core.quotePath` is true
+ * (default) git writes paths with high-bit / control / quote bytes as
+ * C-string escapes inside double quotes:
+ *
+ *   `"\.env"` -> `.env`         (backslash before . is just a literal)
+ *   `"a\"b"`  -> `a"b`          (escaped double-quote)
+ *   `"a\\b"`  -> `a\b`          (escaped backslash)
+ *   `"a\tb"`  -> `a` + TAB + `b`
+ *   `"a\341\210\264"` -> `a` + UTF-8 bytes 0xe1 0x88 0xb4
+ *
+ * Accepts a path that is EITHER already unquoted (passed through) OR an
+ * inner string previously stripped of its surrounding quotes. The
+ * function is idempotent on already-clean ASCII paths.
+ *
+ * Reference: git source `quote.c::unquote_c_style`.
+ */
+export function unquoteGitPath(s) {
+    // If the caller passed us a wrapped string (`"foo"`), peel it now.
+    if (s.startsWith('"') && s.endsWith('"') && s.length >= 2) {
+        s = s.slice(1, -1);
+    }
+    // Fast path: no backslash means no C-style escapes, return as-is.
+    if (!s.includes('\\'))
+        return s;
+    const out = [];
+    for (let i = 0; i < s.length; i += 1) {
+        const ch = s[i];
+        if (ch !== '\\') {
+            // Single-byte ASCII or multi-byte JS string char; the byte we
+            // emit must match its UTF-8 encoding so the security gate sees
+            // the same bytes the filesystem will. JS strings are UTF-16; we
+            // bounce through Buffer to get the canonical UTF-8 bytes.
+            const bytes = Buffer.from(ch ?? '', 'utf8');
+            for (const b of bytes)
+                out.push(b);
+            continue;
+        }
+        const next = s[i + 1];
+        if (next === undefined) {
+            // Trailing backslash with no follower — emit literal.
+            out.push(0x5c);
+            continue;
+        }
+        // Three-digit octal escape: `\NNN` (each digit 0-7).
+        if (next >= '0' && next <= '7' && i + 3 < s.length + 1) {
+            const oct = s.slice(i + 1, i + 4);
+            if (/^[0-7]{3}$/.test(oct)) {
+                out.push(Number.parseInt(oct, 8));
+                i += 3;
+                continue;
+            }
+        }
+        switch (next) {
+            case 'a':
+                out.push(0x07);
+                break;
+            case 'b':
+                out.push(0x08);
+                break;
+            case 't':
+                out.push(0x09);
+                break;
+            case 'n':
+                out.push(0x0a);
+                break;
+            case 'v':
+                out.push(0x0b);
+                break;
+            case 'f':
+                out.push(0x0c);
+                break;
+            case 'r':
+                out.push(0x0d);
+                break;
+            case '"':
+                out.push(0x22);
+                break;
+            case '\\':
+                out.push(0x5c);
+                break;
+            default:
+                // Unknown escape — emit the escape char as a literal so we
+                // don't silently drop bytes. Mirrors git's own permissive
+                // behaviour.
+                out.push(next.charCodeAt(0));
+        }
+        i += 1;
+    }
+    return Buffer.from(out).toString('utf8');
+}
+/**
+ * `diff -u` (non-git) emits trailing tab-prefixed timestamps after the
+ * path: `--- foo.ts\t2026-05-25 10:00:00`. Strip those so the security
+ * gate sees the clean path.
+ */
+function stripTimestampSuffix(path) {
+    const tab = path.indexOf('\t');
+    return tab >= 0 ? path.slice(0, tab) : path;
+}
+/**
+ * Apply a unified-diff patch to the workspace. Routes every mentioned
+ * file through the shared security gate before invoking `git apply`.
+ */
+export function applyPatch(ctx, patch, opts = {}) {
+    const toolCallId = recordToolCall(ctx.session, 'apply_patch', `${patch.length} bytes`);
+    try {
+        gateOnCancellation(ctx, 'apply_patch');
+    }
+    catch (error) {
+        if (error instanceof OperatorAbortedError) {
+            recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
+            throw error;
+        }
+        throw error;
+    }
+    if (patch.trim().length === 0) {
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'empty_patch',
+            detail: 'patch body is empty',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'empty_patch');
+        return result;
+    }
+    const paths = extractPatchPaths(patch);
+    if (paths.length === 0) {
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'invalid_patch',
+            detail: 'no `diff --git` or `+++` headers found in patch',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'invalid_patch');
+        return result;
+    }
+    // SECURITY GATE — reuse the α6.6 chokepoint. Every path in the patch
+    // is validated against:
+    //   1. workspace containment (no ../../ escapes)
+    //   2. protected-file basenames (.env, *.pem, id_rsa, etc.)
+    //   3. symlink escape (an in-workspace symlink pointing to /etc/hosts
+    //      or a protected basename gets rejected here)
+    for (const file of paths) {
+        const gate = applySecurityGate(file, { cwd: ctx.root, toolName: 'layer-c' });
+        if (!gate.ok) {
+            const result = {
+                ok: false,
+                filesChanged: [],
+                reason: gate.reason,
+                detail: `${file}: ${gate.detail}`,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', `${gate.reason}: ${file}`);
+            return result;
+        }
+    }
+    // `git apply --check` validates the patch end-to-end against the
+    // working tree. A passing check is the gate for the actual apply.
+    const checkArgs = ['apply', '--check'];
+    if (opts.baseSha)
+        checkArgs.push('--3way');
+    checkArgs.push('-');
+    const check = runGit(checkArgs, ctx.root, patch);
+    if (check.status === 127) {
+        // No git binary on PATH. Rare on a developer machine but possible
+        // in slim containers / CI images. Surface a dedicated reason so
+        // the operator's message says "install git" not "patch is bad".
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'git_unavailable',
+            detail: 'git not found on PATH',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'git_unavailable');
+        return result;
+    }
+    if (check.status !== 0) {
+        // Decide whether this is the "already applied" case or a real
+        // failure. `git apply --check` rejects an already-applied patch
+        // with stderr containing patterns like "patch does not apply" or
+        // "already exists in working directory". The simpler signal is
+        // the stderr string containing `already exists in working directory`
+        // (git's own message for a creating patch landing twice) — that's
+        // the only path we treat as `already_applied` here. Other stderr
+        // surfaces fall through to `check_failed` so the operator sees the
+        // raw reason.
+        const stderr = check.stderr.toLowerCase();
+        if (stderr.includes('already exists in working directory')) {
+            const result = {
+                ok: false,
+                filesChanged: [],
+                reason: 'already_applied',
+                detail: 'patch creates a path that already exists — likely already applied',
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', 'already_applied');
+            return result;
+        }
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'check_failed',
+            detail: check.stderr.trim() || 'git apply --check rejected the patch',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', `check_failed: ${result.detail}`);
+        return result;
+    }
+    if (opts.dryRun) {
+        const result = {
+            ok: true,
+            filesChanged: paths,
+        };
+        recordToolResult(ctx.session, toolCallId, 'success', `dry-run ok, ${paths.length} files`);
+        return result;
+    }
+    // R1 fix (2026-05-26, PR #413 r1, Fix 6): snapshot which paths exist
+    // BEFORE the apply so rollbackFiles can decide between
+    // `git checkout -- <file>` (for files that existed) and `fs.rmSync`
+    // (for files the patch was creating that may have been half-written
+    // before the failure). Without this snapshot, `git checkout`
+    // gracefully no-ops on a never-tracked file and the partial creation
+    // is left behind.
+    const preExisting = new Map();
+    for (const p of paths) {
+        preExisting.set(p, existsSync(resolve(ctx.root, p)));
+    }
+    const applyArgs = ['apply'];
+    if (opts.baseSha)
+        applyArgs.push('--3way');
+    applyArgs.push('-');
+    const apply = runGit(applyArgs, ctx.root, patch);
+    if (apply.status !== 0) {
+        // Apply failed AFTER --check passed. This is almost always a TOCTOU
+        // (another writer touched a file between the two git calls).
+        // Rollback ANY partial mutation so the workspace stays consistent.
+        const rollback = rollbackFiles(ctx.root, paths, preExisting);
+        const detail = apply.stderr.trim() || 'git apply failed after passing --check';
+        if (!rollback.ok) {
+            const result = {
+                ok: false,
+                filesChanged: [],
+                reason: 'rollback_failed',
+                detail: `${detail}; rollback also failed: ${rollback.detail}`,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', 'rollback_failed');
+            return result;
+        }
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'apply_failed',
+            detail,
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', `apply_failed: ${detail}`);
+        return result;
+    }
+    // Audit-log every file the patch mutated. The before/after hashes
+    // are NOT recorded (git owns the staging area for that); the
+    // mutation entry is enough for `pugi undo` to surface "apply_patch
+    // touched these files" in the timeline.
+    for (const file of paths) {
+        recordFileMutation(ctx.session, {
+            toolCallId,
+            path: file,
+            operation: 'update',
+        });
+    }
+    recordToolResult(ctx.session, toolCallId, 'success', `applied ${paths.length} files`);
+    return { ok: true, filesChanged: paths };
+}
+/**
+ * Roll back any partial mutation by checking files out from HEAD. Used
+ * only on the rare path where `git apply` fails AFTER `git apply --check`
+ * passed.
+ *
+ * R1 fix (2026-05-26, PR #413 r1, Fix 6): a multi-file patch that
+ * creates new files leaves them on disk when `git apply` fails partway —
+ * `git checkout -- <file>` does NOT delete a path that was never tracked
+ * (the file was created by the failed apply). We split paths into two
+ * groups using the pre-apply snapshot:
+ *
+ *   - existed-before  -> `git checkout -- <file>` restores tracked content.
+ *   - created-by-apply -> `fs.rmSync(file, { force: true })` removes the
+ *     half-written file so the workspace ends up identical to its
+ *     pre-apply state.
+ *
+ * This keeps the dispatcher's invariant: a tool result of `ok: false`
+ * means the workspace is unchanged.
+ */
+function rollbackFiles(cwd, paths, preExisting) {
+    if (paths.length === 0)
+        return { ok: true };
+    // We only attempt to roll back files that are inside the workspace
+    // and were resolved by the security gate. A path that escaped the
+    // gate would have already aborted us above.
+    const safePaths = paths.filter((p) => {
+        const abs = resolve(cwd, p);
+        return abs === cwd || abs.startsWith(cwd + sep);
+    });
+    if (safePaths.length === 0)
+        return { ok: true };
+    const toCheckout = [];
+    const toRemove = [];
+    for (const p of safePaths) {
+        if (preExisting.get(p))
+            toCheckout.push(p);
+        else
+            toRemove.push(p);
+    }
+    // Unlink files that the patch was creating. `force: true` swallows
+    // ENOENT so a creation that never got far enough to write the file
+    // is a no-op. We record every unlink failure but keep going so a
+    // single permission error on one file doesn't strand the others.
+    const removeFailures = [];
+    for (const p of toRemove) {
+        const abs = resolve(cwd, p);
+        try {
+            rmSync(abs, { force: true });
+        }
+        catch (error) {
+            removeFailures.push(`${p}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    if (toCheckout.length > 0) {
+        const result = runGit(['checkout', '--', ...toCheckout], cwd);
+        if (result.status !== 0) {
+            const detail = [result.stderr.trim(), ...removeFailures].filter(Boolean).join('; ');
+            return { ok: false, detail };
+        }
+    }
+    if (removeFailures.length > 0) {
+        return { ok: false, detail: `rollback unlink failed: ${removeFailures.join('; ')}` };
+    }
+    return { ok: true };
+}
+function runGit(args, cwd, stdin) {
+    // R1 fix (2026-05-26, PR #413 r1, P2 #13): force the English C locale
+    // for the git child process. The `already_applied` reason-coding
+    // below greps stderr for the literal English string
+    // "already exists in working directory"; on a host where git was
+    // installed with a translated message catalog (de_DE / ru_RU / etc.)
+    // the substring match would silently miss and the operator would see
+    // `check_failed` instead of `already_applied`. C locale (also
+    // LC_ALL) guarantees the canonical message regardless of host env.
+    return spawnSync('git', args, {
+        cwd,
+        input: stdin,
+        encoding: 'utf8',
+        maxBuffer: 64 * 1024 * 1024,
+        env: { ...process.env, LANG: 'C', LC_ALL: 'C' },
+    });
+}
+/**
+ * Test-only surface for the apply-patch heuristics. Specs poke
+ * `extractPatchPaths` directly to assert on the path-parsing layer
+ * without paying for a real git invocation.
+ */
+export const __test__ = { extractPatchPaths, runGit, unquoteGitPath };
+//# sourceMappingURL=apply-patch.js.map

package/dist/tools/lsp-tools.js

@@ -0,0 +1,189 @@
+import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
+import { recordToolCall, recordToolResult } from '../core/session.js';
+/** Cap for any single LSP tool's payload size. Keeps model context lean. */
+const LSP_PAYLOAD_CAP_BYTES = 8 * 1024;
+export async function lspHover(ctx, lang, file, line, col) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_hover', `${lang}:${file}:${line}:${col}`);
+    return guard(ctx, 'lsp_hover', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.hover(file, { line, character: col }, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        if (!result.value) {
+            return { ok: true, value: { content: '' } };
+        }
+        const content = truncate(result.value.content);
+        return {
+            ok: true,
+            value: {
+                content: content.text,
+                ...(result.value.range ? { range: result.value.range } : {}),
+            },
+            ...(content.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+export async function lspDefinition(ctx, lang, file, line, col) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_definition', `${lang}:${file}:${line}:${col}`);
+    return guard(ctx, 'lsp_definition', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.definition(file, { line, character: col }, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        const capped = capLocations(result.value);
+        return {
+            ok: true,
+            value: capped.value,
+            ...(capped.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+export async function lspReferences(ctx, lang, file, line, col) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_references', `${lang}:${file}:${line}:${col}`);
+    return guard(ctx, 'lsp_references', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.references(file, { line, character: col }, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        const capped = capLocations(result.value);
+        return {
+            ok: true,
+            value: capped.value,
+            ...(capped.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+export async function lspDiagnostics(ctx, lang, file) {
+    const toolCallId = recordToolCall(ctx.session, 'lsp_diagnostics', `${lang}:${file}`);
+    return guard(ctx, 'lsp_diagnostics', toolCallId, async () => {
+        const client = ctx.lspClients?.get(lang);
+        if (!client)
+            return unavailable(lang);
+        const result = await client.diagnostics(file, ctx.cancellation);
+        if (!result.ok)
+            return failure(result);
+        const capped = capDiagnostics(result.value);
+        return {
+            ok: true,
+            value: capped.value,
+            ...(capped.truncated ? { truncated: true } : {}),
+        };
+    });
+}
+async function guard(ctx, toolName, toolCallId, op) {
+    try {
+        gateOnCancellation(ctx, toolName);
+    }
+    catch (error) {
+        if (error instanceof OperatorAbortedError) {
+            recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
+            return { ok: false, reason: 'operator_aborted', detail: error.message };
+        }
+        throw error;
+    }
+    try {
+        const result = await op();
+        if (result.ok) {
+            recordToolResult(ctx.session, toolCallId, 'success', summarize(result.value));
+        }
+        else {
+            recordToolResult(ctx.session, toolCallId, 'error', `${result.reason ?? 'error'}: ${result.detail ?? ''}`);
+        }
+        return result;
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        recordToolResult(ctx.session, toolCallId, 'error', message);
+        return { ok: false, reason: 'lsp_error', detail: message };
+    }
+}
+function unavailable(lang) {
+    return {
+        ok: false,
+        reason: 'lsp_unavailable',
+        detail: `no LSP server started for ${lang}. Install the server and re-run ` +
+            `with --lsp ${lang}, or fall back to grep.`,
+    };
+}
+function failure(result) {
+    if (result.ok) {
+        // Shouldn't be hit — caller checks first.
+        return { ok: true, value: result.value };
+    }
+    return { ok: false, reason: result.reason, detail: result.detail };
+}
+function summarize(value) {
+    if (value === null || value === undefined)
+        return 'no result';
+    if (Array.isArray(value))
+        return `${value.length} items`;
+    if (typeof value === 'object')
+        return Object.keys(value).join(',');
+    return String(value);
+}
+function truncate(text) {
+    const bytes = Buffer.byteLength(text, 'utf8');
+    if (bytes <= LSP_PAYLOAD_CAP_BYTES)
+        return { text, truncated: false };
+    // Truncate to the cap byte boundary. We don't try to honor codepoint
+    // alignment — UTF-8 surrogate splits show up as a single ? at the
+    // boundary, which is acceptable for a debug surface; the dispatcher
+    // is the trust boundary for "this is what the model will see".
+    const buf = Buffer.from(text, 'utf8').subarray(0, LSP_PAYLOAD_CAP_BYTES);
+    return { text: `${buf.toString('utf8')}\n... [truncated]`, truncated: true };
+}
+function capLocations(locations) {
+    // Cap at 200 locations OR the byte cap, whichever hits first. The
+    // 200 number is the operator-facing "this is a hot symbol" threshold —
+    // a richer surface (paginated `pugi lsp references --offset N`) is
+    // open backlog.
+    const COUNT_CAP = 200;
+    if (locations.length === 0)
+        return { value: locations, truncated: false };
+    const trimmed = locations.slice(0, COUNT_CAP);
+    const serialized = JSON.stringify(trimmed);
+    if (Buffer.byteLength(serialized, 'utf8') <= LSP_PAYLOAD_CAP_BYTES && trimmed.length === locations.length) {
+        return { value: trimmed, truncated: false };
+    }
+    // Trim by halves until we fit the byte cap. Worst case ~10 iterations
+    // for the 200 max, fine for an interactive tool.
+    let upper = trimmed.length;
+    while (upper > 1) {
+        const half = Math.floor(upper / 2);
+        const sub = trimmed.slice(0, half);
+        if (Buffer.byteLength(JSON.stringify(sub), 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
+            return { value: sub, truncated: true };
+        }
+        upper = half;
+    }
+    return { value: trimmed.slice(0, 1), truncated: true };
+}
+function capDiagnostics(items) {
+    if (items.length === 0)
+        return { value: items, truncated: false };
+    const serialized = JSON.stringify(items);
+    if (Buffer.byteLength(serialized, 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
+        return { value: items, truncated: false };
+    }
+    // Diagnostics are sorted error-first in LSP convention; trim from the
+    // tail so we keep the highest-severity items.
+    let upper = items.length;
+    while (upper > 1) {
+        const half = Math.floor(upper / 2);
+        const sub = items.slice(0, half);
+        if (Buffer.byteLength(JSON.stringify(sub), 'utf8') <= LSP_PAYLOAD_CAP_BYTES) {
+            return { value: sub, truncated: true };
+        }
+        upper = half;
+    }
+    return { value: items.slice(0, 1), truncated: true };
+}
+/** Test-only surface so specs can poke truncation directly. */
+export const __test__ = { truncate, capLocations, capDiagnostics, LSP_PAYLOAD_CAP_BYTES };
+//# sourceMappingURL=lsp-tools.js.map