@pugi/cli 0.1.0-beta.8 → 0.1.0-beta.87

package/dist/core/security/output-filter.js

@@ -0,0 +1,418 @@
+/**
+ * Output filter (primitive #2 of the 9-layer RAG architecture).
+ *
+ * Composes four independent safety checks into a single perimeter that
+ * runs against text the engine is ABOUT to emit to the operator. Each
+ * sub-check is a private function inside this module; the public entry
+ * point `filterOutput` runs them in a deterministic order and returns
+ * the union of their findings.
+ *
+ * The intent is "one chokepoint" — the engine wire-up (out of scope for
+ * this PR) will call `filterOutput` once per assistant turn and refuse
+ * to surface text whose `allowed` flag is false. Operators get a single
+ * structured violations list to triage.
+ *
+ * # Composed checks (deterministic order)
+ *
+ *  1. citation-verify — `[file:line]` / `(file:line)` patterns must
+ *                        resolve to a real file inside `workspaceRoot`.
+ *                        Path containment uses the existing workspace
+ *                        boundary check pattern from `path-security.ts`.
+ *  2. secret-scan     — defers to `core/memory/secret-scanner.ts`
+ *                        (backlog). When `redactSecrets=true`
+ *                        (default) the filter substitutes detected
+ *                        secrets with `[SECRET:<kind>]` placeholders
+ *                        AND reports the violations.
+ *  3. numeric-claim   — standalone numbers (≥3 digits OR percentages
+ *                        OR currency) must have a citation within
+ *                        80 chars. When `allowNumericClaims=true` the
+ *                        check is skipped entirely.
+ *  4. malicious-url   — every URL found in the text must intersect
+ *                        `allowedURLs`. Empty allowlist + non-empty URL
+ *                        set = all URLs flagged.
+ *  5. injection-echo  — surface obvious prompt-injection fragments
+ *                        that look like upstream content leaked into
+ *                        the model's output (`<system-reminder>`,
+ *                        ChatML tags, "ignore previous instructions",
+ *                        etc.).
+ *
+ * # No early exit
+ *
+ * The filter walks every check on every call and accumulates every
+ * violation. A text with three secrets, two bad URLs and one bogus
+ * citation surfaces six violations — operators see the whole picture in
+ * one pass, not piecemeal across retries.
+ *
+ * # What this is NOT
+ *
+ *  - A blocking guard. The caller decides what to do with
+ *    `allowed=false`. We never throw on a violation — throwing would
+ *    deny the caller the redacted text + structured findings.
+ *  - A locale-aware numeric extractor. Only English thousands
+ *    separators are recognised for now (`1,000`, `1000`, `1,000.50`).
+ *    Locale variants (e.g. `1.000,50` in DE) are intentionally out of
+ *    scope per the spec.
+ *  - An ML-based harm classifier. Regex tier only; harm-pattern
+ *    expansion is deferred.
+ *
+ * # Existing modules composed against
+ *
+ *  - `core/memory/secret-scanner.ts` — secret-scan delegate.
+ *  - `core/path-security.ts`              — workspace boundary check
+ *                                             pattern (containment +
+ *                                             realpath).
+ *
+ * # Follow-ups (tracked, NOT shipped here)
+ *
+ *  - Engine wire-up — consumer pulls `filterOutput` before emitting
+ *    to the operator. Out of scope; touches `core/engine/` only.
+ *  - Shared secret-scanner consolidation — depends on ship.
+ *  - Locale-aware numeric extraction.
+ *  - LLM-driven harm classifier (regex tier only today).
+ */
+import { existsSync, realpathSync } from 'node:fs';
+import { isAbsolute, relative, resolve } from 'node:path';
+import { redactSecrets as redactSecretsImpl, scanForSecrets, } from '../memory/secret-scanner.js';
+// ---------------------------------------------------------------------------
+// Pattern catalog
+// ---------------------------------------------------------------------------
+/**
+ * Inline citation patterns. Accepts:
+ *  - `[file:line]` e.g. `[src/foo.ts:42]`
+ *  - `(file:line)` e.g. `(src/foo.ts:42)`
+ *
+ * The path must contain a `.` (file extension hint) to keep prose like
+ * `[chapter:1]` from being misread as a code citation. Line is a
+ * 1+ digit positive integer.
+ *
+ * Anchored with bounded character classes — no `.*` and no nested
+ * alternations, defending against catastrophic backtracking.
+ */
+const INLINE_CITATION_RE = /[\[(]([^\]\s)]+\.[A-Za-z0-9]+):(\d+)[\])]/g;
+/**
+ * URL extraction. Matches `http://` or `https://` followed by host +
+ * optional path. Bounded path char class.
+ */
+const URL_RE = /\bhttps?:\/\/[A-Za-z0-9.\-]+(?::\d+)?(?:\/[A-Za-z0-9._~:/?#@!$&'()*+,;=%\-]*)?/g;
+/**
+ * Numeric-claim patterns. We accumulate matches from THREE shapes:
+ *  - percentage:  `42%`, `0.5%`, `100.0%`
+ *  - currency:    `$1`, `$1,000`, `$1.50`, `€42`, `£99.99` (any 1+)
+ *  - bare number: `123`, `1,000`, `42.5` (≥3 significant digits)
+ *
+ * "Significant digits" for the bare-number rule means ≥3 digit chars
+ * total ignoring separators. `99` (2 digits) is NOT flagged; `100` is.
+ * This dodges the false-positive trap of years / common small numbers
+ * appearing in prose without a citation needing to back them up.
+ */
+const PERCENT_RE = /\b\d+(?:\.\d+)?%/g;
+const CURRENCY_RE = /[$€£¥₹]\s?\d{1,3}(?:,\d{3})*(?:\.\d+)?/g;
+const BARE_NUMBER_RE = /\b\d{1,3}(?:,\d{3})+(?:\.\d+)?\b|\b\d{3,}(?:\.\d+)?\b/g;
+/**
+ * Injection-echo fragments. These are markers we never expect a model
+ * to legitimately produce in its output; their appearance suggests
+ * upstream context (a user-supplied document, a tool result, a leaked
+ * system prompt) has bled into the generation surface.
+ *
+ * Kept literal-prefix-anchored to keep false-positives low. A model
+ * legitimately discussing prompt-injection education ("attackers might
+ * say `ignore previous instructions`") will trip the warning — the
+ * caller can downgrade via `allowed` post-hoc, but the violation must
+ * still surface so reviewers see it.
+ */
+const INJECTION_PATTERNS = [
+    { id: 'system-reminder-tag', re: /<system-reminder\b/gi },
+    { id: 'system-tag', re: /<\|im_start\|>/g },
+    { id: 'endoftext-tag', re: /<\|endoftext\|>/g },
+    { id: 'inst-marker', re: /\[INST\]/g },
+    { id: 'inst-close', re: /\[\/INST\]/g },
+    { id: 'ignore-previous', re: /\b(?:important[^a-z]*)?ignore\s+(?:all\s+|the\s+)?previous\s+(?:instructions|prompts?)/gi },
+    { id: 'disregard-above', re: /\bdisregard\s+(?:all|prior|the)?\s*above/gi },
+    { id: 'anthropic-human-tag', re: /\n\s*Human:\s*/g },
+    { id: 'anthropic-assistant-tag', re: /\n\s*Assistant:\s*/g },
+];
+// ---------------------------------------------------------------------------
+// Public entry point
+// ---------------------------------------------------------------------------
+export function filterOutput(text, options = {}) {
+    if (typeof text !== 'string' || text.length === 0) {
+        return { allowed: true, violations: [] };
+    }
+    const violations = [];
+    // Check order is deterministic — locked by the spec. Each check
+    // pushes its findings to `violations` and never throws.
+    // 1. Citation verify.
+    pushCitationViolations(text, options, violations);
+    // 2. Secret scan. We always scan; redaction is gated by the flag.
+    const redact = options.redactSecrets !== false;
+    const secretMatches = scanForSecrets(text);
+    for (const match of secretMatches) {
+        violations.push({
+            kind: 'secret-leak',
+            location: lineColumnFor(text, match.offset),
+            detail: `Secret pattern '${match.pattern}' (${match.confidence}) detected`,
+        });
+    }
+    let redactedText;
+    if (redact && secretMatches.length > 0) {
+        const result = redactSecretsImpl(text);
+        redactedText = result.redacted;
+    }
+    // 3. Numeric claim guard. Skipped when allowNumericClaims=true.
+    if (options.allowNumericClaims !== true) {
+        pushNumericClaimViolations(text, violations);
+    }
+    // 4. Malicious URL.
+    pushUrlViolations(text, options.allowedURLs ?? [], violations);
+    // 5. Injection echo.
+    pushInjectionEchoViolations(text, violations);
+    return {
+        allowed: violations.length === 0,
+        redactedText,
+        violations,
+    };
+}
+function collectInlineCitations(text) {
+    const out = [];
+    for (const m of text.matchAll(INLINE_CITATION_RE)) {
+        if (m.index === undefined)
+            continue;
+        const path = m[1];
+        const lineStr = m[2];
+        if (path === undefined || lineStr === undefined)
+            continue;
+        const lineNum = Number.parseInt(lineStr, 10);
+        if (!Number.isFinite(lineNum) || lineNum <= 0)
+            continue;
+        out.push({
+            raw: m[0],
+            path,
+            line: lineNum,
+            offset: m.index,
+        });
+    }
+    return out;
+}
+function pushCitationViolations(text, options, violations) {
+    const inline = collectInlineCitations(text);
+    const explicit = options.citations ?? [];
+    // Nothing to check.
+    if (inline.length === 0 && explicit.length === 0)
+        return;
+    const root = options.workspaceRoot;
+    if (root === undefined) {
+        // Fail-closed: cannot verify without a root, but we still surface
+        // the citations so the caller sees them.
+        for (const cite of inline) {
+            violations.push({
+                kind: 'invalid-citation',
+                location: lineColumnFor(text, cite.offset),
+                detail: `Citation '${cite.raw}' cannot be verified (workspaceRoot missing)`,
+            });
+        }
+        for (const cite of explicit) {
+            violations.push({
+                kind: 'invalid-citation',
+                detail: `Citation '${cite.path}:${cite.line}' cannot be verified (workspaceRoot missing)`,
+            });
+        }
+        return;
+    }
+    // Canonicalise the workspace root once. realpath fail = pass-through;
+    // the containment check below will still reject any traversal.
+    let canonicalRoot;
+    try {
+        canonicalRoot = realpathSync.native(root);
+    }
+    catch {
+        canonicalRoot = resolve(root);
+    }
+    for (const cite of inline) {
+        if (!isCitationContained(cite.path, canonicalRoot)) {
+            violations.push({
+                kind: 'invalid-citation',
+                location: lineColumnFor(text, cite.offset),
+                detail: `Citation '${cite.raw}' resolves outside workspace`,
+            });
+            continue;
+        }
+        const abs = resolve(canonicalRoot, cite.path);
+        if (!existsSync(abs)) {
+            violations.push({
+                kind: 'invalid-citation',
+                location: lineColumnFor(text, cite.offset),
+                detail: `Citation '${cite.raw}' references missing file`,
+            });
+        }
+    }
+    for (const cite of explicit) {
+        if (!isCitationContained(cite.path, canonicalRoot)) {
+            violations.push({
+                kind: 'invalid-citation',
+                detail: `Citation '${cite.path}:${cite.line}' resolves outside workspace`,
+            });
+            continue;
+        }
+        const abs = resolve(canonicalRoot, cite.path);
+        if (!existsSync(abs)) {
+            violations.push({
+                kind: 'invalid-citation',
+                detail: `Citation '${cite.path}:${cite.line}' references missing file`,
+            });
+        }
+    }
+}
+function isCitationContained(citationPath, canonicalRoot) {
+    if (isAbsolute(citationPath))
+        return false; // absolute paths in citations are never trusted
+    // Reject `..` segments before any FS work (mirror path-security.ts step #1).
+    const segments = citationPath.split(/[/\\]/);
+    if (segments.some((seg) => seg === '..'))
+        return false;
+    // Resolve relative to the canonical root and reverify containment.
+    const target = resolve(canonicalRoot, citationPath);
+    const rel = relative(canonicalRoot, target);
+    if (!rel)
+        return true;
+    return !rel.startsWith('..');
+}
+function collectNumericHits(text) {
+    const out = [];
+    for (const re of [PERCENT_RE, CURRENCY_RE, BARE_NUMBER_RE]) {
+        for (const m of text.matchAll(re)) {
+            if (m.index === undefined)
+                continue;
+            out.push({ value: m[0], offset: m.index });
+        }
+    }
+    // Deduplicate overlapping hits — `100%` matches PERCENT_RE and the
+    // bare-number rule would not (anchored to no trailing `%`), but a
+    // currency `$100` could overlap a bare `100`. Sort by offset, keep
+    // the longest match at each anchor.
+    out.sort((a, b) => a.offset - b.offset || b.value.length - a.value.length);
+    const deduped = [];
+    let lastEnd = -1;
+    for (const hit of out) {
+        if (hit.offset < lastEnd)
+            continue;
+        deduped.push(hit);
+        lastEnd = hit.offset + hit.value.length;
+    }
+    return deduped;
+}
+function pushNumericClaimViolations(text, violations) {
+    const numbers = collectNumericHits(text);
+    if (numbers.length === 0)
+        return;
+    // Compute citation offsets ONCE — every inline citation in the text
+    // counts as anchorage for nearby numbers regardless of validity.
+    // (Validity is checked separately in pushCitationViolations.)
+    const citationOffsets = [];
+    for (const m of text.matchAll(INLINE_CITATION_RE)) {
+        if (m.index !== undefined)
+            citationOffsets.push(m.index);
+    }
+    for (const hit of numbers) {
+        if (!hasCitationWithin(hit.offset, hit.value.length, citationOffsets, 80)) {
+            violations.push({
+                kind: 'numeric-without-citation',
+                location: lineColumnFor(text, hit.offset),
+                detail: `Numeric claim '${hit.value}' has no citation within 80 chars`,
+            });
+        }
+    }
+}
+function hasCitationWithin(hitOffset, hitLength, citationOffsets, window) {
+    const lo = hitOffset - window;
+    const hi = hitOffset + hitLength + window;
+    for (const cOff of citationOffsets) {
+        if (cOff >= lo && cOff <= hi)
+            return true;
+    }
+    return false;
+}
+// ---------------------------------------------------------------------------
+// Malicious URL
+// ---------------------------------------------------------------------------
+function pushUrlViolations(text, allowed, violations) {
+    const normalisedAllowed = allowed.map((u) => stripTrailingSlash(u.toLowerCase()));
+    for (const m of text.matchAll(URL_RE)) {
+        if (m.index === undefined)
+            continue;
+        const url = m[0];
+        if (!isUrlAllowed(url, normalisedAllowed)) {
+            violations.push({
+                kind: 'malicious-url',
+                location: lineColumnFor(text, m.index),
+                detail: `URL '${url}' is not in the allowlist`,
+            });
+        }
+    }
+}
+function stripTrailingSlash(s) {
+    return s.endsWith('/') ? s.slice(0, -1) : s;
+}
+function isUrlAllowed(url, allowlist) {
+    const lower = stripTrailingSlash(url.toLowerCase());
+    for (const allowed of allowlist) {
+        if (lower === allowed)
+            return true;
+        // Prefix-with-`/` match prevents `https://example.com.evil` from
+        // satisfying an `https://example.com` entry. We also accept the
+        // bare host without path.
+        if (lower.startsWith(`${allowed}/`))
+            return true;
+        if (lower.startsWith(`${allowed}?`))
+            return true;
+        if (lower.startsWith(`${allowed}#`))
+            return true;
+    }
+    return false;
+}
+// ---------------------------------------------------------------------------
+// Injection echo
+// ---------------------------------------------------------------------------
+function pushInjectionEchoViolations(text, violations) {
+    for (const pattern of INJECTION_PATTERNS) {
+        // Clone each regex so concurrent calls do not share `lastIndex`.
+        const rx = new RegExp(pattern.re.source, pattern.re.flags);
+        for (const m of text.matchAll(rx)) {
+            if (m.index === undefined)
+                continue;
+            violations.push({
+                kind: 'injection-echo',
+                location: lineColumnFor(text, m.index),
+                detail: `Injection-echo pattern '${pattern.id}' matched (${truncateMatch(m[0])})`,
+            });
+        }
+    }
+}
+function truncateMatch(s) {
+    if (s.length <= 64)
+        return s;
+    return `${s.slice(0, 64)}...`;
+}
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Compute 1-based line + column for a 0-based byte (UTF-16 code unit)
+ * offset within `text`. Mirrors the helper in `secret-scanner.ts` but
+ * returns column too — the spec demands a `{ line, column }` shape.
+ */
+function lineColumnFor(text, offset) {
+    let line = 1;
+    let column = 1;
+    const cap = Math.min(offset, text.length);
+    for (let i = 0; i < cap; i += 1) {
+        if (text.charCodeAt(i) === 10) {
+            line += 1;
+            column = 1;
+        }
+        else {
+            column += 1;
+        }
+    }
+    return { line, column };
+}
+//# sourceMappingURL=output-filter.js.map

package/dist/core/session/env-file.js

@@ -0,0 +1,105 @@
+import { promises as fs } from 'node:fs';
+import { dirname } from 'node:path';
+const PUGI_PREFIX = 'PUGI_';
+function isPugiKey(key) {
+    return key.startsWith(PUGI_PREFIX);
+}
+function filterPugiVars(env) {
+    const out = {};
+    for (const [k, v] of Object.entries(env)) {
+        if (isPugiKey(k) && typeof v === 'string')
+            out[k] = v;
+    }
+    return out;
+}
+function isValidState(value) {
+    if (!value || typeof value !== 'object')
+        return false;
+    const v = value;
+    if (typeof v.cwd !== 'string')
+        return false;
+    if (!v.environment || typeof v.environment !== 'object' || Array.isArray(v.environment))
+        return false;
+    if (typeof v.updatedAt !== 'string')
+        return false;
+    if (v.personaSlug !== undefined && typeof v.personaSlug !== 'string')
+        return false;
+    for (const [k, entry] of Object.entries(v.environment)) {
+        if (typeof k !== 'string' || typeof entry !== 'string')
+            return false;
+    }
+    return true;
+}
+function warn(message) {
+    process.stderr.write(`[pugi:env-file] ${message}\n`);
+}
+export async function loadEnvState(opts) {
+    let raw;
+    try {
+        raw = await fs.readFile(opts.envFilePath, 'utf8');
+    }
+    catch (err) {
+        const code = err.code;
+        if (code === 'ENOENT')
+            return null;
+        warn(`failed to read ${opts.envFilePath}: ${err.message}`);
+        return null;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        warn(`malformed JSON at ${opts.envFilePath}: ${err.message}`);
+        return null;
+    }
+    if (!isValidState(parsed)) {
+        warn(`invalid env state shape at ${opts.envFilePath}`);
+        return null;
+    }
+    const state = {
+        cwd: parsed.cwd,
+        environment: filterPugiVars(parsed.environment),
+        updatedAt: parsed.updatedAt,
+    };
+    if (parsed.personaSlug !== undefined)
+        state.personaSlug = parsed.personaSlug;
+    return state;
+}
+export async function saveEnvState(state, opts) {
+    const dir = dirname(opts.envFilePath);
+    await fs.mkdir(dir, { recursive: true });
+    const finalState = {
+        cwd: state.cwd,
+        environment: filterPugiVars(state.environment ?? {}),
+        updatedAt: new Date().toISOString(),
+    };
+    if (state.personaSlug !== undefined)
+        finalState.personaSlug = state.personaSlug;
+    const payload = JSON.stringify(finalState, null, 2);
+    const tmpSuffix = `${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+    const tmpPath = `${opts.envFilePath}.tmp-${tmpSuffix}`;
+    await fs.writeFile(tmpPath, payload, { encoding: 'utf8', mode: 0o600 });
+    try {
+        await fs.rename(tmpPath, opts.envFilePath);
+    }
+    catch (err) {
+        await fs.rm(tmpPath, { force: true }).catch(() => { });
+        throw err;
+    }
+}
+export function mergeIntoEnv(state, processEnv) {
+    const out = {};
+    if (state) {
+        for (const [k, v] of Object.entries(state.environment)) {
+            if (isPugiKey(k) && typeof v === 'string')
+                out[k] = v;
+        }
+    }
+    for (const [k, v] of Object.entries(processEnv)) {
+        if (v !== undefined)
+            out[k] = v;
+    }
+    return out;
+}
+//# sourceMappingURL=env-file.js.map

package/dist/core/session/section-budgets.js

@@ -0,0 +1,140 @@
+import { estimateTokens } from '../compact/token-counter.js';
+export const TRUNCATION_MARKER = '\n[…truncated…]\n';
+const DEFAULT_PRIORITY = 0.5;
+const SHAVE_STEP_RATIO = 0.1;
+const SHAVE_SAFETY_BOUND = 10_000;
+function validateInputs(sections) {
+    const seen = new Set();
+    for (const s of sections) {
+        if (typeof s.name !== 'string' || s.name.length === 0) {
+            throw new TypeError('section name must be a non-empty string');
+        }
+        if (seen.has(s.name)) {
+            throw new TypeError(`duplicate section name: ${s.name}`);
+        }
+        seen.add(s.name);
+        if (!Number.isFinite(s.budget) || s.budget < 0) {
+            throw new RangeError(`section ${s.name}: budget must be a finite number >= 0`);
+        }
+        if (s.priority !== undefined) {
+            if (!Number.isFinite(s.priority) || s.priority < 0 || s.priority > 1) {
+                throw new RangeError(`section ${s.name}: priority must be in [0, 1]`);
+            }
+        }
+    }
+}
+function buildTruncated(content, keepChars, strategy) {
+    if (keepChars <= 0)
+        return '';
+    if (strategy === 'head') {
+        const start = Math.max(0, content.length - keepChars);
+        return TRUNCATION_MARKER + content.slice(start);
+    }
+    if (strategy === 'tail') {
+        return content.slice(0, keepChars) + TRUNCATION_MARKER;
+    }
+    const headChars = Math.floor(keepChars / 2);
+    const tailChars = keepChars - headChars;
+    const head = content.slice(0, headChars);
+    const tailStart = Math.max(headChars, content.length - tailChars);
+    const tail = content.slice(tailStart);
+    return head + TRUNCATION_MARKER + tail;
+}
+function truncateSection(name, content, budget, strategy) {
+    const originalTokens = estimateTokens(content);
+    if (originalTokens <= budget) {
+        return { content, tokens: originalTokens, truncated: false, droppedTokens: 0 };
+    }
+    if (strategy === 'none') {
+        throw new RangeError(`section ${name}: content (${originalTokens} tokens) exceeds budget (${budget}) and strategy='none'`);
+    }
+    if (budget === 0) {
+        return { content: '', tokens: 0, truncated: true, droppedTokens: originalTokens };
+    }
+    const markerTokens = estimateTokens(TRUNCATION_MARKER);
+    if (markerTokens >= budget) {
+        return { content: '', tokens: 0, truncated: true, droppedTokens: originalTokens };
+    }
+    const available = budget - markerTokens;
+    let keepChars = Math.max(0, available * 4);
+    let next = buildTruncated(content, keepChars, strategy);
+    let tokens = estimateTokens(next);
+    while (tokens > budget && keepChars > 0) {
+        keepChars = Math.max(0, keepChars - 4);
+        if (keepChars === 0) {
+            next = '';
+            tokens = 0;
+            break;
+        }
+        next = buildTruncated(content, keepChars, strategy);
+        tokens = estimateTokens(next);
+    }
+    return {
+        content: next,
+        tokens,
+        truncated: true,
+        droppedTokens: originalTokens - tokens,
+    };
+}
+export function applySectionBudgets(sections, options) {
+    validateInputs(sections);
+    const sumBudgets = sections.reduce((sum, s) => sum + s.budget, 0);
+    const totalBudget = options?.totalBudget ?? sumBudgets;
+    const working = sections.map((s) => {
+        const r = truncateSection(s.name, s.content, s.budget, s.strategy);
+        return {
+            input: s,
+            currentBudget: s.budget,
+            content: r.content,
+            tokens: r.tokens,
+            truncated: r.truncated,
+            droppedTokens: r.droppedTokens,
+        };
+    });
+    let totalTokens = working.reduce((sum, w) => sum + w.tokens, 0);
+    if (totalTokens > totalBudget) {
+        const shrinkable = working
+            .map((w, idx) => ({ w, idx, priority: w.input.priority ?? DEFAULT_PRIORITY }))
+            .filter((x) => x.w.input.strategy !== 'none')
+            .sort((a, b) => a.priority - b.priority || a.idx - b.idx);
+        let safety = 0;
+        while (totalTokens > totalBudget && safety < SHAVE_SAFETY_BOUND) {
+            safety++;
+            let shaved = false;
+            for (const x of shrinkable) {
+                if (x.w.currentBudget === 0 && x.w.tokens === 0)
+                    continue;
+                const step = Math.max(1, Math.ceil(x.w.input.budget * SHAVE_STEP_RATIO));
+                const newBudget = Math.max(0, x.w.currentBudget - step);
+                if (newBudget === x.w.currentBudget)
+                    continue;
+                x.w.currentBudget = newBudget;
+                const r = truncateSection(x.w.input.name, x.w.input.content, newBudget, x.w.input.strategy);
+                const delta = x.w.tokens - r.tokens;
+                x.w.content = r.content;
+                x.w.tokens = r.tokens;
+                x.w.truncated = r.truncated;
+                x.w.droppedTokens = r.droppedTokens;
+                totalTokens -= delta;
+                shaved = true;
+                break;
+            }
+            if (!shaved)
+                break;
+        }
+    }
+    const finalSections = working.map((w) => ({
+        name: w.input.name,
+        content: w.content,
+        tokens: w.tokens,
+        truncated: w.truncated,
+        droppedTokens: w.droppedTokens,
+    }));
+    return {
+        sections: finalSections,
+        totalTokens,
+        totalBudget,
+        overBudget: totalTokens > totalBudget,
+    };
+}
+//# sourceMappingURL=section-budgets.js.map