@pugi/cli 0.1.0-beta.8 → 0.1.0-beta.88

package/dist/tools/apply-patch.js

@@ -0,0 +1,556 @@
+/**
+ * apply_patch tool — Phase 1.
+ *
+ * Accepts a unified diff (the format produced by `git diff` and
+ * consumed by `git apply`) and lands it atomically into the workspace.
+ * This is the third edit primitive alongside the 4-layer diff
+ * escalation: where the layers escalate from minimal `oldString`/
+ * `newString` blocks up to full-file rewrites, apply_patch covers the
+ * unified-diff dialect that OpenAI Codex and most external tools emit.
+ *
+ * Why we have both:
+ *
+ *  - The 4-layer escalation maximises model-side success rate on
+ *    conversational edits (Claude / Gemini / OpenAI all have a
+ *    preferred dialect that maps onto one of the layers).
+ *  - apply_patch is the "external tools speak this" path. A model
+ *    emits a single unified diff (the format `git diff` produces),
+ *    and we run it through `git apply` with the same security gate
+ *    the layers use.
+ *
+ * Security: every file mentioned in the patch goes through the same
+ * `applySecurityGate` chokepoint as the layers (see
+ * `src/core/edits/security-gate.ts`). A patch that touches
+ * `../../etc/passwd`, `.env`, or a workspace-local symlink to a protected
+ * file is rejected BEFORE `git apply` runs. Symlink escape, protected
+ * file, and path traversal are all covered by the same gate the layers
+ * inherit — we never roll our own resolver here.
+ *
+ * Atomicity: a multi-file patch either lands entirely or not at all.
+ * `git apply --check` validates the patch end-to-end against the
+ * working tree first; only on a clean check do we run the real apply.
+ * If the apply still fails partway (extremely rare — usually a race
+ * with another writer), we run `git checkout -- <each file>` to roll
+ * the tree back. This keeps the dispatcher's invariant: a tool result
+ * of `ok: false` means the workspace is unchanged.
+ *
+ * Idempotency: applying the same patch twice rejects the second with
+ * `already_applied`. `git apply` itself returns success only when the
+ * patch's pre-image matches the working tree, so a second invocation
+ * naturally fails. We translate the specific failure mode into a
+ * dedicated reason so callers can short-circuit retry loops.
+ *
+ * Brand voice: ASCII only, no emoji, no banned words.
+ */
+import { spawnSync } from 'node:child_process';
+import { existsSync, rmSync } from 'node:fs';
+import { resolve, sep } from 'node:path';
+import { applySecurityGate } from '../core/edits/security-gate.js';
+import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
+import { recordToolCall, recordToolResult, recordFileMutation } from '../core/session.js';
+/**
+ * Parse the file paths referenced in a unified diff. We look for both
+ * `diff --git a/X b/Y` headers (preferred) and the fallback
+ * `+++ b/<path>` lines that plain `diff -u` emits. The full set of
+ * touched paths feeds the security gate — EVERY file goes through
+ * `applySecurityGate` before we trust `git apply` to do anything.
+ *
+ * Security (R1 fix, PR r1): git emits C-style quoted
+ * path headers when a path contains "unusual" bytes (high bits, control
+ * chars, double-quote, backslash) and `core.quotePath` is true (the
+ * default). The literal header looks like
+ * `diff --git "a/.env" "b/.env"`. Before this fix the regex captured
+ * the literal `"b/.env"` string and the security gate's basename match
+ * never saw `.env` — `basename('"b/.env"')` is `'.env"'` (note the
+ * trailing quote) which does NOT match the `.env` protected pattern.
+ * `git apply` then de-quoted the header and happily landed on the real
+ * `.env`. We strip the surrounding quotes + decode the C-style escapes
+ * via `unquoteGitPath` BEFORE passing to the security gate so the
+ * basename matcher sees the real target.
+ */
+export function extractPatchPaths(patch) {
+    const paths = new Set();
+    for (const line of patch.split('\n')) {
+        if (line.startsWith('diff --git ')) {
+            // `diff --git a/foo b/bar` — paths can contain spaces only when
+            // quoted by git's own diff machinery (rare). The robust extractor
+            // matches the `b/...` half because rename diffs carry the new
+            // name there.
+            // Two variants: unquoted (`a/foo b/bar`) and C-style quoted
+            // (`"a/foo" "b/bar"`). We try the quoted form first because the
+            // unquoted regex below would accept the literal quote as part of
+            // the path otherwise.
+            const quoted = line.match(/^diff --git "a\/(.+)" "b\/(.+)"$/);
+            if (quoted) {
+                if (quoted[1])
+                    paths.add(unquoteGitPath(quoted[1]));
+                if (quoted[2])
+                    paths.add(unquoteGitPath(quoted[2]));
+                continue;
+            }
+            const match = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
+            if (match) {
+                if (match[1])
+                    paths.add(unquoteGitPath(match[1]));
+                if (match[2])
+                    paths.add(unquoteGitPath(match[2]));
+            }
+            continue;
+        }
+        if (line.startsWith('+++ ')) {
+            const after = line.slice(4).trim();
+            if (after === '/dev/null')
+                continue;
+            const stripped = stripQuotedHalf(after, 'b/');
+            if (stripped)
+                paths.add(stripTimestampSuffix(stripped));
+            continue;
+        }
+        if (line.startsWith('--- ')) {
+            const after = line.slice(4).trim();
+            if (after === '/dev/null')
+                continue;
+            const stripped = stripQuotedHalf(after, 'a/');
+            if (stripped)
+                paths.add(stripTimestampSuffix(stripped));
+        }
+    }
+    return Array.from(paths);
+}
+/**
+ * Strip the leading `a/` or `b/` prefix from a `---` / `+++` line,
+ * handling both unquoted (`b/.env`) and C-style quoted (`"b/.env"`)
+ * variants. The returned path is fully de-quoted so the security gate
+ * sees the real basename. Returns null when the line does not parse.
+ */
+function stripQuotedHalf(after, prefix) {
+    // Quoted form: `"b/path with \"escapes\""`. Detect surrounding quotes
+    // first, strip them, then peel the prefix, then unquote the inner
+    // C-style escapes.
+    if (after.startsWith('"') && after.endsWith('"') && after.length >= 2) {
+        const inner = after.slice(1, -1);
+        const peeled = inner.startsWith(prefix) ? inner.slice(prefix.length) : inner;
+        return unquoteGitPath(peeled);
+    }
+    const trimmed = after.startsWith(prefix) ? after.slice(prefix.length) : after;
+    return trimmed;
+}
+/**
+ * Decode git's C-style path quoting. When `core.quotePath` is true
+ * (default) git writes paths with high-bit / control / quote bytes as
+ * C-string escapes inside double quotes:
+ *
+ *  `"\.env"` -> `.env`        (backslash before . is just a literal)
+ *  `"a\"b"` -> `a"b`         (escaped double-quote)
+ *  `"a\\b"` -> `a\b`         (escaped backslash)
+ *  `"a\tb"` -> `a` + TAB + `b`
+ *  `"a\341\210\264"` -> `a` + UTF-8 bytes 0xe1 0x88 0xb4
+ *
+ * Accepts a path that is EITHER already unquoted (passed through) OR an
+ * inner string previously stripped of its surrounding quotes. The
+ * function is idempotent on already-clean ASCII paths.
+ *
+ * Reference: git source `quote.c::unquote_c_style`.
+ */
+export function unquoteGitPath(s) {
+    // If the caller passed us a wrapped string (`"foo"`), peel it now.
+    if (s.startsWith('"') && s.endsWith('"') && s.length >= 2) {
+        s = s.slice(1, -1);
+    }
+    // Fast path: no backslash means no C-style escapes, return as-is.
+    if (!s.includes('\\'))
+        return s;
+    const out = [];
+    for (let i = 0; i < s.length; i += 1) {
+        const ch = s[i];
+        if (ch !== '\\') {
+            // Single-byte ASCII or multi-byte JS string char; the byte we
+            // emit must match its UTF-8 encoding so the security gate sees
+            // the same bytes the filesystem will. JS strings are UTF-16; we
+            // bounce through Buffer to get the canonical UTF-8 bytes.
+            const bytes = Buffer.from(ch ?? '', 'utf8');
+            for (const b of bytes)
+                out.push(b);
+            continue;
+        }
+        const next = s[i + 1];
+        if (next === undefined) {
+            // Trailing backslash with no follower — emit literal.
+            out.push(0x5c);
+            continue;
+        }
+        // Three-digit octal escape: `\NNN` (each digit 0-7).
+        if (next >= '0' && next <= '7' && i + 3 < s.length + 1) {
+            const oct = s.slice(i + 1, i + 4);
+            if (/^[0-7]{3}$/.test(oct)) {
+                out.push(Number.parseInt(oct, 8));
+                i += 3;
+                continue;
+            }
+        }
+        switch (next) {
+            case 'a':
+                out.push(0x07);
+                break;
+            case 'b':
+                out.push(0x08);
+                break;
+            case 't':
+                out.push(0x09);
+                break;
+            case 'n':
+                out.push(0x0a);
+                break;
+            case 'v':
+                out.push(0x0b);
+                break;
+            case 'f':
+                out.push(0x0c);
+                break;
+            case 'r':
+                out.push(0x0d);
+                break;
+            case '"':
+                out.push(0x22);
+                break;
+            case '\\':
+                out.push(0x5c);
+                break;
+            default:
+                // Unknown escape — emit the escape char as a literal so we
+                // don't silently drop bytes. Mirrors git's own permissive
+                // behaviour.
+                out.push(next.charCodeAt(0));
+        }
+        i += 1;
+    }
+    return Buffer.from(out).toString('utf8');
+}
+/**
+ * `diff -u` (non-git) emits trailing tab-prefixed timestamps after the
+ * path: `--- foo.ts\t2026-05-25 10:00:00`. Strip those so the security
+ * gate sees the clean path.
+ */
+function stripTimestampSuffix(path) {
+    const tab = path.indexOf('\t');
+    return tab >= 0 ? path.slice(0, tab) : path;
+}
+/**
+ * Apply a unified-diff patch to the workspace. Routes every mentioned
+ * file through the shared security gate before invoking `git apply`.
+ */
+export function applyPatch(ctx, patch, opts = {}) {
+    const toolCallId = recordToolCall(ctx.session, 'apply_patch', `${patch.length} bytes`);
+    try {
+        gateOnCancellation(ctx, 'apply_patch');
+    }
+    catch (error) {
+        if (error instanceof OperatorAbortedError) {
+            recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
+            throw error;
+        }
+        throw error;
+    }
+    if (patch.trim().length === 0) {
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'empty_patch',
+            detail: 'patch body is empty',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'empty_patch');
+        return result;
+    }
+    // β7 L4: pre-flight conflict-marker check. A patch that still carries
+    // unresolved `<<<<<<<`/`=======`/`>>>>>>>` lines is almost always
+    // operator error (copy-pasted a half-resolved merge instead of the
+    // clean diff). `git apply` would reject it with a confusing
+    // "corrupt patch" message; the dedicated reason makes the failure
+    // obvious. We only check at body line starts so a legitimate diff
+    // that adds a string literal containing `<<<<<<<` for tests still
+    // applies.
+    if (containsConflictMarkers(patch)) {
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'conflict_markers',
+            detail: 'patch body contains unresolved git conflict markers (<<<<<<<, =======, >>>>>>>). ' +
+                'Resolve the conflict first or use --3way with --base=<sha> to defer to git.',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'conflict_markers');
+        return result;
+    }
+    const paths = extractPatchPaths(patch);
+    if (paths.length === 0) {
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'invalid_patch',
+            detail: 'no `diff --git` or `+++` headers found in patch',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'invalid_patch');
+        return result;
+    }
+    // SECURITY GATE — reuse the chokepoint. Every path in the patch
+    // is validated against:
+    //  1. workspace containment (no ../../ escapes)
+    //  2. protected-file basenames (.env, *.pem, id_rsa, etc.)
+    //  3. symlink escape (an in-workspace symlink pointing to /etc/hosts
+    //     or a protected basename gets rejected here)
+    for (const file of paths) {
+        const gate = applySecurityGate(file, { cwd: ctx.root, toolName: 'layer-c' });
+        if (!gate.ok) {
+            const result = {
+                ok: false,
+                filesChanged: [],
+                reason: gate.reason,
+                detail: `${file}: ${gate.detail}`,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', `${gate.reason}: ${file}`);
+            return result;
+        }
+    }
+    // `git apply --check` validates the patch end-to-end against the
+    // working tree. A passing check is the gate for the actual apply.
+    const checkArgs = ['apply', '--check'];
+    if (opts.baseSha)
+        checkArgs.push('--3way');
+    checkArgs.push('-');
+    const check = runGit(checkArgs, ctx.root, patch);
+    if (check.status === 127) {
+        // No git binary on PATH. Rare on a developer machine but possible
+        // in slim containers / CI images. Surface a dedicated reason so
+        // the operator's message says "install git" not "patch is bad".
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'git_unavailable',
+            detail: 'git not found on PATH',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'git_unavailable');
+        return result;
+    }
+    if (check.status !== 0) {
+        // Decide whether this is the "already applied" case or a real
+        // failure. `git apply --check` rejects an already-applied patch
+        // with stderr containing patterns like "patch does not apply" or
+        // "already exists in working directory". The simpler signal is
+        // the stderr string containing `already exists in working directory`
+        // (git's own message for a creating patch landing twice) — that's
+        // the only path we treat as `already_applied` here. Other stderr
+        // surfaces fall through to `check_failed` so the operator sees the
+        // raw reason.
+        const stderr = check.stderr.toLowerCase();
+        if (stderr.includes('already exists in working directory')) {
+            const result = {
+                ok: false,
+                filesChanged: [],
+                reason: 'already_applied',
+                detail: 'patch creates a path that already exists — likely already applied',
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', 'already_applied');
+            return result;
+        }
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'check_failed',
+            detail: check.stderr.trim() || 'git apply --check rejected the patch',
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', `check_failed: ${result.detail}`);
+        return result;
+    }
+    if (opts.dryRun) {
+        const result = {
+            ok: true,
+            filesChanged: paths,
+        };
+        recordToolResult(ctx.session, toolCallId, 'success', `dry-run ok, ${paths.length} files`);
+        return result;
+    }
+    // R1 fix (2026-05-26, PR r1, Fix 6): snapshot which paths exist
+    // BEFORE the apply so rollbackFiles can decide between
+    // `git checkout -- <file>` (for files that existed) and `fs.rmSync`
+    // (for files the patch was creating that may have been half-written
+    // before the failure). Without this snapshot, `git checkout`
+    // gracefully no-ops on a never-tracked file and the partial creation
+    // is left behind.
+    const preExisting = new Map();
+    for (const p of paths) {
+        preExisting.set(p, existsSync(resolve(ctx.root, p)));
+    }
+    const applyArgs = ['apply'];
+    if (opts.baseSha)
+        applyArgs.push('--3way');
+    applyArgs.push('-');
+    const apply = runGit(applyArgs, ctx.root, patch);
+    if (apply.status !== 0) {
+        // Apply failed AFTER --check passed. This is almost always a TOCTOU
+        // (another writer touched a file between the two git calls).
+        // Rollback ANY partial mutation so the workspace stays consistent.
+        const rollback = rollbackFiles(ctx.root, paths, preExisting);
+        const detail = apply.stderr.trim() || 'git apply failed after passing --check';
+        if (!rollback.ok) {
+            const result = {
+                ok: false,
+                filesChanged: [],
+                reason: 'rollback_failed',
+                detail: `${detail}; rollback also failed: ${rollback.detail}`,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', 'rollback_failed');
+            return result;
+        }
+        const result = {
+            ok: false,
+            filesChanged: [],
+            reason: 'apply_failed',
+            detail,
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', `apply_failed: ${detail}`);
+        return result;
+    }
+    // Audit-log every file the patch mutated. The before/after hashes
+    // are NOT recorded (git owns the staging area for that); the
+    // mutation entry is enough for `pugi undo` to surface "apply_patch
+    // touched these files" in the timeline.
+    for (const file of paths) {
+        recordFileMutation(ctx.session, {
+            toolCallId,
+            path: file,
+            operation: 'update',
+        });
+    }
+    recordToolResult(ctx.session, toolCallId, 'success', `applied ${paths.length} files`);
+    return { ok: true, filesChanged: paths };
+}
+/**
+ * Roll back any partial mutation by checking files out from HEAD. Used
+ * only on the rare path where `git apply` fails AFTER `git apply --check`
+ * passed.
+ *
+ * R1 fix (2026-05-26, PR r1, Fix 6): a multi-file patch that
+ * creates new files leaves them on disk when `git apply` fails partway —
+ * `git checkout -- <file>` does NOT delete a path that was never tracked
+ * (the file was created by the failed apply). We split paths into two
+ * groups using the pre-apply snapshot:
+ *
+ *  - existed-before -> `git checkout -- <file>` restores tracked content.
+ *  - created-by-apply -> `fs.rmSync(file, { force: true })` removes the
+ *    half-written file so the workspace ends up identical to its
+ *    pre-apply state.
+ *
+ * This keeps the dispatcher's invariant: a tool result of `ok: false`
+ * means the workspace is unchanged.
+ */
+function rollbackFiles(cwd, paths, preExisting) {
+    if (paths.length === 0)
+        return { ok: true };
+    // We only attempt to roll back files that are inside the workspace
+    // and were resolved by the security gate. A path that escaped the
+    // gate would have already aborted us above.
+    const safePaths = paths.filter((p) => {
+        const abs = resolve(cwd, p);
+        return abs === cwd || abs.startsWith(cwd + sep);
+    });
+    if (safePaths.length === 0)
+        return { ok: true };
+    const toCheckout = [];
+    const toRemove = [];
+    for (const p of safePaths) {
+        if (preExisting.get(p))
+            toCheckout.push(p);
+        else
+            toRemove.push(p);
+    }
+    // Unlink files that the patch was creating. `force: true` swallows
+    // ENOENT so a creation that never got far enough to write the file
+    // is a no-op. We record every unlink failure but keep going so a
+    // single permission error on one file doesn't strand the others.
+    const removeFailures = [];
+    for (const p of toRemove) {
+        const abs = resolve(cwd, p);
+        try {
+            rmSync(abs, { force: true });
+        }
+        catch (error) {
+            removeFailures.push(`${p}: ${error instanceof Error ? error.message : String(error)}`);
+        }
+    }
+    if (toCheckout.length > 0) {
+        const result = runGit(['checkout', '--', ...toCheckout], cwd);
+        if (result.status !== 0) {
+            const detail = [result.stderr.trim(), ...removeFailures].filter(Boolean).join('; ');
+            return { ok: false, detail };
+        }
+    }
+    if (removeFailures.length > 0) {
+        return { ok: false, detail: `rollback unlink failed: ${removeFailures.join('; ')}` };
+    }
+    return { ok: true };
+}
+function runGit(args, cwd, stdin) {
+    // R1 fix (2026-05-26, PR r1, P2 #13): force the English C locale
+    // for the git child process. The `already_applied` reason-coding
+    // below greps stderr for the literal English string
+    // "already exists in working directory"; on a host where git was
+    // installed with a translated message catalog (de_DE / ru_RU / etc.)
+    // the substring match would silently miss and the operator would see
+    // `check_failed` instead of `already_applied`. C locale (also
+    // LC_ALL) guarantees the canonical message regardless of host env.
+    return spawnSync('git', args, {
+        cwd,
+        input: stdin,
+        encoding: 'utf8',
+        maxBuffer: 64 * 1024 * 1024,
+        env: { ...process.env, LANG: 'C', LC_ALL: 'C' },
+    });
+}
+/**
+ * β7 L4: detect unresolved git conflict markers in a patch body.
+ *
+ * Conflict markers in a unified diff are a sign of operator error —
+ * someone copy-pasted a half-merged file instead of the clean diff.
+ * `git apply` would reject the patch with a confusing parse error
+ * ("corrupt patch at line N"). We check at the START of body lines so
+ * a legitimate diff that adds a string literal containing `<<<<<<<`
+ * (rare but legitimate for tests) still applies.
+ *
+ * Conflict marker bytes in a unified diff body look like:
+ *
+ *  +<<<<<<< HEAD
+ *  +=======
+ *  +>>>>>>> branch
+ *
+ * The `+` prefix is the unified-diff line-add marker. We strip it
+ * before the marker check; without the strip, an INVERSE diff that
+ * REMOVES a real conflict marker (legitimate cleanup commit) would be
+ * a false positive.
+ *
+ * Returns true when ANY conflict marker is detected.
+ */
+export function containsConflictMarkers(patch) {
+    for (const line of patch.split('\n')) {
+        // Only inspect body lines (start with `+` or `-` — the diff add/del
+        // markers). Header lines (`diff --git`, `+++`, `---`, `@@`) are
+        // skipped because the marker tokens cannot appear in those positions.
+        if (!(line.startsWith('+') || line.startsWith('-')))
+            continue;
+        // Skip diff header lines (`+++ b/foo` / `--- a/foo`).
+        if (line.startsWith('+++') || line.startsWith('---'))
+            continue;
+        const body = line.slice(1);
+        if (body.startsWith('<<<<<<<') ||
+            body.startsWith('>>>>>>>') ||
+            body === '=======') {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Test-only surface for the apply-patch heuristics. Specs poke
+ * `extractPatchPaths` directly to assert on the path-parsing layer
+ * without paying for a real git invocation.
+ */
+export const __test__ = { extractPatchPaths, runGit, unquoteGitPath, containsConflictMarkers };
+//# sourceMappingURL=apply-patch.js.map