@pugi/cli 0.1.0-beta.87 → 0.1.0-beta.89

package/CHANGELOG.md

@@ -7,6 +7,42 @@ releases listed first. Section format: `## [<version>] - <YYYY-MM-DD>`.
 The bundled `pugi release-notes` command parses this file and renders sections
 strictly newer than `~/.pugi/.last-seen-version` after every upgrade.
 
+## [0.1.0-beta.88] - 2026-06-02
+
+### Fixed
+- **Pugi identity intro no longer chants on later turns**. The output gate now
+  strips the canonical long-form intro ("I'm Pugi - your engineering copilot.
+  Tell me what you need...") and its Russian variant on mid-thread replies.
+  Operators were seeing the intro re-emit on turn 2+ after a session-resume
+  or autonomous tick.
+- **Ctrl+C double-press exit guard**. A single Ctrl+C in the REPL no longer
+  kills the CLI. First press prompts "Press Ctrl+C again to exit (within 2s)
+  or any key to continue". Second press within 2s exits cleanly; any other
+  key cancels. Headless mode emits a `session-end` envelope and exits 0.
+- **Persona no longer over-clarifies trivial creative tasks**. Asking for a
+  well-known game / demo / todo app now picks reasonable defaults and starts
+  building in one turn. Ambiguous tasks (auth, deploy targets) still ask
+  ≤ 3 short choices via the `ask_user_question` tool.
+
+### Added
+- **Short-format AskUserQuestion chip renderer**. Up to 3 questions render
+  side-by-side as Ink chips with ▸ default highlight, ↑↓ in-question nav,
+  ←→/Tab between questions, 1-9 jump, [s] skip-with-default, [Esc] cancel,
+  [Enter] commit. Labels truncate at 5 words / 22 chars. Caller can opt
+  into a non-TTY numbered fallback via `forceFallback`.
+
+### Security
+- **npm publish leak-gate hardening**. `prepublishOnly` now runs a
+  banned-string scan against the staged tarball (`tools/scrub/scan-tarball.sh`)
+  covering personal names, competitor refs, internal codenames, engineering
+  provenance, absolute paths, brand legacy, and secret-token shapes.
+  Per-line `[pugi-leak-ok]` allowlist marker for legitimate references;
+  path allowlist for LICENSE / THIRD_PARTY_NOTICES files where MIT requires
+  copyright-holder name. Synthetic injection regression test runs in CI.
+
+### Chore
+- MIT LICENSE copyright holder set to `Pugi.io` (was personal name).
+
 ## [0.1.0-beta.26] - 2026-05-27
 
 ### Added

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 Yurii Bulakh
+Copyright (c) 2026 Pugi.io
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/dist/core/agents/registry.js

@@ -30,7 +30,7 @@ function requirePersona(slug) {
 /**
  * CLI-only role-to-persona mapping. Roles are dispatcher-facing strings;
  * personas come from the brand-canonical THE_TEN. Vera (qa) intentionally
- * dual-roles as verifier + reviewer per ADR-0056 — the cabinet's review
+ * dual-roles as verifier + reviewer per  — the cabinet's review
  * pipeline already merges the two surfaces.
  */
 export const SUBAGENT_REGISTRY = [

package/dist/core/auth/env-provider.js

@@ -1,7 +1,7 @@
 /**
  * `pugi login --provider env` — env-var auth path ().
  *
- * the upstream tool, Codex CLI, and gh CLI all ship a way to authenticate via
+ * the upstream tool, peer CLI, and gh CLI all ship a way to authenticate via
  * an environment variable so CI / container / scripted contexts can
  * skip the device flow entirely. This module backs that path:
  *

package/dist/core/checkpoints/shadow-git.js

@@ -2,7 +2,7 @@
  * Per-task shadow git repo — file-state checkpoint surface.
  *
  * Inspired by Cline `CheckpointTracker.ts` (Apache-2.0).
- * Clean-room TypeScript implementation following Pugi conventions.
+ * independent implementation TypeScript implementation following Pugi conventions.
  *
  * Goal: every Pugi-orchestrated file mutation lands in a per-task
  * shadow git history kept entirely separate from the user's real

package/dist/core/context/compaction.js

@@ -2,7 +2,7 @@
  * Six-tier context compaction engine for the Pugi CLI agent loop.
  *
  * Spec: `docs/research/pugi-cli-corpus/patterns/context-compaction.md`,
- * sprint slot: ADR-0056 §.
+ * sprint slot:  §.
  *
  * Tiers and triggers (selectTier rules):
  *

package/dist/core/context/markdown-traverse.js

@@ -2,7 +2,7 @@
  * Per-directory PUGI.md / AGENTS.md / CLAUDE.md / GEMINI.md traverse-up
  * loader — β5a R4+P5.
  *
- * the upstream tool, Codex CLI, and Gemini CLI all support a "walk up from
+ * the upstream tool, peer CLI, and Gemini CLI all support a "walk up from
  * cwd to the workspace root, pick up agent-context markdown at every
  * level" pattern. Without this, a `pugi explain` invoked from
  * `apps/admin-api/` cannot see project-local conventions encoded in

package/dist/core/credentials.js

@@ -6,7 +6,7 @@ import { z } from 'zod';
  * Local credentials store for the Pugi CLI.
  *
  * Stored at `~/.pugi/credentials.json` (mode 0o600). Mirrors the convention
- * Codex CLI uses (`~/.codex/auth.json`) and matches gh CLI's per-host
+ * peer CLI uses (`~/.codex/auth.json`) and matches gh CLI's per-host
  * token model. The store is intentionally file-based, not OS keychain —
  * adding the native `keytar` dep would force per-platform native builds
  * across npm distribution and complicate the install path. The 0600

package/dist/core/denial-tracking/state.js

@@ -1,7 +1,7 @@
 /**
  * L11 — DenialTrackingState surface (the upstream tool parity).
  *
- * Per the upstream / anarchic-CC the upstream behavior (``
+ * Per the upstream /  the upstream behavior (``
  * §5.2): the upstream tool's `QueryEngine.ts` maintains a per-session
  * `DenialTrackingState` that records every tool-dispatch denial.
  * Subsequent turns receive a compact reminder so the model does not

package/dist/core/edits/fuzzy-ladder.js

@@ -30,7 +30,7 @@
  *     >= 0.8 to count as a match; below that we fail LOUD rather
  *     than write the wrong region.
  *
- * Inspired by Aider editblock_coder.py (Apache-2.0). Clean-room
+ * Inspired by Aider editblock_coder.py (Apache-2.0). independent implementation
  * implementation; no Aider source code copied.
  *
  * Pure functions throughout — every tier returns a structured result

package/dist/core/edits/layer-a-fuzzy-apply.js

@@ -19,7 +19,7 @@
  *  - `identical_replacement` — search and replace are identical;
  *                         would no-op; surfaced LOUD.
  *
- * Inspired by Aider editblock_coder.py (Apache-2.0). Clean-room
+ * Inspired by Aider editblock_coder.py (Apache-2.0). independent implementation
  * implementation; no Aider source code copied.
  */
 import { existsSync, readFileSync, renameSync, writeFileSync, unlinkSync } from 'node:fs';

package/dist/core/engine/anvil-client.js

@@ -64,11 +64,22 @@ export class AnvilEngineLoopClient {
             // PR-CLI-SERVER-VERSION-HANDSHAKE . Stamp the outbound
             // X-Pugi-Cli-Version header so the admin-api middleware can
             // decide whether to honour, soft-warn, or 426 this request.
-            const outboundHeaders = injectClientVersionHeader({
+            // PUGI-260: also stamp `X-Pugi-Context-Tier: 1m` when the
+            // operator opted into the long-context lane. The server reads
+            // either the body's `contextTier` field OR this header (header is
+            // a fallback for older runtimes / non-CLI clients), so emitting
+            // both is harmless и belt-and-suspenders. Only emitted for the
+            // `'1m'` value — the absence of the header is wire-equivalent к
+            // `'standard'`, keeping the default-lane path header-free.
+            const baseHeaders = {
                 'content-type': 'application/json',
                 authorization: `Bearer ${this.config.apiKey}`,
                 'user-agent': 'pugi-cli/0.0.1',
-            }, PUGI_CLI_VERSION);
+            };
+            if (options.contextTier === '1m') {
+                baseHeaders['x-pugi-context-tier'] = '1m';
+            }
+            const outboundHeaders = injectClientVersionHeader(baseHeaders, PUGI_CLI_VERSION);
             const res = await fetch(url, {
                 method: 'POST',
                 headers: outboundHeaders,
@@ -246,6 +257,23 @@ export class AnvilEngineLoopClient {
                     message: 'runtime rate limit reached for this tenant',
                 };
             }
+            // PUGI-490 (2026-06-03): structured envelope for upstream-proxy
+            // static error pages. When the response body is HTML (the upstream
+            // proxy's static 5xx page rather than a NestJS JSON envelope), the
+            // raw truncated HTML is useless to operators — it cannot point at
+            // what failed. Parse the `cf-ray` request id so the operator can
+            // look the request up in the proxy dashboard, and surface a
+            // remediation hint pointing at the engine VM logs.
+            const cfDetails = detectUpstreamProxyError(res, text);
+            if (cfDetails) {
+                return {
+                    stop: 'error',
+                    code: 'failed',
+                    message: `runtime error (cf-ray: ${cfDetails.cfRay ?? 'unknown'}) — ` +
+                        `upstream proxy returned ${res.status} static page. ` +
+                        `Check engine VM logs for the correlating request id.`,
+                };
+            }
             return {
                 stop: 'error',
                 code: 'failed',
@@ -267,4 +295,50 @@ export class AnvilEngineLoopClient {
         }
     }
 }
+/**
+ * PUGI-490 (2026-06-03): detect when the response body is a static HTML
+ * error page emitted by the upstream proxy (rather than a JSON envelope
+ * produced by admin-api). Returns the cf-ray request id when matched, so
+ * the CLI can surface a meaningful runtime-error envelope instead of
+ * truncating raw HTML in front of the operator.
+ *
+ * Heuristic: the body starts with `<!DOCTYPE` or `<html`, or carries the
+ * `cf-ray` response header. We require BOTH conditions when the body is
+ * non-empty (defense against admin-api accidentally emitting an HTML
+ * fragment) and accept just the header when the body is empty (some
+ * proxy 5xx variants ship empty bodies). The function is intentionally
+ * permissive — false positives produce a clearer error than false
+ * negatives, and the message still includes "upstream proxy" so the
+ * operator knows the call did not reach a Pugi controller.
+ *
+ * Exported for unit testing; not for runtime callers.
+ */
+export function detectUpstreamProxyError(res, body) {
+    if (res.status < 500)
+        return null;
+    // Pull cf-ray via the same getter shim the version-interceptor uses;
+    // it tolerates both real `Response.headers.get` and fixture/stub
+    // headers represented as plain objects.
+    const h = res.headers;
+    const readHeader = (name) => {
+        if (h && typeof h.get === 'function') {
+            return h.get(name);
+        }
+        if (h && typeof h === 'object') {
+            const lowered = h[name.toLowerCase()];
+            return lowered ?? null;
+        }
+        return null;
+    };
+    const cfRay = readHeader('cf-ray');
+    const bodyTrimmed = (body ?? '').trimStart();
+    const looksHtml = bodyTrimmed.startsWith('<!DOCTYPE') ||
+        bodyTrimmed.startsWith('<!doctype') ||
+        bodyTrimmed.startsWith('<html');
+    if (looksHtml)
+        return { cfRay };
+    if (cfRay && bodyTrimmed.length === 0)
+        return { cfRay };
+    return null;
+}
 //# sourceMappingURL=anvil-client.js.map

package/dist/core/engine/native-pugi.js

@@ -1127,7 +1127,7 @@ function extractPathArg(raw) {
         const parsed = JSON.parse(raw);
         if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
             const obj = parsed;
-            // Accept canonical `path` OR the Claude-Code-trained `filePath`
+            // Accept canonical `path` OR the peer-CLI-trained `filePath`
             // alias so the filesChanged summary captures writes regardless of
             // which key the model emitted. Without the alias the operator
             // sees "Files modified: none" even when a write actually landed,