@pugi/cli 0.1.0-beta.9 → 0.1.0-beta.90

package/dist/tools/multi-edit.js

@@ -0,0 +1,361 @@
+/**
+ * multi_edit tool — β7 .
+ *
+ * Dispatches an ordered batch of file edits as a single transaction. Each
+ * edit is one Layer A (oldString -> newString) operation against one
+ * workspace file. Either every edit lands, or none do — failures roll
+ * the workspace back to the pre-dispatch state using the same journal +
+ * snapshot machinery the β1b Pl8 transactional layer uses for the
+ * marker-driven dispatcher.
+ *
+ * Why multi_edit when `edit` already exists:
+ *
+ *  The single-shot `edit` tool is the right primitive for one mutation;
+ *  the model uses it dozens of times in a typical session. A coordinated
+ *  refactor (rename across 8 files, add an import to 12 modules, peel a
+ *  helper into 5 callers) is currently 8/12/5 separate `edit` calls.
+ *  Each call is its own audit + permission check + atomic write, which
+ *  is the right shape for the audit story but means the model can leave
+ *  the workspace half-mutated when one of the calls fails partway. The
+ *  model also pays the round-trip latency once per call.
+ *
+ *  `multi_edit` collapses the 8/12/5 calls into one tool dispatch with
+ *  transactional semantics: snapshot every target file, attempt every
+ *  edit against an in-memory buffer, then commit the writes only after
+ *  all in-memory edits succeed. A failure rolls back via journal +
+ *  in-memory snapshot — same code path as the dispatcher.
+ *
+ * Security: every target file routes through the same `applySecurityGate`
+ * chokepoint Layer A/B/C inherit. A path that escapes the workspace,
+ * points at a protected basename (`.env`, `*.pem`, ...), or symlinks
+ * outside the tree is refused BEFORE any read.
+ *
+ * Concurrency: marked `concurrencySafe: false` in the tool registry. The
+ * model MUST NOT issue another `multi_edit` (or any write tool) in
+ * parallel with one in flight; the journal serialises one dispatch per
+ * session.
+ *
+ * Output cap: a 50-edit batch is the soft ceiling. Beyond that the tool
+ * refuses with `too_many_edits` — the operator can split the refactor.
+ * Empirically a coordinated refactor that needs 50+ atomic edits should
+ * be a per-file Layer C rewrite instead.
+ *
+ * Brand voice: ASCII only, no emoji, no banned words.
+ */
+import { existsSync, readFileSync, renameSync, unlinkSync, writeFileSync } from 'node:fs';
+import { applySecurityGate } from '../core/edits/security-gate.js';
+import { appendEntry, snapshotForDispatch, } from '../core/edits/journal.js';
+import { rollbackDispatch } from '../core/edits/dispatch.js';
+import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
+import { recordFileMutation, recordToolCall, recordToolResult } from '../core/session.js';
+/** Soft cap on per-dispatch edit count. See module docstring. */
+const MULTI_EDIT_MAX = 50;
+/**
+ * Apply a batch of file edits transactionally. Returns a structured
+ * result; never throws on operator-attributable failure (security,
+ * missing file, no_match) — only on infrastructure error (filesystem
+ * permission denied mid-write after the snapshot, etc.).
+ */
+export function multiEdit(ctx, edits, opts = {}) {
+    const toolCallId = recordToolCall(ctx.session, 'multi_edit', `${edits.length} edits across ${new Set(edits.map((e) => e.file)).size} files`);
+    try {
+        gateOnCancellation(ctx, 'multi_edit');
+    }
+    catch (error) {
+        if (error instanceof OperatorAbortedError) {
+            recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
+            throw error;
+        }
+        throw error;
+    }
+    if (edits.length === 0) {
+        const result = {
+            ok: false,
+            filesChanged: [],
+            editsApplied: 0,
+            reason: 'empty_batch',
+            detail: 'multi_edit received zero edits',
+            perEdit: [],
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'empty_batch');
+        return result;
+    }
+    if (edits.length > MULTI_EDIT_MAX) {
+        const result = {
+            ok: false,
+            filesChanged: [],
+            editsApplied: 0,
+            reason: 'too_many_edits',
+            detail: `multi_edit batch of ${edits.length} exceeds cap ${MULTI_EDIT_MAX}; split the refactor`,
+            perEdit: [],
+        };
+        recordToolResult(ctx.session, toolCallId, 'error', 'too_many_edits');
+        return result;
+    }
+    // SECURITY GATE pass over every distinct file BEFORE any read.
+    // A single rejected file aborts the whole batch — the transactional
+    // contract requires we never partial-mutate.
+    const uniqueFiles = Array.from(new Set(edits.map((e) => e.file)));
+    const resolvedByFile = new Map();
+    for (const f of uniqueFiles) {
+        const gate = applySecurityGate(f, { cwd: ctx.root, toolName: 'layer-c' });
+        if (!gate.ok) {
+            const result = {
+                ok: false,
+                filesChanged: [],
+                editsApplied: 0,
+                reason: gate.reason,
+                detail: `${f}: ${gate.detail}`,
+                perEdit: edits.map((e, i) => ({
+                    index: i,
+                    file: e.file,
+                    ok: false,
+                    reason: gate.reason,
+                    detail: e.file === f ? gate.detail : 'batch aborted by sibling security failure',
+                })),
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', `${gate.reason}: ${f}`);
+            return result;
+        }
+        resolvedByFile.set(f, gate.absPath);
+    }
+    // Snapshot existing files BEFORE any in-memory edit so a partial-write
+    // rollback is deterministic. The snapshot also captures sha256 of each
+    // pre-existing file so post-failure restore can verify the in-memory
+    // buffer still matches.
+    const snapshot = snapshotForDispatch(ctx.root, uniqueFiles);
+    const preContent = new Map();
+    for (const entry of snapshot) {
+        if (!entry.existed)
+            continue;
+        const abs = resolvedByFile.get(entry.path);
+        if (!abs)
+            continue;
+        try {
+            preContent.set(entry.path, readFileSync(abs));
+        }
+        catch {
+            // Best-effort. A read failure here will surface again when the
+            // per-edit phase tries to read the same file — let that path
+            // produce the operator-facing error.
+        }
+    }
+    // In-memory edit phase. For each edit we work on the latest version
+    // of the file (so two edits against the same file stack). Failure
+    // here is the common case — `no_match`, `ambiguous_match`, missing
+    // file — and aborts the whole batch.
+    const bodyByFile = new Map();
+    const perEdit = [];
+    for (let i = 0; i < edits.length; i += 1) {
+        const edit = edits[i];
+        const abs = resolvedByFile.get(edit.file);
+        if (!abs) {
+            // Should be unreachable — every distinct file went through the
+            // gate above. Belt + braces.
+            perEdit.push({ index: i, file: edit.file, ok: false, reason: 'write_error', detail: 'no resolved path' });
+            const result = {
+                ok: false,
+                filesChanged: [],
+                editsApplied: 0,
+                reason: 'write_error',
+                detail: `${edit.file}: no resolved path`,
+                perEdit,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', 'write_error');
+            return result;
+        }
+        let body = bodyByFile.get(edit.file);
+        if (body === undefined) {
+            if (!existsSync(abs)) {
+                const detail = `file does not exist: ${edit.file}`;
+                perEdit.push({ index: i, file: edit.file, ok: false, reason: 'file_missing', detail });
+                const result = {
+                    ok: false,
+                    filesChanged: [],
+                    editsApplied: 0,
+                    reason: 'file_missing',
+                    detail,
+                    perEdit,
+                };
+                recordToolResult(ctx.session, toolCallId, 'error', 'file_missing');
+                return result;
+            }
+            try {
+                body = readFileSync(abs, 'utf8');
+            }
+            catch (error) {
+                const detail = error instanceof Error ? error.message : String(error);
+                perEdit.push({ index: i, file: edit.file, ok: false, reason: 'write_error', detail });
+                const result = {
+                    ok: false,
+                    filesChanged: [],
+                    editsApplied: 0,
+                    reason: 'write_error',
+                    detail: `${edit.file}: ${detail}`,
+                    perEdit,
+                };
+                recordToolResult(ctx.session, toolCallId, 'error', 'write_error');
+                return result;
+            }
+        }
+        if (edit.oldString === edit.newString) {
+            perEdit.push({
+                index: i,
+                file: edit.file,
+                ok: false,
+                reason: 'identical_replacement',
+                detail: 'oldString and newString are identical',
+            });
+            const result = {
+                ok: false,
+                filesChanged: [],
+                editsApplied: 0,
+                reason: 'identical_replacement',
+                detail: `edit ${i} (${edit.file}): oldString and newString are identical`,
+                perEdit,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', 'identical_replacement');
+            return result;
+        }
+        const matches = countOccurrences(body, edit.oldString);
+        if (matches === 0) {
+            const detail = `edit ${i} (${edit.file}): oldString not found`;
+            perEdit.push({ index: i, file: edit.file, ok: false, reason: 'no_match', detail });
+            const result = {
+                ok: false,
+                filesChanged: [],
+                editsApplied: 0,
+                reason: 'no_match',
+                detail,
+                perEdit,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', 'no_match');
+            return result;
+        }
+        if (matches > 1) {
+            const detail = `edit ${i} (${edit.file}): oldString matches ${matches} times — expand context to make it unique`;
+            perEdit.push({ index: i, file: edit.file, ok: false, reason: 'ambiguous_match', detail });
+            const result = {
+                ok: false,
+                filesChanged: [],
+                editsApplied: 0,
+                reason: 'ambiguous_match',
+                detail,
+                perEdit,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', 'ambiguous_match');
+            return result;
+        }
+        body = body.replace(edit.oldString, edit.newString);
+        bodyByFile.set(edit.file, body);
+        perEdit.push({ index: i, file: edit.file, ok: true });
+    }
+    if (opts.dryRun) {
+        const result = {
+            ok: true,
+            filesChanged: Array.from(bodyByFile.keys()),
+            editsApplied: edits.length,
+            perEdit,
+        };
+        recordToolResult(ctx.session, toolCallId, 'success', `dry-run ${edits.length} edits ok`);
+        return result;
+    }
+    // Persist the snapshot to the journal BEFORE the first write. A crash
+    // mid-write then has a recoverable trail in `.pugi/sessions/<id>/journal.jsonl`.
+    // Best-effort; a journal write failure does not block the edits (the
+    // in-memory rollback path still covers same-process failures).
+    if (ctx.session.enabled) {
+        appendEntry(ctx.root, ctx.session.id, {
+            ts: Date.now(),
+            taskId: `multi_edit-${toolCallId}`,
+            files: snapshot,
+        });
+    }
+    // Commit phase. Atomic writes one file at a time. A failure rolls
+    // back via the same dispatcher rollback used by the marker layer.
+    const written = [];
+    for (const [file, body] of bodyByFile) {
+        const abs = resolvedByFile.get(file);
+        try {
+            atomicWrite(abs, body);
+            written.push(file);
+        }
+        catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            // Roll back every file we already touched plus restore the
+            // not-yet-touched ones that existed before (defensive — the
+            // rollback function is idempotent on untouched paths).
+            const rollback = rollbackDispatch(ctx.root, snapshot, preContent);
+            if (!rollback.ok) {
+                const result = {
+                    ok: false,
+                    filesChanged: [],
+                    editsApplied: 0,
+                    reason: 'rollback_failed',
+                    detail: `${file}: ${detail}; rollback also failed: ${rollback.detail}`,
+                    perEdit,
+                };
+                recordToolResult(ctx.session, toolCallId, 'error', 'rollback_failed');
+                return result;
+            }
+            const result = {
+                ok: false,
+                filesChanged: [],
+                editsApplied: 0,
+                reason: 'write_error',
+                detail: `${file}: ${detail}`,
+                perEdit,
+            };
+            recordToolResult(ctx.session, toolCallId, 'error', `write_error: ${detail}`);
+            return result;
+        }
+    }
+    for (const file of written) {
+        recordFileMutation(ctx.session, {
+            toolCallId,
+            path: file,
+            operation: 'update',
+        });
+    }
+    recordToolResult(ctx.session, toolCallId, 'success', `applied ${edits.length} edits across ${written.length} files`);
+    return {
+        ok: true,
+        filesChanged: written,
+        editsApplied: edits.length,
+        perEdit,
+    };
+}
+function countOccurrences(haystack, needle) {
+    if (needle.length === 0)
+        return 0;
+    let count = 0;
+    let from = 0;
+    while (true) {
+        const idx = haystack.indexOf(needle, from);
+        if (idx === -1)
+            return count;
+        count += 1;
+        from = idx + needle.length;
+    }
+}
+/** Atomic write helper — mirrors Layer A / Layer D. */
+function atomicWrite(absPath, contents) {
+    const suffix = `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const tmp = `${absPath}.pugi-tmp-${suffix}`;
+    try {
+        writeFileSync(tmp, contents, { encoding: 'utf8', mode: 0o600 });
+        renameSync(tmp, absPath);
+    }
+    catch (error) {
+        try {
+            unlinkSync(tmp);
+        }
+        catch {
+            // tmp file may not exist if writeFileSync itself failed.
+        }
+        throw error;
+    }
+}
+/** Test-only surface. */
+export const __test__ = { MULTI_EDIT_MAX };
+//# sourceMappingURL=multi-edit.js.map

package/dist/tools/powershell.js

@@ -0,0 +1,268 @@
+/**
+ * PowerShell tool — .
+ *
+ * Windows operators cannot run native `*.ps1` scripts via the bash tool
+ * (which spawns `/bin/sh`). This tool spawns `pwsh -NoProfile -Command`
+ * на cross-platform PowerShell 7+ binary so Windows-first workflows are
+ * first-class на Pugi.
+ *
+ * independent implementation re-implementation. Surface mirrors bashTool's permission
+ * gate, env sanitiser, output cap, timeout, and exit-code propagation;
+ * the only difference is the shell binary selection. Per-platform
+ * resolution:
+ *  - All OS: try `pwsh` on $PATH first (PowerShell 7+ cross-platform).
+ *  - Windows fallback: `powershell.exe` (Windows PowerShell 5.1 baked-in).
+ *  - Other OS without pwsh: tool returns a clear "powershell binary
+ *    not found" error so the operator can install pwsh or fall back
+ *    к bash.
+ *
+ * Permission class: reuses the bash classifier — destructive patterns,
+ * sandbox detection, and additional-directories checks are command-string
+ * based and apply equally to pwsh and sh.
+ */
+import { spawnSync } from 'node:child_process';
+import { listDestructivePatterns } from '../core/bash-classifier.js';
+import { recordToolCall, recordToolResult } from '../core/session.js';
+export const POWERSHELL_OUTPUT_CAP_BYTES = 64 * 1024;
+export const POWERSHELL_DEFAULT_TIMEOUT_MS = 30_000;
+export const POWERSHELL_MAX_TIMEOUT_MS = 120_000;
+/**
+ * PowerShell-specific destructive patterns. Layered ON TOP of the
+ * shared `listDestructivePatterns()` from the bash classifier (which
+ * covers `rm -rf`, `DROP TABLE`, etc — patterns that also surface в
+ * pwsh-via-aliases). These are the cmdlet forms unique to pwsh.
+ *
+ * Patterns are case-insensitive matched against the command string
+ * (pwsh cmdlets accept any case: `remove-item -force` == `Remove-Item -Force`).
+ */
+const PWSH_DESTRUCTIVE_PATTERNS = [
+    // Recursive force delete via cmdlet
+    'remove-item -recurse -force',
+    'remove-item -force -recurse',
+    'ri -recurse -force',
+    'ri -force -recurse',
+    'rmdir -recurse -force',
+    'rmdir -force -recurse',
+    // Disk / volume operations
+    'format-volume',
+    'clear-disk',
+    'reset-physicaldisk',
+    // System state
+    'stop-computer',
+    'restart-computer',
+    'shutdown',
+    // Security weakening
+    'set-executionpolicy unrestricted',
+    'set-executionpolicy bypass',
+    // Service / process attack surface
+    'invoke-webrequest', // common phishing-script vector when piped to iex
+    'iex (new-object', // download-execute pattern
+    // Credential exfil
+    'get-credential | export-clixml',
+];
+/**
+ * Normalize whitespace before pattern matching: collapse runs of
+ * whitespace к single space + lowercase. Defends against the
+ * `iex(New-Object`/`IEX (New-Object` style bypass where pattern
+ * `iex (new-object` would miss the no-space or double-space variant.
+ */
+function normalizeForMatch(text) {
+    return text.toLowerCase().replace(/\s+/g, ' ');
+}
+function findPwshDestructiveMatch(cmd) {
+    const normalized = normalizeForMatch(cmd);
+    for (const pattern of PWSH_DESTRUCTIVE_PATTERNS) {
+        if (normalized.includes(normalizeForMatch(pattern)))
+            return pattern;
+    }
+    // Fall back к the shared bash destructive list (covers cross-shell
+    // patterns like `rm -rf /`, `DROP DATABASE`). Shared patterns may
+    // contain uppercase (case-insensitive SQL verbs); normalize both
+    // sides before compare.
+    const shared = listDestructivePatterns();
+    for (const pattern of shared) {
+        if (normalized.includes(normalizeForMatch(pattern)))
+            return pattern;
+    }
+    return null;
+}
+/**
+ * PowerShell-aware permission decision. Differs from
+ * `evaluateBashPermission` в two ways:
+ *
+ *  1. Default class is `allow` (after destructive check) instead of
+ *     `unknown → deny`. The bash classifier rejects any first-token
+ *     it does not recognise — appropriate for bash where every verb
+ *     is a separate binary, hostile for pwsh where the Verb-Noun
+ *     cmdlet convention means thousands of legitimate verbs exist
+ *     (`Get-Process`, `$PSVersionTable`, `Select-Object`, ...).
+ *
+ *  2. Destructive patterns combine the shared bash denylist (covers
+ *     cross-shell patterns like `rm -rf`) с pwsh-specific cmdlet
+ *     forms (`Remove-Item -Recurse -Force`, `Format-Volume`, etc).
+ *
+ * Mode FSM mirrors bash: plan → deny ALL, ask → ask, auto/bypass → allow,
+ * destructive class → deny unless `bypassPermissions + human + ENV override`.
+ */
+function evaluatePwshPermission(cmd, mode, source) {
+    const destructive = findPwshDestructiveMatch(cmd);
+    if (destructive !== null) {
+        const overrideOk = mode === 'bypassPermissions' &&
+            source === 'human' &&
+            process.env['PUGI_DESTRUCTIVE_OVERRIDE'] === '1';
+        if (overrideOk) {
+            return {
+                decision: 'allow',
+                reason: `destructive pwsh pattern '${destructive}' allowed via override (bypassPermissions + human + PUGI_DESTRUCTIVE_OVERRIDE=1)`,
+            };
+        }
+        return {
+            decision: 'deny',
+            reason: `destructive pwsh pattern '${destructive}' is always denied (override requires bypassPermissions + human + PUGI_DESTRUCTIVE_OVERRIDE=1)`,
+        };
+    }
+    // Non-destructive pwsh command — mode FSM.
+    switch (mode) {
+        case 'plan':
+            return { decision: 'deny', reason: 'plan mode denies all shell dispatches' };
+        case 'ask':
+        case 'acceptEdits':
+            return { decision: 'ask', reason: 'pwsh command requires operator confirmation' };
+        case 'auto':
+        case 'dontAsk':
+        case 'bypassPermissions':
+            return { decision: 'allow', reason: 'pwsh command allowed by mode' };
+        default:
+            return { decision: 'ask', reason: `unknown mode ${mode}; defaulting к ask` };
+    }
+}
+/** Cached binary path so repeated calls inside one session skip the probe. */
+let cachedShellBinary;
+function resolveShellBinary() {
+    if (cachedShellBinary !== undefined)
+        return cachedShellBinary;
+    // Try pwsh (cross-platform PowerShell 7+) first.
+    const pwshProbe = spawnSync('pwsh', ['-NoProfile', '-Command', 'exit 0'], {
+        encoding: 'utf8',
+        stdio: ['ignore', 'ignore', 'ignore'],
+        timeout: 3000,
+    });
+    if (pwshProbe.status === 0) {
+        cachedShellBinary = 'pwsh';
+        return 'pwsh';
+    }
+    // Windows fallback к the baked-in PowerShell 5.1.
+    if (process.platform === 'win32') {
+        const wpsProbe = spawnSync('powershell.exe', ['-NoProfile', '-Command', 'exit 0'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'ignore', 'ignore'],
+            timeout: 3000,
+        });
+        if (wpsProbe.status === 0) {
+            cachedShellBinary = 'powershell.exe';
+            return 'powershell.exe';
+        }
+    }
+    cachedShellBinary = null;
+    return null;
+}
+function sanitizeTimeout(value) {
+    if (value === undefined || !Number.isFinite(value) || value <= 0) {
+        return POWERSHELL_DEFAULT_TIMEOUT_MS;
+    }
+    return Math.min(value, POWERSHELL_MAX_TIMEOUT_MS);
+}
+function buildChildEnv() {
+    const env = { ...process.env };
+    delete env['PUGI_API_KEY'];
+    delete env['PUGI_LOGIN_TOKEN'];
+    return env;
+}
+/**
+ * Sync PowerShell dispatch. Mirrors bashToolSync shape so dispatchTool
+ * can call either tool with the same context shape.
+ */
+export function powerShellToolSync(input, ctx) {
+    const cmd = input.cmd ?? '';
+    const source = ctx.source ?? 'agent';
+    const toolCallId = recordToolCall(ctx.session, 'powershell', cmd);
+    // pwsh-aware permission gate (NOT the bash classifier). Bash classifier
+    // would reject `$PSVersionTable`, `Get-Process`, etc as "Unrecognized
+    // command" → default-deny, making the pwsh tool useless. The pwsh gate
+    // applies the shared destructive denylist (rm -rf / DROP TABLE) + a
+    // pwsh-specific list (Remove-Item -Recurse -Force / Format-Volume /
+    // Set-ExecutionPolicy Unrestricted / iex (New-Object ...)) and
+    // defaults non-destructive cmdlets к allow under mode FSM.
+    const decision = evaluatePwshPermission(cmd, ctx.settings.permissions.mode, source);
+    if (decision.decision !== 'allow') {
+        const reason = `Permission ${decision.decision}: ${decision.reason}`;
+        recordToolResult(ctx.session, toolCallId, 'error', reason);
+        return {
+            stdout: '',
+            stderr: `Permission ${decision.decision}: ${decision.reason}`,
+            exitCode: 126,
+            truncated: false,
+            timedOut: false,
+            shellBinary: 'unresolved',
+        };
+    }
+    const shellBinary = resolveShellBinary();
+    if (shellBinary === null) {
+        const reason = 'powershell binary not found (tried pwsh' +
+            (process.platform === 'win32' ? ', powershell.exe' : '') +
+            '). Install PowerShell 7+ from https://aka.ms/powershell or use the bash tool instead.';
+        recordToolResult(ctx.session, toolCallId, 'error', reason);
+        return {
+            stdout: '',
+            stderr: reason,
+            exitCode: 127,
+            truncated: false,
+            timedOut: false,
+            shellBinary: 'unavailable',
+        };
+    }
+    const timeoutMs = sanitizeTimeout(input.timeoutMs);
+    const childEnv = buildChildEnv();
+    const cwd = input.cwd ?? ctx.root;
+    const result = spawnSync(shellBinary, ['-NoProfile', '-Command', cmd], {
+        cwd,
+        env: childEnv,
+        encoding: 'utf8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: timeoutMs,
+        maxBuffer: 10 * 1024 * 1024,
+    });
+    const stdoutFull = (result.stdout ?? '').toString();
+    const stderrFull = (result.stderr ?? '').toString();
+    const combined = stdoutFull.length + stderrFull.length;
+    const truncated = combined > POWERSHELL_OUTPUT_CAP_BYTES;
+    let stdoutOut = stdoutFull;
+    let stderrOut = stderrFull;
+    if (truncated) {
+        const halfCap = POWERSHELL_OUTPUT_CAP_BYTES / 2;
+        stdoutOut = stdoutFull.slice(0, halfCap);
+        stderrOut = stderrFull.slice(0, halfCap);
+    }
+    const timedOut = result.error?.code === 'ETIMEDOUT' ||
+        result.signal === 'SIGTERM';
+    const exitCode = timedOut ? 124 : result.status ?? 1;
+    if (timedOut) {
+        recordToolResult(ctx.session, toolCallId, 'error', `powershell timed out after ${timeoutMs}ms`);
+    }
+    else {
+        recordToolResult(ctx.session, toolCallId, 'success', `powershell exit=${exitCode} bytes=${combined} binary=${shellBinary}`);
+    }
+    return {
+        stdout: stdoutOut,
+        stderr: stderrOut,
+        exitCode,
+        truncated,
+        timedOut,
+        shellBinary,
+    };
+}
+/** Visible-for-spec helper: forces a re-probe on next call. */
+export function _resetShellBinaryCacheForSpec() {
+    cachedShellBinary = undefined;
+}
+//# sourceMappingURL=powershell.js.map