@pugi/cli 0.1.0-beta.92 → 0.1.0-beta.94

package/dist/core/repl/tool-route.js

@@ -0,0 +1,382 @@
+/**
+ * PUGI-538b () — `<pugi-tool-route>` envelope parser.
+ *
+ * The admin-api Pugi coordinator persona emits an
+ * `<pugi-tool-route command="code|fix|build" persona="<slug>" brief="…"/>`
+ * envelope on her turn when the operator's brief requires workspace
+ * tool use (write/edit/read a file, run a script, install a package,
+ * build, test). The CLI consumer parses the envelope, strips it from
+ * operator-visible detail, and routes the brief through the local
+ * `NativePugiEngineAdapter` → `runEngineLoop` → `POST /api/pugi/engine`
+ * flow that already drives `pugi code/fix/build` end-to-end with real
+ * tool calls and atomic file writes.
+ *
+ * Without this envelope the REPL chat path is a single-shot text
+ * streamer: customer says "make tic-tac-toe", Pugi responds with a
+ * bash heredoc dump as prose, no file is written.  (PUGI-538a)
+ * lays out the architecture; this parser is the CLI half of the bridge.
+ *
+ * # Grammar (self-closing form is preferred; paired form also accepted)
+ *
+ *   <pugi-tool-route command="code" persona="dev" brief="One sentence…"/>
+ *   <pugi-tool-route command="fix"  persona="dev" brief="…"></pugi-tool-route>
+ *
+ * Attributes:
+ *   - command  (required) — exactly one of `code`, `fix`, `build`.
+ *   - persona  (optional) — Tier-1 persona slug hint; defaults to `dev`
+ *              when omitted. The value `main` is rejected (the REPL
+ *              coordinator IS Pugi already, routing back to herself
+ *              would not change behaviour).
+ *   - brief    (required) — single-sentence operational brief,
+ *              <= 400 chars after entity decoding.
+ *
+ * # Why a hand-rolled parser, not a generic XML library
+ *
+ * Same rationale as `ask.ts`: generic XML libraries (sax,
+ * fast-xml-parser, xmldoc) carry a large attack surface (external
+ * entity expansion, recursive blowup on malformed input, sloppy
+ * attribute handling) and require ~50 KB of runtime dependency. The
+ * persona-side grammar here is one tag with a closed three-attribute
+ * set, so a bounded tokenizer is both safer and smaller. The defences
+ * mirror ask.ts: closed entity allowlist, control-char strip, refusal
+ * on raw `&` outside `&amp;` / `&lt;` / `&gt;` / `&quot;` / `&apos;`,
+ * refusal on nested tags inside attribute blob, hard span cap.
+ *
+ * # Buffering across streaming chunks
+ *
+ * The session calls `extractToolRouteTags(buffer)` on the accumulated
+ * `agent.step.detail` body. If the close tag (or self-close `/>`) has
+ * not arrived yet, the parser returns `{ tags: [], pendingOpenTag: true }`
+ * and the session waits for more chunks. This mirrors the
+ * `extractAskTags` / `extractPlanReviewTags` shape so `session.ts`
+ * routes the three envelope families through one buffer-and-strip
+ * machinery.
+ */
+/* ------------------------------------------------------------------ */
+/* Bounded constants                                                  */
+/* ------------------------------------------------------------------ */
+/** Hard cap on the brief length after entity decoding. */
+export const TOOL_ROUTE_MAX_BRIEF_LEN = 400;
+/** Hard cap on the persona slug length. */
+export const TOOL_ROUTE_MAX_PERSONA_LEN = 32;
+/** Hard cap on the entire tag span. Long enough for full attrs + a
+ * worst-case 400-char brief plus closing form; defends against runaway
+ * payloads. */
+const TAG_MAX_SPAN_BYTES = 4 * 1024;
+/** Tag families exhaustively enumerated for the closed-attribute gate. */
+const ALLOWED_ATTRS = new Set([
+    'command',
+    'persona',
+    'brief',
+]);
+/** Accepted `command` literals — locked to the engine adapter contract. */
+const ALLOWED_COMMANDS = new Set(['code', 'fix', 'build']);
+/** Refused personas. `main` would route Pugi back to herself; the engine
+ * adapter rejects the slug anyway, so we filter at parse time for clarity. */
+const REFUSED_PERSONAS = new Set(['main', 'pugi']);
+/** Default persona slug when the attribute is omitted. Matches the
+ * ENVELOPES_BODY prompt copy ("Defaults to 'dev' when omitted"). */
+const DEFAULT_PERSONA = 'dev';
+/* ------------------------------------------------------------------ */
+/* Public extraction API                                              */
+/* ------------------------------------------------------------------ */
+/**
+ * Find every well-formed `<pugi-tool-route>` envelope in `body`.
+ * Malformed envelopes are dropped and surfaced via `hadMalformedTag`
+ * so the session can log a warning. Streaming-incomplete envelopes
+ * (open observed, close/self-close not yet arrived) are withheld from
+ * `cleaned` so the raw envelope cannot leak into the transcript if the
+ * stream pauses mid-tag.
+ */
+export function extractToolRouteTags(body) {
+    const tags = [];
+    const segments = [];
+    let cursor = 0;
+    let pendingOpenTag = false;
+    let hadMalformedTag = false;
+    // Hard cap on tags per buffer so a hostile (or accidental) flood
+    // does not pin the parser. 16 is generous — a real session never
+    // has more than one envelope queued per turn.
+    const MAX_TAGS_PER_BUFFER = 16;
+    // Belt-and-braces safety counter — the body length bounds the
+    // iteration count strictly, but a pathological input could otherwise
+    // loop until the per-buffer cap fires.
+    let safetyIterations = body.length + 16;
+    const OPEN_PREFIX = '<pugi-tool-route';
+    const PAIR_CLOSE = '</pugi-tool-route>';
+    while (cursor < body.length && tags.length < MAX_TAGS_PER_BUFFER) {
+        if (safetyIterations-- <= 0)
+            break;
+        const openIndex = body.indexOf(OPEN_PREFIX, cursor);
+        if (openIndex === -1) {
+            // No more envelopes. Flush the rest of the body as cleaned prose.
+            segments.push(body.slice(cursor));
+            cursor = body.length;
+            break;
+        }
+        // Push everything before the opening tag as cleaned prose.
+        segments.push(body.slice(cursor, openIndex));
+        // Locate the end of the opening tag. The envelope may be self-
+        // closing (`/>`) or paired (`>` then `</pugi-tool-route>`).
+        // Search for the FIRST unquoted `>` after the OPEN_PREFIX position
+        // so a quoted attribute value with an embedded `>` (escaped as
+        // `&gt;` per the grammar; raw `>` is rejected below) cannot
+        // confuse the boundary scan.
+        const openEnd = findUnquotedGt(body, openIndex + OPEN_PREFIX.length);
+        if (openEnd === -1) {
+            // Open seen, no terminator yet. Withhold from `cleaned` so the
+            // raw envelope cannot leak. Same posture as ask.ts.
+            pendingOpenTag = true;
+            cursor = body.length;
+            break;
+        }
+        const selfClosed = body[openEnd - 1] === '/';
+        let tagEnd;
+        if (selfClosed) {
+            tagEnd = openEnd + 1; // include the closing `>`
+        }
+        else {
+            // Paired form — look for `</pugi-tool-route>`.
+            const closeAt = body.indexOf(PAIR_CLOSE, openEnd + 1);
+            if (closeAt === -1) {
+                pendingOpenTag = true;
+                cursor = body.length;
+                break;
+            }
+            tagEnd = closeAt + PAIR_CLOSE.length;
+        }
+        const span = body.slice(openIndex, tagEnd);
+        if (span.length > TAG_MAX_SPAN_BYTES) {
+            hadMalformedTag = true;
+            cursor = tagEnd;
+            continue;
+        }
+        // Reject nested envelopes — the generic "find next close" would
+        // otherwise pair an outer open with an inner close.
+        const innerOpen = span.indexOf(OPEN_PREFIX, OPEN_PREFIX.length);
+        if (innerOpen !== -1) {
+            hadMalformedTag = true;
+            cursor = tagEnd;
+            continue;
+        }
+        // Slice the attribute blob between OPEN_PREFIX and the closing
+        // `>` (excluding the trailing `/` on the self-closed form).
+        const attrBlobEnd = selfClosed ? openEnd - 1 : openEnd;
+        const attrBlob = body.slice(openIndex + OPEN_PREFIX.length, attrBlobEnd);
+        const parsed = parseToolRouteInner(attrBlob, {
+            start: openIndex,
+            end: tagEnd,
+        });
+        if (parsed === null) {
+            hadMalformedTag = true;
+            cursor = tagEnd;
+            continue;
+        }
+        tags.push(parsed);
+        cursor = tagEnd;
+    }
+    return {
+        tags,
+        cleaned: segments.join('').replace(/\s+\n/g, '\n').trimEnd(),
+        pendingOpenTag,
+        hadMalformedTag,
+    };
+}
+/* ------------------------------------------------------------------ */
+/* Inner parser                                                       */
+/* ------------------------------------------------------------------ */
+function parseToolRouteInner(attrBlob, span) {
+    // Reject CDATA, comments, processing instructions, DOCTYPE inside
+    // the attribute blob — none of those appear in the legal grammar.
+    if (/<!--|<!\[|<\?|<!DOCTYPE/i.test(attrBlob))
+        return null;
+    // Reject raw `&` not in a known entity (decoded entities are allowed
+    // via decodeEntities below).
+    if (containsRawAmpersand(attrBlob))
+        return null;
+    // Reject raw `<` / `>` inside the attribute blob — they should always
+    // be escaped as `&lt;` / `&gt;`. The presence of a raw bracket is a
+    // sign of either accidental sloppy output or an injection attempt.
+    if (/[<>]/.test(attrBlob))
+        return null;
+    const attrs = parseAttrBlob(attrBlob);
+    if (attrs === null)
+        return null;
+    // Closed-attribute gate — refuse anything outside the allowlist.
+    for (const key of Object.keys(attrs)) {
+        if (!ALLOWED_ATTRS.has(key))
+            return null;
+    }
+    const command = attrs['command'];
+    if (typeof command !== 'string' || command.length === 0)
+        return null;
+    if (!ALLOWED_COMMANDS.has(command))
+        return null;
+    const briefRaw = attrs['brief'];
+    if (typeof briefRaw !== 'string')
+        return null;
+    const brief = briefRaw.trim();
+    if (brief.length === 0 || brief.length > TOOL_ROUTE_MAX_BRIEF_LEN)
+        return null;
+    // Persona is optional → default to `dev`. Any explicit non-empty
+    // value runs through the slug shape check + refused-persona gate.
+    const personaRaw = attrs['persona'];
+    let persona = DEFAULT_PERSONA;
+    if (typeof personaRaw === 'string' && personaRaw.length > 0) {
+        const trimmed = personaRaw.trim();
+        if (trimmed.length === 0 || trimmed.length > TOOL_ROUTE_MAX_PERSONA_LEN)
+            return null;
+        // Slug shape: lowercase ASCII letters + digits + hyphens, must
+        // start with a letter. Same shape as the `<pugi-delegate>` slug
+        // gate in admin-api so a future engine adapter can reuse the slug
+        // verbatim without re-validating.
+        if (!/^[a-z][a-z0-9-]*$/.test(trimmed))
+            return null;
+        if (REFUSED_PERSONAS.has(trimmed))
+            return null;
+        persona = trimmed;
+    }
+    const signature = signatureForToolRoute(command, persona, brief);
+    return {
+        command: command,
+        persona,
+        brief,
+        signature,
+        start: span.start,
+        end: span.end,
+    };
+}
+/**
+ * Parse `key="value"` / `key='value'` pairs out of an attribute blob.
+ * Returns null on any malformed attribute (unterminated quote, raw
+ * entity outside the allowlist, etc). Mirrors the bounded tokenizer
+ * in ask.ts so the parsing posture is uniform across envelope families.
+ */
+function parseAttrBlob(blob) {
+    const trimmed = blob.trim();
+    if (trimmed.length === 0)
+        return {};
+    const result = {};
+    let cursor = 0;
+    const maxIterations = trimmed.length + 4;
+    let iterations = 0;
+    while (cursor < trimmed.length && iterations++ < maxIterations) {
+        while (cursor < trimmed.length && /\s/.test(trimmed[cursor] ?? ''))
+            cursor += 1;
+        if (cursor >= trimmed.length)
+            break;
+        const nameStart = cursor;
+        // Attribute names are lowercase letters; allow `-` for consistency
+        // with the rest of the persona grammar even though our allowlist is
+        // hyphen-free. Mismatch is caught by the ALLOWED_ATTRS gate.
+        while (cursor < trimmed.length &&
+            /[a-z-]/.test(trimmed[cursor] ?? '')) {
+            cursor += 1;
+        }
+        if (cursor === nameStart)
+            return null;
+        const name = trimmed.slice(nameStart, cursor);
+        if (trimmed[cursor] !== '=')
+            return null;
+        cursor += 1;
+        const quote = trimmed[cursor];
+        if (quote !== '"' && quote !== "'")
+            return null;
+        cursor += 1;
+        const valueStart = cursor;
+        const valueEnd = trimmed.indexOf(quote, valueStart);
+        if (valueEnd === -1)
+            return null;
+        const rawValue = trimmed.slice(valueStart, valueEnd);
+        // Raw `&` outside a known entity is malformed; raw angle brackets
+        // are forbidden inside quoted values (must be escaped). The closed
+        // entity allowlist + control-char strip mirrors ask.ts.
+        if (containsRawAmpersand(rawValue))
+            return null;
+        if (/[<>]/.test(rawValue))
+            return null;
+        result[name] = stripControlChars(decodeEntities(rawValue));
+        cursor = valueEnd + 1;
+    }
+    return result;
+}
+/* ------------------------------------------------------------------ */
+/* Streaming helper — find an unquoted `>` after `from`               */
+/* ------------------------------------------------------------------ */
+/**
+ * Walk `body` from index `from` looking for the first `>` that is NOT
+ * inside a quoted attribute value. Returns the index of the `>` or -1
+ * when no such position is found.
+ *
+ * Quote tracking is necessary because a `brief="…contains > as &gt;…"`
+ * value should never confuse the boundary scan. The grammar already
+ * forbids raw `>` inside quoted values (escape as `&gt;`) — this is
+ * belt-and-braces against a sloppy model emission.
+ */
+function findUnquotedGt(body, from) {
+    let quote = null;
+    for (let i = from; i < body.length; i += 1) {
+        const ch = body[i];
+        if (quote !== null) {
+            if (ch === quote)
+                quote = null;
+            continue;
+        }
+        if (ch === '"' || ch === "'") {
+            quote = ch;
+            continue;
+        }
+        if (ch === '>')
+            return i;
+    }
+    return -1;
+}
+/* ------------------------------------------------------------------ */
+/* Entity decoding + amp safety + control strip                       */
+/* ------------------------------------------------------------------ */
+const ENTITY_MAP = Object.freeze({
+    amp: '&',
+    lt: '<',
+    gt: '>',
+    quot: '"',
+    apos: "'",
+});
+function decodeEntities(input) {
+    return input.replace(/&([a-z]+);/g, (whole, name) => {
+        const decoded = ENTITY_MAP[name];
+        return decoded === undefined ? whole : decoded;
+    });
+}
+function stripControlChars(input) {
+    // eslint-disable-next-line no-control-regex -- deliberately matching control range
+    return input.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]/g, '');
+}
+function containsRawAmpersand(input) {
+    for (let i = 0; i < input.length; i += 1) {
+        if (input[i] !== '&')
+            continue;
+        const semi = input.indexOf(';', i + 1);
+        if (semi === -1)
+            return true;
+        const name = input.slice(i + 1, semi);
+        if (!Object.prototype.hasOwnProperty.call(ENTITY_MAP, name))
+            return true;
+        i = semi;
+    }
+    return false;
+}
+/* ------------------------------------------------------------------ */
+/* Signature                                                          */
+/* ------------------------------------------------------------------ */
+/**
+ * Stable dedupe signature for a tool-route tag. Exported so future
+ * synthesisers (slash command, local fallback) can produce signatures
+ * that collision-match parser-produced ones — without a single source
+ * of truth a local synth could share a signature with a persona-emitted
+ * envelope and the rolling-seen set would suppress one of them.
+ */
+export function signatureForToolRoute(command, persona, brief) {
+    const raw = `${command}::${persona.toLowerCase()}::${brief.trim().toLowerCase()}`;
+    return Buffer.from(raw, 'utf8').toString('base64');
+}
+//# sourceMappingURL=tool-route.js.map

package/dist/core/retro/git-collector.js

@@ -0,0 +1,251 @@
+/**
+ * Git collector for `pugi retro`.
+ *
+ * Mines a window of git history into RawCommit[] using `git log
+ * --numstat --no-renames` plus a few discrete `git` calls for branch
+ * + base + user identity. All git invocations go through child_process
+ * (execFile) so we never shell-expand operator-controlled values.
+ *
+ * The collector is intentionally tolerant of a "no git" workspace —
+ * `pugi retro` should not crash on a fresh `pugi init` scratch dir.
+ * `collectGitContext` returns an empty harvest with `hasGit: false`
+ * so the renderer can emit a friendly empty-state.
+ */
+import { execFile } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFile);
+const GIT_LOG_FORMAT = '%H%x01%an%x01%ae%x01%aI%x01%at%x01%s%x01%b';
+const RECORD_SEP = '\x02';
+const FIELD_SEP = '\x01';
+/** Files counted as tests (used both for stats split + commit-type
+ * classification when the author forgets a conventional prefix). */
+const TEST_FILE_RE = /(^|\/)(test|tests|spec|__tests__)\//i;
+const TEST_FILE_SUFFIX_RE = /\.(spec|test)\.(ts|tsx|js|jsx|mjs|cjs)$/i;
+function isTestFile(path) {
+    if (TEST_FILE_RE.test(path))
+        return true;
+    if (TEST_FILE_SUFFIX_RE.test(path))
+        return true;
+    return false;
+}
+/** Format a Date as `YYYY-MM-DDTHH:mm:ss` in LOCAL time (no `Z` suffix).
+ * Spec: git log `--since` parses local-time strings when no Z is given.
+ */
+export function formatLocalDateTime(d) {
+    const pad = (n) => n.toString().padStart(2, '0');
+    const y = d.getFullYear();
+    const mo = pad(d.getMonth() + 1);
+    const da = pad(d.getDate());
+    const h = pad(d.getHours());
+    const mi = pad(d.getMinutes());
+    const s = pad(d.getSeconds());
+    return `${y}-${mo}-${da}T${h}:${mi}:${s}`;
+}
+/** Detect whether the cwd lives inside a git working tree.
+ * Cheap probe: checks for a `.git` dir/file, then falls back to the
+ * actual `git rev-parse --is-inside-work-tree` for worktrees / submodules.
+ */
+export async function isGitWorkspace(cwd) {
+    if (existsSync(join(cwd, '.git')))
+        return true;
+    try {
+        const { stdout } = await execFileAsync('git', ['rev-parse', '--is-inside-work-tree'], { cwd });
+        return stdout.trim() === 'true';
+    }
+    catch {
+        return false;
+    }
+}
+/** Resolve `origin/HEAD` symbolic ref → short name (e.g. `main`).
+ * Falls back to `main` if the remote ref is not set (common in fresh
+ * scratch repos with no remote).
+ */
+export async function detectBaseBranch(cwd) {
+    try {
+        const { stdout } = await execFileAsync('git', ['symbolic-ref', '--short', 'refs/remotes/origin/HEAD'], { cwd });
+        const ref = stdout.trim();
+        if (!ref)
+            return 'main';
+        const idx = ref.lastIndexOf('/');
+        return idx === -1 ? ref : ref.slice(idx + 1);
+    }
+    catch {
+        return 'main';
+    }
+}
+export async function detectCurrentBranch(cwd) {
+    try {
+        const { stdout } = await execFileAsync('git', ['branch', '--show-current'], { cwd });
+        const branch = stdout.trim();
+        return branch || 'HEAD';
+    }
+    catch {
+        return 'HEAD';
+    }
+}
+export async function detectUserIdentity(cwd) {
+    const name = await readGitConfig(cwd, 'user.name');
+    const email = await readGitConfig(cwd, 'user.email');
+    return { name: name || 'You', email: email || '' };
+}
+async function readGitConfig(cwd, key) {
+    try {
+        const { stdout } = await execFileAsync('git', ['config', '--get', key], { cwd });
+        return stdout.trim();
+    }
+    catch {
+        return '';
+    }
+}
+/** Parse the multi-line `git log --numstat` output into RawCommit[].
+ *
+ * Format laid out as: `<header>\n<numstat lines>\n` per record,
+ * records separated by RECORD_SEP. The header has 7 fields joined by
+ * FIELD_SEP: sha, name, email, iso-date, epoch, subject, body. Each
+ * numstat line is `<ins>\t<del>\t<path>`; binary diffs surface as
+ * `-\t-\t<path>` and contribute 0/0 to the stats roll-up.
+ */
+export function parseGitLog(raw) {
+    const records = raw.split(RECORD_SEP).map((r) => r.trim()).filter(Boolean);
+    const commits = [];
+    for (const record of records) {
+        const lines = record.split('\n');
+        const headerLine = lines[0];
+        if (!headerLine)
+            continue;
+        const headerFields = headerLine.split(FIELD_SEP);
+        if (headerFields.length < 7)
+            continue;
+        const sha = headerFields[0] ?? '';
+        const author = headerFields[1] ?? '';
+        const authorEmail = headerFields[2] ?? '';
+        const timestamp = headerFields[3] ?? '';
+        const epochRaw = headerFields[4] ?? '0';
+        const subject = headerFields[5] ?? '';
+        const body = headerFields[6] ?? '';
+        const epochSeconds = Number.parseInt(epochRaw, 10);
+        if (!sha || !Number.isFinite(epochSeconds))
+            continue;
+        const files = [];
+        let insertions = 0;
+        let deletions = 0;
+        let testInsertions = 0;
+        let testDeletions = 0;
+        for (let i = 1; i < lines.length; i += 1) {
+            const line = lines[i];
+            if (!line)
+                continue;
+            const parts = line.split('\t');
+            if (parts.length < 3)
+                continue;
+            const insRaw = parts[0] ?? '0';
+            const delRaw = parts[1] ?? '0';
+            const path = parts[2] ?? '';
+            if (!path)
+                continue;
+            const ins = insRaw === '-' ? 0 : Number.parseInt(insRaw, 10) || 0;
+            const del = delRaw === '-' ? 0 : Number.parseInt(delRaw, 10) || 0;
+            files.push(path);
+            insertions += ins;
+            deletions += del;
+            if (isTestFile(path)) {
+                testInsertions += ins;
+                testDeletions += del;
+            }
+        }
+        commits.push({
+            sha,
+            author,
+            authorEmail,
+            timestamp,
+            epochSeconds,
+            subject,
+            body,
+            files,
+            stats: { insertions, deletions, testInsertions, testDeletions },
+        });
+    }
+    return commits;
+}
+/** Run `git log` for the given window. The format string packs every
+ * field we need into one stream so we only spawn git once. Records
+ * are separated by RECORD_SEP and fields by FIELD_SEP (both control
+ * characters that cannot appear inside commit text), so the parser
+ * never confuses subject text containing tabs/newlines for delimiters.
+ */
+async function runGitLog(cwd, window) {
+    const since = formatLocalDateTime(window.since);
+    const until = formatLocalDateTime(window.until);
+    const args = [
+        'log',
+        `--since=${since}`,
+        `--until=${until}`,
+        '--no-renames',
+        '--numstat',
+        `--pretty=format:${RECORD_SEP}${GIT_LOG_FORMAT}`,
+        'HEAD',
+    ];
+    try {
+        const { stdout } = await execFileAsync('git', args, {
+            cwd,
+            maxBuffer: 64 * 1024 * 1024,
+        });
+        return stdout;
+    }
+    catch {
+        return '';
+    }
+}
+/** Count commits between the merge-base of <base>...HEAD and HEAD —
+ * i.e. how many commits the current branch has added over the base.
+ * Returns 0 when the branch is base or the base ref is unknown.
+ */
+export async function countCommitsAheadOfBase(cwd, base, since) {
+    try {
+        const { stdout } = await execFileAsync('git', [
+            'rev-list',
+            '--count',
+            `${base}..HEAD`,
+            `--since=${formatLocalDateTime(since)}`,
+        ], { cwd });
+        const n = Number.parseInt(stdout.trim(), 10);
+        return Number.isFinite(n) ? n : 0;
+    }
+    catch {
+        return 0;
+    }
+}
+export async function collectGitContext(options) {
+    const { cwd, window } = options;
+    const hasGit = await isGitWorkspace(cwd);
+    if (!hasGit) {
+        return {
+            hasGit: false,
+            cwd,
+            currentBranch: '',
+            baseBranch: '',
+            userName: '',
+            userEmail: '',
+            commits: [],
+        };
+    }
+    const [currentBranch, baseBranch, identity, rawLog] = await Promise.all([
+        detectCurrentBranch(cwd),
+        detectBaseBranch(cwd),
+        detectUserIdentity(cwd),
+        runGitLog(cwd, window),
+    ]);
+    const commits = parseGitLog(rawLog);
+    return {
+        hasGit: true,
+        cwd,
+        currentBranch,
+        baseBranch,
+        userName: identity.name,
+        userEmail: identity.email,
+        commits,
+    };
+}
+//# sourceMappingURL=git-collector.js.map

package/dist/core/retro/health-card.js

@@ -0,0 +1,25 @@
+/**
+ * Workspace health card — Plane module oversize detection.
+ *
+ * Background (recall Pugi incident 2026-05-30): the Plane web UI
+ * tripped a React error boundary when an admin-api module accumulated
+ * ~200 issues. The actual REST API still returned 200, but the frontend
+ * choked. The fix was to keep modules at or below 60 issues and split larger ones.
+ *
+ * The health card surfaces a P1 warning when a module exceeds the
+ * recommended cap so the operator can split it before the next sprint.
+ */
+/** Recommended max issues per Plane module. The retro card surfaces
+ * any module exceeding this so the operator can split it. */
+export const OVERSIZED_MODULE_THRESHOLD = 60;
+export function computeHealthCard(modules) {
+    const oversized = modules
+        .filter((m) => m.issueCount > OVERSIZED_MODULE_THRESHOLD)
+        .sort((a, b) => b.issueCount - a.issueCount);
+    return {
+        totalModules: modules.length,
+        oversized,
+        oversizedThreshold: OVERSIZED_MODULE_THRESHOLD,
+    };
+}
+//# sourceMappingURL=health-card.js.map