@pugi/cli 0.1.0-beta.96 → 0.1.0-beta.97

package/dist/core/engine/tool-bridge.js

@@ -19,6 +19,12 @@ import { dispatchEnterWorktree, enterWorktreeJsonSchema, } from '../../tools/ent
 import { dispatchExitWorktree, exitWorktreeJsonSchema, } from '../../tools/exit-worktree.js';
 import { webFetchTool } from '../../tools/web-fetch.js';
 import { webSearchTool } from '../../tools/web-search.js';
+// Phase 1 runtime evidence pack (PUGI-291..295): server_* + http_request
+// dispatchers + JSON schema fragments. Every primitive returns a
+// sentinel string on validation failure (sleep/brief convention) so
+// the engine adapter surfaces it as a recoverable tool result.
+import { dispatchHttpRequest, httpRequestJsonSchema, } from '../../tools/http-request.js';
+import { dispatchServerHealth, dispatchServerLogs, dispatchServerStart, dispatchServerStop, serverHealthJsonSchema, serverLogsJsonSchema, serverStartJsonSchema, serverStopJsonSchema, } from '../../tools/server-tools.js';
 import { agentTool } from '../../tools/agent-tool.js';
 import { multiEdit } from '../../tools/multi-edit.js';
 import { recordVerificationCall } from '../session.js';
@@ -217,6 +223,15 @@ const WIRED_TOOLS = new Set([
     'symbols_signature',
     'symbols_type_definition',
     'symbols_workspace_symbols',
+    // Phase 1 runtime evidence pack (PUGI-291..295): server_* + http_request.
+    // Off by default in plan mode (mutation surface for start/stop; even
+    // health/logs/http_request cross the plan-mode read-only contract
+    // because they are runtime evidence primitives, not source reads).
+    'http_request',
+    'server_health',
+    'server_logs',
+    'server_start',
+    'server_stop',
 ]);
 export function buildToolsSchema(kind, options = { allowFetch: false, allowSearch: false }) {
     const planMode = kind === 'plan';
@@ -831,6 +846,31 @@ export function buildToolsSchema(kind, options = { allowFetch: false, allowSearc
                     },
                 },
             },
+        }, 
+        // Phase 1 runtime evidence pack (PUGI-291..295) - server lifecycle
+        // primitives + generic HTTP request. Off in plan mode because each
+        // tool produces side effects (a spawned process, an outbound HTTP
+        // call) the plan-mode read-only contract refuses.
+        {
+            name: 'server_start',
+            description: 'Spawn a server via /bin/sh -c <command> in the workspace and poll the health URL until it returns the expected status (default 200) or the timeout elapses. Persists pid + meta to `.pugi/runs/<runId>/server.json` and a stdout/stderr tail to `server.log`. Returns {ok, pid, port, healthStatus, logPath, durationMs, error?}. Use to materialise concrete pid + health 200 evidence rather than asserting a server is up in prose.',
+            parameters: serverStartJsonSchema,
+        }, {
+            name: 'server_stop',
+            description: 'Send SIGTERM to the supplied pid, wait graceMs (default 5000ms), then escalate to SIGKILL. Idempotent - a pid that already exited returns ok=true with signal=undefined. Returns {ok, pid, exitCode?, signal?, durationMs, error?}.',
+            parameters: serverStopJsonSchema,
+        }, {
+            name: 'server_health',
+            description: 'One-shot HTTP GET against the supplied URL with a short timeout (default 5000ms, max 60000ms). Returns {ok, status, durationMs, body?, error?} where ok=true only when the response status equals expectStatus (default 200). Body is capped at 1 KB so the envelope stays compact.',
+            parameters: serverHealthJsonSchema,
+        }, {
+            name: 'server_logs',
+            description: 'Read the trailing N lines of `.pugi/runs/<runId>/server.log`. Defaults to the most recent run when runId is omitted; pid-based lookup walks every run dir. Returns {ok, logPath, lines, totalLines, error?}.',
+            parameters: serverLogsJsonSchema,
+        }, {
+            name: 'http_request',
+            description: 'Issue an HTTP request (GET/POST/PUT/PATCH/DELETE/HEAD/OPTIONS) against a URL. Loopback hosts (localhost / 127.0.0.0/8 / ::1) always pass; non-loopback hosts require allowExternal: true so the default posture stays private. Body objects/arrays are JSON-serialised. Returns {ok, status, headers, body, json?, durationMs, error?, truncated?}.',
+            parameters: httpRequestJsonSchema,
         });
     }
     // β4 M1/M3: append MCP tools last. Plan mode skips them because every
@@ -1235,6 +1275,26 @@ export function buildExecutor(input) {
                     sessionId,
                 });
             }
+            // Phase 1 runtime evidence pack (PUGI-291..295). Each tool returns
+            // a JSON-string envelope or a sentinel string on validation
+            // failure - both paths are recoverable from the model's POV, so
+            // the engine adapter routes them as plain tool results and the
+            // model can self-correct.
+            if (name === 'server_start') {
+                return dispatchServerStart({ workspaceRoot }, args);
+            }
+            if (name === 'server_stop') {
+                return dispatchServerStop({ workspaceRoot }, args);
+            }
+            if (name === 'server_health') {
+                return dispatchServerHealth({ workspaceRoot }, args);
+            }
+            if (name === 'server_logs') {
+                return dispatchServerLogs({ workspaceRoot }, args);
+            }
+            if (name === 'http_request') {
+                return dispatchHttpRequest({}, args);
+            }
             if (name === 'multi_edit') {
                 return dispatchMultiEdit(args, ctx);
             }

package/dist/core/permissions/tool-class.js

@@ -47,11 +47,25 @@ const BUILT_IN_TOOL_CLASSES = Object.freeze({
     skill: 'read',
     task_get: 'read',
     task_list: 'read',
+    // Phase 1 runtime evidence pack (PUGI-291..295): server_health and
+    // server_logs are read-only probes (HTTP GET + tail of a log file
+    // already on disk). Classifying them as `read` keeps the ask-mode
+    // prompts honest; the dispatcher still applies the network-perm gate
+    // for server_health and the workspace-read gate for server_logs.
+    server_health: 'read',
+    server_logs: 'read',
     // Mutating actions.
     write: 'write',
     edit: 'write',
     multi_edit: 'write',
     bash: 'write',
+    // Phase 1 runtime evidence pack: server_start spawns a process,
+    // server_stop terminates one, http_request can POST/PUT/DELETE
+    // arbitrary data against a localhost service. All three are write
+    // class so plan mode refuses and ask mode prompts.
+    server_start: 'write',
+    server_stop: 'write',
+    http_request: 'write',
     task_create: 'write',
     task_update: 'write',
     todo_write: 'write',

package/dist/runtime/cli.js

@@ -5021,48 +5021,26 @@ function renderLocalSessionList(rows, projectSlug) {
  * 1 is reserved for the credential gate (engine_unavailable) so
  * existing shell wrappers that branch on "any non-zero" still work.
  */
-const ENGINE_EXIT_CODES = {
-    done: 0,
-    failed: 8,
-    blocked: 9,
-    engine_unavailable: 1,
-    // PUGI-VERIFY-GATE: needs_verification is the engine telling the
-    // operator "you did not run a verification command — I cannot
-    // confirm correctness". CI scripts treating any non-zero as
-    // failure keep working; exit 2 historically means "misuse" (the
-    // engine completed but the operator missed a required step),
-    // which matches the semantic here.
-    needs_verification: 2,
-};
-/**
- * PUGI-VERIFY-GATE — Codex dogfood 2026-06-04 surfaced a P0 where
- * `pugi code` returned exit 0 while npm test failed. The spec
- * locks the contract to exit 1 on a verification failure AND exit
- * 2 on `needs_verification`. Legacy callers reading exit 8/9 still
- * see "any non-zero = failure" but the new codes (1/2) are the
- * authoritative signal for the verification gate.
- *
- * The override fires when `result.status` carries the new
- * `needs_verification` literal OR when `result.unverifiedReason`
- * is set to `verification_command_failed` — the latter pins exit
- * 1 even if a future producer left `status: 'failed'` while
- * inferring the cause from the reason field.
- */
-function resolveEngineExitCode(result) {
-    if (result.status === 'needs_verification') {
-        return ENGINE_EXIT_CODES.needs_verification;
-    }
-    if (result.unverifiedReason === 'verification_command_failed') {
-        // Spec: verified=false because a verification command failed
-        // maps to CLI exit 1 (clear "this is broken" signal).
-        return 1;
-    }
-    if (result.status === 'done')
-        return ENGINE_EXIT_CODES.done;
-    if (result.status === 'failed')
-        return ENGINE_EXIT_CODES.failed;
-    return ENGINE_EXIT_CODES.blocked;
-}
+// PUGI-VERIFY-GATE - Codex dogfood 2026-06-04 surfaced a P0 where
+// `pugi code` returned exit 0 while npm test failed. The spec locks
+// the contract to exit 1 on a verification failure AND exit 2 on
+// `needs_verification`. Legacy callers reading exit 8/9 still see
+// "any non-zero = failure" but the new codes (1/2) are the
+// authoritative signal for the verification gate.
+//
+// Phase 1 (PUGI-299) - runtime invariant additions:
+//  3. `verificationFailures` non-empty array → exit 1
+//  4. `verified === false && status === 'done'` → exit 2
+//
+// The two new rules are defensive: today `computeVerificationOutcome`
+// always populates `unverifiedReason` (rule 2) or downgrades the
+// status (rule 1) so the new branches never fire, but the invariant
+// locks the contract for future engine adapters.
+//
+// Implementation lives in `engine-exit-code.ts` so the runtime spec
+// (`test/engine-exit-code.spec.ts`) can exercise it without mounting
+// this 9700-LOC entry module.
+import { ENGINE_EXIT_CODES, resolveEngineExitCode, } from './engine-exit-code.js';
 function commandLabel(kind) {
     return kind === 'build_task' ? 'build' : kind;
 }
@@ -8132,5 +8110,12 @@ export const __test__ = {
     // env-driven $PUGI_HOME redirect) without going через the full
     // engine-task dispatch path.
     readPersistedContextTier,
+    // Phase 1 (PUGI-299) - runtime verification gate exit-code resolver.
+    // Re-exported from `engine-exit-code.ts` so the invariant spec can
+    // assert that a `verificationFailures` non-empty array OR a
+    // `verified=false` outcome MUST surface as a non-zero CLI exit
+    // even when a malformed adapter forgets to flip the status.
+    resolveEngineExitCode,
+    ENGINE_EXIT_CODES,
 };
 //# sourceMappingURL=cli.js.map

package/dist/runtime/engine-exit-code.js

@@ -0,0 +1,50 @@
+/**
+ * engine-exit-code - Phase 1 verification gate invariant (PUGI-299).
+ *
+ * The runtime resolves the CLI exit code from the engine outcome via a
+ * deterministic ladder. Extracted from `cli.ts` so the invariant is
+ * exercisable from a focused spec without mounting the 9700-LOC entry
+ * module.
+ *
+ * Contract (in priority order):
+ *  1. `status === 'needs_verification'`    → exit 2
+ *  2. `unverifiedReason === 'verification_command_failed'` → exit 1
+ *  3. `verificationFailures` is a non-empty array          → exit 1
+ *  4. `verified === false && status === 'done'`            → exit 2
+ *  5. `status === 'done'`                                   → exit 0
+ *  6. `status === 'failed'`                                 → exit 8
+ *  7. `status === 'blocked'` (catch-all)                    → exit 9
+ *
+ * The rule fires defensively: rules 3 + 4 cover producer bugs where a
+ * future engine adapter forgets to flip `unverifiedReason` or
+ * downgrade the status to `needs_verification`. Today
+ * `computeVerificationOutcome` always synthesises one of the two,
+ * but the invariant locks the contract.
+ */
+export const ENGINE_EXIT_CODES = {
+    done: 0,
+    failed: 8,
+    blocked: 9,
+    engine_unavailable: 1,
+    needs_verification: 2,
+};
+export function resolveEngineExitCode(result) {
+    if (result.status === 'needs_verification') {
+        return ENGINE_EXIT_CODES.needs_verification;
+    }
+    if (result.unverifiedReason === 'verification_command_failed') {
+        return 1;
+    }
+    if (Array.isArray(result.verificationFailures) && result.verificationFailures.length > 0) {
+        return 1;
+    }
+    if (result.verified === false && result.status === 'done') {
+        return ENGINE_EXIT_CODES.needs_verification;
+    }
+    if (result.status === 'done')
+        return ENGINE_EXIT_CODES.done;
+    if (result.status === 'failed')
+        return ENGINE_EXIT_CODES.failed;
+    return ENGINE_EXIT_CODES.blocked;
+}
+//# sourceMappingURL=engine-exit-code.js.map

package/dist/runtime/version.js

@@ -44,7 +44,7 @@ export function sanitizeSemver(raw) {
  * during import). When bumping the CLI version BOTH literals must be
  * updated; the release smoke-test (`pack:smoke`) verifies they agree.
  */
-export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.96');
+export const PUGI_CLI_VERSION = sanitizeSemver('0.1.0-beta.97');
 /**
  * Outbound: the CLI's installed semver. Read at request time by
  * `version-interceptor.ts` and injected on every `fetch` call.

package/dist/tools/http-request.js

@@ -0,0 +1,336 @@
+/**
+ * http_request - Phase 1 CRUD-smoke primitive (PUGI Phase 1).
+ *
+ * Generic HTTP request tool the model uses to verify a freshly-spun
+ * service end-to-end. Distinct from `web_fetch`:
+ *   - `web_fetch` is an opt-in marketing-grade content fetch (always
+ *     GET, response folded to Markdown, sentinel wrap, SSRF guard
+ *     blocks loopback / RFC1918).
+ *   - `http_request` is a *development-evidence* primitive: any verb,
+ *     any localhost URL, JSON-aware body+response. The default
+ *     allow-list permits localhost / 127.0.0.1 / ::1 so the model can
+ *     drive a CRUD smoke against a server it just started via
+ *     `server_start`; non-loopback hosts require an explicit
+ *     `allowExternal` opt-in.
+ *
+ * Body is serialised to JSON when a plain object is supplied. Headers
+ * are merged on top of a small default set (Accept: application/json,
+ * Content-Type when body is JSON). Response body is capped at 64 KB to
+ * keep the envelope sized; when the response content-type matches
+ * `application/json` the dispatcher attempts a parse and surfaces
+ * `json` alongside `body`.
+ *
+ * Brand voice: English only, no emoji, no banned words.
+ */
+import { isIP } from 'node:net';
+export const HTTP_REQUEST_INVALID_ARGS = 'HTTP_REQUEST_INVALID_ARGS';
+export const HTTP_REQUEST_BODY_CAP_BYTES = 64 * 1024;
+export const HTTP_REQUEST_DEFAULT_TIMEOUT_MS = 10_000;
+export const HTTP_REQUEST_MAX_TIMEOUT_MS = 60_000;
+const ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS']);
+/**
+ * Validate raw arguments. Returns the typed payload on success or a
+ * sentinel string on failure (sleep/brief convention).
+ */
+export function parseHttpRequestArgs(raw) {
+    if (typeof raw !== 'object' || raw === null || Array.isArray(raw)) {
+        return `${HTTP_REQUEST_INVALID_ARGS}: arguments must be a JSON object`;
+    }
+    const obj = raw;
+    const method = obj['method'];
+    const url = obj['url'];
+    if (typeof method !== 'string' || !ALLOWED_METHODS.has(method.toUpperCase())) {
+        return `${HTTP_REQUEST_INVALID_ARGS}: method must be one of ${Array.from(ALLOWED_METHODS).join(', ')}`;
+    }
+    if (typeof url !== 'string' || url.trim() === '') {
+        return `${HTTP_REQUEST_INVALID_ARGS}: url must be a non-empty string`;
+    }
+    const body = obj['body'];
+    if (body !== undefined && body !== null) {
+        if (typeof body !== 'string' &&
+            !(typeof body === 'object')) {
+            return `${HTTP_REQUEST_INVALID_ARGS}: body must be a string or a JSON object/array`;
+        }
+    }
+    const headers = obj['headers'];
+    if (headers !== undefined) {
+        if (typeof headers !== 'object' || headers === null || Array.isArray(headers)) {
+            return `${HTTP_REQUEST_INVALID_ARGS}: headers must be a JSON object of string values`;
+        }
+        for (const [k, v] of Object.entries(headers)) {
+            if (typeof v !== 'string') {
+                return `${HTTP_REQUEST_INVALID_ARGS}: headers["${k}"] must be a string`;
+            }
+        }
+    }
+    const timeoutMs = obj['timeoutMs'];
+    if (timeoutMs !== undefined) {
+        if (typeof timeoutMs !== 'number' || !Number.isFinite(timeoutMs) || timeoutMs <= 0) {
+            return `${HTTP_REQUEST_INVALID_ARGS}: timeoutMs must be a positive number when provided`;
+        }
+    }
+    const allowExternal = obj['allowExternal'];
+    if (allowExternal !== undefined && typeof allowExternal !== 'boolean') {
+        return `${HTTP_REQUEST_INVALID_ARGS}: allowExternal must be a boolean when provided`;
+    }
+    const result = {
+        method: method.toUpperCase(),
+        url,
+        ...(body !== undefined && body !== null
+            ? { body: body }
+            : {}),
+        ...(headers !== undefined ? { headers: headers } : {}),
+        ...(typeof timeoutMs === 'number' ? { timeoutMs } : {}),
+        ...(typeof allowExternal === 'boolean' ? { allowExternal } : {}),
+    };
+    return result;
+}
+function clampTimeout(value) {
+    if (typeof value !== 'number' || !Number.isFinite(value) || value <= 0) {
+        return HTTP_REQUEST_DEFAULT_TIMEOUT_MS;
+    }
+    return Math.min(value, HTTP_REQUEST_MAX_TIMEOUT_MS);
+}
+/**
+ * Decide whether the target host counts as loopback. Accept the
+ * familiar shorthand (`localhost`, `127.0.0.1`, `::1`) plus the
+ * full 127.0.0.0/8 IPv4 range so a server bound to e.g. `127.0.0.5`
+ * still passes the gate.
+ */
+function isLoopbackHost(host) {
+    const lower = host.toLowerCase();
+    if (lower === 'localhost' ||
+        lower === '127.0.0.1' ||
+        lower === '::1' ||
+        lower === '[::1]' ||
+        // /triple-review P1 (Claude reviewer): IPv4-mapped
+        // IPv6 (`::ffff:127.0.0.1`) reaches loopback at the OS level.
+        // Recognize so a model that emits the IPv6 form is gated as
+        // loopback (rather than blocked as external — safer to allow
+        // explicitly recognised loopback and reject everything else).
+        lower === '::ffff:127.0.0.1' ||
+        lower.startsWith('::ffff:127.')) {
+        return true;
+    }
+    if (isIP(lower) === 4 && lower.startsWith('127.')) {
+        return true;
+    }
+    // /triple-review P1: `0.0.0.0` resolves к localhost for outbound on
+    // Linux and is reachable from inside the host. Treat as loopback so
+    // a server bound к `0.0.0.0` is callable from the dispatcher без
+    // requiring `allowExternal`. The risk surface is identical к
+    // `127.0.0.0/8` — anything reachable via `0.0.0.0` is also reachable
+    // via `127.0.0.1` on the same host.
+    if (lower === '0.0.0.0') {
+        return true;
+    }
+    return false;
+}
+function headersToObject(h) {
+    const out = {};
+    h.forEach((value, key) => {
+        out[key.toLowerCase()] = value;
+    });
+    return out;
+}
+/**
+ * Dispatch entry. Pure async - no shell, no filesystem. Loopback URLs
+ * always pass; external URLs require `allowExternal: true` so the
+ * default posture stays private.
+ */
+export async function dispatchHttpRequest(ctx, raw) {
+    const parsed = parseHttpRequestArgs(raw);
+    if (typeof parsed === 'string')
+        return parsed;
+    const args = parsed;
+    const now = ctx.now ?? (() => Date.now());
+    const fetchImpl = ctx.fetch ?? globalThis.fetch;
+    if (typeof fetchImpl !== 'function') {
+        const result = {
+            ok: false,
+            status: 0,
+            headers: {},
+            body: '',
+            durationMs: 0,
+            error: 'no_fetch_available',
+        };
+        return JSON.stringify(result);
+    }
+    // URL parse + loopback gate.
+    let parsedUrl;
+    try {
+        parsedUrl = new URL(args.url);
+    }
+    catch (error) {
+        const result = {
+            ok: false,
+            status: 0,
+            headers: {},
+            body: '',
+            durationMs: 0,
+            error: `invalid_url: ${error.message}`,
+        };
+        return JSON.stringify(result);
+    }
+    if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+        const result = {
+            ok: false,
+            status: 0,
+            headers: {},
+            body: '',
+            durationMs: 0,
+            error: `unsupported_protocol: ${parsedUrl.protocol}`,
+        };
+        return JSON.stringify(result);
+    }
+    const host = parsedUrl.hostname;
+    const loopback = isLoopbackHost(host);
+    if (!loopback && args.allowExternal !== true) {
+        const result = {
+            ok: false,
+            status: 0,
+            headers: {},
+            body: '',
+            durationMs: 0,
+            error: `external_host_blocked: ${host} (set allowExternal: true to permit)`,
+        };
+        return JSON.stringify(result);
+    }
+    // Header + body normalisation. The default Accept header pushes
+    // servers that content-negotiate toward JSON so the response parse
+    // hits more often.
+    const defaultHeaders = {
+        accept: 'application/json,text/plain;q=0.9,*/*;q=0.5',
+    };
+    const merged = { ...defaultHeaders };
+    if (args.headers) {
+        for (const [k, v] of Object.entries(args.headers)) {
+            merged[k.toLowerCase()] = v;
+        }
+    }
+    let serialisedBody;
+    if (args.body !== undefined && args.body !== null) {
+        if (typeof args.body === 'string') {
+            serialisedBody = args.body;
+        }
+        else {
+            try {
+                serialisedBody = JSON.stringify(args.body);
+            }
+            catch (error) {
+                const result = {
+                    ok: false,
+                    status: 0,
+                    headers: {},
+                    body: '',
+                    durationMs: 0,
+                    error: `body_serialise_failed: ${error.message}`,
+                };
+                return JSON.stringify(result);
+            }
+            if (!('content-type' in merged)) {
+                merged['content-type'] = 'application/json';
+            }
+        }
+    }
+    const timeoutMs = clampTimeout(args.timeoutMs);
+    const start = now();
+    const ac = new AbortController();
+    const timer = setTimeout(() => ac.abort(), timeoutMs);
+    try {
+        const init = {
+            method: args.method,
+            headers: merged,
+            signal: ac.signal,
+            // /triple-review P1 (Claude reviewer): default `fetch`
+            // follows redirects to ANY target. A loopback service can return
+            // 30x with Location pointing к cloud metadata IPs (169.254.169.254,
+            // 100.64/10 ranges) or arbitrary external hosts, and `fetch` would
+            // chase the redirect and surface the body. SSRF bypass class.
+            // `redirect: 'manual'` stops the chase; the dispatcher returns the
+            // 30x status + Location header to the model so it can decide
+            // whether the redirect target is acceptable.
+            redirect: 'manual',
+            ...(serialisedBody !== undefined ? { body: serialisedBody } : {}),
+        };
+        const res = await fetchImpl(args.url, init);
+        const text = await res.text();
+        const truncated = text.length > HTTP_REQUEST_BODY_CAP_BYTES;
+        const body = truncated ? text.slice(0, HTTP_REQUEST_BODY_CAP_BYTES) : text;
+        const respHeaders = headersToObject(res.headers);
+        const contentType = respHeaders['content-type'] ?? '';
+        let json;
+        if (contentType.includes('application/json') && body.length > 0 && !truncated) {
+            try {
+                json = JSON.parse(body);
+            }
+            catch {
+                // Body claimed JSON but failed to parse - preserve raw text only.
+            }
+        }
+        const result = {
+            ok: res.status >= 200 && res.status < 300,
+            status: res.status,
+            headers: respHeaders,
+            body,
+            ...(json !== undefined ? { json } : {}),
+            durationMs: now() - start,
+            ...(truncated ? { truncated: true } : {}),
+        };
+        return JSON.stringify(result);
+    }
+    catch (error) {
+        const message = error.message;
+        const aborted = error.name === 'AbortError';
+        const result = {
+            ok: false,
+            status: 0,
+            headers: {},
+            body: '',
+            durationMs: now() - start,
+            error: aborted ? `timeout_after_${timeoutMs}ms` : `request_failed: ${message}`,
+        };
+        return JSON.stringify(result);
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+export const httpRequestJsonSchema = {
+    type: 'object',
+    additionalProperties: false,
+    required: ['method', 'url'],
+    properties: {
+        method: {
+            type: 'string',
+            enum: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],
+            description: 'HTTP verb. Uppercase preferred but the dispatcher accepts any case.',
+        },
+        url: {
+            type: 'string',
+            description: 'Fully-qualified http(s) URL. Loopback hosts always pass; external hosts require allowExternal: true.',
+        },
+        body: {
+            description: 'Request body. A string is sent verbatim; an object/array is JSON-serialised and Content-Type defaults to application/json.',
+            oneOf: [
+                { type: 'string' },
+                { type: 'object', additionalProperties: true },
+                { type: 'array' },
+            ],
+        },
+        headers: {
+            type: 'object',
+            description: 'Custom request headers. Lower-cased keys overwrite the dispatcher defaults.',
+            additionalProperties: { type: 'string' },
+        },
+        timeoutMs: {
+            type: 'number',
+            description: `Per-request timeout in ms. Default ${HTTP_REQUEST_DEFAULT_TIMEOUT_MS}, max ${HTTP_REQUEST_MAX_TIMEOUT_MS}.`,
+        },
+        allowExternal: {
+            type: 'boolean',
+            description: 'Opt-in flag for non-loopback hosts. Defaults to false so the dispatcher refuses external URLs without explicit consent.',
+        },
+    },
+};
+//# sourceMappingURL=http-request.js.map

package/dist/tools/registry.js

@@ -49,6 +49,14 @@ const registry = [
     { name: 'exit_worktree', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: false },
     { name: 'glob', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
     { name: 'grep', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
+    // Phase 1 runtime evidence pack (PUGI-291..295): http_request issues a
+    // single HTTP call, mostly against loopback URLs produced by
+    // `server_start`. permission = 'network' to share the same egress
+    // gate as web_fetch; risk = 'medium' because the dispatcher will
+    // accept arbitrary verbs (POST/PUT/DELETE) - destructive verbs only
+    // when the caller opts in by URL/body. concurrencySafe = true because
+    // every dispatch is a fresh fetch with no shared state.
+    { name: 'http_request', permission: 'network', risk: 'medium', concurrencySafe: true, m1: false },
     // : LSP read-only surface. Server runs locally, no Anvil
     // round-trip. Concurrency-safe because every operation reads
     // server state without mutating workspace files.
@@ -91,7 +99,19 @@ const registry = [
     { name: 'powershell', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
     { name: 'question', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
     { name: 'read', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'skill', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
+    // Phase 1 runtime evidence pack (PUGI-291..295): server_* family.
+    // server_start spawns a process under /bin/sh -c and persists pid +
+    // log path к .pugi/runs/<runId>/. permission = 'bash' shares the
+    // same destructive-classifier gate as the bash tool (the command
+    // ultimately runs in a real shell). risk = 'high' for start/stop
+    // (process lifecycle mutates the operator's machine) and 'low' for
+    // health/logs (read-only probes). concurrencySafe = false for
+    // start/stop because the pid registry is not transactional;
+    // health/logs are safe to dispatch in parallel.
+    { name: 'server_health', permission: 'network', risk: 'low', concurrencySafe: true, m1: false },
+    { name: 'server_logs', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
+    { name: 'server_start', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
+    { name: 'server_stop', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
     // Tool gap pack : wall-clock pause primitive. No
     // filesystem / network / shell side-effects. concurrencySafe = true
     // because every dispatch is a fresh setTimeout closure with no