@pugi/cli 0.1.0-beta.98 → 1.0.0-alpha.1

package/dist/core/security/output-filter.js

@@ -1,418 +0,0 @@
-/**
- * Output filter (primitive #2 of the 9-layer RAG architecture).
- *
- * Composes four independent safety checks into a single perimeter that
- * runs against text the engine is ABOUT to emit to the operator. Each
- * sub-check is a private function inside this module; the public entry
- * point `filterOutput` runs them in a deterministic order and returns
- * the union of their findings.
- *
- * The intent is "one chokepoint" — the engine wire-up (out of scope for
- * this PR) will call `filterOutput` once per assistant turn and refuse
- * to surface text whose `allowed` flag is false. Operators get a single
- * structured violations list to triage.
- *
- * # Composed checks (deterministic order)
- *
- *  1. citation-verify — `[file:line]` / `(file:line)` patterns must
- *                        resolve to a real file inside `workspaceRoot`.
- *                        Path containment uses the existing workspace
- *                        boundary check pattern from `path-security.ts`.
- *  2. secret-scan     — defers to `core/memory/secret-scanner.ts`
- *                        (backlog). When `redactSecrets=true`
- *                        (default) the filter substitutes detected
- *                        secrets with `[SECRET:<kind>]` placeholders
- *                        AND reports the violations.
- *  3. numeric-claim   — standalone numbers (≥3 digits OR percentages
- *                        OR currency) must have a citation within
- *                        80 chars. When `allowNumericClaims=true` the
- *                        check is skipped entirely.
- *  4. malicious-url   — every URL found in the text must intersect
- *                        `allowedURLs`. Empty allowlist + non-empty URL
- *                        set = all URLs flagged.
- *  5. injection-echo  — surface obvious prompt-injection fragments
- *                        that look like upstream content leaked into
- *                        the model's output (`<system-reminder>`,
- *                        ChatML tags, "ignore previous instructions",
- *                        etc.).
- *
- * # No early exit
- *
- * The filter walks every check on every call and accumulates every
- * violation. A text with three secrets, two bad URLs and one bogus
- * citation surfaces six violations — operators see the whole picture in
- * one pass, not piecemeal across retries.
- *
- * # What this is NOT
- *
- *  - A blocking guard. The caller decides what to do with
- *    `allowed=false`. We never throw on a violation — throwing would
- *    deny the caller the redacted text + structured findings.
- *  - A locale-aware numeric extractor. Only English thousands
- *    separators are recognised for now (`1,000`, `1000`, `1,000.50`).
- *    Locale variants (e.g. `1.000,50` in DE) are intentionally out of
- *    scope per the spec.
- *  - An ML-based harm classifier. Regex tier only; harm-pattern
- *    expansion is deferred.
- *
- * # Existing modules composed against
- *
- *  - `core/memory/secret-scanner.ts` — secret-scan delegate.
- *  - `core/path-security.ts`              — workspace boundary check
- *                                             pattern (containment +
- *                                             realpath).
- *
- * # Follow-ups (tracked, NOT shipped here)
- *
- *  - Engine wire-up — consumer pulls `filterOutput` before emitting
- *    to the operator. Out of scope; touches `core/engine/` only.
- *  - Shared secret-scanner consolidation — depends on ship.
- *  - Locale-aware numeric extraction.
- *  - LLM-driven harm classifier (regex tier only today).
- */
-import { existsSync, realpathSync } from 'node:fs';
-import { isAbsolute, relative, resolve } from 'node:path';
-import { redactSecrets as redactSecretsImpl, scanForSecrets, } from '../memory/secret-scanner.js';
-// ---------------------------------------------------------------------------
-// Pattern catalog
-// ---------------------------------------------------------------------------
-/**
- * Inline citation patterns. Accepts:
- *  - `[file:line]` e.g. `[src/foo.ts:42]`
- *  - `(file:line)` e.g. `(src/foo.ts:42)`
- *
- * The path must contain a `.` (file extension hint) to keep prose like
- * `[chapter:1]` from being misread as a code citation. Line is a
- * 1+ digit positive integer.
- *
- * Anchored with bounded character classes — no `.*` and no nested
- * alternations, defending against catastrophic backtracking.
- */
-const INLINE_CITATION_RE = /[\[(]([^\]\s)]+\.[A-Za-z0-9]+):(\d+)[\])]/g;
-/**
- * URL extraction. Matches `http://` or `https://` followed by host +
- * optional path. Bounded path char class.
- */
-const URL_RE = /\bhttps?:\/\/[A-Za-z0-9.\-]+(?::\d+)?(?:\/[A-Za-z0-9._~:/?#@!$&'()*+,;=%\-]*)?/g;
-/**
- * Numeric-claim patterns. We accumulate matches from THREE shapes:
- *  - percentage:  `42%`, `0.5%`, `100.0%`
- *  - currency:    `$1`, `$1,000`, `$1.50`, `€42`, `£99.99` (any 1+)
- *  - bare number: `123`, `1,000`, `42.5` (≥3 significant digits)
- *
- * "Significant digits" for the bare-number rule means ≥3 digit chars
- * total ignoring separators. `99` (2 digits) is NOT flagged; `100` is.
- * This dodges the false-positive trap of years / common small numbers
- * appearing in prose without a citation needing to back them up.
- */
-const PERCENT_RE = /\b\d+(?:\.\d+)?%/g;
-const CURRENCY_RE = /[$€£¥₹]\s?\d{1,3}(?:,\d{3})*(?:\.\d+)?/g;
-const BARE_NUMBER_RE = /\b\d{1,3}(?:,\d{3})+(?:\.\d+)?\b|\b\d{3,}(?:\.\d+)?\b/g;
-/**
- * Injection-echo fragments. These are markers we never expect a model
- * to legitimately produce in its output; their appearance suggests
- * upstream context (a user-supplied document, a tool result, a leaked
- * system prompt) has bled into the generation surface.
- *
- * Kept literal-prefix-anchored to keep false-positives low. A model
- * legitimately discussing prompt-injection education ("attackers might
- * say `ignore previous instructions`") will trip the warning — the
- * caller can downgrade via `allowed` post-hoc, but the violation must
- * still surface so reviewers see it.
- */
-const INJECTION_PATTERNS = [
-    { id: 'system-reminder-tag', re: /<system-reminder\b/gi },
-    { id: 'system-tag', re: /<\|im_start\|>/g },
-    { id: 'endoftext-tag', re: /<\|endoftext\|>/g },
-    { id: 'inst-marker', re: /\[INST\]/g },
-    { id: 'inst-close', re: /\[\/INST\]/g },
-    { id: 'ignore-previous', re: /\b(?:important[^a-z]*)?ignore\s+(?:all\s+|the\s+)?previous\s+(?:instructions|prompts?)/gi },
-    { id: 'disregard-above', re: /\bdisregard\s+(?:all|prior|the)?\s*above/gi },
-    { id: 'anthropic-human-tag', re: /\n\s*Human:\s*/g },
-    { id: 'anthropic-assistant-tag', re: /\n\s*Assistant:\s*/g },
-];
-// ---------------------------------------------------------------------------
-// Public entry point
-// ---------------------------------------------------------------------------
-export function filterOutput(text, options = {}) {
-    if (typeof text !== 'string' || text.length === 0) {
-        return { allowed: true, violations: [] };
-    }
-    const violations = [];
-    // Check order is deterministic — locked by the spec. Each check
-    // pushes its findings to `violations` and never throws.
-    // 1. Citation verify.
-    pushCitationViolations(text, options, violations);
-    // 2. Secret scan. We always scan; redaction is gated by the flag.
-    const redact = options.redactSecrets !== false;
-    const secretMatches = scanForSecrets(text);
-    for (const match of secretMatches) {
-        violations.push({
-            kind: 'secret-leak',
-            location: lineColumnFor(text, match.offset),
-            detail: `Secret pattern '${match.pattern}' (${match.confidence}) detected`,
-        });
-    }
-    let redactedText;
-    if (redact && secretMatches.length > 0) {
-        const result = redactSecretsImpl(text);
-        redactedText = result.redacted;
-    }
-    // 3. Numeric claim guard. Skipped when allowNumericClaims=true.
-    if (options.allowNumericClaims !== true) {
-        pushNumericClaimViolations(text, violations);
-    }
-    // 4. Malicious URL.
-    pushUrlViolations(text, options.allowedURLs ?? [], violations);
-    // 5. Injection echo.
-    pushInjectionEchoViolations(text, violations);
-    return {
-        allowed: violations.length === 0,
-        redactedText,
-        violations,
-    };
-}
-function collectInlineCitations(text) {
-    const out = [];
-    for (const m of text.matchAll(INLINE_CITATION_RE)) {
-        if (m.index === undefined)
-            continue;
-        const path = m[1];
-        const lineStr = m[2];
-        if (path === undefined || lineStr === undefined)
-            continue;
-        const lineNum = Number.parseInt(lineStr, 10);
-        if (!Number.isFinite(lineNum) || lineNum <= 0)
-            continue;
-        out.push({
-            raw: m[0],
-            path,
-            line: lineNum,
-            offset: m.index,
-        });
-    }
-    return out;
-}
-function pushCitationViolations(text, options, violations) {
-    const inline = collectInlineCitations(text);
-    const explicit = options.citations ?? [];
-    // Nothing to check.
-    if (inline.length === 0 && explicit.length === 0)
-        return;
-    const root = options.workspaceRoot;
-    if (root === undefined) {
-        // Fail-closed: cannot verify without a root, but we still surface
-        // the citations so the caller sees them.
-        for (const cite of inline) {
-            violations.push({
-                kind: 'invalid-citation',
-                location: lineColumnFor(text, cite.offset),
-                detail: `Citation '${cite.raw}' cannot be verified (workspaceRoot missing)`,
-            });
-        }
-        for (const cite of explicit) {
-            violations.push({
-                kind: 'invalid-citation',
-                detail: `Citation '${cite.path}:${cite.line}' cannot be verified (workspaceRoot missing)`,
-            });
-        }
-        return;
-    }
-    // Canonicalise the workspace root once. realpath fail = pass-through;
-    // the containment check below will still reject any traversal.
-    let canonicalRoot;
-    try {
-        canonicalRoot = realpathSync.native(root);
-    }
-    catch {
-        canonicalRoot = resolve(root);
-    }
-    for (const cite of inline) {
-        if (!isCitationContained(cite.path, canonicalRoot)) {
-            violations.push({
-                kind: 'invalid-citation',
-                location: lineColumnFor(text, cite.offset),
-                detail: `Citation '${cite.raw}' resolves outside workspace`,
-            });
-            continue;
-        }
-        const abs = resolve(canonicalRoot, cite.path);
-        if (!existsSync(abs)) {
-            violations.push({
-                kind: 'invalid-citation',
-                location: lineColumnFor(text, cite.offset),
-                detail: `Citation '${cite.raw}' references missing file`,
-            });
-        }
-    }
-    for (const cite of explicit) {
-        if (!isCitationContained(cite.path, canonicalRoot)) {
-            violations.push({
-                kind: 'invalid-citation',
-                detail: `Citation '${cite.path}:${cite.line}' resolves outside workspace`,
-            });
-            continue;
-        }
-        const abs = resolve(canonicalRoot, cite.path);
-        if (!existsSync(abs)) {
-            violations.push({
-                kind: 'invalid-citation',
-                detail: `Citation '${cite.path}:${cite.line}' references missing file`,
-            });
-        }
-    }
-}
-function isCitationContained(citationPath, canonicalRoot) {
-    if (isAbsolute(citationPath))
-        return false; // absolute paths in citations are never trusted
-    // Reject `..` segments before any FS work (mirror path-security.ts step #1).
-    const segments = citationPath.split(/[/\\]/);
-    if (segments.some((seg) => seg === '..'))
-        return false;
-    // Resolve relative to the canonical root and reverify containment.
-    const target = resolve(canonicalRoot, citationPath);
-    const rel = relative(canonicalRoot, target);
-    if (!rel)
-        return true;
-    return !rel.startsWith('..');
-}
-function collectNumericHits(text) {
-    const out = [];
-    for (const re of [PERCENT_RE, CURRENCY_RE, BARE_NUMBER_RE]) {
-        for (const m of text.matchAll(re)) {
-            if (m.index === undefined)
-                continue;
-            out.push({ value: m[0], offset: m.index });
-        }
-    }
-    // Deduplicate overlapping hits — `100%` matches PERCENT_RE and the
-    // bare-number rule would not (anchored to no trailing `%`), but a
-    // currency `$100` could overlap a bare `100`. Sort by offset, keep
-    // the longest match at each anchor.
-    out.sort((a, b) => a.offset - b.offset || b.value.length - a.value.length);
-    const deduped = [];
-    let lastEnd = -1;
-    for (const hit of out) {
-        if (hit.offset < lastEnd)
-            continue;
-        deduped.push(hit);
-        lastEnd = hit.offset + hit.value.length;
-    }
-    return deduped;
-}
-function pushNumericClaimViolations(text, violations) {
-    const numbers = collectNumericHits(text);
-    if (numbers.length === 0)
-        return;
-    // Compute citation offsets ONCE — every inline citation in the text
-    // counts as anchorage for nearby numbers regardless of validity.
-    // (Validity is checked separately in pushCitationViolations.)
-    const citationOffsets = [];
-    for (const m of text.matchAll(INLINE_CITATION_RE)) {
-        if (m.index !== undefined)
-            citationOffsets.push(m.index);
-    }
-    for (const hit of numbers) {
-        if (!hasCitationWithin(hit.offset, hit.value.length, citationOffsets, 80)) {
-            violations.push({
-                kind: 'numeric-without-citation',
-                location: lineColumnFor(text, hit.offset),
-                detail: `Numeric claim '${hit.value}' has no citation within 80 chars`,
-            });
-        }
-    }
-}
-function hasCitationWithin(hitOffset, hitLength, citationOffsets, window) {
-    const lo = hitOffset - window;
-    const hi = hitOffset + hitLength + window;
-    for (const cOff of citationOffsets) {
-        if (cOff >= lo && cOff <= hi)
-            return true;
-    }
-    return false;
-}
-// ---------------------------------------------------------------------------
-// Malicious URL
-// ---------------------------------------------------------------------------
-function pushUrlViolations(text, allowed, violations) {
-    const normalisedAllowed = allowed.map((u) => stripTrailingSlash(u.toLowerCase()));
-    for (const m of text.matchAll(URL_RE)) {
-        if (m.index === undefined)
-            continue;
-        const url = m[0];
-        if (!isUrlAllowed(url, normalisedAllowed)) {
-            violations.push({
-                kind: 'malicious-url',
-                location: lineColumnFor(text, m.index),
-                detail: `URL '${url}' is not in the allowlist`,
-            });
-        }
-    }
-}
-function stripTrailingSlash(s) {
-    return s.endsWith('/') ? s.slice(0, -1) : s;
-}
-function isUrlAllowed(url, allowlist) {
-    const lower = stripTrailingSlash(url.toLowerCase());
-    for (const allowed of allowlist) {
-        if (lower === allowed)
-            return true;
-        // Prefix-with-`/` match prevents `https://example.com.evil` from
-        // satisfying an `https://example.com` entry. We also accept the
-        // bare host without path.
-        if (lower.startsWith(`${allowed}/`))
-            return true;
-        if (lower.startsWith(`${allowed}?`))
-            return true;
-        if (lower.startsWith(`${allowed}#`))
-            return true;
-    }
-    return false;
-}
-// ---------------------------------------------------------------------------
-// Injection echo
-// ---------------------------------------------------------------------------
-function pushInjectionEchoViolations(text, violations) {
-    for (const pattern of INJECTION_PATTERNS) {
-        // Clone each regex so concurrent calls do not share `lastIndex`.
-        const rx = new RegExp(pattern.re.source, pattern.re.flags);
-        for (const m of text.matchAll(rx)) {
-            if (m.index === undefined)
-                continue;
-            violations.push({
-                kind: 'injection-echo',
-                location: lineColumnFor(text, m.index),
-                detail: `Injection-echo pattern '${pattern.id}' matched (${truncateMatch(m[0])})`,
-            });
-        }
-    }
-}
-function truncateMatch(s) {
-    if (s.length <= 64)
-        return s;
-    return `${s.slice(0, 64)}...`;
-}
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-/**
- * Compute 1-based line + column for a 0-based byte (UTF-16 code unit)
- * offset within `text`. Mirrors the helper in `secret-scanner.ts` but
- * returns column too — the spec demands a `{ line, column }` shape.
- */
-function lineColumnFor(text, offset) {
-    let line = 1;
-    let column = 1;
-    const cap = Math.min(offset, text.length);
-    for (let i = 0; i < cap; i += 1) {
-        if (text.charCodeAt(i) === 10) {
-            line += 1;
-            column = 1;
-        }
-        else {
-            column += 1;
-        }
-    }
-    return { line, column };
-}
-//# sourceMappingURL=output-filter.js.map

package/dist/core/session/env-file.js

@@ -1,105 +0,0 @@
-import { promises as fs } from 'node:fs';
-import { dirname } from 'node:path';
-const PUGI_PREFIX = 'PUGI_';
-function isPugiKey(key) {
-    return key.startsWith(PUGI_PREFIX);
-}
-function filterPugiVars(env) {
-    const out = {};
-    for (const [k, v] of Object.entries(env)) {
-        if (isPugiKey(k) && typeof v === 'string')
-            out[k] = v;
-    }
-    return out;
-}
-function isValidState(value) {
-    if (!value || typeof value !== 'object')
-        return false;
-    const v = value;
-    if (typeof v.cwd !== 'string')
-        return false;
-    if (!v.environment || typeof v.environment !== 'object' || Array.isArray(v.environment))
-        return false;
-    if (typeof v.updatedAt !== 'string')
-        return false;
-    if (v.personaSlug !== undefined && typeof v.personaSlug !== 'string')
-        return false;
-    for (const [k, entry] of Object.entries(v.environment)) {
-        if (typeof k !== 'string' || typeof entry !== 'string')
-            return false;
-    }
-    return true;
-}
-function warn(message) {
-    process.stderr.write(`[pugi:env-file] ${message}\n`);
-}
-export async function loadEnvState(opts) {
-    let raw;
-    try {
-        raw = await fs.readFile(opts.envFilePath, 'utf8');
-    }
-    catch (err) {
-        const code = err.code;
-        if (code === 'ENOENT')
-            return null;
-        warn(`failed to read ${opts.envFilePath}: ${err.message}`);
-        return null;
-    }
-    let parsed;
-    try {
-        parsed = JSON.parse(raw);
-    }
-    catch (err) {
-        warn(`malformed JSON at ${opts.envFilePath}: ${err.message}`);
-        return null;
-    }
-    if (!isValidState(parsed)) {
-        warn(`invalid env state shape at ${opts.envFilePath}`);
-        return null;
-    }
-    const state = {
-        cwd: parsed.cwd,
-        environment: filterPugiVars(parsed.environment),
-        updatedAt: parsed.updatedAt,
-    };
-    if (parsed.personaSlug !== undefined)
-        state.personaSlug = parsed.personaSlug;
-    return state;
-}
-export async function saveEnvState(state, opts) {
-    const dir = dirname(opts.envFilePath);
-    await fs.mkdir(dir, { recursive: true });
-    const finalState = {
-        cwd: state.cwd,
-        environment: filterPugiVars(state.environment ?? {}),
-        updatedAt: new Date().toISOString(),
-    };
-    if (state.personaSlug !== undefined)
-        finalState.personaSlug = state.personaSlug;
-    const payload = JSON.stringify(finalState, null, 2);
-    const tmpSuffix = `${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}`;
-    const tmpPath = `${opts.envFilePath}.tmp-${tmpSuffix}`;
-    await fs.writeFile(tmpPath, payload, { encoding: 'utf8', mode: 0o600 });
-    try {
-        await fs.rename(tmpPath, opts.envFilePath);
-    }
-    catch (err) {
-        await fs.rm(tmpPath, { force: true }).catch(() => { });
-        throw err;
-    }
-}
-export function mergeIntoEnv(state, processEnv) {
-    const out = {};
-    if (state) {
-        for (const [k, v] of Object.entries(state.environment)) {
-            if (isPugiKey(k) && typeof v === 'string')
-                out[k] = v;
-        }
-    }
-    for (const [k, v] of Object.entries(processEnv)) {
-        if (v !== undefined)
-            out[k] = v;
-    }
-    return out;
-}
-//# sourceMappingURL=env-file.js.map

package/dist/core/session/section-budgets.js

@@ -1,140 +0,0 @@
-import { estimateTokens } from '../compact/token-counter.js';
-export const TRUNCATION_MARKER = '\n[…truncated…]\n';
-const DEFAULT_PRIORITY = 0.5;
-const SHAVE_STEP_RATIO = 0.1;
-const SHAVE_SAFETY_BOUND = 10_000;
-function validateInputs(sections) {
-    const seen = new Set();
-    for (const s of sections) {
-        if (typeof s.name !== 'string' || s.name.length === 0) {
-            throw new TypeError('section name must be a non-empty string');
-        }
-        if (seen.has(s.name)) {
-            throw new TypeError(`duplicate section name: ${s.name}`);
-        }
-        seen.add(s.name);
-        if (!Number.isFinite(s.budget) || s.budget < 0) {
-            throw new RangeError(`section ${s.name}: budget must be a finite number >= 0`);
-        }
-        if (s.priority !== undefined) {
-            if (!Number.isFinite(s.priority) || s.priority < 0 || s.priority > 1) {
-                throw new RangeError(`section ${s.name}: priority must be in [0, 1]`);
-            }
-        }
-    }
-}
-function buildTruncated(content, keepChars, strategy) {
-    if (keepChars <= 0)
-        return '';
-    if (strategy === 'head') {
-        const start = Math.max(0, content.length - keepChars);
-        return TRUNCATION_MARKER + content.slice(start);
-    }
-    if (strategy === 'tail') {
-        return content.slice(0, keepChars) + TRUNCATION_MARKER;
-    }
-    const headChars = Math.floor(keepChars / 2);
-    const tailChars = keepChars - headChars;
-    const head = content.slice(0, headChars);
-    const tailStart = Math.max(headChars, content.length - tailChars);
-    const tail = content.slice(tailStart);
-    return head + TRUNCATION_MARKER + tail;
-}
-function truncateSection(name, content, budget, strategy) {
-    const originalTokens = estimateTokens(content);
-    if (originalTokens <= budget) {
-        return { content, tokens: originalTokens, truncated: false, droppedTokens: 0 };
-    }
-    if (strategy === 'none') {
-        throw new RangeError(`section ${name}: content (${originalTokens} tokens) exceeds budget (${budget}) and strategy='none'`);
-    }
-    if (budget === 0) {
-        return { content: '', tokens: 0, truncated: true, droppedTokens: originalTokens };
-    }
-    const markerTokens = estimateTokens(TRUNCATION_MARKER);
-    if (markerTokens >= budget) {
-        return { content: '', tokens: 0, truncated: true, droppedTokens: originalTokens };
-    }
-    const available = budget - markerTokens;
-    let keepChars = Math.max(0, available * 4);
-    let next = buildTruncated(content, keepChars, strategy);
-    let tokens = estimateTokens(next);
-    while (tokens > budget && keepChars > 0) {
-        keepChars = Math.max(0, keepChars - 4);
-        if (keepChars === 0) {
-            next = '';
-            tokens = 0;
-            break;
-        }
-        next = buildTruncated(content, keepChars, strategy);
-        tokens = estimateTokens(next);
-    }
-    return {
-        content: next,
-        tokens,
-        truncated: true,
-        droppedTokens: originalTokens - tokens,
-    };
-}
-export function applySectionBudgets(sections, options) {
-    validateInputs(sections);
-    const sumBudgets = sections.reduce((sum, s) => sum + s.budget, 0);
-    const totalBudget = options?.totalBudget ?? sumBudgets;
-    const working = sections.map((s) => {
-        const r = truncateSection(s.name, s.content, s.budget, s.strategy);
-        return {
-            input: s,
-            currentBudget: s.budget,
-            content: r.content,
-            tokens: r.tokens,
-            truncated: r.truncated,
-            droppedTokens: r.droppedTokens,
-        };
-    });
-    let totalTokens = working.reduce((sum, w) => sum + w.tokens, 0);
-    if (totalTokens > totalBudget) {
-        const shrinkable = working
-            .map((w, idx) => ({ w, idx, priority: w.input.priority ?? DEFAULT_PRIORITY }))
-            .filter((x) => x.w.input.strategy !== 'none')
-            .sort((a, b) => a.priority - b.priority || a.idx - b.idx);
-        let safety = 0;
-        while (totalTokens > totalBudget && safety < SHAVE_SAFETY_BOUND) {
-            safety++;
-            let shaved = false;
-            for (const x of shrinkable) {
-                if (x.w.currentBudget === 0 && x.w.tokens === 0)
-                    continue;
-                const step = Math.max(1, Math.ceil(x.w.input.budget * SHAVE_STEP_RATIO));
-                const newBudget = Math.max(0, x.w.currentBudget - step);
-                if (newBudget === x.w.currentBudget)
-                    continue;
-                x.w.currentBudget = newBudget;
-                const r = truncateSection(x.w.input.name, x.w.input.content, newBudget, x.w.input.strategy);
-                const delta = x.w.tokens - r.tokens;
-                x.w.content = r.content;
-                x.w.tokens = r.tokens;
-                x.w.truncated = r.truncated;
-                x.w.droppedTokens = r.droppedTokens;
-                totalTokens -= delta;
-                shaved = true;
-                break;
-            }
-            if (!shaved)
-                break;
-        }
-    }
-    const finalSections = working.map((w) => ({
-        name: w.input.name,
-        content: w.content,
-        tokens: w.tokens,
-        truncated: w.truncated,
-        droppedTokens: w.droppedTokens,
-    }));
-    return {
-        sections: finalSections,
-        totalTokens,
-        totalBudget,
-        overBudget: totalTokens > totalBudget,
-    };
-}
-//# sourceMappingURL=section-budgets.js.map