@pugi/cli 0.1.0-beta.98 → 1.0.0-alpha.1

package/dist/tools/web-search.js

@@ -1,458 +0,0 @@
-/**
- * web_search tool — β1b T4 .
- *
- * One-shot web search via the Anvil-proxied Brave Search API. Mirrors
- * the gate + SSRF + sanitize + rate-limit posture of
- * `tools/web-fetch.ts`. Returns the top-N {title, url, snippet}
- * results wrapped in an `<untrusted-search-NONCE>` sentinel so the
- * downstream prompt treats every snippet as data, never as
- * instructions.
- *
- * Why an Anvil proxy and not a direct Brave API call:
- *  - The Brave Search subscription key is server-side. Shipping it in
- *    a customer CLI bundle would burn the rotation budget the first
- *    time the binary lands on a phishing repo.
- *  - The Anvil proxy already terminates the customer's `PUGI_API_KEY`
- *    for tenancy + per-tier rate-limiting + audit logging. Routing
- *    search through the same boundary keeps the security model
- *    uniform with `pugi engine` and `pugi sync`.
- *  - For local dev / offline testing the env var
- *    `PUGI_SEARCH_PROXY_URL` overrides the default proxy endpoint;
- *    unit tests inject `_setSearchFetchForTests()` so no network is
- *    touched.
- *
- * Gate: the tool refuses unless one of:
- *  1. `settings.web.search.enabled === true` (persistent opt-in)
- *  2. `allowSearch === true` (CLI flag `--allow-search`, single dispatch)
- *
- * SSRF: the proxy URL itself runs through `validateHostnameForFetch`
- * from `web-fetch.ts` so a configured `PUGI_SEARCH_PROXY_URL=
- * http://169.254.169.254/...` cannot ride to cloud metadata. We also
- * apply the β1b #62 DNS-rebinding guard via the shared
- * `pinnedAddressAgent` helper (web-fetch.ts) — the same SSRF window
- * that fetch closes, search closes.
- *
- * Rate limit: in-memory session bucket — 5 requests per rolling 60 s
- * keyed by `sessionId`. Burst above the cap returns
- * `{ ok: false, error: 'rate_limited' }` immediately, no network
- * dispatch. Per-session because a noisy session should not starve a
- * quieter one in the same workstation process.
- *
- * Response size cap: hard 1 MiB ceiling on the proxy body. Anything
- * larger drops the entire response with `oversized_response` — the
- * proxy already normalizes Brave's payload to a small JSON shape, so
- * 1 MiB is generous for the typical 10-result payload (~5 KiB).
- *
- * Sanitization: snippet text is stripped of HTML tags before being
- * surfaced to the model. Brave returns raw HTML in `description` for
- * highlight markup; we keep the visible text and drop every `<...>`
- * span via a conservative regex. Cross-checked by the `script/style`
- * spec which asserts a hostile `<script>alert(1)</script>` snippet
- * lands as the inner text only.
- *
- * Brand voice: brief / dispatch / ship / sentinel only — brandbook §08.
- */
-import { request, Agent } from 'undici';
-import { randomBytes } from 'node:crypto';
-import { validateHostnameForFetch, validateIpLiteralForFetch } from './web-fetch.js';
-let activeFetch = null;
-/**
- * Test seam — pass `null` to restore the production undici dispatcher.
- * Mirrors the `_setLookupForTests` pattern from `web-fetch.ts`.
- */
-export function _setSearchFetchForTests(fn) {
-    activeFetch = fn;
-}
-const SEARCH_TIMEOUT_MS = 10_000;
-const MAX_RESPONSE_BYTES = 1 * 1024 * 1024; // 1 MiB hard cap
-const MAX_RESULTS = 10;
-const DEFAULT_RESULTS = 10;
-const MAX_QUERY_LEN = 256;
-const RATE_LIMIT_WINDOW_MS = 60_000;
-const RATE_LIMIT_MAX = 5;
-const USER_AGENT = 'pugi-cli/0.1 (+https://pugi.dev)';
-const DEFAULT_PROXY_URL = 'https://api.pugi.io/api/pugi/web-search';
-export function isWebSearchEnabled(ctx) {
-    if (ctx.allowSearch === true)
-        return true;
-    return ctx.settings.web?.search?.enabled === true;
-}
-const rateBuckets = new Map();
-/**
- * β1b r1: Map sweep cap so a long-running engine session that recycles
- * sessionIds (or a misconfigured caller that passes per-call random
- * ids) cannot grow `rateBuckets` unbounded. 1024 is well above any
- * realistic concurrent-session count for a single CLI process; when
- * we cross the cap we sweep expired buckets first, and if the Map is
- * still over the cap we evict the oldest-touched bucket. Pure LRU
- * would need another timestamp; oldest-by-insertion (Map iteration
- * order) is close enough for a defense-in-depth memory bound.
- */
-const RATE_BUCKETS_CAP = 1024;
-/**
- * Returns true when the dispatch is allowed and records the call;
- * returns false when the per-session bucket is at cap. Pure
- * in-process; CLI dispatch is short-lived so a Map is sufficient.
- *
- * Exported for spec reset between test cases.
- */
-export function _checkRateLimit(sessionId, now = Date.now()) {
-    if (!sessionId)
-        return true;
-    let bucket = rateBuckets.get(sessionId);
-    if (!bucket) {
-        // β1b r1: sweep before allocating a new bucket so we never grow
-        // past the cap. Sweep is O(n) but only runs when we are about to
-        // breach the cap, so per-call cost stays effectively constant.
-        if (rateBuckets.size >= RATE_BUCKETS_CAP) {
-            sweepRateBuckets(now);
-        }
-        bucket = { timestamps: [] };
-        rateBuckets.set(sessionId, bucket);
-    }
-    const cutoff = now - RATE_LIMIT_WINDOW_MS;
-    bucket.timestamps = bucket.timestamps.filter((ts) => ts > cutoff);
-    if (bucket.timestamps.length >= RATE_LIMIT_MAX)
-        return false;
-    bucket.timestamps.push(now);
-    return true;
-}
-/**
- * Drop expired buckets (all timestamps older than the rate-limit
- * window) and, if still over the cap, evict the oldest-inserted
- * buckets until under cap. Memory-bound only — never affects rate
- * limit correctness for live sessions.
- */
-function sweepRateBuckets(now) {
-    const cutoff = now - RATE_LIMIT_WINDOW_MS;
-    for (const [id, b] of rateBuckets) {
-        if (b.timestamps.every((ts) => ts <= cutoff)) {
-            rateBuckets.delete(id);
-        }
-    }
-    while (rateBuckets.size >= RATE_BUCKETS_CAP) {
-        const oldest = rateBuckets.keys().next();
-        if (oldest.done)
-            break;
-        rateBuckets.delete(oldest.value);
-    }
-}
-/** Test seam — clear rate buckets between specs. */
-export function _resetRateLimitForTests() {
-    rateBuckets.clear();
-}
-/* ----------------------- sanitization ---------------------- */
-/**
- * Strip HTML tags + collapse whitespace. Brave's `description` carries
- * highlight markup (`<strong>`); we keep the inner text only so the
- * model never sees raw HTML it could mistake for a directive. The
- * regex is conservative: `<[^>]*>` removes opening + closing tags +
- * self-closing tags + comments + processing instructions. Script
- * BODIES are removed via a second pass that drops the entire
- * `<script>...</script>` and `<style>...</style>` block (case-
- * insensitive) so even a server-rendered snippet cannot leak a
- * `console.log` line into the model context.
- */
-export function sanitizeSnippet(input) {
-    if (!input)
-        return '';
-    // Drop full script + style blocks (with their bodies). The
-    // non-greedy `.*?` handles "..." with embedded newlines via the `s`
-    // flag.
-    const noScripts = input
-        .replace(/<script\b[^>]*>.*?<\/script>/gis, '')
-        .replace(/<style\b[^>]*>.*?<\/style>/gis, '');
-    // Drop any remaining tag.
-    const noTags = noScripts.replace(/<[^>]*>/g, '');
-    // Collapse whitespace runs. Brave already trims but defensive.
-    return noTags.replace(/\s+/g, ' ').trim();
-}
-/**
- * HTML-escape for sentinel body — mirrors `escapeForSentinelBody` from
- * web-fetch.ts. Kept local to avoid coupling the modules tighter than
- * the SSRF helpers already do.
- */
-function escapeForSentinelBody(input) {
-    return input
-        .replace(/&/g, '&amp;')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;')
-        .replace(/"/g, '&quot;')
-        .replace(/'/g, '&#39;');
-}
-/* ----------------------- dispatcher ---------------------- */
-/**
- * Resolve the search proxy URL. `PUGI_SEARCH_PROXY_URL` env override
- * lets local dev point at a fixture server; production hits
- * `api.pugi.io`.
- */
-function resolveProxyUrl() {
-    const env = process.env.PUGI_SEARCH_PROXY_URL;
-    if (typeof env === 'string' && env.length > 0)
-        return env;
-    return DEFAULT_PROXY_URL;
-}
-/**
- * Production fetch via undici with the β1b #62 DNS-rebinding guard
- * applied. We resolve the proxy hostname, validate against the SSRF
- * blocklist, then dispatch via an Agent pinned to the resolved IP so
- * a hostile DNS server cannot answer a different address on the
- * connect(2) than on the lookup.
- */
-async function productionFetch(url, init) {
-    // β1b #62 — pinned-address Dispatcher to close the lookup→connect
-    // race. The Agent's `connect.lookup` always returns the address we
-    // already validated, so DNS cannot flip between the SSRF guard and
-    // the socket creation. Agent is per-call (small object) so process
-    // teardown does not need to keep a long-lived dispatcher around.
-    const parsed = new URL(url);
-    const hostname = parsed.hostname.replace(/^\[|\]$/g, '');
-    const dnsGuard = await validateHostnameForFetch(hostname);
-    if (dnsGuard) {
-        throw new Error(`SSRF refused: ${dnsGuard}`);
-    }
-    const { lookup: dnsLookup } = await import('node:dns/promises');
-    const answers = await dnsLookup(hostname, { all: true, verbatim: true });
-    if (answers.length === 0) {
-        throw new Error(`DNS returned no answers for ${hostname}`);
-    }
-    // Pin the first answer of THIS lookup, then re-validate against the
-    // SSRF blocklist. β1b r1: closes the DNS rebinding window where a
-    // hostile resolver returns public IPs to `validateHostnameForFetch`
-    // above and private IPs here. The lookup that feeds the pin is the
-    // lookup whose answer the connect(2) will actually use; without a
-    // re-check on this literal the original guard's IP set can diverge
-    // from the IP we lock into `connect.lookup`.
-    const pinned = answers[0];
-    if (!pinned) {
-        throw new Error(`DNS returned no answers for ${hostname}`);
-    }
-    const ipCheck = validateIpLiteralForFetch(pinned.address, pinned.family);
-    if (ipCheck !== null) {
-        throw new Error(`SSRF refused: ssrf_pinned_address_blocked: ${ipCheck}`);
-    }
-    const agent = new Agent({
-        connect: {
-            // Force the connect path to use the pre-resolved address. undici
-            // accepts the standard Node `dns.LookupFunction` shape here.
-            lookup: (_h, _opts, cb) => {
-                cb(null, pinned.address, pinned.family);
-            },
-        },
-    });
-    try {
-        return await request(url, { ...init, dispatcher: agent });
-    }
-    finally {
-        await agent.close().catch(() => {
-            /* best-effort */
-        });
-    }
-}
-async function readBodyWithCap(body, controller) {
-    const chunks = [];
-    let total = 0;
-    try {
-        for await (const chunk of body) {
-            const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
-            total += buf.length;
-            if (total > MAX_RESPONSE_BYTES) {
-                controller.abort();
-                try {
-                    if (typeof body.destroy === 'function')
-                        body.destroy();
-                }
-                catch {
-                    /* ignore — already aborted */
-                }
-                return { ok: false, error: `oversized_response: > ${MAX_RESPONSE_BYTES} bytes` };
-            }
-            chunks.push(buf);
-        }
-    }
-    catch (error) {
-        const msg = error instanceof Error ? error.message : String(error);
-        return { ok: false, error: `body_read_failed: ${msg}` };
-    }
-    return { ok: true, buffer: Buffer.concat(chunks) };
-}
-/**
- * Validate + clamp the optional `count` arg. Clamp into [1, MAX_RESULTS]
- * and default to DEFAULT_RESULTS when missing. The bridge already
- * validates the type — this enforces the bounds.
- */
-function resolveCount(raw) {
-    if (raw === undefined)
-        return DEFAULT_RESULTS;
-    if (raw < 1)
-        return 1;
-    if (raw > MAX_RESULTS)
-        return MAX_RESULTS;
-    return Math.floor(raw);
-}
-/**
- * Sanitize the operator query before it crosses the proxy boundary.
- * Trim, hard-cap at MAX_QUERY_LEN, reject empty after trim. The proxy
- * also validates, but a CLI-side check keeps the model's mistake
- * visible to the operator (the failed call shows up in
- * `.pugi/events.jsonl`) rather than blamed on a 400 from the proxy.
- */
-function sanitizeQuery(raw) {
-    const trimmed = raw.trim();
-    if (trimmed.length === 0) {
-        throw new Error('empty_query');
-    }
-    if (trimmed.length > MAX_QUERY_LEN) {
-        return trimmed.slice(0, MAX_QUERY_LEN);
-    }
-    return trimmed;
-}
-export async function webSearchTool(input, ctx) {
-    if (!isWebSearchEnabled(ctx)) {
-        return {
-            ok: false,
-            error: 'web_search disabled. Enable with --allow-search or set web.search.enabled=true in .pugi/settings.json.',
-        };
-    }
-    let query;
-    try {
-        query = sanitizeQuery(input.query);
-    }
-    catch (error) {
-        return { ok: false, error: error instanceof Error ? error.message : String(error) };
-    }
-    if (!_checkRateLimit(ctx.sessionId)) {
-        return {
-            ok: false,
-            error: `rate_limited: max ${RATE_LIMIT_MAX} searches per ${RATE_LIMIT_WINDOW_MS / 1000}s per session`,
-        };
-    }
-    const count = resolveCount(input.count);
-    const proxyUrl = resolveProxyUrl();
-    // Validate the proxy URL parses + scheme + SSRF. Even though the
-    // env var is operator-controlled, a careless export of
-    // `http://localhost:8080` would otherwise let an unrelated local
-    // server intercept the call. Default URL is `api.pugi.io` and
-    // resolves clean.
-    let parsedProxy;
-    try {
-        parsedProxy = new URL(proxyUrl);
-    }
-    catch {
-        return { ok: false, error: `invalid_proxy_url: ${proxyUrl}` };
-    }
-    if (parsedProxy.protocol !== 'http:' && parsedProxy.protocol !== 'https:') {
-        return { ok: false, error: `unsupported_proxy_scheme: ${parsedProxy.protocol}` };
-    }
-    const proxyHost = parsedProxy.hostname.replace(/^\[|\]$/g, '');
-    // SSRF guard applies to the proxy hostname even when activeFetch is
-    // a test stub — keeps the spec contract honest. Tests that exercise
-    // the rate limiter use a stub that bypasses productionFetch but the
-    // guard still runs at the entry above test stubs.
-    const ssrfErr = await validateHostnameForFetch(proxyHost);
-    if (ssrfErr) {
-        return { ok: false, error: `SSRF refused: ${ssrfErr}` };
-    }
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), SEARCH_TIMEOUT_MS);
-    // β1b: lifted PUGI_API_KEY from the runtime credential store would
-    // belong here for production — for the proxy call we forward whatever
-    // PUGI_API_KEY the operator has exported. Anonymous proxy access is
-    // permitted; the proxy treats it as the free-tier search quota.
-    const apiKey = process.env.PUGI_API_KEY ?? process.env.PUGI_LOGIN_TOKEN;
-    const headers = {
-        'user-agent': USER_AGENT,
-        'content-type': 'application/json',
-        accept: 'application/json',
-    };
-    if (typeof apiKey === 'string' && apiKey.length > 0) {
-        headers.authorization = `Bearer ${apiKey}`;
-    }
-    let response;
-    try {
-        const fetcher = activeFetch ?? (async (u, i) => (await productionFetch(u, i)));
-        response = (await fetcher(proxyUrl, {
-            method: 'POST',
-            headers,
-            body: JSON.stringify({ query, count }),
-            signal: controller.signal,
-        }));
-    }
-    catch (error) {
-        clearTimeout(timer);
-        const message = error instanceof Error ? error.message : String(error);
-        return { ok: false, error: `search_failed: ${message}` };
-    }
-    finally {
-        clearTimeout(timer);
-    }
-    if (response.statusCode < 200 || response.statusCode >= 300) {
-        // Drain the body so the socket can be reused / released.
-        try {
-            if (typeof response.body.destroy === 'function')
-                response.body.destroy();
-        }
-        catch {
-            /* ignore */
-        }
-        return { ok: false, error: `proxy_http_${response.statusCode}` };
-    }
-    const bodyResult = await readBodyWithCap(response.body, controller);
-    if (!bodyResult.ok)
-        return bodyResult;
-    let parsed;
-    try {
-        parsed = JSON.parse(bodyResult.buffer.toString('utf8'));
-    }
-    catch (error) {
-        const msg = error instanceof Error ? error.message : String(error);
-        return { ok: false, error: `proxy_malformed_json: ${msg}` };
-    }
-    // Expect the proxy to normalize Brave's payload to `{results: [{title, url, snippet}]}`.
-    // When the proxy is missing the `results` array (or it is not an array)
-    // we surface a clean error instead of returning empty.
-    const obj = parsed;
-    if (!obj || typeof obj !== 'object') {
-        return { ok: false, error: 'proxy_malformed_response: not an object' };
-    }
-    const rawResults = obj.results;
-    if (!Array.isArray(rawResults)) {
-        return { ok: false, error: 'proxy_malformed_response: missing results array' };
-    }
-    const results = [];
-    for (const r of rawResults.slice(0, count)) {
-        if (!r || typeof r !== 'object')
-            continue;
-        const row = r;
-        const title = typeof row.title === 'string' ? sanitizeSnippet(row.title) : '';
-        const url = typeof row.url === 'string' ? row.url : '';
-        const snippet = typeof row.snippet === 'string' ? sanitizeSnippet(row.snippet) : '';
-        if (!url)
-            continue;
-        results.push({ title, url, snippet });
-    }
-    // Per-call nonce for the sentinel. Mirrors `web-fetch.ts` so the
-    // downstream prompt's nonce-matching escape logic works uniformly.
-    const nonce = randomBytes(8).toString('hex');
-    const renderedLines = [`<untrusted-search-${nonce}>`, `Query: ${escapeForSentinelBody(query)}`, ''];
-    for (let i = 0; i < results.length; i += 1) {
-        const r = results[i];
-        if (!r)
-            continue;
-        renderedLines.push(`${i + 1}. ${escapeForSentinelBody(r.title || r.url)}`);
-        renderedLines.push(`  ${escapeForSentinelBody(r.url)}`);
-        if (r.snippet)
-            renderedLines.push(`  ${escapeForSentinelBody(r.snippet)}`);
-        renderedLines.push('');
-    }
-    renderedLines.push(`</untrusted-search-${nonce}>`);
-    const content_md = renderedLines.join('\n').trimEnd();
-    return {
-        ok: true,
-        query,
-        results,
-        content_md,
-        fetched_at: new Date().toISOString(),
-    };
-}
-//# sourceMappingURL=web-search.js.map

package/dist/tui/agent-progress-card.js

@@ -1,111 +0,0 @@
-import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
-import { Box, Text } from 'ink';
-/** Width of the progress bar in display cells. Tuned to fit comfortably
- * inside an 80-col terminal alongside the percent label. */
-export const PROGRESS_BAR_WIDTH = 24;
-/** Max milestone rows the card renders before collapsing to the footer
- * summary. Matches the CC `/compact` cutoff. */
-export const MAX_VISIBLE_MILESTONES = 5;
-const STATUS_GLYPH = {
-    done: '◼',
-    active: '▸',
-    pending: '◻',
-};
-const STATUS_COLOR = {
-    done: 'green',
-    active: 'yellow',
-    pending: 'gray',
-};
-const HEADER_DOT_COLOR = {
-    running: 'cyan',
-    completed: 'green',
-    failed: 'red',
-};
-/**
- * Build the unicode progress bar. Exported для тесты — guarantees the
- * filled/empty counts match the percent under all rounding edges.
- */
-export function renderProgressBarCells(percent, width = PROGRESS_BAR_WIDTH) {
-    const safePercent = Math.max(0, Math.min(100, percent));
-    const cells = Math.round((safePercent / 100) * width);
-    const clamped = Math.max(0, Math.min(width, cells));
-    return {
-        filled: '▰'.repeat(clamped),
-        empty: '▱'.repeat(width - clamped),
-        cells: clamped,
-    };
-}
-/**
- * Format milliseconds as the `Hh Mm Ss` / `Mm Ss` / `Ss` label.
- * Mirrors the rule used by status-bar elapsed slot.
- */
-export function formatElapsed(ms) {
-    const total = Math.max(0, Math.floor(ms / 1000));
-    const h = Math.floor(total / 3600);
-    const m = Math.floor((total % 3600) / 60);
-    const s = total % 60;
-    if (h > 0)
-        return `${h}h ${m}m ${s}s`;
-    if (m > 0)
-        return `${m}m ${s}s`;
-    return `${s}s`;
-}
-/**
- * Format a raw token count as `21.7k` / `3.4M` / `812`. Mirrors the
- * formatter in `core/repl/model-pricing.ts` so both surfaces stay
- * visually consistent without coupling.
- */
-export function formatTokenCount(n) {
-    if (n === undefined)
-        return undefined;
-    if (n < 1_000)
-        return `${n}`;
-    if (n < 1_000_000) {
-        const k = n / 1_000;
-        return `${k >= 10 ? k.toFixed(1).replace(/\.0$/, '') : k.toFixed(1)}k`;
-    }
-    const m = n / 1_000_000;
-    return `${m >= 10 ? m.toFixed(1).replace(/\.0$/, '') : m.toFixed(1)}M`;
-}
-/**
- * Compute the "… +N pending, M completed" footer counts. When the
- * agent supplied rollups they win; otherwise we derive from the
- * milestone array.
- */
-export function computeFooterCounts(milestones, visibleCount, rollup) {
-    const pending = rollup.pendingCount
-        ?? milestones.filter((m) => m.status === 'pending').length;
-    const completed = rollup.completedCount
-        ?? milestones.filter((m) => m.status === 'done').length;
-    const hidden = Math.max(0, milestones.length - visibleCount);
-    return { pending, completed, hidden };
-}
-function MilestoneRow({ milestone }) {
-    const glyph = STATUS_GLYPH[milestone.status];
-    const color = STATUS_COLOR[milestone.status];
-    // Truncate to 64 chars so a verbose label can't wrap and break the
-    // grid layout in the watcher.
-    const label = milestone.label.length > 64
-        ? `${milestone.label.slice(0, 63)}…`
-        : milestone.label;
-    return (_jsxs(Box, { children: [_jsx(Text, { children: '  ' }), _jsx(Text, { color: color, children: glyph }), _jsx(Text, { children: " " }), _jsx(Text, { color: color === 'gray' ? 'gray' : undefined, dimColor: milestone.status === 'pending', children: label })] }));
-}
-export function AgentProgressCard({ progress, nowEpochMs, }) {
-    // Re-derive elapsed from the wall clock when the parent supplied it;
-    // this is what makes the card tick once a second without the writer
-    // re-emitting JSON every tick.
-    const elapsed = nowEpochMs !== undefined
-        ? Math.max(progress.elapsedMs, nowEpochMs - Date.parse(progress.startedAt))
-        : progress.elapsedMs;
-    const bar = renderProgressBarCells(progress.percentComplete);
-    const percentLabel = `${Math.round(Math.max(0, Math.min(100, progress.percentComplete)))}%`;
-    const tokensLabel = formatTokenCount(progress.tokensUsed);
-    const dotColor = HEADER_DOT_COLOR[progress.status];
-    const visibleMilestones = progress.milestones.slice(0, MAX_VISIBLE_MILESTONES);
-    const footer = computeFooterCounts(progress.milestones, visibleMilestones.length, { pendingCount: progress.pendingCount, completedCount: progress.completedCount });
-    // CC compact pattern: header has a leading `· ` glyph + the task label.
-    // We append `…` only while running (matches CC's "Compacting…" verb form).
-    const headerVerb = progress.status === 'running' ? '…' : '';
-    return (_jsxs(Box, { flexDirection: "column", paddingX: 1, paddingY: 0, marginBottom: 1, children: [_jsxs(Box, { children: [_jsx(Text, { color: dotColor, children: '· ' }), _jsx(Text, { bold: true, children: progress.agentType }), _jsx(Text, { children: " " }), _jsxs(Text, { children: [progress.task, headerVerb] }), _jsxs(Text, { dimColor: true, children: [' (', formatElapsed(elapsed), tokensLabel ? ` · ↑ ${tokensLabel} tokens` : '', ')'] })] }), _jsxs(Box, { children: [_jsx(Text, { children: ' ' }), _jsx(Text, { color: "cyan", children: bar.filled }), _jsx(Text, { dimColor: true, children: bar.empty }), _jsxs(Text, { children: [' ', percentLabel] })] }), progress.stepDescription ? (_jsxs(Box, { children: [_jsx(Text, { children: ' ' }), _jsxs(Text, { dimColor: true, children: ["step ", progress.currentStep, "/", progress.totalSteps, ": ", progress.stepDescription] })] })) : null, visibleMilestones.length > 0 ? (_jsxs(Box, { flexDirection: "column", children: [_jsxs(Box, { children: [_jsx(Text, { children: ' ' }), _jsx(Text, { dimColor: true, children: "\u23BF" })] }), visibleMilestones.map((m, i) => (_jsx(MilestoneRow, { milestone: m }, `${m.label}-${i}`))), footer.hidden > 0 ? (_jsxs(Box, { children: [_jsx(Text, { children: '    ' }), _jsxs(Text, { dimColor: true, children: ["\u2026 +", footer.pending, " pending, ", footer.completed, " completed"] })] })) : null] })) : null] }));
-}
-//# sourceMappingURL=agent-progress-card.js.map

package/dist/tui/agent-tree-pane.js

@@ -1,9 +0,0 @@
-import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
-import { Box, Text } from 'ink';
-import { AgentTree } from './agent-tree.js';
-export function AgentTreePane(props) {
-    const onWatch = props.agents.filter((a) => a.status === 'queued' || a.status === 'thinking').length;
-    const total = props.agents.length;
-    return (_jsxs(Box, { flexDirection: "column", children: [_jsxs(Box, { children: [_jsx(Text, { bold: true, dimColor: true, children: '─ agents ' }), _jsx(Text, { dimColor: true, children: `(${total} total, ${onWatch} on watch)` })] }), _jsx(AgentTree, { agents: props.agents, nowEpochMs: props.nowEpochMs })] }));
-}
-//# sourceMappingURL=agent-tree-pane.js.map

package/dist/tui/agent-tree.js

@@ -1,87 +0,0 @@
-import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
-import { Box, Text } from 'ink';
-export function AgentTree(props) {
-    if (props.agents.length === 0) {
-        return (_jsx(Box, { children: _jsx(Text, { dimColor: true, children: "No agents on watch. Type a brief to dispatch one." }) }));
-    }
-    const now = props.nowEpochMs ?? Date.now();
-    return (_jsx(Box, { flexDirection: "column", children: props.agents.map((agent, index) => (_jsx(AgentRow, { agent: agent, last: index === props.agents.length - 1, nowEpochMs: now }, agent.taskId))) }));
-}
-function AgentRow({ agent, last, nowEpochMs, }) {
-    const branch = last ? '└' : '├';
-    const glyph = statusGlyph(agent.status);
-    const glyphColor = statusColor(agent.status);
-    const elapsed = formatElapsed(agent.startedAtEpochMs, nowEpochMs);
-    const tokens = formatTokens(agent.tokensIn + agent.tokensOut);
-    const name = agent.personaName.padEnd(8, ' ');
-    const role = agent.role.padEnd(10, ' ');
-    const detail = agent.detail.length > 60 ? `${agent.detail.slice(0, 57)}…` : agent.detail;
-    return (_jsxs(Box, { children: [_jsx(Text, { dimColor: true, children: ` ${branch} ` }), _jsx(Text, { bold: true, children: `${name}` }), _jsx(Text, { dimColor: true, children: ` ${role} ` }), _jsx(Text, { color: glyphColor, children: glyph }), _jsx(Text, { children: ` ${detail}` }), _jsx(Text, { dimColor: true, children: ` (${elapsed}${tokens ? ` · ↓ ${tokens}` : ''})` })] }));
-}
-function statusGlyph(status) {
-    switch (status) {
-        case 'queued':
-            return '□';
-        case 'thinking':
-            return '⏳';
-        case 'shipped':
-            return '✓';
-        // — `replied` = orchestrator finished talking but no
-        // tool/delegate side-effect emitted. Distinct arrow glyph so the
-        // operator can tell at a glance that no real work shipped, even
-        // though the LLM completed cleanly. Defeats the fake-shipped
-        // anti-pattern (memory feedback_no_fake_dispatch_promises).
-        case 'replied':
-            return '→';
-        // `unverified` (PUGI-538c-FU-OUTCOME) — files landed on disk but
-        // the verify-gate did not certify the run (no test command in
-        // the workspace). Tilde glyph reads as "approximately done"
-        // without claiming the verified-shipped guarantee.
-        case 'unverified':
-            return '~';
-        case 'blocked':
-            return '✗';
-        case 'failed':
-            return '✗';
-    }
-}
-function statusColor(status) {
-    switch (status) {
-        case 'queued':
-            return undefined;
-        case 'thinking':
-            return 'cyan';
-        case 'shipped':
-            return 'green';
-        // Dim/grey-ish — succeeded technically but no work was shipped.
-        case 'replied':
-            return 'gray';
-        // Yellow — work landed but the verify-gate could not certify it.
-        // Same hue as `blocked` because both are "advisory, not green";
-        // the glyph distinguishes them (`~` vs `✗`).
-        case 'unverified':
-            return 'yellow';
-        case 'blocked':
-            return 'yellow';
-        case 'failed':
-            return 'red';
-    }
-}
-function formatElapsed(startedAtEpochMs, nowEpochMs) {
-    const ms = Math.max(0, nowEpochMs - startedAtEpochMs);
-    if (ms < 60_000)
-        return `${Math.floor(ms / 1000)}s`;
-    const minutes = Math.floor(ms / 60_000);
-    const seconds = Math.floor((ms % 60_000) / 1000);
-    return `${minutes}m ${seconds.toString().padStart(2, '0')}s`;
-}
-function formatTokens(total) {
-    if (total <= 0)
-        return '';
-    if (total < 1_000)
-        return total.toString();
-    if (total < 1_000_000)
-        return `${(total / 1_000).toFixed(1)}k`;
-    return `${(total / 1_000_000).toFixed(1)}m`;
-}
-//# sourceMappingURL=agent-tree.js.map