@pugi/cli 0.1.0-beta.98 → 1.0.0-alpha.1

package/dist/core/credentials.js

@@ -1,355 +0,0 @@
-import { chmodSync, existsSync, mkdirSync, readFileSync, renameSync, rmSync, writeFileSync, } from 'node:fs';
-import { homedir } from 'node:os';
-import { resolve } from 'node:path';
-import { z } from 'zod';
-/**
- * Local credentials store for the Pugi CLI.
- *
- * Stored at `~/.pugi/credentials.json` (mode 0o600). Mirrors the convention
- * peer CLI uses (`~/.codex/auth.json`) and matches gh CLI's per-host
- * token model. The store is intentionally file-based, not OS keychain —
- * adding the native `keytar` dep would force per-platform native builds
- * across npm distribution and complicate the install path. The 0600
- * file mode plus a strictly typed Zod schema is the minimum-viable
- * substitute for the keychain path.
- *
- * Multi-host: each host (apiUrl) has its own record. `pugi login` adds
- * or replaces the record for the active host; `pugi logout` removes it.
- * `loadActiveCredential` returns the record for the active host (the one
- * matching `PUGI_API_URL` or `apiUrl` from `~/.pugi/config.json`).
- *
- * Future device-flow tokens land in the same `tokens` array with a
- * `kind: 'oauth-device'` discriminator and a refresh-on-use rotation.
- */
-const CREDENTIALS_SCHEMA_VERSION = 1;
-/**
- * How the credential was obtained. Surfaced by `pugi whoami` so the user
- * can confirm at a glance whether a stored record came from an
- * interactive device flow, a paste-in PAT, or an env-var prime in CI.
- *
- * Older credential files written before this discriminator was added do
- * not carry `source` — the field is optional and `pugi whoami` falls
- * back to `unknown` so we never crash on a legacy file.
- */
-export const pugiTokenSourceSchema = z.enum(['token', 'device-flow', 'env']);
-export const pugiTokenRecordSchema = z.object({
-    apiUrl: z.string().url(),
-    apiKey: z.string().min(1),
-    label: z.string().min(1).optional(),
-    createdAt: z.string().datetime(),
-    /**
-     * When the credential was last refreshed in the store. Today the
-     * field is set on `storeApiKey` (create / replace) and on
-     * `switchActiveAccount`. Read paths (`pugi whoami`, every API call)
-     * intentionally do NOT touch the file to keep disk IO off the hot
-     * path — a recency value that lags is acceptable, a 0o600 write per
-     * `pugi <anything>` is not.
-     */
-    lastUsedAt: z.string().datetime().optional(),
-    /**
-     * Provenance discriminator — see `pugiTokenSourceSchema`. Optional so
-     * legacy records (pre-0048) still parse.
-     */
-    source: pugiTokenSourceSchema.optional(),
-});
-export const pugiCredentialsFileSchema = z.object({
-    schema: z.literal(CREDENTIALS_SCHEMA_VERSION),
-    tokens: z.array(pugiTokenRecordSchema).default([]),
-    /**
-     * URL of the host the user most recently logged into. `pugi whoami`
-     * and `resolveActiveCredential` read this when `PUGI_API_URL` is unset
-     * so a self-hosted user who runs `pugi login --api-url https://anvil.acme.corp`
-     * doesn't have to also export PUGI_API_URL for follow-up commands.
-     * Env still wins when set (CI fast path).
-     */
-    activeApiUrl: z.string().url().optional(),
-});
-export const DEFAULT_API_URL = 'https://api.pugi.io';
-export function credentialsPaths(home = homedir()) {
-    const pugiDir = resolve(home, '.pugi');
-    return {
-        homeDir: home,
-        pugiDir,
-        filePath: resolve(pugiDir, 'credentials.json'),
-    };
-}
-export function readCredentialsFile(home = homedir()) {
-    const { filePath } = credentialsPaths(home);
-    if (!existsSync(filePath)) {
-        return { schema: CREDENTIALS_SCHEMA_VERSION, tokens: [] };
-    }
-    const text = readFileSync(filePath, 'utf8');
-    let raw;
-    try {
-        raw = JSON.parse(text);
-    }
-    catch {
-        // Corrupt JSON: a partial/empty write or hand-edit. Rename the bad
-        // file aside so the next write does not silently produce an empty
-        // token list (silent data loss). Returning empty here is acceptable
-        // because the corrupt copy is preserved for forensic recovery.
-        quarantineCorruptCredentials(filePath, 'json-parse');
-        return { schema: CREDENTIALS_SCHEMA_VERSION, tokens: [] };
-    }
-    const parsed = pugiCredentialsFileSchema.safeParse(raw);
-    if (parsed.success)
-        return parsed.data;
-    quarantineCorruptCredentials(filePath, 'schema-mismatch');
-    return { schema: CREDENTIALS_SCHEMA_VERSION, tokens: [] };
-}
-function quarantineCorruptCredentials(filePath, reason) {
-    try {
-        const backup = `${filePath}.corrupt-${reason}-${Date.now()}`;
-        renameSync(filePath, backup);
-        if (process.stderr?.write) {
-            process.stderr.write(`pugi: warning — corrupt credentials file preserved at ${backup}; starting from empty token list\n`);
-        }
-    }
-    catch {
-        // Best-effort. If we cannot rename (e.g. read-only fs), the next
-        // write will overwrite the corrupt file anyway.
-    }
-}
-export function writeCredentialsFile(file, home = homedir()) {
-    const paths = credentialsPaths(home);
-    if (!existsSync(paths.pugiDir)) {
-        mkdirSync(paths.pugiDir, { recursive: true, mode: 0o700 });
-    }
-    // Defensively tighten existing dir permissions — `mkdirSync(mode)` only
-    // applies on creation, not on pre-existing dirs that another tool may
-    // have created with 0o755.
-    try {
-        chmodSync(paths.pugiDir, 0o700);
-    }
-    catch {
-        // Best-effort; FAT/CI filesystems may not support chmod.
-    }
-    // Validate before persisting so a corrupt object never lands on disk.
-    const validated = pugiCredentialsFileSchema.parse(file);
-    // Atomic write: tmp + rename. `rename(2)` is atomic on POSIX same-fs,
-    // so a concurrent reader either sees the old file or the new one — never
-    // a truncated mid-write state that the corrupt-recovery path would
-    // quarantine as data loss. Two concurrent writers still race (no advisory
-    // lock yet), but neither corrupts the target file.
-    const tmp = `${paths.filePath}.${process.pid}.${Date.now()}.tmp`;
-    writeFileSync(tmp, `${JSON.stringify(validated, null, 2)}\n`, {
-        encoding: 'utf8',
-        mode: 0o600,
-    });
-    try {
-        chmodSync(tmp, 0o600);
-    }
-    catch {
-        // Best-effort on filesystems that don't support chmod (FAT, some CIs).
-    }
-    renameSync(tmp, paths.filePath);
-    try {
-        chmodSync(paths.filePath, 0o600);
-    }
-    catch {
-        // Best-effort — rename preserves the tmp file's mode on POSIX, this
-        // is belt-and-braces.
-    }
-}
-/**
- * Add or replace the credential record for the given apiUrl. Returns the
- * stored record (without the `apiKey` echoed back at the caller — the
- * caller already has it). Idempotent.
- */
-export function storeApiKey(input) {
-    const home = input.home ?? homedir();
-    const file = readCredentialsFile(home);
-    const apiUrl = normalizeApiUrl(input.apiUrl);
-    const now = new Date().toISOString();
-    const record = pugiTokenRecordSchema.parse({
-        apiUrl,
-        apiKey: input.apiKey,
-        label: input.label,
-        createdAt: now,
-        lastUsedAt: now,
-        source: input.source,
-    });
-    const others = file.tokens.filter((token) => normalizeApiUrl(token.apiUrl) !== apiUrl);
-    writeCredentialsFile({
-        schema: CREDENTIALS_SCHEMA_VERSION,
-        tokens: [...others, record],
-        // Promote the just-logged-in host to active so subsequent `whoami`
-        // and `review --remote` find it without the user re-exporting
-        // PUGI_API_URL. Env still wins via resolveActiveCredential.
-        activeApiUrl: apiUrl,
-    }, home);
-    return record;
-}
-export function clearApiKey(apiUrl, home = homedir()) {
-    const file = readCredentialsFile(home);
-    const target = normalizeApiUrl(apiUrl);
-    const before = file.tokens.length;
-    const tokens = file.tokens.filter((token) => normalizeApiUrl(token.apiUrl) !== target);
-    if (tokens.length === before)
-        return false;
-    // If the cleared host was the active one, demote `activeApiUrl` to the
-    // most recently-stored remaining record (or undefined when the store
-    // is now empty) so subsequent `whoami` doesn't point at a vanished host.
-    const nextActive = file.activeApiUrl && normalizeApiUrl(file.activeApiUrl) === target
-        ? tokens.at(-1)?.apiUrl
-        : file.activeApiUrl;
-    writeCredentialsFile({
-        schema: CREDENTIALS_SCHEMA_VERSION,
-        tokens,
-        ...(nextActive ? { activeApiUrl: nextActive } : {}),
-    }, home);
-    return true;
-}
-export function loadApiKey(apiUrl, home = homedir()) {
-    const file = readCredentialsFile(home);
-    const target = normalizeApiUrl(apiUrl);
-    return file.tokens.find((token) => normalizeApiUrl(token.apiUrl) === target) ?? null;
-}
-export function resolveActiveCredential(env = process.env, home = homedir()) {
-    // Resolve the active apiUrl with this precedence:
-    //  1. PUGI_API_URL env (lets CI / self-hosted users force a specific endpoint)
-    //  2. credentials.json `activeApiUrl` (set by `pugi login` to the host the
-    //     user most recently authenticated against — covers self-hosted Anvil
-    //     without re-exporting env between commands)
-    //  3. DEFAULT_API_URL (`https://api.pugi.io`)
-    const file = readCredentialsFile(home);
-    const apiUrl = normalizeApiUrl(env.PUGI_API_URL ?? file.activeApiUrl ?? DEFAULT_API_URL);
-    if (env.PUGI_API_KEY) {
-        return { apiUrl, apiKey: env.PUGI_API_KEY, source: 'env' };
-    }
-    const record = file.tokens.find((token) => normalizeApiUrl(token.apiUrl) === apiUrl);
-    if (record) {
-        return {
-            apiUrl: record.apiUrl,
-            apiKey: record.apiKey,
-            source: 'file',
-            fileSource: record.source ?? null,
-            ...(record.label ? { label: record.label } : {}),
-            ...(record.createdAt ? { createdAt: record.createdAt } : {}),
-            ...(record.lastUsedAt ? { lastUsedAt: record.lastUsedAt } : {}),
-        };
-    }
-    return null;
-}
-/**
- * Re-point the credentials store at a different already-stored host or
- * label. Used by `pugi accounts switch <label>` so subsequent commands
- * authenticate against the chosen account without forcing the user to
- * re-export PUGI_API_URL between commands.
- *
- * Match precedence:
- *  1. exact `label` match (case-insensitive, label is user-chosen so
- *     we forgive casing — same convention as `gh auth switch`)
- *  2. exact `apiUrl` match (canonicalised) — lets `pugi accounts
- *     switch https://api.acme.com` work without a label.
- *
- * Returns the now-active record, or null when nothing matched.
- */
-export function switchActiveAccount(selector, home = homedir()) {
-    const file = readCredentialsFile(home);
-    const normalisedSelector = selector.trim();
-    if (!normalisedSelector)
-        return null;
-    const lower = normalisedSelector.toLowerCase();
-    const targetApiUrl = (() => {
-        try {
-            return normalizeApiUrl(normalisedSelector);
-        }
-        catch {
-            return null;
-        }
-    })();
-    const match = file.tokens.find((token) => {
-        if (token.label && token.label.toLowerCase() === lower)
-            return true;
-        if (targetApiUrl && normalizeApiUrl(token.apiUrl) === targetApiUrl)
-            return true;
-        return false;
-    });
-    if (!match)
-        return null;
-    const apiUrl = normalizeApiUrl(match.apiUrl);
-    const now = new Date().toISOString();
-    const updated = pugiTokenRecordSchema.parse({
-        ...match,
-        apiUrl,
-        lastUsedAt: now,
-    });
-    const others = file.tokens.filter((token) => normalizeApiUrl(token.apiUrl) !== apiUrl);
-    writeCredentialsFile({
-        schema: CREDENTIALS_SCHEMA_VERSION,
-        tokens: [...others, updated],
-        activeApiUrl: apiUrl,
-    }, home);
-    return updated;
-}
-/**
- * List every stored credential in stable display order — most recently
- * used first, falling back to creation order. Returned records carry
- * the raw `apiKey`; callers must mask before printing.
- */
-export function listStoredCredentials(home = homedir()) {
-    const file = readCredentialsFile(home);
-    const activeUrl = file.activeApiUrl ? normalizeApiUrl(file.activeApiUrl) : null;
-    return file.tokens
-        .map((token) => ({
-        ...token,
-        isActive: activeUrl !== null && normalizeApiUrl(token.apiUrl) === activeUrl,
-    }))
-        .sort((a, b) => {
-        // Active record always pinned to the top — it's the one the user
-        // is asking about whenever they run `pugi accounts list`.
-        if (a.isActive && !b.isActive)
-            return -1;
-        if (b.isActive && !a.isActive)
-            return 1;
-        const aWhen = a.lastUsedAt ?? a.createdAt;
-        const bWhen = b.lastUsedAt ?? b.createdAt;
-        return bWhen.localeCompare(aWhen);
-    });
-}
-/**
- * Canonicalize an apiUrl so two equivalent inputs always resolve to the
- * same record:
- *  - lowercase scheme + host (URL spec: scheme/host are case-insensitive)
- *  - strip trailing slashes
- *  - preserve path/query/fragment case (those ARE case-sensitive)
- *
- * Falls back to the trimmed input when the URL is not parseable, so a
- * caller that manages to pass a non-URL string still sees a stable key
- * instead of throwing.
- */
-export function normalizeApiUrl(input) {
-    const trimmed = input.trim();
-    try {
-        const url = new URL(trimmed);
-        const path = url.pathname + url.search + url.hash;
-        const stripped = path.replace(/\/+$/, '');
-        return `${url.protocol.toLowerCase()}//${url.host.toLowerCase()}${stripped}`;
-    }
-    catch {
-        return trimmed.replace(/\/+$/, '');
-    }
-}
-/**
- * Best-effort masked token for log lines and `pugi whoami` output.
- * Never returns the raw secret. Keeps the first 4 + last 4 characters so
- * the user can correlate against an issued key without exposing it.
- */
-export function maskApiKey(apiKey) {
-    if (apiKey.length <= 12)
-        return `${'*'.repeat(apiKey.length)}`;
-    return `${apiKey.slice(0, 4)}…${apiKey.slice(-4)}`;
-}
-/**
- * Delete the entire credentials file. Used by `pugi logout --all` and
- * by tests that want a clean slate.
- */
-export function purgeAllCredentials(home = homedir()) {
-    const paths = credentialsPaths(home);
-    if (!existsSync(paths.filePath))
-        return false;
-    rmSync(paths.filePath);
-    return true;
-}
-//# sourceMappingURL=credentials.js.map

package/dist/core/cron/scheduler.js

@@ -1,138 +0,0 @@
-/**
- * Cron scheduler primitive .
- *
- * Wraps `node-cron` (4.2.1, MIT, ~4M weekly downloads) — the de-facto
- * Node cron scheduler. We do NOT parse cron expressions ourselves;
- * node-cron handles validation, timezone math, и DST edge cases.
- *
- * What this module adds:
- *  - Named job registry (schedule/cancel/list by name)
- *  - Concurrency guard — a still-running job is skipped, not stacked,
- *    when the next tick fires (prevents overlap when an action runs
- *    longer than the cron period)
- *  - Stats per job: scheduled, lastRunAt, lastDurationMs, failures
- *
- * Pure-ish: state lives в the CronScheduler instance, no globals.
- * Tool surface (ScheduleCronTool / CronList / CronDelete) wires this
- * primitive into the engine в a separate PR.
- */
-import cron from 'node-cron';
-export class CronScheduler {
-    jobs = new Map();
-    /**
-     * Register a cron job. Replaces any prior job at the same name —
-     * the previous one is stopped и destroyed first.
-     *
-     * Throws `RangeError` when `expression` is invalid per node-cron's
-     * parser. The error originates from node-cron and bubbles unchanged.
-     */
-    schedule(name, expression, action, options = {}) {
-        if (!name)
-            throw new TypeError('cron job name must be non-empty');
-        if (!cron.validate(expression)) {
-            throw new RangeError(`invalid cron expression: ${expression}`);
-        }
-        const existing = this.jobs.get(name);
-        if (existing) {
-            existing.task.stop();
-        }
-        const internal = {
-            task: undefined,
-            expression,
-            scheduledAt: Date.now(),
-            lastRunAt: null,
-            lastDurationMs: null,
-            runs: 0,
-            failures: 0,
-            running: false,
-        };
-        const wrapped = async () => {
-            // Concurrency guard: if previous invocation still running, skip.
-            // Stacking would tie up the event loop с long-running actions.
-            if (internal.running)
-                return;
-            internal.running = true;
-            const start = Date.now();
-            try {
-                await action();
-                internal.runs += 1;
-            }
-            catch {
-                internal.failures += 1;
-            }
-            finally {
-                internal.lastRunAt = start;
-                internal.lastDurationMs = Date.now() - start;
-                internal.running = false;
-            }
-        };
-        const scheduleOptions = {};
-        if (options.timezone !== undefined) {
-            scheduleOptions.timezone = options.timezone;
-        }
-        internal.task = cron.schedule(expression, wrapped, scheduleOptions);
-        this.jobs.set(name, internal);
-        if (options.runOnRegister) {
-            // Don't await — register is sync from the caller's perspective
-            void wrapped();
-        }
-    }
-    /** Cancel + drop a job by name. Returns true когда removed, false absent. */
-    cancel(name) {
-        const job = this.jobs.get(name);
-        if (!job)
-            return false;
-        job.task.stop();
-        this.jobs.delete(name);
-        return true;
-    }
-    /** Stop + drop ALL jobs. Safe to call on an empty scheduler. */
-    cancelAll() {
-        for (const job of this.jobs.values()) {
-            job.task.stop();
-        }
-        this.jobs.clear();
-    }
-    /** Snapshot of all registered jobs. Sorted by name for stable output. */
-    list() {
-        const out = [];
-        for (const [name, job] of this.jobs) {
-            out.push({
-                name,
-                expression: job.expression,
-                scheduledAt: job.scheduledAt,
-                lastRunAt: job.lastRunAt,
-                lastDurationMs: job.lastDurationMs,
-                runs: job.runs,
-                failures: job.failures,
-                running: job.running,
-            });
-        }
-        return out.sort((a, b) => a.name.localeCompare(b.name));
-    }
-    /** Lookup a single job's stats. Returns null when absent. */
-    stats(name) {
-        const job = this.jobs.get(name);
-        if (!job)
-            return null;
-        return {
-            name,
-            expression: job.expression,
-            scheduledAt: job.scheduledAt,
-            lastRunAt: job.lastRunAt,
-            lastDurationMs: job.lastDurationMs,
-            runs: job.runs,
-            failures: job.failures,
-            running: job.running,
-        };
-    }
-}
-/**
- * Standalone helper для callers that only want one-off validation
- * without creating a scheduler. Mirrors node-cron's `validate()` so
- * callers don't need to import node-cron directly.
- */
-export function isValidCronExpression(expression) {
-    return cron.validate(expression);
-}
-//# sourceMappingURL=scheduler.js.map

package/dist/core/denial-tracking/index.js

@@ -1,8 +0,0 @@
-/**
- * Public re-exports for the denial-tracking surface. Engine adapter
- * code imports from here so we can move internals around (e.g. split
- * the diagnostics probe into a sibling file) without churning every
- * call site.
- */
-export { DenialTrackingState, buildDenialContext, canonicalArgHash, DENIAL_TRACKING_MAX_ENTRIES, DENIAL_REMINDER_THRESHOLD, DENIAL_ARGS_SUMMARY_BYTES, } from './state.js';
-//# sourceMappingURL=index.js.map