@pugi/cli 0.1.0-beta.98 → 1.0.0-alpha.1

package/dist/core/engine/anvil-client.js

@@ -1,344 +0,0 @@
-// PR-CLI-SERVER-VERSION-HANDSHAKE . The interceptor stamps the
-// outbound X-Pugi-Cli-Version header, inspects the inbound recommended/
-// server-version headers, and throws PugiCliUpgradeRequiredError on a
-// 426 server response. The top-level catch in `runtime/cli.ts` /
-// `index.ts` renders the upgrade message and exits 1.
-import { assertNotUpgradeRequired, injectClientVersionHeader, inspectVersionResponse, } from '../transport/version-interceptor.js';
-import { PUGI_CLI_VERSION } from '../../runtime/version.js';
-/**
- * Anvil-backed engine loop client.
- *
- * Wire format: OpenAI-compatible `/v1/chat/completions` shape proxied
- * through the admin-api Pugi runtime endpoint. The CLI POSTs:
- *
- *  POST {apiUrl}/api/pugi/engine
- *  Authorization: Bearer {apiKey}
- *  {
- *    "personaSlug": "oes-dev",
- *    "messages":  [...],
- *    "tools":     [...],
- *    "maxTokens": 4096,
- *    "temperature": 0.2
- *  }
- *
- * and expects:
- *
- *  200 OK
- *  {
- *    "stop": "tool_use" | "text",
- *    "content": "...",                   // present when stop=text
- *    "toolCalls": [{id, name, arguments}], // present when stop=tool_use
- *    "tokensUsed": 1234,
- *    "model": "deepseek-chat-v3.1"
- *  }
- *
- *  401/403 -> auth_missing
- *  404    -> endpoint_missing
- *  429    -> rate_limited
- *  other  -> failed
- *
- * The endpoint itself ships in Sprint 2 (Track 2A). Until then the CLI
- * surfaces `endpoint_missing` cleanly and the operator runs `pugi code`
- * with `PUGI_ENGINE_FIXTURE` to point at a fixture client.
- */
-export class AnvilEngineLoopClient {
-    config;
-    constructor(config) {
-        this.config = config;
-    }
-    async send(messages, tools, options) {
-        // Use `new URL(path, base)` so an `apiUrl` that already carries a
-        // path prefix (rare, but possible for self-hosted deployments)
-        // composes correctly instead of double-pathing via raw string
-        // concatenation. The leading `/` anchors resolution to the base
-        // host. Self-hosted operators who need their engine endpoint
-        // nested under a prefix should bake the prefix into `apiUrl`
-        // itself and drop the leading slash here.
-        const url = new URL('/api/pugi/engine', this.config.apiUrl).toString();
-        const controller = new AbortController();
-        const onAbort = () => controller.abort();
-        if (options.signal)
-            options.signal.addEventListener('abort', onAbort);
-        const timeout = setTimeout(() => controller.abort(), this.config.timeoutMs);
-        try {
-            // PR-CLI-SERVER-VERSION-HANDSHAKE . Stamp the outbound
-            // X-Pugi-Cli-Version header so the admin-api middleware can
-            // decide whether to honour, soft-warn, or 426 this request.
-            // PUGI-260: also stamp `X-Pugi-Context-Tier: 1m` when the
-            // operator opted into the long-context lane. The server reads
-            // either the body's `contextTier` field OR this header (header is
-            // a fallback for older runtimes / non-CLI clients), so emitting
-            // both is harmless и belt-and-suspenders. Only emitted for the
-            // `'1m'` value — the absence of the header is wire-equivalent к
-            // `'standard'`, keeping the default-lane path header-free.
-            const baseHeaders = {
-                'content-type': 'application/json',
-                authorization: `Bearer ${this.config.apiKey}`,
-                'user-agent': 'pugi-cli/0.0.1',
-            };
-            if (options.contextTier === '1m') {
-                baseHeaders['x-pugi-context-tier'] = '1m';
-            }
-            const outboundHeaders = injectClientVersionHeader(baseHeaders, PUGI_CLI_VERSION);
-            const res = await fetch(url, {
-                method: 'POST',
-                headers: outboundHeaders,
-                body: JSON.stringify({
-                    personaSlug: options.personaSlug,
-                    messages,
-                    tools,
-                    maxTokens: options.maxTokens,
-                    temperature: options.temperature,
-                    // β1 (audit E2): the admin-api `EngineRequestDto` accepts
-                    // these optional fields (see `pugi-engine.controller.ts:230`
-                    // EngineRequestDto schema). Before this fix the CLI dropped
-                    // them, which forced the controller to fall back to legacy
-                    // per-persona resolution + emit `command="(none)"` in its
-                    // structured logs. `undefined` keys are stripped by
-                    // `JSON.stringify` so the payload stays clean for fixture
-                    // clients that exact-match the body shape.
-                    command: options.command,
-                    // β1a r1: `tag` is `EngineDispatchTag` object shape now —
-                    // `JSON.stringify` serialises it as `{tag, priority?,
-                    // budget_hint?}` matching `EngineDispatchTagDto`. Previously
-                    // this was a bare string and the server's `IsIn` validator
-                    // rejected every payload with HTTP 400.
-                    tag: options.tag,
-                    model: options.model,
-                    // Task: server-side tier gate. Stripped by JSON.stringify
-                    // when undefined so older runtimes без the contextTier DTO
-                    // field never see an unknown key.
-                    contextTier: options.contextTier,
-                }),
-                signal: controller.signal,
-            });
-            const text = await res.text();
-            // PR-CLI-SERVER-VERSION-HANDSHAKE: cache server-recommended +
-            // server-version headers so UpdateBanner / `pugi doctor` can
-            // surface them, then short-circuit on 426 by throwing
-            // PugiCliUpgradeRequiredError. The throw bubbles to the
-            // top-level catch in index.ts which renders the upgrade banner.
-            // The getter shim handles both real `Response` (`.headers.get`)
-            // and minimal fixture/stub responses (`.headers?.[name]`) so
-            // existing transport tests that mock `fetch` with `{status, text}`
-            // don't need to grow a Headers polyfill just to keep passing.
-            //
-            // Cache poison guard: skip the inspect step on 426. A hostile
-            // upstream (proxy with a compromised cert pin, or a transient MITM
-            // on a coffee-shop network) could otherwise forge an
-            // `X-Pugi-Cli-Upgrade-Recommended` header alongside a 426 status
-            // and poison `cachedServerRecommendation` for the rest of the REPL
-            // session — `UpdateBanner` would then surface attacker-chosen
-            // version strings to the operator. The 426 body still carries the
-            // legitimate `recommendedVersion` field, which assertNotUpgrade-
-            // Required parses + throws with, so the operator-facing banner
-            // remains accurate via the error path.
-            if (res.status !== 426) {
-                inspectVersionResponse((name) => {
-                    const h = res.headers;
-                    if (h && typeof h.get === 'function') {
-                        return h.get(name);
-                    }
-                    if (h && typeof h === 'object') {
-                        const lowered = h[name.toLowerCase()];
-                        return lowered ?? null;
-                    }
-                    return null;
-                });
-            }
-            assertNotUpgradeRequired(res.status, text, PUGI_CLI_VERSION);
-            if (res.status === 200) {
-                try {
-                    const json = JSON.parse(text);
-                    if (json.stop === 'text') {
-                        return {
-                            stop: 'text',
-                            assistantMessage: {
-                                role: 'assistant',
-                                content: json.content ?? '',
-                            },
-                            content: json.content ?? '',
-                            tokensUsed: json.tokensUsed ?? 0,
-                        };
-                    }
-                    if (json.stop === 'tool_use') {
-                        const calls = json.toolCalls ?? [];
-                        return {
-                            stop: 'tool_use',
-                            assistantMessage: {
-                                role: 'assistant',
-                                content: json.content ?? '',
-                                toolCalls: calls,
-                            },
-                            tokensUsed: json.tokensUsed ?? 0,
-                        };
-                    }
-                    return {
-                        stop: 'error',
-                        code: 'failed',
-                        message: `runtime returned 200 with unknown stop=${String(json.stop)}`,
-                    };
-                }
-                catch (error) {
-                    return {
-                        stop: 'error',
-                        code: 'failed',
-                        message: `runtime returned 200 with non-JSON body: ${error.message}`,
-                    };
-                }
-            }
-            if (res.status === 404) {
-                return {
-                    stop: 'error',
-                    code: 'endpoint_missing',
-                    message: 'POST /api/pugi/engine not deployed on this runtime',
-                };
-            }
-            if (res.status === 401 || res.status === 403) {
-                // 403 has two distinct causes:
-                //  1. genuinely invalid / expired token (auth_missing) — the
-                //     old default.
-                //  2. tenant authenticated successfully but the privacy mode
-                //     (strict / balanced policy) refused upstream LLM dispatch.
-                //     The admin-api returns
-                //     `{ code: 'privacy_strict_upstream_blocked', mode, model,
-                //        message: '...switch via pugi config set privacy=...' }`.
-                //     Reported as `auth_missing` the user runs `pugi login`
-                //     again, which does nothing — the actual fix is a privacy-
-                //     mode change. Parse the body and route accordingly.
-                // (2026-05-27 P0.3 — dogfood surfaced this on /api/pugi/engine
-                // for a strict-mode tenant; see memory feedback_no_fake_dispatch_promises
-                // for the broader "misleading error" pattern.)
-                try {
-                    const parsed = text ? JSON.parse(text) : null;
-                    // dogfood cycle 2: distinct error code for the
-                    // infra-side "PII scrubber down" case. Previously the engine
-                    // server returned `privacy_strict_upstream_blocked` here even
-                    // when the tenant was on BALANCED (the scrubber crash forced
-                    // a fail-closed). Operators chased the wrong fix ("switch
-                    // privacy") for hours. Server now emits
-                    // `pii_scrubber_unavailable` — surface a distinct remediation
-                    // that points at the infra side, not the operator's privacy
-                    // posture.
-                    if (parsed?.code === 'pii_scrubber_unavailable') {
-                        return {
-                            stop: 'error',
-                            code: 'privacy_blocked',
-                            message: parsed.message ?? 'PII scrubber unavailable; privacy filter refused dispatch.',
-                            remediation: 'Infra-side issue (not your tenant privacy mode). Wait for ops to restore ' +
-                                'the PiiScrubberService, OR temporarily switch your tenant to permissive via ' +
-                                '`pugi config set privacy=permissive`.',
-                        };
-                    }
-                    if (parsed?.code === 'privacy_strict_upstream_blocked' || parsed?.code === 'privacy_blocked') {
-                        return {
-                            stop: 'error',
-                            code: 'privacy_blocked',
-                            message: parsed.message ?? 'Tenant privacy mode forbids upstream LLM dispatch.',
-                            remediation: 'pugi config set privacy=balanced — OR configure a self-hosted Anvil model.',
-                        };
-                    }
-                }
-                catch {
-                    // Body not JSON — fall through to the generic auth_missing
-                    // branch below; the 200-char text echo on `failed` will at
-                    // least give the operator the raw response to triage.
-                }
-                return {
-                    stop: 'error',
-                    code: 'auth_missing',
-                    message: `runtime rejected credentials (HTTP ${res.status})`,
-                };
-            }
-            if (res.status === 429) {
-                return {
-                    stop: 'error',
-                    code: 'rate_limited',
-                    message: 'runtime rate limit reached for this tenant',
-                };
-            }
-            // PUGI-490 (2026-06-03): structured envelope for upstream-proxy
-            // static error pages. When the response body is HTML (the upstream
-            // proxy's static 5xx page rather than a NestJS JSON envelope), the
-            // raw truncated HTML is useless to operators — it cannot point at
-            // what failed. Parse the `cf-ray` request id so the operator can
-            // look the request up in the proxy dashboard, and surface a
-            // remediation hint pointing at the engine VM logs.
-            const cfDetails = detectUpstreamProxyError(res, text);
-            if (cfDetails) {
-                return {
-                    stop: 'error',
-                    code: 'failed',
-                    message: `runtime error (cf-ray: ${cfDetails.cfRay ?? 'unknown'}) — ` +
-                        `upstream proxy returned ${res.status} static page. ` +
-                        `Check engine VM logs for the correlating request id.`,
-                };
-            }
-            return {
-                stop: 'error',
-                code: 'failed',
-                message: `runtime returned HTTP ${res.status}${text ? `: ${text.slice(0, 200)}` : ''}`,
-            };
-        }
-        catch (error) {
-            const message = error instanceof Error
-                ? error.name === 'AbortError'
-                    ? `runtime call timed out after ${this.config.timeoutMs}ms`
-                    : error.message
-                : 'unknown error';
-            return { stop: 'error', code: 'failed', message };
-        }
-        finally {
-            clearTimeout(timeout);
-            if (options.signal)
-                options.signal.removeEventListener('abort', onAbort);
-        }
-    }
-}
-/**
- * PUGI-490 (2026-06-03): detect when the response body is a static HTML
- * error page emitted by the upstream proxy (rather than a JSON envelope
- * produced by admin-api). Returns the cf-ray request id when matched, so
- * the CLI can surface a meaningful runtime-error envelope instead of
- * truncating raw HTML in front of the operator.
- *
- * Heuristic: the body starts with `<!DOCTYPE` or `<html`, or carries the
- * `cf-ray` response header. We require BOTH conditions when the body is
- * non-empty (defense against admin-api accidentally emitting an HTML
- * fragment) and accept just the header when the body is empty (some
- * proxy 5xx variants ship empty bodies). The function is intentionally
- * permissive — false positives produce a clearer error than false
- * negatives, and the message still includes "upstream proxy" so the
- * operator knows the call did not reach a Pugi controller.
- *
- * Exported for unit testing; not for runtime callers.
- */
-export function detectUpstreamProxyError(res, body) {
-    if (res.status < 500)
-        return null;
-    // Pull cf-ray via the same getter shim the version-interceptor uses;
-    // it tolerates both real `Response.headers.get` and fixture/stub
-    // headers represented as plain objects.
-    const h = res.headers;
-    const readHeader = (name) => {
-        if (h && typeof h.get === 'function') {
-            return h.get(name);
-        }
-        if (h && typeof h === 'object') {
-            const lowered = h[name.toLowerCase()];
-            return lowered ?? null;
-        }
-        return null;
-    };
-    const cfRay = readHeader('cf-ray');
-    const bodyTrimmed = (body ?? '').trimStart();
-    const looksHtml = bodyTrimmed.startsWith('<!DOCTYPE') ||
-        bodyTrimmed.startsWith('<!doctype') ||
-        bodyTrimmed.startsWith('<html');
-    if (looksHtml)
-        return { cfRay };
-    if (cfRay && bodyTrimmed.length === 0)
-        return { cfRay };
-    return null;
-}
-//# sourceMappingURL=anvil-client.js.map

package/dist/core/engine/auto-compact.js

@@ -1,179 +0,0 @@
-/**
- * Crude token-count heuristic mirroring `runEngineLoop`'s fallback
- * accounting (transcript char count / 4). The CLI does not have access
- * to a real tokenizer pre-flight — the runtime returns `usage.totalTokens`
- * only on the server response, which is too late for our pre-turn gate.
- * char/4 is in the right order of magnitude for English/TS and matches
- * what the loop's own fallback uses on `tokensUsed === 0` upstream.
- */
-export function estimateTranscriptTokens(messages) {
-    let chars = 0;
-    for (const m of messages) {
-        chars += m.content.length;
-        const calls = m.toolCalls ?? [];
-        for (const c of calls) {
-            chars += c.name.length + c.arguments.length;
-        }
-    }
-    return Math.ceil(chars / 4);
-}
-const FILE_TOOL_NAMES = new Set([
-    'read',
-    'write',
-    'edit',
-    'multi_edit',
-    'multiEdit',
-]);
-/**
- * Walk the dropped slice and pull out tool-call metadata. We parse the
- * `arguments` JSON best-effort — a bad parse is harmless here because
- * the executor surfaced the canonical error to the model already; the
- * gist just under-counts that one call.
- */
-export function summarizeDroppedTurns(dropped) {
-    let toolCalls = 0;
-    let bashCalls = 0;
-    const files = new Set();
-    for (const m of dropped) {
-        if (m.role === 'assistant') {
-            const calls = m.toolCalls ?? [];
-            toolCalls += calls.length;
-            for (const c of calls) {
-                if (c.name === 'bash') {
-                    bashCalls += 1;
-                    continue;
-                }
-                if (FILE_TOOL_NAMES.has(c.name)) {
-                    const p = extractPath(c.arguments);
-                    if (p)
-                        files.add(p);
-                }
-            }
-        }
-    }
-    return {
-        toolCalls,
-        fileCount: files.size,
-        bashCalls,
-        messagesDropped: dropped.length,
-    };
-}
-function extractPath(rawArgs) {
-    if (!rawArgs)
-        return null;
-    try {
-        const parsed = JSON.parse(rawArgs);
-        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
-            const obj = parsed;
-            const path = obj['path'] ?? obj['filePath'];
-            if (typeof path === 'string' && path.length > 0)
-                return path;
-        }
-    }
-    catch {
-        return null;
-    }
-    return null;
-}
-/**
- * Format the deterministic gist string spliced into the synthetic
- * system message. Stable shape so spec assertions and operator
- * logs do not drift turn-over-turn.
- */
-export function renderAutoCompactSentinel(stats) {
-    return (`[auto-compact] Earlier turns ` +
-        `(${stats.toolCalls} tool calls, ${stats.fileCount} files read, ${stats.bashCalls} bash commands) ` +
-        `summarized to free transcript headroom. ` +
-        `Recent turns and the original task remain in context; ` +
-        `re-read any earlier file by name if you need its contents again.`);
-}
-/**
- * Minimum transcript length (in messages) before compact is allowed.
- * We always retain `system + user` (the first 2) + the last 2 turns,
- * so anything <= 4 messages has nothing in the middle to drop.
- * Compacting на 4-message transcript would either be a no-op or
- * accidentally drop the user's original task.
- */
-export const MIN_COMPACT_TRANSCRIPT_LENGTH = 5;
-/**
- * Pure gate. Returns `compact` when ALL of:
- *  - `config.enabled` is true
- *  - estimated transcript tokens >= `thresholdRatio * maxTokens`
- *  - transcript length >= 5 (need history to drop)
- */
-export function evaluateAutoCompactDecision(input) {
-    const usedTokens = estimateTranscriptTokens(input.transcript);
-    if (!input.config.enabled) {
-        return { kind: 'skip', reason: 'disabled', usedTokens };
-    }
-    if (input.transcript.length < MIN_COMPACT_TRANSCRIPT_LENGTH) {
-        return { kind: 'skip', reason: 'transcript-too-short', usedTokens };
-    }
-    const thresholdTokens = Math.floor(input.config.thresholdRatio * input.maxTokens);
-    if (usedTokens < thresholdTokens) {
-        return { kind: 'skip', reason: 'below-threshold', usedTokens };
-    }
-    return { kind: 'compact', usedTokens, thresholdTokens };
-}
-/**
- * Rewrite the transcript: keep the first two messages (system + user
- * task), drop the middle (assistant + tool turns), insert a synthetic
- * system sentinel summarizing what was dropped, then re-append the
- * last 2 messages so the model has the most-recent tool result + its
- * own last reply in full fidelity.
- *
- * Precondition: caller has already checked the decision is `compact`
- * (length >= MIN_COMPACT_TRANSCRIPT_LENGTH). The function still guards
- * with a defensive identity-return on shorter transcripts so a careless
- * caller cannot corrupt the prefix.
- */
-export function compactTranscript(transcript) {
-    const preUsedTokens = estimateTranscriptTokens(transcript);
-    if (transcript.length < MIN_COMPACT_TRANSCRIPT_LENGTH) {
-        return {
-            transcript: transcript.slice(),
-            droppedCount: 0,
-            gist: '',
-            stats: { toolCalls: 0, fileCount: 0, bashCalls: 0, messagesDropped: 0 },
-            preUsedTokens,
-            postUsedTokens: preUsedTokens,
-        };
-    }
-    // Always retain: index 0 (system) + index 1 (original user task) +
-    // last 2 messages. The middle slice is what gets summarised.
-    const head = transcript.slice(0, 2);
-    const tail = transcript.slice(-2);
-    const middle = transcript.slice(2, -2);
-    const stats = summarizeDroppedTurns(middle);
-    const gist = renderAutoCompactSentinel(stats);
-    const sentinelMessage = {
-        role: 'system',
-        content: gist,
-    };
-    const next = [...head, sentinelMessage, ...tail];
-    const postUsedTokens = estimateTranscriptTokens(next);
-    return {
-        transcript: next,
-        droppedCount: middle.length,
-        gist,
-        stats,
-        preUsedTokens,
-        postUsedTokens,
-    };
-}
-/**
- * Convenience composer used by `runEngineLoop`: evaluate → compact in
- * one shot. Returns `null` when the decision was `skip` so the loop
- * driver can branch cheaply без destructuring two layers of records.
- */
-export function maybeCompact(transcript, maxTokens, config) {
-    const decision = evaluateAutoCompactDecision({
-        transcript,
-        maxTokens,
-        config,
-    });
-    if (decision.kind === 'skip')
-        return null;
-    return compactTranscript(transcript);
-}
-//# sourceMappingURL=auto-compact.js.map