@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.1

package/dist/runtime/commands/config.js

@@ -1,595 +0,0 @@
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
-import { homedir } from 'node:os';
-import { dirname, resolve } from 'node:path';
-import { z } from 'zod';
-import { loadMcpRegistry } from '../../core/mcp/registry.js';
-import { listMcpTrust, setMcpTrust, } from '../../core/mcp/trust.js';
-import { request } from 'undici';
-import { trustWorkspace } from '../../core/trust.js';
-import { resolveActiveCredential } from '../../core/credentials.js';
-/**
- * `pugi config` — operator-level configuration surface.
- *
- * Subcommands:
- *  - `pugi config get <key>`             read a value from `~/.pugi/config.json`
- *  - `pugi config set <key> <value>`     write a value
- *  - `pugi config list`                  dump all values
- *  - `pugi config trust .`               trust the current workspace (delegates to core/trust.ts)
- *  - `pugi config mcp trust <name>`      flip MCP server to trusted
- *  - `pugi config mcp deny <name>`       flip MCP server to denied
- *  - `pugi config mcp list`              show declared servers + their trust state
- *
- * Schema (pugi-config-v1):
- *  {
- *    "permissionMode": "ask" | "acceptEdits" | "auto" | "plan" | "dontAsk" | "bypassPermissions",
- *    "privacy":       "local-only" | "metadata" | "full",
- *    "model":         "<id>" | null,
- *    "preferredEndpoint": "https://api.pugi.io"
- *  }
- *
- * The config file lives at `~/.pugi/config.json` (PUGI_HOME-aware) and uses
- * mode 0o600. Unknown keys are rejected by `set` so a typo never silently
- * persists.
- */
-const configSchema = z
-    .object({
-    permissionMode: z
-        .enum(['plan', 'ask', 'acceptEdits', 'auto', 'dontAsk', 'bypassPermissions'])
-        .optional(),
-    privacy: z.enum(['local-only', 'metadata', 'full']).optional(),
-    model: z.string().nullable().optional(),
-    preferredEndpoint: z.string().url().optional(),
-    // PUGI-260 — persistent default for the 1M context tier opt-in.
-    // `pugi config set contextTier 1m` (or the dotted form
-    // `context.tier 1m`) writes this; per-invocation `--context-tier=...`
-    // flags override it at request time. Closed enum mirrors the CLI
-    // flag и the admin-api DTO so a typo here surfaces as a Zod parse
-    // error при load, not a silent fallback. Stored on the flat user-
-    // level config (~/.pugi/config.json) so all workspaces inherit the
-    // same default — operators с consistent long-context workloads
-    // (large monorepos, audits) set it once instead of remembering к
-    // pass --context-tier=1m on every dispatch.
-    contextTier: z.enum(['1m', 'standard']).optional(),
-})
-    .strict();
-const CONFIG_KEYS = [
-    'permissionMode',
-    'privacy',
-    'model',
-    'preferredEndpoint',
-    // PUGI-260 — exposed на `pugi config list` so operators see the
-    // current default. Hidden synonym `context.tier` accepted by
-    // runConfigSet / runConfigGet for a dotted-key familiar UX.
-    'contextTier',
-];
-/**
- * PUGI-260: legacy / nested key aliasing. `pugi config set context.tier 1m`
- * is the documented form в the feat doc; we normalise it onto the flat
- * `contextTier` key before the strict-schema validation так future
- * settings.json migrations keep one canonical key. Mirrors the
- * legacy privacy-mode aliasing that already lives in the file.
- */
-function normaliseConfigKey(raw) {
-    if (raw === 'context.tier')
-        return 'contextTier';
-    return raw;
-}
-export async function runConfigCommand(args, ctx) {
-    const sub = args[0];
-    if (!sub || sub === '--help' || sub === '-h') {
-        ctx.writeOutput({
-            command: 'config',
-            usage: [
-                'pugi config get <key>',
-                'pugi config set <key> <value>',
-                'pugi config list',
-                'pugi config trust .',
-                'pugi config mcp trust <name>',
-                'pugi config mcp deny <name>',
-                'pugi config mcp list',
-                'pugi config get routing',
-                'pugi config set routing.<tag>.<budget>=<model>',
-                'pugi config unset routing.<tag>.<budget>',
-                'pugi config get privacy',
-                'pugi config set privacy=strict|balanced|permissive',
-            ],
-        }, [
-            'Usage:',
-            ' pugi config get <key>                           Read a config value.',
-            ' pugi config set <key> <value>                   Write a config value.',
-            ' pugi config list                                Show all config values.',
-            ' pugi config trust .                             Trust the current workspace for hooks + MCP.',
-            ' pugi config mcp trust <name>                    Mark an MCP server as trusted.',
-            ' pugi config mcp deny <name>                     Block an MCP server.',
-            ' pugi config mcp list                            Show declared MCP servers + trust state.',
-            ' pugi config get routing                         Show effective routing table (defaults + tenant overrides).',
-            ' pugi config set routing.<tag>.<budget>=<model>  Override the model for one (tag, budget) lane.',
-            ' pugi config unset routing.<tag>.<budget>        Remove a routing override (revert to default).',
-            ' pugi config get privacy                         Show current tenant privacy mode + last-flip metadata.',
-            ' pugi config set privacy=<mode>                  Flip privacy mode (strict | balanced | permissive).',
-        ].join('\n'));
-        return;
-    }
-    switch (sub) {
-        case 'get':
-            // Special form: `pugi config get routing` hits the admin-api surface,
-            // not the local config file. Anything else is a local-config read.
-            if (args[1] === 'routing') {
-                return runRoutingGet(ctx);
-            }
-            // alpha 6.13: `pugi config get privacy` hits the admin-api
-            // /api/admin/privacy/mode surface. The privacy mode is a tenant-
-            // scoped server-side setting (so the Anvil filter can enforce it),
-            // not a local-only preference.
-            if (args[1] === 'privacy') {
-                return runPrivacyGet(ctx);
-            }
-            return runConfigGet(args.slice(1), ctx);
-        case 'set':
-            // Special form: `pugi config set routing.<tag>.<budget>=<model>` hits
-            // the admin-api routing override surface.
-            if (args[1] && args[1].startsWith('routing.')) {
-                return runRoutingSet(args.slice(1), ctx);
-            }
-            // alpha 6.13: `pugi config set privacy=<mode>` (or `privacy <mode>`)
-            // flips the tenant-scoped server-side mode IFF <mode> is one of
-            // the new closed set (strict | balanced | permissive). Legacy
-            // values (local-only | metadata | full) still hit the local
-            // config schema via runConfigSet so existing operators do not
-            // get a surprise 4xx when their playbook still uses the old
-            // names. The unit spec for config.ts has a regression test for
-            // both code paths.
-            //
-            // Triple-review P2 fix : the prior disambiguation
-            // only excluded the bare form (`privacy local-only`) - the `=`
-            // form (`privacy=local-only`) still routed to runPrivacySet and
-            // 4xx'd. We now check the value AFTER `=` and route legacy local
-            // values to runConfigSet; new-style values + unknown values
-            // continue to runPrivacySet so its client-side validator surfaces
-            // a structured "Unknown privacy mode" error (preserves the
-            // existing UX for typos like `privacy=paranoid`).
-            if (args[1]) {
-                const equalsForm = args[1].startsWith('privacy=');
-                const bareForm = args[1] === 'privacy';
-                if (equalsForm) {
-                    const valueAfterEquals = args[1].slice('privacy='.length);
-                    if (isLegacyLocalPrivacyValue(valueAfterEquals)) {
-                        // Legacy local form (`privacy=local-only|metadata|full`) -
-                        // split into `['privacy', '<value>']` so runConfigSet sees
-                        // the same shape it would for the bare form.
-                        return runConfigSet(['privacy', valueAfterEquals], ctx);
-                    }
-                    return runPrivacySet(args.slice(1), ctx);
-                }
-                if (bareForm && isNewPrivacyModeValue(args[2])) {
-                    return runPrivacySet(args.slice(1), ctx);
-                }
-            }
-            return runConfigSet(args.slice(1), ctx);
-        case 'unset':
-            if (args[1] && args[1].startsWith('routing.')) {
-                return runRoutingUnset(args.slice(1), ctx);
-            }
-            throw new Error(`Unknown sub-command "pugi config unset ${args[1] ?? ''}". Only routing.<tag>.<budget> is supported today.`);
-        case 'list':
-            return runConfigList(ctx);
-        case 'trust':
-            return runConfigTrust(args.slice(1), ctx);
-        case 'mcp':
-            return runConfigMcp(args.slice(1), ctx);
-        default:
-            throw new Error(`Unknown sub-command "pugi config ${sub}". Expected get, set, unset, list, trust, or mcp.`);
-    }
-}
-function configPath() {
-    const home = process.env.PUGI_HOME ?? resolve(homedir(), '.pugi');
-    return resolve(home, 'config.json');
-}
-export function readConfig() {
-    const path = configPath();
-    if (!existsSync(path))
-        return {};
-    const raw = readFileSync(path, 'utf8');
-    if (raw.trim() === '')
-        return {};
-    const parsed = JSON.parse(raw);
-    return configSchema.parse(parsed);
-}
-function writeConfig(config) {
-    const path = configPath();
-    mkdirSync(dirname(path), { recursive: true });
-    // 0o600 — `preferredEndpoint` could be a private self-hosted URL; the
-    // config does not contain secrets, but file mode parity with the trust
-    // ledger keeps the audit surface uniform.
-    writeFileSync(path, `${JSON.stringify(config, null, 2)}\n`, {
-        encoding: 'utf8',
-        mode: 0o600,
-    });
-}
-function isConfigKey(value) {
-    return CONFIG_KEYS.includes(value);
-}
-function runConfigGet(args, ctx) {
-    const rawKey = args[0];
-    if (!rawKey)
-        throw new Error('pugi config get requires a key.');
-    const key = normaliseConfigKey(rawKey);
-    if (!isConfigKey(key)) {
-        throw new Error(`Unknown config key "${rawKey}". Allowed: ${CONFIG_KEYS.join(', ')}.`);
-    }
-    const config = readConfig();
-    const value = config[key] ?? null;
-    ctx.writeOutput({ command: 'config.get', key, value }, value === null || value === undefined ? `${key} = (unset)` : `${key} = ${String(value)}`);
-}
-function runConfigSet(args, ctx) {
-    const rawKey = args[0];
-    const value = args.slice(1).join(' ');
-    if (!rawKey)
-        throw new Error('pugi config set requires a key.');
-    if (value.length === 0)
-        throw new Error('pugi config set requires a value.');
-    const key = normaliseConfigKey(rawKey);
-    if (!isConfigKey(key)) {
-        throw new Error(`Unknown config key "${rawKey}". Allowed: ${CONFIG_KEYS.join(', ')}.`);
-    }
-    const current = readConfig();
-    // Build the candidate and validate via the schema so an invalid value
-    // (e.g. `permissionMode = nonsense`) is rejected before persistence.
-    const candidate = { ...current };
-    candidate[key] = coerceValue(key, value);
-    const validated = configSchema.parse(candidate);
-    writeConfig(validated);
-    ctx.writeOutput({
-        command: 'config.set',
-        key,
-        value: validated[key] ?? null,
-    }, `${key} = ${String(validated[key] ?? '')}`);
-}
-function coerceValue(key, raw) {
-    if (key === 'model') {
-        return raw === 'null' || raw === '' ? null : raw;
-    }
-    return raw;
-}
-function runConfigList(ctx) {
-    const config = readConfig();
-    const entries = CONFIG_KEYS.map((key) => ({
-        key,
-        value: config[key] ?? null,
-    }));
-    ctx.writeOutput({ command: 'config.list', config, entries }, entries
-        .map((entry) => entry.value === null || entry.value === undefined
-        ? `${entry.key} = (unset)`
-        : `${entry.key} = ${String(entry.value)}`)
-        .join('\n'));
-}
-async function runConfigTrust(args, ctx) {
-    const target = args[0];
-    if (!target)
-        throw new Error('pugi config trust requires a path (use "." for cwd).');
-    const root = target === '.' ? ctx.workspaceRoot : resolve(ctx.workspaceRoot, target);
-    // Identity for the audit entry: prefer the explicit env override
-    // (`PUGI_TRUSTED_BY`), then `USER` from the shell, then literal
-    // 'cli'. The trust ledger requires a non-empty string and we want
-    // it to mean something for a future audit replay.
-    const by = process.env.PUGI_TRUSTED_BY?.trim() ||
-        process.env.USER?.trim() ||
-        process.env.USERNAME?.trim() ||
-        'cli';
-    await trustWorkspace(root, by);
-    ctx.writeOutput({ command: 'config.trust', workspaceRoot: root, trustedBy: by }, `Trusted workspace: ${root}`);
-}
-async function runConfigMcp(args, ctx) {
-    const sub = args[0];
-    if (!sub) {
-        throw new Error('pugi config mcp requires a sub-command: trust, deny, or list.');
-    }
-    switch (sub) {
-        case 'list':
-            return runConfigMcpList(ctx);
-        case 'trust':
-            return runConfigMcpFlip(args.slice(1), ctx, 'trusted');
-        case 'deny':
-            return runConfigMcpFlip(args.slice(1), ctx, 'denied');
-        default:
-            throw new Error(`Unknown sub-command "pugi config mcp ${sub}". Expected trust, deny, or list.`);
-    }
-}
-async function runConfigMcpList(ctx) {
-    const registry = await loadMcpRegistry(ctx.workspaceRoot, { connect: false });
-    const declared = Array.from(registry.servers.values()).map((state) => ({
-        name: state.name,
-        command: state.config.command,
-        args: state.config.args,
-        trust: state.trust,
-        surfacedTools: state.surfacedTools.length,
-        lastError: state.lastError ?? null,
-    }));
-    const ledger = await listMcpTrust();
-    await registry.shutdown();
-    if (declared.length === 0) {
-        ctx.writeOutput({ command: 'config.mcp.list', servers: [], ledger }, 'No MCP servers declared. Add one to .pugi/mcp.json or ~/.pugi/mcp.json.');
-        return;
-    }
-    ctx.writeOutput({ command: 'config.mcp.list', servers: declared, ledger }, [
-        'MCP servers:',
-        ...declared.map((server) => ` ${server.name.padEnd(20)} ${server.trust.padEnd(8)} ${server.command} ${server.args.join(' ')}`),
-    ].join('\n'));
-}
-async function runConfigMcpFlip(args, ctx, state) {
-    const name = args[0];
-    if (!name) {
-        throw new Error(`pugi config mcp ${state === 'trusted' ? 'trust' : 'deny'} requires a server name.`);
-    }
-    const by = process.env.PUGI_TRUSTED_BY?.trim() ||
-        process.env.USER?.trim() ||
-        process.env.USERNAME?.trim() ||
-        'cli';
-    await setMcpTrust(name, state, by);
-    ctx.writeOutput({ command: `config.mcp.${state === 'trusted' ? 'trust' : 'deny'}`, name, state, decidedBy: by }, state === 'trusted'
-        ? `MCP server "${name}" is now trusted.`
-        : `MCP server "${name}" is now denied.`);
-}
-/* ------------------------------------------------------------------ */
-/* multi-model routing — config.routing.* subcommands           */
-/* ------------------------------------------------------------------ */
-/**
- * Closed sets — match
- * `apps/admin-api/src/pugi/routing/dispatch-tag.ts` verbatim. Pinning
- * them in the CLI lets us reject typos client-side before round-tripping
- * to the admin-api (better UX, smaller blast radius for a wrong typo on
- * a flaky network).
- */
-const ROUTING_TAGS = [
-    'classify',
-    'reason',
-    'codegen',
-    'summarize',
-    'vision',
-    'embed',
-];
-const ROUTING_BUDGETS = ['min', 'std', 'max'];
-function isRoutingTag(value) {
-    return ROUTING_TAGS.includes(value);
-}
-function isRoutingBudget(value) {
-    return ROUTING_BUDGETS.includes(value);
-}
-/**
- * Resolve the admin-api host + bearer token from the CLI credential
- * store. Throws a structured "anonymous" error when the operator has
- * not logged in — same shape as `pugi whoami` so the harness exit
- * codes stay aligned.
- */
-function resolveAdminApi() {
-    const credential = resolveActiveCredential();
-    if (!credential) {
-        throw new Error('pugi config routing requires authentication. Run `pugi login` first.');
-    }
-    return { apiUrl: credential.apiUrl, apiKey: credential.apiKey };
-}
-/**
- * `pugi config get routing` — fetch the static default table + the
- * tenant's override table, merge, and render as `routing.<tag>.<budget> = <model>`.
- * Shows which lanes are overridden vs default.
- */
-async function runRoutingGet(ctx) {
-    const { apiUrl, apiKey } = resolveAdminApi();
-    const [defaults, overrides] = await Promise.all([
-        fetchJson(`${apiUrl}/api/admin/model-routing/defaults`, apiKey),
-        fetchJson(`${apiUrl}/api/admin/model-routing/overrides`, apiKey),
-    ]);
-    const overrideMap = new Map();
-    for (const row of overrides.overrides) {
-        overrideMap.set(`${row.tag}.${row.budgetHint}`, row.model);
-    }
-    const cells = defaults.defaults.map((cell) => {
-        const overridden = overrideMap.get(`${cell.tag}.${cell.budgetHint}`);
-        return {
-            tag: cell.tag,
-            budgetHint: cell.budgetHint,
-            model: overridden ?? cell.model,
-            source: overridden ? 'override' : 'default',
-        };
-    });
-    const text = [
-        'Routing table (effective = override | default):',
-        ...cells.map((cell) => ` routing.${cell.tag.padEnd(10)}.${cell.budgetHint.padEnd(3)} = ${cell.model.padEnd(28)} (${cell.source})`),
-    ].join('\n');
-    ctx.writeOutput({
-        command: 'config.routing.get',
-        apiUrl,
-        cells,
-    }, text);
-}
-/**
- * `pugi config set routing.<tag>.<budget>=<model>` — PUT to the admin-api
- * override surface. Validates tag + budget client-side before round-tripping
- * so a typo fails fast.
- */
-async function runRoutingSet(args, ctx) {
-    // The original arg is `routing.<tag>.<budget>=<model>` — args[0] holds
-    // everything up to the first whitespace, but the value may have been
-    // split. Re-join and re-split on `=` to be robust against a
-    // model slug containing `/` or `-`.
-    const raw = args.join(' ').trim();
-    const eqIdx = raw.indexOf('=');
-    if (eqIdx === -1) {
-        throw new Error('pugi config set routing.<tag>.<budget>=<model> requires an =<model> suffix.');
-    }
-    const lhs = raw.slice(0, eqIdx).trim();
-    const value = raw.slice(eqIdx + 1).trim();
-    const lhsParts = lhs.split('.');
-    if (lhsParts.length !== 3 || lhsParts[0] !== 'routing') {
-        throw new Error(`Expected routing.<tag>.<budget>, got "${lhs}".`);
-    }
-    const tag = lhsParts[1] ?? '';
-    const budget = lhsParts[2] ?? '';
-    if (!isRoutingTag(tag)) {
-        throw new Error(`Unknown routing tag "${tag}". Allowed: ${ROUTING_TAGS.join(', ')}.`);
-    }
-    if (!isRoutingBudget(budget)) {
-        throw new Error(`Unknown routing budget "${budget}". Allowed: ${ROUTING_BUDGETS.join(', ')}.`);
-    }
-    if (value.length === 0) {
-        throw new Error('Model slug must be non-empty.');
-    }
-    const { apiUrl, apiKey } = resolveAdminApi();
-    await fetchJson(`${apiUrl}/api/admin/model-routing/overrides/${tag}/${budget}`, apiKey, { method: 'PUT', body: { model: value } });
-    ctx.writeOutput({
-        command: 'config.routing.set',
-        tag,
-        budget,
-        model: value,
-    }, `routing.${tag}.${budget} = ${value}`);
-}
-/**
- * `pugi config unset routing.<tag>.<budget>` — DELETE the override and
- * revert the lane to its static default. Idempotent.
- */
-async function runRoutingUnset(args, ctx) {
-    const lhs = (args[0] ?? '').trim();
-    const lhsParts = lhs.split('.');
-    if (lhsParts.length !== 3 || lhsParts[0] !== 'routing') {
-        throw new Error(`Expected routing.<tag>.<budget>, got "${lhs}".`);
-    }
-    const tag = lhsParts[1] ?? '';
-    const budget = lhsParts[2] ?? '';
-    if (!isRoutingTag(tag)) {
-        throw new Error(`Unknown routing tag "${tag}". Allowed: ${ROUTING_TAGS.join(', ')}.`);
-    }
-    if (!isRoutingBudget(budget)) {
-        throw new Error(`Unknown routing budget "${budget}". Allowed: ${ROUTING_BUDGETS.join(', ')}.`);
-    }
-    const { apiUrl, apiKey } = resolveAdminApi();
-    const result = await fetchJson(`${apiUrl}/api/admin/model-routing/overrides/${tag}/${budget}`, apiKey, { method: 'DELETE' });
-    ctx.writeOutput({
-        command: 'config.routing.unset',
-        tag,
-        budget,
-        removed: result.removed,
-    }, result.removed
-        ? `routing.${tag}.${budget} reverted to default.`
-        : `routing.${tag}.${budget} had no override (nothing to remove).`);
-}
-/* ------------------------------------------------------------------ */
-/* alpha 6.13 privacy 3-mode - config.privacy.* subcommands            */
-/* ------------------------------------------------------------------ */
-/**
- * Closed mirror of the server-side PRIVACY_MODES enum
- * (apps/admin-api/src/privacy/privacy-mode.ts). Pinning the literal
- * set here lets the CLI reject typos client-side before the round-
- * trip to admin-api (better UX, smaller blast radius on a flaky
- * network).
- */
-const PRIVACY_MODES = ['strict', 'balanced', 'permissive'];
-function isNewPrivacyModeValue(value) {
-    return typeof value === 'string' && PRIVACY_MODES.includes(value);
-}
-function isPrivacyMode(value) {
-    return PRIVACY_MODES.includes(value);
-}
-/**
- * Legacy local-config privacy values from before alpha 6.13. Kept so
- * `pugi config set privacy=local-only` continues to write to the local
- * config file (matching the bare-form behaviour). Triple-review P2 fix
- * : the prior disambiguation only excluded the bare form;
- * the `=` form routed to runPrivacySet and 4xx'd on the unknown mode.
- */
-const LEGACY_LOCAL_PRIVACY_VALUES = [
-    'local-only',
-    'metadata',
-    'full',
-];
-function isLegacyLocalPrivacyValue(value) {
-    return (typeof value === 'string' &&
-        LEGACY_LOCAL_PRIVACY_VALUES.includes(value));
-}
-/**
- * `pugi config get privacy` - fetch the current privacy mode snapshot
- * from /api/admin/privacy/mode + render it in human-readable form.
- */
-async function runPrivacyGet(ctx) {
-    const { apiUrl, apiKey } = resolveAdminApi();
-    const snapshot = await fetchJson(`${apiUrl}/api/admin/privacy/mode`, apiKey);
-    const lastUpdatedLine = snapshot.lastUpdated
-        ? `(last set by ${snapshot.lastUpdatedBy ?? 'unknown'} on ${snapshot.lastUpdated})`
-        : '(no flips recorded; on implicit default)';
-    const text = [
-        `privacy.mode = ${snapshot.mode}`,
-        `privacy.defaultMode = ${snapshot.defaultMode}`,
-        lastUpdatedLine,
-    ].join('\n');
-    ctx.writeOutput({
-        command: 'config.privacy.get',
-        apiUrl,
-        snapshot,
-    }, text);
-}
-/**
- * `pugi config set privacy=<mode>` - PUT to /api/admin/privacy/mode.
- * Validates the mode client-side against the closed set before
- * round-tripping.
- *
- * Accepts both `privacy <mode>` and `privacy=<mode>` argument forms so
- * the operator can type it either way.
- */
-async function runPrivacySet(args, ctx) {
-    const raw = args.join(' ').trim();
-    let mode;
-    if (raw.startsWith('privacy=')) {
-        mode = raw.slice('privacy='.length).trim();
-    }
-    else if (raw === 'privacy') {
-        throw new Error('pugi config set privacy requires a mode. Try: pugi config set privacy=balanced');
-    }
-    else if (raw.startsWith('privacy ')) {
-        mode = raw.slice('privacy '.length).trim();
-    }
-    else {
-        throw new Error(`pugi config set privacy: unrecognised argument "${raw}". Try: pugi config set privacy=balanced`);
-    }
-    if (mode.length === 0) {
-        throw new Error('pugi config set privacy requires a mode. Try: pugi config set privacy=balanced');
-    }
-    if (!isPrivacyMode(mode)) {
-        throw new Error(`Unknown privacy mode "${mode}". Allowed: ${PRIVACY_MODES.join(', ')}.`);
-    }
-    const { apiUrl, apiKey } = resolveAdminApi();
-    const snapshot = await fetchJson(`${apiUrl}/api/admin/privacy/mode`, apiKey, { method: 'PUT', body: { mode } });
-    ctx.writeOutput({
-        command: 'config.privacy.set',
-        mode: snapshot.mode,
-        snapshot,
-    }, `privacy.mode = ${snapshot.mode}`);
-}
-/**
- * Thin authenticated fetch helper. Adds the bearer token + accepts JSON +
- * surfaces structured errors. Uses undici `request` (not native `fetch`)
- * because the test suite intercepts via `MockAgent` + `setGlobalDispatcher`
- * — undici's `request` honours the global dispatcher reliably across the
- * pinned undici version. Kept local (not shared with `pugi whoami`) so
- * the routing surface is self-contained — extracting a common helper is
- * cleanup once we see two callers.
- */
-async function fetchJson(url, apiKey, options = {}) {
-    const method = options.method ?? 'GET';
-    const headers = {
-        authorization: `Bearer ${apiKey}`,
-        accept: 'application/json',
-    };
-    let body;
-    if (options.body !== undefined) {
-        body = JSON.stringify(options.body);
-        headers['content-type'] = 'application/json';
-    }
-    const res = await request(url, { method, headers, body });
-    if (res.statusCode < 200 || res.statusCode >= 300) {
-        const detail = await res.body.text().catch(() => '');
-        throw new Error(`pugi config routing: HTTP ${res.statusCode} on ${method} ${url}${detail ? ` -- ${detail.slice(0, 200)}` : ''}`);
-    }
-    // undici's `request` already returns `body` as a stream wrapped with
-    // helpers — `.json()` parses + closes for us.
-    return (await res.body.json());
-}
-//# sourceMappingURL=config.js.map