@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.1

package/dist/tools/todo-write.js

@@ -1,184 +0,0 @@
-/**
- * todo_write tool — .
- *
- * Mirrors the standard tool's `TodoWrite` tool 1:1 so a model trained on the
- * upstream grammar speaks Pugi's variant verbatim. The tool dispatches
- * a BATCH replace of the workspace todo board (not an incremental
- * mutation — the model emits the FULL list every call). At most ONE
- * todo may carry `status: 'in_progress'` at any time; violations
- * reject with the `TODO_INVARIANT_VIOLATED` sentinel and the board on
- * disk is left unchanged.
- *
- * Relationship to `task_*` (β1 T1/T6, tools/tasks.ts):
- *  - `task_*` is GRANULAR (create/get/list/update one task at a
- *    time) with an append-only JSONL journal scoped to the SESSION.
- *  - `todo_write` is BATCH (snapshot the whole board) with an atomic
- *    JSON snapshot scoped to the WORKSPACE.
- *  They are complementary surfaces: agents that prefer the upstream
- *  TodoWrite grammar use `todo_write`; agents that want a fine-grained
- *  audit trail use `task_*`.
- *
- * Hard rules (enforced by Zod + dispatcher):
- *  - `todos.length` ≤ 50 (board overload guard).
- *  - Every item: id (≥1 char, ≤128), content (≥1 char), status enum.
- *  - At most ONE item with `status === 'in_progress'`.
- *  - All ids unique within the batch.
- *
- * Dispatch returns the persisted board as JSON; callers can read
- * `todos: [...]` directly. Errors return the sentinel-prefixed message
- * so the engine adapter can pattern-match.
- */
-import { z } from 'zod';
-import { saveTodoBoard } from '../core/todos/state.js';
-/** Cap matches the `task_*` family's title cap for parity. */
-export const TODO_CONTENT_MAX = 2_000;
-/** id is opaque to us but must be slug-safe so file paths could embed it. */
-export const TODO_ID_MIN = 1;
-export const TODO_ID_MAX = 128;
-/** Hard cap on board size. Beyond this the operator should split work. */
-export const TODO_BATCH_MAX = 50;
-export const todoItemSchema = z
-    .strictObject({
-    id: z
-        .string()
-        .min(TODO_ID_MIN)
-        .max(TODO_ID_MAX)
-        .describe('Stable id for this todo. Opaque, ≤128 chars.'),
-    content: z
-        .string()
-        .min(1)
-        .max(TODO_CONTENT_MAX)
-        .describe('Imperative task description. E.g. "Add invariant check".'),
-    status: z
-        .enum(['pending', 'in_progress', 'completed'])
-        .describe('Lifecycle status. At most ONE in_progress per board.'),
-    activeForm: z
-        .string()
-        .min(1)
-        .max(TODO_CONTENT_MAX)
-        .optional()
-        .describe('Present-continuous form. E.g. "Adding invariant check".'),
-});
-export const todoWriteArgsSchema = z.strictObject({
-    todos: z
-        .array(todoItemSchema)
-        .max(TODO_BATCH_MAX)
-        .describe(`Full todo board (batch replace, not incremental). Max ${TODO_BATCH_MAX} items. ` +
-        `At most ONE item may carry status="in_progress".`),
-});
-/**
- * JSON-Schema fragment surfaced to the model via the tool-bridge
- * `parameters` field. Mirrors the Zod schema 1:1 — kept hand-written
- * (same convention as ask_user_question) because the runtime engine
- * wires OpenAI-compatible JSON Schema and we have not greenlit the
- * zod-to-json-schema transitive dep. Keep both in lockstep.
- */
-export const todoWriteJsonSchema = {
-    type: 'object',
-    additionalProperties: false,
-    required: ['todos'],
-    properties: {
-        todos: {
-            type: 'array',
-            maxItems: TODO_BATCH_MAX,
-            description: `Full todo board (batch replace, not incremental). Max ${TODO_BATCH_MAX} items. ` +
-                `At most ONE item may carry status="in_progress".`,
-            items: {
-                type: 'object',
-                additionalProperties: false,
-                required: ['id', 'content', 'status'],
-                properties: {
-                    id: {
-                        type: 'string',
-                        minLength: TODO_ID_MIN,
-                        maxLength: TODO_ID_MAX,
-                        description: 'Stable id for this todo. Opaque, ≤128 chars.',
-                    },
-                    content: {
-                        type: 'string',
-                        minLength: 1,
-                        maxLength: TODO_CONTENT_MAX,
-                        description: 'Imperative task description.',
-                    },
-                    status: {
-                        type: 'string',
-                        enum: ['pending', 'in_progress', 'completed'],
-                        description: 'Lifecycle status. At most ONE in_progress per board.',
-                    },
-                    activeForm: {
-                        type: 'string',
-                        minLength: 1,
-                        maxLength: TODO_CONTENT_MAX,
-                        description: 'Present-continuous form.',
-                    },
-                },
-            },
-        },
-    },
-};
-/**
- * Sentinel prefix the dispatcher returns when Zod schema validation
- * rejects the raw arguments. Distinct from `TODO_INVARIANT_VIOLATED`
- * (>1 in_progress) and `TODO_DUPLICATE_ID` (collision within batch),
- * which are emitted from `saveTodoBoard` AFTER schema parsing.
- *
- * Surfaced as a return string (not a throw) so the engine adapter sees
- * a recoverable tool error and the model can self-correct its args,
- * instead of the engine loop tearing down on an uncaught ZodError.
- */
-export const TODO_INVALID_ARGS = 'INVALID_ARGS';
-/**
- * Render a ZodError into a deterministic `INVALID_ARGS: ...` sentinel
- * the model can pattern-match. Each issue contributes one
- * `path: message` clause; clauses are joined with `; ` so the model
- * sees every offence in a single line. Path with the root scope is
- * rendered as `<root>` to avoid an empty colon.
- */
-function renderZodIssues(error) {
-    const parts = error.issues.map((issue) => {
-        const path = issue.path.length === 0 ? '<root>' : issue.path.join('.');
-        return `${path}: ${issue.message}`;
-    });
-    return `${TODO_INVALID_ARGS}: ${parts.join('; ')}`;
-}
-/**
- * Validate via Zod + persist atomically. Surfaces three sentinel
- * families the dispatcher pattern-matches on:
- *  - `INVALID_ARGS: <path>: <issue>; ...`       — Zod schema rejected
- *    the raw arguments (returned as STRING, not thrown).
- *  - `TODO_INVARIANT_VIOLATED: ...`             — >1 in_progress
- *    (thrown by `saveTodoBoard`).
- *  - `TODO_DUPLICATE_ID: ...`                   — collision within batch
- *    (thrown by `saveTodoBoard`).
- *
- * Why the asymmetry: schema rejection means the model emitted malformed
- * structure (missing field, wrong type) and CAN self-correct given a
- * clear breakdown of the offending path. The invariant + duplicate-id
- * paths mean the model emitted structurally-valid but semantically
- * conflicting state — those still throw so the engine loop's tool-error
- * hook can surface them through `PostToolUseFailure` for observability,
- * mirroring how the file-tools layer surfaces `STALE_READ` / `PermissionDenied`.
- */
-export function dispatchTodoWrite(ctx, rawArgs) {
-    // L16 P1 fix : `.parse` throws a `ZodError` on validation
-    // failure. The previous implementation let that throw bubble through
-    // the engine adapter's catch arm as a free-form `error.message`,
-    // which (a) loses the issue-by-issue structure the model needs to
-    // self-correct, and (b) tears down the tool-call as a hard failure
-    // rather than a recoverable tool result. Switch to `safeParse` and
-    // emit a structured `INVALID_ARGS: <path>: <issue>; ...` sentinel
-    // string instead — the engine sees a successful tool call, the model
-    // sees the offending paths, and the dispatcher's catch arm reserves
-    // throws for the genuine semantic conflicts emitted by `saveTodoBoard`.
-    const parsed = todoWriteArgsSchema.safeParse(rawArgs);
-    if (!parsed.success) {
-        return renderZodIssues(parsed.error);
-    }
-    const stateCtx = {
-        workspaceRoot: ctx.workspaceRoot,
-        ...(ctx.now ? { now: ctx.now } : {}),
-    };
-    const board = saveTodoBoard(stateCtx, parsed.data.todos);
-    return JSON.stringify(board);
-}
-//# sourceMappingURL=todo-write.js.map

package/dist/tools/verify-plan-execution.js

@@ -1,295 +0,0 @@
-/**
- * verify_plan_execution tool — anti-fake-dispatch gate (backlog #5 P0).
- *
- * Gives the engine loop a way to ASSERT that a previously-stated plan's
- * promised steps actually executed. When the model says "Step 1: read
- * file A. Step 2: edit file B. Step 3: run tests" and then emits a
- * "done" final text, this tool lets the engine loop verify the session's
- * recorded tool calls and file mutations cover every requirement.
- *
- * If any gap is found the engine loop continues another turn so the
- * model can either fill the gap or explicitly explain why the step was
- * skipped. Closes the fake-dispatch failure mode documented in
- * memory `feedback_no_fake_dispatch_promises.md`.
- */
-import { existsSync, readFileSync } from 'node:fs';
-export const VERIFY_PLAN_INVALID_ARGS = 'VERIFY_PLAN_INVALID_ARGS';
-export function parseVerifyPlanArgs(raw) {
-    if (typeof raw !== 'object' || raw === null || Array.isArray(raw)) {
-        return `${VERIFY_PLAN_INVALID_ARGS}: arguments must be a JSON object`;
-    }
-    const obj = raw;
-    if (!Object.prototype.hasOwnProperty.call(obj, 'steps')) {
-        return `${VERIFY_PLAN_INVALID_ARGS}: steps is required`;
-    }
-    const rawSteps = obj['steps'];
-    if (!Array.isArray(rawSteps)) {
-        return `${VERIFY_PLAN_INVALID_ARGS}: steps must be an array`;
-    }
-    if (rawSteps.length > 200) {
-        return `${VERIFY_PLAN_INVALID_ARGS}: steps must have <= 200 entries`;
-    }
-    const steps = [];
-    const issues = [];
-    for (let i = 0; i < rawSteps.length; i++) {
-        const s = rawSteps[i];
-        if (typeof s !== 'object' || s === null || Array.isArray(s)) {
-            issues.push(`steps[${i}]: must be an object`);
-            continue;
-        }
-        const step = s;
-        const id = step['id'];
-        if (typeof id !== 'string' || id.trim().length === 0) {
-            issues.push(`steps[${i}].id: must be a non-empty string`);
-            continue;
-        }
-        const intent = step['intent'];
-        if (typeof intent !== 'string') {
-            issues.push(`steps[${i}].intent: must be a string`);
-            continue;
-        }
-        const toolCallsRaw = step['requiredToolCalls'];
-        let requiredToolCalls;
-        if (toolCallsRaw !== undefined && toolCallsRaw !== null) {
-            if (!Array.isArray(toolCallsRaw)) {
-                issues.push(`steps[${i}].requiredToolCalls: must be an array when present`);
-                continue;
-            }
-            requiredToolCalls = [];
-            for (let j = 0; j < toolCallsRaw.length; j++) {
-                const tc = toolCallsRaw[j];
-                if (typeof tc !== 'string' || tc.trim().length === 0) {
-                    issues.push(`steps[${i}].requiredToolCalls[${j}]: must be a non-empty string`);
-                }
-                else {
-                    requiredToolCalls.push(tc);
-                }
-            }
-        }
-        const fileChangesRaw = step['requiredFileChanges'];
-        let requiredFileChanges;
-        if (fileChangesRaw !== undefined && fileChangesRaw !== null) {
-            if (!Array.isArray(fileChangesRaw)) {
-                issues.push(`steps[${i}].requiredFileChanges: must be an array when present`);
-                continue;
-            }
-            requiredFileChanges = [];
-            for (let j = 0; j < fileChangesRaw.length; j++) {
-                const fc = fileChangesRaw[j];
-                if (typeof fc !== 'string' || fc.trim().length === 0) {
-                    issues.push(`steps[${i}].requiredFileChanges[${j}]: must be a non-empty string`);
-                }
-                else {
-                    requiredFileChanges.push(fc);
-                }
-            }
-        }
-        const built = {
-            id: id.trim(),
-            intent,
-            ...(requiredToolCalls !== undefined && requiredToolCalls.length > 0
-                ? { requiredToolCalls }
-                : {}),
-            ...(requiredFileChanges !== undefined && requiredFileChanges.length > 0
-                ? { requiredFileChanges }
-                : {}),
-        };
-        steps.push(built);
-    }
-    if (issues.length > 0) {
-        return `${VERIFY_PLAN_INVALID_ARGS}: ${issues.join('; ')}`;
-    }
-    return { steps };
-}
-export function readRelevantEvents(session) {
-    if (!session.enabled)
-        return [];
-    if (!existsSync(session.eventsPath))
-        return [];
-    const raw = readFileSync(session.eventsPath, 'utf8');
-    const events = [];
-    for (const line of raw.split('\n')) {
-        const trimmed = line.trim();
-        if (trimmed.length === 0)
-            continue;
-        let parsed;
-        try {
-            parsed = JSON.parse(trimmed);
-        }
-        catch {
-            continue;
-        }
-        if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
-            continue;
-        }
-        const obj = parsed;
-        if (obj['type'] === 'tool_call' && typeof obj['tool'] === 'string') {
-            events.push({ type: 'tool_call', tool: obj['tool'] });
-        }
-        else if (obj['type'] === 'file_mutation' && typeof obj['path'] === 'string') {
-            events.push({ type: 'file_mutation', path: obj['path'] });
-        }
-    }
-    return events;
-}
-export function verifyPlan(steps, events) {
-    if (steps.length === 0) {
-        return { status: 'verified', gaps: [] };
-    }
-    // Per-step consumption queues. The previous Set<string> shared across
-    // all steps allowed two steps requiring `edit` к be satisfied by a
-    // single edit call — defeating the per-step verification contract.
-    // We track per-tool counts of remaining (unconsumed) events; each step
-    // consumes one event per requiredToolCall it lists. Same approach for
-    // file mutations: each path-substring requirement consumes one matching
-    // mutation event, so two steps each requiring `foo.ts` need TWO foo.ts
-    // mutations к verify.
-    const toolCallRemaining = new Map();
-    const mutationRemaining = [];
-    for (const event of events) {
-        if (event.type === 'tool_call') {
-            toolCallRemaining.set(event.tool, (toolCallRemaining.get(event.tool) ?? 0) + 1);
-        }
-        else {
-            mutationRemaining.push(event.path);
-        }
-    }
-    const gaps = [];
-    for (const step of steps) {
-        if (step.requiredToolCalls !== undefined) {
-            for (const toolName of step.requiredToolCalls) {
-                const left = toolCallRemaining.get(toolName) ?? 0;
-                if (left <= 0) {
-                    gaps.push({
-                        stepId: step.id,
-                        intent: step.intent,
-                        missing: { kind: 'tool_call', toolName },
-                    });
-                }
-                else {
-                    toolCallRemaining.set(toolName, left - 1);
-                }
-            }
-        }
-        if (step.requiredFileChanges !== undefined) {
-            for (const pathSub of step.requiredFileChanges) {
-                const idx = mutationRemaining.findIndex((p) => pathMatches(p, pathSub));
-                if (idx === -1) {
-                    gaps.push({
-                        stepId: step.id,
-                        intent: step.intent,
-                        missing: { kind: 'file_change', pathSubstring: pathSub },
-                    });
-                }
-                else {
-                    mutationRemaining.splice(idx, 1);
-                }
-            }
-        }
-    }
-    return {
-        status: gaps.length === 0 ? 'verified' : 'gap',
-        gaps,
-    };
-}
-/**
- * Path requirement matcher. Replaces the previous `String.includes`
- * which falsely matched `foo.ts` against `foo.tsbackup` или `notfoo.ts`.
- *
- * Accepts:
- *  - Exact match (`a/b/foo.ts` === `a/b/foo.ts`).
- *  - Suffix match anchored on path separator (`foo.ts` matches
- *    `a/b/foo.ts` but NOT `bar/notfoo.ts`).
- *  - Bare basename (`foo.ts` matches mutation `foo.ts` at any depth).
- * Path separator normalised — `\\` к `/` so Windows mutation paths
- * still match POSIX-style requirements operators write.
- */
-function pathMatches(mutationPath, requirement) {
-    const m = mutationPath.replace(/\\/g, '/');
-    const req = requirement.replace(/\\/g, '/');
-    if (m === req)
-        return true;
-    if (req.startsWith('/')) {
-        return m === req || m.endsWith(req);
-    }
-    return m.endsWith('/' + req);
-}
-export function verifyPlanExecution(session, steps) {
-    // Fail-CLOSED on disabled session audit. The previous vacuous-verified
-    // return turned the entire anti-fake-dispatch gate into a no-op the
-    // moment session.enabled flipped к false — an operator (or runaway
-    // model that learned к disable audit) could silently bypass every
-    // verification. The gate must surface an explicit `session_audit_disabled`
-    // gap so the engine loop forces acknowledgement instead of accepting
-    // silent success. Empty plans still trivially verify.
-    if (steps.length === 0) {
-        return { status: 'verified', gaps: [] };
-    }
-    if (!session.enabled) {
-        return {
-            status: 'gap',
-            gaps: [
-                {
-                    stepId: '__session__',
-                    intent: 'session audit must be enabled к verify plan execution',
-                    missing: { kind: 'session_audit_disabled' },
-                },
-            ],
-        };
-    }
-    const events = readRelevantEvents(session);
-    return verifyPlan(steps, events);
-}
-export function dispatchVerifyPlanExecution(session, raw) {
-    const parsed = parseVerifyPlanArgs(raw);
-    if (typeof parsed === 'string') {
-        return parsed;
-    }
-    const result = verifyPlanExecution(session, parsed.steps);
-    return JSON.stringify(result);
-}
-export const verifyPlanExecutionJsonSchema = {
-    type: 'object',
-    additionalProperties: false,
-    required: ['steps'],
-    properties: {
-        steps: {
-            type: 'array',
-            maxItems: 200,
-            description: 'Ordered list of plan steps to verify. Each step declares what tool calls ' +
-                'and file mutations must have occurred in this session for the step to be ' +
-                'considered executed. An empty array returns status=verified immediately.',
-            items: {
-                type: 'object',
-                additionalProperties: false,
-                required: ['id', 'intent'],
-                properties: {
-                    id: {
-                        type: 'string',
-                        minLength: 1,
-                        description: 'Stable opaque step identifier. Used in gap reports.',
-                    },
-                    intent: {
-                        type: 'string',
-                        description: 'Human-readable description of what the step accomplishes.',
-                    },
-                    requiredToolCalls: {
-                        type: 'array',
-                        items: { type: 'string', minLength: 1 },
-                        description: 'Tool names (e.g. "read", "write", "edit", "bash") that must appear ' +
-                            'as tool_call events in the session audit log. Each entry must match ' +
-                            'at least once. Absent or empty means no tool-call requirement.',
-                    },
-                    requiredFileChanges: {
-                        type: 'array',
-                        items: { type: 'string', minLength: 1 },
-                        description: 'File path substrings that must appear as file_mutation events. ' +
-                            'Each entry must be a substring of at least one mutated path. ' +
-                            'Absent or empty means no file-change requirement.',
-                    },
-                },
-            },
-        },
-    },
-};
-//# sourceMappingURL=verify-plan-execution.js.map

package/dist/tools/web-fetch-injection-scanner.js

@@ -1,207 +0,0 @@
-/**
- * web_fetch injection scanner — task, P1 security follow-up.
- *
- * Threat model: a fetched HTTP body (HTML/text) can be authored by a
- * hostile origin attempting prompt injection against the agent that
- * consumes the markdown downstream. The third-party prompt-injection corpus
- * README incident surfaced three forged `<system-reminder>` blocks in
- * a freshly fetched README — date suppression, fake MCP tool listing,
- * and an instruction-override block. The agents on session correctly
- * ignored them, but that is luck, not guarantee.
- *
- * This scanner is the deterministic guard at the WebFetch return path.
- * It runs BEFORE the model ever sees the body. High-severity findings
- * trigger a defense-in-depth wrap (HTML escape + warning prepend) on
- * top of the existing `<untrusted-content-NONCE>` sentinel. Medium/low
- * findings are recorded but the body is passed through; the call site
- * decides what to do with them (current policy: prepend one-line note
- * for med, no-op for low).
- *
- * Pure function, no IO. Regex-driven so we ship zero new deps.
- */
-/**
- * Zero-width / invisible characters that have been used in prompt
- * injection PoCs to hide instructions inside otherwise plain text.
- * Stripped from `clean` so the model never sees the smuggled bytes.
- *
- * U+200B zero-width space
- * U+200C zero-width non-joiner
- * U+200D zero-width joiner
- * U+2060 word joiner
- * U+FEFF zero-width no-break space (BOM)
- * U+180E mongolian vowel separator
- */
-const ZERO_WIDTH_RE = /[​‌‍⁠᠎]/g;
-const HIGH_RULES = [
-    // Forged system-reminder envelopes — exactly the vector.
-    { pattern: '<system-reminder>', severity: 'high', re: /<system-reminder\b[^>]*>/i },
-    { pattern: '</system-reminder>', severity: 'high', re: /<\/system-reminder\s*>/i },
-    // Other impostor wrappers seen across published PoCs.
-    { pattern: '<important_instructions>', severity: 'high', re: /<important[_\s-]?instructions\b[^>]*>/i },
-    { pattern: '<critical_security_rules>', severity: 'high', re: /<critical[_\s-]?security[_\s-]?rules\b[^>]*>/i },
-    { pattern: '<EXTREMELY_IMPORTANT>', severity: 'high', re: /<extremely[_\s-]?important\b[^>]*>/i },
-    // Instruction-override copy with "IMPORTANT: you MUST | override | ignore previous".
-    {
-        pattern: 'IMPORTANT: instruction override',
-        severity: 'high',
-        re: /important\s*:.*?(you\s+must|override|ignore\s+previous|disregard\s+previous|ignore\s+all\s+prior)/i,
-    },
-    // Date manipulation — observed in the external prompt-injection patterns.
-    { pattern: "Today's date is now ...", severity: 'high', re: /today'?s?\s+date\s+is\s+now\b/i },
-    // Mimics the system-prompt language for tool execution semantics.
-    { pattern: 'Tools are executed in ...', severity: 'high', re: /tools?\s+are\s+executed\s+in\b/i },
-    // Embedded model-name instructions ("You are claude-opus-4-... and you must").
-    {
-        pattern: 'embedded model-name directive',
-        severity: 'high',
-        re: /\b(claude-opus-4-|claude-sonnet-4-)[a-z0-9.\-]*/i,
-    },
-    // Raw ANSI escape — only ever cursor manipulation in fetched markdown.
-    { pattern: 'ANSI escape sequence', severity: 'high', re: /\x1b\[/ },
-];
-const MED_RULES = [
-    // Skill-invocation mimicry.
-    { pattern: 'BLOCKING REQUIREMENT', severity: 'med', re: /blocking\s+requirement/i },
-    { pattern: 'you MUST invoke', severity: 'med', re: /you\s+must\s+invoke/i },
-    { pattern: 'Skill tool', severity: 'med', re: /\bskill\s+tool\b/i },
-    { pattern: 'MCP tool', severity: 'med', re: /\bmcp\s+tool\b/i },
-    // Tool-name mimicry — bare phrasing without obvious code-block
-    // context. These are common English so the rule is intentionally
-    // narrow: word-boundary + literal tool name + word "tool".
-    { pattern: 'Bash tool', severity: 'med', re: /\bbash\s+tool\b/i },
-    { pattern: 'Read tool', severity: 'med', re: /\bread\s+tool\b/i },
-    { pattern: 'Edit tool', severity: 'med', re: /\bedit\s+tool\b/i },
-];
-const LOW_RULES = [
-    { pattern: 'system prompt mention', severity: 'low', re: /\bsystem\s+prompt\b/i },
-    { pattern: 'instructions mention', severity: 'low', re: /\binstructions\b/i },
-    { pattern: 'pre-authorized mention', severity: 'low', re: /\bpre[-\s]?authori[sz]ed\b/i },
-];
-/**
- * Detect a suspicious base64 block: >200 contiguous base64 chars on a
- * single line. Base64 is the standard smuggling format for embedded
- * binary blobs in prompt-injection PoCs (hidden tool definitions,
- * obfuscated instruction sets). Below 200 chars we accept the false
- * positives (commit hashes, JWTs, asset URLs); above 200 the signal
- * dominates.
- */
-const BASE64_BLOCK_RE = /[A-Za-z0-9+/]{200,}={0,2}/;
-/**
- * HTML-escape the five characters that can break out of an element
- * body. Mirrors `escapeForSentinelBody` in web-fetch.ts but applied
- * selectively to flagged tags — we do NOT escape the entire body,
- * only the high-severity matches, so the model still sees readable
- * markdown.
- */
-function escapeHtml(input) {
-    return input
-        .replace(/&/g, '&amp;')
-        .replace(/</g, '&lt;')
-        .replace(/>/g, '&gt;')
-        .replace(/"/g, '&quot;')
-        .replace(/'/g, '&#39;');
-}
-/**
- * Tags that, when matched at HIGH severity, get HTML-escaped in the
- * cleaned output. The list is intentionally narrow: any `<…>` element
- * whose name matches one of these gets `<` and `>` swapped for
- * entities, so a downstream consumer reads the text literally rather
- * than parsing it as structure.
- */
-const TAG_NAMES_TO_ESCAPE = [
-    'system-reminder',
-    'important_instructions',
-    'important-instructions',
-    'critical_security_rules',
-    'critical-security-rules',
-    'extremely_important',
-    'extremely-important',
-];
-/**
- * Build a single regex that captures any opening/closing tag whose
- * name is in `TAG_NAMES_TO_ESCAPE`. Used by `clean` to escape only
- * the dangerous tags, leaving the rest of the body untouched.
- */
-const TAG_ESCAPE_RE = new RegExp(`</?(?:${TAG_NAMES_TO_ESCAPE.join('|')})\\b[^>]*>`, 'gi');
-/**
- * Run the rule dictionaries against a body of text and return the
- * scrubbed clean output plus the list of findings.
- *
- * Line numbers are 1-indexed and reference the ORIGINAL body. The
- * caller can rely on them to point at the same line in `clean`
- * because the only structural changes are (1) zero-width strips and
- * (2) HTML escaping of specific tag tokens — neither alters line
- * counts.
- */
-export function scanForInjection(body) {
-    if (!body)
-        return { clean: '', findings: [] };
-    const findings = [];
-    const lines = body.split(/\r?\n/);
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i] ?? '';
-        const lineNumber = i + 1;
-        for (const rule of HIGH_RULES) {
-            if (rule.re.test(line)) {
-                findings.push({ pattern: rule.pattern, line: lineNumber, severity: 'high' });
-            }
-        }
-        for (const rule of MED_RULES) {
-            if (rule.re.test(line)) {
-                findings.push({ pattern: rule.pattern, line: lineNumber, severity: 'med' });
-            }
-        }
-        for (const rule of LOW_RULES) {
-            if (rule.re.test(line)) {
-                findings.push({ pattern: rule.pattern, line: lineNumber, severity: 'low' });
-            }
-        }
-        if (BASE64_BLOCK_RE.test(line)) {
-            findings.push({ pattern: 'long base64 block (>200 chars)', line: lineNumber, severity: 'med' });
-        }
-    }
-    // Always strip zero-width chars from the cleaned output, even when
-    // no rule explicitly flagged them. They have no legitimate use in
-    // fetched markdown content the model is meant to read.
-    let clean = body.replace(ZERO_WIDTH_RE, (match) => {
-        findings.push({
-            pattern: `zero-width char U+${match.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0')}`,
-            line: 0, // multi-line; surfaced separately
-            severity: 'high',
-        });
-        return '';
-    });
-    // HTML-escape the high-severity impostor tags so a downstream parser
-    // (or another LLM) sees text, not structure.
-    clean = clean.replace(TAG_ESCAPE_RE, (match) => escapeHtml(match));
-    return { clean, findings };
-}
-/**
- * Convenience: return the highest severity present in a findings
- * list, or `null` if the list is empty. `high` > `med` > `low`.
- */
-export function topSeverity(findings) {
-    if (findings.some((f) => f.severity === 'high'))
-        return 'high';
-    if (findings.some((f) => f.severity === 'med'))
-        return 'med';
-    if (findings.some((f) => f.severity === 'low'))
-        return 'low';
-    return null;
-}
-/**
- * Render a one-line summary of high-severity findings for the safety
- * envelope. Stable ordering: by line, then by pattern.
- */
-export function formatHighFindings(findings) {
-    const high = findings.filter((f) => f.severity === 'high');
-    if (high.length === 0)
-        return '';
-    const sorted = [...high].sort((a, b) => {
-        if (a.line !== b.line)
-            return a.line - b.line;
-        return a.pattern.localeCompare(b.pattern);
-    });
-    return sorted.map((f) => `[${f.severity}] ${f.pattern} @ line ${f.line}`).join('; ');
-}
-//# sourceMappingURL=web-fetch-injection-scanner.js.map