@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.10

package/dist/runtime/commands/report.js

@@ -1,299 +0,0 @@
-/**
- * PAVF-7 — `pugi report --from-error` field-bug capture.
- *
- * Operator hit a CLI failure ("pugi explain: failed [auth_missing]...")
- * and wants to file a clean report без manual log-grepping. This command:
- *
- *  1. Locates the most-recently-modified session under .pugi/sessions/
- *     (the engine adapter mirrors EVERY dispatch's events to a fresh
- *     session dir; the latest one is always the failure that just
- *     surprised the operator).
- *  2. Reads events.jsonl + extracts the terminal-state event +
- *     the last 50 frames before it (enough context to triage; small
- *     enough for a GH issue body or email paste).
- *  3. Captures workspace metadata (CLI version, Node version, OS,
- *     tenant id from credentials, current dir, .pugi/PUGI.md presence).
- *  4. Strips secrets — auth tokens, env values, JWT signatures —
- *     before the report ever touches disk OR network.
- *  5. Writes the bundle к .pugi/reports/<ISO-timestamp>-<session-id>/
- *     with both a machine-readable report.json and a human-readable
- *     report.md the operator can paste into a GH issue / email.
- *  6. Prints the path + the canonical share command the operator can
- *     run when ready to upload (the upload endpoint is deferred to a
- *     follow-up; v1 keeps everything LOCAL so an operator working
- *     offline / behind a corporate firewall can still file a clean
- *     report).
- *
- * Why not auto-upload in v1:
- *  The CEO HARD rule `feedback_no_fake_dispatch_promises` says we do
- *  not invent dispatch we cannot deliver. Without a live
- *  /api/pugi/report endpoint, an auto-upload would either silently
- *  no-op or claim shipped и lie. v1 emits the artifacts + a clear
- *  "upload pending" status; v2 (separate PR) wires the endpoint и
- *  flips the default к upload-on-success.
- *
- * Exit codes (match the existing PAVF-1 stage_code table):
- *  0 = report written successfully
- *  8 = no sessions found (operator ran in a workspace без .pugi/)
- *  9 = session events.jsonl unreadable / corrupted
- * 20 = output path not writable (disk full / perms)
- *
- * Secret-redaction posture: PII / tokens / env values are stripped at
- * the report-generation layer, NOT at upload time. Even if the operator
- * never uploads, the report dir on disk MUST NOT carry plaintext
- * secrets — a colleague who later runs `cat .pugi/reports/.../report.md`
- * over the shoulder sees the bug context but not the bearer token.
- */
-import { existsSync, readdirSync, readFileSync, mkdirSync, statSync, writeFileSync } from 'node:fs';
-import { join, resolve as resolvePath } from 'node:path';
-import { homedir, platform, release } from 'node:os';
-import { PUGI_CLI_VERSION } from '../version.js';
-const MAX_TAIL_FRAMES = 50;
-const MAX_DETAIL_CHARS = 400;
-const TERMINAL_TYPES = new Set([
-    'agent.completed',
-    'agent.failed',
-    'agent.blocked',
-    'subagent.outcome',
-    'result',
-]);
-/**
- * Bearer / JWT / env-secret patterns. We do NOT try to be exhaustive
- * (cat-and-mouse with custom secret formats is unwinnable); we cover
- * the shapes that actually appear in Pugi sessions:
- *
- *  - `Authorization: Bearer eyJ...` (JWT header.payload.signature)
- *  - `apiKey: eyJ...` inside captured JSON envelopes
- *  - any long base64-ish token (>= 20 chars, [A-Za-z0-9_-]) following
- *    `token`, `password`, `secret`, or `key` field names
- *
- * Replacement is a length-preserving `[REDACTED:<n>]` marker so the
- * operator can still verify the report at-a-glance ("yes, a 32-char
- * token was here") без leaking the value.
- */
-function redact(text) {
-    if (!text)
-        return text;
-    // Bearer + JWT shape.
-    text = text.replace(/(Bearer\s+)([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)/gi, (_m, prefix, tok) => `${prefix}[REDACTED:${tok.length}]`);
-    // Bare JWTs (no Bearer prefix) inside JSON / log lines.
-    text = text.replace(/\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g, (tok) => `[REDACTED:${tok.length}]`);
-    // `"token": "..."` / `"apiKey": "..."` / `"password": "..."` shapes.
-    text = text.replace(/("(?:apiKey|api_key|token|access_token|refresh_token|password|secret|bearer)"\s*:\s*")([^"]{10,})(")/gi, (_m, before, val, after) => `${before}[REDACTED:${val.length}]${after}`);
-    // Bare env-style KEY=VALUE на длинных значениях.
-    text = text.replace(/\b((?:PUGI_API_KEY|GITHUB_TOKEN|NPM_TOKEN|ANVIL_API_KEY|OPENAI_API_KEY|ANTHROPIC_API_KEY|GEMINI_API_KEY)=)([^\s"']{10,})/g, (_m, prefix, val) => `${prefix}[REDACTED:${val.length}]`);
-    return text;
-}
-function clampDetail(value) {
-    if (typeof value !== 'string')
-        return undefined;
-    const redacted = redact(value);
-    return redacted.length > MAX_DETAIL_CHARS
-        ? `${redacted.slice(0, MAX_DETAIL_CHARS)}…`
-        : redacted;
-}
-function findLatestSession(cwd) {
-    const dir = resolvePath(cwd, '.pugi/sessions');
-    if (!existsSync(dir))
-        return null;
-    const entries = readdirSync(dir, { withFileTypes: true })
-        .filter((e) => e.isDirectory())
-        .map((e) => {
-        const path = join(dir, e.name);
-        let mtime = 0;
-        try {
-            mtime = statSync(join(path, 'events.jsonl')).mtimeMs;
-        }
-        catch {
-            // Session dir without events.jsonl yet — never opened. Skip.
-            return null;
-        }
-        return { name: e.name, path, mtime };
-    })
-        .filter((x) => x !== null)
-        .sort((a, b) => b.mtime - a.mtime);
-    return entries[0]?.path ?? null;
-}
-function readTenantIdSafely() {
-    const credPath = resolvePath(homedir(), '.pugi/credentials.json');
-    if (!existsSync(credPath))
-        return undefined;
-    try {
-        const raw = JSON.parse(readFileSync(credPath, 'utf8'));
-        const first = raw.tokens?.[0]?.apiKey;
-        if (!first || typeof first !== 'string')
-            return undefined;
-        // JWT payload is the middle segment; base64-decode + parse for the
-        // `customerId` claim. Failure here returns undefined (the report
-        // still emits useful context without it).
-        const parts = first.split('.');
-        if (parts.length !== 3)
-            return undefined;
-        const payload = JSON.parse(Buffer.from(parts[1] ?? '', 'base64').toString('utf8'));
-        return typeof payload.customerId === 'string' ? payload.customerId : undefined;
-    }
-    catch {
-        return undefined;
-    }
-}
-function captureFrames(eventsPath) {
-    const lines = readFileSync(eventsPath, 'utf8')
-        .split('\n')
-        .filter((l) => l.trim().length > 0);
-    const parsed = lines
-        .map((line) => {
-        try {
-            return JSON.parse(line);
-        }
-        catch {
-            return null;
-        }
-    })
-        .filter((f) => f !== null);
-    // Keep the LAST MAX_TAIL_FRAMES frames — failures cluster at the
-    // end, and the tail is where the operator's context actually lives.
-    const tail = parsed.slice(-MAX_TAIL_FRAMES);
-    return tail.map((f) => {
-        const out = {
-            type: typeof f.type === 'string' ? f.type : 'unknown',
-        };
-        if (typeof f.taskId === 'string')
-            out.taskId = f.taskId;
-        if (typeof f.timestamp === 'string')
-            out.timestamp = f.timestamp;
-        if (typeof f.outcome === 'string')
-            out.outcome = f.outcome;
-        // Keep detail / error ONLY on terminal frames (full reply text on
-        // every agent.message would blow the report past the GH issue cap).
-        if (TERMINAL_TYPES.has(out.type)) {
-            const detail = clampDetail(f.detail) ?? clampDetail(f.error);
-            if (detail)
-                out.detail = detail;
-            if (typeof f.error === 'string')
-                out.error = clampDetail(f.error);
-        }
-        return out;
-    });
-}
-export function runReport(args, ctx) {
-    const fromError = args.includes('--from-error');
-    if (!fromError) {
-        ctx.writeOutput({
-            command: 'report',
-            status: 'no_sessions',
-            message: 'pugi report — capture a bug report from the most-recent session.\n\n' +
-                'Usage:\n' +
-                ' pugi report --from-error          Bundle the most-recent failed session as a report.\n\n' +
-                'Output: writes .pugi/reports/<timestamp>-<session-id>/{report.json, report.md}.\n' +
-                'Secrets (bearer tokens, JWTs, named env values) are stripped before disk write.',
-        }, 'pugi report — see `pugi report --help`');
-        return 0;
-    }
-    const sessionPath = findLatestSession(ctx.cwd);
-    if (!sessionPath) {
-        ctx.writeOutput({
-            command: 'report',
-            status: 'no_sessions',
-            message: 'No sessions found under .pugi/sessions/. Run a `pugi` command first.',
-        }, 'pugi report: no sessions found under .pugi/sessions/ — run a `pugi` command first.');
-        return 8;
-    }
-    const eventsPath = join(sessionPath, 'events.jsonl');
-    let frames;
-    try {
-        frames = captureFrames(eventsPath);
-    }
-    catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        ctx.writeOutput({
-            command: 'report',
-            status: 'unreadable',
-            message: `Failed to read ${eventsPath}: ${message}`,
-        }, `pugi report: cannot read session events (${message})`);
-        return 9;
-    }
-    const sessionId = sessionPath.split('/').pop() ?? 'unknown';
-    const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
-    const reportDir = resolvePath(ctx.cwd, '.pugi/reports', `${timestamp}-${sessionId}`);
-    let reportJson;
-    let reportMd;
-    try {
-        mkdirSync(reportDir, { recursive: true });
-        reportJson = join(reportDir, 'report.json');
-        reportMd = join(reportDir, 'report.md');
-        const meta = {
-            schema: 1,
-            generatedAt: new Date().toISOString(),
-            cliVersion: PUGI_CLI_VERSION,
-            nodeVersion: process.version,
-            os: `${platform()} ${release()}`,
-            cwd: ctx.cwd,
-            sessionId,
-            tenantId: readTenantIdSafely() ?? '(not resolvable)',
-            pugiMd: existsSync(resolvePath(ctx.cwd, '.pugi/PUGI.md')),
-            frames,
-        };
-        writeFileSync(reportJson, JSON.stringify(meta, null, 2), 'utf8');
-        const mdLines = [
-            `# Pugi bug report — ${sessionId}`,
-            '',
-            `Generated: \`${meta.generatedAt}\``,
-            `CLI version: \`${meta.cliVersion}\``,
-            `Node: \`${meta.nodeVersion}\` · OS: \`${meta.os}\``,
-            `Workspace: \`${meta.cwd}\` (PUGI.md present: ${meta.pugiMd ? 'yes' : 'no'})`,
-            `Tenant: \`${meta.tenantId}\``,
-            '',
-            `## Last ${frames.length} frames`,
-            '',
-            '```jsonl',
-            ...frames.map((f) => JSON.stringify(f)),
-            '```',
-            '',
-            '## How to share',
-            '',
-            '1. Review `report.md` for accidental PII or sensitive paths.',
-            '2. Paste the contents into a GH issue at https://github.com/pugi-io/pugi/issues',
-            '  OR attach the `report.json` as a file.',
-            '',
-            'Auto-upload to api.pugi.io is planned (`pugi report --upload`) but',
-            'NOT shipped in this build — v1 keeps everything local so an operator',
-            'behind a firewall can still file a clean report.',
-        ];
-        writeFileSync(reportMd, mdLines.join('\n'), 'utf8');
-    }
-    catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        ctx.writeOutput({
-            command: 'report',
-            status: 'output_not_writable',
-            message: `Failed to write report bundle to ${reportDir}: ${message}`,
-        }, `pugi report: cannot write report dir (${message})`);
-        return 20;
-    }
-    ctx.writeOutput({
-        command: 'report',
-        status: 'written',
-        reportDir,
-        reportJson,
-        reportMd,
-        sessionId,
-        message: `Report written: ${reportDir}`,
-    }, [
-        `pugi report: bundle written`,
-        ` Session: ${sessionId}`,
-        ` Frames captured: ${frames.length}`,
-        ` Files:`,
-        `   ${reportJson}`,
-        `   ${reportMd}`,
-        ``,
-        `Review report.md for accidental PII, then paste into a GH issue OR`,
-        `attach report.json. Auto-upload is planned for a follow-up build.`,
-    ].join('\n'));
-    return 0;
-}
-// Test seam — the redactor is the most-tested piece (false negatives
-// leak secrets; false positives garble bug context). Exported so
-// apps/pugi-cli/test/report.spec.ts can assert the regex behaviour
-// без spinning up a full session.
-export const __INTERNAL_FOR_TESTS = { redact, clampDetail };
-//# sourceMappingURL=report.js.map

package/dist/runtime/commands/resume.js

@@ -1,118 +0,0 @@
-/**
- * `/resume` runtime — .
- *
- * Light runner that augments the existing `pugi resume` surface in
- * `runtime/cli.ts` with rewind-aware session listings. The full
- * REPL-mount path stays in cli.ts (it owns the credential resolver +
- * Ink renderer); this module exposes the data-access helpers the slash
- * dispatcher + the cli.ts handler share.
- *
- * Why a separate runner rather than inlining inside cli.ts: the in-REPL
- * `/resume` slash already holds the writer lock, so it cannot use the
- * read-only view path the top-level command relies on. The split lets
- * the slash code call `listResumableSessionsForRepl` (which routes
- * through the live store) while the shell code calls
- * `listResumableSessionsReadOnly` (which uses the no-lock view).
- */
-import { homedir } from 'node:os';
-import { slugForCwd } from '../../core/repl/history.js';
-import { applyAllMasks, listResumableSessions, } from '../../core/checkpoint/resumer.js';
-import { findLatestActiveRewind } from '../../core/checkpoint/rewinder.js';
-/**
- * Read-only `pugi resume --list` path. Uses the no-lock view so a live
- * REPL writing in the same project does not block the listing.
- */
-export async function runResumeList(ctx) {
-    const slug = slugForCwd(ctx.workspaceRoot);
-    const baseInput = {
-        projectSlug: slug,
-        limit: ctx.limit ?? 10,
-        home: ctx.home ?? homedir(),
-    };
-    const sessions = await listResumableSessions(baseInput);
-    const rows = sessions.map(toResumeListRow);
-    const text = renderResumeList(rows, slug);
-    ctx.writeOutput({
-        command: 'resume',
-        status: rows.length === 0 ? 'empty' : 'listed',
-        projectSlug: slug,
-        sessions: rows,
-    }, text);
-    return {
-        command: 'resume',
-        status: rows.length === 0 ? 'empty' : 'listed',
-        projectSlug: slug,
-        sessions: rows,
-    };
-}
-/**
- * In-REPL `/resume` slash variant. The live REPL holds the writer
- * lockfile so we cannot reuse the read-only view path; this routes
- * through the store the session module already opened. Returns the
- * sessions list directly so the slash handler can render system lines.
- */
-export async function runResumeListForRepl(input) {
-    const slug = slugForCwd(input.workspaceRoot);
-    const limit = input.limit ?? 10;
-    const sessionRows = await input.store.listSessions({
-        project: slug,
-        limit,
-        status: 'active+archived',
-    });
-    const out = [];
-    for (const row of sessionRows) {
-        const events = await input.store.loadEvents(row.id);
-        const visible = applyAllMasks(events);
-        const latest = findLatestActiveRewind(events);
-        out.push({
-            id: row.id,
-            title: row.title,
-            branch: row.branch,
-            turnCount: row.turnCount,
-            eventCount: row.eventCount,
-            visibleEventCount: visible.length,
-            hasActiveRewind: latest !== null,
-            updatedAt: row.updatedAt,
-        });
-    }
-    return out;
-}
-function toResumeListRow(input) {
-    return {
-        id: input.row.id,
-        title: input.row.title,
-        branch: input.row.branch,
-        turnCount: input.row.turnCount,
-        eventCount: input.row.eventCount,
-        visibleEventCount: input.visibleEventCount,
-        hasActiveRewind: input.hasActiveRewind,
-        updatedAt: input.row.updatedAt,
-    };
-}
-/**
- * Pretty-print a resume list. Adds a small "rewound" tag when the
- * session carries an unfinished rewind so the operator knows the
- * transcript will load with a masked range.
- */
-export function renderResumeList(rows, projectSlug) {
-    if (rows.length === 0) {
-        return `No stored sessions for project '${projectSlug}' yet.`;
-    }
-    const lines = [
-        `Recent local sessions for '${projectSlug}' (${rows.length}):`,
-        '',
-    ];
-    for (let i = 0; i < rows.length; i += 1) {
-        const row = rows[i];
-        const title = (row.title ?? '(untitled)').slice(0, 64);
-        const idShort = row.id.slice(0, 13);
-        const branch = (row.branch ?? 'no-branch').padEnd(16);
-        const turns = `${row.turnCount}t`.padStart(4);
-        const events = `${row.visibleEventCount}e`.padStart(5);
-        const tag = row.hasActiveRewind ? ' [rewound]' : '';
-        lines.push(` ${idShort} ${branch} ${turns} ${events}${tag} ${title}`);
-    }
-    lines.push('', 'Resume with: pugi resume <id>');
-    return lines.join('\n');
-}
-//# sourceMappingURL=resume.js.map