@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.10

package/dist/tools/apply-patch.js

@@ -1,556 +0,0 @@
-/**
- * apply_patch tool — Phase 1.
- *
- * Accepts a unified diff (the format produced by `git diff` and
- * consumed by `git apply`) and lands it atomically into the workspace.
- * This is the third edit primitive alongside the 4-layer diff
- * escalation: where the layers escalate from minimal `oldString`/
- * `newString` blocks up to full-file rewrites, apply_patch covers the
- * unified-diff dialect that OpenAI Codex and most external tools emit.
- *
- * Why we have both:
- *
- *  - The 4-layer escalation maximises model-side success rate on
- *    conversational edits (Claude / Gemini / OpenAI all have a
- *    preferred dialect that maps onto one of the layers).
- *  - apply_patch is the "external tools speak this" path. A model
- *    emits a single unified diff (the format `git diff` produces),
- *    and we run it through `git apply` with the same security gate
- *    the layers use.
- *
- * Security: every file mentioned in the patch goes through the same
- * `applySecurityGate` chokepoint as the layers (see
- * `src/core/edits/security-gate.ts`). A patch that touches
- * `../../etc/passwd`, `.env`, or a workspace-local symlink to a protected
- * file is rejected BEFORE `git apply` runs. Symlink escape, protected
- * file, and path traversal are all covered by the same gate the layers
- * inherit — we never roll our own resolver here.
- *
- * Atomicity: a multi-file patch either lands entirely or not at all.
- * `git apply --check` validates the patch end-to-end against the
- * working tree first; only on a clean check do we run the real apply.
- * If the apply still fails partway (extremely rare — usually a race
- * with another writer), we run `git checkout -- <each file>` to roll
- * the tree back. This keeps the dispatcher's invariant: a tool result
- * of `ok: false` means the workspace is unchanged.
- *
- * Idempotency: applying the same patch twice rejects the second with
- * `already_applied`. `git apply` itself returns success only when the
- * patch's pre-image matches the working tree, so a second invocation
- * naturally fails. We translate the specific failure mode into a
- * dedicated reason so callers can short-circuit retry loops.
- *
- * Brand voice: ASCII only, no emoji, no banned words.
- */
-import { spawnSync } from 'node:child_process';
-import { existsSync, rmSync } from 'node:fs';
-import { resolve, sep } from 'node:path';
-import { applySecurityGate } from '../core/edits/security-gate.js';
-import { gateOnCancellation, OperatorAbortedError } from './file-tools.js';
-import { recordToolCall, recordToolResult, recordFileMutation } from '../core/session.js';
-/**
- * Parse the file paths referenced in a unified diff. We look for both
- * `diff --git a/X b/Y` headers (preferred) and the fallback
- * `+++ b/<path>` lines that plain `diff -u` emits. The full set of
- * touched paths feeds the security gate — EVERY file goes through
- * `applySecurityGate` before we trust `git apply` to do anything.
- *
- * Security (R1 fix, PR r1): git emits C-style quoted
- * path headers when a path contains "unusual" bytes (high bits, control
- * chars, double-quote, backslash) and `core.quotePath` is true (the
- * default). The literal header looks like
- * `diff --git "a/.env" "b/.env"`. Before this fix the regex captured
- * the literal `"b/.env"` string and the security gate's basename match
- * never saw `.env` — `basename('"b/.env"')` is `'.env"'` (note the
- * trailing quote) which does NOT match the `.env` protected pattern.
- * `git apply` then de-quoted the header and happily landed on the real
- * `.env`. We strip the surrounding quotes + decode the C-style escapes
- * via `unquoteGitPath` BEFORE passing to the security gate so the
- * basename matcher sees the real target.
- */
-export function extractPatchPaths(patch) {
-    const paths = new Set();
-    for (const line of patch.split('\n')) {
-        if (line.startsWith('diff --git ')) {
-            // `diff --git a/foo b/bar` — paths can contain spaces only when
-            // quoted by git's own diff machinery (rare). The robust extractor
-            // matches the `b/...` half because rename diffs carry the new
-            // name there.
-            // Two variants: unquoted (`a/foo b/bar`) and C-style quoted
-            // (`"a/foo" "b/bar"`). We try the quoted form first because the
-            // unquoted regex below would accept the literal quote as part of
-            // the path otherwise.
-            const quoted = line.match(/^diff --git "a\/(.+)" "b\/(.+)"$/);
-            if (quoted) {
-                if (quoted[1])
-                    paths.add(unquoteGitPath(quoted[1]));
-                if (quoted[2])
-                    paths.add(unquoteGitPath(quoted[2]));
-                continue;
-            }
-            const match = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
-            if (match) {
-                if (match[1])
-                    paths.add(unquoteGitPath(match[1]));
-                if (match[2])
-                    paths.add(unquoteGitPath(match[2]));
-            }
-            continue;
-        }
-        if (line.startsWith('+++ ')) {
-            const after = line.slice(4).trim();
-            if (after === '/dev/null')
-                continue;
-            const stripped = stripQuotedHalf(after, 'b/');
-            if (stripped)
-                paths.add(stripTimestampSuffix(stripped));
-            continue;
-        }
-        if (line.startsWith('--- ')) {
-            const after = line.slice(4).trim();
-            if (after === '/dev/null')
-                continue;
-            const stripped = stripQuotedHalf(after, 'a/');
-            if (stripped)
-                paths.add(stripTimestampSuffix(stripped));
-        }
-    }
-    return Array.from(paths);
-}
-/**
- * Strip the leading `a/` or `b/` prefix from a `---` / `+++` line,
- * handling both unquoted (`b/.env`) and C-style quoted (`"b/.env"`)
- * variants. The returned path is fully de-quoted so the security gate
- * sees the real basename. Returns null when the line does not parse.
- */
-function stripQuotedHalf(after, prefix) {
-    // Quoted form: `"b/path with \"escapes\""`. Detect surrounding quotes
-    // first, strip them, then peel the prefix, then unquote the inner
-    // C-style escapes.
-    if (after.startsWith('"') && after.endsWith('"') && after.length >= 2) {
-        const inner = after.slice(1, -1);
-        const peeled = inner.startsWith(prefix) ? inner.slice(prefix.length) : inner;
-        return unquoteGitPath(peeled);
-    }
-    const trimmed = after.startsWith(prefix) ? after.slice(prefix.length) : after;
-    return trimmed;
-}
-/**
- * Decode git's C-style path quoting. When `core.quotePath` is true
- * (default) git writes paths with high-bit / control / quote bytes as
- * C-string escapes inside double quotes:
- *
- *  `"\.env"` -> `.env`        (backslash before . is just a literal)
- *  `"a\"b"` -> `a"b`         (escaped double-quote)
- *  `"a\\b"` -> `a\b`         (escaped backslash)
- *  `"a\tb"` -> `a` + TAB + `b`
- *  `"a\341\210\264"` -> `a` + UTF-8 bytes 0xe1 0x88 0xb4
- *
- * Accepts a path that is EITHER already unquoted (passed through) OR an
- * inner string previously stripped of its surrounding quotes. The
- * function is idempotent on already-clean ASCII paths.
- *
- * Reference: git source `quote.c::unquote_c_style`.
- */
-export function unquoteGitPath(s) {
-    // If the caller passed us a wrapped string (`"foo"`), peel it now.
-    if (s.startsWith('"') && s.endsWith('"') && s.length >= 2) {
-        s = s.slice(1, -1);
-    }
-    // Fast path: no backslash means no C-style escapes, return as-is.
-    if (!s.includes('\\'))
-        return s;
-    const out = [];
-    for (let i = 0; i < s.length; i += 1) {
-        const ch = s[i];
-        if (ch !== '\\') {
-            // Single-byte ASCII or multi-byte JS string char; the byte we
-            // emit must match its UTF-8 encoding so the security gate sees
-            // the same bytes the filesystem will. JS strings are UTF-16; we
-            // bounce through Buffer to get the canonical UTF-8 bytes.
-            const bytes = Buffer.from(ch ?? '', 'utf8');
-            for (const b of bytes)
-                out.push(b);
-            continue;
-        }
-        const next = s[i + 1];
-        if (next === undefined) {
-            // Trailing backslash with no follower — emit literal.
-            out.push(0x5c);
-            continue;
-        }
-        // Three-digit octal escape: `\NNN` (each digit 0-7).
-        if (next >= '0' && next <= '7' && i + 3 < s.length + 1) {
-            const oct = s.slice(i + 1, i + 4);
-            if (/^[0-7]{3}$/.test(oct)) {
-                out.push(Number.parseInt(oct, 8));
-                i += 3;
-                continue;
-            }
-        }
-        switch (next) {
-            case 'a':
-                out.push(0x07);
-                break;
-            case 'b':
-                out.push(0x08);
-                break;
-            case 't':
-                out.push(0x09);
-                break;
-            case 'n':
-                out.push(0x0a);
-                break;
-            case 'v':
-                out.push(0x0b);
-                break;
-            case 'f':
-                out.push(0x0c);
-                break;
-            case 'r':
-                out.push(0x0d);
-                break;
-            case '"':
-                out.push(0x22);
-                break;
-            case '\\':
-                out.push(0x5c);
-                break;
-            default:
-                // Unknown escape — emit the escape char as a literal so we
-                // don't silently drop bytes. Mirrors git's own permissive
-                // behaviour.
-                out.push(next.charCodeAt(0));
-        }
-        i += 1;
-    }
-    return Buffer.from(out).toString('utf8');
-}
-/**
- * `diff -u` (non-git) emits trailing tab-prefixed timestamps after the
- * path: `--- foo.ts\t2026-05-25 10:00:00`. Strip those so the security
- * gate sees the clean path.
- */
-function stripTimestampSuffix(path) {
-    const tab = path.indexOf('\t');
-    return tab >= 0 ? path.slice(0, tab) : path;
-}
-/**
- * Apply a unified-diff patch to the workspace. Routes every mentioned
- * file through the shared security gate before invoking `git apply`.
- */
-export function applyPatch(ctx, patch, opts = {}) {
-    const toolCallId = recordToolCall(ctx.session, 'apply_patch', `${patch.length} bytes`);
-    try {
-        gateOnCancellation(ctx, 'apply_patch');
-    }
-    catch (error) {
-        if (error instanceof OperatorAbortedError) {
-            recordToolResult(ctx.session, toolCallId, 'cancelled', error.message);
-            throw error;
-        }
-        throw error;
-    }
-    if (patch.trim().length === 0) {
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'empty_patch',
-            detail: 'patch body is empty',
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', 'empty_patch');
-        return result;
-    }
-    // β7 L4: pre-flight conflict-marker check. A patch that still carries
-    // unresolved `<<<<<<<`/`=======`/`>>>>>>>` lines is almost always
-    // operator error (copy-pasted a half-resolved merge instead of the
-    // clean diff). `git apply` would reject it with a confusing
-    // "corrupt patch" message; the dedicated reason makes the failure
-    // obvious. We only check at body line starts so a legitimate diff
-    // that adds a string literal containing `<<<<<<<` for tests still
-    // applies.
-    if (containsConflictMarkers(patch)) {
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'conflict_markers',
-            detail: 'patch body contains unresolved git conflict markers (<<<<<<<, =======, >>>>>>>). ' +
-                'Resolve the conflict first or use --3way with --base=<sha> to defer to git.',
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', 'conflict_markers');
-        return result;
-    }
-    const paths = extractPatchPaths(patch);
-    if (paths.length === 0) {
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'invalid_patch',
-            detail: 'no `diff --git` or `+++` headers found in patch',
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', 'invalid_patch');
-        return result;
-    }
-    // SECURITY GATE — reuse the chokepoint. Every path in the patch
-    // is validated against:
-    //  1. workspace containment (no ../../ escapes)
-    //  2. protected-file basenames (.env, *.pem, id_rsa, etc.)
-    //  3. symlink escape (an in-workspace symlink pointing to /etc/hosts
-    //     or a protected basename gets rejected here)
-    for (const file of paths) {
-        const gate = applySecurityGate(file, { cwd: ctx.root, toolName: 'layer-c' });
-        if (!gate.ok) {
-            const result = {
-                ok: false,
-                filesChanged: [],
-                reason: gate.reason,
-                detail: `${file}: ${gate.detail}`,
-            };
-            recordToolResult(ctx.session, toolCallId, 'error', `${gate.reason}: ${file}`);
-            return result;
-        }
-    }
-    // `git apply --check` validates the patch end-to-end against the
-    // working tree. A passing check is the gate for the actual apply.
-    const checkArgs = ['apply', '--check'];
-    if (opts.baseSha)
-        checkArgs.push('--3way');
-    checkArgs.push('-');
-    const check = runGit(checkArgs, ctx.root, patch);
-    if (check.status === 127) {
-        // No git binary on PATH. Rare on a developer machine but possible
-        // in slim containers / CI images. Surface a dedicated reason so
-        // the operator's message says "install git" not "patch is bad".
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'git_unavailable',
-            detail: 'git not found on PATH',
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', 'git_unavailable');
-        return result;
-    }
-    if (check.status !== 0) {
-        // Decide whether this is the "already applied" case or a real
-        // failure. `git apply --check` rejects an already-applied patch
-        // with stderr containing patterns like "patch does not apply" or
-        // "already exists in working directory". The simpler signal is
-        // the stderr string containing `already exists in working directory`
-        // (git's own message for a creating patch landing twice) — that's
-        // the only path we treat as `already_applied` here. Other stderr
-        // surfaces fall through to `check_failed` so the operator sees the
-        // raw reason.
-        const stderr = check.stderr.toLowerCase();
-        if (stderr.includes('already exists in working directory')) {
-            const result = {
-                ok: false,
-                filesChanged: [],
-                reason: 'already_applied',
-                detail: 'patch creates a path that already exists — likely already applied',
-            };
-            recordToolResult(ctx.session, toolCallId, 'error', 'already_applied');
-            return result;
-        }
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'check_failed',
-            detail: check.stderr.trim() || 'git apply --check rejected the patch',
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', `check_failed: ${result.detail}`);
-        return result;
-    }
-    if (opts.dryRun) {
-        const result = {
-            ok: true,
-            filesChanged: paths,
-        };
-        recordToolResult(ctx.session, toolCallId, 'success', `dry-run ok, ${paths.length} files`);
-        return result;
-    }
-    // R1 fix (2026-05-26, PR r1, Fix 6): snapshot which paths exist
-    // BEFORE the apply so rollbackFiles can decide between
-    // `git checkout -- <file>` (for files that existed) and `fs.rmSync`
-    // (for files the patch was creating that may have been half-written
-    // before the failure). Without this snapshot, `git checkout`
-    // gracefully no-ops on a never-tracked file and the partial creation
-    // is left behind.
-    const preExisting = new Map();
-    for (const p of paths) {
-        preExisting.set(p, existsSync(resolve(ctx.root, p)));
-    }
-    const applyArgs = ['apply'];
-    if (opts.baseSha)
-        applyArgs.push('--3way');
-    applyArgs.push('-');
-    const apply = runGit(applyArgs, ctx.root, patch);
-    if (apply.status !== 0) {
-        // Apply failed AFTER --check passed. This is almost always a TOCTOU
-        // (another writer touched a file between the two git calls).
-        // Rollback ANY partial mutation so the workspace stays consistent.
-        const rollback = rollbackFiles(ctx.root, paths, preExisting);
-        const detail = apply.stderr.trim() || 'git apply failed after passing --check';
-        if (!rollback.ok) {
-            const result = {
-                ok: false,
-                filesChanged: [],
-                reason: 'rollback_failed',
-                detail: `${detail}; rollback also failed: ${rollback.detail}`,
-            };
-            recordToolResult(ctx.session, toolCallId, 'error', 'rollback_failed');
-            return result;
-        }
-        const result = {
-            ok: false,
-            filesChanged: [],
-            reason: 'apply_failed',
-            detail,
-        };
-        recordToolResult(ctx.session, toolCallId, 'error', `apply_failed: ${detail}`);
-        return result;
-    }
-    // Audit-log every file the patch mutated. The before/after hashes
-    // are NOT recorded (git owns the staging area for that); the
-    // mutation entry is enough for `pugi undo` to surface "apply_patch
-    // touched these files" in the timeline.
-    for (const file of paths) {
-        recordFileMutation(ctx.session, {
-            toolCallId,
-            path: file,
-            operation: 'update',
-        });
-    }
-    recordToolResult(ctx.session, toolCallId, 'success', `applied ${paths.length} files`);
-    return { ok: true, filesChanged: paths };
-}
-/**
- * Roll back any partial mutation by checking files out from HEAD. Used
- * only on the rare path where `git apply` fails AFTER `git apply --check`
- * passed.
- *
- * R1 fix (2026-05-26, PR r1, Fix 6): a multi-file patch that
- * creates new files leaves them on disk when `git apply` fails partway —
- * `git checkout -- <file>` does NOT delete a path that was never tracked
- * (the file was created by the failed apply). We split paths into two
- * groups using the pre-apply snapshot:
- *
- *  - existed-before -> `git checkout -- <file>` restores tracked content.
- *  - created-by-apply -> `fs.rmSync(file, { force: true })` removes the
- *    half-written file so the workspace ends up identical to its
- *    pre-apply state.
- *
- * This keeps the dispatcher's invariant: a tool result of `ok: false`
- * means the workspace is unchanged.
- */
-function rollbackFiles(cwd, paths, preExisting) {
-    if (paths.length === 0)
-        return { ok: true };
-    // We only attempt to roll back files that are inside the workspace
-    // and were resolved by the security gate. A path that escaped the
-    // gate would have already aborted us above.
-    const safePaths = paths.filter((p) => {
-        const abs = resolve(cwd, p);
-        return abs === cwd || abs.startsWith(cwd + sep);
-    });
-    if (safePaths.length === 0)
-        return { ok: true };
-    const toCheckout = [];
-    const toRemove = [];
-    for (const p of safePaths) {
-        if (preExisting.get(p))
-            toCheckout.push(p);
-        else
-            toRemove.push(p);
-    }
-    // Unlink files that the patch was creating. `force: true` swallows
-    // ENOENT so a creation that never got far enough to write the file
-    // is a no-op. We record every unlink failure but keep going so a
-    // single permission error on one file doesn't strand the others.
-    const removeFailures = [];
-    for (const p of toRemove) {
-        const abs = resolve(cwd, p);
-        try {
-            rmSync(abs, { force: true });
-        }
-        catch (error) {
-            removeFailures.push(`${p}: ${error instanceof Error ? error.message : String(error)}`);
-        }
-    }
-    if (toCheckout.length > 0) {
-        const result = runGit(['checkout', '--', ...toCheckout], cwd);
-        if (result.status !== 0) {
-            const detail = [result.stderr.trim(), ...removeFailures].filter(Boolean).join('; ');
-            return { ok: false, detail };
-        }
-    }
-    if (removeFailures.length > 0) {
-        return { ok: false, detail: `rollback unlink failed: ${removeFailures.join('; ')}` };
-    }
-    return { ok: true };
-}
-function runGit(args, cwd, stdin) {
-    // R1 fix (2026-05-26, PR r1, P2 #13): force the English C locale
-    // for the git child process. The `already_applied` reason-coding
-    // below greps stderr for the literal English string
-    // "already exists in working directory"; on a host where git was
-    // installed with a translated message catalog (de_DE / ru_RU / etc.)
-    // the substring match would silently miss and the operator would see
-    // `check_failed` instead of `already_applied`. C locale (also
-    // LC_ALL) guarantees the canonical message regardless of host env.
-    return spawnSync('git', args, {
-        cwd,
-        input: stdin,
-        encoding: 'utf8',
-        maxBuffer: 64 * 1024 * 1024,
-        env: { ...process.env, LANG: 'C', LC_ALL: 'C' },
-    });
-}
-/**
- * β7 L4: detect unresolved git conflict markers in a patch body.
- *
- * Conflict markers in a unified diff are a sign of operator error —
- * someone copy-pasted a half-merged file instead of the clean diff.
- * `git apply` would reject the patch with a confusing parse error
- * ("corrupt patch at line N"). We check at the START of body lines so
- * a legitimate diff that adds a string literal containing `<<<<<<<`
- * (rare but legitimate for tests) still applies.
- *
- * Conflict marker bytes in a unified diff body look like:
- *
- *  +<<<<<<< HEAD
- *  +=======
- *  +>>>>>>> branch
- *
- * The `+` prefix is the unified-diff line-add marker. We strip it
- * before the marker check; without the strip, an INVERSE diff that
- * REMOVES a real conflict marker (legitimate cleanup commit) would be
- * a false positive.
- *
- * Returns true when ANY conflict marker is detected.
- */
-export function containsConflictMarkers(patch) {
-    for (const line of patch.split('\n')) {
-        // Only inspect body lines (start with `+` or `-` — the diff add/del
-        // markers). Header lines (`diff --git`, `+++`, `---`, `@@`) are
-        // skipped because the marker tokens cannot appear in those positions.
-        if (!(line.startsWith('+') || line.startsWith('-')))
-            continue;
-        // Skip diff header lines (`+++ b/foo` / `--- a/foo`).
-        if (line.startsWith('+++') || line.startsWith('---'))
-            continue;
-        const body = line.slice(1);
-        if (body.startsWith('<<<<<<<') ||
-            body.startsWith('>>>>>>>') ||
-            body === '=======') {
-            return true;
-        }
-    }
-    return false;
-}
-/**
- * Test-only surface for the apply-patch heuristics. Specs poke
- * `extractPatchPaths` directly to assert on the path-parsing layer
- * without paying for a real git invocation.
- */
-export const __test__ = { extractPatchPaths, runGit, unquoteGitPath, containsConflictMarkers };
-//# sourceMappingURL=apply-patch.js.map