@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.10

package/dist/tools/powershell.js

@@ -1,268 +0,0 @@
-/**
- * PowerShell tool — .
- *
- * Windows operators cannot run native `*.ps1` scripts via the bash tool
- * (which spawns `/bin/sh`). This tool spawns `pwsh -NoProfile -Command`
- * на cross-platform PowerShell 7+ binary so Windows-first workflows are
- * first-class на Pugi.
- *
- * independent implementation re-implementation. Surface mirrors bashTool's permission
- * gate, env sanitiser, output cap, timeout, and exit-code propagation;
- * the only difference is the shell binary selection. Per-platform
- * resolution:
- *  - All OS: try `pwsh` on $PATH first (PowerShell 7+ cross-platform).
- *  - Windows fallback: `powershell.exe` (Windows PowerShell 5.1 baked-in).
- *  - Other OS without pwsh: tool returns a clear "powershell binary
- *    not found" error so the operator can install pwsh or fall back
- *    к bash.
- *
- * Permission class: reuses the bash classifier — destructive patterns,
- * sandbox detection, and additional-directories checks are command-string
- * based and apply equally to pwsh and sh.
- */
-import { spawnSync } from 'node:child_process';
-import { listDestructivePatterns } from '../core/bash-classifier.js';
-import { recordToolCall, recordToolResult } from '../core/session.js';
-export const POWERSHELL_OUTPUT_CAP_BYTES = 64 * 1024;
-export const POWERSHELL_DEFAULT_TIMEOUT_MS = 30_000;
-export const POWERSHELL_MAX_TIMEOUT_MS = 120_000;
-/**
- * PowerShell-specific destructive patterns. Layered ON TOP of the
- * shared `listDestructivePatterns()` from the bash classifier (which
- * covers `rm -rf`, `DROP TABLE`, etc — patterns that also surface в
- * pwsh-via-aliases). These are the cmdlet forms unique to pwsh.
- *
- * Patterns are case-insensitive matched against the command string
- * (pwsh cmdlets accept any case: `remove-item -force` == `Remove-Item -Force`).
- */
-const PWSH_DESTRUCTIVE_PATTERNS = [
-    // Recursive force delete via cmdlet
-    'remove-item -recurse -force',
-    'remove-item -force -recurse',
-    'ri -recurse -force',
-    'ri -force -recurse',
-    'rmdir -recurse -force',
-    'rmdir -force -recurse',
-    // Disk / volume operations
-    'format-volume',
-    'clear-disk',
-    'reset-physicaldisk',
-    // System state
-    'stop-computer',
-    'restart-computer',
-    'shutdown',
-    // Security weakening
-    'set-executionpolicy unrestricted',
-    'set-executionpolicy bypass',
-    // Service / process attack surface
-    'invoke-webrequest', // common phishing-script vector when piped to iex
-    'iex (new-object', // download-execute pattern
-    // Credential exfil
-    'get-credential | export-clixml',
-];
-/**
- * Normalize whitespace before pattern matching: collapse runs of
- * whitespace к single space + lowercase. Defends against the
- * `iex(New-Object`/`IEX (New-Object` style bypass where pattern
- * `iex (new-object` would miss the no-space or double-space variant.
- */
-function normalizeForMatch(text) {
-    return text.toLowerCase().replace(/\s+/g, ' ');
-}
-function findPwshDestructiveMatch(cmd) {
-    const normalized = normalizeForMatch(cmd);
-    for (const pattern of PWSH_DESTRUCTIVE_PATTERNS) {
-        if (normalized.includes(normalizeForMatch(pattern)))
-            return pattern;
-    }
-    // Fall back к the shared bash destructive list (covers cross-shell
-    // patterns like `rm -rf /`, `DROP DATABASE`). Shared patterns may
-    // contain uppercase (case-insensitive SQL verbs); normalize both
-    // sides before compare.
-    const shared = listDestructivePatterns();
-    for (const pattern of shared) {
-        if (normalized.includes(normalizeForMatch(pattern)))
-            return pattern;
-    }
-    return null;
-}
-/**
- * PowerShell-aware permission decision. Differs from
- * `evaluateBashPermission` в two ways:
- *
- *  1. Default class is `allow` (after destructive check) instead of
- *     `unknown → deny`. The bash classifier rejects any first-token
- *     it does not recognise — appropriate for bash where every verb
- *     is a separate binary, hostile for pwsh where the Verb-Noun
- *     cmdlet convention means thousands of legitimate verbs exist
- *     (`Get-Process`, `$PSVersionTable`, `Select-Object`, ...).
- *
- *  2. Destructive patterns combine the shared bash denylist (covers
- *     cross-shell patterns like `rm -rf`) с pwsh-specific cmdlet
- *     forms (`Remove-Item -Recurse -Force`, `Format-Volume`, etc).
- *
- * Mode FSM mirrors bash: plan → deny ALL, ask → ask, auto/bypass → allow,
- * destructive class → deny unless `bypassPermissions + human + ENV override`.
- */
-function evaluatePwshPermission(cmd, mode, source) {
-    const destructive = findPwshDestructiveMatch(cmd);
-    if (destructive !== null) {
-        const overrideOk = mode === 'bypassPermissions' &&
-            source === 'human' &&
-            process.env['PUGI_DESTRUCTIVE_OVERRIDE'] === '1';
-        if (overrideOk) {
-            return {
-                decision: 'allow',
-                reason: `destructive pwsh pattern '${destructive}' allowed via override (bypassPermissions + human + PUGI_DESTRUCTIVE_OVERRIDE=1)`,
-            };
-        }
-        return {
-            decision: 'deny',
-            reason: `destructive pwsh pattern '${destructive}' is always denied (override requires bypassPermissions + human + PUGI_DESTRUCTIVE_OVERRIDE=1)`,
-        };
-    }
-    // Non-destructive pwsh command — mode FSM.
-    switch (mode) {
-        case 'plan':
-            return { decision: 'deny', reason: 'plan mode denies all shell dispatches' };
-        case 'ask':
-        case 'acceptEdits':
-            return { decision: 'ask', reason: 'pwsh command requires operator confirmation' };
-        case 'auto':
-        case 'dontAsk':
-        case 'bypassPermissions':
-            return { decision: 'allow', reason: 'pwsh command allowed by mode' };
-        default:
-            return { decision: 'ask', reason: `unknown mode ${mode}; defaulting к ask` };
-    }
-}
-/** Cached binary path so repeated calls inside one session skip the probe. */
-let cachedShellBinary;
-function resolveShellBinary() {
-    if (cachedShellBinary !== undefined)
-        return cachedShellBinary;
-    // Try pwsh (cross-platform PowerShell 7+) first.
-    const pwshProbe = spawnSync('pwsh', ['-NoProfile', '-Command', 'exit 0'], {
-        encoding: 'utf8',
-        stdio: ['ignore', 'ignore', 'ignore'],
-        timeout: 3000,
-    });
-    if (pwshProbe.status === 0) {
-        cachedShellBinary = 'pwsh';
-        return 'pwsh';
-    }
-    // Windows fallback к the baked-in PowerShell 5.1.
-    if (process.platform === 'win32') {
-        const wpsProbe = spawnSync('powershell.exe', ['-NoProfile', '-Command', 'exit 0'], {
-            encoding: 'utf8',
-            stdio: ['ignore', 'ignore', 'ignore'],
-            timeout: 3000,
-        });
-        if (wpsProbe.status === 0) {
-            cachedShellBinary = 'powershell.exe';
-            return 'powershell.exe';
-        }
-    }
-    cachedShellBinary = null;
-    return null;
-}
-function sanitizeTimeout(value) {
-    if (value === undefined || !Number.isFinite(value) || value <= 0) {
-        return POWERSHELL_DEFAULT_TIMEOUT_MS;
-    }
-    return Math.min(value, POWERSHELL_MAX_TIMEOUT_MS);
-}
-function buildChildEnv() {
-    const env = { ...process.env };
-    delete env['PUGI_API_KEY'];
-    delete env['PUGI_LOGIN_TOKEN'];
-    return env;
-}
-/**
- * Sync PowerShell dispatch. Mirrors bashToolSync shape so dispatchTool
- * can call either tool with the same context shape.
- */
-export function powerShellToolSync(input, ctx) {
-    const cmd = input.cmd ?? '';
-    const source = ctx.source ?? 'agent';
-    const toolCallId = recordToolCall(ctx.session, 'powershell', cmd);
-    // pwsh-aware permission gate (NOT the bash classifier). Bash classifier
-    // would reject `$PSVersionTable`, `Get-Process`, etc as "Unrecognized
-    // command" → default-deny, making the pwsh tool useless. The pwsh gate
-    // applies the shared destructive denylist (rm -rf / DROP TABLE) + a
-    // pwsh-specific list (Remove-Item -Recurse -Force / Format-Volume /
-    // Set-ExecutionPolicy Unrestricted / iex (New-Object ...)) and
-    // defaults non-destructive cmdlets к allow under mode FSM.
-    const decision = evaluatePwshPermission(cmd, ctx.settings.permissions.mode, source);
-    if (decision.decision !== 'allow') {
-        const reason = `Permission ${decision.decision}: ${decision.reason}`;
-        recordToolResult(ctx.session, toolCallId, 'error', reason);
-        return {
-            stdout: '',
-            stderr: `Permission ${decision.decision}: ${decision.reason}`,
-            exitCode: 126,
-            truncated: false,
-            timedOut: false,
-            shellBinary: 'unresolved',
-        };
-    }
-    const shellBinary = resolveShellBinary();
-    if (shellBinary === null) {
-        const reason = 'powershell binary not found (tried pwsh' +
-            (process.platform === 'win32' ? ', powershell.exe' : '') +
-            '). Install PowerShell 7+ from https://aka.ms/powershell or use the bash tool instead.';
-        recordToolResult(ctx.session, toolCallId, 'error', reason);
-        return {
-            stdout: '',
-            stderr: reason,
-            exitCode: 127,
-            truncated: false,
-            timedOut: false,
-            shellBinary: 'unavailable',
-        };
-    }
-    const timeoutMs = sanitizeTimeout(input.timeoutMs);
-    const childEnv = buildChildEnv();
-    const cwd = input.cwd ?? ctx.root;
-    const result = spawnSync(shellBinary, ['-NoProfile', '-Command', cmd], {
-        cwd,
-        env: childEnv,
-        encoding: 'utf8',
-        stdio: ['ignore', 'pipe', 'pipe'],
-        timeout: timeoutMs,
-        maxBuffer: 10 * 1024 * 1024,
-    });
-    const stdoutFull = (result.stdout ?? '').toString();
-    const stderrFull = (result.stderr ?? '').toString();
-    const combined = stdoutFull.length + stderrFull.length;
-    const truncated = combined > POWERSHELL_OUTPUT_CAP_BYTES;
-    let stdoutOut = stdoutFull;
-    let stderrOut = stderrFull;
-    if (truncated) {
-        const halfCap = POWERSHELL_OUTPUT_CAP_BYTES / 2;
-        stdoutOut = stdoutFull.slice(0, halfCap);
-        stderrOut = stderrFull.slice(0, halfCap);
-    }
-    const timedOut = result.error?.code === 'ETIMEDOUT' ||
-        result.signal === 'SIGTERM';
-    const exitCode = timedOut ? 124 : result.status ?? 1;
-    if (timedOut) {
-        recordToolResult(ctx.session, toolCallId, 'error', `powershell timed out after ${timeoutMs}ms`);
-    }
-    else {
-        recordToolResult(ctx.session, toolCallId, 'success', `powershell exit=${exitCode} bytes=${combined} binary=${shellBinary}`);
-    }
-    return {
-        stdout: stdoutOut,
-        stderr: stderrOut,
-        exitCode,
-        truncated,
-        timedOut,
-        shellBinary,
-    };
-}
-/** Visible-for-spec helper: forces a re-probe on next call. */
-export function _resetShellBinaryCacheForSpec() {
-    cachedShellBinary = undefined;
-}
-//# sourceMappingURL=powershell.js.map

package/dist/tools/registry.js

@@ -1,166 +0,0 @@
-const registry = [
-    // : unified-diff patch apply. Routes through the same security
-    // gate as Layer A/B/C, so the risk class matches `edit`/`write`
-    // (medium — writes inside the workspace, never to protected files).
-    { name: 'apply_patch', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
-    // structured multi-choice clarifier tool. Risk =
-    // low because the dispatch is a pure UI surface — no file writes, no
-    // shell, no network. Permission = none (no workspace access required).
-    // concurrencySafe = true because the prompt-budget gate runs in the
-    // engine loop, not via tool-side mutex (one prompt per turn is enforced
-    // by the persona system prompt + the engine's tool_calls budget).
-    { name: 'ask_user_question', permission: 'none', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'bash', permission: 'bash', risk: 'high', concurrencySafe: false, m1: true },
-    // Tool gap pack : structured progress brief. Writes
-    // one JSONL record to `.pugi/briefs/<session>.jsonl` per call via
-    // atomic tmp+rename. Risk = low (metadata only, no source mutation).
-    // concurrencySafe = false because the read-modify-write loop is not
-    // atomic (the rename is atomic but two parallel dispatches could lose
-    // the loser's record).
-    { name: 'brief', permission: 'none', risk: 'low', concurrencySafe: false, m1: false },
-    // Backlog #5 P0 : verify_plan_execution anti-fake-dispatch gate.
-    // Reads session audit events only; safe для parallel dispatches.
-    { name: 'verify_plan_execution', permission: 'none', risk: 'low', concurrencySafe: true, m1: false },
-    // Backlog PUGI-7 : cron_* tool family. Persists routine registry to
-    // `.pugi/cron/<name>.json` (one file per routine, atomic tmp+rename).
-    // Permission = none because the writes land in metadata, not source —
-    // mirrors the brief / todo_write posture. concurrencySafe = false for
-    // create + delete because per-file persistence is atomic individually
-    // but two parallel creates of the SAME name race on the rename and
-    // the loser's body is dropped silently; cron_list is read-only and
-    // safe for concurrent dispatch. Risk = low across the board: routines
-    // are configuration objects, the actual scheduler runner lives behind
-    // an explicit `pugi routines run` opt-in and is OUT of this surface.
-    { name: 'cron_create', permission: 'none', risk: 'low', concurrencySafe: false, m1: false },
-    { name: 'cron_delete', permission: 'none', risk: 'low', concurrencySafe: false, m1: false },
-    { name: 'cron_list', permission: 'none', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'edit', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
-    // Tool gap pack : scratch worktree open. Spawns
-    // `git worktree add` under `.pugi/worktrees/<taskId>/`. Permission =
-    // edit because the spawn materialises files on disk; risk = medium
-    // to mirror the existing worktree_create posture (PR r1 raised
-    // that one for disk-pressure parity, same applies here).
-    { name: 'enter_worktree', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: false },
-    // Tool gap pack : scratch worktree teardown. The
-    // destructive primitive — runs `git worktree remove --force` then a
-    // recursive rmSync, both gated by a strict containment check that
-    // refuses any path outside <workspace>/.pugi/worktrees/. Mirrors
-    // worktree_drop's medium-risk posture for the same reason.
-    { name: 'exit_worktree', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: false },
-    { name: 'glob', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'grep', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    // Phase 1 runtime evidence pack (PUGI-291..295): http_request issues a
-    // single HTTP call, mostly against loopback URLs produced by
-    // `server_start`. permission = 'network' to share the same egress
-    // gate as web_fetch; risk = 'medium' because the dispatcher will
-    // accept arbitrary verbs (POST/PUT/DELETE) - destructive verbs only
-    // when the caller opts in by URL/body. concurrencySafe = true because
-    // every dispatch is a fresh fetch with no shared state.
-    { name: 'http_request', permission: 'network', risk: 'medium', concurrencySafe: true, m1: false },
-    // : LSP read-only surface. Server runs locally, no Anvil
-    // round-trip. Concurrency-safe because every operation reads
-    // server state without mutating workspace files.
-    { name: 'lsp_definition', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'lsp_diagnostics', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'lsp_hover', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'lsp_references', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    // PUGI-78 Phase 1 — symbols.* namespace. 13 first-class tools that
-    // expose the full LSP symbol-aware surface (definition, references,
-    // hover, signature, document/workspace symbols, rename preview, call
-    // hierarchy, implementations, type definition, code actions,
-    // formatter, diagnostics). All read-only in Phase 1 — `rename` /
-    // `format` / `code_actions` return PREVIEW edits the dispatcher
-    // applies via apply_patch in a future ticket. Permission stays
-    // `read` because no workspace mutation happens on dispatch; risk
-    // stays `low` because the LSP server is local and the payload is
-    // capped at 8 KB per tool.
-    { name: 'symbols_call_hierarchy', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_code_actions', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_diagnostics', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_find_definition', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_find_references', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_format', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_hover', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_implementations', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_list_in_file', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_rename', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_signature', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_type_definition', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'symbols_workspace_symbols', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    // β7 L5+T11: multi_edit dispatches an ordered batch of Layer A edits
-    // as a single transaction. Risk = medium (same chokepoints as `edit`).
-    // concurrencySafe = false because the journal serialises one dispatch
-    // per session.
-    { name: 'multi_edit', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
-    // PowerShell tool for Windows-first workflows. Same
-    // bash permission class — destructive-pattern classification fires the
-    // same gate. concurrencySafe = false because spawn-shell child cwd /
-    // env carry-over could race across parallel agent calls.
-    { name: 'powershell', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
-    { name: 'question', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
-    { name: 'read', permission: 'read', risk: 'low', concurrencySafe: true, m1: true },
-    // Phase 1 runtime evidence pack (PUGI-291..295): server_* family.
-    // server_start spawns a process under /bin/sh -c and persists pid +
-    // log path к .pugi/runs/<runId>/. permission = 'bash' shares the
-    // same destructive-classifier gate as the bash tool (the command
-    // ultimately runs in a real shell). risk = 'high' for start/stop
-    // (process lifecycle mutates the operator's machine) and 'low' for
-    // health/logs (read-only probes). concurrencySafe = false for
-    // start/stop because the pid registry is not transactional;
-    // health/logs are safe to dispatch in parallel.
-    { name: 'server_health', permission: 'network', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'server_logs', permission: 'read', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'server_start', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
-    { name: 'server_stop', permission: 'bash', risk: 'high', concurrencySafe: false, m1: false },
-    // Tool gap pack : wall-clock pause primitive. No
-    // filesystem / network / shell side-effects. concurrencySafe = true
-    // because every dispatch is a fresh setTimeout closure with no
-    // shared state.
-    { name: 'sleep', permission: 'none', risk: 'low', concurrencySafe: true, m1: false },
-    // Tool gap pack : experimental engine-only echo
-    // helper. Writes verbatim bytes to the requested stream so a test
-    // harness can assert on the dispatch without spinning the full
-    // engine loop. NOT advertised to customer agents (allowSyntheticOutput
-    // opt-in at the executor level). Risk = low (no source mutation, no
-    // shell), concurrencySafe = true (writes go to fresh stream calls).
-    { name: 'synthetic_output', permission: 'none', risk: 'low', concurrencySafe: true, m1: false },
-    { name: 'task_create', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
-    { name: 'task_get', permission: 'none', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'task_list', permission: 'none', risk: 'low', concurrencySafe: true, m1: true },
-    { name: 'task_update', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
-    // batch TodoWrite. Mirrors the standard tool's upstream
-    // surface — full board snapshot, single-in-progress invariant, atomic
-    // tmp+rename persistence to `.pugi/todos.json`. `concurrencySafe = false`
-    // because two concurrent writes could lose the loser's snapshot (the
-    // rename is atomic but the read-modify-write loop is not). Risk = low
-    // because the only filesystem mutation lands inside `.pugi/todos.json`,
-    // which is metadata, not source.
-    { name: 'todo_write', permission: 'none', risk: 'low', concurrencySafe: false, m1: true },
-    { name: 'web_fetch', permission: 'network', risk: 'medium', concurrencySafe: true, m1: true },
-    // : scratch worktree management. `worktree_create` writes nothing
-    // dangerous (a clone under `.pugi/worktrees/`); `worktree_promote`
-    // applies a diff back to the main tree, so it shares the `edit`
-    // risk class. `worktree_drop` is the cleanup primitive.
-    //
-    // R1 fix (2026-05-26, PR r1, Fix 9): raised `worktree_create`
-    // and `worktree_drop` from `low` to `medium`. `worktree_drop` runs
-    // `rmSync` on its target — even with the new path-containment gate
-    // in `core/edits/worktree.ts::dropWorktree`, a destructive primitive
-    // belongs in `medium` so the permission FSM prompts on every call.
-    // `worktree_create` is raised for disk-pressure parity (a runaway
-    // agent loop could fill the disk with abandoned scratch worktrees).
-    { name: 'worktree_create', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
-    { name: 'worktree_drop', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
-    { name: 'worktree_promote', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
-    { name: 'write', permission: 'edit', risk: 'medium', concurrencySafe: false, m1: true },
-];
-export const toolRegistry = registry.sort((a, b) => a.name.localeCompare(b.name));
-export function toolSchemaBundleHashInput() {
-    return JSON.stringify(toolRegistry.map((tool) => ({
-        name: tool.name,
-        permission: tool.permission,
-        risk: tool.risk,
-        concurrencySafe: tool.concurrencySafe,
-    })));
-}
-//# sourceMappingURL=registry.js.map