@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.10

package/dist/core/denial-tracking/state.js

@@ -1,264 +0,0 @@
-/**
- * L11 — DenialTrackingState surface (the upstream tool parity).
- *
- * Per the upstream /  the upstream behavior (``
- * §5.2): the upstream tool's `QueryEngine.ts` maintains a per-session
- * `DenialTrackingState` that records every tool-dispatch denial.
- * Subsequent turns receive a compact reminder so the model does not
- * loop on the same refused operation, the operator can audit pressure
- * points via `/permissions denials` / `/doctor`, and hooks can react
- * to recurring patterns.
- *
- * Pugi pre-L11 surfaced denials only as a one-line sentinel inside the
- * tool error (`HOOK_BLOCKED:`, `PLAN_MODE_REFUSED:`, `STALE_READ:`).
- * The model saw each refusal in isolation; no aggregate, no count, no
- * "do not retry" context across turns. This module closes that gap.
- *
- * Design contract:
- *
- *  - Per-session in-memory state. The engine adapter creates one
- *    instance at session open and threads it through `buildExecutor`
- *    + `runEngineLoop`. No disk persistence — denial history is a
- *    turn-scoped signal, not a forensic log (the audit ledger at
- *    `.pugi/events.jsonl` already carries every refused dispatch).
- *
- *  - Pure: no I/O, no logging. Inputs are passed by caller, output
- *    is in-memory only. The diagnostics probe + system-reminder
- *    splice are pure functions over the snapshot.
- *
- *  - Canonical argHash: sha256 of `canonicalize(args)`. Same call
- *    to same tool with same args = same key. Reordering JSON object
- *    keys does NOT change the hash (we sort keys recursively before
- *    stringification). This makes "repeated denial" detection
- *    deterministic across model retries.
- *
- *  - Bounded: the map caps at 256 entries per session. Once full,
- *    `recordDenial` evicts the oldest entry (lowest `lastDeniedAt`).
- *    A session with > 256 distinct denials is already pathological;
- *    the cap is defensive insurance against pathological loops
- *    blowing memory.
- *
- *  - Reminder threshold: the reminder splice only injects when at
- *    least one record has `count >= 2`. One-off denials are normal
- *    (the operator is shaping the session); repeated denials = the
- *    model is failing to learn from the refusal and we should
- *    reinforce it.
- */
-import { createHash } from 'node:crypto';
-/** Bound on the per-session map. See module header. */
-export const DENIAL_TRACKING_MAX_ENTRIES = 256;
-/** Threshold above which `buildDenialContext` injects a system reminder. */
-export const DENIAL_REMINDER_THRESHOLD = 2;
-/** Per-denial-args summary cap surfaced to the model. */
-export const DENIAL_ARGS_SUMMARY_BYTES = 240;
-/**
- * Per-session denial tracker. Instances are mutable but threaded
- * through `buildExecutor` so every dispatcher in the loop sees the
- * same view.
- */
-export class DenialTrackingState {
-    /** Insertion-ordered map. Eviction walks oldest `lastDeniedAt`. */
-    records = new Map();
-    /**
-     * Wall clock. Defaults to `Date.now`. Injected so tests can drive
-     * deterministic timestamps.
-     */
-    clock;
-    constructor(options = {}) {
-        this.clock = options.clock ?? Date.now;
-    }
-    /**
-     * Record a denial. Increments the count when the (tool, args) pair
-     * has been denied before; otherwise inserts a new record. The reason
-     * is always overwritten with the latest value so the system reminder
-     * surfaces the most-recent context.
-     */
-    recordDenial(toolName, args, reason) {
-        const argHash = canonicalArgHash(args);
-        const key = `${toolName}:${argHash}`;
-        const now = new Date(this.clock());
-        const existing = this.records.get(key);
-        if (existing) {
-            existing.count += 1;
-            existing.lastDeniedAt = now;
-            existing.lastReason = truncateReason(reason);
-            // Re-insert so the iteration order tracks lastDeniedAt (LRU-ish).
-            this.records.delete(key);
-            this.records.set(key, existing);
-            return existing;
-        }
-        if (this.records.size >= DENIAL_TRACKING_MAX_ENTRIES) {
-            // Evict the oldest entry (insertion order = LRU after our delete
-            // + set pattern above). Map iteration order is insertion order
-            // in JS; the first key is the LRU one.
-            const oldestKey = this.records.keys().next().value;
-            if (oldestKey !== undefined) {
-                this.records.delete(oldestKey);
-            }
-        }
-        const record = {
-            key,
-            toolName,
-            argsSummary: summariseArgs(args),
-            firstDeniedAt: now,
-            lastDeniedAt: now,
-            count: 1,
-            lastReason: truncateReason(reason),
-        };
-        this.records.set(key, record);
-        return record;
-    }
-    /**
-     * Snapshot of every recorded denial. Returned in insertion order
-     * (LRU-ish: most-recently-touched at the tail). The caller MUST
-     * treat the array as read-only — mutating it does not affect state.
-     */
-    getDenialHistory() {
-        return Array.from(this.records.values()).map((r) => ({ ...r }));
-    }
-    /** Lookup the record for a specific (tool, args) pair, or undefined. */
-    getPatternFor(toolName, args) {
-        const argHash = canonicalArgHash(args);
-        const key = `${toolName}:${argHash}`;
-        const record = this.records.get(key);
-        return record ? { ...record } : undefined;
-    }
-    /**
-     * Aggregate counts — handy for `/doctor`, `/permissions denials`,
-     * and the system-reminder threshold check.
-     */
-    summary() {
-        let totalDenials = 0;
-        let repeatedPatterns = 0;
-        for (const record of this.records.values()) {
-            totalDenials += record.count;
-            if (record.count >= DENIAL_REMINDER_THRESHOLD)
-                repeatedPatterns += 1;
-        }
-        return {
-            totalDenials,
-            uniquePatterns: this.records.size,
-            repeatedPatterns,
-        };
-    }
-    /** Drop every recorded denial. Called on session end. */
-    clear() {
-        this.records.clear();
-    }
-    /** Number of distinct (tool, args) pairs currently tracked. */
-    size() {
-        return this.records.size;
-    }
-}
-/**
- * Build the operator-facing system-reminder block. Returns an empty
- * string when no record meets the threshold — the caller short-circuits
- * the splice in that case.
- *
- * Rendered shape:
- *
- *  <denial-context>
- *    - Tool `bash` denied 3 times in this session.
- *      Last reason: HOOK_BLOCKED: PreToolUse refused (exit=1).
- *      Args: {"command":"rm -rf node_modules"}
- *      Do not retry without operator intervention.
- *    - Tool `edit` denied 2 times in this session.
- *      Last reason: STALE_READ: file changed since last read.
- *      Args: {"path":"src/index.ts","oldString":"..."}
- *      Do not retry without operator intervention.
- *  </denial-context>
- *
- * Determinism: same snapshot always produces the same block. We sort
- * entries by `count` descending then `lastDeniedAt` descending so the
- * most-pressing patterns surface first.
- */
-export function buildDenialContext(state) {
-    const records = state.getDenialHistory()
-        .filter((r) => r.count >= DENIAL_REMINDER_THRESHOLD)
-        .sort((a, b) => {
-        if (b.count !== a.count)
-            return b.count - a.count;
-        return b.lastDeniedAt.getTime() - a.lastDeniedAt.getTime();
-    });
-    if (records.length === 0)
-        return '';
-    const lines = ['<denial-context>'];
-    for (const record of records) {
-        lines.push(` - Tool \`${record.toolName}\` denied ${record.count} times in this session.`);
-        lines.push(`   Last reason: ${record.lastReason}`);
-        lines.push(`   Args: ${record.argsSummary}`);
-        lines.push('   Do not retry without operator intervention.');
-    }
-    lines.push('</denial-context>');
-    return lines.join('\n');
-}
-/**
- * Canonical sha256 of the args. Object keys are sorted recursively
- * before stringification so `{a:1,b:2}` and `{b:2,a:1}` hash to the
- * same value. Undefined values + functions are stripped (JSON.stringify
- * already does this); circular refs throw — the caller is expected to
- * pass plain JSON objects (every Pugi tool argument set is a JSON
- * object by contract).
- *
- * Returns the full 64-char hex digest. The denial key prepends the
- * tool name (`<tool>:<hash>`) so a hash collision across tools cannot
- * confuse the matcher.
- */
-export function canonicalArgHash(args) {
-    const canonical = canonicalize(args);
-    const hash = createHash('sha256');
-    hash.update(canonical);
-    return hash.digest('hex');
-}
-function canonicalize(value) {
-    if (value === null)
-        return 'null';
-    if (value === undefined)
-        return 'null';
-    const t = typeof value;
-    if (t === 'string')
-        return JSON.stringify(value);
-    if (t === 'number' || t === 'boolean')
-        return JSON.stringify(value);
-    if (t === 'bigint')
-        return JSON.stringify(value.toString());
-    if (Array.isArray(value)) {
-        return `[${value.map((entry) => canonicalize(entry)).join(',')}]`;
-    }
-    if (t === 'object') {
-        const obj = value;
-        const keys = Object.keys(obj).sort();
-        const parts = keys.map((k) => `${JSON.stringify(k)}:${canonicalize(obj[k])}`);
-        return `{${parts.join(',')}}`;
-    }
-    // Functions / symbols — neither should reach here for tool args.
-    // Stringify defensively so the hash is stable.
-    return JSON.stringify(String(value));
-}
-/**
- * Short, operator-readable preview of the args object. Cap so a
- * 32 KB write payload does not blow up the reminder block. Falls back
- * к `[non-JSON args]` when stringification fails (e.g. a circular ref
- * snuck through — unlikely for tool args by contract).
- */
-function summariseArgs(args) {
-    let stringified;
-    try {
-        stringified = JSON.stringify(args);
-    }
-    catch {
-        return '[non-JSON args]';
-    }
-    if (stringified === undefined)
-        return '{}';
-    if (stringified.length <= DENIAL_ARGS_SUMMARY_BYTES)
-        return stringified;
-    return `${stringified.slice(0, DENIAL_ARGS_SUMMARY_BYTES)}…`;
-}
-/** Cap reason at a sane length so a hook script's stdout cannot flood the reminder. */
-function truncateReason(reason, cap = 240) {
-    if (reason.length <= cap)
-        return reason;
-    return `${reason.slice(0, cap)}…`;
-}
-//# sourceMappingURL=state.js.map

package/dist/core/diagnostics/probe-runner.js

@@ -1,93 +0,0 @@
-/**
- * Probe runner — orchestrates a set of diagnostic probes in parallel
- * with per-probe fail-isolation + a global wall-clock budget.
- *
- * Design contract:
- *
- *  - Probes are independent: one probe's throw or timeout NEVER stops
- *    the others. The runner wraps each call in a try/catch + a
- *    `Promise.race` against a timeout sentinel.
- *
- *  - Order preservation: the returned `probes[]` array preserves the
- *    input order so the table renderer always lists rows in the same
- *    sequence (operators rely on muscle memory: "auth is the first
- *    row, api is the second").
- *
- *  - No I/O ownership: the runner owns ZERO file or network calls.
- *    Every external dependency is injected via the probe function
- *    itself. This keeps the test surface minimal and verifies the
- *    fail-isolation contract without spinning real subprocesses.
- *
- *  - Crashes attributed to the probe: a probe that throws maps to a
- *    synthetic `error` ProbeResult with the probe name + the error
- *    message. A probe that exceeds the timeout becomes a synthetic
- *    `warn` (timing out is asymmetric — the host is reachable but
- *    slow).
- *
- *  - The aggregate `DoctorReport` shape comes straight from
- *    `types.ts` so the doctor command + the Ink table renderer both
- *    consume the same struct without any glue layer.
- */
-import { computeOverall, countProbes, } from './types.js';
-/**
- * Run a set of probes in parallel and produce a structured report.
- * Never throws — every failure mode maps to a structured ProbeResult.
- */
-export async function runProbes(probes, options = {}) {
-    const now = options.now ?? Date.now;
-    const defaultTimeoutMs = options.defaultTimeoutMs ?? 5_000;
-    const startedAt = now();
-    // Each probe is wrapped in a fail-isolation envelope.
-    const results = await Promise.all(probes.map(async (entry) => runOne(entry, defaultTimeoutMs)));
-    const overall = computeOverall(results);
-    const counts = countProbes(results);
-    const durationMs = now() - startedAt;
-    return {
-        probes: results,
-        overall,
-        counts,
-        durationMs,
-    };
-}
-async function runOne(entry, defaultTimeoutMs) {
-    const budget = entry.timeoutMs ?? defaultTimeoutMs;
-    try {
-        return await raceWithTimeout(entry, budget);
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        if (error instanceof ProbeTimeoutError) {
-            return {
-                name: entry.name,
-                status: 'warn',
-                detail: `Probe timed out after ${budget}ms`,
-                remediation: 'Re-run later; the host or registry may be slow',
-            };
-        }
-        return {
-            name: entry.name,
-            status: 'error',
-            detail: `Probe crashed: ${message}`,
-        };
-    }
-}
-class ProbeTimeoutError extends Error {
-    constructor(name, budgetMs) {
-        super(`Probe ${name} exceeded ${budgetMs}ms`);
-        this.name = 'ProbeTimeoutError';
-    }
-}
-async function raceWithTimeout(entry, budgetMs) {
-    let timer;
-    const timeoutPromise = new Promise((_, reject) => {
-        timer = setTimeout(() => reject(new ProbeTimeoutError(entry.name, budgetMs)), budgetMs);
-    });
-    try {
-        return await Promise.race([entry.run(), timeoutPromise]);
-    }
-    finally {
-        if (timer !== undefined)
-            clearTimeout(timer);
-    }
-}
-//# sourceMappingURL=probe-runner.js.map

package/dist/core/diagnostics/probes/api.js

@@ -1,46 +0,0 @@
-/**
- * API probe — verifies `api.pugi.io` (or the active apiUrl) is
- * reachable WITHOUT requiring a valid auth token. The auth probe
- * covers the credentialed path; this probe answers the orthogonal
- * "is the network broken" question so the operator can disambiguate
- * "I'm offline" from "my token is bad" without reading two probe
- * details together.
- *
- * Success criteria: any HTTP response (including 401 unauthenticated)
- * proves the host is reachable. A thrown fetch (DNS / TCP / TLS
- * failure) is the only true failure mode.
- */
-export async function probeApi(ctx, deps) {
-    const apiUrl = deps.resolveApiUrl(ctx.env);
-    const startedAt = deps.now();
-    try {
-        const response = await deps.fetchImpl(`${stripTrailingSlash(apiUrl)}/api/pugi/health`, {
-            method: 'GET',
-        });
-        const latencyMs = deps.now() - startedAt;
-        // Any HTTP response confirms the host is reachable. The auth probe
-        // is responsible for verdicting the 401 / 200 split — here we just
-        // confirm we can talk to the server.
-        return {
-            name: 'API',
-            status: 'ok',
-            detail: `${apiUrl} reachable (${response.status})`,
-            latencyMs,
-        };
-    }
-    catch (error) {
-        const latencyMs = deps.now() - startedAt;
-        const message = error instanceof Error ? error.message : String(error);
-        return {
-            name: 'API',
-            status: 'error',
-            detail: `Cannot reach ${apiUrl}`,
-            latencyMs,
-            remediation: `Check network or override with PUGI_API_URL: ${message}`,
-        };
-    }
-}
-function stripTrailingSlash(url) {
-    return url.endsWith('/') ? url.slice(0, -1) : url;
-}
-//# sourceMappingURL=api.js.map

package/dist/core/diagnostics/probes/auth.js

@@ -1,93 +0,0 @@
-/**
- * AUTH probe — verifies the active credential resolves to a working
- * Bearer token by calling `GET /api/pugi/health` with it.
- *
- * Failure modes (deterministic mapping):
- *  - no credential found in env or `~/.pugi/credentials.json`
- *      → status `skipped`, detail = `unauthenticated (no credentials configured)`
- *      Distinguished from "configured but broken" so offline / pre-login
- *      doctor runs do NOT exit 2. The remediation still points operators
- *      to `pugi login` for when they are ready to authenticate.
- *  - credential exists but server returns 401/403
- *      → status `error`, remediation = `pugi login` (token expired/revoked)
- *  - credential exists but server returns 5xx OR network fails
- *      → status `warn` (server-side; don't blame the operator)
- *  - credential exists and server returns 200
- *      → status `ok` (latency captured)
- *
- * NOTE: the probe must NEVER log the token itself. Memory hit
- * `feedback_no_claude_attribution_anywhere_hard_rule` plus the CSO
- * sweep on bearer leaks (history: PR-AGENT-MERGE-GATE)
- * frame why this is enforced at the probe layer.
- */
-export async function probeAuth(ctx, deps) {
-    const credential = deps.resolveCredential(ctx.env, ctx.home);
-    if (!credential) {
-        // "Not configured" vs "configured but broken" — offline / pre-login
-        // operators must not see `pugi doctor` exit 2 because they haven't
-        // authenticated yet. Skipped is the correct status: it carries the
-        // remediation hint without counting against the overall verdict.
-        return {
-            name: 'AUTH',
-            status: 'skipped',
-            detail: 'unauthenticated (no PUGI_API_KEY env and no ~/.pugi/credentials.json)',
-            remediation: 'Run `pugi login` to authenticate',
-        };
-    }
-    const startedAt = deps.now();
-    let response;
-    try {
-        response = await deps.fetchImpl(`${stripTrailingSlash(credential.apiUrl)}/api/pugi/health`, {
-            method: 'GET',
-            headers: {
-                Authorization: `Bearer ${credential.apiKey}`,
-            },
-        });
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        return {
-            name: 'AUTH',
-            status: 'warn',
-            detail: `Auth check skipped — network error contacting ${credential.apiUrl}`,
-            remediation: `Verify network: ${message}`,
-        };
-    }
-    const latencyMs = deps.now() - startedAt;
-    if (response.status === 401 || response.status === 403) {
-        return {
-            name: 'AUTH',
-            status: 'error',
-            detail: `Token rejected (${response.status}) by ${credential.apiUrl}`,
-            latencyMs,
-            remediation: 'Token expired or revoked — run `pugi login`',
-        };
-    }
-    if (response.status >= 500) {
-        return {
-            name: 'AUTH',
-            status: 'warn',
-            detail: `Server error ${response.status} from ${credential.apiUrl}`,
-            latencyMs,
-            remediation: 'Try again in a moment; if it persists, check api.pugi.io status',
-        };
-    }
-    if (response.status !== 200) {
-        return {
-            name: 'AUTH',
-            status: 'warn',
-            detail: `Unexpected status ${response.status} from /api/pugi/health`,
-            latencyMs,
-        };
-    }
-    return {
-        name: 'AUTH',
-        status: 'ok',
-        detail: `Authenticated against ${credential.apiUrl}`,
-        latencyMs,
-    };
-}
-function stripTrailingSlash(url) {
-    return url.endsWith('/') ? url.slice(0, -1) : url;
-}
-//# sourceMappingURL=auth.js.map

package/dist/core/diagnostics/probes/bare-mode.js

@@ -1,42 +0,0 @@
-/**
- * BARE MODE probe — .
- *
- * Surfaces the `--bare` activation state inside `pugi doctor`. The row is
- * informational: bare mode is an opt-in operator choice, never an error.
- * Operators triaging "why is Pugi ignoring my PUGI.md / why was the
- * `.pugi/` scaffold skipped" see the cause without grep'ing the env.
- *
- * Status semantics:
- *  - `skipped` when bare mode is OFF (default). The probe stays silent
- *    in the table since there is nothing to report; the row still
- *    renders so the JSON consumer can read a stable schema.
- *  - `ok` when bare mode is ON via `--bare` or `PUGI_BARE=1`. The detail
- *    enumerates the surfaces that are currently bypassed.
- *
- * No I/O — pure env probe. Wired into `buildDefaultProbes` in
- * `runtime/commands/doctor.ts`.
- */
-import { isBareMode, BARE_MODE_DOCTOR_LABEL } from '../../bare-mode/index.js';
-/**
- * One-line summary printed in the `--bare` row when bare mode is on.
- * Exported so the spec can assert the exact wording — operators reading
- * `pugi doctor` should see the list of surfaces that the flag disables.
- */
-export const BARE_MODE_ACTIVE_DETAIL = 'bare mode active: PUGI.md walk-up + auto-init + persona auto-load disabled';
-export const BARE_MODE_INACTIVE_DETAIL = 'bare mode off (default auto-discovery)';
-export function probeBareMode(input = {}) {
-    const env = input.env ?? process.env;
-    if (isBareMode(env)) {
-        return {
-            name: BARE_MODE_DOCTOR_LABEL,
-            status: 'ok',
-            detail: BARE_MODE_ACTIVE_DETAIL,
-        };
-    }
-    return {
-        name: BARE_MODE_DOCTOR_LABEL,
-        status: 'skipped',
-        detail: BARE_MODE_INACTIVE_DETAIL,
-    };
-}
-//# sourceMappingURL=bare-mode.js.map

package/dist/core/diagnostics/probes/cli-version.js

@@ -1,127 +0,0 @@
-/**
- * CLI VERSION probe — compares the running @pugi/cli version against
- * the npm registry's `latest` tag. Surfaces an upgrade banner when
- * the operator is behind.
- *
- * Semver comparison is intentionally minimal — we only need to answer
- * "is local strictly older than latest" for the WARN gate. Edge cases
- * (pre-release ordering, build metadata) collapse к string equality
- * because the publish pipeline only tags clean `X.Y.Z[-channel.N]`.
- *
- * Network failure is NOT an error — the operator is offline, that's
- * a transient condition surfaced by the API probe; this probe reports
- * `warn` so the doctor table still ships a usable verdict.
- */
-const REGISTRY_URL = 'https://registry.npmjs.org/@pugi/cli/latest';
-/**
- * Strict-newer comparison. Returns true when `b` is strictly newer
- * than `a`. Treats unparseable inputs as equal (no false-positive
- * upgrade banner on a hand-edited local version).
- */
-export function isNewerVersion(a, b) {
-    const left = parseSemver(a);
-    const right = parseSemver(b);
-    if (!left || !right)
-        return false;
-    if (right.major !== left.major)
-        return right.major > left.major;
-    if (right.minor !== left.minor)
-        return right.minor > left.minor;
-    if (right.patch !== left.patch)
-        return right.patch > left.patch;
-    // Same X.Y.Z — pre-release ordering: a stable release is newer
-    // than any pre-release of the same X.Y.Z; otherwise compare
-    // pre-release tokens lexicographically as a coarse heuristic
-    // sufficient for the upgrade banner.
-    if (!right.pre && left.pre)
-        return true;
-    if (right.pre && !left.pre)
-        return false;
-    if (right.pre && left.pre)
-        return right.pre > left.pre;
-    return false;
-}
-function parseSemver(version) {
-    const match = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
-    if (!match)
-        return null;
-    const major = Number(match[1]);
-    const minor = Number(match[2]);
-    const patch = Number(match[3]);
-    if (!Number.isFinite(major) || !Number.isFinite(minor) || !Number.isFinite(patch)) {
-        return null;
-    }
-    return { major, minor, patch, pre: match[4] ?? '' };
-}
-export async function probeCliVersion(deps) {
-    const url = deps.registryUrl ?? REGISTRY_URL;
-    const timeoutMs = deps.timeoutMs ?? 3_000;
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), timeoutMs);
-    const startedAt = deps.now();
-    let response;
-    try {
-        response = await deps.fetchImpl(url, {
-            method: 'GET',
-            headers: { Accept: 'application/json' },
-            signal: controller.signal,
-        });
-    }
-    catch (error) {
-        clearTimeout(timer);
-        const message = error instanceof Error ? error.message : String(error);
-        return {
-            name: 'CLI VERSION',
-            status: 'warn',
-            detail: `local=${deps.localVersion} — registry unreachable`,
-            remediation: `Skip-able. Network error: ${message}`,
-        };
-    }
-    clearTimeout(timer);
-    const latencyMs = deps.now() - startedAt;
-    if (!response.ok) {
-        return {
-            name: 'CLI VERSION',
-            status: 'warn',
-            detail: `local=${deps.localVersion} — registry returned ${response.status}`,
-            latencyMs,
-        };
-    }
-    let body;
-    try {
-        body = (await response.json());
-    }
-    catch {
-        return {
-            name: 'CLI VERSION',
-            status: 'warn',
-            detail: `local=${deps.localVersion} — registry JSON unparseable`,
-            latencyMs,
-        };
-    }
-    const remote = body.version;
-    if (typeof remote !== 'string' || remote.length === 0) {
-        return {
-            name: 'CLI VERSION',
-            status: 'warn',
-            detail: `local=${deps.localVersion} — registry response missing version`,
-            latencyMs,
-        };
-    }
-    if (isNewerVersion(deps.localVersion, remote)) {
-        return {
-            name: 'CLI VERSION',
-            status: 'warn',
-            detail: `local=${deps.localVersion}, latest=${remote}`,
-            latencyMs,
-            remediation: 'Run `npm i -g @pugi/cli@latest` to upgrade',
-        };
-    }
-    return {
-        name: 'CLI VERSION',
-        status: 'ok',
-        detail: `${deps.localVersion} (latest)`,
-        latencyMs,
-    };
-}
-//# sourceMappingURL=cli-version.js.map