@thegitai/cli 1.0.0-beta.1

package/dist/src/tools/patch-file.js

@@ -0,0 +1,88 @@
+import chalk from 'chalk';
+import { normalizeProjectRelativePath } from '../artifact-policy.js';
+import { applyUnifiedPatch, readProjectFile, renderDiffPreview, writeProjectFile, } from '../patcher.js';
+import { upsertIndexFile } from '../project-index.js';
+import { isTuiMode } from '../runtime-mode.js';
+import { getCurrentFileHash, resolveRedactionTokens } from '../session-safety.js';
+import { invalidateShellDiagnosticsCache, runShellDiagnostics, } from './shell-diagnostics.js';
+export async function patchFile(context, args) {
+    const { rootDir, projectIndex, autoYes, confirmPatch } = context;
+    const filePath = String(args.filePath ?? '').trim();
+    let patch = typeof args.patch === 'string' ? args.patch : '';
+    if (!filePath) {
+        return { ok: false, error: 'filePath is required' };
+    }
+    if (!patch.trim()) {
+        return { ok: false, error: 'patch is required' };
+    }
+    let originalContent;
+    try {
+        originalContent = readProjectFile(rootDir, filePath);
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: `Cannot read file for patching: ${err.message}. Use write_file to create new files.`,
+        };
+    }
+    const coveragePath = normalizeProjectRelativePath(rootDir, filePath) ?? filePath;
+    patch = resolveRedactionTokens(context.safety, patch, coveragePath, getCurrentFileHash(rootDir, filePath));
+    let patchedContent;
+    try {
+        patchedContent = applyUnifiedPatch(originalContent, patch);
+    }
+    catch (err) {
+        return {
+            ok: false,
+            filePath,
+            error: `Patch failed: ${err.message}`,
+            failureCategory: 'conflict',
+            failureDetails: {
+                category: 'conflict',
+                tool: 'patch_file',
+                action: 'Re-read the full file and rebuild the patch against the current exact file content.',
+            },
+        };
+    }
+    renderDiffPreview(filePath, patch);
+    if (!autoYes && confirmPatch) {
+        const confirmed = await confirmPatch(filePath, patch);
+        if (!confirmed) {
+            if (!isTuiMode())
+                console.log(chalk.dim(`  ⏭  Patch skipped: ${filePath}`));
+            return {
+                ok: false,
+                skipped: true,
+                filePath,
+                error: 'User declined patch',
+            };
+        }
+    }
+    const { changed } = writeProjectFile(rootDir, filePath, patchedContent);
+    let indexedChunks = 0;
+    let retrievalTokensUsed = 0;
+    if (changed) {
+        const indexResult = await upsertIndexFile(projectIndex, filePath);
+        indexedChunks = indexResult.indexedChunks;
+        retrievalTokensUsed = indexResult.retrievalTokensUsed ?? 0;
+    }
+    invalidateShellDiagnosticsCache(rootDir, filePath);
+    const diagnostics = runShellDiagnostics(rootDir, filePath);
+    const originalLines = originalContent.split('\n').length;
+    const patchedLines = patchedContent.split('\n').length;
+    if (!isTuiMode()) {
+        const actionLabel = changed ? 'Patched' : 'Patched (no change)';
+        const color = changed ? chalk.green : chalk.yellow;
+        console.log(color(`  ✏️  ${actionLabel}: ${filePath} (${originalLines} → ${patchedLines} lines)`));
+    }
+    return {
+        ok: true,
+        filePath,
+        changed,
+        operation: 'patch',
+        indexedChunks,
+        retrievalTokensUsed,
+        bytesWritten: Buffer.byteLength(patchedContent, 'utf-8'),
+        diagnostics,
+    };
+}

package/dist/src/tools/path-listing.js

@@ -0,0 +1,83 @@
+import { listProjectFiles } from '../scanner.js';
+const LISTING_SCAN_MULTIPLIER = 20;
+const LISTING_MIN_SCAN_LIMIT = 1000;
+const LISTING_MAX_SCAN_LIMIT = 10000;
+export function listFilesystemFiles(rootDir, { pattern = '', limit = 200 } = {}) {
+    return listProjectFiles(rootDir, { limit: scanLimitForListing(limit) })
+        .filter((filePath) => matchesPathPattern(filePath, pattern))
+        .sort()
+        .slice(0, limit);
+}
+export function listFilesystemDirectories(rootDir, { pattern = '', limit = 200 } = {}) {
+    const directories = new Set();
+    for (const filePath of listProjectFiles(rootDir, {
+        limit: scanLimitForListing(limit),
+    })) {
+        const parts = filePath.split(/[\\/]+/).filter(Boolean);
+        for (let i = 1; i < parts.length; i++) {
+            directories.add(parts.slice(0, i).join('/'));
+        }
+        if (directories.size >= limit * LISTING_SCAN_MULTIPLIER)
+            break;
+    }
+    return [...directories]
+        .filter((dirPath) => matchesPathPattern(dirPath, pattern))
+        .sort()
+        .slice(0, limit);
+}
+function scanLimitForListing(limit) {
+    const requested = Number.isFinite(limit) && limit > 0 ? Math.floor(limit) : 200;
+    return Math.min(LISTING_MAX_SCAN_LIMIT, Math.max(LISTING_MIN_SCAN_LIMIT, requested * LISTING_SCAN_MULTIPLIER));
+}
+function matchesPathPattern(filePath, pattern) {
+    if (!pattern || pattern === '*')
+        return true;
+    if (!/[*?{}]/.test(pattern)) {
+        return filePath.includes(pattern);
+    }
+    return globLikePatternToRegExp(pattern).test(filePath);
+}
+function globLikePatternToRegExp(pattern) {
+    let source = '';
+    for (let i = 0; i < pattern.length; i++) {
+        const char = pattern[i];
+        if (char === '*' && pattern[i + 1] === '*') {
+            i++;
+            if (pattern[i + 1] === '/') {
+                source += '(?:[^/]+/)*';
+                i++;
+            }
+            else {
+                source += '.*';
+            }
+            continue;
+        }
+        if (char === '*') {
+            source += '.*';
+        }
+        else if (char === '?') {
+            source += '.';
+        }
+        else if (char === '{') {
+            const end = pattern.indexOf('}', i + 1);
+            if (end === -1) {
+                source += escapeRegExp(char);
+            }
+            else {
+                const alternatives = pattern
+                    .slice(i + 1, end)
+                    .split(',')
+                    .map((part) => escapeRegExp(part.trim()));
+                source += `(?:${alternatives.join('|')})`;
+                i = end;
+            }
+        }
+        else {
+            source += escapeRegExp(char);
+        }
+    }
+    return new RegExp(`^${source}$`);
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}

package/dist/src/tools/read-document.js

@@ -0,0 +1,111 @@
+import path from 'node:path';
+import { existsSync, readFileSync } from 'node:fs';
+import { isSensitiveProjectPath, normalizeProjectRelativePath, } from '../artifact-policy.js';
+import { readCliAuthConfig } from '../api/auth.js';
+export function normalizeDocumentText(raw) {
+    const text = String(raw ?? '').replace(/\r\n?/g, '\n');
+    let output = '';
+    for (let index = 0; index < text.length; index++) {
+        const code = text.charCodeAt(index);
+        if (code === 0) {
+            output += ' ';
+            continue;
+        }
+        if (code >= 0xd800 && code <= 0xdbff) {
+            const next = text.charCodeAt(index + 1);
+            if (next >= 0xdc00 && next <= 0xdfff) {
+                output += text.charAt(index) + text.charAt(index + 1);
+                index += 1;
+            }
+            else {
+                output += String.fromCharCode(0xfffd);
+            }
+            continue;
+        }
+        if (code >= 0xdc00 && code <= 0xdfff) {
+            output += String.fromCharCode(0xfffd);
+            continue;
+        }
+        if (code < 0x20 && code !== 0x09 && code !== 0x0a) {
+            output += ' ';
+            continue;
+        }
+        output += text.charAt(index);
+    }
+    return output;
+}
+async function parseDocumentOnServer(config, fileName, fileData, ext, args) {
+    const includePageArgs = ext === '.pdf';
+    const response = await globalThis.fetch(`${config.serverUrl.replace(/\/+$/, '')}/v1/document/parse`, {
+        method: 'POST',
+        headers: {
+            authorization: `Bearer ${config.token}`,
+            'content-type': 'application/json',
+        },
+        body: JSON.stringify({
+            fileName,
+            fileData: fileData.toString('base64'),
+            ...(includePageArgs && args.firstPage !== undefined
+                ? { firstPage: args.firstPage }
+                : {}),
+            ...(includePageArgs && args.lastPage !== undefined
+                ? { lastPage: args.lastPage }
+                : {}),
+        }),
+    });
+    const data = await response.json().catch(() => null);
+    if (!response.ok) {
+        return {
+            ok: false,
+            error: `Server document parse failed: ${data?.error?.message ?? response.status}`,
+        };
+    }
+    return data;
+}
+export async function readDocument(rootDir, args, env) {
+    const raw = String(args.filePath ?? '').trim();
+    if (!raw) {
+        return { ok: false, error: 'filePath is required' };
+    }
+    const resolvedPath = path.isAbsolute(raw) ? raw : path.resolve(rootDir, raw);
+    const projectPath = normalizeProjectRelativePath(rootDir, resolvedPath);
+    if (projectPath && isSensitiveProjectPath(projectPath)) {
+        return {
+            ok: false,
+            error: 'This path is not permitted.',
+        };
+    }
+    if (!existsSync(resolvedPath)) {
+        return {
+            ok: false,
+            error: `File not found: ${resolvedPath}`,
+            failureCategory: 'not_found',
+        };
+    }
+    const ext = path.extname(resolvedPath).toLowerCase();
+    if (ext !== '.pdf' && ext !== '.xlsx') {
+        return {
+            ok: false,
+            error: `Unsupported file type: "${ext}". read_document only supports .pdf and .xlsx.`,
+        };
+    }
+    const authConfig = readCliAuthConfig(env);
+    if (!authConfig) {
+        return {
+            ok: false,
+            error: 'Document parsing requires a server connection. Please log in first.',
+        };
+    }
+    let fileData;
+    try {
+        fileData = readFileSync(resolvedPath);
+    }
+    catch (err) {
+        return { ok: false, error: `Failed to read file: ${err.message}` };
+    }
+    const result = await parseDocumentOnServer(authConfig, path.basename(resolvedPath), fileData, ext, args);
+    if (result.ok) {
+        result.filePath = path.relative(rootDir, resolvedPath) || resolvedPath;
+    }
+    return result;
+}

package/dist/src/tools/read-file.js

@@ -0,0 +1,109 @@
+import { existsSync, readFileSync } from 'fs';
+import path from 'path';
+import { normalizeProjectRelativePath, shouldIgnoreArtifactPath, } from '../artifact-policy.js';
+import { buildSecretFilePreview, isDotenvLikePath, looksLikeEditableDotenv, shouldUseSecretFilePreview, } from '../secret-preview.js';
+import { readProjectFile } from '../patcher.js';
+import { dotenvFitsRedactionBudget, getCurrentFileHash, recordReadCoverage, redactContentWithStableTokens, redactDotenvWithStableTokens, } from '../session-safety.js';
+import { readFileRange, truncate } from '../utils.js';
+const MAX_FILE_READ_CHARS = 12000;
+export async function readFile(context, args) {
+    const rootDir = typeof context === 'string' ? context : context.rootDir;
+    const safety = typeof context === 'string' ? undefined : context.safety;
+    const filePath = String(args.filePath ?? '').trim();
+    if (!filePath) {
+        return { ok: false, error: 'filePath is required' };
+    }
+    const projectPath = normalizeProjectRelativePath(rootDir, filePath);
+    if (!projectPath && !path.isAbsolute(filePath)) {
+        return {
+            ok: false,
+            error: `Refusing to access path outside the project root: ${filePath}`,
+        };
+    }
+    if (projectPath && shouldIgnoreArtifactPath(projectPath)) {
+        return {
+            ok: false,
+            error: 'This path is not permitted.',
+        };
+    }
+    let content;
+    if (projectPath) {
+        try {
+            content = readProjectFile(rootDir, filePath);
+        }
+        catch (err) {
+            return { ok: false, error: err.message };
+        }
+    }
+    else {
+        const absPath = path.resolve(filePath);
+        if (!existsSync(absPath)) {
+            return { ok: false, error: `File does not exist: ${filePath}` };
+        }
+        try {
+            content = readFileSync(absPath, 'utf-8');
+        }
+        catch (err) {
+            return { ok: false, error: err.message };
+        }
+    }
+    const previewPath = projectPath ?? filePath;
+    // A clean dotenv file is shown with keys visible and values tokenized so the
+    // agent can still edit it (str_replace/write_file round-trip the tokens) and
+    // read coverage is recorded. Any other secret file — PEM, JSON credentials,
+    // or a dotenv with a stray non-assignment line — keeps the opaque blackout.
+    const editableDotenv = Boolean(projectPath) &&
+        Boolean(safety) &&
+        isDotenvLikePath(previewPath) &&
+        looksLikeEditableDotenv(content) &&
+        dotenvFitsRedactionBudget(content);
+    if (shouldUseSecretFilePreview(previewPath, content) && !editableDotenv) {
+        return {
+            ok: true,
+            ...buildSecretFilePreview(previewPath, content),
+        };
+    }
+    const range = readFileRange(content, args.startLine ? Number(args.startLine) : undefined, args.endLine ? Number(args.endLine) : undefined);
+    const hash = projectPath ? getCurrentFileHash(rootDir, filePath) : null;
+    const redacted = projectPath && safety
+        ? editableDotenv
+            ? redactDotenvWithStableTokens(safety, range.content, projectPath, hash)
+            : redactContentWithStableTokens(safety, range.content, projectPath, hash)
+        : { content: range.content, tokens: [] };
+    const contentTruncated = redacted.content.length > MAX_FILE_READ_CHARS;
+    const deliveredEndLine = contentTruncated
+        ? Math.min(range.endLine, range.startLine +
+            redacted.content.slice(0, MAX_FILE_READ_CHARS).split('\n').length -
+            1)
+        : range.endLine;
+    const fullFile = range.startLine === 1 &&
+        deliveredEndLine === range.totalLines &&
+        !contentTruncated;
+    if (projectPath && safety) {
+        recordReadCoverage(safety, {
+            filePath: projectPath,
+            hash,
+            fullFile,
+            startLine: range.startLine,
+            endLine: deliveredEndLine,
+            totalLines: range.totalLines,
+            createdAt: new Date().toISOString(),
+        });
+    }
+    return {
+        ok: true,
+        filePath: projectPath ?? filePath,
+        totalLines: range.totalLines,
+        startLine: range.startLine,
+        endLine: deliveredEndLine,
+        content: truncate(redacted.content, MAX_FILE_READ_CHARS),
+        contentHash: hash,
+        readCoverage: {
+            fullFile,
+            hash,
+            cacheStatus: 'fresh',
+            contentTruncated,
+        },
+        redactionTokens: redacted.tokens,
+    };
+}

package/dist/src/tools/restore-checkpoint.js

@@ -0,0 +1,100 @@
+import chalk from 'chalk';
+import { isTuiMode } from '../runtime-mode.js';
+import { createPromptCheckpoint, restoreCheckpointFiles, } from '../session-safety.js';
+import { invalidateShellDiagnosticsCache, runShellDiagnostics, } from './shell-diagnostics.js';
+function normalizeFilePaths(value) {
+    if (value == null)
+        return undefined;
+    if (!Array.isArray(value))
+        return [];
+    return value.map((item) => String(item ?? '').trim()).filter(Boolean);
+}
+export async function restoreToCheckpoint(context, args) {
+    if (!context.safety) {
+        return { ok: false, error: 'No session safety state is available.' };
+    }
+    const checkpointId = String(args.checkpointId ?? args.checkpoint_id ?? '').trim();
+    if (!checkpointId) {
+        return {
+            ok: false,
+            failureCategory: 'missing_required_argument',
+            error: 'checkpointId is required',
+        };
+    }
+    const filePaths = normalizeFilePaths(args.filePaths ?? args.file_paths);
+    const dryRun = args.dryRun === true || args.dry_run === true;
+    const checkpoint = context.safety.checkpoints.find((item) => item.id === checkpointId);
+    if (!checkpoint) {
+        return {
+            ok: false,
+            failureCategory: 'not_found',
+            checkpointId,
+            error: `Checkpoint not found: ${checkpointId}`,
+        };
+    }
+    if (dryRun) {
+        const targets = filePaths?.length
+            ? checkpoint.files.filter((file) => filePaths.includes(file.filePath))
+            : checkpoint.files;
+        return {
+            ok: true,
+            checkpointId,
+            dryRun: true,
+            changed: false,
+            restored: [],
+            preview: targets.map((file) => ({
+                filePath: file.filePath,
+                exists: file.exists,
+                hash: file.hash,
+                restorable: !file.skipped && (file.content !== null || !file.exists),
+                skipped: file.skipped,
+            })),
+        };
+    }
+    const result = await restoreCheckpointFiles({
+        state: context.safety,
+        rootDir: context.rootDir,
+        projectIndex: context.projectIndex,
+        checkpointId,
+        filePaths,
+        currentTurnId: context.currentTurnId ?? null,
+        currentToolCallId: context.currentToolCallId ?? null,
+    });
+    if (!result.ok) {
+        return {
+            ...result,
+            failureCategory: 'conflict',
+            failureDetails: {
+                category: 'conflict',
+                tool: 'restore_to_checkpoint',
+                action: 'Inspect the listed files before retrying restore. The tool refused to overwrite unknown current content.',
+            },
+        };
+    }
+    invalidateShellDiagnosticsCache(context.rootDir);
+    createPromptCheckpoint(context.safety, `after restore ${checkpointId}`, context.currentTurnId ?? null);
+    if (!isTuiMode()) {
+        console.log(chalk.green(`  Restored checkpoint ${checkpointId}: ${result.restored
+            .map((item) => item.filePath)
+            .join(', ')}`));
+    }
+    return {
+        ...result,
+        operation: 'restore_to_checkpoint',
+        diagnostics: runShellDiagnostics(context.rootDir),
+    };
+}
+export async function restoreFilesToCheckpoint(context, args) {
+    const filePaths = normalizeFilePaths(args.filePaths ?? args.file_paths) ?? [];
+    if (!filePaths.length) {
+        return {
+            ok: false,
+            failureCategory: 'missing_required_argument',
+            error: 'filePaths is required for restore_files_to_checkpoint',
+        };
+    }
+    return restoreToCheckpoint(context, {
+        ...args,
+        filePaths,
+    });
+}

package/dist/src/tools/ripgrep.js

@@ -0,0 +1,29 @@
+import { existsSync } from 'node:fs';
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+function readBundledRipgrepPath() {
+    try {
+        const ripgrep = require('@vscode/ripgrep');
+        const rgPath = ripgrep.rgPath;
+        return typeof rgPath === 'string' && existsSync(rgPath) ? rgPath : null;
+    }
+    catch {
+        return null;
+    }
+}
+export function getRipgrepPath() {
+    return readBundledRipgrepPath() ?? 'rg';
+}
+export function getRipgrepPathCandidates() {
+    const bundled = readBundledRipgrepPath();
+    return bundled ? [bundled, 'rg'] : ['rg'];
+}
+export function isRipgrepExecutionUnavailable(error) {
+    return (error?.code === 'ENOENT' ||
+        error?.code === 'EACCES' ||
+        error?.code === 'ENOEXEC' ||
+        error?.errno === -2 ||
+        error?.errno === -13 ||
+        error?.errno === -8 ||
+        error?.errno === -26);
+}

package/dist/src/tools/run-command.js

@@ -0,0 +1,94 @@
+import chalk from 'chalk';
+import { getBlockedCommandReason, runCommand, } from '../executor.js';
+import { syncIndexFromDisk } from '../project-index.js';
+import { isTuiMode } from '../runtime-mode.js';
+import { redactConnectionStringCredentials } from '../secret-preview.js';
+import { buildNestedGitHint } from '../session-safety.js';
+import { buildDeferredShellDiagnostics, invalidateShellDiagnosticsCache, } from './shell-diagnostics.js';
+const MAX_OUTPUT_CHARS = 4000;
+export async function runShellCommand(context, args) {
+    const { rootDir, projectIndex, autoYes, confirmCommand, requestSudoPassword, onStatus, } = context;
+    const command = String(args.command ?? '').trim();
+    if (!command) {
+        return { ok: false, error: 'command is required' };
+    }
+    const hasTimeout = typeof args.timeout_ms === 'number' && args.timeout_ms > 0;
+    const repoHint = buildNestedGitHint(rootDir, command);
+    const blockedReason = getBlockedCommandReason(command, hasTimeout, rootDir);
+    if (blockedReason) {
+        const error = blockedReason;
+        if (!isTuiMode())
+            console.log(chalk.red(`\n  ✖ ${error}`));
+        return {
+            ok: false,
+            blocked: true,
+            command,
+            error,
+            repoHint,
+        };
+    }
+    if (!isTuiMode())
+        console.log(chalk.bold.yellow(`\n  ⚡ Command: ${command}`));
+    if (!autoYes) {
+        if (confirmCommand == null) {
+            return {
+                ok: false,
+                command,
+                error: 'confirmCommand is required when autoYes is false',
+            };
+        }
+        const approved = await confirmCommand(command);
+        if (!approved) {
+            if (!isTuiMode())
+                console.log(chalk.dim(`  ⏭  Skipped: ${command}`));
+            return {
+                ok: false,
+                skipped: true,
+                command,
+                error: 'User declined command execution',
+            };
+        }
+    }
+    const result = await runCommand(command, rootDir, {
+        requestSudoPassword,
+        timeout: typeof args.timeout_ms === 'number' && args.timeout_ms > 0 ? args.timeout_ms : undefined,
+    });
+    const repoSync = projectIndex.initialized
+        ? await syncIndexFromDisk(projectIndex)
+        : {
+            added: 0,
+            modified: 0,
+            removed: 0,
+            indexedChunks: 0,
+            retrievalTokensUsed: 0,
+        };
+    invalidateShellDiagnosticsCache(rootDir);
+    const diagnostics = buildDeferredShellDiagnostics('run_command');
+    if (repoSync.added || repoSync.modified || repoSync.removed) {
+        onStatus(`Synced repo state after command (${repoSync.added} added, ${repoSync.modified} modified, ${repoSync.removed} removed).`);
+    }
+    // Redact connection-string passwords so shell output (e.g. `cat .env`,
+    // `printenv`) cannot leak them into history or telemetry.
+    let output = typeof result.output === 'string'
+        ? redactConnectionStringCredentials(result.output)
+        : result.output;
+    if (typeof output === 'string' && output.length > MAX_OUTPUT_CHARS) {
+        const headSize = Math.floor(MAX_OUTPUT_CHARS * 0.2);
+        const tailSize = MAX_OUTPUT_CHARS - headSize;
+        output =
+            output.slice(0, headSize) +
+                `\n\n... (${output.length - headSize - tailSize} chars truncated) ...\n\n` +
+                output.slice(-tailSize);
+    }
+    return {
+        ok: result.exitCode === 0,
+        command,
+        exitCode: result.exitCode,
+        timedOut: result.timedOut,
+        output,
+        repoSync,
+        retrievalTokensUsed: repoSync.retrievalTokensUsed,
+        diagnostics,
+        repoHint,
+    };
+}