rubyn-code 0.2.2 → 0.3.0

data/lib/rubyn_code/agent/tool_processor.rb

@@ -0,0 +1,158 @@
+# frozen_string_literal: true
+
+module RubynCode
+  module Agent
+    # Handles tool definition filtering, permission checks, and execution
+    # for the agent loop.
+    module ToolProcessor # rubocop:disable Metrics/ModuleLength -- tool filtering + permissions + execution + decision signals
+      CORE_TOOLS = %w[read_file write_file edit_file glob grep bash spawn_agent background_run].freeze
+      PLAN_MODE_RISK_LEVELS = %i[read].freeze
+
+      private
+
+      def tool_definitions
+        all_tools = @tool_executor.tool_definitions
+        return all_tools if all_tools.size <= CORE_TOOLS.size
+
+        @discovered_tools ||= Set.new
+
+        # Use DynamicToolSchema to filter based on detected task context
+        context = detect_task_context
+        if context
+          active = DynamicToolSchema.active_tools(task_context: context, discovered_tools: @discovered_tools)
+          return DynamicToolSchema.filter(all_tools, active_names: active)
+        end
+
+        all_tools.select { |t| core_or_discovered?(t) }
+      end
+
+      def detect_task_context # rubocop:disable Metrics/CyclomaticComplexity -- safe navigation chain
+        last_msg = @conversation&.messages&.reverse_each&.find { |m| m[:role] == 'user' } # rubocop:disable Style/SafeNavigationChainLength
+        return nil unless last_msg
+
+        text = last_msg[:content]
+        return nil unless text.is_a?(String)
+
+        DynamicToolSchema.detect_context(text)
+      rescue StandardError
+        nil
+      end
+
+      def core_or_discovered?(tool)
+        name = tool[:name] || tool['name']
+        CORE_TOOLS.include?(name) || @discovered_tools&.include?(name)
+      end
+
+      def discover_tool(name)
+        (@discovered_tools ||= Set.new).add(name)
+      end
+
+      def read_only_tool_definitions
+        Tools::Registry.all.select { |t| PLAN_MODE_RISK_LEVELS.include?(t::RISK_LEVEL) }.map(&:to_schema)
+      end
+
+      def process_tool_calls(tool_calls)
+        aggregate_chars = 0
+        budget = Config::Defaults::MAX_MESSAGE_TOOL_RESULTS_CHARS
+
+        tool_calls.each do |tool_call|
+          result, is_error = run_single_tool(tool_call)
+          aggregate_chars += result.to_s.length
+          result = truncate_tool_result(result, aggregate_chars, budget)
+          notify_tool_result(field(tool_call, :name), result, is_error)
+          record_tool_result(tool_call, result, is_error)
+        end
+      end
+
+      def run_single_tool(tool_call)
+        tool_name  = field(tool_call, :name)
+        tool_input = field(tool_call, :input) || {}
+        decision = Permissions::Policy.check(
+          tool_name: tool_name, tool_input: tool_input, tier: @permission_tier, deny_list: @deny_list
+        )
+        @on_tool_call&.call(tool_name, tool_input) rescue nil # rubocop:disable Style/RescueModifier
+        execute_with_permission(decision, tool_name, tool_input)
+      end
+
+      def truncate_tool_result(result, aggregate_chars, budget)
+        return result unless aggregate_chars > budget
+
+        remaining = [budget - (aggregate_chars - result.to_s.length), 500].max
+        RubynCode::Debug.token("Tool result budget exceeded: #{aggregate_chars}/#{budget} chars")
+        "#{result.to_s[0, remaining]}\n\n[truncated — tool result budget exceeded (#{budget} chars/message)]"
+      end
+
+      def notify_tool_result(tool_name, result, is_error)
+        @on_tool_result&.call(tool_name, result, is_error) rescue nil # rubocop:disable Style/RescueModifier
+      end
+
+      def record_tool_result(tool_call, result, is_error)
+        tool_name = field(tool_call, :name)
+        @stall_detector.record(tool_name, field(tool_call, :input) || {})
+        @conversation.add_tool_result(field(tool_call, :id), tool_name, result, is_error: is_error)
+      end
+
+      def execute_with_permission(decision, tool_name, tool_input)
+        case decision
+        when :deny  then ["Tool '#{tool_name}' is blocked by the deny list.", true]
+        when :ask   then ask_and_execute(tool_name, tool_input)
+        when :allow then execute_tool(tool_name, tool_input)
+        else ["Unknown permission decision: #{decision}", true]
+        end
+      end
+
+      def ask_and_execute(tool_name, tool_input)
+        if prompt_user(tool_name,
+                       tool_input)
+          execute_tool(tool_name,
+                       tool_input)
+        else
+          ["User denied permission for '#{tool_name}'.", true]
+        end
+      end
+
+      def execute_tool(tool_name, tool_input)
+        discover_tool(tool_name)
+        @hook_runner.fire(:pre_tool_use, tool_name: tool_name, tool_input: tool_input)
+        result = @tool_executor.execute(tool_name, symbolize_keys(tool_input))
+        @hook_runner.fire(:post_tool_use, tool_name: tool_name, tool_input: tool_input, result: result)
+        signal_decision_compactor(tool_name, tool_input, result)
+        [result.to_s, false]
+      rescue StandardError => e
+        ["Error executing #{tool_name}: #{e.message}", true]
+      end
+
+      def signal_decision_compactor(tool_name, tool_input, result) # rubocop:disable Metrics/CyclomaticComplexity -- tool dispatch
+        return unless @decision_compactor
+
+        case tool_name
+        when 'edit_file', 'write_file'
+          path = tool_input[:path] || tool_input['path']
+          @decision_compactor.signal_file_edited!(path) if path
+        when 'run_specs'
+          @decision_compactor.signal_specs_passed! if result.to_s.include?('0 failures')
+        end
+      rescue StandardError
+        nil
+      end
+
+      def prompt_user(tool_name, tool_input)
+        risk = resolve_tool_risk(tool_name)
+        if risk == :destructive
+          Permissions::Prompter.confirm_destructive(tool_name,
+                                                    tool_input)
+        else
+          Permissions::Prompter.confirm(
+            tool_name, tool_input
+          )
+        end
+      end
+
+      def resolve_tool_risk(tool_name)
+        Tools::Registry.get(tool_name).risk_level
+      rescue ToolNotFoundError
+        :unknown
+      end
+    end
+  end
+end

data/lib/rubyn_code/agent/usage_tracker.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module RubynCode
+  module Agent
+    # Tracks token usage and task budgets from LLM responses.
+    # Extracted from ResponseParser to keep module size manageable.
+    module UsageTracker
+      TASK_BUDGET_TOTAL = 100_000 # tokens per user message
+
+      private
+
+      def track_usage(response)
+        usage = extract_usage(response)
+        return unless usage
+
+        log_usage(usage)
+        @context_manager.track_usage(usage)
+      rescue NoMethodError
+        # context_manager does not implement track_usage yet
+      end
+
+      def extract_usage(response)
+        if response.respond_to?(:usage)
+          response.usage
+        elsif response.is_a?(Hash)
+          response[:usage] || response['usage']
+        end
+      end
+
+      def log_usage(usage)
+        input_tokens  = usage.respond_to?(:input_tokens) ? usage.input_tokens : usage[:input_tokens]
+        output_tokens = usage.respond_to?(:output_tokens) ? usage.output_tokens : usage[:output_tokens]
+        cache_info    = build_cache_info(usage)
+        RubynCode::Debug.token("in=#{input_tokens} out=#{output_tokens}#{cache_info}")
+      end
+
+      def build_cache_info(usage)
+        cache_create = usage.respond_to?(:cache_creation_input_tokens) ? usage.cache_creation_input_tokens.to_i : 0
+        cache_read   = usage.respond_to?(:cache_read_input_tokens) ? usage.cache_read_input_tokens.to_i : 0
+        return '' unless cache_create.positive? || cache_read.positive?
+
+        " cache_create=#{cache_create} cache_read=#{cache_read}"
+      end
+
+      def update_task_budget(response)
+        usage = response.respond_to?(:usage) ? response.usage : nil
+        return unless usage
+
+        output = usage.respond_to?(:output_tokens) ? usage.output_tokens.to_i : 0
+        input  = usage.respond_to?(:input_tokens) ? usage.input_tokens.to_i : 0
+
+        @task_budget_remaining ||= TASK_BUDGET_TOTAL
+        @task_budget_remaining = [@task_budget_remaining - input - output, 0].max
+
+        RubynCode::Debug.token("task_budget_remaining=#{@task_budget_remaining}/#{TASK_BUDGET_TOTAL}")
+      end
+    end
+  end
+end

data/lib/rubyn_code/auth/oauth.rb

@@ -25,25 +25,11 @@ module RubynCode
         code_challenge = derive_code_challenge(code_verifier)
         state = SecureRandom.hex(24)
 
-        auth_url = build_authorization_url(code_challenge:, state:)
-
-        callback_server = Server.new
-        open_browser(auth_url)
-
-        result = callback_server.wait_for_callback(timeout: 120)
-
-        unless secure_compare(result[:state], state)
-          raise StateMismatchError, 'OAuth state parameter mismatch — possible CSRF attack'
-        end
+        result = perform_browser_auth(code_challenge, state)
+        validate_state!(result[:state], state)
 
         tokens = exchange_code(code: result[:code], code_verifier:)
-
-        TokenStore.save(
-          access_token: tokens[:access_token],
-          refresh_token: tokens[:refresh_token],
-          expires_at: Time.now + tokens[:expires_in].to_i
-        )
-
+        persist_tokens(tokens)
         tokens
       end
 
@@ -51,35 +37,13 @@ module RubynCode
         stored = TokenStore.load
         raise RefreshError, 'No stored refresh token available' unless stored&.dig(:refresh_token)
 
-        response = http_client.post(token_url) do |req|
-          req.headers['Content-Type'] = 'application/x-www-form-urlencoded'
-          req.body = URI.encode_www_form(
-            grant_type: 'refresh_token',
-            client_id: client_id,
-            refresh_token: stored[:refresh_token]
-          )
-        end
-
-        unless response.success?
-          body = parse_json(response.body)
-          error_msg = body&.dig('error_description') || body&.dig('error') || response.body
-          raise RefreshError, "Token refresh failed (#{response.status}): #{error_msg}"
-        end
+        response = post_refresh_request(stored[:refresh_token])
+        raise_refresh_error(response) unless response.success?
 
         body = parse_json(response.body)
         raise RefreshError, 'Invalid response from token endpoint' unless body
 
-        TokenStore.save(
-          access_token: body['access_token'],
-          refresh_token: body['refresh_token'] || stored[:refresh_token],
-          expires_at: Time.now + body['expires_in'].to_i
-        )
-
-        {
-          access_token: body['access_token'],
-          refresh_token: body['refresh_token'] || stored[:refresh_token],
-          expires_in: body['expires_in']
-        }
+        save_refreshed_tokens(body, stored)
       end
 
       private
@@ -108,40 +72,92 @@ module RubynCode
       end
 
       def exchange_code(code:, code_verifier:)
-        response = http_client.post(token_url) do |req|
+        response = post_code_exchange(code, code_verifier)
+        raise_exchange_error(response) unless response.success?
+
+        body = parse_json(response.body)
+        raise TokenExchangeError, 'Invalid response from token endpoint' unless body
+
+        { access_token: body['access_token'], refresh_token: body['refresh_token'], expires_in: body['expires_in'] }
+      end
+
+      def post_code_exchange(code, code_verifier)
+        http_client.post(token_url) do |req|
           req.headers['Content-Type'] = 'application/x-www-form-urlencoded'
           req.body = URI.encode_www_form(
-            grant_type: 'authorization_code',
-            client_id: client_id,
-            code: code,
-            redirect_uri: redirect_uri,
-            code_verifier: code_verifier
+            grant_type: 'authorization_code', client_id: client_id,
+            code: code, redirect_uri: redirect_uri, code_verifier: code_verifier
           )
         end
+      end
+
+      def raise_exchange_error(response)
+        body = parse_json(response.body)
+        error_msg = body&.dig('error_description') || body&.dig('error') || response.body
+        raise TokenExchangeError, "Code exchange failed (#{response.status}): #{error_msg}"
+      end
+
+      def perform_browser_auth(code_challenge, state)
+        auth_url = build_authorization_url(code_challenge:, state:)
+        callback_server = Server.new
+        open_browser(auth_url)
+        callback_server.wait_for_callback(timeout: 120)
+      end
+
+      def validate_state!(received, expected)
+        return if secure_compare(received, expected)
+
+        raise StateMismatchError, 'OAuth state parameter mismatch — possible CSRF attack'
+      end
 
-        unless response.success?
-          body = parse_json(response.body)
-          error_msg = body&.dig('error_description') || body&.dig('error') || response.body
-          raise TokenExchangeError, "Code exchange failed (#{response.status}): #{error_msg}"
+      def persist_tokens(tokens)
+        TokenStore.save(
+          access_token: tokens[:access_token],
+          refresh_token: tokens[:refresh_token],
+          expires_at: Time.now + tokens[:expires_in].to_i
+        )
+      end
+
+      def post_refresh_request(refresh_token)
+        http_client.post(token_url) do |req|
+          req.headers['Content-Type'] = 'application/x-www-form-urlencoded'
+          req.body = URI.encode_www_form(
+            grant_type: 'refresh_token',
+            client_id: client_id,
+            refresh_token: refresh_token
+          )
         end
+      end
 
+      def raise_refresh_error(response)
         body = parse_json(response.body)
-        raise TokenExchangeError, 'Invalid response from token endpoint' unless body
+        error_msg = body&.dig('error_description') || body&.dig('error') || response.body
+        raise RefreshError, "Token refresh failed (#{response.status}): #{error_msg}"
+      end
+
+      def save_refreshed_tokens(body, stored)
+        effective_refresh = body['refresh_token'] || stored[:refresh_token]
+
+        TokenStore.save(
+          access_token: body['access_token'],
+          refresh_token: effective_refresh,
+          expires_at: Time.now + body['expires_in'].to_i
+        )
 
         {
           access_token: body['access_token'],
-          refresh_token: body['refresh_token'],
+          refresh_token: effective_refresh,
           expires_in: body['expires_in']
         }
       end
 
       def open_browser(url)
         launcher = case RUBY_PLATFORM
-                   when /darwin/  then 'open'
-                   when /linux/   then 'xdg-open'
-                   when /mingw|mswin/ then 'start'
-                   else 'xdg-open'
+                   when /darwin/       then 'open'
+                   when /linux/        then 'xdg-open'
+                   when /mingw|mswin/  then 'start'
                    end
+        launcher ||= 'xdg-open'
 
         system(launcher, url, exception: false)
       end
@@ -160,13 +176,13 @@ module RubynCode
         nil
       end
 
-      def secure_compare(a, b)
-        return false if a.nil? || b.nil?
-        return false unless a.bytesize == b.bytesize
+      def secure_compare(left, right) # rubocop:disable Naming/PredicateMethod -- constant-time comparison, not a predicate
+        return false if left.nil? || right.nil?
+        return false unless left.bytesize == right.bytesize
 
-        l = a.unpack('C*')
-        r = b.unpack('C*')
-        l.zip(r).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
+        left_bytes = left.unpack('C*')
+        right_bytes = right.unpack('C*')
+        left_bytes.zip(right_bytes).reduce(0) { |acc, (lhs, rhs)| acc | (lhs ^ rhs) }.zero?
       end
 
       def client_id     = Config::Defaults::OAUTH_CLIENT_ID

data/lib/rubyn_code/auth/server.rb

@@ -56,35 +56,32 @@ module RubynCode
 
       def handle_callback(req, res, server)
         params = parse_query(req.query_string)
-        code = params['code']
-        state = params['state']
-
-        if code
-          @mutex.synchronize do
-            @result = { code: code, state: state }
-            @condvar.signal
-          end
-
-          res.status = 200
-          res.content_type = 'text/html; charset=utf-8'
-          res.body = success_html
+
+        if params['code']
+          handle_success_callback(params, res)
         else
-          error = params['error'] || 'unknown'
-          description = params['error_description'] || 'No authorization code received'
+          handle_error_callback(params, res)
+        end
 
-          res.status = 400
-          res.content_type = 'text/html; charset=utf-8'
-          res.body = error_html(error, description)
+        Thread.new { sleep(0.5) && server.shutdown }
+      end
 
-          @mutex.synchronize do
-            @condvar.signal
-          end
+      def handle_success_callback(params, res)
+        @mutex.synchronize do
+          @result = { code: params['code'], state: params['state'] }
+          @condvar.signal
         end
+        res.status = 200
+        res.content_type = 'text/html; charset=utf-8'
+        res.body = success_html
+      end
 
-        Thread.new do
-          sleep(0.5)
-          server.shutdown
-        end
+      def handle_error_callback(params, res)
+        res.status = 400
+        res.content_type = 'text/html; charset=utf-8'
+        res.body = error_html(params['error'] || 'unknown',
+                              params['error_description'] || 'No authorization code received')
+        @mutex.synchronize { @condvar.signal }
       end
 
       def parse_query(query_string)

data/lib/rubyn_code/auth/token_store.rb

@@ -20,6 +20,15 @@ module RubynCode
           load_from_keychain || load_from_file || load_from_env
         end
 
+        # Load API key for a given provider. Anthropic uses the full fallback chain.
+        def load_for_provider(provider)
+          return load if provider == 'anthropic'
+
+          env_key = resolve_env_key(provider)
+          api_key = ENV.fetch(env_key, nil)
+          api_key&.empty? == false ? { access_token: api_key, type: :api_key, source: :env } : nil
+        end
+
         def save(access_token:, refresh_token:, expires_at:)
           ensure_directory!
 
@@ -34,68 +43,56 @@ module RubynCode
           data
         end
 
-        def clear!
+        def clear! # rubocop:disable Naming/PredicateMethod -- destructive action, not a predicate
           FileUtils.rm_f(tokens_path)
           true
         end
 
         def valid?
           tokens = self.load
-          return false unless tokens
-          return false unless tokens[:access_token]
-
-          # API keys don't expire
+          return false unless tokens&.fetch(:access_token, nil)
           return true if tokens[:type] == :api_key
-
-          # OAuth tokens need expiry check
           return true unless tokens[:expires_at]
 
           tokens[:expires_at] > Time.now + EXPIRY_BUFFER_SECONDS
         end
 
-        def exists?
-          valid?
-        end
+        def exists? = valid?
+        def access_token = self.load&.fetch(:access_token, nil)
 
-        def access_token
-          tokens = self.load
-          tokens&.fetch(:access_token, nil)
-        end
+        private
 
-        def token_type
-          tokens = self.load
-          tokens&.fetch(:type, :oauth)
+        def resolve_env_key(provider)
+          default = Config::Defaults::PROVIDER_ENV_KEYS.fetch(provider, "#{provider.upcase}_API_KEY")
+          Config::Settings.new.provider_config(provider)&.fetch('env_key', nil) || default
+        rescue StandardError
+          default
         end
 
-        private
-
-        # Read Claude Code's OAuth token from macOS Keychain
         def load_from_keychain
           return nil unless RUBY_PLATFORM.include?('darwin')
 
           output = `security find-generic-password -s "#{KEYCHAIN_SERVICE}" -w 2>/dev/null`.strip
           return nil if output.empty?
 
-          data = JSON.parse(output)
-          oauth = data['claudeAiOauth']
-          return nil unless oauth && oauth['accessToken']
+          oauth = JSON.parse(output)['claudeAiOauth']
+          return nil unless oauth&.dig('accessToken')
 
-          expires_at = if oauth['expiresAt']
-                         Time.at(oauth['expiresAt'] / 1000.0) # milliseconds to seconds
-                       end
+          build_keychain_tokens(oauth)
+        rescue StandardError
+          nil
+        end
 
+        def build_keychain_tokens(oauth)
           {
             access_token: oauth['accessToken'],
             refresh_token: oauth['refreshToken'],
-            expires_at: expires_at,
+            expires_at: oauth['expiresAt'] ? Time.at(oauth['expiresAt'] / 1000.0) : nil,
             type: :oauth,
             source: :keychain
           }
-        rescue JSON::ParserError, StandardError
-          nil
         end
 
-        # Read from local YAML token file
         def load_from_file
           return nil unless File.exist?(tokens_path)
 
@@ -114,28 +111,18 @@ module RubynCode
           nil
         end
 
-        # Fall back to ANTHROPIC_API_KEY environment variable
         def load_from_env
           api_key = ENV.fetch('ANTHROPIC_API_KEY', nil)
           return nil unless api_key && !api_key.empty?
 
-          {
-            access_token: api_key,
-            refresh_token: nil,
-            expires_at: nil,
-            type: :api_key,
-            source: :env
-          }
+          { access_token: api_key, refresh_token: nil, expires_at: nil, type: :api_key, source: :env }
         end
 
-        def tokens_path
-          Config::Defaults::TOKENS_FILE
-        end
+        def tokens_path = Config::Defaults::TOKENS_FILE
 
         def ensure_directory!
-          dir = File.dirname(tokens_path)
-          FileUtils.mkdir_p(dir)
-          File.chmod(0o700, dir)
+          FileUtils.mkdir_p(File.dirname(tokens_path))
+          File.chmod(0o700, File.dirname(tokens_path))
         end
 
         def parse_time(value)

data/lib/rubyn_code/autonomous/daemon.rb

@@ -37,24 +37,9 @@ module RubynCode
         max_runs: 100, max_cost: 10.0, poll_interval: 5, idle_timeout: 60,
         on_state_change: nil, on_task_complete: nil, on_task_error: nil
       )
-        @agent_name      = agent_name
-        @role            = role
-        @llm_client      = llm_client
-        @project_root    = File.expand_path(project_root)
-        @task_manager    = task_manager
-        @mailbox         = mailbox
-        @max_runs        = max_runs
-        @max_cost        = max_cost
-        @poll_interval   = poll_interval
-        @idle_timeout    = idle_timeout
-        @on_state_change = on_state_change
-        @on_task_complete = on_task_complete
-        @on_task_error   = on_task_error
-
-        @state           = :spawned
-        @runs_completed  = 0
-        @total_cost      = 0.0
-        @stop_requested  = false
+        assign_core_attrs(agent_name:, role:, llm_client:, project_root:, task_manager:, mailbox:)
+        assign_limits(max_runs:, max_cost:, poll_interval:, idle_timeout:)
+        assign_callbacks_and_state(on_state_change, on_task_complete, on_task_error)
       end
 
       # Enters the work-idle-work cycle. Blocks the calling thread until
@@ -121,6 +106,32 @@ module RubynCode
 
       # ── Signal handling ──────────────────────────────────────────
 
+      def assign_core_attrs(agent_name:, role:, llm_client:, project_root:, task_manager:, mailbox:) # rubocop:disable Metrics/ParameterLists -- mirrors constructor keyword args
+        @agent_name   = agent_name
+        @role         = role
+        @llm_client   = llm_client
+        @project_root = File.expand_path(project_root)
+        @task_manager = task_manager
+        @mailbox      = mailbox
+      end
+
+      def assign_limits(max_runs:, max_cost:, poll_interval:, idle_timeout:)
+        @max_runs      = max_runs
+        @max_cost      = max_cost
+        @poll_interval = poll_interval
+        @idle_timeout  = idle_timeout
+      end
+
+      def assign_callbacks_and_state(on_state_change, on_task_complete, on_task_error)
+        @on_state_change  = on_state_change
+        @on_task_complete = on_task_complete
+        @on_task_error    = on_task_error
+        @state            = :spawned
+        @runs_completed   = 0
+        @total_cost       = 0.0
+        @stop_requested   = false
+      end
+
       def install_signal_handlers!
         %w[INT TERM].each do |sig|
           Signal.trap(sig) { stop! }