@amistio/cli 0.1.13 → 0.1.14
- package/README.md +1 -1
- package/dist/index.js +35 -2
- package/dist/index.js.map +2 -2
- package/package.json +1 -1
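--- a/package/README.md
+++ b/package/README.md
@@ -41,7 +41,7 @@ When `--tool copilot` uses the GitHub Copilot SDK, Amistio approves read-only pe
 
 `amistio runner status` reports local background runner state, latest heartbeat, and bounded resource usage when available. Resource usage is latest-sample runner process memory/CPU plus safe aggregate system memory/load signals; it does not include source files, environment variables, command lines, process lists, credentials, or arbitrary local paths.
 
-The runner advertises its supported work kinds in heartbeats. Current runners can claim read-only `projectContextRefresh` jobs from the workspace Context panel and create due runner-driven refreshes when no fresh approved map exists. Context refreshes inspect the paired checkout locally without modifying files and submit only bounded summaries, slices, entities, relations, safe citations, confidence, freshness, and repo-relative paths. Approved maps are reused as context packs for source-aware assistant and impact-preview work. Current runners can also claim read-only issue diagnosis jobs from the web Issues panel, generate root-cause analysis and a proposed fix, and submit that result without modifying source. They can claim manual read-only `appEvaluationScan` jobs from the workspace Evaluate panel and create at most one due hourly evaluation during normal watch/background polling when app evaluation is enabled for the repository link. Evaluation results contain bounded summaries, safe evidence, suggested actions, lifecycle proposals, and repo-relative paths only. Current runners can also claim manual read-only `securityPostureScan` jobs from the workspace Security panel and create due daily posture checks during normal watch/background polling. Security scan results contain bounded summaries, standard references, safe evidence, and repo-relative paths only; source, secrets, environment variables, command lines, process lists, credentials, provider sessions, and arbitrary local paths stay local. Implementation or cleanup is queued separately only after the user approves an issue analysis, app evaluation finding, or security remediation plan in the app.
+The runner advertises its supported work kinds in heartbeats. Current runners can claim read-only `projectContextRefresh` jobs from the workspace Context panel and create due runner-driven refreshes when no fresh approved map exists. Context refreshes inspect the paired checkout locally without modifying files and submit only bounded summaries, slices, entities, relations, safe citations, confidence, freshness, and repo-relative paths. If a submitted context refresh contains unsafe evidence, unsafe paths, or a map too large to store safely, Amistio marks the refresh failed with a safe reason instead of storing the rejected raw result. Approved maps are reused as context packs for source-aware assistant and impact-preview work. Current runners can also claim read-only issue diagnosis jobs from the web Issues panel, generate root-cause analysis and a proposed fix, and submit that result without modifying source. They can claim manual read-only `appEvaluationScan` jobs from the workspace Evaluate panel and create at most one due hourly evaluation during normal watch/background polling when app evaluation is enabled for the repository link. Evaluation results contain bounded summaries, safe evidence, suggested actions, lifecycle proposals, and repo-relative paths only. Current runners can also claim manual read-only `securityPostureScan` jobs from the workspace Security panel and create due daily posture checks during normal watch/background polling. Security scan results contain bounded summaries, standard references, safe evidence, and repo-relative paths only; source, secrets, environment variables, command lines, process lists, credentials, provider sessions, and arbitrary local paths stay local. Implementation or cleanup is queued separately only after the user approves an issue analysis, app evaluation finding, or security remediation plan in the app.
 
 Approved implementation work uses Git as the handoff boundary. After the local tool completes successfully, the runner commits the isolated worktree, pushes an `amistio/work/...` branch to the linked GitHub remote, opens or reuses a pull request with the locally authenticated `gh` CLI, reports only safe PR metadata to Amistio, and removes the local worktree after the PR URL is durable. Prepare the runner machine with Git commit identity, push permission to the linked remote, and `gh auth status`. If commit, push, or PR creation fails, the work item is blocked and the branch/worktree stay on disk for manual recovery; source files and patches are not uploaded to Amistio.
 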
package/dist/index.js
CHANGED
|
@@ -1099,11 +1099,26 @@ var securityFindingResultSchema = z.object({
|
|
|
1099
1099
|
safePaths: z.array(z.string().trim().min(1).max(300)).default([]),
|
|
1100
1100
|
status: securityFindingStatusSchema.default("open")
|
|
1101
1101
|
});
|
|
1102
|
+
var securityPostureGradeSchema = z.enum(["A", "B", "C", "D", "F", "Unknown"]);
|
|
1103
|
+
var securityPostureScanResultGradeSchema = z.preprocess((value) => {
|
|
1104
|
+
if (typeof value !== "string") {
|
|
1105
|
+
return value;
|
|
1106
|
+
}
|
|
1107
|
+
const trimmed = value.trim();
|
|
1108
|
+
if (trimmed.toUpperCase() === "UNKNOWN") {
|
|
1109
|
+
return "Unknown";
|
|
1110
|
+
}
|
|
1111
|
+
const gradeMatch = /^(?:GRADE\s*)?([ABCDF])(?:\s*[+-])?(?:\b|$)/i.exec(trimmed);
|
|
1112
|
+
if (gradeMatch?.[1]) {
|
|
1113
|
+
return gradeMatch[1].toUpperCase();
|
|
1114
|
+
}
|
|
1115
|
+
return "Unknown";
|
|
1116
|
+
}, securityPostureGradeSchema);
|
|
1102
1117
|
var securityPostureScanResultSchema = z.object({
|
|
1103
1118
|
summary: z.string().trim().min(1).max(2e3),
|
|
1104
1119
|
baselineVersion: z.string().trim().min(1).max(80),
|
|
1105
1120
|
postureScore: z.number().min(0).max(100).optional(),
|
|
1106
|
-
postureGrade:
|
|
1121
|
+
postureGrade: securityPostureScanResultGradeSchema.default("Unknown"),
|
|
1107
1122
|
categorySummaries: z.array(securityCategorySummarySchema).default([]),
|
|
1108
1123
|
findings: z.array(securityFindingResultSchema).default([]),
|
|
1109
1124
|
verificationPlan: z.array(z.string().trim().min(1).max(300)).min(1)
|
|
@@ -1162,7 +1177,7 @@ var securityPostureSnapshotItemSchema = baseItemSchema.extend({
|
|
|
1162
1177
|
status: z.enum(["unknown", "fresh", "stale", "running", "failed"]),
|
|
1163
1178
|
baselineVersion: z.string().trim().min(1).max(80).default("amistio-security-baseline-v1"),
|
|
1164
1179
|
postureScore: z.number().min(0).max(100).optional(),
|
|
1165
|
-
postureGrade:
|
|
1180
|
+
postureGrade: securityPostureGradeSchema.default("Unknown"),
|
|
1166
1181
|
severityCounts: securitySeverityCountsSchema.default(defaultSecuritySeverityCounts),
|
|
1167
1182
|
categorySummaries: z.array(securityCategorySummarySchema).default([]),
|
|
1168
1183
|
lastScannedAt: isoDateTimeSchema.optional(),
|
|
@@ -4942,6 +4957,12 @@ function parseProjectContextRefreshResult(output) {
|
|
|
4942
4957
|
const parsed = JSON.parse(stripJsonFence(payload));
|
|
4943
4958
|
return projectContextRefreshResultSchema.parse(parsed);
|
|
4944
4959
|
}
|
|
4960
|
+
function projectContextRefreshSubmissionFailureSummary(result) {
|
|
4961
|
+
if (result.refresh.status !== "failed" && result.workItem.status !== "failed") {
|
|
4962
|
+
return void 0;
|
|
4963
|
+
}
|
|
4964
|
+
return result.refresh.error ?? result.workItem.lastStatusMessage ?? "Server rejected the project context refresh result.";
|
|
4965
|
+
}
|
|
4945
4966
|
function createBrainGenerationPrompt(workItem) {
|
|
4946
4967
|
const wish = workItem.sourceWish ?? workItem.title;
|
|
4947
4968
|
const artifactFormatPreference = workItem.artifactFormatPreference ?? "markdown";
|
|
@@ -7794,6 +7815,18 @@ ${toolResult.stderr}`);
|
|
|
7794
7815
|
...sessionTelemetry,
|
|
7795
7816
|
message: `${toolName} returned a project context refresh.`
|
|
7796
7817
|
});
|
|
7818
|
+
const failureSummary = projectContextRefreshSubmissionFailureSummary(result);
|
|
7819
|
+
if (failureSummary) {
|
|
7820
|
+
await recordRunnerMilestone(apiClient, projectId, workItem, runnerId, repositoryLinkId, {
|
|
7821
|
+
status: "failed",
|
|
7822
|
+
summary: failureSummary,
|
|
7823
|
+
idempotencyKey: `runner_milestone_project_context_failed_${workItem.workItemId}_${result.workItem.idempotencyKey}`,
|
|
7824
|
+
metadata: { tool: toolName, durationMs, sliceCount: refreshResult.slices.length, entityCount: refreshResult.entities.length, verificationSummary: "Server rejected the project context refresh result." }
|
|
7825
|
+
});
|
|
7826
|
+
await apiClient.sendRunnerHeartbeat(projectId, runnerId, repositoryLinkId, "online", runnerHeartbeatMetadata(toolConfig));
|
|
7827
|
+
console.error(failureSummary);
|
|
7828
|
+
return { status: "failed", exitCode: 1 };
|
|
7829
|
+
}
|
|
7797
7830
|
await recordRunnerMilestone(apiClient, projectId, workItem, runnerId, repositoryLinkId, {
|
|
7798
7831
|
status: "completed",
|
|
7799
7832
|
summary: `${toolName} returned a project context refresh.`,
|
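Review bot: In the `securityPostureScanResultGradeSchema` preprocess (new lines 1103–1116), the optional prefix `(?:GRADE\s*)?` accepts `Grade B` but not `Grade: B` or `Grade - B`, and every string the regex does not match is silently coerced to `"Unknown"`, so a slightly differently formatted tool answer is stored as an unknown posture with no diagnostic. If the tool output is expected to vary in shape, a separator could be tolerated with `/^(?:GRADE\s*[:\-]?\s*)?([ABCDF])(?:\s*[+-])?(?:\b|$)/i`, and the intent should be stated above the fallback, e.g. `// Lenient on purpose: unparseable grades degrade to "Unknown" rather than rejecting the whole scan result.` Note that the snapshot schema in the 1177 hunk keeps the strict `securityPostureGradeSchema`, so only tool-produced results get the lenient path, which looks intentional but is worth a comment too. Separately, the literal `"Server rejected the project context refresh result."` is written both in `projectContextRefreshSubmissionFailureSummary` (4964) and in the failed-milestone `verificationSummary` metadata (7824); a single shared constant would keep the two from drifting, and the function enclosing the 7815 hunk starts outside it.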