npm - @amistio/cli - Versions diffs - 0.1.13 → 0.1.15 - Mend

@amistio/cli 0.1.13 → 0.1.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -41,7 +41,7 @@ When `--tool copilot` uses the GitHub Copilot SDK, Amistio approves read-only pe
 `amistio runner status` reports local background runner state, latest heartbeat, and bounded resource usage when available. Resource usage is latest-sample runner process memory/CPU plus safe aggregate system memory/load signals; it does not include source files, environment variables, command lines, process lists, credentials, or arbitrary local paths.
-The runner advertises its supported work kinds in heartbeats. Current runners can claim read-only `projectContextRefresh` jobs from the workspace Context panel and create due runner-driven refreshes when no fresh approved map exists. Context refreshes inspect the paired checkout locally without modifying files and submit only bounded summaries, slices, entities, relations, safe citations, confidence, freshness, and repo-relative paths. Approved maps are reused as context packs for source-aware assistant and impact-preview work. Current runners can also claim read-only issue diagnosis jobs from the web Issues panel, generate root-cause analysis and a proposed fix, and submit that result without modifying source. They can claim manual read-only `appEvaluationScan` jobs from the workspace Evaluate panel and create at most one due hourly evaluation during normal watch/background polling when app evaluation is enabled for the repository link. Evaluation results contain bounded summaries, safe evidence, suggested actions, lifecycle proposals, and repo-relative paths only. Current runners can also claim manual read-only `securityPostureScan` jobs from the workspace Security panel and create due daily posture checks during normal watch/background polling. Security scan results contain bounded summaries, standard references, safe evidence, and repo-relative paths only; source, secrets, environment variables, command lines, process lists, credentials, provider sessions, and arbitrary local paths stay local. Implementation or cleanup is queued separately only after the user approves an issue analysis, app evaluation finding, or security remediation plan in the app.
+The runner advertises its supported work kinds in heartbeats. Current runners can claim read-only `projectContextRefresh` jobs from the workspace Context panel and create due runner-driven refreshes when no fresh approved map exists. Context refreshes inspect the paired checkout locally without modifying files and submit only bounded summaries, slices, entities, relations, safe citations, confidence, freshness, and repo-relative paths. If a submitted context refresh contains unsafe evidence, unsafe paths, or a map too large to store safely, Amistio marks the refresh failed with a safe reason instead of storing the rejected raw result. Approved maps are reused as context packs for source-aware assistant and impact-preview work. Current runners can also claim read-only issue diagnosis jobs from the web Issues panel, generate root-cause analysis and a proposed fix, and submit that result without modifying source. They can claim manual read-only `appEvaluationScan` jobs from the workspace Evaluate panel and create at most one due hourly evaluation during normal watch/background polling when app evaluation is enabled for the repository link. Evaluation results contain bounded summaries, safe evidence, suggested actions, lifecycle proposals, and repo-relative paths only. Current runners can also claim manual read-only `securityPostureScan` jobs from the workspace Security panel and create due daily posture checks during normal watch/background polling. Security scan results contain bounded summaries, standard references, safe evidence, and repo-relative paths only; source, secrets, environment variables, command lines, process lists, credentials, provider sessions, and arbitrary local paths stay local. Implementation or cleanup is queued separately only after the user approves an issue analysis, app evaluation finding, or security remediation plan in the app.
 Approved implementation work uses Git as the handoff boundary. After the local tool completes successfully, the runner commits the isolated worktree, pushes an `amistio/work/...` branch to the linked GitHub remote, opens or reuses a pull request with the locally authenticated `gh` CLI, reports only safe PR metadata to Amistio, and removes the local worktree after the PR URL is durable. Prepare the runner machine with Git commit identity, push permission to the linked remote, and `gh auth status`. If commit, push, or PR creation fails, the work item is blocked and the branch/worktree stay on disk for manual recovery; source files and patches are not uploaded to Amistio.

package/dist/index.js CHANGED Viewed

@@ -1099,11 +1099,26 @@ var securityFindingResultSchema = z.object({
   safePaths: z.array(z.string().trim().min(1).max(300)).default([]),
   status: securityFindingStatusSchema.default("open")
 });
+var securityPostureGradeSchema = z.enum(["A", "B", "C", "D", "F", "Unknown"]);
+var securityPostureScanResultGradeSchema = z.preprocess((value) => {
+  if (typeof value !== "string") {
+    return value;
+  }
+  const trimmed = value.trim();
+  if (trimmed.toUpperCase() === "UNKNOWN") {
+    return "Unknown";
+  }
+  const gradeMatch = /^(?:GRADE\s*)?([ABCDF])(?:\s*[+-])?(?:\b|$)/i.exec(trimmed);
+  if (gradeMatch?.[1]) {
+    return gradeMatch[1].toUpperCase();
+  }
+  return "Unknown";
+}, securityPostureGradeSchema);
 var securityPostureScanResultSchema = z.object({
   summary: z.string().trim().min(1).max(2e3),
   baselineVersion: z.string().trim().min(1).max(80),
   postureScore: z.number().min(0).max(100).optional(),
-  postureGrade: z.enum(["A", "B", "C", "D", "F", "Unknown"]).default("Unknown"),
+  postureGrade: securityPostureScanResultGradeSchema.default("Unknown"),
   categorySummaries: z.array(securityCategorySummarySchema).default([]),
   findings: z.array(securityFindingResultSchema).default([]),
   verificationPlan: z.array(z.string().trim().min(1).max(300)).min(1)
@@ -1162,7 +1177,7 @@ var securityPostureSnapshotItemSchema = baseItemSchema.extend({
   status: z.enum(["unknown", "fresh", "stale", "running", "failed"]),
   baselineVersion: z.string().trim().min(1).max(80).default("amistio-security-baseline-v1"),
   postureScore: z.number().min(0).max(100).optional(),
-  postureGrade: z.enum(["A", "B", "C", "D", "F", "Unknown"]).default("Unknown"),
+  postureGrade: securityPostureGradeSchema.default("Unknown"),
   severityCounts: securitySeverityCountsSchema.default(defaultSecuritySeverityCounts),
   categorySummaries: z.array(securityCategorySummarySchema).default([]),
   lastScannedAt: isoDateTimeSchema.optional(),
@@ -4370,6 +4385,8 @@ var appEvaluationStart = "AMISTIO_APP_EVALUATION_START";
 var appEvaluationEnd = "AMISTIO_APP_EVALUATION_END";
 var projectContextRefreshStart = "AMISTIO_PROJECT_CONTEXT_REFRESH_START";
 var projectContextRefreshEnd = "AMISTIO_PROJECT_CONTEXT_REFRESH_END";
+var validProjectContextEntityTypes = /* @__PURE__ */ new Set(["project", "system", "component", "domain", "tool", "decision", "feature", "risk", "team", "workflow", "unknown"]);
+var validProjectContextRelationTypes = /* @__PURE__ */ new Set(["uses", "depends_on", "decides", "supersedes", "touches", "blocks", "implements", "mentions"]);
 function createWorkExecutionPrompt(workItem, context) {
   if (workItem.workKind === "brainGeneration") {
     return createBrainGenerationPrompt(workItem);
@@ -4940,7 +4957,13 @@ function parseProjectContextRefreshResult(output) {
   }
   const payload = output.slice(start + projectContextRefreshStart.length, end).trim();
   const parsed = JSON.parse(stripJsonFence(payload));
-  return projectContextRefreshResultSchema.parse(parsed);
+  return projectContextRefreshResultSchema.parse(normalizeProjectContextRefreshEnums(parsed));
+}
+function projectContextRefreshSubmissionFailureSummary(result) {
+  if (result.refresh.status !== "failed" && result.workItem.status !== "failed") {
+    return void 0;
+  }
+  return result.refresh.error ?? result.workItem.lastStatusMessage ?? "Server rejected the project context refresh result.";
 }
 function createBrainGenerationPrompt(workItem) {
   const wish = workItem.sourceWish ?? workItem.title;
@@ -4998,6 +5021,50 @@ function createBrainGenerationPrompt(workItem) {
     "Do not put Markdown fences around the markers. Do not claim implementation is complete."
   ].join("\n");
 }
+function normalizeProjectContextRefreshEnums(value) {
+  if (!isObjectRecord(value)) {
+    return value;
+  }
+  const normalized = { ...value };
+  if (Array.isArray(normalized.entities)) {
+    normalized.entities = normalized.entities.map((entity) => {
+      if (!isObjectRecord(entity)) {
+        return entity;
+      }
+      const normalizedEntity = { ...entity };
+      normalizedEntity.entityType = normalizeProjectContextEntityType(entity.entityType);
+      return normalizedEntity;
+    });
+  }
+  if (Array.isArray(normalized.relations)) {
+    normalized.relations = normalized.relations.map((relation) => {
+      if (!isObjectRecord(relation)) {
+        return relation;
+      }
+      const normalizedRelation = { ...relation };
+      normalizedRelation.relationType = normalizeProjectContextRelationType(relation.relationType);
+      return normalizedRelation;
+    });
+  }
+  return normalized;
+}
+function normalizeProjectContextEntityType(value) {
+  if (typeof value !== "string") {
+    return "unknown";
+  }
+  const normalized = value.trim().toLowerCase();
+  return validProjectContextEntityTypes.has(normalized) ? normalized : "unknown";
+}
+function normalizeProjectContextRelationType(value) {
+  if (typeof value !== "string") {
+    return "mentions";
+  }
+  const normalized = value.trim().toLowerCase();
+  return validProjectContextRelationTypes.has(normalized) ? normalized : "mentions";
+}
+function isObjectRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
 function artifactFormatPreferenceInstructions(preference) {
   if (preference === "html") {
     return "The user chose HTML. Generate .html artifacts under docs/html/<folder>/ and set contentFormat to html.";
@@ -7794,6 +7861,18 @@ ${toolResult.stderr}`);
       ...sessionTelemetry,
       message: `${toolName} returned a project context refresh.`
     });
+    const failureSummary = projectContextRefreshSubmissionFailureSummary(result);
+    if (failureSummary) {
+      await recordRunnerMilestone(apiClient, projectId, workItem, runnerId, repositoryLinkId, {
+        status: "failed",
+        summary: failureSummary,
+        idempotencyKey: `runner_milestone_project_context_failed_${workItem.workItemId}_${result.workItem.idempotencyKey}`,
+        metadata: { tool: toolName, durationMs, sliceCount: refreshResult.slices.length, entityCount: refreshResult.entities.length, verificationSummary: "Server rejected the project context refresh result." }
+      });
+      await apiClient.sendRunnerHeartbeat(projectId, runnerId, repositoryLinkId, "online", runnerHeartbeatMetadata(toolConfig));
+      console.error(failureSummary);
+      return { status: "failed", exitCode: 1 };
+    }
     await recordRunnerMilestone(apiClient, projectId, workItem, runnerId, repositoryLinkId, {
       status: "completed",
       summary: `${toolName} returned a project context refresh.`,