@askexenow/exe-os 0.9.299 → 0.9.301

package/dist/services/codex-reviewd/index.js

@@ -0,0 +1,855 @@
+import "../../chunk-MLKGABMK.js";
+
+// src/services/codex-reviewd/config.ts
+import { readFileSync } from "fs";
+var DEFAULTS = {
+  port: 9300,
+  concurrency: 2,
+  defaultTimeoutMs: 5 * 60 * 1e3,
+  pollIntervalMs: 2e3,
+  repos: {},
+  defaultPrompt: "default-review"
+};
+function loadConfig(configPath) {
+  const filePath = configPath ?? process.env.CODEX_REVIEWD_CONFIG;
+  if (!filePath) {
+    throw new Error(
+      "CODEX_REVIEWD_CONFIG environment variable is not set. Provide a path to the daemon configuration JSON file."
+    );
+  }
+  let raw;
+  try {
+    raw = readFileSync(filePath, "utf-8");
+  } catch (err) {
+    throw new Error(`Failed to read config file at ${filePath}: ${err.message}`);
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(`Failed to parse config file at ${filePath}: ${err.message}`);
+  }
+  if (!parsed.webhookSecret || typeof parsed.webhookSecret !== "string") {
+    throw new Error("Config missing required field: webhookSecret");
+  }
+  if (!parsed.githubAppId || typeof parsed.githubAppId !== "string") {
+    throw new Error("Config missing required field: githubAppId");
+  }
+  if (!parsed.githubAppPrivateKeyPath || typeof parsed.githubAppPrivateKeyPath !== "string") {
+    throw new Error("Config missing required field: githubAppPrivateKeyPath");
+  }
+  if (!parsed.codexApiKeyPath || typeof parsed.codexApiKeyPath !== "string") {
+    throw new Error("Config missing required field: codexApiKeyPath");
+  }
+  return {
+    ...DEFAULTS,
+    ...parsed,
+    port: typeof parsed.port === "number" ? parsed.port : DEFAULTS.port,
+    concurrency: typeof parsed.concurrency === "number" ? parsed.concurrency : DEFAULTS.concurrency,
+    defaultTimeoutMs: typeof parsed.defaultTimeoutMs === "number" ? parsed.defaultTimeoutMs : DEFAULTS.defaultTimeoutMs,
+    pollIntervalMs: typeof parsed.pollIntervalMs === "number" ? parsed.pollIntervalMs : DEFAULTS.pollIntervalMs,
+    repos: parsed.repos && typeof parsed.repos === "object" ? parsed.repos : DEFAULTS.repos,
+    defaultPrompt: typeof parsed.defaultPrompt === "string" ? parsed.defaultPrompt : DEFAULTS.defaultPrompt,
+    webhookSecret: parsed.webhookSecret,
+    githubAppId: parsed.githubAppId,
+    githubAppPrivateKeyPath: parsed.githubAppPrivateKeyPath,
+    codexApiKeyPath: parsed.codexApiKeyPath
+  };
+}
+
+// src/services/codex-reviewd/github.ts
+import { createPrivateKey, createSign } from "crypto";
+import { readFileSync as readFileSync2 } from "fs";
+var GITHUB_API = "https://api.github.com";
+function createAppJwt(appId, privateKeyPem) {
+  const now = Math.floor(Date.now() / 1e3);
+  const header = Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })).toString("base64url");
+  const payload = Buffer.from(JSON.stringify({
+    iat: now - 60,
+    // issued 60s ago (clock skew buffer)
+    exp: now + 600,
+    // expires in 10 minutes
+    iss: appId
+  })).toString("base64url");
+  const signingInput = `${header}.${payload}`;
+  const key = createPrivateKey(privateKeyPem);
+  const signer = createSign("RSA-SHA256");
+  signer.update(signingInput);
+  const signature = signer.sign(key, "base64url");
+  return `${signingInput}.${signature}`;
+}
+var GitHubClient = class {
+  appId;
+  privateKeyPem;
+  tokenCache = /* @__PURE__ */ new Map();
+  constructor(opts) {
+    this.appId = opts.appId;
+    this.privateKeyPem = readFileSync2(opts.privateKeyPath, "utf-8");
+  }
+  /**
+   * Get an installation access token, using cache when possible.
+   * Tokens are cached until 5 minutes before expiry.
+   */
+  async getInstallationToken(installationId) {
+    const cached = this.tokenCache.get(installationId);
+    if (cached && cached.expiresAt > Date.now() + 5 * 60 * 1e3) {
+      return cached.token;
+    }
+    const jwt = createAppJwt(this.appId, this.privateKeyPem);
+    const res = await fetch(`${GITHUB_API}/app/installations/${installationId}/access_tokens`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${jwt}`,
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      }
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Failed to get installation token (${res.status}): ${body}`);
+    }
+    const data = await res.json();
+    this.tokenCache.set(installationId, {
+      token: data.token,
+      expiresAt: new Date(data.expires_at).getTime()
+    });
+    return data.token;
+  }
+  /**
+   * Create a check run on a commit.
+   * Used to report "codex/build-my-review" status.
+   */
+  async createCheckRun(params) {
+    const token = await this.getInstallationToken(params.installationId);
+    const res = await fetch(`${GITHUB_API}/repos/${params.owner}/${params.repo}/check-runs`, {
+      method: "POST",
+      headers: {
+        Authorization: `token ${token}`,
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28",
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        name: "codex/build-my-review",
+        head_sha: params.headSha,
+        status: params.status,
+        ...params.conclusion ? { conclusion: params.conclusion } : {},
+        output: {
+          title: params.title,
+          summary: params.summary,
+          ...params.text ? { text: params.text } : {}
+        }
+      })
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Failed to create check run (${res.status}): ${body}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Update an existing check run.
+   */
+  async updateCheckRun(params) {
+    const token = await this.getInstallationToken(params.installationId);
+    const res = await fetch(`${GITHUB_API}/repos/${params.owner}/${params.repo}/check-runs/${params.checkRunId}`, {
+      method: "PATCH",
+      headers: {
+        Authorization: `token ${token}`,
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28",
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        status: params.status,
+        ...params.conclusion ? { conclusion: params.conclusion } : {},
+        output: {
+          title: params.title,
+          summary: params.summary,
+          ...params.text ? { text: params.text } : {}
+        }
+      })
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Failed to update check run (${res.status}): ${body}`);
+    }
+  }
+  /**
+   * Post a comment on a PR (via the issues API).
+   */
+  async postPRComment(params) {
+    const token = await this.getInstallationToken(params.installationId);
+    const res = await fetch(`${GITHUB_API}/repos/${params.owner}/${params.repo}/issues/${params.prNumber}/comments`, {
+      method: "POST",
+      headers: {
+        Authorization: `token ${token}`,
+        Accept: "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28",
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ body: params.body })
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Failed to post PR comment (${res.status}): ${body}`);
+    }
+    return await res.json();
+  }
+};
+
+// src/services/codex-reviewd/queue.ts
+var ReviewQueue = class {
+  jobs = /* @__PURE__ */ new Map();
+  pending = [];
+  runningCount = 0;
+  concurrency;
+  maxRetries;
+  nextId = 1;
+  constructor(opts) {
+    this.concurrency = opts.concurrency;
+    this.maxRetries = opts.maxRetries ?? 2;
+  }
+  /**
+   * Add a new review job to the queue.
+   * Returns the job ID.
+   */
+  enqueue(params) {
+    const id = `review-${this.nextId++}`;
+    const job = {
+      id,
+      repo: params.repo,
+      prNumber: params.prNumber,
+      headSha: params.headSha,
+      baseSha: params.baseSha,
+      baseBranch: params.baseBranch,
+      headBranch: params.headBranch,
+      prTitle: params.prTitle,
+      prBody: params.prBody,
+      installationId: params.installationId,
+      status: "pending",
+      result: null,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      startedAt: null,
+      completedAt: null,
+      retries: 0,
+      error: null
+    };
+    this.jobs.set(id, job);
+    this.pending.push(id);
+    return id;
+  }
+  /**
+   * Dequeue the next pending job if concurrency allows.
+   * Returns null if no jobs available or at capacity.
+   */
+  dequeue() {
+    if (this.runningCount >= this.concurrency) return null;
+    if (this.pending.length === 0) return null;
+    const id = this.pending.shift();
+    const job = this.jobs.get(id);
+    if (!job) return null;
+    job.status = "running";
+    job.startedAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.runningCount++;
+    return job;
+  }
+  /**
+   * Mark a job as successfully completed.
+   */
+  complete(id, result) {
+    const job = this.jobs.get(id);
+    if (!job) return;
+    job.status = "complete";
+    job.result = result;
+    job.completedAt = (/* @__PURE__ */ new Date()).toISOString();
+    if (job.status === "complete") {
+      this.runningCount = Math.max(0, this.runningCount - 1);
+    }
+  }
+  /**
+   * Mark a job as failed. Re-enqueues if retries remain.
+   * Returns true if the job will be retried.
+   */
+  fail(id, error) {
+    const job = this.jobs.get(id);
+    if (!job) return false;
+    this.runningCount = Math.max(0, this.runningCount - 1);
+    job.retries++;
+    job.error = error;
+    if (job.retries <= this.maxRetries) {
+      job.status = "pending";
+      job.startedAt = null;
+      this.pending.push(id);
+      return true;
+    }
+    job.status = "failed";
+    job.completedAt = (/* @__PURE__ */ new Date()).toISOString();
+    return false;
+  }
+  /**
+   * Get a job by ID.
+   */
+  get(id) {
+    return this.jobs.get(id);
+  }
+  /**
+   * Check if a review for this repo+PR+SHA is already queued or running.
+   * Prevents duplicate reviews for the same commit.
+   */
+  isDuplicate(repo, prNumber, headSha) {
+    for (const job of this.jobs.values()) {
+      if (job.repo === repo && job.prNumber === prNumber && job.headSha === headSha && (job.status === "pending" || job.status === "running")) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Get count of jobs by status.
+   */
+  stats() {
+    const counts = { pending: 0, running: 0, complete: 0, failed: 0 };
+    for (const job of this.jobs.values()) {
+      counts[job.status]++;
+    }
+    return counts;
+  }
+  /**
+   * Number of currently running jobs.
+   */
+  get activeCount() {
+    return this.runningCount;
+  }
+  /**
+   * Number of pending jobs.
+   */
+  get pendingCount() {
+    return this.pending.length;
+  }
+};
+
+// src/services/codex-reviewd/server.ts
+import { createHmac, timingSafeEqual } from "crypto";
+import { createServer } from "http";
+function readBody(req) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("end", () => resolve(Buffer.concat(chunks)));
+    req.on("error", reject);
+  });
+}
+function validateSignature(body, secret, signatureHeader) {
+  if (!signatureHeader) return false;
+  const expected = "sha256=" + createHmac("sha256", secret).update(body).digest("hex");
+  if (signatureHeader.length !== expected.length) return false;
+  try {
+    return timingSafeEqual(
+      Buffer.from(signatureHeader, "utf-8"),
+      Buffer.from(expected, "utf-8")
+    );
+  } catch {
+    return false;
+  }
+}
+function isForkPR(event) {
+  return event.pull_request.head.repo.full_name !== event.pull_request.base.repo.full_name;
+}
+function createWebhookServer(opts) {
+  const { port, webhookSecret, queue } = opts;
+  const server = createServer(async (req, res) => {
+    if (req.method === "GET" && req.url === "/health") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({
+        status: "ok",
+        stats: queue.stats()
+      }));
+      return;
+    }
+    if (req.method === "POST" && req.url === "/webhook") {
+      let body;
+      try {
+        body = await readBody(req);
+      } catch {
+        res.writeHead(400);
+        res.end("Bad request: could not read body");
+        return;
+      }
+      const signature = req.headers["x-hub-signature-256"];
+      if (!validateSignature(body, webhookSecret, signature)) {
+        res.writeHead(401);
+        res.end("Unauthorized: invalid signature");
+        return;
+      }
+      const eventType = req.headers["x-github-event"];
+      if (eventType !== "pull_request") {
+        res.writeHead(200);
+        res.end("Ignored: not a pull_request event");
+        return;
+      }
+      let event;
+      try {
+        event = JSON.parse(body.toString("utf-8"));
+      } catch {
+        res.writeHead(400);
+        res.end("Bad request: invalid JSON");
+        return;
+      }
+      const ACCEPTED_ACTIONS = /* @__PURE__ */ new Set(["opened", "synchronize", "reopened", "ready_for_review"]);
+      if (!ACCEPTED_ACTIONS.has(event.action)) {
+        res.writeHead(200);
+        res.end(`Ignored: action "${event.action}"`);
+        return;
+      }
+      if (isForkPR(event)) {
+        res.writeHead(200);
+        res.end("Skipped: fork PR");
+        return;
+      }
+      if (!event.installation?.id) {
+        res.writeHead(400);
+        res.end("Bad request: missing installation ID");
+        return;
+      }
+      const repoName = event.pull_request.base.repo.full_name;
+      const headSha = event.pull_request.head.sha;
+      if (queue.isDuplicate(repoName, event.number, headSha)) {
+        res.writeHead(200);
+        res.end("Duplicate: review already queued for this commit");
+        return;
+      }
+      const jobId = queue.enqueue({
+        repo: repoName,
+        prNumber: event.number,
+        headSha,
+        baseSha: event.pull_request.base.sha,
+        baseBranch: event.pull_request.base.ref,
+        headBranch: event.pull_request.head.ref,
+        prTitle: event.pull_request.title,
+        prBody: event.pull_request.body ?? void 0,
+        installationId: event.installation.id
+      });
+      console.log(`[codex-reviewd] Enqueued job ${jobId}: ${repoName}#${event.number} (${headSha.slice(0, 7)})`);
+      res.writeHead(202, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ jobId, status: "queued" }));
+      return;
+    }
+    res.writeHead(404);
+    res.end("Not found");
+  });
+  server.listen(port, () => {
+    console.log(`[codex-reviewd] Webhook server listening on port ${port}`);
+  });
+  return server;
+}
+
+// src/services/codex-reviewd/worker.ts
+import { spawn } from "child_process";
+import { mkdtempSync, readFileSync as readFileSync3, rmSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
+
+// src/services/codex-reviewd/prompts.ts
+var defaultReview = {
+  name: "default-review",
+  description: "General-purpose code review prompt",
+  render(diff, ctx) {
+    return `You are reviewing PR #${ctx.prNumber} in ${ctx.repo} (${ctx.headBranch} -> ${ctx.baseBranch}).
+${ctx.prTitle ? `PR Title: ${ctx.prTitle}` : ""}
+
+Review this diff for:
+1. **Correctness bugs** \u2014 logic errors, off-by-ones, null/undefined mishandling, race conditions
+2. **Security issues** \u2014 injection, auth bypass, secret leakage, unsafe deserialization
+3. **Performance** \u2014 O(n\xB2) where O(n) is possible, missing indexes, unbounded allocations
+4. **Maintainability** \u2014 dead code, unclear naming, missing error handling
+
+Rules:
+- Be specific: cite file and line numbers from the diff
+- Skip style/formatting nits \u2014 linters handle those
+- If the diff is clean, say "LGTM \u2014 no issues found" and nothing else
+- Categorize each finding as [CRITICAL], [WARNING], or [SUGGESTION]
+
+Diff:
+\`\`\`diff
+${diff}
+\`\`\``;
+  }
+};
+var exeOsReview = {
+  name: "exe-os-review",
+  description: "exe-os specific review with ESM/security/architecture checks",
+  render(diff, ctx) {
+    return `You are reviewing PR #${ctx.prNumber} in ${ctx.repo} (${ctx.headBranch} -> ${ctx.baseBranch}).
+${ctx.prTitle ? `PR Title: ${ctx.prTitle}` : ""}
+
+This is the exe-os repository \u2014 an AI employee operating system with local-first encrypted storage.
+
+Review this diff against exe-os rules:
+
+## Security (CRITICAL)
+- No secrets, PII, or API keys in code
+- Auth middleware must be preserved
+- E2EE/local-first: SQLCipher DB never accessed directly; MCP is the ONLY interface
+- Customer data immutability: identities, behaviors, procedures never overwritten
+- External connections must use TLS
+- No require() in ESM files (src/lib/, src/mcp/, src/tui/) \u2014 this has caused 4+ production outages
+
+## Deployment
+- Stack manifest images must have SHA256 digests
+- No :latest tags in manifests or compose
+- Compose services must have healthchecks
+- CI must be green on exact commit before merge
+
+## Architecture
+- Zero hardcoded employee names \u2014 use role-resolver.ts
+- All queries must filter by session_scope
+- MCP is the only data interface
+
+## General
+- Correctness bugs, race conditions, null handling
+- Performance regressions
+- Missing error handling
+
+Rules:
+- Be specific: cite file and line numbers from the diff
+- Categorize each finding as [CRITICAL], [WARNING], or [SUGGESTION]
+- If clean, say "LGTM \u2014 no issues found"
+
+Diff:
+\`\`\`diff
+${diff}
+\`\`\``;
+  }
+};
+var stackManifestReview = {
+  name: "stack-manifest-review",
+  description: "Review for deploy/stack-manifests changes",
+  render(diff, ctx) {
+    return `You are reviewing PR #${ctx.prNumber} in ${ctx.repo} (${ctx.headBranch} -> ${ctx.baseBranch}).
+${ctx.prTitle ? `PR Title: ${ctx.prTitle}` : ""}
+
+This diff modifies stack manifests (Docker compose, deployment configs).
+
+Review for:
+1. **Image tags** \u2014 MUST use SHA256 digests, NEVER :latest
+2. **Healthchecks** \u2014 every service MUST have a healthcheck
+3. **Secrets** \u2014 no hardcoded credentials, tokens, or API keys
+4. **Resource limits** \u2014 memory/CPU limits should be set
+5. **Network** \u2014 TLS required for external connections
+6. **Volumes** \u2014 persistent data paths must be correct
+7. **Restart policy** \u2014 services should have restart: unless-stopped or always
+
+Rules:
+- Be specific: cite exact service names and line numbers
+- Categorize each finding as [CRITICAL], [WARNING], or [SUGGESTION]
+- If clean, say "LGTM \u2014 no issues found"
+
+Diff:
+\`\`\`diff
+${diff}
+\`\`\``;
+  }
+};
+var TEMPLATES = /* @__PURE__ */ new Map([
+  [defaultReview.name, defaultReview],
+  [exeOsReview.name, exeOsReview],
+  [stackManifestReview.name, stackManifestReview]
+]);
+function getPromptTemplate(name) {
+  return TEMPLATES.get(name) ?? defaultReview;
+}
+function listPromptTemplates() {
+  return Array.from(TEMPLATES.keys());
+}
+
+// src/services/codex-reviewd/worker.ts
+function exec(cmd, args, opts) {
+  return new Promise((resolve, reject) => {
+    const child = spawn(cmd, args, {
+      cwd: opts.cwd,
+      env: opts.env ?? process.env,
+      stdio: ["ignore", "pipe", "pipe"],
+      timeout: opts.timeoutMs
+    });
+    let stdout = "";
+    let stderr = "";
+    child.stdout.on("data", (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on("close", (code) => {
+      if (code === 0) {
+        resolve(stdout);
+      } else {
+        reject(new Error(`Command "${cmd} ${args.join(" ")}" exited with code ${code}: ${stderr}`));
+      }
+    });
+    child.on("error", reject);
+  });
+}
+var MANIFEST_PATTERNS = [
+  /^deploy\/stack-manifests\//,
+  /^stack\.release\.json$/,
+  /^\.github\/workflows\/release/,
+  /^deploy\/docker\//,
+  /^deploy\/compose\//
+];
+function shouldUseManifestPrompt(diff) {
+  const changedFiles = diff.match(/^diff --git a\/(.+?) b\//gm)?.map((m) => m.replace(/^diff --git a\//, "").replace(/ b\/.*/, "")) ?? [];
+  return changedFiles.some((f) => MANIFEST_PATTERNS.some((p) => p.test(f)));
+}
+function determineConclusion(reviewText) {
+  if (!reviewText || reviewText.trim() === "LGTM" || reviewText.includes("no significant issues")) {
+    return "success";
+  }
+  if (reviewText.toLowerCase().includes("lgtm")) {
+    return "success";
+  }
+  const blockingPatterns = /\b(CRITICAL|P0|P1|SECURITY|VULNERABILITY|BLOCKED?)\b/i;
+  if (blockingPatterns.test(reviewText)) {
+    return "failure";
+  }
+  return "neutral";
+}
+async function processJob(job, config, github) {
+  const [owner, repo] = job.repo.split("/");
+  const tmpDir = mkdtempSync(join(tmpdir(), "codex-reviewd-"));
+  let checkRunId;
+  try {
+    const checkRun = await github.createCheckRun({
+      installationId: job.installationId,
+      owner,
+      repo,
+      headSha: job.headSha,
+      status: "in_progress",
+      title: "Codex review in progress",
+      summary: `Reviewing PR #${job.prNumber}...`
+    });
+    checkRunId = checkRun.id;
+    const cloneUrl = `https://github.com/${job.repo}.git`;
+    await exec("git", [
+      "clone",
+      "--depth=1",
+      "--no-tags",
+      "--branch",
+      job.headBranch,
+      cloneUrl,
+      tmpDir
+    ], { timeoutMs: 6e4 });
+    await exec("git", [
+      "fetch",
+      "--depth=1",
+      "origin",
+      job.baseSha
+    ], { cwd: tmpDir, timeoutMs: 6e4 });
+    const diff = await exec("git", [
+      "diff",
+      `${job.baseSha}...${job.headSha}`,
+      "--"
+    ], { cwd: tmpDir, timeoutMs: 3e4 });
+    if (!diff.trim()) {
+      const result2 = "No changes detected in diff.";
+      await github.updateCheckRun({
+        installationId: job.installationId,
+        owner,
+        repo,
+        checkRunId: checkRun.id,
+        status: "completed",
+        conclusion: "neutral",
+        title: "No changes to review",
+        summary: result2
+      });
+      return result2;
+    }
+    const repoConfig = config.repos[job.repo];
+    let templateName = repoConfig?.prompt ?? config.defaultPrompt;
+    if (shouldUseManifestPrompt(diff)) {
+      templateName = "stack-manifest-review";
+    }
+    const template = getPromptTemplate(templateName);
+    const prompt = template.render(diff, {
+      repo: job.repo,
+      prNumber: job.prNumber,
+      baseBranch: job.baseBranch,
+      headBranch: job.headBranch,
+      prTitle: job.prTitle,
+      prBody: job.prBody
+    });
+    const codexApiKey = readFileSync3(config.codexApiKeyPath, "utf-8").trim();
+    const timeoutMs = repoConfig?.timeoutMs ?? config.defaultTimeoutMs;
+    const childEnv = {
+      PATH: process.env.PATH,
+      HOME: process.env.HOME,
+      CODEX_API_KEY: codexApiKey
+    };
+    const result = await exec("codex", [
+      "exec",
+      "--sandbox",
+      "read-only",
+      "--ephemeral",
+      prompt
+    ], {
+      cwd: tmpDir,
+      env: childEnv,
+      timeoutMs
+    });
+    const conclusion = determineConclusion(result);
+    const titleMap = { success: "LGTM", neutral: "Review findings", failure: "Blocking findings" };
+    await github.updateCheckRun({
+      installationId: job.installationId,
+      owner,
+      repo,
+      checkRunId: checkRun.id,
+      status: "completed",
+      conclusion,
+      title: titleMap[conclusion],
+      summary: result.slice(0, 65535)
+      // GitHub API limit
+    });
+    await github.postPRComment({
+      installationId: job.installationId,
+      owner,
+      repo,
+      prNumber: job.prNumber,
+      body: `## Codex Code Review
+
+${result}
+
+---
+*Automated review by codex-reviewd*`
+    });
+    return result;
+  } catch (err) {
+    const errorMessage = err instanceof Error ? err.message : String(err);
+    if (checkRunId) {
+      try {
+        await github.updateCheckRun({
+          installationId: job.installationId,
+          owner,
+          repo,
+          checkRunId,
+          status: "completed",
+          conclusion: "failure",
+          title: "Review failed",
+          summary: `codex-reviewd encountered an error:
+
+${errorMessage}`.slice(0, 65535)
+        });
+      } catch (updateErr) {
+        console.error("[codex-reviewd] Failed to update check-run on error:", updateErr);
+      }
+    } else {
+      try {
+        await github.createCheckRun({
+          installationId: job.installationId,
+          owner,
+          repo,
+          headSha: job.headSha,
+          status: "completed",
+          conclusion: "failure",
+          title: "Review failed",
+          summary: `codex-reviewd encountered an error:
+
+${errorMessage}`.slice(0, 65535)
+        });
+      } catch (createErr) {
+        console.error("[codex-reviewd] Failed to create check-run on error:", createErr);
+      }
+    }
+    throw err;
+  } finally {
+    try {
+      rmSync(tmpDir, { recursive: true, force: true });
+    } catch {
+    }
+  }
+}
+function startWorker(opts) {
+  const { config, queue, github } = opts;
+  let running = true;
+  const poll = async () => {
+    while (running) {
+      const job = queue.dequeue();
+      if (job) {
+        processJob(job, config, github).then((result) => {
+          queue.complete(job.id, result);
+          console.log(`[codex-reviewd] Job ${job.id} completed: ${job.repo}#${job.prNumber}`);
+        }).catch((err) => {
+          const error = err instanceof Error ? err.message : String(err);
+          const willRetry = queue.fail(job.id, error);
+          console.error(
+            `[codex-reviewd] Job ${job.id} failed: ${error}` + (willRetry ? " (will retry)" : " (permanent failure)")
+          );
+        });
+      }
+      await new Promise((resolve) => setTimeout(resolve, config.pollIntervalMs));
+    }
+  };
+  poll().catch((err) => {
+    console.error("[codex-reviewd] Worker loop crashed:", err);
+  });
+  return {
+    stop() {
+      running = false;
+    }
+  };
+}
+
+// src/services/codex-reviewd/index.ts
+function startDaemon(configPath) {
+  const config = loadConfig(configPath);
+  const port = Number(process.env.CODEX_REVIEWD_PORT) || config.port;
+  const queue = new ReviewQueue({
+    concurrency: config.concurrency
+  });
+  const github = new GitHubClient({
+    appId: config.githubAppId,
+    privateKeyPath: config.githubAppPrivateKeyPath
+  });
+  const server = createWebhookServer({
+    port,
+    webhookSecret: config.webhookSecret,
+    queue
+  });
+  const worker = startWorker({
+    config,
+    queue,
+    github
+  });
+  console.log(`[codex-reviewd] Daemon started (port=${port}, concurrency=${config.concurrency})`);
+  const stop = async () => {
+    console.log("[codex-reviewd] Shutting down...");
+    worker.stop();
+    await new Promise((resolve) => {
+      server.close(() => resolve());
+    });
+    console.log("[codex-reviewd] Shutdown complete.");
+  };
+  const onSignal = () => {
+    stop().then(() => process.exit(0)).catch(() => process.exit(1));
+  };
+  process.on("SIGTERM", onSignal);
+  process.on("SIGINT", onSignal);
+  return { stop };
+}
+var isMain = process.argv[1]?.endsWith("codex-reviewd/index.js") || process.argv[1]?.endsWith("codex-reviewd/index.ts");
+if (isMain) {
+  startDaemon();
+}
+export {
+  GitHubClient,
+  ReviewQueue,
+  createWebhookServer,
+  determineConclusion,
+  getPromptTemplate,
+  isForkPR,
+  listPromptTemplates,
+  loadConfig,
+  shouldUseManifestPrompt,
+  startDaemon,
+  startWorker,
+  validateSignature
+};