@basou/cli 0.8.0 → 0.9.0

package/dist/index.js

@@ -124,6 +124,7 @@ import {
   linkYamlFile,
   loadApproval,
   prefixedUlid,
+  readSessionYaml,
   readYamlFile,
   replayEvents,
   resolveRepositoryRoot
@@ -331,6 +332,15 @@ async function doRunApprovalResolve(idInput, options, ctx, decision) {
   if (isLazyExpired(approval, now)) {
     throw new Error(`Approval already expired: ${idInput}`);
   }
+  let sessionStatus = null;
+  try {
+    sessionStatus = (await readSessionYaml(paths, approval.session_id)).session.status;
+  } catch {
+    sessionStatus = null;
+  }
+  if (sessionStatus === "imported") {
+    throw new Error(`Cannot resolve an approval for an imported session: ${idInput}`);
+  }
   const occurredAt = now.toISOString();
   const eventId = prefixedUlid("evt");
   if (decision === "approve") {
@@ -1342,7 +1352,7 @@ import {
   findErrorCode as findErrorCode5,
   importSessionFromJson,
   readManifest as readManifest3,
-  readSessionYaml,
+  readSessionYaml as readSessionYaml2,
   reimportPreservingId,
   resolveRepositoryRoot as resolveRepositoryRoot6,
   SessionImportPayloadSchema
@@ -1524,7 +1534,7 @@ async function importDerivedSessions(paths, manifest, options, sourceKind, candi
         dryRun: options.dryRun === true
       });
       if (outcome.status === "skipped") {
-        const detail = outcome.reason === "prior_events_unreadable" ? "prior events.jsonl has unreadable lines" : "source changed in a non-append way (derived events would be dropped)";
+        const detail = outcome.reason === "prior_events_unreadable" ? "prior events.jsonl has unreadable lines" : outcome.reason === "prior_chain_broken" ? "prior events.jsonl failed hash-chain verification (run 'basou verify')" : "source changed in a non-append way (derived events would be dropped)";
         console.error(`Import: ${externalId} ${detail}; re-import skipped`);
         counts.skippedNoAction++;
         continue;
@@ -1612,7 +1622,7 @@ async function loadExistingByExternalId(paths, sourceKind) {
   for (const sessionId of sessionIds) {
     let session;
     try {
-      session = await readSessionYaml(paths, sessionId);
+      session = await readSessionYaml2(paths, sessionId);
     } catch {
       continue;
     }
@@ -2785,12 +2795,14 @@ import {
   appendEventToExistingSession as appendEventToExistingSession2,
   assertBasouRootSafe as assertBasouRootSafe9,
   basouPaths as basouPaths9,
+  enumerateSessionDirs as enumerateSessionDirs2,
   findErrorCode as findErrorCode8,
   importSessionFromJson as importSessionFromJson2,
   loadSessionEntries,
   readAllEvents,
   readManifest as readManifest5,
   readYamlFile as readYamlFile4,
+  rechainSessionInPlace,
   resolveRepositoryRoot as resolveRepositoryRoot10,
   resolveSessionId as resolveSessionId2,
   resolveTaskId,
@@ -2839,6 +2851,11 @@ function registerSessionCommand(program2) {
   session.command("note <session_id>").description("Append a note_added event to an existing session").option("--body <text>", "Note body (inline)", parseNoteBodyOption).option("--from-file <path>", "Read note body from a file").option("--json", "Output the result as JSON").option("-v, --verbose", "Show error causes").action(async (sessionIdInput, options) => {
     await runSessionNote(sessionIdInput, options);
   });
+  session.command("rechain").description(
+    "Add the tamper-evidence hash chain, in place, to imported sessions created before chaining existed"
+  ).option("--session <id>", "Rechain a single session (unique id prefix accepted)").option("--all", "Rechain every session in the workspace").option("--dry-run", "Compute the outcomes only; do not write").option("--json", "Output the outcomes as JSON").option("-v, --verbose", "Show error causes").action(async (options) => {
+    await runSessionRechain(options);
+  });
 }
 async function runSessionList(options, ctx = {}) {
   try {
@@ -3380,6 +3397,74 @@ function printSessionNoteResult(options, sessionId, eventId, sessionStatus, body
   const preview = body.length > NOTE_BODY_PREVIEW_LIMIT ? `${body.slice(0, NOTE_BODY_PREVIEW_HEAD)}...` : body;
   console.log(`Added note to session ${sid} (${sessionStatus}): ${preview}`);
 }
+async function runSessionRechain(options, ctx = {}) {
+  try {
+    await doRunSessionRechain(options, ctx);
+  } catch (error) {
+    renderCliError(error, { verbose: isVerbose(options) });
+    process.exitCode = 1;
+  }
+}
+async function doRunSessionRechain(options, ctx) {
+  if (options.session !== void 0 && options.all === true) {
+    throw new Error("Specify either --session <id> or --all, not both");
+  }
+  if (options.session === void 0 && options.all !== true) {
+    throw new Error("Specify --session <id> or --all");
+  }
+  const cwd = ctx.cwd ?? process.cwd();
+  const repositoryRoot = await resolveRepositoryRootForSession(cwd, "rechain");
+  const paths = basouPaths9(repositoryRoot);
+  await assertWorkspaceInitialized7(paths.root);
+  const sessionIds = options.session !== void 0 ? [await resolveSessionId2(paths, options.session)] : await enumerateSessionDirs2(paths);
+  const dryRun = options.dryRun === true;
+  const rows = [];
+  for (const sessionId of sessionIds) {
+    let outcome;
+    try {
+      outcome = await rechainSessionInPlace(paths, sessionId, { dryRun });
+    } catch (error) {
+      rows.push({
+        session_id: sessionId,
+        status: "error",
+        message: error instanceof Error ? error.message : "Unknown error"
+      });
+      continue;
+    }
+    if (outcome.status === "rechained") {
+      rows.push({ session_id: sessionId, status: "rechained", event_count: outcome.eventCount });
+    } else {
+      rows.push({ session_id: sessionId, status: "skipped", reason: outcome.reason });
+    }
+  }
+  const tamperedCount = rows.filter((r) => r.reason === "tampered").length;
+  const errorCount = rows.filter((r) => r.status === "error").length;
+  if (options.json === true) {
+    console.log(JSON.stringify(rows, null, 2));
+  } else {
+    for (const row of rows) {
+      console.log(`${row.session_id}  ${renderRechainRow(row, dryRun)}`);
+    }
+    const rechained = rows.filter((r) => r.status === "rechained").length;
+    const skipped = rows.filter((r) => r.status === "skipped").length;
+    console.log(
+      `Sessions: ${rows.length} total \u2014 ${rechained} ${dryRun ? "would be rechained" : "rechained"}, ${skipped} skipped, ${errorCount} errors`
+    );
+  }
+  if (tamperedCount > 0 || errorCount > 0) {
+    process.exitCode = 1;
+  }
+}
+function renderRechainRow(row, dryRun) {
+  switch (row.status) {
+    case "rechained":
+      return `${dryRun ? "would rechain" : "rechained"} (${row.event_count} events)`;
+    case "skipped":
+      return row.reason === "tampered" ? "skipped (TAMPERED \u2014 inspect with 'basou verify')" : `skipped (${row.reason})`;
+    case "error":
+      return `error (${row.message})`;
+  }
+}
 
 // src/commands/stats.ts
 import {
@@ -4716,9 +4801,107 @@ function maxLen3(values, floor) {
   return max;
 }
 
+// src/commands/verify.ts
+import {
+  assertBasouRootSafe as assertBasouRootSafe13,
+  basouPaths as basouPaths13,
+  enumerateSessionDirs as enumerateSessionDirs3,
+  findErrorCode as findErrorCode12,
+  resolveRepositoryRoot as resolveRepositoryRoot14,
+  resolveSessionId as resolveSessionId4,
+  verifyEventsChain
+} from "@basou/core";
+function registerVerifyCommand(program2) {
+  program2.command("verify").description(
+    "Verify the tamper-evidence hash chain of imported sessions' event logs (read-only)"
+  ).option("--session <id>", "Verify a single session (unique id prefix accepted)").option("--all", "Verify every session (the default when --session is omitted)").option("--json", "Output the verdicts as JSON").option("-v, --verbose", "Show error causes").action(async (opts) => {
+    await runVerify(opts);
+  });
+}
+async function runVerify(options, ctx = {}) {
+  try {
+    await doRunVerify(options, ctx);
+  } catch (error) {
+    renderCliError(error, { verbose: isVerbose(options) });
+    process.exitCode = 1;
+  }
+}
+async function doRunVerify(options, ctx) {
+  if (options.session !== void 0 && options.all === true) {
+    throw new Error("Specify either --session <id> or --all, not both");
+  }
+  const cwd = ctx.cwd ?? process.cwd();
+  const repositoryRoot = await resolveRepositoryRootForVerify(cwd);
+  const paths = basouPaths13(repositoryRoot);
+  await assertWorkspaceInitialized10(paths.root);
+  const sessionIds = options.session !== void 0 ? [await resolveSessionId4(paths, options.session)] : await enumerateSessionDirs3(paths);
+  const rows = [];
+  for (const sessionId of sessionIds) {
+    const verdict = await verifyEventsChain(paths, sessionId);
+    rows.push({
+      session_id: sessionId,
+      status: verdict.status,
+      event_count: verdict.eventCount,
+      ...verdict.reason !== void 0 ? { reason: verdict.reason } : {},
+      ...verdict.line !== void 0 ? { line: verdict.line } : {}
+    });
+  }
+  const tamperedCount = rows.filter((r) => r.status === "tampered").length;
+  if (options.json === true) {
+    console.log(JSON.stringify(rows, null, 2));
+  } else {
+    for (const row of rows) {
+      console.log(`${row.session_id}  ${renderVerdict(row)}`);
+    }
+    const tally = (status) => rows.filter((r) => r.status === status).length;
+    console.log(
+      `Sessions: ${rows.length} total \u2014 ${tally("verified")} verified, ${tally("unchained")} unchained, ${tally("empty")} empty, ${tally("incomplete")} incomplete, ${tamperedCount} tampered`
+    );
+  }
+  if (tamperedCount > 0) {
+    process.exitCode = 1;
+  }
+}
+function renderVerdict(row) {
+  switch (row.status) {
+    case "verified":
+      return `verified (${row.event_count} events)`;
+    case "tampered":
+      return row.line !== void 0 ? `TAMPERED (${row.reason} at line ${row.line})` : `TAMPERED (${row.reason})`;
+    case "incomplete":
+      return "incomplete (session.yaml missing; re-import to repair)";
+    case "unchained":
+      return "unchained (not an imported session, or imported before chaining)";
+    case "empty":
+      return "empty";
+  }
+}
+async function resolveRepositoryRootForVerify(cwd) {
+  try {
+    return await resolveRepositoryRoot14(cwd);
+  } catch (error) {
+    if (error instanceof Error && error.message === "Not a git repository") {
+      throw new Error("Not a git repository. Run 'git init' first, then re-run 'basou verify'.", {
+        cause: error
+      });
+    }
+    throw error;
+  }
+}
+async function assertWorkspaceInitialized10(basouRoot) {
+  try {
+    await assertBasouRootSafe13(basouRoot);
+  } catch (error) {
+    if (findErrorCode12(error, "ENOENT")) {
+      throw new Error("Workspace not initialized. Run 'basou init' first.");
+    }
+    throw error;
+  }
+}
+
 // src/commands/view.ts
 import { spawn } from "child_process";
-import { assertBasouRootSafe as assertBasouRootSafe13, basouPaths as basouPaths13, findErrorCode as findErrorCode13, resolveRepositoryRoot as resolveRepositoryRoot14 } from "@basou/core";
+import { assertBasouRootSafe as assertBasouRootSafe14, basouPaths as basouPaths14, findErrorCode as findErrorCode14, resolveRepositoryRoot as resolveRepositoryRoot15 } from "@basou/core";
 import { InvalidArgumentError as InvalidArgumentError5 } from "commander";
 
 // src/lib/view-server.ts
@@ -4727,7 +4910,7 @@ import { join as join8 } from "path";
 import {
   computeWorkStats as computeWorkStats2,
   enumerateApprovals as enumerateApprovals2,
-  findErrorCode as findErrorCode12,
+  findErrorCode as findErrorCode13,
   isLazyExpired as isLazyExpired2,
   loadApproval as loadApproval2,
   loadSessionEntries as loadSessionEntries3,
@@ -4735,7 +4918,7 @@ import {
   readAllEvents as readAllEvents2,
   readManifest as readManifest8,
   readMarkdownFile as readMarkdownFile4,
-  readSessionYaml as readSessionYaml2,
+  readSessionYaml as readSessionYaml3,
   readTaskFile as readTaskFile2,
   renderDecisions as renderDecisions3,
   renderHandoff as renderHandoff3
@@ -5329,7 +5512,7 @@ async function overview(deps) {
   try {
     manifest = await readManifest8(deps.paths);
   } catch (error) {
-    if (findErrorCode12(error, "ENOENT")) {
+    if (findErrorCode13(error, "ENOENT")) {
       return { initialized: false, repoRoot: deps.repoRoot };
     }
     throw error;
@@ -5376,7 +5559,7 @@ async function sessionsList(deps) {
 async function sessionDetail(deps, sessionId) {
   let session;
   try {
-    session = await readSessionYaml2(deps.paths, sessionId);
+    session = await readSessionYaml3(deps.paths, sessionId);
   } catch (error) {
     if (error instanceof Error && error.message === "YAML file not found") {
       throw new HttpError(404, "Session not found");
@@ -5544,8 +5727,8 @@ async function runView(options, ctx = {}) {
 async function doRunView(options, ctx) {
   const cwd = ctx.cwd ?? process.cwd();
   const repositoryRoot = await resolveRepositoryRootForView(cwd);
-  const paths = basouPaths13(repositoryRoot);
-  await assertWorkspaceInitialized10(paths.root);
+  const paths = basouPaths14(repositoryRoot);
+  await assertWorkspaceInitialized11(paths.root);
   const deps = {
     paths,
     repoRoot: repositoryRoot,
@@ -5576,7 +5759,7 @@ async function startListening(port, deps) {
   try {
     return await startViewServer({ port, deps });
   } catch (error) {
-    if (findErrorCode13(error, "EADDRINUSE")) {
+    if (findErrorCode14(error, "EADDRINUSE")) {
       throw new Error(`Port ${port} is already in use. Pass --port <n> to choose another.`, {
         cause: error
       });
@@ -5627,7 +5810,7 @@ function waitForShutdown(signal) {
 }
 async function resolveRepositoryRootForView(cwd) {
   try {
-    return await resolveRepositoryRoot14(cwd);
+    return await resolveRepositoryRoot15(cwd);
   } catch (error) {
     if (error instanceof Error && error.message === "Not a git repository") {
       throw new Error("Not a git repository. Run 'git init' first, then re-run 'basou view'.", {
@@ -5637,11 +5820,11 @@ async function resolveRepositoryRootForView(cwd) {
     throw error;
   }
 }
-async function assertWorkspaceInitialized10(basouRoot) {
+async function assertWorkspaceInitialized11(basouRoot) {
   try {
-    await assertBasouRootSafe13(basouRoot);
+    await assertBasouRootSafe14(basouRoot);
   } catch (error) {
-    if (findErrorCode13(error, "ENOENT")) {
+    if (findErrorCode14(error, "ENOENT")) {
       throw new Error("Workspace not initialized. Run 'basou init' first.");
     }
     throw error;
@@ -5663,6 +5846,7 @@ function buildProgram() {
   registerSessionCommand(program2);
   registerImportCommand(program2);
   registerRefreshCommand(program2);
+  registerVerifyCommand(program2);
   registerViewCommand(program2);
   registerApprovalCommand(program2);
   registerDecisionCommand(program2);