npm - @beastmode-develeap/beastmode - Versions diffs - 0.1.37 → 0.1.38 - Mend

@beastmode-develeap/beastmode 0.1.37 → 0.1.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -7399,7 +7399,25 @@ function step(n, total, text) {
 }
 // src/cli/commands/init.ts
-var initCommand = new Command("init").description("Create a new BeastMode factory").argument("[name]", "Factory name (default: current directory name)").option("--project <path>", "Path to target project").option("--preset <preset>", "Pipeline preset (full, lean, prototype, infra, docs)").option("--backend <backend>", "Task backend (beastmode-board, github-issues)").option("--deploy <target>", "Deploy target (pr-only, vercel, aws-ecs, ...)").option("--methodology <name>", "Development methodology plugin").option("--plugin <name>", "Install plugin (repeatable)", collect, []).option("--from <template>", "Import config from template file").option("--ui", "Open web wizard instead of CLI").option("--yes", "Accept all defaults (non-interactive)").option("--github-token <token>", "GitHub PAT (avoids interactive prompt)").option("--github-token-file <path>", "Read GitHub PAT from file (safer than --github-token)").option("--board-password <password>", "Board UI password (avoids interactive prompt)").option("--board-password-file <path>", "Read board password from file").action(async (name, opts) => {
+var initCommand = new Command("init").description("Create a new BeastMode factory").argument("[name]", "Factory name (default: current directory name)").option("--project <path>", "Path to target project").option("--preset <preset>", "Pipeline preset (full, lean, prototype, infra, docs)").option("--backend <backend>", "Task backend (beastmode-board, github-issues)").option("--deploy <target>", "Deploy target (pr-only, vercel, aws-ecs, ...)").option("--methodology <name>", "Development methodology plugin").option("--plugin <name>", "Install plugin (repeatable)", collect, []).option("--from <template>", "Import config from template file").option("--ui", "Open web wizard instead of CLI").option("--yes", "Accept all defaults (non-interactive)").option(
+  "--project-github-token <token>",
+  "GitHub PAT for the daemon's project operations (commit/push/PR/merge against PROJECT_DIR's git remote \u2014 needs `repo` scope). Alias for the legacy --github-token flag."
+).option(
+  "--project-github-token-file <path>",
+  "Read project GitHub PAT from file (safer than --project-github-token)"
+).option(
+  "--github-token <token>",
+  "Deprecated alias for --project-github-token. Kept for backward compat."
+).option(
+  "--github-token-file <path>",
+  "Deprecated alias for --project-github-token-file. Kept for backward compat."
+).option(
+  "--ghcr-pull-token <token>",
+  "GitHub PAT for pulling private beastmode images from ghcr.io/develeap/beastmode/* \u2014 needs `read:packages` scope. May be the same as --project-github-token but should normally be a separate dedicated token (Gap 16)."
+).option(
+  "--ghcr-pull-token-file <path>",
+  "Read GHCR pull token from file (safer than --ghcr-pull-token)"
+).option("--board-password <password>", "Board UI password (avoids interactive prompt)").option("--board-password-file <path>", "Read board password from file").action(async (name, opts) => {
   try {
     await runInit(name, opts);
   } catch (err) {
@@ -7714,23 +7732,44 @@ async function runImageModeInit(name, opts) {
   const factoryName = name || ".";
   const targetDir = resolve5(factoryName === "." ? "." : factoryName);
   step(1, totalSteps, "Credentials");
-  let githubToken = opts.githubToken || (opts.githubTokenFile ? readSecretFile(opts.githubTokenFile) : "") || process.env.GITHUB_TOKEN || "";
-  if (!githubToken && !opts.yes) {
+  let projectGithubToken = opts.projectGithubToken || (opts.projectGithubTokenFile ? readSecretFile(opts.projectGithubTokenFile) : "") || opts.githubToken || (opts.githubTokenFile ? readSecretFile(opts.githubTokenFile) : "") || process.env.PROJECT_GITHUB_TOKEN || process.env.GITHUB_TOKEN || "";
+  if (!projectGithubToken && !opts.yes) {
     const answer = await inquirer.prompt([
       {
         type: "password",
         name: "token",
-        message: "GITHUB_TOKEN (PAT with repo + workflow scopes):",
+        message: "PROJECT_GITHUB_TOKEN (PAT for project commits/pushes/PRs \u2014 `repo` scope, or `public_repo` for public-only):",
         mask: "*"
       }
     ]);
-    githubToken = answer.token || "";
+    projectGithubToken = answer.token || "";
   }
-  if (githubToken) {
-    success("GITHUB_TOKEN set");
+  if (projectGithubToken) {
+    success("PROJECT_GITHUB_TOKEN set");
   } else {
-    warn("GITHUB_TOKEN not set \u2014 add to .env later");
+    warn("PROJECT_GITHUB_TOKEN not set \u2014 daemon's git operations will fail until added to .env");
   }
+  let ghcrPullToken = opts.ghcrPullToken || (opts.ghcrPullTokenFile ? readSecretFile(opts.ghcrPullTokenFile) : "") || process.env.GHCR_PULL_TOKEN || "";
+  if (!ghcrPullToken && !opts.yes) {
+    const answer = await inquirer.prompt([
+      {
+        type: "password",
+        name: "token",
+        message: "GHCR_PULL_TOKEN (PAT for pulling private beastmode images from ghcr.io/develeap/beastmode/* \u2014 `read:packages` scope. Leave empty to fall back to the project token):",
+        mask: "*"
+      }
+    ]);
+    ghcrPullToken = answer.token || "";
+  }
+  if (!ghcrPullToken && projectGithubToken) {
+    ghcrPullToken = projectGithubToken;
+    info("GHCR_PULL_TOKEN: falling back to PROJECT_GITHUB_TOKEN (you can split them later in .env)");
+  } else if (ghcrPullToken) {
+    success("GHCR_PULL_TOKEN set");
+  } else {
+    warn("GHCR_PULL_TOKEN not set \u2014 `docker compose pull` will fail for private images. Add to .env later.");
+  }
+  const githubToken = projectGithubToken;
   let uiPassword = opts.boardPassword || (opts.boardPasswordFile ? readSecretFile(opts.boardPasswordFile) : "") || "";
   if (!uiPassword && !opts.yes) {
     const { password } = await inquirer.prompt([
@@ -7787,12 +7826,15 @@ async function runImageModeInit(name, opts) {
   }
   step(2, totalSteps, "Docker Registry");
   if (!isGhcrAuthenticated()) {
-    if (githubToken && loginToGhcr(githubToken)) {
-      success("Authenticated to ghcr.io (via GitHub token)");
+    const tokenForLogin = ghcrPullToken || projectGithubToken;
+    if (tokenForLogin && loginToGhcr(tokenForLogin)) {
+      success(
+        `Authenticated to ghcr.io (via ${ghcrPullToken ? "GHCR_PULL_TOKEN" : "PROJECT_GITHUB_TOKEN fallback"})`
+      );
     } else {
       info("Not logged in to ghcr.io \u2014 images may still pull if public");
       info("  To log in manually: docker login ghcr.io -u <your-github-username>");
-      if (!opts.yes && !opts.githubToken) {
+      if (!opts.yes && !opts.githubToken && !opts.projectGithubToken && !opts.ghcrPullToken) {
         const { retry } = await inquirer.prompt([
           {
             type: "confirm",
@@ -7817,23 +7859,44 @@ async function runImageModeInit(name, opts) {
   success("docker-compose.yml");
   const envLines = [
     "# BeastMode environment \u2014 DO NOT COMMIT",
-    `GITHUB_TOKEN=${githubToken}`,
+    "",
+    "# \u2500\u2500 Project credentials (Gap 16 \u2014 two-PAT model) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "# PROJECT_GITHUB_TOKEN: used by the daemon and Claude to commit /",
+    "# push / open PRs / merge / review against the target project repo.",
+    "# Needs `repo` scope for private repos, `public_repo` for public.",
+    "# Aliased to GITHUB_TOKEN for backward compat with the gh CLI and",
+    "# any code that still reads GITHUB_TOKEN.",
+    `PROJECT_GITHUB_TOKEN=${projectGithubToken}`,
+    `GITHUB_TOKEN=${projectGithubToken}`,
+    "",
+    "# GHCR_PULL_TOKEN: used by `docker compose pull` to fetch the",
+    "# beastmode factory images from ghcr.io/develeap/beastmode/*.",
+    "# Maintainer-provided (shared across a team) or your own PAT with",
+    "# `read:packages` scope added. Rotates rarely. May be the same as",
+    "# PROJECT_GITHUB_TOKEN but is normally a separate dedicated token.",
+    `GHCR_PULL_TOKEN=${ghcrPullToken}`,
+    "",
     `BEASTMODE_UI_PASSWORD=${uiPassword}`,
     "",
-    "# Project repo path \u2014 the daemon's git operations target the git remote of this path.",
+    "# \u2500\u2500 Project location \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "# Required. The daemon's git operations target the git remote of",
+    "# this path. The daemon auto-resolves the github repo from",
+    "# `git -C $PROJECT_DIR remote get-url origin` at startup.",
     `PROJECT_DIR=${projectPath}`,
     "",
-    "# Optional: uncomment for faster direct API calls",
+    "# \u2500\u2500 Optional \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
+    "# Uncomment for faster direct Anthropic API calls (bypasses the",
+    "# Claude Code subscription auth via ~/.claude.json).",
     "# ANTHROPIC_API_KEY=sk-ant-...",
     "",
-    "# Optional: last-resort override if the daemon's auto-resolution",
+    "# Last-resort override if the daemon's project_repo auto-resolution",
     "# (git remote get-url origin) doesn't work for your setup.",
     "# The daemon handles this automatically in >99% of cases.",
     "# PROJECT_REPO=owner/repo",
     ""
   ];
   writeFileSync13(join15(targetDir, ".env"), envLines.join("\n"), "utf-8");
-  success(`.env (PROJECT_DIR=${projectPath})`);
+  success(`.env (PROJECT_DIR=${projectPath}, two-PAT model)`);
   for (const dir of ["data", "runs", "daemon/logs", ".beastmode", "config"]) {
     mkdirSync12(join15(targetDir, dir), { recursive: true });
   }
@@ -8740,6 +8803,185 @@ function checkGithubToken(env) {
   }
   return { label: "GITHUB_TOKEN / GH_TOKEN", status: "pass", detail: "set" };
 }
+async function checkProjectGithubToken(env, factoryDir) {
+  const token = env.PROJECT_GITHUB_TOKEN || env.GITHUB_TOKEN;
+  if (!token) {
+    return {
+      label: "PROJECT_GITHUB_TOKEN",
+      status: "fail",
+      detail: "not set in env (or factory .env)",
+      fix: "Add PROJECT_GITHUB_TOKEN=ghp_... to .env (needs `repo` scope for private, `public_repo` for public)"
+    };
+  }
+  let ownerRepo = null;
+  if (factoryDir) {
+    const envPath = join22(factoryDir, ".env");
+    if (existsSync24(envPath)) {
+      try {
+        const content = readFileSync21(envPath, "utf-8");
+        const dirLine = content.split("\n").find(
+          (l) => l.trim().startsWith("PROJECT_DIR=") && !l.trim().startsWith("#")
+        );
+        if (dirLine) {
+          const projectDir = dirLine.split("=").slice(1).join("=").trim();
+          if (projectDir && existsSync24(join22(projectDir, ".git"))) {
+            const remote = tryExec(
+              `git -C "${projectDir}" remote get-url origin 2>/dev/null`
+            );
+            if (remote) {
+              const m = remote.match(
+                /(?:https?:\/\/[^/]+\/|git@[^:]+:)([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/
+              );
+              if (m) ownerRepo = `${m[1]}/${m[2]}`;
+            }
+          }
+        }
+      } catch {
+      }
+    }
+  }
+  const apiPath = ownerRepo ? `/repos/${ownerRepo}` : "/user";
+  const result = await new Promise((resolveProm) => {
+    const req = https.request(
+      {
+        hostname: "api.github.com",
+        path: apiPath,
+        method: "GET",
+        headers: {
+          "User-Agent": "beastmode-doctor",
+          Authorization: `Bearer ${token}`,
+          Accept: "application/vnd.github+json"
+        },
+        timeout: 8e3
+      },
+      (res) => {
+        let data = "";
+        res.on("data", (chunk) => {
+          data += chunk;
+        });
+        res.on("end", () => {
+          let canPush = null;
+          try {
+            const parsed = JSON.parse(data);
+            if (parsed.permissions && typeof parsed.permissions.push === "boolean") {
+              canPush = parsed.permissions.push;
+            }
+          } catch {
+          }
+          resolveProm({ status: res.statusCode ?? 0, canPush });
+        });
+      }
+    );
+    req.on("error", () => resolveProm({ status: 0, canPush: null }));
+    req.on("timeout", () => {
+      req.destroy();
+      resolveProm({ status: 0, canPush: null });
+    });
+    req.end();
+  });
+  if (result.status === 0) {
+    return {
+      label: "PROJECT_GITHUB_TOKEN",
+      status: "warn",
+      detail: "set but api.github.com unreachable (network issue?)"
+    };
+  }
+  if (result.status === 401 || result.status === 403) {
+    return {
+      label: "PROJECT_GITHUB_TOKEN",
+      status: "fail",
+      detail: `invalid (HTTP ${result.status}${ownerRepo ? ` for ${ownerRepo}` : ""})`,
+      fix: "Check the token at https://github.com/settings/tokens \u2014 needs `repo` scope (or `public_repo` for public repos only)"
+    };
+  }
+  if (result.status === 404 && ownerRepo) {
+    return {
+      label: "PROJECT_GITHUB_TOKEN",
+      status: "fail",
+      detail: `cannot access ${ownerRepo} (HTTP 404 \u2014 repo missing or token has no read permission)`,
+      fix: "Verify the token has access to the target repo + the repo URL is correct in PROJECT_DIR"
+    };
+  }
+  if (result.status >= 200 && result.status < 300) {
+    if (ownerRepo && result.canPush === true) {
+      return {
+        label: "PROJECT_GITHUB_TOKEN",
+        status: "pass",
+        detail: `valid + write access to ${ownerRepo}`
+      };
+    }
+    if (ownerRepo && result.canPush === false) {
+      return {
+        label: "PROJECT_GITHUB_TOKEN",
+        status: "fail",
+        detail: `valid but NO write access to ${ownerRepo}`,
+        fix: "The token's user is not a collaborator on the target repo OR the token lacks `repo` scope"
+      };
+    }
+    return {
+      label: "PROJECT_GITHUB_TOKEN",
+      status: "pass",
+      detail: ownerRepo ? `valid (couldn't determine permissions \u2014 repo response had no permissions field)` : `valid (skipped per-repo check \u2014 no PROJECT_DIR resolvable)`
+    };
+  }
+  return {
+    label: "PROJECT_GITHUB_TOKEN",
+    status: "warn",
+    detail: `HTTP ${result.status}`
+  };
+}
+function checkGhcrPullToken(env) {
+  const token = env.GHCR_PULL_TOKEN;
+  if (!token) {
+    if (env.GITHUB_TOKEN || env.PROJECT_GITHUB_TOKEN) {
+      return {
+        label: "GHCR_PULL_TOKEN",
+        status: "warn",
+        detail: "not set; falling back to PROJECT_GITHUB_TOKEN (works if it has read:packages scope)",
+        fix: "Set GHCR_PULL_TOKEN=ghp_... in .env for a dedicated read-only token (read:packages scope)"
+      };
+    }
+    return {
+      label: "GHCR_PULL_TOKEN",
+      status: "fail",
+      detail: "not set \u2014 `docker compose pull` cannot fetch private beastmode images",
+      fix: "Set GHCR_PULL_TOKEN=ghp_... in .env (read:packages scope)"
+    };
+  }
+  const loggedIn = tryExec("docker login ghcr.io --get-login 2>/dev/null");
+  if (!loggedIn) {
+    return {
+      label: "GHCR_PULL_TOKEN",
+      status: "warn",
+      detail: "set in env but docker is not logged in to ghcr.io",
+      fix: "Run `docker login ghcr.io -u <github-username> --password-stdin <<< $GHCR_PULL_TOKEN`"
+    };
+  }
+  const inspect = tryExec(
+    "docker manifest inspect ghcr.io/develeap/beastmode/board:latest 2>&1",
+    15e3
+  );
+  if (inspect && (inspect.includes("schemaVersion") || inspect.includes("mediaType"))) {
+    return {
+      label: "GHCR_PULL_TOKEN",
+      status: "pass",
+      detail: `valid (logged in as ${loggedIn}, can pull beastmode images)`
+    };
+  }
+  if (inspect && inspect.includes("denied")) {
+    return {
+      label: "GHCR_PULL_TOKEN",
+      status: "fail",
+      detail: "logged in but lacks read:packages scope (denied)",
+      fix: "Generate a new PAT at https://github.com/settings/tokens with `read:packages` scope"
+    };
+  }
+  return {
+    label: "GHCR_PULL_TOKEN",
+    status: "warn",
+    detail: `logged in as ${loggedIn} but image inspect didn't return a manifest`
+  };
+}
 function checkDocker() {
   const out = tryExec("docker info --format '{{.ServerVersion}}' 2>/dev/null");
   if (out) {
@@ -9374,6 +9616,8 @@ var doctorCommand = new Command11("doctor").description("Health check \u2014 val
   const checks = [];
   checks.push(...await checkClaudeAuth(env.ANTHROPIC_API_KEY));
   checks.push(checkGithubToken(env));
+  checks.push(await checkProjectGithubToken(env, hasFactory ? factoryDir : null));
+  checks.push(checkGhcrPullToken(env));
   checks.push(checkDocker());
   checks.push(checkDockerComposeVersion());
   checks.push(checkGhcrAuth());