@bli-cockpit/cli 0.1.0

package/dist/commands/public-root.js

@@ -0,0 +1,32 @@
+import { localCommandHelp, runLocalCockpitCli, rootCommandNames } from "./local.js";
+
+export async function runCockpitCli(argv, io) {
+  const command = argv[0];
+  if (!command || command === "--help" || command === "-h") {
+    writeLine(io?.stdout ?? process.stdout, cockpitHelp());
+    return 0;
+  }
+
+  if (rootCommandNames.has(command)) {
+    return runLocalCockpitCli(argv, io);
+  }
+
+  writeLine(io?.stderr ?? process.stderr, `Unknown command: ${command}`);
+  writeLine(io?.stderr ?? process.stderr, "");
+  writeLine(io?.stderr ?? process.stderr, cockpitHelp());
+  return 1;
+}
+
+function cockpitHelp() {
+  return [
+    "Usage:",
+    localCommandHelp(),
+    "",
+    "Intern path: run `cockpit onboard` from the repo root; add `--ticket <id>` only when work already has a ticket.",
+    "Manual collector path: `install`, `login`, `start [--ticket <id>]`, `sync`, `status`.",
+  ].join("\n");
+}
+
+function writeLine(stream, text) {
+  stream.write(`${text}\n`);
+}

package/dist/local-state.js

@@ -0,0 +1,471 @@
+import { getUserLocalCockpitPaths, LocalCollectorSessionFileSchema, LocalCollectorConfigSchema, LocalUserSessionReferenceSchema, LocalWorkContextSchema, } from "@bli-cockpit/telemetry-core";
+import crypto from "node:crypto";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { summarizeLocalUploadSpool } from "./spool/local-spool.js";
+export const LOCAL_COLLECTOR_VERSION = "0.1.0";
+export const DEFAULT_DASHBOARD_URL = "http://127.0.0.1:3100";
+export function getCollectorRuntimePaths(homeDir = os.homedir()) {
+    const paths = getUserLocalCockpitPaths(homeDir);
+    return {
+        ...paths,
+        active_work_context_file: path.join(paths.state_dir, "active-work-context.json"),
+    };
+}
+export async function installLocalCollector(options = {}) {
+    const homeDir = options.homeDir ?? os.homedir();
+    const repoRoot = path.resolve(options.repoRoot ?? process.cwd());
+    const paths = getCollectorRuntimePaths(homeDir);
+    await ensureRuntimeDirectories(paths);
+    const existingConfig = await readLocalCollectorConfig(paths).catch(() => null);
+    const defaultRepoPaths = new Set(existingConfig?.default_repo_paths ?? []);
+    defaultRepoPaths.add(repoRoot);
+    const config = LocalCollectorConfigSchema.parse({
+        schema_version: "telemetry-core.v1",
+        dashboard_url: options.dashboardUrl ?? existingConfig?.dashboard_url ?? DEFAULT_DASHBOARD_URL,
+        supabase_url: options.supabaseUrl ?? existingConfig?.supabase_url,
+        collector_version: LOCAL_COLLECTOR_VERSION,
+        device_id: existingConfig?.device_id ?? `device-${crypto.randomUUID()}`,
+        device_name: normalizeDeviceName(options.deviceName) ??
+            existingConfig?.device_name ??
+            defaultDeviceName(),
+        claimed_owner_email: existingConfig?.claimed_owner_email,
+        operator_id: existingConfig?.operator_id,
+        default_repo_paths: [...defaultRepoPaths],
+        raw_evidence_upload: existingConfig?.raw_evidence_upload ?? "disabled",
+        session_file_path: paths.session_file,
+        state_dir_path: paths.state_dir,
+    });
+    await writeJsonFile(paths.config_file, config);
+    return {
+        config,
+        paths,
+        auth_pairing_state: "missing",
+        message: "Local collector installed. Pair/login is still required before remote upload.",
+    };
+}
+export async function pairLocalCollector(options = {}) {
+    const homeDir = options.homeDir ?? os.homedir();
+    const paths = getCollectorRuntimePaths(homeDir);
+    await ensureRuntimeDirectories(paths);
+    const config = await readLocalCollectorConfig(paths).catch(() => {
+        throw new Error("Local config missing. Run `cockpit install` before `cockpit login`.");
+    });
+    const dashboardUrl = normalizeDashboardUrl(options.dashboardUrl ?? config.dashboard_url);
+    const deviceId = config.device_id ?? `device-${crypto.randomUUID()}`;
+    const deviceName = normalizeDeviceName(options.deviceName) ??
+        config.device_name ??
+        defaultDeviceName();
+    const claimedOwnerEmail = normalizeOptionalEmail(options.claimedOwnerEmail) ??
+        config.claimed_owner_email;
+    if (!config.device_id ||
+        config.device_name !== deviceName ||
+        (claimedOwnerEmail && config.claimed_owner_email !== claimedOwnerEmail)) {
+        await writeJsonFile(paths.config_file, {
+            ...config,
+            device_id: deviceId,
+            device_name: deviceName,
+            claimed_owner_email: claimedOwnerEmail,
+        });
+    }
+    const fetchImpl = options.fetch ?? globalThis.fetch;
+    if (!fetchImpl) {
+        throw new Error("global fetch is unavailable; use Node.js 20 or newer.");
+    }
+    const startResponse = await postPairStart(fetchImpl, dashboardUrl, {
+        device_id: deviceId,
+        device_name: deviceName,
+        claimed_owner_email: claimedOwnerEmail,
+        collector_version: config.collector_version ?? LOCAL_COLLECTOR_VERSION,
+    });
+    options.onPairStarted?.(startResponse);
+    const sessionFile = await pollPairRequest(fetchImpl, dashboardUrl, {
+        paths,
+        startResponse,
+        pollIntervalMs: options.pollIntervalMs,
+        timeoutMs: options.timeoutMs,
+        sleep: options.sleep,
+    });
+    return {
+        status: "paired",
+        session: toSessionReference(sessionFile),
+        session_file: paths.session_file,
+        dashboard_url: dashboardUrl,
+        approve_url: startResponse.approve_url,
+    };
+}
+export async function logoutLocalCollector(options = {}) {
+    const homeDir = options.homeDir ?? os.homedir();
+    const paths = getCollectorRuntimePaths(homeDir);
+    let removed = false;
+    try {
+        await fs.unlink(paths.session_file);
+        removed = true;
+    }
+    catch (error) {
+        if (!isMissingFileError(error))
+            throw error;
+    }
+    return { removed, session_file: paths.session_file };
+}
+export async function startLocalWorkContext(options = {}) {
+    const now = options.now ?? new Date();
+    const homeDir = options.homeDir ?? os.homedir();
+    const repoRoot = path.resolve(options.repoRoot ?? process.cwd());
+    const paths = getCollectorRuntimePaths(homeDir);
+    await ensureRuntimeDirectories(paths);
+    const session = await readLocalSessionReference(paths, {
+        operatorId: options.operatorId,
+        sessionId: options.sessionId,
+    });
+    const branch = options.branch ?? (await resolveGitBranch(repoRoot));
+    const existingContext = await readLocalWorkContext(paths).catch(() => null);
+    const workContextId = existingContext?.work_context_id ?? `work-${crypto.randomUUID()}`;
+    const sessionId = options.sessionId ??
+        (session.session_state === "missing" ? `local-${crypto.randomUUID()}` : session.session_id);
+    const operatorId = options.operatorId ?? session.operator_id;
+    const ticketBindingCandidates = options.activeTicketId
+        ? [
+            {
+                ticket_id: options.activeTicketId,
+                binding_source: "active_work_context",
+                confidence: 1,
+                evidence_labels: ["cockpit_start_ticket"],
+            },
+        ]
+        : [];
+    const context = LocalWorkContextSchema.parse({
+        work_context_id: workContextId,
+        repo: repoRoot,
+        branch,
+        operator_id: operatorId,
+        session_id: sessionId,
+        started_at: existingContext?.started_at ?? now.toISOString(),
+        updated_at: now.toISOString(),
+        active_ticket_id: options.activeTicketId ?? undefined,
+        ticket_binding_candidates: ticketBindingCandidates,
+        pull_request_url: existingContext?.pull_request_url,
+        provenance: {
+            capture_source: "collector_runtime",
+            capture_adapter_version: LOCAL_COLLECTOR_VERSION,
+            collector_version: LOCAL_COLLECTOR_VERSION,
+            repo: repoRoot,
+            branch,
+            operator_id: operatorId,
+            session_id: sessionId,
+            work_context_id: workContextId,
+        },
+    });
+    await writeJsonFile(paths.active_work_context_file, context);
+    return context;
+}
+export async function inspectLocalCollectorStatus(options = {}) {
+    const now = options.now ?? new Date();
+    const homeDir = options.homeDir ?? os.homedir();
+    const repoRoot = path.resolve(options.repoRoot ?? process.cwd());
+    const paths = getCollectorRuntimePaths(homeDir);
+    const config = await readLocalCollectorConfig(paths).catch(() => null);
+    const session = await readLocalSessionReference(paths, {
+        operatorId: options.operatorId,
+        sessionId: options.sessionId,
+    });
+    const context = await readLocalWorkContext(paths).catch(() => null);
+    const branch = options.branch ?? (await resolveGitBranch(repoRoot));
+    const freshness = classifyCollectorFreshness(context, now);
+    const uploadSpool = await summarizeLocalUploadSpool(paths);
+    const uploadState = !config
+        ? "not_installed"
+        : uploadSpool.pending_upload_count > 0
+            ? "retry_pending"
+            : session.session_state === "valid"
+                ? "ready"
+                : "local_only_missing_auth";
+    const details = [];
+    details.push(config
+        ? `Config exists at ${paths.config_file}.`
+        : "Local config missing. Run `cockpit install`.");
+    details.push(session.session_state === "valid"
+        ? "Local user session is valid."
+        : "Local user session missing or not paired; upload remains local-only.");
+    details.push(context
+        ? `Active context ${context.work_context_id} last updated ${context.updated_at ?? context.started_at}.`
+        : "Active work context missing. Run `cockpit start`.");
+    details.push(uploadSpool.last_upload_attempt_at
+        ? `Last upload attempt: ${uploadSpool.last_upload_attempt_at}.`
+        : "No upload has been attempted yet.");
+    details.push(uploadSpool.last_upload_success_at
+        ? `Last upload success: ${uploadSpool.last_upload_success_at}.`
+        : "No successful upload recorded yet.");
+    if (uploadSpool.last_upload_failure_reason) {
+        details.push(`Last upload failure: ${uploadSpool.last_upload_failure_reason}.`);
+    }
+    if (uploadSpool.pending_upload_count > 0) {
+        details.push(`Upload retry pending: ${uploadSpool.pending_upload_count} safe metadata record(s) spooled. Run \`${uploadSpool.retry_command ?? "cockpit sync"}\` to retry.`);
+    }
+    return {
+        installed: Boolean(config),
+        config_file: paths.config_file,
+        session_file: paths.session_file,
+        session_state: session.session_state,
+        repo: repoRoot,
+        branch,
+        active_ticket_id: context?.active_ticket_id ?? null,
+        work_context_id: context?.work_context_id ?? null,
+        collector_freshness: freshness,
+        upload_state: uploadState,
+        last_upload_attempt_at: uploadSpool.last_upload_attempt_at,
+        last_upload_success_at: uploadSpool.last_upload_success_at,
+        last_upload_failure_reason: uploadSpool.last_upload_failure_reason,
+        pending_upload_count: uploadSpool.pending_upload_count,
+        upload_retry_command: uploadSpool.retry_command,
+        details,
+    };
+}
+export async function readLocalCollectorConfig(paths) {
+    return LocalCollectorConfigSchema.parse(await readJsonFile(paths.config_file));
+}
+export async function readLocalWorkContext(paths) {
+    return LocalWorkContextSchema.parse(await readJsonFile(paths.active_work_context_file));
+}
+export async function readLocalSessionReference(paths, fallback = {}) {
+    try {
+        const rawSession = await readJsonFile(paths.session_file);
+        const collectorSession = LocalCollectorSessionFileSchema.safeParse(rawSession);
+        if (collectorSession.success) {
+            return toSessionReference(collectorSession.data);
+        }
+        return LocalUserSessionReferenceSchema.parse(rawSession);
+    }
+    catch {
+        return LocalUserSessionReferenceSchema.parse({
+            operator_id: fallback.operatorId ?? "unknown",
+            auth_subject_id: "unknown",
+            session_id: fallback.sessionId ?? "missing",
+            session_file_path: paths.session_file,
+            session_state: "missing",
+        });
+    }
+}
+export async function readLocalCollectorSessionFile(paths) {
+    return LocalCollectorSessionFileSchema.parse(await readJsonFile(paths.session_file));
+}
+export async function resolveGitBranch(repoRoot) {
+    try {
+        const gitPath = path.join(repoRoot, ".git");
+        const stat = await fs.stat(gitPath);
+        const headPath = stat.isFile()
+            ? path.join(await resolveWorktreeGitDir(gitPath), "HEAD")
+            : path.join(gitPath, "HEAD");
+        const head = (await fs.readFile(headPath, "utf8")).trim();
+        if (head.startsWith("ref: refs/heads/")) {
+            return head.slice("ref: refs/heads/".length);
+        }
+        return head ? `detached:${head.slice(0, 12)}` : "unknown";
+    }
+    catch {
+        return "unknown";
+    }
+}
+async function resolveWorktreeGitDir(gitFile) {
+    const raw = await fs.readFile(gitFile, "utf8");
+    const match = raw.match(/^gitdir:\s*(.+)$/m);
+    if (!match)
+        return path.dirname(gitFile);
+    const gitDir = match[1].trim();
+    return path.isAbsolute(gitDir) ? gitDir : path.resolve(path.dirname(gitFile), gitDir);
+}
+async function ensureRuntimeDirectories(paths) {
+    await fs.mkdir(paths.config_dir, { recursive: true, mode: 0o700 });
+    await fs.mkdir(paths.state_dir, { recursive: true, mode: 0o700 });
+    await fs.mkdir(paths.spool_dir, { recursive: true, mode: 0o700 });
+    await fs.mkdir(paths.cursors_dir, { recursive: true, mode: 0o700 });
+    if (process.platform !== "win32") {
+        await Promise.all([
+            fs.chmod(paths.config_dir, 0o700).catch(() => undefined),
+            fs.chmod(paths.state_dir, 0o700).catch(() => undefined),
+            fs.chmod(paths.spool_dir, 0o700).catch(() => undefined),
+            fs.chmod(paths.cursors_dir, 0o700).catch(() => undefined),
+        ]);
+    }
+}
+async function readJsonFile(filePath) {
+    return JSON.parse(await fs.readFile(filePath, "utf8"));
+}
+async function writeJsonFile(filePath, value) {
+    await fs.mkdir(path.dirname(filePath), { recursive: true });
+    await fs.writeFile(filePath, `${JSON.stringify(value, null, 2)}\n`, {
+        mode: 0o600,
+    });
+    if (process.platform !== "win32") {
+        await fs.chmod(filePath, 0o600).catch(() => undefined);
+    }
+}
+function classifyCollectorFreshness(context, now) {
+    if (!context)
+        return "missing";
+    const updatedAt = Date.parse(context.updated_at ?? context.started_at);
+    if (!Number.isFinite(updatedAt))
+        return "stale";
+    return now.getTime() - updatedAt <= 5 * 60 * 1000 ? "fresh" : "stale";
+}
+function normalizeDashboardUrl(value) {
+    const normalized = value.trim().replace(/\/+$/, "");
+    if (!normalized)
+        throw new Error("Dashboard URL cannot be empty.");
+    return normalized;
+}
+async function postPairStart(fetchImpl, dashboardUrl, body) {
+    const response = await fetchImpl(`${dashboardUrl}/api/ambient/pair/start`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+    });
+    const parsed = await readResponseJson(response);
+    if (!response.ok) {
+        throw new Error(responseErrorMessage(parsed, "Pair request failed"));
+    }
+    return parsePairStartResponse(parsed);
+}
+async function pollPairRequest(fetchImpl, dashboardUrl, options) {
+    const pollIntervalMs = options.pollIntervalMs ?? options.startResponse.poll_after_ms;
+    const timeoutMs = options.timeoutMs ?? 10 * 60 * 1000;
+    const sleepImpl = options.sleep ??
+        ((milliseconds) => new Promise((resolve) => setTimeout(resolve, milliseconds)));
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() <= deadline) {
+        const response = await fetchImpl(`${dashboardUrl}/api/ambient/pair/poll`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                request_id: options.startResponse.request_id,
+                client_secret: options.startResponse.client_secret,
+            }),
+        });
+        const parsed = await readResponseJson(response);
+        if (!response.ok) {
+            throw new Error(responseErrorMessage(parsed, "Pair polling failed"));
+        }
+        const status = readStringField(parsed, "status");
+        if (status === "approved") {
+            const session = parsePairApprovedSession(parsed, options.paths.session_file);
+            await writeJsonFile(options.paths.session_file, session);
+            return session;
+        }
+        if (status === "expired") {
+            throw new Error("Pair request expired. Run `cockpit login` again.");
+        }
+        if (status === "revoked") {
+            throw new Error("Pair request was revoked. Run `cockpit login` again.");
+        }
+        if (status !== "pending") {
+            throw new Error(`Unexpected pair request status: ${status}`);
+        }
+        await sleepImpl(Math.max(250, pollIntervalMs));
+    }
+    throw new Error("Timed out waiting for dashboard approval. Run `cockpit login` again.");
+}
+async function readResponseJson(response) {
+    const text = await response.text();
+    if (!text)
+        return {};
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return { message: text };
+    }
+}
+function parsePairStartResponse(value) {
+    if (!value || typeof value !== "object") {
+        throw new Error("Pair request response was not an object.");
+    }
+    const record = value;
+    return {
+        request_id: requiredString(record, "request_id"),
+        user_code: requiredString(record, "user_code"),
+        approve_url: requiredString(record, "approve_url"),
+        expires_at: requiredString(record, "expires_at"),
+        poll_after_ms: requiredNumber(record, "poll_after_ms"),
+        client_secret: requiredString(record, "client_secret"),
+    };
+}
+function parsePairApprovedSession(value, sessionFilePath) {
+    if (!value || typeof value !== "object") {
+        throw new Error("Pair approval response was not an object.");
+    }
+    const session = value["session"];
+    if (!session || typeof session !== "object") {
+        throw new Error("Pair approval response did not include a session.");
+    }
+    return LocalCollectorSessionFileSchema.parse({
+        ...session,
+        session_file_path: sessionFilePath,
+    });
+}
+function toSessionReference(session) {
+    const now = Date.now();
+    const expiresAt = Date.parse(session.expires_at ?? "");
+    const sessionState = Number.isFinite(expiresAt) && expiresAt <= now ? "expired" : session.session_state;
+    return LocalUserSessionReferenceSchema.parse({
+        operator_id: session.operator_id,
+        auth_subject_id: session.auth_subject_id,
+        email: session.email,
+        team_id: session.team_id,
+        device_id: session.device_id,
+        device_name: session.device_name,
+        session_id: session.session_id,
+        session_file_path: session.session_file_path,
+        session_state: sessionState,
+        auth_method: session.auth_method,
+        issued_at: session.issued_at,
+        expires_at: session.expires_at,
+    });
+}
+function defaultDeviceName() {
+    return normalizeDeviceName(os.hostname()) ?? "Local machine";
+}
+function normalizeDeviceName(value) {
+    const trimmed = value?.trim().replace(/\s+/g, " ");
+    return trimmed ? trimmed.slice(0, 120) : undefined;
+}
+function normalizeOptionalEmail(value) {
+    const trimmed = value?.trim().toLowerCase();
+    return trimmed && trimmed.includes("@") ? trimmed : undefined;
+}
+function responseErrorMessage(value, fallback) {
+    if (value && typeof value === "object") {
+        const record = value;
+        const message = record["message"] ?? record["error"];
+        if (typeof message === "string" && message.trim())
+            return message;
+    }
+    return fallback;
+}
+function readStringField(value, field) {
+    if (value && typeof value === "object") {
+        const entry = value[field];
+        if (typeof entry === "string")
+            return entry;
+    }
+    throw new Error(`Pair response missing ${field}.`);
+}
+function requiredString(record, field) {
+    const value = record[field];
+    if (typeof value !== "string" || !value.trim()) {
+        throw new Error(`Pair response missing ${field}.`);
+    }
+    return value;
+}
+function requiredNumber(record, field) {
+    const value = record[field];
+    if (typeof value !== "number" || !Number.isFinite(value)) {
+        throw new Error(`Pair response missing ${field}.`);
+    }
+    return value;
+}
+function isMissingFileError(error) {
+    return (error instanceof Error &&
+        "code" in error &&
+        error.code === "ENOENT");
+}

package/dist/server.js

@@ -0,0 +1,99 @@
+import { getCollectorRuntimePaths, inspectLocalCollectorStatus, readLocalSessionReference, readLocalWorkContext, } from "./local-state.js";
+import { runLocalSourceCollectors } from "./adapters/local-sources.js";
+import http from "node:http";
+export function createCollectorServer(options = {}) {
+    return http.createServer(async (request, response) => {
+        if (!isLoopbackHostHeader(request.headers.host)) {
+            sendJson(response, 403, {
+                ok: false,
+                error: "Non-loopback Host header rejected.",
+            });
+            return;
+        }
+        if (request.method !== "GET") {
+            sendJson(response, 405, { ok: false, error: "Only GET is supported." });
+            return;
+        }
+        const url = new URL(request.url ?? "/", "http://127.0.0.1");
+        try {
+            switch (url.pathname) {
+                case "/health":
+                    sendJson(response, 200, {
+                        ok: true,
+                        service: "bli-cockpit-local-collector",
+                    });
+                    return;
+                case "/context":
+                    sendJson(response, 200, await contextPayload(options));
+                    return;
+                case "/sources":
+                    sendJson(response, 200, await sourcesPayload(options));
+                    return;
+                case "/flags":
+                    sendJson(response, 200, await flagsPayload(options));
+                    return;
+                default:
+                    sendJson(response, 404, { ok: false, error: "Not found." });
+            }
+        }
+        catch (error) {
+            sendJson(response, 500, {
+                ok: false,
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+    });
+}
+export function isLoopbackHostHeader(hostHeader) {
+    if (!hostHeader)
+        return true;
+    const normalized = hostHeader.trim().toLowerCase();
+    const withoutPort = normalized.startsWith("[")
+        ? normalized.slice(0, normalized.indexOf("]") + 1)
+        : normalized.split(":")[0];
+    return withoutPort === "127.0.0.1" || withoutPort === "localhost" || withoutPort === "[::1]";
+}
+async function contextPayload(options) {
+    const paths = getCollectorRuntimePaths(options.homeDir);
+    const context = await readLocalWorkContext(paths).catch(() => null);
+    return { context };
+}
+async function sourcesPayload(options) {
+    const collected = await collectLocalSources(options);
+    return {
+        status: collected.status,
+        sources: collected.sources.scans,
+        binding: collected.sources.binding,
+    };
+}
+async function flagsPayload(options) {
+    const collected = await collectLocalSources(options);
+    return { flags: collected.sources.risk_flags };
+}
+async function collectLocalSources(options) {
+    const status = await inspectLocalCollectorStatus(options);
+    const paths = getCollectorRuntimePaths(options.homeDir);
+    const activeContext = await readLocalWorkContext(paths).catch(() => null);
+    const session = await readLocalSessionReference(paths);
+    const workContextId = activeContext?.work_context_id ?? status.work_context_id ?? "status-only";
+    const sources = await runLocalSourceCollectors({
+        repoRoot: status.repo,
+        branch: status.branch,
+        operatorId: session.operator_id,
+        sessionId: session.session_id,
+        workContextId,
+        activeWorkContext: activeContext,
+        now: options.now,
+    });
+    return {
+        status,
+        sources,
+    };
+}
+function sendJson(response, statusCode, value) {
+    response.writeHead(statusCode, {
+        "content-type": "application/json; charset=utf-8",
+        "cache-control": "no-store",
+    });
+    response.end(`${JSON.stringify(value)}\n`);
+}