@bridge_gpt/mcp-server 0.2.2 → 0.2.3

package/build/conductor/pr-ci-producer.js

@@ -0,0 +1,427 @@
+/**
+ * PR/CI event production and bounded done-gate waiting (BAPI-395).
+ *
+ * Observes PR/CI state for an immutable `repo + pr_number + head_sha` binding and
+ * emits `git.pr_opened`, `ci.passed`, `ci.failed`, and — when the configured
+ * required checks are green — `gate.met` exactly once per binding + effective gate
+ * config. PR/CI telemetry is INDEPENDENT of gate emission: a disabled/unset/
+ * malformed gate suppresses only `gate.met`. A failed CI poll is never a failed CI
+ * check. All event types come from the existing conductor taxonomy and use only
+ * allowlisted top-level data keys.
+ */
+import { GIT_CI_PRODUCER, } from "./git-ci-types.js";
+import { evaluateDoneGate, normalizeCiSnapshot, parseDoneGateConfig } from "./done-gate.js";
+import { fetchDoneGateConfigField, pollCiChecksForCommit, resolveConductorBridgeApiAccess, } from "./bridge-api-client.js";
+import { resolvePrHeadBinding } from "./pr-discovery.js";
+import { emitConductorEventIfNew } from "./producer-ledger.js";
+const PRODUCER_OBSERVED_VIA = "pr-ci-producer";
+/** Bounded wait constants, consistent with the existing wait_for_event pattern. */
+export const WAIT_FOR_GATE_TIMEOUT_MAX_MS = 120_000;
+export const WAIT_FOR_GATE_TIMEOUT_DEFAULT_MS = 120_000;
+export const WAIT_FOR_GATE_POLL_INTERVAL_DEFAULT_MS = 5_000;
+export const WAIT_FOR_GATE_POLL_INTERVAL_MIN_MS = 500;
+// ---------------------------------------------------------------------------
+// Event builders
+// ---------------------------------------------------------------------------
+/** Build a `git.pr_opened` event bound to repo + PR number + head SHA. */
+export function buildPrOpenedEventInput(binding) {
+    const details = {
+        repo: binding.repo,
+        pr_number: binding.pr_number,
+        head_sha: binding.head_sha,
+    };
+    if (binding.head_ref !== undefined)
+        details.head_ref = binding.head_ref;
+    const data = {
+        summary: `PR ${binding.subject} observed`,
+        status: "open",
+        details,
+    };
+    if (binding.url !== undefined)
+        data.references = { url: binding.url };
+    return {
+        source: "git",
+        type: "git.pr_opened",
+        subject: binding.subject,
+        producer: GIT_CI_PRODUCER,
+        observed_via: PRODUCER_OBSERVED_VIA,
+        data,
+    };
+}
+/**
+ * Build a `ci.passed`/`ci.failed` event from a normalized snapshot, or `null` when
+ * there is nothing terminal to report (no checks, or any check still pending).
+ * `ci.passed` requires every polled check complete and green; `ci.failed` requires
+ * every polled check complete with at least one not green.
+ */
+export function buildCiObservationEventInput(binding, snapshot) {
+    if (snapshot.checks.length === 0)
+        return null;
+    const allComplete = snapshot.checks.every((c) => c.complete);
+    if (!allComplete)
+        return null;
+    const allGreen = snapshot.checks.every((c) => c.green);
+    const type = allGreen ? "ci.passed" : "ci.failed";
+    const details = {
+        repo: binding.repo,
+        pr_number: binding.pr_number,
+        head_sha: binding.head_sha,
+        checks: snapshot.checks,
+        unknown_checks: snapshot.unknown_checks,
+        check_state_hash: snapshot.check_state_hash,
+    };
+    return {
+        source: "ci",
+        type,
+        subject: binding.subject,
+        producer: GIT_CI_PRODUCER,
+        observed_via: PRODUCER_OBSERVED_VIA,
+        data: {
+            summary: allGreen ? `CI passed for ${binding.subject}` : `CI failed for ${binding.subject}`,
+            status: allGreen ? "passed" : "failed",
+            details,
+        },
+    };
+}
+/**
+ * Build a canonical `gate.met` event from a successful {@link GateEvaluationResult}.
+ * Returns `null` when the gate was not met (no event data to emit).
+ */
+export function buildGateMetEventInput(binding, evaluation) {
+    if (!evaluation.met || !evaluation.gateEventData)
+        return null;
+    return {
+        source: "conductor",
+        type: "gate.met",
+        subject: binding.subject,
+        producer: GIT_CI_PRODUCER,
+        observed_via: PRODUCER_OBSERVED_VIA,
+        data: { ...evaluation.gateEventData },
+    };
+}
+function defaultSleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+ * Observe PR/CI state once against an already-resolved binding/access/config and
+ * emit telemetry + (when met) the gate event. Shared by {@link observePrCiOnce}
+ * and {@link waitForDoneGate} so the gate config / binding / access are each
+ * resolved exactly once by the caller.
+ */
+async function observeWithResolved(binding, access, gateConfig, deps) {
+    const emitIfNew = deps.emitIfNew ?? emitConductorEventIfNew;
+    const pollCi = deps.pollCi ?? pollCiChecksForCommit;
+    const now = deps.now ?? (() => new Date().toISOString());
+    const result = {
+        binding,
+        pr_opened_emitted: false,
+        ci_status: null,
+        ci_emitted: false,
+        gate_met: false,
+        gate_emitted: false,
+        reason: "observed",
+    };
+    // 1. PR opened telemetry (independent of CI / gate).
+    const prDecision = emitIfNew(buildPrOpenedEventInput(binding), {
+        event_type: "git.pr_opened",
+        repo: binding.repo,
+        pr_number: binding.pr_number,
+        head_sha: binding.head_sha,
+    });
+    result.pr_opened_emitted = prDecision.emitted;
+    // 2. Poll CI for the bound head SHA. A poll failure is NOT a CI failure event.
+    let rawPoll;
+    try {
+        rawPoll = await pollCi(access, binding.head_sha);
+    }
+    catch {
+        result.ci_status = "unavailable";
+        result.reason = "ci-poll-failed";
+        return result;
+    }
+    const snapshot = normalizeCiSnapshot(rawPoll);
+    // 3. CI observation telemetry (only for terminal states).
+    const ciEvent = buildCiObservationEventInput(binding, snapshot);
+    if (ciEvent === null) {
+        result.ci_status = "pending";
+    }
+    else {
+        result.ci_status = ciEvent.type === "ci.passed" ? "passed" : "failed";
+        const ciDecision = emitIfNew(ciEvent, {
+            event_type: ciEvent.type,
+            repo: binding.repo,
+            pr_number: binding.pr_number,
+            head_sha: binding.head_sha,
+            ci_check_hash: snapshot.check_state_hash,
+        });
+        result.ci_emitted = ciDecision.emitted;
+    }
+    // 4. Gate evaluation — suppressed entirely when config is inactive.
+    if (!gateConfig.enabled || !gateConfig.valid) {
+        result.reason = `gate inactive: ${gateConfig.reason}`;
+        return result;
+    }
+    const evaluation = evaluateDoneGate(gateConfig, binding, snapshot, now());
+    if (!evaluation.met) {
+        result.reason = evaluation.reason;
+        return result;
+    }
+    result.gate_met = true;
+    const gateEvent = buildGateMetEventInput(binding, evaluation);
+    if (gateEvent !== null) {
+        const gateDecision = emitIfNew(gateEvent, {
+            event_type: "gate.met",
+            repo: binding.repo,
+            pr_number: binding.pr_number,
+            head_sha: binding.head_sha,
+            config_hash: gateConfig.config_hash ?? undefined,
+        });
+        result.gate_emitted = gateDecision.emitted;
+        result.gate_event_summary = gateEvent.data?.summary;
+    }
+    result.reason = "gate met";
+    return result;
+}
+/**
+ * One-shot PR/CI observation: resolve the binding, resolve Bridge API access,
+ * fetch + parse the done-gate config, then observe once. Returns a structured
+ * result. Emits no events and polls nothing when there is no PR/head binding.
+ */
+export async function observePrCiOnce(params = {}, deps = {}) {
+    const resolveBinding = deps.resolveBinding ?? resolvePrHeadBinding;
+    const resolveAccess = deps.resolveAccess ?? (() => resolveConductorBridgeApiAccess({ env: deps.env, cwd: deps.cwd }));
+    const fetchGateConfig = deps.fetchGateConfig ?? fetchDoneGateConfigField;
+    const bindingResult = resolveBinding({ repoName: params.repoName, prNumber: params.prNumber, headSha: params.headSha, cwd: params.cwd ?? deps.cwd, env: deps.env }, deps.bindingDeps ?? {});
+    if (!bindingResult.ok) {
+        return {
+            binding: null,
+            pr_opened_emitted: false,
+            ci_status: null,
+            ci_emitted: false,
+            gate_met: false,
+            gate_emitted: false,
+            reason: `no binding: ${bindingResult.reason}`,
+        };
+    }
+    const accessResult = await resolveAccess();
+    if (!accessResult.ok) {
+        return {
+            binding: bindingResult.binding,
+            pr_opened_emitted: false,
+            ci_status: "unavailable",
+            ci_emitted: false,
+            gate_met: false,
+            gate_emitted: false,
+            reason: `access unavailable: ${accessResult.error}`,
+        };
+    }
+    let rawConfig;
+    try {
+        rawConfig = await fetchGateConfig(accessResult.access);
+    }
+    catch {
+        rawConfig = undefined; // fail closed
+    }
+    const gateConfig = parseDoneGateConfig(rawConfig);
+    return observeWithResolved(bindingResult.binding, accessResult.access, gateConfig, deps);
+}
+function clampInt(value, fallback, min, max) {
+    if (typeof value !== "number" || !Number.isFinite(value))
+        return fallback;
+    return Math.min(max, Math.max(min, Math.floor(value)));
+}
+/**
+ * Bounded, synchronous (no background daemon) wait for the done gate. Resolves the
+ * immutable PR/head binding ONCE and fetches the gate config ONCE at loop start,
+ * then polls CI on a clamped interval until the gate is met or the clamped timeout
+ * elapses. All CI polls and emitted events use the SHA captured at loop start.
+ */
+export async function waitForDoneGate(params = {}, deps = {}) {
+    const resolveBinding = deps.resolveBinding ?? resolvePrHeadBinding;
+    const resolveAccess = deps.resolveAccess ?? (() => resolveConductorBridgeApiAccess({ env: deps.env, cwd: params.worktreePath ?? deps.cwd }));
+    const fetchGateConfig = deps.fetchGateConfig ?? fetchDoneGateConfigField;
+    const sleep = deps.sleep ?? defaultSleep;
+    const now = deps.now ?? (() => new Date().toISOString());
+    const timeoutMs = clampInt(params.timeoutMs, WAIT_FOR_GATE_TIMEOUT_DEFAULT_MS, 0, WAIT_FOR_GATE_TIMEOUT_MAX_MS);
+    const pollIntervalMs = clampInt(params.pollIntervalMs, WAIT_FOR_GATE_POLL_INTERVAL_DEFAULT_MS, WAIT_FOR_GATE_POLL_INTERVAL_MIN_MS, WAIT_FOR_GATE_TIMEOUT_MAX_MS);
+    // Bind ONCE — never re-resolve a mutable branch mid-loop.
+    const bindingResult = resolveBinding({ repoName: params.repoName, prNumber: params.prNumber, headSha: params.headSha, cwd: params.worktreePath ?? deps.cwd, env: deps.env }, deps.bindingDeps ?? {});
+    if (!bindingResult.ok) {
+        return {
+            gate_met: false,
+            timed_out: false,
+            reason: `no binding: ${bindingResult.reason}`,
+            repo: null,
+            pr_number: null,
+            head_sha: null,
+        };
+    }
+    const binding = bindingResult.binding;
+    const accessResult = await resolveAccess();
+    if (!accessResult.ok) {
+        return {
+            gate_met: false,
+            timed_out: false,
+            reason: `access unavailable: ${accessResult.error}`,
+            repo: binding.repo,
+            pr_number: binding.pr_number,
+            head_sha: binding.head_sha,
+        };
+    }
+    // Fetch + parse config ONCE.
+    let rawConfig;
+    try {
+        rawConfig = await fetchGateConfig(accessResult.access);
+    }
+    catch {
+        rawConfig = undefined;
+    }
+    const gateConfig = parseDoneGateConfig(rawConfig);
+    if (!gateConfig.enabled || !gateConfig.valid) {
+        return {
+            gate_met: false,
+            timed_out: false,
+            reason: `gate inactive: ${gateConfig.reason}`,
+            repo: binding.repo,
+            pr_number: binding.pr_number,
+            head_sha: binding.head_sha,
+        };
+    }
+    const deadline = Date.now() + timeoutMs;
+    // Use the SAME `now`/sleep deps for every iteration so emitted gate timestamps
+    // and the loop are fully controllable in tests.
+    const loopDeps = { ...deps, now };
+    // Poll at least once; re-poll until met or the deadline passes.
+    // eslint-disable-next-line no-constant-condition
+    while (true) {
+        const observation = await observeWithResolved(binding, accessResult.access, gateConfig, loopDeps);
+        if (observation.gate_met) {
+            return {
+                gate_met: true,
+                timed_out: false,
+                reason: observation.reason,
+                repo: binding.repo,
+                pr_number: binding.pr_number,
+                head_sha: binding.head_sha,
+                gate_event_summary: observation.gate_event_summary,
+            };
+        }
+        if (Date.now() >= deadline) {
+            return {
+                gate_met: false,
+                timed_out: true,
+                reason: observation.reason,
+                repo: binding.repo,
+                pr_number: binding.pr_number,
+                head_sha: binding.head_sha,
+            };
+        }
+        const remaining = deadline - Date.now();
+        await sleep(Math.min(pollIntervalMs, Math.max(1, remaining)));
+    }
+}
+/**
+ * Step-11 opportunistic helper: emit PR/CI/gate events from an ALREADY-FETCHED
+ * `poll_ci_checks` response, but only after validating that `commitRef` binds to
+ * the resolved PR head SHA. Never changes any caller's response; emits nothing
+ * when there is no binding or the commit ref does not match the PR head.
+ */
+export async function observePrCiFromPollResponse(commitRef, pollResponse, deps = {}) {
+    const resolveBinding = deps.resolveBinding ?? resolvePrHeadBinding;
+    const emitIfNew = deps.emitIfNew ?? emitConductorEventIfNew;
+    const now = deps.now ?? (() => new Date().toISOString());
+    const bindingResult = resolveBinding({ cwd: deps.cwd, env: deps.env }, deps.bindingDeps ?? {});
+    if (!bindingResult.ok) {
+        return {
+            binding: null,
+            pr_opened_emitted: false,
+            ci_status: null,
+            ci_emitted: false,
+            gate_met: false,
+            gate_emitted: false,
+            reason: `no binding: ${bindingResult.reason}`,
+        };
+    }
+    const binding = bindingResult.binding;
+    // The poll response must correspond to the bound head SHA.
+    if (commitRef.trim().toLowerCase() !== binding.head_sha) {
+        return {
+            binding,
+            pr_opened_emitted: false,
+            ci_status: null,
+            ci_emitted: false,
+            gate_met: false,
+            gate_emitted: false,
+            reason: "commit ref does not match PR head",
+        };
+    }
+    const result = {
+        binding,
+        pr_opened_emitted: false,
+        ci_status: null,
+        ci_emitted: false,
+        gate_met: false,
+        gate_emitted: false,
+        reason: "observed",
+    };
+    const prDecision = emitIfNew(buildPrOpenedEventInput(binding), {
+        event_type: "git.pr_opened",
+        repo: binding.repo,
+        pr_number: binding.pr_number,
+        head_sha: binding.head_sha,
+    });
+    result.pr_opened_emitted = prDecision.emitted;
+    const snapshot = normalizeCiSnapshot(pollResponse);
+    const ciEvent = buildCiObservationEventInput(binding, snapshot);
+    if (ciEvent === null) {
+        result.ci_status = "pending";
+        return result;
+    }
+    result.ci_status = ciEvent.type === "ci.passed" ? "passed" : "failed";
+    const ciDecision = emitIfNew(ciEvent, {
+        event_type: ciEvent.type,
+        repo: binding.repo,
+        pr_number: binding.pr_number,
+        head_sha: binding.head_sha,
+        ci_check_hash: snapshot.check_state_hash,
+    });
+    result.ci_emitted = ciDecision.emitted;
+    // Best-effort gate evaluation when access + config are available.
+    const resolveAccess = deps.resolveAccess ?? (() => resolveConductorBridgeApiAccess({ env: deps.env, cwd: deps.cwd }));
+    const fetchGateConfig = deps.fetchGateConfig ?? fetchDoneGateConfigField;
+    try {
+        const accessResult = await resolveAccess();
+        if (accessResult.ok) {
+            let rawConfig;
+            try {
+                rawConfig = await fetchGateConfig(accessResult.access);
+            }
+            catch {
+                rawConfig = undefined;
+            }
+            const gateConfig = parseDoneGateConfig(rawConfig);
+            if (gateConfig.enabled && gateConfig.valid) {
+                const evaluation = evaluateDoneGate(gateConfig, binding, snapshot, now());
+                if (evaluation.met) {
+                    result.gate_met = true;
+                    const gateEvent = buildGateMetEventInput(binding, evaluation);
+                    if (gateEvent !== null) {
+                        const gateDecision = emitIfNew(gateEvent, {
+                            event_type: "gate.met",
+                            repo: binding.repo,
+                            pr_number: binding.pr_number,
+                            head_sha: binding.head_sha,
+                            config_hash: gateConfig.config_hash ?? undefined,
+                        });
+                        result.gate_emitted = gateDecision.emitted;
+                        result.gate_event_summary = gateEvent.data?.summary;
+                    }
+                }
+            }
+        }
+    }
+    catch {
+        /* best-effort gate; telemetry already emitted */
+    }
+    return result;
+}

package/build/conductor/pr-discovery.js

@@ -0,0 +1,135 @@
+/**
+ * PR number + immutable head SHA binding discovery (BAPI-395).
+ *
+ * `poll_ci_checks` is SHA-keyed only, so the producer resolves the PR number and
+ * head SHA INDEPENDENTLY here. v1 does one opportunistic `gh pr view` lookup (no
+ * continuous GitHub polling) and binds only when the discovered PR is open and its
+ * head matches the local HEAD. Every failure mode — gh unavailable, no open PR,
+ * head mismatch, invalid identifiers — returns a structured no-binding result so
+ * the producer never evaluates a mutable branch or a stale SHA. Provider-native gh
+ * fields never leak into the binding beyond safe references.
+ */
+import { execFileSync } from "node:child_process";
+import { normalizePrNumber, normalizeRepoName, normalizeSha } from "./git-ci-types.js";
+import { getGitWorktreeContext } from "./git-inspection.js";
+/** Bounded timeout for the one-shot `gh` lookup. */
+export const GH_COMMAND_TIMEOUT_MS = 5_000;
+/** Run `gh <args>` with list args, a bounded timeout, and NO shell. */
+export function runGhCommand(args, options = {}) {
+    try {
+        const stdout = execFileSync("gh", args, {
+            cwd: options.cwd,
+            timeout: GH_COMMAND_TIMEOUT_MS,
+            encoding: "utf-8",
+            maxBuffer: 4 * 1024 * 1024,
+            stdio: ["ignore", "pipe", "ignore"],
+        });
+        return { ok: true, stdout: typeof stdout === "string" ? stdout : "" };
+    }
+    catch {
+        return { ok: false, stdout: "" };
+    }
+}
+const GH_PR_VIEW_ARGS = ["pr", "view", "--json", "number,headRefOid,headRefName,url,state"];
+/**
+ * Perform a one-shot `gh pr view` lookup for the current branch's PR. Returns a
+ * normalized {@link DiscoveredPr} or `null` when gh is unavailable, there is no
+ * PR, or the output cannot be parsed. Never throws; never leaks raw gh output.
+ */
+export function discoverPrWithGhCli(options = {}, deps = {}) {
+    const runGh = deps.runGh ?? runGhCommand;
+    const result = runGh(GH_PR_VIEW_ARGS, { cwd: options.cwd });
+    if (!result.ok)
+        return null;
+    let parsed;
+    try {
+        parsed = JSON.parse(result.stdout);
+    }
+    catch {
+        return null;
+    }
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed))
+        return null;
+    const record = parsed;
+    const number = typeof record.number === "number" ? record.number : null;
+    const state = typeof record.state === "string" ? record.state : "";
+    if (number === null || state.length === 0)
+        return null;
+    const discovered = {
+        number,
+        head_sha: normalizeSha(record.headRefOid),
+        state,
+    };
+    if (typeof record.headRefName === "string" && record.headRefName.trim().length > 0) {
+        discovered.head_ref = record.headRefName.trim();
+    }
+    if (typeof record.url === "string" && record.url.trim().length > 0) {
+        discovered.url = record.url.trim();
+    }
+    return discovered;
+}
+function makeBinding(repo, prNumber, headSha, extra = {}) {
+    const binding = {
+        repo,
+        pr_number: prNumber,
+        head_sha: headSha,
+        subject: `${repo}#${prNumber}`,
+    };
+    if (extra.url !== undefined)
+        binding.url = extra.url;
+    if (extra.head_ref !== undefined)
+        binding.head_ref = extra.head_ref;
+    return binding;
+}
+/**
+ * Resolve an immutable PR/head binding. When both `prNumber` and `headSha` are
+ * supplied they are validated and used directly (no git/gh discovery). Otherwise
+ * the local git context + HEAD SHA are read and a single `gh pr view` lookup must
+ * return an OPEN PR whose head matches local HEAD. Any inconsistency yields a
+ * structured no-binding result — never a branch-only fallback.
+ */
+export function resolvePrHeadBinding(input = {}, deps = {}) {
+    const explicitRepo = input.repoName !== undefined ? normalizeRepoName(input.repoName) : null;
+    // Explicit binding path: validate and return without any discovery.
+    if (input.prNumber !== undefined || input.headSha !== undefined) {
+        const prNumber = normalizePrNumber(input.prNumber);
+        const headSha = normalizeSha(input.headSha);
+        if (prNumber === null || headSha === null) {
+            return { ok: false, reason: "invalid explicit pr_number or head_sha" };
+        }
+        if (input.repoName !== undefined && explicitRepo === null) {
+            return { ok: false, reason: "invalid explicit repo_name" };
+        }
+        const repo = explicitRepo ?? normalizeRepoName(deps.getContext?.({ cwd: input.cwd, env: input.env })?.repo);
+        if (repo === null) {
+            return { ok: false, reason: "could not resolve repo name" };
+        }
+        return { ok: true, binding: makeBinding(repo, prNumber, headSha) };
+    }
+    // Discovery path: local context + one-shot gh lookup.
+    const getContext = deps.getContext ?? getGitWorktreeContext;
+    const context = getContext({ cwd: input.cwd, env: input.env });
+    const repo = explicitRepo ?? normalizeRepoName(context.repo);
+    const localSha = normalizeSha(context.head_sha ?? "");
+    if (repo === null || localSha === null) {
+        return { ok: false, reason: "no local repo/HEAD to bind" };
+    }
+    const pr = discoverPrWithGhCli({ cwd: input.cwd }, deps);
+    if (pr === null) {
+        return { ok: false, reason: "gh unavailable or no PR for current branch" };
+    }
+    if (pr.state.toUpperCase() !== "OPEN") {
+        return { ok: false, reason: `PR is not open (state: ${pr.state})` };
+    }
+    const prNumber = normalizePrNumber(pr.number);
+    if (prNumber === null) {
+        return { ok: false, reason: "discovered PR number is invalid" };
+    }
+    if (pr.head_sha !== null && pr.head_sha !== localSha) {
+        return { ok: false, reason: "PR head SHA does not match local HEAD" };
+    }
+    return {
+        ok: true,
+        binding: makeBinding(repo, prNumber, localSha, { url: pr.url, head_ref: pr.head_ref }),
+    };
+}

package/build/conductor/producer-ledger.js

@@ -0,0 +1,125 @@
+/**
+ * Producer-level deduplication over the generic append-only conductor ledger
+ * (BAPI-395).
+ *
+ * The store stays tool-agnostic and append-only; this layer adds deterministic
+ * dedupe keys / event ids so noisy producers (git hooks, PR/CI observers) never
+ * append the same logical event twice. A stable `dedupe_key` is embedded under
+ * `data.details.dedupe_key` and a deterministic event id is derived from it, so a
+ * pre-check ledger scan AND the `events.id` UNIQUE constraint both guard against
+ * duplicates. Raw provider payloads never enter the dedupe key — only stable
+ * normalized hashes do.
+ */
+import { createHash } from "node:crypto";
+import { emitConductorEvent, pollConductorEvents } from "./store.js";
+import { stableJsonHash } from "./git-ci-types.js";
+/**
+ * Build a stable dedupe key from normalized event dimensions. Undefined
+ * dimensions are dropped, key order is irrelevant (canonical hashing), and no raw
+ * payload material is included — two inputs with identical normalized hashes but
+ * different `raw` objects yield the same key.
+ */
+export function makeProducerDedupeKey(dimensions) {
+    const canonical = {};
+    for (const [key, value] of Object.entries(dimensions)) {
+        if (value !== undefined && value !== null)
+            canonical[key] = value;
+    }
+    return stableJsonHash(canonical);
+}
+/**
+ * Derive a deterministic, UUID-shaped event id from a dedupe key. Repeated calls
+ * with the same key always return the same id, so a retrying producer collides on
+ * the `events.id` UNIQUE constraint instead of appending a duplicate.
+ */
+export function makeStableProducerEventId(dedupeKey) {
+    const h = createHash("sha256").update(`conductor-producer:${dedupeKey}`).digest("hex");
+    return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`;
+}
+/** Heuristically detect a SQLite duplicate-id / UNIQUE constraint failure. */
+function isDuplicateConstraintError(error) {
+    if (!error || typeof error !== "object")
+        return false;
+    const code = error.code;
+    if (typeof code === "string" && code.startsWith("SQLITE_CONSTRAINT"))
+        return true;
+    const message = error.message;
+    if (typeof message === "string") {
+        const lowered = message.toLowerCase();
+        if (lowered.includes("unique constraint") || lowered.includes("constraint failed"))
+            return true;
+    }
+    return false;
+}
+const LEDGER_SCAN_PAGE_LIMIT = 500;
+const LEDGER_SCAN_MAX_PAGES = 200;
+/**
+ * Return `true` when an event carrying `dedupe_key` under `data.details` already
+ * exists in the ledger. Pages through the ledger with `data_mode: "full"` so the
+ * full details object is visible. Malformed/non-matching events are skipped; the
+ * scan never throws.
+ */
+export function eventAlreadyExists(dedupeKey, deps = {}) {
+    const pollEvents = deps.pollEvents ?? ((options) => pollConductorEvents(options));
+    let sinceSeq = 1;
+    for (let page = 0; page < LEDGER_SCAN_MAX_PAGES; page += 1) {
+        let result;
+        try {
+            result = pollEvents({ since_seq: sinceSeq, data_mode: "full", limit: LEDGER_SCAN_PAGE_LIMIT });
+        }
+        catch {
+            return false;
+        }
+        for (const event of result.events) {
+            if (!event || typeof event !== "object")
+                continue;
+            const data = event.data;
+            if (data && typeof data === "object") {
+                const details = data.details;
+                if (details &&
+                    typeof details === "object" &&
+                    details.dedupe_key === dedupeKey) {
+                    return true;
+                }
+            }
+        }
+        if (result.count === 0 || result.next_seq <= sinceSeq)
+            break;
+        sinceSeq = result.next_seq;
+    }
+    return false;
+}
+/**
+ * Emit a producer event only if no event with the same dedupe key already exists.
+ * Pre-checks the ledger, assigns a deterministic event id, embeds `dedupe_key`
+ * under `data.details`, then emits. A duplicate-id constraint thrown by a racing
+ * producer is classified as a duplicate rather than surfaced as a failure.
+ */
+export function emitConductorEventIfNew(input, dimensions, deps = {}) {
+    const emitEvent = deps.emitEvent ?? emitConductorEvent;
+    const dedupeKey = makeProducerDedupeKey(dimensions);
+    if (eventAlreadyExists(dedupeKey, deps)) {
+        return { emitted: false, reason: "duplicate" };
+    }
+    const eventId = makeStableProducerEventId(dedupeKey);
+    // Embed the dedupe key under data.details so a later scan can find it, without
+    // disturbing any other normalized details the caller supplied.
+    const existingData = input.data ?? {};
+    const existingDetails = existingData.details && typeof existingData.details === "object" && !Array.isArray(existingData.details)
+        ? existingData.details
+        : {};
+    const data = {
+        ...existingData,
+        details: { ...existingDetails, dedupe_key: dedupeKey },
+    };
+    try {
+        emitEvent({ ...input, id: eventId, data });
+        return { emitted: true, event_id: eventId };
+    }
+    catch (error) {
+        if (isDuplicateConstraintError(error)) {
+            return { emitted: false, reason: "duplicate" };
+        }
+        throw error;
+    }
+}