@bridge_gpt/mcp-server 0.2.2 → 0.2.4

package/build/conductor/git-inspection.js

@@ -0,0 +1,185 @@
+/**
+ * Best-effort local git inspection for the conductor producer (BAPI-395).
+ *
+ * These helpers run short, list-argument git subprocesses (never `shell: true`)
+ * with bounded timeouts and treat ALL output as best-effort local telemetry — a
+ * failed or unavailable git invocation degrades to a safe empty result rather than
+ * throwing. Raw stderr/stdout (which can contain credentials) is never surfaced;
+ * remote URLs are credential-stripped before they reach any event payload.
+ */
+import { execFileSync } from "node:child_process";
+import { basename } from "node:path";
+import { normalizeRepoName, normalizeSha } from "./git-ci-types.js";
+/** Default bounded timeout for a single git subprocess. */
+export const GIT_COMMAND_TIMEOUT_MS = 5_000;
+/** Max captured stdout per git command (10 MiB) — bounds memory for large logs. */
+const GIT_COMMAND_MAX_BUFFER = 10 * 1024 * 1024;
+/**
+ * Run `git <args>` with list-based arguments, a bounded timeout, and NO shell.
+ * Returns `{ ok: true, stdout }` on success or `{ ok: false, stdout: "" }` on any
+ * failure. Raw stderr/stdout from a failed command is intentionally discarded so
+ * credential-bearing error text never escapes.
+ */
+export function runGitCommand(args, options = {}) {
+    try {
+        const stdout = execFileSync("git", args, {
+            cwd: options.cwd,
+            timeout: options.timeoutMs ?? GIT_COMMAND_TIMEOUT_MS,
+            encoding: "utf-8",
+            maxBuffer: GIT_COMMAND_MAX_BUFFER,
+            // Capture stdout only; ignore stdin and stderr so raw error text (which may
+            // include credentials) is never read back. `shell` defaults to false.
+            stdio: ["ignore", "pipe", "ignore"],
+        });
+        return { ok: true, stdout: typeof stdout === "string" ? stdout : "" };
+    }
+    catch {
+        return { ok: false, stdout: "" };
+    }
+}
+function firstLine(result) {
+    if (!result.ok)
+        return null;
+    const trimmed = result.stdout.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+/**
+ * Strip embedded credentials from an HTTPS remote URL
+ * (`https://user:token@host/...` → `https://host/...`). SSH-style remotes
+ * (`git@host:org/repo.git`) and unparseable values are returned trimmed and
+ * unchanged — they carry no inline secret to remove.
+ */
+export function sanitizeGitRemoteUrl(url) {
+    if (typeof url !== "string")
+        return null;
+    const trimmed = url.trim();
+    if (trimmed.length === 0)
+        return null;
+    if (/^https?:\/\//i.test(trimmed)) {
+        try {
+            const parsed = new URL(trimmed);
+            parsed.username = "";
+            parsed.password = "";
+            return parsed.toString();
+        }
+        catch {
+            // Fall through: strip a leading `user:pass@` segment defensively.
+            return trimmed.replace(/^(https?:\/\/)[^/@]*@/i, "$1");
+        }
+    }
+    return trimmed;
+}
+/**
+ * Resolve the local worktree context: worktree root, git common dir, current
+ * branch, HEAD SHA, sanitized origin remote, and repo identity. Repo name prefers
+ * `BAPI_CONDUCTOR_REPO_NAME`, then `BAPI_REPO_NAME`, then the git root basename.
+ * Never throws — missing git simply yields a degraded context.
+ */
+export function getGitWorktreeContext(options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const env = options.env ?? process.env;
+    const topLevel = firstLine(runGitCommand(["rev-parse", "--show-toplevel"], { cwd }));
+    const isWorktree = topLevel !== null;
+    const worktreePath = topLevel ?? cwd;
+    const gitCommonDir = firstLine(runGitCommand(["rev-parse", "--git-common-dir"], { cwd }));
+    const branchRaw = firstLine(runGitCommand(["rev-parse", "--abbrev-ref", "HEAD"], { cwd }));
+    const branch = branchRaw === null || branchRaw === "HEAD" ? null : branchRaw;
+    const headSha = normalizeSha(firstLine(runGitCommand(["rev-parse", "HEAD"], { cwd })) ?? "");
+    const remoteOrigin = sanitizeGitRemoteUrl(firstLine(runGitCommand(["config", "--get", "remote.origin.url"], { cwd })) ?? "");
+    const repo = normalizeRepoName(env.BAPI_CONDUCTOR_REPO_NAME) ??
+        normalizeRepoName(env.BAPI_REPO_NAME) ??
+        normalizeRepoName(basename(worktreePath)) ??
+        "unknown";
+    return {
+        repo,
+        worktree_path: worktreePath,
+        git_common_dir: gitCommonDir,
+        branch,
+        head_sha: headSha,
+        remote_origin: remoteOrigin,
+        is_worktree: isWorktree,
+    };
+}
+const CO_AUTHOR_RE = /^co-authored-by:\s*(.+?)\s*<([^<>@\s]+@[^<>\s]+)>\s*$/i;
+/**
+ * Parse `Co-Authored-By: Name <email>` trailers from a commit message,
+ * case-insensitively, ignoring malformed lines (missing or invalid email).
+ */
+export function parseCoAuthoredByTrailers(message) {
+    if (typeof message !== "string" || message.length === 0)
+        return [];
+    const out = [];
+    for (const line of message.split(/\r?\n/)) {
+        const match = CO_AUTHOR_RE.exec(line.trim());
+        if (match) {
+            out.push({ name: match[1].trim(), email: match[2].trim() });
+        }
+    }
+    return out;
+}
+/** Unit-separator-delimited field format for `git show -s`. */
+const COMMIT_FORMAT = "%H%x1f%P%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%aI%x1f%cI%x1f%s%x1f%b";
+/**
+ * Read normalized metadata for `HEAD` (or another ref): SHA, parent SHAs,
+ * author/committer identity and timestamps, subject, body, and parsed co-authors.
+ * Returns `null` when the commit cannot be read.
+ */
+export function readHeadCommitMetadata(options = {}) {
+    const ref = options.ref ?? "HEAD";
+    const result = runGitCommand(["show", "-s", `--format=${COMMIT_FORMAT}`, ref], { cwd: options.cwd });
+    if (!result.ok)
+        return null;
+    // Split into exactly 10 fields; the final body field may contain newlines.
+    const fields = result.stdout.replace(/\n$/, "").split("\u001f");
+    if (fields.length < 10)
+        return null;
+    const [sha, parentsRaw, authorName, authorEmail, committerName, committerEmail, authoredAt, committedAt, subject, body] = fields;
+    const parents = parentsRaw
+        .trim()
+        .split(/\s+/)
+        .map((p) => normalizeSha(p))
+        .filter((p) => p !== null);
+    const coAuthors = parseCoAuthoredByTrailers(body);
+    return {
+        sha: normalizeSha(sha),
+        parents,
+        author_name: authorName,
+        author_email: authorEmail,
+        committer_name: committerName,
+        committer_email: committerEmail,
+        authored_at: authoredAt,
+        committed_at: committedAt,
+        subject,
+        body,
+        co_authors: coAuthors,
+        attribution_source: coAuthors.length > 0 ? "co-authored-by-trailer" : "commit-author",
+    };
+}
+const REF_CONTROL_CHAR_RE = /[\u0000-\u001F\u007F]/;
+/**
+ * Parse `reference-transaction` stdin (`<old_sha> <new_sha> <ref>` per line) into
+ * normalized updates. Malformed lines — wrong field count, non-hex SHAs, empty or
+ * control-char-bearing refs — are skipped rather than producing unsafe data.
+ */
+export function parseReferenceTransactionUpdates(stdin) {
+    if (typeof stdin !== "string" || stdin.length === 0)
+        return [];
+    const out = [];
+    for (const line of stdin.split(/\r?\n/)) {
+        const trimmed = line.trim();
+        if (trimmed.length === 0)
+            continue;
+        const parts = trimmed.split(/\s+/);
+        if (parts.length !== 3)
+            continue;
+        const oldSha = normalizeSha(parts[0]);
+        const newSha = normalizeSha(parts[1]);
+        const ref = parts[2];
+        if (oldSha === null || newSha === null)
+            continue;
+        if (ref.length === 0 || REF_CONTROL_CHAR_RE.test(ref))
+            continue;
+        out.push({ old_sha: oldSha, new_sha: newSha, ref });
+    }
+    return out;
+}

package/build/conductor/git-producer.js

@@ -0,0 +1,137 @@
+/**
+ * Canonical local git hook event production (BAPI-395).
+ *
+ * Opportunistic, non-blocking local hooks emit `git.commit_created` (post-commit)
+ * and `worktree.changed` (reference-transaction) using normalized conductor event
+ * envelopes. Every producer is best-effort: inspection failures, unmapped phases,
+ * and ledger errors all resolve to a success-compatible result so a git commit or
+ * ref update is NEVER blocked by conductor telemetry. Events use only the
+ * conductor taxonomy and allowlisted top-level data keys; no provider-native or
+ * Claude-specific fields appear.
+ */
+import { GIT_HOOK_PRODUCER, stableJsonHash, } from "./git-ci-types.js";
+import { getGitWorktreeContext, parseReferenceTransactionUpdates, readHeadCommitMetadata, } from "./git-inspection.js";
+import { emitConductorEventIfNew } from "./producer-ledger.js";
+/** The git phase that represents a durable, committed ref transaction. */
+export const COMMITTED_REF_PHASE = "committed";
+/**
+ * Build a canonical `git.commit_created` event input from a worktree context and
+ * HEAD commit metadata. Only allowlisted top-level data keys are used; all commit
+ * facts live under `data.details`.
+ */
+export function buildCommitCreatedEventInput(context, metadata) {
+    const details = {
+        repo: context.repo,
+        branch: context.branch,
+        worktree_path: context.worktree_path,
+        commit_sha: metadata.sha,
+        parent_shas: metadata.parents,
+        author: { name: metadata.author_name, email: metadata.author_email },
+        committer: { name: metadata.committer_name, email: metadata.committer_email },
+        co_authors: metadata.co_authors,
+        authored_at: metadata.authored_at,
+        committed_at: metadata.committed_at,
+        subject: metadata.subject,
+        attribution_source: metadata.attribution_source,
+    };
+    return {
+        source: "git",
+        type: "git.commit_created",
+        subject: context.repo,
+        producer: GIT_HOOK_PRODUCER,
+        observed_via: "git-hook:post-commit",
+        data: {
+            summary: `Commit ${metadata.sha ?? "(unknown)"} on ${context.branch ?? "(detached)"}`,
+            status: "created",
+            details,
+        },
+    };
+}
+/**
+ * Build a canonical `worktree.changed` event input from committed
+ * reference-transaction updates. Only allowlisted top-level data keys are used.
+ */
+export function buildWorktreeChangedEventInput(context, updates, phase) {
+    const updatesHash = stableJsonHash({ phase, updates });
+    const details = {
+        repo: context.repo,
+        branch: context.branch,
+        worktree_path: context.worktree_path,
+        transaction_phase: phase,
+        ref_updates: updates,
+        updates_hash: updatesHash,
+    };
+    return {
+        source: "git",
+        type: "worktree.changed",
+        subject: context.repo,
+        producer: GIT_HOOK_PRODUCER,
+        observed_via: "git-hook:reference-transaction",
+        data: {
+            summary: `${updates.length} ref update(s) on ${context.repo}`,
+            status: "changed",
+            details,
+        },
+    };
+}
+/**
+ * Post-commit hook producer: inspect HEAD, build the `git.commit_created` event,
+ * dedupe by `repo + commit_sha`, and emit best-effort. Returns a
+ * success-compatible result for every failure mode so the commit is never blocked.
+ */
+export function runPostCommitHookProducer(deps = {}) {
+    const getContext = deps.getContext ?? getGitWorktreeContext;
+    const readMetadata = deps.readMetadata ?? readHeadCommitMetadata;
+    const emitIfNew = deps.emitIfNew ?? emitConductorEventIfNew;
+    try {
+        const context = getContext({ cwd: deps.cwd, env: deps.env });
+        const metadata = readMetadata({ cwd: deps.cwd });
+        if (!metadata || metadata.sha === null) {
+            return { ok: true, emitted: false, reason: "no-head-commit" };
+        }
+        const input = buildCommitCreatedEventInput(context, metadata);
+        const decision = emitIfNew(input, {
+            event_type: "git.commit_created",
+            repo: context.repo,
+            commit_sha: metadata.sha,
+        });
+        return { ok: true, emitted: decision.emitted, reason: decision.reason };
+    }
+    catch {
+        // Best-effort: never block the commit on a conductor failure.
+        return { ok: true, emitted: false, reason: "skipped" };
+    }
+}
+/**
+ * Reference-transaction hook producer: ignore non-`committed` phases, parse the
+ * stdin updates, build the `worktree.changed` event, dedupe by
+ * `repo + phase + updates_hash`, and emit best-effort. Returns a
+ * success-compatible result for every failure mode so the ref update is never
+ * blocked.
+ */
+export function runReferenceTransactionHookProducer(args, deps = {}) {
+    const getContext = deps.getContext ?? getGitWorktreeContext;
+    const parseUpdates = deps.parseUpdates ?? parseReferenceTransactionUpdates;
+    const emitIfNew = deps.emitIfNew ?? emitConductorEventIfNew;
+    try {
+        if (args.phase !== COMMITTED_REF_PHASE) {
+            return { ok: true, emitted: false, reason: "non-committed-phase" };
+        }
+        const updates = parseUpdates(args.stdin);
+        if (updates.length === 0) {
+            return { ok: true, emitted: false, reason: "no-updates" };
+        }
+        const context = getContext({ cwd: deps.cwd, env: deps.env });
+        const input = buildWorktreeChangedEventInput(context, updates, args.phase);
+        const refUpdatesHash = stableJsonHash({ phase: args.phase, updates });
+        const decision = emitIfNew(input, {
+            event_type: "worktree.changed",
+            repo: context.repo,
+            ref_updates_hash: refUpdatesHash,
+        });
+        return { ok: true, emitted: decision.emitted, reason: decision.reason };
+    }
+    catch {
+        return { ok: true, emitted: false, reason: "skipped" };
+    }
+}

package/build/conductor/merge-ledger.js

@@ -0,0 +1,198 @@
+/**
+ * Local conductor merge-ledger helpers (Conductor C6, BAPI-398).
+ *
+ * The conductor never performs a provider merge locally — it calls the protected
+ * Bridge API endpoint and records the returned `merge.*` lifecycle events into the
+ * LOCAL SQLite ledger. This module centralizes:
+ *
+ *   - the deterministic action key `merge:{repo}:{pr}:{head_sha}:{gate}` (kept in
+ *     lock-step with the Python `build_merge_action_key`),
+ *   - immutable PR-identity extraction from a worker-scoped `gate.met` event
+ *     (branch names are deliberately ignored — never used to bind a merge),
+ *   - deterministic, idempotency-keyed event ids,
+ *   - read-only terminal-success / dry-run lookups,
+ *   - duplicate-tolerant event emission.
+ *
+ * It performs NO privileged action and never handles VCS write credentials.
+ */
+import { createHash } from "node:crypto";
+import { normalizePrNumber, normalizeRepoName, normalizeSha } from "./git-ci-types.js";
+import { emitConductorEvent, openReadonlyConductorDatabaseIfExists, } from "./store.js";
+/**
+ * Compose the stable gate-identity segment, mirroring the Python
+ * `normalize_gate_identity`: `{name}@{config_hash}` when a hash is present
+ * (lower-cased), otherwise just the gate name.
+ */
+export function buildGateIdentity(gateName, configHash) {
+    const name = gateName.trim();
+    const hash = typeof configHash === "string" ? configHash.trim() : "";
+    return hash ? `${name}@${hash.toLowerCase()}` : name;
+}
+/**
+ * Build the deterministic action key. Normalizes repo / PR / head SHA exactly as
+ * the Python side does (lower-cased SHA, trimmed repo, positive integer PR) so the
+ * conductor-computed key and the API-recomputed key are byte-identical. Throws on
+ * any invalid component. The branch name is never part of the key.
+ */
+export function makeMergeActionKey(repo, prNumber, headSha, gateIdentity) {
+    const r = normalizeRepoName(repo);
+    const pr = normalizePrNumber(prNumber);
+    const sha = normalizeSha(headSha);
+    const gate = (gateIdentity ?? "").trim();
+    if (r === null || pr === null || sha === null || gate.length === 0) {
+        throw new Error("invalid merge action key component");
+    }
+    return `merge:${r}:${pr}:${sha}:${gate}`;
+}
+/**
+ * Resolve the immutable merge identity from a `gate.met` event. Returns `null`
+ * unless the event is a worker-scoped `gate.met` carrying a complete PR binding
+ * (repo, pr_number, head_sha, gate_name). Run-level or incomplete events yield
+ * `null`. Branch-name fields, if present, are ignored.
+ */
+export function extractMergeActionIdentityFromGateEvent(event) {
+    if (event.type !== "gate.met")
+        return null;
+    // Worker scope is required — a run-level gate.met never binds a specific worker.
+    if (typeof event.worker_id !== "string" || event.worker_id.trim().length === 0) {
+        return null;
+    }
+    const data = event.data ?? {};
+    const details = data.details;
+    if (!details || typeof details !== "object")
+        return null;
+    const d = details;
+    const repo = normalizeRepoName(d.repo);
+    const prNumber = normalizePrNumber(d.pr_number);
+    const headSha = normalizeSha(d.head_sha);
+    const gateName = typeof d.gate_name === "string" ? d.gate_name.trim() : "";
+    if (repo === null || prNumber === null || headSha === null || gateName.length === 0) {
+        return null;
+    }
+    const configHash = typeof d.config_hash === "string" && d.config_hash.trim().length > 0
+        ? d.config_hash.trim()
+        : null;
+    const requiredChecks = Array.isArray(d.required_checks)
+        ? d.required_checks.filter((c) => typeof c === "string" && c.trim().length > 0)
+        : [];
+    const gateIdentity = buildGateIdentity(gateName, configHash);
+    const actionKey = makeMergeActionKey(repo, prNumber, headSha, gateIdentity);
+    return {
+        repo,
+        pr_number: prNumber,
+        head_sha: headSha,
+        gate_name: gateName,
+        config_hash: configHash,
+        required_checks: requiredChecks,
+        gate_identity: gateIdentity,
+        action_key: actionKey,
+        gate_event: {
+            id: typeof event.id === "string" ? event.id : undefined,
+            seq: typeof event.seq === "number" ? event.seq : undefined,
+            time: typeof event.time === "string" ? event.time : undefined,
+        },
+    };
+}
+/**
+ * Derive a deterministic, UUID-shaped event id from the event type plus action
+ * key. Repeated emits of the same lifecycle event for the same action key collide
+ * on the `events.id` UNIQUE constraint instead of duplicating. `merge.succeeded`
+ * thus has one terminal id per action key. Mirrors `makeSupervisorAssessmentEventId`.
+ */
+export function makeMergeEventId(eventType, actionKey) {
+    const h = createHash("sha256").update(`${eventType}:${actionKey}`).digest("hex");
+    return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`;
+}
+function lookupMergeEventByActionKey(eventType, actionKey, deps) {
+    const openDb = deps.openDb ?? (() => openReadonlyConductorDatabaseIfExists());
+    const db = openDb();
+    if (!db)
+        return false;
+    try {
+        const row = db
+            .prepare(`SELECT 1 FROM events
+         WHERE type = ?
+           AND json_extract(data_json, '$.details.action_key') = ?
+         LIMIT 1`)
+            .get(eventType, actionKey);
+        return row !== undefined;
+    }
+    finally {
+        db.close();
+    }
+}
+/**
+ * Return `true` when a terminal `merge.succeeded` event already exists locally for
+ * the action key. Only `merge.succeeded` is terminal — `merge.failed` and
+ * `merge.dry_run` are never terminal.
+ */
+export function hasTerminalMergeSucceeded(actionKey, deps = {}) {
+    return lookupMergeEventByActionKey("merge.succeeded", actionKey, deps);
+}
+/**
+ * Return `true` when a `merge.dry_run` event already exists for the action key.
+ * Dry-run is audit/hygiene only and is NEVER treated as terminal — a later real
+ * merge for the same PR/head/gate may still proceed if the repo flag is enabled.
+ */
+export function hasMergeDryRun(actionKey, deps = {}) {
+    return lookupMergeEventByActionKey("merge.dry_run", actionKey, deps);
+}
+/**
+ * Return `true` when a `merge.pending_approval` event already exists for the
+ * action key. Pending approval is NEVER terminal — the supervisor must re-dispatch
+ * until the backend reports approval (returning `merge.attempted` + `merge.succeeded`).
+ */
+export function hasMergePendingApproval(actionKey, deps = {}) {
+    return lookupMergeEventByActionKey("merge.pending_approval", actionKey, deps);
+}
+/** Heuristically detect a SQLite duplicate-id / UNIQUE constraint failure. */
+function isDuplicateConstraintError(error) {
+    if (!error || typeof error !== "object")
+        return false;
+    const code = error.code;
+    if (typeof code === "string" && code.startsWith("SQLITE_CONSTRAINT"))
+        return true;
+    const message = error.message;
+    if (typeof message === "string") {
+        const lowered = message.toLowerCase();
+        if (lowered.includes("unique constraint") || lowered.includes("constraint failed"))
+            return true;
+    }
+    return false;
+}
+/**
+ * Emit a `merge.*` lifecycle event under a deterministic, action-key-derived id.
+ * Top-level `data` is restricted to the allowlisted `summary`/`status`/`reason`/
+ * `details` keys (repo, PR number, head SHA, gate, action key, and sanitized
+ * outcome fields live under `details`). A duplicate UNIQUE-constraint failure is
+ * classified as `{ emitted: false, reason: "duplicate" }` rather than thrown.
+ */
+export function emitMergeLedgerEventIfNew(input, deps = {}) {
+    const emitEvent = deps.emitEvent ?? emitConductorEvent;
+    const eventId = makeMergeEventId(input.type, input.action_key);
+    const event = {
+        id: eventId,
+        source: "conductor-supervisor",
+        type: input.type,
+        run_id: input.run_id ?? null,
+        worker_id: input.worker_id ?? null,
+        producer: "conductor-merge",
+        observed_via: "supervisor",
+        data: {
+            summary: input.summary ?? `${input.type} ${input.action_key}`,
+            status: input.status,
+            reason: input.reason ?? undefined,
+            details: input.details,
+        },
+    };
+    try {
+        const result = emitEvent(event);
+        return { emitted: true, event_id: eventId, event: result.event };
+    }
+    catch (error) {
+        if (isDuplicateConstraintError(error)) {
+            return { emitted: false, reason: "duplicate" };
+        }
+        throw error;
+    }
+}