@build-astron-co/nimbus 0.2.0 → 0.4.0

package/dist/src/cli/run.js

@@ -0,0 +1,505 @@
+/**
+ * Non-Interactive CLI Mode
+ *
+ * Runs the Nimbus agent with a prompt from the command line.
+ * Outputs results to stdout and exits.
+ *
+ * Usage:
+ *   nimbus run "deploy the staging environment"
+ *   nimbus run "fix the failing tests" --auto-approve
+ *   echo "analyze this repo" | nimbus run --stdin
+ *   nimbus run "estimate costs" --format json --model anthropic/claude-haiku-4-5
+ *   nimbus run --schema   # print the JSON output schema and exit
+ */
+import { runAgentLoop } from '../agent/loop';
+import { createPermissionState, checkPermission } from '../agent/permissions';
+import { defaultToolRegistry } from '../tools/schemas/types';
+import { standardTools } from '../tools/schemas/standard';
+import { devopsTools } from '../tools/schemas/devops';
+import { expandFileReferences } from '../agent/expand-files';
+/**
+ * Parse `nimbus run` CLI arguments.
+ */
+export function parseRunArgs(args) {
+    let prompt = '';
+    let format = 'text';
+    let autoApprove = false;
+    let stdin = false;
+    let stdinJson = false;
+    let model;
+    let mode = 'build';
+    let maxTurns = 50;
+    let timeout;
+    let rawToolOutput = false;
+    let schema = false;
+    let dryRun = false;
+    let exitOnError = true; // C5: default true for CI/CD POSIX convention
+    let context;
+    let workspace;
+    let namespace;
+    let notify;
+    let notifySlack;
+    let budget;
+    const positional = [];
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        switch (arg) {
+            case '--format':
+                format = (args[++i] ?? 'text');
+                break;
+            case '--json':
+                format = 'json';
+                break;
+            case '--auto-approve':
+            case '-y':
+            case '--non-interactive':
+                autoApprove = true;
+                break;
+            case '--stdin':
+                stdin = true;
+                break;
+            case '--stdin-json':
+                stdinJson = true;
+                stdin = true; // also read stdin
+                break;
+            case '--model':
+                model = args[++i];
+                break;
+            case '--mode':
+                mode = (args[++i] ?? 'build');
+                break;
+            case '--max-turns':
+                maxTurns = parseInt(args[++i] ?? '50', 10);
+                break;
+            case '--timeout':
+                // G13: timeout in seconds, converted to ms
+                timeout = parseInt(args[++i] ?? '0', 10) * 1000;
+                break;
+            case '--raw-tool-output':
+                // G15: print last tool output as JSON
+                rawToolOutput = true;
+                break;
+            case '--schema':
+                // G23: print the JSON output schema and exit
+                schema = true;
+                break;
+            case '--json-schema':
+                // GAP-16: print the stable JSON output schema and exit
+                schema = true;
+                break;
+            case '--dry-run':
+                // M1: dry-run forces plan mode — no mutations allowed
+                dryRun = true;
+                mode = 'plan';
+                break;
+            case '--exit-code-on-error':
+                // H3: exit with code 1 on failure
+                exitOnError = true;
+                break;
+            case '--no-exit-on-error':
+                // C5: legacy scripts can opt out of exit-on-error
+                exitOnError = false;
+                break;
+            case '--context':
+                // H3: kubectl context
+                context = args[++i];
+                break;
+            case '--workspace':
+                // H3: terraform workspace
+                workspace = args[++i];
+                break;
+            case '--namespace':
+            case '-n':
+                // H3: kubernetes namespace
+                namespace = args[++i];
+                break;
+            case '--notify':
+                // H3: webhook URL
+                notify = args[++i];
+                break;
+            case '--notify-slack':
+                // H3: slack webhook
+                notifySlack = args[++i];
+                break;
+            case '--budget':
+                // G16: cost budget in USD
+                budget = parseFloat(args[++i] ?? '0');
+                break;
+            default:
+                if (!arg.startsWith('-')) {
+                    positional.push(arg);
+                }
+                break;
+        }
+    }
+    prompt = positional.join(' ');
+    return { prompt, format, autoApprove, stdin, stdinJson, model, mode, maxTurns, timeout, rawToolOutput, schema, dryRun, exitOnError, context, workspace, namespace, notify, notifySlack, budget };
+}
+/**
+ * Execute a non-interactive run.
+ */
+export async function executeRun(router, options) {
+    // G23 / GAP-16: --schema / --json-schema flag: print the JSON output schema and exit immediately
+    if (options.schema) {
+        const schema = {
+            type: 'object',
+            properties: {
+                success: { type: 'boolean', description: 'Whether the agent completed without error' },
+                output: { type: 'string', description: 'Final text response from the agent' },
+                cost: { type: 'number', description: 'Total cost in USD' },
+                turns: { type: 'number', description: 'Number of LLM turns taken' },
+                toolCalls: { type: 'array', items: { type: 'object', properties: { name: { type: 'string' }, success: { type: 'boolean' }, durationMs: { type: 'number' } } } },
+                errors: { type: 'array', items: { type: 'string' }, description: 'Any error messages encountered' },
+            },
+            required: ['success', 'output', 'cost', 'turns', 'toolCalls', 'errors'],
+        };
+        process.stdout.write(JSON.stringify(schema, null, 2) + '\n');
+        return {
+            success: true,
+            output: '',
+            turns: 0,
+            usage: { promptTokens: 0, completionTokens: 0, totalTokens: 0 },
+            cost: 0,
+            interrupted: false,
+        };
+    }
+    // H3: Inject context/workspace/namespace into environment before agent loop
+    if (options.context)
+        process.env.KUBECTL_CONTEXT = options.context;
+    if (options.workspace)
+        process.env.TF_WORKSPACE = options.workspace;
+    if (options.namespace)
+        process.env.K8S_NAMESPACE = options.namespace;
+    // Get prompt from stdin if requested
+    let prompt = options.prompt;
+    if (options.stdin && !prompt) {
+        const stdinContent = await readStdin();
+        // L5: --stdin-json support: parse stdin as { prompt, mode, model, autoApprove, maxTurns }
+        if (options.stdinJson && stdinContent) {
+            try {
+                const config = JSON.parse(stdinContent);
+                if (typeof config.prompt === 'string')
+                    prompt = config.prompt;
+                if (config.mode === 'plan' || config.mode === 'build' || config.mode === 'deploy') {
+                    options = { ...options, mode: config.mode };
+                }
+                if (typeof config.model === 'string')
+                    options = { ...options, model: config.model };
+                if (typeof config.autoApprove === 'boolean')
+                    options = { ...options, autoApprove: config.autoApprove };
+                if (typeof config.maxTurns === 'number')
+                    options = { ...options, maxTurns: config.maxTurns };
+            }
+            catch {
+                // If JSON parse fails, treat stdin as raw prompt text
+                prompt = stdinContent;
+            }
+        }
+        else {
+            prompt = stdinContent;
+        }
+    }
+    // Expand @file references in the prompt
+    prompt = expandFileReferences(prompt, process.cwd());
+    if (!prompt) {
+        return {
+            success: false,
+            output: 'Error: No prompt provided. Usage: nimbus run "your prompt"',
+            turns: 0,
+            usage: { promptTokens: 0, completionTokens: 0, totalTokens: 0 },
+            cost: 0,
+            interrupted: false,
+        };
+    }
+    // Set up tool registry
+    const registry = defaultToolRegistry;
+    if (registry.size === 0) {
+        // Register all built-in tools
+        for (const tool of [...standardTools, ...devopsTools]) {
+            try {
+                registry.register(tool);
+            }
+            catch {
+                /* skip duplicates */
+            }
+        }
+    }
+    // Set up permission state
+    const permissionState = createPermissionState();
+    // Collect output
+    const outputParts = [];
+    const tableRows = [];
+    // G13: Set up timeout AbortController if --timeout was specified
+    let timeoutAbortController;
+    let timeoutHandle;
+    if (options.timeout && options.timeout > 0) {
+        timeoutAbortController = new AbortController();
+        timeoutHandle = setTimeout(() => {
+            timeoutAbortController.abort();
+            if (options.format === 'text') {
+                process.stderr.write(`\n[Timeout: agent loop aborted after ${options.timeout / 1000}s]\n`);
+            }
+        }, options.timeout);
+    }
+    // G15: Track last tool output for --raw-tool-output
+    let lastToolName = '';
+    let lastToolOutput = '';
+    // G23: Track all tool calls for structured JSON output
+    const allToolCalls = [];
+    // H1: Discover infra context for CI/CD pipelines (best-effort, non-blocking)
+    let infraContext;
+    try {
+        const { discoverInfraContext } = await import('../cli/init');
+        infraContext = await discoverInfraContext(process.cwd());
+    }
+    catch { /* non-critical */ }
+    // Run the agent loop
+    const result = await runAgentLoop(prompt, [], {
+        router,
+        toolRegistry: registry,
+        mode: options.mode,
+        maxTurns: options.maxTurns,
+        model: options.model,
+        cwd: process.cwd(),
+        signal: timeoutAbortController?.signal,
+        dryRun: options.dryRun,
+        costBudgetUSD: options.budget,
+        infraContext,
+        onText: text => {
+            outputParts.push(text);
+            if (options.format === 'text') {
+                process.stdout.write(text);
+            }
+        },
+        onToolCallStart: toolCall => {
+            if (options.format === 'text') {
+                process.stderr.write(`\n[Tool: ${toolCall.name}]\n`);
+            }
+        },
+        onToolCallEnd: (toolCall, result) => {
+            if (options.format === 'text' && result.isError) {
+                process.stderr.write(`[Error: ${result.error}]\n`);
+            }
+            if (options.format === 'table') {
+                tableRows.push({
+                    tool: toolCall.name,
+                    status: result.isError ? 'error' : 'ok',
+                    output: (result.output ?? result.error ?? '').slice(0, 80),
+                });
+            }
+            // G15: track last tool output
+            lastToolName = toolCall.name;
+            lastToolOutput = result.isError ? (result.error ?? '') : (result.output ?? '');
+            // G23: accumulate all tool calls for structured JSON output
+            allToolCalls.push({
+                name: toolCall.name,
+                input: toolCall.input && typeof toolCall.input === 'object'
+                    ? toolCall.input
+                    : {},
+                output: result.isError ? (result.error ?? '') : (result.output ?? ''),
+                isError: result.isError ?? false,
+            });
+        },
+        checkPermission: async (tool, input) => {
+            if (options.autoApprove) {
+                return 'allow';
+            }
+            const decision = checkPermission(tool, input, permissionState);
+            if (decision === 'ask') {
+                // In non-interactive mode without --auto-approve, deny by default
+                return 'deny';
+            }
+            return decision;
+        },
+    });
+    // G13: Clear the timeout timer if we finished before it fired
+    if (timeoutHandle) {
+        clearTimeout(timeoutHandle);
+    }
+    const output = outputParts.join('');
+    // G15: --raw-tool-output: print last tool call as JSON to stdout
+    if (options.rawToolOutput && lastToolName) {
+        console.log(JSON.stringify({ tool: lastToolName, output: lastToolOutput }));
+        return {
+            success: !result.interrupted,
+            output,
+            turns: result.turns,
+            usage: result.usage,
+            cost: result.totalCost,
+            interrupted: result.interrupted,
+        };
+    }
+    // Format output
+    if (options.format === 'json') {
+        // GAP-16 / G23: structured JSON output matching the stable RunJsonOutput schema
+        // L2: Extract terraform plan summary from tool outputs for CI-friendly output
+        let planSummary;
+        const tfPlanCall = allToolCalls.find(tc => tc.name === 'terraform' && tc.output && /Plan:/.test(tc.output));
+        if (tfPlanCall?.output) {
+            const planLine = tfPlanCall.output.match(/Plan:\s*(\d+)\s*to add,\s*(\d+)\s*to change,\s*(\d+)\s*to destroy/i);
+            if (planLine) {
+                planSummary = {
+                    toAdd: parseInt(planLine[1]),
+                    toChange: parseInt(planLine[2]),
+                    toDestroy: parseInt(planLine[3]),
+                    raw: planLine[0],
+                };
+            }
+        }
+        const jsonResult = {
+            success: !result.interrupted,
+            output,
+            cost: result.totalCost ?? 0,
+            turns: result.turns ?? 0,
+            toolCalls: allToolCalls.map(tc => ({
+                name: tc.name,
+                success: !tc.isError,
+                durationMs: 0,
+            })),
+            errors: allToolCalls.filter(tc => tc.isError).map(tc => tc.output).filter(Boolean),
+            ...(planSummary ? { planSummary } : {}),
+        };
+        // M3: Build devops_summary from tool calls
+        const DEVOPS_TOOL_NAMES = new Set([
+            'terraform', 'kubectl', 'helm', 'aws', 'gcloud', 'az',
+            'docker', 'secrets', 'cicd', 'monitor', 'gitops', 'cloud_action',
+            'logs', 'certs', 'mesh', 'cfn', 'k8s_rbac', 'generate_infra',
+            'kubectl_context', 'helm_values', 'cost_estimate', 'cloud_discover',
+        ]);
+        const toolsUsed = [...new Set(allToolCalls.map(tc => tc.name))];
+        const devopsToolsUsed = toolsUsed.filter(t => DEVOPS_TOOL_NAMES.has(t));
+        if (devopsToolsUsed.length > 0) {
+            jsonResult.devops_summary = {
+                tools_used: devopsToolsUsed,
+                tool_call_count: allToolCalls.length,
+                devops_tool_count: allToolCalls.filter(tc => DEVOPS_TOOL_NAMES.has(tc.name)).length,
+            };
+        }
+        // M1: Add infraContext and toolsUsed fields
+        jsonResult.toolsUsed = toolsUsed;
+        if (infraContext) {
+            jsonResult.infraContext = {
+                terraformWorkspace: infraContext.terraformWorkspace,
+                kubectlContext: infraContext.kubectlContext,
+                awsAccount: infraContext.awsAccount,
+            };
+        }
+        console.log(JSON.stringify(jsonResult, null, 2));
+    }
+    else if (options.format === 'text') {
+        // Text was already streamed above
+        console.log(''); // Final newline
+    }
+    else if (options.format === 'table') {
+        // ASCII table of tool calls
+        const COL_TOOL = 30;
+        const COL_STATUS = 6;
+        const COL_OUTPUT = 80;
+        const divider = `${'-'.repeat(COL_TOOL + 2)}+${'-'.repeat(COL_STATUS + 2)}+${'-'.repeat(COL_OUTPUT + 2)}`;
+        const pad = (s, n) => s.slice(0, n).padEnd(n);
+        console.log(divider);
+        console.log(`| ${pad('Tool', COL_TOOL)} | ${pad('Status', COL_STATUS)} | ${pad('Output', COL_OUTPUT)} |`);
+        console.log(divider);
+        for (const row of tableRows) {
+            console.log(`| ${pad(row.tool, COL_TOOL)} | ${pad(row.status, COL_STATUS)} | ${pad(row.output, COL_OUTPUT)} |`);
+        }
+        console.log(divider);
+        console.log('');
+        // Also print final text output
+        if (output)
+            process.stdout.write(output + '\n');
+    }
+    const runResult = {
+        success: !result.interrupted,
+        output,
+        turns: result.turns,
+        usage: result.usage,
+        cost: result.totalCost,
+        interrupted: result.interrupted,
+    };
+    // H3: Fire webhook notifications after run completes
+    const duration = Date.now(); // approximate; real duration would need a start time
+    const notifyPayload = {
+        success: runResult.success,
+        output: runResult.output.slice(0, 2000), // truncate for webhook
+        cost: runResult.cost,
+        duration,
+    };
+    if (options.notify) {
+        try {
+            await fetch(options.notify, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(notifyPayload),
+                signal: AbortSignal.timeout(10_000),
+            });
+        }
+        catch {
+            // Webhook failure is non-fatal
+            process.stderr.write(`[Warning: notification webhook failed]\n`);
+        }
+    }
+    if (options.notifySlack) {
+        try {
+            const slackPayload = {
+                text: runResult.success
+                    ? `:white_check_mark: *Nimbus run succeeded*\n${runResult.output.slice(0, 500)}`
+                    : `:x: *Nimbus run failed*\n${runResult.output.slice(0, 500)}`,
+                attachments: [
+                    {
+                        fields: [
+                            { title: 'Cost', value: `$${runResult.cost.toFixed(4)}`, short: true },
+                            { title: 'Turns', value: String(runResult.turns), short: true },
+                        ],
+                    },
+                ],
+            };
+            await fetch(options.notifySlack, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(slackPayload),
+                signal: AbortSignal.timeout(10_000),
+            });
+        }
+        catch {
+            process.stderr.write(`[Warning: Slack notification failed]\n`);
+        }
+    }
+    // H3: Exit with code 1 if the run failed and --exit-code-on-error is set
+    if (options.exitOnError && !runResult.success) {
+        process.exit(1);
+    }
+    return runResult;
+}
+/**
+ * Read all input from stdin.
+ */
+async function readStdin() {
+    // If stdin is a TTY (no pipe), resolve immediately with empty string
+    if (process.stdin.isTTY) {
+        return '';
+    }
+    const chunks = [];
+    return new Promise((resolve, reject) => {
+        // 30-second timeout for stdin reads to prevent hanging
+        const timeout = setTimeout(() => {
+            process.stdin.removeAllListeners();
+            resolve(Buffer.concat(chunks).toString('utf-8').trim());
+        }, 30_000);
+        process.stdin.on('data', chunk => chunks.push(Buffer.from(chunk)));
+        process.stdin.on('end', () => {
+            clearTimeout(timeout);
+            resolve(Buffer.concat(chunks).toString('utf-8').trim());
+        });
+        process.stdin.on('error', err => {
+            clearTimeout(timeout);
+            // On error, use whatever we've collected so far
+            if (chunks.length > 0) {
+                resolve(Buffer.concat(chunks).toString('utf-8').trim());
+            }
+            else {
+                reject(err);
+            }
+        });
+    });
+}

package/dist/src/cli/serve-auth.js

@@ -0,0 +1,56 @@
+/**
+ * HTTP Basic Auth Middleware for `nimbus serve`
+ *
+ * Provides optional HTTP Basic Authentication for the headless API server.
+ * Disabled by default for local development; enabled via `--auth user:pass`.
+ *
+ * Unauthenticated endpoints (always bypassed):
+ *   - GET /api/health
+ *   - GET /api/openapi.json
+ *   - OPTIONS (CORS preflight)
+ *
+ * @module cli/serve-auth
+ */
+// ---------------------------------------------------------------------------
+// Paths that are always public (no auth required)
+// ---------------------------------------------------------------------------
+const PUBLIC_PATHS = new Set(['/api/health', '/api/openapi.json']);
+// ---------------------------------------------------------------------------
+// Middleware Factory
+// ---------------------------------------------------------------------------
+/**
+ * Create an Elysia-compatible `onBeforeHandle` function that enforces
+ * HTTP Basic Authentication on protected endpoints.
+ *
+ * @param options - The username and password to validate against.
+ * @returns A handler that short-circuits with 401 when credentials are
+ *          missing or invalid, or `undefined` to let the request through.
+ */
+export function createAuthMiddleware(options) {
+    const expectedToken = btoa(`${options.username}:${options.password}`);
+    return ({ request, set }) => {
+        const url = new URL(request.url);
+        // Skip auth for public endpoints
+        if (PUBLIC_PATHS.has(url.pathname)) {
+            return undefined;
+        }
+        // Skip auth for CORS preflight requests
+        if (request.method === 'OPTIONS') {
+            return undefined;
+        }
+        const authHeader = request.headers.get('Authorization');
+        if (!authHeader) {
+            set.status = 401;
+            set.headers = { 'WWW-Authenticate': 'Basic realm="Nimbus API"' };
+            return { error: 'Authentication required' };
+        }
+        const [scheme, token] = authHeader.split(' ');
+        if (scheme !== 'Basic' || token !== expectedToken) {
+            set.status = 401;
+            set.headers = { 'WWW-Authenticate': 'Basic realm="Nimbus API"' };
+            return { error: 'Invalid credentials' };
+        }
+        // Credentials valid -- proceed
+        return undefined;
+    };
+}