@corbat-tech/coco 2.36.0 → 2.37.0

package/dist/cli/index.js

@@ -10,7 +10,7 @@ import { z } from 'zod';
 import * as os4 from 'os';
 import os4__default, { homedir } from 'os';
 import * as fs35 from 'fs/promises';
-import fs35__default, { mkdir, writeFile, readFile, access, readdir, rm, constants } from 'fs/promises';
+import fs35__default, { mkdir, writeFile, readFile, access, constants, readdir, rm } from 'fs/promises';
 import JSON5 from 'json5';
 import * as crypto from 'crypto';
 import { randomUUID, randomBytes, createHash } from 'crypto';
@@ -40857,9 +40857,6 @@ function getSessionStore() {
   }
   return defaultStore;
 }
-function createSessionStore(config) {
-  return new SessionStore(config);
-}
 
 // src/cli/repl/commands/resume.ts
 function formatRelativeTime2(date) {
@@ -52606,7 +52603,7 @@ var repoMapCommand = {
   }
 };
 
-// src/cli/repl/modes.ts
+// src/runtime/agent-modes.ts
 var AGENT_MODES = {
   ask: {
     id: "ask",
@@ -57374,6 +57371,39 @@ init_providers();
 
 // src/runtime/agent-runtime.ts
 init_env();
+
+// src/runtime/default-turn-runner.ts
+var DefaultRuntimeTurnRunner = class {
+  async run(input, context) {
+    const messages = [
+      ...context.session.messages,
+      {
+        role: "user",
+        content: input.content
+      }
+    ];
+    const response = await context.provider.chat(messages, {
+      model: input.options?.model,
+      maxTokens: input.options?.maxTokens,
+      temperature: input.options?.temperature,
+      stopSequences: input.options?.stopSequences,
+      system: context.session.instructions ?? input.options?.system,
+      timeout: input.options?.timeout,
+      signal: input.options?.signal,
+      thinking: input.options?.thinking
+    });
+    return {
+      sessionId: context.session.id,
+      content: response.content,
+      usage: response.usage,
+      model: response.model,
+      mode: context.session.mode
+    };
+  }
+};
+function createDefaultRuntimeTurnRunner() {
+  return new DefaultRuntimeTurnRunner();
+}
 var InMemoryEventLog = class {
   events = [];
   record(type, data = {}) {
@@ -57525,6 +57555,22 @@ var DefaultPermissionPolicy = class {
     }
     return { allowed: true, risk };
   }
+  canExecuteToolInput(mode, tool, input) {
+    if (tool.name !== "run_linter") {
+      return this.canExecuteTool(mode, tool);
+    }
+    const definition = getAgentMode(mode);
+    const fixEnabled = input["fix"] === true;
+    const decision = fixEnabled ? { allowed: true, risk: "write" } : { allowed: true, risk: "read-only" };
+    if (definition.readOnly && fixEnabled) {
+      return {
+        allowed: false,
+        reason: `${definition.label} mode is read-only; run_linter with fix=true can modify files.`,
+        risk: "write"
+      };
+    }
+    return decision;
+  }
 };
 function createPermissionPolicy() {
   return new DefaultPermissionPolicy();
@@ -57566,6 +57612,321 @@ var ProviderRegistry = class {
 function createProviderRegistry() {
   return new ProviderRegistry();
 }
+function createSessionId() {
+  return `rt_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+}
+function cloneSession(session) {
+  return structuredClone(session);
+}
+var InMemoryRuntimeSessionStore = class {
+  sessions = /* @__PURE__ */ new Map();
+  create(options = {}) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const session = {
+      id: options.id ?? createSessionId(),
+      createdAt: now,
+      updatedAt: now,
+      mode: options.mode ?? "ask",
+      messages: options.messages ? options.messages.map((message) => ({ ...message })) : [],
+      instructions: options.instructions,
+      metadata: { ...options.metadata }
+    };
+    this.sessions.set(session.id, cloneSession(session));
+    return cloneSession(session);
+  }
+  get(id) {
+    const session = this.sessions.get(id);
+    return session ? cloneSession(session) : void 0;
+  }
+  update(session) {
+    const updated = {
+      ...session,
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      messages: session.messages.map((message) => ({ ...message })),
+      metadata: { ...session.metadata }
+    };
+    this.sessions.set(updated.id, cloneSession(updated));
+    return cloneSession(updated);
+  }
+  list() {
+    return [...this.sessions.values()].map(cloneSession);
+  }
+  delete(id) {
+    return this.sessions.delete(id);
+  }
+};
+function createRuntimeSessionStore() {
+  return new InMemoryRuntimeSessionStore();
+}
+
+// src/runtime/workflow-registry.ts
+function cloneWorkflow(workflow) {
+  return {
+    ...workflow,
+    checks: [...workflow.checks],
+    steps: workflow.steps.map((step) => ({
+      ...step,
+      requiredTools: [...step.requiredTools]
+    }))
+  };
+}
+var WorkflowCatalog = class {
+  workflows = /* @__PURE__ */ new Map();
+  constructor(workflows = DEFAULT_WORKFLOWS) {
+    for (const workflow of workflows) {
+      this.register(workflow);
+    }
+  }
+  register(workflow) {
+    this.workflows.set(workflow.id, cloneWorkflow(workflow));
+  }
+  get(id) {
+    const workflow = this.workflows.get(id);
+    return workflow ? cloneWorkflow(workflow) : void 0;
+  }
+  list() {
+    return [...this.workflows.values()].map(cloneWorkflow).sort((a, b) => a.id.localeCompare(b.id));
+  }
+  createPlan(workflowId, input, eventLog) {
+    const workflow = this.get(workflowId);
+    if (!workflow) {
+      throw new Error(`Unknown workflow: ${workflowId}`);
+    }
+    const plan = {
+      id: `${workflowId}-${Date.now().toString(36)}`,
+      workflowId,
+      input,
+      status: "planned",
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    eventLog?.record("workflow.planned", {
+      workflowId,
+      planId: plan.id,
+      replayable: workflow.replayable,
+      checks: workflow.checks
+    });
+    return plan;
+  }
+};
+var DEFAULT_WORKFLOWS = [
+  {
+    id: "architect-editor-verifier",
+    name: "Architect / Editor / Verifier",
+    description: "Plan read-only, apply approved changes, then verify and summarize risks.",
+    inputSchema: "task: string; approvedPlan?: string",
+    outputKind: "patch",
+    replayable: true,
+    checks: ["pnpm check", "diff summary", "review risks"],
+    steps: [
+      {
+        id: "architect",
+        description: "Inspect context and produce a read-only implementation plan.",
+        requiredTools: ["repo_context", "read_file", "git_diff"],
+        risk: "read-only"
+      },
+      {
+        id: "editor",
+        description: "Apply the approved plan without reinterpreting the objective.",
+        requiredTools: ["read_file", "edit_file", "write_file"],
+        risk: "write"
+      },
+      {
+        id: "verifier",
+        description: "Run checks, review diff, and report residual risk.",
+        requiredTools: ["bash_exec", "git_diff", "review_code"],
+        risk: "destructive"
+      }
+    ]
+  },
+  {
+    id: "provider-diagnosis",
+    name: "Provider Diagnosis",
+    description: "Probe provider/model capabilities, endpoint strategy, credentials, and fallbacks.",
+    inputSchema: "provider?: string; model?: string; live?: boolean",
+    outputKind: "json",
+    replayable: true,
+    checks: ["provider capability matrix", "optional live probe"],
+    steps: [
+      {
+        id: "capability",
+        description: "Resolve catalog metadata and runtime endpoint strategy.",
+        requiredTools: [],
+        risk: "read-only"
+      },
+      {
+        id: "fallbacks",
+        description: "Suggest fallback provider/model choices when unsupported.",
+        requiredTools: [],
+        risk: "read-only"
+      }
+    ]
+  },
+  {
+    id: "review-pr",
+    name: "Review PR",
+    description: "Review a branch or PR read-only and emit severity-ranked findings.",
+    inputSchema: "target: string",
+    outputKind: "markdown",
+    replayable: true,
+    checks: ["git diff", "tests gap review", "security review"],
+    steps: [
+      {
+        id: "collect-diff",
+        description: "Collect PR diff and related context.",
+        requiredTools: ["git_diff", "repo_context"],
+        risk: "read-only"
+      },
+      {
+        id: "findings",
+        description: "Produce prioritized findings with file and line references.",
+        requiredTools: ["read_file", "review_code"],
+        risk: "read-only"
+      }
+    ]
+  },
+  {
+    id: "best-of-n",
+    name: "Best Of N",
+    description: "Run multiple isolated attempts, score them, and select a winning patch.",
+    inputSchema: "task: string; attempts: number",
+    outputKind: "patch",
+    replayable: true,
+    checks: ["worktree isolation", "checks pass", "diff risk score"],
+    steps: [
+      {
+        id: "fanout",
+        description: "Create isolated attempts in temporary worktrees.",
+        requiredTools: ["git_status", "bash_exec"],
+        risk: "destructive"
+      },
+      {
+        id: "score",
+        description: "Run checks and compare quality, cost, latency, and diff risk.",
+        requiredTools: ["bash_exec", "git_diff"],
+        risk: "destructive"
+      },
+      {
+        id: "apply-winner",
+        description: "Apply the winning patch only if conservative checks pass.",
+        requiredTools: ["git_diff", "edit_file"],
+        risk: "write"
+      }
+    ]
+  },
+  {
+    id: "release",
+    name: "Release",
+    description: "Follow the project release skill: changelog, version bump, PR, merge, tag, publish verify.",
+    inputSchema: "bump?: patch|minor|major",
+    outputKind: "release",
+    replayable: true,
+    checks: ["pnpm check", "PR checks", "release.yml", "npm view"],
+    steps: [
+      {
+        id: "preflight",
+        description: "Verify branch, clean tree, GitHub auth, and remote state.",
+        requiredTools: ["git_status", "bash_exec"],
+        risk: "destructive"
+      },
+      {
+        id: "version",
+        description: "Update changelog and package versions using the release skill.",
+        requiredTools: ["read_file", "edit_file", "bash_exec"],
+        risk: "destructive"
+      },
+      {
+        id: "publish",
+        description: "Merge release PR, tag main, and verify release workflow outputs.",
+        requiredTools: ["bash_exec"],
+        risk: "destructive"
+      }
+    ]
+  }
+];
+function createWorkflowCatalog(workflows) {
+  return new WorkflowCatalog(workflows);
+}
+
+// src/runtime/workflow-engine.ts
+var WorkflowEngine = class {
+  constructor(catalog = createWorkflowCatalog(), eventLog = createEventLog()) {
+    this.catalog = catalog;
+    this.eventLog = eventLog;
+  }
+  catalog;
+  eventLog;
+  handlers = /* @__PURE__ */ new Map();
+  registerHandler(workflowId, handler) {
+    if (!this.catalog.get(workflowId)) {
+      throw new Error(`Unknown workflow: ${workflowId}`);
+    }
+    this.handlers.set(workflowId, handler);
+  }
+  createPlan(workflowId, input) {
+    return this.catalog.createPlan(workflowId, input, this.eventLog);
+  }
+  async run(request) {
+    const workflow = this.catalog.get(request.workflowId);
+    if (!workflow) {
+      throw new Error(`Unknown workflow: ${request.workflowId}`);
+    }
+    const handler = this.handlers.get(request.workflowId);
+    if (!handler) {
+      throw new Error(`No handler registered for workflow: ${request.workflowId}`);
+    }
+    const plan = request.plan ?? this.createPlan(request.workflowId, request.input);
+    const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+    const runId = `${request.workflowId}-run-${Date.now().toString(36)}`;
+    this.eventLog.record("workflow.started", {
+      workflowId: request.workflowId,
+      planId: plan.id,
+      runId
+    });
+    try {
+      const output = await handler(request.input, {
+        workflow,
+        plan,
+        eventLog: this.eventLog
+      });
+      const completedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const result = {
+        id: runId,
+        workflowId: request.workflowId,
+        status: "completed",
+        output,
+        startedAt,
+        completedAt
+      };
+      this.eventLog.record("workflow.completed", {
+        workflowId: request.workflowId,
+        planId: plan.id,
+        runId
+      });
+      return result;
+    } catch (error) {
+      const completedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const message = error instanceof Error ? error.message : String(error);
+      this.eventLog.record("workflow.failed", {
+        workflowId: request.workflowId,
+        planId: plan.id,
+        runId,
+        error: message
+      });
+      return {
+        id: runId,
+        workflowId: request.workflowId,
+        status: "failed",
+        output: null,
+        startedAt,
+        completedAt,
+        error: message
+      };
+    }
+  }
+};
+function createWorkflowEngine(catalog, eventLog) {
+  return new WorkflowEngine(catalog, eventLog);
+}
 
 // src/runtime/agent-runtime.ts
 var AgentRuntime = class {
@@ -57573,9 +57934,12 @@ var AgentRuntime = class {
     this.options = options;
     this.providerRegistry = createProviderRegistry();
     this.toolRegistry = options.toolRegistry ?? createFullToolRegistry();
-    this.sessionStore = options.sessionStore ?? createSessionStore({});
-    this.permissionPolicy = options.permissionPolicy ?? createPermissionPolicy();
+    this.sessionStore = options.sessionStore;
+    this.runtimeSessionStore = options.runtimeSessionStore ?? createRuntimeSessionStore();
     this.eventLog = options.eventLog ?? (options.eventLogPath ? createFileEventLog(options.eventLogPath) : createEventLog());
+    this.workflowEngine = options.workflowEngine ?? createWorkflowEngine(void 0, this.eventLog);
+    this.permissionPolicy = options.permissionPolicy ?? createPermissionPolicy();
+    this.turnRunner = options.turnRunner ?? createDefaultRuntimeTurnRunner();
     this.providerType = options.providerType;
     this.model = options.model ?? options.providerConfig?.model ?? getDefaultModel(options.providerType);
   }
@@ -57583,16 +57947,21 @@ var AgentRuntime = class {
   providerRegistry;
   toolRegistry;
   sessionStore;
+  runtimeSessionStore;
+  workflowEngine;
   permissionPolicy;
   eventLog;
+  turnRunner;
   providerType;
   model;
+  provider;
   async initialize() {
     const providerInjected = Boolean(this.options.provider);
     const provider = this.options.provider ?? await this.providerRegistry.createProvider(this.providerType, {
       ...this.options.providerConfig,
       model: this.getModel()
     });
+    this.provider = provider;
     this.publishToGlobalBridge(provider);
     this.eventLog.record(providerInjected ? "provider.attached" : "provider.created", {
       provider: this.providerType,
@@ -57607,6 +57976,7 @@ var AgentRuntime = class {
   updateProvider(providerType, model2, provider) {
     this.providerType = providerType;
     this.model = model2 ?? getDefaultModel(providerType);
+    this.provider = provider;
     this.publishToGlobalBridge(provider);
     this.eventLog.record("provider.updated", {
       provider: this.providerType,
@@ -57634,7 +58004,276 @@ var AgentRuntime = class {
       modes: listAgentModes()
     };
   }
-  assertToolAllowed(mode, toolName) {
+  createSession(options = {}) {
+    const session = this.runtimeSessionStore.create(options);
+    this.eventLog.record("session.created", {
+      sessionId: session.id,
+      mode: session.mode,
+      metadataKeys: Object.keys(session.metadata).sort()
+    });
+    return session;
+  }
+  getSession(sessionId) {
+    return this.runtimeSessionStore.get(sessionId);
+  }
+  listSessions() {
+    return this.runtimeSessionStore.list();
+  }
+  async runTurn(input) {
+    const provider = this.provider;
+    if (!provider) {
+      throw new Error("Runtime provider is not initialized.");
+    }
+    const session = input.sessionId ? this.runtimeSessionStore.get(input.sessionId) : this.createSession({ mode: input.mode, metadata: input.metadata });
+    if (!session) {
+      throw new Error(`Runtime session not found: ${input.sessionId}`);
+    }
+    const effectiveSession = input.mode && input.mode !== session.mode ? { ...session, mode: input.mode } : session;
+    this.eventLog.record("turn.started", {
+      sessionId: effectiveSession.id,
+      provider: this.providerType,
+      model: this.getModel(),
+      mode: effectiveSession.mode,
+      runtimeApi: true
+    });
+    try {
+      const result = await this.turnRunner.run(input, {
+        runtime: this,
+        session: effectiveSession,
+        provider,
+        toolRegistry: this.toolRegistry,
+        permissionPolicy: this.permissionPolicy,
+        eventLog: this.eventLog
+      });
+      const updatedSession = this.runtimeSessionStore.update({
+        ...effectiveSession,
+        messages: [
+          ...effectiveSession.messages,
+          { role: "user", content: input.content },
+          { role: "assistant", content: result.content }
+        ]
+      });
+      this.eventLog.record("session.updated", {
+        sessionId: updatedSession.id,
+        messages: updatedSession.messages.length
+      });
+      this.eventLog.record("turn.completed", {
+        sessionId: updatedSession.id,
+        inputTokens: result.usage.inputTokens,
+        outputTokens: result.usage.outputTokens,
+        model: result.model,
+        runtimeApi: true
+      });
+      return { ...result, sessionId: updatedSession.id, mode: updatedSession.mode };
+    } catch (error) {
+      this.eventLog.record("turn.failed", {
+        sessionId: effectiveSession.id,
+        error: error instanceof Error ? error.message : String(error),
+        runtimeApi: true
+      });
+      throw error;
+    }
+  }
+  async *streamTurn(input) {
+    const provider = this.provider;
+    if (!provider) {
+      throw new Error("Runtime provider is not initialized.");
+    }
+    const session = input.sessionId ? this.runtimeSessionStore.get(input.sessionId) : this.createSession({ mode: input.mode, metadata: input.metadata });
+    if (!session) {
+      throw new Error(`Runtime session not found: ${input.sessionId}`);
+    }
+    const effectiveSession = input.mode && input.mode !== session.mode ? { ...session, mode: input.mode } : session;
+    const messages = [
+      ...effectiveSession.messages,
+      {
+        role: "user",
+        content: input.content
+      }
+    ];
+    this.eventLog.record("turn.started", {
+      sessionId: effectiveSession.id,
+      provider: this.providerType,
+      model: this.getModel(),
+      mode: effectiveSession.mode,
+      streaming: true,
+      runtimeApi: true
+    });
+    let content = "";
+    let completed = false;
+    let failed = false;
+    try {
+      for await (const chunk of provider.stream(messages, {
+        model: input.options?.model,
+        maxTokens: input.options?.maxTokens,
+        temperature: input.options?.temperature,
+        stopSequences: input.options?.stopSequences,
+        system: effectiveSession.instructions ?? input.options?.system,
+        timeout: input.options?.timeout,
+        signal: input.options?.signal,
+        thinking: input.options?.thinking
+      })) {
+        if (chunk.type === "text" && chunk.text) {
+          content += chunk.text;
+          yield {
+            type: "text",
+            sessionId: effectiveSession.id,
+            text: chunk.text
+          };
+        }
+      }
+      const updatedSession = this.runtimeSessionStore.update({
+        ...effectiveSession,
+        messages: [
+          ...effectiveSession.messages,
+          { role: "user", content: input.content },
+          { role: "assistant", content }
+        ]
+      });
+      const result = {
+        sessionId: updatedSession.id,
+        content,
+        usage: {
+          inputTokens: provider.countTokens(input.content),
+          outputTokens: provider.countTokens(content),
+          estimated: true
+        },
+        model: input.options?.model ?? this.getModel(),
+        mode: updatedSession.mode
+      };
+      this.eventLog.record("session.updated", {
+        sessionId: updatedSession.id,
+        messages: updatedSession.messages.length
+      });
+      this.eventLog.record("turn.completed", {
+        sessionId: updatedSession.id,
+        inputTokens: result.usage.inputTokens,
+        outputTokens: result.usage.outputTokens,
+        model: result.model,
+        streaming: true,
+        runtimeApi: true
+      });
+      completed = true;
+      yield { type: "done", sessionId: updatedSession.id, result };
+    } catch (error) {
+      failed = true;
+      const message = error instanceof Error ? error.message : String(error);
+      this.eventLog.record("turn.failed", {
+        sessionId: effectiveSession.id,
+        error: message,
+        streaming: true,
+        runtimeApi: true
+      });
+      yield {
+        type: "error",
+        sessionId: effectiveSession.id,
+        error: message
+      };
+    } finally {
+      if (!completed && !failed) {
+        this.eventLog.record("turn.cancelled", {
+          sessionId: effectiveSession.id,
+          outputTokens: provider.countTokens(content),
+          streaming: true,
+          runtimeApi: true
+        });
+      }
+    }
+  }
+  async executeTool(input) {
+    const startedAt = performance.now();
+    const session = input.sessionId ? this.getSession(input.sessionId) : void 0;
+    if (input.sessionId && !session) {
+      const decision2 = {
+        allowed: false,
+        reason: `Runtime session not found: ${input.sessionId}`,
+        risk: "read-only"
+      };
+      this.eventLog.record("tool.blocked", {
+        sessionId: input.sessionId,
+        mode: input.mode ?? "ask",
+        tool: input.toolName,
+        reason: decision2.reason,
+        runtimeApi: true
+      });
+      return {
+        toolName: input.toolName,
+        success: false,
+        error: decision2.reason,
+        duration: performance.now() - startedAt,
+        decision: decision2
+      };
+    }
+    const mode = input.mode ?? session?.mode ?? "ask";
+    const tool = this.toolRegistry.get(input.toolName);
+    if (!tool) {
+      const decision2 = {
+        allowed: false,
+        reason: "Tool not registered.",
+        risk: "read-only"
+      };
+      this.eventLog.record("tool.blocked", {
+        sessionId: input.sessionId,
+        mode,
+        tool: input.toolName,
+        reason: decision2.reason,
+        runtimeApi: true
+      });
+      return {
+        toolName: input.toolName,
+        success: false,
+        error: decision2.reason,
+        duration: performance.now() - startedAt,
+        decision: decision2
+      };
+    }
+    const decision = this.permissionPolicy.canExecuteToolInput ? this.permissionPolicy.canExecuteToolInput(mode, tool, input.input) : this.permissionPolicy.canExecuteTool(mode, tool);
+    if (!decision.allowed || decision.requiresConfirmation && input.confirmed !== true) {
+      const reason = decision.reason ?? (decision.requiresConfirmation ? "Tool requires explicit runtime confirmation." : "Tool is not allowed.");
+      this.eventLog.record("tool.blocked", {
+        sessionId: input.sessionId,
+        mode,
+        tool: input.toolName,
+        reason,
+        risk: decision.risk,
+        requiresConfirmation: decision.requiresConfirmation,
+        runtimeApi: true
+      });
+      return {
+        toolName: input.toolName,
+        success: false,
+        error: reason,
+        duration: performance.now() - startedAt,
+        decision
+      };
+    }
+    this.eventLog.record("tool.started", {
+      sessionId: input.sessionId,
+      mode,
+      tool: input.toolName,
+      risk: decision.risk,
+      runtimeApi: true,
+      metadataKeys: Object.keys(input.metadata ?? {}).sort()
+    });
+    const result = await this.toolRegistry.execute(input.toolName, input.input);
+    this.eventLog.record("tool.completed", {
+      sessionId: input.sessionId,
+      mode,
+      tool: input.toolName,
+      success: result.success,
+      duration: result.duration,
+      runtimeApi: true
+    });
+    return {
+      toolName: input.toolName,
+      success: result.success,
+      output: result.data,
+      error: result.error,
+      duration: result.duration,
+      decision
+    };
+  }
+  assertToolAllowed(mode, toolName, input) {
     const tool = this.toolRegistry.get(toolName);
     if (!tool) {
       this.eventLog.record("tool.blocked", {
@@ -57644,7 +58283,7 @@ var AgentRuntime = class {
       });
       return false;
     }
-    const decision = this.permissionPolicy.canExecuteTool(mode, tool);
+    const decision = input && this.permissionPolicy.canExecuteToolInput ? this.permissionPolicy.canExecuteToolInput(mode, tool, input) : this.permissionPolicy.canExecuteTool(mode, tool);
     this.eventLog.record(decision.allowed ? "tool.allowed" : "tool.blocked", {
       mode,
       tool: toolName,