@deftai/directive-content 0.55.2 → 0.56.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (217)
  1. package/.githooks/pre-commit +143 -0
  2. package/.githooks/pre-push +121 -0
  3. package/QUICK-START.md +2 -2
  4. package/Taskfile.yml +934 -0
  5. package/UPGRADING.md +47 -1
  6. package/events/README.md +3 -3
  7. package/package.json +5 -4
  8. package/scripts/_agents_md.py +494 -0
  9. package/scripts/_cache_fetch.py +635 -0
  10. package/scripts/_cache_quota.py +529 -0
  11. package/scripts/_cache_refresh.py +163 -0
  12. package/scripts/_cache_validate.py +209 -0
  13. package/scripts/_content_root.py +42 -0
  14. package/scripts/_doctor_state.py +277 -0
  15. package/scripts/_event_detect.py +305 -0
  16. package/scripts/_events.py +514 -0
  17. package/scripts/_lifecycle_hygiene.py +568 -0
  18. package/scripts/_pathspec.py +91 -0
  19. package/scripts/_policy_show_cli.py +266 -0
  20. package/scripts/_precutover.py +92 -0
  21. package/scripts/_project_context.py +224 -0
  22. package/scripts/_project_definition_io.py +164 -0
  23. package/scripts/_relocate_snapshot.py +209 -0
  24. package/scripts/_relocate_states.py +343 -0
  25. package/scripts/_resolve_preflight_path.py +152 -0
  26. package/scripts/_safe_subprocess.py +167 -0
  27. package/scripts/_session_start_hook.py +205 -0
  28. package/scripts/_sor_gate_diff.py +365 -0
  29. package/scripts/_stdio_utf8.py +59 -0
  30. package/scripts/_triage_bootstrap_gitignore.py +904 -0
  31. package/scripts/_triage_classify_cli.py +122 -0
  32. package/scripts/_triage_queue_cli.py +625 -0
  33. package/scripts/_triage_scope_cli.py +343 -0
  34. package/scripts/_triage_scope_drift_cli.py +121 -0
  35. package/scripts/_triage_scope_ignores.py +286 -0
  36. package/scripts/_triage_scope_milestone.py +432 -0
  37. package/scripts/_triage_scope_mutations.py +337 -0
  38. package/scripts/_triage_scope_renderers.py +207 -0
  39. package/scripts/_triage_smoketest_stages.py +674 -0
  40. package/scripts/_triage_subscribe_cli.py +140 -0
  41. package/scripts/_triage_welcome_cli.py +421 -0
  42. package/scripts/_vbrief_build.py +239 -0
  43. package/scripts/_vbrief_fidelity.py +479 -0
  44. package/scripts/_vbrief_legacy.py +589 -0
  45. package/scripts/_vbrief_reconciliation.py +883 -0
  46. package/scripts/_vbrief_routing.py +277 -0
  47. package/scripts/_vbrief_safety.py +778 -0
  48. package/scripts/_vbrief_sources.py +312 -0
  49. package/scripts/_vbrief_speckit.py +262 -0
  50. package/scripts/_vbrief_story_quality.py +353 -0
  51. package/scripts/_vbrief_validation.py +299 -0
  52. package/scripts/build_dist.py +412 -0
  53. package/scripts/cache.py +1078 -0
  54. package/scripts/cache_scanner.py +745 -0
  55. package/scripts/candidates_log.py +432 -0
  56. package/scripts/capacity_backfill.py +680 -0
  57. package/scripts/capacity_show.py +653 -0
  58. package/scripts/ci_local.py +689 -0
  59. package/scripts/code_structure_validate.py +765 -0
  60. package/scripts/codebase_default_extractor.py +495 -0
  61. package/scripts/codebase_map.py +304 -0
  62. package/scripts/codebase_map_fresh.py +104 -0
  63. package/scripts/codebase_projection_registry.py +94 -0
  64. package/scripts/codebase_provider.py +582 -0
  65. package/scripts/doctor.py +2257 -0
  66. package/scripts/framework_commands.py +505 -0
  67. package/scripts/gh_rest.py +882 -0
  68. package/scripts/github_auth_modes.py +437 -0
  69. package/scripts/github_body.py +292 -0
  70. package/scripts/ip_risk.py +531 -0
  71. package/scripts/issue_emit.py +670 -0
  72. package/scripts/issue_ingest.py +1064 -0
  73. package/scripts/migrate_preflight.py +418 -0
  74. package/scripts/migrate_vbrief.py +2677 -0
  75. package/scripts/monitor_pr.py +401 -0
  76. package/scripts/pack_migrate_lessons.py +336 -0
  77. package/scripts/pack_migrate_patterns.py +254 -0
  78. package/scripts/pack_migrate_rules.py +350 -0
  79. package/scripts/pack_migrate_skills.py +423 -0
  80. package/scripts/pack_migrate_strategies.py +311 -0
  81. package/scripts/pack_migrate_swarm_spec.py +250 -0
  82. package/scripts/pack_render.py +434 -0
  83. package/scripts/packs_slice.py +712 -0
  84. package/scripts/platform_capabilities.py +336 -0
  85. package/scripts/policy.py +2826 -0
  86. package/scripts/policy_set.py +324 -0
  87. package/scripts/pr_check_closing_keywords.py +524 -0
  88. package/scripts/pr_check_protected_issues.py +267 -0
  89. package/scripts/pr_merge_readiness.py +1004 -0
  90. package/scripts/pr_wait_mergeable.py +669 -0
  91. package/scripts/prd_render.py +159 -0
  92. package/scripts/preflight_architecture_sor.py +974 -0
  93. package/scripts/preflight_branch.py +289 -0
  94. package/scripts/preflight_cache.py +974 -0
  95. package/scripts/preflight_gh.py +721 -0
  96. package/scripts/preflight_implementation.py +272 -0
  97. package/scripts/preflight_story_start.py +838 -0
  98. package/scripts/preflight_wip_cap.py +149 -0
  99. package/scripts/probe_session.py +545 -0
  100. package/scripts/project_render.py +293 -0
  101. package/scripts/quarantine_ext.py +237 -0
  102. package/scripts/reconcile_issues.py +1442 -0
  103. package/scripts/refresh-path.ps1 +107 -0
  104. package/scripts/release.py +2030 -0
  105. package/scripts/release_e2e.py +1011 -0
  106. package/scripts/release_publish.py +486 -0
  107. package/scripts/release_rollback.py +980 -0
  108. package/scripts/relocate.py +1034 -0
  109. package/scripts/resolve_changelog_unreleased.py +667 -0
  110. package/scripts/resolve_version.py +490 -0
  111. package/scripts/resume_conditions.py +706 -0
  112. package/scripts/ritual_sentinel.py +609 -0
  113. package/scripts/roadmap_render.py +635 -0
  114. package/scripts/rule_ownership_lint.py +325 -0
  115. package/scripts/scm.py +591 -0
  116. package/scripts/scope_audit_log.py +387 -0
  117. package/scripts/scope_decompose.py +654 -0
  118. package/scripts/scope_demote.py +509 -0
  119. package/scripts/scope_lifecycle.py +1126 -0
  120. package/scripts/scope_undo.py +772 -0
  121. package/scripts/session_start.py +406 -0
  122. package/scripts/setup_ghx.py +339 -0
  123. package/scripts/setup_windows.ps1 +220 -0
  124. package/scripts/slice_audit.py +585 -0
  125. package/scripts/slice_record.py +530 -0
  126. package/scripts/slice_record_existing.py +692 -0
  127. package/scripts/slug_normalize.py +178 -0
  128. package/scripts/spec_render.py +477 -0
  129. package/scripts/spec_validate.py +238 -0
  130. package/scripts/subagent_monitor.py +658 -0
  131. package/scripts/swarm_complete_cohort.py +644 -0
  132. package/scripts/swarm_launch.py +1206 -0
  133. package/scripts/swarm_readiness.py +554 -0
  134. package/scripts/swarm_verify_review_clean.py +438 -0
  135. package/scripts/swarm_worktrees.py +497 -0
  136. package/scripts/toolchain-check.py +52 -0
  137. package/scripts/triage_actions.py +871 -0
  138. package/scripts/triage_bootstrap.py +1153 -0
  139. package/scripts/triage_bulk.py +630 -0
  140. package/scripts/triage_classify.py +932 -0
  141. package/scripts/triage_help.py +1685 -0
  142. package/scripts/triage_queue.py +1944 -0
  143. package/scripts/triage_reconcile.py +581 -0
  144. package/scripts/triage_refresh.py +643 -0
  145. package/scripts/triage_scope.py +999 -0
  146. package/scripts/triage_scope_drift.py +575 -0
  147. package/scripts/triage_smoketest.py +396 -0
  148. package/scripts/triage_subscribe.py +399 -0
  149. package/scripts/triage_summary.py +1011 -0
  150. package/scripts/triage_welcome.py +1178 -0
  151. package/scripts/ts_check_lane.py +86 -0
  152. package/scripts/validate-links.py +64 -0
  153. package/scripts/validate_strategy_output.py +212 -0
  154. package/scripts/vbrief_activate.py +228 -0
  155. package/scripts/vbrief_migrate_conformance.py +368 -0
  156. package/scripts/vbrief_reconcile_graph.py +306 -0
  157. package/scripts/vbrief_reconcile_labels.py +460 -0
  158. package/scripts/vbrief_reconcile_umbrellas.py +741 -0
  159. package/scripts/vbrief_validate.py +1195 -0
  160. package/scripts/verify-stubs.py +61 -0
  161. package/scripts/verify_capacity.py +160 -0
  162. package/scripts/verify_encoding.py +699 -0
  163. package/scripts/verify_hooks_installed.py +206 -0
  164. package/scripts/verify_investigation.py +360 -0
  165. package/scripts/verify_judgment_gates.py +827 -0
  166. package/scripts/verify_no_task_runtime.py +171 -0
  167. package/scripts/verify_scm_boundary.py +509 -0
  168. package/scripts/verify_session_ritual.py +389 -0
  169. package/scripts/verify_tools.py +426 -0
  170. package/scripts/verify_vbrief_conformance.py +478 -0
  171. package/tasks/architecture.yml +13 -0
  172. package/tasks/cache.yml +69 -0
  173. package/tasks/capacity.yml +38 -0
  174. package/tasks/change.yml +46 -0
  175. package/tasks/changelog.yml +24 -0
  176. package/tasks/ci.yml +49 -0
  177. package/tasks/codebase.yml +47 -0
  178. package/tasks/commit.yml +30 -0
  179. package/tasks/core.yml +126 -0
  180. package/tasks/deployments.yml +54 -0
  181. package/tasks/framework.yml +74 -0
  182. package/tasks/install.yml +60 -0
  183. package/tasks/issue.yml +50 -0
  184. package/tasks/migrate.yml +73 -0
  185. package/tasks/packs.yml +92 -0
  186. package/tasks/policy.yml +75 -0
  187. package/tasks/pr.yml +89 -0
  188. package/tasks/prd.yml +39 -0
  189. package/tasks/project.yml +27 -0
  190. package/tasks/reconcile.yml +32 -0
  191. package/tasks/relocate.yml +56 -0
  192. package/tasks/roadmap.yml +28 -0
  193. package/tasks/scm.yml +126 -0
  194. package/tasks/scope-undo.yml +36 -0
  195. package/tasks/scope.yml +141 -0
  196. package/tasks/session.yml +19 -0
  197. package/tasks/setup.yml +37 -0
  198. package/tasks/slice.yml +69 -0
  199. package/tasks/spec.yml +41 -0
  200. package/tasks/swarm.yml +85 -0
  201. package/tasks/toolchain.yml +13 -0
  202. package/tasks/triage-actions.yml +94 -0
  203. package/tasks/triage-bootstrap.yml +43 -0
  204. package/tasks/triage-bulk.yml +75 -0
  205. package/tasks/triage-classify.yml +30 -0
  206. package/tasks/triage-queue.yml +50 -0
  207. package/tasks/triage-reconcile.yml +29 -0
  208. package/tasks/triage-scope-drift.yml +29 -0
  209. package/tasks/triage-scope.yml +31 -0
  210. package/tasks/triage-smoketest.yml +33 -0
  211. package/tasks/triage-subscribe.yml +36 -0
  212. package/tasks/triage-summary.yml +29 -0
  213. package/tasks/triage-welcome.yml +32 -0
  214. package/tasks/ts.yml +328 -0
  215. package/tasks/vbrief.yml +206 -0
  216. package/tasks/verify.yml +292 -0
  217. package/templates/agents-entry.md +1 -1
@@ -0,0 +1,437 @@
1
+ #!/usr/bin/env python3
2
+ """github_auth_modes.py -- worker-environment GitHub auth validation (#1557b).
3
+
4
+ Validates ``host-gh`` versus ``injected-token`` credential modes from the
5
+ same execution envelope that will perform GitHub operations. Consumes the
6
+ read-only runtime probe from :mod:`platform_capabilities` to classify the
7
+ worker sandbox and attach remediation when parent host auth can succeed
8
+ while the worker environment cannot.
9
+
10
+ Modes:
11
+
12
+ - ``injected-token`` -- require ``GH_TOKEN`` / ``GITHUB_TOKEN`` (or
13
+ enterprise equivalents). Fail closed when missing; never fall back to
14
+ host ``gh`` credential store state.
15
+ - ``host-gh`` -- permit host ``gh`` auth after ``gh auth status`` and a
16
+ minimal GitHub API reachability check succeed from the worker environment.
17
+ """
18
+
19
+ from __future__ import annotations
20
+
21
+ import argparse
22
+ import json
23
+ import os
24
+ import sys
25
+ from collections.abc import Callable, Mapping, Sequence
26
+ from dataclasses import dataclass
27
+ from pathlib import Path
28
+ from typing import Any
29
+
30
+ sys.path.insert(0, str(Path(__file__).resolve().parent))
31
+
32
+ from _safe_subprocess import run_text # noqa: E402
33
+ from _stdio_utf8 import reconfigure_stdio # noqa: E402
34
+ from platform_capabilities import ( # noqa: E402
35
+ RUNTIME_MODE_CLOUD_HEADLESS,
36
+ RUNTIME_MODE_CURSOR_NATIVE_SANDBOX,
37
+ RuntimeCapabilityReport,
38
+ get_platform_capabilities,
39
+ probe_runtime_capabilities,
40
+ )
41
+
42
+ reconfigure_stdio()
43
+
44
+ GITHUB_AUTH_MODE_INJECTED_TOKEN = "injected-token"
45
+ GITHUB_AUTH_MODE_HOST_GH = "host-gh"
46
+
47
+ KNOWN_GITHUB_AUTH_MODES: frozenset[str] = frozenset(
48
+ {
49
+ GITHUB_AUTH_MODE_INJECTED_TOKEN,
50
+ GITHUB_AUTH_MODE_HOST_GH,
51
+ }
52
+ )
53
+
54
+ _INJECTED_TOKEN_ENV_VARS: tuple[str, ...] = (
55
+ "GH_TOKEN",
56
+ "GITHUB_TOKEN",
57
+ "GH_ENTERPRISE_TOKEN",
58
+ )
59
+
60
+ DEFAULT_VALIDATION_REPO = "deftai/directive"
61
+
62
+ FAILURE_MISSING_INJECTED_TOKEN = "missing_injected_token"
63
+ FAILURE_GH_AUTH = "gh_auth_failed"
64
+ FAILURE_API_UNREACHABLE = "api_unreachable"
65
+ FAILURE_REPO_ACCESS = "repo_access_denied"
66
+ FAILURE_INVALID_MODE = "invalid_auth_mode"
67
+
68
+ _SANDBOX_REMEDIATION = (
69
+ "Remediation options for worker sandbox GitHub auth failures:\n"
70
+ " - Run the GitHub step with full-access execution\n"
71
+ " - Allowlist the trusted gh command path for the worker sandbox\n"
72
+ " - Use injected-token handoff (keep token values out of prompts and "
73
+ "transcripts)"
74
+ )
75
+
76
+ _REPO_ACCESS_REMEDIATION = (
77
+ "Remediation options for repo-access failures:\n"
78
+ " - Confirm the worker credential can read the target repository\n"
79
+ " - Run the GitHub step with full-access execution if host gh has access\n"
80
+ " - Use injected-token handoff scoped to the required repository"
81
+ )
82
+
83
+ GhRunner = Callable[[Sequence[str], Mapping[str, str] | None], Any]
84
+
85
+
86
+ @dataclass(frozen=True)
87
+ class GitHubAuthValidationResult:
88
+ """Outcome of validating a worker's GitHub credential mode."""
89
+
90
+ ok: bool
91
+ github_auth_mode: str
92
+ runtime_mode: str | None
93
+ failure_kind: str | None
94
+ detail: str
95
+ remediation: str | None = None
96
+ login: str | None = None
97
+
98
+ def to_dict(self) -> dict[str, Any]:
99
+ return {
100
+ "ok": self.ok,
101
+ "github_auth_mode": self.github_auth_mode,
102
+ "runtime_mode": self.runtime_mode,
103
+ "failure_kind": self.failure_kind,
104
+ "detail": self.detail,
105
+ "remediation": self.remediation,
106
+ "login": self.login,
107
+ }
108
+
109
+
110
+ def find_injected_token(environ: Mapping[str, str]) -> str | None:
111
+ """Return the first non-empty injected token env var, if any."""
112
+ for name in _INJECTED_TOKEN_ENV_VARS:
113
+ value = environ.get(name, "").strip()
114
+ if value:
115
+ return value
116
+ return None
117
+
118
+
119
+ def infer_github_auth_mode(runtime_report: RuntimeCapabilityReport) -> str:
120
+ """Suggest an auth mode from runtime capability probe output."""
121
+ if runtime_report.runtime_mode == RUNTIME_MODE_CLOUD_HEADLESS:
122
+ return GITHUB_AUTH_MODE_INJECTED_TOKEN
123
+ return GITHUB_AUTH_MODE_HOST_GH
124
+
125
+
126
+ def _default_run_gh(
127
+ args: Sequence[str],
128
+ environ: Mapping[str, str] | None,
129
+ ) -> Any:
130
+ env = dict(os.environ if environ is None else environ)
131
+ return run_text(["gh", *args], env=env)
132
+
133
+
134
+ def _split_repo(repo: str) -> tuple[str, str]:
135
+ owner, _, name = repo.strip().partition("/")
136
+ if not owner or not name:
137
+ msg = f"invalid repository slug: {repo!r} (expected owner/repo)"
138
+ raise ValueError(msg)
139
+ return owner, name
140
+
141
+
142
+ def _sandbox_remediation(runtime_mode: str | None, failure_kind: str) -> str | None:
143
+ if runtime_mode != RUNTIME_MODE_CURSOR_NATIVE_SANDBOX:
144
+ return None
145
+ if failure_kind in {
146
+ FAILURE_GH_AUTH,
147
+ FAILURE_API_UNREACHABLE,
148
+ FAILURE_REPO_ACCESS,
149
+ }:
150
+ return _SANDBOX_REMEDIATION
151
+ return None
152
+
153
+
154
+ def _repo_access_remediation(failure_kind: str) -> str | None:
155
+ if failure_kind == FAILURE_REPO_ACCESS:
156
+ return _REPO_ACCESS_REMEDIATION
157
+ return None
158
+
159
+
160
+ def _merge_remediation(
161
+ runtime_mode: str | None,
162
+ failure_kind: str,
163
+ ) -> str | None:
164
+ parts: list[str] = []
165
+ sandbox = _sandbox_remediation(runtime_mode, failure_kind)
166
+ if sandbox:
167
+ parts.append(sandbox)
168
+ repo = _repo_access_remediation(failure_kind)
169
+ if repo and repo not in parts:
170
+ parts.append(repo)
171
+ if not parts:
172
+ return None
173
+ return "\n\n".join(parts)
174
+
175
+
176
+ def _parse_login(stdout: str) -> str | None:
177
+ text = stdout.strip()
178
+ if not text:
179
+ return None
180
+ try:
181
+ payload = json.loads(text)
182
+ except json.JSONDecodeError:
183
+ return text
184
+ if isinstance(payload, str) and payload:
185
+ return payload
186
+ if isinstance(payload, dict):
187
+ login = payload.get("login")
188
+ if isinstance(login, str) and login:
189
+ return login
190
+ return None
191
+
192
+
193
+ def validate_injected_token_mode(
194
+ environ: Mapping[str, str],
195
+ *,
196
+ repo: str = DEFAULT_VALIDATION_REPO,
197
+ runtime_mode: str | None = None,
198
+ run_gh: GhRunner | None = None,
199
+ ) -> GitHubAuthValidationResult:
200
+ """Validate injected-token mode without falling back to host gh state."""
201
+ runner = _default_run_gh if run_gh is None else run_gh
202
+ token = find_injected_token(environ)
203
+ if token is None:
204
+ return GitHubAuthValidationResult(
205
+ ok=False,
206
+ github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
207
+ runtime_mode=runtime_mode,
208
+ failure_kind=FAILURE_MISSING_INJECTED_TOKEN,
209
+ detail=(
210
+ "injected-token mode requires GH_TOKEN, GITHUB_TOKEN, or "
211
+ "GH_ENTERPRISE_TOKEN; host gh credential store is not used"
212
+ ),
213
+ )
214
+
215
+ auth_status = runner(["auth", "status"], environ)
216
+ if auth_status.returncode != 0:
217
+ return GitHubAuthValidationResult(
218
+ ok=False,
219
+ github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
220
+ runtime_mode=runtime_mode,
221
+ failure_kind=FAILURE_GH_AUTH,
222
+ detail="injected token present but gh auth status failed in worker",
223
+ remediation=_merge_remediation(runtime_mode, FAILURE_GH_AUTH),
224
+ )
225
+
226
+ user_api = runner(["api", "user", "--jq", ".login"], environ)
227
+ if user_api.returncode != 0:
228
+ return GitHubAuthValidationResult(
229
+ ok=False,
230
+ github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
231
+ runtime_mode=runtime_mode,
232
+ failure_kind=FAILURE_API_UNREACHABLE,
233
+ detail="injected token present but GitHub API is unreachable",
234
+ remediation=_merge_remediation(runtime_mode, FAILURE_API_UNREACHABLE),
235
+ )
236
+
237
+ login = _parse_login(user_api.stdout)
238
+ owner, name = _split_repo(repo)
239
+ repo_api = runner(["api", f"repos/{owner}/{name}"], environ)
240
+ if repo_api.returncode != 0:
241
+ return GitHubAuthValidationResult(
242
+ ok=False,
243
+ github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
244
+ runtime_mode=runtime_mode,
245
+ failure_kind=FAILURE_REPO_ACCESS,
246
+ detail=f"injected token can reach GitHub API but cannot access {repo}",
247
+ remediation=_merge_remediation(runtime_mode, FAILURE_REPO_ACCESS),
248
+ login=login,
249
+ )
250
+
251
+ return GitHubAuthValidationResult(
252
+ ok=True,
253
+ github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
254
+ runtime_mode=runtime_mode,
255
+ failure_kind=None,
256
+ detail="injected-token mode validated in worker environment",
257
+ login=login,
258
+ )
259
+
260
+
261
+ def validate_host_gh_mode(
262
+ environ: Mapping[str, str],
263
+ *,
264
+ repo: str = DEFAULT_VALIDATION_REPO,
265
+ runtime_mode: str | None = None,
266
+ run_gh: GhRunner | None = None,
267
+ ) -> GitHubAuthValidationResult:
268
+ """Validate host-gh mode from the worker execution environment."""
269
+ runner = _default_run_gh if run_gh is None else run_gh
270
+
271
+ auth_status = runner(["auth", "status"], environ)
272
+ if auth_status.returncode != 0:
273
+ return GitHubAuthValidationResult(
274
+ ok=False,
275
+ github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
276
+ runtime_mode=runtime_mode,
277
+ failure_kind=FAILURE_GH_AUTH,
278
+ detail="gh auth status failed in worker environment",
279
+ remediation=_merge_remediation(runtime_mode, FAILURE_GH_AUTH),
280
+ )
281
+
282
+ user_api = runner(["api", "user", "--jq", ".login"], environ)
283
+ if user_api.returncode != 0:
284
+ return GitHubAuthValidationResult(
285
+ ok=False,
286
+ github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
287
+ runtime_mode=runtime_mode,
288
+ failure_kind=FAILURE_API_UNREACHABLE,
289
+ detail="gh auth status passed but GitHub API is unreachable",
290
+ remediation=_merge_remediation(runtime_mode, FAILURE_API_UNREACHABLE),
291
+ )
292
+
293
+ owner, name = _split_repo(repo)
294
+ repo_api = runner(["api", f"repos/{owner}/{name}"], environ)
295
+ if repo_api.returncode != 0:
296
+ return GitHubAuthValidationResult(
297
+ ok=False,
298
+ github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
299
+ runtime_mode=runtime_mode,
300
+ failure_kind=FAILURE_REPO_ACCESS,
301
+ detail=f"GitHub API reachable but repository access failed for {repo}",
302
+ remediation=_merge_remediation(runtime_mode, FAILURE_REPO_ACCESS),
303
+ login=_parse_login(user_api.stdout),
304
+ )
305
+
306
+ return GitHubAuthValidationResult(
307
+ ok=True,
308
+ github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
309
+ runtime_mode=runtime_mode,
310
+ failure_kind=None,
311
+ detail="host-gh mode validated in worker environment",
312
+ login=_parse_login(user_api.stdout),
313
+ )
314
+
315
+
316
+ def validate_github_auth(
317
+ github_auth_mode: str,
318
+ *,
319
+ environ: Mapping[str, str] | None = None,
320
+ runtime_report: RuntimeCapabilityReport | None = None,
321
+ repo: str = DEFAULT_VALIDATION_REPO,
322
+ run_gh: GhRunner | None = None,
323
+ ) -> GitHubAuthValidationResult:
324
+ """Validate the requested GitHub auth mode for the worker environment."""
325
+ env = dict(os.environ if environ is None else environ)
326
+ runtime_mode = None if runtime_report is None else runtime_report.runtime_mode
327
+
328
+ if github_auth_mode not in KNOWN_GITHUB_AUTH_MODES:
329
+ return GitHubAuthValidationResult(
330
+ ok=False,
331
+ github_auth_mode=github_auth_mode,
332
+ runtime_mode=runtime_mode,
333
+ failure_kind=FAILURE_INVALID_MODE,
334
+ detail=(
335
+ f"unknown github_auth_mode {github_auth_mode!r}; "
336
+ f"expected one of {sorted(KNOWN_GITHUB_AUTH_MODES)}"
337
+ ),
338
+ )
339
+
340
+ if github_auth_mode == GITHUB_AUTH_MODE_INJECTED_TOKEN:
341
+ return validate_injected_token_mode(
342
+ env,
343
+ repo=repo,
344
+ runtime_mode=runtime_mode,
345
+ run_gh=run_gh,
346
+ )
347
+ return validate_host_gh_mode(
348
+ env,
349
+ repo=repo,
350
+ runtime_mode=runtime_mode,
351
+ run_gh=run_gh,
352
+ )
353
+
354
+
355
+ def validate_github_auth_for_worker(
356
+ github_auth_mode: str | None = None,
357
+ *,
358
+ environ: Mapping[str, str] | None = None,
359
+ runtime_report: RuntimeCapabilityReport | None = None,
360
+ repo: str = DEFAULT_VALIDATION_REPO,
361
+ run_gh: GhRunner | None = None,
362
+ ) -> GitHubAuthValidationResult:
363
+ """Probe runtime (when needed) and validate the worker auth mode."""
364
+ report = (
365
+ get_platform_capabilities()
366
+ if runtime_report is None
367
+ else runtime_report
368
+ )
369
+ mode = infer_github_auth_mode(report) if github_auth_mode is None else github_auth_mode
370
+ return validate_github_auth(
371
+ mode,
372
+ environ=environ,
373
+ runtime_report=report,
374
+ repo=repo,
375
+ run_gh=run_gh,
376
+ )
377
+
378
+
379
+ def main(argv: Sequence[str] | None = None) -> int:
380
+ parser = argparse.ArgumentParser(
381
+ description="Validate GitHub auth mode inside the worker environment (#1557b)."
382
+ )
383
+ parser.add_argument(
384
+ "--github-auth-mode",
385
+ choices=sorted(KNOWN_GITHUB_AUTH_MODES),
386
+ help="Credential mode to validate (default: infer from runtime probe).",
387
+ )
388
+ parser.add_argument(
389
+ "--repo",
390
+ default=DEFAULT_VALIDATION_REPO,
391
+ help=f"Repository slug for host-gh repo-access check (default: {DEFAULT_VALIDATION_REPO}).",
392
+ )
393
+ parser.add_argument(
394
+ "--json",
395
+ action="store_true",
396
+ help="Emit structured JSON on stdout.",
397
+ )
398
+ args = parser.parse_args(list(argv) if argv is not None else None)
399
+
400
+ result = validate_github_auth_for_worker(
401
+ args.github_auth_mode,
402
+ repo=args.repo,
403
+ )
404
+ if args.json:
405
+ print(json.dumps(result.to_dict(), indent=2, sort_keys=True))
406
+ else:
407
+ status = "ok" if result.ok else "failed"
408
+ print(f"github_auth_mode={result.github_auth_mode} status={status}")
409
+ print(f"detail={result.detail}")
410
+ if result.remediation:
411
+ print(result.remediation)
412
+ return 0 if result.ok else 1
413
+
414
+
415
+ __all__ = [
416
+ "DEFAULT_VALIDATION_REPO",
417
+ "FAILURE_API_UNREACHABLE",
418
+ "FAILURE_GH_AUTH",
419
+ "FAILURE_INVALID_MODE",
420
+ "FAILURE_MISSING_INJECTED_TOKEN",
421
+ "FAILURE_REPO_ACCESS",
422
+ "GITHUB_AUTH_MODE_HOST_GH",
423
+ "GITHUB_AUTH_MODE_INJECTED_TOKEN",
424
+ "GitHubAuthValidationResult",
425
+ "find_injected_token",
426
+ "infer_github_auth_mode",
427
+ "validate_github_auth",
428
+ "validate_github_auth_for_worker",
429
+ "validate_host_gh_mode",
430
+ "validate_injected_token_mode",
431
+ "main",
432
+ "probe_runtime_capabilities",
433
+ ]
434
+
435
+
436
+ if __name__ == "__main__":
437
+ raise SystemExit(main())
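Review bot: The fail-closed promise in `validate_injected_token_mode` (file lines 193-258) only holds for `GH_TOKEN`/`GITHUB_TOKEN`: `find_injected_token` also accepts `GH_ENTERPRISE_TOKEN` (line 57), but per gh's documented token precedence that variable is consulted only for a GitHub Enterprise host, so with `GH_ENTERPRISE_TOKEN` set and no `GH_HOST` the subsequent `gh auth status` / `gh api` calls resolve whatever credential the worker's gh store holds, and the result reports `injected-token mode validated in worker environment` for a credential that was never injected. Guard that case right after `token = find_injected_token(environ)`, e.g. `if not (environ.get("GH_TOKEN") or environ.get("GITHUB_TOKEN")) and not environ.get("GH_HOST", "").strip(): return <the missing_injected_token result>`, or drop `GH_ENTERPRISE_TOKEN` from `_INJECTED_TOKEN_ENV_VARS` until `GH_HOST` is honored. A related gap in `validate_host_gh_mode` (lines 261-313): it never checks whether an injected token is present, so with `GH_TOKEN` exported the "host-gh" verdict is actually produced by the env token rather than the host store; a one-line note or a `login`/source cross-check would keep the reported mode honest. Separately, `_split_repo` (lines 134-139) keeps everything after the first `/` as `name`, so a `--repo` value with extra path characters changes which `gh api repos/{owner}/{name}` endpoint the repo-access check exercises; validating the slug against a strict owner/name pattern (e.g. `re.fullmatch(r"[\w.-]+", owner)` and the same for `name`) before building the path would prevent that, and the `--repo` help text at line 391 should say the check runs in both modes, not only host-gh.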