@deftai/directive-content 0.58.0 → 0.60.0

Files changed (187)
  1. package/.githooks/pre-push +10 -9
  2. package/Taskfile.yml +57 -67
  3. package/UPGRADING.md +1 -1
  4. package/docs/assets/directive-lifecycle-diagram.png +0 -0
  5. package/docs/directive-lifecycle.md +73 -0
  6. package/docs/getting-started.md +5 -1
  7. package/package.json +3 -3
  8. package/packs/rules/rules-pack-0.1.json +3 -3
  9. package/packs/skills/skills-pack-0.1.json +22 -22
  10. package/scm/github.md +20 -2
  11. package/tasks/change.yml +16 -31
  12. package/tasks/ci.yml +8 -0
  13. package/tasks/commit.yml +12 -19
  14. package/tasks/core.yml +10 -0
  15. package/tasks/engine.yml +42 -0
  16. package/tasks/framework.yml +3 -0
  17. package/tasks/install.yml +20 -19
  18. package/tasks/migrate.yml +26 -15
  19. package/tasks/project.yml +16 -0
  20. package/tasks/relocate.yml +18 -48
  21. package/tasks/toolchain.yml +15 -5
  22. package/tasks/vbrief.yml +4 -3
  23. package/tasks/verify.yml +12 -14
  24. package/templates/agents-entry.md +1 -2
  25. package/scripts/_agents_md.py +0 -494
  26. package/scripts/_cache_fetch.py +0 -635
  27. package/scripts/_cache_quota.py +0 -529
  28. package/scripts/_cache_refresh.py +0 -163
  29. package/scripts/_cache_validate.py +0 -209
  30. package/scripts/_content_root.py +0 -42
  31. package/scripts/_doctor_state.py +0 -277
  32. package/scripts/_event_detect.py +0 -305
  33. package/scripts/_events.py +0 -514
  34. package/scripts/_lifecycle_hygiene.py +0 -568
  35. package/scripts/_pathspec.py +0 -91
  36. package/scripts/_policy_show_cli.py +0 -266
  37. package/scripts/_precutover.py +0 -92
  38. package/scripts/_project_context.py +0 -224
  39. package/scripts/_project_definition_io.py +0 -164
  40. package/scripts/_relocate_snapshot.py +0 -209
  41. package/scripts/_relocate_states.py +0 -343
  42. package/scripts/_resolve_preflight_path.py +0 -152
  43. package/scripts/_safe_subprocess.py +0 -167
  44. package/scripts/_session_start_hook.py +0 -205
  45. package/scripts/_sor_gate_diff.py +0 -365
  46. package/scripts/_stdio_utf8.py +0 -59
  47. package/scripts/_triage_bootstrap_gitignore.py +0 -904
  48. package/scripts/_triage_classify_cli.py +0 -122
  49. package/scripts/_triage_queue_cli.py +0 -625
  50. package/scripts/_triage_scope_cli.py +0 -343
  51. package/scripts/_triage_scope_drift_cli.py +0 -121
  52. package/scripts/_triage_scope_ignores.py +0 -286
  53. package/scripts/_triage_scope_milestone.py +0 -432
  54. package/scripts/_triage_scope_mutations.py +0 -337
  55. package/scripts/_triage_scope_renderers.py +0 -207
  56. package/scripts/_triage_smoketest_stages.py +0 -674
  57. package/scripts/_triage_subscribe_cli.py +0 -140
  58. package/scripts/_triage_welcome_cli.py +0 -421
  59. package/scripts/_vbrief_build.py +0 -239
  60. package/scripts/_vbrief_fidelity.py +0 -479
  61. package/scripts/_vbrief_legacy.py +0 -589
  62. package/scripts/_vbrief_reconciliation.py +0 -883
  63. package/scripts/_vbrief_routing.py +0 -277
  64. package/scripts/_vbrief_safety.py +0 -778
  65. package/scripts/_vbrief_sources.py +0 -312
  66. package/scripts/_vbrief_speckit.py +0 -262
  67. package/scripts/_vbrief_story_quality.py +0 -353
  68. package/scripts/_vbrief_validation.py +0 -299
  69. package/scripts/build_dist.py +0 -412
  70. package/scripts/cache.py +0 -1078
  71. package/scripts/cache_scanner.py +0 -745
  72. package/scripts/candidates_log.py +0 -432
  73. package/scripts/capacity_backfill.py +0 -680
  74. package/scripts/capacity_show.py +0 -653
  75. package/scripts/ci_local.py +0 -689
  76. package/scripts/code_structure_validate.py +0 -765
  77. package/scripts/codebase_default_extractor.py +0 -495
  78. package/scripts/codebase_map.py +0 -304
  79. package/scripts/codebase_map_fresh.py +0 -104
  80. package/scripts/codebase_projection_registry.py +0 -94
  81. package/scripts/codebase_provider.py +0 -582
  82. package/scripts/doctor.py +0 -2551
  83. package/scripts/framework_commands.py +0 -505
  84. package/scripts/gh_rest.py +0 -882
  85. package/scripts/github_auth_modes.py +0 -437
  86. package/scripts/github_body.py +0 -292
  87. package/scripts/ip_risk.py +0 -531
  88. package/scripts/issue_emit.py +0 -670
  89. package/scripts/issue_ingest.py +0 -1064
  90. package/scripts/migrate_preflight.py +0 -418
  91. package/scripts/migrate_vbrief.py +0 -2677
  92. package/scripts/monitor_pr.py +0 -401
  93. package/scripts/pack_migrate_lessons.py +0 -336
  94. package/scripts/pack_migrate_patterns.py +0 -254
  95. package/scripts/pack_migrate_rules.py +0 -350
  96. package/scripts/pack_migrate_skills.py +0 -423
  97. package/scripts/pack_migrate_strategies.py +0 -311
  98. package/scripts/pack_migrate_swarm_spec.py +0 -250
  99. package/scripts/pack_render.py +0 -434
  100. package/scripts/packs_slice.py +0 -712
  101. package/scripts/platform_capabilities.py +0 -336
  102. package/scripts/policy.py +0 -2826
  103. package/scripts/policy_set.py +0 -324
  104. package/scripts/pr_check_closing_keywords.py +0 -524
  105. package/scripts/pr_check_protected_issues.py +0 -267
  106. package/scripts/pr_merge_readiness.py +0 -1004
  107. package/scripts/pr_wait_mergeable.py +0 -669
  108. package/scripts/prd_render.py +0 -159
  109. package/scripts/preflight_architecture_sor.py +0 -974
  110. package/scripts/preflight_branch.py +0 -289
  111. package/scripts/preflight_cache.py +0 -974
  112. package/scripts/preflight_gh.py +0 -721
  113. package/scripts/preflight_implementation.py +0 -272
  114. package/scripts/preflight_story_start.py +0 -838
  115. package/scripts/preflight_wip_cap.py +0 -149
  116. package/scripts/probe_session.py +0 -545
  117. package/scripts/project_render.py +0 -293
  118. package/scripts/quarantine_ext.py +0 -237
  119. package/scripts/reconcile_issues.py +0 -1442
  120. package/scripts/refresh-path.ps1 +0 -107
  121. package/scripts/release.py +0 -2030
  122. package/scripts/release_e2e.py +0 -1011
  123. package/scripts/release_publish.py +0 -486
  124. package/scripts/release_rollback.py +0 -980
  125. package/scripts/relocate.py +0 -1034
  126. package/scripts/resolve_changelog_unreleased.py +0 -667
  127. package/scripts/resolve_version.py +0 -490
  128. package/scripts/resume_conditions.py +0 -706
  129. package/scripts/ritual_sentinel.py +0 -609
  130. package/scripts/roadmap_render.py +0 -635
  131. package/scripts/rule_ownership_lint.py +0 -325
  132. package/scripts/scm.py +0 -591
  133. package/scripts/scope_audit_log.py +0 -387
  134. package/scripts/scope_decompose.py +0 -654
  135. package/scripts/scope_demote.py +0 -509
  136. package/scripts/scope_lifecycle.py +0 -1126
  137. package/scripts/scope_undo.py +0 -772
  138. package/scripts/session_start.py +0 -406
  139. package/scripts/setup_ghx.py +0 -339
  140. package/scripts/setup_windows.ps1 +0 -220
  141. package/scripts/slice_audit.py +0 -585
  142. package/scripts/slice_record.py +0 -530
  143. package/scripts/slice_record_existing.py +0 -692
  144. package/scripts/slug_normalize.py +0 -178
  145. package/scripts/spec_render.py +0 -477
  146. package/scripts/spec_validate.py +0 -238
  147. package/scripts/subagent_monitor.py +0 -658
  148. package/scripts/swarm_complete_cohort.py +0 -644
  149. package/scripts/swarm_launch.py +0 -1206
  150. package/scripts/swarm_readiness.py +0 -554
  151. package/scripts/swarm_verify_review_clean.py +0 -438
  152. package/scripts/swarm_worktrees.py +0 -497
  153. package/scripts/toolchain-check.py +0 -52
  154. package/scripts/triage_actions.py +0 -871
  155. package/scripts/triage_bootstrap.py +0 -1153
  156. package/scripts/triage_bulk.py +0 -630
  157. package/scripts/triage_classify.py +0 -932
  158. package/scripts/triage_help.py +0 -1685
  159. package/scripts/triage_queue.py +0 -1944
  160. package/scripts/triage_reconcile.py +0 -581
  161. package/scripts/triage_refresh.py +0 -643
  162. package/scripts/triage_scope.py +0 -999
  163. package/scripts/triage_scope_drift.py +0 -575
  164. package/scripts/triage_smoketest.py +0 -396
  165. package/scripts/triage_subscribe.py +0 -399
  166. package/scripts/triage_summary.py +0 -1011
  167. package/scripts/triage_welcome.py +0 -1178
  168. package/scripts/ts_check_lane.py +0 -86
  169. package/scripts/validate-links.py +0 -64
  170. package/scripts/validate_strategy_output.py +0 -212
  171. package/scripts/vbrief_activate.py +0 -228
  172. package/scripts/vbrief_migrate_conformance.py +0 -368
  173. package/scripts/vbrief_reconcile_graph.py +0 -306
  174. package/scripts/vbrief_reconcile_labels.py +0 -460
  175. package/scripts/vbrief_reconcile_umbrellas.py +0 -741
  176. package/scripts/vbrief_validate.py +0 -1144
  177. package/scripts/verify-stubs.py +0 -61
  178. package/scripts/verify_capacity.py +0 -160
  179. package/scripts/verify_encoding.py +0 -699
  180. package/scripts/verify_hooks_installed.py +0 -206
  181. package/scripts/verify_investigation.py +0 -360
  182. package/scripts/verify_judgment_gates.py +0 -827
  183. package/scripts/verify_no_task_runtime.py +0 -171
  184. package/scripts/verify_scm_boundary.py +0 -509
  185. package/scripts/verify_session_ritual.py +0 -389
  186. package/scripts/verify_tools.py +0 -426
  187. package/scripts/verify_vbrief_conformance.py +0 -478
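--- a/package/scripts/github_auth_modes.py
+++ b/package/scripts/github_auth_modes.py
@@ -1,437 +0,0 @@
- #!/usr/bin/env python3
- """github_auth_modes.py -- worker-environment GitHub auth validation (#1557b).
-
- Validates ``host-gh`` versus ``injected-token`` credential modes from the
- same execution envelope that will perform GitHub operations. Consumes the
- read-only runtime probe from :mod:`platform_capabilities` to classify the
- worker sandbox and attach remediation when parent host auth can succeed
- while the worker environment cannot.
-
- Modes:
-
- - ``injected-token`` -- require ``GH_TOKEN`` / ``GITHUB_TOKEN`` (or
- enterprise equivalents). Fail closed when missing; never fall back to
- host ``gh`` credential store state.
- - ``host-gh`` -- permit host ``gh`` auth after ``gh auth status`` and a
- minimal GitHub API reachability check succeed from the worker environment.
- """
-
- from __future__ import annotations
-
- import argparse
- import json
- import os
- import sys
- from collections.abc import Callable, Mapping, Sequence
- from dataclasses import dataclass
- from pathlib import Path
- from typing import Any
-
- sys.path.insert(0, str(Path(__file__).resolve().parent))
-
- from _safe_subprocess import run_text # noqa: E402
- from _stdio_utf8 import reconfigure_stdio # noqa: E402
- from platform_capabilities import ( # noqa: E402
- RUNTIME_MODE_CLOUD_HEADLESS,
- RUNTIME_MODE_CURSOR_NATIVE_SANDBOX,
- RuntimeCapabilityReport,
- get_platform_capabilities,
- probe_runtime_capabilities,
- )
-
- reconfigure_stdio()
-
- GITHUB_AUTH_MODE_INJECTED_TOKEN = "injected-token"
- GITHUB_AUTH_MODE_HOST_GH = "host-gh"
-
- KNOWN_GITHUB_AUTH_MODES: frozenset[str] = frozenset(
- {
- GITHUB_AUTH_MODE_INJECTED_TOKEN,
- GITHUB_AUTH_MODE_HOST_GH,
- }
- )
-
- _INJECTED_TOKEN_ENV_VARS: tuple[str, ...] = (
- "GH_TOKEN",
- "GITHUB_TOKEN",
- "GH_ENTERPRISE_TOKEN",
- )
-
- DEFAULT_VALIDATION_REPO = "deftai/directive"
-
- FAILURE_MISSING_INJECTED_TOKEN = "missing_injected_token"
- FAILURE_GH_AUTH = "gh_auth_failed"
- FAILURE_API_UNREACHABLE = "api_unreachable"
- FAILURE_REPO_ACCESS = "repo_access_denied"
- FAILURE_INVALID_MODE = "invalid_auth_mode"
-
- _SANDBOX_REMEDIATION = (
- "Remediation options for worker sandbox GitHub auth failures:\n"
- " - Run the GitHub step with full-access execution\n"
- " - Allowlist the trusted gh command path for the worker sandbox\n"
- " - Use injected-token handoff (keep token values out of prompts and "
- "transcripts)"
- )
-
- _REPO_ACCESS_REMEDIATION = (
- "Remediation options for repo-access failures:\n"
- " - Confirm the worker credential can read the target repository\n"
- " - Run the GitHub step with full-access execution if host gh has access\n"
- " - Use injected-token handoff scoped to the required repository"
- )
-
- GhRunner = Callable[[Sequence[str], Mapping[str, str] | None], Any]
-
-
- @dataclass(frozen=True)
- class GitHubAuthValidationResult:
- """Outcome of validating a worker's GitHub credential mode."""
-
- ok: bool
- github_auth_mode: str
- runtime_mode: str | None
- failure_kind: str | None
- detail: str
- remediation: str | None = None
- login: str | None = None
-
- def to_dict(self) -> dict[str, Any]:
- return {
- "ok": self.ok,
- "github_auth_mode": self.github_auth_mode,
- "runtime_mode": self.runtime_mode,
- "failure_kind": self.failure_kind,
- "detail": self.detail,
- "remediation": self.remediation,
- "login": self.login,
- }
-
-
- def find_injected_token(environ: Mapping[str, str]) -> str | None:
- """Return the first non-empty injected token env var, if any."""
- for name in _INJECTED_TOKEN_ENV_VARS:
- value = environ.get(name, "").strip()
- if value:
- return value
- return None
-
-
- def infer_github_auth_mode(runtime_report: RuntimeCapabilityReport) -> str:
- """Suggest an auth mode from runtime capability probe output."""
- if runtime_report.runtime_mode == RUNTIME_MODE_CLOUD_HEADLESS:
- return GITHUB_AUTH_MODE_INJECTED_TOKEN
- return GITHUB_AUTH_MODE_HOST_GH
-
-
- def _default_run_gh(
- args: Sequence[str],
- environ: Mapping[str, str] | None,
- ) -> Any:
- env = dict(os.environ if environ is None else environ)
- return run_text(["gh", *args], env=env)
-
-
- def _split_repo(repo: str) -> tuple[str, str]:
- owner, _, name = repo.strip().partition("/")
- if not owner or not name:
- msg = f"invalid repository slug: {repo!r} (expected owner/repo)"
- raise ValueError(msg)
- return owner, name
-
-
- def _sandbox_remediation(runtime_mode: str | None, failure_kind: str) -> str | None:
- if runtime_mode != RUNTIME_MODE_CURSOR_NATIVE_SANDBOX:
- return None
- if failure_kind in {
- FAILURE_GH_AUTH,
- FAILURE_API_UNREACHABLE,
- FAILURE_REPO_ACCESS,
- }:
- return _SANDBOX_REMEDIATION
- return None
-
-
- def _repo_access_remediation(failure_kind: str) -> str | None:
- if failure_kind == FAILURE_REPO_ACCESS:
- return _REPO_ACCESS_REMEDIATION
- return None
-
-
- def _merge_remediation(
- runtime_mode: str | None,
- failure_kind: str,
- ) -> str | None:
- parts: list[str] = []
- sandbox = _sandbox_remediation(runtime_mode, failure_kind)
- if sandbox:
- parts.append(sandbox)
- repo = _repo_access_remediation(failure_kind)
- if repo and repo not in parts:
- parts.append(repo)
- if not parts:
- return None
- return "\n\n".join(parts)
-
-
- def _parse_login(stdout: str) -> str | None:
- text = stdout.strip()
- if not text:
- return None
- try:
- payload = json.loads(text)
- except json.JSONDecodeError:
- return text
- if isinstance(payload, str) and payload:
- return payload
- if isinstance(payload, dict):
- login = payload.get("login")
- if isinstance(login, str) and login:
- return login
- return None
-
-
- def validate_injected_token_mode(
- environ: Mapping[str, str],
- *,
- repo: str = DEFAULT_VALIDATION_REPO,
- runtime_mode: str | None = None,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Validate injected-token mode without falling back to host gh state."""
- runner = _default_run_gh if run_gh is None else run_gh
- token = find_injected_token(environ)
- if token is None:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_MISSING_INJECTED_TOKEN,
- detail=(
- "injected-token mode requires GH_TOKEN, GITHUB_TOKEN, or "
- "GH_ENTERPRISE_TOKEN; host gh credential store is not used"
- ),
- )
-
- auth_status = runner(["auth", "status"], environ)
- if auth_status.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_GH_AUTH,
- detail="injected token present but gh auth status failed in worker",
- remediation=_merge_remediation(runtime_mode, FAILURE_GH_AUTH),
- )
-
- user_api = runner(["api", "user", "--jq", ".login"], environ)
- if user_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_API_UNREACHABLE,
- detail="injected token present but GitHub API is unreachable",
- remediation=_merge_remediation(runtime_mode, FAILURE_API_UNREACHABLE),
- )
-
- login = _parse_login(user_api.stdout)
- owner, name = _split_repo(repo)
- repo_api = runner(["api", f"repos/{owner}/{name}"], environ)
- if repo_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_REPO_ACCESS,
- detail=f"injected token can reach GitHub API but cannot access {repo}",
- remediation=_merge_remediation(runtime_mode, FAILURE_REPO_ACCESS),
- login=login,
- )
-
- return GitHubAuthValidationResult(
- ok=True,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=None,
- detail="injected-token mode validated in worker environment",
- login=login,
- )
-
-
- def validate_host_gh_mode(
- environ: Mapping[str, str],
- *,
- repo: str = DEFAULT_VALIDATION_REPO,
- runtime_mode: str | None = None,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Validate host-gh mode from the worker execution environment."""
- runner = _default_run_gh if run_gh is None else run_gh
-
- auth_status = runner(["auth", "status"], environ)
- if auth_status.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_GH_AUTH,
- detail="gh auth status failed in worker environment",
- remediation=_merge_remediation(runtime_mode, FAILURE_GH_AUTH),
- )
-
- user_api = runner(["api", "user", "--jq", ".login"], environ)
- if user_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_API_UNREACHABLE,
- detail="gh auth status passed but GitHub API is unreachable",
- remediation=_merge_remediation(runtime_mode, FAILURE_API_UNREACHABLE),
- )
-
- owner, name = _split_repo(repo)
- repo_api = runner(["api", f"repos/{owner}/{name}"], environ)
- if repo_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_REPO_ACCESS,
- detail=f"GitHub API reachable but repository access failed for {repo}",
- remediation=_merge_remediation(runtime_mode, FAILURE_REPO_ACCESS),
- login=_parse_login(user_api.stdout),
- )
-
- return GitHubAuthValidationResult(
- ok=True,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=None,
- detail="host-gh mode validated in worker environment",
- login=_parse_login(user_api.stdout),
- )
-
-
- def validate_github_auth(
- github_auth_mode: str,
- *,
- environ: Mapping[str, str] | None = None,
- runtime_report: RuntimeCapabilityReport | None = None,
- repo: str = DEFAULT_VALIDATION_REPO,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Validate the requested GitHub auth mode for the worker environment."""
- env = dict(os.environ if environ is None else environ)
- runtime_mode = None if runtime_report is None else runtime_report.runtime_mode
-
- if github_auth_mode not in KNOWN_GITHUB_AUTH_MODES:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=github_auth_mode,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_INVALID_MODE,
- detail=(
- f"unknown github_auth_mode {github_auth_mode!r}; "
- f"expected one of {sorted(KNOWN_GITHUB_AUTH_MODES)}"
- ),
- )
-
- if github_auth_mode == GITHUB_AUTH_MODE_INJECTED_TOKEN:
- return validate_injected_token_mode(
- env,
- repo=repo,
- runtime_mode=runtime_mode,
- run_gh=run_gh,
- )
- return validate_host_gh_mode(
- env,
- repo=repo,
- runtime_mode=runtime_mode,
- run_gh=run_gh,
- )
-
-
- def validate_github_auth_for_worker(
- github_auth_mode: str | None = None,
- *,
- environ: Mapping[str, str] | None = None,
- runtime_report: RuntimeCapabilityReport | None = None,
- repo: str = DEFAULT_VALIDATION_REPO,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Probe runtime (when needed) and validate the worker auth mode."""
- report = (
- get_platform_capabilities()
- if runtime_report is None
- else runtime_report
- )
- mode = infer_github_auth_mode(report) if github_auth_mode is None else github_auth_mode
- return validate_github_auth(
- mode,
- environ=environ,
- runtime_report=report,
- repo=repo,
- run_gh=run_gh,
- )
-
-
- def main(argv: Sequence[str] | None = None) -> int:
- parser = argparse.ArgumentParser(
- description="Validate GitHub auth mode inside the worker environment (#1557b)."
- )
- parser.add_argument(
- "--github-auth-mode",
- choices=sorted(KNOWN_GITHUB_AUTH_MODES),
- help="Credential mode to validate (default: infer from runtime probe).",
- )
- parser.add_argument(
- "--repo",
- default=DEFAULT_VALIDATION_REPO,
- help=f"Repository slug for host-gh repo-access check (default: {DEFAULT_VALIDATION_REPO}).",
- )
- parser.add_argument(
- "--json",
- action="store_true",
- help="Emit structured JSON on stdout.",
- )
- args = parser.parse_args(list(argv) if argv is not None else None)
-
- result = validate_github_auth_for_worker(
- args.github_auth_mode,
- repo=args.repo,
- )
- if args.json:
- print(json.dumps(result.to_dict(), indent=2, sort_keys=True))
- else:
- status = "ok" if result.ok else "failed"
- print(f"github_auth_mode={result.github_auth_mode} status={status}")
- print(f"detail={result.detail}")
- if result.remediation:
- print(result.remediation)
- return 0 if result.ok else 1
-
-
- __all__ = [
- "DEFAULT_VALIDATION_REPO",
- "FAILURE_API_UNREACHABLE",
- "FAILURE_GH_AUTH",
- "FAILURE_INVALID_MODE",
- "FAILURE_MISSING_INJECTED_TOKEN",
- "FAILURE_REPO_ACCESS",
- "GITHUB_AUTH_MODE_HOST_GH",
- "GITHUB_AUTH_MODE_INJECTED_TOKEN",
- "GitHubAuthValidationResult",
- "find_injected_token",
- "infer_github_auth_mode",
- "validate_github_auth",
- "validate_github_auth_for_worker",
- "validate_host_gh_mode",
- "validate_injected_token_mode",
- "main",
- "probe_runtime_capabilities",
- ]
-
-
- if __name__ == "__main__":
- raise SystemExit(main())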