@deftai/directive-content 0.59.0 → 0.60.0

Files changed (184)
  1. package/.githooks/pre-push +10 -9
  2. package/Taskfile.yml +48 -58
  3. package/UPGRADING.md +1 -1
  4. package/docs/assets/directive-lifecycle-diagram.png +0 -0
  5. package/docs/directive-lifecycle.md +73 -0
  6. package/docs/getting-started.md +5 -1
  7. package/package.json +3 -3
  8. package/packs/skills/skills-pack-0.1.json +22 -22
  9. package/scm/github.md +20 -2
  10. package/tasks/change.yml +16 -31
  11. package/tasks/ci.yml +8 -0
  12. package/tasks/commit.yml +12 -19
  13. package/tasks/core.yml +10 -0
  14. package/tasks/engine.yml +42 -0
  15. package/tasks/framework.yml +3 -0
  16. package/tasks/install.yml +20 -19
  17. package/tasks/migrate.yml +26 -15
  18. package/tasks/project.yml +16 -0
  19. package/tasks/toolchain.yml +15 -5
  20. package/tasks/vbrief.yml +4 -3
  21. package/tasks/verify.yml +12 -14
  22. package/scripts/_agents_md.py +0 -494
  23. package/scripts/_cache_fetch.py +0 -635
  24. package/scripts/_cache_quota.py +0 -529
  25. package/scripts/_cache_refresh.py +0 -163
  26. package/scripts/_cache_validate.py +0 -209
  27. package/scripts/_content_root.py +0 -42
  28. package/scripts/_doctor_state.py +0 -277
  29. package/scripts/_event_detect.py +0 -305
  30. package/scripts/_events.py +0 -514
  31. package/scripts/_lifecycle_hygiene.py +0 -568
  32. package/scripts/_pathspec.py +0 -91
  33. package/scripts/_policy_show_cli.py +0 -266
  34. package/scripts/_precutover.py +0 -92
  35. package/scripts/_project_context.py +0 -224
  36. package/scripts/_project_definition_io.py +0 -164
  37. package/scripts/_relocate_snapshot.py +0 -209
  38. package/scripts/_relocate_states.py +0 -343
  39. package/scripts/_resolve_preflight_path.py +0 -152
  40. package/scripts/_safe_subprocess.py +0 -167
  41. package/scripts/_session_start_hook.py +0 -205
  42. package/scripts/_sor_gate_diff.py +0 -365
  43. package/scripts/_stdio_utf8.py +0 -59
  44. package/scripts/_triage_bootstrap_gitignore.py +0 -904
  45. package/scripts/_triage_classify_cli.py +0 -122
  46. package/scripts/_triage_queue_cli.py +0 -625
  47. package/scripts/_triage_scope_cli.py +0 -343
  48. package/scripts/_triage_scope_drift_cli.py +0 -121
  49. package/scripts/_triage_scope_ignores.py +0 -286
  50. package/scripts/_triage_scope_milestone.py +0 -432
  51. package/scripts/_triage_scope_mutations.py +0 -337
  52. package/scripts/_triage_scope_renderers.py +0 -207
  53. package/scripts/_triage_smoketest_stages.py +0 -674
  54. package/scripts/_triage_subscribe_cli.py +0 -140
  55. package/scripts/_triage_welcome_cli.py +0 -421
  56. package/scripts/_vbrief_build.py +0 -239
  57. package/scripts/_vbrief_fidelity.py +0 -479
  58. package/scripts/_vbrief_legacy.py +0 -589
  59. package/scripts/_vbrief_reconciliation.py +0 -883
  60. package/scripts/_vbrief_routing.py +0 -277
  61. package/scripts/_vbrief_safety.py +0 -778
  62. package/scripts/_vbrief_sources.py +0 -312
  63. package/scripts/_vbrief_speckit.py +0 -262
  64. package/scripts/_vbrief_story_quality.py +0 -353
  65. package/scripts/_vbrief_validation.py +0 -299
  66. package/scripts/build_dist.py +0 -412
  67. package/scripts/cache.py +0 -1078
  68. package/scripts/cache_scanner.py +0 -745
  69. package/scripts/candidates_log.py +0 -432
  70. package/scripts/capacity_backfill.py +0 -680
  71. package/scripts/capacity_show.py +0 -653
  72. package/scripts/ci_local.py +0 -689
  73. package/scripts/code_structure_validate.py +0 -765
  74. package/scripts/codebase_default_extractor.py +0 -495
  75. package/scripts/codebase_map.py +0 -304
  76. package/scripts/codebase_map_fresh.py +0 -104
  77. package/scripts/codebase_projection_registry.py +0 -94
  78. package/scripts/codebase_provider.py +0 -582
  79. package/scripts/doctor.py +0 -2552
  80. package/scripts/framework_commands.py +0 -505
  81. package/scripts/gh_rest.py +0 -882
  82. package/scripts/github_auth_modes.py +0 -437
  83. package/scripts/github_body.py +0 -292
  84. package/scripts/ip_risk.py +0 -531
  85. package/scripts/issue_emit.py +0 -670
  86. package/scripts/issue_ingest.py +0 -1064
  87. package/scripts/migrate_preflight.py +0 -418
  88. package/scripts/migrate_vbrief.py +0 -2677
  89. package/scripts/monitor_pr.py +0 -401
  90. package/scripts/pack_migrate_lessons.py +0 -336
  91. package/scripts/pack_migrate_patterns.py +0 -254
  92. package/scripts/pack_migrate_rules.py +0 -350
  93. package/scripts/pack_migrate_skills.py +0 -423
  94. package/scripts/pack_migrate_strategies.py +0 -311
  95. package/scripts/pack_migrate_swarm_spec.py +0 -250
  96. package/scripts/pack_render.py +0 -434
  97. package/scripts/packs_slice.py +0 -712
  98. package/scripts/platform_capabilities.py +0 -336
  99. package/scripts/policy.py +0 -2826
  100. package/scripts/policy_set.py +0 -324
  101. package/scripts/pr_check_closing_keywords.py +0 -524
  102. package/scripts/pr_check_protected_issues.py +0 -267
  103. package/scripts/pr_merge_readiness.py +0 -1004
  104. package/scripts/pr_wait_mergeable.py +0 -669
  105. package/scripts/prd_render.py +0 -159
  106. package/scripts/preflight_architecture_sor.py +0 -974
  107. package/scripts/preflight_branch.py +0 -289
  108. package/scripts/preflight_cache.py +0 -974
  109. package/scripts/preflight_gh.py +0 -721
  110. package/scripts/preflight_implementation.py +0 -272
  111. package/scripts/preflight_story_start.py +0 -838
  112. package/scripts/preflight_wip_cap.py +0 -149
  113. package/scripts/probe_session.py +0 -545
  114. package/scripts/project_render.py +0 -293
  115. package/scripts/quarantine_ext.py +0 -237
  116. package/scripts/reconcile_issues.py +0 -1442
  117. package/scripts/refresh-path.ps1 +0 -107
  118. package/scripts/release.py +0 -2030
  119. package/scripts/release_e2e.py +0 -1011
  120. package/scripts/release_publish.py +0 -486
  121. package/scripts/release_rollback.py +0 -980
  122. package/scripts/relocate.py +0 -1034
  123. package/scripts/resolve_changelog_unreleased.py +0 -667
  124. package/scripts/resolve_version.py +0 -490
  125. package/scripts/resume_conditions.py +0 -706
  126. package/scripts/ritual_sentinel.py +0 -609
  127. package/scripts/roadmap_render.py +0 -635
  128. package/scripts/rule_ownership_lint.py +0 -325
  129. package/scripts/scm.py +0 -591
  130. package/scripts/scope_audit_log.py +0 -387
  131. package/scripts/scope_decompose.py +0 -654
  132. package/scripts/scope_demote.py +0 -509
  133. package/scripts/scope_lifecycle.py +0 -1126
  134. package/scripts/scope_undo.py +0 -772
  135. package/scripts/session_start.py +0 -406
  136. package/scripts/setup_ghx.py +0 -339
  137. package/scripts/setup_windows.ps1 +0 -220
  138. package/scripts/slice_audit.py +0 -585
  139. package/scripts/slice_record.py +0 -530
  140. package/scripts/slice_record_existing.py +0 -692
  141. package/scripts/slug_normalize.py +0 -178
  142. package/scripts/spec_render.py +0 -477
  143. package/scripts/spec_validate.py +0 -238
  144. package/scripts/subagent_monitor.py +0 -658
  145. package/scripts/swarm_complete_cohort.py +0 -644
  146. package/scripts/swarm_launch.py +0 -1206
  147. package/scripts/swarm_readiness.py +0 -554
  148. package/scripts/swarm_verify_review_clean.py +0 -438
  149. package/scripts/swarm_worktrees.py +0 -497
  150. package/scripts/toolchain-check.py +0 -52
  151. package/scripts/triage_actions.py +0 -871
  152. package/scripts/triage_bootstrap.py +0 -1153
  153. package/scripts/triage_bulk.py +0 -630
  154. package/scripts/triage_classify.py +0 -932
  155. package/scripts/triage_help.py +0 -1685
  156. package/scripts/triage_queue.py +0 -1944
  157. package/scripts/triage_reconcile.py +0 -581
  158. package/scripts/triage_refresh.py +0 -643
  159. package/scripts/triage_scope.py +0 -999
  160. package/scripts/triage_scope_drift.py +0 -575
  161. package/scripts/triage_smoketest.py +0 -396
  162. package/scripts/triage_subscribe.py +0 -399
  163. package/scripts/triage_summary.py +0 -1011
  164. package/scripts/triage_welcome.py +0 -1178
  165. package/scripts/ts_check_lane.py +0 -86
  166. package/scripts/validate-links.py +0 -64
  167. package/scripts/validate_strategy_output.py +0 -212
  168. package/scripts/vbrief_activate.py +0 -228
  169. package/scripts/vbrief_migrate_conformance.py +0 -368
  170. package/scripts/vbrief_reconcile_graph.py +0 -306
  171. package/scripts/vbrief_reconcile_labels.py +0 -460
  172. package/scripts/vbrief_reconcile_umbrellas.py +0 -741
  173. package/scripts/vbrief_validate.py +0 -1144
  174. package/scripts/verify-stubs.py +0 -61
  175. package/scripts/verify_capacity.py +0 -160
  176. package/scripts/verify_encoding.py +0 -699
  177. package/scripts/verify_hooks_installed.py +0 -206
  178. package/scripts/verify_investigation.py +0 -360
  179. package/scripts/verify_judgment_gates.py +0 -827
  180. package/scripts/verify_no_task_runtime.py +0 -171
  181. package/scripts/verify_scm_boundary.py +0 -509
  182. package/scripts/verify_session_ritual.py +0 -389
  183. package/scripts/verify_tools.py +0 -426
  184. package/scripts/verify_vbrief_conformance.py +0 -478
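--- a/package/scripts/github_auth_modes.py
+++ b/package/scripts/github_auth_modes.py
@@ -1,437 +0,0 @@
- #!/usr/bin/env python3
- """github_auth_modes.py -- worker-environment GitHub auth validation (#1557b).
-
- Validates ``host-gh`` versus ``injected-token`` credential modes from the
- same execution envelope that will perform GitHub operations. Consumes the
- read-only runtime probe from :mod:`platform_capabilities` to classify the
- worker sandbox and attach remediation when parent host auth can succeed
- while the worker environment cannot.
-
- Modes:
-
- - ``injected-token`` -- require ``GH_TOKEN`` / ``GITHUB_TOKEN`` (or
- enterprise equivalents). Fail closed when missing; never fall back to
- host ``gh`` credential store state.
- - ``host-gh`` -- permit host ``gh`` auth after ``gh auth status`` and a
- minimal GitHub API reachability check succeed from the worker environment.
- """
-
- from __future__ import annotations
-
- import argparse
- import json
- import os
- import sys
- from collections.abc import Callable, Mapping, Sequence
- from dataclasses import dataclass
- from pathlib import Path
- from typing import Any
-
- sys.path.insert(0, str(Path(__file__).resolve().parent))
-
- from _safe_subprocess import run_text # noqa: E402
- from _stdio_utf8 import reconfigure_stdio # noqa: E402
- from platform_capabilities import ( # noqa: E402
- RUNTIME_MODE_CLOUD_HEADLESS,
- RUNTIME_MODE_CURSOR_NATIVE_SANDBOX,
- RuntimeCapabilityReport,
- get_platform_capabilities,
- probe_runtime_capabilities,
- )
-
- reconfigure_stdio()
-
- GITHUB_AUTH_MODE_INJECTED_TOKEN = "injected-token"
- GITHUB_AUTH_MODE_HOST_GH = "host-gh"
-
- KNOWN_GITHUB_AUTH_MODES: frozenset[str] = frozenset(
- {
- GITHUB_AUTH_MODE_INJECTED_TOKEN,
- GITHUB_AUTH_MODE_HOST_GH,
- }
- )
-
- _INJECTED_TOKEN_ENV_VARS: tuple[str, ...] = (
- "GH_TOKEN",
- "GITHUB_TOKEN",
- "GH_ENTERPRISE_TOKEN",
- )
-
- DEFAULT_VALIDATION_REPO = "deftai/directive"
-
- FAILURE_MISSING_INJECTED_TOKEN = "missing_injected_token"
- FAILURE_GH_AUTH = "gh_auth_failed"
- FAILURE_API_UNREACHABLE = "api_unreachable"
- FAILURE_REPO_ACCESS = "repo_access_denied"
- FAILURE_INVALID_MODE = "invalid_auth_mode"
-
- _SANDBOX_REMEDIATION = (
- "Remediation options for worker sandbox GitHub auth failures:\n"
- " - Run the GitHub step with full-access execution\n"
- " - Allowlist the trusted gh command path for the worker sandbox\n"
- " - Use injected-token handoff (keep token values out of prompts and "
- "transcripts)"
- )
-
- _REPO_ACCESS_REMEDIATION = (
- "Remediation options for repo-access failures:\n"
- " - Confirm the worker credential can read the target repository\n"
- " - Run the GitHub step with full-access execution if host gh has access\n"
- " - Use injected-token handoff scoped to the required repository"
- )
-
- GhRunner = Callable[[Sequence[str], Mapping[str, str] | None], Any]
-
-
- @dataclass(frozen=True)
- class GitHubAuthValidationResult:
- """Outcome of validating a worker's GitHub credential mode."""
-
- ok: bool
- github_auth_mode: str
- runtime_mode: str | None
- failure_kind: str | None
- detail: str
- remediation: str | None = None
- login: str | None = None
-
- def to_dict(self) -> dict[str, Any]:
- return {
- "ok": self.ok,
- "github_auth_mode": self.github_auth_mode,
- "runtime_mode": self.runtime_mode,
- "failure_kind": self.failure_kind,
- "detail": self.detail,
- "remediation": self.remediation,
- "login": self.login,
- }
-
-
- def find_injected_token(environ: Mapping[str, str]) -> str | None:
- """Return the first non-empty injected token env var, if any."""
- for name in _INJECTED_TOKEN_ENV_VARS:
- value = environ.get(name, "").strip()
- if value:
- return value
- return None
-
-
- def infer_github_auth_mode(runtime_report: RuntimeCapabilityReport) -> str:
- """Suggest an auth mode from runtime capability probe output."""
- if runtime_report.runtime_mode == RUNTIME_MODE_CLOUD_HEADLESS:
- return GITHUB_AUTH_MODE_INJECTED_TOKEN
- return GITHUB_AUTH_MODE_HOST_GH
-
-
- def _default_run_gh(
- args: Sequence[str],
- environ: Mapping[str, str] | None,
- ) -> Any:
- env = dict(os.environ if environ is None else environ)
- return run_text(["gh", *args], env=env)
-
-
- def _split_repo(repo: str) -> tuple[str, str]:
- owner, _, name = repo.strip().partition("/")
- if not owner or not name:
- msg = f"invalid repository slug: {repo!r} (expected owner/repo)"
- raise ValueError(msg)
- return owner, name
-
-
- def _sandbox_remediation(runtime_mode: str | None, failure_kind: str) -> str | None:
- if runtime_mode != RUNTIME_MODE_CURSOR_NATIVE_SANDBOX:
- return None
- if failure_kind in {
- FAILURE_GH_AUTH,
- FAILURE_API_UNREACHABLE,
- FAILURE_REPO_ACCESS,
- }:
- return _SANDBOX_REMEDIATION
- return None
-
-
- def _repo_access_remediation(failure_kind: str) -> str | None:
- if failure_kind == FAILURE_REPO_ACCESS:
- return _REPO_ACCESS_REMEDIATION
- return None
-
-
- def _merge_remediation(
- runtime_mode: str | None,
- failure_kind: str,
- ) -> str | None:
- parts: list[str] = []
- sandbox = _sandbox_remediation(runtime_mode, failure_kind)
- if sandbox:
- parts.append(sandbox)
- repo = _repo_access_remediation(failure_kind)
- if repo and repo not in parts:
- parts.append(repo)
- if not parts:
- return None
- return "\n\n".join(parts)
-
-
- def _parse_login(stdout: str) -> str | None:
- text = stdout.strip()
- if not text:
- return None
- try:
- payload = json.loads(text)
- except json.JSONDecodeError:
- return text
- if isinstance(payload, str) and payload:
- return payload
- if isinstance(payload, dict):
- login = payload.get("login")
- if isinstance(login, str) and login:
- return login
- return None
-
-
- def validate_injected_token_mode(
- environ: Mapping[str, str],
- *,
- repo: str = DEFAULT_VALIDATION_REPO,
- runtime_mode: str | None = None,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Validate injected-token mode without falling back to host gh state."""
- runner = _default_run_gh if run_gh is None else run_gh
- token = find_injected_token(environ)
- if token is None:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_MISSING_INJECTED_TOKEN,
- detail=(
- "injected-token mode requires GH_TOKEN, GITHUB_TOKEN, or "
- "GH_ENTERPRISE_TOKEN; host gh credential store is not used"
- ),
- )
-
- auth_status = runner(["auth", "status"], environ)
- if auth_status.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_GH_AUTH,
- detail="injected token present but gh auth status failed in worker",
- remediation=_merge_remediation(runtime_mode, FAILURE_GH_AUTH),
- )
-
- user_api = runner(["api", "user", "--jq", ".login"], environ)
- if user_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_API_UNREACHABLE,
- detail="injected token present but GitHub API is unreachable",
- remediation=_merge_remediation(runtime_mode, FAILURE_API_UNREACHABLE),
- )
-
- login = _parse_login(user_api.stdout)
- owner, name = _split_repo(repo)
- repo_api = runner(["api", f"repos/{owner}/{name}"], environ)
- if repo_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_REPO_ACCESS,
- detail=f"injected token can reach GitHub API but cannot access {repo}",
- remediation=_merge_remediation(runtime_mode, FAILURE_REPO_ACCESS),
- login=login,
- )
-
- return GitHubAuthValidationResult(
- ok=True,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=None,
- detail="injected-token mode validated in worker environment",
- login=login,
- )
-
-
- def validate_host_gh_mode(
- environ: Mapping[str, str],
- *,
- repo: str = DEFAULT_VALIDATION_REPO,
- runtime_mode: str | None = None,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Validate host-gh mode from the worker execution environment."""
- runner = _default_run_gh if run_gh is None else run_gh
-
- auth_status = runner(["auth", "status"], environ)
- if auth_status.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_GH_AUTH,
- detail="gh auth status failed in worker environment",
- remediation=_merge_remediation(runtime_mode, FAILURE_GH_AUTH),
- )
-
- user_api = runner(["api", "user", "--jq", ".login"], environ)
- if user_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_API_UNREACHABLE,
- detail="gh auth status passed but GitHub API is unreachable",
- remediation=_merge_remediation(runtime_mode, FAILURE_API_UNREACHABLE),
- )
-
- owner, name = _split_repo(repo)
- repo_api = runner(["api", f"repos/{owner}/{name}"], environ)
- if repo_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_REPO_ACCESS,
- detail=f"GitHub API reachable but repository access failed for {repo}",
- remediation=_merge_remediation(runtime_mode, FAILURE_REPO_ACCESS),
- login=_parse_login(user_api.stdout),
- )
-
- return GitHubAuthValidationResult(
- ok=True,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=None,
- detail="host-gh mode validated in worker environment",
- login=_parse_login(user_api.stdout),
- )
-
-
- def validate_github_auth(
- github_auth_mode: str,
- *,
- environ: Mapping[str, str] | None = None,
- runtime_report: RuntimeCapabilityReport | None = None,
- repo: str = DEFAULT_VALIDATION_REPO,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Validate the requested GitHub auth mode for the worker environment."""
- env = dict(os.environ if environ is None else environ)
- runtime_mode = None if runtime_report is None else runtime_report.runtime_mode
-
- if github_auth_mode not in KNOWN_GITHUB_AUTH_MODES:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=github_auth_mode,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_INVALID_MODE,
- detail=(
- f"unknown github_auth_mode {github_auth_mode!r}; "
- f"expected one of {sorted(KNOWN_GITHUB_AUTH_MODES)}"
- ),
- )
-
- if github_auth_mode == GITHUB_AUTH_MODE_INJECTED_TOKEN:
- return validate_injected_token_mode(
- env,
- repo=repo,
- runtime_mode=runtime_mode,
- run_gh=run_gh,
- )
- return validate_host_gh_mode(
- env,
- repo=repo,
- runtime_mode=runtime_mode,
- run_gh=run_gh,
- )
-
-
- def validate_github_auth_for_worker(
- github_auth_mode: str | None = None,
- *,
- environ: Mapping[str, str] | None = None,
- runtime_report: RuntimeCapabilityReport | None = None,
- repo: str = DEFAULT_VALIDATION_REPO,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Probe runtime (when needed) and validate the worker auth mode."""
- report = (
- get_platform_capabilities()
- if runtime_report is None
- else runtime_report
- )
- mode = infer_github_auth_mode(report) if github_auth_mode is None else github_auth_mode
- return validate_github_auth(
- mode,
- environ=environ,
- runtime_report=report,
- repo=repo,
- run_gh=run_gh,
- )
-
-
- def main(argv: Sequence[str] | None = None) -> int:
- parser = argparse.ArgumentParser(
- description="Validate GitHub auth mode inside the worker environment (#1557b)."
- )
- parser.add_argument(
- "--github-auth-mode",
- choices=sorted(KNOWN_GITHUB_AUTH_MODES),
- help="Credential mode to validate (default: infer from runtime probe).",
- )
- parser.add_argument(
- "--repo",
- default=DEFAULT_VALIDATION_REPO,
- help=f"Repository slug for host-gh repo-access check (default: {DEFAULT_VALIDATION_REPO}).",
- )
- parser.add_argument(
- "--json",
- action="store_true",
- help="Emit structured JSON on stdout.",
- )
- args = parser.parse_args(list(argv) if argv is not None else None)
-
- result = validate_github_auth_for_worker(
- args.github_auth_mode,
- repo=args.repo,
- )
- if args.json:
- print(json.dumps(result.to_dict(), indent=2, sort_keys=True))
- else:
- status = "ok" if result.ok else "failed"
- print(f"github_auth_mode={result.github_auth_mode} status={status}")
- print(f"detail={result.detail}")
- if result.remediation:
- print(result.remediation)
- return 0 if result.ok else 1
-
-
- __all__ = [
- "DEFAULT_VALIDATION_REPO",
- "FAILURE_API_UNREACHABLE",
- "FAILURE_GH_AUTH",
- "FAILURE_INVALID_MODE",
- "FAILURE_MISSING_INJECTED_TOKEN",
- "FAILURE_REPO_ACCESS",
- "GITHUB_AUTH_MODE_HOST_GH",
- "GITHUB_AUTH_MODE_INJECTED_TOKEN",
- "GitHubAuthValidationResult",
- "find_injected_token",
- "infer_github_auth_mode",
- "validate_github_auth",
- "validate_github_auth_for_worker",
- "validate_host_gh_mode",
- "validate_injected_token_mode",
- "main",
- "probe_runtime_capabilities",
- ]
-
-
- if __name__ == "__main__":
- raise SystemExit(main())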