@deftai/directive-content 0.59.0 → 0.61.0
- package/.githooks/pre-commit +10 -128
- package/.githooks/pre-push +8 -108
- package/Taskfile.yml +48 -58
- package/UPGRADING.md +19 -3
- package/docs/assets/directive-lifecycle-diagram.png +0 -0
- package/docs/directive-lifecycle.md +73 -0
- package/docs/getting-started.md +5 -1
- package/package.json +3 -3
- package/packs/skills/skills-pack-0.1.json +1 -1
- package/packs/strategies/strategies-pack-0.1.json +19 -19
- package/scm/github.md +37 -6
- package/skills/deft-directive-setup/SKILL.md +24 -15
- package/strategies/speckit.md +14 -14
- package/strategies/v0-20-contract.md +12 -1
- package/tasks/change.yml +16 -31
- package/tasks/ci.yml +8 -0
- package/tasks/commit.yml +12 -19
- package/tasks/core.yml +10 -0
- package/tasks/engine.yml +42 -0
- package/tasks/framework.yml +3 -0
- package/tasks/install.yml +20 -19
- package/tasks/migrate.yml +26 -15
- package/tasks/project.yml +26 -0
- package/tasks/toolchain.yml +15 -5
- package/tasks/vbrief.yml +4 -3
- package/tasks/verify.yml +12 -14
- package/templates/agents-entry.md +1 -1
- package/scripts/_agents_md.py +0 -494
- package/scripts/_cache_fetch.py +0 -635
- package/scripts/_cache_quota.py +0 -529
- package/scripts/_cache_refresh.py +0 -163
- package/scripts/_cache_validate.py +0 -209
- package/scripts/_content_root.py +0 -42
- package/scripts/_doctor_state.py +0 -277
- package/scripts/_event_detect.py +0 -305
- package/scripts/_events.py +0 -514
- package/scripts/_lifecycle_hygiene.py +0 -568
- package/scripts/_pathspec.py +0 -91
- package/scripts/_policy_show_cli.py +0 -266
- package/scripts/_precutover.py +0 -92
- package/scripts/_project_context.py +0 -224
- package/scripts/_project_definition_io.py +0 -164
- package/scripts/_relocate_snapshot.py +0 -209
- package/scripts/_relocate_states.py +0 -343
- package/scripts/_resolve_preflight_path.py +0 -152
- package/scripts/_safe_subprocess.py +0 -167
- package/scripts/_session_start_hook.py +0 -205
- package/scripts/_sor_gate_diff.py +0 -365
- package/scripts/_stdio_utf8.py +0 -59
- package/scripts/_triage_bootstrap_gitignore.py +0 -904
- package/scripts/_triage_classify_cli.py +0 -122
- package/scripts/_triage_queue_cli.py +0 -625
- package/scripts/_triage_scope_cli.py +0 -343
- package/scripts/_triage_scope_drift_cli.py +0 -121
- package/scripts/_triage_scope_ignores.py +0 -286
- package/scripts/_triage_scope_milestone.py +0 -432
- package/scripts/_triage_scope_mutations.py +0 -337
- package/scripts/_triage_scope_renderers.py +0 -207
- package/scripts/_triage_smoketest_stages.py +0 -674
- package/scripts/_triage_subscribe_cli.py +0 -140
- package/scripts/_triage_welcome_cli.py +0 -421
- package/scripts/_vbrief_build.py +0 -239
- package/scripts/_vbrief_fidelity.py +0 -479
- package/scripts/_vbrief_legacy.py +0 -589
- package/scripts/_vbrief_reconciliation.py +0 -883
- package/scripts/_vbrief_routing.py +0 -277
- package/scripts/_vbrief_safety.py +0 -778
- package/scripts/_vbrief_sources.py +0 -312
- package/scripts/_vbrief_speckit.py +0 -262
- package/scripts/_vbrief_story_quality.py +0 -353
- package/scripts/_vbrief_validation.py +0 -299
- package/scripts/build_dist.py +0 -412
- package/scripts/cache.py +0 -1078
- package/scripts/cache_scanner.py +0 -745
- package/scripts/candidates_log.py +0 -432
- package/scripts/capacity_backfill.py +0 -680
- package/scripts/capacity_show.py +0 -653
- package/scripts/ci_local.py +0 -689
- package/scripts/code_structure_validate.py +0 -765
- package/scripts/codebase_default_extractor.py +0 -495
- package/scripts/codebase_map.py +0 -304
- package/scripts/codebase_map_fresh.py +0 -104
- package/scripts/codebase_projection_registry.py +0 -94
- package/scripts/codebase_provider.py +0 -582
- package/scripts/doctor.py +0 -2552
- package/scripts/framework_commands.py +0 -505
- package/scripts/gh_rest.py +0 -882
- package/scripts/github_auth_modes.py +0 -437
- package/scripts/github_body.py +0 -292
- package/scripts/ip_risk.py +0 -531
- package/scripts/issue_emit.py +0 -670
- package/scripts/issue_ingest.py +0 -1064
- package/scripts/migrate_preflight.py +0 -418
- package/scripts/migrate_vbrief.py +0 -2677
- package/scripts/monitor_pr.py +0 -401
- package/scripts/pack_migrate_lessons.py +0 -336
- package/scripts/pack_migrate_patterns.py +0 -254
- package/scripts/pack_migrate_rules.py +0 -350
- package/scripts/pack_migrate_skills.py +0 -423
- package/scripts/pack_migrate_strategies.py +0 -311
- package/scripts/pack_migrate_swarm_spec.py +0 -250
- package/scripts/pack_render.py +0 -434
- package/scripts/packs_slice.py +0 -712
- package/scripts/platform_capabilities.py +0 -336
- package/scripts/policy.py +0 -2826
- package/scripts/policy_set.py +0 -324
- package/scripts/pr_check_closing_keywords.py +0 -524
- package/scripts/pr_check_protected_issues.py +0 -267
- package/scripts/pr_merge_readiness.py +0 -1004
- package/scripts/pr_wait_mergeable.py +0 -669
- package/scripts/prd_render.py +0 -159
- package/scripts/preflight_architecture_sor.py +0 -974
- package/scripts/preflight_branch.py +0 -289
- package/scripts/preflight_cache.py +0 -974
- package/scripts/preflight_gh.py +0 -721
- package/scripts/preflight_implementation.py +0 -272
- package/scripts/preflight_story_start.py +0 -838
- package/scripts/preflight_wip_cap.py +0 -149
- package/scripts/probe_session.py +0 -545
- package/scripts/project_render.py +0 -293
- package/scripts/quarantine_ext.py +0 -237
- package/scripts/reconcile_issues.py +0 -1442
- package/scripts/refresh-path.ps1 +0 -107
- package/scripts/release.py +0 -2030
- package/scripts/release_e2e.py +0 -1011
- package/scripts/release_publish.py +0 -486
- package/scripts/release_rollback.py +0 -980
- package/scripts/relocate.py +0 -1034
- package/scripts/resolve_changelog_unreleased.py +0 -667
- package/scripts/resolve_version.py +0 -490
- package/scripts/resume_conditions.py +0 -706
- package/scripts/ritual_sentinel.py +0 -609
- package/scripts/roadmap_render.py +0 -635
- package/scripts/rule_ownership_lint.py +0 -325
- package/scripts/scm.py +0 -591
- package/scripts/scope_audit_log.py +0 -387
- package/scripts/scope_decompose.py +0 -654
- package/scripts/scope_demote.py +0 -509
- package/scripts/scope_lifecycle.py +0 -1126
- package/scripts/scope_undo.py +0 -772
- package/scripts/session_start.py +0 -406
- package/scripts/setup_ghx.py +0 -339
- package/scripts/setup_windows.ps1 +0 -220
- package/scripts/slice_audit.py +0 -585
- package/scripts/slice_record.py +0 -530
- package/scripts/slice_record_existing.py +0 -692
- package/scripts/slug_normalize.py +0 -178
- package/scripts/spec_render.py +0 -477
- package/scripts/spec_validate.py +0 -238
- package/scripts/subagent_monitor.py +0 -658
- package/scripts/swarm_complete_cohort.py +0 -644
- package/scripts/swarm_launch.py +0 -1206
- package/scripts/swarm_readiness.py +0 -554
- package/scripts/swarm_verify_review_clean.py +0 -438
- package/scripts/swarm_worktrees.py +0 -497
- package/scripts/toolchain-check.py +0 -52
- package/scripts/triage_actions.py +0 -871
- package/scripts/triage_bootstrap.py +0 -1153
- package/scripts/triage_bulk.py +0 -630
- package/scripts/triage_classify.py +0 -932
- package/scripts/triage_help.py +0 -1685
- package/scripts/triage_queue.py +0 -1944
- package/scripts/triage_reconcile.py +0 -581
- package/scripts/triage_refresh.py +0 -643
- package/scripts/triage_scope.py +0 -999
- package/scripts/triage_scope_drift.py +0 -575
- package/scripts/triage_smoketest.py +0 -396
- package/scripts/triage_subscribe.py +0 -399
- package/scripts/triage_summary.py +0 -1011
- package/scripts/triage_welcome.py +0 -1178
- package/scripts/ts_check_lane.py +0 -86
- package/scripts/validate-links.py +0 -64
- package/scripts/validate_strategy_output.py +0 -212
- package/scripts/vbrief_activate.py +0 -228
- package/scripts/vbrief_migrate_conformance.py +0 -368
- package/scripts/vbrief_reconcile_graph.py +0 -306
- package/scripts/vbrief_reconcile_labels.py +0 -460
- package/scripts/vbrief_reconcile_umbrellas.py +0 -741
- package/scripts/vbrief_validate.py +0 -1144
- package/scripts/verify-stubs.py +0 -61
- package/scripts/verify_capacity.py +0 -160
- package/scripts/verify_encoding.py +0 -699
- package/scripts/verify_hooks_installed.py +0 -206
- package/scripts/verify_investigation.py +0 -360
- package/scripts/verify_judgment_gates.py +0 -827
- package/scripts/verify_no_task_runtime.py +0 -171
- package/scripts/verify_scm_boundary.py +0 -509
- package/scripts/verify_session_ritual.py +0 -389
- package/scripts/verify_tools.py +0 -426
- package/scripts/verify_vbrief_conformance.py +0 -478
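--- a/package/scripts/github_auth_modes.py
+++ /dev/null
@@ -1,437 +0,0 @@
-#!/usr/bin/env python3
-"""github_auth_modes.py -- worker-environment GitHub auth validation (#1557b).
-
-Validates ``host-gh`` versus ``injected-token`` credential modes from the
-same execution envelope that will perform GitHub operations. Consumes the
-read-only runtime probe from :mod:`platform_capabilities` to classify the
-worker sandbox and attach remediation when parent host auth can succeed
-while the worker environment cannot.
-
-Modes:
-
-- ``injected-token`` -- require ``GH_TOKEN`` / ``GITHUB_TOKEN`` (or
-  enterprise equivalents). Fail closed when missing; never fall back to
-  host ``gh`` credential store state.
-- ``host-gh`` -- permit host ``gh`` auth after ``gh auth status`` and a
-  minimal GitHub API reachability check succeed from the worker environment.
-"""
-
-from __future__ import annotations
-
-import argparse
-import json
-import os
-import sys
-from collections.abc import Callable, Mapping, Sequence
-from dataclasses import dataclass
-from pathlib import Path
-from typing import Any
-
-sys.path.insert(0, str(Path(__file__).resolve().parent))
-
-from _safe_subprocess import run_text  # noqa: E402
-from _stdio_utf8 import reconfigure_stdio  # noqa: E402
-from platform_capabilities import (  # noqa: E402
-    RUNTIME_MODE_CLOUD_HEADLESS,
-    RUNTIME_MODE_CURSOR_NATIVE_SANDBOX,
-    RuntimeCapabilityReport,
-    get_platform_capabilities,
-    probe_runtime_capabilities,
-)
-
-reconfigure_stdio()
-
-GITHUB_AUTH_MODE_INJECTED_TOKEN = "injected-token"
-GITHUB_AUTH_MODE_HOST_GH = "host-gh"
-
-KNOWN_GITHUB_AUTH_MODES: frozenset[str] = frozenset(
-    {
-        GITHUB_AUTH_MODE_INJECTED_TOKEN,
-        GITHUB_AUTH_MODE_HOST_GH,
-    }
-)
-
-_INJECTED_TOKEN_ENV_VARS: tuple[str, ...] = (
-    "GH_TOKEN",
-    "GITHUB_TOKEN",
-    "GH_ENTERPRISE_TOKEN",
-)
-
-DEFAULT_VALIDATION_REPO = "deftai/directive"
-
-FAILURE_MISSING_INJECTED_TOKEN = "missing_injected_token"
-FAILURE_GH_AUTH = "gh_auth_failed"
-FAILURE_API_UNREACHABLE = "api_unreachable"
-FAILURE_REPO_ACCESS = "repo_access_denied"
-FAILURE_INVALID_MODE = "invalid_auth_mode"
-
-_SANDBOX_REMEDIATION = (
-    "Remediation options for worker sandbox GitHub auth failures:\n"
-    " - Run the GitHub step with full-access execution\n"
-    " - Allowlist the trusted gh command path for the worker sandbox\n"
-    " - Use injected-token handoff (keep token values out of prompts and "
-    "transcripts)"
-)
-
-_REPO_ACCESS_REMEDIATION = (
-    "Remediation options for repo-access failures:\n"
-    " - Confirm the worker credential can read the target repository\n"
-    " - Run the GitHub step with full-access execution if host gh has access\n"
-    " - Use injected-token handoff scoped to the required repository"
-)
-
-GhRunner = Callable[[Sequence[str], Mapping[str, str] | None], Any]
-
-
-@dataclass(frozen=True)
-class GitHubAuthValidationResult:
-    """Outcome of validating a worker's GitHub credential mode."""
-
-    ok: bool
-    github_auth_mode: str
-    runtime_mode: str | None
-    failure_kind: str | None
-    detail: str
-    remediation: str | None = None
-    login: str | None = None
-
-    def to_dict(self) -> dict[str, Any]:
-        return {
-            "ok": self.ok,
-            "github_auth_mode": self.github_auth_mode,
-            "runtime_mode": self.runtime_mode,
-            "failure_kind": self.failure_kind,
-            "detail": self.detail,
-            "remediation": self.remediation,
-            "login": self.login,
-        }
-
-
-def find_injected_token(environ: Mapping[str, str]) -> str | None:
-    """Return the first non-empty injected token env var, if any."""
-    for name in _INJECTED_TOKEN_ENV_VARS:
-        value = environ.get(name, "").strip()
-        if value:
-            return value
-    return None
-
-
-def infer_github_auth_mode(runtime_report: RuntimeCapabilityReport) -> str:
-    """Suggest an auth mode from runtime capability probe output."""
-    if runtime_report.runtime_mode == RUNTIME_MODE_CLOUD_HEADLESS:
-        return GITHUB_AUTH_MODE_INJECTED_TOKEN
-    return GITHUB_AUTH_MODE_HOST_GH
-
-
-def _default_run_gh(
-    args: Sequence[str],
-    environ: Mapping[str, str] | None,
-) -> Any:
-    env = dict(os.environ if environ is None else environ)
-    return run_text(["gh", *args], env=env)
-
-
-def _split_repo(repo: str) -> tuple[str, str]:
-    owner, _, name = repo.strip().partition("/")
-    if not owner or not name:
-        msg = f"invalid repository slug: {repo!r} (expected owner/repo)"
-        raise ValueError(msg)
-    return owner, name
-
-
-def _sandbox_remediation(runtime_mode: str | None, failure_kind: str) -> str | None:
-    if runtime_mode != RUNTIME_MODE_CURSOR_NATIVE_SANDBOX:
-        return None
-    if failure_kind in {
-        FAILURE_GH_AUTH,
-        FAILURE_API_UNREACHABLE,
-        FAILURE_REPO_ACCESS,
-    }:
-        return _SANDBOX_REMEDIATION
-    return None
-
-
-def _repo_access_remediation(failure_kind: str) -> str | None:
-    if failure_kind == FAILURE_REPO_ACCESS:
-        return _REPO_ACCESS_REMEDIATION
-    return None
-
-
-def _merge_remediation(
-    runtime_mode: str | None,
-    failure_kind: str,
-) -> str | None:
-    parts: list[str] = []
-    sandbox = _sandbox_remediation(runtime_mode, failure_kind)
-    if sandbox:
-        parts.append(sandbox)
-    repo = _repo_access_remediation(failure_kind)
-    if repo and repo not in parts:
-        parts.append(repo)
-    if not parts:
-        return None
-    return "\n\n".join(parts)
-
-
-def _parse_login(stdout: str) -> str | None:
-    text = stdout.strip()
-    if not text:
-        return None
-    try:
-        payload = json.loads(text)
-    except json.JSONDecodeError:
-        return text
-    if isinstance(payload, str) and payload:
-        return payload
-    if isinstance(payload, dict):
-        login = payload.get("login")
-        if isinstance(login, str) and login:
-            return login
-    return None
-
-
-def validate_injected_token_mode(
-    environ: Mapping[str, str],
-    *,
-    repo: str = DEFAULT_VALIDATION_REPO,
-    runtime_mode: str | None = None,
-    run_gh: GhRunner | None = None,
-) -> GitHubAuthValidationResult:
-    """Validate injected-token mode without falling back to host gh state."""
-    runner = _default_run_gh if run_gh is None else run_gh
-    token = find_injected_token(environ)
-    if token is None:
-        return GitHubAuthValidationResult(
-            ok=False,
-            github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
-            runtime_mode=runtime_mode,
-            failure_kind=FAILURE_MISSING_INJECTED_TOKEN,
-            detail=(
-                "injected-token mode requires GH_TOKEN, GITHUB_TOKEN, or "
-                "GH_ENTERPRISE_TOKEN; host gh credential store is not used"
-            ),
-        )
-
-    auth_status = runner(["auth", "status"], environ)
-    if auth_status.returncode != 0:
-        return GitHubAuthValidationResult(
-            ok=False,
-            github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
-            runtime_mode=runtime_mode,
-            failure_kind=FAILURE_GH_AUTH,
-            detail="injected token present but gh auth status failed in worker",
-            remediation=_merge_remediation(runtime_mode, FAILURE_GH_AUTH),
-        )
-
-    user_api = runner(["api", "user", "--jq", ".login"], environ)
-    if user_api.returncode != 0:
-        return GitHubAuthValidationResult(
-            ok=False,
-            github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
-            runtime_mode=runtime_mode,
-            failure_kind=FAILURE_API_UNREACHABLE,
-            detail="injected token present but GitHub API is unreachable",
-            remediation=_merge_remediation(runtime_mode, FAILURE_API_UNREACHABLE),
-        )
-
-    login = _parse_login(user_api.stdout)
-    owner, name = _split_repo(repo)
-    repo_api = runner(["api", f"repos/{owner}/{name}"], environ)
-    if repo_api.returncode != 0:
-        return GitHubAuthValidationResult(
-            ok=False,
-            github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
-            runtime_mode=runtime_mode,
-            failure_kind=FAILURE_REPO_ACCESS,
-            detail=f"injected token can reach GitHub API but cannot access {repo}",
-            remediation=_merge_remediation(runtime_mode, FAILURE_REPO_ACCESS),
-            login=login,
-        )
-
-    return GitHubAuthValidationResult(
-        ok=True,
-        github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
-        runtime_mode=runtime_mode,
-        failure_kind=None,
-        detail="injected-token mode validated in worker environment",
-        login=login,
-    )
-
-
-def validate_host_gh_mode(
-    environ: Mapping[str, str],
-    *,
-    repo: str = DEFAULT_VALIDATION_REPO,
-    runtime_mode: str | None = None,
-    run_gh: GhRunner | None = None,
-) -> GitHubAuthValidationResult:
-    """Validate host-gh mode from the worker execution environment."""
-    runner = _default_run_gh if run_gh is None else run_gh
-
-    auth_status = runner(["auth", "status"], environ)
-    if auth_status.returncode != 0:
-        return GitHubAuthValidationResult(
-            ok=False,
-            github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
-            runtime_mode=runtime_mode,
-            failure_kind=FAILURE_GH_AUTH,
-            detail="gh auth status failed in worker environment",
-            remediation=_merge_remediation(runtime_mode, FAILURE_GH_AUTH),
-        )
-
-    user_api = runner(["api", "user", "--jq", ".login"], environ)
-    if user_api.returncode != 0:
-        return GitHubAuthValidationResult(
-            ok=False,
-            github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
-            runtime_mode=runtime_mode,
-            failure_kind=FAILURE_API_UNREACHABLE,
-            detail="gh auth status passed but GitHub API is unreachable",
-            remediation=_merge_remediation(runtime_mode, FAILURE_API_UNREACHABLE),
-        )
-
-    owner, name = _split_repo(repo)
-    repo_api = runner(["api", f"repos/{owner}/{name}"], environ)
-    if repo_api.returncode != 0:
-        return GitHubAuthValidationResult(
-            ok=False,
-            github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
-            runtime_mode=runtime_mode,
-            failure_kind=FAILURE_REPO_ACCESS,
-            detail=f"GitHub API reachable but repository access failed for {repo}",
-            remediation=_merge_remediation(runtime_mode, FAILURE_REPO_ACCESS),
-            login=_parse_login(user_api.stdout),
-        )
-
-    return GitHubAuthValidationResult(
-        ok=True,
-        github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
-        runtime_mode=runtime_mode,
-        failure_kind=None,
-        detail="host-gh mode validated in worker environment",
-        login=_parse_login(user_api.stdout),
-    )
-
-
-def validate_github_auth(
-    github_auth_mode: str,
-    *,
-    environ: Mapping[str, str] | None = None,
-    runtime_report: RuntimeCapabilityReport | None = None,
-    repo: str = DEFAULT_VALIDATION_REPO,
-    run_gh: GhRunner | None = None,
-) -> GitHubAuthValidationResult:
-    """Validate the requested GitHub auth mode for the worker environment."""
-    env = dict(os.environ if environ is None else environ)
-    runtime_mode = None if runtime_report is None else runtime_report.runtime_mode
-
-    if github_auth_mode not in KNOWN_GITHUB_AUTH_MODES:
-        return GitHubAuthValidationResult(
-            ok=False,
-            github_auth_mode=github_auth_mode,
-            runtime_mode=runtime_mode,
-            failure_kind=FAILURE_INVALID_MODE,
-            detail=(
-                f"unknown github_auth_mode {github_auth_mode!r}; "
-                f"expected one of {sorted(KNOWN_GITHUB_AUTH_MODES)}"
-            ),
-        )
-
-    if github_auth_mode == GITHUB_AUTH_MODE_INJECTED_TOKEN:
-        return validate_injected_token_mode(
-            env,
-            repo=repo,
-            runtime_mode=runtime_mode,
-            run_gh=run_gh,
-        )
-    return validate_host_gh_mode(
-        env,
-        repo=repo,
-        runtime_mode=runtime_mode,
-        run_gh=run_gh,
-    )
-
-
-def validate_github_auth_for_worker(
-    github_auth_mode: str | None = None,
-    *,
-    environ: Mapping[str, str] | None = None,
-    runtime_report: RuntimeCapabilityReport | None = None,
-    repo: str = DEFAULT_VALIDATION_REPO,
-    run_gh: GhRunner | None = None,
-) -> GitHubAuthValidationResult:
-    """Probe runtime (when needed) and validate the worker auth mode."""
-    report = (
-        get_platform_capabilities()
-        if runtime_report is None
-        else runtime_report
-    )
-    mode = infer_github_auth_mode(report) if github_auth_mode is None else github_auth_mode
-    return validate_github_auth(
-        mode,
-        environ=environ,
-        runtime_report=report,
-        repo=repo,
-        run_gh=run_gh,
-    )
-
-
-def main(argv: Sequence[str] | None = None) -> int:
-    parser = argparse.ArgumentParser(
-        description="Validate GitHub auth mode inside the worker environment (#1557b)."
-    )
-    parser.add_argument(
-        "--github-auth-mode",
-        choices=sorted(KNOWN_GITHUB_AUTH_MODES),
-        help="Credential mode to validate (default: infer from runtime probe).",
-    )
-    parser.add_argument(
-        "--repo",
-        default=DEFAULT_VALIDATION_REPO,
-        help=f"Repository slug for host-gh repo-access check (default: {DEFAULT_VALIDATION_REPO}).",
-    )
-    parser.add_argument(
-        "--json",
-        action="store_true",
-        help="Emit structured JSON on stdout.",
-    )
-    args = parser.parse_args(list(argv) if argv is not None else None)
-
-    result = validate_github_auth_for_worker(
-        args.github_auth_mode,
-        repo=args.repo,
-    )
-    if args.json:
-        print(json.dumps(result.to_dict(), indent=2, sort_keys=True))
-    else:
-        status = "ok" if result.ok else "failed"
-        print(f"github_auth_mode={result.github_auth_mode} status={status}")
-        print(f"detail={result.detail}")
-        if result.remediation:
-            print(result.remediation)
-    return 0 if result.ok else 1
-
-
-__all__ = [
-    "DEFAULT_VALIDATION_REPO",
-    "FAILURE_API_UNREACHABLE",
-    "FAILURE_GH_AUTH",
-    "FAILURE_INVALID_MODE",
-    "FAILURE_MISSING_INJECTED_TOKEN",
-    "FAILURE_REPO_ACCESS",
-    "GITHUB_AUTH_MODE_HOST_GH",
-    "GITHUB_AUTH_MODE_INJECTED_TOKEN",
-    "GitHubAuthValidationResult",
-    "find_injected_token",
-    "infer_github_auth_mode",
-    "validate_github_auth",
-    "validate_github_auth_for_worker",
-    "validate_host_gh_mode",
-    "validate_injected_token_mode",
-    "main",
-    "probe_runtime_capabilities",
-]
-
-
-if __name__ == "__main__":
-    raise SystemExit(main())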