@deftai/directive-content 0.59.0 → 0.61.0

Files changed (190)
  1. package/.githooks/pre-commit +10 -128
  2. package/.githooks/pre-push +8 -108
  3. package/Taskfile.yml +48 -58
  4. package/UPGRADING.md +19 -3
  5. package/docs/assets/directive-lifecycle-diagram.png +0 -0
  6. package/docs/directive-lifecycle.md +73 -0
  7. package/docs/getting-started.md +5 -1
  8. package/package.json +3 -3
  9. package/packs/skills/skills-pack-0.1.json +1 -1
  10. package/packs/strategies/strategies-pack-0.1.json +19 -19
  11. package/scm/github.md +37 -6
  12. package/skills/deft-directive-setup/SKILL.md +24 -15
  13. package/strategies/speckit.md +14 -14
  14. package/strategies/v0-20-contract.md +12 -1
  15. package/tasks/change.yml +16 -31
  16. package/tasks/ci.yml +8 -0
  17. package/tasks/commit.yml +12 -19
  18. package/tasks/core.yml +10 -0
  19. package/tasks/engine.yml +42 -0
  20. package/tasks/framework.yml +3 -0
  21. package/tasks/install.yml +20 -19
  22. package/tasks/migrate.yml +26 -15
  23. package/tasks/project.yml +26 -0
  24. package/tasks/toolchain.yml +15 -5
  25. package/tasks/vbrief.yml +4 -3
  26. package/tasks/verify.yml +12 -14
  27. package/templates/agents-entry.md +1 -1
  28. package/scripts/_agents_md.py +0 -494
  29. package/scripts/_cache_fetch.py +0 -635
  30. package/scripts/_cache_quota.py +0 -529
  31. package/scripts/_cache_refresh.py +0 -163
  32. package/scripts/_cache_validate.py +0 -209
  33. package/scripts/_content_root.py +0 -42
  34. package/scripts/_doctor_state.py +0 -277
  35. package/scripts/_event_detect.py +0 -305
  36. package/scripts/_events.py +0 -514
  37. package/scripts/_lifecycle_hygiene.py +0 -568
  38. package/scripts/_pathspec.py +0 -91
  39. package/scripts/_policy_show_cli.py +0 -266
  40. package/scripts/_precutover.py +0 -92
  41. package/scripts/_project_context.py +0 -224
  42. package/scripts/_project_definition_io.py +0 -164
  43. package/scripts/_relocate_snapshot.py +0 -209
  44. package/scripts/_relocate_states.py +0 -343
  45. package/scripts/_resolve_preflight_path.py +0 -152
  46. package/scripts/_safe_subprocess.py +0 -167
  47. package/scripts/_session_start_hook.py +0 -205
  48. package/scripts/_sor_gate_diff.py +0 -365
  49. package/scripts/_stdio_utf8.py +0 -59
  50. package/scripts/_triage_bootstrap_gitignore.py +0 -904
  51. package/scripts/_triage_classify_cli.py +0 -122
  52. package/scripts/_triage_queue_cli.py +0 -625
  53. package/scripts/_triage_scope_cli.py +0 -343
  54. package/scripts/_triage_scope_drift_cli.py +0 -121
  55. package/scripts/_triage_scope_ignores.py +0 -286
  56. package/scripts/_triage_scope_milestone.py +0 -432
  57. package/scripts/_triage_scope_mutations.py +0 -337
  58. package/scripts/_triage_scope_renderers.py +0 -207
  59. package/scripts/_triage_smoketest_stages.py +0 -674
  60. package/scripts/_triage_subscribe_cli.py +0 -140
  61. package/scripts/_triage_welcome_cli.py +0 -421
  62. package/scripts/_vbrief_build.py +0 -239
  63. package/scripts/_vbrief_fidelity.py +0 -479
  64. package/scripts/_vbrief_legacy.py +0 -589
  65. package/scripts/_vbrief_reconciliation.py +0 -883
  66. package/scripts/_vbrief_routing.py +0 -277
  67. package/scripts/_vbrief_safety.py +0 -778
  68. package/scripts/_vbrief_sources.py +0 -312
  69. package/scripts/_vbrief_speckit.py +0 -262
  70. package/scripts/_vbrief_story_quality.py +0 -353
  71. package/scripts/_vbrief_validation.py +0 -299
  72. package/scripts/build_dist.py +0 -412
  73. package/scripts/cache.py +0 -1078
  74. package/scripts/cache_scanner.py +0 -745
  75. package/scripts/candidates_log.py +0 -432
  76. package/scripts/capacity_backfill.py +0 -680
  77. package/scripts/capacity_show.py +0 -653
  78. package/scripts/ci_local.py +0 -689
  79. package/scripts/code_structure_validate.py +0 -765
  80. package/scripts/codebase_default_extractor.py +0 -495
  81. package/scripts/codebase_map.py +0 -304
  82. package/scripts/codebase_map_fresh.py +0 -104
  83. package/scripts/codebase_projection_registry.py +0 -94
  84. package/scripts/codebase_provider.py +0 -582
  85. package/scripts/doctor.py +0 -2552
  86. package/scripts/framework_commands.py +0 -505
  87. package/scripts/gh_rest.py +0 -882
  88. package/scripts/github_auth_modes.py +0 -437
  89. package/scripts/github_body.py +0 -292
  90. package/scripts/ip_risk.py +0 -531
  91. package/scripts/issue_emit.py +0 -670
  92. package/scripts/issue_ingest.py +0 -1064
  93. package/scripts/migrate_preflight.py +0 -418
  94. package/scripts/migrate_vbrief.py +0 -2677
  95. package/scripts/monitor_pr.py +0 -401
  96. package/scripts/pack_migrate_lessons.py +0 -336
  97. package/scripts/pack_migrate_patterns.py +0 -254
  98. package/scripts/pack_migrate_rules.py +0 -350
  99. package/scripts/pack_migrate_skills.py +0 -423
  100. package/scripts/pack_migrate_strategies.py +0 -311
  101. package/scripts/pack_migrate_swarm_spec.py +0 -250
  102. package/scripts/pack_render.py +0 -434
  103. package/scripts/packs_slice.py +0 -712
  104. package/scripts/platform_capabilities.py +0 -336
  105. package/scripts/policy.py +0 -2826
  106. package/scripts/policy_set.py +0 -324
  107. package/scripts/pr_check_closing_keywords.py +0 -524
  108. package/scripts/pr_check_protected_issues.py +0 -267
  109. package/scripts/pr_merge_readiness.py +0 -1004
  110. package/scripts/pr_wait_mergeable.py +0 -669
  111. package/scripts/prd_render.py +0 -159
  112. package/scripts/preflight_architecture_sor.py +0 -974
  113. package/scripts/preflight_branch.py +0 -289
  114. package/scripts/preflight_cache.py +0 -974
  115. package/scripts/preflight_gh.py +0 -721
  116. package/scripts/preflight_implementation.py +0 -272
  117. package/scripts/preflight_story_start.py +0 -838
  118. package/scripts/preflight_wip_cap.py +0 -149
  119. package/scripts/probe_session.py +0 -545
  120. package/scripts/project_render.py +0 -293
  121. package/scripts/quarantine_ext.py +0 -237
  122. package/scripts/reconcile_issues.py +0 -1442
  123. package/scripts/refresh-path.ps1 +0 -107
  124. package/scripts/release.py +0 -2030
  125. package/scripts/release_e2e.py +0 -1011
  126. package/scripts/release_publish.py +0 -486
  127. package/scripts/release_rollback.py +0 -980
  128. package/scripts/relocate.py +0 -1034
  129. package/scripts/resolve_changelog_unreleased.py +0 -667
  130. package/scripts/resolve_version.py +0 -490
  131. package/scripts/resume_conditions.py +0 -706
  132. package/scripts/ritual_sentinel.py +0 -609
  133. package/scripts/roadmap_render.py +0 -635
  134. package/scripts/rule_ownership_lint.py +0 -325
  135. package/scripts/scm.py +0 -591
  136. package/scripts/scope_audit_log.py +0 -387
  137. package/scripts/scope_decompose.py +0 -654
  138. package/scripts/scope_demote.py +0 -509
  139. package/scripts/scope_lifecycle.py +0 -1126
  140. package/scripts/scope_undo.py +0 -772
  141. package/scripts/session_start.py +0 -406
  142. package/scripts/setup_ghx.py +0 -339
  143. package/scripts/setup_windows.ps1 +0 -220
  144. package/scripts/slice_audit.py +0 -585
  145. package/scripts/slice_record.py +0 -530
  146. package/scripts/slice_record_existing.py +0 -692
  147. package/scripts/slug_normalize.py +0 -178
  148. package/scripts/spec_render.py +0 -477
  149. package/scripts/spec_validate.py +0 -238
  150. package/scripts/subagent_monitor.py +0 -658
  151. package/scripts/swarm_complete_cohort.py +0 -644
  152. package/scripts/swarm_launch.py +0 -1206
  153. package/scripts/swarm_readiness.py +0 -554
  154. package/scripts/swarm_verify_review_clean.py +0 -438
  155. package/scripts/swarm_worktrees.py +0 -497
  156. package/scripts/toolchain-check.py +0 -52
  157. package/scripts/triage_actions.py +0 -871
  158. package/scripts/triage_bootstrap.py +0 -1153
  159. package/scripts/triage_bulk.py +0 -630
  160. package/scripts/triage_classify.py +0 -932
  161. package/scripts/triage_help.py +0 -1685
  162. package/scripts/triage_queue.py +0 -1944
  163. package/scripts/triage_reconcile.py +0 -581
  164. package/scripts/triage_refresh.py +0 -643
  165. package/scripts/triage_scope.py +0 -999
  166. package/scripts/triage_scope_drift.py +0 -575
  167. package/scripts/triage_smoketest.py +0 -396
  168. package/scripts/triage_subscribe.py +0 -399
  169. package/scripts/triage_summary.py +0 -1011
  170. package/scripts/triage_welcome.py +0 -1178
  171. package/scripts/ts_check_lane.py +0 -86
  172. package/scripts/validate-links.py +0 -64
  173. package/scripts/validate_strategy_output.py +0 -212
  174. package/scripts/vbrief_activate.py +0 -228
  175. package/scripts/vbrief_migrate_conformance.py +0 -368
  176. package/scripts/vbrief_reconcile_graph.py +0 -306
  177. package/scripts/vbrief_reconcile_labels.py +0 -460
  178. package/scripts/vbrief_reconcile_umbrellas.py +0 -741
  179. package/scripts/vbrief_validate.py +0 -1144
  180. package/scripts/verify-stubs.py +0 -61
  181. package/scripts/verify_capacity.py +0 -160
  182. package/scripts/verify_encoding.py +0 -699
  183. package/scripts/verify_hooks_installed.py +0 -206
  184. package/scripts/verify_investigation.py +0 -360
  185. package/scripts/verify_judgment_gates.py +0 -827
  186. package/scripts/verify_no_task_runtime.py +0 -171
  187. package/scripts/verify_scm_boundary.py +0 -509
  188. package/scripts/verify_session_ritual.py +0 -389
  189. package/scripts/verify_tools.py +0 -426
  190. package/scripts/verify_vbrief_conformance.py +0 -478
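--- a/package/scripts/github_auth_modes.py
+++ b/package/scripts/github_auth_modes.py
@@ -1,437 +0,0 @@
- #!/usr/bin/env python3
- """github_auth_modes.py -- worker-environment GitHub auth validation (#1557b).
-
- Validates ``host-gh`` versus ``injected-token`` credential modes from the
- same execution envelope that will perform GitHub operations. Consumes the
- read-only runtime probe from :mod:`platform_capabilities` to classify the
- worker sandbox and attach remediation when parent host auth can succeed
- while the worker environment cannot.
-
- Modes:
-
- - ``injected-token`` -- require ``GH_TOKEN`` / ``GITHUB_TOKEN`` (or
- enterprise equivalents). Fail closed when missing; never fall back to
- host ``gh`` credential store state.
- - ``host-gh`` -- permit host ``gh`` auth after ``gh auth status`` and a
- minimal GitHub API reachability check succeed from the worker environment.
- """
-
- from __future__ import annotations
-
- import argparse
- import json
- import os
- import sys
- from collections.abc import Callable, Mapping, Sequence
- from dataclasses import dataclass
- from pathlib import Path
- from typing import Any
-
- sys.path.insert(0, str(Path(__file__).resolve().parent))
-
- from _safe_subprocess import run_text # noqa: E402
- from _stdio_utf8 import reconfigure_stdio # noqa: E402
- from platform_capabilities import ( # noqa: E402
- RUNTIME_MODE_CLOUD_HEADLESS,
- RUNTIME_MODE_CURSOR_NATIVE_SANDBOX,
- RuntimeCapabilityReport,
- get_platform_capabilities,
- probe_runtime_capabilities,
- )
-
- reconfigure_stdio()
-
- GITHUB_AUTH_MODE_INJECTED_TOKEN = "injected-token"
- GITHUB_AUTH_MODE_HOST_GH = "host-gh"
-
- KNOWN_GITHUB_AUTH_MODES: frozenset[str] = frozenset(
- {
- GITHUB_AUTH_MODE_INJECTED_TOKEN,
- GITHUB_AUTH_MODE_HOST_GH,
- }
- )
-
- _INJECTED_TOKEN_ENV_VARS: tuple[str, ...] = (
- "GH_TOKEN",
- "GITHUB_TOKEN",
- "GH_ENTERPRISE_TOKEN",
- )
-
- DEFAULT_VALIDATION_REPO = "deftai/directive"
-
- FAILURE_MISSING_INJECTED_TOKEN = "missing_injected_token"
- FAILURE_GH_AUTH = "gh_auth_failed"
- FAILURE_API_UNREACHABLE = "api_unreachable"
- FAILURE_REPO_ACCESS = "repo_access_denied"
- FAILURE_INVALID_MODE = "invalid_auth_mode"
-
- _SANDBOX_REMEDIATION = (
- "Remediation options for worker sandbox GitHub auth failures:\n"
- " - Run the GitHub step with full-access execution\n"
- " - Allowlist the trusted gh command path for the worker sandbox\n"
- " - Use injected-token handoff (keep token values out of prompts and "
- "transcripts)"
- )
-
- _REPO_ACCESS_REMEDIATION = (
- "Remediation options for repo-access failures:\n"
- " - Confirm the worker credential can read the target repository\n"
- " - Run the GitHub step with full-access execution if host gh has access\n"
- " - Use injected-token handoff scoped to the required repository"
- )
-
- GhRunner = Callable[[Sequence[str], Mapping[str, str] | None], Any]
-
-
- @dataclass(frozen=True)
- class GitHubAuthValidationResult:
- """Outcome of validating a worker's GitHub credential mode."""
-
- ok: bool
- github_auth_mode: str
- runtime_mode: str | None
- failure_kind: str | None
- detail: str
- remediation: str | None = None
- login: str | None = None
-
- def to_dict(self) -> dict[str, Any]:
- return {
- "ok": self.ok,
- "github_auth_mode": self.github_auth_mode,
- "runtime_mode": self.runtime_mode,
- "failure_kind": self.failure_kind,
- "detail": self.detail,
- "remediation": self.remediation,
- "login": self.login,
- }
-
-
- def find_injected_token(environ: Mapping[str, str]) -> str | None:
- """Return the first non-empty injected token env var, if any."""
- for name in _INJECTED_TOKEN_ENV_VARS:
- value = environ.get(name, "").strip()
- if value:
- return value
- return None
-
-
- def infer_github_auth_mode(runtime_report: RuntimeCapabilityReport) -> str:
- """Suggest an auth mode from runtime capability probe output."""
- if runtime_report.runtime_mode == RUNTIME_MODE_CLOUD_HEADLESS:
- return GITHUB_AUTH_MODE_INJECTED_TOKEN
- return GITHUB_AUTH_MODE_HOST_GH
-
-
- def _default_run_gh(
- args: Sequence[str],
- environ: Mapping[str, str] | None,
- ) -> Any:
- env = dict(os.environ if environ is None else environ)
- return run_text(["gh", *args], env=env)
-
-
- def _split_repo(repo: str) -> tuple[str, str]:
- owner, _, name = repo.strip().partition("/")
- if not owner or not name:
- msg = f"invalid repository slug: {repo!r} (expected owner/repo)"
- raise ValueError(msg)
- return owner, name
-
-
- def _sandbox_remediation(runtime_mode: str | None, failure_kind: str) -> str | None:
- if runtime_mode != RUNTIME_MODE_CURSOR_NATIVE_SANDBOX:
- return None
- if failure_kind in {
- FAILURE_GH_AUTH,
- FAILURE_API_UNREACHABLE,
- FAILURE_REPO_ACCESS,
- }:
- return _SANDBOX_REMEDIATION
- return None
-
-
- def _repo_access_remediation(failure_kind: str) -> str | None:
- if failure_kind == FAILURE_REPO_ACCESS:
- return _REPO_ACCESS_REMEDIATION
- return None
-
-
- def _merge_remediation(
- runtime_mode: str | None,
- failure_kind: str,
- ) -> str | None:
- parts: list[str] = []
- sandbox = _sandbox_remediation(runtime_mode, failure_kind)
- if sandbox:
- parts.append(sandbox)
- repo = _repo_access_remediation(failure_kind)
- if repo and repo not in parts:
- parts.append(repo)
- if not parts:
- return None
- return "\n\n".join(parts)
-
-
- def _parse_login(stdout: str) -> str | None:
- text = stdout.strip()
- if not text:
- return None
- try:
- payload = json.loads(text)
- except json.JSONDecodeError:
- return text
- if isinstance(payload, str) and payload:
- return payload
- if isinstance(payload, dict):
- login = payload.get("login")
- if isinstance(login, str) and login:
- return login
- return None
-
-
- def validate_injected_token_mode(
- environ: Mapping[str, str],
- *,
- repo: str = DEFAULT_VALIDATION_REPO,
- runtime_mode: str | None = None,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Validate injected-token mode without falling back to host gh state."""
- runner = _default_run_gh if run_gh is None else run_gh
- token = find_injected_token(environ)
- if token is None:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_MISSING_INJECTED_TOKEN,
- detail=(
- "injected-token mode requires GH_TOKEN, GITHUB_TOKEN, or "
- "GH_ENTERPRISE_TOKEN; host gh credential store is not used"
- ),
- )
-
- auth_status = runner(["auth", "status"], environ)
- if auth_status.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_GH_AUTH,
- detail="injected token present but gh auth status failed in worker",
- remediation=_merge_remediation(runtime_mode, FAILURE_GH_AUTH),
- )
-
- user_api = runner(["api", "user", "--jq", ".login"], environ)
- if user_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_API_UNREACHABLE,
- detail="injected token present but GitHub API is unreachable",
- remediation=_merge_remediation(runtime_mode, FAILURE_API_UNREACHABLE),
- )
-
- login = _parse_login(user_api.stdout)
- owner, name = _split_repo(repo)
- repo_api = runner(["api", f"repos/{owner}/{name}"], environ)
- if repo_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_REPO_ACCESS,
- detail=f"injected token can reach GitHub API but cannot access {repo}",
- remediation=_merge_remediation(runtime_mode, FAILURE_REPO_ACCESS),
- login=login,
- )
-
- return GitHubAuthValidationResult(
- ok=True,
- github_auth_mode=GITHUB_AUTH_MODE_INJECTED_TOKEN,
- runtime_mode=runtime_mode,
- failure_kind=None,
- detail="injected-token mode validated in worker environment",
- login=login,
- )
-
-
- def validate_host_gh_mode(
- environ: Mapping[str, str],
- *,
- repo: str = DEFAULT_VALIDATION_REPO,
- runtime_mode: str | None = None,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Validate host-gh mode from the worker execution environment."""
- runner = _default_run_gh if run_gh is None else run_gh
-
- auth_status = runner(["auth", "status"], environ)
- if auth_status.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_GH_AUTH,
- detail="gh auth status failed in worker environment",
- remediation=_merge_remediation(runtime_mode, FAILURE_GH_AUTH),
- )
-
- user_api = runner(["api", "user", "--jq", ".login"], environ)
- if user_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_API_UNREACHABLE,
- detail="gh auth status passed but GitHub API is unreachable",
- remediation=_merge_remediation(runtime_mode, FAILURE_API_UNREACHABLE),
- )
-
- owner, name = _split_repo(repo)
- repo_api = runner(["api", f"repos/{owner}/{name}"], environ)
- if repo_api.returncode != 0:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_REPO_ACCESS,
- detail=f"GitHub API reachable but repository access failed for {repo}",
- remediation=_merge_remediation(runtime_mode, FAILURE_REPO_ACCESS),
- login=_parse_login(user_api.stdout),
- )
-
- return GitHubAuthValidationResult(
- ok=True,
- github_auth_mode=GITHUB_AUTH_MODE_HOST_GH,
- runtime_mode=runtime_mode,
- failure_kind=None,
- detail="host-gh mode validated in worker environment",
- login=_parse_login(user_api.stdout),
- )
-
-
- def validate_github_auth(
- github_auth_mode: str,
- *,
- environ: Mapping[str, str] | None = None,
- runtime_report: RuntimeCapabilityReport | None = None,
- repo: str = DEFAULT_VALIDATION_REPO,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Validate the requested GitHub auth mode for the worker environment."""
- env = dict(os.environ if environ is None else environ)
- runtime_mode = None if runtime_report is None else runtime_report.runtime_mode
-
- if github_auth_mode not in KNOWN_GITHUB_AUTH_MODES:
- return GitHubAuthValidationResult(
- ok=False,
- github_auth_mode=github_auth_mode,
- runtime_mode=runtime_mode,
- failure_kind=FAILURE_INVALID_MODE,
- detail=(
- f"unknown github_auth_mode {github_auth_mode!r}; "
- f"expected one of {sorted(KNOWN_GITHUB_AUTH_MODES)}"
- ),
- )
-
- if github_auth_mode == GITHUB_AUTH_MODE_INJECTED_TOKEN:
- return validate_injected_token_mode(
- env,
- repo=repo,
- runtime_mode=runtime_mode,
- run_gh=run_gh,
- )
- return validate_host_gh_mode(
- env,
- repo=repo,
- runtime_mode=runtime_mode,
- run_gh=run_gh,
- )
-
-
- def validate_github_auth_for_worker(
- github_auth_mode: str | None = None,
- *,
- environ: Mapping[str, str] | None = None,
- runtime_report: RuntimeCapabilityReport | None = None,
- repo: str = DEFAULT_VALIDATION_REPO,
- run_gh: GhRunner | None = None,
- ) -> GitHubAuthValidationResult:
- """Probe runtime (when needed) and validate the worker auth mode."""
- report = (
- get_platform_capabilities()
- if runtime_report is None
- else runtime_report
- )
- mode = infer_github_auth_mode(report) if github_auth_mode is None else github_auth_mode
- return validate_github_auth(
- mode,
- environ=environ,
- runtime_report=report,
- repo=repo,
- run_gh=run_gh,
- )
-
-
- def main(argv: Sequence[str] | None = None) -> int:
- parser = argparse.ArgumentParser(
- description="Validate GitHub auth mode inside the worker environment (#1557b)."
- )
- parser.add_argument(
- "--github-auth-mode",
- choices=sorted(KNOWN_GITHUB_AUTH_MODES),
- help="Credential mode to validate (default: infer from runtime probe).",
- )
- parser.add_argument(
- "--repo",
- default=DEFAULT_VALIDATION_REPO,
- help=f"Repository slug for host-gh repo-access check (default: {DEFAULT_VALIDATION_REPO}).",
- )
- parser.add_argument(
- "--json",
- action="store_true",
- help="Emit structured JSON on stdout.",
- )
- args = parser.parse_args(list(argv) if argv is not None else None)
-
- result = validate_github_auth_for_worker(
- args.github_auth_mode,
- repo=args.repo,
- )
- if args.json:
- print(json.dumps(result.to_dict(), indent=2, sort_keys=True))
- else:
- status = "ok" if result.ok else "failed"
- print(f"github_auth_mode={result.github_auth_mode} status={status}")
- print(f"detail={result.detail}")
- if result.remediation:
- print(result.remediation)
- return 0 if result.ok else 1
-
-
- __all__ = [
- "DEFAULT_VALIDATION_REPO",
- "FAILURE_API_UNREACHABLE",
- "FAILURE_GH_AUTH",
- "FAILURE_INVALID_MODE",
- "FAILURE_MISSING_INJECTED_TOKEN",
- "FAILURE_REPO_ACCESS",
- "GITHUB_AUTH_MODE_HOST_GH",
- "GITHUB_AUTH_MODE_INJECTED_TOKEN",
- "GitHubAuthValidationResult",
- "find_injected_token",
- "infer_github_auth_mode",
- "validate_github_auth",
- "validate_github_auth_for_worker",
- "validate_host_gh_mode",
- "validate_injected_token_mode",
- "main",
- "probe_runtime_capabilities",
- ]
-
-
- if __name__ == "__main__":
- raise SystemExit(main())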