@delegance/claude-autopilot 2.5.0 → 5.0.0-alpha.2

package/src/core/mcp/handlers/review-diff.ts

@@ -0,0 +1,65 @@
+import * as crypto from 'node:crypto';
+import * as path from 'node:path';
+import { resolveWorkspace } from '../workspace.ts';
+import { saveRun, checksumFile, pruneOldRuns } from '../run-store.ts';
+import { runGuardrail } from '../../pipeline/run.ts';
+import { resolveGitTouchedFiles } from '../../git/touched-files.ts';
+import { loadRulesFromConfig } from '../../static-rules/registry.ts';
+import { detectGitContext } from '../../detect/git-context.ts';
+import type { ReviewEngine } from '../../../adapters/review-engine/types.ts';
+import type { GuardrailConfig } from '../../config/types.ts';
+import type { Finding } from '../../findings/types.ts';
+
+export interface ReviewDiffResult {
+  schema_version: 1;
+  run_id: string;
+  findings: Finding[];
+  human_summary: string;
+  usage?: { costUSD?: number };
+}
+
+export async function handleReviewDiff(
+  input: { base?: string; cwd?: string; static_only?: boolean },
+  config: GuardrailConfig,
+  engine: ReviewEngine,
+): Promise<ReviewDiffResult> {
+  const workspace = resolveWorkspace(input.cwd);
+  pruneOldRuns(workspace, 24 * 60 * 60 * 1000);
+
+  const touchedFiles = resolveGitTouchedFiles({ cwd: workspace, base: input.base });
+  const staticRules = config.staticRules ? await loadRulesFromConfig(config.staticRules) : [];
+  const gitCtx = detectGitContext(workspace);
+
+  const result = await runGuardrail({
+    touchedFiles,
+    config,
+    reviewEngine: engine,
+    staticRules,
+    cwd: workspace,
+    gitSummary: gitCtx.summary ?? undefined,
+    base: input.base,
+    skipReview: input.static_only ?? false,
+  });
+
+  const run_id = crypto.randomUUID();
+  const fileChecksums: Record<string, string> = {};
+  for (const f of touchedFiles) {
+    const abs = path.isAbsolute(f) ? f : path.resolve(workspace, f);
+    fileChecksums[f] = checksumFile(abs);
+  }
+  saveRun(workspace, run_id, result.allFindings, fileChecksums);
+
+  const critCount = result.allFindings.filter(f => f.severity === 'critical').length;
+  const warnCount = result.allFindings.filter(f => f.severity === 'warning').length;
+  const human_summary = result.allFindings.length === 0
+    ? 'No findings — looks clean.'
+    : `${result.allFindings.length} finding${result.allFindings.length !== 1 ? 's' : ''}: ${critCount} critical, ${warnCount} warning.`;
+
+  return {
+    schema_version: 1,
+    run_id,
+    findings: result.allFindings,
+    human_summary,
+    usage: result.totalCostUSD !== undefined ? { costUSD: result.totalCostUSD } : undefined,
+  };
+}

package/src/core/mcp/handlers/scan-files.ts

@@ -0,0 +1,65 @@
+import * as crypto from 'node:crypto';
+import * as path from 'node:path';
+import { resolveWorkspace, assertInWorkspace } from '../workspace.ts';
+import { saveRun, checksumFile, pruneOldRuns } from '../run-store.ts';
+import { runReviewPhase } from '../../pipeline/review-phase.ts';
+import { detectStack } from '../../detect/stack.ts';
+import type { ReviewEngine } from '../../../adapters/review-engine/types.ts';
+import type { GuardrailConfig } from '../../config/types.ts';
+import type { Finding } from '../../findings/types.ts';
+
+export interface ScanFilesResult {
+  schema_version: 1;
+  run_id: string;
+  findings: Finding[];
+  human_summary: string;
+}
+
+export async function handleScanFiles(
+  input: { files: string[]; cwd?: string; ask?: string },
+  config: GuardrailConfig,
+  engine: ReviewEngine,
+): Promise<ScanFilesResult> {
+  const workspace = resolveWorkspace(input.cwd);
+  pruneOldRuns(workspace, 24 * 60 * 60 * 1000);
+
+  // Validate all paths before any I/O
+  const resolvedFiles = input.files.map(f => assertInWorkspace(workspace, f));
+
+  const stack = detectStack(workspace) ?? config.stack;
+  const effectiveConfig: GuardrailConfig = input.ask
+    ? { ...config, stack: `${stack ?? 'unknown'}\n\nFocus: ${input.ask}` }
+    : config;
+
+  const result = await runReviewPhase({
+    touchedFiles: resolvedFiles,
+    config: effectiveConfig,
+    engine,
+    cwd: workspace,
+  });
+
+  const run_id = crypto.randomUUID();
+  const fileChecksums: Record<string, string> = {};
+  for (const f of resolvedFiles) {
+    // Store relative key so fix_finding's finding.file lookup matches
+    const relKey = path.relative(workspace, f);
+    fileChecksums[relKey] = checksumFile(f);
+  }
+  // Normalize finding.file to relative paths so downstream lookups against
+  // fileChecksums (keyed by relative paths) work regardless of whether the
+  // review engine echoed absolute or relative paths.
+  const normalizedFindings = result.findings.map(f => {
+    if (!f.file) return f;
+    const rel = path.isAbsolute(f.file) ? path.relative(workspace, f.file) : f.file;
+    return rel === f.file ? f : { ...f, file: rel };
+  });
+  saveRun(workspace, run_id, normalizedFindings, fileChecksums);
+
+  const critCount = result.findings.filter(f => f.severity === 'critical').length;
+  const warnCount = result.findings.filter(f => f.severity === 'warning').length;
+  const human_summary = result.findings.length === 0
+    ? 'No findings.'
+    : `${result.findings.length} finding${result.findings.length !== 1 ? 's' : ''}: ${critCount} critical, ${warnCount} warning.`;
+
+  return { schema_version: 1, run_id, findings: normalizedFindings, human_summary };
+}

package/src/core/mcp/handlers/validate-fix.ts

@@ -0,0 +1,41 @@
+import { spawnSync } from 'node:child_process';
+import { resolveWorkspace } from '../workspace.ts';
+import { withWriteLock } from '../concurrency.ts';
+import type { GuardrailConfig } from '../../config/types.ts';
+
+export interface ValidateFixResult {
+  schema_version: 1;
+  passed: boolean;
+  output: string;
+  durationMs: number;
+}
+
+export async function handleValidateFix(
+  input: { cwd?: string; files?: string[] },
+  config: GuardrailConfig,
+): Promise<ValidateFixResult> {
+  const workspace = resolveWorkspace(input.cwd);
+
+  if (!config.testCommand) {
+    return { schema_version: 1, passed: true, output: '', durationMs: 0 };
+  }
+
+  return withWriteLock(workspace, async () => {
+    const start = Date.now();
+    const result = spawnSync('/bin/sh', ['-c', config.testCommand!], {
+      cwd: workspace,
+      shell: false,
+      timeout: 120_000,
+      encoding: 'utf8',
+    });
+    const durationMs = Date.now() - start;
+    const raw = ((result.stdout ?? '') + (result.stderr ?? '')).slice(0, 4000);
+
+    return {
+      schema_version: 1 as const,
+      passed: result.status === 0,
+      output: raw,
+      durationMs,
+    };
+  });
+}

package/src/core/mcp/run-store.ts

@@ -0,0 +1,85 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as crypto from 'node:crypto';
+import type { Finding } from '../findings/types.ts';
+
+const RUNS_DIR = '.guardrail-cache/runs';
+
+export interface RunRecord {
+  run_id: string;
+  createdAt: string;
+  findings: Finding[];
+  fileChecksums: Record<string, string>;
+}
+
+function runsDir(cwd: string): string {
+  return path.join(cwd, RUNS_DIR);
+}
+
+// Reject any run_id that isn't a safe filename component — path separators,
+// relative segments, hidden files, or empty strings.
+// run_ids are generated server-side as UUIDs (crypto.randomUUID) so strict
+// validation here is safe. MCP clients that fabricate run_ids get a clear
+// rejection instead of silently reading outside RUNS_DIR.
+const VALID_RUN_ID = /^[A-Za-z0-9_-]+$/;
+
+function assertValidRunId(runId: string): void {
+  if (!runId || typeof runId !== 'string' || !VALID_RUN_ID.test(runId)) {
+    throw Object.assign(
+      new Error(`invalid run_id: "${runId}" (expected alphanumeric + dash/underscore)`),
+      { code: 'invalid_run_id' },
+    );
+  }
+}
+
+function runFilePath(cwd: string, runId: string): string {
+  assertValidRunId(runId);
+  return path.join(runsDir(cwd), `${runId}.json`);
+}
+
+export function saveRun(
+  cwd: string,
+  runId: string,
+  findings: Finding[],
+  fileChecksums: Record<string, string>,
+): void {
+  const dir = runsDir(cwd);
+  fs.mkdirSync(dir, { recursive: true });
+  const record: RunRecord = { run_id: runId, createdAt: new Date().toISOString(), findings, fileChecksums };
+  const tmp = runFilePath(cwd, runId) + '.tmp';
+  fs.writeFileSync(tmp, JSON.stringify(record, null, 2), 'utf8');
+  fs.renameSync(tmp, runFilePath(cwd, runId));
+}
+
+export function loadRun(cwd: string, runId: string): RunRecord | null {
+  const p = runFilePath(cwd, runId);
+  if (!fs.existsSync(p)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(p, 'utf8')) as RunRecord;
+  } catch {
+    return null;
+  }
+}
+
+export function checksumFile(filePath: string): string {
+  try {
+    const content = fs.readFileSync(filePath);
+    return crypto.createHash('sha256').update(content).digest('hex');
+  } catch {
+    return '';
+  }
+}
+
+export function pruneOldRuns(cwd: string, maxAgeMs: number): void {
+  const dir = runsDir(cwd);
+  if (!fs.existsSync(dir)) return;
+  const cutoff = Date.now() - maxAgeMs;
+  for (const entry of fs.readdirSync(dir)) {
+    if (!entry.endsWith('.json')) continue;
+    const full = path.join(dir, entry);
+    try {
+      const stat = fs.statSync(full);
+      if (stat.mtimeMs < cutoff) fs.unlinkSync(full);
+    } catch { /* ignore */ }
+  }
+}

package/src/core/mcp/workspace.ts

@@ -0,0 +1,35 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+export function resolveWorkspace(cwd?: string): string {
+  return fs.realpathSync(cwd ?? process.cwd());
+}
+
+export function assertInWorkspace(workspace: string, filePath: string): string {
+  const resolvedWorkspace = fs.realpathSync(workspace);
+  const abs = path.isAbsolute(filePath)
+    ? filePath
+    : path.resolve(resolvedWorkspace, filePath);
+
+  let resolved: string;
+  try {
+    resolved = fs.realpathSync(abs);
+  } catch {
+    // File doesn't exist yet — check the directory
+    const dir = path.dirname(abs);
+    let resolvedDir: string;
+    try {
+      resolvedDir = fs.realpathSync(dir);
+    } catch {
+      // Parent directory doesn't exist — resolve what we can
+      resolvedDir = path.resolve(dir);
+    }
+    resolved = path.join(resolvedDir, path.basename(abs));
+  }
+
+  const root = resolvedWorkspace.endsWith(path.sep) ? resolvedWorkspace : resolvedWorkspace + path.sep;
+  if (!resolved.startsWith(root) && resolved !== resolvedWorkspace) {
+    throw new Error(`Path "${filePath}" is outside workspace "${workspace}"`);
+  }
+  return resolved;
+}

package/src/core/persist/baseline.ts

@@ -0,0 +1,112 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import type { Finding } from '../findings/types.ts';
+
+const BASELINE_FILE = '.guardrail-baseline.json';
+
+export interface BaselineEntry {
+  id: string;
+  file: string;
+  line?: number;
+  severity: string;
+  message: string;
+  pinnedAt: string;
+  note?: string;
+}
+
+export interface Baseline {
+  version: 1;
+  createdAt: string;
+  updatedAt: string;
+  note?: string;
+  entries: BaselineEntry[];
+}
+
+/** Stable key for matching a finding against a baseline entry. */
+function baselineKey(f: { id: string; file: string; line?: number }): string {
+  return `${f.id}::${f.file}::${f.line ?? ''}`;
+}
+
+export function baselineFilePath(cwd: string, overridePath?: string): string {
+  return overridePath
+    ? path.isAbsolute(overridePath) ? overridePath : path.join(cwd, overridePath)
+    : path.join(cwd, BASELINE_FILE);
+}
+
+export function loadBaseline(cwd: string, overridePath?: string): Baseline | null {
+  const p = baselineFilePath(cwd, overridePath);
+  if (!fs.existsSync(p)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(p, 'utf8')) as Baseline;
+  } catch {
+    return null;
+  }
+}
+
+export function saveBaseline(cwd: string, findings: Finding[], options: { note?: string; overridePath?: string } = {}): Baseline {
+  const existing = loadBaseline(cwd, options.overridePath);
+  const now = new Date().toISOString();
+  const baseline: Baseline = {
+    version: 1,
+    createdAt: existing?.createdAt ?? now,
+    updatedAt: now,
+    note: options.note ?? existing?.note,
+    entries: findings.map(f => ({
+      id: f.id,
+      file: f.file,
+      line: f.line,
+      severity: f.severity,
+      message: f.message,
+      pinnedAt: now,
+    })),
+  };
+  const p = baselineFilePath(cwd, options.overridePath);
+  const tmp = p + '.tmp';
+  fs.writeFileSync(tmp, JSON.stringify(baseline, null, 2), 'utf8');
+  fs.renameSync(tmp, p);
+  return baseline;
+}
+
+export function clearBaseline(cwd: string, overridePath?: string): void {
+  const p = baselineFilePath(cwd, overridePath);
+  if (fs.existsSync(p)) fs.unlinkSync(p);
+}
+
+export interface BaselineFilterResult {
+  newFindings: Finding[];
+  baselinedFindings: Finding[];
+  baselinedCount: number;
+}
+
+/** Returns findings NOT present in the baseline (new findings only). */
+export function filterBaselined(findings: Finding[], baseline: Baseline): BaselineFilterResult {
+  const pinned = new Set(baseline.entries.map(baselineKey));
+  const newFindings: Finding[] = [];
+  const baselinedFindings: Finding[] = [];
+  for (const f of findings) {
+    if (pinned.has(baselineKey(f))) {
+      baselinedFindings.push(f);
+    } else {
+      newFindings.push(f);
+    }
+  }
+  return { newFindings, baselinedFindings, baselinedCount: baselinedFindings.length };
+}
+
+export interface BaselineDiff {
+  added: Finding[];       // in current but not in baseline
+  resolved: BaselineEntry[]; // in baseline but not in current
+  unchanged: Finding[];   // in both
+}
+
+/** Diff current findings against a baseline snapshot. */
+export function diffAgainstBaseline(current: Finding[], baseline: Baseline): BaselineDiff {
+  const currentKeys = new Set(current.map(baselineKey));
+  const baselineKeys = new Set(baseline.entries.map(baselineKey));
+
+  return {
+    added:     current.filter(f => !baselineKeys.has(baselineKey(f))),
+    resolved:  baseline.entries.filter(e => !currentKeys.has(baselineKey(e))),
+    unchanged: current.filter(f => baselineKeys.has(baselineKey(f))),
+  };
+}

package/src/core/persist/cost-log.ts

@@ -1,7 +1,7 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 
-const CACHE_DIR = '.autopilot-cache';
+const CACHE_DIR = '.guardrail-cache';
 const LOG_FILE = 'costs.jsonl';
 
 export interface CostLogEntry {

package/src/core/persist/findings-cache.ts

@@ -2,7 +2,7 @@ import * as fs from 'node:fs';
 import * as path from 'node:path';
 import type { Finding } from '../findings/types.ts';
 
-const CACHE_DIR = '.autopilot-cache';
+const CACHE_DIR = '.guardrail-cache';
 const CACHE_FILE = 'findings.json';
 
 function cacheFilePath(cwd: string): string {

package/src/core/persist/triage.ts

@@ -0,0 +1,112 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import type { Finding } from '../findings/types.ts';
+
+const TRIAGE_FILE = '.guardrail-triage.json';
+
+export type TriageState = 'accepted-risk' | 'false-positive';
+
+export interface TriageEntry {
+  id: string;
+  file: string;
+  line?: number;
+  state: TriageState;
+  reason?: string;
+  triagedAt: string;
+  expiresAt?: string;
+}
+
+export interface TriageStore {
+  version: 1;
+  entries: TriageEntry[];
+}
+
+function triageFilePath(cwd: string): string {
+  return path.join(cwd, TRIAGE_FILE);
+}
+
+function entryKey(e: { id: string; file: string; line?: number }): string {
+  return `${e.id}::${e.file}::${e.line ?? ''}`;
+}
+
+export function loadTriage(cwd: string): TriageStore {
+  const p = triageFilePath(cwd);
+  if (!fs.existsSync(p)) return { version: 1, entries: [] };
+  try {
+    return JSON.parse(fs.readFileSync(p, 'utf8')) as TriageStore;
+  } catch {
+    return { version: 1, entries: [] };
+  }
+}
+
+export function saveTriage(cwd: string, store: TriageStore): void {
+  const p = triageFilePath(cwd);
+  const tmp = p + '.tmp';
+  fs.writeFileSync(tmp, JSON.stringify(store, null, 2), 'utf8');
+  fs.renameSync(tmp, p);
+}
+
+export function addTriageEntry(
+  cwd: string,
+  finding: Finding,
+  state: TriageState,
+  options: { reason?: string; expiresInDays?: number } = {},
+): void {
+  const store = loadTriage(cwd);
+  const key = entryKey(finding);
+  store.entries = store.entries.filter(e => entryKey(e) !== key);
+  const entry: TriageEntry = {
+    id: finding.id,
+    file: finding.file,
+    line: finding.line,
+    state,
+    reason: options.reason,
+    triagedAt: new Date().toISOString(),
+  };
+  if (options.expiresInDays !== undefined) {
+    const exp = new Date();
+    exp.setDate(exp.getDate() + options.expiresInDays);
+    entry.expiresAt = exp.toISOString();
+  }
+  store.entries.push(entry);
+  saveTriage(cwd, store);
+}
+
+export function removeTriageEntry(cwd: string, ids: string[]): number {
+  const store = loadTriage(cwd);
+  const before = store.entries.length;
+  store.entries = store.entries.filter(e => !ids.some(id => e.id === id || e.id.startsWith(id)));
+  saveTriage(cwd, store);
+  return before - store.entries.length;
+}
+
+export function clearExpiredEntries(cwd: string): number {
+  const store = loadTriage(cwd);
+  const now = new Date().toISOString();
+  const before = store.entries.length;
+  store.entries = store.entries.filter(e => !e.expiresAt || e.expiresAt > now);
+  saveTriage(cwd, store);
+  return before - store.entries.length;
+}
+
+export interface TriageFilterResult {
+  active: Finding[];
+  triaged: Finding[];
+  triageCount: number;
+}
+
+export function filterTriaged(findings: Finding[], store: TriageStore): TriageFilterResult {
+  const now = new Date().toISOString();
+  const activeKeys = new Set(
+    store.entries
+      .filter(e => !e.expiresAt || e.expiresAt > now)
+      .map(entryKey),
+  );
+  const active: Finding[] = [];
+  const triaged: Finding[] = [];
+  for (const f of findings) {
+    if (activeKeys.has(entryKey(f))) triaged.push(f);
+    else active.push(f);
+  }
+  return { active, triaged, triageCount: triaged.length };
+}

package/src/core/phases/static-rules.ts

@@ -1,16 +1,20 @@
 import type { Finding, FixAttempt, FixStatus } from '../findings/types.ts';
+import type { GuardrailConfig } from '../config/types.ts';
+import type { ReviewEngine } from '../../adapters/review-engine/types.ts';
 import { dedupFindings, findingContentKey } from '../findings/dedup.ts';
 
 export interface StaticRule {
   name: string;
   severity: 'critical' | 'warning' | 'note';
-  check(touchedFiles: string[]): Promise<Finding[]>;
+  check(touchedFiles: string[], config?: Record<string, unknown>): Promise<Finding[]>;
   autofix?(finding: Finding): Promise<FixStatus>;
 }
 
 export interface StaticRulesPhaseInput {
   touchedFiles: string[];
   rules: StaticRule[];
+  config?: GuardrailConfig;
+  engine?: ReviewEngine;
 }
 
 export interface StaticRulesPhaseResult {
@@ -24,7 +28,7 @@ export interface StaticRulesPhaseResult {
 export async function runStaticRulesPhase(input: StaticRulesPhaseInput): Promise<StaticRulesPhaseResult> {
   const start = Date.now();
 
-  const preFixFindings = dedupFindings(await runAllChecks(input.rules, input.touchedFiles));
+  const preFixFindings = dedupFindings(await runAllChecks(input.rules, input.touchedFiles, input.config, input.engine));
 
   const fixAttempts: FixAttempt[] = [];
   let anyFixApplied = false;
@@ -52,7 +56,7 @@ export async function runStaticRulesPhase(input: StaticRulesPhaseInput): Promise
   // findings always returns preFixFindings so callers have a complete record;
   // fixAttempts + re-check set-difference tells them what was resolved.
   const postFixFindings = anyFixApplied
-    ? dedupFindings(await runAllChecks(input.rules, input.touchedFiles))
+    ? dedupFindings(await runAllChecks(input.rules, input.touchedFiles, input.config, input.engine))
     : preFixFindings;
 
   const postFixKeys = new Set(postFixFindings.map(findingContentKey));
@@ -69,9 +73,18 @@ export async function runStaticRulesPhase(input: StaticRulesPhaseInput): Promise
   return { phase: 'static-rules', status, findings: preFixFindings, fixAttempts, durationMs: Date.now() - start };
 }
 
-async function runAllChecks(rules: StaticRule[], files: string[]): Promise<Finding[]> {
+async function runAllChecks(
+  rules: StaticRule[],
+  files: string[],
+  config?: GuardrailConfig,
+  engine?: ReviewEngine,
+): Promise<Finding[]> {
+  const ruleConfig: Record<string, unknown> = {
+    ...(config ? (config as unknown as Record<string, unknown>) : {}),
+    _engine: engine,
+  };
   const all: Finding[] = [];
-  for (const rule of rules) all.push(...(await rule.check(files)));
+  for (const rule of rules) all.push(...(await rule.check(files, ruleConfig)));
   return all;
 }