@episoda/cli 0.2.144

package/dist/hooks/post-checkout

@@ -0,0 +1,327 @@
+#!/bin/bash
+# Git post-checkout hook to update module.checkout_* fields for realtime badge updates
+# EP534: Also checks branch locks and auto-reverts if branch is locked by another user
+# EP649: Added support for cloud VM checkout tracking (Fly.io, Codespaces, Gitpod, etc.)
+# EP749: Simplified to use module.checkout_* as single source of truth (removed branch_checkout table)
+# This runs after every successful git checkout (from API or terminal)
+
+# Set up logging (worktree-safe)
+HOOKS_DIR=$(git rev-parse --git-path hooks 2>/dev/null || echo ".git/hooks")
+mkdir -p "$HOOKS_DIR" 2>/dev/null
+LOG_FILE="${HOOKS_DIR}/post-checkout.log"
+log() {
+  echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
+}
+
+# Get hook parameters
+PREV_HEAD=$1
+NEW_HEAD=$2
+BRANCH_CHECKOUT=$3  # 1 if branch checkout, 0 if file checkout
+
+# Allow automation to skip this hook entirely
+if [ -n "$EPISODA_SKIP_CHECKOUT_HOOK" ]; then
+  log "Skipping update - EPISODA_SKIP_CHECKOUT_HOOK set"
+  exit 0
+fi
+
+# Skip updates during rebase/detached HEAD to avoid guessing branches
+if git rev-parse -q --verify REBASE_HEAD >/dev/null 2>&1; then
+  log "Skipping update - rebase in progress"
+  exit 0
+fi
+
+REBASE_MERGE_DIR=$(git rev-parse --git-path rebase-merge 2>/dev/null || echo "")
+REBASE_APPLY_DIR=$(git rev-parse --git-path rebase-apply 2>/dev/null || echo "")
+if [ -d "$REBASE_MERGE_DIR" ] || [ -d "$REBASE_APPLY_DIR" ]; then
+  log "Skipping update - rebase in progress"
+  exit 0
+fi
+
+# Get the old and new branch names
+OLD_BRANCH=$(git name-rev --name-only $PREV_HEAD 2>/dev/null | sed 's/^remotes\/origin\///')
+NEW_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+
+# If in detached HEAD state, skip update (no guessing)
+if [ "$NEW_BRANCH" = "HEAD" ]; then
+  log "Skipping update - detached HEAD state"
+  exit 0
+fi
+
+log "Branch checkout: $OLD_BRANCH → $NEW_BRANCH"
+
+# Get database connection info from .env.local
+if [ -f .env.local ]; then
+  export $(grep -v '^#' .env.local | grep -E 'NEXT_PUBLIC_SUPABASE_URL|SUPABASE_SERVICE_ROLE_KEY' | xargs)
+fi
+
+# EP553: Atomic branch checkout using checkout_branch_atomic() function
+# Combines lock check and checkout update in a single transaction to prevent race conditions
+CHECKOUT_RESULT=$(node -e "
+let createClient;
+try {
+  ({ createClient } = require('@supabase/supabase-js'));
+} catch (error) {
+  console.log('SKIP:Missing Supabase dependency');
+  process.exit(0);
+}
+const { execSync } = require('child_process');
+
+const supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+const supabaseKey = process.env.SUPABASE_SERVICE_ROLE_KEY;
+
+if (!supabaseUrl || !supabaseKey) {
+  console.log('SKIP:Missing Supabase credentials');
+  process.exit(0);
+}
+
+const supabase = createClient(supabaseUrl, supabaseKey);
+
+(async () => {
+  try {
+    // EP553: Get user ID and workspace ID from git config
+    let userId = null;
+    let configuredWorkspaceId = null;
+
+    try {
+      userId = execSync('git config episoda.userId', { encoding: 'utf8' }).trim();
+    } catch (e) {
+      console.log('SKIP:No user configured');
+      process.exit(0);
+    }
+
+    try {
+      configuredWorkspaceId = execSync('git config episoda.workspaceId', { encoding: 'utf8' }).trim();
+    } catch (e) {
+      console.log('SKIP:No workspace configured');
+      process.exit(0);
+    }
+
+    if (!userId || !configuredWorkspaceId) {
+      console.log('SKIP:Configuration incomplete');
+      process.exit(0);
+    }
+
+    // EP553: Verify user exists and is not banned
+    const { data: userData, error: userError } = await supabase.auth.admin.getUserById(userId);
+
+    if (userError || !userData.user) {
+      console.log('ERROR:Invalid user ID');
+      process.exit(1);
+    }
+
+    if (userData.user.banned) {
+      console.log('ERROR:User account suspended');
+      process.exit(1);
+    }
+
+    // EP553: Get user's actual workspace via workspace_member table
+    const { data: membership, error: membershipError } = await supabase
+      .from('workspace_member')
+      .select('workspace_id')
+      .eq('user_id', userId)
+      .maybeSingle();
+
+    if (membershipError || !membership) {
+      console.log('ERROR:User not member of workspace');
+      process.exit(1);
+    }
+
+    const workspaceId = membership.workspace_id;
+
+    // EP553: Multi-user machine protection
+    if (configuredWorkspaceId !== workspaceId) {
+      console.log('ERROR:Workspace mismatch');
+      process.exit(1);
+    }
+
+    // EP725: Get project ID from git config for main/master checkout tracking
+    // This ensures main branch checkouts are recorded with project_id for badge display
+    let configuredProjectId = null;
+    try {
+      configuredProjectId = execSync('git config episoda.projectId', { encoding: 'utf8' }).trim();
+    } catch (e) {
+      // No projectId configured - will use null (backwards compatible)
+    }
+
+    // EP556: Extract UID from branch name and look up by UID instead of branch_name
+    // This eliminates race conditions during Ready→Doing transitions
+    // EP962: Supports both new format (EP{number}-{description}) and legacy (module/EP{number}-{description})
+    let moduleId = null;
+    let projectId = configuredProjectId || null;  // EP725: Default to configured project for main/master
+    if ('${NEW_BRANCH}' !== 'main' && '${NEW_BRANCH}' !== 'master') {
+      // Match both EP123-description and module/EP123-description
+      const branchMatch = '${NEW_BRANCH}'.match(/^(?:module\/)?EP(\d+)-/);
+      if (branchMatch) {
+        const uid = 'EP' + branchMatch[1];
+        // EP970: Also fetch checkout_at to detect if orchestrator already handled this
+        const { data: module } = await supabase
+          .from('module')
+          .select('id, project_id, checkout_at, checkout_user_id')
+          .eq('uid', uid)
+          .maybeSingle();
+
+        if (module) {
+          moduleId = module.id;
+          projectId = module.project_id;
+
+          // EP970: Skip if orchestrator already handled checkout within last 10 seconds
+          // This prevents duplicate RPC calls when dragging cards on the kanban board
+          if (module.checkout_at && module.checkout_user_id === userId) {
+            const checkoutAge = Date.now() - new Date(module.checkout_at).getTime();
+            if (checkoutAge < 10000) {
+              console.log('SKIP:Orchestrator already handled checkout (' + Math.round(checkoutAge/1000) + 's ago)');
+              process.exit(0);
+            }
+          }
+        }
+      }
+    }
+
+    // EP553: Detect environment type based on where the hook is running
+    // EP649: Added Fly.io cloud VM detection
+    // Check for common cloud development environment variables
+    let environment = 'local';
+    let cloudMachineId = null;
+
+    if (process.env.FLY_MACHINE_ID) {
+      environment = 'cloud';  // Fly.io VM (Episoda cloud dev)
+      cloudMachineId = process.env.FLY_MACHINE_ID;
+    } else if (process.env.CODESPACES === 'true' || process.env.GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN) {
+      environment = 'cloud';  // GitHub Codespaces
+      cloudMachineId = process.env.CODESPACE_NAME || null;
+    } else if (process.env.GITPOD_WORKSPACE_ID) {
+      environment = 'cloud';  // Gitpod
+      cloudMachineId = process.env.GITPOD_WORKSPACE_ID;
+    } else if (process.env.C9_PROJECT || process.env.AWS_CLOUD9_USER) {
+      environment = 'cloud';  // AWS Cloud9
+      cloudMachineId = process.env.C9_PROJECT || null;
+    } else if (process.env.REPL_ID || process.env.REPLIT_DB_URL) {
+      environment = 'cloud';  // Replit
+      cloudMachineId = process.env.REPL_ID || null;
+    }
+
+    // EP726: Get device UUID for checkout tracking
+    // EP773: Tables renamed: local_device → local_machine, cloud_device → cloud_machine
+    // For local: read local_machine.id from git config (cached by CLI daemon)
+    // For cloud: read cloud_machine.id from git config (set during VM provisioning)
+    let localDeviceId = null;
+    let cloudDeviceId = null;
+
+    if (environment === 'local') {
+      // Local checkout: get local_machine.id from git config
+      try {
+        localDeviceId = execSync('git config episoda.deviceId', { encoding: 'utf8' }).trim();
+      } catch (e) {
+        // No deviceId configured yet - will use null (backwards compatible)
+      }
+    } else {
+      // Cloud checkout: get cloud_machine.id from git config
+      // EP773: Renamed cloud_device → cloud_machine
+      try {
+        cloudDeviceId = execSync('git config episoda.cloudDeviceId', { encoding: 'utf8' }).trim();
+      } catch (e) {
+        // No cloudDeviceId configured - try to look up by FLY_MACHINE_ID
+        if (cloudMachineId) {
+          const { data: cloudMachine } = await supabase
+            .from('cloud_machine')
+            .select('id')
+            .eq('machine_id', cloudMachineId)
+            .maybeSingle();
+          if (cloudMachine) {
+            cloudDeviceId = cloudMachine.id;
+          }
+        }
+      }
+    }
+
+    // EP726: Call atomic checkout function with unified machine IDs
+    // EP768: Renamed p_*_device_id → p_*_machine_id to match function signature
+    // - p_local_machine_id: UUID FK to local_machine (for local checkouts)
+    // - p_cloud_machine_id: UUID FK to cloud_machine (for cloud checkouts)
+    const { data: result, error: rpcError } = await supabase
+      .rpc('checkout_branch_atomic', {
+        p_branch_name: '${NEW_BRANCH}',
+        p_user_id: userId,
+        p_workspace_id: workspaceId,
+        p_project_id: projectId,
+        p_environment: environment,
+        p_module_id: moduleId,
+        p_cloud_machine_id: cloudDeviceId,
+        p_local_machine_id: localDeviceId
+      });
+
+    if (rpcError) {
+      console.log('ERROR:' + rpcError.message);
+      process.exit(1);
+    }
+
+    if (!result.success) {
+      if (result.error === 'BRANCH_LOCKED') {
+        console.log('LOCKED:' + result.locked_by + ':' + result.environment);
+      } else if (result.error === 'BRANCH_BUSY') {
+        console.log('BUSY:' + result.message);
+      } else {
+        console.log('ERROR:' + (result.message || 'Unknown error'));
+      }
+      process.exit(0);
+    }
+
+    // Success - branch checked out atomically
+    console.log('SUCCESS:${NEW_BRANCH}');
+  } catch (err) {
+    console.log('ERROR:' + err.message);
+  }
+})();
+")
+
+# Handle the checkout result
+if [[ "$CHECKOUT_RESULT" == SKIP:* ]]; then
+  # Configuration incomplete or credentials missing - skip quietly
+  log "Skipping checkout update: ${CHECKOUT_RESULT#SKIP:}"
+  exit 0
+elif [[ "$CHECKOUT_RESULT" == ERROR:* ]]; then
+  # Fatal error - abort
+  echo ""
+  echo "❌ ERROR: ${CHECKOUT_RESULT#ERROR:}"
+  echo ""
+  exit 1
+elif [[ "$CHECKOUT_RESULT" == LOCKED:* ]]; then
+  # Branch is locked by another user - revert checkout
+  LOCKED_USER=$(echo "$CHECKOUT_RESULT" | cut -d':' -f2)
+  LOCK_ENV=$(echo "$CHECKOUT_RESULT" | cut -d':' -f3)
+
+  echo ""
+  echo "❌ ERROR: Branch '$NEW_BRANCH' is currently checked out by $LOCKED_USER in $LOCK_ENV mode."
+  echo ""
+  echo "This branch is locked to prevent conflicts. Options:"
+  echo "  1. Ask $LOCKED_USER to check in via GitHub Integration modal"
+  echo "  2. Work on a different module/branch"
+  echo "  3. Wait for the lock to be released"
+  echo ""
+  echo "Reverting to previous branch: $OLD_BRANCH"
+  echo ""
+
+  # Revert to old branch
+  git checkout "$OLD_BRANCH" 2>/dev/null
+  exit 1
+elif [[ "$CHECKOUT_RESULT" == BUSY:* ]]; then
+  # Another user is currently checking out - suggest retry
+  echo ""
+  echo "⏳ Branch checkout in progress by another user"
+  echo "Please try again in a moment"
+  echo ""
+  echo "Reverting to previous branch: $OLD_BRANCH"
+  echo ""
+
+  # Revert to old branch
+  git checkout "$OLD_BRANCH" 2>/dev/null
+  exit 1
+elif [[ "$CHECKOUT_RESULT" == SUCCESS:* ]]; then
+  # Success
+  log "Successfully checked out branch: $NEW_BRANCH"
+  exit 0
+else
+  # Unexpected result
+  log "Unexpected checkout result: $CHECKOUT_RESULT"
+  exit 0
+fi

package/dist/hooks/post-commit

@@ -0,0 +1,137 @@
+#!/bin/bash
+#
+# EP837: Record commits made on main branch for machine-aware tracking
+#
+# This hook runs after every successful commit. When on main branch,
+# it records the commit in the local_commit table so that main branch
+# protection only triggers for commits made on THIS machine.
+#
+# Problem: git log origin/main..HEAD shows ALL unpushed commits including
+# commits made on other machines. This causes false positives when
+# origin/main is stale.
+#
+# Solution: Track which commits were made on which machine. Main branch
+# check queries local_commit table filtered by machine_id.
+
+# Get current branch
+BRANCH=$(git branch --show-current)
+
+# Only track commits on main or master branch
+if [ "$BRANCH" != "main" ] && [ "$BRANCH" != "master" ]; then
+  exit 0
+fi
+
+# Get the commit that was just made
+COMMIT_SHA=$(git rev-parse HEAD)
+COMMIT_MESSAGE=$(git log -1 --pretty=format:%s)
+COMMIT_AUTHOR=$(git log -1 --pretty=format:%an)
+
+# Read config from ~/.episoda/config.json
+CONFIG_FILE="$HOME/.episoda/config.json"
+
+if [ ! -f "$CONFIG_FILE" ]; then
+  # No config file - CLI not authenticated, skip silently
+  exit 0
+fi
+
+# Record the commit using the API
+RESULT=$(node -e "
+const fs = require('fs');
+const https = require('https');
+const http = require('http');
+const { execSync } = require('child_process');
+
+(async () => {
+  try {
+    // Read config
+    const config = JSON.parse(fs.readFileSync('$CONFIG_FILE', 'utf8'));
+    const token = config.access_token;
+    const apiUrl = config.api_url || 'https://episoda.dev';
+    const deviceId = config.device_id;
+    const projectId = config.project_id;
+
+    if (!token) {
+      console.log('SKIP:No token');
+      process.exit(0);
+    }
+
+    if (!deviceId) {
+      console.log('SKIP:No device_id');
+      process.exit(0);
+    }
+
+    if (!projectId) {
+      console.log('SKIP:No project_id');
+      process.exit(0);
+    }
+
+    // Record the commit
+    const url = new URL('/api/commits/local', apiUrl);
+    const client = url.protocol === 'https:' ? https : http;
+
+    const postData = JSON.stringify({
+      sha: '$COMMIT_SHA',
+      machine_id: deviceId,
+      project_id: projectId,
+      branch: '$BRANCH',
+      message: \`$COMMIT_MESSAGE\`,
+      author: \`$COMMIT_AUTHOR\`
+    });
+
+    const req = client.request(url, {
+      method: 'POST',
+      headers: {
+        'Authorization': 'Bearer ' + token,
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(postData)
+      },
+      timeout: 5000
+    }, (res) => {
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        try {
+          const json = JSON.parse(data);
+          if (json.success) {
+            console.log('SUCCESS:' + (json.created ? 'recorded' : 'exists'));
+          } else {
+            console.log('ERROR:' + (json.error?.message || 'Unknown error'));
+          }
+        } catch (e) {
+          console.log('ERROR:Parse error - ' + e.message);
+        }
+      });
+    });
+
+    req.on('error', (e) => {
+      console.log('ERROR:Network - ' + e.message);
+    });
+    req.on('timeout', () => {
+      req.destroy();
+      console.log('ERROR:Timeout');
+    });
+
+    req.write(postData);
+    req.end();
+  } catch (e) {
+    console.log('ERROR:' + e.message);
+  }
+})();
+" 2>/dev/null)
+
+# Log result (non-blocking, don't fail the commit)
+case "$RESULT" in
+  SUCCESS:*)
+    # Commit recorded successfully
+    ;;
+  SKIP:*)
+    # Configuration incomplete - skip silently
+    ;;
+  ERROR:*)
+    # Log error but don't fail the commit
+    echo "Warning: Failed to record commit for tracking: ${RESULT#ERROR:}" >&2
+    ;;
+esac
+
+# Always exit successfully - don't block commits
+exit 0

package/dist/hooks/pre-commit

@@ -0,0 +1,140 @@
+#!/bin/bash
+#
+# EP490: Prevent commits directly to main branch
+# EP647: Extended to block ALL non-module branches (except hotfix/*)
+# EP962: Updated to support new branch format (EP123-description instead of module/EP123-...)
+# This hook enforces the module workflow for all development work
+#
+
+BRANCH=$(git branch --show-current)
+
+# Allow module branches - both new format (EP123-description) and legacy (module/EP123-description)
+# EP647: But warn if it's a cloud module being committed locally
+if [[ "$BRANCH" == EP* ]] || [[ "$BRANCH" == module/EP* ]]; then
+  # Extract module UID from branch name (e.g., EP647 from EP647-description or module/EP647-description)
+  MODULE_UID=$(echo "$BRANCH" | grep -oE 'EP[0-9]+')
+
+  if [ -n "$MODULE_UID" ]; then
+    # Check if this is a cloud module
+    # Read config from ~/.episoda/config.json
+    CONFIG_FILE="$HOME/.episoda/config.json"
+
+    if [ -f "$CONFIG_FILE" ]; then
+      # Extract access_token and api_url using node (more reliable than jq which may not be installed)
+      CLOUD_CHECK=$(node -e "
+        const fs = require('fs');
+        const https = require('https');
+        const http = require('http');
+
+        try {
+          const config = JSON.parse(fs.readFileSync('$CONFIG_FILE', 'utf8'));
+          const token = config.access_token;
+          const apiUrl = config.api_url || 'https://episoda.dev';
+
+          if (!token) {
+            console.log('SKIP:No token');
+            process.exit(0);
+          }
+
+          const url = new URL('/api/modules/$MODULE_UID', apiUrl);
+          const client = url.protocol === 'https:' ? https : http;
+
+          const req = client.request(url, {
+            method: 'GET',
+            headers: {
+              'Authorization': 'Bearer ' + token,
+              'Content-Type': 'application/json'
+            },
+            timeout: 3000
+          }, (res) => {
+            let data = '';
+            res.on('data', chunk => data += chunk);
+            res.on('end', () => {
+              try {
+                const json = JSON.parse(data);
+                if (json.success && json.moduleRecord && json.moduleRecord.dev_mode === 'cloud') {
+                  console.log('CLOUD:' + json.moduleRecord.title);
+                } else {
+                  console.log('LOCAL');
+                }
+              } catch (e) {
+                console.log('SKIP:Parse error');
+              }
+            });
+          });
+
+          req.on('error', () => console.log('SKIP:Network error'));
+          req.on('timeout', () => { req.destroy(); console.log('SKIP:Timeout'); });
+          req.end();
+        } catch (e) {
+          console.log('SKIP:Config error');
+        }
+      " 2>/dev/null)
+
+      if [[ "$CLOUD_CHECK" == CLOUD:* ]]; then
+        MODULE_TITLE="${CLOUD_CHECK#CLOUD:}"
+        echo ""
+        echo "⚠️  Warning: '$MODULE_UID' is a CLOUD module"
+        echo ""
+        echo "Module: $MODULE_TITLE"
+        echo ""
+        echo "This module is configured for cloud development (dev_mode: cloud)."
+        echo "Local commits may cause sync issues with the cloud environment."
+        echo ""
+        echo "Recommended workflow:"
+        echo "  1. Connect to cloud VM: episoda dev ssh $MODULE_UID"
+        echo "  2. Make changes and commit in the cloud environment"
+        echo ""
+        echo "To bypass this warning:"
+        echo "  git commit --no-verify"
+        echo ""
+        exit 1
+      fi
+    fi
+  fi
+
+  # Module branch is allowed (local module or cloud check skipped/failed)
+  exit 0
+fi
+
+# Allow hotfix branches (hotfix/description) for emergency fixes
+if [[ "$BRANCH" == hotfix/* ]]; then
+  exit 0
+fi
+
+# Block main branch with specific message
+if [ "$BRANCH" = "main" ] || [ "$BRANCH" = "master" ]; then
+  echo ""
+  echo "❌ Cannot commit directly to main branch!"
+  echo ""
+  echo "Please create a module first:"
+  echo "  1. Go to https://episoda.dev/workflow"
+  echo "  2. Create a new module (or select existing)"
+  echo "  3. Move it to 'Doing' state to create a branch"
+  echo "  4. Then switch to the module branch:"
+  echo "     git stash && git checkout EP-XXX-... && git stash pop"
+  echo ""
+  echo "To bypass this check (not recommended):"
+  echo "  git commit --no-verify"
+  echo ""
+  exit 1
+fi
+
+# Block all other branches
+echo ""
+echo "❌ Cannot commit on branch '$BRANCH'"
+echo ""
+echo "All work must be done on module branches (EP-XXX-...)."
+echo "This ensures proper tracking and code review workflow."
+echo ""
+echo "Options:"
+echo "  1. Create a module at https://episoda.dev/workflow"
+echo "     Move it to 'Doing' to create a branch, then checkout"
+echo ""
+echo "  2. For emergency hotfixes, use a hotfix/* branch:"
+echo "     git checkout -b hotfix/description"
+echo ""
+echo "To bypass this check (not recommended):"
+echo "  git commit --no-verify"
+echo ""
+exit 1

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+
+export {  }