@formigio/fazemos-cli 0.10.17 → 0.10.20

package/dist/index.js

@@ -10,8 +10,9 @@ import { isProjectConnectionUnavailable, renderProjectConnectionUnavailableCopy,
 import { loadYaml, summarize } from './yaml/load.js';
 import { printFindings, printJson } from './yaml/format.js';
 import { validateManifest } from './manifest/checks.js';
-import { findLocalRegistry, resolveRole, buildInboxFile, writeInboxFile, buildNotificationPayload, gitCommitInboxFile, } from './dispatch.js';
+import { findLocalRegistry, resolveRole, buildInboxFile, writeInboxFile, writeInboxFileAtPath, buildRolesSyncPayload, findUnprocessedInboxFiles, computeFileHash, gitCommitInboxFile, } from './dispatch.js';
 import { execSync } from 'child_process';
+import { parseExecutionsJson, resolveWaitOptions, waitForPipelines, buildAwsCommand, validateExecutionEntry, } from './wait-for-pipeline.js';
 import { readFileSync, readdirSync, writeFileSync, mkdirSync, existsSync, statSync } from 'fs';
 import { fileURLToPath } from 'url';
 import { dirname, resolve, basename } from 'path';
@@ -4475,6 +4476,70 @@ pipelines
         process.exit(1);
     }
 });
+// ── P8/I55 — deploy-completion gate ──
+// Poll one or more CodePipeline executions until each reaches a terminal state.
+// Shells out to the `aws` CLI via execSync (no @aws-sdk dependency, consistent
+// with the existing CLI pattern); credentials arrive via the ECS task-role
+// metadata service inside the agent container. Exit-code contract (spec §3.3):
+//   0 Succeeded (or empty map) · 2 Failed/Stopped · 3 Superseded · 4 timeout · 5 aws-call-failure.
+pipelines
+    .command('wait-for-pipeline')
+    .description('Poll CodePipeline execution(s) until terminal; exit 0 on Succeeded, non-zero with a structured diagnostic otherwise (deploy-completion gate)')
+    .argument('[execution-id]', 'CodePipeline pipeline-execution-id (single-pair form; requires --pipeline). Omit when using --executions-json.')
+    .option('--pipeline <name>', 'CodePipeline name (required with the single-pair form; execution-id is only unique within a pipeline)')
+    .option('--executions-json <json>', 'Bulk form: JSON map of {pipelineName: executionId}. Empty/{} is a documented no-op (exit 0).')
+    .option('--timeout <duration>', 'Total wall-clock budget (15m, 900s, or 900). Default 15m.')
+    .option('--poll-interval <duration>', 'Per-poll sleep (floor 60s; values below are clamped + warned). Default 60s.')
+    .option('--region <region>', 'AWS region (reads AWS_REGION/AWS_DEFAULT_REGION, else us-west-2). Passed explicitly to every aws call.')
+    .action(async (executionId, opts) => {
+    try {
+        // Build the (pipeline, executionId) list from whichever form was used.
+        let executions;
+        if (opts.executionsJson !== undefined) {
+            if (executionId || opts.pipeline) {
+                console.error(chalk.red('wait-for-pipeline: pass EITHER --executions-json OR an execution-id + --pipeline, not both'));
+                process.exit(1);
+            }
+            executions = parseExecutionsJson(opts.executionsJson);
+        }
+        else {
+            if (!executionId) {
+                console.error(chalk.red('wait-for-pipeline: an execution-id (with --pipeline) or --executions-json is required'));
+                process.exit(1);
+            }
+            if (!opts.pipeline) {
+                console.error(chalk.red('wait-for-pipeline: --pipeline <name> is required with the single-pair form (execution-id is only unique within a pipeline)'));
+                process.exit(1);
+            }
+            validateExecutionEntry(opts.pipeline, executionId);
+            executions = [{ pipeline: opts.pipeline, executionId }];
+        }
+        const waitOptions = resolveWaitOptions({
+            timeout: opts.timeout,
+            pollInterval: opts.pollInterval,
+            region: opts.region,
+        });
+        // AwsRunner: shell out to the aws CLI, capturing stdout. On non-zero exit
+        // execSync throws an Error carrying .stderr — the gate logic reads it.
+        const aws = (args) => {
+            const cmd = buildAwsCommand(args);
+            return execSync(cmd, {
+                encoding: 'utf-8',
+                stdio: ['ignore', 'pipe', 'pipe'],
+                // Default 1MB can spuriously throw on a large get-pipeline-state
+                // response; that would map to AWS_CALL_FAILED (exit 5) incorrectly.
+                maxBuffer: 10 * 1024 * 1024,
+            });
+        };
+        const exitCode = await waitForPipelines(executions, waitOptions, { aws });
+        process.exit(exitCode);
+    }
+    catch (err) {
+        // Configuration / parse errors (bad --executions-json, bad --timeout, etc.)
+        console.error(chalk.red(err.message));
+        process.exit(1);
+    }
+});
 const step = pipelines.command('step').description('Pipeline step commands');
 step
     .command('list')
@@ -8173,21 +8238,26 @@ Examples:
 });
 // ── `fazemos dispatch` — role-to-role dispatch ─────────────────────
 //
-// Writes an inbox markdown file in the recipient role's operating dir and
-// calls POST /api/notifications/dispatch so the API can fire any
-// configured human-filler notifications (Slack today).
+// F26 data flow (API write-through, Dex S-B):
+//   1. Resolve recipient via .fazemos/roles.json
+//   2. POST /api/dispatches (API writes DB row + fires fan-out + returns file_path)
+//   3. CLI writes inbox file at the returned file_path
+//   4. --commit git-adds the file
 //
-// Recipients are resolved via `.fazemos/roles.json` walked up from cwd.
-// Cross-workspace roles are followed via the local registry's
-// `cross_workspace_roles` block.
+// Legacy / degraded mode (--file-only):
+//   Skips the API call and writes only the local file.
+//   Used by not-yet-migrated playbooks and offline work.
 //
 // Example:
 //   fazemos dispatch founder question --from business-strategist \
 //     --body "Should we ship F19 before F7?" --priority high --commit
 program
     .command('dispatch <to> <type>')
-    .description(`Write an inbox markdown file in <to>'s operating dir and (optionally) fire
-notifications via the API.
+    .description(`Send a role-to-role dispatch. Calls POST /api/dispatches (API writes DB row
++ fires fan-out, returns file_path), then CLI writes the inbox file.
+
+Use --file-only to skip the API and write only the local file (degraded/offline
+mode, for not-yet-migrated playbooks).
 
 Recipients are resolved via the nearest .fazemos/roles.json registry, walking
 up from the current directory. Cross-workspace recipients are followed via
@@ -8198,11 +8268,11 @@ Types: question | task | signal | response | flag | decision | direction`)
     .option('--body <text>', 'markdown body of the dispatch (or use --body-file)')
     .option('--body-file <path>', 'read body from a file')
     .option('--priority <level>', 'low | normal | high', 'normal')
-    .option('--re <ref>', 'optional reference (worksheet id, file path, etc.)')
-    .option('--thread <id>', 'optional prior item id this responds to')
+    .option('--re <ref>', 'optional reference (worksheet id, feature token, etc.)')
+    .option('--thread <id>', 'optional prior dispatch id this is threaded to')
     .option('--expires-at <iso>', 'optional deadline (ISO 8601)')
     .option('--commit', 'git add + commit the inbox file after writing')
-    .option('--no-notify', 'skip the API notification call (file-only)')
+    .option('--file-only', 'skip API call, write only the local inbox file (offline/legacy mode)')
     .action(async (to, type, opts) => {
     try {
         // Validate type
@@ -8241,35 +8311,76 @@ Types: question | task | signal | response | flag | decision | direction`)
             thread: opts.thread,
             expiresAt: opts.expiresAt,
         };
-        // Build + write file
         const { filename, content, summary } = buildInboxFile(input);
-        const fullPath = writeInboxFile(registry._workspaceRoot, role, filename, content);
-        const relPath = fullPath.startsWith(registry._workspaceRoot)
-            ? fullPath.slice(registry._workspaceRoot.length + 1)
-            : fullPath;
-        console.log(chalk.green(`✓ Wrote inbox file:`));
-        console.log(`  ${chalk.cyan(fullPath)}`);
-        console.log(`  Workspace: ${registry.workspace}  Filler: ${role.filler.identity} (${role.filler.type})`);
-        // Notify (unless --no-notify)
-        if (opts.notify !== false) {
+        let fullPath;
+        let relPath;
+        if (opts.fileOnly) {
+            // ── Legacy / offline mode: write file directly, skip API ────────
+            fullPath = writeInboxFile(registry._workspaceRoot, role, filename, content);
+            relPath = fullPath.startsWith(registry._workspaceRoot)
+                ? fullPath.slice(registry._workspaceRoot.length + 1)
+                : fullPath;
+            console.log(chalk.green(`✓ Wrote inbox file (--file-only):`));
+            console.log(`  ${chalk.cyan(fullPath)}`);
+            console.log(`  Workspace: ${registry.workspace}  Filler: ${role.filler.identity} (${role.filler.type})`);
+            console.log(chalk.gray('  (API not called — file-only mode)'));
+        }
+        else {
+            // ── F26 API write-through (Dex S-B) ─────────────────────────────
+            const reqBody = {
+                to,
+                from: opts.from,
+                type,
+                priority: opts.priority ?? 'normal',
+                body,
+                thread_id: opts.thread ?? null,
+                re: opts.re ? [opts.re] : null,
+                expires_at: opts.expiresAt ?? null,
+                source: 'cli',
+            };
+            let apiResp;
             try {
-                const payload = buildNotificationPayload(input, role, relPath, summary);
-                const resp = await api('POST', '/api/notifications/dispatch', payload);
-                if (resp.notified) {
-                    console.log(chalk.green(`✓ Notification fired: ${resp.channel}`));
-                }
-                else {
-                    console.log(chalk.gray(`  (no notification fired — ${resp.reason ?? 'unknown'})`));
-                }
+                apiResp = await api('POST', '/api/dispatches', reqBody);
             }
             catch (err) {
+                // If API is unavailable, fall back to file-only with a warning
                 const msg = err instanceof Error ? err.message : String(err);
-                console.log(chalk.yellow(`  warning: notification call failed — ${msg}`));
-                console.log(chalk.yellow(`  (inbox file was still written successfully)`));
+                console.log(chalk.yellow(`  warning: API call failed (${msg}), falling back to --file-only`));
+                fullPath = writeInboxFile(registry._workspaceRoot, role, filename, content);
+                relPath = fullPath.startsWith(registry._workspaceRoot)
+                    ? fullPath.slice(registry._workspaceRoot.length + 1)
+                    : fullPath;
+                console.log(chalk.green(`✓ Wrote inbox file (fallback):`));
+                console.log(`  ${chalk.cyan(fullPath)}`);
+                if (opts.commit) {
+                    try {
+                        gitCommitInboxFile(registry._workspaceRoot, relPath, `dispatch(${opts.from} → ${to}): ${type}`);
+                        console.log(chalk.green('✓ Committed.'));
+                    }
+                    catch (cerr) {
+                        console.log(chalk.yellow(`  warning: commit failed — ${cerr instanceof Error ? cerr.message : String(cerr)}`));
+                    }
+                }
+                return;
+            }
+            // API returned file_path — CLI writes the actual file (Dex S-B)
+            if (apiResp.file_path) {
+                fullPath = writeInboxFileAtPath(registry._workspaceRoot, apiResp.file_path, content);
+                relPath = apiResp.file_path;
+            }
+            else {
+                // API didn't return a file_path (e.g. cross-workspace agent recipient) — write locally
+                fullPath = writeInboxFile(registry._workspaceRoot, role, filename, content);
+                relPath = fullPath.startsWith(registry._workspaceRoot)
+                    ? fullPath.slice(registry._workspaceRoot.length + 1)
+                    : fullPath;
+            }
+            console.log(chalk.green(`✓ Dispatch created (id: ${apiResp.id}):`));
+            console.log(`  ${chalk.cyan(fullPath)}`);
+            console.log(`  Workspace: ${registry.workspace}  Filler: ${role.filler.identity} (${role.filler.type})`);
+            if (apiResp.thread_id && apiResp.thread_id !== apiResp.id) {
+                console.log(`  Thread: ${apiResp.thread_id}`);
             }
-        }
-        else {
-            console.log(chalk.gray('  (--no-notify; API not called)'));
         }
         // Commit if requested
         if (opts.commit) {
@@ -8288,6 +8399,156 @@ Types: question | task | signal | response | flag | decision | direction`)
         process.exit(1);
     }
 });
+// ── `fazemos roles sync` — upsert roles.json into role_registrations ──
+//
+// F26 (Dex M2): reads cognito_sub from roles.json filler entries and
+// POSTs to POST /api/role-registrations/sync. Fails loud if a human
+// filler lacks cognito_sub (required for inbox mapping).
+program
+    .command('roles sync')
+    .description(`Upsert roles from the nearest .fazemos/roles.json into role_registrations
+via POST /api/role-registrations/sync.
+
+Human fillers MUST have cognito_sub set in roles.json (Dex M2). The command
+fails with a clear error if any human filler is missing it.
+
+Run after editing roles.json to sync inbox access to the API.`)
+    .option('--org-id <id>', 'explicit org ID (defaults to active org from config)')
+    .option('--project-id <id>', 'explicit project ID (defaults to active project from config)')
+    .option('--dry-run', 'build and print the payload without sending to the API')
+    .action(async (opts) => {
+    try {
+        const localRegistry = findLocalRegistry(process.cwd());
+        if (!localRegistry) {
+            throw new Error(`No .fazemos/roles.json found in cwd or any parent. ` +
+                `Run from inside a Fazemos-aware workspace.`);
+        }
+        const orgId = opts.orgId ?? getActiveOrgId() ?? null;
+        const projectId = opts.projectId ?? getActiveProjectId() ?? null;
+        // buildRolesSyncPayload validates cognito_sub and throws loud if missing
+        const payload = buildRolesSyncPayload(localRegistry, orgId, projectId);
+        if (opts.dryRun) {
+            console.log(chalk.cyan('Dry run — payload that would be sent:'));
+            console.log(JSON.stringify(payload, null, 2));
+            return;
+        }
+        const result = await api('POST', '/api/role-registrations/sync', payload, { noProjectHeader: true });
+        console.log(chalk.green(`✓ Roles synced: ${result.synced} registration(s) upserted`));
+        if (result.roles?.length) {
+            for (const slug of result.roles) {
+                console.log(`  ${chalk.cyan(slug)}`);
+            }
+        }
+    }
+    catch (err) {
+        console.error(chalk.red(err instanceof Error ? err.message : String(err)));
+        process.exit(1);
+    }
+});
+// ── `fazemos dispatch-backfill` — phase-B one-time import ────────────
+//
+// F26: Imports UNPROCESSED inbox files as dispatches with source='migration'.
+// Idempotent on content hash — files already imported are skipped.
+// Used once to seed the DB from the existing file-based inbox history.
+// NOTE: hyphenated to avoid Commander conflict with `dispatch <to> <type>`.
+program
+    .command('dispatch-backfill')
+    .description(`Phase-B one-time import of unprocessed inbox files as dispatches
+(status=unread, source=migration). Idempotent: files already imported
+are skipped (content-hash dedup). Skips any file that has a corresponding
+entry in the role's processed/ directory.
+
+Run from the workspace root where roles/*/inbox/ directories live.`)
+    .option('--roles-dir <path>', 'relative path to roles directory', 'roles')
+    .option('--dry-run', 'list files that would be imported without sending to API')
+    .option('--limit <n>', 'max files to import in one run', (v) => parseInt(v, 10))
+    .action(async (opts) => {
+    try {
+        const localRegistry = findLocalRegistry(process.cwd());
+        if (!localRegistry) {
+            throw new Error(`No .fazemos/roles.json found in cwd or any parent. ` +
+                `Run from inside a Fazemos-aware workspace.`);
+        }
+        const files = findUnprocessedInboxFiles(localRegistry._workspaceRoot, opts.rolesDir ?? 'roles');
+        if (files.length === 0) {
+            console.log(chalk.gray('No unprocessed inbox files found.'));
+            return;
+        }
+        const limit = opts.limit ?? files.length;
+        const toProcess = files.slice(0, limit);
+        if (opts.dryRun) {
+            console.log(chalk.cyan(`Dry run — ${toProcess.length} file(s) would be imported:`));
+            for (const f of toProcess) {
+                const hash = computeFileHash(f.content);
+                console.log(`  ${chalk.gray(hash.slice(0, 8))}  ${f.relativePath}`);
+            }
+            return;
+        }
+        let imported = 0;
+        let skipped = 0;
+        const errors = [];
+        for (const f of toProcess) {
+            try {
+                // Extract frontmatter fields for the API call
+                const fmMatch = f.content.match(/^---\n([\s\S]*?)\n---/);
+                let from = f.rolePath; // fallback: role dir name
+                let to = f.rolePath;
+                let type = 'signal';
+                let priority = 'normal';
+                if (fmMatch) {
+                    const fm = fmMatch[1];
+                    const fromM = fm.match(/^from:\s*(.+)$/m);
+                    const toM = fm.match(/^to:\s*(.+)$/m);
+                    const typeM = fm.match(/^type:\s*(.+)$/m);
+                    const prioM = fm.match(/^priority:\s*(.+)$/m);
+                    if (fromM)
+                        from = fromM[1].trim();
+                    if (toM)
+                        to = toM[1].trim();
+                    if (typeM)
+                        type = typeM[1].trim();
+                    if (prioM)
+                        priority = prioM[1].trim();
+                }
+                // Body = content after the closing ---
+                const bodyMatch = f.content.match(/^---\n[\s\S]*?\n---\n\n?([\s\S]*)$/);
+                const body = bodyMatch ? bodyMatch[1].trim() : f.content.trim();
+                const reqBody = {
+                    to,
+                    from,
+                    type,
+                    priority,
+                    body,
+                    no_notify: true, // backfill is historical — never fire Slack fan-out
+                    source: 'migration',
+                };
+                await api('POST', '/api/dispatches', reqBody);
+                imported++;
+                console.log(chalk.green(`  ✓ ${f.relativePath}`));
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                // 409 = already imported (content hash dedup on server side)
+                if (msg.includes('409') || msg.toLowerCase().includes('already imported')) {
+                    skipped++;
+                    console.log(chalk.gray(`  ~ ${f.relativePath} (already imported)`));
+                }
+                else {
+                    errors.push(`${f.relativePath}: ${msg}`);
+                    console.log(chalk.yellow(`  ✗ ${f.relativePath}: ${msg}`));
+                }
+            }
+        }
+        console.log();
+        console.log(`Backfill complete: ${chalk.green(String(imported))} imported, ${chalk.gray(String(skipped))} skipped, ${errors.length > 0 ? chalk.red(String(errors.length)) : '0'} errors`);
+        if (errors.length > 0)
+            process.exit(1);
+    }
+    catch (err) {
+        console.error(chalk.red(err instanceof Error ? err.message : String(err)));
+        process.exit(1);
+    }
+});
 program
     .command('dispatch-list-roles')
     .description('List roles available in the nearest .fazemos/roles.json registry')