@grainulation/orchard 1.0.2 → 1.1.0

package/CONTRIBUTING.md

@@ -63,7 +63,7 @@ The key architectural principle: **orchard operates above individual sprints.**
 
 - Zero dependencies. If you need something, write it or use Node built-ins.
 - No transpilation. Ship what you write.
-- ESM imports (`import`/`export`). Node 18+ required.
+- ESM imports (`import`/`export`). Node 20+ required.
 - Keep functions small. If a function needs a scroll, split it.
 - No emojis in code, CLI output, or dashboards.
 

package/README.md

@@ -3,7 +3,7 @@
 </p>
 
 <p align="center">
-  <a href="https://www.npmjs.com/package/@grainulation/orchard"><img src="https://img.shields.io/npm/v/@grainulation/orchard" alt="npm version"></a> <a href="https://www.npmjs.com/package/@grainulation/orchard"><img src="https://img.shields.io/npm/dm/@grainulation/orchard" alt="npm downloads"></a> <a href="https://github.com/grainulation/orchard/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-green" alt="license"></a> <a href="https://nodejs.org"><img src="https://img.shields.io/node/v/@grainulation/orchard" alt="node"></a> <a href="https://github.com/grainulation/orchard/actions"><img src="https://github.com/grainulation/orchard/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
+  <a href="https://www.npmjs.com/package/@grainulation/orchard"><img src="https://img.shields.io/npm/v/@grainulation/orchard?label=%40grainulation%2Forchard" alt="npm version"></a> <a href="https://www.npmjs.com/package/@grainulation/orchard"><img src="https://img.shields.io/npm/dm/@grainulation/orchard" alt="npm downloads"></a> <a href="https://github.com/grainulation/orchard/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-green" alt="license"></a> <a href="https://nodejs.org"><img src="https://img.shields.io/node/v/@grainulation/orchard" alt="node"></a> <a href="https://github.com/grainulation/orchard/actions"><img src="https://github.com/grainulation/orchard/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
   <a href="https://deepwiki.com/grainulation/orchard"><img src="https://deepwiki.com/badge.svg" alt="Explore on DeepWiki"></a>
 </p>
 

package/bin/orchard.js

@@ -24,6 +24,7 @@ const COMMANDS = {
   dashboard: "Generate unified HTML dashboard",
   serve: "Start the portfolio dashboard web server",
   connect: "Connect to a farmer instance",
+  next: "Show sprints ready for grainulator execution",
   doctor: "Check health of orchard setup",
   help: "Show this help message",
 };
@@ -336,6 +337,16 @@ async function main() {
       }
       break;
     }
+    case "next": {
+      const { emitInstructions, printNext } = require("../lib/emit.js");
+      if (jsonMode) {
+        const instructions = emitInstructions(config, root);
+        console.log(JSON.stringify(instructions, null, 2));
+      } else {
+        printNext(config, root);
+      }
+      break;
+    }
     case "doctor": {
       const { runChecks, printReport } = require("../lib/doctor.js");
       const result = runChecks(root || process.cwd());

package/lib/emit.js

@@ -0,0 +1,72 @@
+"use strict";
+
+const fs = require("node:fs");
+const path = require("node:path");
+const { findReady } = require("./sync.js");
+
+/**
+ * Emit grainulator-compatible instructions for all ready sprints.
+ *
+ * Reads findReady() output + each sprint's claims.json meta to build
+ * a structured instruction per sprint: { dir, question, tools, model }.
+ *
+ * @param {object} config - Parsed orchard.json
+ * @param {string} root   - Orchard root directory
+ * @returns {object[]} Array of grainulator instructions
+ */
+function emitInstructions(config, root) {
+  const ready = findReady(config, root);
+  const instructions = [];
+
+  for (const sprint of ready) {
+    const sprintDir = path.resolve(root, sprint.path);
+    const claimsPath = path.join(sprintDir, "claims.json");
+
+    let question = sprint.question || null;
+
+    // Try to extract question from claims.json meta if not in orchard config
+    if (!question) {
+      try {
+        const raw = fs.readFileSync(claimsPath, "utf8");
+        const data = JSON.parse(raw);
+        question = data.meta?.question || null;
+      } catch {
+        // No claims.json or unreadable -- skip this sprint
+      }
+    }
+
+    if (!question) continue;
+
+    instructions.push({
+      dir: sprintDir,
+      question,
+      tools: ["Read", "Write", "Edit", "Bash", "Glob", "Grep", "WebSearch", "WebFetch"],
+      model: sprint.model || "sonnet",
+    });
+  }
+
+  return instructions;
+}
+
+/**
+ * Print ready sprint instructions to stdout (CLI-friendly).
+ */
+function printNext(config, root) {
+  const instructions = emitInstructions(config, root);
+
+  if (instructions.length === 0) {
+    console.log("\n  No sprints are ready. Check dependencies with `orchard plan`.\n");
+    return instructions;
+  }
+
+  console.log(`\n  ${instructions.length} sprint(s) ready:\n`);
+  for (const inst of instructions) {
+    console.log(`  - ${path.basename(inst.dir)}`);
+    console.log(`    Question: ${inst.question}`);
+    console.log(`    Run: /grainulator:research "${inst.question}"\n`);
+  }
+
+  return instructions;
+}
+
+module.exports = { emitInstructions, printNext };

package/lib/farmer.js

@@ -5,13 +5,27 @@ const path = require("node:path");
 const http = require("node:http");
 const https = require("node:https");
 
+/** Track whether we have already warned about missing token */
+let _warnedNoToken = false;
+
 /**
  * POST an activity event to farmer.
  * Graceful failure -- catch and warn, never crash.
  * @param {string} farmerUrl - Base URL of farmer (e.g. http://localhost:9090)
  * @param {object} event - Event object (e.g. { type: "scan", data: {...} })
+ * @param {object} [opts] - Options
+ * @param {string} [opts.token] - Bearer token for Authorization header
  */
-function notify(farmerUrl, event) {
+function notify(farmerUrl, event, opts) {
+  const token = (opts && opts.token) || null;
+
+  if (!token && !_warnedNoToken) {
+    _warnedNoToken = true;
+    process.stderr.write(
+      "[orchard] no farmer token configured -- requests are unauthenticated\n",
+    );
+  }
+
   return new Promise((resolve) => {
     try {
       const payload = JSON.stringify({
@@ -23,16 +37,21 @@ function notify(farmerUrl, event) {
       const url = new URL(`${farmerUrl}/hooks/activity`);
       const transport = url.protocol === "https:" ? https : http;
 
+      const headers = {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+      };
+      if (token) {
+        headers["Authorization"] = `Bearer ${token}`;
+      }
+
       const req = transport.request(
         {
           hostname: url.hostname,
           port: url.port,
           path: url.pathname,
           method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            "Content-Length": Buffer.byteLength(payload),
-          },
+          headers,
           timeout: 5000,
         },
         (res) => {
@@ -76,7 +95,7 @@ async function connect(targetDir, args) {
   const subcommand = args[0];
   if (subcommand !== "farmer") {
     console.error(
-      "Usage: orchard connect farmer [--url http://localhost:9090]",
+      "Usage: orchard connect farmer --url http://localhost:9090 [--token <t>]",
     );
     process.exit(1);
   }
@@ -86,16 +105,29 @@ async function connect(targetDir, args) {
   const urlIdx = args.indexOf("--url");
   if (urlIdx !== -1 && args[urlIdx + 1]) {
     const url = args[urlIdx + 1];
-    const config = { url };
+
+    // Read optional --token flag
+    const tokenIdx = args.indexOf("--token");
+    const token = tokenIdx !== -1 && args[tokenIdx + 1] ? args[tokenIdx + 1] : null;
+
+    const config = token ? { url, token } : { url };
     fs.writeFileSync(configPath, JSON.stringify(config, null, 2), "utf8");
     console.log(`Farmer connection saved to ${configPath}`);
     console.log(`  URL: ${url}`);
+    if (token) {
+      console.log("  Token: configured");
+    } else {
+      console.log(
+        "  Token: not configured (use --token <t> to enable authenticated requests)",
+      );
+    }
 
     // Test the connection
-    const result = await notify(url, {
-      type: "connect",
-      data: { tool: "orchard" },
-    });
+    const result = await notify(
+      url,
+      { type: "connect", data: { tool: "orchard" } },
+      { token },
+    );
     if (result.ok) {
       console.log("  Connection test: OK");
     } else {
@@ -113,11 +145,47 @@ async function connect(targetDir, args) {
   if (fs.existsSync(configPath)) {
     const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
     console.log(`Farmer connection: ${config.url}`);
+    if (config.token) {
+      console.log("  Token: configured");
+    } else {
+      console.log("  Token: not configured");
+    }
     console.log(`Config: ${configPath}`);
   } else {
     console.log("No farmer connection configured.");
-    console.log("Usage: orchard connect farmer --url http://localhost:9090");
+    console.log(
+      "Usage: orchard connect farmer --url http://localhost:9090 [--token <t>]",
+    );
+  }
+}
+
+/**
+ * Read .farmer.json from a directory.
+ * @param {string} dir - Directory containing .farmer.json
+ * @returns {{ url: string, token?: string } | null}
+ */
+function loadConfig(dir) {
+  const configPath = path.join(dir, ".farmer.json");
+  if (!fs.existsSync(configPath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(configPath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Convenience: read .farmer.json and notify with auth if token exists.
+ * @param {string} dir - Directory containing .farmer.json
+ * @param {object} event - Event object
+ * @returns {Promise<{ok: boolean, status?: number, body?: string, error?: string}>}
+ */
+function notifyFromConfig(dir, event) {
+  const config = loadConfig(dir);
+  if (!config || !config.url) {
+    return Promise.resolve({ ok: false, error: "no farmer configured" });
   }
+  return notify(config.url, event, { token: config.token || null });
 }
 
-module.exports = { connect, notify };
+module.exports = { connect, notify, loadConfig, notifyFromConfig };

package/lib/server.js

@@ -790,6 +790,14 @@ ${ROUTES.map((r) => "<tr><td><code>" + r.method + "</code></td><td><code>" + r.p
   let filePath = url.pathname;
   filePath = join(PUBLIC_DIR, filePath);
 
+  // Prevent directory traversal
+  const resolved = resolve(filePath);
+  if (!resolved.startsWith(PUBLIC_DIR + "/") && resolved !== PUBLIC_DIR) {
+    res.writeHead(403);
+    res.end("Forbidden");
+    return;
+  }
+
   if (existsSync(filePath) && !statSync(filePath).isDirectory()) {
     const ext = extname(filePath);
     const mime = MIME[ext] || "application/octet-stream";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@grainulation/orchard",
-  "version": "1.0.2",
+  "version": "1.1.0",
   "description": "Multi-sprint research orchestrator — coordinate parallel research across teams",
   "main": "lib/planner.js",
   "exports": {
@@ -11,6 +11,7 @@
     "./conflicts": "./lib/conflicts.js",
     "./hackathon": "./lib/hackathon.js",
     "./decompose": "./lib/decompose.js",
+    "./emit": "./lib/emit.js",
     "./doctor": "./lib/doctor.js",
     "./package.json": "./package.json"
   },
@@ -41,7 +42,6 @@
   ],
   "author": "grainulation contributors",
   "license": "MIT",
-  "type": "module",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/grainulation/orchard.git"