@growthub/cli 0.13.9 → 0.14.0

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-resolver-proposal.js

@@ -0,0 +1,200 @@
+/**
+ * Workspace Resolver Proposal V1 — the governed resolver-file lane for the
+ * helper, aligned to AWaC topology + the Causation-ITT loop.
+ *
+ * AWaC boundary: a resolver is a SERVER FILE under
+ * lib/adapters/integrations/resolvers/, NOT workspace config. It therefore must
+ * NOT travel through the PATCH allowlist (dashboards|widgetTypes|canvas|
+ * dataModel). It is its own proposal lane with affectedField "server-file",
+ * gated by the same filesystem/read-only persistence rule, and it emits a
+ * receipt — so "state → eligibility → guidance → action → evidence" closes.
+ *
+ * This module is PURE (build/validate/generate). The actual confined fs write
+ * lives in lib/server-resolver-write.js (server-only). Secret-safe: the
+ * generated resolver reads its secret from the server env at run time via the
+ * authRef candidate keys — never an inlined value.
+ */
+
+const RESOLVER_PROPOSAL_TYPE = "resolver.create";
+const RESOLVER_AFFECTED_FIELD = "server-file";
+const RESOLVER_DIR = "lib/adapters/integrations/resolvers";
+
+function clean(value) {
+  return String(value == null ? "" : value).trim();
+}
+
+function slugify(value, fallback = "resolver") {
+  const slug = clean(value)
+    .toLowerCase()
+    .replace(/\.js$/, "")
+    .replace(/[^a-z0-9-]/g, "-")
+    .replace(/-+/g, "-")
+    .replace(/^-|-$/g, "")
+    .slice(0, 64);
+  return slug || fallback;
+}
+
+function envCandidates(ref) {
+  const token = clean(ref).replace(/[^a-z0-9]+/gi, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  if (!token) return [];
+  return Array.from(new Set([token, `${token}_API_KEY`, `${token}_TOKEN`]));
+}
+
+/**
+ * Confine a resolver filename to the resolver dir. Mirrors the register-resolver
+ * route's traversal guard so the studio previews exactly what the write accepts.
+ */
+function resolveResolverFilePath(name) {
+  const base = slugify(name, "resolver");
+  if (base.includes("/") || base.includes("..")) {
+    return { ok: false, path: null, filename: null, dir: RESOLVER_DIR, error: "resolver filename must not contain path segments" };
+  }
+  const filename = `${base}.js`;
+  return { ok: true, path: `${RESOLVER_DIR}/${filename}`, filename, dir: RESOLVER_DIR, error: null };
+}
+
+function safeJsString(value) {
+  return JSON.stringify(clean(value));
+}
+
+/**
+ * Generate a concrete, runnable resolver module for a specific API. baseUrl /
+ * endpoint / rootPath / idField are baked in from the registry row + the
+ * response profile, so the file works for THIS API. The secret is read from the
+ * server env via the authRef candidate keys at run time — never inlined.
+ */
+function generateResolverCode({ integrationId, baseUrl, endpoint, method, authRef, headerName, prefix, rootPath, idField, entityType }) {
+  const id = slugify(integrationId, "integration");
+  const url = `${clean(baseUrl).replace(/\/+$/, "")}/${clean(endpoint).replace(/^\/+/, "")}`.replace(/\/$/, "") || clean(baseUrl) || clean(endpoint);
+  const m = (clean(method).toUpperCase() || "GET");
+  const candidates = envCandidates(authRef);
+  const header = clean(headerName) || "authorization";
+  const pfx = clean(prefix);
+  const root = clean(rootPath);
+  const idf = clean(idField) || "id";
+  const ent = clean(entityType) || "records";
+
+  return `// Resolver for "${id}" — generated by the governed helper resolver studio.
+// Server file. Reads its secret from the server env at run time (candidates:
+// ${candidates.join(", ") || "none"}); never hard-code a secret here.
+import { registerSourceResolver } from "../source-resolver-registry.js";
+
+const ENV_CANDIDATES = ${JSON.stringify(candidates)};
+function readSecret() {
+  for (const key of ENV_CANDIDATES) {
+    if (process.env[key]) return process.env[key];
+  }
+  return "";
+}
+function valueAtPath(obj, path) {
+  if (!path) return obj;
+  return String(path).split(".").filter(Boolean).reduce((acc, part) => (acc == null ? acc : acc[part]), obj);
+}
+
+registerSourceResolver({
+  integrationId: ${safeJsString(id)},
+  label: ${safeJsString(`${id} (${ent})`)},
+  // fetchRecords runs server-side. Secret stays in the server env.
+  fetchRecords: async () => {
+    const secret = readSecret();
+    const res = await fetch(${safeJsString(url)}, {
+      method: ${safeJsString(m)},
+      headers: {
+        accept: "application/json",
+        ...(secret ? { ${safeJsString(header)}: ${pfx ? `\`${pfx} \${secret}\`` : "secret"} } : {}),
+      },
+    });
+    const raw = res.headers.get("content-type")?.includes("application/json") ? await res.json() : await res.text();
+    const extracted = valueAtPath(raw, ${safeJsString(root)});
+    const items = Array.isArray(extracted) ? extracted : (Array.isArray(raw) ? raw : []);
+    return items.map((item, index) => ({
+      id: item && item[${safeJsString(idf)}] != null ? String(item[${safeJsString(idf)}]) : String(index),
+      ...item,
+    }));
+  },
+});
+`;
+}
+
+/**
+ * Build an inert resolver.create proposal. Carries the target path, the
+ * generated code, security notes, and the resolver's input/output contract.
+ * Nothing is written until the apply lane writes the file (gated).
+ */
+function buildResolverProposal(input = {}) {
+  const integrationId = slugify(input.integrationId, "integration");
+  const target = resolveResolverFilePath(integrationId);
+  const code = generateResolverCode({
+    integrationId,
+    baseUrl: input.baseUrl,
+    endpoint: input.endpoint,
+    method: input.method,
+    authRef: input.authRef,
+    headerName: input.headerName,
+    prefix: input.prefix,
+    rootPath: input.rootPath,
+    idField: input.idField,
+    entityType: input.entityType,
+  });
+  return {
+    type: RESOLVER_PROPOSAL_TYPE,
+    affectedField: RESOLVER_AFFECTED_FIELD,
+    rationale: `Generate a server resolver that shapes ${integrationId}'s response${clean(input.rootPath) ? ` at "${clean(input.rootPath)}"` : ""} into governed rows.`,
+    confidence: 0.85,
+    target,
+    language: "javascript",
+    code,
+    security: [
+      "Server file — only written in filesystem mode (read-only runtimes get a 409 + guidance).",
+      "Reads its secret from the server env at run time; never inlines a value.",
+      `Path confined to ${RESOLVER_DIR}.`,
+    ],
+    contract: {
+      inputs: ["registry baseUrl/endpoint", `authRef env (${envCandidates(input.authRef).join(", ") || "none"})`],
+      output: `Record[] with a stable id (from "${clean(input.idField) || "id"}").`,
+    },
+    payload: {
+      integrationId,
+      rootPath: clean(input.rootPath),
+      entityType: clean(input.entityType) || "records",
+      filename: target.filename,
+    },
+  };
+}
+
+/**
+ * Validate a resolver.create proposal before the apply lane writes it.
+ * Returns { ok, error }.
+ */
+function validateResolverProposal(proposal) {
+  if (!proposal || proposal.type !== RESOLVER_PROPOSAL_TYPE) {
+    return { ok: false, error: "not a resolver.create proposal" };
+  }
+  if (proposal.affectedField !== RESOLVER_AFFECTED_FIELD) {
+    return { ok: false, error: `resolver.create affectedField must be "${RESOLVER_AFFECTED_FIELD}"` };
+  }
+  const target = proposal.target || resolveResolverFilePath(proposal.payload?.integrationId);
+  if (!target || !target.ok) {
+    return { ok: false, error: target?.error || "invalid resolver target path" };
+  }
+  const code = clean(proposal.code);
+  if (!code) return { ok: false, error: "resolver code is empty" };
+  if (!code.includes("registerSourceResolver")) {
+    return { ok: false, error: "resolver code must call registerSourceResolver()" };
+  }
+  if (!target.filename.endsWith(".js")) {
+    return { ok: false, error: "resolver file must have a .js extension" };
+  }
+  return { ok: true, error: null, target };
+}
+
+export {
+  RESOLVER_PROPOSAL_TYPE,
+  RESOLVER_AFFECTED_FIELD,
+  RESOLVER_DIR,
+  resolveResolverFilePath,
+  generateResolverCode,
+  buildResolverProposal,
+  validateResolverProposal,
+  envCandidates,
+};

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/package.json

@@ -4,7 +4,7 @@
   "private": true,
   "type": "module",
   "scripts": {
-    "dev": "next dev",
+    "dev": "next dev --webpack",
     "build": "next build --webpack",
     "start": "next start",
     "lint": "next lint"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@growthub/cli",
-  "version": "0.13.9",
+  "version": "0.14.0",
   "description": "CLI control plane for Growthub Local and Agent Workspace as Code: export, fork, inspect, operate, sync, and optionally activate governed AI workspaces.",
   "type": "module",
   "bin": {