@jaimevalasek/aioson 1.7.2 → 1.8.0

package/src/commands/agents.js

@@ -8,14 +8,17 @@ const {
   resolveInstructionPath,
   buildAgentPrompt
 } = require('../agents');
-const { resolveAgentLocale } = require('../locales');
-const { validateProjectContextFile } = require('../context');
+const { normalizeInteractionLanguage } = require('../locales');
+const { validateProjectContextFile, getInteractionLanguage } = require('../context');
 const { exists } = require('../utils');
 const { loadOrCreateState, runWorkflowNext } = require('./workflow-next');
 const {
   bootstrapDirectAgentPrompt,
   classifyDirectAgentRuntime
 } = require('../execution-gateway');
+const { readAutonomyProtocol, resolveEffectiveMode } = require('../autonomy-policy');
+const { readAgentManifest, buildAgentCapabilitySummary } = require('../agent-manifests');
+const { emitSecurityRuntimeEvent } = require('../lib/security/runtime-events');
 
 const WORKFLOW_AGENT_IDS = new Set([
   'setup',
@@ -29,13 +32,59 @@ const WORKFLOW_AGENT_IDS = new Set([
   'qa'
 ]);
 
+function normalizePentesterTargetMode(input) {
+  const mode = String(input || '').trim().toLowerCase();
+  if (!mode) return null;
+  if (mode === 'framework_target' || mode === 'app_target') return mode;
+  return '__invalid__';
+}
+
+function buildPentesterActivationContext(options, t) {
+  const targetMode = normalizePentesterTargetMode(options.mode);
+  if (targetMode === '__invalid__') {
+    throw new Error(t('agents.prompt_invalid_target_mode', { mode: options.mode }));
+  }
+
+  const featureSlug = String(options.feature || options.slug || '').trim();
+  const scope = String(options.scope || '').trim();
+
+  if (targetMode !== 'app_target' && !targetMode) return '';
+
+  if (targetMode === 'app_target' && !featureSlug) {
+    throw new Error(t('agents.prompt_missing_feature_for_app_target'));
+  }
+
+  if (targetMode === 'app_target' && !scope) {
+    throw new Error(t('agents.prompt_missing_scope_for_app_target'));
+  }
+
+  const lines = [`Requested target mode: ${targetMode}.`];
+  if (featureSlug) lines.push(`Feature slug: ${featureSlug}.`);
+  if (scope) lines.push(`Requested scope: ${scope}.`);
+
+  if (targetMode === 'app_target') {
+    lines.push(
+      'Use only the app_target surface catalog (`app_target_ownership_idor`, `app_target_secrets_crypto`, `app_target_injection_xss`, `app_target_insecure_design_race`, `app_target_auth_rate_limit`).'
+    );
+    lines.push(
+      'Do not mix framework surfaces unless the feature explicitly touches AIOSON runtime boundaries and you record a `cross_scope_reason`.'
+    );
+  } else {
+    lines.push(
+      'Preserve the legacy framework surface catalog (`memory_context`, `tool_invocation`, `delegation_handoff`, `protocol_contract`, `secret_handling`, `runtime_permissions`).'
+    );
+  }
+
+  return lines.join('\n');
+}
+
 async function resolveLocaleForTarget(targetDir, options) {
   const fromOption = options.language || options.lang;
-  if (fromOption) return resolveAgentLocale(fromOption);
+  if (fromOption) return normalizeInteractionLanguage(fromOption);
 
   const context = await validateProjectContextFile(targetDir);
-  if (context.parsed && context.data && context.data.conversation_language) {
-    return resolveAgentLocale(context.data.conversation_language);
+  if (context.parsed && context.data) {
+    return getInteractionLanguage(context.data, 'en');
   }
 
   return 'en';
@@ -93,6 +142,9 @@ async function runAgentPrompt({ args, options, logger, t }) {
   let promptAgent = agent;
   let instructionPath = null;
   let prompt = null;
+  let effectiveMode = null;
+  let activationContext = '';
+  let pentesterTargetMode = null;
 
   if (WORKFLOW_AGENT_IDS.has(requestedAgent)) {
     const loaded = await loadOrCreateState(targetDir, options);
@@ -114,12 +166,32 @@ async function runAgentPrompt({ args, options, logger, t }) {
       promptAgent = getAgentDefinition(workflowResult.agent) || agent;
       instructionPath = workflowResult.instructionPath;
       prompt = workflowResult.prompt;
+      effectiveMode = workflowResult.effectiveMode || null;
     }
   }
 
   if (!prompt) {
     instructionPath = await resolveExistingInstructionPath(targetDir, promptAgent, locale);
-    prompt = buildAgentPrompt(promptAgent, tool, { instructionPath });
+    if (promptAgent.id === 'pentester') {
+      pentesterTargetMode = normalizePentesterTargetMode(options.mode);
+      activationContext = buildPentesterActivationContext(options, t);
+    }
+    const autonomyProtocol = await readAutonomyProtocol(targetDir);
+    const manifest = await readAgentManifest(targetDir, promptAgent.id);
+    effectiveMode = resolveEffectiveMode({
+      protocol: autonomyProtocol,
+      tool,
+      agentId: promptAgent.id,
+      manifest,
+      requestedMode: options.mode || null
+    });
+    prompt = buildAgentPrompt(promptAgent, tool, {
+      instructionPath,
+      interactionLanguage: locale,
+      autonomyMode: effectiveMode,
+      capabilitySummary: buildAgentCapabilitySummary(manifest, tool),
+      activationContext
+    });
     const runtimeClass = classifyDirectAgentRuntime(promptAgent.id);
     const handoffLabel = runtimeClass.source === 'squad_session'
       ? 'Squad session handoff'
@@ -140,6 +212,28 @@ async function runAgentPrompt({ args, options, logger, t }) {
   logger.log(t('agents.prompt_title', { agent: promptAgent.id, tool, locale }));
   logger.log(prompt);
 
+  if (
+    promptAgent.id === 'pentester' &&
+    pentesterTargetMode === 'app_target' &&
+    runtime &&
+    runtime.runKey
+  ) {
+    await emitSecurityRuntimeEvent({
+      targetDir,
+      runKey: runtime.runKey,
+      eventType: 'pentester_app_target_invoked',
+      message: `@pentester app_target invoked for ${String(options.feature || options.slug || '').trim()}`,
+      status: 'queued',
+      payload: {
+        target_mode: 'app_target',
+        feature_slug: String(options.feature || options.slug || '').trim(),
+        target_scope: String(options.scope || '').trim(),
+        tool,
+        locale
+      }
+    });
+  }
+
   return {
     ok: true,
     targetDir,
@@ -150,7 +244,8 @@ async function runAgentPrompt({ args, options, logger, t }) {
     locale,
     instructionPath,
     prompt,
-    runtime
+    runtime,
+    effectiveMode
   };
 }
 

package/src/commands/artifact-validate.js

@@ -61,12 +61,13 @@ async function runArtifactValidate({ args, options = {}, logger }) {
     ? (artifacts.implementation_plan.frontmatter.status || 'present')
     : null;
 
-  // Requirement count
+  // Requirement count. Accept both simple IDs (REQ-01) and slugged IDs
+  // (REQ-SDLC-01), because feature contracts use slugged identifiers.
   let reqCount = null;
   if (artifacts.requirements.exists && artifacts.requirements.content) {
-    const reqs = artifacts.requirements.content.match(/\bREQ[-\s]?\d+\b/g) || [];
-    const acs = artifacts.requirements.content.match(/\bAC[-\s]?\d+\b/g) || [];
-    reqCount = `${reqs.length} REQs, ${acs.length} ACs`;
+    const reqs = artifacts.requirements.content.match(/\bREQ(?:-[A-Z0-9]+)+\b/g) || [];
+    const acs = artifacts.requirements.content.match(/\bAC(?:-[A-Z0-9]+)+\b/g) || [];
+    reqCount = `${new Set(reqs).size} REQs, ${new Set(acs).size} ACs`;
   }
 
   // Conformance required?
@@ -138,6 +139,26 @@ async function runArtifactValidate({ args, options = {}, logger }) {
 
   const valid = missing.length === 0;
 
+  // Determine next_missing and next_agent (AC-SDLC-22)
+  const ARTIFACT_OWNER_MAP = {
+    'project.context.md': { agent: '@setup', reason: 'setup not complete' },
+    [`prd-${slug}.md`]: { agent: '@product', reason: 'PRD not produced yet' },
+    [`requirements-${slug}.md`]: { agent: '@analyst', reason: 'requirements not produced yet (Gate A)' },
+    'architecture.md': { agent: '@architect', reason: 'architecture not produced yet (Gate B)' },
+    [`implementation-plan-${slug}.md`]: { agent: '@pm', reason: 'implementation plan not produced yet (Gate C)' },
+    [`spec-${slug}.md`]: { agent: '@analyst', reason: 'spec not produced yet — @analyst seeds the feature memory' },
+    [`conformance-${slug}.yaml`]: { agent: '@analyst', reason: 'conformance contract missing — @analyst creates it for MEDIUM features' }
+  };
+
+  let nextMissing = null;
+  let nextAgent = null;
+  if (!valid && missing.length > 0) {
+    const firstMissing = missing[0];
+    nextMissing = firstMissing.name;
+    const ownerInfo = ARTIFACT_OWNER_MAP[firstMissing.name];
+    if (ownerInfo) nextAgent = `${ownerInfo.agent} (${ownerInfo.reason})`;
+  }
+
   const result = {
     ok: valid,
     feature: slug,
@@ -150,6 +171,8 @@ async function runArtifactValidate({ args, options = {}, logger }) {
     })),
     missing_required: missing.map((c) => c.name),
     missing_optional: missingOptional.map((c) => c.name),
+    next_missing: nextMissing,
+    next_agent: nextAgent,
     integrity: valid ? 'VALID' : 'INVALID'
   };
 
@@ -181,6 +204,12 @@ async function runArtifactValidate({ args, options = {}, logger }) {
     logger.log(`Missing optional: ${missingOptional.map((c) => c.name).join(', ')} (${classification || 'SMALL'} — acceptable)`);
   }
 
+  if (!valid && nextAgent) {
+    logger.log('');
+    logger.log(`Next missing: ${nextMissing}`);
+    logger.log(`Next agent: ${nextAgent}`);
+  }
+
   logger.log('');
 
   return result;

package/src/commands/auth.js

@@ -0,0 +1,272 @@
+'use strict';
+
+const http = require('http');
+const crypto = require('crypto');
+const readline = require('readline');
+const { exec } = require('child_process');
+const { readConfig, writeConfig, CONFIG_DIR } = require('./config');
+
+const DEFAULT_BASE_URL = 'https://aioson.com';
+
+function resolveBaseUrl(config, options = {}) {
+  return String(options['base-url'] || config.aiosonBaseUrl || DEFAULT_BASE_URL).replace(/\/+$/, '');
+}
+
+async function fetchAuthMe(baseUrl, token) {
+  try {
+    const response = await fetch(`${baseUrl}/api/me`, {
+      headers: { authorization: `Bearer ${token}`, accept: 'application/json' },
+      signal: AbortSignal.timeout(8000)
+    });
+    if (response.ok) {
+      const data = await response.json();
+      return data.user || data;
+    }
+  } catch {
+    // API unreachable
+  }
+  return null;
+}
+
+// ─── Detectar ambiente sem browser ───────────────────────────────────────
+
+function isHeadlessEnv() {
+  // WSL2, SSH sem X11, CI
+  if (process.env.WSL_DISTRO_NAME || process.env.WSL_INTEROP) return true;
+  if (process.env.CI) return true;
+  if (process.env.SSH_CLIENT && !process.env.DISPLAY) return true;
+  return false;
+}
+
+function openBrowser(url) {
+  return new Promise((resolve) => {
+    const platform = process.platform;
+    const cmd =
+      platform === 'darwin' ? `open "${url}"` :
+      platform === 'win32'  ? `start "" "${url}"` :
+                              `xdg-open "${url}"`;
+    exec(cmd, { timeout: 5000 }, (err) => resolve(!err));
+  });
+}
+
+// ─── Fluxo A: callback local (Mac/Windows nativos) ────────────────────────
+
+function callbackLogin(baseUrl, state, logger, t) {
+  return new Promise((resolve, reject) => {
+    let settled = false;
+    function done(err, value) {
+      if (settled) return;
+      settled = true;
+      if (err) reject(err); else resolve(value);
+    }
+
+    const timeout = setTimeout(() => {
+      server.close();
+      done(new Error(t('auth.browser_timeout')));
+    }, 120_000);
+
+    const server = http.createServer((req, res) => {
+      const url = new URL(req.url, 'http://localhost');
+      if (url.pathname !== '/callback') { res.writeHead(404); res.end(); return; }
+
+      const token = url.searchParams.get('token');
+      const receivedState = url.searchParams.get('state');
+
+      if (receivedState !== state || !token) {
+        res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+        res.end(htmlPage('Erro', 'State inválido ou token ausente. Tente novamente.', false));
+        server.close(); clearTimeout(timeout);
+        done(new Error(t('auth.browser_state_mismatch')));
+        return;
+      }
+
+      res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+      res.end(htmlPage('Autenticado!', 'Login realizado. Pode fechar esta aba e voltar ao terminal.', true));
+      server.close(); clearTimeout(timeout);
+      done(null, token);
+    });
+
+    server.on('error', (err) => {
+      clearTimeout(timeout);
+      done(new Error(`${t('auth.browser_server_error')}: ${err.message}`));
+    });
+
+    server.listen(0, '127.0.0.1');
+    server.once('listening', () => resolve({ _server: server, _port: server.address().port }));
+  });
+}
+
+// ─── Fluxo B: paste — CLI mostra URL, usuário cola o token ───────────────
+
+async function pasteLogin(baseUrl, logger, t) {
+  const state = crypto.randomBytes(16).toString('hex');
+  const loginUrl = `${baseUrl}/auth/cli?state=${state}`;
+
+  logger.log('');
+  logger.log(t('auth.paste_open_browser'));
+  logger.log('');
+  logger.log(`  ${loginUrl}`);
+  logger.log('');
+  logger.log(t('auth.paste_instruction'));
+  logger.log('');
+
+  // Tentar abrir browser automaticamente (ignora falha)
+  openBrowser(loginUrl).catch(() => {});
+
+  // Aguardar input do usuário
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  const token = await new Promise((resolve) => {
+    rl.question(`${t('auth.paste_token_prompt')} `, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+
+  if (!token) throw new Error(t('auth.paste_no_token'));
+  return token;
+}
+
+// ─── Login principal ──────────────────────────────────────────────────────
+
+async function runAuthLogin({ args, options, logger, t }) {
+  const tokenOpt = String(options.token || '').trim();
+  const config = await readConfig();
+  const baseUrl = resolveBaseUrl(config, options);
+
+  let token = tokenOpt;
+
+  if (!token) {
+    const headless = isHeadlessEnv() || options['no-browser'];
+
+    if (headless) {
+      // Fluxo B: paste
+      try {
+        token = await pasteLogin(baseUrl, logger, t);
+      } catch (err) {
+        logger.log(t('auth.browser_failed', { error: err.message }));
+        return { ok: false, error: { code: 'paste_login_failed' } };
+      }
+    } else {
+      // Fluxo A: callback local, com fallback para paste se browser não abrir
+      const state = crypto.randomBytes(16).toString('hex');
+      let server, port;
+
+      try {
+        const result = await new Promise((resolve, reject) => {
+          const s = http.createServer();
+          s.listen(0, '127.0.0.1', () => resolve({ server: s, port: s.address().port }));
+          s.on('error', reject);
+        });
+        server = result.server;
+        port = result.port;
+      } catch {
+        // Sem servidor local → paste
+        token = await pasteLogin(baseUrl, logger, t);
+      }
+
+      if (server && port) {
+        const callbackUrl = `http://127.0.0.1:${port}/callback`;
+        const loginUrl = `${baseUrl}/auth/cli?callback=${encodeURIComponent(callbackUrl)}&state=${state}`;
+
+        const opened = await openBrowser(loginUrl);
+
+        if (!opened) {
+          // Browser não abriu → paste
+          server.close();
+          token = await pasteLogin(baseUrl, logger, t);
+        } else {
+          logger.log(t('auth.browser_opening'));
+          logger.log(t('auth.browser_waiting'));
+
+          // Aguardar callback
+          token = await new Promise((resolve, reject) => {
+            const timeout = setTimeout(() => {
+              server.close();
+              reject(new Error(t('auth.browser_timeout')));
+            }, 120_000);
+
+            server.on('request', (req, res) => {
+              const url = new URL(req.url, 'http://localhost');
+              if (url.pathname !== '/callback') { res.writeHead(404); res.end(); return; }
+              const t2 = url.searchParams.get('token');
+              const s2 = url.searchParams.get('state');
+              if (s2 !== state || !t2) {
+                res.writeHead(400, { 'Content-Type': 'text/html; charset=utf-8' });
+                res.end(htmlPage('Erro', 'State inválido. Tente novamente.', false));
+                server.close(); clearTimeout(timeout);
+                reject(new Error('State inválido'));
+                return;
+              }
+              res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+              res.end(htmlPage('Autenticado!', 'Pode fechar esta aba e voltar ao terminal.', true));
+              server.close(); clearTimeout(timeout);
+              resolve(t2);
+            });
+          });
+        }
+      }
+    }
+  }
+
+  logger.log('');
+  logger.log(t('auth.login_verifying'));
+  const user = await fetchAuthMe(baseUrl, token);
+
+  config.aiosonToken = token;
+  if (baseUrl !== DEFAULT_BASE_URL) config.aiosonBaseUrl = baseUrl;
+  if (user?.username) config.aiosonUsername = user.username;
+  await writeConfig(config);
+
+  if (user?.username) {
+    logger.log(t('auth.login_ok', { username: user.username, path: CONFIG_DIR }));
+  } else {
+    logger.log(t('auth.login_saved', { path: CONFIG_DIR }));
+  }
+
+  return { ok: true, username: user?.username || null };
+}
+
+async function runAuthLogout({ args, options, logger, t }) {
+  const config = await readConfig();
+  delete config.aiosonToken;
+  delete config.aiosonUsername;
+  await writeConfig(config);
+  logger.log(t('auth.logout_ok'));
+  return { ok: true };
+}
+
+async function runAuthStatus({ args, options, logger, t }) {
+  const config = await readConfig();
+  const token = config.aiosonToken;
+
+  if (!token) {
+    logger.log(t('auth.status_not_authenticated'));
+    logger.log(t('auth.login_hint'));
+    return { ok: true, authenticated: false };
+  }
+
+  const baseUrl = resolveBaseUrl(config, options);
+  logger.log(t('auth.status_checking'));
+  const user = await fetchAuthMe(baseUrl, token);
+
+  if (user?.username) {
+    logger.log(t('auth.status_ok', { username: user.username }));
+    return { ok: true, authenticated: true, username: user.username, apiReachable: true };
+  }
+
+  const savedUsername = config.aiosonUsername || '?';
+  logger.log(t('auth.status_token_offline', { username: savedUsername }));
+  return { ok: true, authenticated: true, username: savedUsername, apiReachable: false };
+}
+
+function htmlPage(title, message, success) {
+  const color = success ? '#22c55e' : '#ef4444';
+  const icon = success ? '✓' : '✗';
+  return `<!DOCTYPE html><html lang="pt-BR"><head><meta charset="UTF-8"><title>AIOSON CLI — ${title}</title>
+<style>body{margin:0;font-family:system-ui,sans-serif;background:#0f1117;color:#e8eaf0;display:flex;align-items:center;justify-content:center;min-height:100vh;text-align:center}
+.card{background:#1a1d27;border:1px solid #2e334d;border-radius:14px;padding:40px 48px;max-width:420px}
+.icon{font-size:40px;margin-bottom:16px;color:${color}}h1{font-size:22px;font-weight:700;margin:0 0 10px}p{color:#9ca3af;margin:0;line-height:1.6}</style>
+</head><body><div class="card"><div class="icon">${icon}</div><h1>${title}</h1><p>${message}</p></div></body></html>`;
+}
+
+module.exports = { runAuthLogin, runAuthLogout, runAuthStatus };

package/src/commands/brain-query.js

@@ -0,0 +1,44 @@
+'use strict';
+
+const path = require('node:path');
+const { splitCsv, queryBrains, formatBrainNodesCompact } = require('../brain-query');
+
+async function runBrainQuery({ args, options = {}, logger }) {
+  const targetDir = path.resolve(process.cwd(), args[0] || '.');
+  const result = await queryBrains({
+    targetDir,
+    tags: splitCsv(options.tags),
+    matchMode: options.match || 'any',
+    minQuality: options['min-quality'] || options.minQuality || 0,
+    agent: options.agent || '',
+    verdicts: splitCsv(options.verdict),
+    ids: splitCsv(options.id),
+    avoidOnly: Boolean(options.avoid)
+  });
+
+  if (options.json) return result;
+
+  if (!result.ok) {
+    logger.log(result.warnings.join('\n') || result.reason || 'Brain query failed.');
+    return result;
+  }
+
+  if (result.warnings.length > 0) {
+    for (const warning of result.warnings) logger.log(`Warning: ${warning}`);
+  }
+
+  const format = options.format || 'compact';
+  if (format === 'ids') {
+    logger.log(result.nodes.map((node) => node.id).join('\n'));
+  } else if (format === 'json') {
+    logger.log(JSON.stringify(result.nodes, null, 2));
+  } else {
+    logger.log(formatBrainNodesCompact(result.nodes));
+  }
+  logger.log(`${result.nodes.length} node(s) matched across ${result.brainFiles.length} brain file(s)`);
+  return result;
+}
+
+module.exports = {
+  runBrainQuery
+};