@john-ezra/openralph 0.1.1

package/src/release-check.ts

@@ -0,0 +1,143 @@
+import { readFile } from "node:fs/promises"
+import { homedir } from "node:os"
+import { join, normalize } from "node:path"
+import { pathToFileURL } from "node:url"
+import { runCommand } from "./exec.ts"
+
+export interface ReleaseCheckFinding {
+  file: string
+  line: number
+  reason: string
+  marker: string
+}
+
+export interface ForbiddenPathMarker {
+  reason: string
+  value: string
+}
+
+export interface ReleaseCheckResult {
+  files: string[]
+  findings: ReleaseCheckFinding[]
+}
+
+interface NpmPackFile {
+  path?: string
+}
+
+interface NpmPackEntry {
+  files?: NpmPackFile[]
+}
+
+export async function runReleaseCheck(cwd = process.cwd()): Promise<ReleaseCheckResult> {
+  const [trackedFiles, packedFiles] = await Promise.all([listGitTrackedFiles(cwd), listNpmPackFiles(cwd)])
+  const files = uniqueSorted([...trackedFiles, ...packedFiles])
+  const findings = await scanFilesForForbiddenPaths(cwd, files, buildForbiddenPathMarkers(cwd))
+  return { files, findings }
+}
+
+export function buildForbiddenPathMarkers(projectRoot: string, home = homedir()): ForbiddenPathMarker[] {
+  const markers: ForbiddenPathMarker[] = []
+  const seen = new Set<string>()
+
+  addMarker(markers, seen, pathToFileURL(normalizePath(home)).href, "file URL pointing into the current user's home directory")
+  addMarker(markers, seen, normalizePath(home), "absolute path under the current user's home directory")
+  addMarker(markers, seen, normalizePath(projectRoot), "absolute path into this local OpenRalph checkout")
+
+  return markers
+}
+
+export async function scanFilesForForbiddenPaths(
+  cwd: string,
+  files: string[],
+  markers = buildForbiddenPathMarkers(cwd),
+): Promise<ReleaseCheckFinding[]> {
+  const findings: ReleaseCheckFinding[] = []
+
+  for (const file of files) {
+    let content: Buffer
+    try {
+      content = await readFile(join(cwd, file))
+    } catch (error) {
+      if (isMissingFileError(error)) continue
+      throw error
+    }
+
+    if (content.includes(0)) continue
+
+    const lines = content.toString("utf8").split(/\r?\n/)
+    for (let index = 0; index < lines.length; index += 1) {
+      for (const marker of markers) {
+        if (lines[index].includes(marker.value)) {
+          findings.push({ file, line: index + 1, reason: marker.reason, marker: marker.value })
+          break
+        }
+      }
+    }
+  }
+
+  return findings
+}
+
+function addMarker(markers: ForbiddenPathMarker[], seen: Set<string>, value: string, reason: string): void {
+  if (!value || value === "/" || seen.has(value)) return
+  seen.add(value)
+  markers.push({ value, reason })
+}
+
+function normalizePath(path: string): string {
+  return normalize(path).replace(/\/$/, "")
+}
+
+function isMissingFileError(error: unknown): boolean {
+  return typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT"
+}
+
+async function listGitTrackedFiles(cwd: string): Promise<string[]> {
+  const result = await runCommand("git", ["ls-files", "-z"], cwd)
+  if (result.exitCode !== 0) throw new Error(`git ls-files failed: ${result.stderr.trim() || "unknown error"}`)
+  return result.stdout.split("\0").filter(Boolean)
+}
+
+async function listNpmPackFiles(cwd: string): Promise<string[]> {
+  const result = await runCommand("npm", ["pack", "--dry-run", "--json"], cwd)
+  if (result.exitCode !== 0) throw new Error(`npm pack --dry-run failed: ${result.stderr.trim() || "unknown error"}`)
+
+  let entries: NpmPackEntry[]
+  try {
+    entries = JSON.parse(result.stdout.trim()) as NpmPackEntry[]
+  } catch (error) {
+    throw new Error(`npm pack --dry-run returned invalid JSON: ${formatError(error)}`)
+  }
+  return entries.flatMap((entry) => entry.files?.map((file) => file.path).filter((path): path is string => Boolean(path)) ?? [])
+}
+
+function uniqueSorted(values: string[]): string[] {
+  return [...new Set(values)].sort()
+}
+
+function formatFindings(findings: ReleaseCheckFinding[]): string {
+  return [
+    "Release path check failed: found local machine paths in public files.",
+    ...findings.map((finding) => `${finding.file}:${finding.line}: ${finding.reason}: ${finding.marker}`),
+  ].join("\n")
+}
+
+function formatError(error: unknown): string {
+  return error instanceof Error ? error.message : String(error)
+}
+
+if (import.meta.main) {
+  try {
+    const result = await runReleaseCheck()
+    if (result.findings.length > 0) {
+      process.stderr.write(`${formatFindings(result.findings)}\n`)
+      process.exit(1)
+    }
+
+    process.stdout.write(`Release path check passed: scanned ${result.files.length} public files.\n`)
+  } catch (error) {
+    process.stderr.write(`Release path check failed: ${error instanceof Error ? error.message : String(error)}\n`)
+    process.exit(1)
+  }
+}

package/src/sentinels.ts

@@ -0,0 +1,23 @@
+export const PLAN_COMPLETE = "RALPH_PLAN_COMPLETE"
+export const ITERATION_COMPLETE = "RALPH_ITERATION_COMPLETE"
+export const BUILD_COMPLETE = "RALPH_COMPLETE"
+export const BUILD_BLOCKED = "RALPH_BLOCKED"
+
+export type BuildSentinel = "complete" | "iteration-complete" | "blocked" | "none"
+
+export function isPlanComplete(output: string): boolean {
+  return output.includes(PLAN_COMPLETE)
+}
+
+export function detectBuildSentinel(output: string): BuildSentinel {
+  let detected: BuildSentinel = "none"
+
+  for (const line of output.split(/\r?\n/)) {
+    const trimmed = line.trim()
+    if (trimmed === BUILD_COMPLETE) detected = "complete"
+    else if (trimmed === ITERATION_COMPLETE) detected = "iteration-complete"
+    else if (trimmed === BUILD_BLOCKED) detected = "blocked"
+  }
+
+  return detected
+}

package/src/tags.ts

@@ -0,0 +1,22 @@
+export function createBuildRunId(date = new Date()): string {
+  return createTimestampId(date)
+}
+
+export function createTimestampId(date = new Date()): string {
+  const year = date.getFullYear()
+  const month = pad(date.getMonth() + 1)
+  const day = pad(date.getDate())
+  const hour = pad(date.getHours())
+  const minute = pad(date.getMinutes())
+  const second = pad(date.getSeconds())
+  return `${year}${month}${day}-${hour}${minute}${second}`
+}
+
+export function createBuildTagName(runId: string, index: number): string {
+  if (!Number.isInteger(index) || index < 1) throw new Error("tag index must be a positive integer")
+  return `openralph/build-${runId}/${String(index).padStart(3, "0")}`
+}
+
+function pad(value: number): string {
+  return String(value).padStart(2, "0")
+}

package/src/trust.ts

@@ -0,0 +1,116 @@
+import { randomBytes } from "node:crypto"
+import { access, mkdtemp, readFile, rm, writeFile } from "node:fs/promises"
+import { tmpdir } from "node:os"
+import { isAbsolute, join, relative } from "node:path"
+
+export const DOCKER_TOKEN_PATH = "/run/openralph/docker-token"
+
+export interface TrustDeps {
+  containerEvidence?: () => Promise<boolean>
+  dockerTokenPath?: string
+  pathExists?: (path: string) => Promise<boolean>
+  readTextFile?: (path: string) => Promise<string>
+}
+
+export interface HostLoopToken {
+  env: Record<string, string>
+  cleanup: () => Promise<void>
+}
+
+export async function hasDockerMarker(env: NodeJS.ProcessEnv = process.env, deps: TrustDeps = {}): Promise<boolean> {
+  if (env.OPENRALPH_IN_DOCKER === "1") return true
+  if (env.OPENRALPH_DOCKER_TOKEN) return true
+  return hasContainerEvidence(deps)
+}
+
+export async function attestDockerEnvironment(env: NodeJS.ProcessEnv = process.env, deps: TrustDeps = {}): Promise<boolean> {
+  const token = env.OPENRALPH_DOCKER_TOKEN
+  if (!token || token.trim() === "") return false
+  if (!(await hasContainerEvidence(deps))) return false
+
+  try {
+    const fileToken = await readText(deps.dockerTokenPath ?? DOCKER_TOKEN_PATH, deps)
+    return fileToken.length > 0 && fileToken === token
+  } catch {
+    return false
+  }
+}
+
+export async function authorizeLoopChild(
+  env: NodeJS.ProcessEnv = process.env,
+  projectRoot?: string,
+  deps: TrustDeps = {},
+): Promise<boolean> {
+  if (env.OPENRALPH_LOOP_CHILD !== "1") return false
+  if (await attestDockerEnvironment(env, deps)) return true
+  return authorizeHostLoopChild(env, projectRoot, deps)
+}
+
+export async function authorizeHostLoopChild(
+  env: NodeJS.ProcessEnv = process.env,
+  projectRoot?: string,
+  deps: TrustDeps = {},
+): Promise<boolean> {
+  const token = env.OPENRALPH_HOST_LOOP_TOKEN
+  const tokenFile = env.OPENRALPH_HOST_LOOP_TOKEN_FILE
+  if (!token || token.trim() === "" || !tokenFile || !isAbsolute(tokenFile)) return false
+  if (projectRoot && isPathInside(projectRoot, tokenFile)) return false
+
+  try {
+    const fileToken = await readText(tokenFile, deps)
+    return fileToken.length > 0 && fileToken === token
+  } catch {
+    return false
+  }
+}
+
+export async function createHostLoopToken(): Promise<HostLoopToken> {
+  const tempDir = await mkdtemp(join(tmpdir(), "openralph-host-child-"))
+  const token = randomBytes(32).toString("hex")
+  const tokenFile = join(tempDir, "token")
+  await writeFile(tokenFile, token)
+
+  return {
+    env: {
+      OPENRALPH_HOST_LOOP_TOKEN: token,
+      OPENRALPH_HOST_LOOP_TOKEN_FILE: tokenFile,
+    },
+    cleanup: () => rm(tempDir, { recursive: true, force: true }),
+  }
+}
+
+async function hasContainerEvidence(deps: TrustDeps): Promise<boolean> {
+  if (deps.containerEvidence) return deps.containerEvidence()
+
+  const hasExpectedPaths = (await pathExists("/workspace", deps)) && (await pathExists("/opt/openralph", deps))
+  if (!hasExpectedPaths) return false
+
+  if (await pathExists("/.dockerenv", deps)) return true
+
+  try {
+    const cgroup = await readText("/proc/1/cgroup", deps)
+    return /docker|containerd|kubepods|podman/i.test(cgroup)
+  } catch {
+    return false
+  }
+}
+
+async function pathExists(path: string, deps: TrustDeps): Promise<boolean> {
+  if (deps.pathExists) return deps.pathExists(path)
+  try {
+    await access(path)
+    return true
+  } catch {
+    return false
+  }
+}
+
+async function readText(path: string, deps: TrustDeps): Promise<string> {
+  if (deps.readTextFile) return deps.readTextFile(path)
+  return readFile(path, "utf8")
+}
+
+function isPathInside(root: string, path: string): boolean {
+  const rel = relative(root, path)
+  return rel !== "" && !rel.startsWith("..") && !isAbsolute(rel)
+}