@juspay/shooter 1.21.0 → 1.22.0

package/src/lib/modules/client/dashboard/decide-injection.ts

@@ -0,0 +1,127 @@
+// Pure, deterministic auto-inject safety logic for the phone-resident autonomous loop.
+// No I/O, no LLM. Fully unit-testable (tests/decide-injection.test.cjs).
+// See docs/superpowers/specs/2026-06-01-phone-autonomous-agent-design.md
+// §"Auto-inject safety model".
+
+import type {
+  CommandVerdict,
+  ConsensusResult,
+  GateDecision,
+  InjectionPolicy,
+  InjectionState,
+} from '$lib/types';
+
+/** Default thresholds. Conservative — auto-inject is dangerous, so err toward NOT acting. */
+export const DEFAULT_INJECTION_POLICY: InjectionPolicy = {
+  humanGraceMs: 5_000,
+  injectConfidence: 0.7,
+  maxAutoActions: 8,
+  minIntervalMs: 30_000,
+};
+
+/** Max length of a single injected command. Longer → rejected (likely not one command). */
+const MAX_COMMAND_LENGTH = 400;
+
+/**
+ * Coarse dangerous-payload patterns. This is a SEATBELT, not a security boundary:
+ * auto-inject is the user's accepted risk. We only block the obviously catastrophic.
+ */
+const DANGEROUS_PATTERNS: readonly RegExp[] = [
+  /\brm\s+-[a-z]*r[a-z]*f?\s+(\/|~|\/\*|\$home)/i, // rm -rf /, rm -rf ~, rm -rf /*
+  /\brm\s+-[a-z]*f[a-z]*r?\s+(\/|~|\/\*|\$home)/i, // rm -fr variants
+  /:\(\)\s*\{\s*:\s*\|\s*:\s*&\s*\}\s*;\s*:/, // classic fork bomb :(){ :|:& };:
+  /\bdd\b[^\n]*\bof=\/dev\//i, // dd of=/dev/...
+  />\s*\/dev\/(sd|nvme|disk|hd)/i, // redirect onto a raw disk
+  /\bmkfs(\.[a-z0-9]+)?\b/i, // mkfs, mkfs.ext4, ...
+  /\b(shutdown|reboot|halt|poweroff)\b/i, // power state
+];
+
+/**
+ * The GATE: given a per-terminal snapshot + the current consensus, decide whether the
+ * autonomous loop should act (produce + inject a command). Pure; `now` is passed in so
+ * the function stays deterministic and testable.
+ *
+ * Order matters — the first failing guard short-circuits with a reason.
+ */
+export function decideInjection(
+  state: InjectionState,
+  consensus: ConsensusResult,
+  now: number,
+  policy: InjectionPolicy = DEFAULT_INJECTION_POLICY,
+  opts: { allowTentative?: boolean } = {}
+): GateDecision {
+  const top = consensus.steps[0];
+  if (!top) {
+    return { act: false, reason: 'no consensus step' };
+  }
+  // `tentative` = the 5 distinct lenses didn't reach quorum on the exact next step. That is a
+  // PRECISION filter, not a safety boundary (the real guards are the confidence floor, dedup,
+  // circuit breaker, and guardCommand). For AGENT terminals the injection is a natural-language
+  // PROMPT the agent re-grounds against its goal — not a raw command run verbatim — so a best-
+  // ranked-but-tentative next step is fine and keeps the autonomous loop live instead of stalling
+  // after step 1. Callers pass allowTentative only for agent terminals; shell terminals stay strict.
+  if (top.tentative && !opts.allowTentative) {
+    return { act: false, reason: 'consensus is tentative (no quorum)' };
+  }
+  if (!state.isManaged) {
+    return { act: false, reason: 'terminal is external / read-only (cannot inject)' };
+  }
+  if (state.lastEventType !== 'agent-idle') {
+    return { act: false, reason: `agent not idle (last event: ${state.lastEventType})` };
+  }
+  if (now - state.lastActivityAt < policy.humanGraceMs) {
+    return { act: false, reason: 'recent activity — within human grace window' };
+  }
+  if (now - state.lastInjectedAt < policy.minIntervalMs) {
+    return { act: false, reason: 'rate-limited (min inject interval)' };
+  }
+  if (state.autoActionCount >= policy.maxAutoActions) {
+    return { act: false, reason: 'circuit breaker — max consecutive auto-actions reached' };
+  }
+  if (top.confidence < policy.injectConfidence) {
+    return { act: false, reason: `confidence ${top.confidence.toFixed(2)} below floor` };
+  }
+  if (state.lastActedStep !== null && normalizeStep(top.text) === state.lastActedStep) {
+    return { act: false, reason: 'already acted on this step' };
+  }
+  return { act: true, reason: 'idle + high-confidence consensus', step: top };
+}
+
+/**
+ * Vet a CONCRETE command (produced by the decide step) before it is written to the PTY:
+ * single-line, length-bounded, not obviously catastrophic, not a duplicate of the last one.
+ */
+export function guardCommand(command: string, lastInjectedCommand: null | string): CommandVerdict {
+  const trimmed = command.trim();
+  if (trimmed.length === 0) {
+    return { command: trimmed, reason: 'empty command', safe: false };
+  }
+  if (/[\r\n]/.test(command)) {
+    return {
+      command: trimmed,
+      reason: 'multi-line command rejected (single command only)',
+      safe: false,
+    };
+  }
+  if (trimmed.length > MAX_COMMAND_LENGTH) {
+    return { command: trimmed, reason: `command too long (> ${MAX_COMMAND_LENGTH})`, safe: false };
+  }
+  for (const pattern of DANGEROUS_PATTERNS) {
+    if (pattern.test(trimmed)) {
+      return { command: trimmed, reason: 'matches a dangerous-command pattern', safe: false };
+    }
+  }
+  if (lastInjectedCommand !== null && trimmed === lastInjectedCommand.trim()) {
+    return { command: trimmed, reason: 'duplicate of last injected command', safe: false };
+  }
+  return { command: trimmed, reason: 'ok', safe: true };
+}
+
+/** Normalize a step text for dedup comparison (mirror of the consensus normalizer). */
+export function normalizeStep(text: string): string {
+  return text
+    .toLowerCase()
+    .trim()
+    .replace(/\s+/g, ' ')
+    .replace(/[.,;:!?]+$/, '');
+}

package/src/lib/modules/client/dashboard/store.svelte.ts

@@ -238,6 +238,18 @@ async function connectWs(apiKey: string): Promise<void> {
   }
 }
 
+// Claude Code injects these wrappers as "user" messages (slash-command caveats, system reminders,
+// etc.); none is the real goal. Mirror of SYSTEM_TAG_PREFIXES in server/sessions/jsonl-reader.ts.
+const HARNESS_TAG_PREFIXES = [
+  '<local-command',
+  '<command-name>',
+  '<command-message>',
+  '<command-args>',
+  '<system-reminder>',
+  '<task-notification>',
+  'Caveat:',
+];
+
 function extractGoalText(content: string | { content?: string; type: string }[]): string {
   let text = '';
   if (typeof content === 'string') {
@@ -246,7 +258,10 @@ function extractGoalText(content: string | { content?: string; type: string }[])
     const textPart = content.find((p) => p.type === 'text');
     text = textPart?.content ?? '';
   }
-  return text.slice(0, 200).trim();
+  const trimmed = text.slice(0, 200).trim();
+  // A harness wrapper is not the user's goal — skip it so the caller keeps scanning for the real one
+  // (this is what let "<local-command-caveat>Caveat: …" become the pinned goal).
+  return isHarnessText(trimmed) ? '' : trimmed;
 }
 
 async function fetchTerminals(apiKey: string): Promise<void> {
@@ -291,8 +306,6 @@ function getApiKey(): string {
   return '';
 }
 
-// -- Public API -----------------------------------------------------------
-
 function handleWsMessage(raw: RawEvent): void {
   const type = raw.type as string | undefined;
   if (!type || type === 'welcome') {
@@ -367,6 +380,12 @@ function handleWsMessage(raw: RawEvent): void {
   sessions = sortSessions(sessions);
 }
 
+function isHarnessText(text: string): boolean {
+  return HARNESS_TAG_PREFIXES.some((p) => text.startsWith(p));
+}
+
+// -- Public API -----------------------------------------------------------
+
 function makeSessionState(t: DashboardTerminalRecord): SessionState {
   return {
     command: t.command,
@@ -435,14 +454,17 @@ function mergeSessions(
       if (prev.status !== 'error') {
         prev.status = mapStatus(t.status);
       }
-      // Schedule goal extraction if still missing
-      if (!prev.goal) {
+      // Schedule goal extraction if still missing — but never for an exited terminal (its socket
+      // would open, get a session-end, and the poll would keep reopening it).
+      if (!prev.goal && t.exitedAt === null && t.status !== 'exited') {
         void openSessionSocket(t.id);
       }
     } else {
       map.set(t.id, makeSessionState(t));
-      // Open a session WS for goal extraction on newly discovered terminals
-      void openSessionSocket(t.id);
+      // Open a session WS for goal extraction on newly discovered (live) terminals only
+      if (t.exitedAt === null && t.status !== 'exited') {
+        void openSessionSocket(t.id);
+      }
     }
   }
 
@@ -495,6 +517,12 @@ async function openSessionSocket(terminalId: string): Promise<void> {
         }
         const data = raw as Record<string, unknown>;
 
+        // Session ended — stop watching (no goal will ever arrive on this socket).
+        if (data.type === 'session-end') {
+          closeSessionSocket(terminalId);
+          return;
+        }
+
         // Check if we already have a goal for this terminal
         const currentSession = sessions.find((s) => s.terminalId === terminalId);
         const hasGoal = currentSession?.goal && currentSession.goal.length > 0;
@@ -517,25 +545,23 @@ async function openSessionSocket(terminalId: string): Promise<void> {
             `[DashboardStore] Found ${messages.length} messages, looking for first user message...`
           );
 
-          // Find first user message and extract goal
+          // Find the FIRST non-harness user message and use it as the goal. Keep scanning past
+          // harness-only messages (slash-command caveats, system reminders) so they never become
+          // the goal — and do NOT close the socket when none is found yet: closing here made the
+          // 15s poll reopen it every cycle (the session-watcher churn).
           for (const m of messages) {
-            if (m.role === 'user') {
-              const goal = extractGoalText(m.content);
-              console.log(
-                `[DashboardStore] Extracted goal for ${terminalId}: "${goal.substring(0, 50)}..."`
-              );
-
-              if (goal) {
-                updateSessionGoal(terminalId, goal);
-              }
-              // Goal extracted — close the socket, we no longer need it
+            if (m.role !== 'user') {
+              continue;
+            }
+            const goal = extractGoalText(m.content);
+            if (goal) {
+              updateSessionGoal(terminalId, goal);
+              syncEngineGoal(terminalId, goal);
               closeSessionSocket(terminalId);
               return;
             }
           }
-
-          console.log(`[DashboardStore] No user message found in history for ${terminalId}`);
-          // No user message yet — keep socket open for incoming messages
+          // No real user goal in history yet — keep the socket open for incoming live messages.
           return;
         }
 
@@ -546,10 +572,8 @@ async function openSessionSocket(terminalId: string): Promise<void> {
             data.content as string | { content?: string; type: string }[]
           );
           if (goal) {
-            console.log(
-              `[DashboardStore] Extracted goal from message for ${terminalId}: "${goal.substring(0, 50)}..."`
-            );
             updateSessionGoal(terminalId, goal);
+            syncEngineGoal(terminalId, goal);
             closeSessionSocket(terminalId);
           }
           return;
@@ -625,6 +649,23 @@ function sortSessions(list: SessionState[]): SessionState[] {
   });
 }
 
+// Push a freshly-extracted goal to the SERVER-side autopilot engine so its per-cycle LLM context is
+// anchored to the real user intent. Without this the engine always ran goal-less: its goal store
+// was only reachable via this route, which nothing ever called (the client only updated local
+// state). Best-effort — the engine may not be running (503); the next extraction retries.
+function syncEngineGoal(terminalId: string, goal: string): void {
+  if (!storedApiKey) {
+    return;
+  }
+  void fetch('/api/autopilot/goal', {
+    body: JSON.stringify({ goal, terminalId }),
+    headers: { Authorization: `Bearer ${storedApiKey}`, 'Content-Type': 'application/json' },
+    method: 'POST',
+  }).catch(() => {
+    // best-effort; nothing to do on failure
+  });
+}
+
 function triggerSummarization(session: SessionState): void {
   session.isSummarizing = true;
 

package/src/lib/modules/client/neurolink/fetch-proxy.ts

@@ -25,7 +25,7 @@ export function installFetchProxy(): void {
   globalThis.fetch = async (input: RequestInfo | URL, init?: RequestInit): Promise<Response> => {
     const url = typeof input === 'string' ? input : input instanceof URL ? input.href : input.url;
 
-    const provider = Object.entries(PROXY_PREFIXES).find(([prefix]) => url.startsWith(prefix))?.[1];
+    const provider = resolveProvider(url);
 
     if (!provider) {
       return originalFetch(input, init);
@@ -68,3 +68,40 @@ export function installFetchProxy(): void {
     });
   };
 }
+
+/**
+ * The runtime LiteLLM base URL injected by the root layout into window.process.env, or ''.
+ * Read via window['process'] (bracket access) so the bundler does NOT constant-fold it: a
+ * direct `globalThis.process.env` gets frozen to Node's build-time env by Vite/Rollup, which
+ * never contains the runtime-injected value.
+ */
+function litellmBaseUrl(): string {
+  if (typeof window === 'undefined') {
+    return '';
+  }
+  // eslint-disable-next-line @typescript-eslint/dot-notation -- bracket access is deliberate: it stops the bundler constant-folding process.env to the build-time value
+  const proc = (window as unknown as Record<string, unknown>)['process'] as
+    | undefined
+    | { env?: Record<string, string | undefined> };
+  const base = proc?.env?.LITELLM_BASE_URL;
+  return typeof base === 'string' ? base : '';
+}
+
+/**
+ * Resolve which proxy provider (if any) a URL routes through. Static cloud prefixes plus the
+ * runtime LiteLLM base URL — LiteLLM is self-hosted at a configurable origin, so its prefix
+ * is not known at build time and must be read from the injected env.
+ */
+function resolveProvider(url: string): string | undefined {
+  const staticMatch = Object.entries(PROXY_PREFIXES).find(([prefix]) =>
+    url.startsWith(prefix)
+  )?.[1];
+  if (staticMatch) {
+    return staticMatch;
+  }
+  const base = litellmBaseUrl();
+  if (base && url.startsWith(base)) {
+    return 'litellm';
+  }
+  return undefined;
+}

package/src/lib/modules/server/apn/apns-payload.ts

@@ -0,0 +1,50 @@
+// Pure: cap an APNs JSON payload to APNs' size limit by truncating the alert body (then the
+// subtitle) so a long agent message can't blow past the ~4 KB cap and 413 / fail to deliver.
+// No imports — unit-tested in isolation (tests/apns-payload.test.cjs).
+
+/** APNs caps an alert payload at 4096 bytes; leave headroom for transport framing. */
+export const APNS_MAX_BYTES = 3900;
+
+const ELLIPSIS = '…';
+
+/**
+ * Shrink an APNs payload so its JSON fits under `maxBytes`. Truncates `alert.body` first (the
+ * agent's last message — the usual culprit), then `alert.subtitle`, marking cuts with an
+ * ellipsis. Mutates and returns `body`. Title and custom data are preserved.
+ */
+export function fitApnsPayload(
+  body: Record<string, unknown>,
+  maxBytes: number = APNS_MAX_BYTES
+): Record<string, unknown> {
+  if (payloadBytes(body) <= maxBytes) {
+    return body;
+  }
+  const aps = body.aps as Record<string, unknown> | undefined;
+  const alert = aps?.alert as Record<string, unknown> | undefined;
+  if (!alert) {
+    return body; // nothing safely trimmable (e.g. silent push) — leave as-is
+  }
+  for (const field of ['body', 'subtitle'] as const) {
+    if (payloadBytes(body) <= maxBytes) {
+      break;
+    }
+    const value = alert[field];
+    if (typeof value !== 'string' || value.length === 0) {
+      continue;
+    }
+    let text = value;
+    while (payloadBytes(body) > maxBytes && text.length > 0) {
+      const cut = Math.max(1, Math.ceil(text.length * 0.12));
+      text = text.slice(0, text.length - cut);
+      // When a field is fully truncated away, OMIT it (undefined → dropped by JSON.stringify)
+      // rather than leaving an empty string — applies to body as well as subtitle.
+      alert[field] = text.length > 0 ? text + ELLIPSIS : undefined;
+    }
+  }
+  return body;
+}
+
+/** UTF-8 byte length of the JSON-serialised payload. */
+function payloadBytes(body: Record<string, unknown>): number {
+  return Buffer.byteLength(JSON.stringify(body), 'utf8');
+}

package/src/lib/modules/server/apn/library-apns.ts

@@ -6,6 +6,7 @@ import jwt from 'jsonwebtoken';
 import { promisify } from 'util';
 
 import { toErrorMessage } from '../utils/error';
+import { fitApnsPayload } from './apns-payload.js';
 
 // APNs delivery via curl. Replaces @parse/node-apn (which times out on Node 24
 // regardless of version: 7.1.0, 8.1.0, both reproduce). Node's native http2 +
@@ -109,7 +110,48 @@ export class LibraryAPNsService {
       void _ignoredAps;
       Object.assign(body, customData);
     }
-    const bodyJson = JSON.stringify(body);
+    return this.deliver(deviceToken, body, 'alert', '10');
+  }
+
+  /**
+   * Send a SILENT (content-available) background push to wake a backgrounded app without
+   * showing an alert — used to wake the phone-resident agent loop so it can run a burst.
+   * Uses apns-push-type:background + apns-priority:5 (required by APNs for silent pushes).
+   * iOS throttles these (a few per hour); delivery is best-effort.
+   */
+  async sendSilentNotification(
+    deviceToken: string,
+    data?: Record<string, unknown>
+  ): Promise<APNsSendResult> {
+    if (!this.configured) {
+      throw new Error('APNs service not configured properly');
+    }
+    if (!deviceToken) {
+      throw new Error('Device token is required');
+    }
+    const body: Record<string, unknown> = { aps: { 'content-available': 1 } };
+    if (data) {
+      const { aps: _ignoredAps, ...customData } = data;
+      void _ignoredAps;
+      Object.assign(body, customData);
+    }
+    return this.deliver(deviceToken, body, 'background', '5');
+  }
+
+  shutdown(): void {
+    // No persistent state to release.
+  }
+
+  /** Shared curl/HTTP-2 delivery. `pushType` is 'alert' | 'background', `priority` '10' | '5'. */
+  private async deliver(
+    deviceToken: string,
+    body: Record<string, unknown>,
+    pushType: 'alert' | 'background',
+    priority: '5' | '10'
+  ): Promise<APNsSendResult> {
+    // Cap the payload to APNs' size limit. A long agent message in alert.body otherwise blows
+    // past ~4 KB → APNs 413 PayloadTooLarge (or curl E2BIG), so the notification never arrives.
+    const bodyJson = JSON.stringify(fitApnsPayload(body));
     const jwtToken = this.getJwt();
     const url = `https://${this.host}/3/device/${deviceToken}`;
 
@@ -127,9 +169,9 @@ export class LibraryAPNsService {
       '-H',
       `authorization: bearer ${jwtToken}`,
       '-H',
-      'apns-push-type: alert',
+      `apns-push-type: ${pushType}`,
       '-H',
-      'apns-priority: 10',
+      `apns-priority: ${priority}`,
       '-d',
       bodyJson,
       '-w',
@@ -171,16 +213,16 @@ export class LibraryAPNsService {
       console.error(`[apns] Delivery failed (status=${status}): ${reason}`);
       return { error: reason, failed: 1, sent: 0, success: false };
     } catch (err) {
-      const msg = toErrorMessage(err);
+      // A failed execFile echoes the whole curl command — which carries the APNs JWT and the
+      // device token. Redact both before logging or returning so they don't leak into logs/responses.
+      const msg = toErrorMessage(err)
+        .replace(/bearer\s+[A-Za-z0-9._-]+/gi, 'bearer [REDACTED]')
+        .replace(/device\/[A-Fa-f0-9]+/g, 'device/[REDACTED]');
       console.error(`[apns] curl transport error: ${msg}`);
       return { error: msg, failed: 1, sent: 0, success: false };
     }
   }
 
-  shutdown(): void {
-    // No persistent state to release.
-  }
-
   private getJwt(): string {
     const now = Date.now();
     if (this.cachedJwt && now - this.cachedJwtAt < JWT_REFRESH_INTERVAL_MS) {

package/src/lib/modules/server/apn/pending-requests.ts

@@ -29,11 +29,13 @@ import Database from 'better-sqlite3';
 import * as fs from 'fs';
 import * as path from 'path';
 
+import { shooterDataDir } from '../utils/shooter-home.js';
+
 export type { PendingRequest };
 
 const MAX_AGE_MS = 5 * 60 * 1000;
 
-const DB_DIR = path.join(process.env.HOME || '', '.shooter');
+const DB_DIR = shooterDataDir();
 const DB_PATH = path.join(DB_DIR, 'shooter.db');
 
 export class PendingRequestsStore {

package/src/lib/modules/server/sessions/autopilot-context.ts

@@ -0,0 +1,57 @@
+// Pure context-building + goal store for the autopilot engine.
+//
+// Kept free of server imports (no pty-manager, no SQLite) so it is unit-testable in isolation,
+// the same way next-step-consensus.ts and decide-injection.ts are.
+//
+// WHY a goal store: the engine builds its LLM context from the last ~12 session events, with no
+// memory of what the session is trying to achieve. After a few autonomous cycles the original
+// goal scrolls out of that window and consensus drifts toward "what the agent just did". Pinning
+// a per-terminal goal and prepending it to every context keeps the lenses (and thus the injected
+// next-steps) anchored. It is also the literal "set it as a goal" the autonomous loop needs.
+
+// Per-terminal goal store. Lives in the engine's module graph; the /api/autopilot/goal route
+// reaches setEngineGoal via the globalThis control object (it never imports the engine directly).
+const goals = new Map<string, string>();
+
+/**
+ * Build the LLM context string for one pipeline run. When a goal is present it leads the string
+ * so the summary + every lens see it first; otherwise the format is unchanged from before.
+ */
+export function buildEngineContext(input: {
+  errorCount: number;
+  events: string[];
+  goal?: string;
+  projectName: string;
+  status: string;
+  toolCallCount: number;
+  trigger: string;
+}): string {
+  const goalLine = input.goal && input.goal.trim().length > 0 ? `Goal: ${input.goal.trim()}\n` : '';
+  return (
+    `${goalLine}Project: ${input.projectName}\nStatus: ${input.status}\n` +
+    `Errors: ${input.errorCount}\nTool calls: ${input.toolCallCount}\n` +
+    `Recent events: ${input.events.slice(-12).join('; ')}\nTrigger: ${input.trigger}`
+  );
+}
+
+/** Drop a terminal's goal (called when the terminal exits). */
+export function clearEngineGoal(terminalId: string): void {
+  goals.delete(terminalId);
+}
+
+/** The pinned goal for a terminal, or undefined if none is set. */
+export function getEngineGoal(terminalId: string): string | undefined {
+  return goals.get(terminalId);
+}
+
+/** Set (or, with a blank value, clear) the goal that anchors a terminal's autopilot context. */
+export function setEngineGoal(terminalId: string, goal: string): void {
+  const trimmed = goal.trim();
+  if (trimmed.length > 0) {
+    // Cap defensively: the goal is prepended to EVERY engine LLM context, so an unbounded string
+    // would permanently bloat the prompt. The /api/autopilot/goal route also rejects > 500.
+    goals.set(terminalId, trimmed.slice(0, 500));
+  } else {
+    goals.delete(terminalId);
+  }
+}