npm - @kbediako/codex-orchestrator - Versions diffs - 0.1.38 → 0.2.1 - Mend

@kbediako/codex-orchestrator 0.1.38 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (311) hide show

package/dist/orchestrator/src/cli/config/delegationConfig.js CHANGED Viewed

@@ -5,7 +5,7 @@ import { homedir } from 'node:os';
 import { dirname, isAbsolute, join, relative, resolve, sep } from 'node:path';
 import { logger } from '../../logger.js';
 const require = createRequire(import.meta.url);
-const toml = require('@iarna/toml');
+let tomlParser;
 const DEFAULT_ALLOWED_RUN_ROOTS = [];
 const DEFAULT_CONFIG = {
     delegate: {
@@ -60,6 +60,16 @@ const SOURCE_PRIORITY = {
     env: 3,
     cli: 4
 };
+const DELEGATION_CONFIG_ROOT_KEYS = new Set([
+    'delegate',
+    'rlm',
+    'runner',
+    'ui',
+    'github',
+    'paths',
+    'confirm',
+    'sandbox'
+]);
 export async function loadDelegationConfigFiles(options) {
     const env = options.env ?? process.env;
     const codexHome = options.codexHome ?? resolveCodexHome(env);
@@ -112,7 +122,7 @@ export function computeEffectiveDelegationConfig(options) {
             ...(merged.sandbox ?? {})
         }
     };
-    if (effective.delegate.mode !== 'full' && effective.delegate.mode !== 'question_only') {
+    if (effective.delegate.mode !== 'full' && effective.delegate.mode !== 'question_only' && effective.delegate.mode !== 'status_only') {
         effective.delegate.mode = defaults.delegate.mode;
     }
     const repoAllowedRoots = typeof repoLayer?.paths?.allowedRoots !== 'undefined' ? repoLayer.paths.allowedRoots : [options.repoRoot];
@@ -214,8 +224,7 @@ function mergeSection(base, update) {
 async function readTomlFile(path) {
     try {
         const raw = await readFile(path, 'utf8');
-        const parsed = toml.parse(raw);
-        return parsed;
+        return parseDelegationTomlConfig(raw);
     }
     catch (error) {
         if (error.code === 'ENOENT') {
@@ -477,9 +486,312 @@ export function parseDelegationConfigOverride(value, source) {
     if (!trimmed) {
         return null;
     }
-    const parsed = toml.parse(trimmed);
+    const parsed = parseDelegationTomlConfig(trimmed);
     if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
         return null;
     }
     return normalizeLayer(parsed, source);
 }
+function getTomlParser() {
+    if (typeof tomlParser !== 'undefined') {
+        return tomlParser;
+    }
+    try {
+        tomlParser = require('@iarna/toml');
+    }
+    catch {
+        tomlParser = null;
+    }
+    return tomlParser;
+}
+function parseDelegationTomlConfig(raw) {
+    const parser = getTomlParser();
+    if (parser) {
+        const parsed = parser.parse(raw);
+        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            return parsed;
+        }
+        return {};
+    }
+    return parseDelegationTomlSubset(raw);
+}
+function parseDelegationTomlSubset(raw) {
+    const parsed = {};
+    let currentSection = [];
+    for (const line of raw.split(/\r?\n/u)) {
+        const trimmed = stripTomlComment(line).trim();
+        if (!trimmed) {
+            continue;
+        }
+        const tableMatch = trimmed.match(/^\[(.+)\]$/u);
+        if (tableMatch) {
+            const tablePath = parseTomlDottedPath(tableMatch[1] ?? '');
+            currentSection =
+                tablePath.length > 0 && DELEGATION_CONFIG_ROOT_KEYS.has(tablePath[0] ?? '')
+                    ? tablePath
+                    : null;
+            continue;
+        }
+        const separatorIndex = findTomlAssignmentSeparator(trimmed);
+        if (separatorIndex === -1) {
+            continue;
+        }
+        const keyPath = parseTomlDottedPath(trimmed.slice(0, separatorIndex));
+        if (keyPath.length === 0) {
+            continue;
+        }
+        if (currentSection === null) {
+            continue;
+        }
+        const fullPath = [...currentSection, ...keyPath];
+        if (!DELEGATION_CONFIG_ROOT_KEYS.has(fullPath[0] ?? '')) {
+            continue;
+        }
+        const parsedValue = parseTomlValue(trimmed.slice(separatorIndex + 1).trim());
+        if (typeof parsedValue === 'undefined') {
+            continue;
+        }
+        assignNestedTomlValue(parsed, fullPath, parsedValue);
+    }
+    return parsed;
+}
+function assignNestedTomlValue(target, pathSegments, value) {
+    let current = target;
+    for (let index = 0; index < pathSegments.length - 1; index += 1) {
+        const segment = pathSegments[index];
+        const existing = current[segment];
+        if (!existing || typeof existing !== 'object' || Array.isArray(existing)) {
+            current[segment] = {};
+        }
+        current = current[segment];
+    }
+    const leafKey = pathSegments[pathSegments.length - 1];
+    current[leafKey] = value;
+}
+function parseTomlDottedPath(raw) {
+    const segments = [];
+    let current = '';
+    let quote = null;
+    let escaping = false;
+    const flush = () => {
+        const normalized = normalizeTomlKeySegment(current);
+        if (normalized) {
+            segments.push(normalized);
+        }
+        current = '';
+    };
+    for (const character of raw.trim()) {
+        if (escaping) {
+            current += character;
+            escaping = false;
+            continue;
+        }
+        if (quote && character === '\\') {
+            current += character;
+            escaping = true;
+            continue;
+        }
+        if (character === '"' || character === '\'') {
+            if (quote === character) {
+                quote = null;
+            }
+            else if (!quote) {
+                quote = character;
+            }
+            current += character;
+            continue;
+        }
+        if (!quote && character === '.') {
+            flush();
+            continue;
+        }
+        current += character;
+    }
+    flush();
+    return segments;
+}
+function normalizeTomlKeySegment(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed) {
+        return null;
+    }
+    if ((trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+        (trimmed.startsWith('\'') && trimmed.endsWith('\''))) {
+        return decodeTomlString(trimmed);
+    }
+    return trimmed;
+}
+function parseTomlValue(raw) {
+    if (!raw) {
+        return undefined;
+    }
+    if ((raw.startsWith('"') && raw.endsWith('"')) ||
+        (raw.startsWith('\'') && raw.endsWith('\''))) {
+        return decodeTomlString(raw);
+    }
+    if (raw.startsWith('[') && raw.endsWith(']')) {
+        return splitTomlArrayEntries(raw.slice(1, -1)).map((entry) => parseTomlValue(entry));
+    }
+    if (raw === 'true') {
+        return true;
+    }
+    if (raw === 'false') {
+        return false;
+    }
+    const integer = parseTomlInteger(raw);
+    if (integer !== null) {
+        return integer;
+    }
+    const numeric = Number(raw);
+    if (Number.isFinite(numeric)) {
+        return numeric;
+    }
+    return undefined;
+}
+function parseTomlInteger(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed) {
+        return null;
+    }
+    if (/^[+-]?(?:0|[1-9](?:_?\d)*)$/u.test(trimmed)) {
+        return Number.parseInt(trimmed.replace(/_/gu, ''), 10);
+    }
+    if (/^[+-]?0x[0-9a-f](?:_?[0-9a-f])*$/iu.test(trimmed)) {
+        return parseTomlBasedInteger(trimmed, /^([+-]?)0x/iu, 16);
+    }
+    if (/^[+-]?0o[0-7](?:_?[0-7])*$/iu.test(trimmed)) {
+        return parseTomlBasedInteger(trimmed, /^([+-]?)0o/iu, 8);
+    }
+    if (/^[+-]?0b[01](?:_?[01])*$/iu.test(trimmed)) {
+        return parseTomlBasedInteger(trimmed, /^([+-]?)0b/iu, 2);
+    }
+    return null;
+}
+function parseTomlBasedInteger(raw, prefixPattern, radix) {
+    const normalized = raw.replace(/_/gu, '');
+    const prefixMatch = normalized.match(prefixPattern);
+    if (!prefixMatch) {
+        return null;
+    }
+    const sign = prefixMatch[1] === '-' ? -1 : 1;
+    const digits = normalized.slice(prefixMatch[0].length);
+    return sign * Number.parseInt(digits, radix);
+}
+function splitTomlArrayEntries(raw) {
+    const entries = [];
+    let current = '';
+    let bracketDepth = 0;
+    let quote = null;
+    let escaping = false;
+    const flush = () => {
+        const trimmed = current.trim();
+        if (trimmed) {
+            entries.push(trimmed);
+        }
+        current = '';
+    };
+    for (const character of raw) {
+        if (escaping) {
+            current += character;
+            escaping = false;
+            continue;
+        }
+        if (quote && character === '\\') {
+            current += character;
+            escaping = true;
+            continue;
+        }
+        if (character === '"' || character === '\'') {
+            if (quote === character) {
+                quote = null;
+            }
+            else if (!quote) {
+                quote = character;
+            }
+            current += character;
+            continue;
+        }
+        if (!quote) {
+            if (character === '[') {
+                bracketDepth += 1;
+            }
+            else if (character === ']') {
+                bracketDepth = Math.max(0, bracketDepth - 1);
+            }
+            else if (character === ',' && bracketDepth === 0) {
+                flush();
+                continue;
+            }
+        }
+        current += character;
+    }
+    flush();
+    return entries;
+}
+function findTomlAssignmentSeparator(raw) {
+    let quote = null;
+    let escaping = false;
+    for (let index = 0; index < raw.length; index += 1) {
+        const character = raw[index];
+        if (escaping) {
+            escaping = false;
+            continue;
+        }
+        if (quote && character === '\\') {
+            escaping = true;
+            continue;
+        }
+        if (character === '"' || character === '\'') {
+            if (quote === character) {
+                quote = null;
+            }
+            else if (!quote) {
+                quote = character;
+            }
+            continue;
+        }
+        if (!quote && character === '=') {
+            return index;
+        }
+    }
+    return -1;
+}
+function decodeTomlString(raw) {
+    if (raw.startsWith('"') && raw.endsWith('"')) {
+        try {
+            return JSON.parse(raw);
+        }
+        catch {
+            return raw.slice(1, -1).replace(/\\\\/gu, '\\').replace(/\\"/gu, '"').replace(/\\'/gu, '\'');
+        }
+    }
+    return raw.slice(1, -1).replace(/\\'/gu, '\'');
+}
+function stripTomlComment(line) {
+    let quote = null;
+    let escaping = false;
+    for (let index = 0; index < line.length; index += 1) {
+        const character = line[index];
+        if (escaping) {
+            escaping = false;
+            continue;
+        }
+        if (quote && character === '\\') {
+            escaping = true;
+            continue;
+        }
+        if (character === '"' || character === '\'') {
+            if (quote === character) {
+                quote = null;
+            }
+            else if (!quote) {
+                quote = character;
+            }
+            continue;
+        }
+        if (!quote && character === '#') {
+            return line.slice(0, index);
+        }
+    }
+    return line;
+}

package/dist/orchestrator/src/cli/config/repoConfigPolicy.js CHANGED Viewed

@@ -1,4 +1,3 @@
-import { join } from 'node:path';
 import process from 'node:process';
 export const REPO_CONFIG_REQUIRED_ENV_KEY = 'CODEX_ORCHESTRATOR_REPO_CONFIG_REQUIRED';
 const REPO_CONFIG_REQUIRED_TRUE_VALUES = new Set(['1', 'true', 'yes', 'on']);
@@ -13,10 +12,10 @@ export function isRepoConfigRequired(env = process.env) {
     }
     return REPO_CONFIG_REQUIRED_TRUE_VALUES.has(normalized);
 }
-export function formatRepoConfigRequiredError(repoRoot) {
+export function formatRepoConfigRequiredError(repoConfigPath) {
     return [
         `Repo-local codex.orchestrator.json is required when ${REPO_CONFIG_REQUIRED_ENV_KEY}=1.`,
-        `Expected: ${join(repoRoot, 'codex.orchestrator.json')}.`,
+        `Expected: ${repoConfigPath}.`,
         'Run `codex-orchestrator init codex` to scaffold repo-local config.'
     ].join(' ');
 }

package/dist/orchestrator/src/cli/config/userConfig.js CHANGED Viewed

@@ -1,20 +1,11 @@
+import process from 'node:process';
 import { readFile } from 'node:fs/promises';
-import { join } from 'node:path';
+import { isAbsolute, join, resolve } from 'node:path';
 import { logger } from '../../logger.js';
 import { findPackageRoot } from '../utils/packageInfo.js';
+export const REPO_CONFIG_PATH_ENV_KEY = 'CODEX_ORCHESTRATOR_REPO_CONFIG_PATH';
 export async function loadRepoConfig(env, options = {}) {
-    const repoConfigPath = join(env.repoRoot, 'codex.orchestrator.json');
-    const repoConfig = await readConfig(repoConfigPath);
-    if (repoConfig) {
-        if (!options.quiet) {
-            logger.info(`[codex-config] Loaded user config from ${repoConfigPath}`);
-        }
-        return normalizeUserConfig(repoConfig, 'repo');
-    }
-    if (!options.quiet) {
-        logger.warn(`[codex-config] Missing codex.orchestrator.json at ${repoConfigPath}`);
-    }
-    return null;
+    return await loadRepoConfigFromPath(resolveRepoConfigPath(env, options.processEnv), options);
 }
 export async function loadPackageConfig(env, options = {}) {
     const repoConfigPath = join(env.repoRoot, 'codex.orchestrator.json');
@@ -45,6 +36,30 @@ export async function loadUserConfig(env, options = {}) {
     }
     return await loadPackageConfig(env, options);
 }
+export function resolveRepoConfigPath(env, runtimeEnv = process.env) {
+    const override = runtimeEnv[REPO_CONFIG_PATH_ENV_KEY];
+    if (typeof override !== 'string' || override.trim().length === 0) {
+        return join(env.repoRoot, 'codex.orchestrator.json');
+    }
+    const trimmed = override.trim();
+    return isAbsolute(trimmed) ? trimmed : resolve(env.repoRoot, trimmed);
+}
+export async function loadRepoConfigFromPath(repoConfigPath, options = {}) {
+    const repoConfig = await readConfig(repoConfigPath);
+    if (repoConfig) {
+        if (!options.quiet) {
+            logger.info(`[codex-config] Loaded user config from ${repoConfigPath}`);
+        }
+        return normalizeUserConfig(repoConfig, 'repo');
+    }
+    if (!options.quiet) {
+        logger.warn(`[codex-config] Missing codex.orchestrator.json at ${repoConfigPath}`);
+    }
+    return null;
+}
+export function parseUserConfigRaw(raw, source) {
+    return normalizeUserConfig(JSON.parse(raw), source);
+}
 export function findPipeline(config, id) {
     if (!config?.pipelines) {
         return null;

package/dist/orchestrator/src/cli/control/authenticatedControlRouteGate.js ADDED Viewed

@@ -0,0 +1,69 @@
+import { timingSafeEqual } from 'node:crypto';
+const CSRF_HEADER = 'x-csrf-token';
+export function admitAuthenticatedControlRoute(context) {
+    const auth = resolveAuthToken({
+        authorizationHeader: context.req.headers.authorization,
+        controlToken: context.controlToken,
+        isSessionTokenValid: context.isSessionTokenValid
+    });
+    if (!auth) {
+        writeGateError(context.res, 401, 'unauthorized');
+        return null;
+    }
+    if (requiresCsrfProtection(context.req.method) && !isCsrfValid(context.req, auth.token)) {
+        writeGateError(context.res, 403, 'csrf_invalid');
+        return null;
+    }
+    if (isRunnerOnlyEndpoint(context.pathname, context.req.method) && auth.kind !== 'control') {
+        writeGateError(context.res, 403, 'runner_only');
+        return null;
+    }
+    return auth;
+}
+function resolveAuthToken(input) {
+    const header = typeof input.authorizationHeader === 'string' ? input.authorizationHeader : null;
+    if (!header || !header.startsWith('Bearer ')) {
+        return null;
+    }
+    const token = header.slice('Bearer '.length);
+    if (safeTokenCompare(token, input.controlToken)) {
+        return { token, kind: 'control' };
+    }
+    if (input.isSessionTokenValid(token)) {
+        return { token, kind: 'session' };
+    }
+    return null;
+}
+function isCsrfValid(req, token) {
+    const header = req.headers[CSRF_HEADER];
+    if (!header) {
+        return false;
+    }
+    return safeTokenCompare(header, token);
+}
+function requiresCsrfProtection(method) {
+    const normalized = (method ?? 'GET').toUpperCase();
+    return normalized !== 'GET' && normalized !== 'HEAD';
+}
+function isRunnerOnlyEndpoint(pathname, method) {
+    if ((method ?? 'GET').toUpperCase() !== 'POST') {
+        return false;
+    }
+    const normalized = pathname.endsWith('/') && pathname !== '/' ? pathname.slice(0, -1) : pathname;
+    return (normalized === '/confirmations/issue' ||
+        normalized === '/confirmations/consume' ||
+        normalized === '/confirmations/validate' ||
+        normalized === '/delegation/register' ||
+        normalized === '/questions/enqueue' ||
+        normalized === '/security/violation');
+}
+function writeGateError(res, status, error) {
+    res.writeHead(status, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error }));
+}
+function safeTokenCompare(left, right) {
+    if (left.length !== right.length) {
+        return false;
+    }
+    return timingSafeEqual(Buffer.from(left, 'utf8'), Buffer.from(right, 'utf8'));
+}