@kody-ade/kody-engine 0.4.115 → 0.4.117

package/dist/bin/kody.js

@@ -880,7 +880,7 @@ var init_loadPriorArt = __esm({
 // package.json
 var package_default = {
   name: "@kody-ade/kody-engine",
-  version: "0.4.115",
+  version: "0.4.117",
   description: "kody \u2014 autonomous development engine. Single-session Claude Code agent behind a generic executor + declarative executable profiles.",
   license: "MIT",
   type: "module",
@@ -4785,6 +4785,7 @@ import { createServer as createServer3 } from "http";
 var FLY_API_BASE = "https://api.machines.dev/v1";
 var POOL_METADATA_KEY = "kody_pool";
 var POOL_METADATA_VALUE = "1";
+var POOL_REPO_METADATA_KEY = "kody_pool_repo";
 var FlyClient = class {
   constructor(opts) {
     this.opts = opts;
@@ -4814,7 +4815,7 @@ var FlyClient = class {
     if (!raw.trim()) return null;
     return JSON.parse(raw);
   }
-  /** Create + start a pooled machine in serve mode. */
+  /** Create + start a pooled machine in serve mode, tagged for `repoTag`. */
   async createPooled(input) {
     const body = {
       region: input.region,
@@ -4824,7 +4825,10 @@ var FlyClient = class {
         auto_destroy: true,
         restart: { policy: "no" },
         init: { entrypoint: ["/usr/local/bin/entrypoint-serve.sh"] },
-        metadata: { [POOL_METADATA_KEY]: POOL_METADATA_VALUE },
+        metadata: {
+          [POOL_METADATA_KEY]: POOL_METADATA_VALUE,
+          [POOL_REPO_METADATA_KEY]: input.repoTag
+        },
         env: {
           RUNNER_API_KEY: input.runnerApiKey,
           KODY_LITELLM_URL: input.litellmUrl,
@@ -4839,11 +4843,14 @@ var FlyClient = class {
   async get(id) {
     return this.call(`/apps/${enc(this.opts.app)}/machines/${enc(id)}`, { allow404: true });
   }
-  /** List the app's pooled (kody_pool) machines, excluding destroyed/destroying. */
-  async listPooled() {
+  /**
+   * List pooled machines for `repoTag` (kody_pool + matching repo tag),
+   * excluding destroyed/destroying. Each repo's pool sees only its own.
+   */
+  async listPooled(repoTag) {
     const all = await this.call(`/apps/${enc(this.opts.app)}/machines`, { allow404: true }) ?? [];
     return all.filter(
-      (m) => m.config?.metadata?.[POOL_METADATA_KEY] === POOL_METADATA_VALUE && m.state !== "destroyed" && m.state !== "destroying"
+      (m) => m.config?.metadata?.[POOL_METADATA_KEY] === POOL_METADATA_VALUE && m.config?.metadata?.[POOL_REPO_METADATA_KEY] === repoTag && m.state !== "destroyed" && m.state !== "destroying"
     );
   }
   /** Suspend (freeze) a machine — wakes in ~1s from the snapshot. */
@@ -4884,6 +4891,7 @@ function sleep2(ms) {
 }
 
 // src/pool/manager.ts
+var MAX_CLAIM_ATTEMPTS = 3;
 var PoolManager = class {
   constructor(deps) {
     this.deps = deps;
@@ -4912,7 +4920,7 @@ var PoolManager = class {
    * free; anything else is left to finish/auto-destroy. Then refill to `min`.
    */
   async reconcile() {
-    const machines = await this.deps.fly.listPooled();
+    const machines = await this.deps.fly.listPooled(this.deps.config.repoTag);
     this.free = [];
     for (const m of machines) {
       if ((m.state === "suspended" || m.state === "suspending") && m.private_ip) {
@@ -4923,43 +4931,84 @@ var PoolManager = class {
     await this.refill();
   }
   /**
-   * Claim a warm machine for a job. Returns ok:false (caller falls back to
-   * create-fresh) when the pool is empty or the woken machine fails to take
-   * the job. The pick is synchronous — the atomic step.
+   * Claim a warm machine for a job. Tries free machines in turn: if a woken
+   * machine is stale/unhealthy/rejecting (e.g. it vanished out-of-band), it's
+   * destroyed and the next free one is tried, up to MAX_CLAIM_ATTEMPTS. Only
+   * when none work (or the pool is empty) does it return ok:false so the
+   * caller falls back to create-fresh. The pick (shift) is synchronous — the
+   * atomic step that prevents two concurrent claims grabbing the same machine.
    */
   async claim(job) {
-    const machine = this.free.shift();
-    if (!machine) {
-      this.log("claim: pool empty");
-      void this.refill();
-      return { ok: false, reason: "pool empty" };
-    }
-    this.claimsInFlight++;
-    try {
-      await this.deps.fly.start(machine.id);
-      const base = this.baseUrl(machine);
-      const healthy = await this.deps.fly.waitHealthy(base, { timeoutMs: this.deps.config.healthTimeoutMs });
-      if (!healthy) {
-        this.log(`claim: machine ${machine.id} unhealthy after wake \u2014 destroying`);
-        await this.safeDestroy(machine.id);
-        return { ok: false, reason: "woken machine unhealthy" };
-      }
-      const accepted = await this.postRun(machine, job, this.deps.config);
-      if (!accepted) {
-        this.log(`claim: machine ${machine.id} rejected job \u2014 destroying`);
+    let lastReason = "pool empty";
+    for (let attempt = 0; attempt < MAX_CLAIM_ATTEMPTS; attempt++) {
+      const machine = this.free.shift();
+      if (!machine) break;
+      this.claimsInFlight++;
+      try {
+        await this.deps.fly.start(machine.id);
+        const healthy = await this.deps.fly.waitHealthy(this.baseUrl(machine), {
+          timeoutMs: this.deps.config.healthTimeoutMs
+        });
+        if (!healthy) {
+          this.log(`claim: machine ${machine.id} unhealthy after wake \u2014 destroying, trying next`);
+          await this.safeDestroy(machine.id);
+          lastReason = "woken machine unhealthy";
+          continue;
+        }
+        const accepted = await this.postRun(machine, job, this.deps.config);
+        if (!accepted) {
+          this.log(`claim: machine ${machine.id} rejected job \u2014 destroying, trying next`);
+          await this.safeDestroy(machine.id);
+          lastReason = "machine rejected job";
+          continue;
+        }
+        this.log(`claim: machine ${machine.id} took job ${job.jobId}`);
+        void this.refill();
+        return { ok: true, machineId: machine.id };
+      } catch (err) {
+        this.log(`claim: error on ${machine.id}: ${errMsg2(err)} \u2014 destroying, trying next`);
         await this.safeDestroy(machine.id);
-        return { ok: false, reason: "machine rejected job" };
+        lastReason = errMsg2(err);
+      } finally {
+        this.claimsInFlight--;
       }
-      this.log(`claim: machine ${machine.id} took job ${job.jobId}`);
-      return { ok: true, machineId: machine.id };
+    }
+    void this.refill();
+    return { ok: false, reason: lastReason };
+  }
+  /**
+   * Periodic self-heal: reconcile the in-memory free list against actual Fly
+   * state. Prunes free entries whose machine vanished out-of-band (auto-destroy
+   * after a job, manual ops) so a later claim never tries a dead machine, and
+   * adopts any suspended machines we lost track of. Then tops up. Unlike
+   * reconcile() this MERGES rather than rebuilds, so it won't drop a machine
+   * that's momentarily not yet reflected as suspended by Fly's eventual
+   * consistency.
+   */
+  async resync() {
+    let machines;
+    try {
+      machines = await this.deps.fly.listPooled(this.deps.config.repoTag);
     } catch (err) {
-      this.log(`claim: error on ${machine.id}: ${errMsg2(err)} \u2014 destroying`);
-      await this.safeDestroy(machine.id);
-      return { ok: false, reason: errMsg2(err) };
-    } finally {
-      this.claimsInFlight--;
-      void this.refill();
+      this.log(`resync: listPooled failed: ${errMsg2(err)}`);
+      return;
     }
+    const liveIds = new Set(machines.map((m) => m.id));
+    const before = this.free.length;
+    this.free = this.free.filter((f) => liveIds.has(f.id));
+    const pruned = before - this.free.length;
+    const tracked = new Set(this.free.map((f) => f.id));
+    let adopted = 0;
+    for (const m of machines) {
+      if ((m.state === "suspended" || m.state === "suspending") && m.private_ip && !tracked.has(m.id)) {
+        this.free.push({ id: m.id, privateIp: m.private_ip });
+        adopted++;
+      }
+    }
+    if (pruned > 0 || adopted > 0) {
+      this.log(`resync: pruned ${pruned} stale, adopted ${adopted} (free=${this.free.length})`);
+    }
+    await this.refill();
   }
   /** Top up free machines to `min`. Serialized so it never overshoots. */
   async refill() {
@@ -4989,6 +5038,7 @@ var PoolManager = class {
       guest: cfg.guest,
       runnerApiKey: cfg.runnerApiKey,
       litellmUrl: cfg.litellmUrl,
+      repoTag: cfg.repoTag,
       port: cfg.port
     });
     if (!m.private_ip) {
@@ -5036,6 +5086,160 @@ function errMsg2(err) {
   return err instanceof Error ? err.message : String(err);
 }
 
+// src/pool/vault.ts
+import { createDecipheriv } from "crypto";
+var GITHUB_API = "https://api.github.com";
+var VAULT_PATH = ".kody/secrets.enc";
+var CACHE_TTL_MS = 6e4;
+var cache = /* @__PURE__ */ new Map();
+function decryptVault(payload, masterKey) {
+  const parts = payload.split(":");
+  if (parts.length !== 4 || parts[0] !== "v1") {
+    throw new Error("invalid vault payload format");
+  }
+  const [, ivB64, ctB64, tagB64] = parts;
+  const iv = Buffer.from(ivB64, "base64");
+  const ct = Buffer.from(ctB64, "base64");
+  const tag = Buffer.from(tagB64, "base64");
+  const decipher = createDecipheriv("aes-256-gcm", masterKey, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
+}
+async function readVaultSecrets(opts) {
+  const key = `${opts.owner}/${opts.repo}`.toLowerCase();
+  const hit = cache.get(key);
+  if (hit && hit.expiresAt > Date.now()) return hit.secrets;
+  const doFetch = opts.fetchImpl ?? fetch;
+  const res = await doFetch(
+    `${GITHUB_API}/repos/${encodeURIComponent(opts.owner)}/${encodeURIComponent(opts.repo)}/contents/${VAULT_PATH}`,
+    {
+      headers: {
+        Authorization: `Bearer ${opts.githubToken}`,
+        Accept: "application/vnd.github+json",
+        "User-Agent": "kody-pool-serve"
+      }
+    }
+  );
+  if (res.status === 404) {
+    cache.set(key, { secrets: {}, expiresAt: Date.now() + CACHE_TTL_MS });
+    return {};
+  }
+  if (!res.ok) {
+    throw new Error(`vault read ${res.status} for ${key}: ${(await res.text().catch(() => "")).slice(0, 160)}`);
+  }
+  const body = await res.json();
+  if (!body.content) {
+    cache.set(key, { secrets: {}, expiresAt: Date.now() + CACHE_TTL_MS });
+    return {};
+  }
+  const ciphertext = Buffer.from(body.content, body.encoding ?? "base64").toString("utf8").trim();
+  const doc = JSON.parse(decryptVault(ciphertext, opts.masterKey));
+  const flat = {};
+  for (const [name, entry] of Object.entries(doc.secrets ?? {})) {
+    if (entry && typeof entry.value === "string") flat[name] = entry.value;
+  }
+  cache.set(key, { secrets: flat, expiresAt: Date.now() + CACHE_TTL_MS });
+  return flat;
+}
+async function readRepoSecret(opts) {
+  const secrets = await readVaultSecrets(opts);
+  const v = secrets[opts.name];
+  return v && v.trim() ? v : null;
+}
+async function readRepoSecrets(opts) {
+  return readVaultSecrets(opts);
+}
+
+// src/pool/registry.ts
+var PoolRegistry = class {
+  constructor(cfg) {
+    this.cfg = cfg;
+    this.log = cfg.log ?? (() => {
+    });
+    this.resolveFlyToken = cfg.resolveFlyToken ?? ((owner, repo) => readRepoSecret({
+      githubToken: cfg.githubToken,
+      masterKey: cfg.masterKey,
+      owner,
+      repo,
+      name: "FLY_API_TOKEN"
+    }));
+  }
+  cfg;
+  pools = /* @__PURE__ */ new Map();
+  resolveFlyToken;
+  log;
+  key(owner, repo) {
+    return `${owner}/${repo}`.toLowerCase();
+  }
+  /** Get-or-create the pool for a repo, or null if the repo has no Fly token. */
+  async getPool(owner, repo) {
+    const repoTag = this.key(owner, repo);
+    const existing = this.pools.get(repoTag);
+    if (existing) return existing;
+    let flyToken;
+    try {
+      flyToken = await this.resolveFlyToken(owner, repo);
+    } catch (err) {
+      this.log(`registry: vault read failed for ${repoTag}: ${err instanceof Error ? err.message : String(err)}`);
+      return null;
+    }
+    if (!flyToken) {
+      this.log(`registry: ${repoTag} has no FLY_API_TOKEN \u2014 no pool`);
+      return null;
+    }
+    const fly = new FlyClient({ token: flyToken, app: this.cfg.base.app });
+    const pm = new PoolManager({
+      fly,
+      config: { ...this.cfg.base, repoTag },
+      log: (m) => this.log(`[${repoTag}] ${m}`)
+    });
+    this.pools.set(repoTag, pm);
+    void pm.reconcile().catch((err) => this.log(`[${repoTag}] reconcile: ${err instanceof Error ? err.message : String(err)}`));
+    return pm;
+  }
+  async claim(owner, repo, req) {
+    const pm = await this.getPool(owner, repo);
+    if (!pm) return { ok: false, reason: "repo has no FLY_API_TOKEN (no pool)" };
+    let allSecrets = {};
+    try {
+      const vault = await readRepoSecrets({
+        githubToken: this.cfg.githubToken,
+        masterKey: this.cfg.masterKey,
+        owner,
+        repo
+      });
+      allSecrets = Object.fromEntries(Object.entries(vault).filter(([k]) => k !== "FLY_API_TOKEN"));
+    } catch (err) {
+      this.log(`[${this.key(owner, repo)}] vault secrets read failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const job = {
+      jobId: req.jobId,
+      repo: `${owner}/${repo}`,
+      issueNumber: req.issueNumber,
+      githubToken: this.cfg.githubToken,
+      ref: req.ref,
+      allSecrets,
+      model: req.model,
+      sessionId: req.sessionId,
+      dashboardUrl: req.dashboardUrl
+    };
+    return pm.claim(job);
+  }
+  /** Status for a single repo's pool, or null if none exists yet. */
+  status(owner, repo) {
+    return this.pools.get(this.key(owner, repo))?.status() ?? null;
+  }
+  /** Resync every active repo pool (periodic self-heal). */
+  async resyncAll() {
+    for (const [repoTag, pm] of this.pools) {
+      await pm.resync().catch((err) => this.log(`[${repoTag}] resync: ${err instanceof Error ? err.message : String(err)}`));
+    }
+  }
+  activeRepos() {
+    return [...this.pools.keys()];
+  }
+};
+
 // src/pool/keys.ts
 import { hkdfSync } from "crypto";
 var POOL_API_KEY_INFO = "kody-pool-api:v1";
@@ -5107,7 +5311,7 @@ function readJsonBody3(req) {
     req.on("error", reject);
   });
 }
-function parsePoolJob(body) {
+function parseClaimRequest(body) {
   if (typeof body !== "object" || body === null) return { error: "body must be an object" };
   const b = body;
   const jobId = typeof b.jobId === "string" ? b.jobId.trim() : "";
@@ -5116,15 +5320,12 @@ function parsePoolJob(body) {
   if (!/^[^/\s]+\/[^/\s]+$/.test(repo)) return { error: "repo must be 'owner/name'" };
   const issueNumber = Number(b.issueNumber);
   if (!Number.isInteger(issueNumber) || issueNumber <= 0) return { error: "issueNumber required" };
-  const githubToken = typeof b.githubToken === "string" ? b.githubToken.trim() : "";
-  if (!githubToken) return { error: "githubToken required" };
-  const job = { jobId, repo, issueNumber, githubToken };
-  if (typeof b.ref === "string" && b.ref.trim()) job.ref = b.ref.trim();
-  if (typeof b.model === "string" && b.model.trim()) job.model = b.model.trim();
-  if (typeof b.sessionId === "string" && b.sessionId.trim()) job.sessionId = b.sessionId.trim();
-  if (typeof b.dashboardUrl === "string" && b.dashboardUrl.trim()) job.dashboardUrl = b.dashboardUrl.trim();
-  if (b.allSecrets && typeof b.allSecrets === "object") job.allSecrets = b.allSecrets;
-  return { job };
+  const req = { jobId, repo, issueNumber };
+  if (typeof b.ref === "string" && b.ref.trim()) req.ref = b.ref.trim();
+  if (typeof b.model === "string" && b.model.trim()) req.model = b.model.trim();
+  if (typeof b.sessionId === "string" && b.sessionId.trim()) req.sessionId = b.sessionId.trim();
+  if (typeof b.dashboardUrl === "string" && b.dashboardUrl.trim()) req.dashboardUrl = b.dashboardUrl.trim();
+  return { req };
 }
 function superviseLitellm() {
   if (process.env.POOL_DISABLE_LITELLM === "1") return null;
@@ -5156,8 +5357,8 @@ var poolServe = async (ctx) => {
   ctx.skipAgent = true;
   const masterRaw = process.env.KODY_MASTER_KEY?.trim();
   if (!masterRaw) throw new Error("KODY_MASTER_KEY required for pool-serve");
-  const flyToken = process.env.FLY_API_TOKEN?.trim();
-  if (!flyToken) throw new Error("FLY_API_TOKEN required for pool-serve");
+  const githubToken = process.env.GITHUB_TOKEN?.trim();
+  if (!githubToken) throw new Error("GITHUB_TOKEN required for pool-serve (reads per-repo vaults)");
   const master = masterKeyBytes(masterRaw);
   const poolApiKey = derivePoolApiKey(master);
   const runnerApiKey = deriveRunnerApiKey(master);
@@ -5171,23 +5372,36 @@ var poolServe = async (ctx) => {
   const apiPort = envInt("POOL_API_PORT", 4100);
   const healthTimeoutMs = envInt("POOL_HEALTH_TIMEOUT_MS", 12e4);
   const litellm = superviseLitellm();
-  const fly = new FlyClient({ token: flyToken, app });
-  const manager = new PoolManager({
-    fly,
-    config: { min, image: process.env.FLY_RUNNER_IMAGE ?? "registry.fly.io/kody-runner:latest", region, guest, runnerApiKey, litellmUrl, port: runnerPort, healthTimeoutMs },
+  const registry = new PoolRegistry({
+    githubToken,
+    masterKey: master,
+    base: {
+      min,
+      image: process.env.FLY_RUNNER_IMAGE ?? "registry.fly.io/kody-runner:latest",
+      region,
+      guest,
+      runnerApiKey,
+      litellmUrl,
+      port: runnerPort,
+      healthTimeoutMs,
+      app
+    },
     log
   });
-  manager.reconcile().catch((err) => log(`reconcile failed: ${err instanceof Error ? err.message : String(err)}`));
   const refillMs = envInt("POOL_REFILL_INTERVAL_MS", 6e4);
   const tick = setInterval(() => {
-    manager.refill().catch((err) => log(`refill tick failed: ${err instanceof Error ? err.message : String(err)}`));
+    registry.resyncAll().catch((err) => log(`resync tick failed: ${err instanceof Error ? err.message : String(err)}`));
   }, refillMs);
   const server = createServer3(async (req, res) => {
     try {
       if (!req.method || !req.url) return sendJson3(res, 400, { error: "bad request" });
       const url = new URL(req.url, "http://localhost");
       if (req.method === "GET" && url.pathname === "/healthz") {
-        return sendJson3(res, 200, { ok: true, litellm: litellm ? "supervised" : "off", pool: manager.status() });
+        return sendJson3(res, 200, {
+          ok: true,
+          litellm: litellm ? "supervised" : "off",
+          repos: registry.activeRepos()
+        });
       }
       const authed = bearerOk(
         req.headers["authorization"],
@@ -5196,7 +5410,10 @@ var poolServe = async (ctx) => {
       );
       if (!authed) return sendJson3(res, 401, { error: "unauthorized" });
       if (req.method === "GET" && url.pathname === "/pool/status") {
-        return sendJson3(res, 200, manager.status());
+        const repoParam = (url.searchParams.get("repo") ?? "").trim();
+        const [owner, repo] = repoParam.split("/");
+        if (!owner || !repo) return sendJson3(res, 400, { error: "repo query (owner/name) required" });
+        return sendJson3(res, 200, { status: registry.status(owner, repo) });
       }
       if (req.method === "POST" && url.pathname === "/pool/claim") {
         let body;
@@ -5205,9 +5422,10 @@ var poolServe = async (ctx) => {
         } catch {
           return sendJson3(res, 400, { error: "invalid JSON body" });
         }
-        const parsed = parsePoolJob(body);
+        const parsed = parseClaimRequest(body);
         if ("error" in parsed) return sendJson3(res, 400, { error: parsed.error });
-        const result = await manager.claim(parsed.job);
+        const [owner, repo] = parsed.req.repo.split("/");
+        const result = await registry.claim(owner, repo, parsed.req);
         if (result.ok) return sendJson3(res, 200, { ok: true, machineId: result.machineId });
         return sendJson3(res, 503, { ok: false, reason: result.reason ?? "pool unavailable" });
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kody-ade/kody-engine",
-  "version": "0.4.115",
+  "version": "0.4.117",
   "description": "kody — autonomous development engine. Single-session Claude Code agent behind a generic executor + declarative executable profiles.",
   "license": "MIT",
   "type": "module",