@kody-ade/kody-engine 0.4.188 → 0.4.190

package/dist/bin/kody.js

@@ -1309,7 +1309,7 @@ var init_loadPriorArt = __esm({
 // package.json
 var package_default = {
   name: "@kody-ade/kody-engine",
-  version: "0.4.188",
+  version: "0.4.190",
   description: "kody \u2014 autonomous development engine. Single-session Claude Code agent behind a generic executor + declarative executable profiles.",
   license: "MIT",
   type: "module",
@@ -12365,10 +12365,79 @@ async function runCmd(cmd, args, opts = {}) {
   });
 }
 
+// src/scripts/previewBuildNamespace.ts
+var NSC_OIDC_AUDIENCE = "https://namespace.so";
+var REQ_TIMEOUT_MS = 15e3;
+var NSC_INSTALL = `
+set -euo pipefail
+if [ ! -x /usr/local/bin/nsc ]; then
+  ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
+  OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+  curl -fsSL "https://get.namespace.so/packages/nsc/latest?arch=\${ARCH}&os=\${OS}" -o /tmp/nsc.tar.gz
+  mkdir -p /tmp/nsc-extract
+  tar -xzf /tmp/nsc.tar.gz -C /tmp/nsc-extract
+  NSC_BIN=$(find /tmp/nsc-extract -type f -name nsc | head -1)
+  sudo install -m 0755 "$NSC_BIN" /usr/local/bin/nsc
+fi
+/usr/local/bin/nsc version
+`;
+async function fetchGithubOidcToken(audience) {
+  const url = process.env.ACTIONS_ID_TOKEN_REQUEST_URL?.trim();
+  const requestToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN?.trim();
+  if (!url || !requestToken) return null;
+  const res = await fetch(`${url}&audience=${encodeURIComponent(audience)}`, {
+    headers: { Authorization: `Bearer ${requestToken}` },
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+  });
+  if (!res.ok) {
+    throw new Error(`OIDC token request failed: ${res.status} ${res.statusText}`);
+  }
+  const data = await res.json();
+  if (!data.value) throw new Error("OIDC token response missing `value`");
+  return data.value;
+}
+async function setupNamespaceBuilder(opts) {
+  try {
+    await runCmd("bash", ["-c", NSC_INSTALL]);
+    const jwt = await fetchGithubOidcToken(NSC_OIDC_AUDIENCE);
+    if (!jwt) {
+      console.warn(
+        "[preview-build] no GitHub OIDC token (id-token: write missing?) \u2014 local docker build"
+      );
+      return null;
+    }
+    await runCmd("nsc", [
+      "auth",
+      "exchange-oidc-token",
+      "--tenant_id",
+      opts.tenantId,
+      "--token",
+      jwt
+    ]);
+    await runCmd("nsc", [
+      "docker",
+      "buildx",
+      "setup",
+      "--name",
+      opts.builderName
+    ]);
+    console.log(
+      `[preview-build] Namespace remote builder ready (${opts.builderName})`
+    );
+    return opts.builderName;
+  } catch (err) {
+    console.warn(
+      "[preview-build] Namespace setup failed \u2014 falling back to local docker:",
+      err instanceof Error ? err.message : String(err)
+    );
+    return null;
+  }
+}
+
 // src/scripts/runPreviewBuild.ts
 var FLY_MACHINES = "https://api.machines.dev/v1";
 var FLY_GRAPHQL = "https://api.fly.io/graphql";
-var REQ_TIMEOUT_MS = 3e4;
+var REQ_TIMEOUT_MS2 = 3e4;
 function bundledDockerfilePath(mode) {
   const here = path36.dirname(fileURLToPath(import.meta.url));
   const file = mode === "dev" ? "default-Dockerfile.preview.dev" : "default-Dockerfile.preview.prod";
@@ -12392,7 +12461,7 @@ async function ghJSON(url, token) {
       Accept: "application/vnd.github+json",
       "X-GitHub-Api-Version": "2022-11-28"
     },
-    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
   });
   if (!res.ok) {
     throw new Error(`GitHub ${url}: ${res.status} ${res.statusText}`);
@@ -12411,7 +12480,7 @@ async function fetchVaultDoc(repo, ghToken4, masterKey) {
 async function flyAppExists(name, token) {
   const res = await fetch(`${FLY_MACHINES}/apps/${encodeURIComponent(name)}`, {
     headers: flyHeaders(token),
-    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
   });
   if (res.status === 404) return false;
   if (!res.ok) {
@@ -12424,7 +12493,7 @@ async function flyCreateApp(name, orgSlug, token) {
     method: "POST",
     headers: flyHeaders(token),
     body: JSON.stringify({ app_name: name, org_slug: orgSlug }),
-    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
   });
   if (res.status === 422) return;
   if (!res.ok) {
@@ -12443,7 +12512,7 @@ async function flyAllocateSharedIps(appName, token) {
     method: "POST",
     headers: flyHeaders(token),
     body: JSON.stringify({ query: mutation, variables: { appId: appName } }),
-    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
   });
   if (!res.ok) {
     throw new Error(`allocateSharedIps ${appName}: ${res.status}`);
@@ -12461,7 +12530,7 @@ async function flyListMachines(appName, token) {
     `${FLY_MACHINES}/apps/${encodeURIComponent(appName)}/machines`,
     {
       headers: flyHeaders(token),
-      signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+      signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
     }
   );
   if (res.status === 404) return [];
@@ -12477,7 +12546,7 @@ async function flyDestroyMachine(appName, machineId, token) {
     {
       method: "POST",
       headers: flyHeaders(token),
-      signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+      signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
     }
   ).catch(() => void 0);
   const res = await fetch(
@@ -12485,7 +12554,7 @@ async function flyDestroyMachine(appName, machineId, token) {
     {
       method: "DELETE",
       headers: flyHeaders(token),
-      signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+      signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
     }
   );
   if (res.status === 404) return;
@@ -12538,7 +12607,7 @@ async function flyCreatePreviewMachine(args, token) {
         method: "POST",
         headers: flyHeaders(token),
         body: JSON.stringify(body),
-        signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+        signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
       }
     );
     if (res.ok) {
@@ -12565,7 +12634,7 @@ async function postOrUpdatePreviewComment(args) {
   };
   const listRes = await fetch(`${base}?per_page=100`, {
     headers,
-    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
   }).catch(() => null);
   let existingId = null;
   if (listRes && listRes.ok) {
@@ -12580,7 +12649,7 @@ async function postOrUpdatePreviewComment(args) {
         method: "PATCH",
         headers,
         body: JSON.stringify({ body: args.body }),
-        signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+        signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
       }
     );
     return;
@@ -12589,7 +12658,7 @@ async function postOrUpdatePreviewComment(args) {
     method: "POST",
     headers,
     body: JSON.stringify({ body: args.body }),
-    signal: AbortSignal.timeout(REQ_TIMEOUT_MS)
+    signal: AbortSignal.timeout(REQ_TIMEOUT_MS2)
   });
 }
 var runPreviewBuild = async (ctx, _profile, _args) => {
@@ -12633,6 +12702,7 @@ var runPreviewBuild = async (ctx, _profile, _args) => {
     }
     const orgSlug = doc.secrets?.FLY_ORG_SLUG?.value?.trim() || (process.env.FLY_ORG_SLUG ?? "personal").trim();
     const region = doc.secrets?.FLY_DEFAULT_REGION?.value?.trim() || (process.env.FLY_REGION ?? "fra").trim();
+    const nscTenantId = doc.secrets?.NSC_TENANT_ID?.value?.trim() || "";
     console.log(
       `[preview-build] vault: ${Object.keys(buildEnv).length} secrets, mode=${buildMode}`
     );
@@ -12696,22 +12766,42 @@ var runPreviewBuild = async (ctx, _profile, _args) => {
       ["login", "registry.fly.io", "-u", "x", "--password-stdin"],
       { input: flyToken, cwd: ctx.cwd }
     );
-    const buildArgs = [
-      "build",
-      "-f",
-      "Dockerfile.preview",
-      "-t",
-      `registry.fly.io/${appName}:${tag}`
-    ];
-    if (baseImage) buildArgs.push("--build-arg", `BASE_IMAGE=${baseImage}`);
-    buildArgs.push(".");
-    await runCmd("docker", buildArgs, {
-      cwd: ctx.cwd,
-      env: { DOCKER_BUILDKIT: "1" }
-    });
-    await runCmd("docker", ["push", `registry.fly.io/${appName}:${tag}`], {
-      cwd: ctx.cwd
-    });
+    const imageRef = `registry.fly.io/${appName}:${tag}`;
+    const nsBuilder = nscTenantId ? await setupNamespaceBuilder({
+      tenantId: nscTenantId,
+      builderName: `kody-preview-${pr}`
+    }) : null;
+    if (nsBuilder) {
+      const a = [
+        "buildx",
+        "build",
+        "--builder",
+        nsBuilder,
+        "-f",
+        "Dockerfile.preview",
+        "-t",
+        imageRef,
+        "--push"
+      ];
+      if (baseImage) a.push("--build-arg", `BASE_IMAGE=${baseImage}`);
+      a.push(".");
+      await runCmd("docker", a, { cwd: ctx.cwd });
+    } else {
+      const buildArgs = [
+        "build",
+        "-f",
+        "Dockerfile.preview",
+        "-t",
+        imageRef
+      ];
+      if (baseImage) buildArgs.push("--build-arg", `BASE_IMAGE=${baseImage}`);
+      buildArgs.push(".");
+      await runCmd("docker", buildArgs, {
+        cwd: ctx.cwd,
+        env: { DOCKER_BUILDKIT: "1" }
+      });
+      await runCmd("docker", ["push", imageRef], { cwd: ctx.cwd });
+    }
     const stale = await flyListMachines(appName, flyToken);
     for (const m of stale) {
       await flyDestroyMachine(appName, m.id, flyToken).catch(() => void 0);

package/dist/bin/preview-build-templates/default-Dockerfile.preview.dev

@@ -18,7 +18,12 @@ ARG BASE_IMAGE=node:22-alpine
 FROM ${BASE_IMAGE}
 WORKDIR /app
 
-RUN corepack enable 2>/dev/null || true
+# corepack's default pnpm on the base image can fall outside the app's
+# engines.pnpm range → ERR_PNPM_UNSUPPORTED_ENGINE. Pin a current pnpm
+# for repos that don't set packageManager (corepack still honors one
+# when present, so this only affects the unpinned case).
+RUN corepack enable 2>/dev/null || true; \
+    corepack prepare pnpm@10.17.0 --activate 2>/dev/null || npm i -g pnpm@10 2>/dev/null || true
 
 COPY package.json pnpm-lock.yaml* package-lock.json* yarn.lock* ./
 RUN --mount=type=cache,id=kp-pnpm-store,target=/root/.local/share/pnpm/store \

package/dist/bin/preview-build-templates/default-Dockerfile.preview.prod

@@ -12,7 +12,12 @@ ARG BASE_IMAGE=node:22-alpine
 FROM ${BASE_IMAGE}
 WORKDIR /app
 
-RUN corepack enable 2>/dev/null || true
+# corepack's default pnpm on the base image can fall outside the app's
+# engines.pnpm range → ERR_PNPM_UNSUPPORTED_ENGINE. Pin a current pnpm
+# for repos that don't set packageManager (corepack still honors one
+# when present, so this only affects the unpinned case).
+RUN corepack enable 2>/dev/null || true; \
+    corepack prepare pnpm@10.17.0 --activate 2>/dev/null || npm i -g pnpm@10 2>/dev/null || true
 
 COPY package.json pnpm-lock.yaml* package-lock.json* yarn.lock* ./
 RUN --mount=type=cache,id=kp-pnpm-store,target=/root/.local/share/pnpm/store \

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kody-ade/kody-engine",
-  "version": "0.4.188",
+  "version": "0.4.190",
   "description": "kody — autonomous development engine. Single-session Claude Code agent behind a generic executor + declarative executable profiles.",
   "license": "MIT",
   "type": "module",
@@ -12,6 +12,24 @@
     "templates",
     "kody.config.schema.json"
   ],
+  "scripts": {
+    "kody:run": "tsx bin/kody.ts",
+    "serve": "tsx bin/kody.ts serve",
+    "serve:vscode": "tsx bin/kody.ts serve vscode",
+    "serve:claude": "tsx bin/kody.ts serve claude",
+    "build": "tsup && node scripts/copy-assets.cjs",
+    "check:modularity": "tsx scripts/check-script-modularity.ts",
+    "pretest": "pnpm check:modularity",
+    "test": "vitest run tests/unit tests/int --coverage",
+    "test:smoke": "vitest run tests/smoke --no-coverage",
+    "test:e2e": "vitest run tests/e2e --no-coverage",
+    "test:all": "vitest run tests --no-coverage",
+    "typecheck": "tsc --noEmit",
+    "lint": "biome check",
+    "lint:fix": "biome check --write",
+    "format": "biome format --write",
+    "prepublishOnly": "pnpm build"
+  },
   "dependencies": {
     "@actions/cache": "^6.0.0",
     "@anthropic-ai/claude-agent-sdk": "0.2.119",
@@ -34,22 +52,5 @@
     "url": "git+https://github.com/aharonyaircohen/kody-engine.git"
   },
   "homepage": "https://github.com/aharonyaircohen/kody-engine",
-  "bugs": "https://github.com/aharonyaircohen/kody-engine/issues",
-  "scripts": {
-    "kody:run": "tsx bin/kody.ts",
-    "serve": "tsx bin/kody.ts serve",
-    "serve:vscode": "tsx bin/kody.ts serve vscode",
-    "serve:claude": "tsx bin/kody.ts serve claude",
-    "build": "tsup && node scripts/copy-assets.cjs",
-    "check:modularity": "tsx scripts/check-script-modularity.ts",
-    "pretest": "pnpm check:modularity",
-    "test": "vitest run tests/unit tests/int --coverage",
-    "test:smoke": "vitest run tests/smoke --no-coverage",
-    "test:e2e": "vitest run tests/e2e --no-coverage",
-    "test:all": "vitest run tests --no-coverage",
-    "typecheck": "tsc --noEmit",
-    "lint": "biome check",
-    "lint:fix": "biome check --write",
-    "format": "biome format --write"
-  }
-}
+  "bugs": "https://github.com/aharonyaircohen/kody-engine/issues"
+}

package/templates/kody.yml

@@ -77,6 +77,7 @@ jobs:
       pull-requests: write
       contents: write
       actions: read
+      id-token: write # OIDC: lets preview-build federate into Namespace remote builders
     steps:
       - uses: actions/checkout@v4
         with: