@kognai/orchestrator-core 0.1.0

package/dist/lib/notion-direct.js

@@ -0,0 +1,381 @@
+"use strict";
+/**
+ * notion-direct.ts — Zero-dep Notion API client for senior-coder.
+ *
+ * Bypasses both OpenClaw and the @notionhq/client npm package (which would be a
+ * new dep). Uses raw HTTPS to api.notion.com.
+ *
+ * Public surface — only what the bot actually needs:
+ *   - upsertSprint(sprint)        → push a sprint to Notion Sprints DB (create or update by Sprint ID)
+ *   - updateSprintStatus(id, ...) → patch a sprint's status/outcome after completion
+ *   - createBlocker(blocker)      → push a blocker to Notion Blockers DB
+ *   - archiveDailyBrief(date,...) → create a sub-page under the Daily Briefs parent
+ *   - queryNewSprintsInNotion()   → pull sprints with Status=pending that don't exist locally yet
+ *
+ * Fail-open: every function returns {ok: false, reason} on error rather than
+ * throwing, so the bot pipeline doesn't break when Notion is down or the
+ * integration loses access. Callers log the failure and continue.
+ *
+ * Created: 2026-04-29.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.upsertSprint = upsertSprint;
+exports.updateSprintStatus = updateSprintStatus;
+exports.createBlocker = createBlocker;
+exports.archiveDailyBrief = archiveDailyBrief;
+exports.queryPendingSprintsFromNotion = queryPendingSprintsFromNotion;
+exports.getAllNotionSprintStatuses = getAllNotionSprintStatuses;
+exports.notionHealthCheck = notionHealthCheck;
+const https = __importStar(require("https"));
+const NOTION_API_KEY = process.env.NOTION_API_KEY || '';
+const NOTION_VERSION = '2022-06-28';
+const SPRINTS_DB_ID = process.env.NOTION_SPRINTS_DB_ID || '';
+const BLOCKERS_DB_ID = process.env.NOTION_BLOCKERS_DB_ID || '';
+const DAILY_BRIEFS_PARENT_ID = process.env.NOTION_DAILY_BRIEFS_PAGE_ID || '';
+const TIMEOUT_MS = 15_000;
+// ── HTTP helper ──────────────────────────────────────────────────────────────
+function notionRequest(method, path, body) {
+    return new Promise((resolve, reject) => {
+        const data = body ? JSON.stringify(body) : '';
+        const headers = {
+            'Authorization': `Bearer ${NOTION_API_KEY}`,
+            'Notion-Version': NOTION_VERSION,
+            'Content-Type': 'application/json',
+        };
+        if (data)
+            headers['Content-Length'] = Buffer.byteLength(data);
+        const req = https.request({
+            hostname: 'api.notion.com',
+            path: `/v1${path}`,
+            method,
+            headers,
+            timeout: TIMEOUT_MS,
+        }, (res) => {
+            let chunks = '';
+            res.on('data', (c) => (chunks += c));
+            res.on('end', () => {
+                try {
+                    const parsed = JSON.parse(chunks);
+                    if (parsed.object === 'error') {
+                        reject(new Error(`Notion ${parsed.code}: ${parsed.message}`));
+                        return;
+                    }
+                    resolve(parsed);
+                }
+                catch (e) {
+                    reject(new Error(`Notion parse failed (HTTP ${res.statusCode}): ${chunks.slice(0, 300)}`));
+                }
+            });
+        });
+        req.on('error', reject);
+        req.on('timeout', () => { req.destroy(); reject(new Error(`Notion timeout after ${TIMEOUT_MS}ms`)); });
+        if (data)
+            req.write(data);
+        req.end();
+    });
+}
+function envGuard() {
+    if (!NOTION_API_KEY)
+        return { ok: false, reason: 'NOTION_API_KEY not set' };
+    return { ok: true };
+}
+// ── Property builders (Notion's verbose nested format) ───────────────────────
+function rt(text) {
+    return { rich_text: [{ type: 'text', text: { content: (text || '').slice(0, 2000) } }] };
+}
+function title(text) {
+    return { title: [{ type: 'text', text: { content: (text || '').slice(0, 2000) } }] };
+}
+function sel(name) {
+    return name ? { select: { name } } : { select: null };
+}
+function num(n) {
+    return { number: n ?? null };
+}
+function url(u) {
+    return u ? { url: u } : { url: null };
+}
+function dateProp(iso) {
+    return iso ? { date: { start: iso } } : { date: null };
+}
+function relation(pageIds) {
+    return { relation: (pageIds || []).map(id => ({ id })) };
+}
+// ── Sprints DB ──────────────────────────────────────────────────────────────
+/**
+ * Find a sprint row by its Sprint ID title. Returns the page object or null.
+ */
+async function findSprintPage(sprintId) {
+    if (!SPRINTS_DB_ID)
+        return null;
+    try {
+        const r = await notionRequest('POST', `/databases/${SPRINTS_DB_ID}/query`, {
+            filter: { property: 'Sprint ID', title: { equals: sprintId } },
+            page_size: 1,
+        });
+        return r.results[0] || null;
+    }
+    catch (err) {
+        console.warn(`[notion] findSprintPage(${sprintId}) failed: ${err.message}`);
+        return null;
+    }
+}
+/** Build the properties payload for a SprintRow. */
+function sprintRowProps(s) {
+    const props = {
+        'Sprint ID': title(s.sprint_id),
+        'Title': rt(s.title),
+        'Status': sel(s.status),
+    };
+    if (s.priority)
+        props['Priority'] = sel(s.priority);
+    if (s.tasks_summary !== undefined)
+        props['Tasks Summary'] = rt(s.tasks_summary);
+    if (s.authored_by)
+        props['Authored By'] = sel(s.authored_by);
+    if (s.sprint_file_url !== undefined)
+        props['Sprint File'] = url(s.sprint_file_url);
+    if (s.outcome !== undefined)
+        props['Outcome'] = rt(s.outcome);
+    return props;
+}
+/**
+ * Upsert a sprint row in Notion. Creates if not exists (by Sprint ID), updates if it does.
+ * Returns the page_id of the row in Notion (useful for setting Blocker.Sprint relation).
+ */
+async function upsertSprint(s) {
+    const guard = envGuard();
+    if (!guard.ok)
+        return guard;
+    if (!SPRINTS_DB_ID)
+        return { ok: false, reason: 'NOTION_SPRINTS_DB_ID not set' };
+    try {
+        const existing = await findSprintPage(s.sprint_id);
+        if (existing) {
+            await notionRequest('PATCH', `/pages/${existing.id}`, { properties: sprintRowProps(s) });
+            return { ok: true, data: { page_id: existing.id } };
+        }
+        const created = await notionRequest('POST', '/pages', {
+            parent: { database_id: SPRINTS_DB_ID },
+            properties: sprintRowProps(s),
+        });
+        return { ok: true, data: { page_id: created.id } };
+    }
+    catch (err) {
+        return { ok: false, reason: err.message };
+    }
+}
+/**
+ * Lighter-weight update: only patches status (+ optional outcome). Use after sprint completion.
+ */
+async function updateSprintStatus(sprintId, status, outcome, tasksSummary) {
+    const guard = envGuard();
+    if (!guard.ok)
+        return guard;
+    try {
+        const existing = await findSprintPage(sprintId);
+        if (!existing)
+            return { ok: false, reason: `sprint ${sprintId} not in Notion` };
+        const props = { 'Status': sel(status) };
+        if (outcome !== undefined)
+            props['Outcome'] = rt(outcome);
+        if (tasksSummary !== undefined)
+            props['Tasks Summary'] = rt(tasksSummary);
+        await notionRequest('PATCH', `/pages/${existing.id}`, { properties: props });
+        return { ok: true };
+    }
+    catch (err) {
+        return { ok: false, reason: err.message };
+    }
+}
+// ── Blockers DB ─────────────────────────────────────────────────────────────
+async function createBlocker(b) {
+    const guard = envGuard();
+    if (!guard.ok)
+        return guard;
+    if (!BLOCKERS_DB_ID)
+        return { ok: false, reason: 'NOTION_BLOCKERS_DB_ID not set' };
+    const props = {
+        'Title': title(b.title),
+        'Detected At': dateProp(b.detected_at_iso),
+        'Pick Count 24h': num(b.pick_count_24h),
+        'Status': sel(b.status),
+    };
+    if (b.sprint_page_id)
+        props['Sprint'] = relation([b.sprint_page_id]);
+    if (b.diagnosis !== undefined)
+        props['Diagnosis'] = rt(b.diagnosis);
+    if (b.resolution !== undefined)
+        props['Resolution'] = rt(b.resolution);
+    try {
+        const created = await notionRequest('POST', '/pages', {
+            parent: { database_id: BLOCKERS_DB_ID },
+            properties: props,
+        });
+        return { ok: true, data: { page_id: created.id } };
+    }
+    catch (err) {
+        return { ok: false, reason: err.message };
+    }
+}
+// ── Daily Briefs ────────────────────────────────────────────────────────────
+/**
+ * Create a sub-page under the Daily Briefs parent, titled by date, with the
+ * brief text as content. Notion pages support markdown-ish content via blocks;
+ * we use a single paragraph with the brief text (wrapped in code-block-style).
+ */
+async function archiveDailyBrief(dateIso, briefText) {
+    const guard = envGuard();
+    if (!guard.ok)
+        return guard;
+    if (!DAILY_BRIEFS_PARENT_ID)
+        return { ok: false, reason: 'NOTION_DAILY_BRIEFS_PAGE_ID not set' };
+    // Notion paragraph blocks have a 2000-char limit per text segment.
+    // Split the brief into chunks and create one paragraph block per chunk.
+    const CHUNK = 1900;
+    const chunks = [];
+    for (let i = 0; i < briefText.length; i += CHUNK)
+        chunks.push(briefText.slice(i, i + CHUNK));
+    const children = chunks.map(text => ({
+        object: 'block',
+        type: 'paragraph',
+        paragraph: { rich_text: [{ type: 'text', text: { content: text } }] },
+    }));
+    try {
+        const created = await notionRequest('POST', '/pages', {
+            parent: { page_id: DAILY_BRIEFS_PARENT_ID },
+            properties: { title: { title: [{ type: 'text', text: { content: `Brief — ${dateIso}` } }] } },
+            icon: { type: 'emoji', emoji: '🌅' },
+            children,
+        });
+        return { ok: true, data: { page_id: created.id } };
+    }
+    catch (err) {
+        return { ok: false, reason: err.message };
+    }
+}
+/**
+ * Fetch all sprint rows in Notion with Status=pending. Caller compares against
+ * local `workspace/sprints/` to find which ones to materialize as JSON files.
+ */
+async function queryPendingSprintsFromNotion() {
+    const guard = envGuard();
+    if (!guard.ok)
+        return guard;
+    if (!SPRINTS_DB_ID)
+        return { ok: false, reason: 'NOTION_SPRINTS_DB_ID not set' };
+    try {
+        const r = await notionRequest('POST', `/databases/${SPRINTS_DB_ID}/query`, {
+            filter: { property: 'Status', select: { equals: 'pending' } },
+            page_size: 100,
+        });
+        const out = r.results.map((row) => {
+            const p = row.properties || {};
+            const titleArr = p['Sprint ID']?.title || [];
+            const titleText = p['Title']?.rich_text || [];
+            return {
+                page_id: row.id,
+                sprint_id: titleArr[0]?.plain_text || '',
+                title: titleText.map((t) => t.plain_text).join(''),
+                status: p['Status']?.select?.name || '',
+                priority: p['Priority']?.select?.name,
+                tasks_summary: (p['Tasks Summary']?.rich_text || []).map((t) => t.plain_text).join(''),
+                authored_by: p['Authored By']?.select?.name,
+            };
+        });
+        return { ok: true, data: out };
+    }
+    catch (err) {
+        return { ok: false, reason: err.message };
+    }
+}
+// ── Source-of-truth lookup (sprint-runner uses this before picking a local file) ─
+/**
+ * Fetch ALL sprints in the Notion Sprints DB, return a Map of sprint_id → status.
+ * Used by sprint-runner.ts so Notion overrides local file state — protects against
+ * other Claude sessions reverting sprint files locally.
+ * Fail-safe: returns {ok: false} on Notion error so caller falls back to local-only.
+ */
+async function getAllNotionSprintStatuses() {
+    const guard = envGuard();
+    if (!guard.ok)
+        return guard;
+    if (!SPRINTS_DB_ID)
+        return { ok: false, reason: 'NOTION_SPRINTS_DB_ID not set' };
+    try {
+        const r = await notionRequest('POST', `/databases/${SPRINTS_DB_ID}/query`, { page_size: 100 });
+        const map = new Map();
+        for (const row of r.results) {
+            const titleArr = row.properties?.['Sprint ID']?.title || [];
+            const sprintId = titleArr[0]?.plain_text || '';
+            const status = row.properties?.['Status']?.select?.name || '';
+            if (sprintId && status)
+                map.set(sprintId, status);
+        }
+        if (r.has_more)
+            console.warn('[notion] >100 sprint rows; pagination not implemented');
+        return { ok: true, data: map };
+    }
+    catch (err) {
+        return { ok: false, reason: err.message };
+    }
+}
+// ── Health check ────────────────────────────────────────────────────────────
+async function notionHealthCheck() {
+    const guard = envGuard();
+    if (!guard.ok)
+        return guard;
+    try {
+        const me = await notionRequest('GET', '/users/me');
+        const checks = await Promise.all([
+            notionRequest('GET', `/databases/${SPRINTS_DB_ID}`).then(() => true).catch(() => false),
+            notionRequest('GET', `/databases/${BLOCKERS_DB_ID}`).then(() => true).catch(() => false),
+            notionRequest('GET', `/blocks/${DAILY_BRIEFS_PARENT_ID}`).then(() => true).catch(() => false),
+        ]);
+        return {
+            ok: true,
+            data: {
+                bot_name: me.name,
+                sprints_db: checks[0],
+                blockers_db: checks[1],
+                briefs_page: checks[2],
+            },
+        };
+    }
+    catch (err) {
+        return { ok: false, reason: err.message };
+    }
+}

package/dist/lib/ollama-client.d.ts

@@ -0,0 +1,37 @@
+/**
+ * ollama-client.ts — TypeScript client for local Ollama inference
+ *
+ * Calls local models on the Mac Mini vault via the Ollama REST API.
+ * Ollama is always available at localhost:11434 when running.
+ * No API key needed — pure local, $0 cost.
+ */
+export interface OllamaOptions {
+    model: string;
+    prompt: string;
+    systemPrompt?: string;
+    maxTokens?: number;
+    temperature?: number;
+}
+export interface OllamaResult {
+    content: string;
+    model: string;
+    totalDuration: number;
+    evalCount: number;
+    promptEvalCount: number;
+}
+/**
+ * Call a local model via Ollama. Returns the response content.
+ */
+export declare function callOllama(opts: OllamaOptions): Promise<OllamaResult>;
+/**
+ * Check if Ollama is running and accessible.
+ */
+export declare function ollamaIsAvailable(): Promise<boolean>;
+/**
+ * Check if a specific model is currently loaded in Ollama memory.
+ */
+export declare function ollamaModelLoaded(model: string): Promise<boolean>;
+/**
+ * List all models available in Ollama.
+ */
+export declare function ollamaListModels(): Promise<string[]>;

package/dist/lib/ollama-client.js

@@ -0,0 +1,158 @@
+"use strict";
+/**
+ * ollama-client.ts — TypeScript client for local Ollama inference
+ *
+ * Calls local models on the Mac Mini vault via the Ollama REST API.
+ * Ollama is always available at localhost:11434 when running.
+ * No API key needed — pure local, $0 cost.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.callOllama = callOllama;
+exports.ollamaIsAvailable = ollamaIsAvailable;
+exports.ollamaModelLoaded = ollamaModelLoaded;
+exports.ollamaListModels = ollamaListModels;
+const http = __importStar(require("http"));
+const OLLAMA_BASE = (() => { const h = process.env.OLLAMA_HOST || 'http://localhost:11434'; return h.startsWith('http') ? h : `http://${h}`; })();
+const OLLAMA_TIMEOUT_MS = 600_000; // 10 min — local models can be slow
+function httpPost(path, body) {
+    return new Promise((resolve, reject) => {
+        const parsed = new URL(OLLAMA_BASE);
+        const req = http.request({
+            hostname: parsed.hostname,
+            port: parseInt(parsed.port || '11434', 10),
+            path,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(body),
+            },
+        }, (res) => {
+            let data = '';
+            res.on('data', (chunk) => (data += chunk));
+            res.on('end', () => resolve({ status: res.statusCode || 0, data }));
+        });
+        req.on('error', reject);
+        req.setTimeout(OLLAMA_TIMEOUT_MS, () => {
+            req.destroy();
+            reject(new Error(`Ollama timeout after ${OLLAMA_TIMEOUT_MS / 1000}s — model: ${body.slice(0, 60)}`));
+        });
+        req.write(body);
+        req.end();
+    });
+}
+function httpGet(path) {
+    return new Promise((resolve, reject) => {
+        const parsed = new URL(OLLAMA_BASE);
+        const req = http.request({
+            hostname: parsed.hostname,
+            port: parseInt(parsed.port || '11434', 10),
+            path,
+            method: 'GET',
+        }, (res) => {
+            let data = '';
+            res.on('data', (chunk) => (data += chunk));
+            res.on('end', () => resolve({ status: res.statusCode || 0, data }));
+        });
+        req.on('error', reject);
+        req.setTimeout(5000, () => { req.destroy(); resolve({ status: 0, data: '' }); });
+        req.end();
+    });
+}
+/**
+ * Call a local model via Ollama. Returns the response content.
+ */
+async function callOllama(opts) {
+    const { model, prompt, systemPrompt, maxTokens = 4096, temperature = 0.1 } = opts;
+    const requestBody = JSON.stringify({
+        model,
+        prompt,
+        system: systemPrompt,
+        stream: false,
+        options: {
+            num_predict: maxTokens,
+            temperature,
+        },
+    });
+    const response = await httpPost('/api/generate', requestBody);
+    if (response.status !== 200) {
+        throw new Error(`Ollama returned ${response.status}: ${response.data.slice(0, 300)}`);
+    }
+    const json = JSON.parse(response.data);
+    return {
+        content: json.response || '',
+        model: json.model || model,
+        totalDuration: json.total_duration || 0,
+        evalCount: json.eval_count || 0,
+        promptEvalCount: json.prompt_eval_count || 0,
+    };
+}
+/**
+ * Check if Ollama is running and accessible.
+ */
+async function ollamaIsAvailable() {
+    const res = await httpGet('/api/tags').catch(() => ({ status: 0, data: '' }));
+    return res.status === 200;
+}
+/**
+ * Check if a specific model is currently loaded in Ollama memory.
+ */
+async function ollamaModelLoaded(model) {
+    const res = await httpGet('/api/ps').catch(() => ({ status: 0, data: '' }));
+    if (res.status !== 200)
+        return false;
+    try {
+        const json = JSON.parse(res.data);
+        return (json.models || []).some((m) => m.name === model || m.model === model);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * List all models available in Ollama.
+ */
+async function ollamaListModels() {
+    const res = await httpGet('/api/tags').catch(() => ({ status: 0, data: '' }));
+    if (res.status !== 200)
+        return [];
+    try {
+        const json = JSON.parse(res.data);
+        return (json.models || []).map((m) => m.name || m.model);
+    }
+    catch {
+        return [];
+    }
+}

package/dist/lib/omel/credential-vault.d.ts

@@ -0,0 +1,57 @@
+export declare class CredentialVault {
+    private rateCounters;
+    private checkRateLimit;
+    private checkRotation;
+    /**
+     * Read a secret from process.env.
+     * The value is returned to the caller but NEVER written to logs.
+     */
+    getSecret(key: string, agentId?: string): string;
+    /**
+     * Return the NAMES of all env variables matching known secret patterns.
+     * Values are NEVER returned.
+     */
+    listSecrets(agentId?: string): string[];
+    /**
+     * Check if a secret is present (non-empty).
+     */
+    hasSecret(key: string, agentId?: string): boolean;
+    /**
+     * Mask a secret value for safe inclusion in logs or Telegram messages.
+     * Format: first 4 chars + "****...****" + last 4 chars.
+     */
+    maskForLog(value: string): string;
+    /**
+     * Passive leak scanner: check if any known secret value appears verbatim
+     * in the given log line. Returns the leaked key names (never the values).
+     */
+    scanForLeaks(line: string): string[];
+    /**
+     * Scan last N lines of a log file for secret leaks.
+     * Returns list of (key, line_number) tuples where leaks were detected.
+     * Intended for use by CTO gate pre-check and orchestrator run startup.
+     */
+    scanLogFile(logFilePath: string, lastNLines?: number): Array<{
+        key: string;
+        lineIndex: number;
+    }>;
+    /**
+     * Startup required-secrets validation.
+     * Logs + throws if any required key is missing.
+     * Call once at orchestrator startup.
+     */
+    validateRequired(requiredKeys?: string[]): void;
+    /**
+     * CTO approval gate audit report.
+     * Returns a summary of vault state: which secrets are present, rotation status.
+     * Values are NEVER included.
+     */
+    audit(): {
+        total_secrets: number;
+        present: string[];
+        missing: string[];
+        rotation_warnings: string[];
+        generated_at: string;
+    };
+}
+export declare const credentialVault: CredentialVault;