@marcusrbrown/infra 0.4.2 → 0.4.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@marcusrbrown/infra",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "Infrastructure management CLI — deploy automation, health checks, and MCP bridge",
   "keywords": [
     "infra",

package/src/commands/cliproxy/setup.test.ts

@@ -4,13 +4,94 @@ import {describe, expect, it} from 'bun:test'
 import {goke} from 'goke'
 
 import {
+  analyzeFroBotWorkflow,
+  formatWorkflowSnippet,
   getHarnessTemplate,
+  interpretGhContentResult,
   registerCliproxySetup,
   validateSetupOptions,
   type SecretAssignment,
   type VariableAssignment,
 } from './setup'
 
+const COMPLETE_WORKFLOW = `      - uses: fro-bot/agent@abc123
+        with:
+          github-token: \${{ secrets.FRO_BOT_PAT }}
+          auth-json: \${{ secrets.OPENCODE_AUTH_JSON }}
+          model: \${{ vars.FRO_BOT_MODEL }}
+          omo-providers: \${{ secrets.OMO_PROVIDERS }}
+          opencode-config: \${{ secrets.OPENCODE_CONFIG }}
+          prompt: \${{ env.PROMPT }}
+`
+
+const MISSING_OPENCODE_CONFIG_WORKFLOW = `      - uses: fro-bot/agent@abc123
+        with:
+          auth-json: \${{ secrets.OPENCODE_AUTH_JSON }}
+          github-token: \${{ secrets.FRO_BOT_PAT }}
+          model: \${{ vars.FRO_BOT_MODEL }}
+          omo-providers: \${{ secrets.OMO_PROVIDERS }}
+          prompt: \${{ env.PROMPT }}
+`
+
+// Regression fixture for PR #125 review: a sibling step has `model:` as an input,
+// but the fro-bot/agent step is missing it. The step-scoped scan must still flag
+// `model` as missing, otherwise the diagnostic is silently suppressed.
+const SIBLING_STEP_SHADOWS_MODEL_INPUT = `name: ci
+on: [push]
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        model: [opus, sonnet]
+    steps:
+      - uses: actions/some-ai-step@abc
+        with:
+          model: \${{ matrix.model }}
+      - name: Run Fro Bot
+        uses: fro-bot/agent@def
+        with:
+          auth-json: \${{ secrets.OPENCODE_AUTH_JSON }}
+          opencode-config: \${{ secrets.OPENCODE_CONFIG }}
+          omo-providers: \${{ secrets.OMO_PROVIDERS }}
+`
+
+const WORKFLOW_WITHOUT_FRO_BOT_AGENT = `name: ci
+on: [push]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: echo hello
+`
+
+// Follow-up from PR #125 second review: the matchAll refactor must report gaps
+// in any fro-bot/agent step, not just the first. Step #1 is complete, step #2 is
+// missing opencode-config and model — the analyzer should flag only step #2.
+const TWO_AGENT_STEPS_SECOND_BROKEN = `name: fro-bot
+on: [pull_request, schedule]
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Fro Bot review
+        uses: fro-bot/agent@abc123
+        with:
+          auth-json: \${{ secrets.OPENCODE_AUTH_JSON }}
+          opencode-config: \${{ secrets.OPENCODE_CONFIG }}
+          omo-providers: \${{ secrets.OMO_PROVIDERS }}
+          model: \${{ vars.FRO_BOT_MODEL }}
+  dispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Fro Bot dispatch
+        uses: fro-bot/agent@abc123
+        with:
+          auth-json: \${{ secrets.OPENCODE_AUTH_JSON }}
+          omo-providers: \${{ secrets.OMO_PROVIDERS }}
+`
+
 describe('cliproxy setup helpers', () => {
   describe('validateSetupOptions', () => {
     it('requires --key in non-interactive mode', () => {
@@ -43,6 +124,146 @@ describe('cliproxy setup helpers', () => {
       ])
       expect(template.variables.map((entry: VariableAssignment) => entry.name)).toEqual(['FRO_BOT_MODEL'])
     })
+
+    it('uses a provider-prefixed FRO_BOT_MODEL default value', () => {
+      const template = getHarnessTemplate('opencode', {keyValue: 'sk-test'})
+      const modelEntry = template.variables.find((entry: VariableAssignment) => entry.name === 'FRO_BOT_MODEL')
+
+      expect(modelEntry?.value).toMatch(/^anthropic\//)
+    })
+
+    it('uses the expected OMO_PROVIDERS default value', () => {
+      const template = getHarnessTemplate('opencode', {keyValue: 'sk-test'})
+      const providersEntry = template.secrets.find((entry: SecretAssignment) => entry.name === 'OMO_PROVIDERS')
+
+      expect(providersEntry?.value).toBe('claude-max20')
+    })
+
+    it('writes an OPENCODE_CONFIG baseURL with the /v1 suffix', () => {
+      const template = getHarnessTemplate('opencode', {keyValue: 'sk-test'})
+      const configEntry = template.secrets.find((entry: SecretAssignment) => entry.name === 'OPENCODE_CONFIG')
+      const parsed = JSON.parse(configEntry?.value ?? '{}')
+
+      expect(parsed.provider.anthropic.options.baseURL).toMatch(/\/v1$/)
+    })
+
+    it('writes OPENCODE_AUTH_JSON with type=api and the supplied key', () => {
+      const template = getHarnessTemplate('opencode', {keyValue: 'sk-test-key'})
+      const authEntry = template.secrets.find((entry: SecretAssignment) => entry.name === 'OPENCODE_AUTH_JSON')
+      const parsed = JSON.parse(authEntry?.value ?? '{}')
+
+      expect(parsed.anthropic).toEqual({type: 'api', key: 'sk-test-key'})
+    })
+  })
+
+  describe('analyzeFroBotWorkflow', () => {
+    it('returns empty stepsWithGaps when all four inputs are wired', () => {
+      const result = analyzeFroBotWorkflow(COMPLETE_WORKFLOW)
+
+      expect(result.kind).toBe('analyzed')
+      if (result.kind !== 'analyzed') throw new Error('unreachable')
+      expect(result.stepsWithGaps).toEqual([])
+    })
+
+    it('detects a missing opencode-config input on step #1', () => {
+      const result = analyzeFroBotWorkflow(MISSING_OPENCODE_CONFIG_WORKFLOW)
+
+      expect(result.kind).toBe('analyzed')
+      if (result.kind !== 'analyzed') throw new Error('unreachable')
+      expect(result.stepsWithGaps).toHaveLength(1)
+      expect(result.stepsWithGaps[0]?.stepOrdinal).toBe(1)
+      expect([...(result.stepsWithGaps[0]?.missingInputs ?? [])]).toEqual(['opencode-config'])
+    })
+
+    it('flags model as missing even when a sibling step uses model: as an input', () => {
+      const result = analyzeFroBotWorkflow(SIBLING_STEP_SHADOWS_MODEL_INPUT)
+
+      expect(result.kind).toBe('analyzed')
+      if (result.kind !== 'analyzed') throw new Error('unreachable')
+      expect(result.stepsWithGaps).toHaveLength(1)
+      expect(result.stepsWithGaps[0]?.stepOrdinal).toBe(1)
+      expect([...(result.stepsWithGaps[0]?.missingInputs ?? [])]).toEqual(['model'])
+    })
+
+    it('returns kind no-agent-step when the workflow has no fro-bot/agent step', () => {
+      const result = analyzeFroBotWorkflow(WORKFLOW_WITHOUT_FRO_BOT_AGENT)
+
+      expect(result.kind).toBe('no-agent-step')
+    })
+
+    it('returns kind no-agent-step for empty content', () => {
+      const result = analyzeFroBotWorkflow('')
+
+      expect(result.kind).toBe('no-agent-step')
+    })
+
+    it('reports only the broken step when a workflow has two fro-bot/agent steps and one is complete', () => {
+      const result = analyzeFroBotWorkflow(TWO_AGENT_STEPS_SECOND_BROKEN)
+
+      expect(result.kind).toBe('analyzed')
+      if (result.kind !== 'analyzed') throw new Error('unreachable')
+      expect(result.stepsWithGaps).toHaveLength(1)
+      expect(result.stepsWithGaps[0]?.stepOrdinal).toBe(2)
+      expect([...(result.stepsWithGaps[0]?.missingInputs ?? [])]).toEqual(['opencode-config', 'model'])
+    })
+  })
+
+  describe('interpretGhContentResult', () => {
+    it('returns kind missing when stderr contains HTTP 404', () => {
+      const result = interpretGhContentResult({
+        exitCode: 1,
+        stdout: '',
+        stderr: 'gh: Not Found (HTTP 404)',
+      })
+
+      expect(result.kind).toBe('missing')
+    })
+
+    it('returns kind unreachable with the stderr reason on non-404 failures', () => {
+      const result = interpretGhContentResult({
+        exitCode: 1,
+        stdout: '',
+        stderr: 'gh: API rate limit exceeded',
+      })
+
+      expect(result.kind).toBe('unreachable')
+      if (result.kind !== 'unreachable') throw new Error('unreachable')
+      expect(result.reason).toBe('gh: API rate limit exceeded')
+    })
+
+    it('falls back to the exit code when stderr is empty on a non-404 failure', () => {
+      const result = interpretGhContentResult({exitCode: 2, stdout: '', stderr: ''})
+
+      expect(result.kind).toBe('unreachable')
+      if (result.kind !== 'unreachable') throw new Error('unreachable')
+      expect(result.reason).toBe('gh api exited with code 2')
+    })
+
+    it('delegates to analyzeFroBotWorkflow on a successful response', () => {
+      const result = interpretGhContentResult({
+        exitCode: 0,
+        stdout: COMPLETE_WORKFLOW,
+        stderr: '',
+      })
+
+      expect(result.kind).toBe('analyzed')
+      if (result.kind !== 'analyzed') throw new Error('unreachable')
+      expect(result.stepsWithGaps).toEqual([])
+    })
+  })
+
+  describe('formatWorkflowSnippet', () => {
+    it('renders snippet lines at 10-space indent so they can be pasted directly under with:', () => {
+      const snippet = formatWorkflowSnippet(['opencode-config', 'model'])
+
+      /* eslint-disable no-template-curly-in-string -- GitHub Actions expression syntax, not JS template literals */
+      const expected = [
+        '          opencode-config: ${{ secrets.OPENCODE_CONFIG }}',
+        '          model: ${{ vars.FRO_BOT_MODEL }}',
+      ].join('\n')
+      /* eslint-enable no-template-curly-in-string */
+      expect(snippet).toBe(expected)
+    })
   })
 
   describe('help output', () => {

package/src/commands/cliproxy/setup.ts

@@ -12,7 +12,7 @@ import {toStringArray} from './keys'
 const DEFAULT_CLIPROXY_URL = 'https://cliproxy.fro.bot'
 const HTTP_TIMEOUT_MS = 10_000
 const DEFAULT_OMO_PROVIDERS = 'claude-max20'
-const DEFAULT_FRO_BOT_MODEL = 'claude-sonnet-4-6'
+const DEFAULT_FRO_BOT_MODEL = 'anthropic/claude-sonnet-4-6'
 
 const harnessSchema = z.enum(['opencode', 'claude-code', 'generic'])
 const ghRepoViewSchema = z.object({
@@ -263,6 +263,126 @@ async function listExistingGhNames(repo: string, kind: 'secret' | 'variable'): P
   return ghNameListSchema.parse(JSON.parse(result.stdout)).map(entry => entry.name)
 }
 
+export type FroBotWorkflowCheck =
+  | {kind: 'missing'}
+  | {kind: 'unreachable'; reason: string}
+  | {kind: 'no-agent-step'}
+  | {
+      kind: 'analyzed'
+      stepsWithGaps: readonly {stepOrdinal: number; missingInputs: readonly string[]}[]
+    }
+
+// github-token and prompt are intentionally excluded from this check:
+// github-token is harness-agnostic (PAT wiring, not secret-routing) and prompt is
+// workflow-defined (the user's prompt body, not a harness default).
+const REQUIRED_OPENCODE_INPUTS = ['auth-json', 'opencode-config', 'omo-providers', 'model'] as const
+
+/**
+ * Slice the workflow content into one entry per `fro-bot/agent` step. Handles
+ * both the `- name:\n  uses: ...` and `- uses: ...` step shapes. Returns an
+ * empty array if no fro-bot/agent step is present.
+ *
+ * Step-scoped slicing prevents false-passes where a same-named input key in a
+ * sibling step (strategy.matrix, custom actions, reusable workflow with:
+ * blocks) could mask a genuine gap in fro-bot/agent's wiring.
+ */
+function findFroBotAgentStepBodies(content: string): {stepOrdinal: number; body: string}[] {
+  const bodies: {stepOrdinal: number; body: string}[] = []
+  const pattern = /^(\s*(?:-\s+)?)uses:\s*fro-bot\/agent@/gm
+
+  for (const match of content.matchAll(pattern)) {
+    if (match.index === undefined || match[1] === undefined) continue
+
+    const stepBodyIndent = match[1].length
+    const dashIndent = Math.max(0, stepBodyIndent - 2)
+    const lines = content.slice(match.index).split('\n')
+    const stepLines: string[] = [lines[0] ?? '']
+
+    for (let index = 1; index < lines.length; index += 1) {
+      const line = lines[index] ?? ''
+      if (!line.trim()) {
+        stepLines.push(line)
+        continue
+      }
+      const firstNonSpace = line.search(/\S/)
+      if (firstNonSpace === dashIndent && line.trimStart().startsWith('-')) break
+      if (firstNonSpace < dashIndent) break
+      stepLines.push(line)
+    }
+
+    bodies.push({stepOrdinal: bodies.length + 1, body: stepLines.join('\n')})
+  }
+
+  return bodies
+}
+
+export function analyzeFroBotWorkflow(workflowContent: string): FroBotWorkflowCheck {
+  const steps = findFroBotAgentStepBodies(workflowContent)
+
+  if (steps.length === 0) {
+    return {kind: 'no-agent-step'}
+  }
+
+  const stepsWithGaps = steps
+    .map(step => ({
+      stepOrdinal: step.stepOrdinal,
+      missingInputs: REQUIRED_OPENCODE_INPUTS.filter(input => {
+        const inputPattern = new RegExp(String.raw`^\s+${input}:`, 'm')
+        return !inputPattern.test(step.body)
+      }),
+    }))
+    .filter(step => step.missingInputs.length > 0)
+
+  return {kind: 'analyzed', stepsWithGaps}
+}
+
+/**
+ * Extracted pure helper: turn a `gh api /repos/.../contents/<file>` result into
+ * a FroBotWorkflowCheck. Separated from checkFroBotWorkflow so tests can exercise
+ * the 404-vs-transport-error logic without mocking Bun.spawn.
+ */
+export function interpretGhContentResult(result: CommandResult): FroBotWorkflowCheck {
+  if (result.exitCode === 0) {
+    return analyzeFroBotWorkflow(result.stdout)
+  }
+
+  // gh prints `gh: Not Found (HTTP 404)` on 404; anything else is auth/network/5xx.
+  if (/HTTP 404/.test(result.stderr)) {
+    return {kind: 'missing'}
+  }
+
+  return {
+    kind: 'unreachable',
+    reason: result.stderr.trim() || `gh api exited with code ${result.exitCode}`,
+  }
+}
+
+async function checkFroBotWorkflow(repo: string): Promise<FroBotWorkflowCheck> {
+  const result = await runGh([
+    'api',
+    '--header',
+    'Accept: application/vnd.github.raw',
+    `/repos/${repo}/contents/.github/workflows/fro-bot.yaml`,
+  ])
+
+  return interpretGhContentResult(result)
+}
+
+// Snippet uses 10-space indent to match the canonical `with:` block depth
+// in marcusrbrown/infra/.github/workflows/fro-bot.yaml, so users can paste
+// directly under their step's `with:` key without re-indenting.
+export function formatWorkflowSnippet(missingInputs: readonly string[]): string {
+  /* eslint-disable no-template-curly-in-string -- GitHub Actions expression syntax, not JS template literals */
+  const inputMap: Record<string, string> = {
+    'auth-json': 'auth-json: ${{ secrets.OPENCODE_AUTH_JSON }}',
+    'opencode-config': 'opencode-config: ${{ secrets.OPENCODE_CONFIG }}',
+    'omo-providers': 'omo-providers: ${{ secrets.OMO_PROVIDERS }}',
+    model: 'model: ${{ vars.FRO_BOT_MODEL }}',
+  }
+  /* eslint-enable no-template-curly-in-string */
+  return missingInputs.map(input => `          ${inputMap[input]}`).join('\n')
+}
+
 async function assertProxyReachable(baseUrl: string): Promise<void> {
   try {
     const response = await fetch(baseUrl, {
@@ -691,6 +811,54 @@ export function registerCliproxySetup(cli: ReturnType<typeof goke>): void {
           await withSpinner('Verifying the new key through the proxy', async () => {
             await assertProxyKeyWorks(baseUrl, plan.keyValue)
           })
+
+          if (plan.harness === 'opencode') {
+            const workflow = await withSpinner(`Checking ${plan.repo} fro-bot.yaml wiring`, async () => {
+              return checkFroBotWorkflow(plan.repo)
+            })
+
+            switch (workflow.kind) {
+              case 'missing': {
+                log.warn(
+                  `No .github/workflows/fro-bot.yaml found in ${plan.repo}. The secrets and variables are set, but Fro Bot won't run until the workflow exists and passes them as inputs. See marcusrbrown/infra/.github/workflows/fro-bot.yaml for a reference.`,
+                )
+                break
+              }
+              case 'unreachable': {
+                log.warn(
+                  `Could not check .github/workflows/fro-bot.yaml in ${plan.repo}: ${workflow.reason}. The secrets and variables are set, but the workflow wiring was not verified. Re-run 'infra cliproxy setup' later to confirm, or inspect the file directly.`,
+                )
+                break
+              }
+              case 'no-agent-step': {
+                log.warn(
+                  `${plan.repo} .github/workflows/fro-bot.yaml exists but has no 'fro-bot/agent' step. Add one that passes the secrets and variables just written. See marcusrbrown/infra/.github/workflows/fro-bot.yaml for a reference.`,
+                )
+                break
+              }
+              case 'analyzed': {
+                for (const step of workflow.stepsWithGaps) {
+                  const missing = [...step.missingInputs]
+                  log.warn(
+                    [
+                      `${plan.repo} .github/workflows/fro-bot.yaml fro-bot/agent step #${step.stepOrdinal} is missing ${missing.length} required input${
+                        missing.length > 1 ? 's' : ''
+                      } (${missing.join(', ')}).`,
+                      `Without ${missing.includes('opencode-config') ? 'opencode-config, the baseURL override is ignored and Fro Bot hits api.anthropic.com with the proxy key, which fails with 401' : 'these, the secrets you just wrote will not reach OpenCode'}.`,
+                      '',
+                      `Add under the 'with:' block of the 'fro-bot/agent' step:`,
+                      formatWorkflowSnippet(missing),
+                    ].join('\n'),
+                  )
+                }
+                break
+              }
+              default: {
+                const _exhaustive: never = workflow
+                throw new Error(`Unhandled FroBotWorkflowCheck kind: ${JSON.stringify(_exhaustive)}`)
+              }
+            }
+          }
         } catch (mutationError) {
           if (keyCreatedByThisRun && managementKey) {
             try {