@massu/core 1.3.0 → 1.4.0

package/src/detect/regex-fallback.ts

@@ -0,0 +1,449 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+/**
+ * Plan 3b — Phase 1: Regex Fallback Introspector.
+ *
+ * Verbatim move of the per-language regex helpers that were previously in
+ * `codebase-introspector.ts` (Plan #2 P3-001). NO regex logic changes — only
+ * the import path. This preserves Plan #2's 13 vitest cases as-is (re-imports
+ * are updated in `codebase-introspector.test.ts` only if needed; the moved
+ * functions retain their original signatures).
+ *
+ * The new 2-tier introspector (`codebase-introspector.ts`) calls these
+ * functions ONLY for fields where AST adapters returned 'none' confidence.
+ * AST adapters produce values into separate `detected.<adapter.id>` blocks;
+ * regex output continues to go into `detected.python` / `.swift` /
+ * `.typescript` blocks.
+ *
+ * Design rules carried over from Plan #2:
+ *   - File size cap: 256KB per file (skip silently if larger).
+ *   - Sample cap: at most 3 files per adapter (sorted, deterministic order).
+ *   - Total wall-clock budget: <2s on a 10K-file repo.
+ *   - Filesystem-only. No network, no child processes, no DB.
+ *   - Returns `null` for any field it can't confidently extract.
+ */
+
+import { existsSync, readdirSync, readFileSync, statSync } from 'fs';
+import { resolve, join, basename } from 'path';
+import type { DetectionResult } from './index.ts';
+
+export const MAX_FILE_BYTES = 256 * 1024;
+export const MAX_SAMPLES_PER_ADAPTER = 3;
+export const MAX_DIR_DEPTH = 6;
+
+// ============================================================
+// Public types (re-exported from codebase-introspector for compat)
+// ============================================================
+
+export interface DetectedPython {
+  auth_dep?: string;
+  api_prefix_base?: string;
+  test_async_pattern?: string;
+  _provenance?: Record<string, string>;
+}
+
+export interface DetectedSwift {
+  api_client_class?: string;
+  biometric_policy?: string;
+  _provenance?: Record<string, string>;
+}
+
+export interface DetectedTypeScript {
+  trpc_router_builder?: string;
+  procedure_pattern?: string;
+  _provenance?: Record<string, string>;
+}
+
+// ============================================================
+// Python adapter (FastAPI + Django)
+// ============================================================
+
+/**
+ * Introspect Python sources. Probes both FastAPI router files (`routers/*.py`,
+ * `api/*.py`) and Django views (`views.py`). Returns the most-extracted shape.
+ */
+export function introspectPython(
+  detection: DetectionResult,
+  projectRoot: string,
+): DetectedPython | null {
+  const sourceDir = resolveSourceDir(detection, 'python', projectRoot);
+  if (!sourceDir) return null;
+
+  // Sample router-shaped files first (FastAPI / Flask), then views.py (Django),
+  // then any .py file as a last resort. Match on PATH, not just filename:
+  // FastAPI projects typically name routers by resource (`options.py`, `tax.py`)
+  // and place them under a `routers/` directory, so basename-only matching
+  // misses them. Also accept files where the basename itself is router-shaped
+  // (e.g., `endpoints.py`, `api.py`).
+  const routerFiles = sampleFiles(sourceDir, /\.py$/, (absPath, name) =>
+    /\/(routers?|api|endpoints?|views)\//.test(absPath) ||
+    /^(routers?|api|endpoints?)\.py$/.test(name),
+  );
+  const viewFiles = sampleFiles(sourceDir, /^views\.py$/);
+  const fallbackFiles = routerFiles.length === 0 && viewFiles.length === 0
+    ? sampleFiles(sourceDir, /\.py$/)
+    : [];
+  const candidates = [...routerFiles, ...viewFiles, ...fallbackFiles].slice(
+    0,
+    MAX_SAMPLES_PER_ADAPTER,
+  );
+
+  if (candidates.length === 0) return null;
+
+  const authDeps = new Map<string, string>(); // value → first source path
+  const prefixBases = new Map<string, string>();
+  const testAsyncPatterns = new Map<string, string>();
+
+  for (const path of candidates) {
+    const body = readSafe(path);
+    if (body === null) continue;
+
+    // Auth dependency: `Depends(<name>)` — capture the call's argument.
+    // ReDoS-safe: anchored, short window, no nested quantifiers.
+    const authRegex = /\bDepends\s*\(\s*([A-Za-z_][A-Za-z0-9_]*)\s*\)/gu;
+    forEachMatch(authRegex, body, m => {
+      const name = m[1];
+      if (!authDeps.has(name)) authDeps.set(name, path);
+    });
+
+    // Django: `@login_required` or `@permission_required` decorators.
+    const djangoAuthRegex = /^@\s*([a-z_][a-z0-9_]*(?:_required|_login))\b/gmu;
+    forEachMatch(djangoAuthRegex, body, m => {
+      const name = m[1];
+      if (!authDeps.has(name)) authDeps.set(name, path);
+    });
+
+    // API prefix base: `APIRouter(prefix="/api/...")` — capture just the BASE
+    // (everything up to the second `/` from the start).
+    const prefixRegex = /\bAPIRouter\s*\(\s*[^)]*?prefix\s*=\s*["']([^"']+)["']/gu;
+    forEachMatch(prefixRegex, body, m => {
+      const fullPrefix = m[1];
+      const base = extractPrefixBase(fullPrefix);
+      if (base && !prefixBases.has(base)) prefixBases.set(base, path);
+    });
+
+    // Test async pattern: `@pytest.mark.asyncio` (with possible parens).
+    const asyncRegex = /^(@pytest\.mark\.asyncio(?:\s*\([^)]*\))?)/gmu;
+    forEachMatch(asyncRegex, body, m => {
+      const pat = m[1].trim();
+      if (!testAsyncPatterns.has(pat)) testAsyncPatterns.set(pat, path);
+    });
+  }
+
+  const authDep = pickBestSingleton(authDeps);
+  const apiPrefixBase = pickBestSingleton(prefixBases);
+  const testAsyncPattern = pickBestSingleton(testAsyncPatterns);
+
+  const result: DetectedPython = {};
+  const provenance: Record<string, string> = {};
+
+  if (authDep) {
+    result.auth_dep = authDep.value;
+    provenance.auth_dep_source = relativeTo(projectRoot, authDep.source);
+  }
+  if (apiPrefixBase) {
+    result.api_prefix_base = apiPrefixBase.value;
+    provenance.api_prefix_base_source = relativeTo(projectRoot, apiPrefixBase.source);
+  }
+  if (testAsyncPattern) {
+    result.test_async_pattern = testAsyncPattern.value;
+    provenance.test_async_pattern_source = relativeTo(projectRoot, testAsyncPattern.source);
+  }
+
+  // Only emit a language block when at least one real field was extracted.
+  // An empty result (provenance-only) clutters the YAML for no value.
+  if (Object.keys(result).length === 0) return null;
+  if (Object.keys(provenance).length > 0) result._provenance = provenance;
+  return result;
+}
+
+/**
+ * Reduce `/api/foo/bar` to `/api`. Returns null if the path doesn't have at
+ * least one slash-segment.
+ */
+function extractPrefixBase(prefix: string): string | null {
+  if (!prefix.startsWith('/')) return null;
+  const stripped = prefix.replace(/^\/+/, '');
+  const firstSeg = stripped.split('/')[0];
+  if (!firstSeg) return null;
+  return '/' + firstSeg;
+}
+
+// ============================================================
+// Swift adapter
+// ============================================================
+
+export function introspectSwift(
+  detection: DetectionResult,
+  projectRoot: string,
+): DetectedSwift | null {
+  const sourceDir = resolveSourceDir(detection, 'swift', projectRoot);
+  if (!sourceDir) return null;
+
+  // Prefer View files first, then any .swift. Path-aware: also match files
+  // under a `Views/` directory, since SwiftUI projects often name files by
+  // feature (e.g., `OrdersList.swift` inside `Features/Orders/Views/`).
+  const viewFiles = sampleFiles(sourceDir, /\.swift$/, (absPath, name) =>
+    /View\.swift$/.test(name) || /\/Views\//.test(absPath),
+  );
+  const fallbackFiles = viewFiles.length === 0
+    ? sampleFiles(sourceDir, /\.swift$/)
+    : [];
+  const candidates = [...viewFiles, ...fallbackFiles].slice(
+    0,
+    MAX_SAMPLES_PER_ADAPTER,
+  );
+
+  if (candidates.length === 0) return null;
+
+  const apiClasses = new Map<string, string>();
+  const biometricPolicies = new Map<string, string>();
+
+  for (const path of candidates) {
+    const body = readSafe(path);
+    if (body === null) continue;
+
+    // API client class: looks like `let api = SomeAPI()` or
+    // `@StateObject var api: SomeAPI = .shared` etc.
+    // Extract `SomeAPI` from `SomeAPI(`/`SomeAPI.shared`/`: SomeAPI`.
+    const apiRegex = /\b([A-Z][A-Za-z0-9_]*API)\s*(?:\(|\.shared|\b)/gu;
+    forEachMatch(apiRegex, body, m => {
+      const name = m[1];
+      if (!apiClasses.has(name)) apiClasses.set(name, path);
+    });
+
+    // LocalAuthentication policy: `LAPolicy.<name>` or `.<name>` after
+    // `evaluatePolicy(`. Whitelist known good values to avoid false positives.
+    const policyRegex = /\.(deviceOwnerAuthentication(?:WithBiometrics)?)\b/gu;
+    forEachMatch(policyRegex, body, m => {
+      const name = m[1];
+      if (!biometricPolicies.has(name)) biometricPolicies.set(name, path);
+    });
+  }
+
+  const apiClass = pickBestSingleton(apiClasses);
+  const biometricPolicy = pickBestSingleton(biometricPolicies);
+
+  const result: DetectedSwift = {};
+  const provenance: Record<string, string> = {};
+
+  if (apiClass) {
+    result.api_client_class = apiClass.value;
+    provenance.api_client_class_source = relativeTo(projectRoot, apiClass.source);
+  }
+  if (biometricPolicy) {
+    result.biometric_policy = biometricPolicy.value;
+    provenance.biometric_policy_source = relativeTo(projectRoot, biometricPolicy.source);
+  }
+
+  if (Object.keys(result).length === 0) return null;
+  if (Object.keys(provenance).length > 0) result._provenance = provenance;
+  return result;
+}
+
+// ============================================================
+// TypeScript / Next.js + tRPC adapter
+// ============================================================
+
+export function introspectTypeScript(
+  detection: DetectionResult,
+  projectRoot: string,
+): DetectedTypeScript | null {
+  const sourceDir = resolveSourceDir(detection, 'typescript', projectRoot)
+    ?? resolveSourceDir(detection, 'javascript', projectRoot);
+  if (!sourceDir) return null;
+
+  // Look for tRPC router files first. Match on PATH or filename: tRPC
+  // projects typically place routers under `server/api/routers/<name>.ts`
+  // where filenames are resource-named (e.g., `accounts.ts`).
+  const routerFiles = sampleFiles(sourceDir, /\.tsx?$/, (absPath, name) =>
+    /(router|trpc)/i.test(name) ||
+    /\/(routers|trpc|server\/api)\//.test(absPath),
+  );
+  const candidates = routerFiles.slice(0, MAX_SAMPLES_PER_ADAPTER);
+
+  if (candidates.length === 0) return null;
+
+  const builders = new Map<string, string>();
+  const procedurePatterns = new Map<string, string>();
+
+  for (const path of candidates) {
+    const body = readSafe(path);
+    if (body === null) continue;
+
+    // tRPC router builder: `createTRPCRouter({ ... })`. Whitelist known names
+    // (createTRPCRouter, router, t.router) — never grep for arbitrary identifiers.
+    const builderRegex = /\b(createTRPCRouter|router|t\.router)\s*\(/gu;
+    forEachMatch(builderRegex, body, m => {
+      const name = m[1];
+      if (!builders.has(name)) builders.set(name, path);
+    });
+
+    // Procedure pattern: `publicProcedure.input(...).query(...)` →
+    // capture just the procedure name (`publicProcedure`/`protectedProcedure`).
+    const procRegex = /\b([a-z]+Procedure)\b/gu;
+    forEachMatch(procRegex, body, m => {
+      const name = m[1];
+      if (!procedurePatterns.has(name)) procedurePatterns.set(name, path);
+    });
+  }
+
+  const builder = pickBestSingleton(builders);
+  const proc = pickBestSingleton(procedurePatterns);
+
+  const result: DetectedTypeScript = {};
+  const provenance: Record<string, string> = {};
+
+  if (builder) {
+    result.trpc_router_builder = builder.value;
+    provenance.trpc_router_builder_source = relativeTo(projectRoot, builder.source);
+  }
+  if (proc) {
+    result.procedure_pattern = proc.value;
+    provenance.procedure_pattern_source = relativeTo(projectRoot, proc.source);
+  }
+
+  if (Object.keys(result).length === 0) return null;
+  if (Object.keys(provenance).length > 0) result._provenance = provenance;
+  return result;
+}
+
+// ============================================================
+// Helpers
+// ============================================================
+
+/**
+ * Resolve the dominant source directory for a language, falling back to the
+ * project root if detection didn't surface anything specific.
+ */
+function resolveSourceDir(
+  detection: DetectionResult,
+  lang: string,
+  projectRoot: string,
+): string | null {
+  const dirs = (detection.sourceDirs as unknown as Record<string, { source_dirs?: string[] }>);
+  const info = dirs[lang];
+  const list = info?.source_dirs ?? [];
+  if (list.length > 0) {
+    const first = list[0];
+    const abs = resolve(projectRoot, first);
+    return existsSync(abs) ? abs : null;
+  }
+  return existsSync(projectRoot) ? projectRoot : null;
+}
+
+/**
+ * Walk `dir` and return up to MAX_SAMPLES_PER_ADAPTER files matching `nameRegex`,
+ * filtered further by `pathFilter` (called with absolute path AND basename, so
+ * filters can match either the filename (e.g., `views.py`) or a path
+ * component (e.g., a `routers/` parent directory). Skips dot-dirs,
+ * node_modules, .venv, etc. Bounded depth.
+ */
+export function sampleFiles(
+  dir: string,
+  nameRegex: RegExp,
+  pathFilter?: (absPath: string, basename: string) => boolean,
+): string[] {
+  const out: string[] = [];
+  const stack: { path: string; depth: number }[] = [{ path: dir, depth: 0 }];
+
+  while (stack.length > 0 && out.length < MAX_SAMPLES_PER_ADAPTER * 4) {
+    const { path, depth } = stack.pop()!;
+    if (depth > MAX_DIR_DEPTH) continue;
+
+    let entries: string[];
+    try {
+      entries = readdirSync(path);
+    } catch {
+      continue;
+    }
+
+    for (const entry of entries) {
+      if (entry.startsWith('.')) continue;
+      if (entry === 'node_modules') continue;
+      if (entry === '__pycache__') continue;
+      if (entry === 'venv' || entry === '.venv') continue;
+      if (entry === 'dist' || entry === 'build') continue;
+
+      const child = join(path, entry);
+      let st;
+      try {
+        st = statSync(child);
+      } catch {
+        continue;
+      }
+
+      if (st.isDirectory()) {
+        stack.push({ path: child, depth: depth + 1 });
+        continue;
+      }
+
+      if (!nameRegex.test(entry)) continue;
+      if (pathFilter && !pathFilter(child, entry)) continue;
+      if (st.size > MAX_FILE_BYTES) continue;
+      out.push(child);
+      if (out.length >= MAX_SAMPLES_PER_ADAPTER * 4) break;
+    }
+  }
+
+  // Stable ordering — deterministic test fixtures.
+  out.sort();
+  return out.slice(0, MAX_SAMPLES_PER_ADAPTER * 2);
+}
+
+/** Read a file as UTF-8. Returns null on any error or if too large. */
+export function readSafe(path: string): string | null {
+  try {
+    const st = statSync(path);
+    if (st.size > MAX_FILE_BYTES) return null;
+    return readFileSync(path, 'utf-8');
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Run a global regex over `body` and call `cb` for each match. Caps iteration
+ * at 1000 matches per regex to defend against pathological inputs.
+ */
+export function forEachMatch(
+  re: RegExp,
+  body: string,
+  cb: (m: RegExpExecArray) => void,
+): void {
+  if (!re.global) return;
+  re.lastIndex = 0;
+  let count = 0;
+  let m: RegExpExecArray | null;
+  while ((m = re.exec(body)) !== null) {
+    cb(m);
+    count++;
+    if (count > 1000) break;
+    // Defensive: zero-width match → bump lastIndex to avoid infinite loop.
+    if (m.index === re.lastIndex) re.lastIndex++;
+  }
+}
+
+/**
+ * If `samples` has exactly one distinct value, return it.
+ * If it has 2 values, return the first-seen (stable, deterministic order from
+ * file walk).
+ * If it has 3+ distinct values, return null — Risk #6 (auth-dep ambiguity).
+ */
+export function pickBestSingleton(
+  samples: Map<string, string>,
+): { value: string; source: string } | null {
+  if (samples.size === 0) return null;
+  if (samples.size >= 3) return null;
+  const [firstKey, firstSource] = samples.entries().next().value as [string, string];
+  return { value: firstKey, source: firstSource };
+}
+
+/** Make a file path relative to the project root. */
+export function relativeTo(projectRoot: string, absPath: string): string {
+  if (absPath.startsWith(projectRoot + '/')) {
+    return absPath.slice(projectRoot.length + 1);
+  }
+  return basename(absPath);
+}

package/src/hooks/session-start.ts

@@ -16,6 +16,7 @@ import { parse as parseYaml } from 'yaml';
 import type Database from 'better-sqlite3';
 import { runDetection } from '../detect/index.ts';
 import { computeFingerprint } from '../detect/drift.ts';
+import { isPidAlive } from '../lib/pidLiveness.ts';
 
 interface HookInput {
   session_id: string;
@@ -68,9 +69,14 @@ async function main(): Promise<void> {
       }
 
       // P5-001: drift banner (runs after memory context, independent of it).
+      // Plan 3a Phase 6: when a live watcher daemon exists, the drift banner
+      // is suppressed in favor of a compact watcher banner.
       const driftBanner = await buildDriftBanner();
       if (driftBanner) {
         process.stdout.write(driftBanner);
+      } else {
+        const watcherBanner = buildWatcherBanner();
+        if (watcherBanner) process.stdout.write(watcherBanner);
       }
     } finally {
       db.close();
@@ -261,6 +267,15 @@ function readStdin(): Promise<string> {
  */
 async function buildDriftBanner(): Promise<string> {
   try {
+    // Plan #2 P4-004: explicit opt-out for users in deliberate mid-migration windows.
+    // Stays at the top so MASSU_DRIFT_QUIET=1 remains the strongest signal
+    // (iter-1 G8: env-var override beats watcher-state suppression).
+    if (process.env.MASSU_DRIFT_QUIET === '1') return '';
+
+    // Plan 3a Phase 6: if a live watcher daemon refreshed within the last 24h,
+    // suppress this banner — the watcher already keeps the config current.
+    if (watcherIsLiveAndFresh()) return '';
+
     const configPath = resolve(process.cwd(), 'massu.config.yaml');
     if (!existsSync(configPath)) return '';
     const content = readFileSync(configPath, 'utf-8');
@@ -269,7 +284,10 @@ async function buildDriftBanner(): Promise<string> {
     const det = parsed.detection as Record<string, unknown> | undefined;
     const storedFp = typeof det?.fingerprint === 'string' ? (det.fingerprint as string) : null;
     if (!storedFp) return '';
-    const detection = await runDetection(process.cwd());
+    // Plan #2 P4-006: skip the codebase introspector pass — the drift banner
+    // only needs the fingerprint, not the introspected detail. Saves up to 2s
+    // wall-clock from the hook's 5-second budget.
+    const detection = await runDetection(process.cwd(), undefined, { skipIntrospect: true });
     const currentFp = computeFingerprint(detection);
     if (currentFp === storedFp) return '';
     return (
@@ -277,6 +295,9 @@ async function buildDriftBanner(): Promise<string> {
       'Detected stack has changed since last config refresh.\n' +
       `Fingerprint:  ${storedFp.slice(0, 16)}  ->  ${currentFp.slice(0, 16)}\n` +
       'Run: npx massu config refresh\n' +
+      '(this will update massu.config.yaml AND any commands that need\n' +
+      ' re-templating for your new stack)\n' +
+      'Tip: set MASSU_DRIFT_QUIET=1 to suppress this banner during mid-migration.\n' +
       '=== END ===\n'
     );
   } catch (_e) {
@@ -306,8 +327,11 @@ function loadCorrectionsPreventionRules(): string[] {
     const cwd = process.cwd();
     const config = getConfig();
     const claudeDirName = config.conventions?.claudeDirName ?? '.claude';
-    // Convert cwd to Claude's directory format: /Users/x/project -> -Users-x-project
-    const projectDirName = cwd.replace(/\//g, '-').replace(/^-/, '');
+    // Convert cwd to Claude's directory format: /Users/x/project -> -Users-x-project.
+    // Match both forward slashes (POSIX) and backslashes (Windows) so the lookup
+    // works cross-platform — without this, Windows users silently miss prevention
+    // rules because their projectDirName never resolves.
+    const projectDirName = cwd.replace(/[/\\]/g, '-').replace(/^-/, '');
     const correctionsPath = join(homeDir, claudeDirName, 'projects', projectDirName, 'memory', 'corrections.md');
 
     if (!existsSync(correctionsPath)) return [];
@@ -341,4 +365,71 @@ function loadCorrectionsPreventionRules(): string[] {
   }
 }
 
+// ============================================================
+// Plan 3a Phase 6: watcher-aware banner support
+// ============================================================
+
+interface WatchStateShape {
+  schema_version?: number;
+  daemonPid?: number | null;
+  lastRefreshAt?: string | null;
+  startedAt?: string | null;
+}
+
+function readWatchStateRaw(cwd: string): WatchStateShape | null {
+  try {
+    const path = resolve(cwd, '.massu', 'watch-state.json');
+    if (!existsSync(path)) return null;
+    const obj = JSON.parse(readFileSync(path, 'utf-8'));
+    if (!obj || typeof obj !== 'object') return null;
+    return obj as WatchStateShape;
+  } catch {
+    return null;
+  }
+}
+
+function watcherIsLiveAndFresh(): boolean {
+  // MASSU_DRIFT_QUIET takes precedence (caller already short-circuited).
+  // Fresh = last refresh within 24h AND daemonPid is alive.
+  const state = readWatchStateRaw(process.cwd());
+  if (!state) return false;
+  if (typeof state.daemonPid !== 'number' || state.daemonPid <= 0) return false;
+  if (!isPidAlive(state.daemonPid)) return false;
+  if (typeof state.lastRefreshAt !== 'string') return false;
+  const last = Date.parse(state.lastRefreshAt);
+  if (!Number.isFinite(last)) return false;
+  const ageMs = Date.now() - last;
+  return ageMs >= 0 && ageMs < 24 * 60 * 60 * 1000;
+}
+
+function buildWatcherBanner(): string {
+  // P4-004 ordering: MASSU_DRIFT_QUIET wins everywhere.
+  if (process.env.MASSU_DRIFT_QUIET === '1') return '';
+  const state = readWatchStateRaw(process.cwd());
+  if (!state) return '';
+  if (typeof state.daemonPid !== 'number' || state.daemonPid <= 0) return '';
+  if (!isPidAlive(state.daemonPid)) return '';
+  if (typeof state.lastRefreshAt !== 'string') return '';
+  const last = Date.parse(state.lastRefreshAt);
+  if (!Number.isFinite(last)) return '';
+  const ageMs = Date.now() - last;
+  if (ageMs < 0 || ageMs >= 24 * 60 * 60 * 1000) return '';
+
+  const ageStr = formatAge(ageMs);
+  return (
+    '=== Massu Watcher ===\n' +
+    `[massu] watcher running, last refresh: ${ageStr} ago (pid ${state.daemonPid})\n` +
+    '=== END ===\n'
+  );
+}
+
+function formatAge(ms: number): string {
+  const sec = Math.round(ms / 1000);
+  if (sec < 60) return `${sec}s`;
+  const min = Math.round(sec / 60);
+  if (min < 60) return `${min}m`;
+  const hr = Math.round(min / 60);
+  return `${hr}h`;
+}
+
 main();

package/src/lib/gitToplevel.ts

@@ -0,0 +1,22 @@
+// Copyright (c) 2026 Massu. All rights reserved.
+// Licensed under BSL 1.1 - see LICENSE file for details.
+
+/**
+ * Resolve the git repository root for a given working directory, falling
+ * back to the cwd itself when not inside a git repo.
+ *
+ * Used by `massu watch` and `massu refresh-log` so the watcher root and the
+ * refresh-log path always anchor on the same toplevel rather than wherever
+ * the user happened to invoke the CLI from.
+ */
+
+import { spawnSync } from 'child_process';
+
+export function gitToplevel(cwd: string): string {
+  const res = spawnSync('git', ['rev-parse', '--show-toplevel'], {
+    cwd,
+    encoding: 'utf-8',
+  });
+  if (res.status === 0 && res.stdout) return res.stdout.trim();
+  return cwd;
+}