@neurcode/action 0.2.1 → 0.2.2

package/src/index.ts

@@ -1,14 +1,25 @@
 import * as core from '@actions/core';
 import * as exec from '@actions/exec';
 import * as github from '@actions/github';
-import { parseCliVerifyJsonPayload } from '@neurcode-ai/contracts';
+import {
+  parseCliVerifyJsonPayload,
+  RUNTIME_COMPATIBILITY_CONTRACT_VERSION,
+} from '@neurcode-ai/contracts';
 import { existsSync, readFileSync, writeFileSync } from 'fs';
+import * as http from 'http';
+import * as https from 'https';
 import { join, resolve } from 'path';
 import {
   buildVerifyArgs,
   getVerifyFallbackDecision,
   isMissingPlanVerificationFailure,
+  resolveEnterpriseEnforcement,
 } from './verify-mode';
+import {
+  parseApiHealthCompatibilityPayload,
+  parseCliCompatibilityPayload,
+  validateActionHandshake,
+} from './runtime-compat';
 
 interface Violation {
   file: string;
@@ -112,6 +123,19 @@ interface CliInvocation {
   description: string;
 }
 
+interface VerifyCapabilities {
+  supportsCompiledPolicy: boolean;
+  supportsChangeContract: boolean;
+  supportsEnforceChangeContract: boolean;
+}
+
+interface HttpJsonResponse {
+  statusCode: number;
+  body: string;
+  payload: unknown | null;
+  url: string;
+}
+
 type CliInstallSource = 'npm' | 'workspace';
 
 const ANSI_PATTERN = /\u001b\[[0-9;]*m/g;
@@ -163,6 +187,16 @@ function parseBoolean(input: string | undefined, fallback: boolean): boolean {
   return fallback;
 }
 
+function parseBooleanOrUndefined(input: string | undefined): boolean | undefined {
+  if (input === undefined || input === null || input.trim() === '') {
+    return undefined;
+  }
+  const normalized = input.trim().toLowerCase();
+  if (['1', 'true', 'yes', 'on'].includes(normalized)) return true;
+  if (['0', 'false', 'no', 'off'].includes(normalized)) return false;
+  return undefined;
+}
+
 function parsePositiveInt(input: string | undefined, fallback: number, min: number, max: number): number {
   const parsed = Number(input);
   if (!Number.isFinite(parsed)) return fallback;
@@ -303,6 +337,70 @@ function readJsonFile(path: string): Record<string, unknown> | null {
   }
 }
 
+function assertStrictDeterministicArtifacts(input: {
+  cwd: string;
+  strictMode: boolean;
+  compiledPolicyPath?: string;
+  changeContractPath?: string;
+  supportsCompiledPolicy: boolean;
+  supportsChangeContract: boolean;
+}): void {
+  if (!input.strictMode) return;
+
+  const errors: string[] = [];
+
+  if (!input.supportsCompiledPolicy) {
+    errors.push('Current CLI does not support --compiled-policy, but strict mode requires a compiled policy artifact.');
+  }
+  if (!input.supportsChangeContract) {
+    errors.push('Current CLI does not support --change-contract, but strict mode requires a change contract artifact.');
+  }
+
+  const compiledPath = input.compiledPolicyPath?.trim();
+  if (!compiledPath) {
+    errors.push('Missing compiled policy artifact path in strict mode (compiled_policy_path).');
+  } else {
+    const absoluteCompiledPath = resolve(input.cwd, compiledPath);
+    const compiled = readJsonFile(absoluteCompiledPath);
+    if (!compiled) {
+      errors.push(`Compiled policy artifact not found or invalid JSON: ${compiledPath}`);
+    } else {
+      const hasFingerprint = typeof compiled.fingerprint === 'string' && compiled.fingerprint.trim().length > 0;
+      const hasRules = Array.isArray(compiled.rules) || Array.isArray(compiled.statements);
+      if (!hasFingerprint && !hasRules) {
+        errors.push(
+          `Compiled policy artifact appears invalid (missing fingerprint/rules): ${compiledPath}`
+        );
+      }
+    }
+  }
+
+  const contractPath = input.changeContractPath?.trim();
+  if (!contractPath) {
+    errors.push('Missing change contract artifact path in strict mode (change_contract_path).');
+  } else {
+    const absoluteContractPath = resolve(input.cwd, contractPath);
+    const contract = readJsonFile(absoluteContractPath);
+    if (!contract) {
+      errors.push(`Change contract artifact not found or invalid JSON: ${contractPath}`);
+    } else {
+      const hasContractId = typeof contract.contractId === 'string' && contract.contractId.trim().length > 0;
+      const hasPlanId = typeof contract.planId === 'string' && contract.planId.trim().length > 0;
+      if (!hasContractId || !hasPlanId) {
+        errors.push(
+          `Change contract artifact appears invalid (missing contractId/planId): ${contractPath}`
+        );
+      }
+    }
+  }
+
+  if (errors.length > 0) {
+    throw new Error(
+      `Strict enterprise mode requires deterministic compiled-policy + change-contract artifacts:\n- ${errors.join('\n- ')}`
+    );
+  }
+}
+
 function detectProjectOrgId(cwd: string): string | undefined {
   const statePath = join(cwd, '.neurcode', 'config.json');
   const state = readJsonFile(statePath);
@@ -381,6 +479,187 @@ function extractLastJsonObject(output: string): unknown | null {
   return null;
 }
 
+function resolveActionPackageVersion(): string {
+  const fromEnv = process.env.NEURCODE_ACTION_VERSION || process.env.npm_package_version;
+  if (fromEnv && fromEnv.trim()) {
+    return fromEnv.trim();
+  }
+
+  const candidates = [
+    resolve(__dirname, '../package.json'),
+    resolve(process.cwd(), 'package.json'),
+  ];
+  for (const candidate of candidates) {
+    try {
+      if (!existsSync(candidate)) continue;
+      const parsed = JSON.parse(readFileSync(candidate, 'utf-8'));
+      const version = parsed?.version;
+      if (typeof version === 'string' && version.trim()) {
+        return version.trim();
+      }
+    } catch {
+      // Ignore and continue to next candidate.
+    }
+  }
+
+  return '0.0.0';
+}
+
+function normalizeApiBaseUrl(value: string): string {
+  return value.trim().replace(/\/+$/, '');
+}
+
+function requestJson(url: string, timeoutMs: number): Promise<HttpJsonResponse> {
+  return new Promise((resolvePromise, rejectPromise) => {
+    let target: URL;
+    try {
+      target = new URL(url);
+    } catch (error) {
+      rejectPromise(new Error(`Invalid API URL: ${url} (${error instanceof Error ? error.message : String(error)})`));
+      return;
+    }
+    const transport = target.protocol === 'http:' ? http : https;
+    const request = transport.request(
+      {
+        protocol: target.protocol,
+        hostname: target.hostname,
+        port: target.port || undefined,
+        path: `${target.pathname}${target.search}`,
+        method: 'GET',
+        headers: {
+          Accept: 'application/json',
+          'User-Agent': 'neurcode-action/runtime-compat',
+        },
+      },
+      (response) => {
+        let body = '';
+        response.setEncoding('utf8');
+        response.on('data', (chunk) => {
+          body += chunk;
+        });
+        response.on('end', () => {
+          let payload: unknown | null = null;
+          try {
+            payload = body ? JSON.parse(body) : null;
+          } catch {
+            payload = null;
+          }
+          resolvePromise({
+            statusCode: response.statusCode || 0,
+            body,
+            payload,
+            url,
+          });
+        });
+      }
+    );
+
+    request.on('error', (error) => {
+      rejectPromise(new Error(`Request failed for ${url}: ${error.message}`));
+    });
+
+    request.setTimeout(timeoutMs, () => {
+      request.destroy(new Error(`Request timed out after ${timeoutMs}ms`));
+    });
+
+    request.end();
+  });
+}
+
+async function resolveApiHealthPayload(apiBaseUrl: string, timeoutMs: number): Promise<unknown> {
+  const baseUrl = normalizeApiBaseUrl(apiBaseUrl);
+  const candidates = [`${baseUrl}/api/v1/health`, `${baseUrl}/health`];
+  const failures: string[] = [];
+
+  for (const url of candidates) {
+    try {
+      const response = await requestJson(url, timeoutMs);
+      const payload = response.payload;
+      const statusValue =
+        payload && typeof payload === 'object' && !Array.isArray(payload)
+          ? (payload as Record<string, unknown>).status
+          : null;
+      if (response.statusCode >= 200 && response.statusCode < 300 && statusValue === 'ok') {
+        return payload;
+      }
+      failures.push(`${url} returned ${response.statusCode}`);
+    } catch (error) {
+      failures.push(error instanceof Error ? error.message : String(error));
+    }
+  }
+
+  throw new Error(
+    `API compatibility probe failed (${failures.join(' | ')}).`
+  );
+}
+
+async function runCompatibilityHandshake(input: {
+  cli: CliInvocation;
+  cwd: string;
+  timeoutMinutes: number;
+  apiUrl?: string;
+  requireApiCompatibility: boolean;
+}): Promise<{
+  actionVersion: string;
+  cliVersion: string;
+  apiVersion?: string;
+}> {
+  const actionVersion = resolveActionPackageVersion();
+
+  const compatCommand = withCliCommandTimeout(input.cli, ['compat', '--json'], input.timeoutMinutes);
+  const compatResult = await runCommand(compatCommand.cmd, compatCommand.args, { cwd: input.cwd });
+  if (compatResult.exitCode !== 0) {
+    throw new Error(
+      `Compatibility handshake failed: unable to run "neurcode compat --json". ` +
+      `Output: ${stripAnsi(compatResult.output).trim() || 'no output'}`
+    );
+  }
+
+  const cliCompatPayload = extractLastJsonObject(compatResult.output);
+  if (!cliCompatPayload) {
+    throw new Error('Compatibility handshake failed: CLI compat output did not contain JSON.');
+  }
+  const cliCompatibility = parseCliCompatibilityPayload(cliCompatPayload);
+
+  let apiCompatibility = null;
+  let apiVersion: string | undefined;
+  if (input.apiUrl) {
+    const apiHealthPayload = await resolveApiHealthPayload(input.apiUrl, 10000);
+    apiCompatibility = parseApiHealthCompatibilityPayload(apiHealthPayload);
+    if (!apiCompatibility && input.requireApiCompatibility) {
+      throw new Error(
+        'Compatibility handshake failed: API health payload does not include compatibility metadata.'
+      );
+    }
+    if (apiCompatibility?.componentVersion) {
+      apiVersion = apiCompatibility.componentVersion;
+    } else if (
+      apiHealthPayload
+      && typeof apiHealthPayload === 'object'
+      && !Array.isArray(apiHealthPayload)
+      && typeof (apiHealthPayload as Record<string, unknown>).version === 'string'
+    ) {
+      apiVersion = (apiHealthPayload as Record<string, unknown>).version as string;
+    }
+  }
+
+  const errors = validateActionHandshake({
+    actionVersion,
+    cliCompatibility,
+    apiCompatibility,
+    requireApiCompatibility: input.requireApiCompatibility && Boolean(input.apiUrl),
+  });
+  if (errors.length > 0) {
+    throw new Error(`Compatibility handshake failed:\n- ${errors.join('\n- ')}`);
+  }
+
+  return {
+    actionVersion,
+    cliVersion: cliCompatibility.componentVersion,
+    apiVersion,
+  };
+}
+
 function parseVerifyResult(output: string): NeurcodeVerifyResult | null {
   const parsed = extractLastJsonObject(output);
   if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
@@ -893,6 +1172,26 @@ function withCliCommandTimeout(
   return withCommandTimeout(cli.cmd, [...cli.argsPrefix, ...args], timeoutMinutes);
 }
 
+async function resolveVerifyCapabilities(cli: CliInvocation, cwd: string): Promise<VerifyCapabilities> {
+  const helpCommand = withCliCommandTimeout(cli, ['verify', '--help'], 2);
+  const helpResult = await runCommand(helpCommand.cmd, helpCommand.args, { cwd });
+  if (helpResult.exitCode !== 0) {
+    core.warning('Unable to detect verify flag capabilities; defaulting to full verify flag set.');
+    return {
+      supportsCompiledPolicy: true,
+      supportsChangeContract: true,
+      supportsEnforceChangeContract: true,
+    };
+  }
+
+  const helpText = stripAnsi(helpResult.output).toLowerCase();
+  return {
+    supportsCompiledPolicy: helpText.includes('--compiled-policy'),
+    supportsChangeContract: helpText.includes('--change-contract'),
+    supportsEnforceChangeContract: helpText.includes('--enforce-change-contract'),
+  };
+}
+
 async function resolveCliInvocation(cwd: string): Promise<CliInvocation | null> {
   const direct = await runCommand('neurcode', ['--version'], { cwd });
   if (direct.exitCode === 0) {
@@ -1166,10 +1465,26 @@ async function run(): Promise<void> {
     const cliInstallSource = parseCliInstallSource(core.getInput('neurcode_cli_source'));
     const cliWorkspacePath = core.getInput('neurcode_cli_workspace_path') || 'packages/cli';
     const verifyTimeoutMinutes = parsePositiveInt(core.getInput('verify_timeout_minutes'), 8, 1, 120);
+    const enforceCompatibilityHandshake = parseBoolean(
+      core.getInput('enforce_compatibility_handshake'),
+      true
+    );
+    const requireApiCompatibilityHandshake = parseBoolean(
+      core.getInput('require_api_compatibility_handshake'),
+      true
+    );
+    const compatibilityProbeTimeoutMinutes = parsePositiveInt(
+      core.getInput('compatibility_probe_timeout_minutes'),
+      2,
+      1,
+      15
+    );
+    const configuredApiUrl = (process.env.NEURCODE_API_URL || '').trim();
     const verifyPolicyOnly = parseBoolean(core.getInput('verify_policy_only'), false);
+    const enterpriseMode = parseBoolean(core.getInput('enterprise_mode'), true);
     const compiledPolicyPath = (core.getInput('compiled_policy_path') || 'neurcode.policy.compiled.json').trim();
     const changeContractPath = (core.getInput('change_contract_path') || '.neurcode/change-contract.json').trim();
-    const enforceChangeContract = parseBoolean(core.getInput('enforce_change_contract'), false);
+    const enforceChangeContractOverride = parseBooleanOrUndefined(core.getInput('enforce_change_contract'));
     const changedFilesOnly = parseBoolean(core.getInput('changed_files_only'), false);
 
     const autoRemediate = parseBoolean(core.getInput('auto_remediate'), false);
@@ -1189,7 +1504,15 @@ async function run(): Promise<void> {
     );
     const remediationCommit = parseBoolean(core.getInput('remediation_commit'), false);
     const remediationPush = parseBoolean(core.getInput('remediation_push'), false);
-    const enforceStrictVerification = parseBoolean(core.getInput('enforce_strict_verification'), false);
+    const enforceStrictVerificationOverride = parseBooleanOrUndefined(core.getInput('enforce_strict_verification'));
+    const enterpriseEnforcement = resolveEnterpriseEnforcement({
+      enterpriseMode,
+      verifyPolicyOnly,
+      enforceChangeContract: enforceChangeContractOverride,
+      enforceStrictVerification: enforceStrictVerificationOverride,
+    });
+    let enforceChangeContract = enterpriseEnforcement.enforceChangeContract;
+    const enforceStrictVerification = enterpriseEnforcement.enforceStrictVerification;
     const verifyAfterRemediation = parseBoolean(core.getInput('verify_after_remediation'), true);
     const verifyAfterRemediationTimeoutMinutes = parsePositiveInt(
       core.getInput('verify_after_remediation_timeout_minutes'),
@@ -1235,6 +1558,55 @@ async function run(): Promise<void> {
       workspacePath: cliWorkspacePath,
     });
 
+    if (enforceCompatibilityHandshake) {
+      const handshake = await runCompatibilityHandshake({
+        cli: cliInvocation,
+        cwd,
+        timeoutMinutes: compatibilityProbeTimeoutMinutes,
+        apiUrl: configuredApiUrl || undefined,
+        requireApiCompatibility: requireApiCompatibilityHandshake,
+      });
+      core.info(
+        `Compatibility handshake passed (action=${handshake.actionVersion}, cli=${handshake.cliVersion}${handshake.apiVersion ? `, api=${handshake.apiVersion}` : ''}).`
+      );
+      core.setOutput('compatibility_handshake', 'passed');
+      core.setOutput('compatibility_contract_version', RUNTIME_COMPATIBILITY_CONTRACT_VERSION);
+      core.setOutput('compatibility_action_version', handshake.actionVersion);
+      core.setOutput('compatibility_cli_version', handshake.cliVersion);
+      if (handshake.apiVersion) {
+        core.setOutput('compatibility_api_version', handshake.apiVersion);
+      }
+    } else {
+      core.warning('Compatibility handshake is disabled via enforce_compatibility_handshake=false.');
+      core.setOutput('compatibility_handshake', 'skipped');
+    }
+
+    const verifyCapabilities = await resolveVerifyCapabilities(cliInvocation, cwd);
+    const effectiveCompiledPolicyPath = verifyCapabilities.supportsCompiledPolicy
+      ? (compiledPolicyPath || undefined)
+      : undefined;
+    const effectiveChangeContractPath = verifyCapabilities.supportsChangeContract
+      ? (changeContractPath || undefined)
+      : undefined;
+    if (!verifyCapabilities.supportsCompiledPolicy && compiledPolicyPath) {
+      core.warning('CLI does not support --compiled-policy; compiled policy artifact input will be ignored.');
+    }
+    if (!verifyCapabilities.supportsChangeContract && changeContractPath) {
+      core.warning('CLI does not support --change-contract; contract path input will be ignored.');
+    }
+    if (enforceChangeContract && !verifyCapabilities.supportsEnforceChangeContract) {
+      core.warning('CLI does not support --enforce-change-contract; contract hard-fail mode will be disabled.');
+      enforceChangeContract = false;
+    }
+    assertStrictDeterministicArtifacts({
+      cwd,
+      strictMode: enforceStrictVerification,
+      compiledPolicyPath: effectiveCompiledPolicyPath,
+      changeContractPath: effectiveChangeContractPath,
+      supportsCompiledPolicy: verifyCapabilities.supportsCompiledPolicy,
+      supportsChangeContract: verifyCapabilities.supportsChangeContract,
+    });
+
     const pr = github.context.payload.pull_request;
     const defaultBaseRef = pr ? `origin/${pr.base.ref}` : 'HEAD~1';
     const baseRef = baseRefInput.trim() || defaultBaseRef;
@@ -1242,6 +1614,13 @@ async function run(): Promise<void> {
       ? `Running verify in PR context against ${baseRef}`
       : `Running verify in push context against ${baseRef}`);
     core.info(`Verification mode: ${verifyPolicyOnly ? 'policy-only' : 'plan-aware'}`);
+    core.info(`Enterprise mode: ${enterpriseMode ? 'enabled' : 'disabled'}`);
+    core.info(
+      `Verify capabilities => compiled_policy=${verifyCapabilities.supportsCompiledPolicy}, change_contract=${verifyCapabilities.supportsChangeContract}, enforce_change_contract=${verifyCapabilities.supportsEnforceChangeContract}`
+    );
+    core.info(
+      `Enterprise enforcement => enforce_change_contract=${enforceChangeContract}, enforce_strict_verification=${enforceStrictVerification}`
+    );
 
     let changedFiles = new Set<string>();
     if (changedFilesOnly) {
@@ -1255,6 +1634,7 @@ async function run(): Promise<void> {
     }
 
     let effectiveVerifyPolicyOnly = verifyPolicyOnly;
+    let effectiveEnforceChangeContract = enforceChangeContract;
     const hasExplicitPlanId = Boolean(planId && planId.trim());
     let policyOnlyFallbackUsed = false;
     let fallbackFailureHint: string | null = null;
@@ -1264,9 +1644,10 @@ async function run(): Promise<void> {
       projectId: projectId || undefined,
       policyOnly: effectiveVerifyPolicyOnly,
       record,
-      compiledPolicyPath: compiledPolicyPath || undefined,
-      changeContractPath: changeContractPath || undefined,
-      enforceChangeContract,
+      compiledPolicyPath: effectiveCompiledPolicyPath,
+      changeContractPath: effectiveChangeContractPath,
+      enforceChangeContract: effectiveEnforceChangeContract,
+      strictArtifacts: enforceStrictVerification,
     });
 
     let verifyCommand = withCliCommandTimeout(cliInvocation, verifyArgs, verifyTimeoutMinutes);
@@ -1294,15 +1675,22 @@ async function run(): Promise<void> {
       );
       policyOnlyFallbackUsed = true;
       effectiveVerifyPolicyOnly = true;
+      effectiveEnforceChangeContract =
+        (typeof enforceChangeContractOverride === 'boolean' ? enforceChangeContractOverride : false)
+        && verifyCapabilities.supportsEnforceChangeContract;
+      if (typeof enforceChangeContractOverride !== 'boolean' && enforceChangeContract) {
+        core.info('Policy-only fallback detected; auto-disabling change-contract hard-fail for fallback run.');
+      }
       verifyArgs = buildVerifyArgs({
         baseRef,
         projectId: projectId || undefined,
         planId: undefined,
         policyOnly: true,
         record,
-        compiledPolicyPath: compiledPolicyPath || undefined,
-        changeContractPath: changeContractPath || undefined,
-        enforceChangeContract,
+        compiledPolicyPath: effectiveCompiledPolicyPath,
+        changeContractPath: effectiveChangeContractPath,
+        enforceChangeContract: effectiveEnforceChangeContract,
+        strictArtifacts: enforceStrictVerification,
       });
       verifyCommand = withCliCommandTimeout(cliInvocation, verifyArgs, verifyTimeoutMinutes);
       verifyRun = await runCommand(verifyCommand.cmd, verifyCommand.args, {
@@ -1628,6 +2016,9 @@ async function run(): Promise<void> {
         : 'plan_aware';
     core.setOutput('verify_mode', verifyModeOutput);
     core.setOutput('policy_only_fallback_used', policyOnlyFallbackUsed ? 'true' : 'false');
+    core.setOutput('enterprise_mode_active', enterpriseMode ? 'true' : 'false');
+    core.setOutput('enterprise_enforced_change_contract', effectiveEnforceChangeContract ? 'true' : 'false');
+    core.setOutput('enterprise_enforced_strict_verification', enforceStrictVerification ? 'true' : 'false');
 
     if (remediation) {
       core.setOutput('remediation_status', remediation.status);