@obtoai/agent-bridge 0.1.0-beta.1

package/src/claude-driver.js

@@ -0,0 +1,433 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const { encodeProjectDir } = require('./session-scanner');
+const bridgeHttp = require('./bridge-http');
+const { buildBridgeMcpServer } = require('./bridge-mcp-server');
+
+// Per-thread promise queue. Concurrent AMQP messages targeting the same thread
+// are serialized so first-touch session creation completes before any resume,
+// and consecutive resumes don't race the JSONL writer.
+const queues = new Map();
+
+// Freshness guard was for the niche case of a user running
+// `claude --resume <daemon-spawned sid>` interactively while the daemon is
+// driving the same session. In practice the SDK does post-iteration writes
+// to the JSONL that the daemon doesn't see, so the guard was misfiring on
+// every resume after first-touch. Default: OFF. Set BRIDGE_LIVE_GUARD=1
+// to re-enable.
+const FRESHNESS_THRESHOLD_MS =
+  parseInt(process.env.BRIDGE_LIVE_THRESHOLD_MS || '60000', 10);
+const LIVE_GUARD_DISABLED = process.env.BRIDGE_LIVE_GUARD !== '1';
+const ALLOW_ALL = process.env.BRIDGE_ALLOW_ALL === '1';
+const RELAY_PERMISSIONS = process.env.BRIDGE_RELAY_PERMISSIONS === '1';
+const RELAY_TIMEOUT_MS =
+  parseInt(process.env.BRIDGE_RELAY_TIMEOUT_MS || '600000', 10);
+
+const statMtimeMs = (jsonlPath) => {
+  if (!jsonlPath) return null;
+  try {
+    return fs.statSync(jsonlPath).mtimeMs;
+  } catch (_) {
+    return null;
+  }
+};
+
+// Decide whether the JSONL was written by something other than this daemon
+// since our last drive. If we have a known-mtime baseline, current mtime
+// must match it (within fs-precision tolerance) — anything else means an
+// external writer (interactive `claude --resume` etc.) is touching the file.
+// If we have no baseline (first drive on this binding), fall back to a
+// time-based heuristic so we don't barge in on a hot interactive session.
+const isStaleVsBaseline = (jsonlPath, baselineMtimeMs) => {
+  if (LIVE_GUARD_DISABLED) return false;
+  if (!jsonlPath) return false;
+  const cur = statMtimeMs(jsonlPath);
+  if (cur == null) return false;
+  if (baselineMtimeMs == null) {
+    return Date.now() - cur < FRESHNESS_THRESHOLD_MS;
+  }
+  return Math.abs(cur - baselineMtimeMs) > 100;
+};
+
+// Tools auto-approved without any human in the loop. The bridge_* tools are
+// served by our in-process SDK MCP server registered as "bridge", so their
+// fully-qualified names are mcp__bridge__*.
+const ALLOWED_TOOLS = new Set([
+  'mcp__bridge__bridge_post',
+  'mcp__bridge__bridge_thread_read',
+  'Read',
+  'Glob',
+  'Grep',
+  'WebSearch',
+  'WebFetch',
+  'NotebookRead',
+  'TodoWrite',
+]);
+
+// ── Permission relay ──────────────────────────────────────────────────────
+// Single-pending-per-thread. If Claude requests a tool needing approval, we
+// post a bridge question and resolve when a matching reply arrives via the
+// daemon's AMQP consumer (which calls tryResolvePermission below).
+
+const pendingPermissions = new Map();
+
+const requestPermissionViaBridge = async (threadId, toolName, input, log) => {
+  if (pendingPermissions.has(threadId)) {
+    return {
+      behavior: 'deny',
+      message:
+        'Another permission request is already pending on this thread; the daemon ' +
+        'does not multiplex permissions per thread. Wait and retry.',
+    };
+  }
+
+  const permId = 'perm-' + Math.random().toString(36).slice(2, 10);
+  let inputJson;
+  try {
+    inputJson = JSON.stringify(input, null, 2);
+  } catch (_) {
+    inputJson = '<unserializable>';
+  }
+
+  const minutes = Math.max(1, Math.floor(RELAY_TIMEOUT_MS / 60000));
+  const body =
+    '🔐 Permission request ' + permId +
+    '\n\nTool: ' + toolName +
+    '\nInput:\n' + inputJson +
+    '\n\nReply "approve" to allow, or anything else to deny. Times out in ' +
+    minutes + ' minute' + (minutes === 1 ? '' : 's') + '.';
+
+  log('info', 'permission relay: posting question', { threadId, permId, toolName });
+
+  try {
+    const r = await bridgeHttp.postMessage({
+      threadId,
+      author: 'claude-bridge-perm',
+      role: 'agent',
+      kind: 'question',
+      body,
+    });
+    if (!r.ok) {
+      throw new Error('post returned status ' + r.status);
+    }
+  } catch (err) {
+    log('error', 'permission relay: post failed', {
+      threadId,
+      permId,
+      error: err && err.message ? err.message : String(err),
+    });
+    return {
+      behavior: 'deny',
+      message:
+        'Permission relay failed to post the question to the bridge: ' +
+        (err && err.message ? err.message : String(err)),
+    };
+  }
+
+  return await new Promise((resolve) => {
+    const timeoutHandle = setTimeout(() => {
+      pendingPermissions.delete(threadId);
+      log('warn', 'permission relay: timed out', { threadId, permId, toolName });
+      resolve({
+        behavior: 'deny',
+        message:
+          'Permission request timed out — no human reply within ' + minutes +
+          ' minute' + (minutes === 1 ? '' : 's') + '.',
+      });
+    }, RELAY_TIMEOUT_MS);
+
+    pendingPermissions.set(threadId, {
+      permId,
+      toolName,
+      input,
+      resolve,
+      timeoutHandle,
+    });
+  });
+};
+
+// Called by the AMQP consumer for every reply on a thread. If the thread has
+// a pending permission request, resolve it and return true so the consumer
+// skips the normal drive() path. Otherwise return false.
+const tryResolvePermission = (threadId, body, log) => {
+  const pending = pendingPermissions.get(threadId);
+  if (!pending) return false;
+
+  pendingPermissions.delete(threadId);
+  clearTimeout(pending.timeoutHandle);
+
+  const normalized = String(body || '').trim().toLowerCase();
+  const approved = normalized === 'approve' || normalized === 'yes';
+
+  log('info', 'permission relay: resolved by reply', {
+    threadId,
+    permId: pending.permId,
+    toolName: pending.toolName,
+    approved,
+    replyPreview: String(body || '').slice(0, 80),
+  });
+
+  if (approved) {
+    pending.resolve({ behavior: 'allow', updatedInput: pending.input });
+  } else {
+    pending.resolve({
+      behavior: 'deny',
+      message: 'Human declined: ' + String(body || '').slice(0, 200),
+    });
+  }
+  return true;
+};
+
+const buildPermissionOptions = (log, threadId) => {
+  if (ALLOW_ALL) {
+    log('warn', 'BRIDGE_ALLOW_ALL=1 — bypassing all tool permissions', { threadId });
+    return {
+      permissionMode: 'bypassPermissions',
+      bypassPermissionsModeAcknowledged: true,
+    };
+  }
+  return {
+    canUseTool: async (toolName, input) => {
+      if (ALLOWED_TOOLS.has(toolName)) {
+        return { behavior: 'allow', updatedInput: input };
+      }
+      if (RELAY_PERMISSIONS) {
+        return await requestPermissionViaBridge(threadId, toolName, input, log);
+      }
+      log('info', 'tool denied by bridge policy', { threadId, toolName });
+      return {
+        behavior: 'deny',
+        message:
+          'This is a bridge-spawned session running unattended on the user\'s ' +
+          'machine. The tool "' + toolName + '" is not on the auto-approved ' +
+          'list and BRIDGE_RELAY_PERMISSIONS is not enabled. To use it, post a ' +
+          'message via bridge_post with kind="question" on threadId="' + threadId + '" ' +
+          'explaining what you need to do, then end your turn — a human will ' +
+          'reply with guidance, and you can re-evaluate when the bridge resumes ' +
+          'you on the next message.',
+      };
+    },
+  };
+};
+
+// ── Driving sessions ──────────────────────────────────────────────────────
+
+const buildEnvelope = (payload) => {
+  const head =
+    '[OBTO Agent Bridge | thread:' + (payload.threadId || '?') +
+    ' | from:' + (payload.author || 'unknown') +
+    ' | role:' + (payload.role || 'human') +
+    ' | ts:' + (payload.createdAt || new Date().toISOString()) +
+    (payload.messageId ? ' | messageId:' + payload.messageId : '') +
+    ']';
+  const body = (payload.body || '').toString();
+  return head + '\n\n' + body;
+};
+
+const buildBootstrapPrompt = (payload) =>
+  buildEnvelope(payload) +
+  '\n\n---\n' +
+  'You are a Claude session spawned by the OBTO Agent Bridge daemon to handle ' +
+  'thread "' + payload.threadId + '". The human who sent the message above is ' +
+  'NOT watching your terminal output — they are on the OBTO bridge web UI ' +
+  '(possibly on their phone). You CANNOT reach them with plain text replies. ' +
+  'The ONLY way to communicate back is to call the in-process bridge MCP tools ' +
+  'served by the "bridge" server (running locally inside this daemon).\n\n' +
+  'TOOLS YOU MUST USE — by their fully-qualified MCP names:\n' +
+  '  • mcp__bridge__bridge_post — post a reply on this thread\n' +
+  '  • mcp__bridge__bridge_thread_read — read prior messages on this thread\n\n' +
+  'Do NOT use mcp__claude_ai_OBTO-APP__bridge_post if it appears in your tool ' +
+  'list — that one routes through an unreliable proxy that times out and will ' +
+  'silently fail. Always prefer mcp__bridge__*.\n\n' +
+  'Workflow rules (apply to this turn AND every future turn on this thread):\n' +
+  '  1. Investigate / do the requested work using the tools you have.\n' +
+  '  2. Post your final answer via mcp__bridge__bridge_post(threadId="' + payload.threadId + '", ' +
+       'body=<your reply text>, kind="result" for a finished answer, ' +
+       '"status" for a progress update, "question" if you need clarification, ' +
+       '"error" if something failed).\n' +
+  '  3. If you need information from the human before you can finish, ' +
+       'post a single question via mcp__bridge__bridge_post(kind="question") and ' +
+       'end your turn. Do NOT speculate or do unrelated work while waiting.\n' +
+  '  4. To see prior messages on this thread (e.g. on resume), call ' +
+       'mcp__bridge__bridge_thread_read(threadId="' + payload.threadId + '").\n\n' +
+  'IMPORTANT: end every turn with an mcp__bridge__bridge_post call. Plain-text ' +
+  'replies in this conversation are invisible to the human and effectively dropped.\n\n' +
+  'Now respond to the human message above.';
+
+const consumeQuery = async (q) => {
+  let assistantTextChars = 0;
+  let stopReason = null;
+  let observedSessionId = null;
+
+  for await (const event of q) {
+    if (!event || typeof event !== 'object') continue;
+
+    if (event.type === 'system' && event.subtype === 'init' && event.session_id) {
+      observedSessionId = event.session_id;
+    }
+
+    if (event.type === 'assistant' && event.message && Array.isArray(event.message.content)) {
+      for (const c of event.message.content) {
+        if (c && c.type === 'text' && typeof c.text === 'string') {
+          assistantTextChars += c.text.length;
+        }
+      }
+    }
+
+    if (event.type === 'result') {
+      stopReason = event.subtype || event.stop_reason || 'done';
+      break;
+    }
+  }
+
+  return { assistantTextChars, stopReason, observedSessionId };
+};
+
+const driveFirstTouch = async ({ threadId, projectDir, payload, log }) => {
+  const sdk = await import('@anthropic-ai/claude-agent-sdk');
+  const bridgeServer = await buildBridgeMcpServer({ log });
+  const prompt = buildBootstrapPrompt(payload);
+  const options = Object.assign(
+    {
+      cwd: projectDir,
+      mcpServers: { bridge: bridgeServer },
+    },
+    buildPermissionOptions(log, threadId),
+  );
+
+  log('info', 'first-touch spawn', {
+    threadId,
+    projectDir,
+    messageId: payload.messageId,
+  });
+
+  const startedAt = Date.now();
+  const { assistantTextChars, stopReason, observedSessionId } =
+    await consumeQuery(sdk.query({ prompt, options }));
+
+  if (!observedSessionId) {
+    throw new Error('no session_id observed from query() init event');
+  }
+
+  const jsonlPath = path.join(
+    os.homedir(),
+    '.claude',
+    'projects',
+    encodeProjectDir(projectDir),
+    observedSessionId + '.jsonl',
+  );
+
+  const lastJsonlMtimeMs = statMtimeMs(jsonlPath);
+
+  log('info', 'first-touch done', {
+    threadId,
+    sessionId: observedSessionId,
+    stopReason,
+    assistantTextChars,
+    durationMs: Date.now() - startedAt,
+    lastJsonlMtimeMs,
+  });
+
+  return {
+    sessionId: observedSessionId,
+    projectDir,
+    jsonlPath,
+    stopReason,
+    assistantTextChars,
+    lastJsonlMtimeMs,
+  };
+};
+
+const driveResume = async ({ threadId, sessionId, projectDir, jsonlPath, lastJsonlMtimeMs, payload, log }) => {
+  if (isStaleVsBaseline(jsonlPath, lastJsonlMtimeMs)) {
+    const cur = statMtimeMs(jsonlPath);
+    log('warn', 'JSONL changed since last daemon drive — likely live interactive session, skipping resume', {
+      threadId,
+      sessionId,
+      jsonlPath,
+      baselineMtimeMs: lastJsonlMtimeMs,
+      currentMtimeMs: cur,
+    });
+    return { skipped: true, stopReason: 'skipped_live_session' };
+  }
+
+  const sdk = await import('@anthropic-ai/claude-agent-sdk');
+  const bridgeServer = await buildBridgeMcpServer({ log });
+  const prompt = buildEnvelope(payload);
+  const options = Object.assign(
+    {
+      resume: sessionId,
+      cwd: projectDir,
+      mcpServers: { bridge: bridgeServer },
+    },
+    buildPermissionOptions(log, threadId),
+  );
+
+  log('info', 'resuming session', {
+    threadId,
+    sessionId,
+    messageId: payload.messageId,
+  });
+
+  const startedAt = Date.now();
+  const { assistantTextChars, stopReason } =
+    await consumeQuery(sdk.query({ prompt, options }));
+
+  const newMtime = statMtimeMs(jsonlPath);
+
+  log('info', 'resume done', {
+    threadId,
+    sessionId,
+    stopReason,
+    assistantTextChars,
+    durationMs: Date.now() - startedAt,
+    lastJsonlMtimeMs: newMtime,
+  });
+
+  return { stopReason, assistantTextChars, lastJsonlMtimeMs: newMtime };
+};
+
+const drive = (params) => {
+  const key = params.threadId;
+  const prev = queues.get(key) || Promise.resolve();
+  const next = prev
+    .then(() => {
+      if (params.binding && params.binding.sessionId) {
+        return driveResume({
+          threadId: params.threadId,
+          sessionId: params.binding.sessionId,
+          projectDir: params.binding.projectDir,
+          jsonlPath: params.binding.jsonlPath,
+          lastJsonlMtimeMs: params.binding.lastJsonlMtimeMs,
+          payload: params.payload,
+          log: params.log,
+        });
+      }
+      return driveFirstTouch({
+        threadId: params.threadId,
+        projectDir: params.projectDir,
+        payload: params.payload,
+        log: params.log,
+      });
+    })
+    .catch((err) => {
+      params.log('error', 'drive failed', {
+        threadId: params.threadId,
+        error: err && err.message ? err.message : String(err),
+      });
+      throw err;
+    });
+  queues.set(key, next);
+  return next;
+};
+
+module.exports = {
+  drive,
+  buildEnvelope,
+  buildBootstrapPrompt,
+  tryResolvePermission,
+};

package/src/codex-driver.js

@@ -0,0 +1,206 @@
+'use strict';
+
+// Codex driver — drives an OpenAI Codex session per bridge thread, the Codex
+// counterpart of claude-driver.js. Selected when config `agent` === 'codex'.
+//
+// Why this differs in shape from the Claude driver:
+//
+//   • No permission relay. Codex has no per-tool callback — only coarse
+//     sandbox/approval modes. A Codex session runs unattended inside
+//     cfg.codexSandbox (default 'workspace-write'). tryResolvePermission() is
+//     a no-op.
+//
+//   • No bridge MCP tool. Codex cannot auto-approve a *write* MCP tool when
+//     run non-interactively (openai/codex issue #15437) — so a Codex session
+//     could never call a `bridge_post` tool itself. Instead this driver runs
+//     the turn and posts the agent's final response to the bridge ON ITS
+//     BEHALF (the "capture" model). Consequence: a Codex turn delivers exactly
+//     one bridge message — its final answer — with no mid-task status updates
+//     or agent-initiated questions. That is the ceiling of the Codex SDK, and
+//     it keeps the integration free of any ~/.codex/config.toml mutation.
+//
+// SDK-specific calls are isolated in runCodex(), verified against
+// @openai/codex-sdk@0.130.0.
+
+const { loadConfig } = require('./config');
+const { buildEnvelope } = require('./claude-driver');
+const bridgeHttp = require('./bridge-http');
+
+// Per-thread promise queue — concurrent replies on one thread are serialized
+// so first-touch completes before any resume. Mirrors claude-driver.
+const queues = new Map();
+
+const ALLOW_ALL = process.env.BRIDGE_ALLOW_ALL === '1';
+
+const buildCodexPrompt = (payload, isFirst) => {
+  const head = buildEnvelope(payload);
+  if (!isFirst) return head;
+  return head +
+    '\n\n---\n' +
+    'You are a Codex session spawned by the OBTO Agent Bridge to handle thread ' +
+    '"' + payload.threadId + '". The human who sent the message above is on the ' +
+    'OBTO bridge web UI — they do NOT see your terminal, your tool calls, or any ' +
+    'intermediate output. They see ONLY your final response message, which is ' +
+    'delivered to them verbatim.\n\n' +
+    'Therefore: do the requested work, then make your final response a complete, ' +
+    'self-contained answer addressed to that human. Markdown is supported. If you ' +
+    'need information you do not have, make your final response a single clear ' +
+    'question. Do not look for a "post" or "bridge" tool — there is none; simply ' +
+    'produce the answer as your reply and it will be delivered.\n\n' +
+    'Now handle the message above.';
+};
+
+// ── SDK boundary ──────────────────────────────────────────────────────────
+// All @openai/codex-sdk-specific calls. Verified against codex-sdk@0.130.0.
+const runCodex = async ({ prompt, projectDir, resumeId }) => {
+  const { Codex } = await import('@openai/codex-sdk');
+  const cfg = loadConfig();
+  const codex = new Codex();
+
+  const threadOpts = {
+    workingDirectory: projectDir,
+    sandboxMode: ALLOW_ALL
+      ? 'danger-full-access'
+      : (cfg.codexSandbox || 'workspace-write'),
+    // 'never' is the documented non-interactive approval mode — the daemon is
+    // unattended, so the agent must never block on a prompt. sandboxMode is
+    // the actual safety boundary.
+    approvalPolicy: 'never',
+    // The bridge project dir is not necessarily a git repo — don't hard-fail.
+    skipGitRepoCheck: true,
+  };
+
+  const thread = resumeId
+    ? codex.resumeThread(resumeId, threadOpts)
+    : codex.startThread(threadOpts);
+
+  const turn = await thread.run(prompt);
+
+  return {
+    // Thread.id is populated once the first turn starts.
+    sessionId: thread.id || resumeId || null,
+    finalResponse: String((turn && turn.finalResponse) || ''),
+  };
+};
+// ──────────────────────────────────────────────────────────────────────────
+
+const postToBridge = async ({ threadId, body, kind, log }) => {
+  try {
+    const r = await bridgeHttp.postMessage({
+      threadId,
+      body,
+      kind: kind || 'result',
+      author: 'codex-bridge',
+      role: 'agent',
+    });
+    if (!r.ok) {
+      log('error', 'codex bridge post failed', { threadId, status: r.status });
+    }
+    return !!r.ok;
+  } catch (e) {
+    log('error', 'codex bridge post threw', {
+      threadId,
+      error: e && e.message ? e.message : String(e),
+    });
+    return false;
+  }
+};
+
+const driveTurn = async ({ threadId, projectDir, resumeId, payload, log }) => {
+  const isFirst = !resumeId;
+  log('info', isFirst ? 'codex first-touch spawn' : 'codex resume', {
+    threadId,
+    projectDir,
+    resumeId: resumeId || undefined,
+    sandbox: ALLOW_ALL ? 'danger-full-access' : (loadConfig().codexSandbox || 'workspace-write'),
+    messageId: payload.messageId,
+  });
+
+  const startedAt = Date.now();
+  let sessionId = resumeId || null;
+  let finalResponse = '';
+  let failure = null;
+
+  try {
+    const res = await runCodex({
+      prompt: buildCodexPrompt(payload, isFirst),
+      projectDir,
+      resumeId,
+    });
+    sessionId = res.sessionId || sessionId;
+    finalResponse = res.finalResponse;
+  } catch (e) {
+    failure = e && e.message ? e.message : String(e);
+  }
+
+  // The driver delivers Codex's output — Codex cannot post for itself.
+  if (failure) {
+    await postToBridge({ threadId, kind: 'error', body: 'Codex run failed: ' + failure, log });
+  } else if (finalResponse.trim()) {
+    await postToBridge({ threadId, kind: 'result', body: finalResponse, log });
+  } else {
+    await postToBridge({
+      threadId,
+      kind: 'error',
+      body: 'Codex completed the turn but produced no final response.',
+      log,
+    });
+  }
+
+  log('info', isFirst ? 'codex first-touch done' : 'codex resume done', {
+    threadId,
+    sessionId,
+    ok: !failure && !!finalResponse.trim(),
+    assistantTextChars: finalResponse.length,
+    durationMs: Date.now() - startedAt,
+  });
+
+  // If the run failed before Codex even produced a thread id, there is no
+  // session to bind — surface it so the daemon logs a handle failure.
+  if (failure && !sessionId) {
+    throw new Error('codex run failed before a thread id was assigned: ' + failure);
+  }
+
+  // jsonlPath/lastJsonlMtimeMs are Claude-specific — null keeps the binding
+  // shape consistent for daemon.js / state.js.
+  return {
+    sessionId,
+    projectDir,
+    jsonlPath: null,
+    lastJsonlMtimeMs: null,
+    stopReason: failure ? 'error' : 'done',
+    assistantTextChars: finalResponse.length,
+  };
+};
+
+const drive = (params) => {
+  const key = params.threadId;
+  const prev = queues.get(key) || Promise.resolve();
+  const next = prev
+    .then(() => {
+      const binding = params.binding;
+      const resuming = binding && binding.sessionId;
+      return driveTurn({
+        threadId: params.threadId,
+        projectDir: resuming ? binding.projectDir : params.projectDir,
+        resumeId: resuming ? binding.sessionId : null,
+        payload: params.payload,
+        log: params.log,
+      });
+    })
+    .catch((err) => {
+      params.log('error', 'codex drive failed', {
+        threadId: params.threadId,
+        error: err && err.message ? err.message : String(err),
+      });
+      throw err;
+    });
+  queues.set(key, next);
+  return next;
+};
+
+// Codex has no per-tool permission callback — there is nothing to relay, so
+// the daemon's reply path always proceeds straight to drive().
+const tryResolvePermission = () => false;
+
+module.exports = { drive, tryResolvePermission };