@onklave/agent-cli 0.1.29 → 0.1.31

package/main.js

@@ -712,8 +712,8 @@ var PlatformClient = class {
   /*
    * Make an authenticated HTTP request to the platform.
    */
-  async request(method, path7, body, extraHeaders) {
-    const url = `${this.baseUrl}${path7}`;
+  async request(method, path8, body, extraHeaders) {
+    const url = `${this.baseUrl}${path8}`;
     const headers = {
       Authorization: `Bearer ${this.token}`,
       "Content-Type": "application/json",
@@ -2980,7 +2980,7 @@ async function logsCommand(args) {
 }
 
 // _apps/@onklave/agent-cli/src/commands/daemon.command.ts
-import * as fs6 from "fs";
+import * as fs7 from "fs";
 
 // _apps/@onklave/agent-cli/src/services/daemon-comms.service.ts
 var DaemonCommsService = class {
@@ -3070,6 +3070,8 @@ var DaemonClaimHandler = class {
     this.resourceSampler = opts.resourceSampler;
     this.maxCpuPercent = opts.maxCpuPercent ?? 80;
     this.maxMemoryBytes = opts.maxMemoryBytes;
+    this.brokerClient = opts.brokerClient;
+    this.workItemRunner = opts.workItemRunner;
   }
   /**
    * Wire up the inbound event subscriptions. Call after the socket has
@@ -3203,6 +3205,10 @@ var DaemonClaimHandler = class {
       );
       return;
     }
+    if (this.brokerClient && this.workItemRunner) {
+      await this.runLocalPickup(event);
+      return;
+    }
     if (!this.platformClient || !this.deviceToken) {
       console.log(
         `[daemon] assignment:claim-available assignmentId=${event.assignmentId} (platformClient not wired \u2014 Phase 5b config missing)`
@@ -3242,6 +3248,89 @@ var DaemonClaimHandler = class {
       });
     }
   }
+  /**
+   * Phase 2 "Slice B" — the full local-execution path for one assignment:
+   *   broker.accept → clone + run Claude Code locally → broker.report-result.
+   * The daemon authenticates to the broker with its DEVICE token only; the
+   * broker is the only thing that ever touches teams' internal (S2S) endpoints.
+   * Holds an active-session slot for the lifetime of the run so the capacity
+   * gate stays accurate. Best-effort: failures are audited and, where a session
+   * already exists, reported back as `failed`.
+   */
+  async runLocalPickup(event) {
+    const broker = this.brokerClient;
+    const runner = this.workItemRunner;
+    this.activeSessions += 1;
+    let sessionId;
+    try {
+      const accepted = await broker.accept({
+        assignmentId: event.assignmentId,
+        workItemId: event.workItemId,
+        orgId: event.orgId,
+        machineId: this.machineId
+      });
+      sessionId = accepted.sessionId;
+      this.audit.record({
+        sessionId,
+        type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+        action: DAEMON_AUDIT_ACTIONS.SESSION_CLAIMED,
+        details: {
+          machineId: this.machineId,
+          orgId: event.orgId,
+          workItemId: event.workItemId,
+          assignmentId: event.assignmentId,
+          via: "assignment:claim-available"
+        },
+        outcome: "success"
+      });
+      const result = await runner.run(sessionId, accepted.workItem);
+      await broker.reportResult({
+        sessionId,
+        status: result.status,
+        summary: result.summary,
+        branchName: result.branchName,
+        assignmentId: event.assignmentId,
+        machineId: this.machineId
+      });
+      this.audit.record({
+        sessionId,
+        type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+        action: result.status === "failed" ? DAEMON_AUDIT_ACTIONS.SESSION_FAILED : DAEMON_AUDIT_ACTIONS.SESSION_COMPLETED,
+        details: {
+          machineId: this.machineId,
+          status: result.status,
+          ...result.branchName ? { branchName: result.branchName } : {}
+        },
+        outcome: result.status === "failed" ? "failure" : "success"
+      });
+    } catch (err) {
+      const error = err.message;
+      this.audit.record({
+        sessionId: sessionId ?? event.assignmentId,
+        type: "daemon_lifecycle" /* DAEMON_LIFECYCLE */,
+        action: DAEMON_AUDIT_ACTIONS.SESSION_FAILED,
+        details: { machineId: this.machineId, phase: "pickup", error },
+        outcome: "failure"
+      });
+      if (sessionId) {
+        try {
+          await broker.reportResult({
+            sessionId,
+            status: "failed",
+            summary: error,
+            assignmentId: event.assignmentId,
+            machineId: this.machineId
+          });
+        } catch (reportErr) {
+          console.warn(
+            `[daemon] failed to report pickup failure for ${sessionId}: ${reportErr.message}`
+          );
+        }
+      }
+    } finally {
+      this.activeSessions -= 1;
+    }
+  }
   /**
    * Phase 5c — release a previously claimed assignment when the
    * daemon cannot proceed (e.g. drain interrupted, capacity check
@@ -3292,8 +3381,217 @@ function truncate2(s, n) {
   return s.length <= n ? s : `${s.slice(0, n - 1)}\u2026`;
 }
 
-// _apps/@onklave/agent-cli/src/services/daemon-resource-sampler.service.ts
+// _apps/@onklave/agent-cli/src/services/platform-broker-client.ts
+var PlatformBrokerClient = class {
+  constructor(baseUrl, deviceToken) {
+    this.baseUrl = baseUrl;
+    this.deviceToken = deviceToken;
+  }
+  /**
+   * Accept an assignment as this registered machine. The broker accepts on
+   * teams (→ in_progress), persists a tracking session, and returns the
+   * sessionId + work context.
+   */
+  async accept(params) {
+    return this.request(
+      "POST",
+      "/api/v1/work-item-pickup/accept",
+      params
+    );
+  }
+  /** Report a finished local run back to the broker (→ WorkItem). */
+  async reportResult(params) {
+    await this.request(
+      "POST",
+      "/api/v1/work-item-pickup/report-result",
+      params
+    );
+  }
+  async request(method, path8, body) {
+    const url = `${this.baseUrl}${path8}`;
+    const response = await fetch(url, {
+      method,
+      headers: {
+        "x-device-token": this.deviceToken,
+        "Content-Type": "application/json",
+        Accept: "application/json"
+      },
+      body: body ? JSON.stringify(body) : void 0,
+      signal: AbortSignal.timeout(3e4)
+    });
+    if (!response.ok) {
+      let errorMessage = `Broker API error: ${response.status} ${response.statusText}`;
+      try {
+        const errorBody = await response.json();
+        if (errorBody && typeof errorBody === "object" && "message" in errorBody) {
+          errorMessage = `Broker API error: ${errorBody.message}`;
+        }
+      } catch {
+      }
+      throw new Error(errorMessage);
+    }
+    const contentType = response.headers.get("content-type");
+    if (!contentType || !contentType.includes("application/json")) {
+      return void 0;
+    }
+    const text = await response.text();
+    if (!text) {
+      return void 0;
+    }
+    return JSON.parse(text);
+  }
+};
+
+// _apps/@onklave/agent-cli/src/services/work-item-runner.service.ts
+import { spawn as spawn2 } from "child_process";
+import * as fs5 from "fs";
 import * as os4 from "os";
+import * as path6 from "path";
+var WorkItemRunner = class {
+  constructor(opts = {}) {
+    this.sessionManager = opts.sessionManager ?? new SessionManager();
+    this.git = opts.git ?? defaultGit;
+    this.model = opts.model ?? "claude-sonnet-4-6";
+    this.timeoutSeconds = opts.timeoutSeconds ?? 1800;
+  }
+  /**
+   * Clone → branch → run Claude Code. Returns the run outcome; never throws —
+   * failures are mapped to a `failed` result with an error summary so the
+   * caller can always report a status back to the broker.
+   */
+  async run(sessionId, workItem) {
+    const repo = workItem.project?.repos?.[0];
+    if (!repo?.url) {
+      return {
+        status: "failed",
+        summary: `Work item ${workItem.id} has no clonable repo (project.repos[0].url missing).`
+      };
+    }
+    const workDir = fs5.mkdtempSync(
+      path6.join(os4.tmpdir(), `onklave-pickup-${sessionId}-`)
+    );
+    const repoDir = path6.join(workDir, sanitizeName(repo.name) || "repo");
+    const branchName = `onklave/work-item/${workItem.id}`;
+    try {
+      await this.git(["clone", repo.url, repoDir], workDir);
+      await this.git(["checkout", "-b", branchName], repoDir);
+    } catch (err) {
+      cleanup(workDir);
+      return {
+        status: "failed",
+        summary: `Failed to prepare workspace for ${repo.url}: ${err.message}`,
+        branchName
+      };
+    }
+    const guardrails = new GuardrailEnforcer({
+      rules: [],
+      allowedTools: [],
+      deniedTools: [],
+      readablePaths: [repoDir],
+      writablePaths: [repoDir]
+    });
+    const writeCheck = guardrails.checkPathAccess(repoDir, "write");
+    if (!writeCheck.allowed) {
+      cleanup(workDir);
+      return {
+        status: "failed",
+        summary: `Guardrails blocked the workspace: ${writeCheck.reason}`,
+        branchName
+      };
+    }
+    const addDirs = [repoDir];
+    const task = buildTask(workItem);
+    const config = {
+      task,
+      context: repoDir,
+      persona: null,
+      workflow: null,
+      model: this.model,
+      timeout: this.timeoutSeconds,
+      guardrails: [],
+      allowedTools: [],
+      deniedTools: [],
+      addDirs,
+      apiKey: null,
+      headless: true,
+      platformUrl: "",
+      orgId: null,
+      systemPromptAppend: null
+    };
+    let output = "";
+    const exitCode = await new Promise((resolve3) => {
+      const timeout = setTimeout(() => {
+        void this.sessionManager.stopSession(sessionId).catch(() => void 0);
+      }, this.timeoutSeconds * 1e3);
+      void this.sessionManager.spawnSession(sessionId, config, {
+        onStdout: (data) => {
+          output += data;
+        },
+        onStderr: (data) => {
+          output += data;
+        },
+        onExit: (code) => {
+          clearTimeout(timeout);
+          resolve3(code);
+        }
+      });
+    });
+    cleanup(workDir);
+    if (exitCode === 0) {
+      return {
+        status: "in_review",
+        summary: output.trim().slice(-2e3) || "Run completed (no output).",
+        branchName
+      };
+    }
+    return {
+      status: "failed",
+      summary: `Claude Code exited with code ${exitCode}.
+` + output.trim().slice(-2e3),
+      branchName
+    };
+  }
+};
+function buildTask(workItem) {
+  const parts = [workItem.title];
+  if (workItem.description) {
+    parts.push("", workItem.description);
+  }
+  return parts.join("\n");
+}
+function sanitizeName(name) {
+  if (!name) return "";
+  return name.replace(/[^a-zA-Z0-9._-]/g, "-");
+}
+function cleanup(dir) {
+  try {
+    fs5.rmSync(dir, { recursive: true, force: true });
+  } catch {
+  }
+}
+function defaultGit(args, cwd) {
+  return new Promise((resolve3, reject) => {
+    const child = spawn2("git", args, {
+      cwd,
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    let stderr = "";
+    child.stderr?.on("data", (d) => {
+      stderr += d.toString();
+    });
+    child.on("error", (err) => reject(err));
+    child.on("exit", (code) => {
+      if (code === 0) {
+        resolve3();
+      } else {
+        reject(new Error(`git ${args[0]} exited ${code}: ${stderr.trim()}`));
+      }
+    });
+  });
+}
+
+// _apps/@onklave/agent-cli/src/services/daemon-resource-sampler.service.ts
+import * as os5 from "os";
 var DEFAULT_SAMPLE_INTERVAL_MS = 5e3;
 var DEFAULT_WINDOW_MS = 6e4;
 var DaemonResourceSampler = class {
@@ -3361,8 +3659,8 @@ var DaemonResourceSampler = class {
   }
 };
 function defaultCpuPercent() {
-  const cpus2 = os4.cpus().length || 1;
-  const load1m = os4.loadavg()[0];
+  const cpus2 = os5.cpus().length || 1;
+  const load1m = os5.loadavg()[0];
   return load1m / cpus2 * 100;
 }
 function defaultMemoryRss() {
@@ -3639,9 +3937,9 @@ function parseSemverNumeric(v) {
 }
 
 // _apps/@onklave/agent-cli/src/services/daemon-state.service.ts
-import * as fs5 from "fs";
-import * as path6 from "path";
-import * as os5 from "os";
+import * as fs6 from "fs";
+import * as path7 from "path";
+import * as os6 from "os";
 var VALID_TRANSITIONS = {
   installing: ["registered"],
   registered: ["starting"],
@@ -3652,10 +3950,10 @@ var VALID_TRANSITIONS = {
   stopped: ["starting"]
 };
 function defaultStateFilePath() {
-  return path6.join(os5.homedir(), ".config", "onklave", "daemon.state.json");
+  return path7.join(os6.homedir(), ".config", "onklave", "daemon.state.json");
 }
 function defaultPidFilePath() {
-  return path6.join(os5.homedir(), ".config", "onklave", "daemon.pid");
+  return path7.join(os6.homedir(), ".config", "onklave", "daemon.pid");
 }
 var DaemonStateError = class extends Error {
   constructor(message) {
@@ -3679,8 +3977,8 @@ var DaemonStateService = class {
    */
   static readPersisted(stateFile = defaultStateFilePath()) {
     try {
-      if (!fs5.existsSync(stateFile)) return null;
-      const raw = fs5.readFileSync(stateFile, "utf8");
+      if (!fs6.existsSync(stateFile)) return null;
+      const raw = fs6.readFileSync(stateFile, "utf8");
       const parsed = JSON.parse(raw);
       if (!parsed.state || !parsed.enteredAt) return null;
       return parsed;
@@ -3730,8 +4028,8 @@ var DaemonStateService = class {
     }
   }
   persist(reason) {
-    const dir = path6.dirname(this.stateFile);
-    fs5.mkdirSync(dir, { recursive: true });
+    const dir = path7.dirname(this.stateFile);
+    fs6.mkdirSync(dir, { recursive: true });
     const payload = {
       state: this.current,
       enteredAt: this.enteredAt.toISOString(),
@@ -3741,8 +4039,8 @@ var DaemonStateService = class {
       ...this.latestRuntime ? { runtime: this.latestRuntime } : {}
     };
     const tmp = `${this.stateFile}.tmp`;
-    fs5.writeFileSync(tmp, JSON.stringify(payload, null, 2));
-    fs5.renameSync(tmp, this.stateFile);
+    fs6.writeFileSync(tmp, JSON.stringify(payload, null, 2));
+    fs6.renameSync(tmp, this.stateFile);
   }
   /**
    * Publish the latest runtime snapshot. Persists to the state file
@@ -3760,7 +4058,7 @@ var DaemonStateService = class {
    */
   clearPersisted() {
     try {
-      fs5.unlinkSync(this.stateFile);
+      fs6.unlinkSync(this.stateFile);
     } catch {
     }
   }
@@ -3946,6 +4244,8 @@ async function daemonStart() {
   const spawner = new DaemonSpawner({ platformUrl });
   const platformClient = new PlatformClient(platformUrl, creds.token);
   const resourceSampler = new DaemonResourceSampler();
+  const brokerClient = new PlatformBrokerClient(platformUrl, creds.deviceToken);
+  const workItemRunner = new WorkItemRunner();
   const claimHandler = new DaemonClaimHandler({
     machineId: creds.machineId,
     audit: auditStreamer,
@@ -3953,8 +4253,10 @@ async function daemonStart() {
     platformClient,
     deviceToken: creds.deviceToken,
     resourceSampler,
-    maxCpuPercent: 80
+    maxCpuPercent: 80,
     // spec §8.1 default
+    brokerClient,
+    workItemRunner
   });
   const tokenObserver = new DaemonTokenObserver({
     machineId: creds.machineId,
@@ -4211,7 +4513,7 @@ function transitionToAction(next) {
 }
 function readPid(pidFile) {
   try {
-    const raw = fs6.readFileSync(pidFile, "utf8").trim();
+    const raw = fs7.readFileSync(pidFile, "utf8").trim();
     const parsed = Number.parseInt(raw, 10);
     return Number.isFinite(parsed) && parsed > 0 ? parsed : null;
   } catch {
@@ -4220,12 +4522,12 @@ function readPid(pidFile) {
 }
 function writePid(pidFile) {
   const dir = pidFile.replace(/\/[^/]+$/, "");
-  fs6.mkdirSync(dir, { recursive: true });
-  fs6.writeFileSync(pidFile, String(process.pid), { mode: 384 });
+  fs7.mkdirSync(dir, { recursive: true });
+  fs7.writeFileSync(pidFile, String(process.pid), { mode: 384 });
 }
 function removePid(pidFile) {
   try {
-    fs6.unlinkSync(pidFile);
+    fs7.unlinkSync(pidFile);
   } catch {
   }
 }
@@ -4243,8 +4545,8 @@ function readPackageVersion() {
       `${__dirname}/../../../package.json`
     ];
     for (const p of candidates) {
-      if (fs6.existsSync(p)) {
-        const pkg = JSON.parse(fs6.readFileSync(p, "utf8"));
+      if (fs7.existsSync(p)) {
+        const pkg = JSON.parse(fs7.readFileSync(p, "utf8"));
         if (pkg.name === "@onklave/agent-cli" && pkg.version)
           return pkg.version;
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@onklave/agent-cli",
-  "version": "0.1.29",
+  "version": "0.1.31",
   "description": "Onklave Agent CLI — local agent runner with cloud orchestration",
   "bin": {
     "onklave": "./main.js"