@openthink/stamp 2.0.2 → 2.1.0

package/dist/index.js

@@ -52,7 +52,7 @@ import {
   userKeysDir,
   userServerConfigPath,
   verifyBytes
-} from "./chunk-4PFD2DSY.js";
+} from "./chunk-MJULVH4B.js";
 
 // src/index.ts
 import { Command } from "commander";
@@ -541,8 +541,12 @@ function validateConfig(input) {
       throw new Error(`config.reviewers.${name} must be an object`);
     }
     const d = def;
-    if (typeof d.prompt !== "string") {
-      throw new Error(`config.reviewers.${name}.prompt must be a string`);
+    let prompt2;
+    if (d.prompt !== void 0) {
+      if (typeof d.prompt !== "string") {
+        throw new Error(`config.reviewers.${name}.prompt must be a string`);
+      }
+      prompt2 = d.prompt;
     }
     const tools = parseTools(d.tools, name);
     const mcp_servers = parseMcpServers(d.mcp_servers, name);
@@ -564,7 +568,7 @@ function validateConfig(input) {
       `config.reviewers.${name}.timeout_ms`
     );
     reviewers2[name] = {
-      prompt: d.prompt,
+      ...prompt2 !== void 0 ? { prompt: prompt2 } : {},
       ...tools ? { tools } : {},
       ...mcp_servers ? { mcp_servers } : {},
       ...enforce_reads_on_dotstamp !== void 0 ? { enforce_reads_on_dotstamp } : {},
@@ -1412,8 +1416,8 @@ import { createHash as createHash3, createPublicKey, verify } from "crypto";
 import { spawn } from "child_process";
 
 // src/lib/attestationV4.ts
-var CURRENT_V4_SCHEMA_VERSION = 4;
-var MIN_ACCEPTED_V4_SCHEMA_VERSION = 4;
+var CURRENT_V4_SCHEMA_VERSION = 5;
+var MIN_ACCEPTED_V4_SCHEMA_VERSION = 5;
 var MAX_V4_ENVELOPE_BYTES = 64 * 1024;
 function sortKeysDeep(value) {
   if (value === null || typeof value !== "object") return value;
@@ -1547,7 +1551,6 @@ function parseResponseJson(raw) {
     "diff_sha256",
     "base_sha",
     "head_sha",
-    "trusted_keys_snapshot_sha256",
     "issued_at",
     "server_key_id"
   ]) {
@@ -1945,6 +1948,7 @@ function buildTrustAnchorPayload(input) {
     head_sha: input.headSha,
     target_branch: input.targetBranch,
     diff_sha256: input.diffSha256,
+    manifest_snapshot_sha256: input.manifestSnapshotSha256,
     approvals: input.approvals,
     checks: input.checks,
     trust_anchor_signatures: [],
@@ -2027,6 +2031,11 @@ var COMMIT_PHASES_V4 = [
   { name: "verifyV4TargetBranch", fn: verifyV4TargetBranch },
   { name: "verifyV4SignerTrust", fn: verifyV4SignerTrust },
   { name: "verifyV4OuterSignature", fn: verifyV4OuterSignature },
+  // AGT-370: envelope-level manifest snapshot binding (lifted from
+  // the per-approval slot in v4). Runs once before the per-approval
+  // loop in verifyV4ApprovalSignatures — a single check replaces the
+  // N-checks per envelope the v4 verifier did.
+  { name: "verifyV4ManifestSnapshot", fn: verifyV4ManifestSnapshot },
   { name: "verifyV4Approvals", fn: verifyV4Approvals },
   { name: "verifyV4DiffHash", fn: verifyV4DiffHash },
   { name: "verifyV4ApprovalSignatures", fn: verifyV4ApprovalSignatures },
@@ -2159,10 +2168,19 @@ function verifyV4DiffHash(input) {
   }
   return { ok: true };
 }
+function verifyV4ManifestSnapshot(input) {
+  const { sha, payload, manifest } = input;
+  const computed = snapshotSha256(manifest);
+  if (payload.manifest_snapshot_sha256 !== computed) {
+    return {
+      ok: false,
+      reason: `commit ${sha.slice(0, 8)}: v4 manifest_snapshot_sha256 (${payload.manifest_snapshot_sha256.slice(0, 16)}\u2026) does not match the manifest at base ${payload.base_sha.slice(0, 8)} (${computed.slice(0, 16)}\u2026). The envelope was signed against a different snapshot of the trust set than the one committed at the merge base. Re-run \`stamp merge\` (or \`stamp attest\`) so the outer signature binds to the current manifest.`
+    };
+  }
+  return { ok: true };
+}
 function verifyV4ApprovalSignatures(input) {
   const { sha, payload, manifest, pubkeyByFingerprint } = input;
-  const manifestSnapshot = snapshotSha256(manifest);
-  const reviewerDefs = readReviewerDefsAtRef(payload.base_sha);
   for (const entry of payload.approvals) {
     const a = entry.approval;
     const reviewerLabel = `"${a.reviewer}"`;
@@ -2184,12 +2202,6 @@ function verifyV4ApprovalSignatures(input) {
         reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: server_attestation.server_key_id (${entry.server_attestation.server_key_id}) does not match inner approval.server_key_id (${a.server_key_id}). The inner signed payload is authoritative; one of the two was tampered with after signing.`
       };
     }
-    if (a.trusted_keys_snapshot_sha256 !== manifestSnapshot) {
-      return {
-        ok: false,
-        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: trusted_keys_snapshot_sha256 (${a.trusted_keys_snapshot_sha256.slice(0, 16)}\u2026) does not match the manifest at base ${payload.base_sha.slice(0, 8)} (${manifestSnapshot.slice(0, 16)}\u2026). The server signed against a different snapshot of the trust set than the one committed at the merge base.`
-      };
-    }
     const caps = resolveCapability(manifest, a.server_key_id);
     if (caps === null) {
       return {
@@ -2229,29 +2241,6 @@ function verifyV4ApprovalSignatures(input) {
         reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: server signature does not verify against ${a.server_key_id} over canonical approval bytes`
       };
     }
-    const def = reviewerDefs[a.reviewer];
-    if (!def) {
-      return {
-        ok: false,
-        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: reviewer is not defined in .stamp/config.yml at base ${payload.base_sha.slice(0, 8)}`
-      };
-    }
-    let promptText;
-    try {
-      promptText = run(["show", `${payload.base_sha}:${def.prompt}`]);
-    } catch {
-      return {
-        ok: false,
-        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: prompt "${def.prompt}" is unreadable at base ${payload.base_sha.slice(0, 8)}`
-      };
-    }
-    const recomputedPromptSha = hashPromptBytes(Buffer.from(promptText, "utf8"));
-    if (recomputedPromptSha !== a.prompt_sha256) {
-      return {
-        ok: false,
-        reason: `commit ${sha.slice(0, 8)}: v4 approval ${reviewerLabel}: prompt_sha256 mismatch \u2014 server signed ${a.prompt_sha256.slice(0, 12)}\u2026 but prompt file at base hashes to ${recomputedPromptSha.slice(0, 12)}\u2026. The reviewer prompt the server reviewed differs from the one in the merge-base tree.`
-      };
-    }
   }
   return { ok: true };
 }
@@ -2417,22 +2406,6 @@ function readPubkeyMapAt(ref) {
   }
   return buildPubkeyMap(names, (relPath) => run(["show", `${ref}:${relPath}`]));
 }
-function readReviewerDefsAtRef(ref) {
-  let yaml;
-  try {
-    yaml = run(["show", `${ref}:.stamp/config.yml`]);
-  } catch {
-    return {};
-  }
-  const defs = readReviewersFromYaml(yaml);
-  const out = {};
-  for (const [name, def] of Object.entries(defs)) {
-    if (def && typeof def.prompt === "string") {
-      out[name] = { prompt: def.prompt };
-    }
-  }
-  return out;
-}
 function readChangedFilesAtRef(baseSha, headSha) {
   let out;
   try {
@@ -2820,6 +2793,12 @@ function verifyReviewerHashesAtMergeBase(input) {
         reason: `${prefix} reviewer "${approval.reviewer}" not defined in .stamp/config.yml at merge-base`
       };
     }
+    if (def.prompt === void 0) {
+      return {
+        ok: false,
+        reason: `${prefix} reviewer "${approval.reviewer}" has no \`prompt:\` in .stamp/config.yml at merge-base; v3 attestation references prompt_sha256 but the producer flow for server-bundled prompts is v4 (server-attested). The attestation envelope and the config shape are inconsistent.`
+      };
+    }
     let promptBytes;
     try {
       promptBytes = run2(["show", `${baseSha}:${def.prompt}`]);
@@ -3403,6 +3382,11 @@ function buildV3Trailers(input) {
         `reviewer "${a.reviewer}" approved the diff but is not defined in .stamp/config.yml at base ${input.baseSha.slice(0, 8)}. This shouldn't happen \u2014 runReview reads from the same base. File a bug at https://github.com/OpenThinkAi/stamp-cli/issues. Merge rolled back.`
       );
     }
+    if (def.prompt === void 0) {
+      throw new Error(
+        `reviewer "${a.reviewer}": no \`prompt:\` configured and no \`review_server:\` on branch rule \u2014 set \`reviewers.${a.reviewer}.prompt\` in .stamp/config.yml or configure a \`review_server:\` for server-attested mode. Merge rolled back.`
+      );
+    }
     const promptText = showAtRef(input.baseSha, def.prompt, input.repoRoot);
     const source = readReviewerSource(a.reviewer, input.repoRoot);
     return {
@@ -3489,7 +3473,6 @@ function buildV4Trailers(input) {
         "diff_sha256",
         "base_sha",
         "head_sha",
-        "trusted_keys_snapshot_sha256",
         "issued_at",
         "server_key_id"
       ]) {
@@ -3569,12 +3552,14 @@ function buildV4Trailers(input) {
     exit_code: c.exit_code,
     output_sha: c.output_sha
   }));
+  const manifestSnapshot = snapshotSha256(manifest);
   const trustAnchorSigs = collectTrustAnchorSignatures({
     repoRoot: input.repoRoot,
     baseSha: input.baseSha,
     headSha: input.headSha,
     targetBranch: input.targetBranch,
     diffSha256,
+    manifestSnapshotSha256: manifestSnapshot,
     approvals: entries,
     checks: v4Checks,
     operatorFingerprint: input.operatorFingerprint,
@@ -3587,6 +3572,7 @@ function buildV4Trailers(input) {
     head_sha: input.headSha,
     target_branch: input.targetBranch,
     diff_sha256: diffSha256,
+    manifest_snapshot_sha256: manifestSnapshot,
     approvals: entries,
     checks: v4Checks,
     trust_anchor_signatures: trustAnchorSigs,
@@ -3638,6 +3624,7 @@ function collectTrustAnchorSignatures(input) {
     headSha: input.headSha,
     targetBranch: input.targetBranch,
     diffSha256: input.diffSha256,
+    manifestSnapshotSha256: input.manifestSnapshotSha256,
     approvals: input.approvals,
     checks: input.checks,
     signerKeyId: input.operatorFingerprint
@@ -4731,6 +4718,11 @@ function buildReviewPlan(opts) {
   const reviewers2 = [];
   for (const name of reviewerNames) {
     const def = config2.reviewers[name];
+    if (def.prompt === void 0) {
+      throw new Error(
+        `reviewer "${name}": no \`prompt:\` configured and no \`review_server:\` on branch rule \u2014 set \`reviewers.${name}.prompt\` in .stamp/config.yml or configure a \`review_server:\` for server-attested mode.`
+      );
+    }
     let prompt2;
     try {
       prompt2 = showAtRef(resolved.base_sha, def.prompt, opts.repoRoot);
@@ -5340,19 +5332,6 @@ async function runReview(opts) {
       `no reviewers to run at base ${resolved.base_sha.slice(0, 8)} (config there has ${Object.keys(config2.reviewers).length} configured). If this branch ADDS a new reviewer, the new reviewer cannot review its own introduction \u2014 that's a deliberate security boundary. Land the reviewer in a separate PR first, then it can review subsequent diffs.`
     );
   }
-  const promptBytesByReviewer = /* @__PURE__ */ new Map();
-  for (const name of reviewerNames) {
-    const def = config2.reviewers[name];
-    let bytes;
-    try {
-      bytes = showAtRef(resolved.base_sha, def.prompt, repoRoot);
-    } catch (err) {
-      throw new Error(
-        `failed to read prompt for reviewer "${name}" from base ${resolved.base_sha.slice(0, 8)}: ${err instanceof Error ? err.message : String(err)}. (The reviewer is configured at the base but its prompt file is missing there.)`
-      );
-    }
-    promptBytesByReviewer.set(name, bytes);
-  }
   const targetBranch = opts.into ?? inferTargetBranch(opts.diff);
   const branchRule = targetBranch ? findBranchRule(config2.branches, targetBranch) : void 0;
   if (branchRule?.review_server) {
@@ -5360,7 +5339,7 @@ async function runReview(opts) {
       opts,
       config: config2,
       reviewerNames,
-      promptBytesByReviewer,
+      promptBytesByReviewer: /* @__PURE__ */ new Map(),
       resolved,
       repoRoot,
       reviewServerUrl: branchRule.review_server,
@@ -5368,6 +5347,24 @@ async function runReview(opts) {
     });
     return;
   }
+  const promptBytesByReviewer = /* @__PURE__ */ new Map();
+  for (const name of reviewerNames) {
+    const def = config2.reviewers[name];
+    if (def.prompt === void 0) {
+      throw new Error(
+        `reviewer "${name}": no \`prompt:\` configured and no \`review_server:\` on branch rule \u2014 set \`reviewers.${name}.prompt\` in .stamp/config.yml or configure a \`review_server:\` for server-attested mode.`
+      );
+    }
+    let bytes;
+    try {
+      bytes = showAtRef(resolved.base_sha, def.prompt, repoRoot);
+    } catch (err) {
+      throw new Error(
+        `failed to read prompt for reviewer "${name}" from base ${resolved.base_sha.slice(0, 8)}: ${err instanceof Error ? err.message : String(err)}. (The reviewer is configured at the base but its prompt file is missing there.)`
+      );
+    }
+    promptBytesByReviewer.set(name, bytes);
+  }
   maybePrintLlmNotice(repoRoot);
   const userCfg = loadOrCreateUserConfig();
   if (userCfg.created) {
@@ -5896,6 +5893,7 @@ function buildPlan(current, targetBranch, targetRule, opts) {
     }
     newReviewersConfig = seed.config.reviewers;
     for (const [name, def] of Object.entries(seed.config.reviewers)) {
+      if (def.prompt === void 0) continue;
       const promptBody = seed.reviewerFiles.get(def.prompt);
       if (promptBody === void 0) {
         throw new Error(
@@ -9487,11 +9485,13 @@ function signPending(repoRoot, rawSha, opts) {
     }
     predictedSigner = opts.signerKeyId;
   }
+  const manifestSnapshotSha256 = snapshotSha256(manifest);
   const signingBytes = trustAnchorSigningBytes({
     baseSha,
     headSha,
     targetBranch,
     diffSha256,
+    manifestSnapshotSha256,
     approvals,
     checks: [],
     // see trustAnchorPayload.ts "Operational caveat"
@@ -10215,6 +10215,7 @@ function parseEnvelope(bytes) {
     return null;
   }
   if (typeof p.diff_sha256 !== "string") return null;
+  if (typeof p.manifest_snapshot_sha256 !== "string") return null;
   if (!Array.isArray(p.trust_anchor_signatures)) return null;
   if (typeof p.target_branch_tip_sha !== "string") return null;
   return env;
@@ -10436,7 +10437,6 @@ Run \`stamp review --diff ${input.revspec}\` to populate the signed row, then re
         "diff_sha256",
         "base_sha",
         "head_sha",
-        "trusted_keys_snapshot_sha256",
         "issued_at",
         "server_key_id"
       ]) {
@@ -10511,6 +10511,7 @@ Run \`stamp review --diff ${input.revspec}\` to populate the signed row, then re
     db.close();
   }
   const trustAnchorSignatures = [];
+  const manifestSnapshot = snapshotSha256(manifest);
   const payload = {
     schema_version: PR_ATTESTATION_SCHEMA_VERSION,
     patch_id: input.patchId,
@@ -10519,6 +10520,7 @@ Run \`stamp review --diff ${input.revspec}\` to populate the signed row, then re
     target_branch: input.targetBranch,
     target_branch_tip_sha: input.targetBranchTipSha,
     diff_sha256: diffSha256,
+    manifest_snapshot_sha256: manifestSnapshot,
     approvals: entries,
     checks: [],
     // Phase-1 deliberate omission — see file-level comment.
@@ -10579,6 +10581,11 @@ function buildV2Envelope(input) {
         `reviewer "${a.reviewer}" approved the diff but is not defined in .stamp/config.yml at base ${input.baseSha.slice(0, 8)}. This shouldn't happen \u2014 runReview reads from the same base. File a bug at https://github.com/OpenThinkAi/stamp-cli/issues.`
       );
     }
+    if (def.prompt === void 0) {
+      throw new Error(
+        `reviewer "${a.reviewer}": no \`prompt:\` configured and no \`review_server:\` on branch rule \u2014 set \`reviewers.${a.reviewer}.prompt\` in .stamp/config.yml or configure a \`review_server:\` for server-attested PR mode.`
+      );
+    }
     const promptText = showAtRef(input.baseSha, def.prompt, input.repoRoot);
     const source = readReviewerSource2(a.reviewer, input.repoRoot);
     return {
@@ -10951,6 +10958,11 @@ function checkReviewerDrift(repoRoot, reviewerName, def) {
   if (!lock) {
     return unpinnedResult();
   }
+  if (def.prompt === void 0) {
+    throw new Error(
+      `reviewer "${reviewerName}" has a lock file but no \`prompt:\` configured (server-bundled in Shape 4). Lock files pin local prompt bytes and don't apply in server-attested mode. Delete .stamp/reviewers/${reviewerName}.lock.json to un-pin, or set \`reviewers.${reviewerName}.prompt\` in .stamp/config.yml if you intend to author the prompt locally.`
+    );
+  }
   const promptPath = join15(repoRoot, def.prompt);
   if (!existsSync20(promptPath)) {
     throw new Error(
@@ -11036,6 +11048,10 @@ function reviewersList() {
   const maxNameLen = Math.max(...names.map((n) => n.length));
   for (const name of names) {
     const def = config2.reviewers[name];
+    if (def.prompt === void 0) {
+      console.log(`  ${name.padEnd(maxNameLen)}   (server-bundled \u2014 no local prompt)`);
+      continue;
+    }
     const abs = resolve2(repoRoot, def.prompt);
     let annotation = "";
     if (!existsSync21(abs)) {
@@ -11062,6 +11078,11 @@ function reviewersEdit(name) {
       `reviewer "${name}" is not configured. Run \`stamp reviewers list\` to see available reviewers.`
     );
   }
+  if (def.prompt === void 0) {
+    throw new Error(
+      `reviewer "${name}" has no \`prompt:\` configured (server-bundled in Shape 4). There is no local prompt file to edit. To author the prompt locally, set \`reviewers.${name}.prompt\` to a path under .stamp/reviewers/ in .stamp/config.yml.`
+    );
+  }
   const target = resolve2(repoRoot, def.prompt);
   launchEditor(target);
 }
@@ -11126,6 +11147,10 @@ function reviewersRemove(name, opts = {}) {
   delete config2.reviewers[name];
   writeFileSync15(configPath, stringifyConfig(config2));
   console.log(`reviewer "${name}" removed from .stamp/config.yml`);
+  if (def.prompt === void 0) {
+    console.log(`(no local prompt file \u2014 reviewer was server-bundled)`);
+    return;
+  }
   if (opts.deleteFile) {
     const promptAbs = resolve2(repoRoot, def.prompt);
     if (existsSync21(promptAbs)) {
@@ -11159,6 +11184,11 @@ async function reviewersTest(name, diff) {
   console.log(`  prompt sourced from working tree (test/iteration use case)`);
   console.log();
   const def = config2.reviewers[name];
+  if (def.prompt === void 0) {
+    throw new Error(
+      `reviewer "${name}" has no \`prompt:\` configured (server-bundled in Shape 4). \`stamp reviewers test\` is a local prompt-iteration helper and needs a local prompt file to invoke. Set \`reviewers.${name}.prompt\` in .stamp/config.yml to a path under .stamp/reviewers/ to use this command.`
+    );
+  }
   const promptPath = join16(repoRoot, def.prompt);
   const systemPrompt = readFileSync18(promptPath, "utf8");
   const result = await invokeReviewer({
@@ -11203,7 +11233,9 @@ function reviewersShow(name, opts) {
   const bar = "\u2500".repeat(72);
   console.log(bar);
   console.log(`reviewer: ${name}`);
-  console.log(`prompt:   ${config2.reviewers[name].prompt}`);
+  console.log(
+    `prompt:   ${config2.reviewers[name].prompt ?? "(server-bundled \u2014 no local prompt)"}`
+  );
   console.log(bar);
   if (stats.total === 0) {
     console.log("  no verdicts recorded yet");
@@ -11849,6 +11881,12 @@ function verifyReviewerHashes(sha, payload, repoRoot, config2) {
         `v2 attestation: reviewer "${approval.reviewer}" is in payload but not defined in config.reviewers at the merge commit`
       );
     }
+    if (def.prompt === void 0) {
+      fail(
+        sha,
+        `v2 attestation: reviewer "${approval.reviewer}" has no \`prompt:\` in .stamp/config.yml at the merge commit. v2 attestations cite prompt_sha256 over the on-tree prompt file, but the producer flow for server-bundled prompts is v4 (server-attested) \u2014 the envelope and config shape are inconsistent.`
+      );
+    }
     const promptBytes = tryGitShow(`${sha}:${def.prompt}`, repoRoot);
     if (promptBytes === null) {
       fail(
@@ -11981,6 +12019,7 @@ function verifyV3Envelope(envelope, opts, resolved, patch_id, repoRoot) {
     head_sha: envelope.payload.head_sha,
     target_branch: envelope.payload.target_branch,
     diff_sha256: envelope.payload.diff_sha256,
+    manifest_snapshot_sha256: envelope.payload.manifest_snapshot_sha256,
     approvals: envelope.payload.approvals,
     checks: envelope.payload.checks,
     trust_anchor_signatures: envelope.payload.trust_anchor_signatures,
@@ -12618,7 +12657,7 @@ program.command("prune").description(
 });
 program.command("ui").description("launch the interactive terminal UI").action(async () => {
   try {
-    const { runUi } = await import("./ui-P5DRAT3P.js");
+    const { runUi } = await import("./ui-67BDQPER.js");
     runUi();
   } catch (err) {
     handleCliError(err);