npm - @oss-autopilot/core - Versions diffs - 3.12.0 → 3.13.1 - Mend

@oss-autopilot/core 3.12.0 → 3.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/cli-registry.js +11 -11
package/dist/cli.bundle.cjs +114 -99
package/dist/commands/dashboard-data.js +21 -4
package/dist/commands/dashboard-server.js +83 -16
package/dist/commands/features.js +5 -1
package/dist/commands/list-mark-done.d.ts +9 -1
package/dist/commands/list-mark-done.js +14 -1
package/dist/commands/scout-bridge.js +12 -0
package/dist/commands/search.d.ts +8 -0
package/dist/commands/search.js +22 -3
package/dist/core/index.d.ts +1 -1
package/dist/core/index.js +1 -1
package/dist/core/issue-grading.d.ts +2 -5
package/dist/core/issue-grading.js +12 -1
package/dist/core/strategy.js +31 -4
package/dist/core/untrusted-content.d.ts +24 -0
package/dist/core/untrusted-content.js +25 -0
package/dist/formatters/json.d.ts +10 -1
package/dist/formatters/json.js +12 -2
package/package.json +3 -3

package/dist/core/untrusted-content.js CHANGED Viewed

@@ -18,6 +18,9 @@
  *
  *  - `runComments` (commands/comments.ts): review / inline / discussion
  *    comment bodies in the `comments` CLI `--json` + MCP tool output.
+ *  - `deduplicateDigest` (formatters/json.ts) and the MCP PR resources:
+ *    `openPRs[].lastMaintainerComment.body` via {@link fenceFetchedPR}
+ *    (#1420).
  *  - `fetchPRCommentBundle` (core/pr-comments-fetcher.ts): bundle bodies
  *    feeding `guidelines fetch-corpus` (agent-only consumer).
  *  - `toDailyOutput` (commands/daily.ts): `commentedIssues[].lastResponseBody`
@@ -132,3 +135,25 @@ export function safeExtractFromFence(text) {
         return text;
     }
 }
+/**
+ * Fence the attacker-controllable maintainer-comment excerpt on a FetchedPR
+ * for agent-facing serialization (#1420). Applied at the serialization
+ * boundary (daily/startup --json via deduplicateDigest, MCP PR resources)
+ * rather than at fetch time: extractMaintainerActionHints parses the RAW
+ * body inside the pipeline, and human surfaces (dashboard SPA, CLI text
+ * mode) must not render fence markup. Returns a copy; never mutates.
+ */
+export function fenceFetchedPR(pr) {
+    if (!pr.lastMaintainerComment)
+        return pr;
+    return {
+        ...pr,
+        lastMaintainerComment: {
+            ...pr.lastMaintainerComment,
+            body: wrapUntrustedContent(pr.lastMaintainerComment.body, `${pr.repo}#${pr.number}`, {
+                author: pr.lastMaintainerComment.author,
+                source: 'pr-comment',
+            }),
+        },
+    };
+}

package/dist/formatters/json.d.ts CHANGED Viewed

@@ -648,6 +648,7 @@ export declare const SearchOutputSchema: z.ZodObject<{
         }, z.core.$strip>>;
         boostScore: z.ZodOptional<z.ZodNumber>;
         boostReasons: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        diversitySlot: z.ZodOptional<z.ZodBoolean>;
     }, z.core.$strip>>;
     excludedRepos: z.ZodArray<z.ZodString>;
     aiPolicyBlocklist: z.ZodArray<z.ZodString>;
@@ -707,6 +708,7 @@ export declare const FeaturesOutputSchema: z.ZodObject<{
         }, z.core.$strip>>;
         boostScore: z.ZodOptional<z.ZodNumber>;
         boostReasons: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        diversitySlot: z.ZodOptional<z.ZodBoolean>;
         horizon: z.ZodEnum<{
             "quick-win": "quick-win";
             "bigger-bet": "bigger-bet";
@@ -764,6 +766,7 @@ export declare const FeaturesOutputSchema: z.ZodObject<{
         }, z.core.$strip>>;
         boostScore: z.ZodOptional<z.ZodNumber>;
         boostReasons: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        diversitySlot: z.ZodOptional<z.ZodBoolean>;
         horizon: z.ZodEnum<{
             "quick-win": "quick-win";
             "bigger-bet": "bigger-bet";
@@ -816,7 +819,7 @@ export declare const ListMarkDoneOutputSchema: z.ZodObject<{
     url: z.ZodString;
     repoHeadingStruck: z.ZodBoolean;
     remainingUnderRepo: z.ZodNumber;
-    reason: z.ZodOptional<z.ZodString>;
+    reason: z.ZodOptional<z.ZodLiteral<"already marked done">>;
 }, z.core.$strip>;
 export declare const VerifyIssueOutputSchema: z.ZodObject<{
     url: z.ZodString;
@@ -1216,6 +1219,12 @@ export interface SearchCandidate {
      * opportunities (open PR + no updates for 30+ days, scout 0.9.0 #97).
      */
     linkedPR?: CandidateLinkedPR;
+    /** Strategy-bias sort boost from scout (#1244); absent when unboosted. */
+    boostScore?: number;
+    /** Human-readable boost explanations, e.g. "repo affinity: vercel/next.js". */
+    boostReasons?: string[];
+    /** True when this candidate filled a diversity slot (#1244). */
+    diversitySlot?: boolean;
 }
 export interface SearchOutput {
     candidates: SearchCandidate[];

package/dist/formatters/json.js CHANGED Viewed

@@ -3,6 +3,7 @@
  * Provides structured output that can be consumed by scripts and plugins
  */
 import { z } from 'zod';
+import { fenceFetchedPR } from '../core/untrusted-content.js';
 export function buildStalenessWarning(info) {
     return {
         phase: 'gist-staleness',
@@ -43,7 +44,10 @@ export function deduplicateDigest(digest) {
     const toUrls = (prs) => prs.map((pr) => pr.url);
     return {
         generatedAt: digest.generatedAt,
-        openPRs: digest.openPRs,
+        // lastMaintainerComment.body is attacker-controllable on any public PR;
+        // fence it at this agent-facing serialization boundary (#1420). The
+        // digest itself keeps the raw body for pipeline parsing and human UIs.
+        openPRs: digest.openPRs.map(fenceFetchedPR),
         needsAddressingPRs: toUrls(digest.needsAddressingPRs),
         waitingOnMaintainerPRs: toUrls(digest.waitingOnMaintainerPRs),
         recentlyClosedPRs: digest.recentlyClosedPRs,
@@ -353,6 +357,9 @@ const SearchCandidateSchema = z.object({
      */
     boostScore: z.number().optional(),
     boostReasons: z.array(z.string()).optional(),
+    /** True when this candidate filled a diversity slot (#1244) — surfaced so
+     * the user can see the counterweight working, not just its absence. */
+    diversitySlot: z.boolean().optional(),
 });
 export const SearchOutputSchema = z.object({
     candidates: z.array(SearchCandidateSchema),
@@ -421,7 +428,10 @@ export const ListMarkDoneOutputSchema = z.object({
     url: z.string(),
     repoHeadingStruck: z.boolean(),
     remainingUnderRepo: z.number().int().nonnegative(),
-    reason: z.string().optional(),
+    // #1406: not-found now throws before the success envelope, so the only
+    // reachable no-op reason is the idempotent one. Pinned so a new quiet
+    // no-op path trips the #1105 runtime validator instead of shipping silently.
+    reason: z.literal('already marked done').optional(),
 });
 // verify-issue (#1353, #1354): mirrors {@link IssueVerification} from
 // core/issue-verification.ts. Strict shape — additional keys must be added

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@oss-autopilot/core",
-  "version": "3.12.0",
+  "version": "3.13.1",
   "description": "CLI and core library for managing open source contributions",
   "type": "module",
   "bin": {
@@ -54,7 +54,7 @@
   "dependencies": {
     "@octokit/plugin-throttling": "^11.0.3",
     "@octokit/rest": "^22.0.1",
-    "@oss-scout/core": "^0.11.0",
+    "@oss-scout/core": "^1.1.0",
     "commander": "^15.0.0",
     "zod": "^4.4.3"
   },
@@ -72,7 +72,7 @@
     "bundle": "esbuild src/cli.ts --bundle --platform=node --target=node22 --format=cjs --minify --sourcemap --outfile=dist/cli.bundle.cjs",
     "start": "tsx src/cli.ts",
     "dev": "tsx watch src/cli.ts",
-    "typecheck": "tsc --noEmit",
+    "typecheck": "tsc --noEmit && tsc --noEmit -p tsconfig.tests.json",
     "test": "vitest run",
     "test:coverage": "vitest run --coverage",
     "test:watch": "vitest",