@pixelbyte-software/pixcode 1.42.3 → 1.42.5

package/server/modules/orchestration/workflows/workflow-runner.ts

@@ -21,6 +21,13 @@ import {
   classifyWorkflowFailure,
   resolveWorkflowFallbackDecision,
 } from '@/modules/orchestration/workflows/workflow-fallback-policy.js';
+import {
+  evaluatePermissionRequest,
+  resolvePermissionPolicyFromMetadata,
+  type PermissionDecision,
+  type PermissionPolicy,
+  type PermissionPolicyEvent,
+} from '@/modules/orchestration/security/permission-policy.js';
 import {
   type ResolvedWorkspaceTarget,
   resolveWorkflowWorkspace,
@@ -36,7 +43,12 @@ import {
   getStaticProviderModels,
 } from '@/services/model-registry.js';
 // @ts-ignore — plain-JS service
-import { notifyRunFailed, notifyRunStopped } from '@/services/notification-orchestrator.js';
+import {
+  createNotificationEvent,
+  notifyRunFailed,
+  notifyRunStopped,
+  notifyUserIfEnabled,
+} from '@/services/notification-orchestrator.js';
 
 const TERMINAL = new Set(['completed', 'failed', 'canceled']);
 const SKIPPED = 'skipped';
@@ -245,6 +257,49 @@ function notifyWorkflowRunFinished(run: WorkflowRun): void {
   }
 }
 
+function permissionPolicyFromRun(run: WorkflowRun): PermissionPolicy {
+  return resolvePermissionPolicyFromMetadata(run.metadata);
+}
+
+function permissionPolicyEvents(run: WorkflowRun): PermissionPolicyEvent[] {
+  return Array.isArray(run.metadata?.permissionPolicyEvents)
+    ? run.metadata.permissionPolicyEvents.filter((event): event is PermissionPolicyEvent =>
+      Boolean(event && typeof event === 'object'),
+    )
+    : [];
+}
+
+function permissionApprovalRequests(run: WorkflowRun): Array<Record<string, unknown>> {
+  return Array.isArray(run.metadata?.pendingPermissionApprovals)
+    ? run.metadata.pendingPermissionApprovals.filter((event): event is Record<string, unknown> =>
+      Boolean(event && typeof event === 'object'),
+    )
+    : [];
+}
+
+function notifyPermissionApprovalRequested(run: WorkflowRun, decision: PermissionDecision): void {
+  const userId = readNotificationUserId(run.metadata);
+  if (!userId || !decision.approvalRequest) return;
+
+  const event = (createNotificationEvent as unknown as (payload: Record<string, unknown>) => unknown)({
+    provider: 'system',
+    sessionId: run.id,
+    kind: 'action_required',
+    code: 'permission.required',
+    meta: {
+      toolName: decision.capabilities.join(', '),
+      sessionName: workflowNotificationTitle(run),
+    },
+    severity: 'warning',
+    requiresUserAction: true,
+    dedupeKey: `workflow:permission:${run.id}:${decision.requestId}`,
+  });
+  (notifyUserIfEnabled as (payload: { userId: string | number; event: unknown }) => void)({
+    userId,
+    event,
+  });
+}
+
 function readBoolean(value: unknown): boolean | undefined {
   return typeof value === 'boolean' ? value : undefined;
 }
@@ -1216,8 +1271,10 @@ class WorkflowRunner {
     const runtimeWorkflow = expandWorkflowForRun(workflow, metadata);
     validateWorkflow(runtimeWorkflow);
     const workspaceTarget = resolveWorkflowWorkspace(metadata);
+    const permissionPolicy = resolvePermissionPolicyFromMetadata(metadata);
     const runMetadata: Record<string, unknown> = {
       ...metadata,
+      permissionPolicy,
       projectPath: workspaceTarget.projectPath,
       selectedProjectPath: workspaceTarget.selectedProjectPath,
       workspaceTarget: workspaceTargetMetadata(workspaceTarget),
@@ -1602,6 +1659,37 @@ class WorkflowRunner {
     }
   }
 
+  private recordPermissionDecision(
+    run: WorkflowRun,
+    nodeRun: WorkflowNodeRun,
+    decision: PermissionDecision,
+  ): void {
+    nodeRun.permissionDecisions = [
+      ...(nodeRun.permissionDecisions ?? []),
+      decision,
+    ];
+
+    const existingApprovals = permissionApprovalRequests(run)
+      .filter((approval) => approval.id !== decision.approvalRequest?.id);
+    run.metadata = {
+      ...run.metadata,
+      permissionPolicyEvents: [
+        ...permissionPolicyEvents(run),
+        decision.event,
+      ],
+      pendingPermissionApprovals: decision.approvalRequest
+        ? [
+          ...existingApprovals,
+          decision.approvalRequest,
+        ]
+        : existingApprovals,
+    };
+
+    if (decision.approvalRequest) {
+      notifyPermissionApprovalRequested(run, decision);
+    }
+  }
+
   private async executeNode(
     node: WorkflowNode,
     workflow: Workflow,
@@ -1680,6 +1768,49 @@ class WorkflowRunner {
       };
       workflowStore.setRun(run);
     }
+    const permissionPolicy = permissionPolicyFromRun(run);
+    nodeRun.permissionPolicy = permissionPolicy;
+    const permissionDecision = evaluatePermissionRequest({
+      policy: permissionPolicy,
+      request: {
+        source: 'workflow_node',
+        toolName: node.adapterId,
+        input: {
+          assignment: node.assignment,
+          stage: node.stage,
+          toolsSettings: node.toolsSettings,
+        },
+        cwd: projectPath,
+        workspacePath: workspaceTarget.appRoot,
+        targetPaths: [projectPath],
+        summary: [
+          node.agentLabel || node.id,
+          node.stage ? `stage=${node.stage}` : undefined,
+          node.assignment,
+        ].filter(Boolean).join(' / '),
+      },
+      context: {
+        runId: run.id,
+        nodeId: node.id,
+        workflowId: run.workflowId,
+        adapterId: node.adapterId,
+        agentLabel: node.agentLabel,
+        userId: readNotificationUserId(run.metadata),
+      },
+    });
+    this.recordPermissionDecision(run, nodeRun, permissionDecision);
+    workflowStore.setRun(run);
+    if (permissionDecision.behavior === 'deny') {
+      nodeRun.finishedAt = Date.now();
+      nodeRun.status = 'failed';
+      nodeRun.error = permissionDecision.message;
+      workflowStore.setRun(run);
+      if (node.onFail === 'continue') {
+        completed.add(node.id);
+        return;
+      }
+      throw new Error(permissionDecision.message);
+    }
     let body: { id?: string; error?: { message?: string } };
     try {
       const submit = await fetch(`${localA2ABaseUrl()}/tasks`, {
@@ -1701,6 +1832,15 @@ class WorkflowRunner {
             assignment: node.assignment,
             model: effectiveModel,
             permissionMode: effectivePermissionMode,
+            permissionPolicy,
+            permissionPolicyContext: {
+              runId: run.id,
+              nodeId: node.id,
+              workflowId: run.workflowId,
+              adapterId: node.adapterId,
+              agentLabel: node.agentLabel,
+              userId: readNotificationUserId(run.metadata),
+            },
             toolsSettings: node.toolsSettings,
             projectPath,
             workspaceTarget: workspaceTargetMetadata(workspaceTarget),

package/server/modules/orchestration/workflows/workflow-templates.ts

@@ -0,0 +1,272 @@
+export const PIXCODE_WORKFLOW_TEMPLATE_PROTOCOL = 'pixcode.workflow-template.v1' as const;
+
+export interface WorkflowTemplateAgentSlot {
+  id: string;
+  role: string;
+  label: string;
+  instruction: string;
+}
+
+export interface WorkflowTemplate {
+  id: string;
+  protocol: typeof PIXCODE_WORKFLOW_TEMPLATE_PROTOCOL;
+  version: 1;
+  workflowId: string;
+  name: string;
+  description: string;
+  inputPlaceholder: string;
+  agentSlots: WorkflowTemplateAgentSlot[];
+  acceptanceCriteria: string[];
+  defaultSettings?: {
+    maxParallelAgents?: number;
+    maxRepairCycles?: number;
+  };
+}
+
+type AgentRecord = Record<string, unknown>;
+
+export const builtInWorkflowTemplates: WorkflowTemplate[] = [
+  {
+    id: 'bug_fix_team',
+    protocol: PIXCODE_WORKFLOW_TEMPLATE_PROTOCOL,
+    version: 1,
+    workflowId: 'agent_team',
+    name: 'Bug fix team',
+    description: 'Reproduce, fix, and verify a focused bug with an implementation and review loop.',
+    inputPlaceholder: 'Describe the bug, expected behavior, current behavior, and any reproduction steps.',
+    agentSlots: [
+      {
+        id: 'reproducer',
+        role: 'implementation',
+        label: 'Reproducer',
+        instruction: 'Reproduce the bug from the user report, identify the failing path, and keep the scope narrow.',
+      },
+      {
+        id: 'fixer',
+        role: 'implementation',
+        label: 'Fixer',
+        instruction: 'Implement the smallest durable fix and report changed files and verification commands.',
+      },
+      {
+        id: 'reviewer',
+        role: 'review',
+        label: 'Reviewer',
+        instruction: 'Review the fix for regressions, missing validation, and whether the original bug is covered.',
+      },
+    ],
+    acceptanceCriteria: [
+      'The bug has a concrete reproduction or a clearly documented blocker.',
+      'The fix is limited to the failing behavior.',
+      'Verification commands and remaining risks are reported.',
+    ],
+    defaultSettings: {
+      maxParallelAgents: 2,
+      maxRepairCycles: 1,
+    },
+  },
+  {
+    id: 'pr_review_team',
+    protocol: PIXCODE_WORKFLOW_TEMPLATE_PROTOCOL,
+    version: 1,
+    workflowId: 'multi_model_review',
+    name: 'PR review team',
+    description: 'Run independent reviewers and aggregate actionable findings for a pull request or diff.',
+    inputPlaceholder: 'Paste the PR link, branch, or diff summary to review.',
+    agentSlots: [
+      {
+        id: 'correctness',
+        role: 'review',
+        label: 'Correctness reviewer',
+        instruction: 'Prioritize correctness bugs, regressions, missing tests, and broken edge cases.',
+      },
+      {
+        id: 'security',
+        role: 'review',
+        label: 'Security reviewer',
+        instruction: 'Prioritize security, secret handling, permission, and data exposure risks.',
+      },
+      {
+        id: 'reporter',
+        role: 'report',
+        label: 'Report aggregator',
+        instruction: 'Aggregate findings by severity with file references and concrete fix suggestions.',
+      },
+    ],
+    acceptanceCriteria: [
+      'Findings are ordered by severity and avoid speculative noise.',
+      'Each issue includes the concrete impact and suggested fix.',
+      'The final report clearly says when no blocking issue is found.',
+    ],
+    defaultSettings: {
+      maxParallelAgents: 3,
+    },
+  },
+  {
+    id: 'frontend_polish',
+    protocol: PIXCODE_WORKFLOW_TEMPLATE_PROTOCOL,
+    version: 1,
+    workflowId: 'agent_team',
+    name: 'Frontend polish',
+    description: 'Improve a UI workflow with implementation, responsive checks, and UX review.',
+    inputPlaceholder: 'Describe the screen or workflow that needs frontend polish.',
+    agentSlots: [
+      {
+        id: 'ui_implementation',
+        role: 'frontend',
+        label: 'UI implementer',
+        instruction: 'Implement the requested UI change using existing design conventions and responsive constraints.',
+      },
+      {
+        id: 'ux_review',
+        role: 'review',
+        label: 'UX reviewer',
+        instruction: 'Review layout, text overflow, responsive behavior, accessibility, and interaction states.',
+      },
+      {
+        id: 'verification',
+        role: 'review',
+        label: 'Verification reviewer',
+        instruction: 'Verify the change with available typecheck, lint, build, smoke, or manual UI evidence.',
+      },
+    ],
+    acceptanceCriteria: [
+      'The UI follows existing components and visual density.',
+      'Text and controls do not overlap on mobile or desktop.',
+      'Verification evidence is included in the final summary.',
+    ],
+    defaultSettings: {
+      maxParallelAgents: 2,
+      maxRepairCycles: 1,
+    },
+  },
+  {
+    id: 'release_manager',
+    protocol: PIXCODE_WORKFLOW_TEMPLATE_PROTOCOL,
+    version: 1,
+    workflowId: 'sequential_handoff',
+    name: 'Release manager',
+    description: 'Prepare a release checklist, run verification, and summarize publish readiness.',
+    inputPlaceholder: 'Describe the version, release scope, and target channels.',
+    agentSlots: [
+      {
+        id: 'release_plan',
+        role: 'implementation',
+        label: 'Release planner',
+        instruction: 'Create a release checklist, verify version surfaces, and identify publish blockers.',
+      },
+      {
+        id: 'release_verification',
+        role: 'review',
+        label: 'Release verifier',
+        instruction: 'Run or inspect release verification commands and report the exact publish state.',
+      },
+      {
+        id: 'release_report',
+        role: 'report',
+        label: 'Release reporter',
+        instruction: 'Summarize what was released, what was verified, and any blocked channels.',
+      },
+    ],
+    acceptanceCriteria: [
+      'Version surfaces are aligned.',
+      'Build/package verification is reported.',
+      'Remote artifact and publish state are explicitly stated.',
+    ],
+    defaultSettings: {
+      maxParallelAgents: 1,
+    },
+  },
+  {
+    id: 'dependency_audit',
+    protocol: PIXCODE_WORKFLOW_TEMPLATE_PROTOCOL,
+    version: 1,
+    workflowId: 'agent_team',
+    name: 'Dependency audit',
+    description: 'Inspect dependency, runtime, and package risks without making broad upgrades by default.',
+    inputPlaceholder: 'Describe the dependency or runtime area to audit.',
+    agentSlots: [
+      {
+        id: 'audit',
+        role: 'implementation',
+        label: 'Audit analyst',
+        instruction: 'Inspect dependency and runtime risk using existing lockfiles and configured package managers.',
+      },
+      {
+        id: 'risk_review',
+        role: 'review',
+        label: 'Risk reviewer',
+        instruction: 'Validate the findings, call out false positives, and avoid broad upgrade churn unless requested.',
+      },
+      {
+        id: 'report',
+        role: 'report',
+        label: 'Audit reporter',
+        instruction: 'Produce a prioritized remediation plan with commands, risks, and no-secret output.',
+      },
+    ],
+    acceptanceCriteria: [
+      'Findings are tied to actual dependency evidence.',
+      'No unrelated dependency upgrades are proposed as automatic work.',
+      'Security and runtime risks are separated from maintenance suggestions.',
+    ],
+    defaultSettings: {
+      maxParallelAgents: 2,
+    },
+  },
+];
+
+export function getWorkflowTemplate(templateId: string): WorkflowTemplate | undefined {
+  return builtInWorkflowTemplates.find((template) => template.id === templateId);
+}
+
+function applyTemplateSlots(agents: AgentRecord[] | undefined, template: WorkflowTemplate): AgentRecord[] | undefined {
+  if (!Array.isArray(agents) || agents.length === 0) return agents;
+
+  let enabledSlotIndex = 0;
+  return agents.map((agent) => {
+    if (agent.enabled === false) return agent;
+    const slot = template.agentSlots[enabledSlotIndex];
+    enabledSlotIndex += 1;
+    if (!slot) return agent;
+    return {
+      ...agent,
+      role: slot.role,
+      instruction: typeof agent.instruction === 'string' && agent.instruction.trim()
+        ? agent.instruction
+        : slot.instruction,
+      templateSlotId: slot.id,
+      templateSlotLabel: slot.label,
+    };
+  });
+}
+
+export function applyWorkflowTemplateToMetadata(
+  template: WorkflowTemplate,
+  metadata?: Record<string, unknown>,
+): Record<string, unknown> {
+  const settings = metadata?.settings && typeof metadata.settings === 'object'
+    ? metadata.settings as Record<string, unknown>
+    : {};
+
+  return {
+    ...metadata,
+    workflowTemplate: {
+      protocol: template.protocol,
+      id: template.id,
+      version: template.version,
+      name: template.name,
+      workflowId: template.workflowId,
+      acceptanceCriteria: template.acceptanceCriteria,
+      agentSlots: template.agentSlots.map((slot) => ({
+        id: slot.id,
+        role: slot.role,
+        label: slot.label,
+      })),
+    },
+    agents: applyTemplateSlots(metadata?.agents as AgentRecord[] | undefined, template),
+    settings: {
+      ...settings,
+      ...template.defaultSettings,
+    },
+  };
+}

package/server/modules/orchestration/workflows/workflow-trace.ts

@@ -165,6 +165,28 @@ export function buildWorkflowTrace(run: WorkflowRun): WorkflowTraceEvent[] {
     });
   }
 
+  const workflowTemplate = readRecord(run.metadata?.workflowTemplate);
+  if (workflowTemplate) {
+    pushEvent(events, {
+      id: traceId([run.id, 'workflow-template']),
+      type: 'run',
+      severity: 'info',
+      status: run.status,
+      timestamp: run.startedAt + 0.3,
+      actor: 'Pixcode',
+      title: 'Workflow template applied',
+      titleKey: 'workflow.trace.template',
+      summary: redactTraceText([
+        `Template: ${readString(workflowTemplate.name) ?? readString(workflowTemplate.id) ?? 'unknown'}`,
+        `Protocol: ${readString(workflowTemplate.protocol) ?? 'unknown'}`,
+        Array.isArray(workflowTemplate.acceptanceCriteria)
+          ? `Acceptance criteria:\n- ${workflowTemplate.acceptanceCriteria.filter((item) => typeof item === 'string').join('\n- ')}`
+          : undefined,
+      ].filter(Boolean).join('\n'), run),
+      metadata: workflowTemplate,
+    });
+  }
+
   const fallbackEvents = Array.isArray(run.metadata?.fallbackEvents)
     ? run.metadata.fallbackEvents
     : [];
@@ -216,6 +238,38 @@ export function buildWorkflowTrace(run: WorkflowRun): WorkflowTraceEvent[] {
     });
   });
 
+  const permissionPolicyEvents = Array.isArray(run.metadata?.permissionPolicyEvents)
+    ? run.metadata.permissionPolicyEvents
+    : [];
+  permissionPolicyEvents.forEach((event, index) => {
+    const record = readRecord(event);
+    if (!record) return;
+    const behavior = readString(record.behavior);
+    const capabilities = Array.isArray(record.capabilities)
+      ? record.capabilities.filter((item): item is string => typeof item === 'string')
+      : [];
+    pushEvent(events, {
+      id: traceId([run.id, 'permission-policy', readString(record.id) ?? index]),
+      type: 'permission_policy',
+      severity: behavior === 'deny' ? 'error' : behavior === 'prompt' ? 'warning' : 'info',
+      status: behavior === 'deny' ? 'failed' : behavior === 'prompt' ? 'submitted' : 'completed',
+      timestamp: typeof record.createdAt === 'number' ? record.createdAt : run.startedAt + 0.85 + index,
+      actor: 'Pixcode',
+      nodeId: readString(record.nodeId),
+      adapterId: readString(record.adapterId),
+      agentLabel: readString(record.agentLabel),
+      title: 'Permission policy decision',
+      titleKey: 'workflow.trace.permissionPolicy',
+      summary: redactTraceText([
+        `Decision: ${behavior ?? readString(record.status) ?? 'unknown'}`,
+        capabilities.length > 0 ? `Capabilities: ${capabilities.join(', ')}` : undefined,
+        readString(record.summary),
+        readString(record.message),
+      ].filter(Boolean).join('\n'), run),
+      metadata: record,
+    });
+  });
+
   run.nodeRuns.forEach((node, index) => {
     const base = eventBase(node);
     const timestamp = nodeTimestamp(run, node, index);