@pleri/olam-cli 0.1.65 → 0.1.66

package/dist/image-digests.json

@@ -1,9 +1,9 @@
 {
   "auth": "sha256:1e6d3574077ba70ba908b5ae343e9ff669937468ff1f48e3e9a449ac38578cc6",
-  "devbox": "sha256:74ccac7911aad8f9679d27b1c05a74a5414e4aba0c12e336735161ea3d08a19a",
-  "host-cp": "sha256:c747251056dda0aa8c53a69f69972ff789a842d4ca2cf2cdfd91bc51e803ec9b",
+  "devbox": "sha256:51d091385dfea24529a97f0949780b92a3f2fad4011a3b32106645046de3213e",
+  "host-cp": "sha256:b96191c00ca6f1ef5c12990a5802f8737a44500c0d28bcea5182052e28cf0838",
   "mcp-auth": "sha256:cccf9fc022a3b58080007761ff10e4820080d26491e7b6e758e3e766c9eac896",
   "$schema_version": 1,
-  "$published_version": "0.1.65",
+  "$published_version": "0.1.66",
   "$registry": "ghcr.io/pleri"
 }

package/host-cp/src/pr-nanny.mjs

@@ -0,0 +1,284 @@
+/**
+ * PR Nanny — host-side daemon that watches all worlds' open PRs and
+ * dispatches fixes via `olam dispatch` when CI/reviews block them.
+ *
+ * Extends the pr-merge-poller loop pattern. Runs at 60s cadence.
+ * Opt-out: OLAM_PR_NANNY=0 (default: enabled).
+ *
+ * State machine per PR (stored in world-pr-state.json nanny_* fields):
+ *   watching → dispatching → (paused | escalated | halted)
+ *
+ * Halt conditions (stop dispatching but keep watching):
+ *   1. dispatch_count >= MAX_DISPATCHES (configurable, default 5)
+ *   2. wall-clock since first dispatch >= MAX_WALL_CLOCK_MIN (default 60)
+ *   3. same-root-cause loop detected (last 2 dispatch summaries identical)
+ *   4. operator manual pause
+ */
+
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+
+const execFileAsync = promisify(execFile);
+
+const GH_API_BASE = 'https://api.github.com';
+
+// Known external-blocker CI check name patterns.
+// When ALL failing checks match these patterns, the PR is not actionable
+// (the root cause is infrastructure/release-pipeline, not the world's code).
+const EXTERNAL_BLOCKER_PATTERNS = [
+  /detect-image-scopes/i,
+  /publish-mcp-auth/i,
+  /retag-mcp-auth/i,
+  /bootstrap.*publish/i,
+  /release.*pipeline/i,
+  /ghcr.*push/i,
+];
+
+/**
+ * @param {string} checkName
+ * @returns {boolean}
+ */
+function isExternalBlockerCheck(checkName) {
+  return EXTERNAL_BLOCKER_PATTERNS.some((re) => re.test(checkName));
+}
+
+/**
+ * Returns true when ALL failing CI checks are external-blocker patterns.
+ * @param {Array<{name: string, conclusion: string|null}>} checks
+ */
+export function isExternalBlocker(checks) {
+  const failing = checks.filter(
+    (c) => c.conclusion === 'failure' || c.conclusion === 'action_required',
+  );
+  if (failing.length === 0) return false;
+  return failing.every((c) => isExternalBlockerCheck(c.name));
+}
+
+/**
+ * @param {string} prUrl  e.g. https://github.com/org/repo/pull/123
+ * @returns {{ owner: string, repo: string, number: number } | null}
+ */
+function parsePrUrl(prUrl) {
+  const m = /github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)/.exec(prUrl);
+  if (!m) return null;
+  return { owner: m[1], repo: m[2], number: parseInt(m[3], 10) };
+}
+
+/**
+ * @param {{
+ *   prStateStore: ReturnType<import('./world-pr-state.mjs').createWorldPrStateStore>,
+ *   getGhToken: () => Promise<string|null>,
+ *   dispatchToWorld: (worldId: string, prompt: string) => Promise<void>,
+ *   consultCodex: (ctx: string) => Promise<string>,
+ *   pollIntervalMs?: number,
+ *   maxDispatches?: number,
+ *   maxWallClockMin?: number,
+ * }} opts
+ */
+export function createPrNanny({
+  prStateStore,
+  getGhToken,
+  dispatchToWorld,
+  consultCodex,
+  pollIntervalMs = 60_000,
+  maxDispatches = parseInt(process.env.OLAM_PR_NANNY_MAX_DISPATCHES ?? '5', 10),
+  maxWallClockMin = parseInt(process.env.OLAM_PR_NANNY_MAX_WALL_CLOCK_MIN ?? '60', 10),
+}) {
+  const enabled = (process.env.OLAM_PR_NANNY ?? '1') !== '0';
+  if (!enabled) return { start() {}, stop() {} };
+
+  let intervalId = null;
+  let warnedOnce = false;
+
+  /**
+   * Fetch CI check runs for the PR's head SHA.
+   * @param {string} owner @param {string} repo @param {number} prNumber @param {string} ghToken
+   * @returns {Promise<Array<{name: string, conclusion: string|null}>>}
+   */
+  async function fetchChecks(owner, repo, prNumber, ghToken) {
+    try {
+      // First get the PR head SHA
+      const prRes = await fetch(
+        `${GH_API_BASE}/repos/${owner}/${repo}/pulls/${prNumber}`,
+        { headers: { Authorization: `token ${ghToken}`, Accept: 'application/vnd.github+json' } },
+      );
+      if (!prRes.ok) return [];
+      const prData = await prRes.json();
+      const sha = prData.head?.sha;
+      if (!sha) return [];
+
+      const checkRes = await fetch(
+        `${GH_API_BASE}/repos/${owner}/${repo}/commits/${sha}/check-runs?per_page=100`,
+        { headers: { Authorization: `token ${ghToken}`, Accept: 'application/vnd.github+json' } },
+      );
+      if (!checkRes.ok) return [];
+      const checkData = await checkRes.json();
+      return (checkData.check_runs ?? []).map((r) => ({
+        name: r.name,
+        conclusion: r.conclusion,
+        status: r.status,
+      }));
+    } catch {
+      return [];
+    }
+  }
+
+  /**
+   * @param {string} worldId
+   * @param {object} entry  current pr-state entry
+   * @param {string} ghToken
+   */
+  async function processWorld(worldId, entry, ghToken) {
+    if (entry.nanny_paused || entry.nanny_escalated) return;
+    if (entry.pr_state !== 'open') return;
+
+    const parsed = parsePrUrl(entry.pr_url);
+    if (!parsed) return;
+
+    // Halt: dispatch cap
+    const dispatchCount = entry.nanny_dispatch_count ?? 0;
+    if (dispatchCount >= maxDispatches) return;
+
+    // Halt: wall-clock ceiling
+    if (entry.nanny_first_dispatch_at) {
+      const elapsedMin = (Date.now() - new Date(entry.nanny_first_dispatch_at).getTime()) / 60_000;
+      if (elapsedMin >= maxWallClockMin) return;
+    }
+
+    const checks = await fetchChecks(parsed.owner, parsed.repo, parsed.number, ghToken);
+    const hasCiFailure = checks.some(
+      (c) => c.conclusion === 'failure' || c.conclusion === 'action_required',
+    );
+    const allPassing = checks.length > 0 && checks.every(
+      (c) => c.conclusion === 'success' || c.conclusion === 'skipped' || c.conclusion === 'neutral',
+    );
+
+    if (allPassing || checks.length === 0) return;
+    if (!hasCiFailure) return;
+
+    // External blocker — do not dispatch
+    if (isExternalBlocker(checks)) {
+      prStateStore.set(worldId, { nanny_external_blocker: true });
+      return;
+    }
+
+    prStateStore.set(worldId, { nanny_external_blocker: false });
+
+    const failingNames = checks
+      .filter((c) => c.conclusion === 'failure' || c.conclusion === 'action_required')
+      .map((c) => c.name)
+      .join(', ');
+
+    const prompt = `CI is failing on PR ${entry.pr_url}. Failing checks: ${failingNames}. Investigate the root cause, fix the code, and push.`;
+
+    // Halt: same-root-cause loop detection
+    if (entry.nanny_last_dispatch_prompt && entry.nanny_last_dispatch_prompt === prompt) {
+      console.log(`[pr-nanny] loop detected for ${worldId} — same prompt as last dispatch, halting`);
+      prStateStore.set(worldId, { nanny_loop_halted: true });
+      return;
+    }
+
+    // Consult Codex before dispatching
+    const codexCtx = `World ${worldId} has a failing PR: ${entry.pr_url}. Failing CI checks: ${failingNames}. Should we dispatch a fix? Answer: agree, push-back, or rethink.`;
+    let verdict = 'agree';
+    try {
+      verdict = await consultCodex(codexCtx);
+    } catch (err) {
+      console.warn(`[pr-nanny] codex consult failed for ${worldId}: ${err.message} — defaulting to agree`);
+    }
+
+    if (verdict === 'push-back') {
+      prStateStore.set(worldId, { nanny_paused: true, nanny_pause_reason: 'codex_pushback' });
+      console.log(`[pr-nanny] Codex push-back for ${worldId} — pausing nanny`);
+      return;
+    }
+    if (verdict === 'rethink') {
+      prStateStore.set(worldId, { nanny_escalated: true, nanny_escalate_reason: 'codex_rethink' });
+      console.log(`[pr-nanny] Codex rethink for ${worldId} — escalating`);
+      return;
+    }
+
+    // Dispatch fix
+    try {
+      await dispatchToWorld(worldId, prompt);
+      const now = new Date().toISOString();
+      prStateStore.set(worldId, {
+        nanny_dispatch_count: dispatchCount + 1,
+        nanny_first_dispatch_at: entry.nanny_first_dispatch_at ?? now,
+        nanny_last_dispatch_at: now,
+        nanny_last_dispatch_prompt: prompt,
+      });
+      console.log(`[pr-nanny] dispatched fix to ${worldId} (dispatch ${dispatchCount + 1}/${maxDispatches})`);
+    } catch (err) {
+      console.error(`[pr-nanny] dispatch failed for ${worldId}: ${err.message}`);
+    }
+  }
+
+  async function pollOnce() {
+    const ghToken = await getGhToken();
+    if (!ghToken) {
+      if (!warnedOnce) {
+        console.warn('[pr-nanny] no GH token — CI polling disabled');
+        warnedOnce = true;
+      }
+      return;
+    }
+
+    const worlds = prStateStore.getWorldsToWatch();
+    for (const { worldId, ...entry } of worlds) {
+      try {
+        await processWorld(worldId, entry, ghToken);
+      } catch (err) {
+        console.error(`[pr-nanny] processWorld error for ${worldId}: ${err.message}`);
+      }
+    }
+  }
+
+  function start() {
+    if (intervalId !== null) return;
+    // Immediate first poll
+    pollOnce().catch((err) => console.error('[pr-nanny] pollOnce error:', err.message));
+    intervalId = setInterval(() => {
+      pollOnce().catch((err) => console.error('[pr-nanny] pollOnce error:', err.message));
+    }, pollIntervalMs);
+  }
+
+  function stop() {
+    if (intervalId !== null) {
+      clearInterval(intervalId);
+      intervalId = null;
+    }
+  }
+
+  return { start, stop };
+}
+
+/**
+ * Default Codex consultation via the host-side `codex` CLI.
+ * @param {string} ctx
+ * @returns {Promise<'agree'|'push-back'|'rethink'>}
+ */
+export async function defaultConsultCodex(ctx) {
+  try {
+    const { stdout } = await execFileAsync('codex', [
+      '--quiet',
+      '--model', 'codex-mini-latest',
+      `Adversarial review — is this a good idea? ${ctx} Reply with exactly one word: agree, push-back, or rethink.`,
+    ], { timeout: 30_000 });
+    const text = stdout.trim().toLowerCase();
+    if (text.startsWith('push')) return 'push-back';
+    if (text.startsWith('rethink')) return 'rethink';
+    return 'agree';
+  } catch {
+    return 'agree'; // fail-open: if codex unavailable, dispatch anyway
+  }
+}
+
+/**
+ * Default dispatch: shell out to `olam dispatch <worldId> <prompt>`.
+ * @param {string} worldId
+ * @param {string} prompt
+ */
+export async function defaultDispatchToWorld(worldId, prompt) {
+  await execFileAsync('olam', ['dispatch', worldId, prompt], { timeout: 60_000 });
+}

package/host-cp/src/server.mjs

@@ -55,6 +55,7 @@ import { composeWorldsSources } from './compose-worlds-sources.mjs';
 import { createWorldPrStateStore } from './world-pr-state.mjs';
 import { PlanOrchestrator } from './plan-orchestrator.mjs';
 import { createPrMergePoller } from './pr-merge-poller.mjs';
+import { createPrNanny, defaultConsultCodex, defaultDispatchToWorld } from './pr-nanny.mjs';
 import { parse as parseYaml } from 'yaml';
 import { startWorldsDbReconciler } from './worlds-db-source.mjs';
 import { authSecretHint } from './auth-secret-hint.mjs';
@@ -346,6 +347,17 @@ const prPoller = createPrMergePoller({
 });
 prPoller.start();
 
+// ── PR Nanny — watch all open PRs and dispatch fixes ──────────────────────
+
+const prNanny = createPrNanny({
+  prStateStore,
+  getGhToken: resolveGhToken,
+  dispatchToWorld: defaultDispatchToWorld,
+  consultCodex: defaultConsultCodex,
+  pollIntervalMs: parseInt(process.env.OLAM_PR_NANNY_POLL_INTERVAL_MS ?? '60000', 10),
+});
+prNanny.start();
+
 // ── Worlds-DB reconcile loop ────────────────────────────────────
 //
 // When host-cp runs bare-node, the CLI's auto-register may not have fired
@@ -618,6 +630,11 @@ const server = http.createServer(async (req, res) => {
       pr_number: pr.pr_number ?? null,
       pr_url: pr.pr_url ?? null,
       pr_state: prState,
+      nanny_dispatch_count: pr.nanny_dispatch_count ?? 0,
+      nanny_paused: pr.nanny_paused ?? false,
+      nanny_escalated: pr.nanny_escalated ?? false,
+      nanny_loop_halted: pr.nanny_loop_halted ?? false,
+      nanny_external_blocker: pr.nanny_external_blocker ?? false,
     });
   }
 
@@ -1321,6 +1338,56 @@ const server = http.createServer(async (req, res) => {
     return;
   }
 
+  // ── PR Nanny operator overrides ──────────────────────────────────────────
+  //
+  // POST /api/admin/nanny/:worldId/pause    — pause nanny for this world
+  // POST /api/admin/nanny/:worldId/resume   — resume nanny for this world
+  // POST /api/admin/nanny/:worldId/escalate — mark escalated, stop dispatching
+  // GET  /api/admin/nanny                  — dump nanny state for all worlds
+  //
+  // Calling-world identity: X-Olam-World-Id header validated against registry.
+
+  const nannyAction = /^\/api\/admin\/nanny\/([^/?#]+)\/(pause|resume|escalate)$/.exec(url.pathname);
+  if (nannyAction && req.method === 'POST') {
+    if (!auth.isAuthorized(req)) { return res.writeHead(401).end(); }
+    const worldId = decodeURIComponent(nannyAction[1]);
+    const action = nannyAction[2];
+    // Validate calling-world identity when header present
+    const callerWorldId = req.headers['x-olam-world-id'];
+    if (callerWorldId && !(callerWorldId in WORLDS)) {
+      return jsonReply(res, 403, { error: 'caller_world_not_registered' });
+    }
+    const existing = prStateStore.get(worldId);
+    if (!existing) return jsonReply(res, 404, { error: 'world_not_found' });
+    if (action === 'pause') {
+      prStateStore.set(worldId, { nanny_paused: true, nanny_pause_reason: 'operator' });
+    } else if (action === 'resume') {
+      prStateStore.set(worldId, { nanny_paused: false, nanny_loop_halted: false, nanny_escalated: false });
+    } else if (action === 'escalate') {
+      prStateStore.set(worldId, { nanny_escalated: true, nanny_escalate_reason: 'operator' });
+    }
+    return jsonReply(res, 200, prStateStore.get(worldId));
+  }
+
+  if (url.pathname === '/api/admin/nanny' && req.method === 'GET') {
+    if (!auth.isAuthorized(req)) { return res.writeHead(401).end(); }
+    const all = prStateStore.getAll();
+    const nannyStates = Object.fromEntries(
+      Object.entries(all).map(([id, e]) => [id, {
+        nanny_dispatch_count: e.nanny_dispatch_count ?? 0,
+        nanny_paused: e.nanny_paused ?? false,
+        nanny_escalated: e.nanny_escalated ?? false,
+        nanny_loop_halted: e.nanny_loop_halted ?? false,
+        nanny_external_blocker: e.nanny_external_blocker ?? false,
+        nanny_first_dispatch_at: e.nanny_first_dispatch_at ?? null,
+        nanny_last_dispatch_at: e.nanny_last_dispatch_at ?? null,
+        pr_url: e.pr_url ?? null,
+        pr_state: e.pr_state ?? null,
+      }]),
+    );
+    return jsonReply(res, 200, nannyStates);
+  }
+
   // DELETE /api/worlds/:worldId — immediate destroy
   const worldDestroyMatch = /^\/api\/worlds\/([^/?#]+)$/.exec(url.pathname);
   if (worldDestroyMatch && req.method === 'DELETE') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pleri/olam-cli",
-  "version": "0.1.65",
+  "version": "0.1.66",
   "type": "module",
   "bin": {
     "olam": "./bin/olam.cjs"