npm - @probelabs/visor - Versions diffs - 0.1.146-ee → 0.1.147-ee - Mend

@probelabs/visor 0.1.146-ee → 0.1.147-ee

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

package/dist/sdk/{config-AAB2FL22.mjs → config-G5UU4WXT.mjs} RENAMED Viewed

@@ -2,7 +2,7 @@ import {
   ConfigManager,
   VALID_EVENT_TRIGGERS,
   init_config
-} from "./chunk-YOKAA4IU.mjs";
+} from "./chunk-XNTBSV6M.mjs";
 import "./chunk-NCWIZVOT.mjs";
 import "./chunk-LW3INISN.mjs";
 import "./chunk-SZXICFQ3.mjs";
@@ -13,4 +13,4 @@ export {
   ConfigManager,
   VALID_EVENT_TRIGGERS
 };
-//# sourceMappingURL=config-AAB2FL22.mjs.map
+//# sourceMappingURL=config-G5UU4WXT.mjs.map

package/dist/sdk/{failure-condition-evaluator-O464EJMD.mjs → failure-condition-evaluator-FHNZL2US.mjs} RENAMED Viewed

@@ -1,8 +1,8 @@
 import {
   FailureConditionEvaluator,
   init_failure_condition_evaluator
-} from "./chunk-L3XPYQ6I.mjs";
-import "./chunk-OM3WYVFI.mjs";
+} from "./chunk-V2QW6ECX.mjs";
+import "./chunk-4F5UVWAN.mjs";
 import "./chunk-JL7JXCET.mjs";
 import "./chunk-25IC7KXZ.mjs";
 import "./chunk-LW3INISN.mjs";
@@ -14,4 +14,4 @@ init_failure_condition_evaluator();
 export {
   FailureConditionEvaluator
 };
-//# sourceMappingURL=failure-condition-evaluator-O464EJMD.mjs.map
+//# sourceMappingURL=failure-condition-evaluator-FHNZL2US.mjs.map

package/dist/sdk/github-auth-UPBBBOME.mjs ADDED Viewed

@@ -0,0 +1,196 @@
+import {
+  init_logger,
+  logger
+} from "./chunk-SZXICFQ3.mjs";
+import "./chunk-UCMJJ3IM.mjs";
+import {
+  __esm
+} from "./chunk-J7LXIPZS.mjs";
+// src/github-auth.ts
+import { Octokit } from "@octokit/rest";
+import * as fs from "fs";
+import * as path from "path";
+async function createAuthenticatedOctokit(options) {
+  const { token, appId, installationId, owner, repo } = options;
+  const privateKey = options.privateKey ? resolvePrivateKey(options.privateKey) : void 0;
+  if (appId && privateKey) {
+    const { createAppAuth } = await import("@octokit/auth-app");
+    let finalInstallationId;
+    if (installationId) {
+      finalInstallationId = parseInt(installationId, 10);
+      if (isNaN(finalInstallationId) || finalInstallationId <= 0) {
+        throw new Error("Invalid installation-id. It must be a positive integer.");
+      }
+    }
+    if (!finalInstallationId && owner && repo) {
+      const appOctokit = new Octokit({
+        authStrategy: createAppAuth,
+        auth: { appId, privateKey }
+      });
+      try {
+        const { data: installation } = await appOctokit.rest.apps.getRepoInstallation({
+          owner,
+          repo
+        });
+        finalInstallationId = installation.id;
+      } catch {
+        throw new Error(
+          "GitHub App installation ID could not be auto-detected. Provide --github-installation-id or ensure the app is installed on the repository."
+        );
+      }
+    }
+    if (!finalInstallationId) {
+      throw new Error(
+        "GitHub App installation ID is required. Provide --github-installation-id or set owner/repo for auto-detection."
+      );
+    }
+    const octokit = new Octokit({
+      authStrategy: createAppAuth,
+      auth: {
+        appId,
+        privateKey,
+        installationId: finalInstallationId
+      }
+    });
+    const authResult = await octokit.auth({ type: "installation" });
+    return {
+      octokit,
+      authType: "github-app",
+      token: authResult.token
+    };
+  }
+  if (token) {
+    return {
+      octokit: new Octokit({ auth: token }),
+      authType: "token",
+      token
+    };
+  }
+  return void 0;
+}
+function resolveAuthFromEnvironment() {
+  return {
+    token: process.env.GITHUB_TOKEN || process.env.GH_TOKEN,
+    appId: process.env.GITHUB_APP_ID,
+    privateKey: process.env.GITHUB_APP_PRIVATE_KEY,
+    installationId: process.env.GITHUB_APP_INSTALLATION_ID,
+    owner: process.env.GITHUB_REPOSITORY_OWNER || process.env.GITHUB_REPOSITORY?.split("/")[0],
+    repo: process.env.GITHUB_REPOSITORY?.split("/")[1]
+  };
+}
+function resolvePrivateKey(keyOrPath) {
+  if (keyOrPath.includes("-----BEGIN")) {
+    return keyOrPath;
+  }
+  const resolved = path.resolve(keyOrPath);
+  if (fs.existsSync(resolved)) {
+    return fs.readFileSync(resolved, "utf8");
+  }
+  return keyOrPath;
+}
+function injectGitHubCredentials(token) {
+  process.env.GITHUB_TOKEN = token;
+  process.env.GH_TOKEN = token;
+  const currentCount = parseInt(process.env.GIT_CONFIG_COUNT || "0", 10);
+  let base;
+  if (_authBase === void 0) {
+    base = currentCount;
+  } else if (_lastWrittenCount !== void 0 && currentCount !== _lastWrittenCount) {
+    base = currentCount;
+  } else {
+    base = _authBase;
+  }
+  _authBase = base;
+  const authUrl = `https://x-access-token:${token}@github.com/`;
+  process.env[`GIT_CONFIG_KEY_${base}`] = `url.${authUrl}.insteadOf`;
+  process.env[`GIT_CONFIG_VALUE_${base}`] = "https://github.com/";
+  process.env[`GIT_CONFIG_KEY_${base + 1}`] = `url.${authUrl}.insteadOf`;
+  process.env[`GIT_CONFIG_VALUE_${base + 1}`] = "git@github.com:";
+  const newCount = base + 2;
+  process.env.GIT_CONFIG_COUNT = String(newCount);
+  _lastWrittenCount = newCount;
+}
+function markTokenFresh() {
+  const token = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;
+  if (token) {
+    _cachedAppToken = { token, generatedAt: Date.now() };
+  }
+}
+async function refreshGitHubCredentials() {
+  const appId = process.env.GITHUB_APP_ID;
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY;
+  if (!appId || !privateKey) return;
+  const now = Date.now();
+  if (_cachedAppToken && now - _cachedAppToken.generatedAt < TOKEN_REFRESH_MS) {
+    return;
+  }
+  try {
+    const opts = resolveAuthFromEnvironment();
+    const result = await createAuthenticatedOctokit(opts);
+    if (result && result.authType === "github-app") {
+      injectGitHubCredentials(result.token);
+      _cachedAppToken = { token: result.token, generatedAt: now };
+      logger.debug("[github-auth] Refreshed GitHub App installation token");
+    }
+  } catch (err) {
+    const age = _cachedAppToken ? `${Math.round((now - _cachedAppToken.generatedAt) / 6e4)}min old` : "no cached token";
+    logger.warn(
+      `[github-auth] Failed to refresh GitHub App token (${age}): ${err instanceof Error ? err.message : String(err)}. Child processes may fail with authentication errors.`
+    );
+  }
+}
+function startTokenRefreshTimer() {
+  if (_refreshTimer) return;
+  const appId = process.env.GITHUB_APP_ID;
+  const privateKey = process.env.GITHUB_APP_PRIVATE_KEY;
+  if (!appId || !privateKey) return;
+  _refreshTimer = setInterval(() => {
+    refreshGitHubCredentials().catch((err) => {
+      logger.warn(
+        `[github-auth] Background token refresh failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    });
+  }, TIMER_INTERVAL_MS);
+  _refreshTimer.unref();
+  logger.debug("[github-auth] Background token refresh timer started (every 30 min)");
+}
+function stopTokenRefreshTimer() {
+  if (_refreshTimer) {
+    clearInterval(_refreshTimer);
+    _refreshTimer = void 0;
+    logger.debug("[github-auth] Background token refresh timer stopped");
+  }
+}
+function _testSetCachedToken(token, generatedAt) {
+  if (token) {
+    _cachedAppToken = { token, generatedAt: generatedAt ?? Date.now() };
+  } else {
+    _cachedAppToken = void 0;
+  }
+}
+function _testGetCachedToken() {
+  return _cachedAppToken;
+}
+var _authBase, _lastWrittenCount, _cachedAppToken, TOKEN_REFRESH_MS, _refreshTimer, TIMER_INTERVAL_MS;
+var init_github_auth = __esm({
+  "src/github-auth.ts"() {
+    init_logger();
+    TOKEN_REFRESH_MS = 45 * 60 * 1e3;
+    TIMER_INTERVAL_MS = 30 * 60 * 1e3;
+  }
+});
+init_github_auth();
+export {
+  _testGetCachedToken,
+  _testSetCachedToken,
+  createAuthenticatedOctokit,
+  injectGitHubCredentials,
+  markTokenFresh,
+  refreshGitHubCredentials,
+  resolveAuthFromEnvironment,
+  resolvePrivateKey,
+  startTokenRefreshTimer,
+  stopTokenRefreshTimer
+};
+//# sourceMappingURL=github-auth-UPBBBOME.mjs.map

package/dist/sdk/github-auth-UPBBBOME.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/github-auth.ts"],"sourcesContent":["import { Octokit } from '@octokit/rest';\nimport * as fs from 'fs';\nimport * as path from 'path';\nimport { logger } from './logger';\n\n/**\n * Options for GitHub authentication.\n * Supports both personal access token and GitHub App authentication.\n */\nexport interface GitHubAuthOptions {\n /** Personal access token or fine-grained token */\n token?: string;\n /** GitHub App ID */\n appId?: string;\n /** GitHub App private key (PEM content or file path) */\n privateKey?: string;\n /** GitHub App installation ID (auto-detected if omitted) */\n installationId?: string;\n /** Repository owner (for auto-detecting installation ID) */\n owner?: string;\n /** Repository name (for auto-detecting installation ID) */\n repo?: string;\n}\n\n/**\n * Result of successful GitHub authentication.\n */\nexport interface GitHubAuthResult {\n /** Authenticated Octokit instance */\n octokit: Octokit;\n /** Authentication method used */\n authType: 'github-app' | 'token';\n /** Raw token string for environment propagation */\n token: string;\n}\n\n/**\n * Create an authenticated Octokit instance.\n * Returns undefined if no credentials are provided (auth is optional in CLI mode).\n *\n * For token auth: uses the token directly.\n * For GitHub App auth: creates JWT-authenticated client, resolves installation ID,\n * then extracts an installation access token for environment propagation.\n */\nexport async function createAuthenticatedOctokit(\n options: GitHubAuthOptions\n): Promise<GitHubAuthResult | undefined> {\n const { token, appId, installationId, owner, repo } = options;\n const privateKey = options.privateKey ? resolvePrivateKey(options.privateKey) : undefined;\n\n // Prefer GitHub App authentication if app credentials are provided\n if (appId && privateKey) {\n const { createAppAuth } = await import('@octokit/auth-app');\n\n let finalInstallationId: number | undefined;\n\n if (installationId) {\n finalInstallationId = parseInt(installationId, 10);\n if (isNaN(finalInstallationId) || finalInstallationId <= 0) {\n throw new Error('Invalid installation-id. It must be a positive integer.');\n }\n }\n\n // Auto-detect installation ID if not provided\n if (!finalInstallationId && owner && repo) {\n const appOctokit = new Octokit({\n authStrategy: createAppAuth,\n auth: { appId, privateKey },\n });\n\n try {\n const { data: installation } = await appOctokit.rest.apps.getRepoInstallation({\n owner,\n repo,\n });\n finalInstallationId = installation.id;\n } catch {\n throw new Error(\n 'GitHub App installation ID could not be auto-detected. ' +\n 'Provide --github-installation-id or ensure the app is installed on the repository.'\n );\n }\n }\n\n if (!finalInstallationId) {\n throw new Error(\n 'GitHub App installation ID is required. Provide --github-installation-id or set owner/repo for auto-detection.'\n );\n }\n\n // Create the authenticated Octokit instance\n const octokit = new Octokit({\n authStrategy: createAppAuth,\n auth: {\n appId,\n privateKey,\n installationId: finalInstallationId,\n },\n });\n\n // Extract the installation access token for environment propagation\n const authResult = (await octokit.auth({ type: 'installation' })) as { token: string };\n\n return {\n octokit,\n authType: 'github-app',\n token: authResult.token,\n };\n }\n\n // Fall back to token authentication\n if (token) {\n return {\n octokit: new Octokit({ auth: token }),\n authType: 'token',\n token,\n };\n }\n\n // No credentials provided\n return undefined;\n}\n\n/**\n * Resolve GitHub auth options from environment variables.\n * Used as fallback when no explicit CLI arguments are provided.\n */\nexport function resolveAuthFromEnvironment(): GitHubAuthOptions {\n return {\n token: process.env.GITHUB_TOKEN || process.env.GH_TOKEN,\n appId: process.env.GITHUB_APP_ID,\n privateKey: process.env.GITHUB_APP_PRIVATE_KEY,\n installationId: process.env.GITHUB_APP_INSTALLATION_ID,\n owner: process.env.GITHUB_REPOSITORY_OWNER || process.env.GITHUB_REPOSITORY?.split('/')[0],\n repo: process.env.GITHUB_REPOSITORY?.split('/')[1],\n };\n}\n\n/**\n * Resolve private key — supports both inline PEM content and file paths.\n */\nexport function resolvePrivateKey(keyOrPath: string): string {\n if (keyOrPath.includes('-----BEGIN')) {\n return keyOrPath;\n }\n const resolved = path.resolve(keyOrPath);\n if (fs.existsSync(resolved)) {\n return fs.readFileSync(resolved, 'utf8');\n }\n // Return as-is and let the auth library handle errors\n return keyOrPath;\n}\n\n// Track our auth entries position so repeated calls replace instead of stacking.\n// _authBase: the GIT_CONFIG index where our 2 auth entries start.\n// _lastWrittenCount: what we last set GIT_CONFIG_COUNT to (detects external changes).\nlet _authBase: number | undefined;\nlet _lastWrittenCount: number | undefined;\n\n/**\n * Inject GitHub credentials into process.env for child processes.\n *\n * Sets GITHUB_TOKEN/GH_TOKEN for gh CLI, and configures git HTTPS auth\n * via GIT_CONFIG_COUNT/KEY/VALUE env vars so `git clone`, `git push`, etc.\n * work automatically against github.com without any local git config.\n *\n * Uses git's GIT_CONFIG_COUNT mechanism (git 2.31+, March 2021):\n * - No temp files or global config mutation\n * - Inherited by all child processes automatically\n * - Works regardless of local git configuration\n *\n * Safe to call multiple times (e.g. on token refresh) — replaces previous entries.\n */\nexport function injectGitHubCredentials(token: string): void {\n // Set for gh CLI and general GitHub API usage\n process.env.GITHUB_TOKEN = token;\n process.env.GH_TOKEN = token;\n\n const currentCount = parseInt(process.env.GIT_CONFIG_COUNT || '0', 10);\n\n // Determine where to write our 2 auth entries:\n // - First call: append after any pre-existing entries\n // - Subsequent calls with unchanged count: overwrite at same position\n // - If count changed externally: someone added entries, append after them\n let base: number;\n if (_authBase === undefined) {\n base = currentCount;\n } else if (_lastWrittenCount !== undefined && currentCount !== _lastWrittenCount) {\n base = currentCount;\n } else {\n base = _authBase;\n }\n _authBase = base;\n\n // Configure git HTTPS auth via url.<base>.insteadOf\n const authUrl = `https://x-access-token:${token}@github.com/`;\n\n // Rewrite HTTPS URLs\n process.env[`GIT_CONFIG_KEY_${base}`] = `url.${authUrl}.insteadOf`;\n process.env[`GIT_CONFIG_VALUE_${base}`] = 'https://github.com/';\n\n // Rewrite SSH-style URLs (git@github.com:org/repo)\n process.env[`GIT_CONFIG_KEY_${base + 1}`] = `url.${authUrl}.insteadOf`;\n process.env[`GIT_CONFIG_VALUE_${base + 1}`] = 'git@github.com:';\n\n const newCount = base + 2;\n process.env.GIT_CONFIG_COUNT = String(newCount);\n _lastWrittenCount = newCount;\n}\n\n/**\n * Mark the current token as freshly generated (for use after initial startup auth).\n * Prevents the first refreshGitHubCredentials() call from unnecessarily regenerating.\n */\nexport function markTokenFresh(): void {\n const token = process.env.GITHUB_TOKEN || process.env.GH_TOKEN;\n if (token) {\n _cachedAppToken = { token, generatedAt: Date.now() };\n }\n}\n\n// Cached token with generation timestamp for expiry checks\nlet _cachedAppToken: { token: string; generatedAt: number } | undefined;\n\n// Installation tokens live 1 hour; refresh after 45 minutes.\n// Using 45 min (not 50) leaves a 15-minute buffer for long-running tasks\n// that start right before a refresh cycle.\nconst TOKEN_REFRESH_MS = 45 * 60 * 1000;\n\n// Background refresh timer\nlet _refreshTimer: ReturnType<typeof setInterval> | undefined;\n\n// How often the background timer checks (30 minutes)\nconst TIMER_INTERVAL_MS = 30 * 60 * 1000;\n\n/**\n * Refresh GitHub App installation credentials if they are about to expire.\n *\n * No-op when:\n * - No GitHub App credentials are configured (GITHUB_APP_ID + GITHUB_APP_PRIVATE_KEY)\n * - The current token was generated less than 45 minutes ago\n *\n * Call this before each execution in long-running processes (Slack bot, scheduler)\n * to ensure child processes always have a valid token for git/gh operations.\n */\nexport async function refreshGitHubCredentials(): Promise<void> {\n // Quick check: do we have App credentials?\n const appId = process.env.GITHUB_APP_ID;\n const privateKey = process.env.GITHUB_APP_PRIVATE_KEY;\n if (!appId || !privateKey) return;\n\n // Skip if cached token is still fresh\n const now = Date.now();\n if (_cachedAppToken && now - _cachedAppToken.generatedAt < TOKEN_REFRESH_MS) {\n return;\n }\n\n try {\n const opts = resolveAuthFromEnvironment();\n const result = await createAuthenticatedOctokit(opts);\n if (result && result.authType === 'github-app') {\n injectGitHubCredentials(result.token);\n _cachedAppToken = { token: result.token, generatedAt: now };\n logger.debug('[github-auth] Refreshed GitHub App installation token');\n }\n } catch (err) {\n const age = _cachedAppToken\n ? `${Math.round((now - _cachedAppToken.generatedAt) / 60000)}min old`\n : 'no cached token';\n logger.warn(\n `[github-auth] Failed to refresh GitHub App token (${age}): ${err instanceof Error ? err.message : String(err)}. ` +\n 'Child processes may fail with authentication errors.'\n );\n }\n}\n\n/**\n * Start a background timer that refreshes GitHub App tokens every 30 minutes.\n *\n * This ensures tokens stay fresh even during long-running tasks (e.g., an engineer\n * task that takes 40+ minutes). Without this, a token generated at startup could\n * expire mid-execution of a child process.\n *\n * The timer is unref'd so it doesn't prevent Node from exiting.\n * Call stopTokenRefreshTimer() on shutdown.\n */\nexport function startTokenRefreshTimer(): void {\n if (_refreshTimer) return; // Already running\n\n // Only start if we have App credentials\n const appId = process.env.GITHUB_APP_ID;\n const privateKey = process.env.GITHUB_APP_PRIVATE_KEY;\n if (!appId || !privateKey) return;\n\n _refreshTimer = setInterval(() => {\n refreshGitHubCredentials().catch(err => {\n logger.warn(\n `[github-auth] Background token refresh failed: ${err instanceof Error ? err.message : String(err)}`\n );\n });\n }, TIMER_INTERVAL_MS);\n\n // Don't prevent Node from exiting\n _refreshTimer.unref();\n\n logger.debug('[github-auth] Background token refresh timer started (every 30 min)');\n}\n\n/**\n * Stop the background token refresh timer.\n */\nexport function stopTokenRefreshTimer(): void {\n if (_refreshTimer) {\n clearInterval(_refreshTimer);\n _refreshTimer = undefined;\n logger.debug('[github-auth] Background token refresh timer stopped');\n }\n}\n\n/** Visible for testing: override the cached token state. */\nexport function _testSetCachedToken(token: string | undefined, generatedAt?: number): void {\n if (token) {\n _cachedAppToken = { token, generatedAt: generatedAt ?? Date.now() };\n } else {\n _cachedAppToken = undefined;\n }\n}\n\n/** Visible for testing: get the current cached token info. */\nexport function _testGetCachedToken(): { token: string; generatedAt: number } | undefined {\n return _cachedAppToken;\n}\n"],"mappings":";;;;;;;;;;AAAA,SAAS,eAAe;AACxB,YAAY,QAAQ;AACpB,YAAY,UAAU;AA0CtB,eAAsB,2BACpB,SACuC;AACvC,QAAM,EAAE,OAAO,OAAO,gBAAgB,OAAO,KAAK,IAAI;AACtD,QAAM,aAAa,QAAQ,aAAa,kBAAkB,QAAQ,UAAU,IAAI;AAGhF,MAAI,SAAS,YAAY;AACvB,UAAM,EAAE,cAAc,IAAI,MAAM,OAAO,mBAAmB;AAE1D,QAAI;AAEJ,QAAI,gBAAgB;AAClB,4BAAsB,SAAS,gBAAgB,EAAE;AACjD,UAAI,MAAM,mBAAmB,KAAK,uBAAuB,GAAG;AAC1D,cAAM,IAAI,MAAM,yDAAyD;AAAA,MAC3E;AAAA,IACF;AAGA,QAAI,CAAC,uBAAuB,SAAS,MAAM;AACzC,YAAM,aAAa,IAAI,QAAQ;AAAA,QAC7B,cAAc;AAAA,QACd,MAAM,EAAE,OAAO,WAAW;AAAA,MAC5B,CAAC;AAED,UAAI;AACF,cAAM,EAAE,MAAM,aAAa,IAAI,MAAM,WAAW,KAAK,KAAK,oBAAoB;AAAA,UAC5E;AAAA,UACA;AAAA,QACF,CAAC;AACD,8BAAsB,aAAa;AAAA,MACrC,QAAQ;AACN,cAAM,IAAI;AAAA,UACR;AAAA,QAEF;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,qBAAqB;AACxB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAGA,UAAM,UAAU,IAAI,QAAQ;AAAA,MAC1B,cAAc;AAAA,MACd,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA,gBAAgB;AAAA,MAClB;AAAA,IACF,CAAC;AAGD,UAAM,aAAc,MAAM,QAAQ,KAAK,EAAE,MAAM,eAAe,CAAC;AAE/D,WAAO;AAAA,MACL;AAAA,MACA,UAAU;AAAA,MACV,OAAO,WAAW;AAAA,IACpB;AAAA,EACF;AAGA,MAAI,OAAO;AACT,WAAO;AAAA,MACL,SAAS,IAAI,QAAQ,EAAE,MAAM,MAAM,CAAC;AAAA,MACpC,UAAU;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,SAAO;AACT;AAMO,SAAS,6BAAgD;AAC9D,SAAO;AAAA,IACL,OAAO,QAAQ,IAAI,gBAAgB,QAAQ,IAAI;AAAA,IAC/C,OAAO,QAAQ,IAAI;AAAA,IACnB,YAAY,QAAQ,IAAI;AAAA,IACxB,gBAAgB,QAAQ,IAAI;AAAA,IAC5B,OAAO,QAAQ,IAAI,2BAA2B,QAAQ,IAAI,mBAAmB,MAAM,GAAG,EAAE,CAAC;AAAA,IACzF,MAAM,QAAQ,IAAI,mBAAmB,MAAM,GAAG,EAAE,CAAC;AAAA,EACnD;AACF;AAKO,SAAS,kBAAkB,WAA2B;AAC3D,MAAI,UAAU,SAAS,YAAY,GAAG;AACpC,WAAO;AAAA,EACT;AACA,QAAM,WAAgB,aAAQ,SAAS;AACvC,MAAO,cAAW,QAAQ,GAAG;AAC3B,WAAU,gBAAa,UAAU,MAAM;AAAA,EACzC;AAEA,SAAO;AACT;AAsBO,SAAS,wBAAwB,OAAqB;AAE3D,UAAQ,IAAI,eAAe;AAC3B,UAAQ,IAAI,WAAW;AAEvB,QAAM,eAAe,SAAS,QAAQ,IAAI,oBAAoB,KAAK,EAAE;AAMrE,MAAI;AACJ,MAAI,cAAc,QAAW;AAC3B,WAAO;AAAA,EACT,WAAW,sBAAsB,UAAa,iBAAiB,mBAAmB;AAChF,WAAO;AAAA,EACT,OAAO;AACL,WAAO;AAAA,EACT;AACA,cAAY;AAGZ,QAAM,UAAU,0BAA0B,KAAK;AAG/C,UAAQ,IAAI,kBAAkB,IAAI,EAAE,IAAI,OAAO,OAAO;AACtD,UAAQ,IAAI,oBAAoB,IAAI,EAAE,IAAI;AAG1C,UAAQ,IAAI,kBAAkB,OAAO,CAAC,EAAE,IAAI,OAAO,OAAO;AAC1D,UAAQ,IAAI,oBAAoB,OAAO,CAAC,EAAE,IAAI;AAE9C,QAAM,WAAW,OAAO;AACxB,UAAQ,IAAI,mBAAmB,OAAO,QAAQ;AAC9C,sBAAoB;AACtB;AAMO,SAAS,iBAAuB;AACrC,QAAM,QAAQ,QAAQ,IAAI,gBAAgB,QAAQ,IAAI;AACtD,MAAI,OAAO;AACT,sBAAkB,EAAE,OAAO,aAAa,KAAK,IAAI,EAAE;AAAA,EACrD;AACF;AA0BA,eAAsB,2BAA0C;AAE9D,QAAM,QAAQ,QAAQ,IAAI;AAC1B,QAAM,aAAa,QAAQ,IAAI;AAC/B,MAAI,CAAC,SAAS,CAAC,WAAY;AAG3B,QAAM,MAAM,KAAK,IAAI;AACrB,MAAI,mBAAmB,MAAM,gBAAgB,cAAc,kBAAkB;AAC3E;AAAA,EACF;AAEA,MAAI;AACF,UAAM,OAAO,2BAA2B;AACxC,UAAM,SAAS,MAAM,2BAA2B,IAAI;AACpD,QAAI,UAAU,OAAO,aAAa,cAAc;AAC9C,8BAAwB,OAAO,KAAK;AACpC,wBAAkB,EAAE,OAAO,OAAO,OAAO,aAAa,IAAI;AAC1D,aAAO,MAAM,uDAAuD;AAAA,IACtE;AAAA,EACF,SAAS,KAAK;AACZ,UAAM,MAAM,kBACR,GAAG,KAAK,OAAO,MAAM,gBAAgB,eAAe,GAAK,CAAC,YAC1D;AACJ,WAAO;AAAA,MACL,qDAAqD,GAAG,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAEhH;AAAA,EACF;AACF;AAYO,SAAS,yBAA+B;AAC7C,MAAI,cAAe;AAGnB,QAAM,QAAQ,QAAQ,IAAI;AAC1B,QAAM,aAAa,QAAQ,IAAI;AAC/B,MAAI,CAAC,SAAS,CAAC,WAAY;AAE3B,kBAAgB,YAAY,MAAM;AAChC,6BAAyB,EAAE,MAAM,SAAO;AACtC,aAAO;AAAA,QACL,kDAAkD,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MACpG;AAAA,IACF,CAAC;AAAA,EACH,GAAG,iBAAiB;AAGpB,gBAAc,MAAM;AAEpB,SAAO,MAAM,qEAAqE;AACpF;AAKO,SAAS,wBAA8B;AAC5C,MAAI,eAAe;AACjB,kBAAc,aAAa;AAC3B,oBAAgB;AAChB,WAAO,MAAM,sDAAsD;AAAA,EACrE;AACF;AAGO,SAAS,oBAAoB,OAA2B,aAA4B;AACzF,MAAI,OAAO;AACT,sBAAkB,EAAE,OAAO,aAAa,eAAe,KAAK,IAAI,EAAE;AAAA,EACpE,OAAO;AACL,sBAAkB;AAAA,EACpB;AACF;AAGO,SAAS,sBAA0E;AACxF,SAAO;AACT;AA3UA,IA4JI,WACA,mBAiEA,iBAKE,kBAGF,eAGE;AAzON;AAAA;AAGA;AAgOA,IAAM,mBAAmB,KAAK,KAAK;AAMnC,IAAM,oBAAoB,KAAK,KAAK;AAAA;AAAA;","names":[]}

package/dist/sdk/{github-frontend-MSX6Q2WL.mjs → github-frontend-47EU2HBY.mjs} RENAMED Viewed

@@ -9,8 +9,8 @@ import {
 import {
   failure_condition_evaluator_exports,
   init_failure_condition_evaluator
-} from "./chunk-L3XPYQ6I.mjs";
-import "./chunk-OM3WYVFI.mjs";
+} from "./chunk-V2QW6ECX.mjs";
+import "./chunk-4F5UVWAN.mjs";
 import "./chunk-JL7JXCET.mjs";
 import "./chunk-25IC7KXZ.mjs";
 import "./chunk-LW3INISN.mjs";
@@ -1353,4 +1353,4 @@ init_github_frontend();
 export {
   GitHubFrontend
 };
-//# sourceMappingURL=github-frontend-MSX6Q2WL.mjs.map
+//# sourceMappingURL=github-frontend-47EU2HBY.mjs.map

package/dist/sdk/{host-5BJ25CUZ.mjs → host-GVR4UGZ3.mjs} RENAMED Viewed

@@ -21,7 +21,7 @@ var init_host = __esm({
             const { NdjsonSink } = await import("./ndjson-sink-FD2PSXGD.mjs");
             this.frontends.push(new NdjsonSink(spec.config));
           } else if (spec.name === "github") {
-            const { GitHubFrontend } = await import("./github-frontend-MSX6Q2WL.mjs");
+            const { GitHubFrontend } = await import("./github-frontend-47EU2HBY.mjs");
             this.frontends.push(new GitHubFrontend());
           } else if (spec.name === "slack") {
             const { SlackFrontend } = await import("./slack-frontend-TZU2HIK7.mjs");
@@ -60,4 +60,4 @@ init_host();
 export {
   FrontendsHost
 };
-//# sourceMappingURL=host-5BJ25CUZ.mjs.map
+//# sourceMappingURL=host-GVR4UGZ3.mjs.map

package/dist/sdk/{host-GA76UESS.mjs → host-KGN5OIAM.mjs} RENAMED Viewed

@@ -21,7 +21,7 @@ var init_host = __esm({
             const { NdjsonSink } = await import("./ndjson-sink-FD2PSXGD.mjs");
             this.frontends.push(new NdjsonSink(spec.config));
           } else if (spec.name === "github") {
-            const { GitHubFrontend } = await import("./github-frontend-MSX6Q2WL.mjs");
+            const { GitHubFrontend } = await import("./github-frontend-47EU2HBY.mjs");
             this.frontends.push(new GitHubFrontend());
           } else if (spec.name === "slack") {
             const { SlackFrontend } = await import("./slack-frontend-TZU2HIK7.mjs");
@@ -60,4 +60,4 @@ init_host();
 export {
   FrontendsHost
 };
-//# sourceMappingURL=host-GA76UESS.mjs.map
+//# sourceMappingURL=host-KGN5OIAM.mjs.map

package/dist/sdk/{loader-ZC5G3JGJ.mjs → loader-YSRMVXC3.mjs} RENAMED Viewed

@@ -86,4 +86,4 @@ export {
   loadEnterprisePolicyEngine,
   loadEnterpriseStoreBackend
 };
-//# sourceMappingURL=loader-ZC5G3JGJ.mjs.map
+//# sourceMappingURL=loader-YSRMVXC3.mjs.map

package/dist/sdk/{routing-RIHVCEIU.mjs → routing-CZ36LVVS.mjs} RENAMED Viewed

@@ -4,9 +4,9 @@ import {
   evaluateTransitions,
   handleRouting,
   init_routing
-} from "./chunk-I42ZCVA5.mjs";
-import "./chunk-L3XPYQ6I.mjs";
-import "./chunk-OM3WYVFI.mjs";
+} from "./chunk-FBJ7MC7R.mjs";
+import "./chunk-V2QW6ECX.mjs";
+import "./chunk-4F5UVWAN.mjs";
 import "./chunk-JL7JXCET.mjs";
 import "./chunk-ZUEQNCKB.mjs";
 import "./chunk-25IC7KXZ.mjs";
@@ -22,4 +22,4 @@ export {
   evaluateTransitions,
   handleRouting
 };
-//# sourceMappingURL=routing-RIHVCEIU.mjs.map
+//# sourceMappingURL=routing-CZ36LVVS.mjs.map

package/dist/sdk/{schedule-tool-handler-NYL2ONJB.mjs → schedule-tool-handler-E7XHMU5G.mjs} RENAMED Viewed

@@ -6,7 +6,7 @@ import {
   extractSlackContext,
   init_schedule_tool_handler,
   isScheduleToolCall
-} from "./chunk-3BOOHJI5.mjs";
+} from "./chunk-PNZH3JSI.mjs";
 import "./chunk-KFKHU6CM.mjs";
 import "./chunk-M3BYMES6.mjs";
 import "./chunk-LG4AUKHB.mjs";
@@ -14,12 +14,12 @@ import "./chunk-B7BVQM5K.mjs";
 import "./chunk-XXAEN5KU.mjs";
 import "./chunk-GEW6LS32.mjs";
 import "./chunk-DIND4ZCV.mjs";
-import "./chunk-YOKAA4IU.mjs";
+import "./chunk-XNTBSV6M.mjs";
 import "./chunk-NCWIZVOT.mjs";
 import "./chunk-XKCER23W.mjs";
-import "./chunk-I42ZCVA5.mjs";
-import "./chunk-L3XPYQ6I.mjs";
-import "./chunk-OM3WYVFI.mjs";
+import "./chunk-FBJ7MC7R.mjs";
+import "./chunk-V2QW6ECX.mjs";
+import "./chunk-4F5UVWAN.mjs";
 import "./chunk-JL7JXCET.mjs";
 import "./chunk-ZUEQNCKB.mjs";
 import "./chunk-25IC7KXZ.mjs";
@@ -37,4 +37,4 @@ export {
   extractSlackContext,
   isScheduleToolCall
 };
-//# sourceMappingURL=schedule-tool-handler-NYL2ONJB.mjs.map
+//# sourceMappingURL=schedule-tool-handler-E7XHMU5G.mjs.map

package/dist/sdk/{schedule-tool-handler-62K3NGH6.mjs → schedule-tool-handler-KFYNV7HL.mjs} RENAMED Viewed

@@ -6,20 +6,20 @@ import {
   extractSlackContext,
   init_schedule_tool_handler,
   isScheduleToolCall
-} from "./chunk-74YJMONB.mjs";
+} from "./chunk-EWGX7LI7.mjs";
+import "./chunk-KFKHU6CM.mjs";
 import "./chunk-M3BYMES6.mjs";
 import "./chunk-LG4AUKHB.mjs";
-import "./chunk-KFKHU6CM.mjs";
 import "./chunk-B7BVQM5K.mjs";
 import "./chunk-XXAEN5KU.mjs";
 import "./chunk-GEW6LS32.mjs";
 import "./chunk-DIND4ZCV.mjs";
-import "./chunk-YOKAA4IU.mjs";
+import "./chunk-XNTBSV6M.mjs";
 import "./chunk-NCWIZVOT.mjs";
 import "./chunk-XKCER23W.mjs";
-import "./chunk-I42ZCVA5.mjs";
-import "./chunk-L3XPYQ6I.mjs";
-import "./chunk-OM3WYVFI.mjs";
+import "./chunk-FBJ7MC7R.mjs";
+import "./chunk-V2QW6ECX.mjs";
+import "./chunk-4F5UVWAN.mjs";
 import "./chunk-JL7JXCET.mjs";
 import "./chunk-ZUEQNCKB.mjs";
 import "./chunk-25IC7KXZ.mjs";
@@ -37,4 +37,4 @@ export {
   extractSlackContext,
   isScheduleToolCall
 };
-//# sourceMappingURL=schedule-tool-handler-62K3NGH6.mjs.map
+//# sourceMappingURL=schedule-tool-handler-KFYNV7HL.mjs.map

package/dist/sdk/sdk.js CHANGED Viewed

@@ -760,7 +760,7 @@ var require_package = __commonJS({
         "@opentelemetry/sdk-node": "^0.203.0",
         "@opentelemetry/sdk-trace-base": "^1.30.1",
         "@opentelemetry/semantic-conventions": "^1.30.1",
-        "@probelabs/probe": "^0.6.0-rc260",
+        "@probelabs/probe": "^0.6.0-rc262",
         "@types/commander": "^2.12.0",
         "@types/uuid": "^10.0.0",
         acorn: "^8.16.0",
@@ -8501,12 +8501,15 @@ ${"=".repeat(60)}
           if (!systemPrompt && schema !== "code-review") {
             systemPrompt = "You are general assistant, follow user instructions.";
           }
+          log(
+            `\u{1F527} AIReviewService config: allowEdit=${this.config.allowEdit}, allowBash=${this.config.allowBash}, promptType=${this.config.promptType}`
+          );
           const options = {
             sessionId,
             // Prefer config promptType, then env override, else fallback to code-review when schema is set
             promptType: this.config.promptType && this.config.promptType.trim() ? this.config.promptType.trim() : explicitPromptType ? explicitPromptType : schema === "code-review" ? "code-review-template" : void 0,
             allowEdit: false,
-            // We don't want the agent to modify files
+            // Default: don't allow file modifications
             debug: this.config.debug || false,
             // Use systemPrompt (native in rc168+) with fallback to customPrompt for backward compat
             systemPrompt: systemPrompt || this.config.systemPrompt || this.config.customPrompt
@@ -8595,6 +8598,9 @@ ${"=".repeat(60)}
           if (this.config.model) {
             options.model = this.config.model;
           }
+          log(
+            `\u{1F527} ProbeAgent options: allowEdit=${options.allowEdit}, enableBash=${options.enableBash}, promptType=${options.promptType}`
+          );
           const agent = new import_probe2.ProbeAgent(options);
           if (typeof agent.initialize === "function") {
             await agent.initialize();
@@ -15543,14 +15549,9 @@ ${errors}`);
         const { WorkflowRegistry: WorkflowRegistry2 } = await Promise.resolve().then(() => (init_workflow_registry(), workflow_registry_exports));
         const registry = WorkflowRegistry2.getInstance();
         for (const source of config.imports) {
-          const results = await registry.import(source, { basePath, validate: true });
+          const results = await registry.import(source, { basePath, validate: true, override: true });
           for (const result of results) {
             if (!result.valid && result.errors) {
-              const isAlreadyExists = result.errors.every((e) => e.message.includes("already exists"));
-              if (isAlreadyExists) {
-                logger.debug(`Workflow from '${source}' already imported, skipping`);
-                continue;
-              }
               const errors = result.errors.map((e) => `  ${e.path}: ${e.message}`).join("\n");
               throw new Error(`Failed to import workflow from '${source}':
 ${errors}`);
@@ -45055,7 +45056,7 @@ var init_worktree_manager = __esm({
       /**
        * Get or create bare repository
        */
-      async getOrCreateBareRepo(repository, repoUrl, token, fetchDepth, cloneTimeoutMs) {
+      async getOrCreateBareRepo(repository, repoUrl, _token, fetchDepth, cloneTimeoutMs) {
         const reposDir = this.getReposDir();
         const repoName = repository.replace(/\//g, "-");
         const bareRepoPath = path20.join(reposDir, `${repoName}.git`);
@@ -45071,11 +45072,12 @@ var init_worktree_manager = __esm({
             );
             await fsp.rm(bareRepoPath, { recursive: true, force: true });
           } else {
+            await this.resetBareRepoRemoteUrl(bareRepoPath, repoUrl);
             await this.updateBareRepo(bareRepoPath);
             return bareRepoPath;
           }
         }
-        const cloneUrl = this.buildAuthenticatedUrl(repoUrl, token);
+        const cloneUrl = repoUrl;
         const redactedUrl = this.redactUrl(cloneUrl);
         logger.info(
           `Cloning bare repository: ${redactedUrl}${fetchDepth ? ` (depth: ${fetchDepth})` : ""}`
@@ -45156,6 +45158,33 @@ var init_worktree_manager = __esm({
           return false;
         }
       }
+      /**
+       * Ensure the origin remote URL of a bare repo is a plain URL (no embedded token).
+       *
+       * Older bare repos may have been cloned with a token in the URL
+       * (https://x-access-token:TOKEN@github.com/...). This causes stale-token
+       * failures because GIT_CONFIG insteadOf rules can't rewrite URLs that
+       * already have credentials. Resetting to the plain URL lets insteadOf
+       * handle auth with the freshest token.
+       */
+      async resetBareRepoRemoteUrl(bareRepoPath, plainRepoUrl) {
+        try {
+          const cmd = `git -C ${this.escapeShellArg(bareRepoPath)} remote set-url origin ${this.escapeShellArg(plainRepoUrl)}`;
+          const result = await this.executeGitCommand(cmd, { timeout: 1e4 });
+          if (result.exitCode !== 0) {
+            logger.warn(
+              `Failed to reset bare repo remote URL: ${result.stderr}. Git operations may fail with stale token if the URL has embedded credentials.`
+            );
+          } else {
+            logger.debug(`Reset bare repo remote URL to plain URL for ${bareRepoPath}`);
+          }
+        } catch (error) {
+          const msg = error instanceof Error ? error.message : String(error);
+          logger.warn(
+            `Error resetting bare repo remote URL: ${msg}. Git operations may fail with stale token if the URL has embedded credentials.`
+          );
+        }
+      }
       /**
        * Create a new worktree for the given repository/ref.
        *
@@ -51210,10 +51239,12 @@ var init_bubblewrap_sandbox = __esm({
       name;
       config;
       repoPath;
-      constructor(name, config, repoPath) {
+      visorDistPath;
+      constructor(name, config, repoPath, visorDistPath) {
         this.name = name;
         this.config = config;
         this.repoPath = (0, import_path10.resolve)(repoPath);
+        this.visorDistPath = (0, import_path10.resolve)(visorDistPath);
       }
       /**
        * Check if bwrap binary is available on the system.
@@ -51294,6 +51325,8 @@ var init_bubblewrap_sandbox = __esm({
         } else {
           args.push("--bind", this.repoPath, workdir);
         }
+        const visorPath = this.config.visor_path || "/opt/visor";
+        args.push("--ro-bind", this.visorDistPath, visorPath);
         args.push("--chdir", workdir);
         args.push("--unshare-pid");
         args.push("--new-session");
@@ -51335,10 +51368,12 @@ var init_seatbelt_sandbox = __esm({
       name;
       config;
       repoPath;
-      constructor(name, config, repoPath) {
+      visorDistPath;
+      constructor(name, config, repoPath, visorDistPath) {
         this.name = name;
         this.config = config;
         this.repoPath = (0, import_fs7.realpathSync)((0, import_path11.resolve)(repoPath));
+        this.visorDistPath = (0, import_fs7.realpathSync)((0, import_path11.resolve)(visorDistPath));
       }
       /**
        * Check if sandbox-exec binary is available on the system.
@@ -51439,6 +51474,8 @@ var init_seatbelt_sandbox = __esm({
         if (!this.config.read_only) {
           lines.push(`(allow file-write* (subpath "${repoPath}"))`);
         }
+        const visorDistPath = this.escapePath(this.visorDistPath);
+        lines.push(`(allow file-read* (subpath "${visorDistPath}"))`);
         if (this.config.network !== false) {
           lines.push("(allow network*)");
         }
@@ -51511,13 +51548,13 @@ var init_sandbox_manager = __esm({
         const mode = config.compose ? "compose" : "image";
         if (config.engine === "bubblewrap") {
           const { BubblewrapSandbox: BubblewrapSandbox2 } = (init_bubblewrap_sandbox(), __toCommonJS(bubblewrap_sandbox_exports));
-          const instance = new BubblewrapSandbox2(name, config, this.repoPath);
+          const instance = new BubblewrapSandbox2(name, config, this.repoPath, this.visorDistPath);
           this.instances.set(name, instance);
           return instance;
         }
         if (config.engine === "seatbelt") {
           const { SeatbeltSandbox: SeatbeltSandbox2 } = (init_seatbelt_sandbox(), __toCommonJS(seatbelt_sandbox_exports));
-          const instance = new SeatbeltSandbox2(name, config, this.repoPath);
+          const instance = new SeatbeltSandbox2(name, config, this.repoPath, this.visorDistPath);
           this.instances.set(name, instance);
           return instance;
         }