@proletariat/cli 0.3.48 → 0.3.49

package/dist/lib/execution/storage.js

@@ -18,7 +18,7 @@ function rowToAgentWork(row) {
         executor: row.executor,
         environment: (row.environment || 'host'),
         displayMode: (row.display_mode || 'terminal'),
-        sandboxed: row.sandboxed === 1,
+        permissionMode: (row.permission_mode || 'safe'),
         status: row.status,
         branch: row.branch || undefined,
         pid: row.pid || undefined,
@@ -51,10 +51,10 @@ export class ExecutionStorage {
         const id = `WORK-${randomUUID().substring(0, 8).toUpperCase()}`;
         this.db.prepare(`
       INSERT INTO ${T.agent_work} (
-        id, ticket_id, agent_name, executor, environment, display_mode, sandboxed,
+        id, ticket_id, agent_name, executor, environment, display_mode, permission_mode,
         status, branch, pid, container_id, session_id, host, log_path, started_at
       ) VALUES (?, ?, ?, ?, ?, ?, ?, 'starting', ?, ?, ?, ?, ?, ?, ?)
-    `).run(id, params.ticketId, params.agentName, params.executor, params.environment, params.displayMode, params.sandboxed ? 1 : 0, params.branch || null, params.pid || null, params.containerId || null, params.sessionId || null, params.host || null, params.logPath || null, now);
+    `).run(id, params.ticketId, params.agentName, params.executor, params.environment, params.displayMode, params.permissionMode, params.branch || null, params.pid || null, params.containerId || null, params.sessionId || null, params.host || null, params.logPath || null, now);
         return this.getExecution(id);
     }
     /**

package/dist/lib/execution/types.d.ts

@@ -46,7 +46,7 @@ export interface AgentWork {
     environment: ExecutionEnvironment;
     displayMode: DisplayMode;
     sessionManager?: SessionManager;
-    sandboxed: boolean;
+    permissionMode: PermissionMode;
     status: ExecutionStatus;
     branch?: string;
     pid?: string;
@@ -120,7 +120,7 @@ export interface ExecutionConfig {
     autoExecute: boolean;
     shell: Shell;
     outputMode: OutputMode;
-    sandboxed: boolean;
+    permissionMode: PermissionMode;
     authMethod?: AuthMethod;
     createPrDefault?: boolean;
     tmux: {

package/dist/lib/execution/types.js

@@ -131,7 +131,7 @@ export const DEFAULT_EXECUTION_CONFIG = {
     autoExecute: false,
     shell: 'zsh', // macOS default
     outputMode: 'interactive', // Show streaming UI by default
-    sandboxed: true, // Require approval for dangerous operations by default
+    permissionMode: 'safe', // Require approval for dangerous operations by default
     tmux: {
         session: 'proletariat',
         layout: 'window',

package/dist/lib/external-issues/linear.d.ts

@@ -28,6 +28,12 @@ export declare function buildLinearSpawnContextMessage(envelope: NormalizedIssue
  * Build a CLI command string for selecting a specific Linear issue.
  */
 export declare function buildLinearIssueChoiceCommand(issueIdentifier: string, projectId?: string): string;
+/**
+ * Fetch a single Linear issue by identifier (for example, ENG-123) and normalize it.
+ */
+export declare function getLinearIssueByIdentifier(configInput: LinearAdapterConfig, identifier: string, options?: {
+    fetchImpl?: typeof fetch;
+}): Promise<NormalizedIssueEnvelope | null>;
 /**
  * Fetch and normalize Linear issues into NormalizedIssueEnvelopes.
  */

package/dist/lib/external-issues/linear.js

@@ -30,6 +30,27 @@ const LINEAR_ISSUES_QUERY = `
     }
   }
 `;
+const LINEAR_ISSUE_BY_IDENTIFIER_QUERY = `
+  query IssueForSpawn($id: String!) {
+    issue(id: $id) {
+      id
+      identifier
+      title
+      description
+      url
+      priority
+      labels {
+        nodes {
+          name
+        }
+      }
+      state {
+        name
+        type
+      }
+    }
+  }
+`;
 function priorityFromLinear(value) {
     switch (value) {
         case 1:
@@ -155,6 +176,48 @@ export function buildLinearIssueChoiceCommand(issueIdentifier, projectId) {
     }
     return command;
 }
+/**
+ * Fetch a single Linear issue by identifier (for example, ENG-123) and normalize it.
+ */
+export async function getLinearIssueByIdentifier(configInput, identifier, options) {
+    const config = ensureLinearConfig(configInput);
+    const fetchImpl = options?.fetchImpl || fetch;
+    const response = await fetchImpl(config.apiUrl, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            Authorization: config.apiKey,
+        },
+        body: JSON.stringify({
+            query: LINEAR_ISSUE_BY_IDENTIFIER_QUERY,
+            variables: {
+                id: identifier,
+            },
+        }),
+    });
+    if (response.status === 401 || response.status === 403) {
+        throw new ExternalIssueAdapterError('AUTH_FAILED', 'Linear authentication failed. Verify your LINEAR_API_KEY token.');
+    }
+    if (!response.ok) {
+        throw new ExternalIssueAdapterError('REQUEST_FAILED', `Linear request failed with status ${response.status}.`);
+    }
+    const payload = await response.json();
+    if (payload.errors && payload.errors.length > 0) {
+        const message = payload.errors[0]?.message || 'Unknown Linear API error.';
+        if (/auth|token|forbidden|unauthorized/i.test(message)) {
+            throw new ExternalIssueAdapterError('AUTH_FAILED', `Linear authentication failed: ${message}`);
+        }
+        // "not found" should be treated as null, not hard failure.
+        if (/not found/i.test(message)) {
+            return null;
+        }
+        throw new ExternalIssueAdapterError('REQUEST_FAILED', `Linear API error: ${message}`);
+    }
+    const node = payload.data?.issue;
+    if (!node)
+        return null;
+    return normalizeLinearIssueToEnvelope(node);
+}
 /**
  * Fetch and normalize Linear issues into NormalizedIssueEnvelopes.
  */

package/dist/lib/pmo/schema.d.ts

@@ -67,7 +67,7 @@ export declare const PMO_TABLE_SCHEMAS: {
     readonly project_specs: "\n    CREATE TABLE IF NOT EXISTS pmo_project_specs (\n      project_id TEXT NOT NULL REFERENCES pmo_projects(id) ON DELETE CASCADE,\n      spec_id TEXT NOT NULL REFERENCES pmo_specs(id) ON DELETE CASCADE,\n      created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,\n      PRIMARY KEY (project_id, spec_id)\n    )";
     readonly cache_metadata: "\n    CREATE TABLE IF NOT EXISTS pmo_cache_metadata (\n      key TEXT PRIMARY KEY,\n      value TEXT NOT NULL\n    )";
     readonly settings: "\n    CREATE TABLE IF NOT EXISTS pmo_settings (\n      key TEXT PRIMARY KEY,\n      value TEXT NOT NULL\n    )";
-    readonly agent_work: "\n    CREATE TABLE IF NOT EXISTS agent_work (\n      id TEXT PRIMARY KEY,\n      ticket_id TEXT NOT NULL,\n      agent_name TEXT NOT NULL,\n      executor TEXT NOT NULL,\n      environment TEXT NOT NULL DEFAULT 'host',\n      display_mode TEXT NOT NULL DEFAULT 'terminal',\n      sandboxed INTEGER NOT NULL DEFAULT 0,\n      status TEXT NOT NULL DEFAULT 'starting',\n      branch TEXT,\n      pid TEXT,\n      container_id TEXT,\n      session_id TEXT,\n      host TEXT,\n      log_path TEXT,\n      started_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,\n      completed_at TIMESTAMP,\n      exit_code INTEGER,\n      error_message TEXT,\n      FOREIGN KEY (ticket_id) REFERENCES pmo_tickets(id) ON DELETE CASCADE\n    )";
+    readonly agent_work: "\n    CREATE TABLE IF NOT EXISTS agent_work (\n      id TEXT PRIMARY KEY,\n      ticket_id TEXT NOT NULL,\n      agent_name TEXT NOT NULL,\n      executor TEXT NOT NULL,\n      environment TEXT NOT NULL DEFAULT 'host',\n      display_mode TEXT NOT NULL DEFAULT 'terminal',\n      permission_mode TEXT NOT NULL DEFAULT 'safe',\n      status TEXT NOT NULL DEFAULT 'starting',\n      branch TEXT,\n      pid TEXT,\n      container_id TEXT,\n      session_id TEXT,\n      host TEXT,\n      log_path TEXT,\n      started_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,\n      completed_at TIMESTAMP,\n      exit_code INTEGER,\n      error_message TEXT,\n      FOREIGN KEY (ticket_id) REFERENCES pmo_tickets(id) ON DELETE CASCADE\n    )";
     readonly containers: "\n    CREATE TABLE IF NOT EXISTS containers (\n      id TEXT PRIMARY KEY,\n      agent_name TEXT NOT NULL,\n      docker_id TEXT NOT NULL,\n      docker_name TEXT,\n      image TEXT,\n      status TEXT NOT NULL DEFAULT 'unknown',\n      current_execution_id TEXT,\n      created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,\n      last_seen_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,\n      FOREIGN KEY (agent_name) REFERENCES agents(name) ON DELETE CASCADE,\n      FOREIGN KEY (current_execution_id) REFERENCES agent_work(id) ON DELETE SET NULL\n    )";
     readonly id_sequences: "\n    CREATE TABLE IF NOT EXISTS id_sequences (\n      table_name TEXT PRIMARY KEY,\n      next_id INTEGER NOT NULL DEFAULT 1\n    )";
     readonly statuses: "\n    CREATE TABLE IF NOT EXISTS pmo_statuses (\n      id TEXT PRIMARY KEY,\n      project_id TEXT NOT NULL,\n      name TEXT NOT NULL,\n      category TEXT NOT NULL,\n      position INTEGER NOT NULL DEFAULT 0,\n      color TEXT,\n      description TEXT,\n      is_default INTEGER NOT NULL DEFAULT 0,\n      created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,\n      FOREIGN KEY (project_id) REFERENCES pmo_projects(id) ON DELETE CASCADE,\n      UNIQUE(project_id, name)\n    )";

package/dist/lib/pmo/schema.js

@@ -328,7 +328,7 @@ export const PMO_TABLE_SCHEMAS = {
       executor TEXT NOT NULL,
       environment TEXT NOT NULL DEFAULT 'host',
       display_mode TEXT NOT NULL DEFAULT 'terminal',
-      sandboxed INTEGER NOT NULL DEFAULT 0,
+      permission_mode TEXT NOT NULL DEFAULT 'safe',
       status TEXT NOT NULL DEFAULT 'starting',
       branch TEXT,
       pid TEXT,

package/dist/lib/pmo/storage/base.js

@@ -345,6 +345,37 @@ export function runMigrations(db) {
             // Non-critical migration - don't fail initialization
         }
     }
+    // Migration: Rename sandboxed column to permission_mode in agent_work table
+    if (tableExists(T.agent_work)) {
+        const awColumns = db.pragma(`table_info(${T.agent_work})`);
+        const awColumnNames = new Set(awColumns.map(c => c.name));
+        if (awColumnNames.has('sandboxed') && !awColumnNames.has('permission_mode')) {
+            try {
+                db.exec(`ALTER TABLE ${T.agent_work} ADD COLUMN permission_mode TEXT NOT NULL DEFAULT 'safe'`);
+                // Migrate existing data: sandboxed=1 → 'safe', sandboxed=0 → 'danger'
+                db.exec(`UPDATE ${T.agent_work} SET permission_mode = CASE WHEN sandboxed = 1 THEN 'safe' ELSE 'danger' END`);
+            }
+            catch {
+                // Column may already exist
+            }
+        }
+    }
+    // Migration: Rename execution.sandboxed setting to execution.permission_mode
+    if (tableExists('workspace_settings')) {
+        try {
+            const oldSetting = db.prepare(`SELECT value FROM workspace_settings WHERE key = 'execution.sandboxed'`).get();
+            if (oldSetting) {
+                const permMode = oldSetting.value === 'true' ? 'safe' : 'danger';
+                db.prepare(`
+          INSERT INTO workspace_settings (key, value) VALUES ('execution.permission_mode', ?)
+          ON CONFLICT(key) DO UPDATE SET value = excluded.value
+        `).run(permMode);
+            }
+        }
+        catch {
+            // Non-critical migration
+        }
+    }
 }
 /**
  * Seed built-in workflows from BUILTIN_TEMPLATES (single source of truth).

package/dist/lib/repos/index.js

@@ -451,7 +451,7 @@ export async function addRepository(hqPath, repoPath, action) {
         addRepositoriesToDatabase(hqPath, dbRepoData);
         // Create worktrees for existing agents
         await createWorktreesForRepo(hqPath, repoName, targetPath);
-        // Create devcontainer config for sandboxed execution in the central repo
+        // Create devcontainer config for isolated execution in the central repo
         console.log(styles.muted(`Creating devcontainer config for ${repoName}...`));
         const gitIdentity = getGitIdentity();
         createDevcontainerConfig({