@ps-neko/nekowork 0.1.0-alpha.0

package/scripts/lib/router.js

@@ -0,0 +1,138 @@
+// 라우팅 결정 라이브러리.
+// 입력: stage, task, files, ecoMode, riskLevel
+// 출력: { agent, model, provider, rationale, alternatives }
+//
+// SKILL claude-led-codex-review 의 Stage Routing 표 + AGENTS.md 의
+// 권한 매트릭스를 코드로 구현.
+
+import fs from 'node:fs';
+import path from 'node:path';
+
+const STAGE_TABLE = {
+  ideate: {
+    required: [{ agent: 'planner' }],
+    optional: [{ agent: 'research' }, { agent: 'architect', when: 'ambiguous' }],
+  },
+  plan: {
+    required: [{ agent: 'planner' }],
+    optional: [{ agent: 'architect', when: 'ambiguous' }],
+  },
+  implement: {
+    required: [{ agent: 'executor' }],
+    optional: [{ agent: 'debugger', when: 'bug' }, { agent: 'test-engineer' }],
+  },
+  'self-review': {
+    required: [{ agent: 'code-reviewer' }],
+    optional: [{ agent: 'security-reviewer', when: 'sensitive' }],
+  },
+  'codex-review':    { required: [{ agent: 'codex-reviewer' }], optional: [] },
+  'codex-challenge': { required: [{ agent: 'codex-challenger' }], optional: [] },
+  ship:              { required: [{ agent: 'doc-writer' }], optional: [] },
+};
+
+const ECO_DOWNGRADE = { opus: 'sonnet', sonnet: 'haiku', haiku: 'haiku' };
+const FLOORED_STAGES = new Set(['self-review', 'codex-review', 'codex-challenge']);
+
+/**
+ * @param {object} ctx
+ * @param {string} ctx.stage
+ * @param {string} [ctx.task]
+ * @param {string[]} [ctx.files]
+ * @param {boolean} [ctx.ecoMode]
+ * @param {string} [ctx.riskLevel]
+ * @param {string} [ctx.harnessRoot]
+ * @returns {object} routing decision
+ */
+export function decide(ctx) {
+  const root = ctx.harnessRoot || process.cwd();
+  const table = STAGE_TABLE[ctx.stage];
+  if (!table) throw new Error(`unknown stage: ${ctx.stage}`);
+
+  const requiredAgent = table.required[0].agent;
+  const fm = loadAgentFm(requiredAgent, root);
+  if (!fm) throw new Error(`agent ${requiredAgent} 의 frontmatter 로드 실패`);
+
+  let model = fm.model;
+  let downgraded = false;
+  if (ctx.ecoMode && ECO_DOWNGRADE[model]) {
+    const target = ECO_DOWNGRADE[model];
+    if (FLOORED_STAGES.has(ctx.stage) && model === 'sonnet') {
+      // floor: 단계 4·5·6 은 sonnet 미만으로 안 내림
+    } else {
+      model = target;
+      downgraded = true;
+    }
+  }
+
+  const rationale = [];
+  rationale.push(`stage=${ctx.stage} 의 required agent=${requiredAgent}`);
+  if (downgraded) rationale.push(`eco mode → ${fm.model} 다운그레이드: ${model}`);
+  if (ctx.riskLevel === 'critical') rationale.push('risk=critical → human gate 권장');
+
+  // optional 에이전트 escalate 후보
+  const alternatives = [];
+  for (const opt of table.optional) {
+    const ofm = loadAgentFm(opt.agent, root);
+    if (!ofm) continue;
+    let why = '';
+    if (opt.when === 'sensitive' && (ctx.riskLevel === 'high' || ctx.riskLevel === 'critical')) {
+      why = `risk=${ctx.riskLevel} → escalate 권장`;
+    } else if (opt.when === 'ambiguous') {
+      why = '요구사항 모호 시';
+    } else if (opt.when === 'bug' && /(bug|fix|회귀|regression)/i.test(ctx.task || '')) {
+      why = 'task 키워드가 bug 시사';
+    } else if (!opt.when) {
+      why = '옵션';
+    }
+    alternatives.push({ agent: opt.agent, model: ofm.model, when: why });
+  }
+
+  return {
+    agent: requiredAgent,
+    model,
+    provider: fm.provider,
+    rationale: rationale.join(' / '),
+    alternatives,
+    eco_mode: !!ctx.ecoMode,
+    risk_level: ctx.riskLevel || 'low',
+    blast_radius: (ctx.files || []).length,
+  };
+}
+
+/**
+ * routing.jsonl 에 결정 한 줄 append.
+ */
+export function trace(sessionDir, decision, extras = {}) {
+  const f = path.join(sessionDir, 'routing.jsonl');
+  fs.mkdirSync(path.dirname(f), { recursive: true });
+  const line = JSON.stringify({
+    timestamp: new Date().toISOString(),
+    stage: extras.stage,
+    input_summary: (extras.task || '').slice(0, 280),
+    decision: { agent: decision.agent, model: decision.model, provider: decision.provider, rationale: decision.rationale },
+    alternatives: decision.alternatives,
+    eco_mode: decision.eco_mode,
+    risk_level: decision.risk_level,
+    blast_radius: decision.blast_radius,
+  });
+  fs.appendFileSync(f, line + '\n');
+}
+
+function loadAgentFm(name, root) {
+  const f = path.join(root, 'agents', `${name}.md`);
+  if (!fs.existsSync(f)) return null;
+  const raw = fs.readFileSync(f, 'utf8');
+  const m = raw.match(/^---\s*\n([\s\S]*?)\n---/);
+  if (!m) return null;
+  const fm = {};
+  for (const line of m[1].split('\n')) {
+    const kv = line.match(/^([a-z_]+):\s*(.*)$/);
+    if (!kv) continue;
+    let v = kv[2].trim().replace(/^["']|["']$/g, '');
+    if (v === 'true') v = true;
+    else if (v === 'false') v = false;
+    else if (/^\d+$/.test(v)) v = Number(v);
+    fm[kv[1]] = v;
+  }
+  return fm;
+}

package/scripts/lib/severity.js

@@ -0,0 +1,99 @@
+// Severity / category 분류 + blast radius 계산.
+// REVIEW.md 의 분류 규칙을 코드로 옮긴 것. 단위 테스트 가능.
+
+const CATEGORY_PATTERNS = [
+  { c: 'security',    re: /(auth|crypto|password|secret|jwt|oauth|cookie|csrf|xss|sql\s*injection|injection|sanitiz|escape)/i },
+  { c: 'correctness', re: /(off.by.one|null|undefined|race|deadlock|leak|infinite|wrong|incorrect|edge case|boundary)/i },
+  { c: 'performance', re: /(n\+1|slow|memory|cpu|leak|allocation|throughput|latency)/i },
+  { c: 'test',        re: /(test|coverage|assert|mock)/i },
+  { c: 'docs',        re: /(docs?|readme|comment|changelog)/i },
+];
+
+const SECURITY_PATHS = /(\/|\\)(auth|crypto|payment|session|permission|oauth)(\/|\\)/i;
+const SECURITY_KEYWORDS = /\b(jwt|password|secret|cookie|token)\b/i;
+
+/** issue 의 summary + why 텍스트로 category 추정. 명시값이 있으면 그대로. */
+export function classifyCategory(issue) {
+  if (issue.category) return issue.category;
+  const text = `${issue.summary || ''} ${issue.why || ''}`;
+  for (const { c, re } of CATEGORY_PATTERNS) if (re.test(text)) return c;
+  return 'style';
+}
+
+/**
+ * Severity 자동 분류 (명시값 없을 때 휴리스틱).
+ *   - security 카테고리 + injection / bypass / leak 키워드 → critical
+ *   - security + 일반 → high
+ *   - correctness + race / deadlock → high
+ *   - 그 외 default medium.
+ */
+export function classifySeverity(issue) {
+  if (issue.severity) return issue.severity;
+  const cat = classifyCategory(issue);
+  const text = `${issue.summary || ''} ${issue.why || ''}`.toLowerCase();
+  if (cat === 'security' && /(injection|bypass|leak|exposure|rce|deserializ|escalation)/.test(text)) return 'critical';
+  if (cat === 'security') return 'high';
+  if (cat === 'correctness' && /(race|deadlock|panic|crash)/.test(text)) return 'high';
+  if (cat === 'docs') return 'low';
+  return 'medium';
+}
+
+/**
+ * 변경 파일 목록 + task 키워드로 risk level 결정.
+ *   - critical: security path + 변경 파일 ≥ 5
+ *   - high:     security path 또는 변경 파일 ≥ 20
+ *   - medium:   변경 파일 ≥ 5
+ *   - low:      나머지
+ */
+export function riskLevel(files = [], task = '') {
+  const isSec = files.some(f => SECURITY_PATHS.test(f) || SECURITY_KEYWORDS.test(f)) ||
+                SECURITY_PATHS.test(task) || SECURITY_KEYWORDS.test(task);
+  const blast = files.length;
+  if (isSec && blast >= 5)  return 'critical';
+  if (isSec)                return 'high';
+  if (blast >= 20)          return 'high';
+  if (blast >= 5)           return 'medium';
+  return 'low';
+}
+
+/** 이슈 배열 → severity 분포 카운트. */
+export function severityCounts(issues = []) {
+  const c = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const i of issues) {
+    const s = classifySeverity(i);
+    if (c[s] !== undefined) c[s]++;
+  }
+  return c;
+}
+
+/**
+ * 이슈 배열 + 선택 가중치(confidence, blastRadius) → verdict 자동 판정.
+ *
+ * BLOCK 강성 룰 (하나라도 충족):
+ *   - critical >= 1
+ *   - high > 5                (high 다수면 추가 검토 필수)
+ *   - confidence < 0.6        (codex 가 자신없게 답할 때 보수 안전망)
+ *
+ * APPROVE_WITH_FIXES:
+ *   - high in [1, 5]
+ *   - medium >= 1
+ *   - blast_radius >= 10 + issues.length >= 1   (큰 변경은 작은 issue 라도 강등)
+ *
+ * 그 외 → approve. opts 미전달 시 기존 동작 유지(후방 호환).
+ *
+ * SKILL.md 의 Verdict 처리 섹션과 sync 유지.
+ */
+export function deriveVerdict(issues = [], opts = {}) {
+  const c = severityCounts(issues);
+  const { confidence, blastRadius } = opts;
+
+  if (c.critical > 0)                                                            return 'block';
+  if (c.high > 5)                                                                return 'block';
+  if (typeof confidence === 'number' && confidence < 0.6)                        return 'block';
+
+  if (c.high > 0)                                                                return 'approve_with_fixes';
+  if (c.medium > 0)                                                              return 'approve_with_fixes';
+  if (typeof blastRadius === 'number' && blastRadius >= 10 && issues.length > 0) return 'approve_with_fixes';
+
+  return 'approve';
+}

package/scripts/lib/token-vault.js

@@ -0,0 +1,136 @@
+// scripts/lib/token-vault.js
+// auth.token_store: os-keychain (default) 또는 encrypted-file.
+// 백엔드 결정:
+//   HARNESS_TOKEN_STORE_KIND=os-keychain  → keychain only (실패 시 throw)
+//   HARNESS_TOKEN_STORE_KIND=encrypted-file → file only
+//   HARNESS_TOKEN_STORE_KIND=auto (기본) → keychain 시도, 실패하면 file fallback
+// audit: ~/.harness/audit/<date>.jsonl.
+// 자세한 정책은 docs/AUTH-MIGRATION.md.
+
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+import * as keychain from './keychain.js';
+
+function home() { return process.env.HARNESS_HOME || path.join(os.homedir(), '.harness'); }
+function vaultDir() { return path.join(home(), 'oauth'); }
+function vaultPath(provider) { return path.join(vaultDir(), `${provider}.json`); }
+
+function resolvedKind() {
+  const env = (process.env.HARNESS_TOKEN_STORE_KIND || 'auto').toLowerCase();
+  if (env === 'os-keychain' || env === 'encrypted-file') return env;
+  return 'auto';
+}
+
+export async function backend() {
+  const k = resolvedKind();
+  if (k === 'encrypted-file') return 'file';
+  if (k === 'os-keychain') {
+    if (!(await keychain.isAvailable())) {
+      throw new Error('HARNESS_TOKEN_STORE_KIND=os-keychain 강제했으나 keychain 가용 불가.');
+    }
+    return 'keychain';
+  }
+  return (await keychain.isAvailable()) ? 'keychain' : 'file';
+}
+
+// ── file backend ──
+
+function fileSave(provider, payload) {
+  const dir = vaultDir();
+  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  const file = vaultPath(provider);
+  const data = { provider, ...payload, saved_at: new Date().toISOString() };
+  fs.writeFileSync(file, JSON.stringify(data, null, 2));
+  try { fs.chmodSync(file, 0o600); } catch { /* Windows 무시 */ }
+  return file;
+}
+
+function fileLoad(provider) {
+  const file = vaultPath(provider);
+  if (!fs.existsSync(file)) return null;
+  try { return JSON.parse(fs.readFileSync(file, 'utf8')); } catch { return null; }
+}
+
+function fileRemove(provider) {
+  const file = vaultPath(provider);
+  if (!fs.existsSync(file)) return false;
+  fs.unlinkSync(file);
+  return true;
+}
+
+function fileList() {
+  const dir = vaultDir();
+  if (!fs.existsSync(dir)) return [];
+  return fs.readdirSync(dir).filter((f) => f.endsWith('.json')).map((f) => f.replace(/\.json$/, ''));
+}
+
+// ── keychain backend ──
+// keychain 은 단일 string 만 저장 → JSON 직렬화/역직렬화.
+
+async function keychainSave(provider, payload) {
+  const data = { provider, ...payload, saved_at: new Date().toISOString() };
+  await keychain.set(provider, JSON.stringify(data));
+  return `keychain:harness/${provider}`;
+}
+
+async function keychainLoad(provider) {
+  const v = await keychain.get(provider);
+  if (!v) return null;
+  try { return JSON.parse(v); } catch { return null; }
+}
+
+async function keychainRemove(provider) {
+  return keychain.remove(provider);
+}
+
+async function keychainList() {
+  return keychain.list();
+}
+
+// ── public API (async) ──
+
+export async function save(provider, payload) {
+  const b = await backend();
+  return b === 'keychain' ? keychainSave(provider, payload) : fileSave(provider, payload);
+}
+
+export async function load(provider) {
+  const b = await backend();
+  return b === 'keychain' ? keychainLoad(provider) : fileLoad(provider);
+}
+
+export async function remove(provider) {
+  const b = await backend();
+  return b === 'keychain' ? keychainRemove(provider) : fileRemove(provider);
+}
+
+export async function list() {
+  const b = await backend();
+  return b === 'keychain' ? keychainList() : fileList();
+}
+
+// ── redact / audit (sync 유지) ──
+// secret_redaction: agent.yaml security.secret_redaction 와 동기.
+export function redact(s) {
+  if (typeof s !== 'string' || !s) return s;
+  let out = s.replace(/\bgh[opsur]_[A-Za-z0-9]{20,}\b/g, '***REDACTED-GH***');
+  out = out.replace(/\b[A-Za-z0-9_-]{40,}\b/g, '***REDACTED***');
+  return out;
+}
+
+export function audit(event, details = {}) {
+  const auditDir = path.join(home(), 'audit');
+  fs.mkdirSync(auditDir, { recursive: true });
+  const today = new Date().toISOString().slice(0, 10);
+  const f = path.join(auditDir, `${today}.jsonl`);
+  const safe = {};
+  for (const [k, v] of Object.entries(details)) {
+    safe[k] = (k === 'access_token' || k === 'token') ? '***REDACTED***' : v;
+  }
+  fs.appendFileSync(f, JSON.stringify({
+    ts: new Date().toISOString(),
+    event,
+    ...safe,
+  }) + '\n');
+}

package/scripts/orchestrators/apply.js

@@ -0,0 +1,225 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { applyExecutionDiff } from '../core/execution-workspace.js';
+import { readGitStatus } from '../core/git-mutation-guard.js';
+import { gateStatus } from './gate.js';
+
+export function applyCycle(opts) {
+  const projectRoot = opts.projectRoot || process.cwd();
+  if (!opts.sessionId) throw new Error('apply requires --session <id> from a shipped work cycle');
+
+  const sessionId = opts.sessionId;
+  const sessionDir = path.join(projectRoot, '.harness', 'state', 'sessions', sessionId);
+  const handoffDir = path.join(sessionDir, 'handoffs');
+  if (!fs.existsSync(sessionDir)) throw new Error('apply requires an existing session');
+
+  const priorHandoffs = readPriorHandoffs(handoffDir);
+  const latestImplement = latestStageHandoff(priorHandoffs, 'implement');
+  if (!latestImplement) {
+    throw new Error('apply requires an implement handoff. Run harness work first, using the same --session.');
+  }
+  const latestCodexReview = latestStageHandoff(priorHandoffs, 'codex-review');
+  if (!latestCodexReview) {
+    throw new Error('apply requires Codex verification. Run harness verify first, using the same --session.');
+  }
+
+  const gate = gateStatus({ sessionId, projectRoot });
+  if (gate.status === 'open' || gate.status === 'blocked') {
+    return writeBlockedSummary({
+      sessionId,
+      sessionDir,
+      reason: gate.reason || gate.humanGateReason || 'human gate is not cleared',
+      gate,
+      latestImplement,
+      diffPath: latestImplement.diffPath || null,
+    });
+  }
+
+  const shipReady = readMarker(sessionDir, 'SHIP_READY');
+  const noShip = readMarker(sessionDir, 'NO_SHIP');
+  if (noShip && (!shipReady || markerTime(noShip) > markerTime(shipReady))) {
+    return writeBlockedSummary({
+      sessionId,
+      sessionDir,
+      reason: noShip.reason || 'NO_SHIP is present',
+      gate,
+      latestImplement,
+      diffPath: latestImplement.diffPath || null,
+      noShip: true,
+    });
+  }
+  if (!shipReady) {
+    throw new Error('apply requires SHIP_READY. Run harness ship first after verification and gate resolution.');
+  }
+
+  const appliedMarker = readMarker(sessionDir, 'APPLIED_DIFF');
+  if (appliedMarker && !opts.force) {
+    const result = {
+      sessionId,
+      sessionDir,
+      applied: false,
+      alreadyApplied: true,
+      humanGate: false,
+      noShip: false,
+      reason: appliedMarker.reason || 'diff already applied',
+      diffPath: appliedMarker.diffPath || latestImplement.diffPath || null,
+      files: latestImplement.files || [],
+    };
+    writeSummary(sessionDir, result, latestImplement, gate);
+    return result;
+  }
+
+  const diffInfo = readDiffForHandoff(sessionDir, latestImplement);
+  if (!String(diffInfo.diff || '').trim()) {
+    throw new Error('apply requires a captured diff from live work. Rerun harness work --live, then verify, ship, and apply.');
+  }
+
+  const status = readApplyGitStatus(projectRoot);
+  if (!status) throw new Error('apply requires project root to be a git worktree');
+  if (status.dirty && !opts.allowDirty) {
+    throw new Error('apply requires a clean git worktree. Commit, stash, or rerun with --allow-dirty.');
+  }
+
+  const applied = applyExecutionDiff(projectRoot, diffInfo.diff);
+  writeApplyMarker(sessionDir, diffInfo.path, latestImplement.files || []);
+
+  const result = {
+    sessionId,
+    sessionDir,
+    applied,
+    alreadyApplied: false,
+    humanGate: false,
+    noShip: false,
+    reason: applied ? null : 'diff was empty',
+    diffPath: diffInfo.path,
+    files: latestImplement.files || [],
+  };
+  writeSummary(sessionDir, result, latestImplement, gate);
+  return result;
+}
+
+function readPriorHandoffs(handoffDir) {
+  if (!fs.existsSync(handoffDir)) return [];
+  return fs.readdirSync(handoffDir)
+    .filter(f => f.endsWith('.json'))
+    .sort()
+    .map(f => {
+      try {
+        return JSON.parse(fs.readFileSync(path.join(handoffDir, f), 'utf8'));
+      } catch {
+        return null;
+      }
+    })
+    .filter(Boolean);
+}
+
+function latestStageHandoff(handoffs, stage) {
+  return handoffs
+    .filter(h => h.stage === stage)
+    .sort((a, b) => Number(b.round || 1) - Number(a.round || 1))
+    .at(0) || null;
+}
+
+function readDiffForHandoff(sessionDir, handoff) {
+  const candidates = [];
+  if (handoff.diffPath) candidates.push(handoff.diffPath);
+  const diffDir = path.join(sessionDir, 'diffs');
+  if (fs.existsSync(diffDir)) {
+    candidates.push(...fs.readdirSync(diffDir).filter(f => f.endsWith('.diff')).sort().reverse().map(f => path.join(diffDir, f)));
+  }
+  for (const f of candidates) {
+    try {
+      if (fs.existsSync(f)) {
+        return { path: f, diff: fs.readFileSync(f, 'utf8') };
+      }
+    } catch {}
+  }
+  return { path: null, diff: '' };
+}
+
+function readMarker(sessionDir, name) {
+  const file = path.join(sessionDir, name);
+  if (!fs.existsSync(file)) return null;
+  const raw = fs.readFileSync(file, 'utf8');
+  return {
+    file,
+    raw,
+    reason: raw.match(/^reason:\s*(.+)$/m)?.[1] || null,
+    at: raw.match(/^at:\s*(.+)$/m)?.[1] || null,
+    diffPath: raw.match(/^diff_path:\s*(.+)$/m)?.[1] || null,
+  };
+}
+
+function readApplyGitStatus(projectRoot) {
+  const status = readGitStatus(projectRoot);
+  if (!status) return null;
+  const relevantLines = (status.text || '')
+    .split(/\r?\n/)
+    .map(line => line.trimEnd())
+    .filter(Boolean)
+    .filter(line => !/^\?\?\s+\.harness(?:\/|\\)/.test(line))
+    .filter(line => !/^[ MADRCU?!]{1,2}\s+\.harness(?:\/|\\)/.test(line));
+  return {
+    ...status,
+    relevantText: relevantLines.join('\n'),
+    dirty: relevantLines.length > 0,
+  };
+}
+
+function markerTime(marker) {
+  const time = Date.parse(marker?.at || '');
+  return Number.isFinite(time) ? time : 0;
+}
+
+function writeApplyMarker(sessionDir, diffPath, files) {
+  const lines = [];
+  lines.push('reason: verified diff applied');
+  if (diffPath) lines.push(`diff_path: ${diffPath}`);
+  if (files?.length) lines.push(`files: ${files.join(', ')}`);
+  lines.push(`at: ${new Date().toISOString()}`);
+  fs.writeFileSync(path.join(sessionDir, 'APPLIED_DIFF'), lines.join('\n') + '\n');
+}
+
+function writeBlockedSummary({ sessionId, sessionDir, reason, gate, latestImplement, diffPath, noShip = false }) {
+  const result = {
+    sessionId,
+    sessionDir,
+    applied: false,
+    alreadyApplied: false,
+    humanGate: gate.status === 'open' || gate.status === 'blocked',
+    noShip,
+    reason,
+    diffPath,
+    files: latestImplement.files || [],
+  };
+  writeSummary(sessionDir, result, latestImplement, gate);
+  return result;
+}
+
+function writeSummary(sessionDir, result, implementHandoff, gate) {
+  fs.writeFileSync(path.join(sessionDir, 'apply-summary.json'), JSON.stringify({
+    sessionId: result.sessionId,
+    implement_round: implementHandoff?.round || null,
+    implement_files: implementHandoff?.files || [],
+    diff_path: result.diffPath || null,
+    applied: result.applied,
+    already_applied: result.alreadyApplied,
+    human_gate: result.humanGate,
+    no_ship: result.noShip,
+    reason: result.reason || null,
+    gate_status: gate?.status || null,
+    target_project_mutated: Boolean(result.applied),
+    next_step: result.applied
+      ? 'review git diff, run project tests, then commit manually'
+      : result.alreadyApplied
+        ? 'diff was already applied; inspect project git status'
+        : 'resolve gate/ship/apply blocker',
+  }, null, 2));
+}
+
+export {
+  readPriorHandoffs as _readPriorHandoffs,
+  latestStageHandoff as _latestStageHandoff,
+  readDiffForHandoff as _readDiffForHandoff,
+  readApplyGitStatus as _readApplyGitStatus,
+};