@pugi/cli 0.1.0-beta.99 → 1.0.0-alpha.2

package/dist/core/consensus/diff-capture.js

@@ -1,491 +0,0 @@
-/**
- * Diff capture — `pugi review --consensus` .
- *
- * Captures the diff that the consensus fan-out will send to Anvil. Four
- * supported source kinds (in order of precedence):
- *
- *  1. `--pr <number>`   — uses `gh pr diff <num>` (gh CLI required).
- *  2. `--commit <sha>`  — diff of that commit vs its first parent.
- *                          When `--base <ref>` is ALSO provided, the
- *                          diff is the range `<base>..<commit>` instead
- *                          (mirrors `git diff base..commit` — covers the
- *                          full PR-style payload, not just the tip).
- *  3. `--branch <name>` — diff of HEAD vs `origin/<name>` merge-base.
- *  4. (default)         — diff of HEAD vs `origin/main` merge-base
- *                          covering BOTH committed-since-base AND
- *                          uncommitted (staged + working tree) edits.
- *
- * The shape mirrors the existing `performRemoteTripleReview` flow:
- * uncommitted edits are deliberately included by computing the diff
- * against the merge-base SHA rather than `base...HEAD`, otherwise the
- * common case ("review what I'm about to commit") would lose signal.
- *
- * Protected paths (`.env*`, `*.key`, `*.pem`, `*.sql` etc) are excluded
- * at the git layer so a secret cannot leak into the egress payload even
- * if the operator has it staged.
- */
-import { execFileSync } from 'node:child_process';
-/**
- * Hard cap on the diff payload sent egress. Anvil enforces its own cap
- * server-side; this is a defense-in-depth so a runaway monorepo merge
- * doesn't OOM the SSE encoder. 1 MiB ≈ 30k LOC, which is well above the
- * largest review the rubric can reason about.
- */
-export const DIFF_MAX_BYTES = 1 * 1024 * 1024;
-/**
- * Git pathspec exclusions for sensitive blobs. This is the source of truth
- * for both the consensus surface AND the legacy `PROTECTED_DIFF_EXCLUDES`
- * in cli.ts; keep both lists in sync when adding new patterns.
- *
- * Coverage policy: a credential committed under ANY plausible filename
- * pattern must be excluded. Adversarial PRs can stage secrets under
- * unconventional names (deploy.crt, credentials, .netrc) to bypass a
- * narrow exclude list and exfiltrate to the reviewer payload.
- *
- * Pathspec form `:(exclude,glob)<starstar>/<pattern>` (where `<starstar>`
- * is the `*` `*` doubled glob) matches at the repo root AND in any
- * subdirectory; without the doubled-star prefix git's literal pathspec
- * syntax silently misses subdir matches in pnpm/turbo monorepos.
- */
-export const PROTECTED_PATHSPEC_EXCLUDES = Object.freeze([
-    // Dotfiles + RC files that frequently hold tokens.
-    ':(exclude,glob)**/.env',
-    ':(exclude,glob)**/.env.*',
-    ':(exclude,glob)**/.npmrc',
-    ':(exclude,glob)**/.yarnrc',
-    ':(exclude,glob)**/.pypirc',
-    ':(exclude,glob)**/.gitconfig',
-    ':(exclude,glob)**/.netrc',
-    // SSH private keys (every algorithm we have seen committed in the wild).
-    ':(exclude,glob)**/id_rsa',
-    ':(exclude,glob)**/id_ed25519',
-    ':(exclude,glob)**/id_ecdsa',
-    ':(exclude,glob)**/id_dsa',
-    // PEM-encoded + DER-encoded private keys / certs / containers.
-    ':(exclude,glob)**/*.pem',
-    ':(exclude,glob)**/*.key',
-    ':(exclude,glob)**/*.crt',
-    ':(exclude,glob)**/*.cer',
-    ':(exclude,glob)**/*.der',
-    ':(exclude,glob)**/*.pfx',
-    ':(exclude,glob)**/*.p12',
-    // SQL dumps / DB exports often contain real PII + credentials.
-    ':(exclude,glob)**/*.dump',
-    ':(exclude,glob)**/*.sql',
-    // Generic credential blobs under any directory.
-    ':(exclude,glob)**/*.secret',
-    ':(exclude,glob)**/credentials',
-    ':(exclude,glob)**/credentials.json',
-    // `secrets/**` (not `secrets/*`) so nested credential paths recurse:
-    // `secrets/prod/token.txt`, `apps/foo/secrets/nested/key`, and any
-    // arbitrarily deep `**/secrets/<...>/<file>` get excluded. With glob
-    // pathspec magic enabled, a single `*` does NOT cross path separators,
-    // so the non-recursive form would leak nested-directory secrets.
-    ':(exclude,glob)**/secrets/**',
-]);
-/**
- * Captures the diff per the source spec and returns the augmented payload
- * plus narrative context (branch, commit, title) that gets attached to
- * the egress request.
- *
- * Errors are returned as thrown `Error` instances; the caller (the
- * command handler) translates them to JSON error payloads + exit codes
- * so the CLI never crashes on a malformed ref.
- */
-export function captureDiff(spec) {
-    const cwd = spec.cwd ?? process.cwd();
-    // Source precedence: pr > commit > branch > default.
-    if (typeof spec.pr === 'number' && Number.isFinite(spec.pr) && spec.pr > 0) {
-        return captureFromPr(cwd, spec.pr);
-    }
-    if (typeof spec.commit === 'string' && spec.commit.length > 0) {
-        // When `--base` is supplied alongside `--commit`, callers want the
-        // full PR-style range diff (`base..commit`), not just the tip
-        // commit's parent diff. This matches the convention used by
-        // `git diff <base>..<commit>` everywhere else in the toolchain and
-        // is the verified-correct mode for reviewing a PR head ref. Without
-        // this branch, `--base` was silently ignored when `--commit` was
-        // present — see feedback_pugi_review_use_range_diff_not_worktree.
-        if (typeof spec.baseRef === 'string' && spec.baseRef.length > 0) {
-            return captureFromRange(cwd, spec.baseRef, spec.commit);
-        }
-        return captureFromCommit(cwd, spec.commit);
-    }
-    if (typeof spec.branch === 'string' && spec.branch.length > 0) {
-        return captureFromBranch(cwd, spec.branch, spec.baseRef ?? 'origin/main');
-    }
-    return captureFromBase(cwd, spec.baseRef ?? 'origin/main');
-}
-function captureFromPr(cwd, pr) {
-    // CRITICAL: `gh pr diff <num>` bypasses PROTECTED_PATHSPEC_EXCLUDES,
-    // exfiltrating `.env`, `*.key`, `*.pem`, `*.sql`, secrets/* to the
-    // reviewer payload. We instead fetch the PR head ref locally and run
-    // `git diff` with the same pathspec excludes as every other capture
-    // path. PR metadata still comes from `gh pr view` (read-only).
-    const metaRaw = safeExec(cwd, 'gh', ['pr', 'view', String(pr), '--json', 'title,headRefName,headRefOid,baseRefName']);
-    const meta = safeParseJson(metaRaw);
-    const tempRef = `refs/pugi/consensus-pr-${pr}`;
-    // Fetch the PR head into a private ref so we have local objects to
-    // diff against. `pull/<num>/head` is GitHub's special refspec exposed
-    // to anyone with read access on the repo.
-    //
-    // The leading `+` (force-update) is REQUIRED: if a prior invocation
-    // died before reaching the `finally` cleanup (SIGKILL, host crash,
-    // operator Ctrl-C inside a `try` block in a wrapping caller, hung
-    // gh CLI), the tempRef survives on disk. Without `+`, the next
-    // `fetch <pr>/head:<tempRef>` aborts with
-    //  `! [rejected] pull/N/head -> refs/pugi/consensus-pr-N (non-fast-forward)`
-    // and the entire consensus run fails for an operator who did nothing
-    // wrong. `+` semantics: replace the ref unconditionally — exactly
-    // the recovery behavior we want for a sandboxed `refs/pugi/...` slot
-    // that no human ever reads.
-    safeExec(cwd, 'git', ['fetch', 'origin', `+pull/${pr}/head:${tempRef}`]);
-    try {
-        // Resolve the base ref to diff against. Prefer the PR's declared
-        // base; fall back to `origin/main`. We compute the merge-base so a
-        // PR that's behind main still shows only the author's hunks.
-        const baseRef = meta?.baseRefName ? `origin/${meta.baseRefName}` : 'origin/main';
-        const mergeBase = safeExecOptional(cwd, 'git', ['merge-base', baseRef, tempRef]).trim();
-        const range = mergeBase ? `${mergeBase}..${tempRef}` : `${baseRef}..${tempRef}`;
-        const diff = safeExec(cwd, 'git', [
-            'diff',
-            range,
-            '--',
-            '.',
-            ...PROTECTED_PATHSPEC_EXCLUDES,
-        ]);
-        const cappedDiff = capDiff(diff);
-        const stats = computeStats(cappedDiff);
-        return {
-            diff: cappedDiff,
-            context: {
-                branch: meta?.headRefName ?? `pr-${pr}`,
-                commit: shortSha(meta?.headRefOid ?? ''),
-                title: meta?.title ?? `PR #${pr}`,
-                ref: `pr:${pr}`,
-                stats,
-            },
-        };
-    }
-    finally {
-        // Best-effort cleanup of the private ref. Never throw from the
-        // cleanup path so the operator's primary error (if any) reaches them.
-        try {
-            safeExec(cwd, 'git', ['update-ref', '-d', tempRef]);
-        }
-        catch {
-            // Swallow: a leftover ref under refs/pugi/ is harmless. The
-            // next run force-overwrites it via `fetch +pull/<n>/head:<ref>`
-            // (note the leading `+` in the refspec above), so a stale tempRef
-            // never blocks a future invocation even if cleanup never runs.
-        }
-    }
-}
-function captureFromCommit(cwd, commit) {
-    // `<sha>~1..<sha>` covers exactly that commit's changes. For a ROOT
-    // commit (no parent) the `~1` lookup explodes and produces an empty
-    // diff masquerading as success. Detect this up front and fall back
-    // to the git empty-tree sha so the first commit's introduction shows
-    // up in the diff.
-    const fullSha = safeExec(cwd, 'git', ['rev-parse', commit]).trim();
-    if (!fullSha)
-        throw new Error(`Unknown commit ref: ${commit}`);
-    // Probe for a parent. `rev-parse --verify <sha>~1` exits non-zero on
-    // a root commit; we treat that as "diff against the empty tree".
-    const hasParent = safeExecOptional(cwd, 'git', ['rev-parse', '--verify', `${fullSha}~1`]).trim().length > 0;
-    // The well-known git "empty tree" SHA. Stable across all git versions
-    // since 2005; documented in `git hash-object -t tree /dev/null`.
-    const EMPTY_TREE_SHA = '4b825dc642cb6eb9a060e54bf8d69288fbee4904';
-    const range = hasParent ? `${fullSha}~1..${fullSha}` : `${EMPTY_TREE_SHA}..${fullSha}`;
-    const diff = safeExec(cwd, 'git', [
-        'diff',
-        range,
-        '--',
-        '.',
-        ...PROTECTED_PATHSPEC_EXCLUDES,
-    ]);
-    const cappedDiff = capDiff(diff);
-    const subject = safeExec(cwd, 'git', ['log', '-1', '--pretty=%s', fullSha]).trim();
-    const branch = safeExec(cwd, 'git', ['name-rev', '--name-only', fullSha]).trim() || 'detached';
-    const stats = computeStats(cappedDiff);
-    return {
-        diff: cappedDiff,
-        context: {
-            branch,
-            commit: shortSha(fullSha),
-            title: subject || `commit ${shortSha(fullSha)}`,
-            ref: `commit:${shortSha(fullSha)}`,
-            stats,
-        },
-    };
-}
-/**
- * Range capture for `--commit <X> --base <Y>` — diff equivalent to
- * `git diff <base>..<commit>`. Used when the operator names BOTH endpoints
- * (typical PR review against a remote head SHA).
- *
- * Critical: this MUST be a pure read-only range diff against named refs.
- * The previous behavior fell through to `captureFromCommit` which only
- * showed the tip commit (`commit~1..commit`) — fine for single-commit
- * review, wrong for multi-commit PRs. Worse, a stale fallback path was
- * sending the working tree diff (`git diff` with no args), which caused
- * every review on to surface identical noise from uncommitted
- * `.gitignore` edits instead of the actual PR contents.
- *
- * Working tree integrity: only `git diff <ref>..<ref>` and metadata
- * `log` / `rev-parse` / `name-rev` are used — none of these touch the
- * index, working tree, or HEAD.
- */
-function captureFromRange(cwd, baseRef, commit) {
-    // Resolve both endpoints up front so an unknown ref errors with a
-    // clear message before the diff invocation. `rev-parse` is read-only.
-    const fullCommit = safeExec(cwd, 'git', ['rev-parse', commit]).trim();
-    if (!fullCommit)
-        throw new Error(`Unknown commit ref: ${commit}`);
-    // Task #63 — refresh the base ref via `git fetch` BEFORE
-    // resolving. Previously a stale local `main` (last fetched days ago)
-    // would silently produce a diff containing every commit that landed
-    // upstream after the fetch, swamping the model's review с unrelated
-    // changes. The fetch is opportunistic: failures (offline, auth) are
-    // swallowed so the existing rev-parse path stays the safety net и
-    // returns the clear "Unknown base ref" error if the stale local copy
-    // is also missing.
-    //
-    // We fetch ONLY the base ref (not all refs) so the overhead is
-    // bounded — typical PR-style review payload, base = main, one ref.
-    // `--no-tags --quiet` keeps the network footprint minimal.
-    const remoteCandidate = baseRef.includes('/') ? baseRef : `origin/${baseRef}`;
-    if (remoteCandidate.startsWith('origin/')) {
-        const bareRef = remoteCandidate.slice('origin/'.length);
-        safeExecOptional(cwd, 'git', [
-            'fetch',
-            '--no-tags',
-            '--quiet',
-            'origin',
-            bareRef,
-        ]);
-    }
-    // Resolve the base: accept already-qualified refs (`origin/main`,
-    // `refs/heads/foo`) and bare branch names. If the bare name isn't
-    // locally resolvable, retry against `origin/<name>` — the common
-    // CI shape where local main is absent but the remote tracking ref is.
-    let resolvedBase = safeExecOptional(cwd, 'git', ['rev-parse', baseRef]).trim();
-    let effectiveBase = baseRef;
-    if (!resolvedBase && !baseRef.includes('/')) {
-        const remoteBase = `origin/${baseRef}`;
-        resolvedBase = safeExecOptional(cwd, 'git', ['rev-parse', remoteBase]).trim();
-        if (resolvedBase)
-            effectiveBase = remoteBase;
-    }
-    if (!resolvedBase)
-        throw new Error(`Unknown base ref: ${baseRef}`);
-    const diff = safeExec(cwd, 'git', [
-        'diff',
-        `${resolvedBase}..${fullCommit}`,
-        '--',
-        '.',
-        ...PROTECTED_PATHSPEC_EXCLUDES,
-    ]);
-    const cappedDiff = capDiff(diff);
-    const subject = safeExec(cwd, 'git', ['log', '-1', '--pretty=%s', fullCommit]).trim();
-    const branch = safeExec(cwd, 'git', ['name-rev', '--name-only', fullCommit]).trim() || 'detached';
-    const stats = computeStats(cappedDiff);
-    return {
-        diff: cappedDiff,
-        context: {
-            branch,
-            commit: shortSha(fullCommit),
-            title: subject || `commit ${shortSha(fullCommit)}`,
-            ref: `range:${effectiveBase}..${shortSha(fullCommit)}`,
-            stats,
-        },
-    };
-}
-function captureFromBranch(cwd, branch, baseRef) {
-    const remoteRef = branch.includes('/') ? branch : `origin/${branch}`;
-    const mergeBase = safeExec(cwd, 'git', ['merge-base', baseRef, remoteRef]).trim();
-    if (!mergeBase)
-        throw new Error(`Cannot compute merge-base of ${baseRef} and ${remoteRef}`);
-    const diff = safeExec(cwd, 'git', [
-        'diff',
-        `${mergeBase}..${remoteRef}`,
-        '--',
-        '.',
-        ...PROTECTED_PATHSPEC_EXCLUDES,
-    ]);
-    const cappedDiff = capDiff(diff);
-    const head = safeExec(cwd, 'git', ['rev-parse', remoteRef]).trim();
-    const subject = safeExec(cwd, 'git', ['log', '-1', '--pretty=%s', remoteRef]).trim();
-    const stats = computeStats(cappedDiff);
-    return {
-        diff: cappedDiff,
-        context: {
-            branch,
-            commit: shortSha(head),
-            title: subject || `branch ${branch}`,
-            ref: `branch:${branch}`,
-            stats,
-        },
-    };
-}
-function captureFromBase(cwd, baseRef) {
-    // The default surface — diff HEAD against the merge-base of the
-    // protected base. When the merge-base lookup fails (shallow clone,
-    // no upstream, baseRef not configured), fall back to the working-tree
-    // diff so the consensus gate still has signal rather than crashing.
-    const mergeBase = safeExecOptional(cwd, 'git', ['merge-base', baseRef, 'HEAD']).trim();
-    if (mergeBase) {
-        // Two parts (non-overlapping):
-        //  1. Committed since base: `<base>..HEAD`
-        //  2. Uncommitted (staged + working tree as a single union): `git diff HEAD`
-        // `git diff HEAD` already reports BOTH staged AND working-tree
-        // changes relative to HEAD, so we MUST NOT add a separate
-        // `--cached` invocation: doing so emits the same staged hunks
-        // twice, inflating reviewer cost and confusing the rubric on
-        // duplicate-finding correlation.
-        const committedDiff = safeExec(cwd, 'git', [
-            'diff',
-            `${mergeBase}..HEAD`,
-            '--',
-            '.',
-            ...PROTECTED_PATHSPEC_EXCLUDES,
-        ]);
-        const uncommittedDiff = safeExec(cwd, 'git', [
-            'diff',
-            'HEAD',
-            '--',
-            '.',
-            ...PROTECTED_PATHSPEC_EXCLUDES,
-        ]);
-        const combined = [committedDiff, uncommittedDiff]
-            .map((s) => s.trim())
-            .filter((s) => s.length > 0)
-            .join('\n');
-        const cappedDiff = capDiff(combined);
-        const branch = safeExec(cwd, 'git', ['branch', '--show-current']).trim() || 'detached';
-        const head = safeExec(cwd, 'git', ['rev-parse', 'HEAD']).trim();
-        const subject = safeExec(cwd, 'git', ['log', '-1', '--pretty=%s', 'HEAD']).trim();
-        const stats = computeStats(cappedDiff);
-        return {
-            diff: cappedDiff,
-            context: {
-                branch,
-                commit: shortSha(head),
-                title: subject || branch,
-                ref: `merge-base:${baseRef}`,
-                stats,
-            },
-        };
-    }
-    // Fallback path: no merge-base available. `git diff HEAD` reports
-    // BOTH staged AND working-tree changes relative to HEAD in a single
-    // unified diff, so it's the right one-shot capture for "what would I
-    // commit if I ran `git add -A && git commit` right now". A separate
-    // `--cached` call would double-report the staged hunks.
-    const cappedDiff = capDiff(safeExec(cwd, 'git', ['diff', 'HEAD', '--', '.', ...PROTECTED_PATHSPEC_EXCLUDES]));
-    const branch = safeExec(cwd, 'git', ['branch', '--show-current']).trim() || 'detached';
-    const head = safeExec(cwd, 'git', ['rev-parse', 'HEAD']).trim();
-    const subject = safeExec(cwd, 'git', ['log', '-1', '--pretty=%s', 'HEAD']).trim();
-    const stats = computeStats(cappedDiff);
-    return {
-        diff: cappedDiff,
-        context: {
-            branch,
-            commit: shortSha(head),
-            title: subject || branch,
-            ref: 'head-only',
-            stats,
-        },
-    };
-}
-/**
- * Non-throwing variant of `safeExec`. Returns an empty string on
- * non-zero exit instead of throwing. Used for the optional `merge-base`
- * lookup which fails legitimately in shallow clones / no-upstream setups.
- */
-function safeExecOptional(cwd, file, args) {
-    try {
-        return safeExec(cwd, file, args);
-    }
-    catch {
-        return '';
-    }
-}
-/** Compute file / insertion / deletion counts from a unified diff. */
-function computeStats(diff) {
-    let filesChanged = 0;
-    let insertions = 0;
-    let deletions = 0;
-    for (const line of diff.split(/\r?\n/)) {
-        if (line.startsWith('diff --git '))
-            filesChanged += 1;
-        else if (line.startsWith('+') && !line.startsWith('+++'))
-            insertions += 1;
-        else if (line.startsWith('-') && !line.startsWith('---'))
-            deletions += 1;
-    }
-    return { filesChanged, insertions, deletions };
-}
-/**
- * Truncate the diff if it grows past `DIFF_MAX_BYTES`. Truncation is
- * marked with a sentinel comment so reviewers see the cap explicitly
- * instead of silently reasoning over a partial patch.
- */
-function capDiff(diff) {
-    // `Buffer.byteLength` is required — `.length` counts UTF-16 code units
-    // and underestimates multi-byte sequences common in diffs that touch
-    // i18n / cyrillic content.
-    if (Buffer.byteLength(diff, 'utf8') <= DIFF_MAX_BYTES)
-        return diff;
-    // Slice by code units, then re-check byte length. UTF-8 is variable-
-    // width, so 1 MiB of code units can exceed the cap; iterate until it
-    // fits. Two passes is the worst case for any reasonable input.
-    let slice = diff.slice(0, DIFF_MAX_BYTES);
-    while (Buffer.byteLength(slice, 'utf8') > DIFF_MAX_BYTES && slice.length > 0) {
-        slice = slice.slice(0, slice.length - 1024);
-    }
-    return `${slice}\n\n# [pugi-cli] diff truncated at ${DIFF_MAX_BYTES} bytes; reviewers see a partial patch.\n`;
-}
-function shortSha(sha) {
-    if (!sha)
-        return '';
-    return sha.length > 7 ? sha.slice(0, 7) : sha;
-}
-/**
- * Wrapper around `execFileSync` that returns stdout as a UTF-8 string,
- * swallows stderr, and throws with a stable shape on non-zero exit.
- *
- * The `execFileSync` form avoids shell injection (no shell process is
- * spawned), which matters because we pass user-supplied refs / branch
- * names into the command line.
- */
-function safeExec(cwd, file, args) {
-    try {
-        const out = execFileSync(file, args, {
-            cwd,
-            stdio: ['ignore', 'pipe', 'pipe'],
-            // 32 MiB buffer — covers the worst-case PR diff before our 1 MiB
-            // cap kicks in. The cap is applied after capture so we can report
-            // truncation honestly.
-            maxBuffer: 32 * 1024 * 1024,
-            encoding: 'utf8',
-        });
-        // Specifying `encoding: 'utf8'` narrows the return type to string,
-        // but TS still types `out` as `string` always here — defensively
-        // coerce via `String()` to satisfy lint without an `as` cast.
-        return String(out);
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        throw new Error(`${file} ${args.slice(0, 2).join(' ')} failed: ${message.split('\n')[0]}`);
-    }
-}
-function safeParseJson(raw) {
-    try {
-        return JSON.parse(raw);
-    }
-    catch {
-        return null;
-    }
-}
-//# sourceMappingURL=diff-capture.js.map