@pushpalsdev/cli 1.0.17 → 1.0.19

package/runtime/sandbox/packages/shared/src/config_template_parity.ts

@@ -0,0 +1,70 @@
+import { readFileSync } from "fs";
+
+function isObject(value: unknown): value is Record<string, unknown> {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+
+export function collectDotEnvKeys(raw: string): Set<string> {
+  const keys = new Set<string>();
+  const lines = raw.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const match = trimmed.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/);
+    if (!match) continue;
+    const key = match[1]?.trim();
+    if (key) keys.add(key);
+  }
+  return keys;
+}
+
+function collectTomlLeafKeysFromNode(
+  node: unknown,
+  prefix: string,
+  out: Set<string>,
+): void {
+  if (!isObject(node)) return;
+  for (const [rawKey, value] of Object.entries(node)) {
+    const key = rawKey.trim();
+    if (!key) continue;
+    const path = prefix ? `${prefix}.${key}` : key;
+    if (isObject(value)) {
+      collectTomlLeafKeysFromNode(value, path, out);
+    } else {
+      out.add(path);
+    }
+  }
+}
+
+export function collectTomlLeafKeys(raw: string): Set<string> {
+  const parsed = Bun.TOML.parse(raw) as unknown;
+  const keys = new Set<string>();
+  collectTomlLeafKeysFromNode(parsed, "", keys);
+  return keys;
+}
+
+export function missingTemplateKeys(templateKeys: Iterable<string>, localKeys: Set<string>): string[] {
+  const templateSet = new Set(templateKeys);
+  const missing: string[] = [];
+  for (const key of templateSet) {
+    if (!localKeys.has(key)) missing.push(key);
+  }
+  return missing.sort((a, b) => a.localeCompare(b));
+}
+
+export function extraLocalKeys(templateKeys: Iterable<string>, localKeys: Set<string>): string[] {
+  const templateSet = new Set(templateKeys);
+  const extras: string[] = [];
+  for (const key of localKeys) {
+    if (!templateSet.has(key)) extras.push(key);
+  }
+  return extras.sort((a, b) => a.localeCompare(b));
+}
+
+export function readDotEnvKeys(filePath: string): Set<string> {
+  return collectDotEnvKeys(readFileSync(filePath, "utf8"));
+}
+
+export function readTomlLeafKeys(filePath: string): Set<string> {
+  return collectTomlLeafKeys(readFileSync(filePath, "utf8"));
+}

package/runtime/sandbox/packages/shared/src/git_backend.ts

@@ -0,0 +1,205 @@
+export type GitBackendId = "github" | "gitlab" | "unknown";
+export type GitTokenSource = "configured" | "env" | "cli" | "none";
+
+export interface CommandCaptureResult {
+  ok: boolean;
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+}
+
+export interface ResolveGitTokenOptions {
+  remoteUrl: string;
+  configuredToken?: string | null;
+  env?: Record<string, string | undefined>;
+  cwd?: string;
+  runCommand?: (command: string[], cwd?: string) => Promise<CommandCaptureResult>;
+}
+
+export interface GitTokenResolution {
+  backend: GitBackendId;
+  host: string;
+  token: string;
+  source: GitTokenSource;
+}
+
+export interface GitHubRepoRef {
+  owner: string;
+  repo: string;
+}
+
+function trimToken(value: string | null | undefined): string {
+  return String(value ?? "").trim();
+}
+
+/**
+ * Remove userinfo credentials from HTTPS git remote URLs.
+ * Example: https://oauth2:token@github.com/org/repo.git -> https://github.com/org/repo.git
+ */
+export function sanitizeGitRemoteUrl(remoteUrl: string): string {
+  const raw = trimToken(remoteUrl);
+  if (!raw) return "";
+  return raw.replace(/^(https?:\/\/)[^@/]+@/i, "$1");
+}
+
+function firstNonEmpty(
+  env: Record<string, string | undefined>,
+  keys: readonly string[],
+): string {
+  for (const key of keys) {
+    const value = trimToken(env[key]);
+    if (value) return value;
+  }
+  return "";
+}
+
+export function parseGitRemoteHost(remoteUrl: string): string {
+  const raw = trimToken(remoteUrl);
+  if (!raw) return "";
+
+  const patterns = [
+    /^https?:\/\/(?:[^@/]+@)?([^/:?#]+)(?::\d+)?(?:[/?#].*)?$/i,
+    /^ssh:\/\/(?:[^@/]+@)?([^/:?#]+)(?::\d+)?(?:[/?#].*)?$/i,
+    /^(?:[^@:\s]+@)?([^:/\s]+):[^?\s]+$/i,
+  ];
+
+  for (const pattern of patterns) {
+    const match = raw.match(pattern);
+    const host = match?.[1] ? trimToken(match[1]) : "";
+    if (host) return host.toLowerCase();
+  }
+  return "";
+}
+
+export function inferGitBackendFromRemote(remoteUrl: string): GitBackendId {
+  const host = parseGitRemoteHost(remoteUrl);
+  if (!host) return "unknown";
+  if (host === "github.com" || host.endsWith(".github.com") || host.includes("github")) {
+    return "github";
+  }
+  if (host === "gitlab.com" || host.endsWith(".gitlab.com") || host.includes("gitlab")) {
+    return "gitlab";
+  }
+  return "unknown";
+}
+
+export function parseGitHubRepo(remoteUrl: string): GitHubRepoRef | null {
+  const sanitized = sanitizeGitRemoteUrl(remoteUrl);
+  if (!sanitized) return null;
+
+  const httpsMatch = sanitized.match(
+    /^https?:\/\/(?:[^@/]+@)?github\.com\/([^/\s]+)\/([^/\s]+?)(?:\.git)?(?:[/?#].*)?$/i,
+  );
+  if (httpsMatch) {
+    return { owner: httpsMatch[1], repo: httpsMatch[2] };
+  }
+
+  const sshMatch = sanitized.match(
+    /^(?:ssh:\/\/)?(?:[^@/\s]+@)?github\.com[:/]([^/\s]+)\/([^/\s]+?)(?:\.git)?$/i,
+  );
+  if (sshMatch) {
+    return { owner: sshMatch[1], repo: sshMatch[2] };
+  }
+
+  return null;
+}
+
+export function toGitHubRepoWebUrl(remoteUrl: string): string | null {
+  const repo = parseGitHubRepo(remoteUrl);
+  if (!repo) return null;
+  return `https://github.com/${repo.owner}/${repo.repo}`;
+}
+
+async function defaultRunCommand(
+  command: string[],
+  cwd?: string,
+): Promise<CommandCaptureResult> {
+  try {
+    const proc = Bun.spawn(command, {
+      cwd,
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+    const [stdout, stderr, exitCode] = await Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text(),
+      proc.exited,
+    ]);
+    return {
+      ok: exitCode === 0,
+      stdout: stdout.trim(),
+      stderr: stderr.trim(),
+      exitCode,
+    };
+  } catch (err) {
+    return {
+      ok: false,
+      stdout: "",
+      stderr: String(err),
+      exitCode: 127,
+    };
+  }
+}
+
+async function resolveGitHubCliToken(
+  host: string,
+  runCommand: (command: string[], cwd?: string) => Promise<CommandCaptureResult>,
+  cwd?: string,
+): Promise<string> {
+  const useHostname = host && host !== "github.com";
+  const command = useHostname ? ["gh", "auth", "token", "--hostname", host] : ["gh", "auth", "token"];
+  const result = await runCommand(command, cwd);
+  return result.ok ? trimToken(result.stdout) : "";
+}
+
+async function resolveGitLabCliToken(
+  runCommand: (command: string[], cwd?: string) => Promise<CommandCaptureResult>,
+  cwd?: string,
+): Promise<string> {
+  const result = await runCommand(["glab", "auth", "token"], cwd);
+  return result.ok ? trimToken(result.stdout) : "";
+}
+
+export async function resolveGitTokenForRemote(
+  options: ResolveGitTokenOptions,
+): Promise<GitTokenResolution> {
+  const configuredToken = trimToken(options.configuredToken);
+  const host = parseGitRemoteHost(options.remoteUrl);
+  const backend = inferGitBackendFromRemote(options.remoteUrl);
+  const env = options.env ?? (process.env as Record<string, string | undefined>);
+
+  if (configuredToken) {
+    return { backend, host, token: configuredToken, source: "configured" };
+  }
+
+  const envVarOrder =
+    backend === "gitlab"
+      ? (["PUSHPALS_GIT_TOKEN", "GITLAB_TOKEN", "GL_TOKEN"] as const)
+      : backend === "github"
+        ? (["PUSHPALS_GIT_TOKEN", "GITHUB_TOKEN", "GH_TOKEN"] as const)
+        : (["PUSHPALS_GIT_TOKEN", "GITHUB_TOKEN", "GH_TOKEN", "GITLAB_TOKEN", "GL_TOKEN"] as const);
+
+  const envToken = firstNonEmpty(env, envVarOrder);
+  if (envToken) {
+    return { backend, host, token: envToken, source: "env" };
+  }
+
+  const runCommand = options.runCommand ?? defaultRunCommand;
+  let cliToken = "";
+  if (backend === "github") {
+    cliToken = await resolveGitHubCliToken(host, runCommand, options.cwd);
+  } else if (backend === "gitlab") {
+    cliToken = await resolveGitLabCliToken(runCommand, options.cwd);
+  } else {
+    // Unknown remotes still try both CLIs as a best-effort fallback.
+    cliToken = await resolveGitHubCliToken(host, runCommand, options.cwd);
+    if (!cliToken) {
+      cliToken = await resolveGitLabCliToken(runCommand, options.cwd);
+    }
+  }
+  if (cliToken) {
+    return { backend, host, token: cliToken, source: "cli" };
+  }
+
+  return { backend, host, token: "", source: "none" };
+}

package/runtime/sandbox/packages/shared/src/index.ts

@@ -0,0 +1,100 @@
+/**
+ * Shared utilities package
+ */
+
+export {
+  detectRepoRoot,
+  findGitRepoRoot,
+  getRepoContext,
+  resolveGitMetadataDir,
+  resolveGitStateFilePath,
+} from "./repo.js";
+export { CommunicationManager, type CommunicationManagerOptions } from "./communication.js";
+export { loadPromptTemplate, loadRepoDocText } from "./prompts.js";
+export {
+  evaluateClientRuntimePreflight,
+  formatClientRuntimePreflightLines,
+  type ClientPreflightCopyCommands,
+  type ClientPreflightIssue,
+  type ClientRuntimePreflightResult,
+} from "./client_preflight.js";
+export {
+  extractVisionKeyItems,
+  normalizeVisionSectionRef,
+  normalizeVisionSectionRefs,
+  parseVisionDoc,
+  validateVisionDocStructure,
+  type ParsedVisionDoc,
+  type VisionDocValidation,
+  type VisionKeyItems,
+  type VisionSection,
+} from "./vision.js";
+export {
+  inferGitBackendFromRemote,
+  parseGitHubRepo,
+  parseGitRemoteHost,
+  resolveGitTokenForRemote,
+  sanitizeGitRemoteUrl,
+  toGitHubRepoWebUrl,
+  type CommandCaptureResult,
+  type GitBackendId,
+  type GitHubRepoRef,
+  type GitTokenResolution,
+  type GitTokenSource,
+  type ResolveGitTokenOptions,
+} from "./git_backend.js";
+export {
+  invalidatePushPalsConfigCache,
+  loadPushPalsConfig,
+  sanitizePushPalsConfigForLogging,
+  type PushPalsConfig,
+  type PushPalsLlmConfig,
+  type PushPalsLmStudioConfig,
+} from "./config.js";
+export {
+  buildLocalCorsHeaders,
+  isLoopbackOrigin,
+  isLoopbackHost,
+  normalizeLoopbackHost,
+  normalizeLoopbackHttpUrl,
+  resolveLocalServerConnection,
+} from "./local_network.js";
+export {
+  isHeartbeatStatusSessionEvent,
+  shouldDisplayInteractiveSessionEvent,
+} from "./session_event_visibility.js";
+export {
+  DEFAULT_LOCALBUDDY_PORT,
+  computeLocalBuddyRestartBackoffMs,
+  loadLocalBuddyRuntimeSnapshotFromFiles,
+  parseLocalBuddyRuntimeSnapshot,
+  resolveLocalBuddyRuntimeAction,
+  resolveLocalBuddyStartGate,
+  type LocalBuddyRuntimeAction,
+  type LocalBuddyRuntimeSnapshot,
+  type LocalBuddyStartGateReason,
+} from "./localbuddy_runtime.js";
+export {
+  classifyGlobBreadth,
+  componentRootPrefix,
+  containsGlobMeta,
+  deriveAutonomyComponentArea,
+  globBreadthScore,
+  literalPrefix,
+  makePatternKey,
+  matchesGlob,
+  normalizeAutonomyComponentArea,
+  normalizePenalties,
+  normalizeRepoRelativePath,
+  normalizeTargetPath,
+  normalizeWriteGlob,
+  penaltyTotal,
+  validateScopeInvariants,
+  type AutonomyComponentArea,
+  type AutonomyGlobBreadth,
+  type AutonomyObjectiveType,
+  type AutonomyPenalty,
+  type AutonomyPenaltyKind,
+  type AutonomyRiskLevel,
+  type ScopeValidationResult,
+} from "./autonomy_policy.js";

package/runtime/sandbox/packages/shared/src/local_network.ts

@@ -0,0 +1,101 @@
+const DEFAULT_LOCAL_LOOPBACK_HOST = "127.0.0.1";
+
+export function isLoopbackHost(hostname: string): boolean {
+  const normalized = String(hostname ?? "")
+    .trim()
+    .toLowerCase()
+    .replace(/^\[(.*)\]$/, "$1");
+  return normalized === "127.0.0.1" || normalized === "::1" || normalized === "localhost";
+}
+
+export function normalizeLoopbackHost(hostname: string | null | undefined): string {
+  const normalized = String(hostname ?? "")
+    .trim()
+    .toLowerCase()
+    .replace(/^\[(.*)\]$/, "$1");
+  if (isLoopbackHost(normalized)) return DEFAULT_LOCAL_LOOPBACK_HOST;
+  return DEFAULT_LOCAL_LOOPBACK_HOST;
+}
+
+export function isLoopbackOrigin(origin: string | null | undefined): boolean {
+  const text = String(origin ?? "").trim();
+  if (!text) return false;
+  try {
+    const parsed = new URL(text);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return false;
+    }
+    return isLoopbackHost(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+
+export function buildLocalCorsHeaders(options: {
+  origin: string | null | undefined;
+  allowAuthorizationHeader?: boolean;
+}): Record<string, string> {
+  const headers: Record<string, string> = {
+    "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
+    "Access-Control-Allow-Headers": options.allowAuthorizationHeader
+      ? "content-type, authorization"
+      : "content-type",
+  };
+  const origin = String(options.origin ?? "").trim();
+  if (isLoopbackOrigin(origin)) {
+    headers["Access-Control-Allow-Origin"] = origin;
+    headers["Vary"] = "Origin";
+  }
+  return headers;
+}
+
+export function normalizeLoopbackHttpUrl(
+  value: string | null | undefined,
+  fallbackPort: number,
+): string {
+  const fallback = `http://${DEFAULT_LOCAL_LOOPBACK_HOST}:${Math.max(1, fallbackPort)}`;
+  const text = String(value ?? "").trim();
+  if (!text) return fallback;
+
+  try {
+    const parsed = new URL(text);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return fallback;
+    }
+    parsed.protocol = "http:";
+    parsed.username = "";
+    parsed.password = "";
+    parsed.hostname = normalizeLoopbackHost(parsed.hostname);
+    // Force server endpoints to the local root path in local-only mode.
+    parsed.pathname = "/";
+    parsed.search = "";
+    parsed.hash = "";
+    if (!parsed.port) {
+      parsed.port = String(Math.max(1, fallbackPort));
+    }
+    return parsed.toString().replace(/\/+$/, "");
+  } catch {
+    return fallback;
+  }
+}
+
+export function resolveLocalServerConnection(options: {
+  serverUrl: string | null | undefined;
+  authToken: string | null | undefined;
+  fallbackPort: number;
+}): {
+  serverUrl: string;
+  authToken: null;
+  serverWasNormalized: boolean;
+  authTokenWasIgnored: boolean;
+} {
+  const rawServer = String(options.serverUrl ?? "").trim().replace(/\/+$/, "");
+  const normalizedServer = normalizeLoopbackHttpUrl(rawServer, options.fallbackPort);
+  const authToken = String(options.authToken ?? "").trim();
+  return {
+    serverUrl: normalizedServer,
+    authToken: null,
+    serverWasNormalized: !!rawServer && normalizedServer !== rawServer,
+    authTokenWasIgnored: authToken.length > 0,
+  };
+}