@pushpalsdev/cli 1.0.32 → 1.0.34

package/runtime/prompts/remotebuddy/remotebuddy_system_prompt.md

@@ -23,6 +23,7 @@ Intent taxonomy (choose the single best fit):
 - `other` — do NOT use `other` with `requires_worker=false`. `other` must always have `requires_worker=true`. When in doubt, prefer `code_change`.
 
 Classification rules (applied in order):
+
 1. Action verb present (add, fix, update, implement, create, remove, test, run, build, configure, refactor, improve, etc.) → `code_change` + `requires_worker=true`
 2. File/test/config/component reference + no explicit read-only ask → `code_change` + `requires_worker=true`
 3. Read-only analysis explicitly requested → `analysis` + `requires_worker=false`

package/runtime/prompts/review_agent/review_prompt_template.md

@@ -11,6 +11,7 @@ Pull Request: #{{pr_number}} - {{pr_title}}
 Branch: {{head_ref}} -> {{base_ref}}
 
 Diff:
+
 ```diff
 {{diff}}
 ```

package/runtime/prompts/review_agent/reviewer.md

@@ -7,6 +7,7 @@ Return an objective quality score and specific, actionable feedback. The ReviewA
 ## Rating Criteria
 
 ### 9.0-10.0: Distinguished Engineer quality
+
 - Code is correct, complete, and production-ready with zero known defects
 - All edge cases and error paths are handled explicitly
 - Tests cover both positive (happy path) and negative (failure/edge) cases with meaningful assertions
@@ -21,6 +22,7 @@ Return an objective quality score and specific, actionable feedback. The ReviewA
 ### 1.0-6.9: Not production-ready - list specific issues and remediation steps
 
 Common rejection reasons:
+
 - Missing negative test assertions
 - Incomplete error handling
 - Tests that pass trivially (no real assertions)
@@ -32,8 +34,8 @@ Common rejection reasons:
 
 Respond with a JSON object only (no markdown wrapper):
 {
-  "score": <number 1.0-10.0>,
-  "summary": "<one sentence verdict>",
-  "issues": ["<issue 1>", "<issue 2>", ...],
-  "fix_instruction": "<precise instruction for the worker to fix all issues - this will be sent directly to the WorkerPal as its task>"
+"score": <number 1.0-10.0>,
+"summary": "<one sentence verdict>",
+"issues": ["<issue 1>", "<issue 2>", ...],
+"fix_instruction": "<precise instruction for the worker to fix all issues - this will be sent directly to the WorkerPal as its task>"
 }

package/runtime/prompts/workerpals/commit_message_prompt.md

@@ -10,6 +10,7 @@ Output only the raw commit message text — no markdown fences, no explanation,
 - <specific implementation detail>
 
 Tests:
+
 - <test runner command>
 
 ## Writing rules
@@ -25,12 +26,14 @@ Background context: "can you add one more unit test for localbuddy"
 
 Bad (copies instruction / uses planning language):
 {{type}}({{area}}): lets add one more unit test for localbuddy
+
 - At least one new unit test is added validating a meaningful LocalBuddy behavior.
 - All existing and new tests pass.
 - No unrelated files are modified.
 
 Good (reads the diff):
 {{type}}({{area}}): add unit test for LocalBuddy request routing and error response handling
+
 - add test case in localbuddy.test.ts asserting router returns 404 for unknown tool calls
 - add negative test for malformed request payload returning 400 with error message
 - extract shared test fixtures into testHelpers.ts to reduce duplication

package/runtime/prompts/workerpals/miniswe_broker_system_prompt.md

@@ -5,18 +5,19 @@ Repository root: {{repo}}
 
 Output format (STRICT JSON, no markdown, no extra keys unless specified):
 {
-  "actions": [
-    {"type":"read_file","path":"README.md"},
-    {"type":"append_line","path":"README.md","line":"..."},
-    {"type":"replace_text_once","path":"x","old":"a","new":"b"},
-    {"type":"write_file","path":"x","content":"..."},
-    {"type":"run_shell","command":"git status --porcelain"}
-  ],
-  "done": false,
-  "note": "short explanation"
+"actions": [
+{"type":"read_file","path":"README.md"},
+{"type":"append_line","path":"README.md","line":"..."},
+{"type":"replace_text_once","path":"x","old":"a","new":"b"},
+{"type":"write_file","path":"x","content":"..."},
+{"type":"run_shell","command":"git status --porcelain"}
+],
+"done": false,
+"note": "short explanation"
 }
 
 Rules:
+
 - Keep actions minimal and directly relevant.
 - JSON syntax must be exact: use ":" between keys and values, never ",".
 - Use double quotes for all keys and string values.

package/runtime/prompts/workerpals/miniswe_strict_tool_use_guidance.md

@@ -1,4 +1,5 @@
 CRITICAL: You must use tools to make progress.
+
 - Use the environment's tools (file read/list/search, and file edit/write/patch) to inspect and modify the repo.
 - Do NOT only describe what you would do; actually do it.
 - Avoid broad scans; choose one target file quickly.

package/runtime/prompts/workerpals/openai_codex_runtime_policy_appendix.md

@@ -1,4 +1,5 @@
 Runtime policy guardrails (mandatory):
+
 - Codex CLI is required infrastructure in this environment.
 - Never bypass Codex usage by changing tests/code expectations.
 - If Codex CLI auth/execution is unavailable, hard-fail and stop.

package/runtime/prompts/workerpals/openai_codex_task_execute_system_prompt.md

@@ -1,12 +1,14 @@
 You are PushPals WorkerPal running via the OpenAI Codex CLI backend.
 
 Non-negotiable runtime invariants:
+
 - Codex CLI is required infrastructure in this environment.
 - Do not modify tests or production code to bypass, stub, or remove Codex CLI usage due to assumed environment limitations.
 - Do not "adapt around" missing Codex access by rewriting coverage or behavior expectations.
 - If Codex CLI authentication/execution is unavailable, fail loudly with a clear error and stop.
 
 Execution rules:
+
 - Keep edits minimal, correct, and scoped to the requested task.
 - Read relevant files before editing, then run focused validation.
 - Report blockers explicitly; do not hide platform/runtime issues with workaround edits.

package/runtime/prompts/workerpals/task_quality_critic_system_prompt.md

@@ -2,8 +2,9 @@ You are a strict code-review critic for worker-generated patches.
 Return exactly one JSON object with keys:
 {"score": <0-10 number>, "findings": [string], "must_fix": [string], "revision_guidance": string}
 Scoring rubric:
+
 - 10: complete, correct, and robust with strong validation coverage.
 - 8-9: good quality with minor non-blocking issues.
 - <=7: requires revision before commit.
-must_fix must list blocking issues only.
-Do not include markdown or prose outside JSON.
+  must_fix must list blocking issues only.
+  Do not include markdown or prose outside JSON.

package/runtime/sandbox/apps/workerpals/src/backends/openai_codex_backend.ts

@@ -27,14 +27,14 @@ function warmupProbeCommand(sharedVenvPython: string): string {
     'AUTH_MODE="$(printf %s "$AUTH_MODE_RAW" | tr "[:upper:]" "[:lower:]")"; ' +
     'if [ ! -x "$PY" ]; then PY="$(command -v python3 || command -v python || true)"; fi; ' +
     '[ -n "$PY" ] || { echo "python runtime not found" >&2; exit 1; }; ' +
-    'if command -v bunx >/dev/null 2>&1; then ' +
+    "if command -v bunx >/dev/null 2>&1; then " +
     '  CODEX_CMD="bunx --yes @openai/codex"; ' +
-    'elif command -v codex >/dev/null 2>&1; then ' +
+    "elif command -v codex >/dev/null 2>&1; then " +
     '  CODEX_CMD="codex"; ' +
-    'else ' +
+    "else " +
     '  echo "Neither bunx nor codex was found in PATH" >&2; ' +
     "  exit 1; " +
-    'fi; ' +
+    "fi; " +
     'sh -lc "$CODEX_CMD --version"; ' +
     'NEED_LOGIN="0"; ' +
     'if [ "$AUTH_MODE" = "chatgpt" ] || [ "$AUTH_MODE" = "chatgpt_login" ] || [ "$AUTH_MODE" = "subscription" ]; then NEED_LOGIN="1"; fi; ' +

package/runtime/sandbox/apps/workerpals/src/backends/openhands_task_execute.ts

@@ -55,10 +55,7 @@ function estimateJobTokenUsage(
   };
 }
 
-function coerceJobTokenUsage(
-  value: unknown,
-  fallback: JobTokenUsage,
-): JobTokenUsage {
+function coerceJobTokenUsage(value: unknown, fallback: JobTokenUsage): JobTokenUsage {
   if (!value || typeof value !== "object" || Array.isArray(value)) {
     return fallback;
   }

package/runtime/sandbox/apps/workerpals/src/common/execution_utils.ts

@@ -16,8 +16,7 @@ export function resolveOutputCompactionPolicy(
   const maxOutputChars = Number(overrides.maxOutputChars ?? worker.outputMaxChars);
   const maxOutputLines = Number(overrides.maxOutputLines ?? worker.outputMaxLines);
   const maxOutputHeadLines = Number(overrides.maxOutputHeadLines ?? worker.outputMaxHeadLines);
-  const executorResultPrefixRaw =
-    overrides.executorResultPrefix ?? worker.executorResultPrefix;
+  const executorResultPrefixRaw = overrides.executorResultPrefix ?? worker.executorResultPrefix;
   const executorResultPrefix =
     typeof executorResultPrefixRaw === "string" && executorResultPrefixRaw.length > 0
       ? executorResultPrefixRaw
@@ -42,7 +41,10 @@ export function resolveOutputCompactionPolicy(
 
 // ---- Output truncation -------------------------------------------------------
 
-export function compactJobOutput(text: string, policyOverrides: Partial<OutputCompactionPolicy> = {}): string {
+export function compactJobOutput(
+  text: string,
+  policyOverrides: Partial<OutputCompactionPolicy> = {},
+): string {
   if (!text) return "";
   const policy = resolveOutputCompactionPolicy(policyOverrides);
   const maxOutputChars = policy.maxOutputChars;

package/runtime/sandbox/apps/workerpals/src/common/generic_python_executor.ts

@@ -58,10 +58,7 @@ function estimateJobTokenUsage(
   };
 }
 
-function coerceJobTokenUsage(
-  value: unknown,
-  fallback: JobTokenUsage,
-): JobTokenUsage {
+function coerceJobTokenUsage(value: unknown, fallback: JobTokenUsage): JobTokenUsage {
   if (!value || typeof value !== "object" || Array.isArray(value)) {
     return fallback;
   }

package/runtime/sandbox/apps/workerpals/src/common/worktree_cleanup.ts

@@ -39,7 +39,9 @@ export async function forceDeleteWorktreePath(
   const retries = Math.max(1, Math.floor(options.retries ?? 5));
   const delayMs = Math.max(0, Math.floor(options.delayMs ?? 120));
   const sleep = options.sleepFn ?? defaultSleep;
-  const removePath = options.removeFn ?? ((targetPath: string) => rmSync(targetPath, { recursive: true, force: true }));
+  const removePath =
+    options.removeFn ??
+    ((targetPath: string) => rmSync(targetPath, { recursive: true, force: true }));
   const pathExists = options.existsFn ?? ((targetPath: string) => existsSync(targetPath));
   let lastError = "";
 
@@ -63,4 +65,3 @@ export async function forceDeleteWorktreePath(
     ...(lastError ? { lastError } : {}),
   };
 }
-

package/runtime/sandbox/apps/workerpals/src/docker_executor.ts

@@ -75,7 +75,10 @@ function resolveDockerExecutable(): string {
   return process.platform === "win32" ? "docker.exe" : "docker";
 }
 
-function resolveWorkerpalSandboxBuildContext(repoRoot: string): { root: string; dockerfilePath: string } {
+function resolveWorkerpalSandboxBuildContext(repoRoot: string): {
+  root: string;
+  dockerfilePath: string;
+} {
   const configuredRoot = String(process.env.PUSHPALS_WORKERPALS_SANDBOX_ROOT ?? "").trim();
   const sandboxRoot = configuredRoot || repoRoot;
   const dockerfilePath = configuredRoot
@@ -233,6 +236,7 @@ export class DockerExecutor {
   private readonly jobRetryMaxAttempts: number;
   private readonly jobRetryBackoffMs: number;
   private readonly failureCooldownMs: number;
+  private readonly worktreeVisibilityTimeoutMs: number;
   private lastLoggedExecutionConfig = "";
   private lastLoggedEndpointRewrite = "";
   private warmedBackends = new Set<string>();
@@ -291,6 +295,7 @@ export class DockerExecutor {
       20_000,
       300_000,
     );
+    this.worktreeVisibilityTimeoutMs = process.platform === "win32" ? 15_000 : 5_000;
 
     // Ensure worktrees directory exists
     try {
@@ -413,7 +418,10 @@ export class DockerExecutor {
     try {
       await this.createWorktree(worktreePath, this.options.baseRef);
       await this.runGitSelfCheckContainer(worktreePath);
-      console.log(`[DockerExecutor] Startup self-check passed (git/worktree in container).`);
+      await this.ensureWorktreeAccessibleInWarmContainer(worktreePath);
+      console.log(
+        `[DockerExecutor] Startup self-check passed (git/worktree in container and warm container).`,
+      );
     } finally {
       await this.removeWorktree(worktreePath).catch(() => {
         // Ignore cleanup failures for startup self-check artifacts.
@@ -446,14 +454,11 @@ export class DockerExecutor {
       });
       await prune.exited;
 
-      proc = Bun.spawn(
-        ["git", "worktree", "add", "--force", "--detach", worktreePath, baseRef],
-        {
-          cwd: this.options.repo,
-          stdout: "pipe",
-          stderr: "pipe",
-        },
-      );
+      proc = Bun.spawn(["git", "worktree", "add", "--force", "--detach", worktreePath, baseRef], {
+        cwd: this.options.repo,
+        stdout: "pipe",
+        stderr: "pipe",
+      });
       exitCode = await proc.exited;
       stdout = await new Response(proc.stdout).text();
       stderr = await new Response(proc.stderr).text();
@@ -713,7 +718,10 @@ export class DockerExecutor {
 
     args.push("--entrypoint", "/bin/sh", this.options.imageName, "-lc", startupCmd);
 
-    const proc = Bun.spawn([resolveDockerExecutable(), ...args], { stdout: "pipe", stderr: "pipe" });
+    const proc = Bun.spawn([resolveDockerExecutable(), ...args], {
+      stdout: "pipe",
+      stderr: "pipe",
+    });
     const [exitCode, stdout, stderr] = await Promise.all([
       proc.exited,
       new Response(proc.stdout).text(),
@@ -814,10 +822,48 @@ export class DockerExecutor {
     stderr: string;
     exitCode: number;
   }> {
-    const proc = Bun.spawn([resolveDockerExecutable(), "exec", this.warmContainerName, "/bin/sh", "-lc", command], {
-      stdout: "pipe",
-      stderr: "pipe",
-    });
+    const proc = Bun.spawn(
+      [resolveDockerExecutable(), "exec", this.warmContainerName, "/bin/sh", "-lc", command],
+      {
+        stdout: "pipe",
+        stderr: "pipe",
+      },
+    );
+    const [stdout, stderr, exitCode] = await Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text(),
+      proc.exited,
+    ]);
+    return {
+      ok: exitCode === 0,
+      stdout: stdout.trim(),
+      stderr: stderr.trim(),
+      exitCode,
+    };
+  }
+
+  private async runWarmWorktreeProbe(containerWorktreePath: string): Promise<{
+    ok: boolean;
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+  }> {
+    const proc = Bun.spawn(
+      [
+        resolveDockerExecutable(),
+        "exec",
+        "-w",
+        containerWorktreePath,
+        this.warmContainerName,
+        "/bin/sh",
+        "-lc",
+        "git rev-parse --is-inside-work-tree && git rev-parse --git-dir",
+      ],
+      {
+        stdout: "pipe",
+        stderr: "pipe",
+      },
+    );
     const [stdout, stderr, exitCode] = await Promise.all([
       new Response(proc.stdout).text(),
       new Response(proc.stderr).text(),
@@ -854,10 +900,13 @@ export class DockerExecutor {
   }
 
   private async readWarmContainerLogs(tail = 160): Promise<string> {
-    const proc = Bun.spawn([resolveDockerExecutable(), "logs", "--tail", String(tail), this.warmContainerName], {
-      stdout: "pipe",
-      stderr: "pipe",
-    });
+    const proc = Bun.spawn(
+      [resolveDockerExecutable(), "logs", "--tail", String(tail), this.warmContainerName],
+      {
+        stdout: "pipe",
+        stderr: "pipe",
+      },
+    );
     const [stdout, stderr, exitCode] = await Promise.all([
       new Response(proc.stdout).text(),
       new Response(proc.stderr).text(),
@@ -1045,10 +1094,10 @@ export class DockerExecutor {
   ): Promise<DockerJobResult> {
     await this.ensureWarmRuntimeReady(job, onLog);
     const startedAtMs = Date.now();
-
-    const worktreeRelPath = relative(this.options.repo, worktreePath).replace(/\\/g, "/");
-    const containerWorktreePath = `/repo/${worktreeRelPath}`;
-    await this.waitForWorktreePathInWarmContainer(containerWorktreePath);
+    const containerWorktreePath = await this.ensureWorktreeAccessibleInWarmContainer(
+      worktreePath,
+      onLog,
+    );
 
     const args: string[] = [
       "exec",
@@ -1145,6 +1194,51 @@ export class DockerExecutor {
     );
   }
 
+  private async ensureWorktreeAccessibleInWarmContainer(
+    worktreePath: string,
+    onLog?: (stream: "stdout" | "stderr", line: string) => void,
+  ): Promise<string> {
+    const worktreeRelPath = relative(this.options.repo, worktreePath).replace(/\\/g, "/");
+    const containerWorktreePath = `/repo/${worktreeRelPath}`;
+    let lastError: unknown = null;
+
+    for (let attempt = 1; attempt <= 2; attempt++) {
+      try {
+        await this.ensureWarmContainer();
+        await this.waitForWorktreePathInWarmContainer(
+          containerWorktreePath,
+          this.worktreeVisibilityTimeoutMs,
+        );
+        const probe = await this.runWarmWorktreeProbe(containerWorktreePath);
+        if (probe.ok) {
+          return containerWorktreePath;
+        }
+        const detail = [probe.stderr, probe.stdout].filter(Boolean).join("\n").trim();
+        throw new Error(
+          `warm container git probe failed (exit ${probe.exitCode})${detail ? `: ${detail}` : ""}`,
+        );
+      } catch (err) {
+        lastError = err;
+        if (attempt >= 2) {
+          const diagnostics = await this.inspectWarmContainerState().catch(() => "");
+          throw new Error(
+            `worktree not accessible inside warm container after ${attempt} attempts: ${containerWorktreePath}${
+              lastError ? ` (${this.compactError(lastError)})` : ""
+            }${diagnostics ? ` | container=${diagnostics}` : ""}`,
+          );
+        }
+        const note =
+          `[DockerExecutor] Warm container could not access worktree ${containerWorktreePath}; ` +
+          `recycling container and retrying once (${this.compactError(err)}).`;
+        console.warn(note);
+        onLog?.("stderr", note);
+        await this.stopWarmContainer("worktree visibility retry", true);
+      }
+    }
+
+    return containerWorktreePath;
+  }
+
   private normalizeProvider(raw: string): string {
     const value = raw.trim().toLowerCase();
     if (!value) return "auto";
@@ -1555,11 +1649,14 @@ export class DockerExecutor {
       `[DockerExecutor] Worktree path already exists; forcing cleanup before create: ${worktreePath}`,
     );
 
-    const unregister = Bun.spawn(["git", "worktree", "remove", "--force", "--force", worktreePath], {
-      cwd: this.options.repo,
-      stdout: "pipe",
-      stderr: "pipe",
-    });
+    const unregister = Bun.spawn(
+      ["git", "worktree", "remove", "--force", "--force", worktreePath],
+      {
+        cwd: this.options.repo,
+        stdout: "pipe",
+        stderr: "pipe",
+      },
+    );
     await unregister.exited;
 
     const prune = Bun.spawn(["git", "worktree", "prune"], {
@@ -1777,10 +1874,13 @@ export class DockerExecutor {
    * Check if the Docker image exists locally
    */
   private async imageExists(): Promise<boolean> {
-    const proc = Bun.spawn([resolveDockerExecutable(), "image", "inspect", this.options.imageName], {
-      stdout: "pipe",
-      stderr: "pipe",
-    });
+    const proc = Bun.spawn(
+      [resolveDockerExecutable(), "image", "inspect", this.options.imageName],
+      {
+        stdout: "pipe",
+        stderr: "pipe",
+      },
+    );
     const exitCode = await proc.exited;
     return exitCode === 0;
   }

package/runtime/sandbox/apps/workerpals/src/execute_job.ts

@@ -173,7 +173,10 @@ export function buildQualityGateRevisionIssues(
   if (!critic || critic.score >= qualityCriticMinScore) {
     return [...normalizedQualityIssues];
   }
-  const merged = [...normalizedQualityIssues, ...buildCriticRevisionIssues(critic, qualityCriticMinScore)];
+  const merged = [
+    ...normalizedQualityIssues,
+    ...buildCriticRevisionIssues(critic, qualityCriticMinScore),
+  ];
   return [...new Set(merged)];
 }
 
@@ -2569,7 +2572,8 @@ function validateTaskExecutePlanning(
       if (!componentArea) {
         return {
           ok: false,
-          message: "task.execute planning.targetPaths must resolve to a repo-relative componentArea",
+          message:
+            "task.execute planning.targetPaths must resolve to a repo-relative componentArea",
         };
       }
       if (
@@ -3056,11 +3060,7 @@ export async function executeJob(
       return result;
     }
 
-    const issues = buildQualityGateRevisionIssues(
-      quality.issues,
-      critic,
-      qualityCriticMinScore,
-    );
+    const issues = buildQualityGateRevisionIssues(quality.issues, critic, qualityCriticMinScore);
     const issueSummary = issues.map((entry) => toSingleLine(entry, 180)).join(" | ");
     if (revisionAttempt >= qualityMaxAutoRevisions) {
       if (qualitySoftPassOnExhausted) {

package/runtime/sandbox/apps/workerpals/src/job_runner.ts

@@ -67,10 +67,13 @@ echo "password=${token}"
     writeFileSync(helperPath, helperScript, { mode: 0o755 });
 
     // Remove any legacy URL rewrite rules that may have embedded token credentials.
-    const urlRules = Bun.spawnSync(["git", "config", "--global", "--get-regexp", "^url\\..*\\.insteadOf$"], {
-      stdout: "pipe",
-      stderr: "pipe",
-    });
+    const urlRules = Bun.spawnSync(
+      ["git", "config", "--global", "--get-regexp", "^url\\..*\\.insteadOf$"],
+      {
+        stdout: "pipe",
+        stderr: "pipe",
+      },
+    );
     if (urlRules.exitCode === 0) {
       const lines = String(urlRules.stdout ?? "")
         .split(/\r?\n/)