@pushpalsdev/cli 1.0.93 → 1.0.95

package/runtime/sandbox/apps/workerpals/src/execute_job.ts

@@ -3,10 +3,9 @@
  * Used by both the host Worker (direct mode) and the Docker job runner.
  */
 
-import { existsSync, readFileSync, rmSync, unlinkSync } from "fs";
+import { existsSync, lstatSync, readFileSync, renameSync, rmSync, unlinkSync } from "fs";
 import { resolve } from "path";
 import {
-  deriveAutonomyComponentArea,
   buildGitCommitArgs as buildSourceControlGitCommitArgs,
   explicitSourceControlCommitIdentityFromEnv,
   loadPromptTemplate,
@@ -15,11 +14,9 @@ import {
   extractVisionKeyItems,
   formatToolRequirement,
   matchesGlob,
-  normalizeAutonomyComponentArea,
   normalizeTargetPath,
   requirementsForValidationCommand,
   sanitizeSourceControlIdentityField,
-  type AutonomyComponentArea,
   type SourceControlCommitIdentity,
   type ToolRequirement,
 } from "shared";
@@ -388,13 +385,6 @@ export function shouldEnqueueNoChangeReviewCompletion(
   return extractReviewFixContext(params) == null;
 }
 
-function reviewAgentAllowsMultiRootScope(value: unknown): boolean {
-  const normalized = String(value ?? "")
-    .trim()
-    .toLowerCase();
-  return normalized === "review_fix" || normalized === "merge_conflict";
-}
-
 export function deriveQualityGatePolicy(
   params: Record<string, unknown> | null | undefined,
   runtimeConfig: WorkerpalsRuntimeConfig = DEFAULT_CONFIG,
@@ -1655,7 +1645,7 @@ async function runDeterministicQualityGate(
   if (scopedValidationFailure === "outside_task_scope") {
     onLog?.(
       "stderr",
-      "[ValidationGate] Required validation failures appear outside the task write scope; treating them as publish blockers, not repair instructions.",
+      "[ValidationGate] Required validation failures appear outside the task target/relevance hints; treating them as publish blockers, not repair instructions.",
     );
   }
 
@@ -2176,6 +2166,12 @@ export type WorkerGitCommitIdentity = SourceControlCommitIdentity;
 
 export const explicitWorkerCommitIdentityFromEnv = explicitSourceControlCommitIdentityFromEnv;
 
+async function unstageSandboxArtifactPaths(
+  repo: string,
+): Promise<{ ok: boolean; stdout: string; stderr: string }> {
+  return git(repo, ["reset", "-q", "--", ...SANDBOX_STAGE_ARTIFACT_PATHS]);
+}
+
 async function resolveGitConfigValue(repo: string, key: string): Promise<string> {
   const value = await git(repo, ["config", "--get", key]);
   return value.ok ? sanitizeSourceControlIdentityField(value.stdout) : "";
@@ -2292,19 +2288,21 @@ export async function createJobCommit(
         console.warn(
           `[WorkerPals] Stage target invalid/missing for ${job.kind}; retrying with fallback "git add -A".`,
         );
-        result = await git(repo, [
-          "add",
-          "-A",
-          "--",
-          ".",
-          ":(exclude)workspace/**",
-          ":(exclude)outputs/**",
-        ]);
+        result = await git(repo, ["add", "-A"]);
       }
       if (!result.ok) {
         return { ok: false, error: `Failed to stage changes: ${result.stderr || result.stdout}` };
       }
     }
+    if (job.kind === "task.execute") {
+      const unstageArtifacts = await unstageSandboxArtifactPaths(repo);
+      if (!unstageArtifacts.ok) {
+        return {
+          ok: false,
+          error: `Failed to unstage sandbox artifact paths: ${unstageArtifacts.stderr || unstageArtifacts.stdout}`,
+        };
+      }
+    }
 
     // Check if there are changes to commit
     result = await git(repo, ["diff", "--cached", "--quiet"]);
@@ -2504,16 +2502,7 @@ function buildStageTargets(kind: string, params?: Record<string, unknown>): stri
 
 export function buildStageCommand(kind: string, params?: Record<string, unknown>): string[] | null {
   if (kind === "task.execute") {
-    return [
-      "add",
-      "-A",
-      "--",
-      ".",
-      ":(exclude)workspace/**",
-      ":(exclude)outputs/**",
-      ":(exclude).codex",
-      ":(exclude).codex/**",
-    ];
+    return ["add", "-A"];
   }
   const targets = buildStageTargets(kind, params);
   if (targets.length === 0) {
@@ -3058,25 +3047,11 @@ export async function resumePreparedMergeConflictRebase(
           "stdout",
           `[MergeConflict] Stage target invalid/missing for ${kind}; retrying with fallback "git add -A".`,
         );
-        stageResult = await git(repo, [
-          "add",
-          "-A",
-          "--",
-          ".",
-          ":(exclude)workspace/**",
-          ":(exclude)outputs/**",
-        ]);
+        stageResult = await git(repo, ["add", "-A"]);
       }
     }
   } else {
-    stageResult = await git(repo, [
-      "add",
-      "-A",
-      "--",
-      ".",
-      ":(exclude)workspace/**",
-      ":(exclude)outputs/**",
-    ]);
+    stageResult = await git(repo, ["add", "-A"]);
   }
   if (!stageResult.ok) {
     return {
@@ -3086,6 +3061,15 @@ export async function resumePreparedMergeConflictRebase(
         combinedGitOutput(stageResult),
     };
   }
+  const unstageArtifacts = await unstageSandboxArtifactPaths(repo);
+  if (!unstageArtifacts.ok) {
+    return {
+      ok: false,
+      error:
+        "Failed to unstage sandbox artifact paths before continuing rebase: " +
+        combinedGitOutput(unstageArtifacts),
+    };
+  }
 
   let rebaseContinue = await git(repo, ["-c", "core.editor=true", "rebase", "--continue"]);
   let continueOutput = combinedGitOutput(rebaseContinue);
@@ -3235,19 +3219,19 @@ async function createMergeConflictJobCommit(
       console.warn(
         `[WorkerPals] Stage target invalid/missing for merge-conflict job ${job.id}; retrying with fallback "git add -A".`,
       );
-      result = await git(repo, [
-        "add",
-        "-A",
-        "--",
-        ".",
-        ":(exclude)workspace/**",
-        ":(exclude)outputs/**",
-      ]);
+      result = await git(repo, ["add", "-A"]);
     }
     if (!result.ok) {
       return { ok: false, error: `Failed to stage merge-conflict changes: ${result.stderr || result.stdout}` };
     }
   }
+  const unstageArtifacts = await unstageSandboxArtifactPaths(repo);
+  if (!unstageArtifacts.ok) {
+    return {
+      ok: false,
+      error: `Failed to unstage sandbox artifact paths: ${unstageArtifacts.stderr || unstageArtifacts.stdout}`,
+    };
+  }
 
   const cachedDiffQuiet = await git(repo, ["diff", "--cached", "--quiet"]);
   let headSha = await currentRefSha(repo, "HEAD");
@@ -3610,6 +3594,85 @@ export function shouldUseCodexCliForExecutor(executor: string): boolean {
   return executor.trim().toLowerCase() === "openai_codex";
 }
 
+type MaskedRepoLocalCodexFile = {
+  codexPath: string;
+  backupPath: string;
+};
+
+function codexProjectConfigRoots(repo: string, env: Record<string, string>): string[] {
+  const roots: string[] = [];
+  const seen = new Set<string>();
+  const add = (raw: unknown) => {
+    const text = String(raw ?? "").trim();
+    if (!text) return;
+    const root = resolve(text);
+    const key = root.toLowerCase();
+    if (seen.has(key)) return;
+    seen.add(key);
+    roots.push(root);
+  };
+  add(repo);
+  for (const key of [
+    "PUSHPALS_REPO_ROOT_OVERRIDE",
+    "PUSHPALS_PROJECT_ROOT_OVERRIDE",
+    "PUSHPALS_ASSIGNED_REPO_ROOT",
+    "PUSHPALS_REPO_PATH",
+  ]) {
+    add(env[key]);
+  }
+  return roots;
+}
+
+function maskRepoLocalCodexFilesForCodexCli(
+  repo: string,
+  env: Record<string, string>,
+): MaskedRepoLocalCodexFile[] {
+  const masked: MaskedRepoLocalCodexFile[] = [];
+  for (const root of codexProjectConfigRoots(repo, env)) {
+    const codexPath = resolve(root, ".codex");
+    if (!existsSync(codexPath)) continue;
+    try {
+      if (lstatSync(codexPath).isDirectory()) continue;
+      let backupPath = resolve(root, `.codex.pushpals-masked-${process.pid}-${masked.length}`);
+      let suffix = 0;
+      while (existsSync(backupPath)) {
+        suffix += 1;
+        backupPath = resolve(
+          root,
+          `.codex.pushpals-masked-${process.pid}-${masked.length}-${suffix}`,
+        );
+      }
+      renameSync(codexPath, backupPath);
+      masked.push({ codexPath, backupPath });
+      console.warn(
+        `[WorkerPals] Temporarily masked repo-local .codex file so Codex CLI can use CODEX_HOME: ${codexPath}`,
+      );
+    } catch (error) {
+      console.warn(
+        `[WorkerPals] Failed to mask repo-local .codex file ${codexPath}: ${String(error)}`,
+      );
+    }
+  }
+  return masked;
+}
+
+function restoreRepoLocalCodexFilesForCodexCli(masked: MaskedRepoLocalCodexFile[]): void {
+  for (const entry of [...masked].reverse()) {
+    try {
+      if (existsSync(entry.codexPath)) {
+        rmSync(entry.codexPath, { recursive: true, force: true });
+      }
+      if (existsSync(entry.backupPath)) {
+        renameSync(entry.backupPath, entry.codexPath);
+      }
+    } catch (error) {
+      console.warn(
+        `[WorkerPals] Failed to restore repo-local .codex file ${entry.codexPath}: ${String(error)}`,
+      );
+    }
+  }
+}
+
 function normalizeCodexReasoningEffort(
   value: unknown,
   model = "",
@@ -3720,11 +3783,13 @@ async function generateCommitMessageFromDiffViaCodex(
   if (model) cmd.push("-m", model);
   cmd.push("-");
 
+  const env = buildWorkerSandboxWritableEnv(repo);
+  const codexMask = maskRepoLocalCodexFilesForCodexCli(repo, env);
   try {
     const stdinText = `${prompt.systemPrompt}\n\n${prompt.userMessage}`;
     const proc = Bun.spawn(cmd, {
       cwd: repo,
-      env: buildWorkerSandboxWritableEnv(repo),
+      env,
       stdout: "pipe",
       stderr: "pipe",
       stdin: new Blob([stdinText]),
@@ -3759,6 +3824,7 @@ async function generateCommitMessageFromDiffViaCodex(
   } catch {
     return null;
   } finally {
+    restoreRepoLocalCodexFilesForCodexCli(codexMask);
     try {
       unlinkSync(tmpOutputPath);
     } catch {
@@ -3938,9 +4004,7 @@ function hasInvalidRepoPathHint(values: string[]): boolean {
   return values.some((entry) => normalizeStagePath(entry) === null);
 }
 
-function asAutonomyComponentArea(value: unknown): AutonomyComponentArea | null {
-  return normalizeAutonomyComponentArea(value);
-}
+const SANDBOX_STAGE_ARTIFACT_PATHS = ["workspace", "outputs", ".codex"];
 
 function taskExecuteOrigin(params: Record<string, unknown>): "autonomy" | "user" {
   const explicit = String(params.origin ?? "")
@@ -3961,20 +4025,11 @@ export function collectWriteScopeIssuesFromChangedPaths(
   changedPaths: string[],
   planning: TaskExecutePlanning,
 ): string[] {
-  const normalizedChangedPaths = changedPaths
-    .map((entry) => normalizeStagePath(entry))
-    .filter((entry): entry is string => Boolean(entry) && entry !== ".");
-  if (normalizedChangedPaths.length === 0) return [];
-
-  const forbidden = toStringArray(planning.scope.forbiddenGlobs ?? []);
-  const issues: string[] = [];
-  const forbiddenTouched = normalizedChangedPaths.filter((path) =>
-    forbidden.some((glob) => matchesGlob(path, glob)),
-  );
-  if (forbiddenTouched.length > 0) {
-    issues.push(`modified paths matching forbiddenGlobs: ${forbiddenTouched.join(", ")}`);
-  }
-  return issues;
+  void changedPaths;
+  void planning;
+  // WorkerPals run in isolated worktrees and may write anywhere in that repo sandbox.
+  // Scope hints guide planning/review, but they are not hard write privileges.
+  return [];
 }
 
 function sanitizeTaskExecutePlanningPathHints(value: unknown): unknown {
@@ -4096,37 +4151,6 @@ function validateTaskExecutePlanning(
         message: "task.execute planning.targetPaths must contain literal repo-relative paths",
       };
     }
-    const normalizedWriteGlobs = isStringArray(scope.writeGlobs)
-      ? toStringArray(scope.writeGlobs)
-      : [];
-    const allowMultiRootAutonomyScope =
-      origin === "autonomy" &&
-      reviewAgentAllowsMultiRootScope(options?.reviewAgentResolutionType);
-    if (origin === "autonomy") {
-      const declaredComponentArea = asAutonomyComponentArea(options?.autonomyComponentArea);
-      if (!allowMultiRootAutonomyScope && declaredComponentArea) {
-        const inferredComponentArea = deriveAutonomyComponentArea(
-          normalizedTargetPaths,
-          normalizedWriteGlobs,
-        );
-        if (inferredComponentArea && declaredComponentArea !== inferredComponentArea) {
-          return {
-            ok: false,
-            message: "task.execute planning.targetPaths do not match autonomy componentArea",
-          };
-        }
-      }
-    } else if (normalizedWriteGlobs.length > 0) {
-      const uncoveredPaths = normalizedTargetPaths.filter(
-        (targetPath) => !normalizedWriteGlobs.some((glob) => matchesGlob(targetPath, glob)),
-      );
-      if (uncoveredPaths.length > 0) {
-        return {
-          ok: false,
-          message: `task.execute planning.targetPaths must be covered by planning.scope.writeGlobs: ${uncoveredPaths.join(", ")}`,
-        };
-      }
-    }
   }
 
   if (planning.discovery !== undefined) {
@@ -4353,10 +4377,12 @@ async function runCodexCriticReview(
     "-",
   ];
 
+  const env = buildWorkerSandboxWritableEnv(repo);
+  const codexMask = maskRepoLocalCodexFilesForCodexCli(repo, env);
   try {
     const proc = Bun.spawn(cmd, {
       cwd: repo,
-      env: buildWorkerSandboxWritableEnv(repo),
+      env,
       stdout: "pipe",
       stderr: "pipe",
       stdin: new Blob([criticInstruction]),
@@ -4436,6 +4462,13 @@ async function runCodexCriticReview(
   } catch (err) {
     onLog?.("stderr", `[CriticGate] Codex error: ${toSingleLine(err, 220)} (skipping).`);
     return null;
+  } finally {
+    restoreRepoLocalCodexFilesForCodexCli(codexMask);
+    try {
+      unlinkSync(tmpOutputPath);
+    } catch {
+      /* ignore */
+    }
   }
 }
 
@@ -4750,7 +4783,7 @@ export async function executeJob(
           [
             result.stderr ?? "",
             validationOutsideTaskScope
-              ? "Validation failures appear outside the task write scope and are treated as pre-existing repo blockers."
+              ? "Validation failures appear outside the task target/relevance hints and are treated as pre-existing repo blockers."
               : "",
             ...quality.validationRuns.flatMap((run) => [run.stdout, run.stderr]).filter(Boolean),
           ]