@remogram/core 0.1.0-beta.0 → 0.1.0-beta.2

package/auth-classes.js

@@ -0,0 +1,44 @@
+/** Per-command auth requirements for structured provider capabilities. */
+export const AUTH_CLASS = {
+  NONE: 'none',
+  GIT_ONLY: 'git_only',
+  TOKEN_REQUIRED: 'token_required',
+};
+
+const AUTH_CLASS_VALUES = new Set(Object.values(AUTH_CLASS));
+
+/** Runtime auth requirements for fully implemented API providers. */
+export const API_PROVIDER_COMMAND_AUTH = {
+  repo_status: AUTH_CLASS.NONE,
+  ref_compare: AUTH_CLASS.GIT_ONLY,
+  pr_status: AUTH_CLASS.TOKEN_REQUIRED,
+  pr_checks: AUTH_CLASS.TOKEN_REQUIRED,
+  merge_plan: AUTH_CLASS.TOKEN_REQUIRED,
+  sync_plan: AUTH_CLASS.GIT_ONLY,
+};
+
+export function commandCapability(name, { implemented = true } = {}) {
+  const auth_class = API_PROVIDER_COMMAND_AUTH[name];
+  if (!auth_class) {
+    throw new Error(`Unknown command: ${name}`);
+  }
+  return { name, implemented, auth_class };
+}
+
+export function apiProviderCommands() {
+  return Object.keys(API_PROVIDER_COMMAND_AUTH).map((name) =>
+    commandCapability(name, { implemented: true }),
+  );
+}
+
+export function stubProviderCommands() {
+  return Object.keys(API_PROVIDER_COMMAND_AUTH).map((name) =>
+    commandCapability(name, { implemented: false }),
+  );
+}
+
+export function assertAuthClass(value) {
+  if (!AUTH_CLASS_VALUES.has(value)) {
+    throw new Error(`Invalid auth_class: ${value}`);
+  }
+}

package/caps.js

@@ -1,5 +1,24 @@
 export const DEFAULT_MAX_BYTES = 8192;
 export const DEFAULT_FIELD_MAX_BYTES = 512;
+export const FORGE_INGEST_MAX_BYTES_ENV = 'REMOGRAM_FORGE_INGEST_MAX_BYTES';
+
+export function getEffectiveIngestMaxBytes() {
+  const raw = process.env[FORGE_INGEST_MAX_BYTES_ENV];
+  if (raw == null || raw === '') {
+    return { bytes: DEFAULT_MAX_BYTES, envOverride: false };
+  }
+  const parsed = Number.parseInt(String(raw), 10);
+  if (!Number.isFinite(parsed) || parsed <= 0) {
+    return { bytes: DEFAULT_MAX_BYTES, envOverride: false, invalidEnv: true };
+  }
+  return { bytes: parsed, envOverride: true };
+}
+
+/** Facts for provider capabilities packets (forge ingest policy). */
+export function forgeIngestCapabilityFacts() {
+  const { bytes } = getEffectiveIngestMaxBytes();
+  return { forge_ingest_cap_bytes: bytes };
+}
 
 export function capText(text, maxBytes = DEFAULT_MAX_BYTES) {
   if (!text) return { text: '', truncated: false, bytes: 0 };
@@ -19,7 +38,17 @@ export function sanitizeField(value, maxBytes = DEFAULT_FIELD_MAX_BYTES) {
     .replace(/[\x00-\x1f\x7f]/g, ' ')
     .replace(/\r?\n/g, ' ')
     .trim();
-  return capText(singleLine, maxBytes).text;
+  const redacted = redactSecretPatterns(singleLine);
+  return capText(redacted, maxBytes).text;
+}
+
+function redactSecretPatterns(text) {
+  return text
+    .replace(/Bearer\s+\S+/gi, 'Bearer [REDACTED]')
+    .replace(/\bghp_[A-Za-z0-9]+\b/g, '[REDACTED]')
+    .replace(/\bgho_[A-Za-z0-9]+\b/g, '[REDACTED]')
+    .replace(/\bglpat-[A-Za-z0-9_-]+\b/g, '[REDACTED]')
+    .replace(/\b(GITHUB_TOKEN|GH_TOKEN|GITLAB_TOKEN|GITEA_TOKEN)\b/gi, '[REDACTED]');
 }
 
 export function sanitizeUrl(value, maxBytes = DEFAULT_FIELD_MAX_BYTES) {
@@ -27,6 +56,8 @@ export function sanitizeUrl(value, maxBytes = DEFAULT_FIELD_MAX_BYTES) {
   try {
     const u = new URL(String(value));
     if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
+    u.username = '';
+    u.password = '';
     return sanitizeField(u.href, maxBytes);
   } catch {
     return null;

package/git-local.js

@@ -24,7 +24,17 @@ export function gitCurrentBranch(cwd) {
   }
 }
 
+export function gitRepoRoot(cwd) {
+  try {
+    return gitExec(cwd, ['rev-parse', '--show-toplevel']);
+  } catch {
+    return null;
+  }
+}
+
 export function gitAheadBehind(cwd, base, head) {
+  assertGitRef(base, 'base');
+  assertGitRef(head, 'head');
   try {
     const out = gitExec(cwd, ['rev-list', '--left-right', '--count', `${base}...${head}`]);
     const [behind, ahead] = out.split(/\s+/).map(Number);

package/http.js

@@ -1,8 +1,8 @@
 import { ERROR_CODES, forgeError } from './contracts/errors.js';
-import { readStreamCapped, DEFAULT_MAX_BYTES, sanitizeField } from './caps.js';
+import { readStreamCapped, getEffectiveIngestMaxBytes, sanitizeField } from './caps.js';
 
 const DEFAULT_TIMEOUT_MS = 30_000;
-const DEFAULT_JSON_MAX_BYTES = DEFAULT_MAX_BYTES;
+const DEFAULT_JSON_MAX_BYTES = () => getEffectiveIngestMaxBytes().bytes;
 
 export async function fetchWithTimeout(url, options = {}, timeoutMs = DEFAULT_TIMEOUT_MS) {
   const signal = AbortSignal.timeout(timeoutMs);
@@ -25,7 +25,7 @@ export async function fetchJson(
   url,
   options = {},
   timeoutMs = DEFAULT_TIMEOUT_MS,
-  maxBytes = DEFAULT_JSON_MAX_BYTES,
+  maxBytes = DEFAULT_JSON_MAX_BYTES(),
 ) {
   const res = await fetchWithTimeout(url, options, timeoutMs);
   if (res.status >= 300 && res.status < 400) {
@@ -56,7 +56,52 @@ export async function fetchJson(
   return body;
 }
 
-export async function fetchTextCapped(url, options = {}, maxBytes = DEFAULT_MAX_BYTES) {
+export function parseLinkHeader(linkHeader) {
+  if (!linkHeader) return {};
+  const links = {};
+  for (const segment of String(linkHeader).split(',')) {
+    const match = segment.trim().match(/^<([^>]+)>;\s*rel="([^"]+)"/);
+    if (match) links[match[2]] = match[1];
+  }
+  return links;
+}
+
+export async function fetchJsonWithMeta(
+  url,
+  options = {},
+  timeoutMs = DEFAULT_TIMEOUT_MS,
+  maxBytes = DEFAULT_JSON_MAX_BYTES(),
+) {
+  const res = await fetchWithTimeout(url, options, timeoutMs);
+  if (res.status >= 300 && res.status < 400) {
+    const message = 'HTTP redirect rejected';
+    throw Object.assign(new Error(message), {
+      forgeError: forgeError(ERROR_CODES.API_ERROR, message, res.status),
+      status: res.status,
+    });
+  }
+  const text = await readResponseTextCapped(res, maxBytes);
+  let body;
+  try {
+    body = text ? JSON.parse(text) : null;
+  } catch {
+    throw Object.assign(new Error('Unparseable JSON from provider'), {
+      forgeError: forgeError(ERROR_CODES.UNPARSEABLE_PROVIDER_OUTPUT, 'Provider returned invalid JSON'),
+      status: res.status,
+    });
+  }
+  if (!res.ok) {
+    const raw = body?.message || body?.error || res.statusText || 'API error';
+    const message = sanitizeField(raw) || 'API error';
+    throw Object.assign(new Error(message), {
+      forgeError: forgeError(ERROR_CODES.API_ERROR, message, res.status),
+      status: res.status,
+    });
+  }
+  return { body, headers: res.headers, status: res.status };
+}
+
+export async function fetchTextCapped(url, options = {}, maxBytes = getEffectiveIngestMaxBytes().bytes) {
   const res = await fetchWithTimeout(url, options);
   if (res.status >= 300 && res.status < 400) {
     const message = 'HTTP redirect rejected';

package/index.js

@@ -1,8 +1,26 @@
 export { SCHEMA_VERSION, PACKET_TYPES, forgePacket, forgeErrorPacket, unknownForgeContext, FORBIDDEN_PACKET_KEYS } from './contracts/envelope.js';
 export { ERROR_CODES, forgeError } from './contracts/errors.js';
-export { capText, sanitizeField, sanitizeUrl, readStreamCapped, DEFAULT_MAX_BYTES, DEFAULT_FIELD_MAX_BYTES } from './caps.js';
+export {
+  capText,
+  sanitizeField,
+  sanitizeUrl,
+  readStreamCapped,
+  DEFAULT_MAX_BYTES,
+  DEFAULT_FIELD_MAX_BYTES,
+  FORGE_INGEST_MAX_BYTES_ENV,
+  getEffectiveIngestMaxBytes,
+  forgeIngestCapabilityFacts,
+} from './caps.js';
 export { assertGitRef, assertGitRemote } from './git-args.js';
-export { gitRevParse, gitCurrentBranch, gitAheadBehind } from './git-local.js';
+export { gitRevParse, gitCurrentBranch, gitAheadBehind, gitRepoRoot } from './git-local.js';
+export {
+  localHeadShaForPr,
+  staleHeadDetails,
+  staleHeadForgeError,
+  staleHeadForgeError as staleHeadError,
+  STALE_HEAD_MESSAGE,
+  throwIfStaleHeadByNumber,
+} from './pr-head-reconcile.js';
 export { parseConfigFile, configSchema } from './config-schema.js';
 export {
   findConfigPath,
@@ -14,4 +32,12 @@ export {
   assertForgeReady,
   forgeContext,
 } from './resolve.js';
-export { fetchWithTimeout, fetchJson, fetchTextCapped } from './http.js';
+export { fetchWithTimeout, fetchJson, fetchJsonWithMeta, parseLinkHeader, fetchTextCapped } from './http.js';
+export {
+  AUTH_CLASS,
+  API_PROVIDER_COMMAND_AUTH,
+  commandCapability,
+  apiProviderCommands,
+  stubProviderCommands,
+  assertAuthClass,
+} from './auth-classes.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@remogram/core",
-  "version": "0.1.0-beta.0",
+  "version": "0.1.0-beta.2",
   "description": "Remogram forge envelope, config, caps, and HTTP utilities",
   "type": "module",
   "license": "MIT",

package/pr-head-reconcile.js

@@ -0,0 +1,38 @@
+import { assertGitRemote } from './git-args.js';
+import { ERROR_CODES, forgeError } from './contracts/errors.js';
+import { gitRevParse } from './git-local.js';
+
+export const STALE_HEAD_MESSAGE =
+  'Forge PR head SHA diverges from locally resolved git; fetch or refresh before trusting head_sha';
+
+export function localHeadShaForPr(cwd, remoteName, headRef) {
+  if (!headRef) return null;
+  assertGitRemote(remoteName, 'remote');
+  const trackingRef = `${remoteName}/${headRef}`;
+  return gitRevParse(cwd, trackingRef) ?? gitRevParse(cwd, headRef);
+}
+
+export function staleHeadDetails(cwd, remoteName, headRef, forgeHeadSha) {
+  if (!headRef || !forgeHeadSha) return null;
+  const localHeadSha = localHeadShaForPr(cwd, remoteName, headRef);
+  if (!localHeadSha) return null;
+  if (localHeadSha.toLowerCase() === String(forgeHeadSha).toLowerCase()) return null;
+  return {
+    head_ref: headRef,
+    head_sha: forgeHeadSha,
+    local_head_sha: localHeadSha,
+  };
+}
+
+export function staleHeadForgeError() {
+  return forgeError(ERROR_CODES.STALE_HEAD, STALE_HEAD_MESSAGE);
+}
+
+export function throwIfStaleHeadByNumber(ctx, packetType, body, headRef, forgeHeadSha) {
+  const details = staleHeadDetails(ctx.cwd, ctx.config?.remote ?? ctx.remoteName, headRef, forgeHeadSha);
+  if (!details) return;
+  const err = new Error(STALE_HEAD_MESSAGE);
+  err.forgeError = staleHeadForgeError();
+  err.staleHeadPacket = { type: packetType, body: { ...body, ...details } };
+  throw err;
+}

package/resolve.js

@@ -1,20 +1,35 @@
 import { execFileSync } from 'node:child_process';
-import { readFileSync, existsSync } from 'node:fs';
-import { dirname, join } from 'node:path';
+import { readFileSync, existsSync, realpathSync } from 'node:fs';
+import { dirname, join, resolve } from 'node:path';
 import { parseConfigFile } from './config-schema.js';
 import { ERROR_CODES, forgeError } from './contracts/errors.js';
 import { assertGitRemote } from './git-args.js';
+import { gitRepoRoot } from './git-local.js';
 
 const HOST_ALIASES = new Map([
   ['localhost:3000', '127.0.0.1:3000'],
   ['127.0.0.1:3000', 'localhost:3000'],
 ]);
 
+function samePath(a, b) {
+  try {
+    return realpathSync(a) === realpathSync(b);
+  } catch {
+    return resolve(a) === resolve(b);
+  }
+}
+
 export function findConfigPath(startDir = process.cwd()) {
+  const repoRoot = gitRepoRoot(startDir);
   let dir = startDir;
   while (true) {
     const candidate = join(dir, '.remogram.json');
     if (existsSync(candidate)) return candidate;
+    if (repoRoot) {
+      if (samePath(dir, repoRoot)) break;
+    } else {
+      break;
+    }
     const parent = dirname(dir);
     if (parent === dir) break;
     dir = parent;

package/stub-provider.js

@@ -1,4 +1,5 @@
 import { ERROR_CODES, forgeError } from './contracts/errors.js';
+import { stubProviderCommands } from './auth-classes.js';
 
 export function createStubProvider(id) {
   function unsupported() {
@@ -8,14 +9,7 @@ export function createStubProvider(id) {
   }
   function providerCapabilities() {
     return {
-      commands: [
-        { name: 'repo_status', implemented: false },
-        { name: 'ref_compare', implemented: false },
-        { name: 'pr_status', implemented: false },
-        { name: 'pr_checks', implemented: false },
-        { name: 'merge_plan', implemented: false },
-        { name: 'sync_plan', implemented: false },
-      ],
+      commands: stubProviderCommands(),
       auth_envs: [],
       check_sources: [],
       mergeability_confidence: 'unknown',