@remogram/core 0.1.0-beta.5 → 0.1.0-beta.6

package/caps.js

@@ -1,6 +1,8 @@
 export const DEFAULT_MAX_BYTES = 8192;
 export const DEFAULT_FIELD_MAX_BYTES = 512;
 export const FORGE_INGEST_MAX_BYTES_ENV = 'REMOGRAM_FORGE_INGEST_MAX_BYTES';
+/** Upper bound for undocumented REMOGRAM_FORGE_INGEST_MAX_BYTES debug override. */
+export const MAX_FORGE_INGEST_ENV_BYTES = 65536;
 
 /** Conservative check/status page size vs DEFAULT_MAX_BYTES raw ingest cap (pre-parse). */
 export const DEFAULT_CHECK_STATUS_PAGE_SIZE = 25;
@@ -20,13 +22,20 @@ export function getEffectiveIngestMaxBytes() {
   if (!Number.isFinite(parsed) || parsed <= 0) {
     return { bytes: DEFAULT_MAX_BYTES, envOverride: false, invalidEnv: true };
   }
+  if (parsed > MAX_FORGE_INGEST_ENV_BYTES) {
+    return { bytes: MAX_FORGE_INGEST_ENV_BYTES, envOverride: true, clamped: true };
+  }
   return { bytes: parsed, envOverride: true };
 }
 
 /** Facts for provider capabilities packets (forge ingest policy). */
 export function forgeIngestCapabilityFacts() {
-  const { bytes } = getEffectiveIngestMaxBytes();
-  return { forge_ingest_cap_bytes: bytes };
+  const { bytes, envOverride, clamped } = getEffectiveIngestMaxBytes();
+  return {
+    forge_ingest_cap_bytes: bytes,
+    ...(envOverride ? { forge_ingest_env_override: true } : {}),
+    ...(clamped ? { forge_ingest_cap_clamped: true } : {}),
+  };
 }
 
 /**

package/index.js

@@ -28,6 +28,7 @@ export {
   DEFAULT_MAX_BYTES,
   DEFAULT_FIELD_MAX_BYTES,
   FORGE_INGEST_MAX_BYTES_ENV,
+  MAX_FORGE_INGEST_ENV_BYTES,
   DEFAULT_CHECK_STATUS_PAGE_SIZE,
   MAX_CHECK_STATUS_PAGES,
   DEFAULT_OPEN_PULL_LIST_PAGE_SIZE,
@@ -135,15 +136,26 @@ export {
 } from './write-config.js';
 export { mergeBlockersFromFacts, isOpenPrState } from './merge-blockers.js';
 export {
+  applyForgePathScopeForMergePlan,
+  isCrFilesScopeComplete,
   resolveMergePlanPathScope,
   buildMergePlanBody,
   buildMergePlanBodyFromFacts,
+  normalizeAllowedPaths,
 } from './merge-plan.js';
+export {
+  isMergePlanForgeScopeRethrowError,
+  MERGE_PLAN_FORGE_SCOPE_RETHROW_CODES,
+  resolveMergePlanOptsWithForgePaths,
+  buildMergePlanFromProviderFacts,
+} from './merge-plan-forge.js';
 export {
   matchPathAllowlist,
   isPathAllowed,
   pathsOutsideAllowlist,
   allPathsAllowed,
+  normalizeRepoRelativePath,
+  normalizeChangedPathList,
 } from './path-allowlist.js';
 export {
   localHeadShaForPr,

package/merge-blockers.js

@@ -1,4 +1,4 @@
-import { allPathsAllowed } from './path-allowlist.js';
+import { allPathsAllowed, normalizeChangedPathList } from './path-allowlist.js';
 
 /**
  * Derive merge blockers from already-fetched PR view and checks facts.
@@ -27,8 +27,15 @@ export function mergeBlockersFromFacts(view, checks, pathScope = {}) {
     const changedPaths = pathScope.changed_paths;
     if (changedPaths == null) {
       blockers.push('changed_paths_unavailable');
-    } else if (!allPathsAllowed(allowedPaths, changedPaths)) {
-      blockers.push('path_scope_violation');
+    } else if (Array.isArray(changedPaths)) {
+      const normalizedPaths = normalizeChangedPathList(changedPaths);
+      if (normalizedPaths == null) {
+        blockers.push('changed_paths_unavailable');
+      } else if (!allPathsAllowed(allowedPaths, normalizedPaths)) {
+        blockers.push('path_scope_violation');
+      }
+    } else {
+      blockers.push('changed_paths_unavailable');
     }
   }
 

package/merge-plan-forge.js

@@ -0,0 +1,62 @@
+import { ERROR_CODES } from './contracts/errors.js';
+import {
+  applyForgePathScopeForMergePlan,
+  buildMergePlanBodyFromFacts,
+  normalizeAllowedPaths,
+} from './merge-plan.js';
+
+/** Errors that must propagate from crFiles during merge-plan path scope — not mapped to changed_paths_unavailable. */
+export const MERGE_PLAN_FORGE_SCOPE_RETHROW_CODES = new Set([
+  ERROR_CODES.UNAUTHENTICATED_PROVIDER,
+  ERROR_CODES.INVALID_ARGS,
+  ERROR_CODES.UNTRUSTED_BASE_URL,
+  ERROR_CODES.PROVIDER_UNSUPPORTED,
+  ERROR_CODES.CONFIG_INVALID,
+  ERROR_CODES.OVERSIZED_RAW_OUTPUT,
+  ERROR_CODES.CONFIG_NOT_FOUND,
+  ERROR_CODES.UNPARSEABLE_PROVIDER_OUTPUT,
+  ERROR_CODES.STALE_HEAD,
+  ERROR_CODES.MISSING_REF,
+  ERROR_CODES.PR_NOT_OPEN,
+  ERROR_CODES.REMOTE_INFER_FAILED,
+]);
+
+export function isMergePlanForgeScopeRethrowError(err) {
+  const code = err?.forgeError?.code;
+  return typeof code === 'string' && MERGE_PLAN_FORGE_SCOPE_RETHROW_CODES.has(code);
+}
+
+export { normalizeAllowedPaths } from './merge-plan.js';
+
+/**
+ * Resolve merge plan opts with forge cr_files when an allowlist is configured.
+ * @param {object} opts
+ * @param {() => Promise<object>} crFilesFn
+ */
+export async function resolveMergePlanOptsWithForgePaths(opts, crFilesFn) {
+  if (!normalizeAllowedPaths(opts.allowed_paths)) return opts;
+  try {
+    const crFilesBody = await crFilesFn();
+    return applyForgePathScopeForMergePlan(opts, crFilesBody);
+  } catch (err) {
+    if (isMergePlanForgeScopeRethrowError(err)) throw err;
+    // Intentional mask bucket: transient api_error → changed_paths_unavailable.
+    // write_not_configured / idempotency codes are not emitted by crFiles today.
+    return applyForgePathScopeForMergePlan(opts, null);
+  }
+}
+
+/**
+ * Build merge_plan body from provider deps (shared tri-provider orchestration).
+ * @param {object} ctx
+ * @param {object} opts
+ * @param {{ prView: Function, prChecks: Function, crFiles: Function }} deps
+ */
+export async function buildMergePlanFromProviderFacts(ctx, opts, deps) {
+  const view = await deps.prView(ctx, opts);
+  const checks = await deps.prChecks(ctx, { number: view.pr_number });
+  const mergeOpts = await resolveMergePlanOptsWithForgePaths(opts, () =>
+    deps.crFiles(ctx, { number: view.pr_number }),
+  );
+  return buildMergePlanBodyFromFacts(view, checks, mergeOpts);
+}

package/merge-plan.js

@@ -1,25 +1,64 @@
-import { gitDiffNameOnly } from './git-local.js';
 import { mergeBlockersFromFacts } from './merge-blockers.js';
+import { normalizeChangedPathList } from './path-allowlist.js';
 
-function normalizeAllowedPaths(allowedPaths) {
+function allowlistGlobHasDotDotSegment(glob) {
+  if (typeof glob !== 'string') return false;
+  const normalized = glob.replace(/\\/g, '/');
+  if (normalized === '..' || normalized.startsWith('../') || normalized.includes('/../')) {
+    return true;
+  }
+  return normalized.split('/').some((segment) => segment === '..');
+}
+
+export function normalizeAllowedPaths(allowedPaths) {
   if (!Array.isArray(allowedPaths)) return null;
-  const normalized = allowedPaths.filter((entry) => typeof entry === 'string' && entry.length > 0);
+  const normalized = allowedPaths
+    .filter((entry) => typeof entry === 'string')
+    .map((entry) => entry.trim())
+    .filter((entry) => entry.length > 0 && !allowlistGlobHasDotDotSegment(entry));
   return normalized.length > 0 ? normalized : null;
 }
 
-export function resolveMergePlanPathScope(ctx, view, opts = {}) {
+/** True when cr_files body is complete enough for merge-plan path scope. */
+export function isCrFilesScopeComplete(crFilesBody) {
+  if (!crFilesBody || crFilesBody.paths_truncated) return false;
+  const changedPaths = crFilesBody.changed_paths;
+  if (!Array.isArray(changedPaths)) return false;
+  const pathCount = Number.isFinite(Number(crFilesBody.path_count))
+    ? Math.floor(Number(crFilesBody.path_count))
+    : changedPaths.length;
+  if (pathCount > 0 && changedPaths.length === 0) return false;
+  if (pathCount > changedPaths.length) return false;
+  if (changedPaths.length > pathCount) return false;
+  return true;
+}
+
+/** Apply forge cr_files facts to merge plan opts when an allowlist is configured. */
+export function applyForgePathScopeForMergePlan(opts, crFilesBody) {
+  if (!normalizeAllowedPaths(opts.allowed_paths)) return opts;
+  if (!isCrFilesScopeComplete(crFilesBody)) {
+    return { ...opts, changed_paths: null };
+  }
+  const normalizedPaths = normalizeChangedPathList(crFilesBody.changed_paths);
+  if (normalizedPaths == null) {
+    return { ...opts, changed_paths: null };
+  }
+  return { ...opts, changed_paths: normalizedPaths };
+}
+
+export function resolveMergePlanPathScope(opts = {}) {
   const allowedPaths = normalizeAllowedPaths(opts.allowed_paths);
   if (!allowedPaths) {
     return { allowed_paths: null, changed_paths: null };
   }
   if (Array.isArray(opts.changed_paths)) {
-    return { allowed_paths: allowedPaths, changed_paths: opts.changed_paths };
-  }
-  if (!view.base_sha || !view.head_sha) {
-    return { allowed_paths: allowedPaths, changed_paths: null };
+    const normalizedPaths = normalizeChangedPathList(opts.changed_paths);
+    return {
+      allowed_paths: allowedPaths,
+      changed_paths: normalizedPaths,
+    };
   }
-  const changedPaths = gitDiffNameOnly(ctx.cwd, view.base_sha, view.head_sha);
-  return { allowed_paths: allowedPaths, changed_paths: changedPaths };
+  return { allowed_paths: allowedPaths, changed_paths: null };
 }
 
 export function buildMergePlanBody(view, checks, pathScope = {}) {
@@ -31,7 +70,7 @@ export function buildMergePlanBody(view, checks, pathScope = {}) {
   };
 }
 
-export function buildMergePlanBodyFromFacts(ctx, view, checks, opts = {}) {
-  const pathScope = resolveMergePlanPathScope(ctx, view, opts);
+export function buildMergePlanBodyFromFacts(view, checks, opts = {}) {
+  const pathScope = resolveMergePlanPathScope(opts);
   return buildMergePlanBody(view, checks, pathScope);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@remogram/core",
-  "version": "0.1.0-beta.5",
+  "version": "0.1.0-beta.6",
   "description": "Remogram forge envelope, config, caps, and HTTP utilities",
   "type": "module",
   "license": "MIT",

package/path-allowlist.js

@@ -3,6 +3,56 @@
  * Supports `**`, `*`, and literal path segments (e.g. README.md).
  */
 
+/**
+ * Collapse `.` / `..` segments; reject absolute paths and repo-root escape.
+ * @param {string} filePath
+ * @returns {string|null}
+ */
+export function normalizeRepoRelativePath(filePath) {
+  if (typeof filePath !== 'string') return null;
+  let path = filePath.replace(/\\/g, '/').replace(/^\.\//, '');
+  if (path === '') return null;
+  if (path.startsWith('/')) return null;
+  if (path === '..' || path.startsWith('../')) return null;
+  const parts = path.split('/');
+  const out = [];
+  for (const part of parts) {
+    if (part === '' || part === '.') continue;
+    if (part === '..') {
+      if (out.length > 0) out.pop();
+      continue;
+    }
+    out.push(part);
+  }
+  return out.join('/');
+}
+
+function changedPathHasDotDotSegment(filePath) {
+  if (typeof filePath !== 'string') return false;
+  const normalized = filePath.replace(/\\/g, '/').replace(/^\.\//, '');
+  if (normalized === '..' || normalized.startsWith('../') || normalized.includes('/../')) {
+    return true;
+  }
+  return normalized.split('/').some((segment) => segment === '..');
+}
+
+/**
+ * Normalize a forge changed-path list for allowlist scope; null if any path is unnormalizable.
+ * @param {unknown} changedPaths
+ * @returns {string[]|null}
+ */
+export function normalizeChangedPathList(changedPaths) {
+  if (!Array.isArray(changedPaths)) return null;
+  const normalized = [];
+  for (const filePath of changedPaths) {
+    if (changedPathHasDotDotSegment(filePath)) return null;
+    const repoPath = normalizeRepoRelativePath(filePath);
+    if (repoPath == null) return null;
+    normalized.push(repoPath);
+  }
+  return normalized;
+}
+
 function globToRegExp(glob) {
   let pattern = '';
   for (let i = 0; i < glob.length; i += 1) {
@@ -29,7 +79,8 @@ function globToRegExp(glob) {
  */
 export function matchPathAllowlist(glob, filePath) {
   if (typeof glob !== 'string' || typeof filePath !== 'string') return false;
-  const normalized = filePath.replace(/\\/g, '/').replace(/^\.\//, '');
+  const normalized = normalizeRepoRelativePath(filePath);
+  if (normalized == null) return false;
   return globToRegExp(glob).test(normalized);
 }