@rigour-labs/core 4.0.5 → 4.1.0

package/dist/inference/model-manager.js

@@ -4,21 +4,74 @@
  */
 import path from 'path';
 import fs from 'fs-extra';
+import { createHash } from 'crypto';
 import { RIGOUR_DIR } from '../storage/db.js';
 import { MODELS } from './types.js';
 const MODELS_DIR = path.join(RIGOUR_DIR, 'models');
+const SHA256_RE = /^[a-f0-9]{64}$/i;
+function getModelMetadataPath(tier) {
+    return path.join(MODELS_DIR, MODELS[tier].filename + '.meta.json');
+}
+function isValidMetadata(raw) {
+    return !!raw &&
+        typeof raw.sha256 === 'string' &&
+        SHA256_RE.test(raw.sha256) &&
+        typeof raw.sizeBytes === 'number' &&
+        typeof raw.verifiedAt === 'string' &&
+        typeof raw.sourceUrl === 'string';
+}
+export function extractSha256FromEtag(etag) {
+    if (!etag)
+        return null;
+    const normalized = etag.replace(/^W\//i, '').replace(/^"+|"+$/g, '').trim();
+    return SHA256_RE.test(normalized) ? normalized.toLowerCase() : null;
+}
+export async function hashFileSha256(filePath) {
+    const hash = createHash('sha256');
+    const stream = fs.createReadStream(filePath);
+    for await (const chunk of stream) {
+        hash.update(chunk);
+    }
+    return hash.digest('hex');
+}
+async function writeModelMetadata(tier, metadata) {
+    const metadataPath = getModelMetadataPath(tier);
+    await fs.writeJson(metadataPath, metadata, { spaces: 2 });
+}
+async function readModelMetadata(tier) {
+    const metadataPath = getModelMetadataPath(tier);
+    if (!(await fs.pathExists(metadataPath))) {
+        return null;
+    }
+    try {
+        const raw = await fs.readJson(metadataPath);
+        return isValidMetadata(raw) ? raw : null;
+    }
+    catch {
+        return null;
+    }
+}
 /**
  * Check if a model is already downloaded and valid.
  */
-export function isModelCached(tier) {
+export async function isModelCached(tier) {
     const model = MODELS[tier];
     const modelPath = path.join(MODELS_DIR, model.filename);
-    if (!fs.existsSync(modelPath))
+    if (!(await fs.pathExists(modelPath)))
         return false;
-    // Basic size check (within 10% tolerance)
-    const stat = fs.statSync(modelPath);
+    const metadata = await readModelMetadata(tier);
+    if (!metadata)
+        return false;
+    // Size check + "changed since verification" check.
+    const stat = await fs.stat(modelPath);
     const tolerance = model.sizeBytes * 0.1;
-    return stat.size > model.sizeBytes - tolerance;
+    if (stat.size <= model.sizeBytes - tolerance)
+        return false;
+    if (metadata.sizeBytes !== stat.size)
+        return false;
+    if (new Date(metadata.verifiedAt).getTime() < stat.mtimeMs)
+        return false;
+    return true;
 }
 /**
  * Get the path to a cached model.
@@ -42,7 +95,7 @@ export async function downloadModel(tier, onProgress) {
     const tempPath = destPath + '.download';
     fs.ensureDirSync(MODELS_DIR);
     // Already cached
-    if (isModelCached(tier)) {
+    if (await isModelCached(tier)) {
         onProgress?.(`Model ${model.name} already cached`, 100);
         return destPath;
     }
@@ -52,18 +105,22 @@ export async function downloadModel(tier, onProgress) {
         if (!response.ok) {
             throw new Error(`HTTP ${response.status}: ${response.statusText}`);
         }
+        const expectedSha256 = extractSha256FromEtag(response.headers.get('etag'));
         const contentLength = parseInt(response.headers.get('content-length') || '0', 10);
         const reader = response.body?.getReader();
         if (!reader)
             throw new Error('No response body');
         const writeStream = fs.createWriteStream(tempPath);
+        const hash = createHash('sha256');
         let downloaded = 0;
         let lastProgressPercent = 0;
         while (true) {
             const { done, value } = await reader.read();
             if (done)
                 break;
-            writeStream.write(Buffer.from(value));
+            const chunk = Buffer.from(value);
+            writeStream.write(chunk);
+            hash.update(chunk);
             downloaded += value.length;
             if (contentLength > 0) {
                 const percent = Math.round((downloaded / contentLength) * 100);
@@ -78,8 +135,19 @@ export async function downloadModel(tier, onProgress) {
             writeStream.on('finish', resolve);
             writeStream.on('error', reject);
         });
+        const actualSha256 = hash.digest('hex');
+        if (expectedSha256 && actualSha256 !== expectedSha256) {
+            throw new Error(`Model checksum mismatch for ${model.name}: expected ${expectedSha256}, got ${actualSha256}`);
+        }
         // Atomic rename
         fs.renameSync(tempPath, destPath);
+        await writeModelMetadata(tier, {
+            sha256: actualSha256,
+            sizeBytes: downloaded,
+            verifiedAt: new Date().toISOString(),
+            sourceUrl: model.url,
+            sourceEtag: response.headers.get('etag') || undefined,
+        });
         onProgress?.(`Model ${model.name} ready`, 100);
         return destPath;
     }
@@ -93,7 +161,7 @@ export async function downloadModel(tier, onProgress) {
  * Ensure a model is available, downloading if needed.
  */
 export async function ensureModel(tier, onProgress) {
-    if (isModelCached(tier)) {
+    if (await isModelCached(tier)) {
         return getModelPath(tier);
     }
     return downloadModel(tier, onProgress);

package/dist/inference/model-manager.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/inference/model-manager.test.js

@@ -0,0 +1,24 @@
+import { describe, it, expect } from 'vitest';
+import fs from 'fs-extra';
+import os from 'os';
+import path from 'path';
+import { extractSha256FromEtag, hashFileSha256 } from './model-manager.js';
+describe('model manager integrity helpers', () => {
+    it('extracts sha256 digest from a strong ETag', () => {
+        const digest = 'a'.repeat(64);
+        expect(extractSha256FromEtag(`"${digest}"`)).toBe(digest);
+        expect(extractSha256FromEtag(`W/"${digest}"`)).toBe(digest);
+    });
+    it('returns null for non-sha ETags', () => {
+        expect(extractSha256FromEtag('"not-a-digest"')).toBeNull();
+        expect(extractSha256FromEtag(null)).toBeNull();
+    });
+    it('hashes file contents with sha256', async () => {
+        const dir = await fs.mkdtemp(path.join(os.tmpdir(), 'rigour-model-hash-'));
+        const filePath = path.join(dir, 'sample.gguf');
+        await fs.writeFile(filePath, 'rigour-model-check');
+        const digest = await hashFileSha256(filePath);
+        expect(digest).toBe('e123266ea4b37a81948a0a844dd58eddfc81737aa6fdf9dafc818fd23bae75f0');
+        await fs.remove(dir);
+    });
+});

package/dist/inference/sidecar-provider.d.ts

@@ -11,6 +11,7 @@ export declare class SidecarProvider implements InferenceProvider {
     analyze(prompt: string, options?: InferenceOptions): Promise<string>;
     dispose(): void;
     private getPlatformKey;
+    private getPlatformPackageName;
     private resolveBinaryPath;
     private installSidecarBinary;
 }

package/dist/inference/sidecar-provider.js

@@ -10,7 +10,9 @@ import os from 'os';
 import fs from 'fs-extra';
 import { createRequire } from 'module';
 import { ensureModel, isModelCached, getModelInfo } from './model-manager.js';
+import { ensureExecutableBinary } from './executable.js';
 const execFileAsync = promisify(execFile);
+const SIDECAR_INSTALL_DIR = path.join(os.homedir(), '.rigour', 'sidecar');
 /** Platform → npm package mapping */
 const PLATFORM_PACKAGES = {
     'darwin-arm64': '@rigour-labs/brain-darwin-arm64',
@@ -34,11 +36,10 @@ export class SidecarProvider {
         return binary !== null;
     }
     async setup(onProgress) {
-        const platformKey = this.getPlatformKey();
-        const packageName = PLATFORM_PACKAGES[platformKey];
+        const packageName = this.getPlatformPackageName();
         // 1. Check/resolve binary
         this.binaryPath = await this.resolveBinaryPath();
-        // Auto-bootstrap local sidecar once before failing.
+        // Auto-bootstrap local sidecar when missing.
         if (!this.binaryPath && packageName) {
             const installed = await this.installSidecarBinary(packageName, onProgress);
             if (installed) {
@@ -47,12 +48,31 @@ export class SidecarProvider {
         }
         if (!this.binaryPath) {
             onProgress?.('⚠ Inference engine not found. Install @rigour-labs/brain-* or add llama-cli to PATH');
-            const installHint = packageName || `@rigour-labs/brain-${platformKey}`;
+            const installHint = packageName || `@rigour-labs/brain-${this.getPlatformKey()}`;
             throw new Error(`Sidecar binary not found. Run: npm install ${installHint}`);
         }
+        let executableCheck = ensureExecutableBinary(this.binaryPath);
+        // If the discovered binary is not executable, try a managed reinstall once.
+        if (!executableCheck.ok && packageName) {
+            onProgress?.('⚠ Inference engine is present but not executable. Reinstalling managed sidecar...');
+            const installed = await this.installSidecarBinary(packageName, onProgress);
+            if (installed) {
+                const refreshedPath = await this.resolveBinaryPath();
+                if (refreshedPath) {
+                    this.binaryPath = refreshedPath;
+                    executableCheck = ensureExecutableBinary(this.binaryPath);
+                }
+            }
+        }
+        if (!executableCheck.ok) {
+            throw new Error(`Sidecar binary is not executable: ${this.binaryPath}. Run: chmod +x "${this.binaryPath}"`);
+        }
+        if (executableCheck.fixed) {
+            onProgress?.('✓ Fixed execute permission for inference engine');
+        }
         onProgress?.('✓ Inference engine ready');
         // 2. Ensure model is downloaded
-        if (!isModelCached(this.tier)) {
+        if (!(await isModelCached(this.tier))) {
             const modelInfo = getModelInfo(this.tier);
             onProgress?.(`⬇ Downloading analysis model (${modelInfo.sizeHuman})...`);
         }
@@ -86,9 +106,45 @@ export class SidecarProvider {
                 maxBuffer: 10 * 1024 * 1024, // 10MB
                 env: { ...process.env, LLAMA_LOG_DISABLE: '1' },
             };
-            const { stdout } = process.platform === 'win32' && this.binaryPath.endsWith('.cmd')
-                ? await execFileAsync('cmd.exe', ['/d', '/s', '/c', [this.binaryPath, ...args].map(quoteCmdArg).join(' ')], execOptions)
-                : await execFileAsync(this.binaryPath, args, execOptions);
+            const runInference = async () => {
+                return process.platform === 'win32' && this.binaryPath.endsWith('.cmd')
+                    ? await execFileAsync('cmd.exe', ['/d', '/s', '/c', [this.binaryPath, ...args].map(quoteCmdArg).join(' ')], execOptions)
+                    : await execFileAsync(this.binaryPath, args, execOptions);
+            };
+            let stdout;
+            try {
+                ({ stdout } = await runInference());
+            }
+            catch (error) {
+                // One retry path for stale/bad file mode in packaged installs.
+                if (error?.code === 'EACCES') {
+                    const check = ensureExecutableBinary(this.binaryPath);
+                    if (check.ok) {
+                        ({ stdout } = await runInference());
+                    }
+                    else {
+                        const packageName = this.getPlatformPackageName();
+                        if (packageName) {
+                            const installed = await this.installSidecarBinary(packageName);
+                            if (installed) {
+                                const refreshedPath = await this.resolveBinaryPath();
+                                if (refreshedPath) {
+                                    this.binaryPath = refreshedPath;
+                                    const refreshedCheck = ensureExecutableBinary(this.binaryPath);
+                                    if (refreshedCheck.ok) {
+                                        ({ stdout } = await runInference());
+                                        return stdout.trim();
+                                    }
+                                }
+                            }
+                        }
+                        throw error;
+                    }
+                }
+                else {
+                    throw error;
+                }
+            }
             // llama.cpp sometimes outputs to stderr for diagnostics — ignore
             return stdout.trim();
         }
@@ -96,6 +152,9 @@ export class SidecarProvider {
             if (error.killed) {
                 throw new Error(`Inference timed out after ${(options?.timeout || 60000) / 1000}s`);
             }
+            if (error?.code === 'EACCES') {
+                throw new Error(`Inference binary is not executable: ${this.binaryPath}. Run: chmod +x "${this.binaryPath}"`);
+            }
             throw new Error(`Inference failed: ${error.message}`);
         }
     }
@@ -107,11 +166,25 @@ export class SidecarProvider {
     getPlatformKey() {
         return `${os.platform()}-${os.arch()}`;
     }
+    getPlatformPackageName() {
+        const platformKey = this.getPlatformKey();
+        return PLATFORM_PACKAGES[platformKey];
+    }
     async resolveBinaryPath() {
         const platformKey = this.getPlatformKey();
         // Strategy 1: Check @rigour-labs/brain-{platform} optional dependency
         const packageName = PLATFORM_PACKAGES[platformKey];
         if (packageName) {
+            // Prefer Rigour-managed sidecar install root first to avoid brittle global/homebrew layouts.
+            const managedPath = path.join(SIDECAR_INSTALL_DIR, 'node_modules', ...packageName.split('/'), 'bin', 'rigour-brain');
+            const managedCandidates = os.platform() === 'win32'
+                ? [managedPath + '.exe', managedPath + '.cmd', managedPath]
+                : [managedPath];
+            for (const managedBinPath of managedCandidates) {
+                if (await fs.pathExists(managedBinPath)) {
+                    return managedBinPath;
+                }
+            }
             try {
                 const require = createRequire(import.meta.url);
                 const pkgJsonPath = require.resolve(path.posix.join(packageName, 'package.json'));
@@ -165,9 +238,10 @@ export class SidecarProvider {
             }
         }
         // Strategy 3: Check PATH for llama-cli (llama.cpp CLI)
+        const locator = os.platform() === 'win32' ? 'where' : 'which';
         try {
-            const { stdout } = await execFileAsync('which', ['llama-cli']);
-            const llamaPath = stdout.trim();
+            const { stdout } = await execFileAsync(locator, ['llama-cli']);
+            const llamaPath = stdout.split(/\r?\n/).map(s => s.trim()).find(Boolean) || '';
             if (llamaPath && await fs.pathExists(llamaPath)) {
                 return llamaPath;
             }
@@ -179,9 +253,10 @@ export class SidecarProvider {
         const altNames = ['llama-cli', 'llama', 'main'];
         for (const name of altNames) {
             try {
-                const { stdout } = await execFileAsync('which', [name]);
-                if (stdout.trim())
-                    return stdout.trim();
+                const { stdout } = await execFileAsync(locator, [name]);
+                const resolved = stdout.split(/\r?\n/).map(s => s.trim()).find(Boolean);
+                if (resolved && await fs.pathExists(resolved))
+                    return resolved;
             }
             catch {
                 // Continue
@@ -192,8 +267,9 @@ export class SidecarProvider {
     async installSidecarBinary(packageName, onProgress) {
         onProgress?.(`⬇ Inference engine missing. Attempting automatic install: ${packageName}`);
         try {
-            await execFileAsync('npm', ['install', '--no-save', '--no-package-lock', packageName], {
-                cwd: process.cwd(),
+            await fs.ensureDir(SIDECAR_INSTALL_DIR);
+            await execFileAsync(os.platform() === 'win32' ? 'npm.cmd' : 'npm', ['install', '--no-save', '--no-package-lock', '--prefix', SIDECAR_INSTALL_DIR, packageName], {
+                cwd: SIDECAR_INSTALL_DIR,
                 timeout: 120000,
                 maxBuffer: 10 * 1024 * 1024,
             });

package/dist/services/context-engine.js

@@ -47,7 +47,7 @@ export class ContextEngine {
             anchors,
             metadata: {
                 scannedFiles,
-                detectedCasing: 'unknown', // TODO: Implement casing discovery
+                detectedCasing: 'unknown', // Placeholder until casing discovery is implemented
             }
         };
     }

package/dist/templates/universal-config.js

@@ -113,9 +113,9 @@ export const UNIVERSAL_CONFIG = {
         },
         context_window_artifacts: {
             enabled: true,
-            min_file_lines: 100,
-            degradation_threshold: 0.4,
-            signals_required: 2,
+            min_file_lines: 180,
+            degradation_threshold: 0.55,
+            signals_required: 4,
         },
         promise_safety: {
             enabled: true,

package/dist/types/index.js

@@ -125,9 +125,9 @@ export const GatesSchema = z.object({
     }).optional().default({}),
     context_window_artifacts: z.object({
         enabled: z.boolean().optional().default(true),
-        min_file_lines: z.number().optional().default(100),
-        degradation_threshold: z.number().min(0).max(1).optional().default(0.4),
-        signals_required: z.number().optional().default(2),
+        min_file_lines: z.number().optional().default(180),
+        degradation_threshold: z.number().min(0).max(1).optional().default(0.55),
+        signals_required: z.number().optional().default(4),
     }).optional().default({}),
     promise_safety: z.object({
         enabled: z.boolean().optional().default(true),

package/dist/utils/scanner.js

@@ -6,6 +6,12 @@ export class FileScanner {
     static DEFAULT_IGNORE = [
         '**/node_modules/**',
         '**/dist/**',
+        '**/studio-dist/**',
+        '**/.next/**',
+        '**/coverage/**',
+        '**/out/**',
+        '**/target/**',
+        '**/examples/**',
         '**/package-lock.json',
         '**/pnpm-lock.yaml',
         '**/.git/**',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/core",
-  "version": "4.0.5",
+  "version": "4.1.0",
   "description": "Deterministic quality gate engine for AI-generated code. AST analysis, drift detection, and Fix Packet generation across TypeScript, JavaScript, Python, Go, Ruby, and C#.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -59,11 +59,11 @@
     "@xenova/transformers": "^2.17.2",
     "better-sqlite3": "^11.0.0",
     "openai": "^4.104.0",
-    "@rigour-labs/brain-darwin-arm64": "4.0.5",
-    "@rigour-labs/brain-darwin-x64": "4.0.5",
-    "@rigour-labs/brain-linux-x64": "4.0.5",
-    "@rigour-labs/brain-linux-arm64": "4.0.5",
-    "@rigour-labs/brain-win-x64": "4.0.5"
+    "@rigour-labs/brain-darwin-arm64": "4.1.0",
+    "@rigour-labs/brain-darwin-x64": "4.1.0",
+    "@rigour-labs/brain-win-x64": "4.1.0",
+    "@rigour-labs/brain-linux-x64": "4.1.0",
+    "@rigour-labs/brain-linux-arm64": "4.1.0"
   },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.12",