@rubytech/create-maxy 1.0.856 → 1.0.859

package/payload/platform/scripts/check-no-task-id-leaks.mjs

@@ -0,0 +1,110 @@
+#!/usr/bin/env node
+// Build-time gate: rejects `(Task NNN)` citations in operator-visible production
+// strings. Citations are allowed in inline comments and test titles/bodies only.
+//
+// Live repro that motivated the gate: setup-tunnel.sh on realagent 192.168.88.8
+// emitted `Re-run the installer to provision Chromium (Task 929).` to the
+// operator's chat surface — the citation made the operator chase Task 929's
+// history rather than execute the verb. Operator surfaces strip citations;
+// internal references keep them.
+//
+// Comment-skip is line-leading-character based, not AST. The repo's actual
+// comment forms are: `#` (shell), `//` (TS/JS line), `*`/`/*`/`/**` (JSDoc
+// continuation, block, doc), and `{/*` (JSX). Any line whose first non-
+// whitespace token is one of these is skipped. Test files (`__tests__/` and
+// `*.test.{ts,tsx,js}`) are skipped wholesale because the brief's out-of-scope
+// rule covers test titles, and test bodies that assert on citations are
+// equivalent to titles for this gate's purpose.
+
+import { readFileSync, readdirSync, statSync } from 'node:fs'
+import { dirname, join, relative, sep, basename } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const SCRIPT_DIR = dirname(fileURLToPath(import.meta.url))
+const REPO_ROOT = join(SCRIPT_DIR, '..', '..')
+
+const SCAN_ROOTS = [
+  join(REPO_ROOT, 'platform', 'scripts'),
+  join(REPO_ROOT, 'platform', 'plugins'),
+  join(REPO_ROOT, 'platform', 'ui', 'server'),
+  join(REPO_ROOT, 'platform', 'ui', 'app'),
+  join(REPO_ROOT, 'packages', 'create-maxy', 'src'),
+]
+
+const ALLOWED_EXTS = new Set(['.sh', '.ts', '.tsx', '.js', '.mjs', '.cjs'])
+const SKIP_DIR_NAMES = new Set([
+  'node_modules', 'dist', 'build', '.next', 'payload', '__tests__',
+])
+const TASK_ID_RE = /\(Task \d+\)/
+
+function isCommentLine(line) {
+  const trimmed = line.replace(/^\s+/, '')
+  if (trimmed.startsWith('#')) return true
+  if (trimmed.startsWith('//')) return true
+  if (trimmed.startsWith('/*')) return true
+  if (trimmed.startsWith('*')) return true
+  if (trimmed.startsWith('{/*')) return true
+  return false
+}
+
+function shouldScanFile(filePath) {
+  const name = basename(filePath)
+  if (name.endsWith('.test.ts')) return false
+  if (name.endsWith('.test.tsx')) return false
+  if (name.endsWith('.test.js')) return false
+  const ext = name.includes('.') ? '.' + name.split('.').pop() : ''
+  return ALLOWED_EXTS.has(ext)
+}
+
+function* walk(root) {
+  let entries
+  try {
+    entries = readdirSync(root)
+  } catch {
+    return
+  }
+  for (const name of entries) {
+    if (SKIP_DIR_NAMES.has(name)) continue
+    const full = join(root, name)
+    let st
+    try { st = statSync(full) } catch { continue }
+    if (st.isDirectory()) {
+      yield* walk(full)
+    } else if (st.isFile()) {
+      yield full
+    }
+  }
+}
+
+const leaks = []
+
+for (const root of SCAN_ROOTS) {
+  for (const file of walk(root)) {
+    if (!shouldScanFile(file)) continue
+    let content
+    try {
+      content = readFileSync(file, 'utf-8')
+    } catch {
+      continue
+    }
+    const lines = content.split('\n')
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i]
+      if (!TASK_ID_RE.test(line)) continue
+      if (isCommentLine(line)) continue
+      leaks.push({ file: relative(REPO_ROOT, file), line: i + 1, content: line.trim() })
+    }
+  }
+}
+
+if (leaks.length > 0) {
+  console.error(`check-no-task-id-leaks: ${leaks.length} operator-visible (Task NNN) citation(s) found:`)
+  for (const leak of leaks) {
+    console.error(`  ${leak.file}:${leak.line}: ${leak.content}`)
+  }
+  console.error('')
+  console.error('Citations belong in inline comments only, never in operator-visible strings')
+  console.error('(stderr/stdout, log files surfaced via logs-read.sh, systemd unit')
+  console.error('--description=, error messages, console.log/warn/error, throw new Error).')
+  process.exit(1)
+}

package/payload/platform/scripts/test-laptop-vnc-boot.sh

@@ -29,7 +29,14 @@ pass()   { echo "OK: $*"; }
 [ -r "$BRAND_JSON" ] || fail "${BRAND_JSON} unreadable"
 command -v jq >/dev/null 2>&1 || fail "jq not on PATH (apt install jq)"
 CONFIG_DIR=$(jq -r '.configDir // ".maxy"' "$BRAND_JSON")
-CDP_PORT=$(jq -r '.cdpPort // 9222' "$BRAND_JSON")
+# Task 959 — brand.json is the single source of truth for cdpPort at
+# runtime; a missing field is a doctrinal violation, not a fallback.
+if ! CDP_PORT=$(jq -er '.cdpPort' "$BRAND_JSON" 2>/dev/null); then
+  _keys=$(jq -r 'keys | join(",")' "$BRAND_JSON" 2>/dev/null || echo "unparseable")
+  _brand=$(echo "$CONFIG_DIR" | sed 's/^\.//')
+  echo "[test-laptop-vnc-boot] error reason=cdp-port-unresolved brand=$_brand path=$BRAND_JSON field=cdpPort json_keys=$_keys" >&2
+  exit 1
+fi
 PERSIST_DIR="${HOME}/${CONFIG_DIR}"
 VNC_LOG="${PERSIST_DIR}/logs/vnc-boot.log"
 

package/payload/platform/scripts/vnc.sh

@@ -41,36 +41,42 @@ set -uo pipefail
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 PLATFORM_ROOT="${MAXY_PLATFORM_ROOT:-$(dirname "$SCRIPT_DIR")}"
 BRAND_JSON="${PLATFORM_ROOT}/config/brand.json"
-CONFIG_DIR=".maxy"
-VNC_DISPLAY_NUM=99
-RFB_PORT=""
-WEBSOCKIFY_PORT=""
-CDP_PORT=""
-BRAND_HOSTNAME="maxy"
-if [ -f "$BRAND_JSON" ] && command -v jq >/dev/null 2>&1; then
-  _dir=$(jq -r '.configDir // empty' "$BRAND_JSON" 2>/dev/null) || true
-  [ -n "$_dir" ] && CONFIG_DIR="$_dir"
-  _vd=$(jq -r '.vncDisplay // empty' "$BRAND_JSON" 2>/dev/null) || true
-  if [ -n "$_vd" ] && [ "$_vd" -eq "$_vd" ] 2>/dev/null; then
-    VNC_DISPLAY_NUM="$_vd"
-  fi
-  _rfb=$(jq -r '.rfbPort // empty' "$BRAND_JSON" 2>/dev/null) || true
-  if [ -n "$_rfb" ] && [ "$_rfb" -eq "$_rfb" ] 2>/dev/null; then RFB_PORT="$_rfb"; fi
-  _wsp=$(jq -r '.websockifyPort // empty' "$BRAND_JSON" 2>/dev/null) || true
-  if [ -n "$_wsp" ] && [ "$_wsp" -eq "$_wsp" ] 2>/dev/null; then WEBSOCKIFY_PORT="$_wsp"; fi
-  _cdp=$(jq -r '.cdpPort // empty' "$BRAND_JSON" 2>/dev/null) || true
-  if [ -n "$_cdp" ] && [ "$_cdp" -eq "$_cdp" ] 2>/dev/null; then CDP_PORT="$_cdp"; fi
-  _hn=$(jq -r '.hostname // empty' "$BRAND_JSON" 2>/dev/null) || true
-  [ -n "$_hn" ] && BRAND_HOSTNAME="$_hn"
+
+# Task 959 — brand.json is the single source of truth at runtime; missing
+# fields loud-fail rather than silently substituting a vncDisplay-derived
+# offset (silent-fallback-masks-root-cause recurrence). The install-time
+# offset rule in packages/create-maxy/src/index.ts stamps every brand at
+# build time, so a correctly-installed device always has all five fields.
+if [ ! -f "$BRAND_JSON" ]; then
+  echo "[vnc.sh] error reason=brand-config-missing path=$BRAND_JSON" >&2
+  exit 1
+fi
+if ! command -v jq >/dev/null 2>&1; then
+  echo "[vnc.sh] error reason=brand-config-missing path=$BRAND_JSON detail=\"jq not on PATH\"" >&2
+  exit 1
 fi
 
-# Task 924 — deterministic fallback when brand.json omits any of the three
-# new port fields. Mirrors the rule in paths.ts so vnc.sh and the runtime
-# always agree on the port set even when only `vncDisplay` is stamped.
-_offset=$((VNC_DISPLAY_NUM - 99))
-[ -z "$RFB_PORT" ] && RFB_PORT=$((5900 + _offset))
-[ -z "$WEBSOCKIFY_PORT" ] && WEBSOCKIFY_PORT=$((6080 + _offset))
-[ -z "$CDP_PORT" ] && CDP_PORT=$((9222 + _offset))
+# `exit 1` inside a `$(…)` command substitution only kills the subshell, so
+# the loud-fail uses a parent-context `||` chain instead. Each field is read
+# with `jq -e` (exit non-zero on null/missing) and a parent-context error
+# helper invokes the script-level `exit 1`.
+_fail_brand_field() {
+  local field="$1"
+  local keys
+  keys=$(jq -r 'keys | join(",")' "$BRAND_JSON" 2>/dev/null || echo "unparseable")
+  local brand_label
+  brand_label=$(jq -r '.configDir // "unknown"' "$BRAND_JSON" 2>/dev/null | sed 's/^\.//')
+  echo "[vnc.sh] error reason=cdp-port-unresolved brand=$brand_label path=$BRAND_JSON field=$field json_keys=$keys" >&2
+  exit 1
+}
+
+CONFIG_DIR=$(jq -er '.configDir' "$BRAND_JSON" 2>/dev/null) || _fail_brand_field configDir
+VNC_DISPLAY_NUM=$(jq -er '.vncDisplay' "$BRAND_JSON" 2>/dev/null) || _fail_brand_field vncDisplay
+RFB_PORT=$(jq -er '.rfbPort' "$BRAND_JSON" 2>/dev/null) || _fail_brand_field rfbPort
+WEBSOCKIFY_PORT=$(jq -er '.websockifyPort' "$BRAND_JSON" 2>/dev/null) || _fail_brand_field websockifyPort
+CDP_PORT=$(jq -er '.cdpPort' "$BRAND_JSON" 2>/dev/null) || _fail_brand_field cdpPort
+BRAND_HOSTNAME=$(jq -r '.hostname // empty' "$BRAND_JSON" 2>/dev/null)
+[ -z "$BRAND_HOSTNAME" ] && BRAND_HOSTNAME="${CONFIG_DIR#.}"
 
 VNC_DISPLAY=":${VNC_DISPLAY_NUM}"
 MAXY_DIR="${HOME}/${CONFIG_DIR}"
@@ -96,18 +102,18 @@ CHROMIUM_BIN_FILE="${PLATFORM_ROOT}/config/chromium-binary.path"
 if [ ! -r "$CHROMIUM_BIN_FILE" ]; then
   log "[vnc.sh:chromium] FATAL: ${CHROMIUM_BIN_FILE} missing or unreadable"
   echo "ERROR: ${CHROMIUM_BIN_FILE} missing or unreadable." >&2
-  echo "       Re-run the installer to provision a non-snap Chromium (Task 929)." >&2
+  echo "       Re-run the installer to provision a non-snap Chromium." >&2
   exit 1
 fi
 CHROMIUM_BIN="$(head -n1 "$CHROMIUM_BIN_FILE" | tr -d '[:space:]')"
 if [ -z "$CHROMIUM_BIN" ]; then
   log "[vnc.sh:chromium] FATAL: ${CHROMIUM_BIN_FILE} is empty"
-  echo "ERROR: ${CHROMIUM_BIN_FILE} is empty — re-run installer (Task 929)." >&2
+  echo "ERROR: ${CHROMIUM_BIN_FILE} is empty — re-run installer." >&2
   exit 1
 fi
 if [ ! -x "$CHROMIUM_BIN" ]; then
   log "[vnc.sh:chromium] FATAL: configured CHROMIUM_BIN=${CHROMIUM_BIN} is not executable"
-  echo "ERROR: configured Chromium binary ${CHROMIUM_BIN} is not executable — re-run installer (Task 929)." >&2
+  echo "ERROR: configured Chromium binary ${CHROMIUM_BIN} is not executable — re-run installer." >&2
   exit 1
 fi
 CHROMIUM_REALPATH="$(readlink -f "$CHROMIUM_BIN" 2>/dev/null || echo "$CHROMIUM_BIN")"
@@ -115,7 +121,7 @@ case ":$(echo "$CHROMIUM_REALPATH" | tr '/' ':'):" in
   *:snap:*)
     log "[vnc.sh:chromium] FATAL: CHROMIUM_BIN=${CHROMIUM_BIN} resolves to ${CHROMIUM_REALPATH} (snap-confined)"
     echo "ERROR: configured Chromium ${CHROMIUM_BIN} resolves to ${CHROMIUM_REALPATH} which is snap-confined." >&2
-    echo "       Snap AppArmor denies writes to ~/.{brand}/chromium-profile/. Re-run installer to install Google Chrome (Task 929)." >&2
+    echo "       Snap AppArmor denies writes to ~/.{brand}/chromium-profile/. Re-run installer to install Google Chrome." >&2
     exit 1
     ;;
 esac
@@ -305,7 +311,7 @@ start_chrome_on() {
     if check_window_on_display "${target_display}"; then
       log "Chromium ready (${label}) with CDP on :${CDP_PORT} windowPresent=true"
     else
-      log "WARNING: Chromium CDP up on :${CDP_PORT} but no window visible on ${target_display} (${label}) — observability-only, not gating (Task 632)"
+      log "WARNING: Chromium CDP up on :${CDP_PORT} but no window visible on ${target_display} (${label}) — observability-only, not gating"
     fi
   else
     log "ERROR: Chromium failed to start on ${target_display} (${label}) — CDP port ${CDP_PORT} not listening (browser-specialist degraded)"
@@ -381,7 +387,7 @@ start_chrome_native() {
     elif [ "$NATIVE_SESSION_TYPE" = "wayland" ]; then
       log "Chromium ready (native) with CDP on :${CDP_PORT} windowPresent=unknown (wayland)"
     else
-      log "WARNING: Chromium CDP up on :${CDP_PORT} but no window visible on ${NATIVE_DISPLAY} (native) — observability-only, not gating (Task 632)"
+      log "WARNING: Chromium CDP up on :${CDP_PORT} but no window visible on ${NATIVE_DISPLAY} (native) — observability-only, not gating"
     fi
   else
     log "ERROR: Chromium failed to start on ${NATIVE_DISPLAY} (native) — CDP port ${CDP_PORT} not listening (browser-specialist degraded)"