@semalt-ai/code 1.8.5 → 1.20.0

package/.claude/settings.local.json

@@ -17,7 +17,13 @@
       "Bash(sed -i \"s/addMessage\\('>>> AI MSG 2'.*$/addMessage\\('>>> AI MSG 2',   ['response body 2a', 'response body 2b']\\);\\\\nfor \\(let k = 3; k <= 8; k++\\) { addMessage\\('>>> USER MSG ' + k, ['line body ' + k]\\); addMessage\\('>>> AI MSG ' + k, ['response body ' + k + 'a', 'response body ' + k + 'b']\\); }/\" scroll-capture.js)",
       "Bash(echo \"exit=$?\")",
       "Bash(echo \"---grep done, exit=$?---\")",
-      "Bash(grep *)"
+      "Bash(grep *)",
+      "Bash(npm test *)",
+      "Read(//srv/www/ai/**)",
+      "Read(//srv/www/ai/cli.semalt.ai/**)",
+      "Bash(npm run *)",
+      "Bash(— normalized\\\\|mcp)",
+      "Bash(awk '{print $5, $9}')"
     ]
   }
 }

package/.github/workflows/ci.yml

@@ -0,0 +1,69 @@
+name: CI
+
+# Green-pipeline gate: lint + tests must pass on every push and PR across the
+# supported OS/Node matrix before changes can land.
+#
+# Supply-chain guardrails (Task 3.2): the project has runtime dependencies
+# (`@modelcontextprotocol/sdk`; plus `@mozilla/readability` + `linkedom` +
+# `turndown` for the web-fetch pipeline, Task W.1). Two checks protect that
+# surface:
+#   * `npm ci` installs strictly from the committed package-lock.json and fails
+#     if package.json and the lockfile disagree — i.e. lockfile integrity.
+#   * `npm audit --omit=dev --audit-level=high` fails the build on a HIGH or
+#     CRITICAL advisory in the runtime dependency tree (dev deps excluded; there
+#     are none today). Audit-findings policy lives in CLAUDE.md
+#     › "Dependency & Supply-Chain Policy".
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+jobs:
+  lint-and-test:
+    name: lint + test (Node ${{ matrix.node }} / ${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        node: [18, 20]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js ${{ matrix.node }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node }}
+          cache: npm
+
+      # Lockfile integrity: install strictly from package-lock.json. Fails the
+      # build if package.json and the lockfile have drifted apart.
+      - name: Install dependencies (npm ci)
+        run: npm ci
+
+      # Supply-chain audit: fail on HIGH/CRITICAL advisories in the runtime
+      # (production) dependency tree. See CLAUDE.md for how findings are handled.
+      - name: Security audit (npm audit)
+        run: npm audit --omit=dev --audit-level=high
+
+      # Install ripgrep so the grep rg-vs-Node parity tests (Task 2.1) execute
+      # rather than skip. ripgrep is an optional accelerator for the `grep`
+      # tool, never a runtime dependency — the suite still passes without it.
+      - name: Install ripgrep (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y ripgrep
+      - name: Install ripgrep (macOS)
+        if: runner.os == 'macOS'
+        run: brew install ripgrep
+      - name: Install ripgrep (Windows)
+        if: runner.os == 'Windows'
+        run: choco install ripgrep -y
+
+      - name: Lint (node --check across all sources)
+        run: npm run lint
+
+      - name: Test (node --test)
+        run: npm test

package/ARCHITECTURE.md

@@ -1,99 +1,10 @@
-# semalt-code — Architecture Reference
+# semalt-code — Architecture
 
-## lib/ File Responsibilities
+The architecture documentation has moved. The current, maintained reference lives at:
 
-| File | Responsibility |
-|------|----------------|
-| `lib/agent.js` | Agent loop: iterates up to 10 times, streams LLM response, extracts tool calls, dispatches execution, accumulates results back into the message history |
-| `lib/api.js` | HTTP client for both OpenAI-compatible inference (`chatStream`, `chatSync`) and dashboard REST calls (auth, models, chat history); manually parses `text/event-stream` |
-| `lib/args.js` | CLI argument parser; maps flags (`-m`, `-f`, `--dry-run`, …) to an `opts` object and collects positional args |
-| `lib/commands.js` | All top-level command handlers: `cmdChat`, `cmdCode`, `cmdEdit`, `cmdShell`, `cmdLogin`, `cmdLogout`, `cmdWhoAmI`, `cmdModels`, `cmdInit` |
-| `lib/config.js` | Read/write `~/.semalt-ai/config.json`; `normalizeConfig` merges defaults, migrates legacy keys, validates types |
-| `lib/constants.js` | `DEFAULT_CONFIG`, `DEFAULT_API_TIMEOUT_MS`, `CONFIG_PATH`, `PACKAGE_JSON` |
-| `lib/context.js` | Loads file or directory trees into a prompt context string; caps directory walks at 50 files, single files at 10 000 chars |
-| `lib/permissions.js` | Per-session approval tracking; interactive yes/always/no prompt before each tool action; `toggleAll` for `/approve` |
-| `lib/prompts.js` | Returns the system prompt string that instructs the LLM which XML tool tags to use and how |
-| `lib/tools.js` | Implements `agentExecShell` and `agentExecFile` (16 file/env/network actions) plus `extractToolCalls` regex parser |
-| `lib/ui.js` | All terminal rendering: ANSI constants, `StreamRenderer` (markdown + tool-call display + inline diff), `readInteractiveInput`, `interactiveSelect`, `printBanner`, `printStatusBar` |
+**[docs/ARCHITECTURE.md](./docs/ARCHITECTURE.md)** — per-subsystem internals (MCP, checkpoints, sandbox, web-fetch pipeline, SDK, subagents, hooks, git tools, …).
 
----
+See also:
 
-## Agent Loop Flow
-
-1. `runAgentLoop(messages, model)` is called with the current message array (max 10 iterations).
-2. `chatStream(messages, { model })` sends the array to the LLM and streams tokens through `StreamRenderer` to the terminal.
-3. The full assistant text is appended to `messages` as `{ role: 'assistant', content }`.
-4. `extractToolCalls(reply)` scans the text for XML tool tags and fenced shell blocks; returns an ordered list of `[action, ...args]` tuples.
-5. If no tool calls are found, the loop ends.
-6. For each tool call, `permissionManager.askPermission(type, description)` prompts the user (yes / yes-always / no).
-7. Approved shell calls go to `agentExecShell`; all other calls go to `agentExecFile`.
-8. Results (or denial messages) are concatenated and pushed to `messages` as a `user` turn: `"Tool execution results:\n\n…\n\nContinue with the task."`.
-9. If any call was denied, a warning is printed and the loop continues with partial results.
-10. Go to step 2.
-
----
-
-## Tool Tags
-
-All tags are parsed by `extractToolCalls` in `lib/tools.js` and displayed by `StreamRenderer` in `lib/ui.js`.
-
-| Tag | Syntax | Action dispatched |
-|-----|--------|-------------------|
-| `exec` | `<exec>command</exec>` | `shell` |
-| `shell` | `<shell>command</shell>` | `shell` (alias) |
-| `run_command` | `<run_command>command</run_command>` | `shell` (alias) |
-| `run` | `<run>command</run>` | `shell` (alias) |
-| Fenced shell block | ` ```shell\ncommand\n``` ` | `shell` (one call per non-comment line) |
-| `read_file` (content) | `<read_file>/path</read_file>` | `read` |
-| `read_file` (attribute) | `<read_file path="/path"/>` | `read` |
-| `write_file` | `<write_file path="/path">content</write_file>` | `write` |
-| `append_file` | `<append_file path="/path">content</append_file>` | `append` |
-| `list_dir` | `<list_dir>/path</list_dir>` | `list_dir` |
-| `search_files` | `<search_files>pattern</search_files>` | `search_files` |
-| `delete_file` | `<delete_file>/path</delete_file>` | `delete_file` |
-| `make_dir` | `<make_dir>/path</make_dir>` | `make_dir` |
-| `remove_dir` | `<remove_dir>/path</remove_dir>` | `remove_dir` |
-| `get_env` | `<get_env>VAR_NAME</get_env>` | `get_env` |
-| `set_env` | `<set_env name="VAR" value="val"/>` | `set_env` |
-| `move_file` | `<move_file src="/src" dst="/dst"/>` | `move_file` |
-| `copy_file` | `<copy_file src="/src" dst="/dst"/>` | `copy_file` |
-| `edit_file` | `<edit_file path="/path" line="N">new line content</edit_file>` | `edit_file` |
-| `search_in_file` | `<search_in_file path="/path">regex</search_in_file>` | `search_in_file` |
-| `replace_in_file` | `<replace_in_file path="/path" search="old" replace="new"></replace_in_file>` | `replace_in_file` |
-| `download` | `<download>https://url</download>` | `download` |
-| `upload` | `<upload path="/path">base64content</upload>` | `upload` |
-
----
-
-## DEFAULT_CONFIG Keys
-
-Defined in `lib/constants.js` and merged/validated by `lib/config.js`.
-
-| Key | Default | Description |
-|-----|---------|-------------|
-| `api_base` | `"http://127.0.0.1:8800"` | OpenAI-compatible inference base URL (normalized to include `/v1`) |
-| `api_key` | `"any"` | API key sent as `Authorization: Bearer` to the inference endpoint |
-| `dashboard_url` | `"https://cli.semalt.ai"` | Base URL for the web dashboard (auth, models, chat history) |
-| `auth_token` | `""` | Bearer token written by `semalt login`, cleared by `logout` |
-| `default_model` | `"default"` | Model identifier sent in chat completions payloads |
-| `dashboard_model_id` | `null` | Integer PK of the active model in `available_models`; required for chat history sync |
-| `temperature` | `0.7` | Sampling temperature passed to the LLM |
-| `request_timeout_ms` | `900000` | HTTP request timeout for inference calls (ms) |
-| `stream` | `true` | Whether to use streaming (`text/event-stream`) for inference |
-| `models` | `[]` | Local model profile overrides (each: `api_base`, `api_key`, `model`) |
-| `theme` | `"dark"` | Terminal color theme |
-| `max_file_size_kb` | `512` | Maximum file size the agent will read (KB) |
-| `command_timeout_ms` | `30000` | Timeout for shell command execution (ms) |
-| `max_output_lines` | `50` | Maximum lines of tool output shown before truncation |
-| `show_token_count` | `true` | Display token usage in the status line after each turn |
-| `show_cost` | `false` | Display estimated cost alongside token count |
-
----
-
-## Planned Additions
-
-| File | Intended Responsibility |
-|------|------------------------|
-| `lib/audit.js` | Persistent log of all tool calls executed per session (command, args, exit code, timestamp); used for replay and compliance review |
-| `lib/storage.js` | Local SQLite or JSON-lines store for offline chat history, message deduplication, and cache of dashboard responses |
-| `lib/metrics.js` | Collects per-session telemetry (token counts, latency, tool-call frequency) and exposes summary output for `/compact` and future analytics export |
+- [docs/CONFIG.md](./docs/CONFIG.md) — config keys, CLI flags/commands, slash commands, tool tags.
+- [docs/HISTORY.md](./docs/HISTORY.md) — design rationale, dependency policy, and roadmap.