@sentry/warden 0.0.0

package/src/config/loader.test.ts

@@ -0,0 +1,313 @@
+import { describe, it, expect } from 'vitest';
+import { resolveTrigger } from './loader.js';
+import { WardenConfigSchema, type Trigger, type WardenConfig } from './schema.js';
+
+describe('resolveTrigger', () => {
+  const baseTrigger: Trigger = {
+    name: 'test-trigger',
+    event: 'pull_request',
+    actions: ['opened'],
+    skill: 'test-skill',
+  };
+
+  const baseConfig: WardenConfig = {
+    version: 1,
+    triggers: [baseTrigger],
+  };
+
+  it('returns trigger with empty filters and output when no defaults', () => {
+    const resolved = resolveTrigger(baseTrigger, baseConfig);
+
+    expect(resolved.filters).toEqual({
+      paths: undefined,
+      ignorePaths: undefined,
+    });
+    expect(resolved.output).toEqual({
+      failOn: undefined,
+      commentOn: undefined,
+      maxFindings: undefined,
+    });
+    expect(resolved.model).toBeUndefined();
+  });
+
+  it('applies defaults when trigger has no config', () => {
+    const config: WardenConfig = {
+      ...baseConfig,
+      defaults: {
+        filters: { paths: ['src/**'], ignorePaths: ['*.test.ts'] },
+        output: { failOn: 'high', commentOn: 'critical', maxFindings: 10 },
+        model: 'claude-sonnet-4-20250514',
+      },
+    };
+
+    const resolved = resolveTrigger(baseTrigger, config);
+
+    expect(resolved.filters.paths).toEqual(['src/**']);
+    expect(resolved.filters.ignorePaths).toEqual(['*.test.ts']);
+    expect(resolved.output.failOn).toBe('high');
+    expect(resolved.output.commentOn).toBe('critical');
+    expect(resolved.output.maxFindings).toBe(10);
+    expect(resolved.model).toBe('claude-sonnet-4-20250514');
+  });
+
+  it('trigger config overrides defaults', () => {
+    const trigger: Trigger = {
+      ...baseTrigger,
+      filters: { paths: ['lib/**'] },
+      output: { failOn: 'critical', commentOn: 'high' },
+      model: 'claude-opus-4-20250514',
+    };
+
+    const config: WardenConfig = {
+      ...baseConfig,
+      triggers: [trigger],
+      defaults: {
+        filters: { paths: ['src/**'], ignorePaths: ['*.test.ts'] },
+        output: { failOn: 'high', commentOn: 'critical', maxFindings: 10 },
+        model: 'claude-sonnet-4-20250514',
+      },
+    };
+
+    const resolved = resolveTrigger(trigger, config);
+
+    // Trigger overrides
+    expect(resolved.filters.paths).toEqual(['lib/**']);
+    expect(resolved.output.failOn).toBe('critical');
+    expect(resolved.output.commentOn).toBe('high');
+    expect(resolved.model).toBe('claude-opus-4-20250514');
+
+    // Defaults still applied where trigger doesn't specify
+    expect(resolved.filters.ignorePaths).toEqual(['*.test.ts']);
+    expect(resolved.output.maxFindings).toBe(10);
+  });
+
+  it('partial defaults are applied correctly', () => {
+    const config: WardenConfig = {
+      ...baseConfig,
+      defaults: {
+        filters: { ignorePaths: ['*.md'] },
+      },
+    };
+
+    const resolved = resolveTrigger(baseTrigger, config);
+
+    expect(resolved.filters.paths).toBeUndefined();
+    expect(resolved.filters.ignorePaths).toEqual(['*.md']);
+    expect(resolved.output.failOn).toBeUndefined();
+    expect(resolved.model).toBeUndefined();
+  });
+
+  it('preserves other trigger properties', () => {
+    const trigger: Trigger = {
+      ...baseTrigger,
+      name: 'my-trigger',
+      skill: 'security-review',
+    };
+
+    const resolved = resolveTrigger(trigger, baseConfig);
+
+    expect(resolved.name).toBe('my-trigger');
+    expect(resolved.event).toBe('pull_request');
+    expect(resolved.actions).toEqual(['opened']);
+    expect(resolved.skill).toBe('security-review');
+  });
+
+  describe('model precedence', () => {
+    it('trigger.model takes precedence over cliModel', () => {
+      const trigger: Trigger = {
+        ...baseTrigger,
+        model: 'claude-opus-4-20250514',
+      };
+
+      const resolved = resolveTrigger(trigger, baseConfig, 'claude-haiku-3-5-20241022');
+
+      expect(resolved.model).toBe('claude-opus-4-20250514');
+    });
+
+    it('defaults.model takes precedence over cliModel', () => {
+      const config: WardenConfig = {
+        ...baseConfig,
+        defaults: {
+          model: 'claude-sonnet-4-20250514',
+        },
+      };
+
+      const resolved = resolveTrigger(baseTrigger, config, 'claude-haiku-3-5-20241022');
+
+      expect(resolved.model).toBe('claude-sonnet-4-20250514');
+    });
+
+    it('cliModel is used when no config model is set', () => {
+      const resolved = resolveTrigger(baseTrigger, baseConfig, 'claude-haiku-3-5-20241022');
+
+      expect(resolved.model).toBe('claude-haiku-3-5-20241022');
+    });
+
+    it('trigger.model takes precedence over defaults.model', () => {
+      const trigger: Trigger = {
+        ...baseTrigger,
+        model: 'claude-opus-4-20250514',
+      };
+      const config: WardenConfig = {
+        ...baseConfig,
+        triggers: [trigger],
+        defaults: {
+          model: 'claude-sonnet-4-20250514',
+        },
+      };
+
+      const resolved = resolveTrigger(trigger, config, 'claude-haiku-3-5-20241022');
+
+      expect(resolved.model).toBe('claude-opus-4-20250514');
+    });
+
+    it('empty string cliModel is treated as undefined', () => {
+      const config: WardenConfig = {
+        ...baseConfig,
+        defaults: {
+          model: 'claude-sonnet-4-20250514',
+        },
+      };
+
+      const resolved = resolveTrigger(baseTrigger, config, '');
+
+      expect(resolved.model).toBe('claude-sonnet-4-20250514');
+    });
+
+    it('empty string model values fall through to next in precedence', () => {
+      // Simulates GitHub Actions substituting unconfigured secrets with ''
+      const trigger: Trigger = {
+        ...baseTrigger,
+        model: '',
+      };
+      const config: WardenConfig = {
+        ...baseConfig,
+        triggers: [trigger],
+        defaults: {
+          model: '',
+        },
+      };
+
+      const resolved = resolveTrigger(trigger, config, 'claude-haiku-3-5-20241022');
+
+      expect(resolved.model).toBe('claude-haiku-3-5-20241022');
+    });
+  });
+});
+
+describe('maxTurns config', () => {
+  it('accepts maxTurns in defaults', () => {
+    const config = {
+      version: 1,
+      defaults: {
+        maxTurns: 25,
+      },
+      triggers: [],
+    };
+
+    const result = WardenConfigSchema.safeParse(config);
+    expect(result.success).toBe(true);
+    expect(result.data?.defaults?.maxTurns).toBe(25);
+  });
+
+  it('accepts maxTurns in trigger', () => {
+    const config = {
+      version: 1,
+      triggers: [
+        {
+          name: 'test',
+          event: 'pull_request',
+          actions: ['opened'],
+          skill: 'security-review',
+          maxTurns: 30,
+        },
+      ],
+    };
+
+    const result = WardenConfigSchema.safeParse(config);
+    expect(result.success).toBe(true);
+    expect(result.data?.triggers[0]?.maxTurns).toBe(30);
+  });
+
+  it('rejects non-positive maxTurns', () => {
+    const config = {
+      version: 1,
+      defaults: {
+        maxTurns: 0,
+      },
+      triggers: [],
+    };
+
+    const result = WardenConfigSchema.safeParse(config);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects non-integer maxTurns', () => {
+    const config = {
+      version: 1,
+      defaults: {
+        maxTurns: 10.5,
+      },
+      triggers: [],
+    };
+
+    const result = WardenConfigSchema.safeParse(config);
+    expect(result.success).toBe(false);
+  });
+});
+
+describe('batchDelayMs config', () => {
+  it('accepts batchDelayMs in defaults', () => {
+    const config = {
+      version: 1,
+      defaults: {
+        batchDelayMs: 1000,
+      },
+      triggers: [],
+    };
+
+    const result = WardenConfigSchema.safeParse(config);
+    expect(result.success).toBe(true);
+    expect(result.data?.defaults?.batchDelayMs).toBe(1000);
+  });
+
+  it('accepts zero batchDelayMs', () => {
+    const config = {
+      version: 1,
+      defaults: {
+        batchDelayMs: 0,
+      },
+      triggers: [],
+    };
+
+    const result = WardenConfigSchema.safeParse(config);
+    expect(result.success).toBe(true);
+    expect(result.data?.defaults?.batchDelayMs).toBe(0);
+  });
+
+  it('rejects negative batchDelayMs', () => {
+    const config = {
+      version: 1,
+      defaults: {
+        batchDelayMs: -100,
+      },
+      triggers: [],
+    };
+
+    const result = WardenConfigSchema.safeParse(config);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects non-integer batchDelayMs', () => {
+    const config = {
+      version: 1,
+      defaults: {
+        batchDelayMs: 100.5,
+      },
+      triggers: [],
+    };
+
+    const result = WardenConfigSchema.safeParse(config);
+    expect(result.success).toBe(false);
+  });
+});

package/src/config/loader.ts

@@ -0,0 +1,103 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { parse as parseToml } from 'smol-toml';
+import {
+  WardenConfigSchema,
+  type WardenConfig,
+  type Trigger,
+  type PathFilter,
+  type OutputConfig,
+} from './schema.js';
+
+export class ConfigLoadError extends Error {
+  constructor(message: string, options?: { cause?: unknown }) {
+    super(message, options);
+    this.name = 'ConfigLoadError';
+  }
+}
+
+export function loadWardenConfig(repoPath: string): WardenConfig {
+  const configPath = join(repoPath, 'warden.toml');
+
+  if (!existsSync(configPath)) {
+    throw new ConfigLoadError(`Configuration file not found: ${configPath}`);
+  }
+
+  let content: string;
+  try {
+    content = readFileSync(configPath, 'utf-8');
+  } catch (error) {
+    throw new ConfigLoadError(`Failed to read configuration file: ${configPath}`, { cause: error });
+  }
+
+  let rawConfig: unknown;
+  try {
+    rawConfig = parseToml(content);
+  } catch (error) {
+    throw new ConfigLoadError('Failed to parse TOML configuration', { cause: error });
+  }
+
+  const result = WardenConfigSchema.safeParse(rawConfig);
+  if (!result.success) {
+    const issues = result.error.issues.map(i => `  - ${i.path.join('.')}: ${i.message}`).join('\n');
+    throw new ConfigLoadError(`Invalid configuration:\n${issues}`);
+  }
+
+  return result.data;
+}
+
+/**
+ * Resolved trigger configuration with defaults applied.
+ */
+export interface ResolvedTrigger extends Trigger {
+  filters: PathFilter;
+  output: OutputConfig;
+}
+
+/**
+ * Convert empty strings to undefined.
+ * GitHub Actions substitutes unconfigured secrets with empty strings,
+ * so we need to treat '' as "not set" for optional config values.
+ */
+function emptyToUndefined(value: string | undefined): string | undefined {
+  return value === '' ? undefined : value;
+}
+
+/**
+ * Resolve a trigger's configuration by merging with defaults.
+ * Trigger-specific values override defaults.
+ *
+ * Model precedence (highest to lowest):
+ * 1. trigger.model (warden.toml trigger-level)
+ * 2. defaults.model (warden.toml [defaults])
+ * 3. cliModel (--model flag)
+ * 4. WARDEN_MODEL env var
+ * 5. SDK default (not set here)
+ */
+export function resolveTrigger(
+  trigger: Trigger,
+  config: WardenConfig,
+  cliModel?: string
+): ResolvedTrigger {
+  const defaults = config.defaults;
+  const envModel = emptyToUndefined(process.env['WARDEN_MODEL']);
+
+  return {
+    ...trigger,
+    filters: {
+      paths: trigger.filters?.paths ?? defaults?.filters?.paths,
+      ignorePaths: trigger.filters?.ignorePaths ?? defaults?.filters?.ignorePaths,
+    },
+    output: {
+      failOn: trigger.output?.failOn ?? defaults?.output?.failOn,
+      commentOn: trigger.output?.commentOn ?? defaults?.output?.commentOn,
+      maxFindings: trigger.output?.maxFindings ?? defaults?.output?.maxFindings,
+      commentOnSuccess: trigger.output?.commentOnSuccess ?? defaults?.output?.commentOnSuccess,
+    },
+    model:
+      emptyToUndefined(trigger.model) ??
+      emptyToUndefined(defaults?.model) ??
+      emptyToUndefined(cliModel) ??
+      envModel,
+  };
+}

package/src/config/schema.ts

@@ -0,0 +1,168 @@
+import { z } from 'zod';
+import { SeverityThresholdSchema } from '../types/index.js';
+
+// Tool names that can be allowed/denied
+export const ToolNameSchema = z.enum([
+  'Read',
+  'Write',
+  'Edit',
+  'Bash',
+  'Glob',
+  'Grep',
+  'WebFetch',
+  'WebSearch',
+]);
+export type ToolName = z.infer<typeof ToolNameSchema>;
+
+// Tool configuration for skills
+export const ToolConfigSchema = z.object({
+  allowed: z.array(ToolNameSchema).optional(),
+  denied: z.array(ToolNameSchema).optional(),
+});
+export type ToolConfig = z.infer<typeof ToolConfigSchema>;
+
+// Skill definition
+export const SkillDefinitionSchema = z.object({
+  name: z.string().min(1),
+  description: z.string(),
+  prompt: z.string(),
+  tools: ToolConfigSchema.optional(),
+  outputSchema: z.string().optional(),
+  /** Directory where the skill was loaded from, for resolving resources (scripts/, references/, assets/) */
+  rootDir: z.string().optional(),
+});
+export type SkillDefinition = z.infer<typeof SkillDefinitionSchema>;
+
+// Path filter for triggers
+export const PathFilterSchema = z.object({
+  paths: z.array(z.string()).optional(),
+  ignorePaths: z.array(z.string()).optional(),
+});
+export type PathFilter = z.infer<typeof PathFilterSchema>;
+
+// Output configuration per trigger
+export const OutputConfigSchema = z.object({
+  failOn: SeverityThresholdSchema.optional(),
+  commentOn: SeverityThresholdSchema.optional(),
+  maxFindings: z.number().int().positive().optional(),
+  /** Post a PR comment even when there are no findings (default: false) */
+  commentOnSuccess: z.boolean().optional(),
+});
+export type OutputConfig = z.infer<typeof OutputConfigSchema>;
+
+// Schedule-specific configuration
+export const ScheduleConfigSchema = z.object({
+  /** Title for the tracking issue (default: "Warden: {triggerName}") */
+  issueTitle: z.string().optional(),
+  /** Create PR with fixes when suggestedFix is available */
+  createFixPR: z.boolean().default(false),
+  /** Branch prefix for fix PRs (default: "warden-fix") */
+  fixBranchPrefix: z.string().default('warden-fix'),
+});
+export type ScheduleConfig = z.infer<typeof ScheduleConfigSchema>;
+
+// Trigger definition
+export const TriggerSchema = z.object({
+  name: z.string().min(1),
+  event: z.enum(['pull_request', 'issues', 'issue_comment', 'schedule']),
+  /** Actions to trigger on. Required for all events except 'schedule'. */
+  actions: z.array(z.string()).min(1).optional(),
+  skill: z.string().min(1),
+  /** Remote repository reference for the skill (e.g., "owner/repo" or "owner/repo@sha") */
+  remote: z.string().optional(),
+  filters: PathFilterSchema.optional(),
+  output: OutputConfigSchema.optional(),
+  /** Model to use for this trigger (e.g., 'claude-sonnet-4-20250514'). Uses SDK default if not specified. */
+  model: z.string().optional(),
+  /** Maximum agentic turns (API round-trips) per hunk analysis. Overrides defaults.maxTurns. */
+  maxTurns: z.number().int().positive().optional(),
+  /** Schedule-specific configuration. Only used when event is 'schedule'. */
+  schedule: ScheduleConfigSchema.optional(),
+}).refine(
+  (data) => {
+    // actions is required unless event is 'schedule'
+    if (data.event !== 'schedule') {
+      return data.actions !== undefined && data.actions.length > 0;
+    }
+    return true;
+  },
+  {
+    message: "actions is required for non-schedule events",
+    path: ["actions"],
+  }
+).refine(
+  (data) => {
+    // paths filter is required for schedule events
+    if (data.event === 'schedule') {
+      return data.filters?.paths !== undefined && data.filters.paths.length > 0;
+    }
+    return true;
+  },
+  {
+    message: "filters.paths is required for schedule events",
+    path: ["filters", "paths"],
+  }
+);
+export type Trigger = z.infer<typeof TriggerSchema>;
+
+// Runner configuration
+export const RunnerConfigSchema = z.object({
+  /** Max concurrent trigger executions (default: 4) */
+  concurrency: z.number().int().positive().optional(),
+});
+export type RunnerConfig = z.infer<typeof RunnerConfigSchema>;
+
+// File pattern for chunking configuration
+export const FilePatternSchema = z.object({
+  /** Glob pattern to match files (e.g., "**\/pnpm-lock.yaml") */
+  pattern: z.string(),
+  /** How to handle matching files: 'per-hunk' (default), 'whole-file', or 'skip' */
+  mode: z.enum(['per-hunk', 'whole-file', 'skip']).default('skip'),
+});
+export type FilePattern = z.infer<typeof FilePatternSchema>;
+
+// Coalescing configuration for merging nearby hunks
+export const CoalesceConfigSchema = z.object({
+  /** Enable hunk coalescing (default: true) */
+  enabled: z.boolean().default(true),
+  /** Max lines gap between hunks to merge (default: 30) */
+  maxGapLines: z.number().int().nonnegative().default(30),
+  /** Target max size per chunk in characters (default: 8000) */
+  maxChunkSize: z.number().int().positive().default(8000),
+});
+export type CoalesceConfig = z.infer<typeof CoalesceConfigSchema>;
+
+// Chunking configuration for controlling how files are processed
+export const ChunkingConfigSchema = z.object({
+  /** Patterns to control file processing mode */
+  filePatterns: z.array(FilePatternSchema).optional(),
+  /** Coalescing options for merging nearby hunks */
+  coalesce: CoalesceConfigSchema.optional(),
+});
+export type ChunkingConfig = z.infer<typeof ChunkingConfigSchema>;
+
+// Default configuration that triggers inherit from
+export const DefaultsSchema = z.object({
+  filters: PathFilterSchema.optional(),
+  output: OutputConfigSchema.optional(),
+  /** Default model for all triggers (e.g., 'claude-sonnet-4-20250514') */
+  model: z.string().optional(),
+  /** Maximum agentic turns (API round-trips) per hunk analysis. Default: 50 */
+  maxTurns: z.number().int().positive().optional(),
+  /** Default branch for the repository (e.g., 'main', 'master', 'develop'). Auto-detected if not specified. */
+  defaultBranch: z.string().optional(),
+  /** Chunking configuration for controlling how files are processed */
+  chunking: ChunkingConfigSchema.optional(),
+  /** Delay in milliseconds between batch starts when processing files in parallel. Default: 0 */
+  batchDelayMs: z.number().int().nonnegative().optional(),
+});
+export type Defaults = z.infer<typeof DefaultsSchema>;
+
+// Main warden.toml configuration
+export const WardenConfigSchema = z.object({
+  version: z.literal(1),
+  defaults: DefaultsSchema.optional(),
+  triggers: z.array(TriggerSchema).default([]),
+  runner: RunnerConfigSchema.optional(),
+});
+export type WardenConfig = z.infer<typeof WardenConfigSchema>;

package/src/config/writer.test.ts

@@ -0,0 +1,119 @@
+import { describe, it, expect } from 'vitest';
+import { generateTriggerToml } from './writer.js';
+import type { Trigger } from './schema.js';
+
+describe('generateTriggerToml', () => {
+  it('generates basic trigger TOML', () => {
+    const trigger: Trigger = {
+      name: 'security-review',
+      event: 'pull_request',
+      actions: ['opened', 'synchronize'],
+      skill: 'security-review',
+    };
+
+    const result = generateTriggerToml(trigger);
+
+    expect(result).toContain('[[triggers]]');
+    expect(result).toContain('name = "security-review"');
+    expect(result).toContain('event = "pull_request"');
+    expect(result).toContain('actions = ["opened", "synchronize"]');
+    expect(result).toContain('skill = "security-review"');
+  });
+
+  it('includes remote field when present', () => {
+    const trigger: Trigger = {
+      name: 'security-review',
+      event: 'pull_request',
+      actions: ['opened'],
+      skill: 'security-review',
+      remote: 'getsentry/skills@abc123',
+    };
+
+    const result = generateTriggerToml(trigger);
+
+    expect(result).toContain('remote = "getsentry/skills@abc123"');
+  });
+
+  it('omits remote field when not present', () => {
+    const trigger: Trigger = {
+      name: 'security-review',
+      event: 'pull_request',
+      actions: ['opened'],
+      skill: 'security-review',
+    };
+
+    const result = generateTriggerToml(trigger);
+
+    expect(result).not.toContain('remote');
+  });
+
+  it('includes filters when present', () => {
+    const trigger: Trigger = {
+      name: 'security-review',
+      event: 'pull_request',
+      actions: ['opened'],
+      skill: 'security-review',
+      filters: {
+        paths: ['src/**/*.ts'],
+        ignorePaths: ['**/*.test.ts'],
+      },
+    };
+
+    const result = generateTriggerToml(trigger);
+
+    expect(result).toContain('[triggers.filters]');
+    expect(result).toContain('paths = ["src/**/*.ts"]');
+    expect(result).toContain('ignorePaths = ["**/*.test.ts"]');
+  });
+
+  it('includes output config when present', () => {
+    const trigger: Trigger = {
+      name: 'security-review',
+      event: 'pull_request',
+      actions: ['opened'],
+      skill: 'security-review',
+      output: {
+        failOn: 'high',
+        commentOn: 'medium',
+        maxFindings: 10,
+      },
+    };
+
+    const result = generateTriggerToml(trigger);
+
+    expect(result).toContain('[triggers.output]');
+    expect(result).toContain('failOn = "high"');
+    expect(result).toContain('commentOn = "medium"');
+    expect(result).toContain('maxFindings = 10');
+  });
+
+  it('includes model when present', () => {
+    const trigger: Trigger = {
+      name: 'security-review',
+      event: 'pull_request',
+      actions: ['opened'],
+      skill: 'security-review',
+      model: 'claude-sonnet-4-20250514',
+    };
+
+    const result = generateTriggerToml(trigger);
+
+    expect(result).toContain('model = "claude-sonnet-4-20250514"');
+  });
+
+  it('handles schedule events without actions', () => {
+    const trigger: Trigger = {
+      name: 'weekly-scan',
+      event: 'schedule',
+      skill: 'security-review',
+      filters: {
+        paths: ['src/**/*.ts'],
+      },
+    };
+
+    const result = generateTriggerToml(trigger);
+
+    expect(result).toContain('event = "schedule"');
+    expect(result).not.toContain('actions');
+  });
+});