@structor-dev/cli 0.1.0 → 0.2.0

package/template/scripts/lib/worktree-bootstrap.mjs.tpl

@@ -1,11 +1,14 @@
-import { access, mkdir, readFile, stat, writeFile } from "node:fs/promises";
-import { constants as fsConstants } from "node:fs";
+import { mkdir, readFile, stat, writeFile } from "node:fs/promises";
 import { execFile } from "node:child_process";
 import path from "node:path";
 import { promisify } from "node:util";
+import { assertSafeWriteTarget, exists } from "./path-safety.mjs";
+
+export { exists };
 
 const execFileAsync = promisify(execFile);
 
+const projectName = {{PROJECT_NAME_JSON}};
 export const canonicalRepos = ["{{HARNESS_REPO_NAME}}", ...{{CONSUMER_REPO_NAMES_JSON}}];
 export const models = {
   openai: {{MODEL_OPENAI_ENABLED}},
@@ -19,15 +22,6 @@ export const optionalPointerFiles = [];
 
 const repairableStates = new Set(["missing", "stale_relative", "wrong_harness_root"]);
 
-export async function exists(filePath) {
-  try {
-    await access(filePath, fsConstants.F_OK);
-    return true;
-  } catch {
-    return false;
-  }
-}
-
 export function repoNameFromRemote(remoteUrl) {
   if (!remoteUrl) return null;
   const withoutGitSuffix = remoteUrl.trim().replace(/\.git$/, "");
@@ -290,7 +284,7 @@ export async function inspectCheckout({ targetPath, harnessRoot, worktreeRecord
 
 export function renderPointerFile({ relativePath, harnessRoot, repoName }) {
   const normalizedHarnessRoot = path.resolve(harnessRoot);
-  const bootstrapCommand = `node ${path.join(normalizedHarnessRoot, "scripts/bootstrap-codex-worktree.mjs")} <checkout-path>`;
+  const bootstrapCommand = repairCommand({ harnessRoot: normalizedHarnessRoot, targetPath: "<checkout-path>" });
   const title = relativePath === "CLAUDE.md" ? "Project Agent Guide" : "Agent Bootstrap";
   const guidance = [
     ...(relativePath === "AGENTS.md" && models.openai ? [path.join(normalizedHarnessRoot, "AGENTS.md")] : []),
@@ -301,7 +295,7 @@ export function renderPointerFile({ relativePath, harnessRoot, repoName }) {
   ];
   return `# ${title}
 
-This checkout is part of the {{PROJECT_NAME}} workspace.
+This checkout is part of the ${projectName} workspace.
 The canonical AI guidance lives in the harness repo.
 
 Canonical repo: \`${repoName}\`
@@ -325,6 +319,7 @@ export function buildRepairPlan({ inspection, harnessRoot }) {
   const affectedRequiredPaths = new Set(inspection.issues.filter((issue) => issue.required).map((issue) => issue.relativePath));
   const writes = [...affectedRequiredPaths].map((relativePath) => ({
     relativePath,
+    rootPath: inspection.targetPath,
     targetPath: path.join(inspection.targetPath, relativePath),
     content: renderPointerFile({ relativePath, harnessRoot, repoName: inspection.repoName }),
   }));
@@ -333,6 +328,14 @@ export function buildRepairPlan({ inspection, harnessRoot }) {
 
 export async function writeRepairPlan(repairPlan) {
   for (const write of repairPlan.writes) {
+    if (!write.rootPath) {
+      throw new Error(`Worktree pointer ${write.relativePath} is unsafe: missing write root.`);
+    }
+    await assertSafeWriteTarget({
+      targetPath: write.targetPath,
+      rootPath: write.rootPath,
+      label: `Worktree pointer ${write.relativePath}`,
+    });
     await mkdir(path.dirname(write.targetPath), { recursive: true });
     await writeFile(write.targetPath, write.content);
   }

package/template/scripts/validate-governance.mjs.tpl

@@ -1,9 +1,10 @@
 #!/usr/bin/env node
 
-import { access, constants as fsConstants } from "node:fs/promises";
+import { access, constants as fsConstants, readFile } from "node:fs/promises";
 import { execFileSync } from "node:child_process";
+import { createHash } from "node:crypto";
 import path from "node:path";
-import { fileURLToPath } from "node:url";
+import { fileURLToPath, pathToFileURL } from "node:url";
 
 const repoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
 const models = {
@@ -13,26 +14,12 @@ const models = {
 const clientSupport = {
   codexHooks: {{CLIENT_CODEX_HOOKS_ENABLED}},
 };
-const mandatoryChecks = [
-  "scripts/check-readiness.mjs",
-  "scripts/check-issue-template.mjs",
-  "scripts/check-knowledge-manifest.mjs",
-  "scripts/check-plans.mjs",
-  "scripts/check-review-skills.mjs",
-  "scripts/check-garbage-collection.mjs",
-  "scripts/check-contract-manifests.mjs",
-  "scripts/check-html-views.mjs",
-  "scripts/check-worktree-bootstrap-fixtures.mjs",
-];
-const optionalChecks = [
-  "scripts/check-repo-name-consistency.mjs",
-  "scripts/check-linear-contract.mjs",
-  "scripts/check-contract-conformance.mjs",
-  "scripts/check-domain-contract-matrix.mjs",
-];
-const checkCodexHooksScript = "scripts/check-codex-hooks.mjs";
-const checkClaudeCompatibilityScript = "scripts/check-claude-compatibility.mjs";
-const checkOverlayDriftScript = "scripts/check-overlay-drift.mjs";
+const generatedContractScript = "scripts/generated-harness-contract.mjs";
+const generatedScriptHashes = {{GENERATED_SCRIPT_HASHES_JSON}};
+
+function sha256(content) {
+  return createHash("sha256").update(content).digest("hex");
+}
 
 async function exists(relativePath) {
   try {
@@ -43,36 +30,65 @@ async function exists(relativePath) {
   }
 }
 
+async function assertTrustedCheck(relativePath) {
+  const expectedHash = generatedScriptHashes[relativePath];
+  if (!expectedHash) {
+    throw new Error(
+      `Refusing to execute ${relativePath}: no trusted generated hash is recorded. ` +
+        "Inspect the file and regenerate with --force after review if it should be replaced.",
+    );
+  }
+
+  let content;
+  try {
+    content = await readFile(path.join(repoRoot, relativePath));
+  } catch (error) {
+    if (error?.code === "ENOENT") {
+      throw new Error(
+        `Refusing to execute ${relativePath}: the expected generated script is missing. ` +
+          "Regenerate the harness after reviewing the output directory.",
+      );
+    }
+    throw error;
+  }
+
+  const actualHash = sha256(content);
+  if (actualHash !== expectedHash) {
+    throw new Error(
+      `Refusing to execute ${relativePath}: content does not match the current generated template. ` +
+        "Inspect the preserved file and regenerate with --force after review if it should be replaced.",
+    );
+  }
+}
+
 async function runCheck(relativePath) {
+  await assertTrustedCheck(relativePath);
+  for (const dependency of validationPlan.checkDependencies[relativePath] ?? []) {
+    await assertTrustedCheck(dependency);
+  }
+
   execFileSync(process.execPath, [path.join(repoRoot, relativePath)], {
     cwd: repoRoot,
     stdio: "inherit",
   });
 }
 
-await runCheck("scripts/check-template-governance.mjs");
-await runCheck("scripts/check-task-template.mjs");
+await assertTrustedCheck(generatedContractScript);
+const { validationPlanForSettings } = await import(pathToFileURL(path.join(repoRoot, generatedContractScript)).href);
+const validationPlan = validationPlanForSettings({ models, clientSupport });
 
-for (const check of mandatoryChecks) {
+for (const check of validationPlan.requiredChecks) {
   await runCheck(check);
 }
 
-for (const optionalCheck of optionalChecks) {
+for (const optionalCheck of validationPlan.optionalChecks) {
   if (await exists(optionalCheck)) {
     await runCheck(optionalCheck);
   }
 }
 
-if (clientSupport.codexHooks) {
-  await runCheck(checkCodexHooksScript);
-}
-
-if (models.anthropic) {
-  await runCheck(checkClaudeCompatibilityScript);
-}
-
-if (models.openai || models.anthropic) {
-  await runCheck(checkOverlayDriftScript);
+for (const check of validationPlan.conditionalChecks) {
+  await runCheck(check);
 }
 
 console.log("Governance validation passed.");

package/schemas/task-brief.schema.json

@@ -1,37 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://example.com/schemas/task-brief.schema.json",
-  "title": "Task Brief",
-  "type": "object",
-  "additionalProperties": false,
-  "required": [
-    "id",
-    "status",
-    "risk",
-    "autonomy",
-    "model_policy",
-    "model",
-    "repos",
-    "allowed_paths",
-    "forbidden_paths",
-    "requires_human_approval"
-  ],
-  "properties": {
-    "id": { "type": "string", "minLength": 1 },
-    "status": {
-      "type": "string",
-      "enum": ["backlog", "ready", "running", "needs_fix", "report_ready", "pr_ready", "blocked", "done"]
-    },
-    "risk": { "type": "string", "enum": ["low", "medium", "high"] },
-    "autonomy": { "type": "string", "enum": ["report_only", "pr_ready", "auto_merge"] },
-    "model_policy": {
-      "type": "string",
-      "enum": ["cheap", "standard", "reasoning", "frontier", "review_only"]
-    },
-    "model": { "type": "string", "minLength": 1 },
-    "repos": { "type": "array", "items": { "type": "string" }, "minItems": 1 },
-    "allowed_paths": { "type": "array", "items": { "type": "string" } },
-    "forbidden_paths": { "type": "array", "items": { "type": "string" } },
-    "requires_human_approval": { "type": "boolean" }
-  }
-}