@syntesseraai/opencode-feature-factory 0.2.3 → 0.2.4

package/dist/stop-quality-gate.js

@@ -0,0 +1,378 @@
+const SERVICE_NAME = 'feature-factory';
+const IDLE_DEBOUNCE_MS = 500;
+const CI_TIMEOUT_MS = 300000; // 5 minutes
+const SESSION_TTL_MS = 3600000; // 1 hour
+const CLEANUP_INTERVAL_MS = 600000; // 10 minutes
+export const SECRET_PATTERNS = [
+    // AWS Access Key IDs
+    { pattern: /AKIA[0-9A-Z]{16}/g, replacement: '[REDACTED_AWS_KEY]' },
+    // GitHub Personal Access Tokens (classic)
+    { pattern: /ghp_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
+    // GitHub Personal Access Tokens (fine-grained)
+    { pattern: /github_pat_[A-Za-z0-9_]{22,}/g, replacement: '[REDACTED_GH_TOKEN]' },
+    // GitHub OAuth tokens
+    { pattern: /gho_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
+    // GitHub App tokens (user-to-server and server-to-server)
+    { pattern: /ghu_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
+    { pattern: /ghs_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_GH_TOKEN]' },
+    // GitLab Personal Access Tokens
+    { pattern: /glpat-[A-Za-z0-9-]{20,}/g, replacement: '[REDACTED_GITLAB_TOKEN]' },
+    // npm tokens
+    { pattern: /npm_[A-Za-z0-9]{36}/g, replacement: '[REDACTED_NPM_TOKEN]' },
+    // Slack bot tokens
+    { pattern: /xoxb-[0-9A-Za-z-]+/g, replacement: '[REDACTED_SLACK_TOKEN]' },
+    // Slack user tokens
+    { pattern: /xoxp-[0-9A-Za-z-]+/g, replacement: '[REDACTED_SLACK_TOKEN]' },
+    // Slack app tokens
+    { pattern: /xapp-[0-9A-Za-z-]+/g, replacement: '[REDACTED_SLACK_TOKEN]' },
+    // Slack webhook URLs
+    { pattern: /hooks\.slack\.com\/services\/[A-Z0-9/]+/g, replacement: '[REDACTED_SLACK_WEBHOOK]' },
+    // Stripe live secret keys
+    { pattern: /sk_live_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
+    // Stripe test secret keys
+    { pattern: /sk_test_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
+    // Stripe live restricted keys
+    { pattern: /rk_live_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
+    // Stripe test restricted keys
+    { pattern: /rk_test_[0-9a-zA-Z]{24,}/g, replacement: '[REDACTED_STRIPE_KEY]' },
+    // Bearer tokens
+    { pattern: /Bearer\s+[\w\-.]+/gi, replacement: 'Bearer [REDACTED]' },
+    // API keys (api_key, api-key, apikey, apikeys, etc.)
+    { pattern: /api[_-]?keys?[=:\s]+['"]?[\w-]+['"]?/gi, replacement: 'api_key=[REDACTED]' },
+    // Tokens (token, tokens) - require minimum 8 char value to reduce false positives
+    { pattern: /tokens?[=:\s]+['"]?([A-Za-z0-9_-]{8,})['"]?/gi, replacement: 'token=[REDACTED]' },
+    // Passwords
+    { pattern: /passwords?[=:\s]+['"]?[^\s'"]+['"]?/gi, replacement: 'password=[REDACTED]' },
+    // Generic secrets
+    { pattern: /secrets?[=:\s]+['"]?[^\s'"]+['"]?/gi, replacement: 'secret=[REDACTED]' },
+    // Base64-encoded long strings that look like secrets (40-500 chars to prevent ReDoS)
+    { pattern: /[A-Za-z0-9+/]{40,500}={0,2}/g, replacement: '[REDACTED_BASE64]' },
+    // Private keys (RSA, DSA, EC, OpenSSH, etc.)
+    {
+        pattern: /-----BEGIN[\s\w]+PRIVATE KEY-----[\s\S]*?-----END[\s\w]+PRIVATE KEY-----/g,
+        replacement: '[REDACTED_PRIVATE_KEY]',
+    },
+    // Database connection strings with credentials (postgres, postgresql, mysql, mongodb, redis)
+    // Password portion handles URL-encoded characters like %40 (for @) and %23 (for #)
+    {
+        pattern: /(postgres|postgresql|mysql|mongodb(\+srv)?|rediss?):\/\/[^\s/:]+:(?:[^@\s]|%[0-9A-Fa-f]{2})+@[^\s]+/gi,
+        replacement: '[REDACTED_CONNECTION_STRING]',
+    },
+    // GCP API keys
+    { pattern: /AIza[0-9A-Za-z_-]{35}/g, replacement: '[REDACTED_GCP_KEY]' },
+    // GCP OAuth tokens
+    { pattern: /ya29\.[0-9A-Za-z_-]+/g, replacement: '[REDACTED_GCP_TOKEN]' },
+];
+/**
+ * Sanitizes CI output by redacting common secret patterns before sending to the LLM.
+ * This helps prevent accidental exposure of sensitive information in prompts.
+ */
+export function sanitizeOutput(output) {
+    let sanitized = output;
+    for (const { pattern, replacement } of SECRET_PATTERNS) {
+        sanitized = sanitized.replace(pattern, replacement);
+    }
+    return sanitized;
+}
+/**
+ * Truncates CI output to the last N lines to reduce prompt size and focus on relevant errors.
+ * Adds a header indicating truncation if the output was longer than the limit.
+ */
+export function truncateOutput(output, maxLines = 20) {
+    const lines = output.split('\n');
+    if (lines.length <= maxLines) {
+        return output;
+    }
+    const truncatedLines = lines.slice(-maxLines);
+    const omittedCount = lines.length - maxLines;
+    return `... (${omittedCount} lines omitted)\n${truncatedLines.join('\n')}`;
+}
+const sessions = new Map();
+let cleanupIntervalId = null;
+/**
+ * Removes sessions that haven't been accessed within the TTL period.
+ * Skips sessions that are currently running a quality gate check.
+ */
+function cleanupStaleSessions() {
+    const now = Date.now();
+    for (const [sessionId, state] of sessions) {
+        if (state.running)
+            continue; // Don't evict active sessions
+        if (now - state.lastAccess > SESSION_TTL_MS) {
+            if (state.idleDebounce) {
+                clearTimeout(state.idleDebounce);
+            }
+            sessions.delete(sessionId);
+        }
+    }
+}
+function startCleanupInterval() {
+    if (cleanupIntervalId)
+        return;
+    cleanupIntervalId = setInterval(cleanupStaleSessions, CLEANUP_INTERVAL_MS);
+    // Allow the process to exit even if the interval is running
+    if (cleanupIntervalId.unref) {
+        cleanupIntervalId.unref();
+    }
+}
+function getSessionState(sessionId) {
+    const existing = sessions.get(sessionId);
+    if (existing) {
+        existing.lastAccess = Date.now();
+        return existing;
+    }
+    startCleanupInterval();
+    const now = Date.now();
+    const state = {
+        lastRunAt: 0,
+        dirty: true,
+        qualityGatePassed: false,
+        idleDebounce: null,
+        running: false,
+        lastAccess: now,
+    };
+    sessions.set(sessionId, state);
+    return state;
+}
+function isSessionReadOnly(permission) {
+    if (!permission)
+        return false;
+    return permission.some((rule) => (rule.permission === 'edit' || rule.permission === 'bash') && rule.action === 'deny');
+}
+async function log(client, level, message, extra) {
+    try {
+        await client.app.log({
+            body: {
+                service: SERVICE_NAME,
+                level,
+                message,
+                extra,
+            },
+        });
+    }
+    catch {
+        return undefined;
+    }
+}
+export async function createQualityGateHooks(input) {
+    const { client, $, directory } = input;
+    async function ciShExists() {
+        try {
+            await $ `test -f ${directory}/management/ci.sh`.quiet();
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async function _ensureSessionMetadata(sessionId, state) {
+        if (state.isReadOnly !== undefined)
+            return;
+        try {
+            const response = await client.session.get({ path: { id: sessionId } });
+            if (response.data) {
+                state.parentID = response.data.parentID;
+                const permission = response.data.permission;
+                state.isReadOnly = isSessionReadOnly(permission);
+                await log(client, 'debug', 'session.metadata-fetched', {
+                    sessionId,
+                    parentID: state.parentID,
+                    isReadOnly: state.isReadOnly,
+                });
+            }
+        }
+        catch {
+            state.isReadOnly = false;
+            await log(client, 'warn', 'session.metadata-fetch-failed', { sessionId });
+        }
+    }
+    async function runQualityGate(sessionId) {
+        const state = getSessionState(sessionId);
+        if (!sessions.has(sessionId)) {
+            await log(client, 'debug', 'quality-gate.skipped (session deleted)', { sessionId });
+            return;
+        }
+        if (state.running) {
+            await log(client, 'debug', 'quality-gate.skipped (already running)', { sessionId });
+            return;
+        }
+        const now = Date.now();
+        const cacheExpired = now - state.lastRunAt > 30 * 1000;
+        if (state.qualityGatePassed && !state.dirty && !cacheExpired) {
+            await log(client, 'debug', 'quality-gate.skipped (cached pass)', { sessionId });
+            return;
+        }
+        const hasCiSh = await ciShExists();
+        if (!hasCiSh) {
+            await log(client, 'debug', 'quality-gate.skipped (no ci.sh)', { sessionId });
+            return;
+        }
+        state.running = true;
+        try {
+            await log(client, 'info', 'quality-gate.started', { sessionId, directory });
+            let ciOutput = '';
+            let ciPassed = false;
+            let timedOut = false;
+            const ciPath = `${directory}/management/ci.sh`;
+            // eslint-disable-next-line no-undef
+            const proc = Bun.spawn(['bash', ciPath], {
+                cwd: directory,
+                stdout: 'pipe',
+                stderr: 'pipe',
+            });
+            let timeoutId = null;
+            let forceKillTimeoutId = null;
+            const timeoutPromise = new Promise((resolve) => {
+                timeoutId = setTimeout(() => {
+                    timedOut = true;
+                    // Graceful termination: SIGTERM first, then SIGKILL after grace period
+                    proc.kill('SIGTERM');
+                    forceKillTimeoutId = setTimeout(() => {
+                        // Force kill if still running after grace period
+                        try {
+                            proc.kill('SIGKILL');
+                        }
+                        catch {
+                            // Process already terminated
+                        }
+                    }, 5000);
+                    resolve();
+                }, CI_TIMEOUT_MS);
+            });
+            // Race the process completion against the timeout
+            await Promise.race([proc.exited, timeoutPromise]);
+            // Clear timeouts if process completed before timeout
+            if (timeoutId) {
+                clearTimeout(timeoutId);
+            }
+            if (forceKillTimeoutId) {
+                clearTimeout(forceKillTimeoutId);
+            }
+            const exitCode = proc.exitCode;
+            const stdout = await new Response(proc.stdout).text();
+            const stderr = await new Response(proc.stderr).text();
+            if (timedOut) {
+                await log(client, 'warn', 'quality-gate.timeout', {
+                    sessionId,
+                    timeoutMs: CI_TIMEOUT_MS,
+                });
+                ciOutput =
+                    `CI execution timed out after ${CI_TIMEOUT_MS / 1000} seconds\n\n${stdout}\n${stderr}`.trim();
+                ciPassed = false;
+            }
+            else {
+                ciOutput = stdout + (stderr ? `\n${stderr}` : '');
+                ciPassed = exitCode === 0;
+            }
+            state.lastRunAt = Date.now();
+            state.dirty = false;
+            state.qualityGatePassed = ciPassed;
+            if (!ciPassed) {
+                // Sanitize secrets first, then truncate to last 20 lines to reduce prompt size
+                const sanitizedOutput = truncateOutput(sanitizeOutput(ciOutput), 20);
+                const instructions = `
+
+**Important:** Do not interrupt your current task. Add "Fix quality gate failures" to your todo list and continue with what you were doing. Address the quality gate issues after completing your current task.
+
+If the failure details are missing or truncated, run "management/ci.sh" to get the full output.`;
+                const message = timedOut
+                    ? `⏱️ Quality gate timed out\n\nThe CI execution exceeded the ${CI_TIMEOUT_MS / 1000} second timeout. The build may be hanging or taking too long.\n\n\`\`\`\n${sanitizedOutput}\n\`\`\`${instructions}`
+                    : `❌ Quality gate failed\n\nThe CI checks did not pass. Please review the output below and fix the issues:\n\n\`\`\`\n${sanitizedOutput}\n\`\`\`${instructions}`;
+                await client.session.prompt({
+                    path: { id: sessionId },
+                    body: {
+                        parts: [
+                            {
+                                type: 'text',
+                                text: message,
+                            },
+                        ],
+                    },
+                });
+                await log(client, 'debug', timedOut ? 'quality-gate.timeout-reported' : 'quality-gate.failed', { sessionId });
+            }
+        }
+        finally {
+            state.running = false;
+        }
+    }
+    return {
+        event: async ({ event }) => {
+            const eventProps = event.properties;
+            const sessionId = eventProps?.sessionID;
+            if (event.type === 'session.created') {
+                const sessionInfo = event.properties?.info;
+                const id = sessionInfo?.id;
+                if (id) {
+                    startCleanupInterval();
+                    const isReadOnly = isSessionReadOnly(sessionInfo?.permission);
+                    sessions.set(id, {
+                        lastRunAt: 0,
+                        dirty: true,
+                        qualityGatePassed: false,
+                        idleDebounce: null,
+                        running: false,
+                        parentID: sessionInfo?.parentID,
+                        isReadOnly,
+                        lastAccess: Date.now(),
+                    });
+                    await log(client, 'debug', 'session.created', {
+                        sessionId: id,
+                        parentID: sessionInfo?.parentID,
+                        isReadOnly,
+                    });
+                }
+            }
+            if (event.type === 'session.deleted' && sessionId) {
+                const state = sessions.get(sessionId);
+                if (state?.idleDebounce) {
+                    clearTimeout(state.idleDebounce);
+                }
+                sessions.delete(sessionId);
+                await log(client, 'debug', 'session.deleted', { sessionId });
+            }
+            if (event.type === 'session.idle' && sessionId) {
+                const state = getSessionState(sessionId);
+                if (state.parentID) {
+                    await log(client, 'debug', 'quality-gate.skipped (sub-agent session)', {
+                        sessionId,
+                        parentID: state.parentID,
+                    });
+                    return;
+                }
+                if (state.isReadOnly) {
+                    await log(client, 'debug', 'quality-gate.skipped (read-only session)', { sessionId });
+                    return;
+                }
+                if (state.idleDebounce) {
+                    clearTimeout(state.idleDebounce);
+                }
+                state.idleDebounce = setTimeout(async () => {
+                    state.idleDebounce = null;
+                    if (sessions.has(sessionId)) {
+                        try {
+                            await runQualityGate(sessionId);
+                        }
+                        catch (err) {
+                            await log(client, 'error', 'quality-gate.unhandled-error', {
+                                sessionId,
+                                error: String(err),
+                            });
+                        }
+                    }
+                }, IDLE_DEBOUNCE_MS);
+            }
+        },
+        'tool.execute.before': async (input) => {
+            const sessionId = input.sessionID;
+            if (!sessionId)
+                return;
+            const state = getSessionState(sessionId);
+            if (input.tool === 'edit' || input.tool === 'write' || input.tool === 'patch') {
+                state.dirty = true;
+                state.qualityGatePassed = false;
+                await log(client, 'debug', 'session.dirty', { sessionId, tool: input.tool });
+            }
+        },
+    };
+}

package/dist/stop-quality-gate.test.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Unit tests for stop-quality-gate module
+ *
+ * Tests focus on pure functions that can be tested in isolation:
+ * - sanitizeOutput: redacts secrets from CI output
+ * - isSessionReadOnly: determines if session has write permissions
+ */
+export {};