npm - @themoltnet/legreffier - Versions diffs - 0.29.0 → 0.29.1 - Mend

@themoltnet/legreffier 0.29.0 → 0.29.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,19 +1,27 @@
 # @themoltnet/legreffier
-One-command setup for accountable AI agent commits on
+End-to-end attribution for AI coding agents — so you know who wrote the code,
+why, and whether the context behind it actually worked. Built on
 [MoltNet](https://themolt.net).
-`legreffier init` generates a cryptographic identity, creates a GitHub App,
-configures git signing, and wires up your AI coding agent — all in one
-interactive flow.
+`legreffier init` gives your agent its own cryptographic identity, a persistent
+diary for decisions and rationale, and SSH-signed commits linked to signed
+reasoning — all wired up in one interactive flow. Memory that's _attributed_,
+rationale that's _signed_, and context that can be _measured_ — across sessions
+and across agents.
 ## What You Get
 1. **Own identity** — commits show the agent's name and avatar, not yours
-2. **SSH-signed commits** — every commit is signed with the agent's Ed25519 key
-3. **Signed diary entries** — non-trivial commits get a cryptographic rationale
-   linked via a `MoltNet-Diary:` trailer
-4. **GitHub App authentication** — push access via installation tokens, no
+2. **Persistent diary** — signed, content-addressed entries for decisions,
+   rationale, and context that survive across sessions and across agents
+3. **Rationale linked to code** — non-trivial commits carry a `MoltNet-Diary:`
+   trailer pointing at a signed entry explaining _why_
+4. **SSH-signed commits** — every commit is signed with the agent's Ed25519 key
+5. **Measured context** — compiled packs can be scored against real coding
+   tasks via the MoltNet eval runner, so memory earns its place instead of just
+   accumulating
+6. **GitHub App authentication** — push access via installation tokens, no
    personal access tokens
 ## Prerequisites

package/dist/index.js CHANGED Viewed

@@ -410,14 +410,14 @@ function CliHero({ animated = false }) {
 				/* @__PURE__ */ jsx(Text, { children: " " }),
 				/* @__PURE__ */ jsxs(Text, { children: [
 					"  ",
-					/* @__PURE__ */ jsx(Text, {
+					/* @__PURE__ */ jsxs(Text, {
 						color: cliTheme.color.text,
-						children: "Accountable AI commits. "
+						children: ["Attribution for AI coding agents.", " "]
 					}),
 					/* @__PURE__ */ jsx(Text, {
 						color: cliTheme.color.accent,
 						bold: true,
-						children: "Cryptographic identity."
+						children: "Identity, memory, signed rationale."
 					})
 				] }),
 				/* @__PURE__ */ jsxs(Text, { children: [
@@ -7532,33 +7532,60 @@ async function downloadSkills(repoDir, skillDir) {
 		}
 	}
 }
-function buildGhTokenRule(agentName) {
+function buildGhTokenRule() {
 	return [
-		"# GitHub CLI Authentication (LeGreffier)",
+		"# GitHub CLI Authentication (MoltNet agents)",
+		"",
+		"> **STRICT RULE — read this before every `gh` call.**",
+		">",
+		"> When `GIT_CONFIG_GLOBAL` is set (matches `.moltnet/<agent>/gitconfig`), you",
+		"> **MUST NOT** run bare `gh <command>`. You **MUST** prefix every `gh` call",
+		"> with a `GH_TOKEN` resolved from an **absolute path** to `moltnet.json`.",
+		"> Running bare `gh` silently falls back to the human personal token and",
+		"> attributes the action to the wrong identity — this is a correctness bug,",
+		"> not a warning.",
 		"",
-		`When \`GIT_CONFIG_GLOBAL\` is set to \`.moltnet/${agentName}/gitconfig\`,`,
-		"authenticate `gh` CLI commands as the GitHub App by prefixing them with:",
+		"## The only correct form",
 		"",
 		"```bash",
-		"GH_TOKEN=$(npx @themoltnet/cli github token --credentials \"$(dirname \"$GIT_CONFIG_GLOBAL\")/moltnet.json\") gh <command>",
+		"# 1. Resolve credentials to an ABSOLUTE path (never trust $GIT_CONFIG_GLOBAL as-is).",
+		"CREDS=\"$(cd \"$(dirname \"$GIT_CONFIG_GLOBAL\")\" 2>/dev/null && pwd)/moltnet.json\"",
+		"",
+		"# 2. Refuse to proceed if the file does not exist at that absolute path.",
+		"[ -f \"$CREDS\" ] || { echo \"FATAL: moltnet.json not found at $CREDS\" >&2; exit 1; }",
+		"",
+		"# 3. Call gh with GH_TOKEN inlined.",
+		"GH_TOKEN=$(npx @themoltnet/cli github token --credentials \"$CREDS\") gh <command>",
 		"```",
 		"",
-		"The token is cached locally (~1 hour lifetime, 5-min expiry buffer),",
+		"The credentials file (`moltnet.json`) always lives next to the `gitconfig`",
+		"inside the same `.moltnet/<agent>/` directory, regardless of which agent is",
+		"active. The token is cached locally (~1 hour lifetime, 5-min expiry buffer),",
 		"so repeated calls are fast after the first API hit.",
 		"",
-		"## Worktree warning",
+		"## Why absolute paths are mandatory",
 		"",
-		`\`GIT_CONFIG_GLOBAL\` may be a **relative path** (e.g. \`.moltnet/${agentName}/gitconfig\`).`,
-		"In git worktrees the CWD differs from the main worktree root, so `$(dirname \"$GIT_CONFIG_GLOBAL\")`",
-		"resolves incorrectly and `no credentials found` is printed — the command then falls back to your",
-		"personal `gh` token silently.",
+		"`GIT_CONFIG_GLOBAL` is almost always a **relative path** (e.g. `.moltnet/<agent>/gitconfig`).",
+		"Every git worktree has a different CWD from the main worktree root, so",
+		"`$(dirname \"$GIT_CONFIG_GLOBAL\")` resolves differently depending on where you are.",
+		"When it resolves to a non-existent directory:",
 		"",
-		"**Always resolve to an absolute path first:**",
+		"- `npx @themoltnet/cli github token` prints `no credentials found` to stderr,",
+		"- the command substitution yields an empty `GH_TOKEN`,",
+		"- `gh` silently falls back to your personal token,",
+		"- the resulting API call is attributed to the **human**, not the agent.",
 		"",
-		"```bash",
-		"CREDS=\"$(cd \"$(dirname \"$GIT_CONFIG_GLOBAL\")\" && pwd)/moltnet.json\"",
-		"GH_TOKEN=$(npx @themoltnet/cli github token --credentials \"$CREDS\") gh <command>",
-		"```",
+		"This failure is invisible in normal output. The `cd ... && pwd` dance in step 1",
+		"is the only reliable way to get an absolute path that works across worktrees.",
+		"",
+		"## Forbidden patterns",
+		"",
+		"- `gh <command>` — bare, no `GH_TOKEN`. **Never.**",
+		"- `GH_TOKEN=$(... --credentials \"$(dirname \"$GIT_CONFIG_GLOBAL\")/moltnet.json\") gh ...`",
+		"  — uses the raw relative path. Breaks in worktrees.",
+		"- `GH_TOKEN=$(... --credentials \"./moltnet.json\") gh ...` — relative. Breaks.",
+		"- `GH_TOKEN=$(... --credentials \"~/.moltnet/...\") gh ...` — `~` is not expanded",
+		"  inside double quotes; use `$HOME` or the literal absolute path.",
 		"",
 		"## Allowed `gh` subcommands",
 		"",
@@ -7780,7 +7807,7 @@ var ClaudeAdapter = class {
 	async writeRules(opts) {
 		const dir = join(opts.repoDir, ".claude", "rules");
 		await mkdir(dir, { recursive: true });
-		await writeFile(join(dir, "legreffier-gh.md"), buildGhTokenRule(opts.agentName), "utf-8");
+		await writeFile(join(dir, "legreffier-gh.md"), buildGhTokenRule(), "utf-8");
 	}
 };
 //#endregion
@@ -8057,17 +8084,21 @@ async function writePem(pem, appSlug, configDir) {
 /**
 * Write a standalone gitconfig file to <configDir>/gitconfig and return
 * its path. The config sets user.name/email and enables SSH commit signing
-* using the agent's SSH key.
+* using the agent's SSH public key.
+*
+* **Important:** `signingkey` must live under `[user]`, not `[gpg "ssh"]`.
+* Git only reads `user.signingkey`; a key declared as `gpg.ssh.signingkey`
+* is silently ignored and `git commit -S` fails with
+* `fatal: either user.signingkey or gpg.ssh.defaultKeyCommand needs to be configured`.
 */
-async function writeGitConfig({ configDir, name, email, sshKeyPath }) {
+async function writeGitConfig({ configDir, name, email, sshPublicKeyPath }) {
 	const content = [
 		"[user]",
 		`\tname = ${name}`,
 		`\temail = ${email}`,
+		`\tsigningkey = ${sshPublicKeyPath}`,
 		"[gpg]",
 		"	format = ssh",
-		"[gpg \"ssh\"]",
-		`\tsigningKey = ${sshKeyPath}`,
 		"[commit]",
 		"	gpgsign = true",
 		""
@@ -8322,7 +8353,7 @@ async function runGitSetupPhase(opts) {
 		key: "gitSetup",
 		status: "running"
 	});
-	const { privatePath } = await exportSSHKey({ configDir });
+	const { publicPath } = await exportSSHKey({ configDir });
 	const email = buildBotEmail((await lookupBotUser(appSlug, { maxRetries: 5 })).id, appSlug);
 	await updateConfigSection("git", {
 		name: agentName,
@@ -8332,7 +8363,7 @@ async function runGitSetupPhase(opts) {
 			configDir,
 			name: agentName,
 			email,
-			sshKeyPath: privatePath
+			sshPublicKeyPath: publicPath
 		})
 	}, configDir);
 	dispatch({
@@ -9252,7 +9283,7 @@ async function runPortRewritePhase(opts) {
 		configDir: targetDir,
 		name: config.git.name,
 		email: config.git.email,
-		sshKeyPath: newSshPriv
+		sshPublicKeyPath: newSshPub
 	});
 	await writeEnvFile({
 		envDir: targetDir,

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@themoltnet/legreffier",
-  "version": "0.29.0",
-  "description": "LeGreffier — one-command accountable AI agent setup",
+  "version": "0.29.1",
+  "description": "LeGreffier — attribution and measured memory for AI coding agents.",
   "license": "AGPL-3.0-only",
   "type": "module",
   "repository": {
@@ -36,8 +36,8 @@
     "@moltnet/api-client": "0.1.0",
     "@themoltnet/design-system": "0.3.2",
     "@moltnet/crypto-service": "0.1.0",
-    "@themoltnet/github-agent": "0.23.0",
-    "@themoltnet/sdk": "0.88.0"
+    "@themoltnet/sdk": "0.88.0",
+    "@themoltnet/github-agent": "0.23.0"
   },
   "scripts": {
     "dev": "vite build --watch",