@tplog/pi-zendy 0.2.17 → 0.3.0

package/extensions/source-cleanup.ts

@@ -1,162 +0,0 @@
-/**
- * Source-clone cleanup extension (deterministic, code-level defense).
- *
- * dify-enterprise / dify-enterprise-frontend are PRIVATE repositories.
- * Relying on skill-level ("please remember to clean up") guidance is
- * prompt-level defense — an AI can forget. This extension enforces
- * cleanup in code:
- *
- *   - on session_start:
- *       · create /tmp/zendy-session-<pid>-<ts>/ (mode 0700)
- *       · export its path via process.env.ZENDY_SRC_DIR so bash
- *         subprocesses spawned by pi (and the source-check skill)
- *         clone into it
- *       · sweep orphan session dirs whose owning pid is dead
- *
- *   - on session_shutdown AND on process exit / SIGINT / SIGTERM /
- *     uncaughtException:
- *       · rm -rf this session's dir (idempotent, best-effort)
- *
- *   - /cleanup-src slash command inside pi: wipe all dify-* and
- *     orphan zendy-session-* dirs on demand.
- *
- * Caveats (do not oversell):
- *   - kill -9 / OOM / power loss bypass handlers → rely on the
- *     next startup's orphan sweep.
- *   - rm -rf is not secure erase. For at-rest confidentiality,
- *     disk encryption (FileVault/LUKS) is required.
- */
-
-import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
-import { mkdirSync, rmSync, readdirSync } from "node:fs";
-import { join } from "node:path";
-
-const BASE_DIR = "/tmp";
-const SESSION_PREFIX = "zendy-session-";
-const WIPE_PREFIXES = ["dify-", SESSION_PREFIX];
-
-function parseSessionDir(name: string): { pid: number } | null {
-  const m = /^zendy-session-(\d+)-(\d+)$/.exec(name);
-  return m ? { pid: parseInt(m[1]!, 10) } : null;
-}
-
-function isAlive(pid: number): boolean {
-  try {
-    process.kill(pid, 0);
-    return true;
-  } catch (e) {
-    return (e as NodeJS.ErrnoException).code === "EPERM";
-  }
-}
-
-function safeRmrf(path: string): boolean {
-  try {
-    rmSync(path, { recursive: true, force: true });
-    return true;
-  } catch {
-    return false;
-  }
-}
-
-function sweepOrphans(base: string, exclude: string): string[] {
-  let entries;
-  try {
-    entries = readdirSync(base, { withFileTypes: true });
-  } catch {
-    return [];
-  }
-  const removed: string[] = [];
-  for (const e of entries) {
-    if (!e.isDirectory()) continue;
-    const info = parseSessionDir(e.name);
-    if (!info) continue;
-    const full = join(base, e.name);
-    if (full === exclude) continue;
-    if (isAlive(info.pid)) continue;
-    if (safeRmrf(full)) removed.push(full);
-  }
-  return removed;
-}
-
-export default function (pi: ExtensionAPI) {
-  const ts = Date.now();
-  const sessionDir = join(BASE_DIR, `${SESSION_PREFIX}${process.pid}-${ts}`);
-  let cleanedUp = false;
-
-  function ensureDir(): void {
-    try {
-      mkdirSync(sessionDir, { recursive: true, mode: 0o700 });
-    } catch {
-      // non-fatal; clone commands will also create subpaths with mkdir -p
-    }
-  }
-
-  function cleanupSession(): void {
-    if (cleanedUp) return;
-    cleanedUp = true;
-    safeRmrf(sessionDir);
-  }
-
-  // Belt-and-suspenders: if session_shutdown doesn't fire (some exit paths
-  // skip event dispatch), rely on node's process signals. All idempotent.
-  process.on("exit", cleanupSession);
-  process.on("SIGINT", () => {
-    cleanupSession();
-    process.exit(130);
-  });
-  process.on("SIGTERM", () => {
-    cleanupSession();
-    process.exit(143);
-  });
-  process.on("uncaughtException", (err) => {
-    cleanupSession();
-    // Preserve original Node behavior of non-zero exit + stderr trace.
-    // eslint-disable-next-line no-console
-    console.error(err);
-    process.exit(1);
-  });
-
-  pi.on("session_start", async (_event, ctx) => {
-    ensureDir();
-    process.env["ZENDY_SRC_DIR"] = sessionDir;
-    const removed = sweepOrphans(BASE_DIR, sessionDir);
-    if (ctx.hasUI && removed.length > 0) {
-      ctx.ui.notify(
-        `[source-cleanup] swept ${removed.length} orphan session dir(s)`,
-        "info",
-      );
-    }
-  });
-
-  pi.on("session_shutdown", async () => {
-    cleanupSession();
-  });
-
-  pi.registerCommand("cleanup-src", {
-    description:
-      "Wipe all Dify source clones (/tmp/dify-*) and orphan zendy session dirs",
-    handler: async (_args, ctx) => {
-      let entries;
-      try {
-        entries = readdirSync(BASE_DIR, { withFileTypes: true });
-      } catch {
-        ctx.ui.notify(`[source-cleanup] cannot read ${BASE_DIR}`, "error");
-        return;
-      }
-      const removed: string[] = [];
-      for (const e of entries) {
-        if (!e.isDirectory()) continue;
-        if (!WIPE_PREFIXES.some((p) => e.name.startsWith(p))) continue;
-        const full = join(BASE_DIR, e.name);
-        if (full === sessionDir) continue; // never nuke our own live session
-        if (safeRmrf(full)) removed.push(full);
-      }
-      ctx.ui.notify(
-        removed.length === 0
-          ? `[source-cleanup] nothing to remove`
-          : `[source-cleanup] removed ${removed.length} dir(s):\n${removed.join("\n")}`,
-        "info",
-      );
-    },
-  });
-}

package/extensions/status.ts

@@ -1,82 +0,0 @@
-/**
- * Status slash-command extension.
- *
- * Registers `/status` inside pi. On invocation it shells out to
- * `zendy preflight --json` and renders the result as a single notification.
- *
- * Why subprocess instead of duplicating check logic here? The canonical
- * checks live in `src/preflight.ts` (pi/zcli/github), and the npm-published
- * `zendy` binary is in PATH (pi was launched by it). One source of truth,
- * trivial extension, ~50ms cold start per invocation — fine for an
- * interactive on-demand command.
- */
-
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { execFile } from "node:child_process";
-
-interface CheckResult {
-  name: string;
-  label: string;
-  level: "fatal" | "core" | "enhanced";
-  status: "ok" | "missing" | "auth_error";
-  hint: string;
-}
-
-interface PreflightReport {
-  results: CheckResult[];
-  hasFatal: boolean;
-  hasCore: boolean;
-  hasEnhanced: boolean;
-}
-
-function runZendyPreflight(): Promise<
-  { ok: true; report: PreflightReport } | { ok: false; error: string }
-> {
-  return new Promise((resolve) => {
-    execFile(
-      "zendy",
-      ["preflight", "--json"],
-      { timeout: 15000, encoding: "utf-8" },
-      (err, stdout, stderr) => {
-        if (err && (err as NodeJS.ErrnoException).code === "ENOENT") {
-          resolve({ ok: false, error: "`zendy` not found in PATH" });
-          return;
-        }
-        if (err) {
-          const msg = stderr.trim() || (err as Error).message;
-          resolve({ ok: false, error: msg });
-          return;
-        }
-        try {
-          const report = JSON.parse(stdout.trim()) as PreflightReport;
-          resolve({ ok: true, report });
-        } catch {
-          resolve({ ok: false, error: `could not parse preflight JSON: ${stdout.slice(0, 200)}` });
-        }
-      },
-    );
-  });
-}
-
-function formatLine(r: CheckResult): string {
-  if (r.status === "ok") return `  ✓ ${r.label}`;
-  const firstHintLine = r.hint.split("\n")[0] ?? "";
-  return `  ✗ ${r.label}${firstHintLine ? ` — ${firstHintLine}` : ""}`;
-}
-
-export default function (pi: ExtensionAPI) {
-  pi.registerCommand("status", {
-    description: "Show pi / Zendesk / GitHub connection status",
-    handler: async (_args, ctx) => {
-      const result = await runZendyPreflight();
-      if (!result.ok) {
-        ctx.ui.notify(`[status] could not run preflight: ${result.error}`, "error");
-        return;
-      }
-      const { report } = result;
-      const body = report.results.map(formatLine).join("\n");
-      const hasIssue = report.hasFatal || report.hasCore || report.hasEnhanced;
-      ctx.ui.notify(`zendy status:\n${body}`, hasIssue ? "error" : "info");
-    },
-  });
-}

package/extensions/zendy-context.ts

@@ -1,24 +0,0 @@
-import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
-import { readFileSync } from "node:fs";
-import { dirname, join } from "node:path";
-import { fileURLToPath } from "node:url";
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-const AGENTS_PATH = join(__dirname, "..", "agents.md");
-
-let cachedContext: string | undefined;
-
-function loadZendyContext(): string {
-  if (cachedContext === undefined) {
-    cachedContext = readFileSync(AGENTS_PATH, "utf-8");
-  }
-  return cachedContext;
-}
-
-export default function (pi: ExtensionAPI) {
-  pi.on("before_agent_start", async (event) => {
-    return {
-      systemPrompt: `${event.systemPrompt}\n\n${loadZendyContext()}`,
-    };
-  });
-}

package/skills/helm-watchdog/SKILL.md

@@ -1,146 +0,0 @@
----
-name: helm-watchdog
-description: "Query Dify Helm chart metadata — values.yaml, container images, validation results, and version info. Use when analyzing Helm-level configuration for a specific Dify Enterprise version."
----
-
-# Dify Helm Watchdog Skill
-
-Query the dify-helm-watchdog **HTTP API** to inspect Helm chart data for any cached Dify version.
-
-**IMPORTANT: This is a REST API, not a CLI tool. There is no `helm-watchdog` binary. Use `curl` to call the endpoints below.**
-
-## Quick Reference — Copy-Paste Commands
-
-```bash
-# Get values.yaml for a version
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0/values"
-
-# Get version metadata (chart version → app version mapping)
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0" | jq .
-
-# List all container images with their paths and tags
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0/images" | jq '.[] | {path, tag}'
-
-# Find a specific component's image (e.g., plugin-connector)
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0/images" | jq '.[] | select(.path | test("plugin-connector"))'
-
-# Check image validation status
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0/images?validate=true" | jq '.[] | {path, tag, status}'
-
-# Get latest version number
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/latest?versionOnly=true"
-```
-
-### Images API response structure
-
-The `/images` endpoint returns a JSON array. Each element has these fields:
-```json
-{
-  "path": "langgenius/dify-api",        // image repository path
-  "tag": "7a1f0e32...",                 // image tag
-  "registry": "docker.io",             // registry (may be absent)
-  "valuesPath": "api.image"            // location in values.yaml
-}
-```
-
-Key: the field is `.path`, not `.name` or `.repository`.
-
-## When to Use
-
-- Looking up `values.yaml` for a specific Dify chart version
-- Checking what container images a chart version uses
-- Finding the latest chart version
-- Validating chart image availability
-- Answering customer questions about Helm configuration, default values, or image tags
-
-## When NOT to Use
-
-- Modifying chart values or deploying — this is read-only
-- Anything outside the Helm chart layer (application code, runtime behavior)
-
-## Base URL
-
-```
-https://dify-helm-watchdog.vercel.app/api/v1
-```
-
-## API Endpoints
-
-### List cached versions
-
-```bash
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions" | jq .
-```
-
-### Get latest version
-
-```bash
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/latest"
-# Plain text version number only:
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/latest?versionOnly=true"
-```
-
-### Get version metadata
-
-```bash
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0" | jq .
-```
-
-Returns chart version, app version, creation date, and asset URLs.
-
-### Get values.yaml
-
-```bash
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0/values"
-```
-
-Returns the full `values.yaml` for the requested chart version. This is the most commonly used endpoint — use it to check default configuration, environment variables, image tags, and feature flags.
-
-### Get container images
-
-```bash
-# JSON output
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0/images" | jq .
-# With validation status
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0/images?validate=true" | jq .
-```
-
-Lists all container image references from the chart's values. Useful for answering questions about image tags (`latest` vs pinned), base images, and vulnerability scoping.
-
-### Get validation results
-
-```bash
-# All validations
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0/validation" | jq .
-# Only missing images
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/versions/3.8.0/validation?status=MISSING" | jq .
-```
-
-### Inspect cache metadata
-
-```bash
-curl -s "https://dify-helm-watchdog.vercel.app/api/v1/cache" | jq .
-```
-
-## Practical Guidance
-
-1. **Start with version metadata** to confirm the chart version exists and get the app version mapping (e.g., chart 3.8.0 → app 1.12.0).
-2. **Use values.yaml** to answer configuration questions — most customer inquiries about Helm settings can be resolved here.
-3. **Use images** endpoint when the question is about container images, tags, or vulnerability scope.
-4. When a customer reports an issue on a specific version, always pull the values.yaml for **that exact version** — defaults change between releases.
-5. Output is JSON unless otherwise noted (values endpoint returns raw YAML).
-
-## Version Mapping
-
-Chart versions map to Dify app versions. Common mappings:
-- Chart 3.8.0 → App 1.12.0
-- Chart 3.7.5 → App 1.11.4
-
-Use the version metadata endpoint to confirm the mapping for any version.
-
-## Notes for the Agent
-
-- All endpoints are public and read-only, no authentication needed for GET requests.
-- Use `curl -s` and pipe to `jq` for readable output.
-- The values.yaml can be large — if you only need a specific section, pipe through `grep` or use `yq` if available.
-- When comparing versions, pull values for both and diff them.

package/skills/source-check/SKILL.md

@@ -1,143 +0,0 @@
----
-name: source-check
-description: "Clone and analyze Dify source code to investigate customer issues. Knows the repo map: enterprise backend/frontend, open-source core, plugin daemon, sandbox. Human-triggered only."
----
-
-# Dify Source Analysis Skill
-
-Clone the correct Dify repository and analyze source code to investigate customer issues.
-
-## When to Use
-
-- The user explicitly asks to look at the source code
-- A question cannot be answered from Helm chart values alone
-
-## When NOT to Use
-
-- Do NOT proactively decide to clone source code — wait for the user to ask
-- Do NOT use for questions answerable from values.yaml or documentation
-
-## Repository Map
-
-**First, determine which repo to clone based on the problem area:**
-
-**Clone destination:** always clone under `"$ZENDY_SRC_DIR"` (set by the `source-cleanup`
-extension at session start). The extension will wipe the whole directory when the
-session ends, so anything inside is guaranteed to be cleaned up — even if you forget.
-If for some reason `$ZENDY_SRC_DIR` is not set, fall back to `/tmp` but tell the user.
-
-| Problem area | Repo | Access | Language | Clone command |
-|---|---|---|---|---|
-| SSO, token, session, SCIM, license, audit, branding, MFA, password policy | `langgenius/dify-enterprise` | private | Go | `git clone --depth 1 --branch <tag> git@github.com:langgenius/dify-enterprise.git "$ZENDY_SRC_DIR/dify-enterprise-<tag>"` |
-| Enterprise Dashboard UI, admin console frontend | `langgenius/dify-enterprise-frontend` | private | TypeScript | `git clone --depth 1 --branch <tag> git@github.com:langgenius/dify-enterprise-frontend.git "$ZENDY_SRC_DIR/dify-enterprise-frontend-<tag>"` |
-| API, workflow, knowledge base, model provider, RAG, chat | `langgenius/dify` | public | Python | `git clone --depth 1 --branch <tag> git@github.com:langgenius/dify.git "$ZENDY_SRC_DIR/dify-<tag>"` |
-| Plugin runtime, plugin execution | `langgenius/dify-plugin-daemon` | public | Go/Python | `git clone --depth 1 --branch <tag> git@github.com:langgenius/dify-plugin-daemon.git "$ZENDY_SRC_DIR/dify-plugin-daemon-<tag>"` |
-| Code sandbox execution | `langgenius/dify-sandbox` | public | Go | `git clone --depth 1 --branch <tag> git@github.com:langgenius/dify-sandbox.git "$ZENDY_SRC_DIR/dify-sandbox-<tag>"` |
-
-Enterprise repos also contain these components (all in dify-enterprise):
-- **gateway** — enterprise API gateway (`cmd/gateway/`, `pkg/gateway/`)
-- **plugin-connector** — plugin pod orchestration on K8s (`cmd/plugin-connector/`, `pkg/connector/`)
-- **plugin-manager** — enterprise plugin management (`cmd/plugin-manager/`, `pkg/plugin-manager/`)
-- **plugin-crd** — K8s CRD controller for plugins (`cmd/plugin-crd/`, `pkg/plugincrd/`)
-- **audit** — audit logging (`cmd/audit/`, `pkg/audit/`)
-
-## Version Mapping
-
-Customer's Dify version → correct git tag:
-
-1. Get chart version from Zendesk ticket fields (e.g., `3.8.0`)
-2. Use helm-watchdog to get the image tags from values.yaml:
-   - `enterprise.image.tag` → tag for `dify-enterprise` and `dify-enterprise-frontend` (e.g., `0.15.0`)
-   - `api.image.tag` → tag for `dify` (usually a commit hash, e.g., `7a1f0e32...`)
-   - `pluginDaemon.image.tag` → tag for `dify-plugin-daemon`
-   - `sandbox.image.tag` → tag for `dify-sandbox`
-
-## dify-enterprise Directory Structure (Go)
-
-```
-cmd/                              # Entry points (one per component)
-├── enterprise/                   # Main enterprise backend
-├── gateway/                      # API gateway
-├── audit/                        # Audit service
-├── plugin-connector/             # Plugin K8s orchestrator
-├── plugin-manager/               # Plugin manager
-├── plugin-crd/                   # K8s CRD controller
-└── plugin-shader/                # Plugin image builder
-
-pkg/
-├── enterprise/
-│   └── service/                  # Core business logic
-│       ├── console-sso.go        # Console SSO login (SAML/OIDC/OAuth2)
-│       ├── web-sso.go            # WebApp SSO login
-│       ├── dashboard-sso.go      # Dashboard SSO
-│       ├── cookie.go             # Cookie/session management
-│       ├── ssoconfig.go          # SSO configuration
-│       ├── member.go             # User/member management
-│       ├── license.go            # License validation
-│       ├── mfa.go                # Multi-factor auth
-│       ├── password-policy.go    # Password policy
-│       ├── scim.go               # SCIM provisioning
-│       ├── scim-users.go         # SCIM user sync
-│       ├── scim-groups.go        # SCIM group sync
-│       ├── branding.go           # Custom branding
-│       ├── workspace.go          # Workspace management
-│       ├── admin-*.go            # Admin operations
-│       └── webapp.go             # WebApp config
-├── sysconf/
-│   ├── keys.go                   # Configuration key definitions
-│   └── values.go                 # Default values
-├── auth/                         # Authentication
-├── connector/                    # Plugin connector logic
-├── gateway/                      # Gateway logic
-├── plugin/                       # Plugin management
-├── plugin-manager/               # Plugin manager logic
-├── plugincrd/                    # K8s CRD logic
-├── audit/                        # Audit logic
-├── kube/                         # Kubernetes utilities
-└── data/                         # Data layer
-
-ts/                               # TypeScript code
-├── connector/                    # Plugin connector frontend
-├── enterprise_client/            # Enterprise API client
-└── dify/                         # Dify integrations
-```
-
-## dify (open-source) Directory Structure (Python)
-
-```
-api/                              # Backend API (Flask)
-├── controllers/                  # HTTP handlers
-├── core/
-│   ├── workflow/                 # Workflow engine
-│   ├── rag/                      # RAG pipeline
-│   ├── model_runtime/            # Model provider integrations
-│   ├── app/                      # App orchestration
-│   └── tools/                    # Built-in tools
-├── services/                     # Business logic
-├── models/                       # Database models
-└── configs/                      # Configuration
-
-web/                              # Frontend (Next.js / TypeScript)
-├── app/                          # Pages
-├── components/                   # UI components
-└── service/                      # API client
-```
-
-## Analysis Approach
-
-1. **grep first** — find relevant files by keyword (feature name, config key, error message)
-2. **Read identified files** — understand the logic
-3. **Trace the flow** — API endpoint → handler → service → data layer
-4. **Compare** with the customer's reported behavior
-5. **Conclude** — bug, misconfiguration, or expected behavior
-
-## Rules
-
-- Always shallow clone (`--depth 1`) for speed
-- State confidence level: "confirmed from code" vs "inferred from structure"
-- Read-only — never modify source code
-- Clone into `"$ZENDY_SRC_DIR"`. The `source-cleanup` extension wipes this directory
-  on session shutdown, so manual `rm -rf` after analysis is no longer required.
-  If the user asks for immediate cleanup mid-session, use the `/cleanup-src` slash
-  command (wipes `/tmp/dify-*` and orphan session dirs).
-- If clone fails (permission denied), tell the user to configure SSH keys

package/skills/zendesk-cli/SKILL.md

@@ -1,37 +0,0 @@
----
-name: zendesk-cli
-description: "Zendesk ticket lookup via the zcli CLI. Provides ticket metadata, comment threads, and search — all as JSON."
----
-
-# zendesk-cli
-
-`zcli` is a Zendesk CLI that outputs JSON. Use it to fetch tickets, comments, and search results.
-
-## Quick start
-
-Discover all commands and options:
-
-```bash
-zcli --help
-zcli <command> --help
-```
-
-## Install (if missing)
-
-```bash
-npm install -g @tplog/zendesk-cli
-zcli configure
-```
-
-## Key behaviors the agent must know
-
-- **`zcli <email>` is assignee lookup, not requester.** This is the most common mistake.
-- **`zcli follower <email>`** is a separate command — don't try to filter assignee results manually.
-- **Output is already JSON.** No `--json` flag needed. Summarize directly from stdout.
-- **When summarizing a ticket, always parallel-call both:**
-  ```bash
-  zcli <id>            # ticket metadata
-  zcli comments <id>   # comment thread
-  ```
-  Ticket metadata alone is not enough for a complete summary.
-- **Errors are also JSON on stdout** with non-zero exit code. Check stdout, not just stderr.