@uluops/setup 0.4.0 → 0.6.3

package/dist/steps/metrics.js

@@ -4,7 +4,7 @@
  * Installs agent-metrics tool files and configures post-agent hooks.
  * Only active for harnesses that support hooks (currently Claude Code only).
  */
-import { mkdir, readdir, copyFile, rm, access } from "node:fs/promises";
+import { mkdir, readdir, copyFile, rm, access, readFile } from "node:fs/promises";
 import { join } from "node:path";
 /** Where agent-metrics dist files are installed (derived from profile) */
 function getMetricsToolDir(profile) {
@@ -18,30 +18,52 @@ export function getHookCommand(profile) {
     const toolDir = getMetricsToolDir(profile);
     if (!toolDir)
         throw new Error("No tool dir for this harness");
-    return `"${process.execPath}" "${join(toolDir, "dist", "hook.js")}"`;
+    const nodePath = process.execPath;
+    const hookPath = join(toolDir, "dist", "hook.js");
+    if (nodePath.includes('"') || hookPath.includes('"')) {
+        throw new Error("Hook command paths must not contain double-quote characters");
+    }
+    return `"${nodePath}" "${hookPath}"`;
 }
 /**
  * Find the agent-metrics package source directory.
  * Looks for it as a sibling package in the monorepo or as an npm dependency.
+ *
+ * Also reads the source package.json's version so the manifest can record
+ * which agent-metrics version was actually copied — the shared version
+ * ledger across the setup↔agent-metrics seam.
  */
 async function findMetricsSource() {
-    // Try to find the package via Node.js module resolution
     try {
         const resolved = import.meta.resolve("@uluops/agent-metrics");
         // resolved is like file:///path/to/dist/index.js — get the package root
         const distDir = new URL(".", resolved).pathname;
         const pkgRoot = join(distDir, "..");
-        return pkgRoot;
+        const version = await readSourceVersion(pkgRoot);
+        return { pkgRoot, version };
+    }
+    catch {
+        return null;
+    }
+}
+async function readSourceVersion(pkgRoot) {
+    try {
+        const raw = await readFile(join(pkgRoot, "package.json"), "utf-8");
+        const parsed = JSON.parse(raw);
+        return typeof parsed.version === "string" ? parsed.version : null;
     }
     catch {
-        // Not installed as dependency
+        return null;
     }
-    return null;
 }
 /**
- * Copy agent-metrics dist files to the tool directory.
- * Copies all .js files needed for the hook and CLI.
+ * Read the installed agent-metrics version from the harness tree.
+ * Returns null when the file is missing or unparseable.
+ * Exported so verify.ts can detect drift between installed and source.
  */
+export async function readInstalledMetricsVersion(toolDir) {
+    return readSourceVersion(toolDir);
+}
 /** Copy .js files from a source dir to a dest dir, skipping test files. */
 async function copyJsDir(srcDir, destDir, dryRun) {
     let count = 0;
@@ -64,7 +86,13 @@ async function copyToolFiles(srcRoot, destRoot, dryRun) {
     const srcDist = join(srcRoot, "dist");
     const destDist = join(destRoot, "dist");
     const subDirs = ["commands", "display"];
+    // Replace, don't merge. The previous behavior copied new files over old
+    // ones without removing stale entries — if agent-metrics renames or
+    // removes a file in a future version, the stale file would persist on
+    // disk and shadow the new one. Wipe dist/ before repopulating so the
+    // installed tree matches the source tree exactly.
     if (!dryRun) {
+        await rm(destDist, { recursive: true, force: true });
         await mkdir(destDist, { recursive: true });
         for (const sub of subDirs) {
             await mkdir(join(destDist, sub), { recursive: true });
@@ -74,7 +102,7 @@ async function copyToolFiles(srcRoot, destRoot, dryRun) {
     for (const sub of subDirs) {
         filesCopied += await copyJsDir(join(srcDist, sub), join(destDist, sub), dryRun);
     }
-    // Copy package.json (needed for CLI bin resolution)
+    // Copy package.json (needed for CLI bin resolution and version detection)
     try {
         if (!dryRun) {
             await copyFile(join(srcRoot, "package.json"), join(destRoot, "package.json"));
@@ -92,25 +120,22 @@ async function copyToolFiles(srcRoot, destRoot, dryRun) {
  */
 export async function installMetrics(profile, dryRun) {
     if (!profile.hooks || !profile.paths.toolsDir || !profile.paths.settingsPath) {
-        return { toolFilesCopied: 0, hookConfigured: false, skippedReason: "no-hook-support" };
+        return {
+            toolFilesCopied: 0,
+            hookConfigured: false,
+            hooksInstalledVersion: null,
+            skippedReason: "no-hook-support",
+        };
     }
     const toolDir = profile.paths.toolsDir;
     const settingsPath = profile.paths.settingsPath;
-    const srcRoot = await findMetricsSource();
+    const source = await findMetricsSource();
     let toolFilesCopied = 0;
-    if (srcRoot) {
+    if (source) {
         if (!dryRun) {
             await mkdir(toolDir, { recursive: true });
         }
-        toolFilesCopied = await copyToolFiles(srcRoot, toolDir, dryRun);
-    }
-    else {
-        try {
-            await access(join(toolDir, "dist", "hook.js"));
-        }
-        catch {
-            // Not found anywhere
-        }
+        toolFilesCopied = await copyToolFiles(source.pkgRoot, toolDir, dryRun);
     }
     let hookConfigured = false;
     const hookJsPath = join(toolDir, "dist", "hook.js");
@@ -123,7 +148,12 @@ export async function installMetrics(profile, dryRun) {
     else if (hookJsExists && dryRun) {
         hookConfigured = true;
     }
-    return { toolFilesCopied, hookConfigured };
+    // Prefer the source version (from import.meta.resolve); fall back to reading
+    // the just-copied package.json from the harness tree so the manifest still
+    // records something useful when the source resolution returned null but a
+    // prior install left files behind.
+    const hooksInstalledVersion = source?.version ?? (hookJsExists ? await readInstalledMetricsVersion(toolDir) : null);
+    return { toolFilesCopied, hookConfigured, hooksInstalledVersion };
 }
 /**
  * Uninstall agent-metrics: remove hook and tool files.

package/dist/steps/shell.js

@@ -1,5 +1,8 @@
 import { readFile } from "node:fs/promises";
+import { join } from "node:path";
 import { atomicWrite } from "../lib/atomic-write.js";
+import { backupFile } from "../lib/file-ops.js";
+import { getUluopsDir } from "../lib/paths.js";
 const FENCE_START = "# --- UluOps (managed by @uluops/setup) ---";
 const FENCE_END = "# --- /UluOps ---";
 /** Characters safe for shell variable values (no metacharacters). */
@@ -16,12 +19,15 @@ export async function writeShellExport(profilePath, apiKey, dryRun) {
     }
     catch {
         if (!dryRun) {
-            await atomicWrite(profilePath, block + "\n");
+            await atomicWrite(profilePath, block + "\n", { mode: 0o600 });
         }
         return;
     }
     const startIdx = content.indexOf(FENCE_START);
     const endIdx = content.indexOf(FENCE_END);
+    if (!dryRun) {
+        await backupProfile(profilePath);
+    }
     if (startIdx !== -1 && endIdx !== -1 && endIdx > startIdx) {
         // Replace existing fenced block (use last FENCE_END after FENCE_START to handle duplicates)
         const before = content.slice(0, startIdx);
@@ -48,8 +54,12 @@ export async function removeShellExport(profilePath) {
     const startIdx = content.indexOf(FENCE_START);
     const endIdx = content.indexOf(FENCE_END);
     if (startIdx !== -1 && endIdx !== -1 && endIdx > startIdx) {
+        await backupProfile(profilePath);
         const before = content.slice(0, startIdx);
         const after = content.slice(endIdx + FENCE_END.length);
         await atomicWrite(profilePath, (before + after).replace(/\n{3,}/g, "\n\n"));
     }
 }
+async function backupProfile(profilePath) {
+    await backupFile(profilePath, join(getUluopsDir(), "backups", "shell"));
+}

package/dist/steps/signup.d.ts

@@ -4,7 +4,7 @@ import type { AuthResult } from "./auth.js";
  * but all are non-blocking — server validation is the authority.
  * @internal Exported for testing only — not part of the public API.
  */
-declare function validatePassword(password: string): true;
+declare function hintPassword(password: string): true;
 /** @internal Exported for testing only — not part of the public API. */
 declare function validateEmail(email: string): string | true;
 /**
@@ -13,4 +13,4 @@ declare function validateEmail(email: string): string | true;
  */
 export declare function signup(): Promise<AuthResult>;
 /** @internal Exported for testing only — not part of the public API. */
-export { validatePassword, validateEmail };
+export { hintPassword, validateEmail };

package/dist/steps/signup.js

@@ -4,7 +4,7 @@ const API_BASE = "https://api.uluops.ai/api/v1";
  * but all are non-blocking — server validation is the authority.
  * @internal Exported for testing only — not part of the public API.
  */
-function validatePassword(password) {
+function hintPassword(password) {
     if (password.length < 8)
         console.warn("  ⚠ Hint: server may require at least 8 characters");
     else if (password.length > 128)
@@ -38,25 +38,19 @@ export async function signup() {
     const pwd = await password({
         message: "Password",
         mask: "*",
-        validate: validatePassword,
+        validate: hintPassword,
     });
     // Register
-    const registerRes = await callApi(`${API_BASE}/auth/register`, "POST", { email, password: pwd });
-    if (!registerRes.data?.sessionToken) {
-        throw new Error("Registration succeeded but response missing session token");
-    }
+    const registerRes = await callApi(`${API_BASE}/auth/register`, "POST", { email, password: pwd }, undefined, (res) => !!res.data?.sessionToken && typeof res.data.user?.email === "string");
     const sessionToken = registerRes.data.sessionToken;
     // Create API key using the session
-    const keyRes = await callApi(`${API_BASE}/auth/keys`, "POST", { name: "Setup CLI" }, sessionToken);
-    if (!keyRes.data?.key) {
-        throw new Error("API key creation succeeded but response missing key");
-    }
+    const keyRes = await callApi(`${API_BASE}/auth/keys`, "POST", { name: "Setup CLI" }, sessionToken, (res) => !!res.data?.key);
     return {
         apiKey: keyRes.data.key,
         email: registerRes.data.user?.email ?? email,
     };
 }
-async function callApi(url, method, body, bearerToken) {
+async function callApi(url, method, body, bearerToken, validate) {
     const headers = {
         "Content-Type": "application/json",
     };
@@ -83,6 +77,9 @@ async function callApi(url, method, body, bearerToken) {
         if (typeof body !== "object" || body === null) {
             throw new Error("Unexpected API response shape");
         }
+        if (validate && !validate(body)) {
+            throw new Error("API response failed structural validation");
+        }
         return body;
     }
     // Handle known error codes
@@ -101,4 +98,4 @@ async function callApi(url, method, body, bearerToken) {
     throw new Error(`Signup failed (${res.status}): ${message}`);
 }
 /** @internal Exported for testing only — not part of the public API. */
-export { validatePassword, validateEmail };
+export { hintPassword, validateEmail };

package/dist/steps/verify.js

@@ -1,8 +1,9 @@
-import { readdir, access } from "node:fs/promises";
+import { readdir, access, stat } from "node:fs/promises";
 import { join } from "node:path";
 import { loadManifest } from "../lib/manifest.js";
 import { getHealthTimeout } from "../lib/health.js";
 import { getProfile } from "../harnesses/index.js";
+import { readInstalledMetricsVersion } from "./metrics.js";
 /** Verify a single harness entry, appending results to checks. Returns false if any check fails. */
 async function verifyHarness(harnessName, hm, checks) {
     let allOk = true;
@@ -14,7 +15,24 @@ async function verifyHarness(harnessName, hm, checks) {
         checks.push({ label: `Harness: ${harnessName}`, passed: false, detail: "Unknown harness in manifest" });
         return false;
     }
-    // MCP config
+    // 1. Readiness Check (Harness Restart)
+    try {
+        const configStat = await stat(hm.mcpConfigPath);
+        const installedTime = new Date(hm.installedAt).getTime();
+        const configTime = configStat.mtimeMs;
+        // If config was modified AFTER install, it's a proxy for the harness having read it.
+        // We add a 100ms buffer to handle near-simultaneous writes.
+        const isReady = configTime > (installedTime + 100);
+        checks.push({
+            label: `[${profile.displayName}] Readiness`,
+            passed: true,
+            detail: isReady ? "Active (loaded)" : "Waiting for restart",
+        });
+    }
+    catch {
+        // If we can't stat it, we'll catch the error in the MCP config check below.
+    }
+    // 2. MCP config
     try {
         const config = await profile.mcpConfig.read(hm.mcpConfigPath);
         if (profile.mcpConfig.check(config)) {
@@ -49,14 +67,16 @@ async function verifyHarness(harnessName, hm, checks) {
     // Command files
     if (hm.commands.length > 0) {
         const commandsDir = join(hm.defsPath, "commands");
-        let found = 0;
-        for (const cmd of hm.commands) {
+        const cmdResults = await Promise.all(hm.commands.map(async (cmd) => {
             try {
                 await access(join(commandsDir, cmd));
-                found++;
+                return true;
             }
-            catch { /* Missing */ }
-        }
+            catch {
+                return false;
+            }
+        }));
+        const found = cmdResults.filter(Boolean).length;
         checks.push({
             label: `[${profile.displayName}] ${found}/${hm.commands.length} commands`,
             passed: found === hm.commands.length,
@@ -77,7 +97,26 @@ async function verifyHarness(harnessName, hm, checks) {
             catch { /* Missing */ }
         }
         if (hookPresent && hookFilePresent) {
-            checks.push({ label: `[${profile.displayName}] Agent metrics hook configured`, passed: true });
+            // Existence is necessary but not sufficient — check version drift against the
+            // currently-resolvable agent-metrics. Without this, verify cannot detect that
+            // a fresh setup release is shipping while the installed hook is stale.
+            const installedVersion = profile.paths.toolsDir
+                ? await readInstalledMetricsVersion(profile.paths.toolsDir)
+                : null;
+            const recordedVersion = hm.hooksInstalledVersion ?? null;
+            const detail = installedVersion
+                ? `v${installedVersion}${recordedVersion && recordedVersion !== installedVersion ? ` (manifest records v${recordedVersion} — out of sync)` : ""}`
+                : "version unknown";
+            checks.push({
+                label: `[${profile.displayName}] Agent metrics hook configured`,
+                passed: true,
+                detail,
+            });
+            if (recordedVersion && installedVersion && recordedVersion !== installedVersion) {
+                // Drift between manifest record and on-disk hook copy — not a hard failure
+                // because verify is read-only, but surface it so the user re-runs setup.
+                allOk = false;
+            }
         }
         else {
             const missing = [

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@uluops/setup",
-  "version": "0.4.0",
+  "version": "0.6.3",
   "description": "Zero-friction installer for UluOps agentic harnesses",
-  "license": "SEE LICENSE IN LICENSE",
+  "license": "MIT",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/Uluops/-uluops-setup.git"
@@ -32,6 +32,7 @@
     "dist/lib/**",
     "dist/steps/**",
     "dist/harnesses/**",
+    "dist/commands/**",
     "assets"
   ],
   "engines": {
@@ -46,16 +47,16 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "@inquirer/prompts": "^7.0.0",
-    "@uluops/agent-metrics": "^0.2.0",
-    "chalk": "^5.0.0",
-    "commander": "^12.0.0",
-    "jsonc-parser": "^3.3.1"
+    "@inquirer/prompts": "7.10.1",
+    "@uluops/agent-metrics": "0.4.0",
+    "chalk": "5.6.2",
+    "commander": "12.1.0",
+    "jsonc-parser": "3.3.1"
   },
   "devDependencies": {
-    "@types/node": "^22.0.0",
-    "tsx": "^4.0.0",
-    "typescript": "^5.7.0",
-    "vitest": "^3.0.0"
+    "@types/node": "22.19.15",
+    "tsx": "4.21.0",
+    "typescript": "5.9.3",
+    "vitest": "3.2.4"
   }
 }