@valescoagency/runway 0.2.0 → 0.4.0

package/dist/commands/run.js

@@ -2,8 +2,18 @@ import { loadConfig } from "../config.js";
 import { createLinearGateway } from "../linear.js";
 import { createGithubGateway } from "../github.js";
 import { assertSandcastleInitialised, drainQueue, } from "../orchestrator.js";
-function parseRunArgs(argv) {
+export function parseRunArgs(argv) {
     const opts = {};
+    const collectAllow = (raw) => {
+        const paths = raw
+            .split(",")
+            .map((s) => s.trim())
+            .filter(Boolean);
+        if (paths.length === 0) {
+            throw new Error("--allow-paths requires at least one glob");
+        }
+        opts.allowPaths = [...(opts.allowPaths ?? []), ...paths];
+    };
     for (let i = 0; i < argv.length; i += 1) {
         const a = argv[i];
         if (a === "--max" || a === "-n") {
@@ -27,6 +37,16 @@ function parseRunArgs(argv) {
         else if (a?.startsWith("--project=")) {
             opts.project = a.slice("--project=".length);
         }
+        else if (a === "--allow-paths") {
+            const v = argv[i + 1];
+            if (!v)
+                throw new Error("--allow-paths requires a value");
+            collectAllow(v);
+            i += 1;
+        }
+        else if (a?.startsWith("--allow-paths=")) {
+            collectAllow(a.slice("--allow-paths=".length));
+        }
         else if (a === "--help" || a === "-h") {
             printRunUsage();
             process.exit(0);
@@ -45,20 +65,32 @@ USAGE
   runway run [--max N]
 
 OPTIONS
-  --max, -n N     Process at most N issues then exit. Default: drain queue.
+  --max, -n N     Attempt at most N issues then exit (counts every
+                  attempt — success, HITL, or revert-to-Todo).
+                  Default: drain queue.
   --project ID    Scope the queue to a single Linear project under the
                   team. Accepts project UUID, slug, or name. Overrides
                   RUNWAY_LINEAR_PROJECT. Default: team-wide.
+  --allow-paths GLOBS
+                  Comma-separated globs removed from the impl policy's
+                  forbidden-paths list for this invocation only.
+                  Example: --allow-paths='.github/workflows/**' lets
+                  the agent touch CI for issues whose AC require it.
+                  Repeatable; pairs with .runway/policy.yml.
   --help, -h      Show this help.
 
 ENVIRONMENT
   LINEAR_API_KEY              required
   RUNWAY_LINEAR_TEAM          default "VA"
   RUNWAY_LINEAR_PROJECT       optional — scope to one project
+  RUNWAY_BASE_BRANCH          optional — override the auto-detected base
+                              branch (the branch runway diffs against
+                              and targets with PRs). Detected from
+                              origin/HEAD when unset.
   RUNWAY_READY_STATUS         default "Todo"
   RUNWAY_IN_PROGRESS_STATUS   default "In Progress"
   RUNWAY_IN_REVIEW_STATUS     default "In Review"
-  RUNWAY_HITL_LABEL           default "needs-human"
+  RUNWAY_HITL_LABEL           default "ready-for-human"
   RUNWAY_MAX_ITERATIONS       default 5
 `);
 }
@@ -76,6 +108,6 @@ export async function runCommand(argv) {
         ? `team ${config.linearTeam} / project ${config.linearProject}`
         : `team ${config.linearTeam}`;
     console.log(`[runway] draining queue from ${scope} (status="${config.readyStatus}") against ${cwd}`);
-    const result = await drainQueue({ config, linear, github, cwd }, { max: opts.max });
-    console.log(`[runway] done — processed=${result.processed} opened=${result.opened} hitl=${result.hitl} errored=${result.errored}`);
+    const result = await drainQueue({ config, linear, github, cwd }, { max: opts.max, allowPaths: opts.allowPaths });
+    console.log(`[runway] done — attempts=${result.attempts} opened=${result.opened} hitl=${result.hitl} errored=${result.errored}`);
 }

package/dist/commands/upgrade-repo.js

@@ -27,7 +27,9 @@ OPTIONS
                       lines outside the runway templates (manual edits).
   --op-vault=NAME     Override the 1Password vault. By default, upgrade-repo
                       extracts this from the existing .env.schema.
-  --anthropic-item=N  Override the ANTHROPIC_API_KEY item name.
+  --anthropic-item=N  Override the Claude Code credential item name
+                      (i.e. the ANTHROPIC_API_KEY or
+                      CLAUDE_CODE_OAUTH_TOKEN 1Password item).
   --gh-token-item=N   Override the GH_TOKEN item name.
   --help, -h          Show this help.
 
@@ -118,6 +120,7 @@ export async function upgradeRepoCommand(argv) {
         opVault: "placeholder",
         anthropicItem: "placeholder",
         ghTokenItem: "placeholder",
+        authMode: "api-key",
     };
     await preflight(cwd, preflightOpts);
     // Render new file contents in memory.
@@ -165,6 +168,7 @@ export async function upgradeRepoCommand(argv) {
         opVault: resolved?.opVault ?? "placeholder",
         anthropicItem: resolved?.anthropicItem ?? "placeholder",
         ghTokenItem: resolved?.ghTokenItem ?? "placeholder",
+        authMode: resolved?.authMode ?? "api-key",
     };
     await verify(cwd, verifyOpts);
     console.log(`[runway upgrade-repo] done — tier ${tier} scaffold refreshed`);
@@ -180,8 +184,10 @@ function detectTier(cwd) {
     }
     if (existsSync(schemaPath)) {
         const schema = readFileSync(schemaPath, "utf8");
-        // Tier-2 marker: ANTHROPIC_API_KEY uses the varlock shell-call form.
-        const tier2Marker = new RegExp(`ANTHROPIC_API_KEY\\s*=\\s*${execName()}\\(`);
+        // Tier-2 marker: the Claude Code credential (whichever env var
+        // name the user picked at init time) uses the varlock shell-call
+        // form.
+        const tier2Marker = new RegExp(`(ANTHROPIC_API_KEY|CLAUDE_CODE_OAUTH_TOKEN)\\s*=\\s*${execName()}\\(`);
         if (tier2Marker.test(schema)) {
             return 2;
         }
@@ -197,17 +203,29 @@ function execName() {
 // ---------------------------------------------------------------------------
 // op:// extraction
 // ---------------------------------------------------------------------------
-const ANTHROPIC_RE = new RegExp(`^\\s*ANTHROPIC_API_KEY\\s*=\\s*${execName()}\\(\\s*['"]op read "op://([^/"]+)/([^"]+)"['"]\\s*\\)\\s*$`, "m");
+// Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN — capture which
+// it is so upgrade-repo can re-render in the same auth mode.
+const ANTHROPIC_RE = new RegExp(`^\\s*(ANTHROPIC_API_KEY|CLAUDE_CODE_OAUTH_TOKEN)\\s*=\\s*${execName()}\\(\\s*['"]op read "op://([^/"]+)/([^"]+)"['"]\\s*\\)\\s*$`, "m");
 const GH_TOKEN_RE = new RegExp(`^\\s*GH_TOKEN\\s*=\\s*${execName()}\\(\\s*['"]op read "op://([^/"]+)/([^"]+)"['"]\\s*\\)\\s*$`, "m");
 function resolveOpRefs(cwd, opts) {
     const schemaPath = join(cwd, ".env.schema");
     const schema = readFileSync(schemaPath, "utf8");
+    return parseOpRefs(schema, opts);
+}
+/**
+ * Pure schema-string → ResolvedOpRefs parser. Split out from
+ * `resolveOpRefs` so it can be unit-tested without touching the
+ * filesystem. The regex captures + override / vault-mismatch logic
+ * live here; the disk read lives in `resolveOpRefs`.
+ */
+export function parseOpRefs(schema, opts) {
     const anthropicMatch = schema.match(ANTHROPIC_RE);
     const ghTokenMatch = schema.match(GH_TOKEN_RE);
     // Per-field override > extracted > error.
-    const opVault = opts.opVault ?? anthropicMatch?.[1] ?? ghTokenMatch?.[1] ?? null;
-    const anthropicItem = opts.anthropicItem ?? anthropicMatch?.[2] ?? null;
+    const opVault = opts.opVault ?? anthropicMatch?.[2] ?? ghTokenMatch?.[1] ?? null;
+    const anthropicItem = opts.anthropicItem ?? anthropicMatch?.[3] ?? null;
     const ghTokenItem = opts.ghTokenItem ?? ghTokenMatch?.[2] ?? null;
+    const authMode = anthropicMatch?.[1] === "CLAUDE_CODE_OAUTH_TOKEN" ? "oauth" : "api-key";
     if (!opVault || !anthropicItem || !ghTokenItem) {
         throw new Error("could not parse existing .env.schema; pass --op-vault, --anthropic-item, --gh-token-item explicitly to override.");
     }
@@ -217,10 +235,10 @@ function resolveOpRefs(cwd, opts) {
     if (!opts.opVault &&
         anthropicMatch &&
         ghTokenMatch &&
-        anthropicMatch[1] !== ghTokenMatch[1]) {
-        throw new Error(`vault mismatch in .env.schema: ANTHROPIC_API_KEY uses "${anthropicMatch[1]}", GH_TOKEN uses "${ghTokenMatch[1]}". Pass --op-vault to disambiguate.`);
+        anthropicMatch[2] !== ghTokenMatch[1]) {
+        throw new Error(`vault mismatch in .env.schema: ${anthropicMatch[1]} uses "${anthropicMatch[2]}", GH_TOKEN uses "${ghTokenMatch[1]}". Pass --op-vault to disambiguate.`);
     }
-    return { opVault, anthropicItem, ghTokenItem };
+    return { opVault, anthropicItem, ghTokenItem, authMode };
 }
 // ---------------------------------------------------------------------------
 // Render: Dockerfile
@@ -270,15 +288,25 @@ function renderEnvSchema(cwd, resolved) {
     const schemaPath = join(cwd, ".env.schema");
     const before = readFileSync(schemaPath, "utf8");
     const tmpl = readFileSync(join(TEMPLATES_DIR, ".env.schema.target-repo"), "utf8");
+    const anthropicEnvVar = resolved.authMode === "oauth" ? "CLAUDE_CODE_OAUTH_TOKEN" : "ANTHROPIC_API_KEY";
     let body = tmpl
         .replaceAll("{{OP_VAULT}}", resolved.opVault)
         .replaceAll("{{ANTHROPIC_ITEM}}", resolved.anthropicItem)
-        .replaceAll("{{GH_TOKEN_ITEM}}", resolved.ghTokenItem);
-    // Preserve user-added `KEY=<call>(...)` lines for keys other than the two
-    // we own. Match any `KEY = <execName>(` line in the existing schema and
-    // append the whole line if its key isn't ANTHROPIC_API_KEY or GH_TOKEN.
+        .replaceAll("{{GH_TOKEN_ITEM}}", resolved.ghTokenItem)
+        .replaceAll("{{ANTHROPIC_ENV_VAR}}", anthropicEnvVar);
+    // Preserve user-added `KEY=<call>(...)` lines for keys other than the
+    // ones we own. Match any `KEY = <execName>(` line in the existing
+    // schema and append the whole line if its key isn't the active
+    // Claude Code auth var or GH_TOKEN.
     const userExecRe = new RegExp(`^([A-Z_][A-Z0-9_]*)\\s*=\\s*${execName()}\\(`, "gm");
-    const ownedKeys = new Set(["ANTHROPIC_API_KEY", "GH_TOKEN"]);
+    // Both possible auth-mode vars are reserved so a user who switches
+    // modes doesn't end up with the dead one duplicated as a "preserved"
+    // line.
+    const ownedKeys = new Set([
+        "ANTHROPIC_API_KEY",
+        "CLAUDE_CODE_OAUTH_TOKEN",
+        "GH_TOKEN",
+    ]);
     const preservedLines = [];
     for (const match of before.matchAll(userExecRe)) {
         const key = match[1];

package/dist/config.js

@@ -33,10 +33,26 @@ const ConfigSchema = z.object({
      * `--project` CLI flag on `runway run`.
      */
     linearProject: z.string().optional(),
+    /**
+     * Optional. Override the auto-detected base branch — the branch
+     * runway diffs against, opens PRs against, and uses to count
+     * agent-branch commits. Source: `RUNWAY_BASE_BRANCH` env var. When
+     * unset, runway resolves the default branch from `origin/HEAD` at
+     * orchestrator startup. Set this when the repo's default branch is
+     * not on the origin (rare) or when you want to target a release
+     * branch instead.
+     */
+    baseBranch: z.string().optional(),
     readyStatus: z.string().default("Todo"),
     inProgressStatus: z.string().default("In Progress"),
     inReviewStatus: z.string().default("In Review"),
-    hitlLabel: z.string().default("needs-human"),
+    // VA-354: default to the Flightplan canonical state label
+    // `ready-for-human`. The previous default (`needs-human`) doesn't
+    // exist on Flightplan-aligned Linear workspaces (the common case
+    // for Valesco repos), and `linear.applyLabel` failures cascaded
+    // into the substantive rejection reason being lost. Workspaces that
+    // use a different label override via `RUNWAY_HITL_LABEL`.
+    hitlLabel: z.string().default("ready-for-human"),
     maxIterations: z.coerce.number().int().positive().default(5),
 });
 export function loadConfig() {
@@ -45,6 +61,7 @@ export function loadConfig() {
         opServiceAccountToken: process.env.OP_SERVICE_ACCOUNT_TOKEN,
         linearTeam: process.env.RUNWAY_LINEAR_TEAM,
         linearProject: process.env.RUNWAY_LINEAR_PROJECT,
+        baseBranch: process.env.RUNWAY_BASE_BRANCH,
         readyStatus: process.env.RUNWAY_READY_STATUS,
         inProgressStatus: process.env.RUNWAY_IN_PROGRESS_STATUS,
         inReviewStatus: process.env.RUNWAY_IN_REVIEW_STATUS,

package/dist/git.js

@@ -0,0 +1,41 @@
+import { execa } from "execa";
+/**
+ * Resolve the default branch name of the cwd repo. Tries
+ * `git symbolic-ref` against `origin/HEAD` first (fast, works on any
+ * clone where the symbolic ref has been set), then falls back to
+ * `git remote show origin` (slower, hits the network but works on
+ * fresh clones that never had `origin/HEAD` set locally).
+ *
+ * Throws if neither path resolves a branch name — better to fail
+ * fast at orchestrator startup than to crash mid-diff with a stale
+ * "ambiguous argument" git error.
+ */
+export async function detectBaseBranch(repoPath) {
+    // Fast path: local symbolic ref. Returns e.g. `origin/main` or `origin/master`.
+    try {
+        const { stdout, exitCode } = await execa("git", ["symbolic-ref", "--short", "refs/remotes/origin/HEAD"], { cwd: repoPath, reject: false });
+        if (exitCode === 0) {
+            const name = stdout.trim().replace(/^origin\//, "");
+            if (name)
+                return name;
+        }
+    }
+    catch {
+        // fall through to remote-show fallback
+    }
+    // Slow path: ask the remote. Output line looks like `  HEAD branch: master`.
+    try {
+        const { stdout } = await execa("git", ["remote", "show", "origin"], {
+            cwd: repoPath,
+        });
+        const match = stdout.match(/^\s*HEAD branch:\s*(\S+)\s*$/m);
+        if (match?.[1])
+            return match[1];
+    }
+    catch {
+        // fall through to error
+    }
+    throw new Error(`Could not detect the default branch of ${repoPath}. ` +
+        `Set RUNWAY_BASE_BRANCH explicitly, or run ` +
+        `\`git remote set-head origin --auto\` to populate origin/HEAD.`);
+}

package/dist/github.js

@@ -12,13 +12,13 @@ export function createGithubGateway() {
                 stdio: "inherit",
             });
         },
-        async openPullRequest({ repoPath, branch, issue, body }) {
+        async openPullRequest({ repoPath, branch, base, issue, body }) {
             const title = `${issue.identifier}: ${issue.title}`;
             const { stdout } = await execa("gh", [
                 "pr",
                 "create",
                 "--base",
-                "main",
+                base,
                 "--head",
                 branch,
                 "--title",

package/dist/linear.js

@@ -104,3 +104,44 @@ export function createLinearGateway(config) {
         },
     };
 }
+export async function validateLinearConfig(config) {
+    const client = new LinearClient({ apiKey: config.linearApiKey });
+    const teams = await client.teams({
+        filter: { key: { eq: config.linearTeam } },
+    });
+    const team = teams.nodes[0];
+    if (!team) {
+        return {
+            team: { kind: "missing", key: config.linearTeam },
+            readyStatus: { kind: "skipped", reason: "team missing" },
+            inProgressStatus: { kind: "skipped", reason: "team missing" },
+            inReviewStatus: { kind: "skipped", reason: "team missing" },
+            hitlLabel: { kind: "skipped", reason: "team missing" },
+        };
+    }
+    const states = await client.workflowStates({
+        filter: { team: { id: { eq: team.id } } },
+    });
+    const stateNames = states.nodes.map((s) => s.name);
+    const checkState = (want) => stateNames.includes(want)
+        ? { kind: "ok", name: want }
+        : { kind: "missing", name: want, available: stateNames };
+    const labels = await client.issueLabels({
+        filter: { team: { id: { eq: team.id } } },
+    });
+    const labelNames = labels.nodes.map((l) => l.name);
+    const hitlLabel = labelNames.includes(config.hitlLabel)
+        ? { kind: "ok", name: config.hitlLabel }
+        : {
+            kind: "missing",
+            name: config.hitlLabel,
+            available: labelNames.slice(0, 50),
+        };
+    return {
+        team: { kind: "ok", id: team.id },
+        readyStatus: checkState(config.readyStatus),
+        inProgressStatus: checkState(config.inProgressStatus),
+        inReviewStatus: checkState(config.inReviewStatus),
+        hitlLabel,
+    };
+}