@venturewild/workspace 0.3.5 → 0.3.7

package/server/src/session-reporter.mjs

@@ -1,201 +1,201 @@
-// SessionReporter — the proactive, consented "is this user okay?" feed.
-//
-// WHY: the get-in path is self-serve, but if a real user gets stuck or their
-// install breaks, we were blind unless they ran `operator enable` and messaged
-// us — which makes us a bottleneck (docs/user-experience.md §5). This forwards a
-// LIVE, REDACTED stream of session events + install health to bmo-sync, keyed by
-// account, established at first load — so a stuck/broken user is never invisible
-// and never has to ask.
-//
-// PRIVACY — the load-bearing boundary: this feed carries WHAT happened (a turn
-// ran, tool X fired, an error, token/cost), NEVER the words. Chat text, tool
-// inputs, file contents, and paths are reduced to lengths/counts before anything
-// leaves the machine. Conversation *content* is a separate, separately-consented
-// channel (transcript.mjs). `redactEvent` is an ALLOWLIST projection — any event
-// type we don't explicitly model forwards only `{type}`, so a new event can
-// never leak by default. The matching test asserts a secret typed into a chat
-// turn never appears in the payload.
-//
-// Modeled on error-reporter.mjs (fire-and-forget, rate-limited, disable-able).
-// Gated by BOTH consent (user toggle) AND the shared WILD_WORKSPACE_NO_TELEMETRY
-// kill switch; inert without an accountToken (can't key it) or on a localhost
-// bmo-sync URL (dev).
-
-import os from 'node:os';
-import { APP_VERSION } from './config.mjs';
-
-function sanitizeUsage(u) {
-  if (!u || typeof u !== 'object') return null;
-  const out = {
-    input_tokens: Number(u.input_tokens) || 0,
-    output_tokens: Number(u.output_tokens) || 0,
-  };
-  if (typeof u.cost_usd === 'number') out.cost_usd = u.cost_usd;
-  return out;
-}
-
-/**
- * Project one ActivityBus event to a SAFE shape. Allowlist by type; anything not
- * listed forwards only {type, ts, id}. NEVER returns chat text, tool inputs,
- * file paths, or file contents.
- */
-export function redactEvent(ev) {
-  if (!ev || typeof ev !== 'object') return null;
-  const base = { type: ev.type, ts: ev.ts, id: ev.id };
-  if (ev.messageId) base.messageId = ev.messageId;
-  switch (ev.type) {
-    case 'chat-user':
-      // The user's prompt — length only, never the words.
-      return { ...base, textLen: typeof ev.text === 'string' ? ev.text.length : 0 };
-    case 'chat-stream': {
-      const c = ev.chunk || {};
-      const safe = { ...base, chunkType: c.type };
-      if (c.type === 'text' && typeof c.text === 'string') safe.textLen = c.text.length;
-      // tool NAME is safe ("Edit", "Bash"); the tool INPUT is not — never forward it.
-      if (c.type === 'tool-use') safe.tool = typeof c.name === 'string' ? c.name : c.tool || null;
-      if (c.type === 'usage' && c.usage) safe.usage = sanitizeUsage(c.usage);
-      if (c.type === 'error') safe.hasError = true; // the flag, not the message
-      return safe;
-    }
-    case 'usage':
-      return { ...base, usage: sanitizeUsage(ev.usage) };
-    case 'chat-end':
-      return { ...base, code: ev.code };
-    case 'identity-changed':
-      return { ...base, tone: ev.tone || null }; // tone only; drop the agent's name
-    case 'onboarded':
-      return { ...base, at: ev.at || null };
-    case 'agent-changed':
-      return { ...base, agentId: ev.agentId || null };
-    case 'daemon-status':
-      return { ...base, status: ev.status || null };
-    case 'operator-action':
-      return { ...base, action: ev.action || null }; // action verb, not its detail
-    case 'inbox-change':
-      return { ...base, count: Array.isArray(ev.snapshot) ? ev.snapshot.length : undefined };
-    case 'presence-join':
-    case 'presence-leave':
-    case 'presence-focus':
-      // sessionId + role are safe; `focus` can be a file path → dropped.
-      return { ...base, sessionId: ev.sessionId, role: ev.role };
-    default:
-      // Unknown event → minimal envelope only. Privacy fails CLOSED.
-      return { type: ev.type, ts: ev.ts, id: ev.id };
-  }
-}
-
-const FLUSH_INTERVAL_MS = 15_000; // batch window
-const MAX_BATCH = 50; //            flush early once this many buffer
-const MAX_BUFFER = 500; //          hard cap — drop oldest beyond this
-
-export class SessionReporter {
-  constructor({
-    bmoSyncUrl,
-    accountToken,
-    slug = null,
-    workspaceId = 'workspace',
-    sessionId = null,
-    enabled = true,
-    endpointPath = '/api/telemetry',
-    flushIntervalMs = FLUSH_INTERVAL_MS,
-    maxBatch = MAX_BATCH,
-    fetchImpl = (...a) => globalThis.fetch(...a),
-    nowImpl = () => Date.now(),
-  } = {}) {
-    this.bmoSyncUrl = bmoSyncUrl ? bmoSyncUrl.replace(/\/$/, '') : null;
-    this.accountToken = accountToken || null;
-    this.slug = slug;
-    this.workspaceId = workspaceId;
-    this.sessionId = sessionId;
-    this.endpointPath = endpointPath;
-    this.flushIntervalMs = flushIntervalMs;
-    this.maxBatch = maxBatch;
-    this.fetchImpl = fetchImpl;
-    this.nowImpl = nowImpl;
-    this.buffer = [];
-    this.timer = null;
-    // Inert without a token, without a server, or on localhost (dev).
-    this._capable =
-      Boolean(this.accountToken) &&
-      Boolean(this.bmoSyncUrl) &&
-      !this.bmoSyncUrl.startsWith('http://127') &&
-      !this.bmoSyncUrl.startsWith('http://localhost');
-    this.enabled = enabled !== false && this._capable;
-  }
-
-  /** Live consent toggle — no restart needed when the user flips observability. */
-  setEnabled(on) {
-    this.enabled = Boolean(on) && this._capable;
-    if (!this.enabled) this.buffer = [];
-  }
-
-  /** Feed one ActivityBus event. Redacts + buffers; flushes on size. No-op when off. */
-  ingest(ev) {
-    if (!this.enabled) return;
-    const safe = redactEvent(ev);
-    if (!safe) return;
-    this.buffer.push(safe);
-    if (this.buffer.length > MAX_BUFFER) this.buffer.splice(0, this.buffer.length - MAX_BUFFER);
-    if (this.buffer.length >= this.maxBatch) this.flush();
-  }
-
-  /** POST the install-health snapshot alongside events (called by the supervisor path too). */
-  envelope(events, extra = {}) {
-    return {
-      account_token: this.accountToken,
-      slug: this.slug,
-      workspace_id: this.workspaceId,
-      session_id: this.sessionId,
-      app_version: APP_VERSION,
-      os: `${os.platform()}-${os.arch()}`,
-      sent_at: Math.floor(this.nowImpl() / 1000),
-      events,
-      ...extra,
-    };
-  }
-
-  /** Fire-and-forget flush of the current buffer. Never throws. */
-  flush() {
-    if (!this.enabled || !this.buffer.length) return;
-    const events = this.buffer;
-    this.buffer = [];
-    this._post(this.envelope(events));
-  }
-
-  _post(body) {
-    const url = `${this.bmoSyncUrl}${this.endpointPath}`;
-    const ctrl = new AbortController();
-    const timer = setTimeout(() => ctrl.abort(), 5000);
-    if (timer.unref) timer.unref();
-    let p;
-    try {
-      // Call synchronously so the request is observable without awaiting a tick.
-      p = this.fetchImpl(url, {
-        method: 'POST',
-        headers: { 'content-type': 'application/json' },
-        body: JSON.stringify(body),
-        signal: ctrl.signal,
-      });
-    } catch {
-      clearTimeout(timer);
-      return; // telemetry must never break the user's path
-    }
-    Promise.resolve(p)
-      .catch(() => {})
-      .finally(() => clearTimeout(timer));
-  }
-
-  start() {
-    if (this.timer || !this._capable) return;
-    this.timer = setInterval(() => this.flush(), this.flushIntervalMs);
-    if (this.timer.unref) this.timer.unref(); // never keep the process alive
-  }
-
-  stop() {
-    if (this.timer) {
-      clearInterval(this.timer);
-      this.timer = null;
-    }
-    this.flush();
-  }
-}
+// SessionReporter — the proactive, consented "is this user okay?" feed.
+//
+// WHY: the get-in path is self-serve, but if a real user gets stuck or their
+// install breaks, we were blind unless they ran `operator enable` and messaged
+// us — which makes us a bottleneck (docs/user-experience.md §5). This forwards a
+// LIVE, REDACTED stream of session events + install health to bmo-sync, keyed by
+// account, established at first load — so a stuck/broken user is never invisible
+// and never has to ask.
+//
+// PRIVACY — the load-bearing boundary: this feed carries WHAT happened (a turn
+// ran, tool X fired, an error, token/cost), NEVER the words. Chat text, tool
+// inputs, file contents, and paths are reduced to lengths/counts before anything
+// leaves the machine. Conversation *content* is a separate, separately-consented
+// channel (transcript.mjs). `redactEvent` is an ALLOWLIST projection — any event
+// type we don't explicitly model forwards only `{type}`, so a new event can
+// never leak by default. The matching test asserts a secret typed into a chat
+// turn never appears in the payload.
+//
+// Modeled on error-reporter.mjs (fire-and-forget, rate-limited, disable-able).
+// Gated by BOTH consent (user toggle) AND the shared WILD_WORKSPACE_NO_TELEMETRY
+// kill switch; inert without an accountToken (can't key it) or on a localhost
+// bmo-sync URL (dev).
+
+import os from 'node:os';
+import { APP_VERSION } from './config.mjs';
+
+function sanitizeUsage(u) {
+  if (!u || typeof u !== 'object') return null;
+  const out = {
+    input_tokens: Number(u.input_tokens) || 0,
+    output_tokens: Number(u.output_tokens) || 0,
+  };
+  if (typeof u.cost_usd === 'number') out.cost_usd = u.cost_usd;
+  return out;
+}
+
+/**
+ * Project one ActivityBus event to a SAFE shape. Allowlist by type; anything not
+ * listed forwards only {type, ts, id}. NEVER returns chat text, tool inputs,
+ * file paths, or file contents.
+ */
+export function redactEvent(ev) {
+  if (!ev || typeof ev !== 'object') return null;
+  const base = { type: ev.type, ts: ev.ts, id: ev.id };
+  if (ev.messageId) base.messageId = ev.messageId;
+  switch (ev.type) {
+    case 'chat-user':
+      // The user's prompt — length only, never the words.
+      return { ...base, textLen: typeof ev.text === 'string' ? ev.text.length : 0 };
+    case 'chat-stream': {
+      const c = ev.chunk || {};
+      const safe = { ...base, chunkType: c.type };
+      if (c.type === 'text' && typeof c.text === 'string') safe.textLen = c.text.length;
+      // tool NAME is safe ("Edit", "Bash"); the tool INPUT is not — never forward it.
+      if (c.type === 'tool-use') safe.tool = typeof c.name === 'string' ? c.name : c.tool || null;
+      if (c.type === 'usage' && c.usage) safe.usage = sanitizeUsage(c.usage);
+      if (c.type === 'error') safe.hasError = true; // the flag, not the message
+      return safe;
+    }
+    case 'usage':
+      return { ...base, usage: sanitizeUsage(ev.usage) };
+    case 'chat-end':
+      return { ...base, code: ev.code };
+    case 'identity-changed':
+      return { ...base, tone: ev.tone || null }; // tone only; drop the agent's name
+    case 'onboarded':
+      return { ...base, at: ev.at || null };
+    case 'agent-changed':
+      return { ...base, agentId: ev.agentId || null };
+    case 'daemon-status':
+      return { ...base, status: ev.status || null };
+    case 'operator-action':
+      return { ...base, action: ev.action || null }; // action verb, not its detail
+    case 'inbox-change':
+      return { ...base, count: Array.isArray(ev.snapshot) ? ev.snapshot.length : undefined };
+    case 'presence-join':
+    case 'presence-leave':
+    case 'presence-focus':
+      // sessionId + role are safe; `focus` can be a file path → dropped.
+      return { ...base, sessionId: ev.sessionId, role: ev.role };
+    default:
+      // Unknown event → minimal envelope only. Privacy fails CLOSED.
+      return { type: ev.type, ts: ev.ts, id: ev.id };
+  }
+}
+
+const FLUSH_INTERVAL_MS = 15_000; // batch window
+const MAX_BATCH = 50; //            flush early once this many buffer
+const MAX_BUFFER = 500; //          hard cap — drop oldest beyond this
+
+export class SessionReporter {
+  constructor({
+    bmoSyncUrl,
+    accountToken,
+    slug = null,
+    workspaceId = 'workspace',
+    sessionId = null,
+    enabled = true,
+    endpointPath = '/api/telemetry',
+    flushIntervalMs = FLUSH_INTERVAL_MS,
+    maxBatch = MAX_BATCH,
+    fetchImpl = (...a) => globalThis.fetch(...a),
+    nowImpl = () => Date.now(),
+  } = {}) {
+    this.bmoSyncUrl = bmoSyncUrl ? bmoSyncUrl.replace(/\/$/, '') : null;
+    this.accountToken = accountToken || null;
+    this.slug = slug;
+    this.workspaceId = workspaceId;
+    this.sessionId = sessionId;
+    this.endpointPath = endpointPath;
+    this.flushIntervalMs = flushIntervalMs;
+    this.maxBatch = maxBatch;
+    this.fetchImpl = fetchImpl;
+    this.nowImpl = nowImpl;
+    this.buffer = [];
+    this.timer = null;
+    // Inert without a token, without a server, or on localhost (dev).
+    this._capable =
+      Boolean(this.accountToken) &&
+      Boolean(this.bmoSyncUrl) &&
+      !this.bmoSyncUrl.startsWith('http://127') &&
+      !this.bmoSyncUrl.startsWith('http://localhost');
+    this.enabled = enabled !== false && this._capable;
+  }
+
+  /** Live consent toggle — no restart needed when the user flips observability. */
+  setEnabled(on) {
+    this.enabled = Boolean(on) && this._capable;
+    if (!this.enabled) this.buffer = [];
+  }
+
+  /** Feed one ActivityBus event. Redacts + buffers; flushes on size. No-op when off. */
+  ingest(ev) {
+    if (!this.enabled) return;
+    const safe = redactEvent(ev);
+    if (!safe) return;
+    this.buffer.push(safe);
+    if (this.buffer.length > MAX_BUFFER) this.buffer.splice(0, this.buffer.length - MAX_BUFFER);
+    if (this.buffer.length >= this.maxBatch) this.flush();
+  }
+
+  /** POST the install-health snapshot alongside events (called by the supervisor path too). */
+  envelope(events, extra = {}) {
+    return {
+      account_token: this.accountToken,
+      slug: this.slug,
+      workspace_id: this.workspaceId,
+      session_id: this.sessionId,
+      app_version: APP_VERSION,
+      os: `${os.platform()}-${os.arch()}`,
+      sent_at: Math.floor(this.nowImpl() / 1000),
+      events,
+      ...extra,
+    };
+  }
+
+  /** Fire-and-forget flush of the current buffer. Never throws. */
+  flush() {
+    if (!this.enabled || !this.buffer.length) return;
+    const events = this.buffer;
+    this.buffer = [];
+    this._post(this.envelope(events));
+  }
+
+  _post(body) {
+    const url = `${this.bmoSyncUrl}${this.endpointPath}`;
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), 5000);
+    if (timer.unref) timer.unref();
+    let p;
+    try {
+      // Call synchronously so the request is observable without awaiting a tick.
+      p = this.fetchImpl(url, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify(body),
+        signal: ctrl.signal,
+      });
+    } catch {
+      clearTimeout(timer);
+      return; // telemetry must never break the user's path
+    }
+    Promise.resolve(p)
+      .catch(() => {})
+      .finally(() => clearTimeout(timer));
+  }
+
+  start() {
+    if (this.timer || !this._capable) return;
+    this.timer = setInterval(() => this.flush(), this.flushIntervalMs);
+    if (this.timer.unref) this.timer.unref(); // never keep the process alive
+  }
+
+  stop() {
+    if (this.timer) {
+      clearInterval(this.timer);
+      this.timer = null;
+    }
+    this.flush();
+  }
+}

package/server/src/settings.mjs

@@ -0,0 +1,145 @@
+// Settings store + the autonomy-dial resolver (§8 "Surface B"). Two things live here:
+//   1. resolveAutonomyMode() — the SAFETY-CRITICAL mapping from the user-facing
+//      autonomy level to the agent's permission mode. This is the guardrail.
+//   2. createSettings() — a file-backed store under ~/.wild-workspace/settings/ for
+//      the autonomy level + the conversation title (/rename override of the derived
+//      presence label). CLAUDE.md #1: never the synced repo, never localStorage.
+//
+// THE AUTONOMY DIAL — and why the middle tier is "coming soon", not built (read this):
+//
+//   The §8 build-risk is explicit: "Work, then show me" is NOT one native flag. It is
+//   acceptEdits PLUS our own confirm-gate on dangerous non-edit ops (deploy/delete/
+//   send/spend). A TRUE inline confirm-gate needs to intercept a tool call mid-turn,
+//   round-trip a confirmation to the browser, and resume — which our architecture
+//   can't do cleanly tonight: we wrap `claude -p` per turn (AR-17: no Agent SDK, so no
+//   `canUseTool` callback), and headless `-p` has no interactive permission prompt, so
+//   `default`/`acceptEdits` modes can't "ask" — they just deny. Building that
+//   round-trip is a real piece of infra, not a flag.
+//
+//   So per the pre-approved fallback we ship only the TWO UNAMBIGUOUS tiers and leave
+//   the middle DISABLED ("coming soon"):
+//     • 'check' (Check with me) → 'plan'  — read-only; the agent proposes, you approve.
+//     • 'full'  (Full autonomy) → honors the Build/Plan toggle (Build → bypass).
+//   The middle ('work') and ANY unknown value SAFELY fall back to 'plan' — NEVER
+//   bypassPermissions. That is the guardrail the build-risk warns about: an unbuilt or
+//   unrecognized autonomy level must never silently behave like Full autonomy.
+//
+//   DEFAULT = UNSET. An install with no chosen level keeps today's behavior exactly
+//   (the per-message Build/Plan toggle drives the mode — Build is already bypass). The
+//   dial is purely ADDITIVE: it lets a nervous user LOCK to read-only, which they
+//   couldn't before. We did NOT change the product's existing default, and we did NOT
+//   map the middle tier to Full. (Whether the default SHOULD become a guarded
+//   auto-build once the confirm-gate ships is a product call flagged for Tuan.)
+
+import fs from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+
+// The three user-facing tiers. 'work' is DEFINED (so the UI can render it) but NOT
+// BUILD-BACKED — see resolveAutonomyMode (it falls back to the safe 'plan').
+export const AUTONOMY_LEVELS = ['check', 'work', 'full'];
+// Which tiers a user may actually SELECT today. 'work' is excluded — "coming soon".
+export const SELECTABLE_AUTONOMY = ['check', 'full'];
+
+/**
+ * Map an autonomy level + the per-message Build/Plan toggle to the agent permission
+ * mode buildClaudeArgs understands ('plan' | 'build'). THE GUARDRAIL lives here:
+ *   - unknown / 'work' (middle, not built)  → 'plan'  (read-only — NEVER bypass)
+ *   - 'check'                                → 'plan'  (hard read-only lock)
+ *   - 'full'                                 → honors the toggle (Build → bypass)
+ *   - null/undefined (unset)                 → honors the toggle (today's behavior)
+ * The invariant tested in settings.test.mjs: NOTHING except 'full'/unset+Build ever
+ * yields 'build' (which is the only path to bypassPermissions).
+ */
+export function resolveAutonomyMode(level, requestedMode) {
+  const toggle = requestedMode === 'plan' ? 'plan' : 'build';
+  switch (level) {
+    case 'full':
+      return toggle; //                 Full autonomy → honor the toggle (Build = bypass)
+    case 'check':
+      return 'plan'; //                 Check with me → always read-only propose
+    case null:
+    case undefined:
+    case '':
+      return toggle; //                 unset → unchanged product behavior
+    default:
+      // 'work' (middle, not built) AND any unrecognized value → SAFE read-only.
+      // This is the anti-regression: an unbuilt guardrail never becomes Full.
+      return 'plan';
+  }
+}
+
+function defaultSettingsDir(env = process.env, home = os.homedir()) {
+  const base = env.WILD_WORKSPACE_GLOBAL_DIR || path.join(home, '.wild-workspace');
+  return path.join(base, 'settings');
+}
+
+function readJsonSafe(file, fallback) {
+  try { return JSON.parse(fs.readFileSync(file, 'utf8')); } catch { return fallback; }
+}
+
+const TITLE_CAP = 120;
+
+export function createSettings({ baseDir, env = process.env, home = os.homedir() } = {}) {
+  const dir = baseDir || defaultSettingsDir(env, home);
+  const file = path.join(dir, 'settings.json');
+
+  function read() {
+    const v = readJsonSafe(file, null);
+    return v && typeof v === 'object' ? v : {};
+  }
+
+  function write(patch) {
+    const next = { ...read(), ...patch, ts: Date.now() };
+    try {
+      fs.mkdirSync(dir, { recursive: true });
+      const tmp = `${file}.${process.pid}.tmp`;
+      fs.writeFileSync(tmp, JSON.stringify(next, null, 2));
+      fs.renameSync(tmp, file);
+    } catch { /* read-only fs — degrade to not-persisted */ }
+    return next;
+  }
+
+  // autonomyLevel: 'check' | 'full' | null. We REFUSE to persist 'work' (not
+  // selectable) or any unknown value — storing it would be a latent foot-gun. null
+  // clears back to the unset/default behavior.
+  function getAutonomyLevel() {
+    const lvl = read().autonomyLevel;
+    return SELECTABLE_AUTONOMY.includes(lvl) ? lvl : null;
+  }
+  function setAutonomyLevel(level) {
+    const clean = SELECTABLE_AUTONOMY.includes(level) ? level : null;
+    write({ autonomyLevel: clean });
+    return clean;
+  }
+
+  function getConversationTitle() {
+    const t = read().conversationTitle;
+    return typeof t === 'string' && t.trim() ? t.trim() : null;
+  }
+  function setConversationTitle(title) {
+    const clean = typeof title === 'string' ? title.trim().slice(0, TITLE_CAP) : '';
+    write({ conversationTitle: clean || null });
+    return clean || null;
+  }
+
+  function getAll() {
+    return {
+      autonomyLevel: getAutonomyLevel(),
+      conversationTitle: getConversationTitle(),
+      // Surface what's selectable + which is build-backed, so the UI doesn't hardcode it.
+      autonomy: {
+        levels: AUTONOMY_LEVELS,
+        selectable: SELECTABLE_AUTONOMY,
+        comingSoon: AUTONOMY_LEVELS.filter((l) => !SELECTABLE_AUTONOMY.includes(l)),
+      },
+    };
+  }
+
+  return {
+    dir, file,
+    getAutonomyLevel, setAutonomyLevel,
+    getConversationTitle, setConversationTitle,
+    getAll,
+  };
+}