@worca/ui 0.35.0 → 0.37.0

package/server/integrations/index.js

@@ -31,10 +31,61 @@ const NO_OP_STUB = {
   status() {
     return { enabled: false };
   },
+  enabledPlatforms() {
+    return [];
+  },
+  async sendOutbound() {
+    return {
+      results: [
+        {
+          platform: '(none)',
+          ok: false,
+          error: 'integrations subsystem disabled',
+        },
+      ],
+    };
+  },
   strictInboxVerification: false,
   secrets: [],
 };
 
+// Chat-capable adapter names. `webhook_out` is excluded — it's an
+// event-fan-out destination, not a chat platform users can address by name.
+const CHAT_PLATFORMS = ['telegram', 'discord', 'slack'];
+
+/**
+ * Strip credentials from adapter error messages before surfacing them
+ * through sendOutbound results. Adapters' underlying `fetch` failures
+ * frequently embed the full request URL (including bot tokens for
+ * Telegram and webhook secrets for Slack/Discord) in the error text;
+ * one redaction pattern per known shape.
+ *
+ * Patterns covered:
+ *   - Telegram bot URL token:          `bot<digits>:<token>`
+ *   - Slack incoming-webhook URL:      `hooks.slack.com/services/T…/B…/<24>`
+ *   - Discord webhook URL:             `discord(app)?.com/api/webhooks/<id>/<token>`
+ *   - Slack OAuth tokens:              `xox[abprs]-<token>`
+ *
+ * Exported for tests; the per-platform error path in sendOutbound is the
+ * sole production caller today.
+ *
+ * @param {unknown} input
+ * @returns {string}
+ */
+export function redactSecrets(input) {
+  return String(input)
+    .replace(/bot\d+:[A-Za-z0-9_-]+/g, 'bot<redacted>')
+    .replace(
+      /hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/g,
+      'hooks.slack.com/services/<redacted>',
+    )
+    .replace(
+      /discord(?:app)?\.com\/api\/webhooks\/\d+\/[A-Za-z0-9_-]+/g,
+      'discord.com/api/webhooks/<redacted>',
+    )
+    .replace(/xox[abprs]-[A-Za-z0-9-]+/g, 'xox<redacted>');
+}
+
 /**
  * @param {{
  *   port: number,
@@ -195,6 +246,116 @@ export function createIntegrations({
     }
   }
 
+  /**
+   * Names of chat-capable adapters currently booted (enabled in config and
+   * successfully constructed). Drives the worca-notify skill's default
+   * fan-out target list. Excludes webhook_out (not a chat platform).
+   * @returns {string[]}
+   */
+  function enabledPlatforms() {
+    return [...adapterMap.keys()].filter((n) => CHAT_PLATFORMS.includes(n));
+  }
+
+  /**
+   * Send a NormalizedMessage to one or more chat platforms through the same
+   * allowlist + rate-limiter pipeline as pipeline-event fan-out. Used by the
+   * POST /api/integrations/send route (which the worca-notify skill calls).
+   *
+   * Per-platform failures are returned as individual result entries, never
+   * thrown — the caller decides whether a partial success is acceptable. The
+   * overall promise rejects only for caller-error inputs (invalid message).
+   *
+   * @param {{
+   *   platforms?: string[],
+   *   message: import('./adapter.js').NormalizedMessage,
+   *   chatIdOverride?: string,
+   * }} opts
+   * @returns {Promise<{results: Array<{platform: string, ok: boolean, error?: string}>}>}
+   */
+  async function sendOutbound({ platforms, message, chatIdOverride }) {
+    if (!message || typeof message !== 'object') {
+      throw new Error('message must be an object');
+    }
+    if (!Array.isArray(message.body)) {
+      throw new Error('message.body must be an array of segments');
+    }
+    if (
+      chatIdOverride !== undefined &&
+      chatIdOverride !== null &&
+      typeof chatIdOverride !== 'string' &&
+      typeof chatIdOverride !== 'number'
+    ) {
+      throw new Error('chat_id must be a string or number');
+    }
+
+    const targets =
+      Array.isArray(platforms) && platforms.length > 0
+        ? platforms
+        : enabledPlatforms();
+
+    const results = [];
+    for (const name of targets) {
+      const entry = adapterMap.get(name);
+      if (!entry) {
+        results.push({
+          platform: name,
+          ok: false,
+          error: CHAT_PLATFORMS.includes(name)
+            ? 'platform not enabled or not configured'
+            : 'unknown platform',
+        });
+        continue;
+      }
+
+      const chatId =
+        chatIdOverride !== undefined && chatIdOverride !== null
+          ? String(chatIdOverride)
+          : String(
+              entry.adapterCfg.chat_id ?? entry.adapterCfg.channel_id ?? '',
+            );
+
+      if (!chatId) {
+        results.push({
+          platform: name,
+          ok: false,
+          error: 'no chat_id configured for this platform',
+        });
+        continue;
+      }
+
+      if (!allowlist.isAllowed({ platform: name, chatId })) {
+        results.push({
+          platform: name,
+          ok: false,
+          error: 'chat_id not in allowlist',
+        });
+        continue;
+      }
+
+      try {
+        const rl = rateLimiters.get(name);
+        const sendFn = (m) => entry.adapter.send(chatId, m);
+        if (rl) {
+          await rl.send(message, sendFn);
+        } else {
+          await sendFn(message);
+        }
+        results.push({ platform: name, ok: true });
+      } catch (err) {
+        // Strip credentials from the error before surfacing — adapters'
+        // fetch failures can echo full request URLs that embed bot tokens
+        // (Telegram), webhook secrets (Slack/Discord), or OAuth tokens.
+        results.push({
+          platform: name,
+          ok: false,
+          error: redactSecrets(err?.message ?? err),
+        });
+      }
+    }
+
+    return { results };
+  }
+
   function onEvent(stored) {
     const rawBody = stored[RAW_BODY];
     const sigHeader = stored.headers?.['x-worca-signature'];
@@ -276,6 +437,8 @@ export function createIntegrations({
     status,
     reloadAdapter,
     removeAdapter,
+    enabledPlatforms,
+    sendOutbound,
     /** @internal — used by detect endpoint to pause/resume adapter */
     _getAdapter: (name) => adapterMap.get(name) ?? null,
     strictInboxVerification: cfg.strict_inbox_verification ?? false,

package/server/project-routes.js

@@ -76,7 +76,9 @@ function validateRunId(runId) {
 // worktree runs registered in <worcaDir>/multi/pipelines.d/.
 import {
   findRunStatusPath,
+  listPlanIterations,
   readPipelineOverlay,
+  resolveRunDir,
   updatePipelineStatus,
 } from './run-dir-resolver.js';
 export { findRunStatusPath };
@@ -783,25 +785,77 @@ export function createProjectScopedRoutes({
     }
   });
 
-  // GET /api/projects/:projectId/runs/:runId/plan — per-run plan markdown
+  // GET /api/projects/:projectId/runs/:runId/plan-iterations — list the
+  // append-only numbered plan revisions (W-061). plan-001 is the original
+  // input; each plan_review revision appends the next number. Returns
+  // `{ ok, iterations: [{n, file}], latest }` (empty list for pre-W-061 runs).
+  router.get('/runs/:runId/plan-iterations', requireWorcaDir, (req, res) => {
+    const { runId } = req.params;
+    if (!validateRunId(runId)) {
+      return res.status(400).json({ ok: false, error: 'Invalid runId' });
+    }
+    const { worcaDir } = req.project;
+    const runDir = resolveRunDir(worcaDir, runId);
+    const iterations = listPlanIterations(runDir);
+    const latest = iterations.length
+      ? iterations[iterations.length - 1].n
+      : null;
+    return res.json({
+      ok: true,
+      iterations: iterations.map((it) => ({ n: it.n, file: it.file })),
+      latest,
+    });
+  });
+
+  // GET /api/projects/:projectId/runs/:runId/plan — plan markdown.
   //
-  // Returns the markdown content of the run's plan file. Two sources, in
-  // priority order:
+  // W-061: prefers the run dir's numbered plan iterations (plan-NNN.md) and
+  // serves the latest by default, or a specific one via `?iteration=N`. Falls
+  // back, for pre-W-061 runs, to:
   //   1. stages.plan.plan_file — set by workspace children that received a
-  //      pre-built per-repo plan from the workspace planner. May point at
-  //      an absolute path under the workspace run dir.
+  //      pre-built per-repo plan from the workspace planner.
   //   2. <worktree>/MASTER_PLAN.md — generated by a standalone pipeline's
-  //      own PLAN stage. status.json doesn't always carry the path so we
-  //      reconstruct it from the worktree.
+  //      own PLAN stage.
   //
-  // Returns 404 when neither path exists / is readable. Replies in
-  // text/markdown so the client just streams it into the dialog body.
+  // Returns 404 when nothing is readable. Replies in text/markdown so the
+  // client just streams it into the dialog body.
   router.get('/runs/:runId/plan', requireWorcaDir, (req, res) => {
     const { runId } = req.params;
     if (!validateRunId(runId)) {
       return res.status(400).json({ ok: false, error: 'Invalid runId' });
     }
     const { worcaDir } = req.project;
+
+    // W-061: numbered plan iterations are the authoritative source.
+    const runDir = resolveRunDir(worcaDir, runId);
+    const iterations = listPlanIterations(runDir);
+    if (iterations.length > 0) {
+      let chosen;
+      const wantRaw = req.query.iteration;
+      if (wantRaw !== undefined) {
+        const want = Number.parseInt(wantRaw, 10);
+        chosen = iterations.find((it) => it.n === want);
+        if (!chosen) {
+          return res
+            .status(404)
+            .json({ ok: false, error: `Plan iteration ${wantRaw} not found` });
+        }
+      } else {
+        chosen = iterations[iterations.length - 1]; // latest = current plan
+      }
+      try {
+        res.setHeader('Content-Type', 'text/markdown; charset=utf-8');
+        res.send(readFileSync(chosen.path, 'utf8'));
+        return;
+      } catch (err) {
+        return res.status(500).json({
+          ok: false,
+          error: `Failed to read plan file: ${err.message}`,
+        });
+      }
+    }
+
+    // Legacy fallback (pre-W-061 runs with no numbered plan files).
     const statusPath = findRunStatusPath(worcaDir, runId);
     if (!statusPath) {
       return res
@@ -817,10 +871,6 @@ export function createProjectScopedRoutes({
         .json({ ok: false, error: `Failed to read status: ${err.message}` });
     }
     const planFile = status?.stages?.plan?.plan_file ?? null;
-    // `status.worktree` is a boolean flag (true when the run is hosted in a
-    // worktree), not a path. The actual worktree path lives in the
-    // pipelines.d registry entry. Walk it via the overlay so we can offer
-    // the MASTER_PLAN.md fallback even when stage.plan_file isn't set.
     const overlay = readPipelineOverlay(worcaDir, runId);
     const worktreePath =
       typeof overlay?.worktree_path === 'string' ? overlay.worktree_path : null;

package/server/run-dir-resolver.js

@@ -13,9 +13,45 @@
  *   3. `<worcaDir>/multi/pipelines.d/<runId>.json` → `<worktree_path>/.worca/runs/<runId>/`
  */
 
-import { existsSync, readFileSync, renameSync, writeFileSync } from 'node:fs';
+import {
+  existsSync,
+  readdirSync,
+  readFileSync,
+  renameSync,
+  writeFileSync,
+} from 'node:fs';
 import { join } from 'node:path';
 
+// W-061: plans are stored in the run dir as append-only numbered files
+// (plan-001.md, plan-002.md, …). plan-001 is the original input — the ingested
+// copy for a provided plan, or the Planner's first draft. Each plan_review
+// revision appends the next number; the highest number is the current plan.
+const PLAN_ITERATION_RE = /^plan-(\d{3})\.md$/;
+
+/**
+ * List the numbered plan iterations in a run dir, ascending by number.
+ * @param {string|null} runDir - absolute path to the run dir
+ * @returns {Array<{n:number,file:string,path:string}>} ascending by n; [] if none
+ */
+export function listPlanIterations(runDir) {
+  if (!runDir || !existsSync(runDir)) return [];
+  let files;
+  try {
+    files = readdirSync(runDir);
+  } catch {
+    return [];
+  }
+  return files
+    .map((f) => {
+      const m = f.match(PLAN_ITERATION_RE);
+      return m
+        ? { n: Number.parseInt(m[1], 10), file: f, path: join(runDir, f) }
+        : null;
+    })
+    .filter((it) => it !== null)
+    .sort((a, b) => a.n - b.n);
+}
+
 /**
  * Resolve a runId to its on-disk run directory.
  * @param {string} worcaDir - the parent project's .worca directory

package/server/settings-validator.js

@@ -25,6 +25,8 @@ const VALID_EFFORT_RUNGS = ['low', 'medium', 'high', 'xhigh', 'max'];
 const VALID_AUTO_MODES = ['disabled', 'reactive', 'adaptive'];
 const VALID_EFFORT_KEYS = ['auto_mode', 'auto_cap'];
 const VALID_MILESTONES = ['plan_approval', 'pr_approval', 'deploy_approval'];
+const VALID_PLAN_REVIEW_MODES = ['review', 'review_and_edit'];
+const VALID_PLAN_REVIEW_ENFORCE = ['auto', 'review', 'review_and_edit'];
 const VALID_GUARDS = [
   'block_rm_rf',
   'block_env_write',
@@ -176,6 +178,16 @@ export function validateSettingsPayload(body, options = {}) {
             if (cfg.agent !== undefined && !VALID_AGENTS.includes(cfg.agent)) {
               details.push(`Invalid agent "${cfg.agent}" for stage "${name}"`);
             }
+            if (name === 'plan_review' && cfg.mode !== undefined) {
+              if (
+                typeof cfg.mode !== 'string' ||
+                !VALID_PLAN_REVIEW_MODES.includes(cfg.mode)
+              ) {
+                details.push(
+                  `stages.plan_review.mode must be one of: ${VALID_PLAN_REVIEW_MODES.join(', ')}`,
+                );
+              }
+            }
           }
         }
       }
@@ -407,6 +419,16 @@ export function validateSettingsPayload(body, options = {}) {
         details.push('worca.governance must be an object');
       } else {
         const g = w.governance;
+        if (g.plan_review_enforce !== undefined) {
+          if (
+            typeof g.plan_review_enforce !== 'string' ||
+            !VALID_PLAN_REVIEW_ENFORCE.includes(g.plan_review_enforce)
+          ) {
+            details.push(
+              `governance.plan_review_enforce must be one of: ${VALID_PLAN_REVIEW_ENFORCE.join(', ')}`,
+            );
+          }
+        }
         if (g.guards !== undefined) {
           if (
             typeof g.guards !== 'object' ||