@wrongstack/webui 0.8.5 → 0.9.0

package/dist/server/index.js

@@ -135,22 +135,36 @@ function patchConfig(config, updates) {
 }
 
 // src/server/autophase-ws-handler.ts
+import { spawnSync } from "child_process";
 import {
   AutoPhasePlanner,
   PhaseGraphBuilder,
   PhaseOrchestrator,
-  PhaseStore
+  PhaseStore,
+  WorktreeManager
 } from "@wrongstack/core";
+function isGitRepo(cwd) {
+  try {
+    const r = spawnSync("git", ["rev-parse", "--is-inside-work-tree"], { cwd, encoding: "utf8" });
+    return r.status === 0 && r.stdout.trim() === "true";
+  } catch {
+    return false;
+  }
+}
 var AutoPhaseWebSocketHandler = class {
-  constructor(agent, context, logger, storeDir) {
+  constructor(agent, context, logger, storeDir, events, projectRoot) {
     this.agent = agent;
     this.context = context;
     this.logger = logger;
+    this.events = events;
+    this.projectRoot = projectRoot;
     this.store = new PhaseStore({ baseDir: storeDir });
   }
   agent;
   context;
   logger;
+  events;
+  projectRoot;
   orchestrator = null;
   graph = null;
   store;
@@ -158,6 +172,8 @@ var AutoPhaseWebSocketHandler = class {
   broadcastInterval = null;
   /** Aborts in-flight task agents when the run is stopped. */
   abort = null;
+  /** Optional per-phase git-worktree isolation (lazily created at start). */
+  worktrees = null;
   addClient(ws) {
     const client = { ws, id: crypto.randomUUID() };
     this.clients.add(client);
@@ -245,12 +261,15 @@ var AutoPhaseWebSocketHandler = class {
     this.graph = graph;
     this.abort = new AbortController();
     await this.store.save(graph);
+    if (!this.worktrees && this.events && this.projectRoot && process.env["WRONGSTACK_AUTOPHASE_WORKTREES"] !== "0" && isGitRepo(this.projectRoot)) {
+      this.worktrees = new WorktreeManager({ projectRoot: this.projectRoot, events: this.events });
+    }
     this.orchestrator = new PhaseOrchestrator({
       graph,
       ctx: {
-        executeTask: async (task, phaseId) => {
+        executeTask: async (task, phaseId, env) => {
           this.logger.info(`[AutoPhase] [${phaseId}] Executing: ${task.title}`);
-          const result = await this.executeTaskWithAgent(task, phaseId);
+          const result = await this.executeTaskWithAgent(task, phaseId, env);
           this.logger.info(`[AutoPhase] [${phaseId}] Completed: ${task.title}`);
           return result;
         },
@@ -265,10 +284,13 @@ var AutoPhaseWebSocketHandler = class {
           this.broadcastState();
         }
       },
+      worktrees: this.worktrees ?? void 0,
       autonomous,
+      // Must stay 1: phase tasks run on the single shared context whose cwd we
+      // swap per phase, so parallel phases would race on context.cwd.
       maxConcurrentPhases: 1,
       // Sequential within a phase: each todo is a full-tool agent editing the
-      // shared working tree, so running two at once risks concurrent writes.
+      // phase worktree, so running two at once risks concurrent writes.
       maxConcurrentTasks: 1
     });
     this.startBroadcast();
@@ -320,7 +342,7 @@ var AutoPhaseWebSocketHandler = class {
     }
     return this.defaultPhases();
   }
-  async executeTaskWithAgent(task, phaseId) {
+  async executeTaskWithAgent(task, phaseId, env) {
     const prompt = `Execute task: ${task.title}
 
 Description: ${task.description}
@@ -328,8 +350,13 @@ Phase: ${phaseId}
 Priority: ${task.priority}
 Type: ${task.type}`;
     const signal = this.abort?.signal ?? new AbortController().signal;
-    const result = await this.agent.run(prompt, { signal });
-    return result;
+    const prevCwd = this.context.cwd;
+    if (env?.cwd) this.context.cwd = env.cwd;
+    try {
+      return await this.agent.run(prompt, { signal });
+    } finally {
+      this.context.cwd = prevCwd;
+    }
   }
   async handleTaskStatusChange(taskId, status) {
     if (!this.graph) return;
@@ -436,8 +463,145 @@ Type: ${task.type}`;
   }
 };
 
+// src/server/worktree-ws-handler.ts
+var MAX_ACTIVITY = 6;
+var WorktreeWebSocketHandler = class {
+  constructor(events, logger) {
+    this.events = events;
+    this.logger = logger;
+    this.subscribe();
+  }
+  events;
+  logger;
+  clients = /* @__PURE__ */ new Set();
+  handles = /* @__PURE__ */ new Map();
+  baseBranch = "";
+  broadcastInterval = null;
+  offs = [];
+  addClient(ws) {
+    this.clients.add(ws);
+    ws.on("close", () => this.clients.delete(ws));
+    ws.on("error", () => this.clients.delete(ws));
+    this.send(ws, this.stateMessage());
+  }
+  dispose() {
+    for (const off of this.offs) off();
+    this.offs.length = 0;
+    this.stopBroadcast();
+  }
+  // ── internals ───────────────────────────────────────────────────────────
+  subscribe() {
+    const on = this.events.on.bind(this.events);
+    this.offs.push(
+      on("worktree.allocated", (p) => {
+        const e = p;
+        this.baseBranch = e.baseBranch || this.baseBranch;
+        this.upsert(e.handleId, {
+          handleId: e.handleId,
+          ownerId: e.ownerId,
+          ownerLabel: e.ownerLabel,
+          branch: e.branch,
+          baseBranch: e.baseBranch,
+          status: "active",
+          insertions: 0,
+          deletions: 0,
+          files: 0,
+          allocatedAt: Date.now(),
+          lastEventAt: Date.now(),
+          recentActivity: []
+        });
+        this.activity(e.handleId, "allocated", `branch ${e.branch}`);
+        this.ensureBroadcast();
+      }),
+      on("worktree.committed", (p) => {
+        const e = p;
+        this.patch(e.handleId, { status: "committing", insertions: e.insertions, deletions: e.deletions, files: e.files });
+        if (e.committed) this.activity(e.handleId, "committed", `+${e.insertions}/-${e.deletions} (${e.files}f)`);
+        this.broadcastState();
+      }),
+      on("worktree.merged", (p) => {
+        const e = p;
+        this.patch(e.handleId, { status: "merged" });
+        this.activity(e.handleId, "merged", `\u2192 ${e.baseBranch}`);
+        this.broadcastState();
+      }),
+      on("worktree.conflict", (p) => {
+        const e = p;
+        this.patch(e.handleId, { status: "needs-review", conflictFiles: e.conflictFiles });
+        this.activity(e.handleId, "conflict", e.conflictFiles.join(", "));
+        this.broadcastState();
+      }),
+      on("worktree.failed", (p) => {
+        const e = p;
+        this.patch(e.handleId, { status: "failed" });
+        this.activity(e.handleId, "failed", e.error);
+        this.broadcastState();
+      }),
+      on("worktree.released", (p) => {
+        const e = p;
+        if (!e.kept) this.handles.delete(e.handleId);
+        this.activity(e.handleId, "released", e.kept ? "kept for review" : "removed");
+        if (this.handles.size === 0) this.stopBroadcast();
+        else this.broadcastState();
+      })
+    );
+  }
+  upsert(id, view) {
+    this.handles.set(id, view);
+  }
+  patch(id, patch) {
+    const cur = this.handles.get(id);
+    if (!cur) return;
+    this.handles.set(id, { ...cur, ...patch, lastEventAt: Date.now() });
+  }
+  activity(id, kind, text) {
+    const cur = this.handles.get(id);
+    if (cur) {
+      const recentActivity = [...cur.recentActivity, { kind, text, at: Date.now() }].slice(-MAX_ACTIVITY);
+      this.handles.set(id, { ...cur, recentActivity });
+    }
+    this.broadcast({ type: "worktree.event", payload: { kind, handleId: id, text, at: Date.now() } });
+  }
+  stateMessage() {
+    return {
+      type: "worktree.state",
+      payload: { worktrees: [...this.handles.values()], baseBranch: this.baseBranch }
+    };
+  }
+  broadcastState() {
+    this.broadcast(this.stateMessage());
+  }
+  ensureBroadcast() {
+    this.broadcast(this.stateMessage());
+    if (this.broadcastInterval) return;
+    this.broadcastInterval = setInterval(() => this.broadcast(this.stateMessage()), 2e3);
+  }
+  stopBroadcast() {
+    this.broadcast(this.stateMessage());
+    if (this.broadcastInterval) {
+      clearInterval(this.broadcastInterval);
+      this.broadcastInterval = null;
+    }
+  }
+  broadcast(msg) {
+    const data = JSON.stringify(msg);
+    for (const ws of this.clients) {
+      try {
+        if (ws.readyState === 1) ws.send(data);
+      } catch (err) {
+        this.logger.debug?.(`worktree broadcast failed: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+  }
+  send(ws, msg) {
+    try {
+      if (ws.readyState === 1) ws.send(JSON.stringify(msg));
+    } catch {
+    }
+  }
+};
+
 // src/server/index.ts
-var HTML_CSP = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws: wss:; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'";
 async function startWebUI(opts = {}) {
   const wsPort = opts.wsPort ?? 3457;
   const wsHost = opts.wsHost ?? "127.0.0.1";
@@ -447,7 +611,7 @@ async function startWebUI(opts = {}) {
   let config = baseConfig;
   let configWriteLock = Promise.resolve();
   console.log("[WebUI] Config loaded:", config.provider ?? "(none)", "/", config.model ?? "(none)");
-  if (!config.provider && config.providers && Object.keys(config.providers).length > 0) {
+  if (!config.provider && config.providers && typeof config.providers === "object" && config.providers !== null && !Array.isArray(config.providers) && Object.keys(config.providers).length > 0) {
     const firstKey = Object.keys(config.providers)[0];
     config = patchConfig(config, { provider: firstKey });
     console.log("[WebUI] No active provider \u2014 auto-selected:", firstKey);
@@ -639,7 +803,15 @@ async function startWebUI(opts = {}) {
     toolExecutor
   });
   console.log("[WebUI] Agent initialized");
-  const autoPhaseHandler = new AutoPhaseWebSocketHandler(agent, context, logger, wpaths.projectAutophase);
+  const autoPhaseHandler = new AutoPhaseWebSocketHandler(
+    agent,
+    context,
+    logger,
+    wpaths.projectAutophase,
+    events,
+    projectRoot
+  );
+  const worktreeHandler = new WorktreeWebSocketHandler(events, logger);
   async function sessionStartPayload() {
     let maxContext = 0;
     let inputCost = 0;
@@ -730,11 +902,12 @@ async function startWebUI(opts = {}) {
   const RATE_LIMIT_MESSAGES = 60;
   const RATE_LIMIT_WINDOW_MS = 6e4;
   const rateLimits = /* @__PURE__ */ new Map();
-  function checkRateLimit(ws) {
+  function checkRateLimit(ws, client) {
     const now = Date.now();
-    const limit = rateLimits.get(ws);
+    const key = client.sessionId ?? String(ws);
+    const limit = rateLimits.get(key);
     if (!limit || now > limit.resetAt) {
-      rateLimits.set(ws, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS });
+      rateLimits.set(key, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS });
       return true;
     }
     if (limit.count >= RATE_LIMIT_MESSAGES) return false;
@@ -861,8 +1034,9 @@ async function startWebUI(opts = {}) {
       send(ws, { type: "session.start", payload });
     });
     autoPhaseHandler.addClient(ws);
+    worktreeHandler.addClient(ws);
     ws.on("message", async (data) => {
-      if (!checkRateLimit(ws)) {
+      if (!checkRateLimit(ws, client)) {
         send(ws, {
           type: "error",
           payload: {
@@ -873,15 +1047,24 @@ async function startWebUI(opts = {}) {
         return;
       }
       try {
-        const msg = JSON.parse(data.toString());
-        await handleMessage(ws, client, msg);
+        const rawObj = JSON.parse(data.toString());
+        if (typeof rawObj === "object" && rawObj !== null) {
+          const obj = rawObj;
+          if ("__proto__" in obj || "constructor" in obj || "prototype" in obj) {
+            send(ws, { type: "error", payload: { phase: "parse", message: "Invalid message object" } });
+          } else {
+            await handleMessage(ws, client, rawObj);
+          }
+        } else {
+          await handleMessage(ws, client, rawObj);
+        }
       } catch (err) {
         console.error("[WebUI] Failed to parse message", err);
       }
     });
     ws.on("close", () => {
       clients.delete(ws);
-      rateLimits.delete(ws);
+      rateLimits.delete(String(ws));
       console.log("[WebUI] Client disconnected, total:", clients.size);
       if (pendingConfirms.size > 0) {
         for (const [id, resolve2] of pendingConfirms) {
@@ -1875,7 +2058,10 @@ async function startWebUI(opts = {}) {
       res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
       if (ext === ".html") {
         res.setHeader("Cache-Control", "no-cache");
-        res.setHeader("Content-Security-Policy", HTML_CSP);
+        res.setHeader(
+          "Content-Security-Policy",
+          `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort} wss://127.0.0.1:${wsPort} ws://[::1]:${wsPort} wss://[::1]:${wsPort}; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`
+        );
       }
       const fileContent = await fs2.readFile(resolvedPath);
       res.writeHead(200);
@@ -1891,7 +2077,7 @@ async function startWebUI(opts = {}) {
             "Referrer-Policy": "strict-origin-when-cross-origin",
             // SPA fallback previously shipped no CSP — apply the same policy as
             // the direct .html branch so deep-linked routes aren't unprotected.
-            "Content-Security-Policy": HTML_CSP
+            "Content-Security-Policy": `default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' ws://127.0.0.1:${wsPort} wss://127.0.0.1:${wsPort} ws://[::1]:${wsPort} wss://[::1]:${wsPort}; img-src 'self' data:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'`
           });
           res.end(fileContent);
         } catch {