agentflow-core 0.5.2 → 0.6.0

package/dist/{chunk-YTMQBL3T.js → chunk-VF4FSBXR.js}

@@ -209,7 +209,6 @@ function getTraceTree(trace) {
 // src/live.ts
 import { existsSync, readdirSync, readFileSync, statSync, watch } from "fs";
 import { basename, join, resolve } from "path";
-import { execSync } from "child_process";
 var C = {
   reset: "\x1B[0m",
   bold: "\x1B[1m",
@@ -480,18 +479,20 @@ function processJsonFile(file) {
         const w = info;
         const status2 = findStatus(w);
         const ts2 = findTimestamp(w) || findTimestamp(obj) || file.mtime;
-        const pid = w.pid;
+        const rawPid = w.pid;
+        const pid = typeof rawPid === "number" ? rawPid : Number(rawPid);
+        const validPid = Number.isFinite(pid) && pid > 0;
         let validatedStatus = status2;
         let pidAlive = true;
-        if (pid && (status2 === "running" || status2 === "ok")) {
+        if (validPid && (status2 === "running" || status2 === "ok")) {
           try {
-            execSync(`kill -0 ${pid} 2>/dev/null`, { stdio: "ignore" });
+            process.kill(pid, 0);
           } catch {
             pidAlive = false;
             validatedStatus = "error";
           }
         }
-        const pidLabel = pid ? pidAlive ? `pid: ${pid}` : `pid: ${pid} (dead)` : "";
+        const pidLabel = validPid ? pidAlive ? `pid: ${pid}` : `pid: ${pid} (dead)` : "";
         const detail2 = pidLabel || extractDetail(w);
         records.push({
           id: name,
@@ -978,11 +979,14 @@ function render(config) {
   writeLine(L, `  ${C.dim}Press Ctrl+C to exit${C.reset}`);
   flushLines(L);
 }
-function getDistDepth(dt, spanId) {
+function getDistDepth(dt, spanId, visited) {
   if (!spanId) return 0;
+  const seen = visited ?? /* @__PURE__ */ new Set();
+  if (seen.has(spanId)) return 0;
+  seen.add(spanId);
   const g = dt.graphs.get(spanId);
   if (!g || !g.parentSpanId) return 0;
-  return 1 + getDistDepth(dt, g.parentSpanId);
+  return 1 + getDistDepth(dt, g.parentSpanId, seen);
 }
 function startLive(argv) {
   const config = parseArgs(argv);
@@ -1015,6 +1019,262 @@ function startLive(argv) {
   });
 }
 
+// src/process-audit.ts
+import { execSync } from "child_process";
+import { existsSync as existsSync2, readdirSync as readdirSync2, readFileSync as readFileSync2, statSync as statSync2 } from "fs";
+import { basename as basename2, join as join2 } from "path";
+function isPidAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function pidMatchesName(pid, name) {
+  try {
+    const cmdline = readFileSync2(`/proc/${pid}/cmdline`, "utf8");
+    return cmdline.includes(name);
+  } catch {
+    return false;
+  }
+}
+function readPidFile(path) {
+  try {
+    const pid = parseInt(readFileSync2(path, "utf8").trim(), 10);
+    return isNaN(pid) ? null : pid;
+  } catch {
+    return null;
+  }
+}
+function auditPidFile(config) {
+  if (!config.pidFile) return null;
+  const pid = readPidFile(config.pidFile);
+  if (pid === null) {
+    return {
+      path: config.pidFile,
+      pid: null,
+      alive: false,
+      matchesProcess: false,
+      stale: !existsSync2(config.pidFile),
+      reason: existsSync2(config.pidFile) ? "PID file exists but content is invalid" : "No PID file found"
+    };
+  }
+  const alive = isPidAlive(pid);
+  const matchesProcess = alive ? pidMatchesName(pid, config.processName) : false;
+  const stale = !alive || alive && !matchesProcess;
+  let reason;
+  if (alive && matchesProcess) {
+    reason = `PID ${pid} alive and matches ${config.processName}`;
+  } else if (alive && !matchesProcess) {
+    reason = `PID ${pid} alive but is NOT ${config.processName} (PID reused by another process)`;
+  } else {
+    reason = `PID ${pid} no longer exists`;
+  }
+  return { path: config.pidFile, pid, alive, matchesProcess, stale, reason };
+}
+function auditSystemd(config) {
+  if (config.systemdUnit === null || config.systemdUnit === void 0) return null;
+  const unit = config.systemdUnit;
+  try {
+    const raw = execSync(
+      `systemctl --user show ${unit} --property=ActiveState,SubState,MainPID,NRestarts,Result --no-pager 2>/dev/null`,
+      { encoding: "utf8", timeout: 5e3 }
+    );
+    const props = {};
+    for (const line of raw.trim().split("\n")) {
+      const [k, ...v] = line.split("=");
+      if (k) props[k.trim()] = v.join("=").trim();
+    }
+    const activeState = props["ActiveState"] ?? "unknown";
+    const subState = props["SubState"] ?? "unknown";
+    const mainPid = parseInt(props["MainPID"] ?? "0", 10);
+    const restarts = parseInt(props["NRestarts"] ?? "0", 10);
+    const result = props["Result"] ?? "unknown";
+    return {
+      unit,
+      activeState,
+      subState,
+      mainPid,
+      restarts,
+      result,
+      crashLooping: activeState === "activating" && subState === "auto-restart",
+      failed: activeState === "failed"
+    };
+  } catch {
+    return null;
+  }
+}
+function auditWorkers(config) {
+  if (!config.workersFile || !existsSync2(config.workersFile)) return null;
+  try {
+    const data = JSON.parse(readFileSync2(config.workersFile, "utf8"));
+    const orchPid = data.pid ?? null;
+    const orchAlive = orchPid ? isPidAlive(orchPid) : false;
+    const workers = [];
+    for (const [name, info] of Object.entries(data.tools ?? {})) {
+      const w = info;
+      const wPid = w.pid ?? null;
+      const wAlive = wPid ? isPidAlive(wPid) : false;
+      workers.push({
+        name,
+        pid: wPid,
+        declaredStatus: w.status ?? "unknown",
+        alive: wAlive,
+        stale: w.status === "running" && !wAlive
+      });
+    }
+    return {
+      orchestratorPid: orchPid,
+      orchestratorAlive: orchAlive,
+      startedAt: data.started_at ?? "",
+      workers
+    };
+  } catch {
+    return null;
+  }
+}
+function getOsProcesses(processName) {
+  try {
+    const raw = execSync(`ps aux`, { encoding: "utf8", timeout: 5e3 });
+    return raw.split("\n").filter((line) => line.includes(processName) && !line.includes("process-audit") && !line.includes("grep")).map((line) => {
+      const parts = line.trim().split(/\s+/);
+      return {
+        pid: parseInt(parts[1] ?? "0", 10),
+        cpu: parts[2] ?? "0",
+        mem: parts[3] ?? "0",
+        command: parts.slice(10).join(" ")
+      };
+    }).filter((p) => !isNaN(p.pid) && p.pid > 0);
+  } catch {
+    return [];
+  }
+}
+function discoverProcessConfig(dirs) {
+  let pidFile;
+  let workersFile;
+  let processName = "";
+  for (const dir of dirs) {
+    if (!existsSync2(dir)) continue;
+    let entries;
+    try {
+      entries = readdirSync2(dir);
+    } catch {
+      continue;
+    }
+    for (const f of entries) {
+      const fp = join2(dir, f);
+      try {
+        if (!statSync2(fp).isFile()) continue;
+      } catch {
+        continue;
+      }
+      if (f.endsWith(".pid") && !pidFile) {
+        pidFile = fp;
+        if (!processName) {
+          processName = basename2(f, ".pid");
+        }
+      }
+      if ((f === "workers.json" || f.endsWith("-workers.json")) && !workersFile) {
+        workersFile = fp;
+        if (!processName && f !== "workers.json") {
+          processName = basename2(f, "-workers.json");
+        }
+      }
+    }
+  }
+  if (!processName && !pidFile && !workersFile) return null;
+  if (!processName) processName = "agent";
+  return { processName, pidFile, workersFile };
+}
+function auditProcesses(config) {
+  const pidFile = auditPidFile(config);
+  const systemd = auditSystemd(config);
+  const workers = auditWorkers(config);
+  const osProcesses = getOsProcesses(config.processName);
+  const knownPids = /* @__PURE__ */ new Set();
+  if (pidFile?.pid && !pidFile.stale) knownPids.add(pidFile.pid);
+  if (workers) {
+    if (workers.orchestratorPid) knownPids.add(workers.orchestratorPid);
+    for (const w of workers.workers) {
+      if (w.pid) knownPids.add(w.pid);
+    }
+  }
+  if (systemd?.mainPid) knownPids.add(systemd.mainPid);
+  const orphans = osProcesses.filter((p) => !knownPids.has(p.pid));
+  const problems = [];
+  if (pidFile?.stale) problems.push(`Stale PID file: ${pidFile.reason}`);
+  if (systemd?.crashLooping) problems.push("Systemd unit is crash-looping (auto-restart)");
+  if (systemd?.failed) problems.push("Systemd unit has failed");
+  if (systemd && systemd.restarts > 10) problems.push(`High systemd restart count: ${systemd.restarts}`);
+  if (pidFile?.pid && systemd?.mainPid && pidFile.pid !== systemd.mainPid) {
+    problems.push(`PID mismatch: file says ${pidFile.pid}, systemd says ${systemd.mainPid}`);
+  }
+  if (workers) {
+    for (const w of workers.workers) {
+      if (w.stale) problems.push(`Worker "${w.name}" (pid ${w.pid}) declares running but is dead`);
+    }
+  }
+  if (orphans.length > 0) problems.push(`${orphans.length} orphan process(es) not tracked by PID file or workers registry`);
+  return { pidFile, systemd, workers, osProcesses, orphans, problems };
+}
+function formatAuditReport(result) {
+  const lines = [];
+  lines.push("");
+  lines.push("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557");
+  lines.push("\u2551            \u{1F50D}  P R O C E S S   A U D I T                      \u2551");
+  lines.push("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D");
+  if (result.pidFile) {
+    const pf = result.pidFile;
+    const icon = pf.pid && pf.alive && pf.matchesProcess ? "\u2705" : pf.stale ? "\u26A0\uFE0F " : "\u2139\uFE0F ";
+    lines.push(`
+  PID File: ${pf.path}`);
+    lines.push(`  ${icon} ${pf.reason}`);
+  }
+  if (result.systemd) {
+    const sd = result.systemd;
+    const icon = sd.activeState === "active" ? "\u{1F7E2}" : sd.crashLooping ? "\u{1F7E1}" : sd.failed ? "\u{1F534}" : "\u26AA";
+    lines.push(`
+  Systemd: ${sd.unit}`);
+    lines.push(`  ${icon} State: ${sd.activeState} (${sd.subState})  Result: ${sd.result}`);
+    lines.push(`     Main PID: ${sd.mainPid || "none"}  Restarts: ${sd.restarts}`);
+  }
+  if (result.workers) {
+    const w = result.workers;
+    lines.push(`
+  Workers (orchestrator pid ${w.orchestratorPid ?? "unknown"} ${w.orchestratorAlive ? "\u2705" : "\u274C"})`);
+    for (const worker of w.workers) {
+      const icon = worker.declaredStatus === "running" && worker.alive ? "\u{1F7E2}" : worker.stale ? "\u{1F534} STALE" : "\u26AA";
+      lines.push(`  ${icon}  ${worker.name.padEnd(14)} pid=${String(worker.pid ?? "-").padEnd(8)} status=${worker.declaredStatus}`);
+    }
+  }
+  if (result.osProcesses.length > 0) {
+    lines.push(`
+  OS Processes (${result.osProcesses.length} total)`);
+    for (const p of result.osProcesses) {
+      lines.push(`    PID ${String(p.pid).padEnd(8)} CPU=${p.cpu.padEnd(6)} MEM=${p.mem.padEnd(6)} ${p.command.substring(0, 55)}`);
+    }
+  }
+  if (result.orphans.length > 0) {
+    lines.push(`
+  \u26A0\uFE0F  ${result.orphans.length} ORPHAN PROCESS(ES):`);
+    for (const p of result.orphans) {
+      lines.push(`     PID ${p.pid} \u2014 not tracked by PID file or workers registry`);
+    }
+  }
+  lines.push("");
+  if (result.problems.length === 0) {
+    lines.push("  \u2705 All checks passed \u2014 no process issues detected.");
+  } else {
+    lines.push(`  \u26A0\uFE0F  ${result.problems.length} issue(s):`);
+    for (const p of result.problems) {
+      lines.push(`     \u2022 ${p}`);
+    }
+  }
+  lines.push("");
+  return lines.join("\n");
+}
+
 // src/graph-builder.ts
 import { randomUUID } from "crypto";
 function deepFreeze(obj) {
@@ -1243,20 +1503,20 @@ function createGraphBuilder(config) {
 
 // src/runner.ts
 import { spawnSync } from "child_process";
-import { existsSync as existsSync2, mkdirSync, readdirSync as readdirSync2, statSync as statSync2, writeFileSync } from "fs";
-import { basename as basename2, join as join2, resolve as resolve2 } from "path";
+import { existsSync as existsSync3, mkdirSync, readdirSync as readdirSync3, statSync as statSync3, writeFileSync } from "fs";
+import { basename as basename3, join as join3, resolve as resolve2 } from "path";
 function globToRegex(pattern) {
   const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
   return new RegExp(`^${escaped}$`);
 }
 function snapshotDir(dir, patterns) {
   const result = /* @__PURE__ */ new Map();
-  if (!existsSync2(dir)) return result;
-  for (const entry of readdirSync2(dir)) {
+  if (!existsSync3(dir)) return result;
+  for (const entry of readdirSync3(dir)) {
     if (!patterns.some((re) => re.test(entry))) continue;
-    const full = join2(dir, entry);
+    const full = join3(dir, entry);
     try {
-      const stat = statSync2(full);
+      const stat = statSync3(full);
       if (stat.isFile()) {
         result.set(full, stat.mtimeMs);
       }
@@ -1266,7 +1526,7 @@ function snapshotDir(dir, patterns) {
   return result;
 }
 function agentIdFromFilename(filePath) {
-  const base = basename2(filePath, ".json");
+  const base = basename3(filePath, ".json");
   const cleaned = base.replace(/-state$/, "");
   return `alfred-${cleaned}`;
 }
@@ -1371,14 +1631,18 @@ async function runTraced(config) {
     childBuilder.endNode(childRootId);
     allGraphs.push(childBuilder.build());
   }
-  if (!existsSync2(resolvedTracesDir)) {
+  if (!existsSync3(resolvedTracesDir)) {
     mkdirSync(resolvedTracesDir, { recursive: true });
   }
   const ts = fileTimestamp();
   const tracePaths = [];
   for (const graph of allGraphs) {
     const filename = `${graph.agentId}-${ts}.json`;
-    const outPath = join2(resolvedTracesDir, filename);
+    const outPath = join3(resolvedTracesDir, filename);
+    const resolvedOut = resolve2(outPath);
+    if (!resolvedOut.startsWith(resolvedTracesDir + "/") && resolvedOut !== resolvedTracesDir) {
+      throw new Error(`Path traversal detected: agentId "${graph.agentId}" escapes traces directory`);
+    }
     writeFileSync(outPath, JSON.stringify(graphToJson(graph), null, 2), "utf-8");
     tracePaths.push(outPath);
   }
@@ -1397,7 +1661,7 @@ async function runTraced(config) {
 
 // src/trace-store.ts
 import { mkdir, readdir, readFile, writeFile } from "fs/promises";
-import { join as join3 } from "path";
+import { join as join4, resolve as resolve3 } from "path";
 function createTraceStore(dir) {
   async function ensureDir() {
     await mkdir(dir, { recursive: true });
@@ -1414,7 +1678,7 @@ function createTraceStore(dir) {
     for (const file of files) {
       if (!file.endsWith(".json")) continue;
       try {
-        const content = await readFile(join3(dir, file), "utf-8");
+        const content = await readFile(join4(dir, file), "utf-8");
         const graph = loadGraph(content);
         graphs.push(graph);
       } catch {
@@ -1426,13 +1690,18 @@ function createTraceStore(dir) {
     async save(graph) {
       await ensureDir();
       const json = graphToJson(graph);
-      const filePath = join3(dir, `${graph.id}.json`);
+      const filePath = join4(dir, `${graph.id}.json`);
+      const resolvedBase = resolve3(dir);
+      const resolvedPath = resolve3(filePath);
+      if (!resolvedPath.startsWith(resolvedBase + "/") && resolvedPath !== resolvedBase) {
+        throw new Error(`Path traversal detected: "${graph.id}" escapes base directory`);
+      }
       await writeFile(filePath, JSON.stringify(json, null, 2), "utf-8");
       return filePath;
     },
     async get(graphId) {
       await ensureDir();
-      const filePath = join3(dir, `${graphId}.json`);
+      const filePath = join4(dir, `${graphId}.json`);
       try {
         const content = await readFile(filePath, "utf-8");
         return loadGraph(content);
@@ -1625,9 +1894,9 @@ function toTimeline(graph) {
 }
 
 // src/watch.ts
-import { existsSync as existsSync4 } from "fs";
+import { existsSync as existsSync5 } from "fs";
 import { hostname } from "os";
-import { join as join4, resolve as resolve3 } from "path";
+import { join as join5, resolve as resolve4 } from "path";
 
 // src/watch-alerts.ts
 import { exec } from "child_process";
@@ -1685,7 +1954,7 @@ function sendTelegram(payload, botToken, chatId) {
     text: formatTelegram(payload),
     parse_mode: "Markdown"
   });
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve5, reject) => {
     const req = httpsRequest(
       `https://api.telegram.org/bot${botToken}/sendMessage`,
       {
@@ -1694,7 +1963,7 @@ function sendTelegram(payload, botToken, chatId) {
       },
       (res) => {
         res.resume();
-        if (res.statusCode && res.statusCode >= 200 && res.statusCode < 300) resolve4();
+        if (res.statusCode && res.statusCode >= 200 && res.statusCode < 300) resolve5();
         else reject(new Error(`Telegram API returned ${res.statusCode}`));
       }
     );
@@ -1707,7 +1976,7 @@ function sendWebhook(payload, url) {
   const body = JSON.stringify(payload);
   const isHttps = url.startsWith("https");
   const doRequest = isHttps ? httpsRequest : httpRequest;
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve5, reject) => {
     const req = doRequest(
       url,
       {
@@ -1716,7 +1985,7 @@ function sendWebhook(payload, url) {
       },
       (res) => {
         res.resume();
-        if (res.statusCode && res.statusCode >= 200 && res.statusCode < 300) resolve4();
+        if (res.statusCode && res.statusCode >= 200 && res.statusCode < 300) resolve5();
         else reject(new Error(`Webhook returned ${res.statusCode}`));
       }
     );
@@ -1729,7 +1998,7 @@ function sendWebhook(payload, url) {
   });
 }
 function sendCommand(payload, cmd) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve5, reject) => {
     const env = {
       ...process.env,
       AGENTFLOW_ALERT_AGENT: payload.agentId,
@@ -1742,13 +2011,13 @@ function sendCommand(payload, cmd) {
     };
     exec(cmd, { env, timeout: 3e4 }, (err) => {
       if (err) reject(err);
-      else resolve4();
+      else resolve5();
     });
   });
 }
 
 // src/watch-state.ts
-import { existsSync as existsSync3, readFileSync as readFileSync2, renameSync, writeFileSync as writeFileSync2 } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync3, renameSync, writeFileSync as writeFileSync2 } from "fs";
 function parseDuration(input) {
   const match = input.match(/^(\d+(?:\.\d+)?)\s*(s|m|h|d)$/i);
   if (!match) {
@@ -1773,9 +2042,9 @@ function emptyState() {
   return { version: 1, agents: {}, lastPollTime: 0 };
 }
 function loadWatchState(filePath) {
-  if (!existsSync3(filePath)) return emptyState();
+  if (!existsSync4(filePath)) return emptyState();
   try {
-    const raw = JSON.parse(readFileSync2(filePath, "utf8"));
+    const raw = JSON.parse(readFileSync3(filePath, "utf8"));
     if (raw.version !== 1 || typeof raw.agents !== "object") return emptyState();
     return raw;
   } catch {
@@ -2017,20 +2286,20 @@ function parseWatchArgs(argv) {
       recursive = true;
       i++;
     } else if (!arg.startsWith("-")) {
-      dirs.push(resolve3(arg));
+      dirs.push(resolve4(arg));
       i++;
     } else {
       i++;
     }
   }
-  if (dirs.length === 0) dirs.push(resolve3("."));
+  if (dirs.length === 0) dirs.push(resolve4("."));
   if (alertConditions.length === 0) {
     alertConditions.push({ type: "error" });
     alertConditions.push({ type: "recovery" });
   }
   notifyChannels.unshift({ type: "stdout" });
   if (!stateFilePath) {
-    stateFilePath = join4(dirs[0], ".agentflow-watch-state.json");
+    stateFilePath = join5(dirs[0], ".agentflow-watch-state.json");
   }
   return {
     dirs,
@@ -2038,7 +2307,7 @@ function parseWatchArgs(argv) {
     pollIntervalMs,
     alertConditions,
     notifyChannels,
-    stateFilePath: resolve3(stateFilePath),
+    stateFilePath: resolve4(stateFilePath),
     cooldownMs
   };
 }
@@ -2092,12 +2361,12 @@ Examples:
 }
 function startWatch(argv) {
   const config = parseWatchArgs(argv);
-  const valid = config.dirs.filter((d) => existsSync4(d));
+  const valid = config.dirs.filter((d) => existsSync5(d));
   if (valid.length === 0) {
     console.error(`No valid directories found: ${config.dirs.join(", ")}`);
     process.exit(1);
   }
-  const invalid = config.dirs.filter((d) => !existsSync4(d));
+  const invalid = config.dirs.filter((d) => !existsSync5(d));
   if (invalid.length > 0) {
     console.warn(`Skipping non-existent: ${invalid.join(", ")}`);
   }
@@ -2191,6 +2460,9 @@ export {
   stitchTrace,
   getTraceTree,
   startLive,
+  discoverProcessConfig,
+  auditProcesses,
+  formatAuditReport,
   createGraphBuilder,
   runTraced,
   createTraceStore,