agentic-loop 3.8.0 → 3.9.0

package/.claude/commands/idea.md

@@ -54,7 +54,7 @@ Help the user flesh out the idea through conversation:
 **Security (IMPORTANT - ask if feature involves):**
 - Authentication: Who can access this? Login required?
 - Passwords: How stored? (must be hashed, never plain text)
-- User input: What validation needed? (prevent injection)
+- User input: What validation needed? (SQL injection, XSS, command injection)
 - Sensitive data: What should NEVER be in API responses?
 - Rate limiting: Should this be rate limited? (login attempts, API calls)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentic-loop",
-  "version": "3.8.0",
+  "version": "3.9.0",
   "description": "Autonomous AI coding loop - PRD-driven development with Claude Code",
   "author": "Allie Jones <allie@allthrive.ai>",
   "license": "MIT",

package/ralph/init.sh

@@ -496,6 +496,89 @@ auto_configure_project() {
     done
   fi
 
+  # 7. Detect test directory and patterns
+  local test_dir=""
+  local test_patterns=""
+
+  # Check for common test directories
+  for dir in "tests" "test" "__tests__" "spec" \
+             "src/__tests__" "src/test" \
+             "apps/api/tests" "apps/web/tests" \
+             "backend/tests" "frontend/tests"; do
+    if [[ -d "$dir" ]]; then
+      test_dir="$dir"
+      break
+    fi
+  done
+
+  # If no directory found, check for colocated test files
+  if [[ -z "$test_dir" ]]; then
+    # Look for test files anywhere (colocated pattern)
+    local test_file=""
+    test_file=$(find . -type f \( \
+      -name "*_test.py" -o -name "test_*.py" -o \
+      -name "*.test.ts" -o -name "*.test.js" -o -name "*.test.tsx" -o \
+      -name "*.spec.ts" -o -name "*.spec.js" -o \
+      -name "*_test.go" -o -name "*_test.rs" \
+    \) -not -path "*/node_modules/*" -not -path "*/.venv/*" -not -path "*/venv/*" \
+       -not -path "*/.git/*" -not -path "*/dist/*" -not -path "*/build/*" \
+       -not -path "*/__pycache__/*" -not -path "*/coverage/*" 2>/dev/null | head -1 || true)
+
+    if [[ -n "$test_file" ]]; then
+      # Tests are colocated with source (e.g., src/component.test.ts)
+      test_dir="src"
+      [[ ! -d "src" ]] && test_dir="."
+    fi
+  fi
+
+  # Detect test patterns based on project type (combine for mixed projects)
+  test_patterns=""
+  if [[ -f "pyproject.toml" || -f "requirements.txt" ]]; then
+    test_patterns="*_test.py,test_*.py"
+  fi
+  if [[ -f "package.json" ]]; then
+    [[ -n "$test_patterns" ]] && test_patterns+=","
+    test_patterns+="*.test.ts,*.test.tsx,*.test.js,*.spec.ts,*.spec.tsx,*.spec.js"
+  fi
+  if [[ -f "go.mod" ]]; then
+    [[ -n "$test_patterns" ]] && test_patterns+=","
+    test_patterns+="*_test.go"
+  fi
+  if [[ -f "Cargo.toml" ]]; then
+    [[ -n "$test_patterns" ]] && test_patterns+=","
+    test_patterns+="*_test.rs"
+  fi
+  if [[ -f "mix.exs" ]]; then
+    [[ -n "$test_patterns" ]] && test_patterns+=","
+    test_patterns+="*_test.exs"
+  fi
+
+  if [[ -n "$test_dir" ]]; then
+    if ! jq -e '.tests.directory' "$tmpfile" >/dev/null 2>&1 || [[ "$(jq -r '.tests.directory' "$tmpfile")" == "" ]]; then
+      jq --arg dir "$test_dir" --arg patterns "$test_patterns" \
+         '.tests.directory = $dir | .tests.patterns = $patterns' \
+         "$tmpfile" > "${tmpfile}.new" && mv "${tmpfile}.new" "$tmpfile"
+      echo "  Auto-detected tests.directory: $test_dir"
+      updated=true
+    fi
+  else
+    # No tests found - check if warning is suppressed
+    local require_tests
+    require_tests=$(jq -r '.checks.requireTests // true' "$tmpfile" 2>/dev/null)
+
+    if [[ "$require_tests" == "true" ]]; then
+      echo ""
+      print_warning "No test directory or test files found."
+      echo "  Without tests, Ralph can only verify syntax and API responses."
+      echo "  Import errors and integration issues won't be caught."
+      echo ""
+      echo "  To fix: Add tests, or set in .ralph/config.json:"
+      echo "    {\"tests\": {\"directory\": \"src\", \"patterns\": \"*.test.ts\"}}"
+      echo "  To silence: {\"checks\": {\"requireTests\": false}}"
+      echo ""
+    fi
+  fi
+
   # Save if updated
   if [[ "$updated" == "true" ]]; then
     mv "$tmpfile" "$config"

package/ralph/utils.sh

@@ -509,6 +509,27 @@ validate_prd() {
     print_warning "PRD is missing feature name (will show as 'unnamed')"
   fi
 
+  # Check if project has tests (from config)
+  local config="$RALPH_DIR/config.json"
+  if [[ -f "$config" ]]; then
+    local require_tests
+    require_tests=$(jq -r '.checks.requireTests // true' "$config" 2>/dev/null)
+    local test_dir
+    test_dir=$(jq -r '.tests.directory // empty' "$config" 2>/dev/null)
+
+    if [[ "$require_tests" == "true" && -z "$test_dir" ]]; then
+      echo ""
+      print_warning "No test directory configured in .ralph/config.json"
+      echo "  Without tests, Ralph can only verify syntax and API responses."
+      echo "  Import errors and integration issues won't be caught."
+      echo ""
+      echo "  To fix: Add tests, or set in .ralph/config.json:"
+      echo "    {\"tests\": {\"directory\": \"src\", \"patterns\": \"*.test.ts\"}}"
+      echo "  To silence: {\"checks\": {\"requireTests\": false}}"
+      echo ""
+    fi
+  fi
+
   # Validate and fix individual stories
   validate_and_fix_stories "$prd_file" || return 1
 
@@ -589,7 +610,8 @@ validate_and_fix_stories() {
     fi
 
     # Check 5: List endpoints need scale criteria
-    if echo "$story_title" | grep -qiE "(list|get all|fetch all|index|search)"; then
+    # Note: "search" excluded - search endpoints often return single/filtered results
+    if echo "$story_title" | grep -qiE "(list|get all|fetch all|index)"; then
       local criteria
       criteria=$(jq -r --arg id "$story_id" '.stories[] | select(.id==$id) | .acceptanceCriteria // [] | join(" ")' "$prd_file")
       if ! echo "$criteria" | grep -qiE "(pagina|limit|page=|per.?page)"; then
@@ -656,36 +678,51 @@ RULES FOR FIXING:
 CURRENT PRD:
 $(cat "$prd_file")
 
-Output ONLY the fixed JSON, no explanation."
+Output ONLY the fixed JSON, no explanation. Start with { and end with }."
 
+  local raw_response
+  raw_response=$(echo "$fix_prompt" | run_with_timeout "$CODE_REVIEW_TIMEOUT_SECONDS" claude -p 2>/dev/null)
+
+  # Extract JSON from response (Claude sometimes adds text before/after)
   local fixed_prd
-  fixed_prd=$(echo "$fix_prompt" | claude -p 2>/dev/null)
+  fixed_prd=$(echo "$raw_response" | sed -n '/^[[:space:]]*{/,/^[[:space:]]*}[[:space:]]*$/p' | head -1000)
+
+  # If sed extraction failed, try the raw response
+  if [[ -z "$fixed_prd" ]]; then
+    fixed_prd="$raw_response"
+  fi
 
-  # Validate the response is valid JSON
-  if echo "$fixed_prd" | jq -e . >/dev/null 2>&1; then
-    # Backup original
-    cp "$prd_file" "${prd_file}.bak"
+  # Validate the response is valid JSON with required structure
+  if echo "$fixed_prd" | jq -e '.stories' >/dev/null 2>&1; then
+    # Timestamped backup (preserves history across multiple fixes)
+    local backup_file="${prd_file}.$(date +%Y%m%d-%H%M%S).bak"
+    cp "$prd_file" "$backup_file"
 
     # Write fixed PRD
     echo "$fixed_prd" > "$prd_file"
-    print_success "PRD auto-fixed (backup at ${prd_file}.bak)"
+    print_success "PRD auto-fixed (backup at $backup_file)"
 
     # Re-validate to confirm fixes
     echo "  Re-validating..."
     local remaining_issues
     remaining_issues=$(validate_stories_quick "$prd_file")
     if [[ -n "$remaining_issues" ]]; then
-      print_warning "Some issues remain - may need manual fixes"
+      print_warning "Some issues remain - may need manual fixes:"
+      echo "$remaining_issues" | tr ',' '\n' | while IFS= read -r line; do
+        [[ -n "$line" ]] && echo "    $line"
+      done
     else
       print_success "All issues resolved"
     fi
   else
     print_error "Claude returned invalid JSON - fix manually"
+    echo "  Response preview: $(echo "$raw_response" | head -3)"
     return 1
   fi
 }
 
 # Quick validation without auto-fix (for re-checking after fix)
+# Checks all the same things as validate_and_fix_stories() but returns issues string
 validate_stories_quick() {
   local prd_file="$1"
   local issues=""
@@ -698,17 +735,55 @@ validate_stories_quick() {
 
     local story_type
     story_type=$(jq -r --arg id "$story_id" '.stories[] | select(.id==$id) | .type // "unknown"' "$prd_file")
+    local story_title
+    story_title=$(jq -r --arg id "$story_id" '.stories[] | select(.id==$id) | .title // ""' "$prd_file")
     local test_steps
     test_steps=$(jq -r --arg id "$story_id" '.stories[] | select(.id==$id) | .testSteps // [] | join(" ")' "$prd_file")
 
+    # Check 1: testSteps quality
     if [[ "$story_type" == "backend" ]] && ! echo "$test_steps" | grep -q "curl "; then
-      issues+="$story_id: still missing curl tests, "
+      issues+="$story_id: missing curl tests, "
+    fi
+    if [[ "$story_type" == "frontend" ]] && ! echo "$test_steps" | grep -qE "(tsc --noEmit|playwright)"; then
+      issues+="$story_id: missing tsc/playwright tests, "
     fi
 
+    # Check 2: Backend needs apiContract
+    if [[ "$story_type" == "backend" ]]; then
+      local has_contract
+      has_contract=$(jq -r --arg id "$story_id" '.stories[] | select(.id==$id) | .apiContract // empty' "$prd_file")
+      if [[ -z "$has_contract" || "$has_contract" == "null" ]]; then
+        issues+="$story_id: missing apiContract, "
+      fi
+    fi
+
+    # Check 3: Frontend needs testUrl and contextFiles
     if [[ "$story_type" == "frontend" ]]; then
       local has_url
       has_url=$(jq -r --arg id "$story_id" '.stories[] | select(.id==$id) | .testUrl // empty' "$prd_file")
-      [[ -z "$has_url" ]] && issues+="$story_id: still missing testUrl, "
+      [[ -z "$has_url" || "$has_url" == "null" ]] && issues+="$story_id: missing testUrl, "
+
+      local context_files
+      context_files=$(jq -r --arg id "$story_id" '.stories[] | select(.id==$id) | .contextFiles // [] | length' "$prd_file")
+      [[ "$context_files" == "0" ]] && issues+="$story_id: missing contextFiles, "
+    fi
+
+    # Check 4: Auth stories need security criteria
+    if echo "$story_title" | grep -qiE "(login|auth|password|register|signup|sign.?up)"; then
+      local criteria
+      criteria=$(jq -r --arg id "$story_id" '.stories[] | select(.id==$id) | .acceptanceCriteria // [] | join(" ")' "$prd_file")
+      if ! echo "$criteria" | grep -qiE "(hash|bcrypt|sanitiz|inject|rate.?limit)"; then
+        issues+="$story_id: missing security criteria, "
+      fi
+    fi
+
+    # Check 5: List endpoints need scale criteria
+    if echo "$story_title" | grep -qiE "(list|get all|fetch all|index)"; then
+      local criteria
+      criteria=$(jq -r --arg id "$story_id" '.stories[] | select(.id==$id) | .acceptanceCriteria // [] | join(" ")' "$prd_file")
+      if ! echo "$criteria" | grep -qiE "(pagina|limit|page=|per.?page)"; then
+        issues+="$story_id: missing pagination criteria, "
+      fi
     fi
   done <<< "$story_ids"
 

package/templates/config/elixir.json

@@ -39,9 +39,15 @@
     "typecheck": false,
     "build": true,
     "test": true,
+    "requireTests": true,
     "fastapi": false
   },
 
+  "tests": {
+    "directory": "test",
+    "patterns": "*_test.exs"
+  },
+
   "api": {
     "baseUrl": "http://localhost:4000",
     "healthEndpoint": "/api/health",

package/templates/config/fastmcp.json

@@ -40,9 +40,15 @@
     "typecheck": true,
     "build": false,
     "test": true,
+    "requireTests": true,
     "fastmcp": true
   },
 
+  "tests": {
+    "directory": "tests",
+    "patterns": "*_test.py,test_*.py"
+  },
+
   "api": {
     "baseUrl": "http://localhost:8000",
     "healthEndpoint": "/health",

package/templates/config/fullstack.json

@@ -41,9 +41,15 @@
     "typecheck": true,
     "build": "final",
     "test": true,
+    "requireTests": true,
     "fastapi": true
   },
 
+  "tests": {
+    "directory": "tests",
+    "patterns": "*.test.ts,*.test.tsx,*_test.py,test_*.py"
+  },
+
   "api": {
     "baseUrl": "http://localhost:8000",
     "healthEndpoint": "/api/health",

package/templates/config/go.json

@@ -39,9 +39,15 @@
     "typecheck": false,
     "build": true,
     "test": true,
+    "requireTests": true,
     "fastapi": false
   },
 
+  "tests": {
+    "directory": ".",
+    "patterns": "*_test.go"
+  },
+
   "api": {
     "baseUrl": "http://localhost:8080",
     "healthEndpoint": "/health",

package/templates/config/minimal.json

@@ -39,9 +39,15 @@
     "typecheck": true,
     "build": "final",
     "test": true,
+    "requireTests": false,
     "fastapi": false
   },
 
+  "tests": {
+    "directory": "",
+    "patterns": ""
+  },
+
   "api": {
     "baseUrl": "http://localhost:3000",
     "healthEndpoint": "/health",

package/templates/config/node.json

@@ -39,9 +39,15 @@
     "typecheck": true,
     "build": "final",
     "test": true,
+    "requireTests": true,
     "fastapi": false
   },
 
+  "tests": {
+    "directory": "tests",
+    "patterns": "*.test.ts,*.test.tsx,*.test.js,*.spec.ts,*.spec.tsx,*.spec.js"
+  },
+
   "api": {
     "baseUrl": "http://localhost:3000",
     "healthEndpoint": "/api/health",

package/templates/config/python.json

@@ -39,9 +39,15 @@
     "typecheck": false,
     "build": false,
     "test": true,
+    "requireTests": true,
     "fastapi": true
   },
 
+  "tests": {
+    "directory": "tests",
+    "patterns": "*_test.py,test_*.py"
+  },
+
   "api": {
     "baseUrl": "http://localhost:8000",
     "healthEndpoint": "/api/health",

package/templates/config/rust.json

@@ -39,9 +39,15 @@
     "typecheck": false,
     "build": true,
     "test": true,
+    "requireTests": true,
     "fastapi": false
   },
 
+  "tests": {
+    "directory": "tests",
+    "patterns": "*_test.rs"
+  },
+
   "api": {
     "baseUrl": "http://localhost:8080",
     "healthEndpoint": "/health",