agentloopkit 0.24.1 → 0.24.3

package/README.md

@@ -39,18 +39,21 @@ Coding agents often move fast but leave reviewers with weak evidence: unclear sc
 
 ## Install
 
-Use it with `npx` inside an existing repository:
+Use it with `npx` from the root of the repository you want to configure:
 
 ```bash
-npx agentloopkit init
+cd /path/to/your/repo
 npx agentloopkit init --dry-run
+npx agentloopkit init
 ```
 
+`init` writes files into the current directory. Do not run it from `~` unless you intend to configure your home directory. `--dry-run` previews the file changes without writing them.
+
 Pin the current version when you need repeatable CI or team setup:
 
 ```bash
-npx --yes agentloopkit@0.24.1 version
-npx --yes agentloopkit@0.24.1 init
+npx --yes agentloopkit@0.24.2 version
+npx --yes agentloopkit@0.24.2 init
 ```
 
 Run the CLI after install:
@@ -112,6 +115,7 @@ pnpm build
 | --------------------------------------- | ------------------------------------------------------------------------------ |
 | `agentloop init`                        | Generate the repo harness and config                                           |
 | `agentloop init --dry-run`              | Preview generated files without writing them                                   |
+| `agentloop init --force`                | Allow initialization when the current directory is your home directory          |
 | `agentloop doctor`                      | Check setup health, template version, commands, git state, and risk categories |
 | `agentloop create-task`                 | Create a task contract in `.agentloop/tasks/`                                  |
 | `agentloop task list`                   | List task contracts and show the pinned active task                            |
@@ -265,7 +269,7 @@ Each contract records:
 .agentloop/reports/YYYY-MM-DD-HH-mm-verification-report.md
 ```
 
-Pass `--task .agentloop/tasks/file.md` to include task title, type, status, and path in the report. AgentLoopKit reads Markdown task contracts for this flag. It reports `.env`-style paths as unavailable instead of reading them.
+Pass `--task .agentloop/tasks/file.md` to include task title, type, status, and path in the report. The path must point to a Markdown task contract inside the configured task directory. Invalid paths are reported as unavailable instead of being read.
 
 It does not hide failures. Failed reports include a short failure summary with each failed command, exit code, and final useful output lines before the full command output. If long logs are truncated, the report keeps the first and last output so the final error stays visible. If no commands are configured, it writes a report saying nothing was verified.
 
@@ -380,7 +384,7 @@ See `docs/ci-summary.md`.
 ```bash
 agentloop release-notes
 agentloop release-notes --from v0.19.0 --to HEAD
-agentloop release-notes --release-version 0.24.0
+agentloop release-notes --release-version 0.24.2
 agentloop release-notes --json
 agentloop release-notes --write
 ```
@@ -446,7 +450,7 @@ Use `agentloop check-gates --strict` as a review-evidence gate in pull request C
 
 CI-generated verification reports include GitHub Actions provenance when available, so reviewers can trace an artifact back to the workflow run that created it.
 
-See `docs/github-actions.md`, `examples/github-actions/`, `examples/gitlab-ci/`, and `examples/buildkite/` for copy-pasteable workflows. Pin `agentloopkit@0.24.1` or a newer vetted release when reproducibility matters.
+See `docs/github-actions.md`, `examples/github-actions/`, `examples/gitlab-ci/`, and `examples/buildkite/` for copy-pasteable workflows. Pin `agentloopkit@0.24.2` or a newer vetted release when reproducibility matters.
 
 ## PR Summaries
 

package/dist/cli/index.js

@@ -8,7 +8,8 @@ import { Command } from "commander";
 
 // src/core/init.ts
 import path6 from "path";
-import { readdir as readdir3 } from "fs/promises";
+import { readdir as readdir3, realpath } from "fs/promises";
+import { homedir } from "os";
 
 // src/core/constants.ts
 var PACKAGE_NAME = "agentloopkit";
@@ -196,14 +197,20 @@ async function listFilesRecursive(root, options = {}) {
     options.ignore ?? [".git", ".agentloop", "node_modules", "dist", "coverage"]
   );
   const files = [];
-  async function walk(current) {
+  let inspectedEntries = 0;
+  async function walk(current, depth) {
     if (!await pathExists(current)) return;
+    if (options.maxEntries !== void 0 && inspectedEntries >= options.maxEntries) return;
     const entries = await readdir(current, { withFileTypes: true }).catch(() => []);
     for (const entry of entries) {
+      if (options.maxEntries !== void 0 && inspectedEntries >= options.maxEntries) break;
+      inspectedEntries += 1;
       if (ignore.has(entry.name)) continue;
       const absolute = path2.join(current, entry.name);
       if (entry.isDirectory()) {
-        await walk(absolute);
+        if (options.maxDepth === void 0 || depth < options.maxDepth) {
+          await walk(absolute, depth + 1);
+        }
       } else if (entry.isFile()) {
         files.push(absolute);
       }
@@ -211,7 +218,7 @@ async function listFilesRecursive(root, options = {}) {
   }
   const rootStat = await stat(root).catch(() => void 0);
   if (!rootStat?.isDirectory()) return [];
-  await walk(root);
+  await walk(root, 0);
   return files;
 }
 
@@ -247,6 +254,8 @@ var MONOREPO_FILE_MARKERS = [
   "lerna.json",
   "rush.json"
 ];
+var FALLBACK_PROJECT_DETECTION_MAX_DEPTH = 2;
+var FALLBACK_PROJECT_DETECTION_MAX_ENTRIES = 500;
 async function readPackageJson(cwd) {
   const filePath = path4.join(cwd, "package.json");
   if (!await pathExists(filePath)) return void 0;
@@ -267,7 +276,10 @@ async function detectProjectType(cwd) {
   if (await pathExists(path4.join(cwd, "pyproject.toml")) || await pathExists(path4.join(cwd, "requirements.txt"))) {
     return "python";
   }
-  const files = await listFilesRecursive(cwd);
+  const files = await listFilesRecursive(cwd, {
+    maxDepth: FALLBACK_PROJECT_DETECTION_MAX_DEPTH,
+    maxEntries: FALLBACK_PROJECT_DETECTION_MAX_ENTRIES
+  });
   const relativeFiles = files.map((file) => path4.relative(cwd, file));
   const hasCode = relativeFiles.some(
     (file) => /\.(ts|tsx|js|jsx|py|go|rs|java|rb|php|cs)$/.test(file)
@@ -383,6 +395,13 @@ ${section.trim()}
 `);
   result.updated.push(filePath);
 }
+async function resolveComparablePath(filePath) {
+  try {
+    return await realpath(filePath);
+  } catch {
+    return path6.resolve(filePath);
+  }
+}
 async function initializeAgentLoop(options) {
   const result = {
     created: [],
@@ -391,6 +410,16 @@ async function initializeAgentLoop(options) {
     dryRun: Boolean(options.dryRun)
   };
   const cwd = options.cwd;
+  const homeDirectory = options.homeDirectory ?? homedir();
+  const [resolvedCwd, resolvedHomeDirectory] = await Promise.all([
+    resolveComparablePath(cwd),
+    resolveComparablePath(homeDirectory)
+  ]);
+  if (!options.force && resolvedCwd === resolvedHomeDirectory) {
+    throw new Error(
+      "Refusing to initialize your home directory. Run this inside a project repository, or pass --force if you intentionally want AgentLoopKit files in your home directory."
+    );
+  }
   const packageManager = await detectPackageManager(cwd);
   const projectType = await detectProjectType(cwd);
   const projectName = await detectProjectName(cwd);
@@ -473,8 +502,12 @@ var consoleLogger = {
 
 // src/cli/commands/init.ts
 function initCommand() {
-  return new Command("init").description("Initialize AgentLoopKit in the current repository").option("--dry-run", "show planned changes without writing files").option("--json", "print machine-readable output").action(async (options) => {
-    const result = await initializeAgentLoop({ cwd: process.cwd(), dryRun: options.dryRun });
+  return new Command("init").description("Initialize AgentLoopKit in the current repository").option("--dry-run", "show planned changes without writing files").option("--json", "print machine-readable output").option("--force", "allow initialization when the current directory is your home directory").action(async (options) => {
+    const result = await initializeAgentLoop({
+      cwd: process.cwd(),
+      dryRun: options.dryRun,
+      force: options.force
+    });
     if (options.json) {
       consoleLogger.info(JSON.stringify(result, null, 2));
       return;
@@ -821,7 +854,17 @@ ${input.rollbackNotes || "Document how to revert or disable this change."}
 async function createTaskContractFile(options) {
   const createdDate = options.input.createdDate ?? formatDate();
   const relativePath2 = options.out ?? path9.join(options.config.paths.tasksDir, `${createdDate}-${slugify(options.input.title)}.md`);
-  const absolutePath = path9.isAbsolute(relativePath2) ? relativePath2 : path9.join(options.cwd, relativePath2);
+  const absolutePath = path9.isAbsolute(relativePath2) ? path9.resolve(relativePath2) : path9.resolve(options.cwd, relativePath2);
+  const tasksRoot2 = path9.resolve(options.cwd, options.config.paths.tasksDir);
+  const relativeToTasks = path9.relative(tasksRoot2, absolutePath);
+  if (relativeToTasks === "" || relativeToTasks.startsWith("..") || path9.isAbsolute(relativeToTasks)) {
+    throw new AgentLoopError(
+      `Task output path must stay inside ${options.config.paths.tasksDir}.`
+    );
+  }
+  if (!absolutePath.endsWith(".md")) {
+    throw new AgentLoopError("Task output path must be a Markdown file.");
+  }
   const markdown = generateTaskContract({ ...options.input, createdDate });
   await writeTextFile(absolutePath, markdown);
   return { path: absolutePath, markdown };
@@ -1076,10 +1119,16 @@ function isMarkdownTaskPath(taskPath) {
   const segments = normalized.split("/").filter(Boolean);
   return normalized.endsWith(".md") && !segments.some((segment) => segment === ".env" || segment.startsWith(".env."));
 }
-async function renderTaskContext(cwd, taskPath) {
+function isInside(parent, child) {
+  const relative2 = path10.relative(parent, child);
+  return relative2 === "" || !relative2.startsWith("..") && !path10.isAbsolute(relative2);
+}
+async function renderTaskContext(cwd, config, taskPath) {
   if (!taskPath?.trim()) return "";
   const cleanPath = taskPath.trim();
-  if (!isMarkdownTaskPath(cleanPath)) {
+  const absolutePath = path10.isAbsolute(cleanPath) ? path10.resolve(cleanPath) : path10.resolve(cwd, cleanPath);
+  const tasksRoot2 = path10.resolve(cwd, config.paths.tasksDir);
+  if (!isMarkdownTaskPath(cleanPath) || !isInside(tasksRoot2, absolutePath)) {
     return `## Task Context
 - Path: ${cleanPath}
 - Status: unavailable
@@ -1087,7 +1136,6 @@ async function renderTaskContext(cwd, taskPath) {
 
 `;
   }
-  const absolutePath = path10.isAbsolute(cleanPath) ? cleanPath : path10.join(cwd, cleanPath);
   try {
     const markdown = await readFile6(absolutePath, "utf8");
     const metadata = parseTaskMetadata(markdown);
@@ -1146,7 +1194,7 @@ async function runVerification(options) {
   const branch = await getGitBranch(options.cwd);
   const commit = await getGitCommit(options.cwd);
   const status = await getGitStatus(options.cwd);
-  const taskContext = await renderTaskContext(options.cwd, options.taskPath);
+  const taskContext = await renderTaskContext(options.cwd, options.config, options.taskPath);
   const markdown = `# Verification Report
 
 - Timestamp: ${nowIso}
@@ -1252,7 +1300,7 @@ function statePath(cwd, config) {
 function toStoredPath(cwd, absolutePath) {
   return path12.relative(cwd, absolutePath).split(path12.sep).join("/");
 }
-function isInside(parent, child) {
+function isInside2(parent, child) {
   const relative2 = path12.relative(parent, child);
   return relative2 === "" || !relative2.startsWith("..") && !path12.isAbsolute(relative2);
 }
@@ -1281,7 +1329,7 @@ async function resolveTaskPath(options) {
   const absolutePath = path12.isAbsolute(options.taskPath) ? path12.resolve(options.taskPath) : path12.resolve(options.cwd, options.taskPath);
   const root = tasksRoot(options.cwd, options.config);
   const displayRoot = options.config.paths.tasksDir;
-  if (!isInside(root, absolutePath)) {
+  if (!isInside2(root, absolutePath)) {
     if (!options.strict) return void 0;
     throw new AgentLoopError(`Active task must be inside ${displayRoot}.`);
   }