ai-control-center 1.15.2

package/lib/utils/security.js

@@ -0,0 +1,191 @@
+/**
+ * Security Module — credential sanitization, cost guard, route exclusion,
+ * form safety, and agent authority enforcement.
+ */
+
+import { readFileSync, existsSync, appendFileSync } from 'fs';
+import { resolve } from 'path';
+import { getWorkflowDir } from './pipeline.js';
+
+// ─── Route Exclusion ────────────────────────────────────────────────────────
+
+/**
+ * Check if a URL matches any exclusion pattern.
+ * Uses simple glob-style matching (supports * wildcard).
+ */
+export function isExcluded(url, excludePatterns) {
+  if (!excludePatterns || excludePatterns.length === 0) return false;
+
+  let pathname;
+  try {
+    pathname = new URL(url).pathname;
+  } catch {
+    pathname = url;
+  }
+
+  return excludePatterns.some(pattern => {
+    // Convert glob pattern to regex
+    const escaped = pattern
+      .replace(/[.+^${}()|[\]\\]/g, '\\$&')
+      .replace(/\*/g, '.*');
+    return new RegExp(`^${escaped}$`).test(pathname);
+  });
+}
+
+// ─── Form Safety ────────────────────────────────────────────────────────────
+
+/**
+ * Check if a form is safe to submit.
+ * NEVER submit POST forms unless action is in allowedFormActions.
+ */
+export function isFormSafe(action, method, allowedActions = []) {
+  // Never submit forms with dangerous keywords in action
+  if (/delete|remove|destroy|purge|deactivate/i.test(action || '')) {
+    return false;
+  }
+
+  // Never submit POST forms unless whitelisted
+  if ((method || 'GET').toUpperCase() === 'POST') {
+    if (!allowedActions.some(a => (action || '').includes(a))) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
+// ─── Credential Security ────────────────────────────────────────────────────
+
+/**
+ * Credential resolver — loads QA credentials from multiple sources.
+ * Priority: env vars > config file > vault (future)
+ *
+ * NEVER log credentials. NEVER write credentials to reports.
+ * NEVER include credentials in AI prompts.
+ */
+export function resolveCredentials(config) {
+  const envPrefix = config?.envPrefix || 'AICC';
+
+  return {
+    email:    process.env[`${envPrefix}_QA_EMAIL`]    || config?.browserQA?.credentials?.email,
+    password: process.env[`${envPrefix}_QA_PASSWORD`] || config?.browserQA?.credentials?.password,
+    loginUrl: config?.browserQA?.credentials?.loginUrl,
+    loginSelectors: config?.browserQA?.credentials?.loginSelectors,
+  };
+}
+
+/**
+ * Sanitize function — strip credentials from any string before logging/reporting.
+ */
+export function sanitize(text, config) {
+  if (!text) return text;
+
+  const creds = resolveCredentials(config);
+  let cleaned = text;
+  if (creds.email) cleaned = cleaned.replaceAll(creds.email, '[REDACTED_EMAIL]');
+  if (creds.password) cleaned = cleaned.replaceAll(creds.password, '[REDACTED_PASSWORD]');
+
+  // Also strip common env var patterns (API keys, tokens)
+  cleaned = cleaned.replace(/(?:sk_|pk_|ghp_|whsec_|gho_|glpat-)[a-zA-Z0-9_-]+/g, '[REDACTED_TOKEN]');
+
+  return cleaned;
+}
+
+// ─── Cost Guard ─────────────────────────────────────────────────────────────
+
+/**
+ * Cost guard — tracks AI spend per pipeline run.
+ * Pauses pipeline and escalates if spend exceeds threshold.
+ */
+export function getCurrentRunCost() {
+  const costsFile = resolve(getWorkflowDir(), 'costs.jsonl');
+  if (!existsSync(costsFile)) return 0;
+
+  let lines;
+  try {
+    lines = readFileSync(costsFile, 'utf8').trim().split('\n');
+  } catch {
+    return 0;
+  }
+
+  const currentRun = [];
+
+  // Read from bottom — find last "pipeline_start" marker
+  for (let i = lines.length - 1; i >= 0; i--) {
+    try {
+      const entry = JSON.parse(lines[i]);
+      currentRun.push(entry);
+      if (entry.event === 'pipeline_start') {
+        break;
+      }
+    } catch { continue; }
+  }
+
+  return currentRun.reduce((sum, e) => sum + (e.cost_usd || 0), 0);
+}
+
+export function checkCostGuard(config) {
+  const maxCost = config?.costGuard?.maxPerRun || 5.0; // $5 default
+  const current = getCurrentRunCost();
+
+  if (current >= maxCost) {
+    return {
+      exceeded: true,
+      current,
+      max: maxCost,
+      message: `AI spend $${current.toFixed(2)} exceeded limit $${maxCost.toFixed(2)} — escalating to CEO`,
+    };
+  }
+
+  return { exceeded: false, current, max: maxCost };
+}
+
+// ─── Agent Authority ────────────────────────────────────────────────────────
+
+/**
+ * Authority check — ensures agents only do what they're allowed to.
+ * See Decision Authority Matrix in V1 doc.
+ */
+const AUTHORITY = {
+  PM:       { canDeploy: false, canEscalate: true,  canRetry: true,  canCreateIssue: false, canSpendOver5: false },
+  CODER:    { canDeploy: false, canEscalate: false, canRetry: false, canCreateIssue: false, canSpendOver5: false },
+  QA:       { canDeploy: false, canEscalate: true,  canRetry: true,  canCreateIssue: true,  canSpendOver5: false },
+  REVIEWER: { canDeploy: false, canEscalate: true,  canRetry: false, canCreateIssue: false, canSpendOver5: false },
+  DEPLOYER: { canDeploy: true,  canEscalate: true,  canRetry: true,  canCreateIssue: false, canSpendOver5: false },
+};
+
+export function checkAuthority(agent, action) {
+  const perms = AUTHORITY[agent];
+  if (!perms) throw new Error(`Unknown agent: ${agent}`);
+
+  const key = `can${action.charAt(0).toUpperCase() + action.slice(1)}`;
+  if (perms[key] === false) {
+    return { allowed: false, reason: `${agent} is not authorized to ${action}. Requires CEO approval.` };
+  }
+  return { allowed: true };
+}
+
+// ─── Pipeline History ───────────────────────────────────────────────────────
+
+/**
+ * Record a completed pipeline run.
+ */
+export function recordPipelineRun(data) {
+  const historyFile = resolve(getWorkflowDir(), 'pipeline-history.jsonl');
+  const entry = JSON.stringify({
+    ...data,
+    completedAt: new Date().toISOString(),
+  });
+  try {
+    appendFileSync(historyFile, entry + '\n');
+  } catch { /* best effort */ }
+}
+
+// ─── Session Validity ───────────────────────────────────────────────────────
+
+/**
+ * Check if browser session is still valid (not redirected to login page).
+ */
+export function isSessionExpired(currentUrl) {
+  return /login|signin|auth\/(login|signin)|sign-in/i.test(currentUrl);
+}

package/lib/utils/self-healer.js

@@ -0,0 +1,144 @@
+/**
+ * Self-Healing Pipeline — automatically runs tests after implementation
+ * and sends failures back to Copilot for fixing (up to N retries).
+ */
+import { execSync } from 'child_process';
+import { logActivity } from './activity-log.js';
+import { getRootDir } from './pipeline.js';
+
+const DEFAULT_MAX_ATTEMPTS = 3;
+const DEFAULT_TEST_TIMEOUT = 120_000;
+
+/**
+ * Run tests after implementation and attempt self-healing on failure.
+ *
+ * @param {string} featureId
+ * @param {object} config - { selfHeal: { enabled, maxAttempts, testCommand } }
+ * @param {Function} runCopilotFn - async (prompt, opts) => string
+ * @returns {{ success: boolean, attempts: number, errors: string[] }}
+ */
+export async function postImplValidation(featureId, config, runCopilotFn) {
+  const selfHeal = config?.selfHeal || {};
+  if (selfHeal.enabled === false) {
+    return { success: true, attempts: 0, errors: [], skipped: true };
+  }
+
+  const testCommand = selfHeal.testCommand || 'npm test';
+  const maxAttempts = selfHeal.maxAttempts || DEFAULT_MAX_ATTEMPTS;
+  const timeout = selfHeal.testTimeout || DEFAULT_TEST_TIMEOUT;
+  const root = getRootDir();
+  const errors = [];
+
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    logActivity('PIPELINE', `Self-heal: running tests (attempt ${attempt}/${maxAttempts})`, 'info');
+
+    try {
+      execSync(testCommand, {
+        cwd: root,
+        encoding: 'utf8',
+        timeout,
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+
+      logActivity('PIPELINE', `Self-heal: all tests pass after ${attempt} attempt(s)`, 'success');
+      return { success: true, attempts: attempt, errors };
+    } catch (err) {
+      const stderr = err.stderr || '';
+      const stdout = err.stdout || '';
+      const errorOutput = (stderr + '\n' + stdout).trim().slice(0, 5000);
+      errors.push(errorOutput);
+
+      logActivity('PIPELINE', `Self-heal: tests failed (attempt ${attempt}/${maxAttempts}) — ${errorOutput.split('\n')[0]}`, 'warn');
+
+      if (attempt < maxAttempts && runCopilotFn) {
+        const healPrompt =
+          `The following test failures occurred after implementing feature ${featureId}.\n` +
+          `Fix ONLY the test failures. Do NOT break existing functionality.\n` +
+          `Do NOT rewrite tests to make them pass — fix the actual code.\n\n` +
+          `Test command: ${testCommand}\n\n` +
+          `Error output:\n\`\`\`\n${errorOutput}\n\`\`\``;
+
+        try {
+          await runCopilotFn(healPrompt, {
+            featureId,
+            stage: 'self-heal',
+            sessionResume: true,
+          });
+        } catch (healErr) {
+          logActivity('PIPELINE', `Self-heal: Copilot fix attempt failed — ${healErr.message}`, 'error');
+        }
+      }
+    }
+  }
+
+  logActivity('PIPELINE', `Self-heal: exhausted ${maxAttempts} attempts — proceeding with test failures`, 'error');
+  return { success: false, attempts: maxAttempts, errors };
+}
+
+/**
+ * Check whether the test command is available and runs without hanging.
+ */
+export function isTestCommandAvailable(config) {
+  const testCommand = config?.selfHeal?.testCommand || 'npm test';
+  const root = getRootDir();
+  try {
+    const cmd = testCommand.split(' ')[0];
+    execSync(`which ${cmd} 2>/dev/null || where ${cmd} 2>/dev/null`, {
+      cwd: root,
+      encoding: 'utf8',
+      timeout: 5000,
+      stdio: 'pipe',
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Post-implementation browser QA validation.
+ * Runs browser tests after implementation and attempts self-healing on failure.
+ * Call this AFTER postImplValidation() if browserQA is enabled.
+ */
+export async function postImplBrowserValidation(featureId, config) {
+  if (!config?.browserQA?.enabled) {
+    return { success: true, skipped: true, reason: 'browserQA disabled' };
+  }
+
+  const { browserTestAction } = await import('../actions/browser-test.js');
+  const maxAttempts = config.browserQA?.maxBugfixCycles || 3;
+  const errors = [];
+
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    logActivity('SELF-HEAL', `Browser QA validation attempt ${attempt}/${maxAttempts}`, 'info');
+
+    const result = await browserTestAction({ featureId, config });
+
+    if (result.success || result.skipped) {
+      logActivity('SELF-HEAL', `Browser QA passed on attempt ${attempt}`, 'success');
+      return { success: true, attempts: attempt, errors };
+    }
+
+    errors.push(`Attempt ${attempt}: ${result.failCount} page(s) failed`);
+
+    if (attempt < maxAttempts && result.report) {
+      const { runCopilot } = await import('./runner.js');
+      const fixPrompt = buildBrowserFixPrompt(result.report, featureId);
+      await runCopilot(fixPrompt, { featureId, stage: 'browser-heal' }).catch(() => {});
+    }
+  }
+
+  logActivity('SELF-HEAL', `Browser QA failed after ${maxAttempts} attempts`, 'error');
+  return { success: false, attempts: maxAttempts, errors };
+}
+
+function buildBrowserFixPrompt(qaReport, featureId) {
+  return (
+    `Browser QA tests failed after implementing feature ${featureId}.\n` +
+    `Fix the following browser errors without breaking other pages.\n\n` +
+    `Failed pages:\n` +
+    qaReport.failed.map(f =>
+      `- ${f.url}\n  Errors: ${f.errors.join('; ')}`
+    ).join('\n')
+  );
+}

package/lib/utils/skill-loader.js

@@ -0,0 +1,255 @@
+import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, copyFileSync } from 'fs';
+import { resolve, join, basename, dirname } from 'path';
+import { homedir } from 'os';
+import { fileURLToPath } from 'url';
+import { getRootDir, getWorkflowDir } from './pipeline.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+const VALID_STAGES = ['capture', 'spec', 'arch', 'impl', 'review', 'all'];
+let _skillsEnsured = false;
+
+function getProjectSkillsDir() {
+  return join(getWorkflowDir(), 'skills');
+}
+
+/**
+ * Ensure pipeline skills exist in .ai-workflow/skills/.
+ * Auto-generates from templates on first call if directory is empty.
+ * This guarantees skills are available even if user never ran `aicc start` or `aicc openclaw`.
+ */
+function ensureSkills() {
+  if (_skillsEnsured) return;
+  _skillsEnsured = true;
+
+  const dir = getProjectSkillsDir();
+  // If skills directory already has .md files, nothing to do
+  if (existsSync(dir)) {
+    try {
+      const files = readdirSync(dir).filter(f => f.endsWith('.md'));
+      if (files.length > 0) return;
+    } catch { /* fall through to generate */ }
+  }
+
+  // Auto-generate skills from templates
+  try {
+    // Locate templates relative to this file (lib/utils/ → ../../templates/)
+    const templateDir = resolve(__dirname, '../../templates');
+    if (!existsSync(templateDir)) return; // Not in package context
+
+    // Minimal template vars — read project name from aicc.config.js
+    const root = getRootDir();
+    const configPath = join(root, 'aicc.config.js');
+    let projectName = 'project';
+    let projectDesc = '';
+    if (existsSync(configPath)) {
+      const raw = readFileSync(configPath, 'utf-8');
+      const nameMatch = raw.match(/name\s*:\s*['"]([^'"]+)['"]/);
+      if (nameMatch) projectName = nameMatch[1];
+      const descMatch = raw.match(/description\s*:\s*['"]([^'"]+)['"]/);
+      if (descMatch) projectDesc = descMatch[1];
+    }
+
+    const vars = {
+      PROJECT_NAME: projectName,
+      DESCRIPTION: projectDesc || `AI Control Center for ${projectName}`,
+      PROJECT_ROOT: root,
+      PROJECT_DESCRIPTION: projectDesc || `AI Control Center for ${projectName}`,
+      STAGES: '',
+      QUERIES: '_No custom queries configured._',
+      WORKFLOW_DIR: getWorkflowDir(),
+      EXTRA_COMMANDS: '',
+    };
+
+    mkdirSync(dir, { recursive: true });
+
+    const STAGE_TEMPLATES = [
+      { template: 'skill-pm-spec.md',     output: 'SKILL-pm-spec.md',     stage: 'spec' },
+      { template: 'skill-architect.md',    output: 'SKILL-architect.md',   stage: 'arch' },
+      { template: 'skill-implement.md',    output: 'SKILL-implement.md',   stage: 'impl' },
+      { template: 'skill-review.md',       output: 'SKILL-review.md',      stage: 'review' },
+      { template: 'skill-requirement-capture.md', output: 'SKILL-requirement-capture.md', stage: 'capture' },
+    ];
+
+    for (const def of STAGE_TEMPLATES) {
+      const tplPath = resolve(templateDir, def.template);
+      if (!existsSync(tplPath)) continue;
+      let content = readFileSync(tplPath, 'utf-8');
+      for (const [key, value] of Object.entries(vars)) {
+        content = content.replace(new RegExp(`\\{\\{${key}\\}\\}`, 'g'), value);
+      }
+      writeFileSync(join(dir, def.output), content);
+    }
+  } catch {
+    // Non-fatal — pipeline works without skills
+  }
+}
+
+/**
+ * Get the OpenClaw skills directory for the current project.
+ * Reads project name from aicc.config.js at project root to find
+ * ~/.openclaw/skills/<project-slug>/
+ */
+function getOpenClawSkillsDir() {
+  try {
+    // Read project name from aicc.config.js without importing config module
+    // to avoid circular dependencies. We just need the name field.
+    const root = getRootDir();
+    const configPath = join(root, 'aicc.config.js');
+    if (existsSync(configPath)) {
+      const raw = readFileSync(configPath, 'utf-8');
+      // Extract name from: name: 'ProjectName' or name: "ProjectName"
+      const nameMatch = raw.match(/name\s*:\s*['"]([^'"]+)['"]/);
+      if (nameMatch) {
+        const slug = nameMatch[1]
+          .toLowerCase()
+          .replace(/[^a-z0-9]+/g, '-')
+          .replace(/^-|-$/g, '');
+        const dir = join(homedir(), '.openclaw', 'skills', slug);
+        if (existsSync(dir)) return dir;
+      }
+    }
+  } catch {
+    // Not in a project, or config not parseable
+  }
+  return null;
+}
+
+function getGlobalSkillsDir() {
+  return join(homedir(), '.aicc', 'skills');
+}
+
+/**
+ * Parse frontmatter and body from a SKILL.md file.
+ * Expects --- delimited YAML-style frontmatter.
+ */
+function parseSkillFile(filePath) {
+  const raw = readFileSync(filePath, 'utf-8');
+  const meta = { name: '', stage: 'all', description: '', tags: [] };
+  let body = raw;
+
+  const fmMatch = raw.match(/^---\s*\n([\s\S]*?)\n---\s*\n([\s\S]*)$/);
+  if (fmMatch) {
+    const frontmatter = fmMatch[1];
+    body = fmMatch[2];
+
+    for (const line of frontmatter.split('\n')) {
+      const m = line.match(/^(\w+):\s*(.+)$/);
+      if (!m) continue;
+      const [, key, value] = m;
+      if (key === 'name') meta.name = value.trim();
+      else if (key === 'stage') meta.stage = value.trim();
+      else if (key === 'description') meta.description = value.trim();
+      else if (key === 'tags') meta.tags = value.split(',').map(t => t.trim()).filter(Boolean);
+    }
+  }
+
+  if (!meta.name) {
+    meta.name = basename(filePath, '.md');
+  }
+
+  return { ...meta, content: body.trim(), path: filePath };
+}
+
+/**
+ * Discover and parse all available skills from project and global directories.
+ * @returns {Array<{name: string, stage: string, description: string, tags: string[], content: string, path: string}>}
+ */
+export function loadSkills() {
+  // Auto-generate skills from templates if .ai-workflow/skills/ is empty
+  ensureSkills();
+
+  const skills = [];
+  const seen = new Set();
+
+  // Priority order: project-local > OpenClaw project skills > global
+  const openclawDir = getOpenClawSkillsDir();
+  const dirs = [
+    getProjectSkillsDir(),      // 1. .ai-workflow/skills/ (highest priority)
+    openclawDir,                // 2. ~/.openclaw/skills/<project-slug>/
+    getGlobalSkillsDir(),       // 3. ~/.aicc/skills/ (global fallback)
+  ];
+  for (const dir of dirs) {
+    if (!dir || !existsSync(dir)) continue;
+    const files = readdirSync(dir).filter(f => f.endsWith('.md'));
+    for (const file of files) {
+      try {
+        const skill = parseSkillFile(join(dir, file));
+        if (!seen.has(skill.name)) {
+          seen.add(skill.name);
+          skills.push(skill);
+        }
+      } catch {
+        // Skip unparseable skill files
+      }
+    }
+  }
+
+  return skills;
+}
+
+/**
+ * Return skills filtered for a specific pipeline stage.
+ * @param {string} stage - One of: spec, arch, impl, review
+ * @returns {Array} Skills matching the stage or scoped to 'all'
+ */
+export function getSkillsForStage(stage) {
+  return loadSkills().filter(s => s.stage === stage || s.stage === 'all');
+}
+
+/**
+ * Append matching skill content to a prompt string.
+ * @param {string} prompt - The base prompt
+ * @param {string} stage - Pipeline stage to filter skills by
+ * @returns {string} Prompt with skill content appended
+ */
+export function injectSkills(prompt, stage) {
+  const skills = getSkillsForStage(stage);
+  if (skills.length === 0) return prompt;
+
+  const sections = skills.map(s => `## Skill: ${s.name}\n${s.content}`);
+  return `${prompt}\n\n${sections.join('\n\n')}`;
+}
+
+/**
+ * Download/copy a skill from a URL or local path to the project skills directory.
+ * @param {string} source - URL (http/https) or local file path
+ * @returns {Promise<{name: string, path: string}>} Installed skill info
+ */
+export async function installSkill(source) {
+  const dir = getProjectSkillsDir();
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+
+  if (source.startsWith('http://') || source.startsWith('https://')) {
+    const res = await fetch(source);
+    if (!res.ok) throw new Error(`Failed to download skill: ${res.statusText}`);
+    const content = await res.text();
+    const filename = basename(new URL(source).pathname) || 'skill.md';
+    const dest = join(dir, filename);
+    writeFileSync(dest, content, 'utf-8');
+    const skill = parseSkillFile(dest);
+    return { name: skill.name, path: dest };
+  }
+
+  const srcPath = resolve(source);
+  if (!existsSync(srcPath)) throw new Error(`Skill file not found: ${srcPath}`);
+  const filename = basename(srcPath);
+  const dest = join(dir, filename);
+  copyFileSync(srcPath, dest);
+  const skill = parseSkillFile(dest);
+  return { name: skill.name, path: dest };
+}
+
+/**
+ * Return a formatted list of all available skills.
+ * @returns {Array<{name: string, stage: string, description: string}>}
+ */
+export function listSkills() {
+  return loadSkills().map(s => ({
+    name: s.name,
+    stage: s.stage,
+    description: s.description,
+  }));
+}