aiden-runtime 4.1.0 → 4.1.2

package/dist/cli/v4/doctorLiveness.js

@@ -0,0 +1,384 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * cli/v4/doctorLiveness.ts — Phase v4.1.1-oauth-fix Phase 4.
+ *
+ * `aiden doctor --providers` deep-mode helper. Pings every configured /
+ * authed provider with a minimal request, reports green / red / skipped
+ * + per-provider latency + verbatim upstream error message.
+ *
+ * Why a separate file:
+ *   - Default doctor (`aiden doctor` with no flag) stays unchanged and
+ *     fast — config-shape checks only.
+ *   - `--providers` is opt-in. When the user types it we extend the
+ *     report with one liveness row per probe, then render a summary
+ *     line at the bottom.
+ *   - Tool-catalog validation is deliberately OUT of scope. The
+ *     probe ships ONE hardcoded no-op tool (`probe_noop`) so the
+ *     Codex backend accepts the request (it rejects empty `tools`),
+ *     while user-registered tool schemas stay un-validated here. The
+ *     eval-harness / registration-time schema validator (v4.1.1
+ *     main) is the right home for that concern.
+ *
+ * Trust artifact:
+ *   - On failure we surface `err.message` VERBATIM (truncated to 200
+ *     chars). Phase 3 (`providers/v4/errors.ts`) already composes the
+ *     upstream response body into ProviderError.message — so a 400
+ *     prints the actual OpenAI reason, not a generic "provider failed."
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pickProbeModel = pickProbeModel;
+exports.enumerateConfiguredProviders = enumerateConfiguredProviders;
+exports.checkProviderLiveness = checkProviderLiveness;
+exports.runProviderLiveness = runProviderLiveness;
+exports.renderProviderLivenessSection = renderProviderLivenessSection;
+const registry_1 = require("../../providers/v4/registry");
+const runtimeResolver_1 = require("../../providers/v4/runtimeResolver");
+const credentialResolver_1 = require("../../providers/v4/credentialResolver");
+const tokenStore_1 = require("../../core/v4/auth/tokenStore");
+const DEFAULT_LIVENESS_TIMEOUT_MS = 8000;
+const PROBE_MAX_TOKENS = 4;
+const ERROR_TRUNCATE_CHARS = 200;
+const OLLAMA_PROBE_TIMEOUT_MS = 1500;
+const OLLAMA_HEALTH_URL = 'http://127.0.0.1:11434/api/tags';
+// ── Helpers ─────────────────────────────────────────────────────────────
+/**
+ * Truncate a long error string for display. The full error remains on
+ * the in-memory `LivenessResult.error` for programmatic consumers /
+ * test assertions.
+ */
+function truncate(s, max = ERROR_TRUNCATE_CHARS) {
+    if (s.length <= max)
+        return s;
+    return `${s.slice(0, max - 1)}…`;
+}
+/**
+ * Phase v4.1.2-slice5: pick a probe-safe model id from the registry.
+ *
+ * Some providers list model slugs that only work for enterprise / CLI
+ * accounts. ChatGPT Plus is the canonical case: the registry's
+ * `modelIds[0]` is `gpt-5.1-codex-max`, which is rejected by the
+ * subscription-account Codex backend with
+ * `"The 'gpt-5.1-codex-max' model is not supported when using Codex
+ * with a ChatGPT account."` — even though real REPL chat on the same
+ * account works because the user has selected a non-Codex slug
+ * (`gpt-5.5`).
+ *
+ * Heuristic: skip any slug containing `-codex` (covers `-codex-max`,
+ * `-codex-mini`, plain `-codex` suffix variants). Falls back to
+ * `modelIds[0]` if every slug is Codex-flavoured. No provider id
+ * special-casing — the heuristic is shape-based so future-similar
+ * providers benefit too.
+ */
+function pickProbeModel(entry) {
+    const safe = entry.modelIds.find((m) => !m.includes('-codex'));
+    return safe ?? entry.modelIds[0] ?? '';
+}
+/**
+ * Wrap a promise with a hard timeout. Resolves to the inner result on
+ * success, throws a clearly-labelled `Error` on timeout. Cleans up the
+ * timer either way.
+ */
+async function withTimeout(p, ms, label) {
+    let timer;
+    try {
+        return await Promise.race([
+            p,
+            new Promise((_, reject) => {
+                timer = setTimeout(() => reject(new Error(`${label}: timeout after ${ms}ms`)), ms);
+            }),
+        ]);
+    }
+    finally {
+        if (timer)
+            clearTimeout(timer);
+    }
+}
+/**
+ * Decide whether a provider counts as "configured" for liveness purposes.
+ * Three paths:
+ *   1. API key in env (`apiKeyEnvVar` set and the env var is non-empty).
+ *   2. OAuth (entry.oauth present and a non-expired token sits in the
+ *      tokenStore at <paths.root>/auth/<providerId>.json).
+ *   3. Local providers (ollama) — probed via a quick HTTP health check.
+ *
+ * Anything else is `configured: false` and gets a `skip_reason`.
+ */
+async function enumerateConfiguredProviders(opts) {
+    const env = opts.env ?? process.env;
+    const fetchImpl = opts.fetchImpl ?? fetch;
+    const out = [];
+    for (const entry of Object.values(registry_1.PROVIDER_REGISTRY)) {
+        // Every provider needs at least one model to probe against.
+        const model = pickProbeModel(entry);
+        if (!model) {
+            out.push({
+                entry,
+                model: '',
+                configured: false,
+                reason: 'no models declared in registry',
+            });
+            continue;
+        }
+        // 1. API-key providers.
+        if (entry.apiKeyEnvVar) {
+            const value = env[entry.apiKeyEnvVar];
+            if (value && value.length > 0) {
+                out.push({ entry, model, configured: true });
+            }
+            else {
+                out.push({
+                    entry,
+                    model,
+                    configured: false,
+                    reason: `env ${entry.apiKeyEnvVar} not set`,
+                });
+            }
+            continue;
+        }
+        // 2. OAuth providers — check tokenStore.
+        if (entry.oauth) {
+            try {
+                const tokens = await (0, tokenStore_1.loadTokens)(opts.paths, entry.oauth.providerId);
+                if (tokens && tokens.accessToken) {
+                    if ((0, tokenStore_1.isExpired)(tokens, tokenStore_1.PREFLIGHT_REFRESH_WINDOW_MS)) {
+                        out.push({
+                            entry,
+                            model,
+                            configured: false,
+                            reason: 'OAuth token expired — run `/auth refresh` or `/auth login`',
+                        });
+                    }
+                    else {
+                        out.push({ entry, model, configured: true });
+                    }
+                }
+                else {
+                    out.push({
+                        entry,
+                        model,
+                        configured: false,
+                        reason: 'no OAuth token — run `/auth login`',
+                    });
+                }
+            }
+            catch (err) {
+                out.push({
+                    entry,
+                    model,
+                    configured: false,
+                    reason: `tokenStore read failed: ${err.message}`,
+                });
+            }
+            continue;
+        }
+        // 3. Local / no-credential providers (ollama). Configured = the
+        // local daemon answers a health probe.
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), OLLAMA_PROBE_TIMEOUT_MS);
+        try {
+            const res = await fetchImpl(OLLAMA_HEALTH_URL, { signal: controller.signal });
+            if (res.ok) {
+                out.push({ entry, model, configured: true });
+            }
+            else {
+                out.push({
+                    entry,
+                    model,
+                    configured: false,
+                    reason: `local daemon HTTP ${res.status}`,
+                });
+            }
+        }
+        catch (err) {
+            out.push({
+                entry,
+                model,
+                configured: false,
+                reason: `not running on ${OLLAMA_HEALTH_URL}`,
+            });
+        }
+        finally {
+            clearTimeout(timer);
+        }
+    }
+    return out;
+}
+/**
+ * Probe one provider/model pair via a minimal `adapter.call()`. Returns
+ * a structured result; never throws.
+ *
+ * On failure, `result.error` is `err.message` verbatim truncated to
+ * 200 chars. Phase v4.1.1-oauth-fix Phase 3 made `ProviderError.message`
+ * carry the upstream response body, so a 400 surfaces the actual
+ * reason (e.g. "Invalid schema for function 'subagent_fanout': …").
+ */
+async function checkProviderLiveness(provider, model, adapter, opts) {
+    const timeoutMs = opts?.timeoutMs ?? DEFAULT_LIVENESS_TIMEOUT_MS;
+    const start = Date.now();
+    // Liveness probes "is this provider reachable + authenticated?".
+    // Tool-catalog validation is a separate concern (eval harness,
+    // v4.1.1 main).
+    //
+    // Phase v4.1.2-slice5: the probe used to send `messages: [user]`
+    // only, with `tools: []`. That body 400s against the Codex backend
+    // for two reasons:
+    //   1. No system message → empty `instructions` field in the wire
+    //      body. Codex rejects requests without `instructions` (same
+    //      root cause as the eval-runner fix in 6535d531).
+    //   2. Empty tools array → the codex adapter omits `tools`,
+    //      `tool_choice`, `parallel_tool_calls` from the wire body
+    //      entirely. The Codex backend treats this as malformed.
+    //
+    // Fix: add a minimal one-line system message (collapses into
+    // `instructions`) and one hand-crafted no-op tool. The probe tool
+    // is hardcoded with a conservative JSON Schema
+    // (`additionalProperties: false`) so strict validators accept it.
+    // The "one bad tool schema false-reds everyone" concern from the
+    // pre-slice5 comment applied to USER tools; this tool is internal.
+    const input = {
+        messages: [
+            {
+                role: 'system',
+                content: 'You are an availability probe. Respond with a single word.',
+            },
+            { role: 'user', content: 'ping' },
+        ],
+        tools: [
+            {
+                name: 'probe_noop',
+                description: 'Probe placeholder. Do not call — the probe ignores any tool calls.',
+                inputSchema: {
+                    type: 'object',
+                    properties: {},
+                },
+            },
+        ],
+        maxTokens: PROBE_MAX_TOKENS,
+    };
+    try {
+        await withTimeout(adapter.call(input), timeoutMs, `liveness ${provider}`);
+        return {
+            provider,
+            model,
+            status: 'green',
+            latency_ms: Date.now() - start,
+        };
+    }
+    catch (err) {
+        const raw = err instanceof Error ? err.message : String(err);
+        return {
+            provider,
+            model,
+            status: 'red',
+            latency_ms: Date.now() - start,
+            error: truncate(raw),
+        };
+    }
+}
+/**
+ * Run liveness probes against every provider returned by
+ * `enumerateConfiguredProviders`. Unconfigured providers come back as
+ * `status: 'skipped'` without any network traffic.
+ *
+ * Returns `{ results, summary }`. Summary tallies + a wall-clock total
+ * so the UI can print "X green · Y red · Z skipped · NNNms total".
+ */
+async function runProviderLiveness(opts) {
+    const start = Date.now();
+    const parallel = opts.parallel ?? true;
+    const resolver = opts.resolverImpl ?? new runtimeResolver_1.RuntimeResolver(new credentialResolver_1.CredentialResolver(opts.paths.authJson));
+    const configured = await enumerateConfiguredProviders({
+        paths: opts.paths,
+        env: opts.env,
+        fetchImpl: opts.fetchImpl,
+    });
+    const probe = async (c) => {
+        if (!c.configured) {
+            return {
+                provider: c.entry.id,
+                status: 'skipped',
+                latency_ms: 0,
+                skip_reason: c.reason ?? 'not configured',
+            };
+        }
+        try {
+            const adapter = await resolver.resolve({
+                providerId: c.entry.id,
+                modelId: c.model,
+                paths: opts.paths,
+            });
+            return await checkProviderLiveness(c.entry.id, c.model, adapter, { timeoutMs: opts.timeoutMs });
+        }
+        catch (err) {
+            // Resolve failure (missing credential, unknown model, etc.).
+            // Same surface treatment as a probe failure.
+            const raw = err instanceof Error ? err.message : String(err);
+            return {
+                provider: c.entry.id,
+                model: c.model,
+                status: 'red',
+                latency_ms: 0,
+                error: truncate(raw),
+            };
+        }
+    };
+    const results = parallel
+        ? await Promise.all(configured.map(probe))
+        : await runSequential(configured.map((c) => () => probe(c)));
+    const summary = {
+        green: results.filter((r) => r.status === 'green').length,
+        red: results.filter((r) => r.status === 'red').length,
+        skipped: results.filter((r) => r.status === 'skipped').length,
+        total_ms: Date.now() - start,
+    };
+    return { results, summary };
+}
+async function runSequential(thunks) {
+    const out = [];
+    for (const t of thunks)
+        out.push(await t());
+    return out;
+}
+/**
+ * Render the liveness section as plain-text rows. The doctor command
+ * prints this BELOW the standard health box so the default `aiden doctor`
+ * output stays byte-identical.
+ *
+ * Visual style matches the existing doctor rows (✓ / ✗ / -) but lays
+ * out as a tabular block rather than a box — the rows can be long
+ * (upstream error bodies) and forcing them into the 100-col box would
+ * truncate the diagnostic that's the whole point of the feature.
+ */
+function renderProviderLivenessSection(results, summary) {
+    const nameWidth = Math.max(8, ...results.map((r) => r.provider.length));
+    const lines = [];
+    lines.push('');
+    lines.push('  Provider liveness (deep check)');
+    lines.push(`  ${'─'.repeat(60)}`);
+    for (const r of results) {
+        const icon = r.status === 'green' ? '✓'
+            : r.status === 'red' ? '✗'
+                : '-';
+        const name = r.provider.padEnd(nameWidth);
+        const status = r.status === 'green' ? 'green'.padEnd(8)
+            : r.status === 'red' ? 'red  '.padEnd(8)
+                : 'skip '.padEnd(8);
+        const latency = r.latency_ms > 0
+            ? `${r.latency_ms}ms`.padEnd(8)
+            : ''.padEnd(8);
+        const tail = r.status === 'green' ? (r.model ?? '')
+            : r.status === 'red' ? (r.error ?? 'unknown error')
+                : (r.skip_reason ?? 'not configured');
+        lines.push(`  ${icon} ${name}  ${status}${latency}${tail}`);
+    }
+    lines.push(`  ${'─'.repeat(60)}`);
+    lines.push(`  ${summary.green} green · ${summary.red} red · ${summary.skipped} skipped · ${summary.total_ms}ms total`);
+    lines.push('');
+    return lines.join('\n');
+}

package/dist/cli/v4/promotionPrompt.js

@@ -0,0 +1,202 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * cli/v4/promotionPrompt.ts — Phase v4.1.2-memory-D.
+ *
+ * REPL-side glue for the durable-facts promotion flow:
+ *   - `parsePromotionInput(raw, count)`  — pure: parse user reply into
+ *                                          a 0-indexed array of approved
+ *                                          candidate indices.
+ *   - `formatCandidateList(candidates)`  — pure: render the prompt body
+ *                                          the user sees.
+ *   - `promptForApproval(api, ...)`      — drives the prompt loop;
+ *                                          re-prompts ONCE on garbage,
+ *                                          then defaults to skip.
+ *   - `writeApprovedDurableFacts(...)`   — append approved candidates
+ *                                          to MEMORY.md `## Durable facts`
+ *                                          via MemoryGuard.replaceSection.
+ *
+ * Input grammar (per Phase D's Q3):
+ *   - "all"                  → every shown candidate
+ *   - "none" / "skip" / ""   → none
+ *   - "1,3"                  → 0-indexed 0 and 2
+ *   - "1-3"                  → 0-indexed 0, 1, 2 (inclusive range)
+ *   - "1, 3-5"               → mixed; whitespace tolerated
+ *   - Anything unparseable   → re-prompt once, then default skip
+ *
+ * The function intentionally keeps the parser pure so unit tests
+ * don't have to drive a prompt API. The prompt-loop function wires
+ * the parser to the existing `ChatPromptApi.readLine`.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parsePromotionInput = parsePromotionInput;
+exports.formatCandidateList = formatCandidateList;
+exports.promptForApproval = promptForApproval;
+exports.buildDurableFactsBody = buildDurableFactsBody;
+exports.readExistingDurableFactsBody = readExistingDurableFactsBody;
+exports.writeApprovedDurableFacts = writeApprovedDurableFacts;
+// ── Parser ────────────────────────────────────────────────────────────────
+/**
+ * Parse a user reply into the set of approved candidate indices
+ * (0-indexed). Returns `null` to signal "unparseable input — re-prompt
+ * once" so callers can distinguish "explicit skip" (empty array) from
+ * "garbage typed".
+ *
+ * Pure, deterministic; safe for unit tests.
+ */
+function parsePromotionInput(raw, count) {
+    const trimmed = raw.trim().toLowerCase();
+    if (trimmed === '' || trimmed === 'none' || trimmed === 'skip')
+        return [];
+    if (trimmed === 'all') {
+        return Array.from({ length: count }, (_, i) => i);
+    }
+    const out = new Set();
+    let sawAnyValid = false;
+    // Tolerate "1, 3-5 ,7"  with mixed whitespace.
+    for (const token of trimmed.split(',')) {
+        const piece = token.trim();
+        if (!piece)
+            continue;
+        const range = piece.match(/^(\d+)\s*-\s*(\d+)$/);
+        if (range) {
+            const start = Number.parseInt(range[1], 10);
+            const end = Number.parseInt(range[2], 10);
+            if (!Number.isFinite(start) || !Number.isFinite(end))
+                continue;
+            const [lo, hi] = start <= end ? [start, end] : [end, start];
+            for (let n = lo; n <= hi; n += 1) {
+                if (n >= 1 && n <= count) {
+                    out.add(n - 1);
+                    sawAnyValid = true;
+                }
+            }
+            continue;
+        }
+        const single = piece.match(/^\d+$/);
+        if (single) {
+            const n = Number.parseInt(piece, 10);
+            if (n >= 1 && n <= count) {
+                out.add(n - 1);
+                sawAnyValid = true;
+            }
+            continue;
+        }
+        // Non-numeric token alongside others — treat the WHOLE input as
+        // unparseable so the user gets one re-prompt instead of a silent
+        // partial selection.
+        return null;
+    }
+    if (!sawAnyValid)
+        return []; // numbers given but all out of range
+    return [...out].sort((a, b) => a - b);
+}
+// ── Renderer ──────────────────────────────────────────────────────────────
+/**
+ * Build the text the user sees. Pure — caller writes this to display.
+ */
+function formatCandidateList(candidates) {
+    const lines = [];
+    lines.push(`${candidates.length} thing${candidates.length === 1 ? '' : 's'} worth remembering this session. Promote which?`);
+    lines.push('');
+    for (let i = 0; i < candidates.length; i += 1) {
+        const c = candidates[i];
+        const sourceTag = c.source === 'explicit' ? '[user said]'
+            : c.source === 'decision' ? '[decision]'
+                : '[open item]';
+        lines.push(`  [${i + 1}] ${sourceTag} ${c.text}`);
+    }
+    lines.push('');
+    lines.push('Reply: numbers to approve (e.g. "1,3" or "1-3"), "all", or skip.');
+    return lines.join('\n');
+}
+/**
+ * Drive the approval prompt. Renders the candidate list, reads ONE
+ * line, parses, returns approved Candidate[]. On unparseable input
+ * re-prompts ONCE; second failure defaults to skip with a dim line
+ * explaining why nothing was promoted.
+ *
+ * No mid-session state leakage — purely a session-end interaction.
+ */
+async function promptForApproval(api, display, candidates) {
+    if (candidates.length === 0)
+        return [];
+    display.write('\n' + formatCandidateList(candidates) + '\n');
+    for (let attempt = 0; attempt < 2; attempt += 1) {
+        const raw = await api.readLine('Promote > ');
+        const parsed = parsePromotionInput(raw, candidates.length);
+        if (parsed !== null) {
+            if (parsed.length === 0) {
+                display.dim('Nothing promoted to durable facts.');
+                return [];
+            }
+            return parsed.map((i) => candidates[i]);
+        }
+        if (attempt === 0) {
+            display.warn('Could not parse input. Use numbers ("1,3"), ranges ("1-3"), "all", or "skip".');
+        }
+    }
+    display.dim('Skipped: input still unparseable. Nothing promoted to durable facts.');
+    return [];
+}
+// ── Persistence ───────────────────────────────────────────────────────────
+const DURABLE_FACTS_HEADER = '## Durable facts';
+/**
+ * Render the section body for `## Durable facts` by combining existing
+ * entries with newly-approved candidates. Newest at the BOTTOM so
+ * read order reflects when each fact landed — matches how users scan
+ * MEMORY.md.
+ *
+ * Pure — caller passes existing body (extracted via the same regex
+ * pattern MemoryGuard uses in replaceSection).
+ */
+function buildDurableFactsBody(existingBody, approved) {
+    const existingLines = existingBody
+        .split('\n')
+        .map((l) => l.trim())
+        .filter((l) => l.length > 0);
+    const newLines = approved.map((c) => `- ${c.text}`);
+    return [...existingLines, ...newLines].join('\n');
+}
+/**
+ * Read the current `## Durable facts` body from MEMORY.md (returns
+ * empty string when the section doesn't yet exist). Mirrors the
+ * regex pattern MemoryGuard.replaceSection uses.
+ */
+async function readExistingDurableFactsBody(memoryManager) {
+    const snap = await memoryManager.loadSnapshot();
+    const md = snap.memoryMd ?? '';
+    const headerEscaped = DURABLE_FACTS_HEADER.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const sectionRe = new RegExp(`${headerEscaped}[^\\n]*\\n([\\s\\S]*?)(?=\\n## |$)`);
+    const m = md.match(sectionRe);
+    return m ? (m[1] ?? '').trim() : '';
+}
+/**
+ * Persist the approved candidates. Reads existing body (so a second
+ * session-end appends rather than overwrites), folds in new lines,
+ * and writes via MemoryGuard.replaceSection — which handles
+ * verify-on-disk + section auto-creation.
+ *
+ * Returns the GuardedResult so the caller can dim-log success or
+ * warn on a failed verify.
+ */
+async function writeApprovedDurableFacts(memoryManager, memoryGuard, approved) {
+    if (approved.length === 0) {
+        return { ok: true, verified: true, entryCount: 0 };
+    }
+    const existingBody = await readExistingDurableFactsBody(memoryManager);
+    const newBody = buildDurableFactsBody(existingBody, approved);
+    const entryCount = newBody.split('\n').filter((l) => l.trim().length > 0).length;
+    const result = await memoryGuard.replaceSection('memory', DURABLE_FACTS_HEADER, newBody);
+    return {
+        ok: result.ok,
+        verified: result.verified,
+        reason: result.reason,
+        entryCount,
+    };
+}