astrocode-workflow 0.1.59 → 0.2.1

package/src/tools/injects.ts

@@ -5,34 +5,51 @@ import { withTx } from "../state/db";
 import { nowISO } from "../shared/time";
 import { sha256Hex } from "../shared/hash";
 
-const VALID_INJECT_TYPES = ['note', 'policy', 'reminder', 'debug'] as const;
-type InjectType = typeof VALID_INJECT_TYPES[number];
+const VALID_INJECT_TYPES = ["note", "policy", "reminder", "debug"] as const;
+type InjectType = (typeof VALID_INJECT_TYPES)[number];
 
 function validateInjectType(type: string): InjectType {
   if (!VALID_INJECT_TYPES.includes(type as InjectType)) {
-    throw new Error(`Invalid inject type "${type}". Must be one of: ${VALID_INJECT_TYPES.join(', ')}`);
+    throw new Error(`Invalid inject type "${type}". Must be one of: ${VALID_INJECT_TYPES.join(", ")}`);
   }
   return type as InjectType;
 }
 
-function validateTimestamp(timestamp: string | null): string | null {
+function validateTimestamp(timestamp: string | null | undefined): string | null {
   if (!timestamp) return null;
 
-  // Check if it's a valid ISO 8601 timestamp with Z suffix
+  // Strict ISO 8601 UTC with Z suffix, sortable as string.
   const isoRegex = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{3})?Z$/;
   if (!isoRegex.test(timestamp)) {
-    throw new Error(`Invalid timestamp format. Expected ISO 8601 UTC with Z suffix (e.g., "2026-01-23T13:05:19.000Z"), got: "${timestamp}"`);
+    throw new Error(
+      `Invalid timestamp format. Expected ISO 8601 UTC with Z suffix (e.g., "2026-01-23T13:05:19.000Z"), got: "${timestamp}"`
+    );
   }
 
-  // Additional validation: ensure it's parseable and represents a valid date
-  const parsed = new Date(timestamp);
-  if (isNaN(parsed.getTime())) {
+  const parsed = Date.parse(timestamp);
+  if (!Number.isFinite(parsed)) {
     throw new Error(`Invalid timestamp: "${timestamp}" does not represent a valid date`);
   }
 
   return timestamp;
 }
 
+function parseJsonStringArray(name: string, raw: string): string[] {
+  let v: unknown;
+  try {
+    v = JSON.parse(raw);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : String(e);
+    throw new Error(`${name} must be valid JSON. Parse error: ${msg}`);
+  }
+
+  if (!Array.isArray(v) || !v.every((x) => typeof x === "string")) {
+    throw new Error(`${name} must be a JSON array of strings`);
+  }
+
+  return v as string[];
+}
+
 function newInjectId(): string {
   return `inj_${Date.now()}_${Math.random().toString(16).slice(2)}`;
 }
@@ -58,17 +75,36 @@ export function createAstroInjectPutTool(opts: { ctx: any; config: AstrocodeConf
       const now = nowISO();
       const sha = sha256Hex(body_md);
 
-      // Validate inputs
       const validatedType = validateInjectType(type);
       const validatedExpiresAt = validateTimestamp(expires_at);
 
+      // Ensure tags_json is at least valid JSON (we do not enforce schema here beyond validity).
+      try {
+        JSON.parse(tags_json);
+      } catch (e) {
+        const msg = e instanceof Error ? e.message : String(e);
+        throw new Error(`tags_json must be valid JSON. Parse error: ${msg}`);
+      }
+
       return withTx(db, () => {
         const existing = db.prepare("SELECT inject_id FROM injects WHERE inject_id=?").get(id) as any;
 
         if (existing) {
-          // Use INSERT ... ON CONFLICT for atomic updates
           db.prepare(`
-            INSERT INTO injects (inject_id, type, title, body_md, tags_json, scope, source, priority, expires_at, sha256, created_at, updated_at)
+            INSERT INTO injects (
+              inject_id,
+              type,
+              title,
+              body_md,
+              tags_json,
+              scope,
+              source,
+              priority,
+              expires_at,
+              sha256,
+              created_at,
+              updated_at
+            )
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
             ON CONFLICT(inject_id) DO UPDATE SET
               type=excluded.type,
@@ -81,7 +117,8 @@ export function createAstroInjectPutTool(opts: { ctx: any; config: AstrocodeConf
               expires_at=excluded.expires_at,
               sha256=excluded.sha256,
               updated_at=excluded.updated_at
-          `).run(id, type, title, body_md, tags_json, scope, source, priority, validatedExpiresAt, sha, now, now);
+          `).run(id, validatedType, title, body_md, tags_json, scope, source, priority, validatedExpiresAt, sha, now, now);
+
           return `✅ Updated inject ${id}: ${title}`;
         }
 
@@ -108,9 +145,27 @@ export function createAstroInjectListTool(opts: { ctx: any; config: AstrocodeCon
     execute: async ({ scope, type, limit }) => {
       const where: string[] = [];
       const params: any[] = [];
-      if (scope) { where.push("scope = ?"); params.push(scope); }
-      if (type) { where.push("type = ?"); params.push(type); }
-      const sql = `SELECT inject_id, type, title, scope, priority, created_at, updated_at FROM injects ${where.length ? "WHERE " + where.join(" AND ") : ""} ORDER BY priority DESC, updated_at DESC LIMIT ?`;
+
+      if (scope) {
+        where.push("scope = ?");
+        params.push(scope);
+      }
+
+      if (type) {
+        // Keep list tool permissive (debugging), but still prevents obvious garbage if used.
+        validateInjectType(type);
+        where.push("type = ?");
+        params.push(type);
+      }
+
+      const sql = `
+        SELECT inject_id, type, title, scope, priority, created_at, updated_at
+        FROM injects
+        ${where.length ? "WHERE " + where.join(" AND ") : ""}
+        ORDER BY priority DESC, updated_at DESC
+        LIMIT ?
+      `;
+
       const rows = db.prepare(sql).all(...params, limit) as any[];
       return JSON.stringify(rows, null, 2);
     },
@@ -147,8 +202,20 @@ export function createAstroInjectSearchTool(opts: { ctx: any; config: AstrocodeC
       const like = `%${q}%`;
       const where: string[] = ["(title LIKE ? OR body_md LIKE ? OR tags_json LIKE ?)"];
       const params: any[] = [like, like, like];
-      if (scope) { where.push("scope = ?"); params.push(scope); }
-      const sql = `SELECT inject_id, type, title, scope, priority, updated_at FROM injects WHERE ${where.join(" AND ")} ORDER BY priority DESC, updated_at DESC LIMIT ?`;
+
+      if (scope) {
+        where.push("scope = ?");
+        params.push(scope);
+      }
+
+      const sql = `
+        SELECT inject_id, type, title, scope, priority, updated_at
+        FROM injects
+        WHERE ${where.join(" AND ")}
+        ORDER BY priority DESC, updated_at DESC
+        LIMIT ?
+      `;
+
       const rows = db.prepare(sql).all(...params, limit) as any[];
       return JSON.stringify(rows, null, 2);
     },
@@ -170,15 +237,25 @@ export type InjectRow = {
   updated_at: string;
 };
 
-export function selectEligibleInjects(db: SqliteDb, opts: {
-  nowIso: string;
-  scopeAllowlist: string[];
-  typeAllowlist: string[];
-  limit?: number;
-}): InjectRow[] {
+export function selectEligibleInjects(
+  db: SqliteDb,
+  opts: {
+    nowIso: string;
+    scopeAllowlist: string[];
+    typeAllowlist: string[];
+    limit?: number;
+  }
+): InjectRow[] {
   const { nowIso, scopeAllowlist, typeAllowlist, limit = 50 } = opts;
 
-  // Build placeholders safely
+  if (!Array.isArray(scopeAllowlist) || scopeAllowlist.length === 0) {
+    throw new Error("selectEligibleInjects: scopeAllowlist must be a non-empty array");
+  }
+  if (!Array.isArray(typeAllowlist) || typeAllowlist.length === 0) {
+    throw new Error("selectEligibleInjects: typeAllowlist must be a non-empty array");
+  }
+
+  // Build placeholders safely (guaranteed non-empty).
   const scopeQs = scopeAllowlist.map(() => "?").join(", ");
   const typeQs = typeAllowlist.map(() => "?").join(", ");
 
@@ -208,8 +285,11 @@ export function createAstroInjectEligibleTool(opts: { ctx: any; config: Astrocod
     },
     execute: async ({ scopes_json, types_json, limit }) => {
       const now = nowISO();
-      const scopes = JSON.parse(scopes_json) as string[];
-      const types = JSON.parse(types_json) as string[];
+      const scopes = parseJsonStringArray("scopes_json", scopes_json);
+      const types = parseJsonStringArray("types_json", types_json);
+
+      // Validate types against the known set to keep selection sane.
+      for (const t of types) validateInjectType(t);
 
       const rows = selectEligibleInjects(db, {
         nowIso: now,
@@ -234,10 +314,13 @@ export function createAstroInjectDebugDueTool(opts: { ctx: any; config: Astrocod
     },
     execute: async ({ scopes_json, types_json }) => {
       const now = nowISO();
-      const scopes = JSON.parse(scopes_json) as string[];
-      const types = JSON.parse(types_json) as string[];
+      const nowMs = Date.parse(now);
+
+      const scopes = parseJsonStringArray("scopes_json", scopes_json);
+      const types = parseJsonStringArray("types_json", types_json);
+
+      for (const t of types) validateInjectType(t);
 
-      // Get ALL injects to analyze filtering
       const allInjects = db.prepare("SELECT * FROM injects").all() as any[];
 
       let total = allInjects.length;
@@ -245,25 +328,31 @@ export function createAstroInjectDebugDueTool(opts: { ctx: any; config: Astrocod
       let skippedExpired = 0;
       let skippedScope = 0;
       let skippedType = 0;
+      let skippedUnparseableExpiresAt = 0;
+
       const excludedReasons: any[] = [];
       const selectedInjects: any[] = [];
 
       for (const inject of allInjects) {
         const reasons: string[] = [];
 
-        // Check expiration
-        if (inject.expires_at && inject.expires_at <= now) {
-          reasons.push("expired");
-          skippedExpired++;
+        // Expiration: parse to ms for correctness across legacy rows.
+        if (inject.expires_at) {
+          const expMs = Date.parse(String(inject.expires_at));
+          if (!Number.isFinite(expMs)) {
+            reasons.push("expires_at_unparseable");
+            skippedUnparseableExpiresAt++;
+          } else if (expMs <= nowMs) {
+            reasons.push("expired");
+            skippedExpired++;
+          }
         }
 
-        // Check scope
         if (!scopes.includes(inject.scope)) {
           reasons.push("scope");
           skippedScope++;
         }
 
-        // Check type
         if (!types.includes(inject.type)) {
           reasons.push("type");
           skippedType++;
@@ -273,7 +362,7 @@ export function createAstroInjectDebugDueTool(opts: { ctx: any; config: Astrocod
           excludedReasons.push({
             inject_id: inject.inject_id,
             title: inject.title,
-            reasons: reasons,
+            reasons,
             scope: inject.scope,
             type: inject.type,
             expires_at: inject.expires_at,
@@ -290,23 +379,28 @@ export function createAstroInjectDebugDueTool(opts: { ctx: any; config: Astrocod
         }
       }
 
-      return JSON.stringify({
-        now,
-        scopes_considered: scopes,
-        types_considered: types,
-        summary: {
-          total_injects: total,
-          selected_eligible: selected,
-          excluded_total: total - selected,
-          skipped_breakdown: {
-            expired: skippedExpired,
-            scope: skippedScope,
-            type: skippedType,
-          }
+      return JSON.stringify(
+        {
+          now,
+          scopes_considered: scopes,
+          types_considered: types,
+          summary: {
+            total_injects: total,
+            selected_eligible: selected,
+            excluded_total: total - selected,
+            skipped_breakdown: {
+              expired: skippedExpired,
+              expires_at_unparseable: skippedUnparseableExpiresAt,
+              scope: skippedScope,
+              type: skippedType,
+            },
+          },
+          selected_injects: selectedInjects,
+          excluded_injects: excludedReasons,
         },
-        selected_injects: selectedInjects,
-        excluded_injects: excludedReasons,
-      }, null, 2);
+        null,
+        2
+      );
     },
   });
 }