auriga-cli 1.15.2 → 1.17.0

package/dist/scan-catalog.js

@@ -0,0 +1,138 @@
+// Build the scan-time Catalog (the shape src/state.ts consumes) from
+// auriga-cli's installed package state. This bridges the build-time
+// `dist/catalog.json` (which carries names + descriptions for the menu)
+// and the runtime scanner's need for expected hashes + versions.
+//
+// Inputs (all under packageRoot):
+//   dist/catalog.json     — names + descriptions for 5 categories
+//   skills-lock.json      — expected SHA256 for every vendored skill
+//   .claude/plugins.json  — Claude plugin entries (agent = "claude")
+//   .agents/plugins/install.json — Codex plugin entries (agent = "codex")
+//   .claude/hooks/<name>/index.mjs — runtime SHA256 = expected hash
+//   CLAUDE.md             — `# auriga Workflow (vX.Y.Z)` provides
+//                           workflowVersion
+//
+// Anything missing is treated as "no expectation" (empty hash / version)
+// rather than throwing; scanState will still produce a structurally valid
+// StateReport — items just classify as not-installed or installed
+// depending on whether the user-side data exists.
+import { createHash } from "node:crypto";
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+import { loadCatalog } from "./catalog.js";
+const WORKFLOW_VERSION_RE = /^#\s*auriga Workflow\s*\(v([\d.]+)\)/m;
+async function tryReadFile(p) {
+    try {
+        return await readFile(p, "utf8");
+    }
+    catch {
+        return null;
+    }
+}
+async function sha256File(p) {
+    const bytes = await readFile(p);
+    return createHash("sha256").update(bytes).digest("hex");
+}
+export async function buildScanCatalog(packageRoot) {
+    const dist = loadCatalog(packageRoot);
+    // Workflow version: parse from auriga-cli's own CLAUDE.md template.
+    // If missing, leave as empty string so workflow always classifies as
+    // not-installed (no expectation set).
+    const claudeMd = await tryReadFile(path.join(packageRoot, "CLAUDE.md"));
+    const m = claudeMd ? WORKFLOW_VERSION_RE.exec(claudeMd) : null;
+    const workflowVersion = m ? m[1] : "";
+    // Skills + recommended: hashes from skills-lock.json.
+    let lock = {};
+    const lockText = await tryReadFile(path.join(packageRoot, "skills-lock.json"));
+    if (lockText) {
+        try {
+            lock = JSON.parse(lockText);
+        }
+        catch {
+            // corrupted lock → no expectations; user state still classifies safely
+        }
+    }
+    const skills = {};
+    for (const entry of dist.workflowSkills) {
+        skills[entry.name] = {
+            description: entry.description,
+            expectedHash: lock.skills?.[entry.name]?.computedHash ?? "",
+            isWorkflow: true,
+        };
+    }
+    const recommendedSkills = {};
+    for (const entry of dist.recommendedSkills) {
+        recommendedSkills[entry.name] = {
+            description: entry.description,
+            expectedHash: lock.skills?.[entry.name]?.computedHash ?? "",
+        };
+    }
+    // Plugins: split by agent based on which config file lists them. A
+    // plugin can appear in both registries (cross-agent plugins like
+    // auriga-go); we represent it once per agent.
+    const plugins = {};
+    const claudePluginsText = await tryReadFile(path.join(packageRoot, ".claude", "plugins.json"));
+    const claudeNames = new Set();
+    if (claudePluginsText) {
+        try {
+            const parsed = JSON.parse(claudePluginsText);
+            for (const p of parsed.plugins ?? []) {
+                if (p.name)
+                    claudeNames.add(p.name);
+            }
+        }
+        catch {
+            /* ignore */
+        }
+    }
+    const codexInstallText = await tryReadFile(path.join(packageRoot, ".agents", "plugins", "install.json"));
+    const codexNames = new Set();
+    if (codexInstallText) {
+        try {
+            const parsed = JSON.parse(codexInstallText);
+            for (const p of parsed.plugins ?? []) {
+                if (p.name)
+                    codexNames.add(p.name);
+            }
+        }
+        catch {
+            /* ignore */
+        }
+    }
+    for (const entry of dist.plugins) {
+        // Collect every agent that registers this plugin. A plugin can ship in
+        // both registries (cross-agent plugins like auriga-go); we emit it as
+        // a single multi-agent record so the UI shows one row + BOTH badge and
+        // Apply installs to each side.
+        const agents = [];
+        if (claudeNames.has(entry.name))
+            agents.push("claude");
+        if (codexNames.has(entry.name))
+            agents.push("codex");
+        if (agents.length === 0)
+            agents.push("claude"); // unknown defaults to claude
+        plugins[entry.name] = { description: entry.description, agents };
+    }
+    // Hooks: runtime SHA256 of each hook's index.mjs serves as the expected
+    // hash. If the file can't be read, leave the expectation empty so the
+    // hook classifies as not-installed.
+    const hooks = {};
+    for (const entry of dist.hooks) {
+        const hookEntry = path.join(packageRoot, ".claude", "hooks", entry.name, "index.mjs");
+        let expectedHash = "";
+        try {
+            expectedHash = await sha256File(hookEntry);
+        }
+        catch {
+            /* missing or unreadable hook payload; leave hash empty */
+        }
+        hooks[entry.name] = { description: entry.description, expectedHash };
+    }
+    return {
+        workflowVersion,
+        skills,
+        recommendedSkills,
+        plugins,
+        hooks,
+    };
+}

package/dist/server.d.ts

@@ -0,0 +1,71 @@
+export type LogLevel = "info" | "warn" | "error";
+export interface ApplyHandlerOptions {
+    onLog: (line: string, level: LogLevel) => void;
+    /** Installer scope from the ApplyItemRef. Forwarded as-is — handlers
+     *  translate into the per-installer flag (`--scope project|user`). The
+     *  workflow handler ignores it (workflow has no scope concept). */
+    scope?: "project" | "user";
+    /** Workflow CLAUDE.md language variant. Only meaningful for the workflow
+     *  handler; other handlers ignore it. Omitted = "en". */
+    lang?: "en" | "zh-CN";
+}
+export type ApplyHandler = (action: ApplyAction, name: string, opts: ApplyHandlerOptions) => Promise<void>;
+export interface ApplyHandlers {
+    workflow: ApplyHandler;
+    skill: ApplyHandler;
+    "recommended-skill": ApplyHandler;
+    plugin: ApplyHandler;
+    hook: ApplyHandler;
+}
+export interface ApplyCatalog {
+    workflow: Set<string>;
+    skill: Set<string>;
+    "recommended-skill": Set<string>;
+    plugin: Set<string>;
+    hook: Set<string>;
+}
+export interface StartServerOptions {
+    port?: number;
+    token: string;
+    cwd: string;
+    /** Where auriga-cli itself lives — source of dist/catalog.json,
+     *  skills-lock.json, hook payloads, etc. Defaults to cwd, which is
+     *  correct when running tests from the auriga-cli checkout. CLI mode
+     *  must pass getPackageRoot() so the server uses the installed package
+     *  rather than the user's project. */
+    packageRoot?: string;
+    /** Idle-shutdown timeout in ms. The browser POSTs /api/ping every 5s;
+     *  if no ping arrives for this duration, the server shuts down
+     *  gracefully (closing-browser-closes-server UX). `0` disables the
+     *  heartbeat (used by tests so a single suite doesn't time-bomb). */
+    heartbeatTimeoutMs?: number;
+    /** Apply handlers per category. When omitted, /api/apply falls back to
+     *  built-in installers wired by the CLI. Tests inject mocks to make apply
+     *  behavior deterministic without touching real installers. */
+    applyHandlers?: ApplyHandlers;
+    /** Per-category name whitelist. When set, /api/apply rejects (400) any
+     *  item whose name is not present in the matching category's Set. When
+     *  omitted, name membership is not enforced (CLI builds a default
+     *  catalog at boot time). */
+    applyCatalog?: ApplyCatalog;
+    /** Directory whose contents are served for non-/api paths (the extracted
+     *  UI bundle). When undefined, every static path returns 404 — useful in
+     *  tests and the M1 server smoke checks. */
+    uiDir?: string;
+    /** Max time to wait for an in-flight job during graceful shutdown before
+     *  force-closing sockets (spec §4.3 / §6.6). Defaults to 30000 ms in
+     *  production; tests override to a small value (e.g. 200 ms) so they
+     *  don't time-bomb. */
+    shutdownGraceMs?: number;
+}
+export interface RunningServer {
+    port: number;
+    /** Explicit shutdown. Idempotent. */
+    close(): Promise<void>;
+    /** Resolves when the server has fully stopped — either via close() or the
+     *  heartbeat-driven shutdown. CLI callers await this to block their event
+     *  loop until "browser was closed" actually fires. */
+    closed: Promise<void>;
+}
+import type { ApplyAction } from "./api-types.js";
+export declare function startServer(opts: StartServerOptions): Promise<RunningServer>;