avorelo 0.1.0 → 0.3.0

package/scripts/lib/launch-readiness.js

@@ -1,628 +0,0 @@
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const { spawnSync } = require("child_process");
-const { validateInstallClaims } = require("./public-install-claim-checker");
-
-const LAUNCH_READINESS_CONTRACT = "avorelo.launchReadiness.v1";
-const LAUNCH_READINESS_SCHEMA_VERSION = 1;
-const DISTRIBUTION_STATES = new Set([
-  "private_local_only",
-  "local_verified",
-  "ready_to_publish",
-  "published_verified",
-  "publish_blocked",
-]);
-
-// Files that must exist for a valid CLI install
-const REQUIRED_BIN_ENTRIES = ["bin/avorelo"];
-
-// Patterns that must not appear in committed config files (clone-specific paths)
-const ABSOLUTE_PATH_PATTERNS = [
-  /\/mnt\/[a-z]\/[A-Za-z]/,
-  /^[A-Z]:\\[A-Za-z]/,
-  /\/home\/[a-zA-Z0-9_-]+\/[A-Za-z]/,
-];
-
-// Runtime artifact dirs that must not be in a shipped package
-const RUNTIME_ARTIFACT_PATTERNS = [
-  /^\.claude\/cco\//,
-  /^\.avorelo\//,
-  /^\.codex-worktree-/,
-  /^\.tmp-/,
-  /^_wasp_build_tmp\//,
-  /^\.wasp\/out\//,
-  /handoff-local-state\.txt$/,
-  /handoff-worktree-locator\.txt$/,
-  /^avorelo-activation-smoke\//,
-];
-
-const WORKS_EVERYWHERE_PATTERNS = [
-  /works everywhere/i,
-  /works on every machine/i,
-  /works in every repo/i,
-  /works in every environment/i,
-];
-
-// Config files tracked in git that should not contain absolute paths
-const CHECKED_CONFIG_FILES = [".codex/config.toml", ".cursor/rules/wuz-project.mdc"];
-
-function safeReadJson(absPath) {
-  try {
-    if (!fs.existsSync(absPath)) return null;
-    return JSON.parse(fs.readFileSync(absPath, "utf8"));
-  } catch {
-    return null;
-  }
-}
-
-function safeReadText(absPath) {
-  try {
-    if (!fs.existsSync(absPath)) return null;
-    return fs.readFileSync(absPath, "utf8");
-  } catch {
-    return null;
-  }
-}
-
-function collectMarkdownFiles(dir, collected = [], limit = 200) {
-  if (!fs.existsSync(dir) || collected.length >= limit) return collected;
-  let entries = [];
-  try {
-    entries = fs.readdirSync(dir, { withFileTypes: true });
-  } catch {
-    return collected;
-  }
-  for (const entry of entries) {
-    if (collected.length >= limit) break;
-    const absPath = path.join(dir, entry.name);
-    if (entry.isDirectory()) {
-      if (/node_modules|\.git|\.tmp|artifacts|vendor/i.test(entry.name)) continue;
-      collectMarkdownFiles(absPath, collected, limit);
-      continue;
-    }
-    if (entry.isFile() && entry.name.endsWith(".md")) {
-      collected.push(absPath);
-    }
-  }
-  return collected;
-}
-
-function scanWorksEverywhereClaims(repoRoot, opts = {}) {
-  if (Array.isArray(opts.worksEverywhereClaims)) {
-    return { claims: opts.worksEverywhereClaims };
-  }
-
-  const claims = [];
-  const filesToScan = [];
-  const readmePath = path.join(repoRoot, "README.md");
-  if (fs.existsSync(readmePath)) filesToScan.push(readmePath);
-  collectMarkdownFiles(path.join(repoRoot, "docs"), filesToScan);
-
-  for (const absPath of filesToScan) {
-    const text = safeReadText(absPath);
-    if (!text) continue;
-    const lines = text.split(/\r?\n/);
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      if (!WORKS_EVERYWHERE_PATTERNS.some((pattern) => pattern.test(line))) continue;
-      claims.push({
-        file: path.relative(repoRoot, absPath).replace(/\\/g, "/"),
-        line: i + 1,
-        text: line.trim(),
-      });
-    }
-  }
-
-  return { claims };
-}
-
-function buildLaunchDistributionEvidence(repoRoot, opts = {}) {
-  const pkgPath = path.join(repoRoot, "package.json");
-  const pkg = safeReadJson(pkgPath);
-  const hasPackageJson = !!pkg;
-  const hasNpmIgnore = fs.existsSync(path.join(repoRoot, ".npmignore"));
-  const hasFilesField = !!(pkg && Array.isArray(pkg.files) && pkg.files.length > 0);
-  const distributionEvidence = opts.distributionEvidence || {};
-  const explicitState = distributionEvidence.state
-    || (pkg && typeof pkg.avoreloDistributionState === "string" ? pkg.avoreloDistributionState : null);
-  const packagePrivate = !!(pkg && pkg.private === true);
-  const packagePublic = !!(pkg && pkg.private === false);
-  const claimsReport = opts.installClaimsReport || validateInstallClaims(repoRoot);
-  const worksEverywhere = scanWorksEverywhereClaims(repoRoot, opts);
-  const localSmokePassed = distributionEvidence.localSmokePassed === true;
-  const publicSmokePassed = distributionEvidence.publicSmokePassed === true;
-  const publishAuthAvailable = distributionEvidence.publishAuthAvailable === true;
-  const publishApproved = distributionEvidence.publishApproved === true;
-  const packageContentSafe = distributionEvidence.packageContentSafe !== undefined
-    ? distributionEvidence.packageContentSafe === true
-    : (hasNpmIgnore || hasFilesField);
-
-  const reasons = [];
-  let state = explicitState;
-
-  if (explicitState && !DISTRIBUTION_STATES.has(explicitState)) {
-    reasons.push(`Unknown distribution state '${explicitState}'.`);
-    state = "publish_blocked";
-  }
-
-  if (!state) {
-    state = packagePrivate ? "private_local_only" : "publish_blocked";
-    if (!packagePrivate) {
-      reasons.push("package.json is public-ready but no explicit distribution state evidence is present.");
-    }
-  }
-
-  if (state === "private_local_only" && !packagePrivate) {
-    reasons.push("private_local_only requires package.json private: true.");
-    state = "publish_blocked";
-  }
-
-  if (state === "local_verified" && packagePublic && !localSmokePassed) {
-    reasons.push("local_verified needs explicit local smoke evidence before a public-ready package can pass.");
-    state = "publish_blocked";
-  }
-
-  if (state === "ready_to_publish") {
-    if (!packagePublic) {
-      reasons.push("ready_to_publish requires package.json private: false.");
-      state = "publish_blocked";
-    }
-    if (!packageContentSafe) {
-      reasons.push("ready_to_publish requires package exclusion control or equivalent package-content evidence.");
-      state = "publish_blocked";
-    }
-  }
-
-  if (state === "published_verified") {
-    if (!packagePublic) {
-      reasons.push("published_verified requires package.json private: false.");
-      state = "publish_blocked";
-    }
-    if (!publicSmokePassed) {
-      reasons.push("published_verified requires verified public npx smoke evidence.");
-      state = "publish_blocked";
-    }
-    if (!publishAuthAvailable || !publishApproved) {
-      reasons.push("published_verified requires explicit publish auth and approval evidence.");
-      state = "publish_blocked";
-    }
-  }
-
-  if (state === "publish_blocked" && reasons.length === 0) {
-    reasons.push("Distribution state is blocked until public distribution evidence is made explicit.");
-  }
-
-  const effectiveBlockedClaims = (claimsReport.blockedClaims || []).filter((claim) => {
-    if (state !== "published_verified") return true;
-    const reason = String(claim.reason || "");
-    return !/not verified|private\/not on npm/i.test(reason);
-  });
-
-  if (effectiveBlockedClaims.length > 0) {
-    reasons.push("Blocked public install claims detected.");
-    state = "publish_blocked";
-  }
-
-  if (worksEverywhere.claims.length > 0) {
-    reasons.push("Works-everywhere claims are not allowed.");
-    state = "publish_blocked";
-  }
-
-  const publicClaimChecksPass = effectiveBlockedClaims.length === 0;
-  const worksEverywherePass = worksEverywhere.claims.length === 0;
-  const packageStateAligned = state !== "publish_blocked";
-  const checkDetails = {
-    explicitState: explicitState || null,
-    packagePrivate,
-    packagePublic,
-    packageContentSafe,
-    localSmokePassed,
-    publicSmokePassed,
-    publishAuthAvailable,
-    publishApproved,
-  };
-
-  return {
-    state,
-    explicitState: explicitState || null,
-    packagePrivate,
-    packagePublic,
-    packageContentSafe,
-    hasNpmIgnore,
-    hasFilesField,
-    localSmokePassed,
-    publicSmokePassed,
-    publishAuthAvailable,
-    publishApproved,
-    installClaimsReport: claimsReport,
-    effectiveBlockedClaims,
-    worksEverywhereClaims: worksEverywhere.claims,
-    hasPackageJson,
-    reasons,
-    checks: [
-      {
-        id: "package_distribution_state_alignment",
-        pass: packageStateAligned,
-        blocking: true,
-        detail: packageStateAligned
-          ? `Distribution state ${state} is compatible with launch readiness.`
-          : reasons.join(" "),
-        evidence: checkDetails,
-      },
-      {
-        id: "public_install_claims_honest",
-        pass: publicClaimChecksPass,
-        blocking: true,
-        detail: publicClaimChecksPass
-          ? `Blocked claims: ${claimsReport.blockedCount}. Caveated claims: ${claimsReport.caveatedCount}.`
-          : `Blocked claims: ${effectiveBlockedClaims.length}. Public install claims require published_verified.`,
-        evidence: {
-          blockedCount: effectiveBlockedClaims.length,
-          caveatedCount: claimsReport.caveatedCount,
-          allowedCount: claimsReport.allowedCount,
-        },
-      },
-      {
-        id: "no_works_everywhere_claim",
-        pass: worksEverywherePass,
-        blocking: true,
-        detail: worksEverywherePass
-          ? "No works-everywhere claims detected."
-          : `Works-everywhere claim found in ${worksEverywhere.claims[0].file}:${worksEverywhere.claims[0].line}.`,
-        evidence: {
-          claimCount: worksEverywhere.claims.length,
-        },
-      },
-      {
-        id: "published_verified_requires_public_smoke",
-        pass: state !== "published_verified" || publicSmokePassed,
-        blocking: true,
-        detail: state === "published_verified" && !publicSmokePassed
-          ? "published_verified requires public smoke evidence."
-          : "Public smoke evidence gate is aligned with distribution state.",
-      },
-      {
-        id: "published_verified_requires_publish_approval",
-        pass: state !== "published_verified" || (publishAuthAvailable && publishApproved),
-        blocking: true,
-        detail: state === "published_verified" && (!publishAuthAvailable || !publishApproved)
-          ? "Publish auth/approval evidence is required before launch readiness can treat the package as published."
-          : "Publish approval gate is aligned with distribution state.",
-      },
-    ],
-  };
-}
-
-function evaluatePackageDistributionState(repoRoot, opts = {}) {
-  return buildLaunchDistributionEvidence(repoRoot, opts).state;
-}
-
-function buildPackageAudit(repoRoot, opts = {}) {
-  const pkgPath = path.join(repoRoot, "package.json");
-  const checks = [];
-  let runtimeArtifactsFound = [];
-  let absolutePathViolations = [];
-
-  if (!fs.existsSync(pkgPath)) {
-    checks.push({ id: "package_json_exists", pass: false, blocking: true, detail: "package.json not found" });
-    return {
-      checks,
-      runtimeArtifactsFound,
-      absolutePathViolations,
-      distributionState: "publish_blocked",
-      distributionEvidence: buildLaunchDistributionEvidence(repoRoot, opts),
-    };
-  }
-
-  const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
-  checks.push({ id: "package_json_exists", pass: true, blocking: true });
-
-  const binEntries = pkg.bin || {};
-  const missingBin = REQUIRED_BIN_ENTRIES.filter(
-    (rel) => !Object.values(binEntries).some((value) => value === rel || value.replace(/\\/g, "/") === rel)
-  );
-  checks.push({
-    id: "bin_entry_exists",
-    pass: missingBin.length === 0,
-    blocking: true,
-    detail: missingBin.length ? `Missing bin entries: ${missingBin.join(", ")}` : "bin/avorelo present",
-  });
-
-  for (const [name, rel] of Object.entries(binEntries)) {
-    const absPath = path.join(repoRoot, rel);
-    checks.push({
-      id: `bin_file_${name}`,
-      pass: fs.existsSync(absPath),
-      blocking: true,
-      detail: fs.existsSync(absPath) ? `${rel} exists` : `${rel} not found on disk`,
-    });
-  }
-
-  const gitLsResult = spawnSync("git", ["ls-files", "--cached"], {
-    cwd: repoRoot,
-    encoding: "utf8",
-  });
-
-  if (gitLsResult.status === 0) {
-    const trackedFiles = gitLsResult.stdout.trim().split("\n").filter(Boolean);
-    runtimeArtifactsFound = trackedFiles.filter((file) =>
-      RUNTIME_ARTIFACT_PATTERNS.some((pattern) => pattern.test(file))
-    );
-    checks.push({
-      id: "no_runtime_artifacts_committed",
-      pass: runtimeArtifactsFound.length === 0,
-      blocking: true,
-      detail: runtimeArtifactsFound.length === 0
-        ? "No runtime artifacts in tracked files"
-        : `Runtime artifacts tracked: ${runtimeArtifactsFound.slice(0, 5).join(", ")}`,
-    });
-  } else {
-    checks.push({
-      id: "no_runtime_artifacts_committed",
-      pass: null,
-      blocking: true,
-      detail: "Could not run git ls-files",
-    });
-  }
-
-  for (const relPath of CHECKED_CONFIG_FILES) {
-    const absPath = path.join(repoRoot, relPath);
-    if (!fs.existsSync(absPath)) continue;
-    const content = fs.readFileSync(absPath, "utf8");
-    const lines = content.split("\n");
-    for (let i = 0; i < lines.length; i++) {
-      for (const pattern of ABSOLUTE_PATH_PATTERNS) {
-        if (pattern.test(lines[i])) {
-          absolutePathViolations.push({ file: relPath, line: i + 1, content: lines[i].trim() });
-        }
-      }
-    }
-  }
-  checks.push({
-    id: "no_absolute_paths_in_config",
-    pass: absolutePathViolations.length === 0,
-    blocking: true,
-    detail: absolutePathViolations.length === 0
-      ? "No absolute paths in committed config files"
-      : `Absolute paths found: ${absolutePathViolations.map((violation) => `${violation.file}:${violation.line}`).join(", ")}`,
-  });
-
-  const hasNpmIgnore = fs.existsSync(path.join(repoRoot, ".npmignore"));
-  const hasFilesField = Array.isArray(pkg.files) && pkg.files.length > 0;
-  checks.push({
-    id: "package_exclusion_control",
-    pass: hasNpmIgnore || hasFilesField,
-    blocking: true,
-    detail: hasNpmIgnore
-      ? ".npmignore present"
-      : hasFilesField
-      ? "package.json files field present"
-      : "Neither .npmignore nor files field - npm pack falls back to .gitignore",
-  });
-
-  const distributionEvidence = buildLaunchDistributionEvidence(repoRoot, opts);
-  checks.push(...distributionEvidence.checks);
-
-  if (opts.skipInstallDeliveryValidation !== true) {
-    const verifyResult = spawnSync(
-      "node",
-      ["app-scripts/validate-install-delivery.mjs"],
-      { cwd: repoRoot, encoding: "utf8" }
-    );
-    checks.push({
-      id: "install_delivery_validates",
-      pass: verifyResult.status === 0,
-      blocking: false,
-      detail: verifyResult.status === 0
-        ? "validate-install-delivery passed"
-        : (verifyResult.stderr || verifyResult.stdout || "").trim(),
-    });
-  }
-
-  return {
-    checks,
-    runtimeArtifactsFound,
-    absolutePathViolations,
-    distributionState: distributionEvidence.state,
-    distributionEvidence,
-  };
-}
-
-function buildExternalRepoCheck(repoRoot, externalCwd) {
-  const checks = [];
-
-  if (!fs.existsSync(externalCwd)) {
-    checks.push({ id: "external_dir_exists", pass: false, blocking: true, detail: `External dir not found: ${externalCwd}` });
-    return { checks };
-  }
-
-  const pkgPath = path.join(externalCwd, "package.json");
-  if (!fs.existsSync(pkgPath)) {
-    fs.writeFileSync(pkgPath, JSON.stringify({ name: "external-dogfood-repo", version: "0.0.1" }, null, 2), "utf8");
-  }
-
-  const activateResult = spawnSync(
-    "node",
-    [path.join(repoRoot, "bin/avorelo"), "activate", "--json"],
-    { cwd: externalCwd, encoding: "utf8", timeout: 30000 }
-  );
-
-  let activationData = null;
-  try {
-    activationData = JSON.parse(activateResult.stdout);
-  } catch {}
-
-  const isAlphaContract = activationData?.contract === "avorelo.alphaActivation.v1";
-  const activationOk = activateResult.status === 0 && (
-    activationData?.ready === true ||
-    (isAlphaContract && activationData?.status !== "blocked" && activationData?.status != null)
-  );
-  checks.push({
-    id: "external_activation_ready",
-    pass: activationOk,
-    blocking: true,
-    detail: activationOk
-      ? `activation ready from external cwd (${activationData?.contract || "unknown contract"})`
-      : `activation failed: ${activateResult.stderr?.slice(0, 200) || "unknown"}`,
-  });
-
-  if (activationData) {
-    const noFakeSavings = isAlphaContract
-      ? true
-      : activationData.valueClaimsShown === false;
-    checks.push({
-      id: "external_no_fake_savings",
-      pass: noFakeSavings,
-      blocking: true,
-      detail: noFakeSavings
-        ? "no fake savings in activation output"
-        : "valueClaimsShown is not false - savings shown without evidence",
-    });
-
-    const firstValueReady = isAlphaContract
-      ? activationData.firstValuePath != null
-      : activationData.firstValueReadiness?.ready === true;
-    checks.push({
-      id: "external_first_value_readiness",
-      pass: firstValueReady,
-      blocking: true,
-      detail: firstValueReady
-        ? "first value path/readiness present"
-        : isAlphaContract
-          ? "firstValuePath is null in alphaActivation response"
-          : `firstValueReadiness.ready=${activationData.firstValueReadiness?.ready}`,
-    });
-  }
-
-  const pinnedEnv = { ...process.env, AVORELO_WORKSPACE: externalCwd };
-
-  const tokenResult = spawnSync(
-    "node",
-    [path.join(repoRoot, "bin/avorelo"), "token-evidence", "--json"],
-    { cwd: externalCwd, env: pinnedEnv, encoding: "utf8", timeout: 15000 }
-  );
-  checks.push({
-    id: "external_token_evidence_safe",
-    pass: tokenResult.status === 0,
-    blocking: false,
-    detail: tokenResult.status === 0 ? "token-evidence exits 0" : `token-evidence failed: ${tokenResult.stderr?.slice(0, 200) || "unknown"}`,
-  });
-
-  const hygieneResult = spawnSync(
-    "node",
-    [path.join(repoRoot, "bin/avorelo"), "skills", "hygiene", "--json"],
-    { cwd: externalCwd, env: pinnedEnv, encoding: "utf8", timeout: 15000 }
-  );
-  checks.push({
-    id: "external_skills_hygiene_safe",
-    pass: hygieneResult.status === 0,
-    blocking: false,
-    detail: hygieneResult.status === 0 ? "skills hygiene exits 0" : `skills hygiene failed: ${hygieneResult.stderr?.slice(0, 200) || "unknown"}`,
-  });
-
-  const operatingValueResult = spawnSync(
-    "node",
-    [path.join(repoRoot, "bin/avorelo"), "operating-value", "--json"],
-    { cwd: externalCwd, env: pinnedEnv, encoding: "utf8", timeout: 15000 }
-  );
-  checks.push({
-    id: "external_operating_value_safe",
-    pass: operatingValueResult.status === 0,
-    blocking: false,
-    detail: operatingValueResult.status === 0 ? "operating-value exits 0" : `operating-value failed: ${operatingValueResult.stderr?.slice(0, 200) || "unknown"}`,
-  });
-
-  return { checks };
-}
-
-function buildLaunchReadiness(repoRoot, opts = {}) {
-  const { runExternalDogfood = false, externalCwd = null } = opts;
-  const startedAt = new Date().toISOString();
-
-  const packageAudit = buildPackageAudit(repoRoot, opts);
-  const externalCheck = runExternalDogfood && externalCwd
-    ? buildExternalRepoCheck(repoRoot, externalCwd)
-    : { checks: [], skipped: true };
-
-  const allChecks = [...packageAudit.checks, ...externalCheck.checks];
-  const passingChecks = allChecks.filter((check) => check.pass === true);
-  const failingChecks = allChecks.filter((check) => check.pass === false);
-  const skippedChecks = allChecks.filter((check) => check.pass === null);
-  const blockingFailure = failingChecks.some((check) => check.blocking === true);
-
-  let verdict;
-  if (failingChecks.length === 0) {
-    verdict = "LAUNCH_GATE_PASS";
-  } else if (blockingFailure) {
-    verdict = "LAUNCH_GATE_BLOCKED";
-  } else {
-    verdict = "LAUNCH_GATE_PARTIAL";
-  }
-
-  return {
-    schemaVersion: LAUNCH_READINESS_SCHEMA_VERSION,
-    contract: LAUNCH_READINESS_CONTRACT,
-    generatedAt: startedAt,
-    verdict,
-    summary: {
-      total: allChecks.length,
-      pass: passingChecks.length,
-      fail: failingChecks.length,
-      skip: skippedChecks.length,
-    },
-    packageAudit: {
-      checks: packageAudit.checks,
-      runtimeArtifactsFound: packageAudit.runtimeArtifactsFound,
-      absolutePathViolations: packageAudit.absolutePathViolations,
-      distributionState: packageAudit.distributionState,
-      distributionEvidence: packageAudit.distributionEvidence,
-    },
-    externalRepoCheck: externalCheck,
-    failingChecks,
-    passingChecks: passingChecks.map((check) => check.id),
-  };
-}
-
-function formatLaunchReadinessText(result) {
-  const lines = [];
-  lines.push("Avorelo Launch Readiness Gate");
-  lines.push("");
-  lines.push(`Verdict: ${result.verdict}`);
-  lines.push(`Checks: ${result.summary.pass} pass, ${result.summary.fail} fail, ${result.summary.skip} skip`);
-  if (result.packageAudit?.distributionState) {
-    lines.push(`Distribution state: ${result.packageAudit.distributionState}`);
-  }
-  lines.push("");
-
-  if (result.failingChecks.length > 0) {
-    lines.push("Failing:");
-    for (const check of result.failingChecks) {
-      lines.push(`  FAIL  ${check.id}: ${check.detail || ""}`);
-    }
-    lines.push("");
-  }
-
-  lines.push("Passing:");
-  for (const id of result.passingChecks) {
-    lines.push(`  pass  ${id}`);
-  }
-
-  if (result.externalRepoCheck.skipped) {
-    lines.push("");
-    lines.push("External repo check: skipped (run with --external-cwd <path> to enable)");
-  }
-
-  return lines.join("\n");
-}
-
-module.exports = {
-  buildLaunchDistributionEvidence,
-  buildLaunchReadiness,
-  buildPackageAudit,
-  buildExternalRepoCheck,
-  evaluatePackageDistributionState,
-  formatLaunchReadinessText,
-  LAUNCH_READINESS_CONTRACT,
-};