avorelo 0.1.0

package/scripts/lib/launch-readiness.js

@@ -0,0 +1,628 @@
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+const { spawnSync } = require("child_process");
+const { validateInstallClaims } = require("./public-install-claim-checker");
+
+const LAUNCH_READINESS_CONTRACT = "avorelo.launchReadiness.v1";
+const LAUNCH_READINESS_SCHEMA_VERSION = 1;
+const DISTRIBUTION_STATES = new Set([
+  "private_local_only",
+  "local_verified",
+  "ready_to_publish",
+  "published_verified",
+  "publish_blocked",
+]);
+
+// Files that must exist for a valid CLI install
+const REQUIRED_BIN_ENTRIES = ["bin/avorelo"];
+
+// Patterns that must not appear in committed config files (clone-specific paths)
+const ABSOLUTE_PATH_PATTERNS = [
+  /\/mnt\/[a-z]\/[A-Za-z]/,
+  /^[A-Z]:\\[A-Za-z]/,
+  /\/home\/[a-zA-Z0-9_-]+\/[A-Za-z]/,
+];
+
+// Runtime artifact dirs that must not be in a shipped package
+const RUNTIME_ARTIFACT_PATTERNS = [
+  /^\.claude\/cco\//,
+  /^\.avorelo\//,
+  /^\.codex-worktree-/,
+  /^\.tmp-/,
+  /^_wasp_build_tmp\//,
+  /^\.wasp\/out\//,
+  /handoff-local-state\.txt$/,
+  /handoff-worktree-locator\.txt$/,
+  /^avorelo-activation-smoke\//,
+];
+
+const WORKS_EVERYWHERE_PATTERNS = [
+  /works everywhere/i,
+  /works on every machine/i,
+  /works in every repo/i,
+  /works in every environment/i,
+];
+
+// Config files tracked in git that should not contain absolute paths
+const CHECKED_CONFIG_FILES = [".codex/config.toml", ".cursor/rules/wuz-project.mdc"];
+
+function safeReadJson(absPath) {
+  try {
+    if (!fs.existsSync(absPath)) return null;
+    return JSON.parse(fs.readFileSync(absPath, "utf8"));
+  } catch {
+    return null;
+  }
+}
+
+function safeReadText(absPath) {
+  try {
+    if (!fs.existsSync(absPath)) return null;
+    return fs.readFileSync(absPath, "utf8");
+  } catch {
+    return null;
+  }
+}
+
+function collectMarkdownFiles(dir, collected = [], limit = 200) {
+  if (!fs.existsSync(dir) || collected.length >= limit) return collected;
+  let entries = [];
+  try {
+    entries = fs.readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return collected;
+  }
+  for (const entry of entries) {
+    if (collected.length >= limit) break;
+    const absPath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (/node_modules|\.git|\.tmp|artifacts|vendor/i.test(entry.name)) continue;
+      collectMarkdownFiles(absPath, collected, limit);
+      continue;
+    }
+    if (entry.isFile() && entry.name.endsWith(".md")) {
+      collected.push(absPath);
+    }
+  }
+  return collected;
+}
+
+function scanWorksEverywhereClaims(repoRoot, opts = {}) {
+  if (Array.isArray(opts.worksEverywhereClaims)) {
+    return { claims: opts.worksEverywhereClaims };
+  }
+
+  const claims = [];
+  const filesToScan = [];
+  const readmePath = path.join(repoRoot, "README.md");
+  if (fs.existsSync(readmePath)) filesToScan.push(readmePath);
+  collectMarkdownFiles(path.join(repoRoot, "docs"), filesToScan);
+
+  for (const absPath of filesToScan) {
+    const text = safeReadText(absPath);
+    if (!text) continue;
+    const lines = text.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (!WORKS_EVERYWHERE_PATTERNS.some((pattern) => pattern.test(line))) continue;
+      claims.push({
+        file: path.relative(repoRoot, absPath).replace(/\\/g, "/"),
+        line: i + 1,
+        text: line.trim(),
+      });
+    }
+  }
+
+  return { claims };
+}
+
+function buildLaunchDistributionEvidence(repoRoot, opts = {}) {
+  const pkgPath = path.join(repoRoot, "package.json");
+  const pkg = safeReadJson(pkgPath);
+  const hasPackageJson = !!pkg;
+  const hasNpmIgnore = fs.existsSync(path.join(repoRoot, ".npmignore"));
+  const hasFilesField = !!(pkg && Array.isArray(pkg.files) && pkg.files.length > 0);
+  const distributionEvidence = opts.distributionEvidence || {};
+  const explicitState = distributionEvidence.state
+    || (pkg && typeof pkg.avoreloDistributionState === "string" ? pkg.avoreloDistributionState : null);
+  const packagePrivate = !!(pkg && pkg.private === true);
+  const packagePublic = !!(pkg && pkg.private === false);
+  const claimsReport = opts.installClaimsReport || validateInstallClaims(repoRoot);
+  const worksEverywhere = scanWorksEverywhereClaims(repoRoot, opts);
+  const localSmokePassed = distributionEvidence.localSmokePassed === true;
+  const publicSmokePassed = distributionEvidence.publicSmokePassed === true;
+  const publishAuthAvailable = distributionEvidence.publishAuthAvailable === true;
+  const publishApproved = distributionEvidence.publishApproved === true;
+  const packageContentSafe = distributionEvidence.packageContentSafe !== undefined
+    ? distributionEvidence.packageContentSafe === true
+    : (hasNpmIgnore || hasFilesField);
+
+  const reasons = [];
+  let state = explicitState;
+
+  if (explicitState && !DISTRIBUTION_STATES.has(explicitState)) {
+    reasons.push(`Unknown distribution state '${explicitState}'.`);
+    state = "publish_blocked";
+  }
+
+  if (!state) {
+    state = packagePrivate ? "private_local_only" : "publish_blocked";
+    if (!packagePrivate) {
+      reasons.push("package.json is public-ready but no explicit distribution state evidence is present.");
+    }
+  }
+
+  if (state === "private_local_only" && !packagePrivate) {
+    reasons.push("private_local_only requires package.json private: true.");
+    state = "publish_blocked";
+  }
+
+  if (state === "local_verified" && packagePublic && !localSmokePassed) {
+    reasons.push("local_verified needs explicit local smoke evidence before a public-ready package can pass.");
+    state = "publish_blocked";
+  }
+
+  if (state === "ready_to_publish") {
+    if (!packagePublic) {
+      reasons.push("ready_to_publish requires package.json private: false.");
+      state = "publish_blocked";
+    }
+    if (!packageContentSafe) {
+      reasons.push("ready_to_publish requires package exclusion control or equivalent package-content evidence.");
+      state = "publish_blocked";
+    }
+  }
+
+  if (state === "published_verified") {
+    if (!packagePublic) {
+      reasons.push("published_verified requires package.json private: false.");
+      state = "publish_blocked";
+    }
+    if (!publicSmokePassed) {
+      reasons.push("published_verified requires verified public npx smoke evidence.");
+      state = "publish_blocked";
+    }
+    if (!publishAuthAvailable || !publishApproved) {
+      reasons.push("published_verified requires explicit publish auth and approval evidence.");
+      state = "publish_blocked";
+    }
+  }
+
+  if (state === "publish_blocked" && reasons.length === 0) {
+    reasons.push("Distribution state is blocked until public distribution evidence is made explicit.");
+  }
+
+  const effectiveBlockedClaims = (claimsReport.blockedClaims || []).filter((claim) => {
+    if (state !== "published_verified") return true;
+    const reason = String(claim.reason || "");
+    return !/not verified|private\/not on npm/i.test(reason);
+  });
+
+  if (effectiveBlockedClaims.length > 0) {
+    reasons.push("Blocked public install claims detected.");
+    state = "publish_blocked";
+  }
+
+  if (worksEverywhere.claims.length > 0) {
+    reasons.push("Works-everywhere claims are not allowed.");
+    state = "publish_blocked";
+  }
+
+  const publicClaimChecksPass = effectiveBlockedClaims.length === 0;
+  const worksEverywherePass = worksEverywhere.claims.length === 0;
+  const packageStateAligned = state !== "publish_blocked";
+  const checkDetails = {
+    explicitState: explicitState || null,
+    packagePrivate,
+    packagePublic,
+    packageContentSafe,
+    localSmokePassed,
+    publicSmokePassed,
+    publishAuthAvailable,
+    publishApproved,
+  };
+
+  return {
+    state,
+    explicitState: explicitState || null,
+    packagePrivate,
+    packagePublic,
+    packageContentSafe,
+    hasNpmIgnore,
+    hasFilesField,
+    localSmokePassed,
+    publicSmokePassed,
+    publishAuthAvailable,
+    publishApproved,
+    installClaimsReport: claimsReport,
+    effectiveBlockedClaims,
+    worksEverywhereClaims: worksEverywhere.claims,
+    hasPackageJson,
+    reasons,
+    checks: [
+      {
+        id: "package_distribution_state_alignment",
+        pass: packageStateAligned,
+        blocking: true,
+        detail: packageStateAligned
+          ? `Distribution state ${state} is compatible with launch readiness.`
+          : reasons.join(" "),
+        evidence: checkDetails,
+      },
+      {
+        id: "public_install_claims_honest",
+        pass: publicClaimChecksPass,
+        blocking: true,
+        detail: publicClaimChecksPass
+          ? `Blocked claims: ${claimsReport.blockedCount}. Caveated claims: ${claimsReport.caveatedCount}.`
+          : `Blocked claims: ${effectiveBlockedClaims.length}. Public install claims require published_verified.`,
+        evidence: {
+          blockedCount: effectiveBlockedClaims.length,
+          caveatedCount: claimsReport.caveatedCount,
+          allowedCount: claimsReport.allowedCount,
+        },
+      },
+      {
+        id: "no_works_everywhere_claim",
+        pass: worksEverywherePass,
+        blocking: true,
+        detail: worksEverywherePass
+          ? "No works-everywhere claims detected."
+          : `Works-everywhere claim found in ${worksEverywhere.claims[0].file}:${worksEverywhere.claims[0].line}.`,
+        evidence: {
+          claimCount: worksEverywhere.claims.length,
+        },
+      },
+      {
+        id: "published_verified_requires_public_smoke",
+        pass: state !== "published_verified" || publicSmokePassed,
+        blocking: true,
+        detail: state === "published_verified" && !publicSmokePassed
+          ? "published_verified requires public smoke evidence."
+          : "Public smoke evidence gate is aligned with distribution state.",
+      },
+      {
+        id: "published_verified_requires_publish_approval",
+        pass: state !== "published_verified" || (publishAuthAvailable && publishApproved),
+        blocking: true,
+        detail: state === "published_verified" && (!publishAuthAvailable || !publishApproved)
+          ? "Publish auth/approval evidence is required before launch readiness can treat the package as published."
+          : "Publish approval gate is aligned with distribution state.",
+      },
+    ],
+  };
+}
+
+function evaluatePackageDistributionState(repoRoot, opts = {}) {
+  return buildLaunchDistributionEvidence(repoRoot, opts).state;
+}
+
+function buildPackageAudit(repoRoot, opts = {}) {
+  const pkgPath = path.join(repoRoot, "package.json");
+  const checks = [];
+  let runtimeArtifactsFound = [];
+  let absolutePathViolations = [];
+
+  if (!fs.existsSync(pkgPath)) {
+    checks.push({ id: "package_json_exists", pass: false, blocking: true, detail: "package.json not found" });
+    return {
+      checks,
+      runtimeArtifactsFound,
+      absolutePathViolations,
+      distributionState: "publish_blocked",
+      distributionEvidence: buildLaunchDistributionEvidence(repoRoot, opts),
+    };
+  }
+
+  const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+  checks.push({ id: "package_json_exists", pass: true, blocking: true });
+
+  const binEntries = pkg.bin || {};
+  const missingBin = REQUIRED_BIN_ENTRIES.filter(
+    (rel) => !Object.values(binEntries).some((value) => value === rel || value.replace(/\\/g, "/") === rel)
+  );
+  checks.push({
+    id: "bin_entry_exists",
+    pass: missingBin.length === 0,
+    blocking: true,
+    detail: missingBin.length ? `Missing bin entries: ${missingBin.join(", ")}` : "bin/avorelo present",
+  });
+
+  for (const [name, rel] of Object.entries(binEntries)) {
+    const absPath = path.join(repoRoot, rel);
+    checks.push({
+      id: `bin_file_${name}`,
+      pass: fs.existsSync(absPath),
+      blocking: true,
+      detail: fs.existsSync(absPath) ? `${rel} exists` : `${rel} not found on disk`,
+    });
+  }
+
+  const gitLsResult = spawnSync("git", ["ls-files", "--cached"], {
+    cwd: repoRoot,
+    encoding: "utf8",
+  });
+
+  if (gitLsResult.status === 0) {
+    const trackedFiles = gitLsResult.stdout.trim().split("\n").filter(Boolean);
+    runtimeArtifactsFound = trackedFiles.filter((file) =>
+      RUNTIME_ARTIFACT_PATTERNS.some((pattern) => pattern.test(file))
+    );
+    checks.push({
+      id: "no_runtime_artifacts_committed",
+      pass: runtimeArtifactsFound.length === 0,
+      blocking: true,
+      detail: runtimeArtifactsFound.length === 0
+        ? "No runtime artifacts in tracked files"
+        : `Runtime artifacts tracked: ${runtimeArtifactsFound.slice(0, 5).join(", ")}`,
+    });
+  } else {
+    checks.push({
+      id: "no_runtime_artifacts_committed",
+      pass: null,
+      blocking: true,
+      detail: "Could not run git ls-files",
+    });
+  }
+
+  for (const relPath of CHECKED_CONFIG_FILES) {
+    const absPath = path.join(repoRoot, relPath);
+    if (!fs.existsSync(absPath)) continue;
+    const content = fs.readFileSync(absPath, "utf8");
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      for (const pattern of ABSOLUTE_PATH_PATTERNS) {
+        if (pattern.test(lines[i])) {
+          absolutePathViolations.push({ file: relPath, line: i + 1, content: lines[i].trim() });
+        }
+      }
+    }
+  }
+  checks.push({
+    id: "no_absolute_paths_in_config",
+    pass: absolutePathViolations.length === 0,
+    blocking: true,
+    detail: absolutePathViolations.length === 0
+      ? "No absolute paths in committed config files"
+      : `Absolute paths found: ${absolutePathViolations.map((violation) => `${violation.file}:${violation.line}`).join(", ")}`,
+  });
+
+  const hasNpmIgnore = fs.existsSync(path.join(repoRoot, ".npmignore"));
+  const hasFilesField = Array.isArray(pkg.files) && pkg.files.length > 0;
+  checks.push({
+    id: "package_exclusion_control",
+    pass: hasNpmIgnore || hasFilesField,
+    blocking: true,
+    detail: hasNpmIgnore
+      ? ".npmignore present"
+      : hasFilesField
+      ? "package.json files field present"
+      : "Neither .npmignore nor files field - npm pack falls back to .gitignore",
+  });
+
+  const distributionEvidence = buildLaunchDistributionEvidence(repoRoot, opts);
+  checks.push(...distributionEvidence.checks);
+
+  if (opts.skipInstallDeliveryValidation !== true) {
+    const verifyResult = spawnSync(
+      "node",
+      ["app-scripts/validate-install-delivery.mjs"],
+      { cwd: repoRoot, encoding: "utf8" }
+    );
+    checks.push({
+      id: "install_delivery_validates",
+      pass: verifyResult.status === 0,
+      blocking: false,
+      detail: verifyResult.status === 0
+        ? "validate-install-delivery passed"
+        : (verifyResult.stderr || verifyResult.stdout || "").trim(),
+    });
+  }
+
+  return {
+    checks,
+    runtimeArtifactsFound,
+    absolutePathViolations,
+    distributionState: distributionEvidence.state,
+    distributionEvidence,
+  };
+}
+
+function buildExternalRepoCheck(repoRoot, externalCwd) {
+  const checks = [];
+
+  if (!fs.existsSync(externalCwd)) {
+    checks.push({ id: "external_dir_exists", pass: false, blocking: true, detail: `External dir not found: ${externalCwd}` });
+    return { checks };
+  }
+
+  const pkgPath = path.join(externalCwd, "package.json");
+  if (!fs.existsSync(pkgPath)) {
+    fs.writeFileSync(pkgPath, JSON.stringify({ name: "external-dogfood-repo", version: "0.0.1" }, null, 2), "utf8");
+  }
+
+  const activateResult = spawnSync(
+    "node",
+    [path.join(repoRoot, "bin/avorelo"), "activate", "--json"],
+    { cwd: externalCwd, encoding: "utf8", timeout: 30000 }
+  );
+
+  let activationData = null;
+  try {
+    activationData = JSON.parse(activateResult.stdout);
+  } catch {}
+
+  const isAlphaContract = activationData?.contract === "avorelo.alphaActivation.v1";
+  const activationOk = activateResult.status === 0 && (
+    activationData?.ready === true ||
+    (isAlphaContract && activationData?.status !== "blocked" && activationData?.status != null)
+  );
+  checks.push({
+    id: "external_activation_ready",
+    pass: activationOk,
+    blocking: true,
+    detail: activationOk
+      ? `activation ready from external cwd (${activationData?.contract || "unknown contract"})`
+      : `activation failed: ${activateResult.stderr?.slice(0, 200) || "unknown"}`,
+  });
+
+  if (activationData) {
+    const noFakeSavings = isAlphaContract
+      ? true
+      : activationData.valueClaimsShown === false;
+    checks.push({
+      id: "external_no_fake_savings",
+      pass: noFakeSavings,
+      blocking: true,
+      detail: noFakeSavings
+        ? "no fake savings in activation output"
+        : "valueClaimsShown is not false - savings shown without evidence",
+    });
+
+    const firstValueReady = isAlphaContract
+      ? activationData.firstValuePath != null
+      : activationData.firstValueReadiness?.ready === true;
+    checks.push({
+      id: "external_first_value_readiness",
+      pass: firstValueReady,
+      blocking: true,
+      detail: firstValueReady
+        ? "first value path/readiness present"
+        : isAlphaContract
+          ? "firstValuePath is null in alphaActivation response"
+          : `firstValueReadiness.ready=${activationData.firstValueReadiness?.ready}`,
+    });
+  }
+
+  const pinnedEnv = { ...process.env, AVORELO_WORKSPACE: externalCwd };
+
+  const tokenResult = spawnSync(
+    "node",
+    [path.join(repoRoot, "bin/avorelo"), "token-evidence", "--json"],
+    { cwd: externalCwd, env: pinnedEnv, encoding: "utf8", timeout: 15000 }
+  );
+  checks.push({
+    id: "external_token_evidence_safe",
+    pass: tokenResult.status === 0,
+    blocking: false,
+    detail: tokenResult.status === 0 ? "token-evidence exits 0" : `token-evidence failed: ${tokenResult.stderr?.slice(0, 200) || "unknown"}`,
+  });
+
+  const hygieneResult = spawnSync(
+    "node",
+    [path.join(repoRoot, "bin/avorelo"), "skills", "hygiene", "--json"],
+    { cwd: externalCwd, env: pinnedEnv, encoding: "utf8", timeout: 15000 }
+  );
+  checks.push({
+    id: "external_skills_hygiene_safe",
+    pass: hygieneResult.status === 0,
+    blocking: false,
+    detail: hygieneResult.status === 0 ? "skills hygiene exits 0" : `skills hygiene failed: ${hygieneResult.stderr?.slice(0, 200) || "unknown"}`,
+  });
+
+  const operatingValueResult = spawnSync(
+    "node",
+    [path.join(repoRoot, "bin/avorelo"), "operating-value", "--json"],
+    { cwd: externalCwd, env: pinnedEnv, encoding: "utf8", timeout: 15000 }
+  );
+  checks.push({
+    id: "external_operating_value_safe",
+    pass: operatingValueResult.status === 0,
+    blocking: false,
+    detail: operatingValueResult.status === 0 ? "operating-value exits 0" : `operating-value failed: ${operatingValueResult.stderr?.slice(0, 200) || "unknown"}`,
+  });
+
+  return { checks };
+}
+
+function buildLaunchReadiness(repoRoot, opts = {}) {
+  const { runExternalDogfood = false, externalCwd = null } = opts;
+  const startedAt = new Date().toISOString();
+
+  const packageAudit = buildPackageAudit(repoRoot, opts);
+  const externalCheck = runExternalDogfood && externalCwd
+    ? buildExternalRepoCheck(repoRoot, externalCwd)
+    : { checks: [], skipped: true };
+
+  const allChecks = [...packageAudit.checks, ...externalCheck.checks];
+  const passingChecks = allChecks.filter((check) => check.pass === true);
+  const failingChecks = allChecks.filter((check) => check.pass === false);
+  const skippedChecks = allChecks.filter((check) => check.pass === null);
+  const blockingFailure = failingChecks.some((check) => check.blocking === true);
+
+  let verdict;
+  if (failingChecks.length === 0) {
+    verdict = "LAUNCH_GATE_PASS";
+  } else if (blockingFailure) {
+    verdict = "LAUNCH_GATE_BLOCKED";
+  } else {
+    verdict = "LAUNCH_GATE_PARTIAL";
+  }
+
+  return {
+    schemaVersion: LAUNCH_READINESS_SCHEMA_VERSION,
+    contract: LAUNCH_READINESS_CONTRACT,
+    generatedAt: startedAt,
+    verdict,
+    summary: {
+      total: allChecks.length,
+      pass: passingChecks.length,
+      fail: failingChecks.length,
+      skip: skippedChecks.length,
+    },
+    packageAudit: {
+      checks: packageAudit.checks,
+      runtimeArtifactsFound: packageAudit.runtimeArtifactsFound,
+      absolutePathViolations: packageAudit.absolutePathViolations,
+      distributionState: packageAudit.distributionState,
+      distributionEvidence: packageAudit.distributionEvidence,
+    },
+    externalRepoCheck: externalCheck,
+    failingChecks,
+    passingChecks: passingChecks.map((check) => check.id),
+  };
+}
+
+function formatLaunchReadinessText(result) {
+  const lines = [];
+  lines.push("Avorelo Launch Readiness Gate");
+  lines.push("");
+  lines.push(`Verdict: ${result.verdict}`);
+  lines.push(`Checks: ${result.summary.pass} pass, ${result.summary.fail} fail, ${result.summary.skip} skip`);
+  if (result.packageAudit?.distributionState) {
+    lines.push(`Distribution state: ${result.packageAudit.distributionState}`);
+  }
+  lines.push("");
+
+  if (result.failingChecks.length > 0) {
+    lines.push("Failing:");
+    for (const check of result.failingChecks) {
+      lines.push(`  FAIL  ${check.id}: ${check.detail || ""}`);
+    }
+    lines.push("");
+  }
+
+  lines.push("Passing:");
+  for (const id of result.passingChecks) {
+    lines.push(`  pass  ${id}`);
+  }
+
+  if (result.externalRepoCheck.skipped) {
+    lines.push("");
+    lines.push("External repo check: skipped (run with --external-cwd <path> to enable)");
+  }
+
+  return lines.join("\n");
+}
+
+module.exports = {
+  buildLaunchDistributionEvidence,
+  buildLaunchReadiness,
+  buildPackageAudit,
+  buildExternalRepoCheck,
+  evaluatePackageDistributionState,
+  formatLaunchReadinessText,
+  LAUNCH_READINESS_CONTRACT,
+};