brainclaw 1.7.5 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +28 -11
- package/dist/brainclaw-vscode.vsix +0 -0
- package/dist/cli.js +139 -13
- package/dist/commands/add-step.js +1 -1
- package/dist/commands/bootstrap.js +2 -26
- package/dist/commands/check-security-mcp.js +50 -33
- package/dist/commands/check-security.js +86 -43
- package/dist/commands/claim.js +22 -21
- package/dist/commands/confirm.js +26 -0
- package/dist/commands/context-diff.js +1 -1
- package/dist/commands/dispatch-watch.js +142 -0
- package/dist/commands/doctor.js +113 -2
- package/dist/commands/estimation-report.js +115 -16
- package/dist/commands/harvest.js +502 -16
- package/dist/commands/init.js +123 -21
- package/dist/commands/loops-handlers.js +4 -0
- package/dist/commands/mcp-read-handlers.js +198 -29
- package/dist/commands/mcp.js +615 -92
- package/dist/commands/memory.js +21 -17
- package/dist/commands/migrate.js +81 -17
- package/dist/commands/prune.js +78 -4
- package/dist/commands/reflect.js +26 -20
- package/dist/commands/register-agent.js +57 -1
- package/dist/commands/repair.js +20 -0
- package/dist/commands/session-end.js +15 -6
- package/dist/commands/session-start.js +18 -1
- package/dist/commands/setup-security.js +39 -18
- package/dist/commands/setup.js +26 -27
- package/dist/commands/stale.js +16 -2
- package/dist/commands/uninstall.js +126 -34
- package/dist/commands/update-step.js +6 -0
- package/dist/commands/worktree.js +60 -0
- package/dist/core/actions.js +12 -3
- package/dist/core/agent-capability.js +11 -13
- package/dist/core/agent-files.js +844 -547
- package/dist/core/agent-integrations.js +0 -3
- package/dist/core/agent-inventory.js +67 -0
- package/dist/core/agent-registry.js +163 -29
- package/dist/core/agentrun-reconciler.js +33 -2
- package/dist/core/agentruns.js +7 -1
- package/dist/core/ai-agent-detection.js +31 -44
- package/dist/core/archival.js +15 -9
- package/dist/core/assignment-reconciler.js +56 -0
- package/dist/core/assignment-sweeper.js +127 -4
- package/dist/core/assignments.js +69 -11
- package/dist/core/bootstrap.js +233 -67
- package/dist/core/brainclaw-version.js +22 -0
- package/dist/core/candidates.js +21 -1
- package/dist/core/claims.js +313 -150
- package/dist/core/config.js +6 -1
- package/dist/core/context-diff.js +148 -20
- package/dist/core/context.js +129 -8
- package/dist/core/coordination.js +22 -3
- package/dist/core/dispatch-status.js +109 -5
- package/dist/core/dispatcher.js +65 -11
- package/dist/core/entity-operations.js +45 -24
- package/dist/core/entity-registry.js +31 -5
- package/dist/core/event-log.js +138 -21
- package/dist/core/events/checkpoint.js +258 -0
- package/dist/core/events/genesis.js +220 -0
- package/dist/core/events/journal.js +507 -0
- package/dist/core/events/materialize.js +126 -0
- package/dist/core/events/registry-post-image.js +110 -0
- package/dist/core/events/verify.js +109 -0
- package/dist/core/execution-adapters.js +23 -0
- package/dist/core/execution.js +25 -0
- package/dist/core/facade-schema.js +48 -0
- package/dist/core/gc-semantic.js +130 -5
- package/dist/core/handoff-snapshot.js +68 -0
- package/dist/core/ids.js +19 -8
- package/dist/core/instruction-templates.js +34 -115
- package/dist/core/io.js +39 -3
- package/dist/core/json-store.js +10 -1
- package/dist/core/lock.js +153 -28
- package/dist/core/loops/bootstrap-acquire.js +25 -1
- package/dist/core/loops/facade-schema.js +2 -0
- package/dist/core/loops/hooks/survey-signals-baseline.js +36 -0
- package/dist/core/loops/index.js +1 -0
- package/dist/core/loops/presets/bootstrap.js +7 -0
- package/dist/core/loops/store.js +17 -0
- package/dist/core/loops/verbs.js +24 -1
- package/dist/core/markdown.js +8 -76
- package/dist/core/mcp-command-resolution.js +245 -0
- package/dist/core/memory-compactor.js +5 -3
- package/dist/core/memory-lifecycle.js +282 -0
- package/dist/core/merge-risk.js +150 -0
- package/dist/core/messaging.js +8 -1
- package/dist/core/migration.js +11 -1
- package/dist/core/observer-mode.js +26 -0
- package/dist/core/operations/memory-mutation.js +90 -65
- package/dist/core/operations/plan.js +27 -1
- package/dist/core/protocol-skills.js +210 -0
- package/dist/core/reflection-safety.js +6 -7
- package/dist/core/reputation.js +84 -2
- package/dist/core/runtime-signals.js +71 -9
- package/dist/core/runtime.js +84 -1
- package/dist/core/schema.js +125 -0
- package/dist/core/security-detectors.js +125 -0
- package/dist/core/security-extract.js +189 -0
- package/dist/core/security-guard.js +107 -29
- package/dist/core/security-packages.js +121 -0
- package/dist/core/security-scoring.js +76 -9
- package/dist/core/security.js +34 -2
- package/dist/core/sequence.js +11 -2
- package/dist/core/setup-flow.js +141 -13
- package/dist/core/spawn-check.js +110 -4
- package/dist/core/staleness.js +109 -1
- package/dist/core/state.js +250 -54
- package/dist/core/store-resolution.js +19 -5
- package/dist/core/worktree.js +169 -7
- package/dist/facts.js +8 -8
- package/dist/facts.json +7 -7
- package/docs/PROTOCOL.md +223 -0
- package/docs/cli.md +11 -10
- package/docs/concepts/coordinator-runbook.md +129 -0
- package/docs/concepts/dispatch-lifecycle.md +17 -0
- package/docs/concepts/event-log-store-critique-A.md +333 -0
- package/docs/concepts/event-log-store-critique-B.md +353 -0
- package/docs/concepts/event-log-store-phase0-measurements.md +58 -0
- package/docs/concepts/event-log-store-proposal-A.md +365 -0
- package/docs/concepts/event-log-store-proposal-B.md +404 -0
- package/docs/concepts/event-log-store.md +928 -0
- package/docs/concepts/identity-model-proposal.md +371 -0
- package/docs/concepts/memory.md +5 -4
- package/docs/concepts/observer-protocol.md +361 -0
- package/docs/concepts/parallel-merge-protocol.md +71 -0
- package/docs/concepts/plans-and-claims.md +43 -0
- package/docs/concepts/skills.md +78 -0
- package/docs/concepts/workspace-bootstrapping.md +61 -0
- package/docs/integrations/agents.md +4 -4
- package/docs/integrations/cline.md +10 -11
- package/docs/integrations/codex.md +2 -2
- package/docs/integrations/continue.md +5 -5
- package/docs/integrations/copilot.md +14 -12
- package/docs/integrations/openclaw.md +7 -6
- package/docs/integrations/overview.md +7 -7
- package/docs/integrations/roo.md +3 -3
- package/docs/integrations/windsurf.md +6 -6
- package/docs/mcp-schema-changelog.md +51 -20
- package/docs/quickstart.md +48 -47
- package/docs/security.md +174 -15
- package/docs/storage.md +4 -2
- package/package.json +8 -6
package/dist/core/state.js
CHANGED
|
@@ -1,11 +1,13 @@
|
|
|
1
1
|
import fs from 'node:fs';
|
|
2
2
|
import path from 'node:path';
|
|
3
3
|
import { ConstraintSchema, DecisionSchema, TrapSchema, HandoffSchema, PlanItemSchema } from './schema.js';
|
|
4
|
-
import { ensureMemoryDir, resolveEntityDir } from './io.js';
|
|
4
|
+
import { ensureMemoryDir, resolveEntityDir, writeFileAtomic } from './io.js';
|
|
5
5
|
import { mutate } from './mutation-pipeline.js';
|
|
6
6
|
import { commitMemoryChange } from './memory-git.js';
|
|
7
7
|
import { appendEvent } from './event-log.js';
|
|
8
|
-
import {
|
|
8
|
+
import { appendJournalRecords, resolveJournalMode, resolveCheckpointRead } from './events/journal.js';
|
|
9
|
+
import { materializeStateFromCheckpoint } from './events/checkpoint.js';
|
|
10
|
+
import { loadVersionedJsonFile, serializeVersionedJson, preparePersistedDocument } from './migration.js';
|
|
9
11
|
import { rebuildProjectMd } from './markdown.js';
|
|
10
12
|
import { refreshLiveCompanions } from '../commands/export.js';
|
|
11
13
|
import { logger } from './logger.js';
|
|
@@ -102,6 +104,24 @@ export function findLoadValidationWarning(entity, id, cwd) {
|
|
|
102
104
|
export function loadState(cwd) {
|
|
103
105
|
// Load from entity-aligned directories (with legacy fallback)
|
|
104
106
|
const effectiveCwd = cwd ?? process.cwd();
|
|
107
|
+
// pln#566 Inc0 s2 — checkpointRead fast path. OFF by default (dual/off mode):
|
|
108
|
+
// projection files remain the read substrate. When the capability is enabled
|
|
109
|
+
// (primary soak) AND a verified journal-derived checkpoint exists, serve from
|
|
110
|
+
// checkpoint + sealed tail instead of reading every projection file. ANY
|
|
111
|
+
// failure (no checkpoint, failed verification, replay error) falls through to
|
|
112
|
+
// the projection read below — the checkpoint is never the sole truth.
|
|
113
|
+
if (resolveCheckpointRead(effectiveCwd)) {
|
|
114
|
+
try {
|
|
115
|
+
const fast = materializeStateFromCheckpoint(effectiveCwd);
|
|
116
|
+
// Merge over emptyState so the served State carries the same envelope
|
|
117
|
+
// fields (version/write_version) a projection read produces; the
|
|
118
|
+
// checkpoint only materializes the 5 entity collections. Already sorted
|
|
119
|
+
// by projectLiveToState.
|
|
120
|
+
if (fast)
|
|
121
|
+
return { ...emptyState(), ...fast };
|
|
122
|
+
}
|
|
123
|
+
catch { /* fall through to projection read */ }
|
|
124
|
+
}
|
|
105
125
|
const state = emptyState();
|
|
106
126
|
state.active_constraints = loadDirectoryItems(resolveEntityDir('constraints', effectiveCwd, 'read'), ConstraintSchema, 'constraint');
|
|
107
127
|
state.recent_decisions = loadDirectoryItems(resolveEntityDir('decisions', effectiveCwd, 'read'), DecisionSchema, 'decision');
|
|
@@ -116,72 +136,189 @@ export function loadState(cwd) {
|
|
|
116
136
|
state.plan_items.sort((a, b) => a.created_at.localeCompare(b.created_at));
|
|
117
137
|
return state;
|
|
118
138
|
}
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
139
|
+
const persistWriteStats = { written: 0, skippedUnchanged: 0 };
|
|
140
|
+
export function readPersistWriteStats() {
|
|
141
|
+
return { ...persistWriteStats };
|
|
142
|
+
}
|
|
143
|
+
export function resetPersistWriteStats() {
|
|
144
|
+
persistWriteStats.written = 0;
|
|
145
|
+
persistWriteStats.skippedUnchanged = 0;
|
|
146
|
+
}
|
|
147
|
+
/**
|
|
148
|
+
* Order-insensitive canonical form of a JSON document, for the dirty-tracking
|
|
149
|
+
* skip compare. Recursively sorts object keys; returns the raw input on parse
|
|
150
|
+
* failure so corrupt/non-JSON bytes never compare equal to a valid desired doc.
|
|
151
|
+
*/
|
|
152
|
+
function canonicalJson(raw) {
|
|
153
|
+
const sortKeys = (value) => {
|
|
154
|
+
if (Array.isArray(value))
|
|
155
|
+
return value.map(sortKeys);
|
|
156
|
+
if (value && typeof value === 'object') {
|
|
157
|
+
return Object.fromEntries(Object.entries(value)
|
|
158
|
+
.sort(([a], [b]) => a.localeCompare(b))
|
|
159
|
+
.map(([k, v]) => [k, sortKeys(v)]));
|
|
160
|
+
}
|
|
161
|
+
return value;
|
|
162
|
+
};
|
|
163
|
+
try {
|
|
164
|
+
return JSON.stringify(sortKeys(JSON.parse(raw)));
|
|
165
|
+
}
|
|
166
|
+
catch {
|
|
167
|
+
return raw; // unparseable → never equals a canonical desired doc
|
|
122
168
|
}
|
|
123
|
-
|
|
169
|
+
}
|
|
170
|
+
/**
|
|
171
|
+
* Pure planning pass: compute which projection files WOULD change, without
|
|
172
|
+
* writing anything. Same dirty-tracking + canonical-compare + parseable-guard
|
|
173
|
+
* logic as the old syncDirectory; only the IO is deferred to applySyncPlan.
|
|
174
|
+
*/
|
|
175
|
+
function planSyncDirectory(dirPath, items, documentType, schema, deleteMissing) {
|
|
176
|
+
const plan = { dirPath, writes: [], deletes: [] };
|
|
177
|
+
// Write only the items whose on-disk bytes would change (dirty-tracking,
|
|
178
|
+
// pln#543 step 3). The comparison uses the writer's own serializer so a
|
|
179
|
+
// "skip" can never diverge from what saveVersionedJsonFile would produce.
|
|
180
|
+
// Safe against trp#126: a missing/byte-different file never matches, so an
|
|
181
|
+
// in-state entity whose projection is absent/corrupt is always rewritten.
|
|
124
182
|
const currentIds = new Set();
|
|
125
183
|
for (const item of items) {
|
|
126
184
|
currentIds.add(item.id);
|
|
127
185
|
const filepath = path.join(dirPath, `${item.id}.json`);
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
186
|
+
const desired = serializeVersionedJson(documentType, item);
|
|
187
|
+
let existing;
|
|
188
|
+
try {
|
|
189
|
+
existing = fs.readFileSync(filepath, 'utf-8');
|
|
190
|
+
}
|
|
191
|
+
catch {
|
|
192
|
+
existing = undefined; // missing/unreadable → write
|
|
193
|
+
}
|
|
194
|
+
// Semantic (canonical, sorted-key) compare, not byte compare: loadState
|
|
195
|
+
// re-parses through zod which can reorder keys; a byte compare would
|
|
196
|
+
// rewrite the whole store every persist. Unparseable bytes never match
|
|
197
|
+
// → rewrite (keeps trp#126 safety).
|
|
198
|
+
if (existing !== undefined && canonicalJson(existing) === canonicalJson(desired)) {
|
|
199
|
+
persistWriteStats.skippedUnchanged += 1;
|
|
200
|
+
continue;
|
|
201
|
+
}
|
|
202
|
+
plan.writes.push({ filepath, desired, item, created: existing === undefined });
|
|
203
|
+
}
|
|
204
|
+
if (!deleteMissing)
|
|
205
|
+
return plan;
|
|
206
|
+
// Plan removals of files no longer in state. CRITICAL: distinguish an
|
|
207
|
+
// intentional drop from a file silently dropped by loadDirectoryItems on a
|
|
208
|
+
// schema.parse throw (deleting the second kind corrupts data — trp#126). Only
|
|
209
|
+
// parseable + not-in-state files are unlinked; unparseable are preserved.
|
|
210
|
+
const files = fs.existsSync(dirPath)
|
|
211
|
+
? fs.readdirSync(dirPath).filter(f => f.endsWith('.json'))
|
|
212
|
+
: [];
|
|
138
213
|
for (const file of files) {
|
|
139
214
|
const id = file.replace('.json', '');
|
|
140
215
|
if (currentIds.has(id))
|
|
141
216
|
continue;
|
|
142
217
|
const filepath = path.join(dirPath, file);
|
|
143
|
-
let parseable = false;
|
|
144
218
|
try {
|
|
145
219
|
schema.parse(loadVersionedJsonFile(documentType, filepath).document);
|
|
146
|
-
parseable = true;
|
|
147
220
|
}
|
|
148
221
|
catch {
|
|
149
222
|
// Already logged by loadDirectoryItems — leave the file in place.
|
|
223
|
+
continue;
|
|
150
224
|
}
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
225
|
+
plan.deletes.push({ filepath, id });
|
|
226
|
+
}
|
|
227
|
+
return plan;
|
|
228
|
+
}
|
|
229
|
+
/** Apply a planned sync: the actual projection-file writes/unlinks (the IO that
|
|
230
|
+
* must happen AFTER the journal append+fsync). Returns the dirty result. */
|
|
231
|
+
function applySyncPlan(plan) {
|
|
232
|
+
const result = { written: [], deleted: [] };
|
|
233
|
+
// Create the entity dir unconditionally (matches the pre-split syncDirectory,
|
|
234
|
+
// which always ensured the dir even for an empty/unchanged collection).
|
|
235
|
+
if (!fs.existsSync(plan.dirPath)) {
|
|
236
|
+
fs.mkdirSync(plan.dirPath, { recursive: true });
|
|
237
|
+
}
|
|
238
|
+
for (const { filepath, desired, item, created } of plan.writes) {
|
|
239
|
+
writeFileAtomic(filepath, desired);
|
|
240
|
+
persistWriteStats.written += 1;
|
|
241
|
+
result.written.push({ item, created });
|
|
154
242
|
}
|
|
243
|
+
for (const { filepath, id } of plan.deletes) {
|
|
244
|
+
fs.unlinkSync(filepath);
|
|
245
|
+
result.deleted.push(id);
|
|
246
|
+
}
|
|
247
|
+
return result;
|
|
155
248
|
}
|
|
156
249
|
export function saveState(state, cwd) {
|
|
157
250
|
persistState(state, cwd, { writeProjectMarkdown: false });
|
|
158
251
|
}
|
|
159
252
|
function persistStateUnlocked(state, cwd, options = {}) {
|
|
160
|
-
|
|
253
|
+
ensureMemoryDir(cwd);
|
|
254
|
+
const effectiveCwd = cwd ?? process.cwd();
|
|
255
|
+
// pln#566 F1 — JOURNAL BEFORE PROJECTIONS (invariant I2). Persist now runs in
|
|
256
|
+
// three ordered phases so the journal can never lag the projections: a crash
|
|
257
|
+
// mid-persist leaves the journal AHEAD (the only direction lazy-reconcile can
|
|
258
|
+
// recover), never projections ahead (which materialize/verify could not
|
|
259
|
+
// explain). Phase 1 PLAN (pure compute, no IO) → Phase 2 emit+fsync the
|
|
260
|
+
// per-entity post-images to the journal → Phase 3 APPLY projection writes.
|
|
261
|
+
const { plans, legacyDeletes, dirty } = planStateDirectories(state, effectiveCwd, options.deleteMissing ?? false);
|
|
262
|
+
emitPerEntityJournalRecords(dirty, options.eventAction, effectiveCwd);
|
|
263
|
+
faultPoint('after_journal'); // test-only: crash AFTER journal, BEFORE projections
|
|
264
|
+
applyStatePlans(plans, legacyDeletes);
|
|
265
|
+
faultPoint('after_projection'); // test-only: crash AFTER projections written
|
|
161
266
|
if (options.writeProjectMarkdown ?? true) {
|
|
162
|
-
rebuildProjectMd(state,
|
|
267
|
+
rebuildProjectMd(state, effectiveCwd);
|
|
163
268
|
}
|
|
269
|
+
// v1 events.jsonl: keep the coarse store event for existing consumers, but
|
|
270
|
+
// suppress its envelope-only journal dual-write — the v2 per-entity emit
|
|
271
|
+
// above is the authoritative §2.8 diff choke point.
|
|
164
272
|
appendEvent({
|
|
165
273
|
action: options.eventAction ?? 'update',
|
|
166
274
|
item_type: 'state',
|
|
167
275
|
agent: 'system',
|
|
168
276
|
summary: options.eventSummary,
|
|
169
|
-
},
|
|
170
|
-
|
|
171
|
-
//
|
|
172
|
-
//
|
|
277
|
+
}, effectiveCwd, { journalDualWrite: false });
|
|
278
|
+
// NOTE (pln#558 step 2): the git commit and refreshLiveCompanions used to
|
|
279
|
+
// run here, INSIDE the mutation lock. A single persistState was holding
|
|
280
|
+
// the lock for >5s on Juan's machine (full-store rewrite + git add -A +
|
|
281
|
+
// git commit + live-companion refresh), which serialized every other
|
|
282
|
+
// writer. They are now invoked by persistState / mutateState AFTER the
|
|
283
|
+
// lock releases — see runPostWriteHooks below. The critical section is
|
|
284
|
+
// now writes-only; commit / companion-refresh are best-effort observers.
|
|
285
|
+
}
|
|
286
|
+
function runPostWriteHooks(cwd, commitMessage) {
|
|
287
|
+
// git add + git commit. Safe outside the lock because (a) git itself
|
|
288
|
+
// serializes concurrent index access via .git/index.lock, (b) the
|
|
289
|
+
// implementation already swallows failures (see memory-git.ts), and
|
|
290
|
+
// (c) the commit is an audit trail, not the data itself.
|
|
291
|
+
try {
|
|
292
|
+
commitMemoryChange(commitMessage, cwd);
|
|
293
|
+
}
|
|
294
|
+
catch { /* best-effort */ }
|
|
295
|
+
// Live companion files (Tier B/C agent surfaces). Already best-effort.
|
|
173
296
|
try {
|
|
174
297
|
refreshLiveCompanions(cwd);
|
|
175
298
|
}
|
|
176
299
|
catch { /* best-effort */ }
|
|
177
300
|
}
|
|
178
|
-
|
|
301
|
+
/**
|
|
302
|
+
* Test-only crash injection (pln#566 F1). No-op unless BRAINCLAW_FAULT_POINT
|
|
303
|
+
* matches the label — then it throws, simulating a process death at that exact
|
|
304
|
+
* point in the persist pipeline so crash-ordering invariants can be tested
|
|
305
|
+
* deterministically without racing a real SIGKILL.
|
|
306
|
+
*/
|
|
307
|
+
function faultPoint(label) {
|
|
308
|
+
if (process.env.BRAINCLAW_FAULT_POINT === label) {
|
|
309
|
+
throw new Error(`fault-injection: crashed at "${label}" (BRAINCLAW_FAULT_POINT)`);
|
|
310
|
+
}
|
|
311
|
+
}
|
|
312
|
+
/**
|
|
313
|
+
* Plan (do not apply) the removal of legacy-dir orphans. Read-only: matches
|
|
314
|
+
* syncDirectory's safety condition (only parseable records absent from state
|
|
315
|
+
* are deletable; unparseable are preserved for inspection/repair). The actual
|
|
316
|
+
* unlink is deferred to applyStatePlans so it lands AFTER the journal append.
|
|
317
|
+
*/
|
|
318
|
+
function planCleanupLegacyDir(entityName, currentIds, cwd, documentType, schema) {
|
|
319
|
+
const out = [];
|
|
179
320
|
const writeDir = resolveEntityDir(entityName, cwd, 'write');
|
|
180
321
|
const readDir = resolveEntityDir(entityName, cwd, 'read');
|
|
181
|
-
// If read resolves to a different (legacy) directory, clean orphans there too.
|
|
182
|
-
// Match syncDirectory's safety condition: only delete parseable records that
|
|
183
|
-
// are absent from the current state. Schema-invalid legacy files may be drifted
|
|
184
|
-
// data that operators still need to inspect or repair.
|
|
185
322
|
if (readDir !== writeDir && fs.existsSync(readDir)) {
|
|
186
323
|
const files = fs.readdirSync(readDir).filter(f => f.endsWith('.json'));
|
|
187
324
|
for (const file of files) {
|
|
@@ -189,51 +326,110 @@ function cleanupLegacyDir(entityName, currentIds, cwd, documentType, schema) {
|
|
|
189
326
|
if (currentIds.has(id))
|
|
190
327
|
continue;
|
|
191
328
|
const filepath = path.join(readDir, file);
|
|
192
|
-
let parseable = false;
|
|
193
329
|
try {
|
|
194
330
|
schema.parse(loadVersionedJsonFile(documentType, filepath).document);
|
|
195
|
-
parseable = true;
|
|
196
331
|
}
|
|
197
332
|
catch {
|
|
198
333
|
logger.warn(`Preserving unparseable legacy ${entityName} file ${file}`);
|
|
199
334
|
continue;
|
|
200
335
|
}
|
|
201
|
-
|
|
202
|
-
fs.unlinkSync(filepath);
|
|
203
|
-
}
|
|
336
|
+
out.push({ filepath, id }); // O3: surfaced so a delete tombstone is emitted
|
|
204
337
|
}
|
|
205
338
|
}
|
|
339
|
+
return out;
|
|
206
340
|
}
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
341
|
+
/**
|
|
342
|
+
* Phase 1 of persist: compute every projection change WITHOUT writing. The
|
|
343
|
+
* returned `dirty` (post-images + tombstone ids) lets the journal be emitted +
|
|
344
|
+
* fsync'd before applyStatePlans touches any file (pln#566 F1 / I2).
|
|
345
|
+
*/
|
|
346
|
+
function planStateDirectories(state, cwd, deleteMissing) {
|
|
210
347
|
const entities = [
|
|
211
|
-
{ name: 'constraints', items: state.active_constraints, docType: 'constraint', schema: ConstraintSchema },
|
|
212
|
-
{ name: 'decisions', items: state.recent_decisions, docType: 'decision', schema: DecisionSchema },
|
|
213
|
-
{ name: 'traps', items: state.known_traps, docType: 'trap', schema: TrapSchema },
|
|
214
|
-
{ name: 'handoffs', items: state.open_handoffs, docType: 'handoff', schema: HandoffSchema },
|
|
215
|
-
{ name: 'plans', items: state.plan_items, docType: 'plan', schema: PlanItemSchema },
|
|
348
|
+
{ name: 'constraints', itemType: 'constraint', items: state.active_constraints, docType: 'constraint', schema: ConstraintSchema },
|
|
349
|
+
{ name: 'decisions', itemType: 'decision', items: state.recent_decisions, docType: 'decision', schema: DecisionSchema },
|
|
350
|
+
{ name: 'traps', itemType: 'trap', items: state.known_traps, docType: 'trap', schema: TrapSchema },
|
|
351
|
+
{ name: 'handoffs', itemType: 'handoff', items: state.open_handoffs, docType: 'handoff', schema: HandoffSchema },
|
|
352
|
+
{ name: 'plans', itemType: 'plan', items: state.plan_items, docType: 'plan', schema: PlanItemSchema },
|
|
216
353
|
];
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
354
|
+
const plans = [];
|
|
355
|
+
const legacyDeletes = [];
|
|
356
|
+
const dirty = [];
|
|
357
|
+
for (const { name, itemType, items, docType, schema } of entities) {
|
|
358
|
+
const writeDir = resolveEntityDir(name, cwd, 'write');
|
|
359
|
+
const plan = planSyncDirectory(writeDir, items, docType, schema, deleteMissing);
|
|
360
|
+
plans.push(plan);
|
|
361
|
+
const deleted = plan.deletes.map(d => d.id);
|
|
362
|
+
if (deleteMissing) {
|
|
363
|
+
// O3: legacy-dir orphans must also emit a delete tombstone.
|
|
364
|
+
const legacy = planCleanupLegacyDir(name, new Set(items.map(i => i.id)), cwd, docType, schema);
|
|
365
|
+
for (const l of legacy) {
|
|
366
|
+
legacyDeletes.push(l);
|
|
367
|
+
deleted.push(l.id);
|
|
368
|
+
}
|
|
369
|
+
}
|
|
370
|
+
dirty.push({ itemType, written: plan.writes.map(w => ({ item: w.item, created: w.created })), deleted });
|
|
371
|
+
}
|
|
372
|
+
return { plans, legacyDeletes, dirty };
|
|
373
|
+
}
|
|
374
|
+
/** Phase 3 of persist: apply the planned projection writes/unlinks (the IO that
|
|
375
|
+
* must follow the journal append+fsync). */
|
|
376
|
+
function applyStatePlans(plans, legacyDeletes) {
|
|
377
|
+
for (const plan of plans)
|
|
378
|
+
applySyncPlan(plan);
|
|
379
|
+
for (const { filepath } of legacyDeletes) {
|
|
380
|
+
try {
|
|
381
|
+
fs.unlinkSync(filepath);
|
|
382
|
+
}
|
|
383
|
+
catch { /* already gone — idempotent */ }
|
|
384
|
+
}
|
|
385
|
+
}
|
|
386
|
+
/**
|
|
387
|
+
* Emit one journal record per dirty entity with its full post-image
|
|
388
|
+
* (entity-state class, §2.1.1 / §2.8): the persist path is where the store's
|
|
389
|
+
* source-of-truth events are minted, because only it holds the entity docs.
|
|
390
|
+
* No-op when the journal flag is off. Failures are swallowed inside
|
|
391
|
+
* appendJournalRecords (dual mode: v1 projections remain the truth).
|
|
392
|
+
*/
|
|
393
|
+
function emitPerEntityJournalRecords(dirty, storeAction, cwd) {
|
|
394
|
+
if (resolveJournalMode(cwd) === 'off')
|
|
395
|
+
return;
|
|
396
|
+
const records = [];
|
|
397
|
+
for (const { itemType, written, deleted } of dirty) {
|
|
398
|
+
for (const { item, created } of written) {
|
|
399
|
+
// Post-image = the prepared document (with schema_version), so the
|
|
400
|
+
// journal record is byte-faithful to the projection: materialize can
|
|
401
|
+
// reconstruct an identical file, and verify compares like-for-like.
|
|
402
|
+
records.push({
|
|
403
|
+
action: storeAction && storeAction !== 'update' ? storeAction : (created ? 'create' : 'update'),
|
|
404
|
+
item_type: itemType,
|
|
405
|
+
item_id: item.id,
|
|
406
|
+
agent: 'system',
|
|
407
|
+
payload: preparePersistedDocument(itemType, item),
|
|
408
|
+
});
|
|
409
|
+
}
|
|
410
|
+
for (const id of deleted) {
|
|
411
|
+
records.push({ action: 'delete', item_type: itemType, item_id: id, agent: 'system' });
|
|
412
|
+
}
|
|
222
413
|
}
|
|
414
|
+
if (records.length > 0)
|
|
415
|
+
appendJournalRecords(records, cwd);
|
|
223
416
|
}
|
|
224
417
|
export function persistState(state, cwd, options = {}) {
|
|
225
418
|
const effectiveCwd = cwd ?? process.cwd();
|
|
226
419
|
mutate({ cwd: effectiveCwd }, () => {
|
|
227
420
|
persistStateUnlocked(state, effectiveCwd, options);
|
|
228
421
|
});
|
|
422
|
+
runPostWriteHooks(effectiveCwd, options.commitMessage ?? 'state update');
|
|
229
423
|
}
|
|
230
424
|
export function mutateState(mutateFn, cwd, options = {}) {
|
|
231
425
|
const effectiveCwd = cwd ?? process.cwd();
|
|
232
|
-
|
|
426
|
+
const result = mutate({ cwd: effectiveCwd }, () => {
|
|
233
427
|
const state = loadState(effectiveCwd);
|
|
234
|
-
const
|
|
235
|
-
persistStateUnlocked(state, effectiveCwd, options);
|
|
236
|
-
return
|
|
428
|
+
const value = mutateFn(state);
|
|
429
|
+
persistStateUnlocked(state, effectiveCwd, { ...options, deleteMissing: true });
|
|
430
|
+
return value;
|
|
237
431
|
});
|
|
432
|
+
runPostWriteHooks(effectiveCwd, options.commitMessage ?? 'state update');
|
|
433
|
+
return result;
|
|
238
434
|
}
|
|
239
435
|
//# sourceMappingURL=state.js.map
|
|
@@ -166,12 +166,24 @@ export function resolveProjectRef(ref, cwd = process.cwd(), storeChainOptions) {
|
|
|
166
166
|
?? resolveWorkspaceRoot(cwd, storeChainOptions);
|
|
167
167
|
if (!wsRoot)
|
|
168
168
|
return undefined;
|
|
169
|
-
//
|
|
169
|
+
// The trust boundary for raw path refs is the provided cwd. Callers in
|
|
170
|
+
// MCP context set cwd to the workspace root, so child projects resolve
|
|
171
|
+
// naturally. Walking further up (to a user-level store at home) would
|
|
172
|
+
// allow path-injection to sibling or home stores — that is the vulnerability
|
|
173
|
+
// we are closing. Name-based lookup below is unrestricted since it matches
|
|
174
|
+
// by project_name / project_id, not by arbitrary path.
|
|
175
|
+
const trustBoundary = path.resolve(cwd);
|
|
176
|
+
// Try as absolute path — only allowed if within the cwd boundary.
|
|
170
177
|
if (path.isAbsolute(ref)) {
|
|
178
|
+
if (!isAtOrBelow(ref, trustBoundary))
|
|
179
|
+
return undefined;
|
|
171
180
|
return fs.existsSync(path.join(ref, MEMORY_DIR, 'config.yaml')) ? ref : undefined;
|
|
172
181
|
}
|
|
173
|
-
// Try as relative path from
|
|
174
|
-
|
|
182
|
+
// Try as relative path resolved from the cwd boundary.
|
|
183
|
+
// Guards against ../ traversal (e.g. "../sibling-project").
|
|
184
|
+
const asPath = path.resolve(trustBoundary, ref);
|
|
185
|
+
if (!isAtOrBelow(asPath, trustBoundary))
|
|
186
|
+
return undefined;
|
|
175
187
|
if (fs.existsSync(path.join(asPath, MEMORY_DIR, 'config.yaml'))) {
|
|
176
188
|
return asPath;
|
|
177
189
|
}
|
|
@@ -315,8 +327,10 @@ function findClosestStoreBelow(target, ceiling) {
|
|
|
315
327
|
*/
|
|
316
328
|
function isAtOrBelow(dir, ancestor) {
|
|
317
329
|
const rel = path.relative(ancestor, dir);
|
|
318
|
-
//
|
|
319
|
-
|
|
330
|
+
// '..' prefix → dir is above ancestor. An absolute result means a different
|
|
331
|
+
// Windows drive (path.relative returns the absolute `to` path then), which is
|
|
332
|
+
// also outside the boundary — without this check `D:\evil` would pass.
|
|
333
|
+
return !rel.startsWith('..') && !path.isAbsolute(rel);
|
|
320
334
|
}
|
|
321
335
|
function resolveAbsoluteTargetPath(cwd, target) {
|
|
322
336
|
if (path.isAbsolute(target)) {
|
package/dist/core/worktree.js
CHANGED
|
@@ -10,6 +10,30 @@ import { parsePorcelainZ, isSystemDirtyPath } from './dirty-scope.js';
|
|
|
10
10
|
function gitPath(p) {
|
|
11
11
|
return p.replace(/\\/g, '/');
|
|
12
12
|
}
|
|
13
|
+
/**
|
|
14
|
+
* can_45316d5c — sanitize a scope-derived slug into a valid git branch
|
|
15
|
+
* component (`git check-ref-format` rules). Scopes like `.github/workflows`
|
|
16
|
+
* produced `feat/.github-workflows`, which git rejects (component starting
|
|
17
|
+
* with a dot), failing the whole worktree creation.
|
|
18
|
+
*
|
|
19
|
+
* Rules covered: no leading dots/dashes, no trailing dots, no `..`, no
|
|
20
|
+
* `@{`, no control/space/`~^:?*[\\` characters, no trailing `.lock`.
|
|
21
|
+
*/
|
|
22
|
+
export function sanitizeBranchComponent(raw, fallback = 'scope') {
|
|
23
|
+
let slug = raw
|
|
24
|
+
.replace(/[\s~^:?*[\]\\]/g, '-') // chars forbidden by check-ref-format
|
|
25
|
+
.replace(/@\{/g, '-') // reflog syntax
|
|
26
|
+
.replace(/\.\.+/g, '.') // no double dots
|
|
27
|
+
.replace(/[^a-zA-Z0-9._-]/g, '-') // conservative whitelist for the rest
|
|
28
|
+
.replace(/-+/g, '-') // collapse dashes
|
|
29
|
+
.replace(/^[.-]+/, '') // no leading dot/dash
|
|
30
|
+
.replace(/[.-]+$/, ''); // no trailing dot/dash
|
|
31
|
+
if (/\.lock$/i.test(slug))
|
|
32
|
+
slug = slug.slice(0, -'.lock'.length);
|
|
33
|
+
if (!slug)
|
|
34
|
+
slug = fallback;
|
|
35
|
+
return slug.slice(0, 48);
|
|
36
|
+
}
|
|
13
37
|
/**
|
|
14
38
|
* Stack marker → shared directories mapping.
|
|
15
39
|
* Maven/Gradle/Cargo intentionally excluded — their dep caches live
|
|
@@ -138,7 +162,15 @@ function canonicalizeScopePath(target) {
|
|
|
138
162
|
* project even when two projects share the same repo name.
|
|
139
163
|
*/
|
|
140
164
|
export function worktreesBaseDir(mainWorktreePath) {
|
|
141
|
-
|
|
165
|
+
let stablePath = path.resolve(mainWorktreePath);
|
|
166
|
+
try {
|
|
167
|
+
stablePath = fs.realpathSync.native(stablePath);
|
|
168
|
+
}
|
|
169
|
+
catch { /* path may not exist yet; path.resolve is still deterministic */ }
|
|
170
|
+
if (process.platform === 'win32' || /^[a-zA-Z]:[\\/]/.test(mainWorktreePath)) {
|
|
171
|
+
stablePath = stablePath.toLowerCase();
|
|
172
|
+
}
|
|
173
|
+
const hash = crypto.createHash('sha1').update(stablePath).digest('hex').slice(0, 12);
|
|
142
174
|
return path.join(os.homedir(), '.brainclaw', 'worktrees', hash);
|
|
143
175
|
}
|
|
144
176
|
/**
|
|
@@ -176,6 +208,104 @@ export function hasGitLock(cwd) {
|
|
|
176
208
|
const lockPath = path.join(gitDir.stdout.trim(), 'index.lock');
|
|
177
209
|
return fs.existsSync(lockPath);
|
|
178
210
|
}
|
|
211
|
+
/**
|
|
212
|
+
* True when `worktreePath` is a LINKED git worktree (created by `git worktree
|
|
213
|
+
* add`), NOT the main repository. The key invariant for pln#534's commit-on-
|
|
214
|
+
* behalf: brainclaw must NEVER commit into the integration repo, only into the
|
|
215
|
+
* isolated worktree it dispatched.
|
|
216
|
+
*
|
|
217
|
+
* Detection uses the canonical, platform-stable signal: in a linked worktree
|
|
218
|
+
* the entry at `<worktree>/.git` is a FILE (a `gitdir: …` pointer into the main
|
|
219
|
+
* repo's `.git/worktrees/<name>`), whereas the main repository's `.git` is a
|
|
220
|
+
* DIRECTORY. (An earlier implementation compared `git rev-parse
|
|
221
|
+
* --absolute-git-dir` against `--git-common-dir`, but those returned
|
|
222
|
+
* differently-normalized paths on the Windows CI runner — short 8.3 names /
|
|
223
|
+
* drive-letter case — so the main repo was misread as linked. The file-vs-dir
|
|
224
|
+
* check needs no path normalization.)
|
|
225
|
+
*/
|
|
226
|
+
export function isLinkedWorktree(worktreePath) {
|
|
227
|
+
if (!fs.existsSync(worktreePath))
|
|
228
|
+
return false;
|
|
229
|
+
try {
|
|
230
|
+
const dotGit = path.join(worktreePath, '.git');
|
|
231
|
+
const st = fs.statSync(dotGit);
|
|
232
|
+
// main repo → .git is a directory; linked worktree → .git is a file pointer.
|
|
233
|
+
return st.isFile();
|
|
234
|
+
}
|
|
235
|
+
catch {
|
|
236
|
+
return false; // no .git entry → not a git worktree
|
|
237
|
+
}
|
|
238
|
+
}
|
|
239
|
+
/**
|
|
240
|
+
* pln#534 (worktree-as-contract) — commit the uncommitted diff of a dispatched
|
|
241
|
+
* worktree ON BEHALF of a worker that cannot commit itself (a sandboxed agent
|
|
242
|
+
* whose root excludes `.git`, i.e. `dispatchCanCommit=false`). The worker's only
|
|
243
|
+
* contract is "edit files in this worktree + drop LANE-RESULT.json"; brainclaw
|
|
244
|
+
* carries the commit so the code lands on the lane branch and propagates.
|
|
245
|
+
*
|
|
246
|
+
* GUARDS (defence-in-depth, since this writes git history):
|
|
247
|
+
* - the path must exist and be a LINKED worktree — NEVER the main repo;
|
|
248
|
+
* - no commit when an index.lock is present (concurrent git op);
|
|
249
|
+
* - no commit when the worktree is clean;
|
|
250
|
+
* - all git runs are `spawnSync('git', [...])` with `-C <worktree>` semantics
|
|
251
|
+
* (cwd-scoped, no shell) so nothing can escape the worktree.
|
|
252
|
+
* Returns a structured result instead of throwing so callers degrade gracefully.
|
|
253
|
+
*/
|
|
254
|
+
export function commitWorktreeOnBehalf(worktreePath, message, options = {}) {
|
|
255
|
+
if (!fs.existsSync(worktreePath)) {
|
|
256
|
+
return { committed: false, files_changed: [], reason: `worktree path does not exist: ${worktreePath}` };
|
|
257
|
+
}
|
|
258
|
+
if (!isLinkedWorktree(worktreePath)) {
|
|
259
|
+
return { committed: false, files_changed: [], reason: `refusing to commit: ${worktreePath} is not a linked git worktree (main-repo guard)` };
|
|
260
|
+
}
|
|
261
|
+
if (hasGitLock(worktreePath)) {
|
|
262
|
+
return { committed: false, files_changed: [], reason: 'git index.lock present — another git operation is in progress' };
|
|
263
|
+
}
|
|
264
|
+
const status = runGit(['status', '--porcelain'], worktreePath);
|
|
265
|
+
if (!status.ok) {
|
|
266
|
+
return { committed: false, files_changed: [], reason: `git status failed: ${status.stderr.trim()}` };
|
|
267
|
+
}
|
|
268
|
+
if (status.stdout.trim().length === 0) {
|
|
269
|
+
return { committed: false, files_changed: [], reason: 'worktree clean — nothing to commit' };
|
|
270
|
+
}
|
|
271
|
+
// Stage everything, then UNSTAGE the transient files that must never land on
|
|
272
|
+
// the lane branch: the worker's own `LANE-RESULT.json` report and any
|
|
273
|
+
// `.brainclaw/` coordination state. Committing those would pollute the branch
|
|
274
|
+
// (and master, on merge) with non-deliverable artefacts.
|
|
275
|
+
const add = runGit(['add', '-A'], worktreePath);
|
|
276
|
+
if (!add.ok) {
|
|
277
|
+
return { committed: false, files_changed: [], reason: `git add failed: ${add.stderr.trim()}` };
|
|
278
|
+
}
|
|
279
|
+
runGit(['reset', '-q', '--', 'LANE-RESULT.json', '.brainclaw', '.brainclaw-heartbeat-*'], worktreePath);
|
|
280
|
+
// The files actually staged for this commit (post-exclusion) — also the
|
|
281
|
+
// truthful files_changed report.
|
|
282
|
+
const staged = runGit(['diff', '--cached', '--name-only'], worktreePath);
|
|
283
|
+
const files = staged.stdout.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
|
|
284
|
+
if (files.length === 0) {
|
|
285
|
+
// Only transient files changed — nothing deliverable to commit. Restore the
|
|
286
|
+
// index so the worktree is left exactly as the worker left it.
|
|
287
|
+
runGit(['reset', '-q'], worktreePath);
|
|
288
|
+
return { committed: false, files_changed: [], reason: 'no committable changes (only transient LANE-RESULT.json / .brainclaw)' };
|
|
289
|
+
}
|
|
290
|
+
const authorName = options.authorName ?? 'brainclaw (on behalf)';
|
|
291
|
+
const authorEmail = options.authorEmail ?? 'brainclaw@on-behalf.local';
|
|
292
|
+
const commit = runGit([
|
|
293
|
+
'-c', `user.name=${authorName}`,
|
|
294
|
+
'-c', `user.email=${authorEmail}`,
|
|
295
|
+
'-c', 'commit.gpgsign=false',
|
|
296
|
+
'commit', '-m', message,
|
|
297
|
+
], worktreePath);
|
|
298
|
+
if (!commit.ok) {
|
|
299
|
+
return { committed: false, files_changed: files, reason: `git commit failed: ${commit.stderr.trim()}` };
|
|
300
|
+
}
|
|
301
|
+
const head = runGit(['rev-parse', 'HEAD'], worktreePath);
|
|
302
|
+
return {
|
|
303
|
+
committed: true,
|
|
304
|
+
sha: head.ok ? head.stdout.trim() : undefined,
|
|
305
|
+
files_changed: files,
|
|
306
|
+
reason: 'committed on behalf of worker',
|
|
307
|
+
};
|
|
308
|
+
}
|
|
179
309
|
/**
|
|
180
310
|
* Re-points an EXISTING worktree to `ref` via a hard reset of its checked-out
|
|
181
311
|
* branch + working tree. Used when a dispatch reuses an existing claim/worktree
|
|
@@ -222,6 +352,7 @@ export function resetWorktreeToRef(worktreePath, ref) {
|
|
|
222
352
|
const norm = p.replace(/\\/g, '/');
|
|
223
353
|
return norm !== '.brainclaw-worktree.json'
|
|
224
354
|
&& !norm.startsWith('.brainclaw/')
|
|
355
|
+
&& !norm.startsWith('.brainclaw-heartbeat-')
|
|
225
356
|
&& !norm.startsWith('.git/');
|
|
226
357
|
});
|
|
227
358
|
if (residue.length > 0) {
|
|
@@ -322,14 +453,42 @@ export function createWorktree(mainWorktreePath, branchName, options = {}) {
|
|
|
322
453
|
const branchCheck = runGit(['rev-parse', '--verify', branchName], mainWorktreePath);
|
|
323
454
|
const branchExists = branchCheck.ok;
|
|
324
455
|
const baseRef = options.baseRef ?? 'HEAD';
|
|
325
|
-
if (branchExists
|
|
456
|
+
if (branchExists) {
|
|
326
457
|
const attachedWorktreePath = findWorktreePathForBranch(listWorktrees(mainWorktreePath), branchName);
|
|
327
458
|
if (attachedWorktreePath) {
|
|
328
|
-
throw new Error(`Cannot
|
|
459
|
+
throw new Error(`Cannot reuse branch ${branchName}: it is checked out in worktree ${attachedWorktreePath}. Remove or merge that worktree first.`);
|
|
460
|
+
}
|
|
461
|
+
if (options.resetExistingBranch) {
|
|
462
|
+
const reset = runGit(['branch', '--force', branchName, baseRef], mainWorktreePath);
|
|
463
|
+
if (!reset.ok) {
|
|
464
|
+
throw new Error(`git branch --force failed for ${branchName}: ${reset.stderr.trim()}`);
|
|
465
|
+
}
|
|
329
466
|
}
|
|
330
|
-
|
|
331
|
-
|
|
332
|
-
|
|
467
|
+
else {
|
|
468
|
+
// can_2e282880 (worktree-as-contract at creation): a reused branch is a
|
|
469
|
+
// CONTRACT that the worker starts from the dispatch base, not from
|
|
470
|
+
// whatever stale base the branch happened to sit on (observed live: a
|
|
471
|
+
// June dispatch reused a feat/<scope> branch based on April master).
|
|
472
|
+
// - branch has NO commits ahead of the base → silently re-point it to
|
|
473
|
+
// the base (it carries nothing worth keeping);
|
|
474
|
+
// - branch HAS commits not on the base → REFUSE and name them: they
|
|
475
|
+
// are unharvested work — merging/harvesting first is the only safe
|
|
476
|
+
// move, a silent reset would destroy it and a silent reuse would
|
|
477
|
+
// run the worker on a stale base.
|
|
478
|
+
const ahead = runGit(['rev-list', '--count', `${baseRef}..${branchName}`], mainWorktreePath);
|
|
479
|
+
const aheadCount = ahead.ok ? parseInt(ahead.stdout.trim(), 10) : NaN;
|
|
480
|
+
if (!Number.isFinite(aheadCount)) {
|
|
481
|
+
throw new Error(`Cannot assess divergence of existing branch ${branchName} vs ${baseRef}: ${ahead.stderr.trim()}`);
|
|
482
|
+
}
|
|
483
|
+
if (aheadCount > 0) {
|
|
484
|
+
const commits = runGit(['log', '--oneline', '-n', '5', `${baseRef}..${branchName}`], mainWorktreePath);
|
|
485
|
+
throw new Error(`Refusing to reuse branch ${branchName}: it has ${aheadCount} commit(s) not on ${baseRef} (unharvested work). ` +
|
|
486
|
+
`Harvest/merge or delete the branch first. Divergent commits:\n${commits.stdout.trim()}`);
|
|
487
|
+
}
|
|
488
|
+
const reset = runGit(['branch', '--force', branchName, baseRef], mainWorktreePath);
|
|
489
|
+
if (!reset.ok) {
|
|
490
|
+
throw new Error(`git branch --force failed for ${branchName}: ${reset.stderr.trim()}`);
|
|
491
|
+
}
|
|
333
492
|
}
|
|
334
493
|
}
|
|
335
494
|
// Use forward-slash paths for git on Windows
|
|
@@ -719,7 +878,10 @@ export function worktreeHasOnlyBirthNoise(statusZStdout) {
|
|
|
719
878
|
const paths = parsePorcelainZ(statusZStdout);
|
|
720
879
|
return paths.every((p) => {
|
|
721
880
|
const norm = p.replace(/\\/g, '/');
|
|
722
|
-
return WORKTREE_BIRTH_NOISE.has(norm)
|
|
881
|
+
return WORKTREE_BIRTH_NOISE.has(norm)
|
|
882
|
+
|| norm.startsWith('.brainclaw-heartbeat-') // worker liveness sentinel (sprint 1.5)
|
|
883
|
+
|| norm === 'LANE-RESULT.json' // worker outcome report — harvested, never committed
|
|
884
|
+
|| isSystemDirtyPath(norm);
|
|
723
885
|
});
|
|
724
886
|
}
|
|
725
887
|
/**
|