convene-cli 1.13.1 → 1.13.2

package/dist/commands/gate-push.js

@@ -129,7 +129,23 @@ function loudOpen(systemMessage) {
 }
 const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
 async function run(opts) {
-    const top = (0, git_1.gitToplevel)();
+    // Read the PreToolUse / pre-push payload ONCE up front. stdin can only be read
+    // once, so everything downstream reuses `payloadRaw`. For the Claude Code
+    // PreToolUse path we need it to resolve the directory the push ACTUALLY runs in
+    // BEFORE resolving the repo — a release is routinely pushed from a SEPARATE
+    // worktree, and gating the SESSION-ROOT checkout instead false-blocks it (bug
+    // deff9ab9).
+    const payloadRaw = opts.stdin ? await readStdin(1500) : null;
+    const trimmed = (payloadRaw ?? '').trim();
+    const isHookPayload = trimmed.startsWith('{');
+    // Effective push directory: the PreToolUse `cwd` (reflects a persisted `cd`)
+    // overridden by a leading in-command `cd`; process.cwd() otherwise — which is
+    // also correct for the real git pre-push hook, where cwd already IS the pushed
+    // worktree.
+    const pushCwd = isHookPayload
+        ? (0, guard_1.resolvePushCwd)(payloadRaw, (0, guard_1.commandFromPayload)(payloadRaw))
+        : { dir: process.cwd(), indeterminate: false };
+    const top = (0, git_1.gitToplevel)(pushCwd.dir);
     if (!top)
         return 0; // not a git repo → no-op
     const cwd = top;
@@ -143,15 +159,14 @@ async function run(opts) {
     // Determine the ref(s) being pushed.
     let refs;
     if (opts.stdin) {
-        const stdin = await readStdin(1500);
-        const trimmed = (stdin ?? '').trim();
-        if (trimmed.startsWith('{')) {
+        if (isHookPayload) {
             // Claude Code PreToolUse/PostToolUse payload (JSON). Gate ONLY a real
             // `git push` — classify the command with the SAME anchored classifier as
             // `guard`, so an ordinary Bash command (even one whose ARGS contain
             // "deploy"/"release"/a ref name) is a zero-network no-op and NEVER claims a
-            // lane. A bare `git push` (no refspec) falls back to the current branch.
-            const cls = (0, guard_1.classifyCommand)((0, guard_1.commandFromPayload)(stdin));
+            // lane. A bare `git push` (no refspec) falls back to the current branch (of
+            // the RESOLVED push worktree).
+            const cls = (0, guard_1.classifyCommand)((0, guard_1.commandFromPayload)(payloadRaw));
             if (cls.kind === 'push') {
                 const cb = (0, git_1.currentBranch)(cwd);
                 refs = cls.refs.length ? cls.refs : cb ? [`refs/heads/${cb}`] : [];
@@ -162,7 +177,7 @@ async function run(opts) {
         }
         else {
             // git pre-push hook context: real refspecs arrive on stdin.
-            refs = stdin ? parseRefsFromStdin(stdin) : [];
+            refs = payloadRaw ? parseRefsFromStdin(payloadRaw) : [];
             if (!refs.length) {
                 const b = (0, git_1.currentBranch)(cwd);
                 refs = b ? [`refs/heads/${b}`] : [];
@@ -280,13 +295,26 @@ async function run(opts) {
     }
     // 200 → we hold the lane (claimed fresh or self-reclaimed). Now the COMPAT gate.
     const compat = await compatP;
-    if (compat.behind) {
-        // Behind HEAD after a fresh fetch → CONFIRMED positive → release + hard block.
+    if (compat.behind && !pushCwd.indeterminate) {
+        // Behind HEAD after a fresh fetch, against the RESOLVED push worktree →
+        // CONFIRMED positive → release + hard block.
         await api.laneRelease(slug, lane, NET_TIMEOUT_MS).catch(() => undefined);
         blockReason(`convene: BLOCKED — HEAD is behind origin/${ref.replace(/^refs\/heads\//, '')} after fetch. ` +
             `Run \`git pull --rebase\` then push again.`);
         return 2;
     }
+    if (compat.behind && pushCwd.indeterminate) {
+        // A dynamic in-command `cd` meant we could NOT resolve the pushed worktree, so
+        // this "behind" verdict may have come from an unrelated checkout. The lane IS
+        // held (the claim succeeded); keep it and ALLOW — degrade only the LOCAL
+        // freshness check to fail-open-loud rather than risk a false block (bug
+        // deff9ab9). NOTE: the committed git pre-push hook only RE-gates freshness when
+        // `convene.blockingPush` is enabled (it otherwise just posts a status), so this
+        // is a genuine skip of the freshness check, not a deferral to another gate.
+        loudOpen(`convene: deploy lane ${lane} claimed; could not resolve the push worktree from the ` +
+            `command, so the behind-HEAD freshness check was SKIPPED — proceeding UNGATED on freshness. ` +
+            `Confirm the branch is current before relying on this deploy.`);
+    }
     // Also honor a directed halt even when the lane was free (defense in depth).
     const halt = await directedHaltFor(api, slug, ref);
     if (halt) {

package/dist/commands/guard.js

@@ -1,8 +1,13 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.classifyPushRefs = classifyPushRefs;
 exports.classifyCommand = classifyCommand;
 exports.commandFromPayload = commandFromPayload;
+exports.cwdFromPayload = cwdFromPayload;
+exports.resolvePushCwd = resolvePushCwd;
 exports.guard = guard;
 /**
  * `convene guard` (WP9) — the PreToolUse halt+lane gate for Bash commands. Wired
@@ -30,6 +35,7 @@ exports.guard = guard;
  *   (b) a CONFIRMED held lane for a DEPLOY command (different instance).
  * A SOFT held-lane conflict (foreign live lane, no directed halt) → 'ask'.
  */
+const node_path_1 = __importDefault(require("node:path"));
 const git_1 = require("../git");
 const config_1 = require("../config");
 const cache_1 = require("../cache");
@@ -167,6 +173,123 @@ function commandFromPayload(raw) {
         return '';
     }
 }
+/**
+ * Pull the top-level `cwd` (the directory the tool will run in) out of a Claude
+ * Code PreToolUse payload, or null if absent/unparseable. Claude Code stamps this
+ * with the session's CURRENT working directory, which already reflects any `cd`
+ * that PERSISTED from a prior Bash call (within the project / additional dirs).
+ */
+function cwdFromPayload(raw) {
+    if (!raw)
+        return null;
+    try {
+        const j = JSON.parse(raw);
+        const c = j?.cwd;
+        return typeof c === 'string' && c.trim() ? c.trim() : null;
+    }
+    catch {
+        return null;
+    }
+}
+function isPush(w) {
+    return w[0] === 'git' && w[1] === 'push';
+}
+/**
+ * Resolve a `cd`/`pushd` target to an absolute dir against `from`, or report it
+ * unresolvable. Strips cd option flags (`--`, `-L`, `-P`, …); rejects `-` (OLDPWD)
+ * and any dynamic/quoted/glob/`~`/escaped path — only a single literal path is safe.
+ */
+function resolveCdTarget(args, from) {
+    let rest = args;
+    while (rest.length && (rest[0] === '--' || /^-[A-Za-z]+$/.test(rest[0])))
+        rest = rest.slice(1);
+    const target = rest[0];
+    if (!target || target === '-' || rest.length > 1 || /[$*?`"'~\\]/.test(target))
+        return null;
+    return node_path_1.default.isAbsolute(target) ? target : node_path_1.default.resolve(from, target);
+}
+/**
+ * Resolve the directory a gated `git push` will run in, for the PreToolUse gate.
+ *
+ * The base is the PreToolUse payload's `cwd` (the session's current dir, already
+ * reflecting a PERSISTED `cd`), falling back to `process.cwd()` — which is also
+ * the right answer for the real git pre-push hook path, where the process cwd IS
+ * the pushed worktree. But the hook fires BEFORE the command runs, so a `cd`
+ * performed INSIDE the gated command — `(cd ../repo-release; git push origin main)`
+ * or `cd ../wt && git push` — is NOT yet reflected in `cwd`. We therefore also walk
+ * the command and apply a leading `cd`/`pushd` that precedes the push.
+ *
+ * Shell-faithful enough for the real cases: a `(` opens a SUBSHELL scope (a `cd`
+ * inside it that `)` closes BEFORE the push does not persist — `(cd X); git push`
+ * runs in the base, `(cd X; git push)` runs in X); a `cd` whose `||`/pipe RHS IS
+ * the push does not apply (the push then runs in the base); anything we cannot
+ * resolve statically (a `$var`/glob/quoted target, a bare `popd`, an over-long
+ * command) flags `indeterminate` so the caller degrades to fail-open-loud rather
+ * than trusting a guessed dir.
+ *
+ * Why this matters (bug deff9ab9): a release is routinely pushed from a SEPARATE
+ * git worktree — the one-worktree-per-session pattern Convene itself recommends.
+ * Resolving the repo from the SESSION-ROOT checkout instead of the pushed worktree
+ * made the behind-HEAD gate compare against a stale, unrelated HEAD and false-block
+ * the push.
+ */
+function resolvePushCwd(raw, command, fallback = process.cwd()) {
+    const base = cwdFromPayload(raw) ?? fallback;
+    const cmd = (command ?? '').trim();
+    if (!cmd)
+        return { dir: base, indeterminate: false };
+    // An absurdly long command is pathological (and could waste work pre-watchdog) —
+    // do not try to parse it; fail-open on the local freshness check.
+    if (cmd.length > 8192)
+        return { dir: base, indeterminate: true };
+    // Split on shell connectors, KEEPING them. `||` must precede `|` in the
+    // alternation so a single pipe never shadows it.
+    const parts = cmd.split(/(\s*&&\s*|\s*\|\|\s*|\s*;\s*|\s*\|\s*|\n)/);
+    const segs = [];
+    for (let i = 0; i < parts.length; i += 2) {
+        const rawSeg = parts[i] ?? '';
+        const open = (rawSeg.match(/^\s*\(+/)?.[0].match(/\(/g) || []).length;
+        const close = (rawSeg.match(/\)+\s*$/)?.[0].match(/\)/g) || []).length;
+        const seg = rawSeg.replace(/^[\s(]+/, '').replace(/[\s)]+$/, '');
+        const words = seg.split(/\s+/).filter(Boolean);
+        let k = 0;
+        while (k < words.length && (/^[A-Za-z_][A-Za-z0-9_]*=/.test(words[k]) || /^(sudo|command|exec|time|env)$/.test(words[k])))
+            k++;
+        segs.push({ open, close, words: words.slice(k), conn: (parts[i + 1] ?? '').trim() });
+    }
+    let dir = base;
+    let indeterminate = false;
+    const scope = []; // saved dirs at each OPEN `(` — restored when it `)` closes
+    for (let idx = 0; idx < segs.length; idx++) {
+        const s = segs[idx];
+        for (let o = 0; o < s.open; o++)
+            scope.push(dir); // enter subshell(s)
+        const w = s.words;
+        if (isPush(w))
+            break; // reached the push — `dir` is its cwd (still inside any open subshell)
+        if (w[0] === 'cd' || w[0] === 'pushd') {
+            // A pipe RHS, or a `||` RHS that IS the push, means the push does NOT run in
+            // this cd's dir (cd in a pipe is a subshell; `cd X || git push` only pushes
+            // when the cd FAILED) — leave the dir untouched. A `cd X || handler; … push`
+            // still applies (its success persists to the later push).
+            const pushIsRhs = (s.conn === '||' || s.conn === '|') && isPush(segs[idx + 1]?.words ?? []);
+            if (s.conn !== '|' && !pushIsRhs) {
+                const resolved = resolveCdTarget(w.slice(1), dir);
+                if (resolved === null)
+                    indeterminate = true;
+                else
+                    dir = resolved;
+            }
+        }
+        else if (w[0] === 'popd') {
+            indeterminate = true; // we do not model the pushd/popd stack
+        }
+        for (let c = 0; c < s.close; c++)
+            if (scope.length)
+                dir = scope.pop(); // exit subshell(s)
+    }
+    return { dir, indeterminate };
+}
 function emitJson(obj) {
     process.stdout.write(JSON.stringify(obj) + '\n');
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "convene-cli",
-  "version": "1.13.1",
+  "version": "1.13.2",
   "description": "Convene CLI — AI development coordination bus client + UserPromptSubmit hook. Install: npm i -g convene-cli; then `convene setup`.",
   "license": "MIT",
   "homepage": "https://convene.live",