create-interview-cockpit 0.17.3 → 0.18.0

package/template/server/src/gha-runner.ts

@@ -0,0 +1,468 @@
+import fs from "fs/promises";
+import path from "path";
+import { randomUUID } from "crypto";
+import { spawn } from "child_process";
+import * as storage from "./storage.js";
+
+// ─── Types ───────────────────────────────────────────────────────────────
+
+interface GithubActionsLabWorkspace {
+  version: 1;
+  label: string;
+  activeFile: string;
+  files: Record<string, string>;
+  defaultEvent?: string;
+  defaultWorkflow?: string;
+}
+
+type OutputKind = "stdout" | "stderr" | "info";
+
+export type GhaStreamMessage =
+  | { type: "output"; kind: OutputKind; text: string }
+  | { type: "complete"; runId: string; exitCode: number; durationMs: number }
+  | { type: "error"; error: string };
+
+// ─── Constants & guards ──────────────────────────────────────────────────
+
+const MAX_FILE_COUNT = 60;
+const MAX_TOTAL_SOURCE_BYTES = 1_000_000;
+const MAX_LOG_CHARS = 400_000;
+const SOURCE_MANIFEST = ".gha-source-files.json";
+
+// `act` accepts these events; we restrict to common ones so the console
+// can't be used to run arbitrary subcommands.
+const ALLOWED_EVENTS = new Set([
+  "push",
+  "pull_request",
+  "workflow_dispatch",
+  "release",
+  "schedule",
+  "issues",
+  "issue_comment",
+]);
+
+// Only these top-level `act` flags are honored from console input.
+// Long-form is preferred to keep parsing simple.
+const ALLOWED_ACT_FLAGS = new Set([
+  "-l",
+  "--list",
+  "-n",
+  "--dryrun",
+  "-W",
+  "--workflows",
+  "-j",
+  "--job",
+  "-e",
+  "--eventpath",
+  "--container-architecture",
+  "-P",
+  "--platform",
+  "--rm",
+  "--verbose",
+  "-v",
+]);
+
+// ─── Utilities ───────────────────────────────────────────────────────────
+
+function getGhaRunsDir(): string {
+  return path.resolve(storage.getContextFilesDir(), "..", "gha-runs");
+}
+
+function getGhaSessionsDir(): string {
+  return path.resolve(storage.getContextFilesDir(), "..", "gha-sessions");
+}
+
+function stripAnsi(text: string): string {
+  return text.replace(/\x1b\[[0-9;]*[A-Za-z]/g, "");
+}
+
+function appendLog(buffer: string, chunk: string): string {
+  if (!chunk || buffer.length >= MAX_LOG_CHARS) return buffer;
+  const remaining = MAX_LOG_CHARS - buffer.length;
+  if (chunk.length <= remaining) return buffer + chunk;
+  return `${buffer}${chunk.slice(0, remaining)}\n[log truncated]\n`;
+}
+
+function sanitizeKey(value: string): string {
+  return value.replace(/[^a-zA-Z0-9_-]/g, "-").slice(0, 120) || "session";
+}
+
+function assertSafeRelativePath(filePath: string, label: string): void {
+  if (!filePath || path.isAbsolute(filePath) || filePath.includes("..")) {
+    throw new Error(`${label} must stay within the workspace`);
+  }
+  // Reject any path that escapes via symlink-style tricks
+  if (filePath.startsWith("/") || /^[a-zA-Z]:[\\/]/.test(filePath)) {
+    throw new Error(`${label} must be a relative path`);
+  }
+}
+
+function parseWorkspace(input: unknown): GithubActionsLabWorkspace {
+  if (!input || typeof input !== "object") {
+    throw new Error("workspace payload is required");
+  }
+  const candidate = input as Partial<GithubActionsLabWorkspace> & {
+    files?: Record<string, unknown>;
+  };
+  if (!candidate.files || typeof candidate.files !== "object") {
+    throw new Error("workspace.files must be provided");
+  }
+  const files = Object.fromEntries(
+    Object.entries(candidate.files)
+      .filter(
+        (entry): entry is [string, string] =>
+          typeof entry[0] === "string" && typeof entry[1] === "string",
+      )
+      .map(([name, content]) => [name.trim(), content]),
+  );
+  const fileNames = Object.keys(files).filter(Boolean);
+  if (fileNames.length === 0) {
+    throw new Error("workspace must contain at least one file");
+  }
+  if (fileNames.length > MAX_FILE_COUNT) {
+    throw new Error(`workspace exceeds the ${MAX_FILE_COUNT} file limit`);
+  }
+  let totalBytes = 0;
+  for (const name of fileNames) {
+    assertSafeRelativePath(name, "Workspace file path");
+    totalBytes += Buffer.byteLength(files[name], "utf8");
+  }
+  if (totalBytes > MAX_TOTAL_SOURCE_BYTES) {
+    throw new Error("workspace source exceeds the allowed size limit");
+  }
+  return {
+    version: 1,
+    label:
+      typeof candidate.label === "string" && candidate.label.trim()
+        ? candidate.label.trim()
+        : "GitHub Actions Lab",
+    activeFile:
+      typeof candidate.activeFile === "string" && files[candidate.activeFile]
+        ? candidate.activeFile
+        : fileNames[0],
+    defaultEvent:
+      typeof candidate.defaultEvent === "string"
+        ? candidate.defaultEvent
+        : undefined,
+    defaultWorkflow:
+      typeof candidate.defaultWorkflow === "string"
+        ? candidate.defaultWorkflow
+        : undefined,
+    files,
+  };
+}
+
+// ─── File materialization ───────────────────────────────────────────────
+
+async function writeWorkspaceFiles(
+  workspaceDir: string,
+  workspace: GithubActionsLabWorkspace,
+): Promise<void> {
+  await fs.mkdir(workspaceDir, { recursive: true });
+  await Promise.all(
+    Object.entries(workspace.files).map(async ([name, content]) => {
+      const target = path.join(workspaceDir, name);
+      const targetDir = path.dirname(target);
+      const rel = path.relative(workspaceDir, target);
+      // Defense in depth: make sure the resolved target stays under workspaceDir.
+      if (rel.startsWith("..") || path.isAbsolute(rel)) {
+        throw new Error(`Refusing to write file outside workspace: ${name}`);
+      }
+      await fs.mkdir(targetDir, { recursive: true });
+      await fs.writeFile(target, content, "utf8");
+    }),
+  );
+}
+
+async function readJsonFile(filePath: string): Promise<unknown | undefined> {
+  try {
+    const raw = await fs.readFile(filePath, "utf8");
+    return JSON.parse(raw);
+  } catch {
+    return undefined;
+  }
+}
+
+async function syncWorkspaceToSession(
+  sessionKey: string,
+  workspace: GithubActionsLabWorkspace,
+): Promise<string> {
+  const sessionDir = path.join(getGhaSessionsDir(), sanitizeKey(sessionKey));
+  const workspaceDir = path.join(sessionDir, "workspace");
+  const manifestPath = path.join(sessionDir, SOURCE_MANIFEST);
+  await fs.mkdir(sessionDir, { recursive: true });
+
+  const previous = await readJsonFile(manifestPath);
+  const previousFiles = Array.isArray(previous)
+    ? previous.filter((item): item is string => typeof item === "string")
+    : [];
+  const nextFiles = Object.keys(workspace.files);
+
+  await Promise.all(
+    previousFiles
+      .filter((fileName) => !nextFiles.includes(fileName))
+      .map(async (fileName) => {
+        try {
+          await fs.unlink(path.join(workspaceDir, fileName));
+        } catch {
+          // ignore
+        }
+      }),
+  );
+  await writeWorkspaceFiles(workspaceDir, workspace);
+  await fs.writeFile(manifestPath, JSON.stringify(nextFiles, null, 2), "utf8");
+  return workspaceDir;
+}
+
+// ─── Command parsing ────────────────────────────────────────────────────
+
+function splitCommand(command: string): string[] {
+  const tokens: string[] = [];
+  let current = "";
+  let quote: '"' | "'" | null = null;
+  let escape = false;
+  for (const char of command.trim()) {
+    if (escape) {
+      current += char;
+      escape = false;
+      continue;
+    }
+    if (char === "\\") {
+      escape = true;
+      continue;
+    }
+    if (quote) {
+      if (char === quote) quote = null;
+      else current += char;
+      continue;
+    }
+    if (char === '"' || char === "'") {
+      quote = char;
+      continue;
+    }
+    if (/\s/.test(char)) {
+      if (current) {
+        tokens.push(current);
+        current = "";
+      }
+      continue;
+    }
+    current += char;
+  }
+  if (quote) throw new Error("Command has an unclosed quote");
+  if (current) tokens.push(current);
+  return tokens;
+}
+
+interface ParsedActCommand {
+  event: string | null; // null when -l is used (just listing)
+  args: string[];
+  displayCommand: string;
+}
+
+function parseActCommand(command: string): ParsedActCommand {
+  const tokens = splitCommand(command);
+  if (tokens.length === 0) throw new Error("Type a command to run");
+  if (tokens[0] !== "act") {
+    throw new Error(
+      "Only 'act' commands are supported in this lab. Try: act -l, act push, act workflow_dispatch -j greet, act -n",
+    );
+  }
+
+  const rest = tokens.slice(1);
+  let event: string | null = null;
+  const args: string[] = [];
+  let i = 0;
+
+  // First non-flag token is treated as the event name (matching real act CLI).
+  while (i < rest.length) {
+    const tok = rest[i];
+    if (!tok.startsWith("-")) {
+      if (event !== null) {
+        throw new Error(`Unexpected positional argument: ${tok}`);
+      }
+      if (!ALLOWED_EVENTS.has(tok)) {
+        throw new Error(
+          `Event '${tok}' is not allowed. Allowed: ${Array.from(ALLOWED_EVENTS).join(", ")}`,
+        );
+      }
+      event = tok;
+      args.push(tok);
+      i += 1;
+      continue;
+    }
+
+    // Flag handling — only the allow-listed flags are accepted.
+    // Support `--flag=value`, `--flag value`, and short flags.
+    const eq = tok.indexOf("=");
+    const flagName = eq === -1 ? tok : tok.slice(0, eq);
+    if (!ALLOWED_ACT_FLAGS.has(flagName)) {
+      throw new Error(`Flag '${flagName}' is not allowed in the act console`);
+    }
+    args.push(tok);
+
+    // Flags that take a value
+    const takesValue = new Set([
+      "-W",
+      "--workflows",
+      "-j",
+      "--job",
+      "-e",
+      "--eventpath",
+      "--container-architecture",
+      "-P",
+      "--platform",
+    ]);
+    if (takesValue.has(flagName) && eq === -1) {
+      const next = rest[i + 1];
+      if (!next || next.startsWith("-")) {
+        throw new Error(`Flag '${flagName}' requires a value`);
+      }
+      // For workflow/eventpath, keep it inside workspace
+      if (flagName === "-W" || flagName === "--workflows") {
+        assertSafeRelativePath(next, "workflow path");
+      }
+      if (flagName === "-e" || flagName === "--eventpath") {
+        assertSafeRelativePath(next, "event path");
+      }
+      args.push(next);
+      i += 2;
+      continue;
+    }
+    i += 1;
+  }
+
+  return {
+    event,
+    args,
+    displayCommand: `$ act ${args.join(" ")}\n`.replace(/\s+\n$/, "\n"),
+  };
+}
+
+// ─── Run ─────────────────────────────────────────────────────────────────
+
+interface RunInput {
+  questionId?: string;
+  fileId?: string;
+  label?: string;
+  command: string;
+  workspace: unknown;
+  onMessage?: (message: GhaStreamMessage) => void;
+}
+
+export interface GhaRunMetadata {
+  id: string;
+  fileId?: string;
+  questionId?: string;
+  label: string;
+  command: string;
+  status: "completed" | "failed";
+  startedAt: string;
+  completedAt: string;
+  durationMs: number;
+  exitCode: number;
+  error?: string;
+}
+
+export async function streamGhaCommand(
+  input: RunInput,
+): Promise<GhaRunMetadata> {
+  const workspace = parseWorkspace(input.workspace);
+
+  const parsed = parseActCommand(input.command);
+  const sessionKey =
+    input.fileId ?? input.questionId ?? `draft-${randomUUID()}`;
+  const runId = randomUUID();
+  const startedAt = new Date().toISOString();
+  const runDir = path.join(getGhaRunsDir(), runId);
+  const workspaceDir = await syncWorkspaceToSession(sessionKey, workspace);
+  await fs.mkdir(runDir, { recursive: true });
+
+  let logs = "";
+  let status: "completed" | "failed" = "completed";
+  let errorMessage: string | undefined;
+  let exitCode = 0;
+
+  const emit = (msg: GhaStreamMessage) => input.onMessage?.(msg);
+  emit({ type: "output", kind: "info", text: parsed.displayCommand });
+
+  const child = spawn("act", parsed.args, {
+    cwd: workspaceDir,
+    env: {
+      ...process.env,
+      // Avoid TTY-only progress spinners — they spam control codes through SSE
+      ACT_LOG_LEVEL: process.env.ACT_LOG_LEVEL || "info",
+      // Disable pager-like output
+      NO_COLOR: "1",
+    },
+  });
+
+  await new Promise<void>((resolve) => {
+    let settled = false;
+    const finish = () => {
+      if (settled) return;
+      settled = true;
+      resolve();
+    };
+    child.stdout.on("data", (chunk: Buffer) => {
+      const text = stripAnsi(chunk.toString());
+      logs = appendLog(logs, text);
+      emit({ type: "output", kind: "stdout", text });
+    });
+    child.stderr.on("data", (chunk: Buffer) => {
+      const text = stripAnsi(chunk.toString());
+      logs = appendLog(logs, text);
+      emit({ type: "output", kind: "stderr", text });
+    });
+    child.on("error", (err: NodeJS.ErrnoException) => {
+      status = "failed";
+      exitCode = 1;
+      if (err.code === "ENOENT") {
+        errorMessage =
+          "`act` is not installed on this machine. Install it with `brew install act` (macOS) or follow https://github.com/nektos/act#installation, then click Run again.";
+      } else {
+        errorMessage = err.message;
+      }
+      const text = `\n[error] ${errorMessage}\n`;
+      logs = appendLog(logs, text);
+      emit({ type: "output", kind: "stderr", text });
+      finish();
+    });
+    child.on("close", (code) => {
+      exitCode = typeof code === "number" ? code : 1;
+      if (exitCode !== 0) {
+        status = "failed";
+        errorMessage = errorMessage || `act exited with code ${exitCode}`;
+      }
+      finish();
+    });
+  });
+
+  const completedAt = new Date().toISOString();
+  const durationMs =
+    new Date(completedAt).getTime() - new Date(startedAt).getTime();
+
+  const metadata: GhaRunMetadata = {
+    id: runId,
+    ...(input.fileId ? { fileId: input.fileId } : {}),
+    ...(input.questionId ? { questionId: input.questionId } : {}),
+    label: input.label?.trim() || workspace.label,
+    command: parsed.displayCommand.replace(/^\$\s*/, "").trim(),
+    status,
+    startedAt,
+    completedAt,
+    durationMs,
+    exitCode,
+    ...(errorMessage ? { error: errorMessage } : {}),
+  };
+
+  await fs.writeFile(
+    path.join(runDir, "metadata.json"),
+    JSON.stringify(metadata, null, 2),
+    "utf8",
+  );
+  await fs.writeFile(path.join(runDir, "run.log"), logs, "utf8");
+
+  emit({ type: "complete", runId, exitCode, durationMs });
+  return metadata;
+}

package/template/server/src/google-drive.ts

@@ -261,9 +261,6 @@ export async function syncWorkspace(
     errors: [],
   };
 
-  // ── Phase 0: fast wipe (parallel deletes instead of serial deleteTopic calls) ──
-  await storage.clearWorkspaceData(workspaceId);
-
   const importedQuestionKeys = new Set<string>();
 
   // ── Phase 1: fetch all folder listings in parallel ──────────────────────────
@@ -301,15 +298,14 @@ export async function syncWorkspace(
       : Promise.resolve([]),
   ]);
 
-  // ── Phase 2: write all topics in one batch (one topics.json write) ───────────
+  // ── Phase 2: build topic records in memory ─────────────────────────────────
   const topicRecords: storage.Topic[] = folderData.map(({ folder }) => ({
     id: randomUUID(),
     name: folder.name,
     contextFiles: [],
     createdAt: new Date().toISOString(),
   }));
-  await storage.replaceAllTopics(topicRecords);
-  result.topicsUpserted = topicRecords.length;
+  const extraTopicRecords: storage.Topic[] = [];
 
   const topicIdByFolderId = new Map(
     folderData.map(({ folder }, i) => [folder.id, topicRecords[i].id]),
@@ -394,8 +390,7 @@ export async function syncWorkspace(
       contextFiles: [],
       createdAt: new Date().toISOString(),
     };
-    await storage.saveTopic(generalTopic);
-    result.topicsUpserted++;
+    extraTopicRecords.push(generalTopic);
 
     await Promise.all(
       rootFiles.map(async (file) => {
@@ -420,6 +415,18 @@ export async function syncWorkspace(
     );
   }
 
+  // If downloads hit private Drive files or an old token lacks enough scope,
+  // stop before wiping the local workspace. The route will prompt re-auth.
+  if (result.errors.some((error) => /\b403\b/.test(error))) {
+    return result;
+  }
+
+  // ── Phase 3b: fast wipe + write all topics in one batch ────────────────────
+  await storage.clearWorkspaceData(workspaceId);
+  const allTopicRecords = [...topicRecords, ...extraTopicRecords];
+  await storage.replaceAllTopics(allTopicRecords);
+  result.topicsUpserted = allTopicRecords.length;
+
   // ── Phase 4: save questions in parallel (each is an individual file) ─────────
   const questions = pending.filter((p) => !p.isContextFile);
   const contextFiles = pending.filter((p) => p.isContextFile);
@@ -563,19 +570,19 @@ export async function syncWorkspace(
 
   // ── Phase 5: save workspace/topic context file blobs ───────────────────────
   if (pendingWorkspaceFiles.length > 0) {
-    await Promise.all(
-      pendingWorkspaceFiles.map(async ({ filename, buffer }) => {
-        const fileId = randomUUID();
-        const text = await extractText(buffer, filename);
-        await storage.writeOriginalBlob(fileId, buffer, workspaceId);
-        await storage.saveWorkspaceContextFile(
-          fileId,
-          filename,
-          Buffer.from(text, "utf-8"),
-          workspaceId,
-        );
-      }),
-    );
+    // saveWorkspaceContextFile updates workspace-files.json; do this
+    // sequentially so concurrent reads/writes do not overwrite metadata.
+    for (const { filename, buffer } of pendingWorkspaceFiles) {
+      const fileId = randomUUID();
+      const text = await extractText(buffer, filename);
+      await storage.writeOriginalBlob(fileId, buffer, workspaceId);
+      await storage.saveWorkspaceContextFile(
+        fileId,
+        filename,
+        Buffer.from(text, "utf-8"),
+        workspaceId,
+      );
+    }
     result.filesImported += pendingWorkspaceFiles.length;
   }
 
@@ -631,6 +638,10 @@ export async function listDriveSubfolders(
   if (!ws?.driveConfig?.folderId) {
     throw new Error("No Drive folder linked to this workspace");
   }
+  if (await isExportAuthed()) {
+    const drive = await getExportDriveClient();
+    return listFoldersAuthed(drive, ws.driveConfig.folderId);
+  }
   return listFolders(ws.driveConfig.folderId);
 }
 
@@ -663,11 +674,11 @@ const EXPORT_TOKENS_FILE = path.resolve(
 );
 
 function createExportOAuthClient() {
+  const defaultRedirectUri = `http://localhost:${process.env.GOOGLE_EXPORT_REDIRECT_PORT || "3001"}/api/drive/export-callback`;
   return new google.auth.OAuth2(
     process.env.GOOGLE_CLIENT_ID,
     process.env.GOOGLE_CLIENT_SECRET,
-    process.env.GOOGLE_EXPORT_REDIRECT_URI ||
-      "http://localhost:3001/api/drive/export-callback",
+    process.env.GOOGLE_EXPORT_REDIRECT_URI || defaultRedirectUri,
   );
 }
 
@@ -675,7 +686,7 @@ export function getExportAuthUrl(): string {
   const client = createExportOAuthClient();
   return client.generateAuthUrl({
     access_type: "offline",
-    scope: ["https://www.googleapis.com/auth/drive.file"],
+    scope: ["https://www.googleapis.com/auth/drive"],
     prompt: "consent",
   });
 }