create-interview-cockpit 0.28.0 → 0.30.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-interview-cockpit",
-  "version": "0.28.0",
+  "version": "0.30.0",
   "description": "Scaffold a personal AI-powered interview prep cockpit",
   "type": "module",
   "bin": {

package/template/client/src/awsGovernanceIamLab.ts

@@ -0,0 +1,526 @@
+import type { InfraLabWorkspace } from "./types";
+
+// Mirrors the structure of a real `governance-iam` Terraform module
+// (roles, policies, attachments, users, OIDC providers, multi-account
+// `for_each` expansion) but trimmed down so it can run end-to-end
+// against LocalStack inside the Infra Lab runner.
+//
+// What works on LocalStack (free):
+//   - aws_iam_policy / aws_iam_role / *_policy_attachment / aws_iam_user
+//   - aws_iam_openid_connect_provider (object exists, trust is not exercised)
+//
+// What does NOT work realistically on LocalStack (left as plan-only / read):
+//   - real cross-account assume-role via Organizations
+//   - real OIDC federation (Azure DevOps, EKS IRSA, etc.)
+export const AWS_GOVERNANCE_IAM_FILES: Record<string, string> = {
+  "README.md": `# AWS Governance IAM Lab
+
+Practice the *shape* of an enterprise \`governance-iam\` Terraform module
+against LocalStack. You get the same patterns the real module uses:
+
+1. **OIDC providers** (\`aws_iam_openid_connect_provider\`)
+2. **Custom IAM policies** loaded from JSON files in \`policy/\`
+3. **IAM roles** with trust documents from \`assume_role/\`
+4. **Policy attachments** (custom + AWS-managed)
+5. **IAM users** with attachments
+6. **Multi-account expansion** via \`for_each\` keyed as \`account/name\`
+
+## How to run it
+
+In the Infra Lab console, one command at a time:
+
+1. \`terraform init\`
+2. \`terraform validate\`
+3. \`terraform plan -out=tfplan\`
+4. \`terraform apply -auto-approve\`
+5. Inspect with \`terraform state list\` and \`terraform show\`
+6. \`terraform destroy -auto-approve\` when done
+
+## What's real vs simulated
+
+LocalStack accepts the IAM CRUD calls, so all roles/policies/users/attachments
+are actually created. The OIDC providers are stored as objects, but no real
+external identity (Azure DevOps, EKS, GKE) can federate into them here.
+
+For the real federation handshake, you'd point this at a free-tier AWS
+account by replacing the \`endpoints\` block in \`provider.tf\` and giving
+real credentials.
+
+## Multi-account note
+
+LocalStack free tier is single-account, so the two "accounts"
+(\`access\`, \`workload\`) are simulated by provider aliases pointing at the
+same LocalStack endpoint. The \`for_each\` and \`account/name\` key shape is
+the same as in a real Organizations setup — flip the endpoints and you can
+reuse it as-is.
+
+## Suggested experiments
+
+- Add a new JSON file in \`policy/\` and reference it in \`terraform.tfvars\`.
+- Add a new role in \`terraform.tfvars\` and watch the keyspace expand.
+- Change a trust policy in \`assume_role/\` and run \`terraform plan\` to see
+  the in-place update.
+- Try \`terraform plan\` after removing an attachment to learn how detach
+  works without destroying the role.
+`,
+  "provider.tf": `terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+# Two provider aliases simulate the multi-account fan-out used by the real
+# governance-iam module. Both point at the same LocalStack endpoint here;
+# in production they would target different AWS accounts via assume-role.
+provider "aws" {
+  alias                       = "access"
+  region                      = "us-east-1"
+  access_key                  = "test"
+  secret_key                  = "test"
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  skip_requesting_account_id  = true
+
+  endpoints {
+    iam = "http://localhost:4566"
+    sts = "http://localhost:4566"
+  }
+}
+
+provider "aws" {
+  alias                       = "workload"
+  region                      = "us-east-1"
+  access_key                  = "test"
+  secret_key                  = "test"
+  skip_credentials_validation = true
+  skip_metadata_api_check     = true
+  skip_requesting_account_id  = true
+
+  endpoints {
+    iam = "http://localhost:4566"
+    sts = "http://localhost:4566"
+  }
+}
+`,
+  "variables.tf": `# Logical inputs that mirror the real module. Swap values in
+# terraform.tfvars to re-shape the deployment without touching main.tf.
+
+variable "accounts" {
+  description = "Logical AWS account name -> provider alias key."
+  type        = map(string)
+  default = {
+    access   = "access"
+    workload = "workload"
+  }
+}
+
+variable "policies" {
+  description = "Custom policies to create. Keyed as <account>/<name>."
+  type = map(object({
+    path        = string
+    description = string
+  }))
+  default = {}
+}
+
+variable "roles" {
+  description = "Roles to create. Keyed as <account>/<name>."
+  type = map(object({
+    name                        = string
+    assume_role_policy_file     = string
+    assume_role_policy_variable = map(string)
+    custom_policies             = list(string) # tf_policy_keys to attach
+    managed_policy_arns         = list(string) # AWS-managed ARNs to attach
+  }))
+  default = {}
+}
+
+variable "users" {
+  description = "IAM users to create. Keyed as <account>/<name>."
+  type = map(object({
+    name                = string
+    custom_policies     = list(string)
+    managed_policy_arns = list(string)
+  }))
+  default = {}
+}
+
+variable "oidc_identity" {
+  description = "OIDC providers to register. Keyed as <account>/<label>."
+  type = map(object({
+    account    = string
+    oidc_url   = string
+    audiences  = list(string)
+    thumbprint = list(string)
+  }))
+  default = {}
+}
+`,
+  "local.tf": `# Real governance-iam splits a single declaration into per-account
+# resources. We do the same here; the keys are "<account>/<name>" so a
+# role declared in two accounts becomes two distinct resources.
+locals {
+  account_policies = var.policies
+  account_roles    = var.roles
+  account_users    = var.users
+
+  # Flatten role -> custom policy attachments.
+  custom_role_attachments = merge([
+    for role_key, role in var.roles : {
+      for pol_key in role.custom_policies :
+      "\${role_key}::\${pol_key}" => {
+        tf_role_key   = role_key
+        tf_policy_key = pol_key
+      }
+    }
+  ]...)
+
+  # Flatten role -> AWS-managed policy attachments.
+  managed_role_attachments = merge([
+    for role_key, role in var.roles : {
+      for arn in role.managed_policy_arns :
+      "\${role_key}::\${arn}" => {
+        tf_role_key = role_key
+        policy_arn  = arn
+      }
+    }
+  ]...)
+
+  custom_user_attachments = merge([
+    for user_key, user in var.users : {
+      for pol_key in user.custom_policies :
+      "\${user_key}::\${pol_key}" => {
+        tf_user_key   = user_key
+        tf_policy_key = pol_key
+      }
+    }
+  ]...)
+
+  managed_user_attachments = merge([
+    for user_key, user in var.users : {
+      for arn in user.managed_policy_arns :
+      "\${user_key}::\${arn}" => {
+        tf_user_key = user_key
+        policy_arn  = arn
+      }
+    }
+  ]...)
+}
+`,
+  "main.tf": `# @ref: aws-oidc-provider
+# Trust links so external systems (ADO, EKS, GKE) can federate without
+# storing AWS keys. On LocalStack the object is created but no real JWT
+# is verified against it.
+resource "aws_iam_openid_connect_provider" "oidc" {
+  for_each = var.oidc_identity
+  provider = aws.access
+
+  url             = each.value.oidc_url
+  client_id_list  = each.value.audiences
+  thumbprint_list = each.value.thumbprint
+}
+
+# @ref: aws-custom-policy
+# Custom permission documents loaded from JSON files in ./policy.
+# The split() trick is what the real module uses to derive a name from
+# the "<account>/<group>/<file>.json" key shape.
+resource "aws_iam_policy" "policies" {
+  for_each = local.account_policies
+  provider = aws.access
+
+  name        = split("/", each.key)[1]
+  description = each.value.description
+  policy      = file("\${path.module}/policy/\${each.value.path}")
+}
+
+# @ref: aws-iam-role
+# Trust policy != permission policy. The trust policy answers
+# "who is allowed to become this role?". Permissions come from attachments.
+resource "aws_iam_role" "roles" {
+  for_each = local.account_roles
+  provider = aws.access
+
+  name = each.value.name
+  assume_role_policy = templatefile(
+    "\${path.module}/assume_role/\${each.value.assume_role_policy_file}",
+    each.value.assume_role_policy_variable,
+  )
+}
+
+# @ref: aws-role-policy-attachment (custom)
+resource "aws_iam_role_policy_attachment" "custom_role_policy" {
+  for_each = local.custom_role_attachments
+  provider = aws.access
+
+  role       = aws_iam_role.roles[each.value.tf_role_key].name
+  policy_arn = aws_iam_policy.policies[each.value.tf_policy_key].arn
+}
+
+# @ref: aws-role-policy-attachment (managed)
+resource "aws_iam_role_policy_attachment" "managed_role_policy" {
+  for_each = local.managed_role_attachments
+  provider = aws.access
+
+  role       = aws_iam_role.roles[each.value.tf_role_key].name
+  policy_arn = each.value.policy_arn
+}
+
+# @ref: aws-iam-user
+# Long-lived identity. Kept as an exercise; modern setups prefer roles
+# + federation, but the real module still supports both.
+resource "aws_iam_user" "users" {
+  for_each = local.account_users
+  provider = aws.access
+
+  name          = each.value.name
+  path          = "/"
+  force_destroy = true
+}
+
+resource "aws_iam_user_policy_attachment" "custom_user_policy" {
+  for_each = local.custom_user_attachments
+  provider = aws.access
+
+  user       = aws_iam_user.users[each.value.tf_user_key].name
+  policy_arn = aws_iam_policy.policies[each.value.tf_policy_key].arn
+}
+
+resource "aws_iam_user_policy_attachment" "managed_user_policy" {
+  for_each = local.managed_user_attachments
+  provider = aws.access
+
+  user       = aws_iam_user.users[each.value.tf_user_key].name
+  policy_arn = each.value.policy_arn
+}
+`,
+  "ado.tf": `# @ref: aws-ado-role
+# Mirrors the real ado.tf: a per-account role assumed by an Azure DevOps
+# pipeline via OIDC, with AdministratorAccess attached. On LocalStack the
+# role exists but the actual federation handshake is not exercised.
+locals {
+  ado_accounts = ["access", "workload"]
+}
+
+resource "aws_iam_role" "ado_role" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+
+  name = "ado-role-\${each.key}"
+  assume_role_policy = templatefile(
+    "\${path.module}/assume_role/ado-assume-role.json",
+    {
+      account_id  = "000000000000"
+      environment = "lab"
+    },
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "ado_admin" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+
+  role       = aws_iam_role.ado_role[each.key].name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+resource "aws_iam_role" "ado_readonly" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+
+  name = "ado-role-readonly-\${each.key}"
+  assume_role_policy = templatefile(
+    "\${path.module}/assume_role/ado-assume-role.json",
+    {
+      account_id  = "000000000000"
+      environment = "lab"
+    },
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "ado_readonly" {
+  for_each = toset(local.ado_accounts)
+  provider = aws.access
+
+  role       = aws_iam_role.ado_readonly[each.key].name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+`,
+  "outputs.tf": `output "policy_arns" {
+  description = "ARNs of all custom policies that were created."
+  value       = { for k, p in aws_iam_policy.policies : k => p.arn }
+}
+
+output "role_arns" {
+  description = "ARNs of all roles that were created."
+  value       = { for k, r in aws_iam_role.roles : k => r.arn }
+}
+
+output "ado_role_arns" {
+  description = "ARNs of the Azure DevOps deployment roles."
+  value       = { for k, r in aws_iam_role.ado_role : k => r.arn }
+}
+`,
+  "terraform.tfvars": `# Sample data that drives the module. Everything below is what would
+# normally live in variables.<env>.tfvars in the real repo.
+
+policies = {
+  "access/external-dns-policy-v1" = {
+    path        = "external-dns-policy-v1.json"
+    description = "Allows external-dns to manage Route53 records."
+  }
+  "access/cloudwatch-exporter-policy-v1" = {
+    path        = "cloudwatch-exporter-policy-v1.json"
+    description = "Allows the cloudwatch exporter to read metrics."
+  }
+}
+
+roles = {
+  "access/external-dns" = {
+    name                        = "external-dns-role"
+    assume_role_policy_file     = "eks-irsa-assume-role.json"
+    assume_role_policy_variable = {
+      account_id     = "000000000000"
+      oidc_provider  = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633"
+      namespace      = "kube-system"
+      service_account = "external-dns"
+    }
+    custom_policies = [
+      "access/external-dns-policy-v1",
+    ]
+    managed_policy_arns = []
+  }
+  "access/cw-exporter" = {
+    name                        = "cloudwatch-exporter-role"
+    assume_role_policy_file     = "eks-irsa-assume-role.json"
+    assume_role_policy_variable = {
+      account_id     = "000000000000"
+      oidc_provider  = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633"
+      namespace      = "monitoring"
+      service_account = "cloudwatch-exporter"
+    }
+    custom_policies = [
+      "access/cloudwatch-exporter-policy-v1",
+    ]
+    managed_policy_arns = [
+      "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess",
+    ]
+  }
+}
+
+users = {
+  "access/break-glass" = {
+    name = "break-glass-admin"
+    custom_policies = []
+    managed_policy_arns = [
+      "arn:aws:iam::aws:policy/ReadOnlyAccess",
+    ]
+  }
+}
+
+oidc_identity = {
+  "access/eks-main" = {
+    account    = "access"
+    oidc_url   = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633"
+    audiences  = ["sts.amazonaws.com"]
+    thumbprint = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+  }
+  "access/azure-devops" = {
+    account    = "access"
+    oidc_url   = "https://vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000"
+    audiences  = ["api://AzureADTokenExchange"]
+    thumbprint = ["9e99a48a9960b14926bb7f3b02e22da2b0ab7280"]
+  }
+}
+`,
+  "policy/external-dns-policy-v1.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "route53:ChangeResourceRecordSets"
+      ],
+      "Resource": "arn:aws:route53:::hostedzone/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "route53:ListHostedZones",
+        "route53:ListResourceRecordSets"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+`,
+  "policy/cloudwatch-exporter-policy-v1.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:GetMetricData",
+        "cloudwatch:GetMetricStatistics",
+        "cloudwatch:ListMetrics",
+        "tag:GetResources"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+`,
+  "assume_role/eks-irsa-assume-role.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::\${account_id}:oidc-provider/\${oidc_provider}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "\${oidc_provider}:sub": "system:serviceaccount:\${namespace}:\${service_account}",
+          "\${oidc_provider}:aud": "sts.amazonaws.com"
+        }
+      }
+    }
+  ]
+}
+`,
+  "assume_role/ado-assume-role.json": `{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::\${account_id}:oidc-provider/vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000:aud": "api://AzureADTokenExchange"
+        },
+        "StringLike": {
+          "vstoken.dev.azure.com/00000000-0000-0000-0000-000000000000:sub": "sc://my-org/my-project/\${environment}-*"
+        }
+      }
+    }
+  ]
+}
+`,
+};
+
+export const AWS_GOVERNANCE_IAM_LAB: InfraLabWorkspace = {
+  version: 1,
+  label: "AWS Governance IAM Lab",
+  provider: "aws",
+  executionMode: "localstack",
+  activeFile: "README.md",
+  files: AWS_GOVERNANCE_IAM_FILES,
+};

package/template/client/src/codeowners.ts

@@ -790,3 +790,123 @@ export function findCodeOwnersPath(
 export function isCodeOwnersPath(path: string): boolean {
   return (CODEOWNERS_LOCATIONS as readonly string[]).includes(path);
 }
+
+// ─── Pull request templates ───────────────────────────────────────────
+//
+// GitHub doesn't have a settings UI for PR templates — they're picked
+// up purely from files in the repo. The lookup rules we mirror:
+//
+//   1. Single template: the first match wins, in priority order:
+//        .github/pull_request_template.md
+//        .github/PULL_REQUEST_TEMPLATE.md
+//        pull_request_template.md (repo root)
+//        PULL_REQUEST_TEMPLATE.md (repo root)
+//        docs/pull_request_template.md
+//        docs/PULL_REQUEST_TEMPLATE.md
+//      Lookup is also case-insensitive on the filename.
+//
+//   2. Multiple templates: any *.md (or *.txt) file inside
+//        .github/PULL_REQUEST_TEMPLATE/
+//        PULL_REQUEST_TEMPLATE/
+//        docs/PULL_REQUEST_TEMPLATE/
+//      Each becomes a pick-able template; on github.com you'd append
+//      ?template=foo.md to the compare URL. We just show a picker.
+//
+// If both kinds are present, github.com shows the directory picker but
+// also still lists the single template; we follow the same behaviour.
+
+export interface PullRequestTemplate {
+  /** Workspace path of the file. */
+  path: string;
+  /** Display name (file basename minus extension, prettified). */
+  name: string;
+  /** Raw markdown body of the template. */
+  body: string;
+  /** True if this is the repo's default single template. */
+  isDefault: boolean;
+}
+
+const SINGLE_PR_TEMPLATE_DIRS: readonly string[] = [".github/", "", "docs/"];
+const MULTI_PR_TEMPLATE_DIRS: readonly string[] = [
+  ".github/PULL_REQUEST_TEMPLATE/",
+  "PULL_REQUEST_TEMPLATE/",
+  "docs/PULL_REQUEST_TEMPLATE/",
+];
+
+function isPullRequestTemplateFilename(filename: string): boolean {
+  // GitHub matches pull_request_template.md case-insensitively, with .md
+  // or .markdown extensions. We accept both.
+  return /^pull_request_template\.(md|markdown)$/i.test(filename);
+}
+
+function prettifyTemplateName(filename: string): string {
+  const base = filename.replace(/\.(md|markdown|txt)$/i, "");
+  return base.replace(/[-_]+/g, " ").replace(/\b\w/g, (c) => c.toUpperCase());
+}
+
+/**
+ * Discover all PR templates in the workspace, in github.com priority
+ * order. Returns an empty array if no templates exist.
+ */
+export function findPullRequestTemplates(
+  files: Record<string, string>,
+): PullRequestTemplate[] {
+  const out: PullRequestTemplate[] = [];
+  const seen = new Set<string>();
+
+  // 1. Single-template lookup
+  for (const dir of SINGLE_PR_TEMPLATE_DIRS) {
+    for (const path of Object.keys(files)) {
+      if (seen.has(path)) continue;
+      if (!path.startsWith(dir)) continue;
+      const rest = path.slice(dir.length);
+      if (rest.includes("/")) continue; // not directly in this dir
+      if (!isPullRequestTemplateFilename(rest)) continue;
+      out.push({
+        path,
+        name: "Default",
+        body: files[path] ?? "",
+        isDefault: true,
+      });
+      seen.add(path);
+      break; // first match per dir; priority order handles the rest
+    }
+  }
+
+  // 2. Multi-template directory lookup
+  for (const dir of MULTI_PR_TEMPLATE_DIRS) {
+    for (const path of Object.keys(files)) {
+      if (seen.has(path)) continue;
+      if (!path.startsWith(dir)) continue;
+      const rest = path.slice(dir.length);
+      if (!rest || rest.includes("/")) continue;
+      if (!/\.(md|markdown|txt)$/i.test(rest)) continue;
+      out.push({
+        path,
+        name: prettifyTemplateName(rest),
+        body: files[path] ?? "",
+        isDefault: false,
+      });
+      seen.add(path);
+    }
+  }
+
+  return out;
+}
+
+/** True if the path is a recognised PR-template location. */
+export function isPullRequestTemplatePath(path: string): boolean {
+  for (const dir of SINGLE_PR_TEMPLATE_DIRS) {
+    if (!path.startsWith(dir)) continue;
+    const rest = path.slice(dir.length);
+    if (!rest.includes("/") && isPullRequestTemplateFilename(rest)) return true;
+  }
+  for (const dir of MULTI_PR_TEMPLATE_DIRS) {
+    if (!path.startsWith(dir)) continue;
+    const rest = path.slice(dir.length);
+    if (rest && !rest.includes("/") && /\.(md|markdown|txt)$/i.test(rest)) {
+      return true;
+    }
+  }
+  return false;
+}

package/template/client/src/components/ChatView.tsx

@@ -482,13 +482,24 @@ export default function ChatView({ question }: Props) {
   // and triggering an update loop.
   const initialMessages = useMemo(
     () =>
-      (question.messages ?? []).map((m) => ({
-        id: m.id,
-        role: m.role as "user" | "assistant",
-        parts: (m.parts ?? [
-          { type: "text" as const, text: m.content },
-        ]) as UIMessage["parts"],
-      })),
+      (question.messages ?? []).map((m) => {
+        // Older saved messages persist as `{ content, parts: [] }` — the empty
+        // array is truthy so a plain `m.parts ?? fallback` keeps `parts`
+        // empty, which makes `getTextContent` return "" and breaks any feature
+        // that reads message text (annotations, copy-to-clipboard, etc.).
+        // Treat empty `parts` the same as missing and rebuild from `content`.
+        const hasParts = Array.isArray(m.parts) && m.parts.length > 0;
+        const parts = hasParts
+          ? (m.parts as UIMessage["parts"])
+          : ([
+              { type: "text" as const, text: m.content ?? "" },
+            ] as UIMessage["parts"]);
+        return {
+          id: m.id,
+          role: m.role as "user" | "assistant",
+          parts,
+        };
+      }),
     // eslint-disable-next-line react-hooks/exhaustive-deps
     [question.id],
   );