create-ironclaws 1.0.0

package/template/src/worktree.ts

@@ -0,0 +1,206 @@
+/**
+ * Git Clone Manager for NanoClaw
+ *
+ * Creates per-group isolated clones so container agents work on a clean copy
+ * of the production repository, never the user's local checkout.
+ *
+ * Clone strategy:
+ *   - Always clones from the GitHub remote (not local disk).
+ *     The remote URL is read from GITHUB_REPO in config, authenticated with
+ *     a fresh GitHub App token. This ensures agents always see production code
+ *     even when NanoClaw runs on a VM with no local repo present.
+ *   - On every subsequent run the clone is fetched from GitHub and reset to
+ *     the latest origin/main, so agents never operate on stale code.
+ *
+ * Fails fast if no GitHub token can be generated — no point starting an
+ * agent that won't be able to push its work.
+ *
+ * All git commands use execFileSync (no shell) to prevent injection via
+ * paths or branch names containing shell metacharacters.
+ */
+import { execFileSync } from 'child_process';
+import fs from 'fs';
+import path from 'path';
+
+import { DATA_DIR } from './config.js';
+import { readEnvFile } from './env.js';
+import { generateGitHubToken } from './github-token.js';
+import { logger } from './logger.js';
+
+const WORKTREES_DIR = path.join(DATA_DIR, 'worktrees');
+
+const GIT_OPTS: { encoding: 'utf-8'; stdio: ['pipe', 'pipe', 'pipe'] } = {
+  encoding: 'utf-8',
+  stdio: ['pipe', 'pipe', 'pipe'],
+};
+
+/**
+ * Build an authenticated GitHub clone URL from GITHUB_REPO config + token.
+ * Returns null if GITHUB_REPO or the token is missing.
+ */
+function buildGitHubUrl(token: string): string | null {
+  const githubRepo = readEnvFile(['GITHUB_REPO']).GITHUB_REPO;
+  if (!githubRepo) return null;
+  return `https://x-access-token:${token}@github.com/${githubRepo}.git`;
+}
+
+/**
+ * Get the remote URL from a local repo path.
+ * Returns null if the path is not a git repo or has no origin remote.
+ */
+function getRemoteUrl(repoPath: string): string | null {
+  if (!fs.existsSync(repoPath)) return null;
+  try {
+    return execFileSync(
+      'git', ['remote', 'get-url', 'origin'],
+      { ...GIT_OPTS, cwd: repoPath },
+    ).trim();
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Build git env with the GitHub App token for authenticated fetches.
+ * Throws if no valid token can be generated — fail fast so the agent
+ * doesn't do work it can't push.
+ */
+async function getGitAuthEnv(): Promise<{ env: Record<string, string>; token: string }> {
+  const envConfig = readEnvFile(['GITHUB_TOKEN']);
+  const token = await generateGitHubToken(envConfig.GITHUB_TOKEN);
+
+  if (!token) {
+    throw new Error(
+      'No GitHub token available — cannot clone from GitHub. ' +
+      'Check GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, github-app.pem, or GITHUB_TOKEN in .env',
+    );
+  }
+
+  return {
+    token,
+    env: {
+      GH_TOKEN: token,
+      GIT_TERMINAL_PROMPT: '0',
+      GIT_CONFIG_COUNT: '1',
+      GIT_CONFIG_KEY_0: 'credential.helper',
+      GIT_CONFIG_VALUE_0: `!f() { echo "username=x-access-token"; echo "password=${token}"; }; f`,
+    },
+  };
+}
+
+/**
+ * Ensure an isolated clone exists for a given group and source repo.
+ * Always fetches from GitHub and resets to latest origin/main so agents
+ * work on production code regardless of what's on local disk.
+ * Returns the absolute path to the clone directory.
+ *
+ * Throws if the GitHub App token can't be generated — fail fast.
+ */
+export async function ensureWorktree(
+  sourceRepoPath: string,
+  groupFolder: string,
+  containerPath: string,
+): Promise<string> {
+  const cloneBase = path.join(WORKTREES_DIR, groupFolder);
+  const cloneDir = path.join(cloneBase, containerPath);
+
+  fs.mkdirSync(cloneBase, { recursive: true });
+
+  const { env: gitAuthEnv, token } = await getGitAuthEnv();
+  const execEnv = { ...process.env, ...gitAuthEnv };
+  const defaultBranch = 'main';
+
+  const dotGit = path.join(cloneDir, '.git');
+  // Must be a directory (self-contained clone), not a file (old worktree reference).
+  // Worktree .git files contain host paths that don't resolve inside containers.
+  if (fs.existsSync(dotGit) && fs.statSync(dotGit).isDirectory()) {
+    // Clone exists — fetch latest from GitHub and reset to clean state
+    logger.info(
+      { groupFolder, cloneDir },
+      'Fetching latest from GitHub and resetting to origin/main',
+    );
+
+    try {
+      execFileSync('git', ['fetch', 'origin'], {
+        ...GIT_OPTS,
+        cwd: cloneDir,
+        timeout: 120_000,
+        env: execEnv,
+      });
+
+      execFileSync('git', ['checkout', '--detach', `origin/${defaultBranch}`], {
+        ...GIT_OPTS,
+        cwd: cloneDir,
+      });
+
+      execFileSync('git', ['clean', '-fd'], {
+        ...GIT_OPTS,
+        cwd: cloneDir,
+      });
+
+      execFileSync('git', ['checkout', '--', '.'], {
+        ...GIT_OPTS,
+        cwd: cloneDir,
+      });
+
+      logger.info({ groupFolder, cloneDir }, 'Clone reset to latest origin/main');
+    } catch (err) {
+      logger.warn(
+        { groupFolder, cloneDir, err },
+        'Failed to reset clone, recreating',
+      );
+      fs.rmSync(cloneDir, { recursive: true, force: true });
+      return createClone(sourceRepoPath, token, cloneDir, defaultBranch, groupFolder, execEnv);
+    }
+  } else {
+    // If cloneDir exists but .git is a file (stale worktree) or missing, wipe and recreate
+    if (fs.existsSync(cloneDir)) {
+      logger.warn({ groupFolder, cloneDir }, 'Removing stale clone directory');
+      fs.rmSync(cloneDir, { recursive: true, force: true });
+    }
+    return createClone(sourceRepoPath, token, cloneDir, defaultBranch, groupFolder, execEnv);
+  }
+
+  return cloneDir;
+}
+
+function createClone(
+  sourceRepoPath: string,
+  token: string,
+  cloneDir: string,
+  defaultBranch: string,
+  groupFolder: string,
+  execEnv: Record<string, string | undefined>,
+): string {
+  logger.info(
+    { groupFolder, cloneDir, defaultBranch },
+    'Creating fresh clone from GitHub',
+  );
+
+  fs.mkdirSync(path.dirname(cloneDir), { recursive: true });
+
+  if (fs.existsSync(cloneDir)) {
+    fs.rmSync(cloneDir, { recursive: true, force: true });
+  }
+
+  // Determine the GitHub URL to clone from.
+  // Prefer GITHUB_REPO config (works on any machine, including the VM).
+  // Fall back to reading the remote URL from the local repo if present.
+  const cloneUrl = buildGitHubUrl(token) ?? getRemoteUrl(sourceRepoPath);
+  if (!cloneUrl) {
+    throw new Error(
+      `Cannot determine GitHub URL for clone of ${sourceRepoPath}. ` +
+      'Set GITHUB_REPO in .env or ensure the source repo has an origin remote.',
+    );
+  }
+
+  // Shallow clone of latest main — fast and gives agents exactly what's in production.
+  execFileSync('git', ['clone', '--depth', '1', '--branch', defaultBranch, cloneUrl, cloneDir], {
+    ...GIT_OPTS,
+    timeout: 120_000,
+    env: execEnv,
+  });
+
+  logger.info({ groupFolder, cloneDir }, 'Clone created at latest origin/main');
+  return cloneDir;
+}

package/template/tsconfig.json

@@ -0,0 +1,20 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2022"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}