create-openthrottle 1.0.0

package/templates/docker/entrypoint.sh

@@ -0,0 +1,285 @@
+#!/usr/bin/env bash
+# =============================================================================
+# entrypoint.sh — Daytona sandbox entrypoint for openthrottle
+#
+# Replaces the 400-line bootstrap.sh with a simple config-driven flow.
+# Runs as root, configures the environment, then drops to the daytona user.
+# =============================================================================
+
+set -euo pipefail
+
+: "${GITHUB_REPO:?GITHUB_REPO is required}"
+: "${GITHUB_TOKEN:?GITHUB_TOKEN is required}"
+: "${TASK_TYPE:?TASK_TYPE is required}"
+: "${WORK_ITEM:?WORK_ITEM is required}"
+
+SANDBOX_HOME="/home/daytona"
+REPO="${SANDBOX_HOME}/repo"
+
+log() { echo "[entrypoint $(date +%H:%M:%S)] $1"; }
+
+seal_file() {
+  local FILE="$1"
+  if chattr +i "$FILE" 2>/dev/null; then
+    log "Sealed: $FILE (immutable)"
+  else
+    chown root:root "$FILE"
+    chmod 444 "$FILE"
+    log "WARNING: chattr +i not supported — sealed $FILE with permissions (weaker)"
+  fi
+}
+
+# ---------------------------------------------------------------------------
+# 1. Clone repo
+# ---------------------------------------------------------------------------
+log "Cloning ${GITHUB_REPO}"
+gh repo clone "$GITHUB_REPO" "$REPO" -- --depth=50
+cd "$REPO"
+
+# ---------------------------------------------------------------------------
+# 2. Read .openthrottle.yml
+# ---------------------------------------------------------------------------
+CONFIG="${REPO}/.openthrottle.yml"
+if [[ ! -f "$CONFIG" ]]; then
+  log "FATAL: .openthrottle.yml not found in repo"
+  exit 1
+fi
+
+read_config() {
+  local result
+  result=$(yq -r "$1 // \"$2\"" "$CONFIG") || {
+    log "FATAL: Failed to read config key $1 from $CONFIG"
+    exit 1
+  }
+  echo "$result"
+}
+
+BASE_BRANCH=$(read_config '.base_branch' 'main')
+TEST_CMD=$(read_config '.test' '')
+LINT_CMD=$(read_config '.lint' '')
+AGENT=$(read_config '.agent' 'claude')
+
+# ---------------------------------------------------------------------------
+# 3. Run post_bootstrap commands (as daytona user, not root)
+# ---------------------------------------------------------------------------
+POST_BOOTSTRAP=$(yq -r '.post_bootstrap // [] | .[]' "$CONFIG") || {
+  log "FATAL: Failed to parse post_bootstrap from .openthrottle.yml — check YAML syntax"
+  exit 1
+}
+if [[ -n "$POST_BOOTSTRAP" ]]; then
+  log "Running post_bootstrap"
+  while IFS= read -r cmd; do
+    log "  > $cmd"
+    gosu daytona bash -c "$cmd" || {
+      log "FATAL: post_bootstrap command failed (exit $?): $cmd"
+      exit 1
+    }
+  done <<< "$POST_BOOTSTRAP"
+fi
+
+# ---------------------------------------------------------------------------
+# 4. Configure agent settings (per-agent)
+# ---------------------------------------------------------------------------
+log "Configuring agent settings (${AGENT})"
+
+# 4a. Install universal git hooks and seal git config (works for ALL agent runtimes)
+git -C "$REPO" config core.hooksPath /opt/openthrottle/git-hooks
+log "Installed git hooks (pre-push)"
+# Seal .git/config to prevent agents from changing core.hooksPath
+seal_file "${REPO}/.git/config" 2>/dev/null || true
+
+# 4b. Per-agent configuration
+case "$AGENT" in
+  claude)
+    SETTINGS_DIR="${SANDBOX_HOME}/.claude"
+    mkdir -p "$SETTINGS_DIR"
+
+    # Build stop hooks from config
+    STOP_HOOKS="[]"
+    if [[ -n "$LINT_CMD" ]] || [[ -n "$TEST_CMD" ]]; then
+      STOP_CMDS="[]"
+      [[ -n "$LINT_CMD" ]] && STOP_CMDS=$(echo "$STOP_CMDS" | jq --arg c "$LINT_CMD" '. + [$c]')
+      [[ -n "$TEST_CMD" ]] && STOP_CMDS=$(echo "$STOP_CMDS" | jq --arg c "$TEST_CMD" '. + [$c]')
+      STOP_HOOKS=$(echo "$STOP_CMDS" | jq '[{"hooks": .}]')
+    fi
+
+    # Build base settings with hooks
+    jq -n \
+      --argjson stop_hooks "$STOP_HOOKS" \
+      '{
+        "permissions": {"allow": [], "deny": []},
+        "hooks": {
+          "PreToolUse": [
+            {"matcher": "Bash", "hooks": ["/opt/openthrottle/hooks/block-push-to-main.sh"]}
+          ],
+          "PostToolUse": [
+            {"matcher": "Bash", "hooks": ["/opt/openthrottle/hooks/log-commands.sh"]},
+            {"matcher": "Write|Edit", "hooks": ["/opt/openthrottle/hooks/auto-format.sh"]}
+          ],
+          "Stop": $stop_hooks
+        }
+      }' > "${SETTINGS_DIR}/settings.json"
+
+    # Merge default MCP servers (Telegram, Context7)
+    DEFAULT_MCPS=$(jq -n '{
+      "telegram": {
+        "command": "npx",
+        "args": ["-y", "@punkpeye/telegram-mcp"],
+        "env": {
+          "TELEGRAM_BOT_TOKEN": env.TELEGRAM_BOT_TOKEN,
+          "TELEGRAM_CHAT_ID": env.TELEGRAM_CHAT_ID
+        }
+      },
+      "context7": {
+        "command": "npx",
+        "args": ["-y", "@upstash/context7-mcp"]
+      }
+    }')
+
+    # Merge project-specific MCP servers, resolving "from-env" placeholders
+    PROJECT_MCPS=$(yq -o=json '.mcp_servers // {}' "$CONFIG") || {
+      log "WARNING: Failed to parse mcp_servers — project MCP servers will not be configured"
+      PROJECT_MCPS='{}'
+    }
+    if [[ "$PROJECT_MCPS" != "{}" ]]; then
+      PROJECT_MCPS=$(echo "$PROJECT_MCPS" | jq '
+        walk(if type == "object" then
+          with_entries(
+            if .value == "from-env" then
+              .value = (env[.key] // null) |
+              if .value == null then
+                error("Environment variable \(.key) is required by mcp_servers config but not set")
+              else . end
+            else . end
+          )
+        else . end)
+      ') || {
+        log "FATAL: Missing required environment variable for MCP server configuration"
+        exit 1
+      }
+    fi
+
+    # Merge all MCP servers into settings
+    ALL_MCPS=$(echo "$DEFAULT_MCPS" "$PROJECT_MCPS" | jq -s '.[0] * .[1]')
+    jq --argjson mcps "$ALL_MCPS" '.mcpServers = $mcps' \
+      "${SETTINGS_DIR}/settings.json" > "${SETTINGS_DIR}/settings.json.tmp" \
+      && mv "${SETTINGS_DIR}/settings.json.tmp" "${SETTINGS_DIR}/settings.json"
+
+    # Apply Supabase tool allowlist if supabase MCP is configured
+    if echo "$ALL_MCPS" | jq -e '.supabase' > /dev/null 2>&1; then
+      log "Supabase MCP detected — applying tool allowlist"
+      jq '.permissions.allow += [
+        "mcp__supabase__create_branch",
+        "mcp__supabase__delete_branch",
+        "mcp__supabase__list_branches",
+        "mcp__supabase__reset_branch",
+        "mcp__supabase__list_tables",
+        "mcp__supabase__get_schemas",
+        "mcp__supabase__list_migrations",
+        "mcp__supabase__get_project_url",
+        "mcp__supabase__search_docs",
+        "mcp__supabase__get_logs"
+      ] | .permissions.deny += [
+        "mcp__supabase__execute_sql",
+        "mcp__supabase__apply_migration",
+        "mcp__supabase__deploy_edge_function",
+        "mcp__supabase__merge_branch"
+      ]' "${SETTINGS_DIR}/settings.json" > "${SETTINGS_DIR}/settings.json.tmp" \
+        && mv "${SETTINGS_DIR}/settings.json.tmp" "${SETTINGS_DIR}/settings.json"
+    fi
+    ;;
+
+  codex)
+    SETTINGS_DIR="${SANDBOX_HOME}/.codex"
+    mkdir -p "$SETTINGS_DIR"
+    # Codex reads AGENTS.md for project instructions
+    # No equivalent to Claude's settings.json hooks — git hooks provide safety
+    log "Codex configured (safety via git hooks)"
+    ;;
+
+  aider)
+    SETTINGS_DIR="${SANDBOX_HOME}"
+    # Write Aider config
+    cat > "${SANDBOX_HOME}/.aider.conf.yml" <<AIDEREOF
+auto-commits: false
+model: ${AGENT_MODEL:-claude-sonnet-4-20250514}
+AIDEREOF
+    log "Aider configured (safety via git hooks)"
+    ;;
+
+  *)
+    log "WARNING: Unknown agent '${AGENT}' — using git hooks only for safety"
+    SETTINGS_DIR="${SANDBOX_HOME}"
+    ;;
+esac
+
+# ---------------------------------------------------------------------------
+# 5. Seal settings (immutable — only root can undo)
+# ---------------------------------------------------------------------------
+
+# Seal agent-specific settings
+if [[ "$AGENT" == "claude" ]]; then
+  seal_file "${SETTINGS_DIR}/settings.json"
+  touch "${SETTINGS_DIR}/settings.local.json"
+  seal_file "${SETTINGS_DIR}/settings.local.json"
+
+  # Nullify repo-level .claude/settings.json (prevent agent overrides)
+  if [[ -f "${REPO}/.claude/settings.json" ]]; then
+    : > "${REPO}/.claude/settings.json"
+    seal_file "${REPO}/.claude/settings.json"
+  fi
+elif [[ "$AGENT" == "aider" ]] && [[ -f "${SANDBOX_HOME}/.aider.conf.yml" ]]; then
+  seal_file "${SANDBOX_HOME}/.aider.conf.yml"
+fi
+
+# ---------------------------------------------------------------------------
+# 7. Fix ownership (skip sealed files — chattr prevents chown on them)
+# ---------------------------------------------------------------------------
+chown -R daytona:daytona "$SANDBOX_HOME" 2>/dev/null || true
+
+# ---------------------------------------------------------------------------
+# 8. Start heartbeat (resets autoStopInterval every 5 min)
+#
+# Daytona auto-stop only resets on Toolbox SDK API calls, NOT on internal
+# process activity. The Toolbox agent runs inside the sandbox on port 63650.
+# A lightweight filesystem list call keeps the sandbox alive.
+# ---------------------------------------------------------------------------
+(
+  TOOLBOX_PORT="${DAYTONA_TOOLBOX_PORT:-63650}"
+  FAIL_COUNT=0
+  MAX_CONSECUTIVE_FAILURES=3
+  while true; do
+    sleep 300
+    if curl -sf "http://localhost:${TOOLBOX_PORT}/filesystem/list?path=/" > /dev/null 2>&1; then
+      FAIL_COUNT=0
+    else
+      FAIL_COUNT=$((FAIL_COUNT + 1))
+      echo "[heartbeat $(date +%H:%M:%S)] WARNING: Toolbox heartbeat failed (attempt ${FAIL_COUNT}/${MAX_CONSECUTIVE_FAILURES})" >&2
+      if [[ $FAIL_COUNT -ge $MAX_CONSECUTIVE_FAILURES ]]; then
+        echo "[heartbeat $(date +%H:%M:%S)] CRITICAL: Toolbox heartbeat failed ${MAX_CONSECUTIVE_FAILURES} times. Sandbox may auto-stop." >&2
+      fi
+    fi
+  done
+) &
+HEARTBEAT_PID=$!
+
+# ---------------------------------------------------------------------------
+# 9. Drop to daytona user and run the appropriate runner
+# ---------------------------------------------------------------------------
+log "Task: ${TASK_TYPE} #${WORK_ITEM} (agent: ${AGENT})"
+
+export SANDBOX_HOME REPO BASE_BRANCH AGENT
+export AGENT_RUNTIME="$AGENT"
+
+case "$TASK_TYPE" in
+  prd|bug|review-fix)
+    exec gosu daytona /opt/openthrottle/run-builder.sh
+    ;;
+  review|investigation)
+    exec gosu daytona /opt/openthrottle/run-reviewer.sh
+    ;;
+  *)
+    log "Unknown TASK_TYPE: ${TASK_TYPE}"
+    exit 1
+    ;;
+esac

package/templates/docker/git-hooks/pre-push

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# pre-push — Universal git hook that works for ANY agent runtime.
+# Blocks push to main/master and force push.
+# Installed by entrypoint.sh via git config core.hooksPath.
+
+while read -r local_ref local_sha remote_ref remote_sha; do
+  # Block push to main/master
+  if [[ "$remote_ref" =~ refs/heads/(main|master)$ ]]; then
+    echo "BLOCKED: Direct push to main/master is not allowed." >&2
+    echo "Use: git push origin HEAD  (pushes the current feature branch)" >&2
+    exit 1
+  fi
+done
+
+exit 0

package/templates/docker/hooks/auto-format.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# auto-format.sh
+# PostToolUse hook — fires after Write or Edit tool calls.
+# Runs the project's formatter on any changed file if one is configured.
+
+INPUT=$(cat)
+FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // ""')
+
+[[ -z "$FILE" ]] && exit 0
+[[ ! -f "$FILE" ]] && exit 0
+
+SANDBOX_HOME="${SANDBOX_HOME:-/home/daytona}"
+cd "${SANDBOX_HOME}/repo" 2>/dev/null || exit 0
+
+EXT="${FILE##*.}"
+
+case "$EXT" in
+  ts|tsx|js|jsx|mjs|cjs|json|css|scss|html|md|yaml|yml)
+    if [[ -f "node_modules/.bin/prettier" ]]; then
+      node_modules/.bin/prettier --write "$FILE" --log-level silent 2>/dev/null
+    elif command -v prettier &>/dev/null; then
+      prettier --write "$FILE" --log-level silent 2>/dev/null
+    fi
+    ;;
+  py)
+    if command -v black &>/dev/null; then
+      black "$FILE" --quiet 2>/dev/null
+    elif command -v ruff &>/dev/null; then
+      ruff format "$FILE" --quiet 2>/dev/null
+    fi
+    ;;
+  go)
+    if command -v gofmt &>/dev/null; then
+      gofmt -w "$FILE" 2>/dev/null
+    fi
+    ;;
+  rb)
+    if command -v rubocop &>/dev/null; then
+      rubocop -a "$FILE" --no-color 2>/dev/null
+    fi
+    ;;
+esac
+
+exit 0

package/templates/docker/hooks/block-push-to-main.sh

@@ -0,0 +1,116 @@
+#!/usr/bin/env bash
+# sandbox-guard.sh
+# PreToolUse hook — fires before every Bash command.
+# Enforces safety guardrails for autonomous agent execution.
+#
+# IMPORTANT: This guard fails CLOSED — if input cannot be parsed,
+# the command is DENIED. A security guard must never fail open.
+#
+# Blocks:
+#   1. Pushes to main/master
+#   2. Force pushes to any branch
+#   3. Settings.json / git config tampering
+#   4. Git remote manipulation (prevents push to attacker-controlled remotes)
+#   5. Secret exfiltration via curl/wget/nc/gh api (env var references in outbound calls)
+#   6. /proc/self/environ reads in outbound contexts
+#   7. Direct reads of .env files in outbound contexts
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // ""') || {
+  echo "BLOCKED: Could not parse hook input — denying command for safety." >&2
+  exit 2
+}
+
+if [[ -z "$COMMAND" ]]; then
+  echo "BLOCKED: Empty command in hook input — denying for safety." >&2
+  exit 2
+fi
+
+# ---------------------------------------------------------------------------
+# Git safety
+# ---------------------------------------------------------------------------
+
+# Block pushes to main/master via any syntax (including refspec HEAD:main)
+if echo "$COMMAND" | grep -qE 'git\s+push\b.*\b(main|master)\b'; then
+  echo "BLOCKED: Direct push to main/master is not allowed in the pipeline." >&2
+  echo "Use: git push origin HEAD  (pushes the current feature branch)" >&2
+  exit 2
+fi
+
+# Block force push to any branch — match flags anywhere in command
+if echo "$COMMAND" | grep -qE 'git\s+push\b' && echo "$COMMAND" | grep -qE '(-f|--force|--force-with-lease)\b'; then
+  echo "BLOCKED: Force push is not allowed in the pipeline." >&2
+  exit 2
+fi
+
+# Block git remote manipulation (prevents adding attacker-controlled remotes)
+if echo "$COMMAND" | grep -qE 'git\s+remote\s+(add|set-url)\b'; then
+  echo "BLOCKED: Modifying git remotes is not allowed in the pipeline." >&2
+  exit 2
+fi
+
+# Block git alias creation (prevents aliasing blocked commands)
+if echo "$COMMAND" | grep -qE 'git\s+config\s+.*alias\.'; then
+  echo "BLOCKED: Creating git aliases is not allowed in the pipeline." >&2
+  exit 2
+fi
+
+# ---------------------------------------------------------------------------
+# Settings / config tampering
+# ---------------------------------------------------------------------------
+
+# Block writes to settings.json (hooks, permissions, allowlists)
+if echo "$COMMAND" | grep -qE '(>|>>|tee|mv|cp|chmod|chattr|rm).*\.claude/(settings|settings\.local)\.json'; then
+  echo "BLOCKED: Modifying Claude settings is not allowed in the pipeline." >&2
+  exit 2
+fi
+
+# Block git hooks path changes
+if echo "$COMMAND" | grep -qE 'git\s+config.*(core\.hooksPath|hooks)'; then
+  echo "BLOCKED: Modifying git hooks configuration is not allowed." >&2
+  exit 2
+fi
+
+# ---------------------------------------------------------------------------
+# Secret exfiltration prevention
+# ---------------------------------------------------------------------------
+SECRET_VARS='GITHUB_TOKEN|ANTHROPIC_API_KEY|CLAUDE_CODE_OAUTH_TOKEN|SUPABASE_ACCESS_TOKEN|TELEGRAM_BOT_TOKEN|OPENAI_API_KEY'
+OUTBOUND_TOOLS='curl|wget|nc|ncat|netcat|python.*http|node.*http|fetch|gh\s+api'
+
+# Check if command uses an outbound tool AND references a secret env var
+if echo "$COMMAND" | grep -qE "(${OUTBOUND_TOOLS})\b"; then
+  if echo "$COMMAND" | grep -qE "\\\$(${SECRET_VARS})|\\$\{(${SECRET_VARS})"; then
+    echo "BLOCKED: Outbound commands cannot reference secret environment variables." >&2
+    exit 2
+  fi
+fi
+
+# Block piping env/printenv/set output to outbound commands
+if echo "$COMMAND" | grep -qE '(env|printenv|set)\s*\|.*(curl|wget|nc|netcat|gh)'; then
+  echo "BLOCKED: Cannot pipe environment variables to outbound commands." >&2
+  exit 2
+fi
+
+# Block specific printenv calls for known secrets piped to outbound commands
+if echo "$COMMAND" | grep -qE "printenv\s+(${SECRET_VARS})"; then
+  if echo "$COMMAND" | grep -qE "(${OUTBOUND_TOOLS})\b"; then
+    echo "BLOCKED: Cannot read secret env vars in outbound command context." >&2
+    exit 2
+  fi
+fi
+
+# Block reading .env files and piping to outbound commands
+if echo "$COMMAND" | grep -qE 'cat.*\.env.*\|.*(curl|wget|nc|gh)'; then
+  echo "BLOCKED: Cannot pipe .env contents to outbound commands." >&2
+  exit 2
+fi
+
+# Block /proc/self/environ reads in outbound contexts
+if echo "$COMMAND" | grep -qE '/proc/(self|1)/environ'; then
+  if echo "$COMMAND" | grep -qE "(${OUTBOUND_TOOLS}|base64)\b"; then
+    echo "BLOCKED: Cannot read /proc/environ in outbound command context." >&2
+    exit 2
+  fi
+fi
+
+exit 0

package/templates/docker/hooks/log-commands.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# log-commands.sh
+# PostToolUse hook — fires after every Bash command.
+# Appends a timestamped log of every command the agent ran.
+# Sanitizes known secrets to prevent accidental leakage.
+#
+# Logs go to the Daytona volume at ~/.claude/logs/ so they persist
+# across ephemeral sandboxes for debugging and audit.
+
+INPUT=$(cat)
+COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // ""')
+EXIT_CODE=$(echo "$INPUT" | jq -r '.tool_response.exit_code // "?"')
+PRD_ID="${PRD_ID:-unknown}"
+
+SANDBOX_HOME="${SANDBOX_HOME:-/home/daytona}"
+mkdir -p "${SANDBOX_HOME}/.claude/logs"
+
+# Sanitize secrets before logging — redact known env vars and common patterns
+SANITIZED="$COMMAND"
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  SANITIZED="${SANITIZED//$GITHUB_TOKEN/[REDACTED]}"
+fi
+if [[ -n "${TELEGRAM_BOT_TOKEN:-}" ]]; then
+  SANITIZED="${SANITIZED//$TELEGRAM_BOT_TOKEN/[REDACTED]}"
+fi
+if [[ -n "${ANTHROPIC_API_KEY:-}" ]]; then
+  SANITIZED="${SANITIZED//$ANTHROPIC_API_KEY/[REDACTED]}"
+fi
+if [[ -n "${CLAUDE_CODE_OAUTH_TOKEN:-}" ]]; then
+  SANITIZED="${SANITIZED//$CLAUDE_CODE_OAUTH_TOKEN/[REDACTED]}"
+fi
+if [[ -n "${SUPABASE_ACCESS_TOKEN:-}" ]]; then
+  SANITIZED="${SANITIZED//$SUPABASE_ACCESS_TOKEN/[REDACTED]}"
+fi
+if [[ -n "${OPENAI_API_KEY:-}" ]]; then
+  SANITIZED="${SANITIZED//$OPENAI_API_KEY/[REDACTED]}"
+fi
+# Catch common token patterns that might not be in env vars
+SANITIZED=$(echo "$SANITIZED" | sed \
+  -e 's/ghp_[A-Za-z0-9_]\{36,\}/[REDACTED]/g' \
+  -e 's/ghs_[A-Za-z0-9_]\{36,\}/[REDACTED]/g' \
+  -e 's/Bearer [^ ]*/Bearer [REDACTED]/g' \
+  -e 's/sk-[A-Za-z0-9_-]\{20,\}/[REDACTED]/g')
+
+echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] [${PRD_ID}] [exit:${EXIT_CODE}] ${SANITIZED}" \
+  >> "${SANDBOX_HOME}/.claude/logs/bash-commands.log"
+
+exit 0