edsger 0.72.3 → 0.72.5

package/dist/commands/quality-benchmark/index.d.ts

@@ -1,11 +1,10 @@
 /**
  * CLI command: `edsger quality-benchmark <productId>`
  *
- * Runs the quality-benchmark phase against the product's GitHub repo and
- * writes the resulting JSON report to disk. Persistence to the
- * `quality_reports` table is the caller's responsibility — desktop-app
- * picks the JSON up via stdout / file and writes via its supabase
- * client, exactly the same pattern used by other CLI commands.
+ * Runs the quality-benchmark phase against the product's GitHub repo,
+ * writes the resulting JSON report to disk, and persists it to the
+ * `quality_reports` table via the supabase SDK (RLS-scoped; MCP
+ * fallback when no desktop session is synced) unless --no-save.
  *
  * Default invocation (desktop): no --repo, no --branch — the CLI fetches
  * the product's GitHub config via MCP, clones (or reuses) the repo into
@@ -33,7 +32,7 @@ export interface QualityBenchmarkCliOptions {
     install?: boolean;
     output?: string;
     verbose?: boolean;
-    /** When false, skip the quality_reports/save MCP call. */
+    /** When false, skip persisting the report to quality_reports. */
     save?: boolean;
     /** Overwrite any existing report row for this (product, commit, rubric). */
     force?: boolean;

package/dist/commands/quality-benchmark/index.js

@@ -1,11 +1,10 @@
 /**
  * CLI command: `edsger quality-benchmark <productId>`
  *
- * Runs the quality-benchmark phase against the product's GitHub repo and
- * writes the resulting JSON report to disk. Persistence to the
- * `quality_reports` table is the caller's responsibility — desktop-app
- * picks the JSON up via stdout / file and writes via its supabase
- * client, exactly the same pattern used by other CLI commands.
+ * Runs the quality-benchmark phase against the product's GitHub repo,
+ * writes the resulting JSON report to disk, and persists it to the
+ * `quality_reports` table via the supabase SDK (RLS-scoped; MCP
+ * fallback when no desktop session is synced) unless --no-save.
  *
  * Default invocation (desktop): no --repo, no --branch — the CLI fetches
  * the product's GitHub config via MCP, clones (or reuses) the repo into
@@ -26,10 +25,10 @@
 import { mkdirSync, writeFileSync } from 'node:fs';
 import { dirname, resolve } from 'node:path';
 import { getGitHubConfigByProduct, getGitHubConfigByRepository, getRepositoryBasics, } from '../../api/github.js';
-import { callMcpEndpoint } from '../../api/mcp-client.js';
 import { fetchProductBasics } from '../../phases/find-shared/mcp.js';
 import { runQualityBenchmark, } from '../../phases/quality-benchmark/index.js';
 import { prepareQualityWorkspace } from '../../phases/quality-benchmark/workspace.js';
+import { saveQualityReport } from '../../services/quality-reports.js';
 import { getSupabase } from '../../supabase/client.js';
 import { logError, logInfo, logSuccess, logWarning, } from '../../utils/logger.js';
 export async function runQualityBenchmarkCli(productId, options) {
@@ -166,10 +165,12 @@ export async function runQualityBenchmarkCli(productId, options) {
     mkdirSync(dirname(outputPath), { recursive: true });
     writeFileSync(outputPath, JSON.stringify(reportEnvelope, null, 2), 'utf8');
     logSuccess(`Report written to ${outputPath}`);
-    // Persist via MCP unless the caller opted out.
+    // Persist to quality_reports unless the caller opted out. Goes through
+    // the supabase SDK directly (RLS-scoped), with an MCP fallback for
+    // sessions authorized by an MCP token only.
     if (options.save !== false) {
         try {
-            const saved = (await callMcpEndpoint('quality_reports/save', {
+            const saved = await saveQualityReport({
                 product_id: repoOnly ? null : productId,
                 repository_id: repositoryId,
                 commit_sha: outcome.commitSha,
@@ -193,14 +194,13 @@ export async function runQualityBenchmarkCli(productId, options) {
                 completed_at: outcome.completedAt,
                 duration_seconds: outcome.durationSeconds,
                 replace_existing: options.force === true,
-            }));
-            const row = JSON.parse(saved.content?.[0]?.text ?? '{}');
-            if (row.id) {
-                logSuccess(`Saved to quality_reports.id = ${row.id}`);
+            });
+            if (saved.id) {
+                logSuccess(`Saved to quality_reports.id = ${saved.id}`);
             }
         }
         catch (err) {
-            logWarning(`Failed to persist report via MCP (will keep local file): ${err instanceof Error ? err.message : String(err)}`);
+            logWarning(`Failed to persist report (will keep local file): ${err instanceof Error ? err.message : String(err)}`);
         }
     }
     logInfo(`Overall: grade ${outcome.report.overall_grade ?? '?'} (${outcome.report.overall_score ?? '?'})`);

package/dist/services/quality-reports.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Quality reports service — persists `edsger quality-benchmark` results.
+ *
+ * Writes go through the supabase SDK directly when the desktop-synced
+ * session is available (RLS gates access: product owner / active team
+ * member, or repo team access via `user_has_repository_access` for
+ * repo-only reports). Falls back to the MCP edge function
+ * (`quality_reports/save`) when no usable session is synced — e.g.
+ * standalone CLI runs authorized by an MCP token.
+ */
+export interface SaveQualityReportParams {
+    /** Product scope; null for repo-only reports. */
+    product_id: string | null;
+    /** Repository scope; required when product_id is null. */
+    repository_id: string | null;
+    commit_sha: string;
+    rubric_version: string;
+    branch?: string | null;
+    repo_root?: string | null;
+    detected_context?: unknown;
+    tool_versions?: Record<string, string>;
+    unavailable_tools?: unknown[];
+    applied_checks?: unknown;
+    tool_outputs?: Record<string, unknown>;
+    external_signals?: unknown;
+    dropped_findings?: number;
+    dimension_scores?: unknown;
+    overall_score?: number | null;
+    overall_grade?: string | null;
+    executive_summary?: string | null;
+    low_confidence?: boolean;
+    status?: string;
+    started_at?: string | null;
+    completed_at?: string | null;
+    duration_seconds?: number | null;
+    /** Delete any existing row for this (scope, commit, rubric) before insert. */
+    replace_existing?: boolean;
+}
+/**
+ * Insert a completed quality report row. Returns the new row id, or null
+ * if the saved row could not be parsed (MCP path only).
+ */
+export declare function saveQualityReport(params: SaveQualityReportParams): Promise<{
+    id: string | null;
+}>;

package/dist/services/quality-reports.js

@@ -0,0 +1,93 @@
+/**
+ * Quality reports service — persists `edsger quality-benchmark` results.
+ *
+ * Writes go through the supabase SDK directly when the desktop-synced
+ * session is available (RLS gates access: product owner / active team
+ * member, or repo team access via `user_has_repository_access` for
+ * repo-only reports). Falls back to the MCP edge function
+ * (`quality_reports/save`) when no usable session is synced — e.g.
+ * standalone CLI runs authorized by an MCP token.
+ */
+import { callMcpEndpoint } from '../api/mcp-client.js';
+import { ensureSupabaseSession, getSupabase } from '../supabase/client.js';
+/**
+ * Insert a completed quality report row. Returns the new row id, or null
+ * if the saved row could not be parsed (MCP path only).
+ */
+export async function saveQualityReport(params) {
+    const { product_id, repository_id, commit_sha, rubric_version } = params;
+    if (!product_id && !repository_id) {
+        throw new Error('Either product_id or repository_id is required');
+    }
+    if (await ensureSupabaseSession()) {
+        const supabase = getSupabase();
+        if (params.replace_existing) {
+            // Clear the existing row on the natural cache key for this report's
+            // scope. Product-scoped: UNIQUE(product_id, commit_sha, rubric_version).
+            // Repo-only: UNIQUE(repository_id, commit_sha, rubric_version) WHERE
+            // product_id IS NULL — the repo-only delete MUST also require
+            // product_id IS NULL so it never clobbers a product report of the same
+            // linked repo at this commit.
+            let del = supabase
+                .from('quality_reports')
+                .delete()
+                .eq('commit_sha', commit_sha)
+                .eq('rubric_version', rubric_version);
+            del = product_id
+                ? del.eq('product_id', product_id)
+                : del.eq('repository_id', repository_id).is('product_id', null);
+            const { error: delErr } = await del;
+            if (delErr) {
+                throw new Error(`Failed to clear existing report: ${delErr.message}`);
+            }
+        }
+        const { data: { user }, } = await supabase.auth.getUser();
+        const { data, error } = await supabase
+            .from('quality_reports')
+            .insert({
+            product_id: product_id ?? null,
+            repository_id: repository_id ?? null,
+            commit_sha,
+            rubric_version,
+            branch: params.branch ?? null,
+            repo_root: params.repo_root ?? null,
+            detected_context: params.detected_context ?? {},
+            tool_versions: params.tool_versions ?? {},
+            unavailable_tools: params.unavailable_tools ?? [],
+            applied_checks: params.applied_checks ?? {},
+            tool_outputs: params.tool_outputs ?? {},
+            external_signals: params.external_signals ?? {},
+            dropped_findings: params.dropped_findings ?? 0,
+            dimension_scores: params.dimension_scores ?? {},
+            overall_score: params.overall_score ?? null,
+            overall_grade: params.overall_grade ?? null,
+            executive_summary: params.executive_summary ?? null,
+            low_confidence: params.low_confidence ?? false,
+            status: params.status ?? 'completed',
+            started_at: params.started_at ?? null,
+            completed_at: params.completed_at ?? new Date().toISOString(),
+            duration_seconds: params.duration_seconds ?? null,
+            created_by: user?.id ?? null,
+        })
+            .select('id')
+            .single();
+        if (error) {
+            if (error.code === '23505') {
+                throw new Error(`quality report already exists for ` +
+                    `(${product_id ? 'product' : 'repository'}, commit, rubric); ` +
+                    `pass --force to overwrite`);
+            }
+            throw new Error(`Failed to save quality report: ${error.message}`);
+        }
+        return { id: data?.id ?? null };
+    }
+    // No synced session — fall back to the MCP edge function (MCP-token auth).
+    const saved = (await callMcpEndpoint('quality_reports/save', params));
+    try {
+        const row = JSON.parse(saved.content?.[0]?.text ?? '{}');
+        return { id: row.id ?? null };
+    }
+    catch {
+        return { id: null };
+    }
+}

package/dist/utils/validation.d.ts

@@ -1,5 +1,37 @@
 import { loadConfig } from '../config.js';
 import { type CliOptions } from '../types/index.js';
+/**
+ * Determine the correct npm install target for optional dependencies.
+ *
+ * `Function('return import("pkg")')()` resolves from the edsger module's
+ * own location, walking up the node_modules chain.  We need to install
+ * packages into a directory that sits on that resolution path.
+ *
+ * - Source checkout / monorepo  → `npm install` in the edsger package dir
+ * - Project dependency  → `npm install` in the project root (has package.json)
+ * - Global-style install  → `npm install -g --prefix <prefix>`
+ *
+ * The global-style case covers both a plain `npm install -g edsger` and the
+ * desktop app's managed install (`npm install -g edsger --prefix <userData>/cli`).
+ * In both, edsger lives at `<prefix>/lib/node_modules/edsger` (or
+ * `<prefix>/node_modules/edsger` on Windows) and there is NO package.json at
+ * the directory that owns that node_modules. Running a *project-local*
+ * `npm install` there would treat every already-installed package — including
+ * edsger and all its dependencies — as extraneous and PRUNE them, destroying
+ * the install. We must install with `--prefix` into the same prefix instead.
+ */
+export interface NpmInstallTarget {
+    global: boolean;
+    cwd?: string;
+    prefix?: string;
+}
+/**
+ * Pure resolution of the npm install target, given edsger's own directory and
+ * a predicate for testing whether a path exists. Separated from
+ * {@link getNpmInstallTarget} so it can be unit-tested without touching the
+ * real filesystem or `import.meta.url`.
+ */
+export declare function resolveNpmInstallTarget(edsgerDir: string, fileExists: (p: string) => boolean): NpmInstallTarget;
 export interface ValidationResult {
     config: ReturnType<typeof loadConfig>;
     mcpServerUrl: string;

package/dist/utils/validation.js

@@ -1,9 +1,37 @@
 import { execSync, spawnSync } from 'child_process';
-import { dirname, resolve, sep } from 'path';
+import { existsSync } from 'fs';
+import { basename, dirname, join, resolve, sep } from 'path';
 import { fileURLToPath } from 'url';
 import { getMcpServerUrl, getMcpToken } from '../auth/auth-store.js';
 import { loadConfig, validateConfig } from '../config.js';
 import { logInfo, logWarning } from './logger.js';
+/**
+ * Pure resolution of the npm install target, given edsger's own directory and
+ * a predicate for testing whether a path exists. Separated from
+ * {@link getNpmInstallTarget} so it can be unit-tested without touching the
+ * real filesystem or `import.meta.url`.
+ */
+export function resolveNpmInstallTarget(edsgerDir, fileExists) {
+    const nodeModulesSegment = `${sep}node_modules${sep}`;
+    if (!edsgerDir.includes(nodeModulesSegment)) {
+        // Source checkout / monorepo — install in edsger's own package dir
+        return { global: false, cwd: edsgerDir };
+    }
+    // edsger is inside some node_modules tree. The directory that owns the
+    // outermost node_modules containing edsger is the candidate install root.
+    const installRoot = edsgerDir.split(nodeModulesSegment)[0];
+    // A real project dependency has a package.json at that root, so a
+    // project-local install safely adds to its dependencies without pruning.
+    if (fileExists(join(installRoot, 'package.json'))) {
+        return { global: false, cwd: installRoot };
+    }
+    // No package.json → global-style install. Derive the npm prefix so the
+    // package lands on edsger's resolution path. Unix global installs nest
+    // under `<prefix>/lib`; Windows installs put node_modules directly under
+    // `<prefix>`.
+    const prefix = basename(installRoot) === 'lib' ? dirname(installRoot) : installRoot;
+    return { global: true, prefix };
+}
 /**
  * Determine the correct npm install target for optional dependencies.
  *
@@ -11,33 +39,22 @@ import { logInfo, logWarning } from './logger.js';
  * own location, walking up the node_modules chain.  We need to install
  * packages into a directory that sits on that resolution path.
  *
- * - Global install  → `npm install -g`
- * - Project dependency  → `npm install` in the project root
- * - Monorepo / development  → `npm install` in the edsger package dir
+ * - Source checkout / monorepo  → `npm install` in the edsger package dir
+ * - Project dependency  → `npm install` in the project root (has package.json)
+ * - Global-style install  → `npm install -g --prefix <prefix>`
+ *
+ * The global-style case covers both a plain `npm install -g edsger` and the
+ * desktop app's managed install (`npm install -g edsger --prefix <userData>/cli`).
+ * In both, edsger lives at `<prefix>/lib/node_modules/edsger` (or
+ * `<prefix>/node_modules/edsger` on Windows) and there is NO package.json at
+ * the directory that owns that node_modules. Running a *project-local*
+ * `npm install` there would treat every already-installed package — including
+ * edsger and all its dependencies — as extraneous and PRUNE them, destroying
+ * the install. We must install with `--prefix` into the same prefix instead.
  */
 function getNpmInstallTarget() {
     const edsgerDir = resolve(dirname(fileURLToPath(import.meta.url)), '../..');
-    const nodeModulesSegment = `${sep}node_modules${sep}`;
-    if (!edsgerDir.includes(nodeModulesSegment)) {
-        // Source checkout / monorepo — install in edsger's own package dir
-        return { global: false, cwd: edsgerDir };
-    }
-    // edsger is inside some node_modules tree
-    try {
-        const globalPrefix = execSync('npm config get prefix', {
-            encoding: 'utf-8',
-            stdio: ['pipe', 'pipe', 'ignore'],
-        }).trim();
-        if (edsgerDir.startsWith(globalPrefix)) {
-            return { global: true };
-        }
-    }
-    catch {
-        // ignore — fall through to project-local
-    }
-    // Project dependency — install at the project root (parent of node_modules)
-    const projectRoot = edsgerDir.split(nodeModulesSegment)[0];
-    return { global: false, cwd: projectRoot };
+    return resolveNpmInstallTarget(edsgerDir, existsSync);
 }
 /**
  * Common configuration validation for all CLI commands
@@ -106,7 +123,8 @@ const restartProcess = (envFlag) => {
 function npmInstall(packageName) {
     const target = getNpmInstallTarget();
     const globalFlag = target.global ? ' -g' : '';
-    const cmd = `npm install${globalFlag} ${packageName}`;
+    const prefixFlag = target.prefix ? ` --prefix "${target.prefix}"` : '';
+    const cmd = `npm install${globalFlag}${prefixFlag} ${packageName}`;
     logInfo(`  $ ${cmd}${target.cwd ? ` (in ${target.cwd})` : ''}`);
     execSync(cmd, { cwd: target.cwd, stdio: 'inherit' });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "edsger",
-  "version": "0.72.3",
+  "version": "0.72.5",
   "type": "module",
   "bin": {
     "edsger": "dist/index.js"
@@ -54,8 +54,8 @@
     "commander": "^12.0.0",
     "cosmiconfig": "^9.0.0",
     "dotenv": "^16.4.5",
-    "edsger-contract": "0.9.1",
-    "edsger-tools": "0.9.1",
+    "edsger-contract": "0.9.2",
+    "edsger-tools": "0.9.2",
     "gray-matter": "^4.0.3",
     "zod": "^4.0.0"
   },