everything-claude-code 1.4.3

package/schemas/plugin.schema.json

@@ -0,0 +1,13 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Claude Plugin Configuration",
+  "type": "object",
+  "required": ["name"],
+  "properties": {
+    "name": { "type": "string" },
+    "description": { "type": "string" },
+    "author": { "type": "string" },
+    "repository": { "type": "string" },
+    "license": { "type": "string" }
+  }
+}

package/scripts/ecc/catalog.js

@@ -0,0 +1,82 @@
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+
+const { packsDir, promptsDir, ENGINE_ROOT } = require('./paths');
+
+function listJsonFiles(dirAbs) {
+  if (!fs.existsSync(dirAbs)) return [];
+  const entries = fs.readdirSync(dirAbs, { withFileTypes: true });
+  return entries
+    .filter(e => e.isFile() && e.name.endsWith('.json'))
+    .map(e => path.join(dirAbs, e.name))
+    .sort();
+}
+
+function listPromptFiles(dirAbs) {
+  if (!fs.existsSync(dirAbs)) return [];
+  const entries = fs.readdirSync(dirAbs, { withFileTypes: true });
+  return entries
+    .filter(e => e.isFile() && e.name.endsWith('.md'))
+    .map(e => path.join(dirAbs, e.name))
+    .sort();
+}
+
+function readJson(filePath) {
+  const raw = fs.readFileSync(filePath, 'utf8');
+  return JSON.parse(raw);
+}
+
+function loadPacks() {
+  const files = listJsonFiles(packsDir());
+  const packs = [];
+
+  for (const filePath of files) {
+    const data = readJson(filePath);
+    packs.push({
+      id: String(data.id || '').trim(),
+      name: String(data.name || '').trim(),
+      description: String(data.description || '').trim(),
+      tags: Array.isArray(data.tags) ? data.tags.filter(t => typeof t === 'string') : [],
+      modules: Array.isArray(data.modules) ? data.modules.filter(m => typeof m === 'string') : [],
+      path: filePath
+    });
+  }
+
+  packs.sort((a, b) => a.id.localeCompare(b.id));
+  return packs;
+}
+
+function getDefaultPacks() {
+  return ['blueprint', 'forge', 'proof', 'sentinel'];
+}
+
+/**
+ * Compute a digest for the embedded catalog.
+ *
+ * P0 definition: hash packs/*.json + prompts/ecc/*.md.
+ */
+function computeEmbeddedCatalogDigest() {
+  const hash = crypto.createHash('sha256');
+
+  const packFiles = listJsonFiles(packsDir());
+  const promptFiles = listPromptFiles(promptsDir());
+  const all = [...packFiles, ...promptFiles].sort();
+
+  for (const filePath of all) {
+    const rel = path.relative(ENGINE_ROOT, filePath).split(path.sep).join('/');
+    hash.update(rel);
+    hash.update('\n');
+    hash.update(fs.readFileSync(filePath));
+    hash.update('\n');
+  }
+
+  return `sha256:${hash.digest('hex')}`;
+}
+
+module.exports = {
+  loadPacks,
+  getDefaultPacks,
+  computeEmbeddedCatalogDigest
+};
+

package/scripts/ecc/config.js

@@ -0,0 +1,43 @@
+const fs = require('fs');
+
+const { readJson, writeJson } = require('./json');
+const { configPath } = require('./project');
+const { validateConfig, throwIfErrors } = require('./validate');
+
+function nowIso() {
+  return new Date().toISOString();
+}
+
+function defaultVerifyConfig() {
+  return { mode: 'auto' };
+}
+
+function createConfig({ backend, packs }) {
+  return {
+    version: 1,
+    backend,
+    packs,
+    verify: defaultVerifyConfig(),
+    createdAt: nowIso()
+  };
+}
+
+function loadConfig(projectRoot) {
+  const p = configPath(projectRoot);
+  if (!fs.existsSync(p)) return null;
+  const cfg = readJson(p);
+  throwIfErrors(validateConfig(cfg), 'ecc config');
+  return cfg;
+}
+
+function saveConfig(projectRoot, cfg) {
+  throwIfErrors(validateConfig(cfg), 'ecc config');
+  writeJson(configPath(projectRoot), cfg);
+}
+
+module.exports = {
+  createConfig,
+  loadConfig,
+  saveConfig
+};
+

package/scripts/ecc/diff.js

@@ -0,0 +1,113 @@
+const fs = require('fs');
+const path = require('path');
+
+const { spawnSync } = require('child_process');
+
+const { runKernel } = require('./kernel');
+
+function runGit(args, opts = {}) {
+  const res = spawnSync('git', args, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+    ...opts
+  });
+  return {
+    ok: res.status === 0,
+    status: res.status,
+    stdout: (res.stdout || '').trimEnd(),
+    stderr: (res.stderr || '').trimEnd()
+  };
+}
+
+function normalizeRepoPath(p) {
+  const posix = String(p || '').replace(/\\/g, '/');
+  // Prevent sneaky absolute paths and traversal.
+  if (posix.startsWith('/') || /^[A-Za-z]:\//.test(posix)) return null;
+  const norm = path.posix.normalize(posix);
+  if (norm === '.' || norm.startsWith('../') || norm.includes('/../')) return null;
+  return norm;
+}
+
+function touchedFilesFromUnifiedDiff(patchText) {
+  const files = [];
+  const seen = new Set();
+  const lines = String(patchText || '').split(/\r?\n/);
+  for (const line of lines) {
+    if (!line.startsWith('diff --git ')) continue;
+    // Typical: diff --git a/foo/bar b/foo/bar
+    const m = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
+    if (!m) continue;
+    const aPath = m[1];
+    const bPath = m[2];
+    const file = bPath === '/dev/null' ? aPath : bPath;
+    const normalized = normalizeRepoPath(file);
+    if (!normalized) {
+      files.push({ path: file, invalid: true });
+      continue;
+    }
+    if (seen.has(normalized)) continue;
+    seen.add(normalized);
+    files.push({ path: normalized, invalid: false });
+  }
+  return files;
+}
+
+function ensureOwned({ touchedFiles, allowedPathPrefixes }) {
+  const allowed = (Array.isArray(allowedPathPrefixes) ? allowedPathPrefixes : [])
+    .map(p => String(p || '').replace(/\\/g, '/'))
+    .map(p => (p.endsWith('/') ? p : `${p}/`))
+    .filter(Boolean);
+
+  if (!allowed.length) throw new Error('allowedPathPrefixes is empty');
+
+  const violations = [];
+  for (const f of touchedFiles) {
+    if (f.invalid) {
+      violations.push(`invalid path in patch: ${f.path}`);
+      continue;
+    }
+    const ok = allowed.some(prefix => f.path === prefix.slice(0, -1) || f.path.startsWith(prefix));
+    if (!ok) violations.push(`unauthorized path: ${f.path}`);
+  }
+
+  if (violations.length) {
+    throw new Error(`patch ownership check failed:\n- ${violations.join('\n- ')}`);
+  }
+}
+
+function applyPatch({ worktreePath, patchPath, allowedPathPrefixes }) {
+  const kernelOut = runKernel('patch.apply', {
+    worktreePath,
+    patchPath,
+    allowedPathPrefixes: Array.isArray(allowedPathPrefixes) ? allowedPathPrefixes : []
+  });
+  if (kernelOut && Array.isArray(kernelOut.touchedFiles)) {
+    return { touchedFiles: kernelOut.touchedFiles };
+  }
+
+  const patchText = fs.readFileSync(patchPath, 'utf8');
+  const trimmed = patchText.trim();
+  if (!trimmed) {
+    return { touchedFiles: [] };
+  }
+
+  const touched = touchedFilesFromUnifiedDiff(patchText);
+  if (!touched.length) {
+    throw new Error('patch has content but no "diff --git" headers (not a unified diff?)');
+  }
+
+  ensureOwned({ touchedFiles: touched, allowedPathPrefixes });
+
+  let res = runGit(['-C', worktreePath, 'apply', '--check', patchPath]);
+  if (!res.ok) throw new Error(res.stderr || 'git apply --check failed');
+
+  res = runGit(['-C', worktreePath, 'apply', patchPath]);
+  if (!res.ok) throw new Error(res.stderr || 'git apply failed');
+
+  return { touchedFiles: touched.map(t => t.path) };
+}
+
+module.exports = {
+  touchedFilesFromUnifiedDiff,
+  applyPatch
+};

package/scripts/ecc/exec.js

@@ -0,0 +1,121 @@
+const fs = require('fs');
+const path = require('path');
+
+const { readJson, writeJson } = require('./json');
+const { runPaths, loadRun, saveRun } = require('./run');
+const git = require('./git');
+const diff = require('./diff');
+const { validateApplyResult, throwIfErrors } = require('./validate');
+
+function nowIso() {
+  return new Date().toISOString();
+}
+
+function topoSortTasks(tasks) {
+  const byId = new Map(tasks.map(t => [t.id, t]));
+  const visited = new Set();
+  const visiting = new Set();
+  const out = [];
+
+  function visit(id) {
+    if (visited.has(id)) return;
+    if (visiting.has(id)) throw new Error(`cycle detected at task "${id}"`);
+    visiting.add(id);
+    const t = byId.get(id);
+    const deps = Array.isArray(t.dependsOn) ? t.dependsOn : [];
+    for (const dep of deps) visit(dep);
+    visiting.delete(id);
+    visited.add(id);
+    out.push(t);
+  }
+
+  for (const t of tasks) visit(t.id);
+  return out;
+}
+
+async function execRun({ projectRoot, runId, provider, worktreeRoot }) {
+  const run = loadRun(projectRoot, runId);
+  if (!run) throw new Error(`unknown runId: ${runId}`);
+
+  const paths = runPaths(projectRoot, runId);
+  if (!fs.existsSync(paths.planJson)) throw new Error(`missing plan.json (run ecc plan first): ${paths.planJson}`);
+  const plan = readJson(paths.planJson);
+
+  const repoRoot = git.getRepoRoot(projectRoot);
+  if (!repoRoot) throw new Error('ecc exec requires a git repository');
+
+  const baseSha = run.base && run.base.sha ? run.base.sha : git.getHeadSha(repoRoot);
+  const branch = run.worktree && run.worktree.branch ? run.worktree.branch : `ecc/${runId}`;
+
+  const desiredWorktreePath =
+    run.worktree && run.worktree.path && fs.existsSync(run.worktree.path)
+      ? run.worktree.path
+      : git.defaultWorktreePath({ repoRoot, runId, worktreeRoot });
+
+  const worktreePath = git.ensureWorktree({
+    repoRoot,
+    worktreePath: desiredWorktreePath,
+    branch,
+    baseSha
+  });
+
+  run.status = 'executing';
+  run.worktree.path = worktreePath;
+  run.worktree.branch = branch;
+  saveRun(projectRoot, runId, run);
+
+  const ordered = topoSortTasks(plan.tasks);
+
+  const applyResult = {
+    version: 1,
+    appliedAt: nowIso(),
+    baseSha,
+    tasks: []
+  };
+
+  for (const task of ordered) {
+    const patchPath = path.join(paths.patchesDir, `${task.id}.diff`);
+    const patchOut = await provider.generatePatch({
+      task,
+      repoRoot: worktreePath,
+      packs: run.packs,
+      patchPath
+    });
+
+    const patch = patchOut && typeof patchOut.patch === 'string' ? patchOut.patch : null;
+    const patchOutPath = patchOut && typeof patchOut.patchPath === 'string' ? patchOut.patchPath : null;
+
+    if (patchOutPath && path.resolve(patchOutPath) !== path.resolve(patchPath)) {
+      applyResult.tasks.push({ id: task.id, patchPath, ok: false, error: 'provider returned unexpected patchPath' });
+      writeJson(paths.applyJson, applyResult);
+      throw new Error(`provider returned unexpected patchPath for task: ${task.id}`);
+    }
+
+    if (patch !== null) {
+      fs.writeFileSync(patchPath, patch.endsWith('\n') ? patch : patch + '\n', 'utf8');
+    } else if (!fs.existsSync(patchPath)) {
+      applyResult.tasks.push({ id: task.id, patchPath, ok: false, error: 'provider did not produce patch' });
+      writeJson(paths.applyJson, applyResult);
+      throw new Error(`provider did not produce patch for task: ${task.id}`);
+    }
+
+    try {
+      diff.applyPatch({ worktreePath, patchPath, allowedPathPrefixes: task.allowedPathPrefixes });
+      applyResult.tasks.push({ id: task.id, patchPath, ok: true });
+    } catch (err) {
+      const msg = err && err.message ? err.message : String(err);
+      applyResult.tasks.push({ id: task.id, patchPath, ok: false, error: msg });
+      writeJson(paths.applyJson, applyResult);
+      throw err;
+    }
+  }
+
+  throwIfErrors(validateApplyResult(applyResult), 'apply result');
+  writeJson(paths.applyJson, applyResult);
+
+  return { worktreePath, applyResult, run, plan, paths, repoRoot };
+}
+
+module.exports = {
+  execRun
+};

package/scripts/ecc/fixtures/basic/patches/impl-core.diff

@@ -0,0 +1,8 @@
+diff --git a/src/ecc-demo.txt b/src/ecc-demo.txt
+new file mode 100644
+index 0000000..3f67f1e
+--- /dev/null
++++ b/src/ecc-demo.txt
+@@ -0,0 +1 @@
++ecc-demo: ok
+

package/scripts/ecc/fixtures/basic/patches/tests.diff

@@ -0,0 +1,8 @@
+diff --git a/tests/ecc-demo.txt b/tests/ecc-demo.txt
+new file mode 100644
+index 0000000..3f67f1e
+--- /dev/null
++++ b/tests/ecc-demo.txt
+@@ -0,0 +1 @@
++ecc-demo: ok
+

package/scripts/ecc/fixtures/basic/plan.json

@@ -0,0 +1,23 @@
+{
+  "version": 1,
+  "intent": "demo",
+  "tasks": [
+    {
+      "id": "impl-core",
+      "title": "Implement core demo change",
+      "kind": "patch",
+      "dependsOn": [],
+      "allowedPathPrefixes": ["src/"],
+      "prompt": "Create a demo marker file at src/ecc-demo.txt with a single line: \"ecc-demo: ok\"."
+    },
+    {
+      "id": "tests",
+      "title": "Add demo smoke test artifact",
+      "kind": "patch",
+      "dependsOn": ["impl-core"],
+      "allowedPathPrefixes": ["tests/"],
+      "prompt": "Create a demo marker file at tests/ecc-demo.txt with a single line: \"ecc-demo: ok\"."
+    }
+  ]
+}
+

package/scripts/ecc/fixtures/unauthorized/patches/impl-core.diff

@@ -0,0 +1,8 @@
+diff --git a/README.md b/README.md
+new file mode 100644
+index 0000000..3f67f1e
+--- /dev/null
++++ b/README.md
+@@ -0,0 +1 @@
++unauthorized
+

package/scripts/ecc/fixtures/unauthorized/plan.json

@@ -0,0 +1,15 @@
+{
+  "version": 1,
+  "intent": "unauthorized-demo",
+  "tasks": [
+    {
+      "id": "impl-core",
+      "title": "Unauthorized patch demo",
+      "kind": "patch",
+      "dependsOn": [],
+      "allowedPathPrefixes": ["src/"],
+      "prompt": "Attempt to write outside allowedPathPrefixes (should be blocked by executor)."
+    }
+  ]
+}
+

package/scripts/ecc/git.js

@@ -0,0 +1,139 @@
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { spawnSync } = require('child_process');
+
+const { runKernel } = require('./kernel');
+
+function runGit(args, opts = {}) {
+  const res = spawnSync('git', args, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+    ...opts
+  });
+  return {
+    ok: res.status === 0,
+    status: res.status,
+    stdout: (res.stdout || '').trimEnd(),
+    stderr: (res.stderr || '').trimEnd()
+  };
+}
+
+function getRepoRoot(cwd) {
+  const res = runGit(['-C', cwd, 'rev-parse', '--show-toplevel']);
+  if (!res.ok) return null;
+  return res.stdout.trim();
+}
+
+function getHeadSha(repoRoot) {
+  const res = runGit(['-C', repoRoot, 'rev-parse', 'HEAD']);
+  if (!res.ok) throw new Error(res.stderr || 'git rev-parse HEAD failed');
+  return res.stdout.trim();
+}
+
+function getCurrentBranch(repoRoot) {
+  const res = runGit(['-C', repoRoot, 'rev-parse', '--abbrev-ref', 'HEAD']);
+  if (!res.ok) throw new Error(res.stderr || 'git rev-parse --abbrev-ref HEAD failed');
+  return res.stdout.trim();
+}
+
+function isClean(repoRoot) {
+  // Ignore untracked files; they won't be part of the worktree branch anyway.
+  const res = runGit(['-C', repoRoot, 'status', '--porcelain', '--untracked-files=no']);
+  if (!res.ok) throw new Error(res.stderr || 'git status --porcelain failed');
+  return res.stdout.trim().length === 0;
+}
+
+function branchExists(repoRoot, branch) {
+  const res = runGit(['-C', repoRoot, 'show-ref', '--verify', '--quiet', `refs/heads/${branch}`]);
+  return res.status === 0;
+}
+
+function ensureBranchAt(repoRoot, branch, baseSha) {
+  if (branchExists(repoRoot, branch)) return;
+  const res = runGit(['-C', repoRoot, 'branch', branch, baseSha]);
+  if (!res.ok) throw new Error(res.stderr || `git branch ${branch} ${baseSha} failed`);
+}
+
+function defaultWorktreePath({ repoRoot, runId, worktreeRoot }) {
+  const repoName = path.basename(repoRoot);
+  const root = worktreeRoot || path.join(os.tmpdir(), 'ecc-worktrees');
+  return path.join(root, repoName, runId);
+}
+
+function assertExternalWorktreePath({ repoRoot, worktreePath }) {
+  const rel = path.relative(repoRoot, worktreePath);
+  const isInside = rel && !rel.startsWith('..') && !path.isAbsolute(rel);
+  if (isInside) {
+    throw new Error(
+      `Refusing to create worktree inside repo root (would recurse): repoRoot=${repoRoot} worktreePath=${worktreePath}`
+    );
+  }
+}
+
+function isGitWorktree(dir) {
+  if (!fs.existsSync(dir)) return false;
+  const res = runGit(['-C', dir, 'rev-parse', '--is-inside-work-tree']);
+  return res.ok && res.stdout.trim() === 'true';
+}
+
+function ensureWorktree({ repoRoot, worktreePath, branch, baseSha }) {
+  const kernelOut = runKernel('worktree.ensure', { repoRoot, worktreePath, branch, baseSha });
+  if (kernelOut && kernelOut.worktreePath) return kernelOut.worktreePath;
+
+  assertExternalWorktreePath({ repoRoot, worktreePath });
+  ensureBranchAt(repoRoot, branch, baseSha);
+
+  if (fs.existsSync(worktreePath)) {
+    if (!isGitWorktree(worktreePath)) {
+      throw new Error(`Worktree path exists but is not a git worktree: ${worktreePath}`);
+    }
+    return worktreePath;
+  }
+
+  fs.mkdirSync(path.dirname(worktreePath), { recursive: true });
+
+  const res = runGit(['-C', repoRoot, 'worktree', 'add', worktreePath, branch]);
+  if (!res.ok) throw new Error(res.stderr || `git worktree add failed: ${worktreePath}`);
+  return worktreePath;
+}
+
+function removeWorktree({ repoRoot, worktreePath, force = true }) {
+  const kernelOut = runKernel('worktree.remove', { repoRoot, worktreePath, force: !!force });
+  if (kernelOut && kernelOut.ok) return;
+
+  const args = ['-C', repoRoot, 'worktree', 'remove'];
+  if (force) args.push('--force');
+  args.push(worktreePath);
+  const res = runGit(args);
+  if (!res.ok) throw new Error(res.stderr || `git worktree remove failed: ${worktreePath}`);
+}
+
+function commitAll({ repoRoot, message }) {
+  const kernelOut = runKernel('git.commit_all', { repoRoot, message });
+  if (kernelOut && kernelOut.sha) return kernelOut.sha;
+
+  let res = runGit(['-C', repoRoot, 'add', '-A']);
+  if (!res.ok) throw new Error(res.stderr || 'git add failed');
+
+  res = runGit(['-C', repoRoot, 'commit', '-m', message]);
+  if (!res.ok) throw new Error(res.stderr || 'git commit failed');
+
+  const sha = getHeadSha(repoRoot);
+  return sha;
+}
+
+module.exports = {
+  runGit,
+  getRepoRoot,
+  getHeadSha,
+  getCurrentBranch,
+  isClean,
+  defaultWorktreePath,
+  assertExternalWorktreePath,
+  isGitWorktree,
+  ensureBranchAt,
+  ensureWorktree,
+  removeWorktree,
+  commitAll
+};

package/scripts/ecc/id.js

@@ -0,0 +1,37 @@
+const path = require('path');
+
+const { getDateString } = require('../lib/utils');
+const { runsDir } = require('./project');
+
+function slugify(s, fallback = 'run') {
+  const cleaned = String(s || '')
+    .toLowerCase()
+    .trim()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '');
+  return cleaned || fallback;
+}
+
+function defaultRunId(intent) {
+  return `${getDateString()}-${slugify(intent, 'task')}`;
+}
+
+function ensureUniqueRunId(projectRoot, runIdBase) {
+  const base = slugify(runIdBase);
+  const root = runsDir(projectRoot);
+  let candidate = base;
+  let n = 2;
+  while (true) {
+    const p = path.join(root, candidate);
+    if (!require('fs').existsSync(p)) return candidate;
+    candidate = `${base}-${n}`;
+    n++;
+  }
+}
+
+module.exports = {
+  slugify,
+  defaultRunId,
+  ensureUniqueRunId
+};
+