git-daemon 0.1.8 → 0.1.10

package/README.md

@@ -8,10 +8,19 @@ Git Daemon is a local Node.js service that exposes a small, authenticated HTTP A
 ## What it does
 
 - Clone, fetch, list branches, and read Git status using your system Git credentials
+- Provide a status summary for UI badges/tooltips
 - Stream long-running job logs via Server-Sent Events (SSE)
+- Run user-defined healthchecks and return normalized results
 - Open a repo in the OS file browser, terminal, or VS Code (with approvals)
 - Install dependencies with safer defaults (`--ignore-scripts` by default)
 
+## Healthchecks
+
+Healthchecks are user-supplied executables/scripts stored in local suites (which can be
+private repos). The daemon runs them as jobs, streams logs over SSE, and returns a
+normalized status (`na`, `failed`, `pass-partial`, `pass-full`) plus details. Suites are
+configured via local paths, and each check has a `healthcheck.json` manifest.
+
 ## Security model (high level)
 
 - **Loopback-only**: binds to `127.0.0.1`
@@ -24,7 +33,7 @@ Git Daemon is a local Node.js service that exposes a small, authenticated HTTP A
 ## Requirements
 
 - Node.js (for running the daemon)
-- Git (for clone/fetch/branches/status)
+- Git (for clone/fetch/branches/status/summary)
 - Optional: `code` CLI for VS Code, `pnpm`/`yarn` for dependency installs
 
 ## Install
@@ -161,6 +170,33 @@ curl -H "Origin: https://app.example.com" \
   "http://127.0.0.1:8790/v1/git/branches?repoPath=owner/repo"
 ```
 
+Status summary (UI-friendly):
+
+```bash
+curl -H "Origin: https://app.example.com" \
+  -H "Authorization: Bearer <TOKEN>" \
+  "http://127.0.0.1:8790/v1/git/summary?repoPath=owner/repo"
+```
+
+Run healthchecks (job):
+
+```bash
+curl -X POST \
+  -H "Origin: https://app.example.com" \
+  -H "Authorization: Bearer <TOKEN>" \
+  -H "Content-Type: application/json" \
+  -d '{"repoPath":"owner/repo","checks":[{"suiteId":"team-default","checkId":"lint","config":{"strict":true}}]}' \
+  http://127.0.0.1:8790/v1/healthchecks/run
+```
+
+Fetch healthcheck results:
+
+```bash
+curl -H "Origin: https://app.example.com" \
+  -H "Authorization: Bearer <TOKEN>" \
+  http://127.0.0.1:8790/v1/healthchecks/jobs/<JOB_ID>/result
+```
+
 ## Configuration
 
 Config is stored in OS-specific directories:
@@ -181,6 +217,7 @@ Key settings live in `config.json`:
 - `workspaceRoot`: absolute path to the workspace root
 - `deps.defaultSafer`: defaults to `true` for `--ignore-scripts`
 - `jobs.maxConcurrent` and `jobs.timeoutSeconds`
+- `healthchecks.suites`: array of absolute or config-relative suite paths
 
 Tokens are stored (hashed) in `tokens.json`. Logs are written under the configured `logging.directory` with rotation.
 

package/config.schema.json

@@ -124,6 +124,25 @@
         }
       }
     },
+    "healthchecks": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "suites"
+      ],
+      "properties": {
+        "suites": {
+          "type": "array",
+          "default": [],
+          "items": {
+            "type": "string"
+          }
+        },
+        "defaultSuiteId": {
+          "type": "string"
+        }
+      }
+    },
     "logging": {
       "type": "object",
       "additionalProperties": false,

package/design.md

@@ -26,6 +26,7 @@ The daemon exposes a **localhost HTTP API** guarded by:
   * run dependency installation (`npm i` / pnpm / yarn)
 * Prevent any website other than the approved UI origins from controlling the daemon.
 * Prevent the approved UI from writing outside a user-approved local workspace root.
+* Run user-defined healthchecks against local repos and return normalized results.
 
 ## Non-goals
 
@@ -33,6 +34,7 @@ The daemon exposes a **localhost HTTP API** guarded by:
 * Building or shipping the React UI.
 * Acting as a full Git GUI (diff viewer, staging UI, merge tools) — those are UI concerns.
 * Running arbitrary shell commands. (Only explicit, whitelisted operations.)
+* Shipping or hosting healthcheck suites (healthchecks remain user-managed).
 
 ---
 
@@ -150,6 +152,12 @@ First-time use of high-risk features requires explicit user approval:
 * Any endpoint that would accept arbitrary args must be constrained/validated.
 * Validate `repoUrl` formats (SSH/HTTPS only); disallow `file://` and local paths.
 
+#### 6b) Healthcheck execution boundaries
+
+* Healthchecks are user-supplied but executed by the daemon with strict inputs.
+* Repo access is read-only; the runner provides only `REPO_PATH`, `REPO_INFO`, and `CHECK_CONFIG`.
+* Network access is disabled by default and must be explicitly allowed by the check manifest.
+
 #### 7) Abuse limits (recommended)
 
 * Rate limit pairing attempts and auth failures.
@@ -169,6 +177,7 @@ First-time use of high-risk features requires explicit user approval:
   * `config.json` (workspace root, approvals, options)
   * `tokens.json` (hashed tokens, per-origin records)
   * `logs/` (structured logs with rotation)
+  * `healthchecks/` (optional local suites, if not stored elsewhere)
 * Log rotation: keep 5 files × 5MB each.
 
 ---
@@ -229,6 +238,121 @@ Capture output:
 
 ---
 
+## Healthchecks
+
+Healthchecks are user-provided executables/scripts that run against a local repo and
+return normalized results. Suites can be private repos; the daemon only executes
+locally configured suites and never ships or hosts them.
+
+### Suite discovery
+
+* A suite is a folder or repo containing one or more checks.
+* The daemon is configured with one or more suite roots (e.g., `healthchecks.suites` in config).
+* Each check includes a `healthcheck.json` manifest next to its entrypoint.
+* Suites can include shared libraries or scripts used by multiple checks.
+
+### Manifest format (healthcheck.json)
+
+```json
+{
+  "id": "lint",
+  "name": "Repo Lint",
+  "version": "1.2.0",
+  "description": "Runs repo-specific lint checks",
+  "entrypoint": "./run.sh",
+  "args": ["--strict"],
+  "timeoutSeconds": 120,
+  "permissions": {
+    "repoRead": true,
+    "network": false,
+    "secrets": []
+  },
+  "configSchema": {
+    "type": "object",
+    "properties": {
+      "strict": { "type": "boolean", "default": false }
+    },
+    "additionalProperties": false
+  },
+  "cacheable": true,
+  "cacheMaxAgeSeconds": 3600,
+  "outputSchemaVersion": 1
+}
+```
+
+### Runtime input contract
+
+Checks receive inputs via environment variables:
+
+* `REPO_PATH`: absolute path to the repo (read-only).
+* `REPO_INFO`: JSON string of repo metadata supplied by the UI (GitHub-facing fields).
+* `CHECK_CONFIG`: JSON string validated against `configSchema` (if provided).
+
+The daemon does not call GitHub APIs; it passes through `REPO_INFO` from the UI.
+Suggested fields include `owner`, `name`, `fullName`, `defaultBranch`, `visibility`,
+`cloneUrl`, `htmlUrl`, `topics`, `archived`, and `fork`.
+
+### Runtime output contract
+
+Checks write JSON to `stdout` (logs go to `stderr`):
+
+```json
+{
+  "status": "na|failed|pass-partial|pass-full",
+  "summary": "Short human summary",
+  "explanation": "Longer explanation of the status",
+  "details": [
+    {
+      "code": "CHK001",
+      "severity": "info|low|medium|high|critical",
+      "message": "Missing README",
+      "path": "README.md",
+      "line": 1,
+      "column": 1,
+      "remediation": "Add a README.md with project description"
+    }
+  ],
+  "metrics": {
+    "filesChecked": 134,
+    "issuesFound": 2
+  },
+  "artifacts": [
+    {
+      "name": "full-report.json",
+      "path": "reports/report.json",
+      "contentType": "application/json"
+    }
+  ],
+  "durationMs": 5234
+}
+```
+
+### Status model
+
+* `na`: not applicable (missing stack, no files, or explicitly skipped).
+* `failed`: healthcheck failed a required condition.
+* `pass-partial`: issues found but acceptable or best-effort.
+* `pass-full`: all requirements met.
+
+For a multi-check run, the aggregate status is derived by severity ordering:
+`failed` > `pass-partial` > `pass-full` > `na`.
+
+### Execution and security
+
+* Healthchecks run as daemon-managed jobs; logs stream via SSE like clone/fetch.
+* Repo contents are read-only to healthchecks.
+* Network access defaults to off and must be explicitly allowed via manifest
+  permissions (and optionally user approval).
+
+### Results and caching
+
+* Results are stored per job and retrieved via a dedicated results endpoint.
+* Cache key includes repo commit SHA, check id/version, config, and daemon version.
+* Caching is opt-in per check (`cacheable` + `cacheMaxAgeSeconds`) and can be
+  overridden per run with `cacheMode` (`prefer`, `refresh`, or `bypass`).
+
+---
+
 ## API Design
 
 ### Conventions
@@ -280,6 +404,10 @@ Meta response fields (examples):
 
   * returns: `{ branches: [{ name, fullName, type: "local"|"remote", current, upstream? }] }`
   * `includeRemote` defaults to `true` and includes remote tracking branches (e.g. `origin/main`)
+* `GET /v1/git/summary?repoPath=...` → status summary for UI badges/tooltips
+
+  * returns: `{ repoPath, exists, branch, upstream, ahead, behind, dirty, staged, unstaged, untracked, conflicts, detached }`
+  * if repo is missing, `exists` is `false` with zeroed counts
 * `GET /v1/git/status?repoPath=...` → structured status
 
   * returns: `{ branch, ahead, behind, stagedCount, unstagedCount, untrackedCount, conflictsCount, clean }`
@@ -300,6 +428,16 @@ Recommendations:
 * `safer=true` maps to flags that reduce script execution risk (e.g., `--ignore-scripts` for npm/pnpm/yarn).
 * Default to `safer=true` for all runs; allow a per-repo override to enable scripts.
 
+### Healthcheck endpoints
+
+* `GET /v1/healthchecks` → list installed suites and checks.
+* `POST /v1/healthchecks/run` → job
+
+  * body: `{ repoPath, repoInfo?, suiteId?, checks?: [{ suiteId?, checkId, config?, cacheMode? }] }`
+  * `repoInfo` is a UI-supplied GitHub metadata object (passed through to checks).
+  * If `checks` is omitted, run all checks in the default suite.
+* `GET /v1/healthchecks/jobs/:id/result` → structured healthcheck results for a completed job.
+
 ---
 
 ## Job Model
@@ -313,7 +451,7 @@ Recommendations:
 Each event is JSON:
 
 * `{ type: "log", stream: "stdout"|"stderr", line: "..." }`
-* `{ type: "progress", kind: "git"|"deps", percent?: number, detail?: string }`
+* `{ type: "progress", kind: "git"|"deps"|"healthcheck", percent?: number, detail?: string }`
 * `{ type: "state", state: "running"|"done"|"error", message?: string }`
 
 ### Cancellation
@@ -369,7 +507,8 @@ Each event is JSON:
 4. Pair once (code/confirm)
 5. User clicks “Clone locally”
 6. UI calls daemon `/v1/git/clone`, streams job logs
-7. UI shows “Open in VS Code / Terminal / Folder”
+7. UI optionally calls `/v1/healthchecks/run`, streams job logs, and fetches results
+8. UI shows “Open in VS Code / Terminal / Folder”
 
 ### 2) Local UI + daemon (dev)
 
@@ -429,6 +568,25 @@ curl -N \
   http://127.0.0.1:8790/v1/jobs/<JOB_ID>/stream
 ```
 
+### Run healthchecks (job)
+
+```bash
+curl -X POST \
+  -H "Origin: https://app.example.com" \
+  -H "Authorization: Bearer <TOKEN>" \
+  -H "Content-Type: application/json" \
+  -d '{"repoPath":"owner/repo","checks":[{"suiteId":"team-default","checkId":"lint","config":{"strict":true}}]}' \
+  http://127.0.0.1:8790/v1/healthchecks/run
+```
+
+### Fetch healthcheck results
+
+```bash
+curl -H "Origin: https://app.example.com" \
+  -H "Authorization: Bearer <TOKEN>" \
+  http://127.0.0.1:8790/v1/healthchecks/jobs/<JOB_ID>/result
+```
+
 ---
 
 ## Error Handling

package/dist/app.js

@@ -1,4 +1,37 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -7,7 +40,9 @@ exports.createApp = void 0;
 const express_1 = __importDefault(require("express"));
 const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
 const fs_1 = require("fs");
+const fsSync = __importStar(require("fs"));
 const path_1 = __importDefault(require("path"));
+const readline_1 = __importDefault(require("readline"));
 const logger_1 = require("./logger");
 const security_1 = require("./security");
 const errors_1 = require("./errors");
@@ -16,7 +51,9 @@ const workspace_1 = require("./workspace");
 const git_1 = require("./git");
 const deps_1 = require("./deps");
 const os_1 = require("./os");
+const healthchecks_1 = require("./healthchecks");
 const approvals_1 = require("./approvals");
+const config_1 = require("./config");
 const parseBody = (schema, body, opts) => {
     const parsed = schema.safeParse(body);
     if (!parsed.success) {
@@ -213,6 +250,56 @@ const createApp = (ctx) => {
             next(err);
         }
     });
+    app.get("/v1/git/branches", (0, security_1.authGuard)(ctx.tokenStore), async (req, res, next) => {
+        try {
+            const payload = parseBody(validation_1.gitBranchesQuerySchema, req.query);
+            const workspaceRoot = (0, workspace_1.ensureWorkspaceRoot)(ctx.config.workspaceRoot);
+            const includeRemote = payload.includeRemote !== "false";
+            const branches = await (0, git_1.listRepoBranches)(workspaceRoot, payload.repoPath, {
+                includeRemote,
+            });
+            res.json({ branches });
+        }
+        catch (err) {
+            if (err instanceof git_1.RepoNotFoundError ||
+                err instanceof workspace_1.MissingPathError) {
+                next((0, errors_1.repoNotFound)());
+                return;
+            }
+            next(err);
+        }
+    });
+    app.get("/v1/git/summary", (0, security_1.authGuard)(ctx.tokenStore), async (req, res, next) => {
+        let payload;
+        try {
+            payload = parseBody(validation_1.gitSummaryQuerySchema, req.query);
+            const workspaceRoot = (0, workspace_1.ensureWorkspaceRoot)(ctx.config.workspaceRoot);
+            const summary = await (0, git_1.getRepoSummary)(workspaceRoot, payload.repoPath);
+            res.json(summary);
+        }
+        catch (err) {
+            if ((err instanceof git_1.RepoNotFoundError ||
+                err instanceof workspace_1.MissingPathError) &&
+                payload) {
+                res.json({
+                    repoPath: payload.repoPath,
+                    exists: false,
+                    branch: "",
+                    upstream: null,
+                    ahead: 0,
+                    behind: 0,
+                    dirty: false,
+                    staged: 0,
+                    unstaged: 0,
+                    untracked: 0,
+                    conflicts: 0,
+                    detached: false,
+                });
+                return;
+            }
+            next(err);
+        }
+    });
     app.get("/v1/git/status", (0, security_1.authGuard)(ctx.tokenStore), async (req, res, next) => {
         try {
             const { repoPath } = parseBody(validation_1.gitStatusQuerySchema, req.query);
@@ -236,10 +323,10 @@ const createApp = (ctx) => {
             const workspaceRoot = (0, workspace_1.ensureWorkspaceRoot)(ctx.config.workspaceRoot);
             const resolved = await (0, workspace_1.resolveInsideWorkspace)(workspaceRoot, payload.path);
             if (payload.target === "terminal") {
-                (0, approvals_1.requireApproval)(ctx.config, origin, resolved, "open-terminal", workspaceRoot);
+                await ensureApproval(ctx, origin, resolved, "open-terminal", workspaceRoot);
             }
             if (payload.target === "vscode") {
-                (0, approvals_1.requireApproval)(ctx.config, origin, resolved, "open-vscode", workspaceRoot);
+                await ensureApproval(ctx, origin, resolved, "open-vscode", workspaceRoot);
             }
             await (0, os_1.openTarget)(payload.target, resolved);
             res.json({ ok: true });
@@ -264,7 +351,7 @@ const createApp = (ctx) => {
             catch {
                 throw (0, errors_1.repoNotFound)();
             }
-            (0, approvals_1.requireApproval)(ctx.config, origin, resolved, "deps/install", workspaceRoot);
+            await ensureApproval(ctx, origin, resolved, "deps/install", workspaceRoot);
             const job = ctx.jobManager.enqueue(async (jobCtx) => {
                 await (0, deps_1.installDeps)(jobCtx, workspaceRoot, {
                     repoPath: payload.repoPath,
@@ -283,6 +370,68 @@ const createApp = (ctx) => {
             next(err);
         }
     });
+    app.get("/v1/healthchecks", (0, security_1.authGuard)(ctx.tokenStore), async (_req, res, next) => {
+        try {
+            const suites = await (0, healthchecks_1.loadHealthcheckSuites)(ctx.configDir, ctx.config.healthchecks?.suites ?? []);
+            res.json({ suites: (0, healthchecks_1.listHealthcheckSuites)(suites) });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    app.post("/v1/healthchecks/run", (0, security_1.authGuard)(ctx.tokenStore), async (req, res, next) => {
+        try {
+            const payload = parseBody(validation_1.healthcheckRunRequestSchema, req.body);
+            const workspaceRoot = (0, workspace_1.ensureWorkspaceRoot)(ctx.config.workspaceRoot);
+            const resolved = await (0, git_1.resolveRepoPath)(workspaceRoot, payload.repoPath);
+            const suites = await (0, healthchecks_1.loadHealthcheckSuites)(ctx.configDir, ctx.config.healthchecks?.suites ?? []);
+            let selections;
+            try {
+                selections = (0, healthchecks_1.resolveSelections)(suites, payload, ctx.config.healthchecks?.defaultSuiteId);
+            }
+            catch (err) {
+                throw new errors_1.ApiError(422, (0, errors_1.errorBody)("internal_error", err instanceof Error
+                    ? err.message
+                    : "Invalid healthcheck request."));
+            }
+            const job = ctx.jobManager.enqueue(async (jobCtx) => {
+                const result = await (0, healthchecks_1.runHealthchecks)(jobCtx, jobCtx.jobId, resolved, selections, payload.repoInfo);
+                ctx.healthcheckStore.set(jobCtx.jobId, {
+                    ...result,
+                    repoPath: payload.repoPath,
+                });
+            });
+            res.status(202).json({ jobId: job.id });
+        }
+        catch (err) {
+            if (err instanceof git_1.RepoNotFoundError ||
+                err instanceof workspace_1.MissingPathError) {
+                next((0, errors_1.repoNotFound)());
+                return;
+            }
+            next(err);
+        }
+    });
+    app.get("/v1/healthchecks/jobs/:id/result", (0, security_1.authGuard)(ctx.tokenStore), (req, res, next) => {
+        try {
+            const jobId = req.params.id;
+            const job = ctx.jobManager.get(jobId);
+            if (!job) {
+                throw (0, errors_1.jobNotFound)();
+            }
+            const result = ctx.healthcheckStore.get(jobId);
+            if (!result) {
+                res
+                    .status(409)
+                    .json((0, errors_1.errorBody)("internal_error", "Healthcheck results not available."));
+                return;
+            }
+            res.json(result);
+        }
+        catch (err) {
+            next(err);
+        }
+    });
     app.get("/v1/diagnostics", (0, security_1.authGuard)(ctx.tokenStore), (req, res, next) => {
         try {
             const summary = {
@@ -293,6 +442,7 @@ const createApp = (ctx) => {
                 pairing: ctx.config.pairing,
                 jobs: ctx.config.jobs,
                 deps: ctx.config.deps,
+                healthchecks: ctx.config.healthchecks,
                 logging: ctx.config.logging,
             };
             res.json({
@@ -306,8 +456,17 @@ const createApp = (ctx) => {
             next(err);
         }
     });
-    app.use((err, _req, res, _next) => {
+    app.use((err, req, res, _next) => {
         if (err instanceof errors_1.ApiError) {
+            if (err.status === 409) {
+                console.warn(`[Git Daemon] 409 ${err.body.errorCode} ${req.method} ${req.originalUrl} origin=${req.headers.origin ?? ""}`);
+                ctx.logger.warn({
+                    errorCode: err.body.errorCode,
+                    method: req.method,
+                    path: req.originalUrl,
+                    origin: req.headers.origin,
+                }, "Request rejected with conflict");
+            }
             res.status(err.status).json(err.body);
             return;
         }
@@ -324,3 +483,61 @@ const createApp = (ctx) => {
     return app;
 };
 exports.createApp = createApp;
+const ensureApproval = async (ctx, origin, repoPath, capability, workspaceRoot) => {
+    if ((0, approvals_1.hasApproval)(ctx.config, origin, repoPath, capability, workspaceRoot)) {
+        return;
+    }
+    const approved = await promptApproval(origin, repoPath, capability);
+    if (!approved) {
+        (0, approvals_1.requireApproval)(ctx.config, origin, repoPath, capability, workspaceRoot);
+        return;
+    }
+    upsertOriginApproval(ctx, origin, capability);
+    await (0, config_1.saveConfig)(ctx.configDir, ctx.config);
+};
+const createPromptInterface = () => {
+    if (process.stdin.isTTY && process.stdout.isTTY) {
+        return readline_1.default.createInterface({
+            input: process.stdin,
+            output: process.stdout,
+        });
+    }
+    const ttyPath = process.platform === "win32" ? "CON" : "/dev/tty";
+    try {
+        const input = fsSync.createReadStream(ttyPath, { encoding: "utf8" });
+        const output = fsSync.createWriteStream(ttyPath);
+        return readline_1.default.createInterface({ input, output });
+    }
+    catch {
+        return null;
+    }
+};
+const askQuestion = (rl, question) => new Promise((resolve) => {
+    rl.question(question, (answer) => resolve(answer));
+});
+const promptApproval = async (origin, repoPath, capability) => {
+    const rl = createPromptInterface();
+    if (!rl) {
+        return false;
+    }
+    const answer = await askQuestion(rl, `Approve ${capability} for origin ${origin} (all repos)? [y/N] Requested path: ${repoPath} `);
+    rl.close();
+    const normalized = answer.trim().toLowerCase();
+    return normalized === "y" || normalized === "yes";
+};
+const upsertOriginApproval = (ctx, origin, capability) => {
+    const existing = ctx.config.approvals.entries.find((entry) => entry.origin === origin &&
+        (entry.repoPath === null || entry.repoPath === "*"));
+    if (existing) {
+        if (!existing.capabilities.includes(capability)) {
+            existing.capabilities.push(capability);
+        }
+        return;
+    }
+    ctx.config.approvals.entries.push({
+        origin,
+        repoPath: null,
+        capabilities: [capability],
+        approvedAt: new Date().toISOString(),
+    });
+};

package/dist/approvals.js

@@ -10,10 +10,13 @@ const hasApproval = (config, origin, repoPath, capability, workspaceRoot) => con
     if (entry.origin !== origin || !entry.capabilities.includes(capability)) {
         return false;
     }
+    if (entry.repoPath === null || entry.repoPath === "*") {
+        return true;
+    }
     if (entry.repoPath === repoPath) {
         return true;
     }
-    if (workspaceRoot && !path_1.default.isAbsolute(entry.repoPath)) {
+    if (workspaceRoot && entry.repoPath && !path_1.default.isAbsolute(entry.repoPath)) {
         return path_1.default.resolve(workspaceRoot, entry.repoPath) === repoPath;
     }
     return false;

package/dist/config.js

@@ -45,6 +45,9 @@ const defaultConfig = () => ({
     deps: {
         defaultSafer: true,
     },
+    healthchecks: {
+        suites: [],
+    },
     logging: {
         directory: "logs",
         maxFiles: 5,
@@ -88,6 +91,14 @@ const loadConfig = async (configDir) => {
                 ...(0, exports.defaultConfig)().deps,
                 ...data.deps,
             },
+            healthchecks: (() => {
+                const defaults = (0, exports.defaultConfig)().healthchecks ?? { suites: [] };
+                return {
+                    ...defaults,
+                    ...data.healthchecks,
+                    suites: data.healthchecks?.suites ?? defaults.suites,
+                };
+            })(),
             logging: {
                 ...(0, exports.defaultConfig)().logging,
                 ...data.logging,

package/dist/context.js

@@ -12,6 +12,7 @@ const config_1 = require("./config");
 const tokens_1 = require("./tokens");
 const pairing_1 = require("./pairing");
 const jobs_1 = require("./jobs");
+const healthchecks_1 = require("./healthchecks");
 const readPackageVersion = async () => {
     try {
         const pkgPath = path_1.default.resolve(__dirname, "..", "package.json");
@@ -38,6 +39,7 @@ const createContext = async () => {
     const capabilities = await (0, tools_1.detectCapabilities)();
     const pairingManager = new pairing_1.PairingManager(tokenStore, config.pairing.tokenTtlDays);
     const jobManager = new jobs_1.JobManager(config.jobs.maxConcurrent, config.jobs.timeoutSeconds);
+    const healthcheckStore = new healthchecks_1.HealthcheckResultStore();
     const version = await readPackageVersion();
     const build = {
         commit: process.env.GIT_DAEMON_BUILD_COMMIT,
@@ -49,6 +51,7 @@ const createContext = async () => {
         tokenStore,
         pairingManager,
         jobManager,
+        healthcheckStore,
         capabilities,
         logger,
         version,