its-magic 0.1.2-39 → 0.1.2-42

package/template/docs/engineering/runtime-connectivity.md

@@ -32,3 +32,50 @@ For each enabled target include:
 - Do not write inline credentials/tokens/private keys.
 - Only env reference names are permitted in connectivity artifacts.
 - Redact auth details in handoffs and release outputs.
+
+## `*Env` variable sourcing (US-0085 / DEC-0071)
+
+Operators may populate `release-targets.json`-referenced `*Env` variables
+(such as `SSH_HOST`, `DOCKER_TOKEN`, `AWS_PROFILE`, etc.) from a sourced
+`.env` file at repository root. Values are never stored in JSON configs —
+only env-reference **names** appear in committed artifacts. See
+`docs/engineering/runbook.md` for the copy/source recipe and
+`.env.example` for the full 20-name inventory.
+
+## Dev/QA remote profiles vs `release-targets.json` (US-0084)
+
+Use this table to map **where you run tests** to the **US-0064** release/QA
+connectivity model (**no parallel schema**). Cursor/dev **`REMOTE_CONFIG`** is
+documented in the runbook; it complements, not replaces, **`release-targets.json`**.
+
+| Operator path | Maps in `release-targets.json` | Scratchpad / dev config |
+|---------------|----------------------------------|-------------------------|
+| **WSL** | Local Linux on the same machine — not a separate target row by default. | Usually **`REMOTE_EXECUTION=0`**. Cite **environment label** **`WSL`** in QA evidence. |
+| **Bare SSH Linux** | **`ssh-server`**: `hostEnv`, `userEnv`, `authEnv`, `remoteCommand`, `runtime`, ingress. | **`REMOTE_EXECUTION=1`**, **`REMOTE_CONFIG=.cursor/remote.json`** (see **`.cursor/scratchpad.md`**). |
+| **Docker-over-SSH** | **`ssh-server.dockerOverSsh`**: `dockerHostEnv`, `dockerContextEnv`, `composeFile`, `service`. | Same scratchpad keys; operator sets **`DOCKER_HOST`** / context using **env names** only in docs. |
+
+### `docker_over_ssh` (operator summary)
+
+When **`dockerOverSsh.enabled`** is true on **`ssh-server`**, connectivity flows
+through SSH to a host where Docker commands run; **`dockerHostEnv`** and
+**`dockerContextEnv`** name the operator env vars (values never pasted into
+artifacts). **`composeFile`** and **`service`** identify the stack slice. Full
+fields remain in **`docs/engineering/release-targets.json`** and **DEC-0044**.
+
+## Optional deterministic CI routing recipe (US-0086)
+
+This recipe is optional and applies only when automation routing is explicitly
+enabled.
+
+- Keep `AUTO_REMOTE_AUTOMATION_PROFILE=off` as the default in CI unless the
+  workflow intentionally opts into automation routing.
+- Use deterministic path filters to set an execution label:
+  - `docker` label for container surfaces (`Dockerfile*`, `docker-compose*.yml`,
+    container runtime scripts)
+  - `ssh` label for ssh/deploy/runtime host scripts
+  - `local` label for all other changes
+- If explicit NL intent `start container <target_id>` is provided by automation,
+  target-id resolution takes precedence over path filters.
+- Emit names-only routing evidence:
+  `target_id`, `environment_label`, `automation_profile`, `routing_source`,
+  `secret_surface=names_only`.

package/template/docs/engineering/us-0084-remote-e2e.md

@@ -0,0 +1,44 @@
+# US-0084 — Minimal remote sanity path (Windows → WSL or SSH Linux)
+
+Sprint **S0069** / story **US-0084**. This is a short operator walkthrough; normative
+contracts live in **`docs/engineering/architecture.md`** **`# US-0084`**,
+**`docs/engineering/release-targets.json`**, and **`docs/engineering/runtime-connectivity.md`**
+(**US-0064**).
+
+## Path A — WSL (local Linux on the Windows machine)
+
+1. Install/launch **WSL** and open a Linux shell in the repo (or clone the repo inside WSL).
+2. Ensure **Node.js** and **Python 3** are available on **PATH** (same as host runbook).
+3. Run **`npm pack`** / local **`its-magic`** or **`sh installer.sh --target <repo> --mode missing --create`** from the package root.
+4. Run **`python tests/installer_shell_bug0004_test.py`** and your stack’s **`TEST_COMMAND`** (from merged runbook / scratchpad).
+5. Evidence: set **environment label** **`WSL`** in QA handoffs; **`REMOTE_EXECUTION=0`** is typical (no **`.cursor/remote.json`** validation required).
+
+## Path B — SSH to a Linux host
+
+1. SSH into the Linux machine; clone or sync the repo there.
+2. Copy **`.env.example`** to **`.env`** and fill in values for `SSH_HOST`,
+   `SSH_USER`, `SSH_PRIVATE_KEY`, and any other relevant `REMOTE_*` vars.
+   Source the file (`source .env` or equivalent) before running remote ops.
+   See **`docs/engineering/runbook.md`** § Operator `.env` setup.
+3. Run the same **`sh`/`dash`** installer and **`python`** tests as on native Linux.
+4. For **release/QA connectivity** semantics, align with **`ssh-server`** in
+   **`docs/engineering/release-targets.json`** (`hostEnv`, `userEnv`, `authEnv`, …).
+5. For **Cursor/dev remote** validation, set **`REMOTE_EXECUTION=1`** and
+   **`REMOTE_CONFIG=.cursor/remote.json`** on the merged scratchpad; run
+   **`python scripts/remote_config_summary.py`** — stdout must list **names only**
+   (no keys/passwords).
+6. Evidence: cite **`ssh:<hostEnv>`** (the **env var name**, not the host value) plus
+   **environment label**; never paste private key material.
+
+## Path C — Docker-over-SSH
+
+1. Follow **Path B** on the SSH host (including **`.env`** setup from
+   **`.env.example`**); enable **`dockerOverSsh`** patterns per
+   **`runtime-connectivity.md`** (**`dockerHostEnv`**, **`dockerContextEnv`**, **`composeFile`**, **`service`**).
+2. Ensure **`DOCKER_HOST`** and **`DOCKER_CONTEXT`** are set in your **`.env`**;
+   source before running Docker commands. Document **env names** only in handoffs.
+
+## Related
+
+- **`tests/run-tests.sh`** / **`tests/run-tests.ps1`** — **H1–H5** (**US-0084** / AC-10).
+- **`python scripts/guard_installer_publish.py`** — publish-time LF + POSIX guard.

package/template/scripts/guard_installer_publish.py

@@ -0,0 +1,88 @@
+#!/usr/bin/env python3
+"""Prepublish / CI guard: installer.sh LF + POSIX-safe startup tokens (US-0084 / AC-2).
+
+BUG-0008: reject CR bytes in installer-owned-paths.manifest (CRLF breaks POSIX awk section match).
+"""
+
+from __future__ import annotations
+
+import shutil
+import subprocess
+import sys
+from pathlib import Path
+
+ROOT = Path(__file__).resolve().parents[1]
+INSTALLER_SH = ROOT / "installer.sh"
+INSTALLER_MANIFESTS = (
+    ROOT / "docs" / "engineering" / "context" / "installer-owned-paths.manifest",
+    ROOT / "template" / "docs" / "engineering" / "context" / "installer-owned-paths.manifest",
+)
+
+FORBIDDEN_TOKENS = (
+    "set -euo",
+    "set -o pipefail",
+    "set -eu -o pipefail",
+    "set -o errexit",
+    "set -o nounset",
+)
+
+
+def main() -> int:
+    if not INSTALLER_SH.is_file():
+        print("guard_installer_publish: installer.sh missing", file=sys.stderr)
+        return 1
+    data = INSTALLER_SH.read_bytes()
+    if b"\r" in data:
+        print(
+            "guard_installer_publish: CR/LF (\\r) bytes found in installer.sh — "
+            "use LF only; see docs/engineering/runbook.md (US-0084).",
+            file=sys.stderr,
+        )
+        return 1
+    for man in INSTALLER_MANIFESTS:
+        if not man.is_file():
+            continue
+        mdata = man.read_bytes()
+        if b"\r" in mdata:
+            print(
+                f"guard_installer_publish: CR/LF (\\r) bytes found in {man.relative_to(ROOT)} — "
+                "use LF only (.gitattributes *.manifest; BUG-0008).",
+                file=sys.stderr,
+            )
+            return 1
+    text = data.decode("utf-8", errors="replace")
+    for token in FORBIDDEN_TOKENS:
+        if token in text:
+            print(
+                f"guard_installer_publish: forbidden startup token {token!r} in installer.sh",
+                file=sys.stderr,
+            )
+            return 1
+    dash = shutil.which("dash")
+    if dash:
+        r = subprocess.run(
+            [dash, "-n", str(INSTALLER_SH)],
+            cwd=ROOT,
+            capture_output=True,
+            text=True,
+            encoding="utf-8",
+            errors="replace",
+        )
+        if r.returncode != 0:
+            print(
+                "guard_installer_publish: dash -n installer.sh failed:\n"
+                + (r.stderr or r.stdout or ""),
+                file=sys.stderr,
+            )
+            return 1
+    else:
+        print(
+            "guard_installer_publish: dash not on PATH; skipping dash -n "
+            "(Python CRLF + token checks still enforced).",
+            file=sys.stderr,
+        )
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

package/template/scripts/remote_config_summary.py

@@ -0,0 +1,243 @@
+#!/usr/bin/env python3
+"""
+Summarize .cursor/remote.json for operators (US-0084 / US-0064 alignment).
+
+Stdout: non-secret labels and env-reference names only (no key material).
+Stderr: errors and skip reasons.
+
+Exit codes:
+  0 OK or REMOTE_EXECUTION=0 skip (DEC-0070)
+  1 usage / CLI error
+  2 config missing or unreadable
+  3 invalid JSON
+  4 schema / contract mismatch vs runbook remote.json contract
+  5 reserved (unused; DEC-0070 maps REMOTE_EXECUTION=0 to 0)
+"""
+
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import re
+import sys
+from pathlib import Path
+from typing import Any
+
+ENV_VAR_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")
+ALLOWED_TYPES = frozenset({"docker", "ssh", "vm"})
+AUTH_MODES = frozenset({"none", "env"})
+
+
+def _truthy_remote_execution(raw: str | None) -> bool:
+    if raw is None:
+        return False
+    return raw.strip() in {"1", "true", "TRUE", "yes", "YES", "on", "ON"}
+
+
+def _parse_args(argv: list[str]) -> tuple[argparse.Namespace, list[str]]:
+    p = argparse.ArgumentParser(description=__doc__.split("\n\n")[0], add_help=True)
+    p.add_argument(
+        "--config",
+        default=None,
+        help="Path to remote JSON (default: REMOTE_CONFIG env or .cursor/remote.json)",
+    )
+    return p.parse_known_args(argv)
+
+
+def _config_path(explicit: str | None) -> Path:
+    if explicit:
+        return Path(explicit).expanduser()
+    env = os.environ.get("REMOTE_CONFIG")
+    if env:
+        return Path(env).expanduser()
+    return Path(".cursor/remote.json")
+
+
+def _validate_env_ref(name: str, value: Any, prefix: str) -> str | None:
+    if not isinstance(value, str):
+        return f"{prefix}: {name} must be a string env-reference name"
+    if not ENV_VAR_NAME.match(value):
+        return f"{prefix}: {name} must look like an env var name (A-Z_0-9)"
+    return None
+
+
+def validate_and_summarize(path: Path, data: dict[str, Any]) -> tuple[list[str], list[str]]:
+    """Return (stdout_lines, error_messages)."""
+    errs: list[str] = []
+    out: list[str] = []
+    out.append(f"remote_config={path.as_posix()}")
+
+    if not isinstance(data.get("version"), int):
+        errs.append("[REMOTE_CONFIG_ERROR] root.version: expected integer")
+    if not isinstance(data.get("defaultTarget"), str) or not data["defaultTarget"]:
+        errs.append("[REMOTE_CONFIG_ERROR] root.defaultTarget: expected non-empty string")
+    targets = data.get("targets")
+    if not isinstance(targets, list) or not targets:
+        errs.append("[REMOTE_CONFIG_ERROR] root.targets: expected non-empty array")
+
+    if errs:
+        return out, errs
+
+    by_id: dict[str, dict[str, Any]] = {}
+    for i, t in enumerate(targets):
+        prefix = f"targets[{i}]"
+        if not isinstance(t, dict):
+            errs.append(f"[REMOTE_CONFIG_ERROR] {prefix}: expected object")
+            continue
+        tid = t.get("id")
+        if not isinstance(tid, str) or not tid:
+            errs.append(f"[REMOTE_CONFIG_ERROR] {prefix}.id: expected non-empty string")
+        ttype = t.get("type")
+        if ttype not in ALLOWED_TYPES:
+            errs.append(
+                f"[REMOTE_CONFIG_ERROR] {prefix}.type: expected one of {sorted(ALLOWED_TYPES)}"
+            )
+        if not isinstance(t.get("enabled"), bool):
+            errs.append(f"[REMOTE_CONFIG_ERROR] {prefix}.enabled: expected boolean")
+        if not isinstance(t.get("host"), str) or not t["host"]:
+            errs.append(f"[REMOTE_CONFIG_ERROR] {prefix}.host: expected non-empty string")
+        port = t.get("port")
+        if not isinstance(port, int) or not (1 <= port <= 65535):
+            errs.append(f"[REMOTE_CONFIG_ERROR] {prefix}.port: expected integer 1..65535")
+        if not isinstance(t.get("workspaceRoot"), str) or not t["workspaceRoot"]:
+            errs.append(
+                f"[REMOTE_CONFIG_ERROR] {prefix}.workspaceRoot: expected non-empty string"
+            )
+        auth = t.get("auth")
+        if auth is not None:
+            if not isinstance(auth, dict):
+                errs.append(f"[REMOTE_CONFIG_ERROR] {prefix}.auth: expected object")
+            else:
+                mode = auth.get("mode")
+                if mode not in AUTH_MODES:
+                    errs.append(
+                        f"[REMOTE_CONFIG_ERROR] {prefix}.auth.mode: expected one of {sorted(AUTH_MODES)}"
+                    )
+                elif mode == "env":
+                    env_keys = (
+                        "tokenEnv",
+                        "passwordEnv",
+                        "privateKeyPathEnv",
+                        "usernameEnv",
+                    )
+                    any_ref = False
+                    for k in env_keys:
+                        if k not in auth:
+                            continue
+                        any_ref = True
+                        err = _validate_env_ref(k, auth[k], f"{prefix}.auth")
+                        if err:
+                            errs.append(f"[REMOTE_CONFIG_ERROR] {err}")
+                    if not any_ref:
+                        errs.append(
+                            f"[REMOTE_CONFIG_ERROR] {prefix}.auth: mode=env requires at least one *Env field"
+                        )
+        if isinstance(tid, str) and tid:
+            by_id[tid] = t
+
+    default = data["defaultTarget"]
+    if default not in by_id:
+        errs.append(
+            f"[REMOTE_CONFIG_ERROR] defaultTarget={default!r} not found in targets[].id"
+        )
+    elif not by_id[default].get("enabled"):
+        errs.append(
+            f"[REMOTE_CONFIG_ERROR] defaultTarget={default!r} must reference an enabled target"
+        )
+
+    if errs:
+        return out, errs
+
+    out.append(f"defaultTarget={data['defaultTarget']}")
+    for t in targets:
+        assert isinstance(t, dict)
+        tid = t["id"]
+        parts = [
+            f"id={tid}",
+            f"type={t['type']}",
+            f"enabled={t['enabled']!s}",
+            f"host={t['host']}",
+            f"port={t['port']}",
+            f"workspaceRoot={t['workspaceRoot']}",
+        ]
+        auth = t.get("auth")
+        if isinstance(auth, dict):
+            parts.append(f"auth.mode={auth.get('mode')}")
+            for k in (
+                "tokenEnv",
+                "passwordEnv",
+                "privateKeyPathEnv",
+                "usernameEnv",
+            ):
+                if k in auth and isinstance(auth[k], str):
+                    parts.append(f"auth.{k}={auth[k]}")
+        out.append("target:" + " ".join(parts))
+
+    return out, []
+
+
+def main(argv: list[str] | None = None) -> int:
+    args, rest = _parse_args(argv or sys.argv[1:])
+    if rest:
+        print(
+            f"[REMOTE_CONFIG_SUMMARY] unknown arguments: {' '.join(rest)}",
+            file=sys.stderr,
+        )
+        return 1
+    if not _truthy_remote_execution(os.environ.get("REMOTE_EXECUTION")):
+        print(
+            "[REMOTE_CONFIG_SUMMARY] REMOTE_EXECUTION!=1: skip validation/summary "
+            "(zero overhead; DEC-0070 / US-0084).",
+            file=sys.stderr,
+        )
+        return 0
+
+    path = _config_path(args.config)
+    if not path.is_file():
+        print(
+            f"[REMOTE_CONFIG_ERROR] {path}: file missing or unreadable. "
+            "Fix: create config or set REMOTE_EXECUTION=0.",
+            file=sys.stderr,
+        )
+        return 2
+    try:
+        raw = path.read_text(encoding="utf-8")
+    except OSError as e:
+        print(
+            f"[REMOTE_CONFIG_ERROR] {path}: read failed ({e}). Fix: permissions/path.",
+            file=sys.stderr,
+        )
+        return 2
+    try:
+        data = json.loads(raw)
+    except json.JSONDecodeError as e:
+        print(
+            f"[REMOTE_CONFIG_ERROR] {path}: invalid JSON ({e}). Fix: syntax.",
+            file=sys.stderr,
+        )
+        return 3
+    if not isinstance(data, dict):
+        print(
+            f"[REMOTE_CONFIG_ERROR] {path}: expected JSON object at root.",
+            file=sys.stderr,
+        )
+        return 4
+
+    lines, errs = validate_and_summarize(path, data)
+    if errs:
+        for line in errs:
+            print(line, file=sys.stderr)
+        print(
+            f"[REMOTE_CONFIG_ERROR] {path}: contract check failed. "
+            "Fix: align with docs/engineering/runbook.md remote contract (US-0084).",
+            file=sys.stderr,
+        )
+        return 4
+    for line in lines:
+        print(line)
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())