lastlight 0.1.15 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +265 -118
- package/agent-context/rules.md +62 -9
- package/agent-context/security.md +69 -0
- package/config/default.yaml +89 -0
- package/deploy/.env.production.example +20 -2
- package/deploy/entrypoint.sh +16 -17
- package/deploy/native/README.md +160 -0
- package/deploy/native/install.sh +110 -0
- package/deploy/native/lastlight.env.example +95 -0
- package/deploy/native/lastlight.service +50 -0
- package/deploy/sandbox-entrypoint.sh +59 -42
- package/dist/admin/auth.d.ts +1 -1
- package/dist/admin/auth.js +3 -1
- package/dist/admin/auth.js.map +1 -1
- package/dist/admin/chat-session-reader.d.ts +11 -14
- package/dist/admin/chat-session-reader.js +27 -51
- package/dist/admin/chat-session-reader.js.map +1 -1
- package/dist/admin/docker.d.ts +37 -0
- package/dist/admin/docker.js +86 -1
- package/dist/admin/docker.js.map +1 -1
- package/dist/admin/index.js +38 -3
- package/dist/admin/index.js.map +1 -1
- package/dist/admin/log-search.test.d.ts +1 -0
- package/dist/admin/log-search.test.js +78 -0
- package/dist/admin/log-search.test.js.map +1 -0
- package/dist/admin/routes.d.ts +52 -3
- package/dist/admin/routes.js +780 -63
- package/dist/admin/routes.js.map +1 -1
- package/dist/admin/routes.test.js +680 -14
- package/dist/admin/routes.test.js.map +1 -1
- package/dist/admin/server-logs.test.d.ts +1 -0
- package/dist/admin/server-logs.test.js +58 -0
- package/dist/admin/server-logs.test.js.map +1 -0
- package/dist/admin/sessions.d.ts +26 -39
- package/dist/admin/sessions.js +86 -310
- package/dist/admin/sessions.js.map +1 -1
- package/dist/admin/sessions.test.d.ts +1 -0
- package/dist/admin/sessions.test.js +78 -0
- package/dist/admin/sessions.test.js.map +1 -0
- package/dist/admin/version.d.ts +15 -0
- package/dist/admin/version.js +73 -0
- package/dist/admin/version.js.map +1 -0
- package/dist/admin/version.test.d.ts +1 -0
- package/dist/admin/version.test.js +71 -0
- package/dist/admin/version.test.js.map +1 -0
- package/dist/cli-config.d.ts +55 -0
- package/dist/cli-config.js +119 -0
- package/dist/cli-config.js.map +1 -0
- package/dist/cli-config.test.d.ts +1 -0
- package/dist/cli-config.test.js +92 -0
- package/dist/cli-config.test.js.map +1 -0
- package/dist/cli-format.d.ts +19 -0
- package/dist/cli-format.js +107 -0
- package/dist/cli-format.js.map +1 -0
- package/dist/cli-server.d.ts +73 -0
- package/dist/cli-server.js +347 -0
- package/dist/cli-server.js.map +1 -0
- package/dist/cli-server.test.d.ts +1 -0
- package/dist/cli-server.test.js +38 -0
- package/dist/cli-server.test.js.map +1 -0
- package/dist/cli-timeline.d.ts +35 -0
- package/dist/cli-timeline.js +373 -0
- package/dist/cli-timeline.js.map +1 -0
- package/dist/cli-timeline.test.d.ts +1 -0
- package/dist/cli-timeline.test.js +104 -0
- package/dist/cli-timeline.test.js.map +1 -0
- package/dist/cli.d.ts +0 -19
- package/dist/cli.js +910 -194
- package/dist/cli.js.map +1 -1
- package/dist/config-overlay.test.d.ts +1 -0
- package/dist/config-overlay.test.js +112 -0
- package/dist/config-overlay.test.js.map +1 -0
- package/dist/config-resolve.d.ts +28 -0
- package/dist/config-resolve.js +47 -0
- package/dist/config-resolve.js.map +1 -0
- package/dist/config-resolve.test.d.ts +1 -0
- package/dist/config-resolve.test.js +68 -0
- package/dist/config-resolve.test.js.map +1 -0
- package/dist/config.d.ts +62 -49
- package/dist/config.js +452 -76
- package/dist/config.js.map +1 -1
- package/dist/config.test.js +201 -32
- package/dist/config.test.js.map +1 -1
- package/dist/connectors/github-webhook.js +83 -5
- package/dist/connectors/github-webhook.js.map +1 -1
- package/dist/connectors/github-webhook.test.d.ts +1 -0
- package/dist/connectors/github-webhook.test.js +156 -0
- package/dist/connectors/github-webhook.test.js.map +1 -0
- package/dist/connectors/messaging/session-manager.d.ts +18 -0
- package/dist/connectors/messaging/session-manager.js +83 -2
- package/dist/connectors/messaging/session-manager.js.map +1 -1
- package/dist/connectors/messaging/session-manager.test.d.ts +1 -0
- package/dist/connectors/messaging/session-manager.test.js +144 -0
- package/dist/connectors/messaging/session-manager.test.js.map +1 -0
- package/dist/connectors/slack/connector.d.ts +9 -0
- package/dist/connectors/slack/connector.js +15 -0
- package/dist/connectors/slack/connector.js.map +1 -1
- package/dist/connectors/slack/mrkdwn.js +81 -0
- package/dist/connectors/slack/mrkdwn.js.map +1 -1
- package/dist/connectors/slack/mrkdwn.test.js +49 -0
- package/dist/connectors/slack/mrkdwn.test.js.map +1 -1
- package/dist/connectors/types.d.ts +1 -1
- package/dist/cron/fanout.d.ts +33 -0
- package/dist/cron/fanout.js +55 -0
- package/dist/cron/fanout.js.map +1 -0
- package/dist/cron/fanout.test.d.ts +1 -0
- package/dist/cron/fanout.test.js +73 -0
- package/dist/cron/fanout.test.js.map +1 -0
- package/dist/cron/jobs.d.ts +5 -0
- package/dist/cron/jobs.js +10 -3
- package/dist/cron/jobs.js.map +1 -1
- package/dist/cron/scheduler.d.ts +12 -0
- package/dist/cron/scheduler.js +27 -1
- package/dist/cron/scheduler.js.map +1 -1
- package/dist/engine/agent-executor.d.ts +158 -0
- package/dist/engine/agent-executor.js +1140 -0
- package/dist/engine/agent-executor.js.map +1 -0
- package/dist/engine/agent-executor.test.d.ts +1 -0
- package/dist/engine/agent-executor.test.js +395 -0
- package/dist/engine/agent-executor.test.js.map +1 -0
- package/dist/engine/chat-runner.d.ts +123 -0
- package/dist/engine/chat-runner.js +379 -0
- package/dist/engine/chat-runner.js.map +1 -0
- package/dist/engine/chat-runner.test.d.ts +1 -0
- package/dist/engine/chat-runner.test.js +104 -0
- package/dist/engine/chat-runner.test.js.map +1 -0
- package/dist/engine/chat-skills.d.ts +45 -0
- package/dist/engine/chat-skills.js +184 -0
- package/dist/engine/chat-skills.js.map +1 -0
- package/dist/engine/chat-skills.test.d.ts +1 -0
- package/dist/engine/chat-skills.test.js +20 -0
- package/dist/engine/chat-skills.test.js.map +1 -0
- package/dist/engine/chat.d.ts +20 -23
- package/dist/engine/chat.js +251 -155
- package/dist/engine/chat.js.map +1 -1
- package/dist/engine/chat.test.d.ts +1 -0
- package/dist/engine/chat.test.js +42 -0
- package/dist/engine/chat.test.js.map +1 -0
- package/dist/engine/classifier.d.ts +35 -2
- package/dist/engine/classifier.js +170 -31
- package/dist/engine/classifier.js.map +1 -1
- package/dist/engine/classifier.test.d.ts +1 -0
- package/dist/engine/classifier.test.js +115 -0
- package/dist/engine/classifier.test.js.map +1 -0
- package/dist/engine/dispatcher.d.ts +60 -0
- package/dist/engine/dispatcher.js +601 -0
- package/dist/engine/dispatcher.js.map +1 -0
- package/dist/engine/dispatcher.test.d.ts +1 -0
- package/dist/engine/dispatcher.test.js +511 -0
- package/dist/engine/dispatcher.test.js.map +1 -0
- package/dist/engine/event-shim.d.ts +117 -0
- package/dist/engine/event-shim.js +435 -0
- package/dist/engine/event-shim.js.map +1 -0
- package/dist/engine/event-shim.test.d.ts +1 -0
- package/dist/engine/event-shim.test.js +194 -0
- package/dist/engine/event-shim.test.js.map +1 -0
- package/dist/engine/git-auth.d.ts +13 -17
- package/dist/engine/git-auth.js +99 -42
- package/dist/engine/git-auth.js.map +1 -1
- package/dist/engine/git-auth.test.d.ts +1 -0
- package/dist/engine/git-auth.test.js +117 -0
- package/dist/engine/git-auth.test.js.map +1 -0
- package/dist/engine/github-app-client.d.ts +7 -0
- package/dist/engine/github-app-client.js +16 -0
- package/dist/engine/github-app-client.js.map +1 -0
- package/dist/engine/github-app-client.test.d.ts +1 -0
- package/dist/engine/github-app-client.test.js +44 -0
- package/dist/engine/github-app-client.test.js.map +1 -0
- package/dist/engine/github-tools.d.ts +12 -0
- package/dist/engine/github-tools.js +261 -0
- package/dist/engine/github-tools.js.map +1 -0
- package/dist/engine/github.d.ts +1027 -43
- package/dist/engine/github.js +153 -14
- package/dist/engine/github.js.map +1 -1
- package/dist/engine/llm.d.ts +47 -0
- package/dist/engine/llm.js +221 -0
- package/dist/engine/llm.js.map +1 -0
- package/dist/engine/llm.test.d.ts +1 -0
- package/dist/engine/llm.test.js +189 -0
- package/dist/engine/llm.test.js.map +1 -0
- package/dist/engine/profiles.d.ts +249 -0
- package/dist/engine/profiles.js +42 -0
- package/dist/engine/profiles.js.map +1 -0
- package/dist/engine/router.d.ts +12 -6
- package/dist/engine/router.js +339 -81
- package/dist/engine/router.js.map +1 -1
- package/dist/engine/router.test.js +428 -78
- package/dist/engine/router.test.js.map +1 -1
- package/dist/engine/screen.d.ts +41 -0
- package/dist/engine/screen.js +93 -0
- package/dist/engine/screen.js.map +1 -0
- package/dist/engine/screen.test.d.ts +1 -0
- package/dist/engine/screen.test.js +82 -0
- package/dist/engine/screen.test.js.map +1 -0
- package/dist/index.js +377 -432
- package/dist/index.js.map +1 -1
- package/dist/managed-repos.d.ts +7 -9
- package/dist/managed-repos.js +12 -15
- package/dist/managed-repos.js.map +1 -1
- package/dist/managed-repos.test.js +24 -19
- package/dist/managed-repos.test.js.map +1 -1
- package/dist/notify/index.d.ts +15 -0
- package/dist/notify/index.js +6 -0
- package/dist/notify/index.js.map +1 -0
- package/dist/notify/model.d.ts +57 -0
- package/dist/notify/model.js +89 -0
- package/dist/notify/model.js.map +1 -0
- package/dist/notify/model.test.d.ts +1 -0
- package/dist/notify/model.test.js +109 -0
- package/dist/notify/model.test.js.map +1 -0
- package/dist/notify/notifier.d.ts +17 -0
- package/dist/notify/notifier.js +87 -0
- package/dist/notify/notifier.js.map +1 -0
- package/dist/notify/notifier.test.d.ts +1 -0
- package/dist/notify/notifier.test.js +100 -0
- package/dist/notify/notifier.test.js.map +1 -0
- package/dist/notify/render.d.ts +21 -0
- package/dist/notify/render.js +59 -0
- package/dist/notify/render.js.map +1 -0
- package/dist/notify/render.test.d.ts +1 -0
- package/dist/notify/render.test.js +65 -0
- package/dist/notify/render.test.js.map +1 -0
- package/dist/notify/transports/github.d.ts +26 -0
- package/dist/notify/transports/github.js +26 -0
- package/dist/notify/transports/github.js.map +1 -0
- package/dist/notify/transports/slack.d.ts +26 -0
- package/dist/notify/transports/slack.js +28 -0
- package/dist/notify/transports/slack.js.map +1 -0
- package/dist/notify/transports.test.d.ts +1 -0
- package/dist/notify/transports.test.js +71 -0
- package/dist/notify/transports.test.js.map +1 -0
- package/dist/notify/types.d.ts +95 -0
- package/dist/notify/types.js +16 -0
- package/dist/notify/types.js.map +1 -0
- package/dist/sandbox/docker-compose.test.d.ts +1 -0
- package/dist/sandbox/docker-compose.test.js +128 -0
- package/dist/sandbox/docker-compose.test.js.map +1 -0
- package/dist/sandbox/docker.d.ts +97 -9
- package/dist/sandbox/docker.js +192 -41
- package/dist/sandbox/docker.js.map +1 -1
- package/dist/sandbox/docker.test.d.ts +1 -0
- package/dist/sandbox/docker.test.js +137 -0
- package/dist/sandbox/docker.test.js.map +1 -0
- package/dist/sandbox/egress-allowlist.d.ts +69 -0
- package/dist/sandbox/egress-allowlist.js +164 -0
- package/dist/sandbox/egress-allowlist.js.map +1 -0
- package/dist/sandbox/egress-allowlist.test.d.ts +1 -0
- package/dist/sandbox/egress-allowlist.test.js +65 -0
- package/dist/sandbox/egress-allowlist.test.js.map +1 -0
- package/dist/sandbox/egress-firewall-config.d.ts +127 -0
- package/dist/sandbox/egress-firewall-config.js +434 -0
- package/dist/sandbox/egress-firewall-config.js.map +1 -0
- package/dist/sandbox/egress-firewall-config.test.d.ts +1 -0
- package/dist/sandbox/egress-firewall-config.test.js +244 -0
- package/dist/sandbox/egress-firewall-config.test.js.map +1 -0
- package/dist/sandbox/images.d.ts +23 -0
- package/dist/sandbox/images.js +55 -0
- package/dist/sandbox/images.js.map +1 -0
- package/dist/sandbox/index.d.ts +82 -3
- package/dist/sandbox/index.js +223 -93
- package/dist/sandbox/index.js.map +1 -1
- package/dist/sandbox/index.test.d.ts +1 -0
- package/dist/sandbox/index.test.js +157 -0
- package/dist/sandbox/index.test.js.map +1 -0
- package/dist/session-log.d.ts +63 -0
- package/dist/session-log.js +290 -0
- package/dist/session-log.js.map +1 -0
- package/dist/session-log.test.d.ts +1 -0
- package/dist/session-log.test.js +85 -0
- package/dist/session-log.test.js.map +1 -0
- package/dist/setup.d.ts +30 -1
- package/dist/setup.js +241 -25
- package/dist/setup.js.map +1 -1
- package/dist/setup.test.js +138 -6
- package/dist/setup.test.js.map +1 -1
- package/dist/state/approval-store.d.ts +86 -0
- package/dist/state/approval-store.js +140 -0
- package/dist/state/approval-store.js.map +1 -0
- package/dist/state/build-assets.d.ts +50 -0
- package/dist/state/build-assets.js +154 -0
- package/dist/state/build-assets.js.map +1 -0
- package/dist/state/build-assets.test.d.ts +1 -0
- package/dist/state/build-assets.test.js +106 -0
- package/dist/state/build-assets.test.js.map +1 -0
- package/dist/state/db.d.ts +65 -333
- package/dist/state/db.js +112 -835
- package/dist/state/db.js.map +1 -1
- package/dist/state/db.test.js +127 -91
- package/dist/state/db.test.js.map +1 -1
- package/dist/state/execution-store.d.ts +257 -0
- package/dist/state/execution-store.js +527 -0
- package/dist/state/execution-store.js.map +1 -0
- package/dist/state/migrate.d.ts +15 -0
- package/dist/state/migrate.js +175 -0
- package/dist/state/migrate.js.map +1 -0
- package/dist/state/workflow-run-store.d.ts +195 -0
- package/dist/state/workflow-run-store.js +363 -0
- package/dist/state/workflow-run-store.js.map +1 -0
- package/dist/state/workflow-run-store.test.d.ts +1 -0
- package/dist/state/workflow-run-store.test.js +264 -0
- package/dist/state/workflow-run-store.test.js.map +1 -0
- package/dist/telemetry/index.d.ts +38 -0
- package/dist/telemetry/index.js +253 -0
- package/dist/telemetry/index.js.map +1 -0
- package/dist/telemetry/index.test.d.ts +1 -0
- package/dist/telemetry/index.test.js +73 -0
- package/dist/telemetry/index.test.js.map +1 -0
- package/dist/telemetry/pi-events.d.ts +12 -0
- package/dist/telemetry/pi-events.js +134 -0
- package/dist/telemetry/pi-events.js.map +1 -0
- package/dist/telemetry/pi-events.test.d.ts +1 -0
- package/dist/telemetry/pi-events.test.js +69 -0
- package/dist/telemetry/pi-events.test.js.map +1 -0
- package/dist/workflows/dag.d.ts +13 -1
- package/dist/workflows/dag.js +7 -3
- package/dist/workflows/dag.js.map +1 -1
- package/dist/workflows/dag.test.js +22 -0
- package/dist/workflows/dag.test.js.map +1 -1
- package/dist/workflows/golden-build.test.d.ts +1 -0
- package/dist/workflows/golden-build.test.js +45 -0
- package/dist/workflows/golden-build.test.js.map +1 -0
- package/dist/workflows/loader-overlay.test.d.ts +1 -0
- package/dist/workflows/loader-overlay.test.js +101 -0
- package/dist/workflows/loader-overlay.test.js.map +1 -0
- package/dist/workflows/loader.d.ts +36 -11
- package/dist/workflows/loader.js +311 -87
- package/dist/workflows/loader.js.map +1 -1
- package/dist/workflows/loader.test.js +114 -10
- package/dist/workflows/loader.test.js.map +1 -1
- package/dist/workflows/loop-eval.js +2 -0
- package/dist/workflows/loop-eval.js.map +1 -1
- package/dist/workflows/loop-eval.test.js +14 -0
- package/dist/workflows/loop-eval.test.js.map +1 -1
- package/dist/workflows/phase-executor.d.ts +145 -0
- package/dist/workflows/phase-executor.js +691 -0
- package/dist/workflows/phase-executor.js.map +1 -0
- package/dist/workflows/phase-executor.test.d.ts +1 -0
- package/dist/workflows/phase-executor.test.js +434 -0
- package/dist/workflows/phase-executor.test.js.map +1 -0
- package/dist/workflows/phase-ref.d.ts +44 -0
- package/dist/workflows/phase-ref.js +78 -0
- package/dist/workflows/phase-ref.js.map +1 -0
- package/dist/workflows/phase-ref.test.d.ts +1 -0
- package/dist/workflows/phase-ref.test.js +24 -0
- package/dist/workflows/phase-ref.test.js.map +1 -0
- package/dist/workflows/resume.d.ts +5 -11
- package/dist/workflows/resume.js +88 -7
- package/dist/workflows/resume.js.map +1 -1
- package/dist/workflows/runner.d.ts +34 -27
- package/dist/workflows/runner.js +252 -930
- package/dist/workflows/runner.js.map +1 -1
- package/dist/workflows/runner.test.js +346 -35
- package/dist/workflows/runner.test.js.map +1 -1
- package/dist/workflows/schema.d.ts +52 -10
- package/dist/workflows/schema.js +147 -7
- package/dist/workflows/schema.js.map +1 -1
- package/dist/workflows/simple.d.ts +67 -3
- package/dist/workflows/simple.js +248 -87
- package/dist/workflows/simple.js.map +1 -1
- package/dist/workflows/simple.test.d.ts +1 -0
- package/dist/workflows/simple.test.js +107 -0
- package/dist/workflows/simple.test.js.map +1 -0
- package/dist/workflows/templates.d.ts +29 -0
- package/dist/workflows/templates.js +42 -4
- package/dist/workflows/templates.js.map +1 -1
- package/dist/workflows/templates.test.js +103 -0
- package/dist/workflows/templates.test.js.map +1 -1
- package/dist/workflows/triggers.d.ts +21 -0
- package/dist/workflows/triggers.js +44 -0
- package/dist/workflows/triggers.js.map +1 -0
- package/dist/workflows/verdict.d.ts +19 -0
- package/dist/workflows/verdict.js +30 -0
- package/dist/workflows/verdict.js.map +1 -0
- package/dist/workflows/verdict.test.d.ts +1 -0
- package/dist/workflows/verdict.test.js +44 -0
- package/dist/workflows/verdict.test.js.map +1 -0
- package/dist/worktree/manager.d.ts +1 -1
- package/dist/worktree/manager.js +14 -14
- package/dist/worktree/manager.js.map +1 -1
- package/dist/worktree/manager.test.d.ts +1 -0
- package/dist/worktree/manager.test.js +87 -0
- package/dist/worktree/manager.test.js.map +1 -0
- package/docker-compose.yml +206 -5
- package/package.json +19 -9
- package/sandbox.Dockerfile +97 -18
- package/skills/README.md +40 -0
- package/skills/browser-qa/SKILL.md +193 -0
- package/skills/browser-qa/scripts/agent-browser.mjs +380 -0
- package/skills/building/SKILL.md +95 -0
- package/skills/chat/SKILL.md +30 -11
- package/skills/code-review/SKILL.md +59 -0
- package/skills/debug-production/SKILL.md +108 -0
- package/skills/demo/SKILL.md +194 -0
- package/skills/demo/scripts/compose-demo.sh +205 -0
- package/skills/issue-answer/SKILL.md +90 -0
- package/skills/issue-comment/SKILL.md +38 -24
- package/skills/issue-triage/SKILL.md +103 -37
- package/skills/issue-triage/references/AGENT-BRIEF.md +61 -0
- package/skills/pr-comment/SKILL.md +64 -0
- package/skills/pr-review/SKILL.md +65 -49
- package/skills/qa-test/SKILL.md +97 -0
- package/skills/repo-health/SKILL.md +48 -45
- package/skills/security-feedback/SKILL.md +173 -0
- package/skills/security-feedback/references/templates.md +77 -0
- package/skills/security-review/SKILL.md +213 -0
- package/skills/security-review/references/issue-format.md +302 -0
- package/skills/verify/SKILL.md +118 -0
- package/workflows/answer.yaml +37 -0
- package/workflows/build.yaml +32 -22
- package/workflows/cron-security.yaml +6 -0
- package/workflows/demo.yaml +55 -0
- package/workflows/explore.yaml +9 -0
- package/workflows/pr-comment.yaml +16 -0
- package/workflows/pr-fix.yaml +3 -0
- package/workflows/pr-review.yaml +4 -1
- package/workflows/prompts/answer.md +67 -0
- package/workflows/prompts/architect.md +24 -7
- package/workflows/prompts/demo.md +100 -0
- package/workflows/prompts/executor.md +29 -20
- package/workflows/prompts/explore-ask.md +51 -22
- package/workflows/prompts/explore-publish.md +2 -2
- package/workflows/prompts/explore-read.md +24 -10
- package/workflows/prompts/explore-synthesize.md +15 -8
- package/workflows/prompts/fix.md +9 -10
- package/workflows/prompts/guardrails.md +26 -8
- package/workflows/prompts/pr-fix.md +6 -7
- package/workflows/prompts/pr.md +11 -10
- package/workflows/prompts/qa-browser.md +95 -0
- package/workflows/prompts/qa-synth.md +44 -0
- package/workflows/prompts/qa-test.md +60 -0
- package/workflows/prompts/re-reviewer.md +8 -9
- package/workflows/prompts/reviewer.md +10 -9
- package/workflows/prompts/verify-browser.md +93 -0
- package/workflows/prompts/verify-synth.md +44 -0
- package/workflows/prompts/verify.md +63 -0
- package/workflows/qa-test.yaml +87 -0
- package/workflows/security-feedback.yaml +25 -0
- package/workflows/security-review.yaml +29 -0
- package/workflows/verify.yaml +85 -0
- package/deploy/mcp-config.tmpl.json +0 -14
- package/dist/cron/rate-limits.d.ts +0 -26
- package/dist/cron/rate-limits.js +0 -193
- package/dist/cron/rate-limits.js.map +0 -1
- package/dist/engine/executor.d.ts +0 -75
- package/dist/engine/executor.js +0 -292
- package/dist/engine/executor.js.map +0 -1
- package/mcp-github-app/package.json +0 -18
- package/mcp-github-app/src/auth.js +0 -66
- package/mcp-github-app/src/github.js +0 -371
- package/mcp-github-app/src/index.js +0 -534
- package/skills/devops/webhook-subscriptions/SKILL.md +0 -180
- package/skills/github/DESCRIPTION.md +0 -3
- package/skills/github/codebase-inspection/SKILL.md +0 -115
- package/skills/github/github-auth/SKILL.md +0 -54
- package/skills/github/github-auth/scripts/gh-env.sh +0 -66
- package/skills/github/github-code-review/SKILL.md +0 -480
- package/skills/github/github-code-review/references/review-output-template.md +0 -74
- package/skills/github/github-issues/SKILL.md +0 -369
- package/skills/github/github-issues/templates/bug-report.md +0 -35
- package/skills/github/github-issues/templates/feature-request.md +0 -31
- package/skills/github/github-pr-workflow/SKILL.md +0 -395
- package/skills/github/github-pr-workflow/references/ci-troubleshooting.md +0 -183
- package/skills/github/github-pr-workflow/references/conventional-commits.md +0 -71
- package/skills/github/github-pr-workflow/templates/pr-body-bugfix.md +0 -35
- package/skills/github/github-pr-workflow/templates/pr-body-feature.md +0 -33
- package/skills/github/github-repo-management/SKILL.md +0 -515
- package/skills/github/github-repo-management/references/github-api-cheatsheet.md +0 -161
- package/skills/github-orchestrator/SKILL.md +0 -103
- package/skills/mcp/DESCRIPTION.md +0 -3
- package/skills/mcp/mcporter/SKILL.md +0 -122
- package/skills/mcp/native-mcp/SKILL.md +0 -356
- package/skills/software-development/architect/SKILL.md +0 -154
- package/skills/software-development/assure-guardrails/SKILL.md +0 -239
- package/skills/software-development/plan/SKILL.md +0 -64
- package/skills/software-development/requesting-code-review/SKILL.md +0 -291
- package/skills/software-development/subagent-driven-development/SKILL.md +0 -433
- package/skills/software-development/systematic-debugging/SKILL.md +0 -366
- package/skills/software-development/test-driven-development/SKILL.md +0 -342
|
@@ -0,0 +1,302 @@
|
|
|
1
|
+
# § Issue format
|
|
2
|
+
|
|
3
|
+
This is the **contract** between `security-review` (producer) and
|
|
4
|
+
`security-feedback` (consumer). Every rule here is machine-parsed; do not
|
|
5
|
+
deviate. `security-feedback` is staged into a separate workspace and cannot read
|
|
6
|
+
this file, so it keeps its own copy of the row/severity grammar — **if you change
|
|
7
|
+
the grammar here, update `skills/security-feedback/SKILL.md` in lockstep.**
|
|
8
|
+
|
|
9
|
+
## Title
|
|
10
|
+
|
|
11
|
+
```
|
|
12
|
+
Security scan — YYYY-MM-DD
|
|
13
|
+
```
|
|
14
|
+
|
|
15
|
+
- Exactly one em-dash (` — `, U+2014), surrounded by single spaces.
|
|
16
|
+
- Date is the scan's UTC date in ISO form.
|
|
17
|
+
- Same-day re-scans produce a second issue with the same title. GitHub disambiguates by issue number; the scanner never edits a prior-run issue.
|
|
18
|
+
|
|
19
|
+
## Body
|
|
20
|
+
|
|
21
|
+
The body is assembled from eight blocks, in this exact order, separated by blank lines:
|
|
22
|
+
|
|
23
|
+
```
|
|
24
|
+
{header comments}
|
|
25
|
+
|
|
26
|
+
{intro paragraph}
|
|
27
|
+
|
|
28
|
+
{how-to-respond section}
|
|
29
|
+
|
|
30
|
+
{summary table}
|
|
31
|
+
|
|
32
|
+
{suppression note}
|
|
33
|
+
|
|
34
|
+
{scope note}
|
|
35
|
+
|
|
36
|
+
{overflow note — omitted when overflow == 0}
|
|
37
|
+
|
|
38
|
+
{findings sections}
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
### Block 1 — header comments
|
|
42
|
+
|
|
43
|
+
Three HTML comments, each on its own line, in this exact order:
|
|
44
|
+
|
|
45
|
+
```
|
|
46
|
+
<!-- lastlight-security-scan-version: 1 -->
|
|
47
|
+
<!-- lastlight-security-scan-date: YYYY-MM-DD -->
|
|
48
|
+
<!-- lastlight-security-scan-ts: YYYY-MM-DDTHH:MM:SSZ -->
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
- `version` is a format version. Bump if the structure changes incompatibly — `security-feedback` will check this and refuse to parse unknown versions.
|
|
52
|
+
- `date` matches the title.
|
|
53
|
+
- `ts` is an ISO-8601 UTC timestamp with second precision (no milliseconds).
|
|
54
|
+
|
|
55
|
+
### Block 2 — intro paragraph
|
|
56
|
+
|
|
57
|
+
Exactly one paragraph, with the commit count and short-SHA range substituted:
|
|
58
|
+
|
|
59
|
+
```
|
|
60
|
+
Reviewing {N} commits since {priorScanDate} ({firstShortSha}..{lastShortSha}). Findings here focus on SDLC and workflow changes — Dependabot, GitHub Code Scanning, and Renovate handle the rest. Tick the box once the underlying issue is resolved or recorded in `SECURITY.md`.
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
`{N}` is the size of `commitsReviewed`. `{priorScanDate}` is the YYYY-MM-DD of the prior scan (or the bootstrap floor). When `N == 1`, both short SHAs are the same — render as `({onlyShortSha})` rather than `({sha}..{sha})`.
|
|
64
|
+
|
|
65
|
+
### Block 3 — how-to-respond section
|
|
66
|
+
|
|
67
|
+
Verbatim, including the heading:
|
|
68
|
+
|
|
69
|
+
```
|
|
70
|
+
## How to respond
|
|
71
|
+
|
|
72
|
+
**Preferred flow** — tick the boxes on the findings you want broken out, then comment:
|
|
73
|
+
|
|
74
|
+
- `@last-light create issues` — files one issue per **ticked** finding (default)
|
|
75
|
+
|
|
76
|
+
**Other shortcuts:**
|
|
77
|
+
|
|
78
|
+
- `@last-light create issues for the criticals` — every Critical finding (ticked or not)
|
|
79
|
+
- `@last-light create issues for the highs` — same, for High
|
|
80
|
+
- `@last-light create issues for items 1, 3, 5` — specific items by number (1-based, top to bottom)
|
|
81
|
+
- `@last-light create issues for all` — every finding in this scan
|
|
82
|
+
- `@last-light accept-risk for item N: <reason>` — suppress this finding in future scans
|
|
83
|
+
- `@last-light false-positive for item N: <reason>` — suppress this finding in future scans
|
|
84
|
+
- Comment freely to ask questions or discuss
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
(Item positions in commands map to the `item:N` HTML-comment markers defined below. Ticking a box in GitHub's UI rewrites the row from `[ ]` to `[x]` — the feedback skill treats that as your selection.)
|
|
88
|
+
|
|
89
|
+
### Block 4 — summary table
|
|
90
|
+
|
|
91
|
+
Verbatim header, with numbers substituted. Always include all four severity rows, even when the count is 0.
|
|
92
|
+
|
|
93
|
+
`{nC}`, `{nH}`, `{nM}`, `{nL}` and `{nTotal}` are **TRUE counts** (post-filtering, pre-cap) — i.e. how many findings of each severity actually survived the SECURITY.md filtering, regardless of whether each individual row is listed below the cap. The same numbers appear in the `### 🔴 Critical ({nC})` etc. section headers. The overflow note (Block 6) communicates how many of those counts were truncated from the listed rows.
|
|
94
|
+
|
|
95
|
+
```
|
|
96
|
+
## Summary
|
|
97
|
+
|
|
98
|
+
| Severity | Count |
|
|
99
|
+
|----------|------:|
|
|
100
|
+
| Critical | {nC} |
|
|
101
|
+
| High | {nH} |
|
|
102
|
+
| Medium | {nM} |
|
|
103
|
+
| Low | {nL} |
|
|
104
|
+
| **Total**| **{nTotal}** |
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
### Block 5 — suppression note
|
|
108
|
+
|
|
109
|
+
A single line:
|
|
110
|
+
|
|
111
|
+
```
|
|
112
|
+
Suppressed by `SECURITY.md`: {nSuppressed} (accepted: {nA}, false-positives: {nFP}). Below severity floor: {nFloor}.
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
Set each count to 0 when N/A. Emit the line unconditionally so the structure is stable.
|
|
116
|
+
|
|
117
|
+
### Block 6 — scope note
|
|
118
|
+
|
|
119
|
+
Always emit, immediately after the suppression note. Lists the human (non-bot) commits actually reviewed, so a maintainer can see what diff produced these findings:
|
|
120
|
+
|
|
121
|
+
```
|
|
122
|
+
> Commits reviewed: {short-sha-1} {subject-1}, {short-sha-2} {subject-2}, …
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
Cap at 10 entries; if there are more, append ` +{N} more` after the last item. Subjects are truncated to 60 chars with `…` if longer. Renovate/Dependabot commits are filtered out at § 1.5 and never appear here.
|
|
126
|
+
|
|
127
|
+
### Block 7 — overflow note
|
|
128
|
+
|
|
129
|
+
Emit **only** when `overflow > 0`:
|
|
130
|
+
|
|
131
|
+
```
|
|
132
|
+
> **Note** — {overflow} lower-severity findings are not listed here. The cap is: ALL critical and high, plus the first 10 medium/low (after sort). Tighten `SECURITY.md` severity floors or break out items from this scan, then re-run to surface the rest.
|
|
133
|
+
```
|
|
134
|
+
|
|
135
|
+
### Block 8 — findings sections
|
|
136
|
+
|
|
137
|
+
Four sections, in this **exact order** (Critical → High → Medium → Low). Always emit all four headers, even when a section has zero findings — the feedback skill relies on stable anchors.
|
|
138
|
+
|
|
139
|
+
The header counts (`{nC}` etc.) are the **true** post-filter counts, identical to those in Block 4's summary table. The rows listed under each header are subject to the § 7 cap: critical and high are always complete; medium + low are truncated to the first 10 combined. When a section is partially listed, append `(showing first N of {nM})` after the marker — see the per-section header rule below.
|
|
140
|
+
|
|
141
|
+
```
|
|
142
|
+
## Findings
|
|
143
|
+
|
|
144
|
+
### 🔴 Critical ({nC})
|
|
145
|
+
|
|
146
|
+
{rows or "_No findings._"}
|
|
147
|
+
|
|
148
|
+
### 🟠 High ({nH})
|
|
149
|
+
|
|
150
|
+
{rows or "_No findings._"}
|
|
151
|
+
|
|
152
|
+
### 🟡 Medium ({nM}){if truncated: " (showing first {kM} of {nM})"}
|
|
153
|
+
|
|
154
|
+
{rows or "_No findings._"}
|
|
155
|
+
|
|
156
|
+
### 🟢 Low ({nL}){if truncated: " (showing first {kL} of {nL})"}
|
|
157
|
+
|
|
158
|
+
{rows or "_No findings._"}
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
Where `kM` and `kL` are the actual rows listed in this issue (sum of the two ≤ 10). When `kM == nM` or `kL == nL` (no truncation in that section), omit the parenthetical.
|
|
162
|
+
|
|
163
|
+
### Finding-row grammar
|
|
164
|
+
|
|
165
|
+
Every finding is exactly two lines: a task-list row, then a `<details>` block (one blank line between rows within a section).
|
|
166
|
+
|
|
167
|
+
The task-list row is **one physical line** with this exact shape:
|
|
168
|
+
|
|
169
|
+
```
|
|
170
|
+
- [ ] <!-- item:N fp:FINGERPRINT --> **TITLE** — `FILE:LINE` (TOOL · `RULE`)
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
Matched by this canonical regex (multiline, case-sensitive) — covers all three row states:
|
|
174
|
+
|
|
175
|
+
```
|
|
176
|
+
/^- \[([ x])\] <!-- item:(\d+) fp:([0-9a-f]{8,}) --> (?:~~)?\*\*(.+?)\*\* — `([^`]+):(\d+)` \(([a-z][a-z0-9-]*) · `([^`]+)`\)(?:~~ → #(\d+))?$/m
|
|
177
|
+
```
|
|
178
|
+
|
|
179
|
+
Capture groups, in order:
|
|
180
|
+
|
|
181
|
+
1. `checkbox` — `" "` (unticked) or `"x"` (ticked or broken-out)
|
|
182
|
+
2. `itemNumber` (1-based across all severities)
|
|
183
|
+
3. `fingerprint` (lowercase hex, ≥ 8 chars)
|
|
184
|
+
4. `title` (plain text; no backticks, no asterisks)
|
|
185
|
+
5. `file` (no backticks, forward-slash path)
|
|
186
|
+
6. `line` (integer; use `0` when not line-scoped)
|
|
187
|
+
7. `tool` (lowercase, hyphenated — e.g. `npm-audit`, `semgrep`, `gitleaks`, `claude`)
|
|
188
|
+
8. `rule` (the tool's native rule id; may contain dots, hyphens)
|
|
189
|
+
9. `subIssueNumber` — present **only** when the row has been broken out to a sub-issue; `undefined` otherwise
|
|
190
|
+
|
|
191
|
+
Derived state (the feedback skill computes these from the captures):
|
|
192
|
+
|
|
193
|
+
| State | Written as | `checkbox` | `subIssueNumber` |
|
|
194
|
+
|-------|------------|------------|------------------|
|
|
195
|
+
| **pending** | `- [ ] <!-- item:N fp:FP --> **TITLE** — …` | `" "` | `undefined` |
|
|
196
|
+
| **user-ticked** (maintainer clicked the box in GitHub's UI) | `- [x] <!-- item:N fp:FP --> **TITLE** — …` | `"x"` | `undefined` |
|
|
197
|
+
| **broken-out** (feedback skill created a sub-issue) | `- [x] <!-- item:N fp:FP --> ~~**TITLE** — …~~ → #SUBISSUE` | `"x"` | the sub-issue number |
|
|
198
|
+
|
|
199
|
+
Rules:
|
|
200
|
+
|
|
201
|
+
- `alreadyBrokenOut` ≡ `subIssueNumber != null`. Broken-out rows are immutable — the feedback skill never re-opens them, never touches their checkbox, never re-creates sub-issues from them.
|
|
202
|
+
- `userTicked` ≡ `checkbox === "x" && subIssueNumber == null`. These are the candidates the default `@last-light create issues` command selects.
|
|
203
|
+
- When creating sub-issues from ticked rows, the feedback skill transitions each row from **user-ticked** → **broken-out** by wrapping the visible text in `~~…~~` and appending ` → #{subIssueNumber}`. The checkbox stays `[x]`; the strikethrough + link is the canonical broken-out marker.
|
|
204
|
+
- Un-ticking (moving a user-ticked row back to `[ ]`) is fine — the row just becomes pending again. The scanner doesn't police this.
|
|
205
|
+
|
|
206
|
+
The per-finding detail block follows immediately on the next line:
|
|
207
|
+
|
|
208
|
+
````
|
|
209
|
+
<details><summary>Details</summary>
|
|
210
|
+
|
|
211
|
+
```{LANGUAGE}
|
|
212
|
+
{SNIPPET}
|
|
213
|
+
```
|
|
214
|
+
|
|
215
|
+
{EXPLANATION}
|
|
216
|
+
|
|
217
|
+
**Suggested fix:** {SUGGESTED_FIX}
|
|
218
|
+
|
|
219
|
+
</details>
|
|
220
|
+
````
|
|
221
|
+
|
|
222
|
+
Rules:
|
|
223
|
+
- `LANGUAGE` is the fenced-code language tag; empty string when unknown.
|
|
224
|
+
- `SNIPPET` is the code excerpt; no surrounding fences, no trailing blank line inside the fence.
|
|
225
|
+
- `EXPLANATION` and `SUGGESTED_FIX` are markdown strings; they may contain their own fenced code blocks and line breaks.
|
|
226
|
+
- The `<details>` block ends with `</details>` on its own line.
|
|
227
|
+
|
|
228
|
+
## Worked example
|
|
229
|
+
|
|
230
|
+
A scan with 1 critical + 1 high finding renders like:
|
|
231
|
+
|
|
232
|
+
````markdown
|
|
233
|
+
<!-- lastlight-security-scan-version: 1 -->
|
|
234
|
+
<!-- lastlight-security-scan-date: 2026-04-21 -->
|
|
235
|
+
<!-- lastlight-security-scan-ts: 2026-04-21T10:00:00Z -->
|
|
236
|
+
|
|
237
|
+
Reviewing 3 commits since 2026-04-14 (a1b2c3d..f9e8d7c). Findings here focus on SDLC and workflow changes — Dependabot, GitHub Code Scanning, and Renovate handle the rest. Tick the box once the underlying issue is resolved or recorded in `SECURITY.md`.
|
|
238
|
+
|
|
239
|
+
## How to respond
|
|
240
|
+
|
|
241
|
+
- `@last-light create issues for the criticals` — file individual issues for every Critical finding
|
|
242
|
+
- `@last-light create issues for the highs` — same, for High
|
|
243
|
+
- `@last-light create issues for items 1, 3, 5` — file issues for specific items by number (1-based, top to bottom)
|
|
244
|
+
- `@last-light create issues for all` — every finding in this scan
|
|
245
|
+
- `@last-light accept-risk for item N: <reason>` — suppress this finding in future scans
|
|
246
|
+
- `@last-light false-positive for item N: <reason>` — suppress this finding in future scans
|
|
247
|
+
- Comment freely to ask questions or discuss
|
|
248
|
+
|
|
249
|
+
## Summary
|
|
250
|
+
|
|
251
|
+
| Severity | Count |
|
|
252
|
+
|----------|------:|
|
|
253
|
+
| Critical | 1 |
|
|
254
|
+
| High | 1 |
|
|
255
|
+
| Medium | 0 |
|
|
256
|
+
| Low | 0 |
|
|
257
|
+
| **Total**| **2** |
|
|
258
|
+
|
|
259
|
+
Suppressed by `SECURITY.md`: 0 (accepted: 0, false-positives: 0). Below severity floor: 0.
|
|
260
|
+
|
|
261
|
+
> Commits reviewed: a1b2c3d wire user-supplied repo into git clone, e5f6a7b add admin shell endpoint, f9e8d7c rotate webhook secret
|
|
262
|
+
|
|
263
|
+
## Findings
|
|
264
|
+
|
|
265
|
+
### 🔴 Critical (1)
|
|
266
|
+
|
|
267
|
+
- [ ] <!-- item:1 fp:abc123def4567890 --> **Command injection in git clone** — `mcp-github-app/src/index.js:42` (semgrep · `javascript.lang.security.exec-shell-command`)
|
|
268
|
+
<details><summary>Details</summary>
|
|
269
|
+
|
|
270
|
+
```javascript
|
|
271
|
+
execSync(`git clone ${userInput}`)
|
|
272
|
+
```
|
|
273
|
+
|
|
274
|
+
`userInput` originates from an HTTP request and is concatenated directly into a shell command, allowing arbitrary command execution.
|
|
275
|
+
|
|
276
|
+
**Suggested fix:** use `execFileSync('git', ['clone', userInput])` so arguments aren't re-parsed by a shell.
|
|
277
|
+
|
|
278
|
+
</details>
|
|
279
|
+
|
|
280
|
+
### 🟠 High (1)
|
|
281
|
+
|
|
282
|
+
- [ ] <!-- item:2 fp:def456abc7890123 --> **Hardcoded API key in config** — `src/config.ts:18` (gitleaks · `generic-api-key`)
|
|
283
|
+
<details><summary>Details</summary>
|
|
284
|
+
|
|
285
|
+
```typescript
|
|
286
|
+
const API_KEY = "sk_live_abc123..."
|
|
287
|
+
```
|
|
288
|
+
|
|
289
|
+
A live API key is committed to the repo. Anyone with read access to the repo (or the git history of a former branch) can use it.
|
|
290
|
+
|
|
291
|
+
**Suggested fix:** move the key to an environment variable (`process.env.API_KEY`) and rotate the exposed one immediately.
|
|
292
|
+
|
|
293
|
+
</details>
|
|
294
|
+
|
|
295
|
+
### 🟡 Medium (0)
|
|
296
|
+
|
|
297
|
+
_No findings._
|
|
298
|
+
|
|
299
|
+
### 🟢 Low (0)
|
|
300
|
+
|
|
301
|
+
_No findings._
|
|
302
|
+
````
|
|
@@ -0,0 +1,118 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: verify
|
|
3
|
+
description: Test a behaviour claim as an investigator and report whether the evidence confirms or refutes it — CONFIRMED / REFUTED / INCONCLUSIVE with bash-captured evidence. Use when asked to verify a claim, prove a fix works, or check that a PR does what it says.
|
|
4
|
+
version: 1.0.0
|
|
5
|
+
tags: [github, verify, testing, evidence]
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
# Verify
|
|
9
|
+
|
|
10
|
+
Test a specific claim about behaviour and report whether the evidence supports
|
|
11
|
+
or refutes it. The deliverable is a **verdict with evidence**, not an opinion.
|
|
12
|
+
|
|
13
|
+
This skill uses the **building** skill for installing dependencies and running
|
|
14
|
+
the repo's build/test commands in the sandbox.
|
|
15
|
+
|
|
16
|
+
> **Scope (text-evidence path).** In the default text phase the sandbox agent
|
|
17
|
+
> has bash, file read, and the github tools — no browser, no screenshots, no
|
|
18
|
+
> video. Prove claims with what bash can capture: test output, command
|
|
19
|
+
> stdout/stderr, `curl` against a dev-server you start, log excerpts, file
|
|
20
|
+
> contents, exit codes. Driving a real browser and attaching screenshots is the
|
|
21
|
+
> separate `browser-qa` skill, which is staged only in the gated browser phase
|
|
22
|
+
> running on the docker QA image (Playwright + Chromium). If that skill isn't in
|
|
23
|
+
> your catalogue and a claim genuinely can only be shown in a rendered UI, say
|
|
24
|
+
> so under **INCONCLUSIVE** rather than guessing — the browser phase will pick
|
|
25
|
+
> it up when available.
|
|
26
|
+
|
|
27
|
+
## Ground rule — investigator, not advocate
|
|
28
|
+
|
|
29
|
+
Your job is to find out whether the claim is **true**, not to make it look true.
|
|
30
|
+
A conclusive "this is broken" with clear evidence is exactly as valuable as a
|
|
31
|
+
"this works". Specifically:
|
|
32
|
+
|
|
33
|
+
- **Never fabricate, hardcode, mock, or stage evidence** to match an expected
|
|
34
|
+
outcome. Do not edit the code under test to make a result appear.
|
|
35
|
+
- If the behaviour you observe **contradicts** the claim, that is the result —
|
|
36
|
+
report it as REFUTED with the evidence inline. Don't bury it.
|
|
37
|
+
- **Don't retry a failing test hoping for a different answer.** Retry only after
|
|
38
|
+
*changing* the environment or procedure (wrong branch, missing build step),
|
|
39
|
+
and only when you have reason to believe the test setup — not the code — was
|
|
40
|
+
wrong. One unexpected result that reproduces is a finding.
|
|
41
|
+
|
|
42
|
+
## Parse the target
|
|
43
|
+
|
|
44
|
+
The Context block gives you the claim and (usually) a PR or issue. The claim may
|
|
45
|
+
arrive as:
|
|
46
|
+
|
|
47
|
+
- A **direct claim** — "ESC cancels streaming in bash mode", "the `--fork` flag
|
|
48
|
+
creates a new session".
|
|
49
|
+
- A **PR reference + claim** — verify the claim against that PR's head.
|
|
50
|
+
- A **PR reference only** — read the PR description + diff and identify the most
|
|
51
|
+
important, most testable claim it makes; state which claim you chose.
|
|
52
|
+
|
|
53
|
+
When a PR/issue is given, read its description and diff for context (from the
|
|
54
|
+
local checkout — see the **building** skill's workspace notes; don't pull the
|
|
55
|
+
diff through the API).
|
|
56
|
+
|
|
57
|
+
## Decide what would convince a skeptic
|
|
58
|
+
|
|
59
|
+
Name the single behaviour to observe and the evidence that settles it:
|
|
60
|
+
|
|
61
|
+
- **Functional claim** (a feature works, a flow completes) → run it and capture
|
|
62
|
+
the output / exit code / resulting state.
|
|
63
|
+
- **Regression / fix claim** ("no longer clears the screen", "stops erroring") →
|
|
64
|
+
show the **before and after**: reproduce on the base ref, then show it gone on
|
|
65
|
+
the head ref. Both states must appear in the evidence — an off-camera "it's
|
|
66
|
+
fixed" doesn't count.
|
|
67
|
+
- **Output/encoding claim** → capture the exact bytes/text (`xxd`, `od -c`, raw
|
|
68
|
+
stdout) rather than describing them.
|
|
69
|
+
|
|
70
|
+
## Run the test
|
|
71
|
+
|
|
72
|
+
Follow the **building** skill to install and build. Then exercise the claim with
|
|
73
|
+
the minimal sequence that demonstrates it, capturing evidence at the decisive
|
|
74
|
+
step. Start a dev-server in the background and `curl` it when the claim is about
|
|
75
|
+
a running service; run the CLI directly when it's a CLI claim; run the targeted
|
|
76
|
+
test when the repo already encodes the behaviour as a test.
|
|
77
|
+
|
|
78
|
+
If the environment blocks a clean test (missing dependency the sandbox can't
|
|
79
|
+
provide, build failure you can't resolve, infra that won't run), capture what
|
|
80
|
+
blocked it — that drives an **INCONCLUSIVE** result, not a guess.
|
|
81
|
+
|
|
82
|
+
## Report
|
|
83
|
+
|
|
84
|
+
Produce your report as your **final message** in this shape — the workflow posts
|
|
85
|
+
it for you (don't `github_add_issue_comment` yourself; that would double-post).
|
|
86
|
+
**Keep it concise**: a one-line environment summary, the decisive evidence
|
|
87
|
+
(commands + key output, not every line), and a one-paragraph conclusion — not an
|
|
88
|
+
exhaustive walkthrough.
|
|
89
|
+
|
|
90
|
+
```
|
|
91
|
+
## Verify: <claim>
|
|
92
|
+
|
|
93
|
+
**Environment:** <branch / commit, package manager, how the app was run>
|
|
94
|
+
|
|
95
|
+
### Evidence
|
|
96
|
+
<commands run + their captured output — fenced. Include both states for a
|
|
97
|
+
before/after claim.>
|
|
98
|
+
|
|
99
|
+
### Conclusion
|
|
100
|
+
**CONFIRMED** | **REFUTED** | **INCONCLUSIVE**
|
|
101
|
+
|
|
102
|
+
<one paragraph: what the evidence shows and why it settles the claim.>
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
- **REFUTED** — state the expected behaviour (from the claim), the observed
|
|
106
|
+
behaviour (from the evidence), include the evidence inline, and note any
|
|
107
|
+
environmental factors (branch, commit, OS). This is a valuable finding, not a
|
|
108
|
+
failed run.
|
|
109
|
+
- **INCONCLUSIVE** — report exactly what blocked the test and what would be
|
|
110
|
+
needed to resolve it. Do not guess at the outcome.
|
|
111
|
+
|
|
112
|
+
## Do NOT
|
|
113
|
+
|
|
114
|
+
- Retry a failing test more than once without changing the environment/procedure.
|
|
115
|
+
- Hardcode expected output, mock responses, or edit the code under test to force
|
|
116
|
+
a result.
|
|
117
|
+
- Assume unexpected behaviour means *you* made a mistake — it may be a real bug.
|
|
118
|
+
- Omit evidence that contradicts the claim.
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
kind: answer
|
|
2
|
+
name: answer
|
|
3
|
+
description: |
|
|
4
|
+
Answer a question issue directly. Used when a newly-opened issue asks for
|
|
5
|
+
information, an explanation, or a comparison rather than a code change — the
|
|
6
|
+
bot researches (repo docs + web search) and posts a single sourced answer
|
|
7
|
+
comment, labels the issue `question`, and leaves it open. No agent brief, no
|
|
8
|
+
ready-for-agent, no PR.
|
|
9
|
+
|
|
10
|
+
Delivery is uniform: the agent's final message (the answer) is captured as
|
|
11
|
+
`answerResult` and posted by the harness via `postComment` — as a comment on
|
|
12
|
+
the originating issue for GitHub-initiated runs, or into the Slack thread for
|
|
13
|
+
Slack-initiated runs. The skill therefore does NOT post the answer itself; it
|
|
14
|
+
only applies the `question` label when answering a GitHub issue.
|
|
15
|
+
|
|
16
|
+
Triggered by:
|
|
17
|
+
- issue.opened webhook when the router classifies the issue as a question
|
|
18
|
+
- a Slack message classified as a question against a managed repo
|
|
19
|
+
- manual override via routes.github.issue_answer / routes.slack.answer
|
|
20
|
+
|
|
21
|
+
phases:
|
|
22
|
+
- name: phase_0
|
|
23
|
+
label: Context
|
|
24
|
+
type: context
|
|
25
|
+
|
|
26
|
+
- name: answer
|
|
27
|
+
label: Answer
|
|
28
|
+
prompt: prompts/answer.md
|
|
29
|
+
skill: issue-answer
|
|
30
|
+
model: "{{models.answer}}"
|
|
31
|
+
web_search: true
|
|
32
|
+
unrestricted_egress: true
|
|
33
|
+
output_var: answerResult
|
|
34
|
+
messages:
|
|
35
|
+
on_start: "Researching and drafting an answer..."
|
|
36
|
+
on_success: "{{answerResult}}"
|
|
37
|
+
on_failure: "I couldn't put together an answer — see the logs for details."
|
package/workflows/build.yaml
CHANGED
|
@@ -2,6 +2,10 @@ kind: build
|
|
|
2
2
|
name: build
|
|
3
3
|
description: "Architect -> Executor -> Reviewer build cycle"
|
|
4
4
|
trigger: build
|
|
5
|
+
# Render progress as a single in-place task-list comment/message that updates
|
|
6
|
+
# as phases run, instead of a new comment per phase. The per-phase
|
|
7
|
+
# `messages.on_*` below become the one-line detail on each checklist step.
|
|
8
|
+
status_checklist: true
|
|
5
9
|
|
|
6
10
|
phases:
|
|
7
11
|
- name: phase_0
|
|
@@ -12,6 +16,7 @@ phases:
|
|
|
12
16
|
label: Guardrails
|
|
13
17
|
prompt: prompts/guardrails.md
|
|
14
18
|
model: "{{models.guardrails}}"
|
|
19
|
+
variant: "{{variants.guardrails}}"
|
|
15
20
|
on_output:
|
|
16
21
|
contains_BLOCKED:
|
|
17
22
|
action: fail
|
|
@@ -27,7 +32,7 @@ phases:
|
|
|
27
32
|
contains_READY:
|
|
28
33
|
action: continue
|
|
29
34
|
messages:
|
|
30
|
-
on_success: "
|
|
35
|
+
on_success: "READY — foundational tooling verified — [guardrails-report.md]({{artifactUrl guardrails-report.md}})"
|
|
31
36
|
on_blocked: |
|
|
32
37
|
**Guardrails check: BLOCKED** — missing foundational tooling.
|
|
33
38
|
|
|
@@ -38,67 +43,72 @@ phases:
|
|
|
38
43
|
label: Architect
|
|
39
44
|
prompt: prompts/architect.md
|
|
40
45
|
model: "{{models.architect}}"
|
|
46
|
+
variant: "{{variants.architect}}"
|
|
41
47
|
approval_gate: post_architect
|
|
48
|
+
approval_artifact: architect-plan.md
|
|
42
49
|
approval_gate_message: |
|
|
43
50
|
**Architect analysis complete** — approval required before implementation.
|
|
44
51
|
|
|
45
52
|
- Branch: `{{branch}}`
|
|
46
53
|
- Plan: `{{issueDir}}/architect-plan.md`
|
|
47
54
|
|
|
48
|
-
**
|
|
49
|
-
**
|
|
55
|
+
**Review & decide:** {{approvalUrl}}
|
|
56
|
+
**Or comment:** `@last-light approve` / `@last-light reject [reason]`
|
|
50
57
|
messages:
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
- Plan: `{{issueDir}}/architect-plan.md`
|
|
55
|
-
|
|
56
|
-
Starting implementation...
|
|
58
|
+
# Single-line messages become the one-line detail on the checklist step,
|
|
59
|
+
# so keep them concise and link the artifact on the branch.
|
|
60
|
+
on_success: "Plan ready — [architect-plan.md]({{artifactUrl architect-plan.md}})"
|
|
57
61
|
|
|
58
62
|
- name: executor
|
|
59
63
|
label: Executor
|
|
60
64
|
prompt: prompts/executor.md
|
|
65
|
+
skill: building
|
|
61
66
|
model: "{{models.executor}}"
|
|
67
|
+
variant: "{{variants.executor}}"
|
|
62
68
|
messages:
|
|
63
|
-
on_start: "
|
|
64
|
-
on_skipped_done: "
|
|
65
|
-
on_success:
|
|
66
|
-
**Implementation complete.** Running independent review...
|
|
67
|
-
- Branch: `{{branch}}`
|
|
68
|
-
- Summary: `{{issueDir}}/executor-summary.md`
|
|
69
|
+
on_start: "implementing the architect's plan…"
|
|
70
|
+
on_skipped_done: "already completed"
|
|
71
|
+
on_success: "Implemented — [executor-summary.md]({{artifactUrl executor-summary.md}})"
|
|
69
72
|
|
|
70
73
|
- name: reviewer
|
|
71
74
|
label: Reviewer
|
|
72
75
|
prompt: prompts/reviewer.md
|
|
76
|
+
# code-review: rubric for the review + re-review prompts.
|
|
77
|
+
# building: the fix cycle (fix.md) runs under this node and needs the gate.
|
|
78
|
+
skills: [code-review, building]
|
|
73
79
|
model: "{{models.reviewer}}"
|
|
80
|
+
variant: "{{variants.reviewer}}"
|
|
74
81
|
output_var: review
|
|
75
82
|
loop:
|
|
76
83
|
max_cycles: 2
|
|
77
84
|
on_request_changes:
|
|
78
85
|
fix_prompt: prompts/fix.md
|
|
79
86
|
fix_model: "{{models.fix}}"
|
|
87
|
+
fix_variant: "{{variants.fix}}"
|
|
80
88
|
re_review_prompt: prompts/re-reviewer.md
|
|
81
89
|
approval_gate: post_reviewer
|
|
90
|
+
approval_artifact: reviewer-verdict.md
|
|
82
91
|
messages:
|
|
83
|
-
on_cycle_start: "
|
|
84
|
-
on_approved: "
|
|
85
|
-
on_request_changes: "**Review: REQUEST_CHANGES** — fixing issues (cycle {{cycle}}/{{maxCycles}})..."
|
|
92
|
+
on_cycle_start: "independent verification (cycle {{cycle}})…"
|
|
93
|
+
on_approved: "Approved — [reviewer-verdict.md]({{artifactUrl reviewer-verdict.md}})"
|
|
94
|
+
on_request_changes: "**Review: REQUEST_CHANGES** — [reviewer-verdict.md]({{artifactUrl reviewer-verdict.md}}) — fixing issues (cycle {{cycle}}/{{maxCycles}})..."
|
|
86
95
|
on_fix_start: "**Starting fix loop** (cycle {{cycle}}/{{maxCycles}}) — addressing reviewer feedback..."
|
|
87
96
|
on_fix_failed: "Fix cycle {{cycle}} failed. Proceeding to PR with known issues."
|
|
88
|
-
on_max_cycles: "**Review: REQUEST_CHANGES** after {{maxCycles}} fix cycles. Proceeding with remaining issues noted."
|
|
97
|
+
on_max_cycles: "**Review: REQUEST_CHANGES** after {{maxCycles}} fix cycles — see [reviewer-verdict.md]({{artifactUrl reviewer-verdict.md}}). Proceeding with remaining issues noted."
|
|
89
98
|
on_pause_for_approval: |
|
|
90
99
|
**Review: REQUEST_CHANGES** — approval required before fix loop.
|
|
91
100
|
|
|
92
101
|
- Verdict: `{{issueDir}}/reviewer-verdict.md`
|
|
93
102
|
|
|
94
|
-
**
|
|
95
|
-
**
|
|
103
|
+
**Review & decide:** {{approvalUrl}}
|
|
104
|
+
**Or comment:** `@last-light approve` / `@last-light reject [reason]`
|
|
96
105
|
|
|
97
106
|
- name: pr
|
|
98
107
|
label: PR
|
|
99
108
|
prompt: prompts/pr.md
|
|
100
109
|
model: "{{models.pr}}"
|
|
110
|
+
variant: "{{variants.pr}}"
|
|
101
111
|
on_success:
|
|
102
112
|
set_phase: complete
|
|
103
113
|
messages:
|
|
104
|
-
on_start: "
|
|
114
|
+
on_start: "packaging changes for review…"
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
kind: demo
|
|
2
|
+
name: demo
|
|
3
|
+
description: |
|
|
4
|
+
Record a short demo VIDEO of a PR or feature and post it. Drives the repo's
|
|
5
|
+
web UI in a real headless browser, screen-records the session, and composites
|
|
6
|
+
a titled, size-capped mp4 with ffmpeg — delivered inline on the originating
|
|
7
|
+
issue/PR (and in the dashboard Artifacts view). Does not modify code.
|
|
8
|
+
|
|
9
|
+
This workflow's demo phase runs ENTIRELY on the docker backend with the
|
|
10
|
+
browser-QA image (Playwright + Chromium + ffmpeg baked in). On gondolin, or a
|
|
11
|
+
docker host without that image, the demo phase is silently SKIPPED (graceful
|
|
12
|
+
degradation) and the run completes without a video — it never fails the
|
|
13
|
+
trigger. Compositing is ffmpeg-only (title card, optional before/after,
|
|
14
|
+
trim/speed, size cap) — there is no Remotion / cinematic pipeline.
|
|
15
|
+
|
|
16
|
+
Delivery is a single in-place status comment (`status_checklist`): the run
|
|
17
|
+
shows its phases ticking off, then the demo phase's report — with the playable
|
|
18
|
+
video embedded — becomes the comment footer via `final_message`. The agent
|
|
19
|
+
does NOT post anything itself.
|
|
20
|
+
|
|
21
|
+
Triggered by:
|
|
22
|
+
- a `@last-light demo [notes]` comment on an issue/PR
|
|
23
|
+
- manual CLI: tsx src/cli.ts demo owner/repo#N [-- "notes"]
|
|
24
|
+
|
|
25
|
+
status_checklist: true
|
|
26
|
+
final_message: "{{demoResult}}"
|
|
27
|
+
|
|
28
|
+
phases:
|
|
29
|
+
- name: phase_0
|
|
30
|
+
label: Context
|
|
31
|
+
type: context
|
|
32
|
+
depends_on: []
|
|
33
|
+
|
|
34
|
+
# The demo phase. Gated to the docker backend AND the enriched
|
|
35
|
+
# `lastlight-sandbox-qa:latest` image (Playwright + Chromium + ffmpeg). On
|
|
36
|
+
# gondolin, or a docker host without that image, the scheduler silently skips
|
|
37
|
+
# it (the run still completes — there is no text fallback for a video).
|
|
38
|
+
- name: demo
|
|
39
|
+
label: Demo
|
|
40
|
+
depends_on: [phase_0]
|
|
41
|
+
prompt: prompts/demo.md
|
|
42
|
+
# demo: the director procedure + compose-demo.sh wrapper (primary).
|
|
43
|
+
# browser-qa: the headless driver (agent-browser.mjs) with --record-dir.
|
|
44
|
+
# building: install + run the repo's dev-server to drive.
|
|
45
|
+
skills: [demo, browser-qa, building]
|
|
46
|
+
model: "{{models.demo}}"
|
|
47
|
+
variant: "{{variants.demo}}"
|
|
48
|
+
requires_sandbox: docker
|
|
49
|
+
sandbox_image: qa
|
|
50
|
+
output_var: demoResult
|
|
51
|
+
messages:
|
|
52
|
+
on_start: "Recording a demo — installing, running the app, and capturing the UI..."
|
|
53
|
+
on_success: "Demo recorded — see the video below."
|
|
54
|
+
on_failure: "I couldn't record the demo — see the logs for details."
|
|
55
|
+
on_skipped_done: "Demo unavailable on this host (needs the docker browser-QA image)."
|
package/workflows/explore.yaml
CHANGED
|
@@ -8,6 +8,9 @@ description: |
|
|
|
8
8
|
for Slack-initiated runs).
|
|
9
9
|
|
|
10
10
|
trigger: explore
|
|
11
|
+
# Single in-place task-list comment/message instead of a comment per phase.
|
|
12
|
+
# Reply-gate questions and the published spec still post as standalone notes.
|
|
13
|
+
status_checklist: true
|
|
11
14
|
|
|
12
15
|
phases:
|
|
13
16
|
- name: phase_0
|
|
@@ -19,6 +22,8 @@ phases:
|
|
|
19
22
|
prompt: prompts/explore-read.md
|
|
20
23
|
model: "{{models.explore}}"
|
|
21
24
|
output_var: baseline
|
|
25
|
+
unrestricted_egress: true
|
|
26
|
+
web_search: true
|
|
22
27
|
messages:
|
|
23
28
|
on_start: "Cloning `{{owner}}/{{repo}}` and reading the codebase..."
|
|
24
29
|
|
|
@@ -26,6 +31,8 @@ phases:
|
|
|
26
31
|
label: Socratic questioning
|
|
27
32
|
prompt: prompts/explore-ask.md
|
|
28
33
|
model: "{{models.explore}}"
|
|
34
|
+
unrestricted_egress: true
|
|
35
|
+
web_search: true
|
|
29
36
|
generic_loop:
|
|
30
37
|
max_iterations: 8
|
|
31
38
|
until: "output.contains('READY')"
|
|
@@ -41,6 +48,8 @@ phases:
|
|
|
41
48
|
prompt: prompts/explore-synthesize.md
|
|
42
49
|
model: "{{models.architect}}"
|
|
43
50
|
output_var: spec
|
|
51
|
+
unrestricted_egress: true
|
|
52
|
+
web_search: true
|
|
44
53
|
messages:
|
|
45
54
|
on_start: "Writing up the spec from our conversation..."
|
|
46
55
|
|