npm - mandrel - Versions diffs - 1.58.0 → 1.59.0 - Mend

mandrel 1.58.0 → 1.59.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (129) hide show

package/.agents/scripts/lib/orchestration/review-providers/security-review.js CHANGED Viewed

@@ -32,6 +32,7 @@
  */
 import { spawnSync } from 'node:child_process';
+import { parseProviderFindings } from './parse-findings.js';
 import { renderDepthDirective } from './review-depth.js';
 /**
@@ -138,65 +139,12 @@ export function mapSecurityReviewSeverity(raw) {
  * @throws {Error} when stdout is not parseable JSON.
  */
 export function parseSecurityReviewFindings(rawStdout) {
-  const text = (rawStdout ?? '').trim();
-  if (text.length === 0) return [];
-  let parsed;
-  try {
-    parsed = JSON.parse(text);
-  } catch (err) {
-    throw new Error(
-      `[security-review] Failed to parse /security-review stdout as JSON: ${
-        err?.message ?? err
-      }`,
-    );
-  }
-  if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
-    if (Array.isArray(parsed.findings)) parsed = parsed.findings;
-    else if (parsed.result !== undefined) parsed = parsed.result;
-    else if (parsed.data !== undefined) parsed = parsed.data;
-  }
-  if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
-    if (Array.isArray(parsed.findings)) parsed = parsed.findings;
-  }
-  if (!Array.isArray(parsed)) return [];
-  /** @type {Finding[]} */
-  const findings = [];
-  for (const entry of parsed) {
-    if (!entry || typeof entry !== 'object') continue;
-    const title =
-      typeof entry.title === 'string' && entry.title.trim().length > 0
-        ? entry.title.trim()
-        : null;
-    const body =
-      typeof entry.body === 'string' && entry.body.trim().length > 0
-        ? entry.body
-        : typeof entry.message === 'string' && entry.message.trim().length > 0
-          ? entry.message
-          : null;
-    if (!title || !body) continue;
-    /** @type {Finding} */
-    const finding = {
-      severity: mapSecurityReviewSeverity(entry.severity),
-      title,
-      body,
-      category:
-        typeof entry.category === 'string' && entry.category.length > 0
-          ? entry.category
-          : 'security',
-    };
-    if (typeof entry.file === 'string' && entry.file.length > 0) {
-      finding.file = entry.file;
-    }
-    if (Number.isInteger(entry.line) && entry.line > 0) {
-      finding.line = entry.line;
-    }
-    findings.push(finding);
-  }
-  return findings;
+  return parseProviderFindings(rawStdout, {
+    errorPrefix:
+      '[security-review] Failed to parse /security-review stdout as JSON',
+    mapSeverity: mapSecurityReviewSeverity,
+    defaultCategory: 'security',
+  });
 }
 /**

package/.agents/scripts/lib/orchestration/single-story-close/phases/close-validation.js CHANGED Viewed

@@ -22,10 +22,8 @@
  * that mock the upstream module URLs.
  */
-import {
-  buildDefaultGates as defaultBuildDefaultGates,
-  runCloseValidation as defaultRunCloseValidation,
-} from '../../../close-validation.js';
+import { buildDefaultGates as defaultBuildDefaultGates } from '../../../close-validation/gates.js';
+import { runCloseValidation as defaultRunCloseValidation } from '../../../close-validation/runner.js';
 import { Logger } from '../../../Logger.js';
 /**

package/.agents/scripts/lib/orchestration/single-story-close/phases/options.js CHANGED Viewed

@@ -10,7 +10,7 @@
 import path from 'node:path';
 import { parseSprintArgs } from '../../../cli-args.js';
-import { PROJECT_ROOT } from '../../../config-resolver.js';
+import { PROJECT_ROOT } from '../../../project-root.js';
 /**
  * Resolve a flag value from an explicit override, a parsed CLI arg, or a

package/.agents/scripts/lib/orchestration/single-story-close/runner.js CHANGED Viewed

@@ -1,9 +1,7 @@
 import nodeFs from 'node:fs';
 import path from 'node:path';
-import {
-  buildDefaultGates,
-  runCloseValidation,
-} from '../../close-validation.js';
+import { buildDefaultGates } from '../../close-validation/gates.js';
+import { runCloseValidation } from '../../close-validation/runner.js';
 import { resolveConfig } from '../../config-resolver.js';
 import { getStoryBranch, gitSync } from '../../git-utils.js';
 import { Logger } from '../../Logger.js';

package/.agents/scripts/lib/orchestration/single-story-lease-guard.js CHANGED Viewed

@@ -39,16 +39,20 @@
  */
 import {
-  acquireLease,
-  normalizeOperatorHandle,
-  releaseLease,
-} from './ticket-lease.js';
+  acquireLeaseFailClosed,
+  resolveOperatorFromCandidates,
+} from './lease-guard-shared.js';
+import { releaseLease } from './ticket-lease.js';
 /**
  * Resolve the operator handle used as the lease owner from resolved config.
- * Routes through the shared `normalizeOperatorHandle` so a leading `@` is
+ * Routes through the shared lease-guard kernel
+ * (`lease-guard-shared.resolveOperatorFromCandidates`) so a leading `@` is
  * stripped (the assignees API expects bare logins, not `@`-prefixed mentions)
- * and the self-held-claim comparison matches.
+ * and the self-held-claim comparison matches. The standalone surface's
+ * missing-handle policy is `'throw'` (intentional divergence from the plan
+ * path's `'null'`): init has no best-effort leg that can degrade, so an
+ * unowned lease must refuse immediately.
  *
  * @param {object} config Resolved `.agentrc.json` config.
  * @returns {string} Bare operator handle.
@@ -58,17 +62,16 @@ import {
  *   path cannot safely serialise concurrent runs.
  */
 export function resolveOperator(config) {
-  const handle = normalizeOperatorHandle(config?.github?.operatorHandle);
-  if (handle === null) {
-    throw new Error(
+  return resolveOperatorFromCandidates({
+    candidates: [config?.github?.operatorHandle],
+    missingHandleBehavior: 'throw',
+    missingHandleMessage:
       'single-story lease: no operator identity is configured. ' +
-        'github.operatorHandle is unset or still the shipped `@[USERNAME]` ' +
-        'placeholder, so the standalone Story lease has no owner. Set your own ' +
-        'handle in .agentrc.local.json (e.g. { "github": { "operatorHandle": ' +
-        '"@your-login" } }) and re-run.',
-    );
-  }
-  return handle;
+      'github.operatorHandle is unset or still the shipped `@[USERNAME]` ' +
+      'placeholder, so the standalone Story lease has no owner. Set your own ' +
+      'handle in .agentrc.local.json (e.g. { "github": { "operatorHandle": ' +
+      '"@your-login" } }) and re-run.',
+  });
 }
 /**
@@ -99,31 +102,25 @@ export async function acquireStoryLease({
   now,
 }) {
   const owner = operator ?? resolveOperator(config);
-  // Fail closed: with no live-heartbeat source on the standalone path, treat a
-  // foreign assignee as a live claim. Anchoring `heartbeatAt` to the same
-  // `now` the primitive evaluates against makes `isClaimLive` return true for
-  // any foreign owner, so `acquireLease` refuses unless `steal` is set.
-  const resolvedNow =
-    typeof now === 'number' && Number.isFinite(now) ? now : Date.now();
-  const result = await acquireLease({
+  // Fail closed: with no live-heartbeat source on the standalone path, the
+  // shared kernel anchors `heartbeatAt` to the same `now` the primitive
+  // evaluates against, so `isClaimLive` returns true for any foreign owner
+  // and `acquireLease` refuses unless `steal` is set.
+  return acquireLeaseFailClosed({
     provider,
     ticketId: storyId,
     operator: owner,
-    heartbeatAt: resolvedNow,
     steal,
     config,
-    now: resolvedNow,
-  });
-  if (!result.acquired) {
-    throw new Error(
+    now,
+    anchorHeartbeatToNow: true,
+    renderRefusal: (result) =>
       `single-story lease: Story #${storyId} is currently held by @${result.owner}. ` +
-        'Another /single-story-deliver run owns this Story. Coordinate with that ' +
-        'operator, or re-run with --steal to forcibly transfer the claim once you ' +
-        'have confirmed the other run is dead. (The standalone path has no Epic ' +
-        'heartbeat ledger, so a foreign assignee always blocks unless stolen.)',
-    );
-  }
-  return result;
+      'Another /single-story-deliver run owns this Story. Coordinate with that ' +
+      'operator, or re-run with --steal to forcibly transfer the claim once you ' +
+      'have confirmed the other run is dead. (The standalone path has no Epic ' +
+      'heartbeat ledger, so a foreign assignee always blocks unless stolen.)',
+  });
 }
 /**

package/.agents/scripts/lib/orchestration/skill-capsule-loader.js CHANGED Viewed

@@ -12,9 +12,8 @@
 import fs from 'node:fs';
 import path from 'node:path';
-import { PROJECT_ROOT } from '../config-resolver.js';
 import { Logger } from '../Logger.js';
+import { PROJECT_ROOT } from '../project-root.js';
 const POLICY_HEADING_RE = /^## Policy Capsule\s*$/;
 const ANY_H2_RE = /^## /;