orch-code 0.1.1

package/internal/auth/store.go

@@ -0,0 +1,287 @@
+package auth
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/furkanbeydemir/orch/internal/config"
+)
+
+const authFile = "auth.json"
+
+type State struct {
+	Provider     string    `json:"provider"`
+	Mode         string    `json:"mode"`
+	AccessToken  string    `json:"accessToken"`
+	RefreshToken string    `json:"refreshToken,omitempty"`
+	ExpiresAt    time.Time `json:"expiresAt,omitempty"`
+	AccountID    string    `json:"accountId,omitempty"`
+	Email        string    `json:"email,omitempty"`
+	UpdatedAt    time.Time `json:"updatedAt"`
+}
+
+type Credential struct {
+	Type         string    `json:"type"`
+	Key          string    `json:"key,omitempty"`
+	AccessToken  string    `json:"accessToken,omitempty"`
+	RefreshToken string    `json:"refreshToken,omitempty"`
+	ExpiresAt    time.Time `json:"expiresAt,omitempty"`
+	AccountID    string    `json:"accountId,omitempty"`
+	Email        string    `json:"email,omitempty"`
+	UpdatedAt    time.Time `json:"updatedAt"`
+}
+
+func Load(repoRoot string) (*State, error) {
+	cred, err := Get(repoRoot, "openai")
+	if err != nil {
+		return nil, err
+	}
+	if cred == nil {
+		return nil, nil
+	}
+
+	state := &State{
+		Provider:     "openai",
+		UpdatedAt:    cred.UpdatedAt,
+		RefreshToken: strings.TrimSpace(cred.RefreshToken),
+		ExpiresAt:    cred.ExpiresAt,
+		AccountID:    strings.TrimSpace(cred.AccountID),
+		Email:        strings.TrimSpace(cred.Email),
+	}
+
+	switch strings.TrimSpace(strings.ToLower(cred.Type)) {
+	case "oauth", "account":
+		state.Mode = "account"
+		state.AccessToken = strings.TrimSpace(cred.AccessToken)
+	case "api", "api_key":
+		state.Mode = "api_key"
+	default:
+		state.Mode = strings.TrimSpace(cred.Type)
+	}
+
+	return state, nil
+}
+
+func LoadAll(repoRoot string) (map[string]Credential, error) {
+	path := filepath.Join(repoRoot, config.OrchDir, authFile)
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return map[string]Credential{}, nil
+		}
+		return nil, fmt.Errorf("read auth state: %w", err)
+	}
+
+	parsed := map[string]Credential{}
+	if err := json.Unmarshal(data, &parsed); err == nil {
+		clean := map[string]Credential{}
+		for provider, cred := range parsed {
+			id := strings.ToLower(strings.TrimSpace(provider))
+			if id == "" {
+				continue
+			}
+
+			cred.Type = strings.ToLower(strings.TrimSpace(cred.Type))
+			cred.Key = strings.TrimSpace(cred.Key)
+			cred.AccessToken = strings.TrimSpace(cred.AccessToken)
+			cred.RefreshToken = strings.TrimSpace(cred.RefreshToken)
+			cred.AccountID = strings.TrimSpace(cred.AccountID)
+			cred.Email = strings.TrimSpace(cred.Email)
+
+			if cred.Type == "" {
+				continue
+			}
+			if cred.Type == "api_key" {
+				cred.Type = "api"
+			}
+			if cred.Type == "account" {
+				cred.Type = "oauth"
+			}
+			clean[id] = cred
+		}
+		if len(clean) > 0 {
+			return clean, nil
+		}
+	}
+
+	var state State
+	if err := json.Unmarshal(data, &state); err != nil {
+		return nil, fmt.Errorf("parse auth state: %w", err)
+	}
+
+	provider := strings.ToLower(strings.TrimSpace(state.Provider))
+	if provider == "" {
+		provider = "openai"
+	}
+
+	mode := strings.ToLower(strings.TrimSpace(state.Mode))
+	cred := Credential{
+		RefreshToken: strings.TrimSpace(state.RefreshToken),
+		ExpiresAt:    state.ExpiresAt,
+		AccountID:    strings.TrimSpace(state.AccountID),
+		Email:        strings.TrimSpace(state.Email),
+		UpdatedAt:    state.UpdatedAt,
+	}
+	if mode == "account" {
+		cred.Type = "oauth"
+		cred.AccessToken = strings.TrimSpace(state.AccessToken)
+	}
+	if mode == "api_key" {
+		cred.Type = "api"
+		cred.Key = strings.TrimSpace(state.AccessToken)
+	}
+	if cred.Type == "" {
+		cred.Type = mode
+	}
+
+	if cred.Type == "" {
+		return map[string]Credential{}, nil
+	}
+
+	return map[string]Credential{provider: cred}, nil
+}
+
+func Save(repoRoot string, state *State) error {
+	if state == nil {
+		return fmt.Errorf("auth state cannot be nil")
+	}
+	provider := strings.ToLower(strings.TrimSpace(state.Provider))
+	if provider == "" {
+		provider = "openai"
+	}
+
+	mode := strings.ToLower(strings.TrimSpace(state.Mode))
+	cred := Credential{
+		Email:        strings.TrimSpace(state.Email),
+		AccessToken:  strings.TrimSpace(state.AccessToken),
+		RefreshToken: strings.TrimSpace(state.RefreshToken),
+		ExpiresAt:    state.ExpiresAt,
+		AccountID:    strings.TrimSpace(state.AccountID),
+	}
+	if mode == "account" {
+		cred.Type = "oauth"
+	}
+	if mode == "api_key" {
+		cred.Type = "api"
+		cred.Key = strings.TrimSpace(state.AccessToken)
+		cred.AccessToken = ""
+	}
+	if cred.Type == "" {
+		return fmt.Errorf("unsupported auth mode: %s", state.Mode)
+	}
+
+	return Set(repoRoot, provider, cred)
+}
+
+func Clear(repoRoot string) error {
+	path := filepath.Join(repoRoot, config.OrchDir, authFile)
+	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove auth state: %w", err)
+	}
+	return nil
+}
+
+func Get(repoRoot, provider string) (*Credential, error) {
+	all, err := LoadAll(repoRoot)
+	if err != nil {
+		return nil, err
+	}
+	id := strings.ToLower(strings.TrimSpace(provider))
+	if id == "" {
+		return nil, nil
+	}
+	cred, ok := all[id]
+	if !ok {
+		return nil, nil
+	}
+	return &cred, nil
+}
+
+func Set(repoRoot, provider string, cred Credential) error {
+	id := strings.ToLower(strings.TrimSpace(provider))
+	if id == "" {
+		return fmt.Errorf("provider is required")
+	}
+
+	kind := strings.ToLower(strings.TrimSpace(cred.Type))
+	if kind == "api_key" {
+		kind = "api"
+	}
+	if kind == "account" {
+		kind = "oauth"
+	}
+	if kind != "api" && kind != "oauth" && kind != "wellknown" {
+		return fmt.Errorf("unsupported credential type: %s", cred.Type)
+	}
+	if kind == "api" && strings.TrimSpace(cred.Key) == "" {
+		return fmt.Errorf("api credential key cannot be empty")
+	}
+	if kind == "oauth" && strings.TrimSpace(cred.AccessToken) == "" {
+		return fmt.Errorf("oauth access token cannot be empty")
+	}
+
+	if err := config.EnsureOrchDir(repoRoot); err != nil {
+		return err
+	}
+
+	all, err := LoadAll(repoRoot)
+	if err != nil {
+		return err
+	}
+
+	cred.Type = kind
+	cred.Key = strings.TrimSpace(cred.Key)
+	cred.AccessToken = strings.TrimSpace(cred.AccessToken)
+	cred.RefreshToken = strings.TrimSpace(cred.RefreshToken)
+	cred.AccountID = strings.TrimSpace(cred.AccountID)
+	cred.Email = strings.TrimSpace(cred.Email)
+	cred.UpdatedAt = time.Now().UTC()
+
+	all[id] = cred
+
+	data, err := json.MarshalIndent(all, "", "  ")
+	if err != nil {
+		return fmt.Errorf("serialize auth state: %w", err)
+	}
+
+	path := filepath.Join(repoRoot, config.OrchDir, authFile)
+	if err := os.WriteFile(path, data, 0o600); err != nil {
+		return fmt.Errorf("write auth state: %w", err)
+	}
+
+	return nil
+}
+
+func Remove(repoRoot, provider string) error {
+	all, err := LoadAll(repoRoot)
+	if err != nil {
+		return err
+	}
+	id := strings.ToLower(strings.TrimSpace(provider))
+	if id == "" {
+		return fmt.Errorf("provider is required")
+	}
+	if _, ok := all[id]; !ok {
+		return nil
+	}
+	delete(all, id)
+
+	if len(all) == 0 {
+		return Clear(repoRoot)
+	}
+
+	data, err := json.MarshalIndent(all, "", "  ")
+	if err != nil {
+		return fmt.Errorf("serialize auth state: %w", err)
+	}
+
+	path := filepath.Join(repoRoot, config.OrchDir, authFile)
+	if err := os.WriteFile(path, data, 0o600); err != nil {
+		return fmt.Errorf("write auth state: %w", err)
+	}
+	return nil
+}

package/internal/confidence/policy.go

@@ -0,0 +1,174 @@
+package confidence
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/furkanbeydemir/orch/internal/config"
+	"github.com/furkanbeydemir/orch/internal/models"
+)
+
+type Policy struct {
+	enabled     bool
+	completeMin float64
+	failBelow   float64
+}
+
+func NewPolicy(cfg *config.Config) *Policy {
+	defaults := config.DefaultConfig()
+	policy := &Policy{
+		enabled:     defaults.Safety.FeatureFlags.ConfidenceEnforcement,
+		completeMin: defaults.Safety.Confidence.CompleteMin,
+		failBelow:   defaults.Safety.Confidence.FailBelow,
+	}
+	if cfg == nil {
+		return policy
+	}
+	policy.enabled = cfg.Safety.FeatureFlags.ConfidenceEnforcement
+	if cfg.Safety.Confidence.CompleteMin > 0 {
+		policy.completeMin = cfg.Safety.Confidence.CompleteMin
+	}
+	if cfg.Safety.Confidence.FailBelow > 0 {
+		policy.failBelow = cfg.Safety.Confidence.FailBelow
+	}
+	return policy
+}
+
+func (p *Policy) Apply(state *models.RunState) error {
+	if state == nil {
+		return nil
+	}
+
+	appendOrReplaceReviewGate(state, models.ValidationResult{
+		Name:     "review_scorecard_valid",
+		Stage:    "review",
+		Status:   models.ValidationPass,
+		Severity: models.SeverityLow,
+		Summary:  "review scorecard produced successfully",
+	})
+
+	if state.ReviewScorecard == nil {
+		appendOrReplaceReviewGate(state, models.ValidationResult{
+			Name:     "review_scorecard_valid",
+			Stage:    "review",
+			Status:   models.ValidationFail,
+			Severity: models.SeverityHigh,
+			Summary:  "review scorecard is missing",
+		})
+		return fmt.Errorf("review scorecard is missing")
+	}
+	if state.Review == nil {
+		appendOrReplaceReviewGate(state, models.ValidationResult{
+			Name:     "review_decision_threshold_met",
+			Stage:    "review",
+			Status:   models.ValidationFail,
+			Severity: models.SeverityHigh,
+			Summary:  "review result is missing",
+		})
+		return fmt.Errorf("review result is missing")
+	}
+	if state.Confidence == nil {
+		appendOrReplaceReviewGate(state, models.ValidationResult{
+			Name:     "review_decision_threshold_met",
+			Stage:    "review",
+			Status:   models.ValidationFail,
+			Severity: models.SeverityHigh,
+			Summary:  "confidence report is missing",
+		})
+		return fmt.Errorf("confidence report is missing")
+	}
+
+	if !p.enabled {
+		appendOrReplaceReviewGate(state, models.ValidationResult{
+			Name:     "review_decision_threshold_met",
+			Stage:    "review",
+			Status:   models.ValidationPass,
+			Severity: models.SeverityLow,
+			Summary:  "confidence enforcement disabled; review threshold considered satisfied",
+		})
+		return nil
+	}
+
+	score := state.Confidence.Score
+	if score < p.failBelow {
+		message := fmt.Sprintf("confidence %.2f is below fail threshold %.2f", score, p.failBelow)
+		markReviewRevise(state, message)
+		appendOrReplaceReviewGate(state, models.ValidationResult{
+			Name:            "review_decision_threshold_met",
+			Stage:           "review",
+			Status:          models.ValidationFail,
+			Severity:        models.SeverityHigh,
+			Summary:         message,
+			ActionableItems: []string{"Do not complete the run; inspect the confidence warnings and regenerate the patch with tighter scope and stronger verification."},
+		})
+		return fmt.Errorf("%s", message)
+	}
+
+	if score < p.completeMin {
+		message := fmt.Sprintf("confidence %.2f is below completion threshold %.2f", score, p.completeMin)
+		markReviewRevise(state, message)
+		appendOrReplaceReviewGate(state, models.ValidationResult{
+			Name:            "review_decision_threshold_met",
+			Stage:           "review",
+			Status:          models.ValidationFail,
+			Severity:        models.SeverityMedium,
+			Summary:         message,
+			ActionableItems: []string{"Retry the patch until confidence reaches the completion threshold or reduce uncertainty in validation/test signals."},
+		})
+		return nil
+	}
+
+	appendOrReplaceReviewGate(state, models.ValidationResult{
+		Name:     "review_decision_threshold_met",
+		Stage:    "review",
+		Status:   models.ValidationPass,
+		Severity: models.SeverityLow,
+		Summary:  fmt.Sprintf("confidence %.2f meets completion threshold %.2f", score, p.completeMin),
+	})
+	return nil
+}
+
+func appendOrReplaceReviewGate(state *models.RunState, gate models.ValidationResult) {
+	if state == nil {
+		return
+	}
+	for i, result := range state.ValidationResults {
+		if result.Name == gate.Name && strings.EqualFold(result.Stage, gate.Stage) {
+			state.ValidationResults[i] = gate
+			return
+		}
+	}
+	state.ValidationResults = append(state.ValidationResults, gate)
+}
+
+func markReviewRevise(state *models.RunState, message string) {
+	if state == nil {
+		return
+	}
+	if state.Review != nil {
+		state.Review.Decision = models.ReviewRevise
+		state.Review.Comments = uniqueNonEmptyPolicy(append(state.Review.Comments, message))
+		state.Review.Suggestions = uniqueNonEmptyPolicy(append(state.Review.Suggestions, "Increase confidence by improving validation, tests, or review findings before completion."))
+	}
+	if state.ReviewScorecard != nil {
+		state.ReviewScorecard.Decision = models.ReviewRevise
+		state.ReviewScorecard.Findings = uniqueNonEmptyPolicy(append(state.ReviewScorecard.Findings, message))
+	}
+}
+
+func uniqueNonEmptyPolicy(values []string) []string {
+	result := make([]string, 0, len(values))
+	seen := map[string]struct{}{}
+	for _, value := range values {
+		trimmed := strings.TrimSpace(value)
+		if trimmed == "" {
+			continue
+		}
+		if _, ok := seen[trimmed]; ok {
+			continue
+		}
+		seen[trimmed] = struct{}{}
+		result = append(result, trimmed)
+	}
+	return result
+}

package/internal/confidence/policy_test.go

@@ -0,0 +1,71 @@
+package confidence
+
+import (
+	"testing"
+
+	"github.com/furkanbeydemir/orch/internal/config"
+	"github.com/furkanbeydemir/orch/internal/models"
+)
+
+func TestPolicyPassesWhenConfidenceMeetsThreshold(t *testing.T) {
+	policy := NewPolicy(config.DefaultConfig())
+	state := &models.RunState{
+		Review:          &models.ReviewResult{Decision: models.ReviewAccept},
+		ReviewScorecard: &models.ReviewScorecard{Decision: models.ReviewAccept},
+		Confidence:      &models.ConfidenceReport{Score: 0.82, Band: "medium"},
+	}
+
+	if err := policy.Apply(state); err != nil {
+		t.Fatalf("expected policy pass, got error: %v", err)
+	}
+	if state.Review.Decision != models.ReviewAccept {
+		t.Fatalf("expected accept decision to remain")
+	}
+	if !hasGate(state.ValidationResults, "review_decision_threshold_met", models.ValidationPass) {
+		t.Fatalf("expected passing review threshold gate")
+	}
+}
+
+func TestPolicyRevisesWhenConfidenceBelowCompletionThreshold(t *testing.T) {
+	policy := NewPolicy(config.DefaultConfig())
+	state := &models.RunState{
+		Review:          &models.ReviewResult{Decision: models.ReviewAccept},
+		ReviewScorecard: &models.ReviewScorecard{Decision: models.ReviewAccept},
+		Confidence:      &models.ConfidenceReport{Score: 0.61, Band: "low"},
+	}
+
+	if err := policy.Apply(state); err != nil {
+		t.Fatalf("expected revise path without hard error, got: %v", err)
+	}
+	if state.Review.Decision != models.ReviewRevise {
+		t.Fatalf("expected review decision to downgrade to revise")
+	}
+	if !hasGate(state.ValidationResults, "review_decision_threshold_met", models.ValidationFail) {
+		t.Fatalf("expected failing review threshold gate")
+	}
+}
+
+func TestPolicyFailsWhenConfidenceBelowFailThreshold(t *testing.T) {
+	policy := NewPolicy(config.DefaultConfig())
+	state := &models.RunState{
+		Review:          &models.ReviewResult{Decision: models.ReviewAccept},
+		ReviewScorecard: &models.ReviewScorecard{Decision: models.ReviewAccept},
+		Confidence:      &models.ConfidenceReport{Score: 0.30, Band: "very_low"},
+	}
+
+	if err := policy.Apply(state); err == nil {
+		t.Fatalf("expected hard failure for very low confidence")
+	}
+	if state.Review.Decision != models.ReviewRevise {
+		t.Fatalf("expected decision to downgrade to revise before failure")
+	}
+}
+
+func hasGate(results []models.ValidationResult, name string, status models.ValidationStatus) bool {
+	for _, result := range results {
+		if result.Name == name && result.Status == status {
+			return true
+		}
+	}
+	return false
+}