oxe-cc 0.9.3 → 1.0.0

package/packages/runtime/src/delivery/ci-checks.ts

@@ -0,0 +1,252 @@
+import fs from 'fs';
+import path from 'path';
+import type { EvidenceStore } from '../evidence/evidence-store';
+
+export type CICheckStatus = 'pass' | 'fail' | 'skip' | 'error';
+
+export interface CICheckContext {
+  projectRoot: string;
+  sessionId: string | null;
+  runId?: string;
+  evidenceStore?: EvidenceStore;
+}
+
+export interface CICheckResult {
+  check: string;
+  status: CICheckStatus;
+  message: string;
+  details?: unknown;
+}
+
+export interface CICheck {
+  name: string;
+  description: string;
+  run(ctx: CICheckContext): Promise<CICheckResult>;
+}
+
+// ─── Check: plan-consistency ─────────────────────────────────────────────────
+
+export const planConsistencyCheck: CICheck = {
+  name: 'oxe-plan-consistency',
+  description: 'Verifies ACTIVE-RUN.json exists and has a compiled ExecutionGraph',
+  async run(ctx) {
+    const activeRunPath = ctx.sessionId
+      ? path.join(ctx.projectRoot, '.oxe', ctx.sessionId, 'execution', 'ACTIVE-RUN.json')
+      : path.join(ctx.projectRoot, '.oxe', 'ACTIVE-RUN.json');
+
+    if (!fs.existsSync(activeRunPath)) {
+      return { check: this.name, status: 'skip', message: 'No ACTIVE-RUN.json found' };
+    }
+
+    try {
+      const raw = JSON.parse(fs.readFileSync(activeRunPath, 'utf8')) as Record<string, unknown>;
+      const hasGraph = raw.compiled_graph && typeof raw.compiled_graph === 'object';
+      const hasRunId = typeof raw.run_id === 'string';
+
+      if (!hasRunId) {
+        return { check: this.name, status: 'fail', message: 'ACTIVE-RUN.json missing run_id', details: raw };
+      }
+      if (!hasGraph) {
+        return { check: this.name, status: 'fail', message: 'No compiled ExecutionGraph found in ACTIVE-RUN.json', details: { run_id: raw.run_id } };
+      }
+      return { check: this.name, status: 'pass', message: `Run ${String(raw.run_id)} has compiled graph` };
+    } catch (err) {
+      return { check: this.name, status: 'error', message: `Failed to parse ACTIVE-RUN.json: ${String(err)}` };
+    }
+  },
+};
+
+// ─── Check: verify-acceptance ────────────────────────────────────────────────
+
+export const verifyAcceptanceCheck: CICheck = {
+  name: 'oxe-verify-acceptance',
+  description: 'Checks that VERIFY.md exists and contains no failed criteria',
+  async run(ctx) {
+    const verifyPath = ctx.sessionId
+      ? path.join(ctx.projectRoot, '.oxe', ctx.sessionId, 'verification', 'VERIFY.md')
+      : path.join(ctx.projectRoot, '.oxe', 'VERIFY.md');
+
+    if (!fs.existsSync(verifyPath)) {
+      return { check: this.name, status: 'skip', message: 'No VERIFY.md found — run /oxe-verify first' };
+    }
+
+    const content = fs.readFileSync(verifyPath, 'utf8');
+    const failLines = content.split('\n').filter((l) => l.includes('✗ FAIL'));
+    const passLines = content.split('\n').filter((l) => l.includes('✓ PASS'));
+
+    if (failLines.length > 0) {
+      return {
+        check: this.name,
+        status: 'fail',
+        message: `${failLines.length} acceptance criteria failed`,
+        details: { failed: failLines, passed: passLines.length },
+      };
+    }
+    if (passLines.length === 0) {
+      return { check: this.name, status: 'skip', message: 'VERIFY.md has no pass/fail markers' };
+    }
+    return { check: this.name, status: 'pass', message: `${passLines.length} acceptance criteria passed` };
+  },
+};
+
+// ─── Check: policy ───────────────────────────────────────────────────────────
+
+export const policyCheck: CICheck = {
+  name: 'oxe-policy',
+  description: 'Checks that no gates are pending (unresolved human approval)',
+  async run(ctx) {
+    const gatesPath = ctx.sessionId
+      ? path.join(ctx.projectRoot, '.oxe', ctx.sessionId, 'execution', 'GATES.json')
+      : path.join(ctx.projectRoot, '.oxe', 'execution', 'GATES.json');
+
+    if (!fs.existsSync(gatesPath)) {
+      return { check: this.name, status: 'pass', message: 'No pending gates' };
+    }
+
+    try {
+      const gates = JSON.parse(fs.readFileSync(gatesPath, 'utf8')) as Array<{ status: string; scope: string; gate_id: string }>;
+      const pending = gates.filter((g) => g.status === 'pending');
+      if (pending.length > 0) {
+        return {
+          check: this.name,
+          status: 'fail',
+          message: `${pending.length} unresolved gate(s)`,
+          details: pending.map((g) => ({ gate_id: g.gate_id, scope: g.scope })),
+        };
+      }
+      return { check: this.name, status: 'pass', message: 'All gates resolved' };
+    } catch (err) {
+      return { check: this.name, status: 'error', message: `Failed to read GATES.json: ${String(err)}` };
+    }
+  },
+};
+
+// ─── Check: security-baseline ────────────────────────────────────────────────
+
+const SECRET_PATTERNS = [
+  /(?:password|passwd|secret|api[_-]?key|auth[_-]?token)\s*[:=]\s*['"]?\S{8,}/i,
+  /(?:AKIA|ASIA)[A-Z0-9]{16}/,
+  /-----BEGIN (?:RSA|EC|OPENSSH) PRIVATE KEY-----/,
+];
+
+export const securityBaselineCheck: CICheck = {
+  name: 'oxe-security-baseline',
+  description: 'Scans evidence artifacts for common secret patterns',
+  async run(ctx) {
+    if (!ctx.evidenceStore || !ctx.runId) {
+      return { check: this.name, status: 'skip', message: 'No evidence store or run ID provided' };
+    }
+
+    const evidenceDir = path.join(ctx.projectRoot, '.oxe', 'evidence', 'runs', ctx.runId);
+    if (!fs.existsSync(evidenceDir)) {
+      return { check: this.name, status: 'skip', message: 'No evidence found for this run' };
+    }
+
+    const findings: string[] = [];
+    walkDir(evidenceDir, (filePath) => {
+      if (filePath.endsWith('.json') || filePath.endsWith('.patch') || filePath.endsWith('.txt')) {
+        try {
+          const content = fs.readFileSync(filePath, 'utf8');
+          for (const pattern of SECRET_PATTERNS) {
+            if (pattern.test(content)) {
+              findings.push(`${path.basename(filePath)}: matches pattern ${pattern.source.slice(0, 40)}`);
+              break;
+            }
+          }
+        } catch { /* skip unreadable */ }
+      }
+    });
+
+    if (findings.length > 0) {
+      return { check: this.name, status: 'fail', message: `Secret patterns detected in ${findings.length} evidence file(s)`, details: findings };
+    }
+    return { check: this.name, status: 'pass', message: 'No secret patterns detected in evidence' };
+  },
+};
+
+// ─── Check: runtime-evidence-integrity ───────────────────────────────────────
+
+export const runtimeEvidenceIntegrityCheck: CICheck = {
+  name: 'oxe-runtime-evidence-integrity',
+  description: 'Validates that all evidence index files are valid JSON and files exist on disk',
+  async run(ctx) {
+    if (!ctx.runId) {
+      return { check: this.name, status: 'skip', message: 'No run ID provided' };
+    }
+
+    const runEvidenceDir = path.join(ctx.projectRoot, '.oxe', 'evidence', 'runs', ctx.runId);
+    if (!fs.existsSync(runEvidenceDir)) {
+      return { check: this.name, status: 'skip', message: 'No evidence directory for this run' };
+    }
+
+    const errors: string[] = [];
+    let indexCount = 0;
+    let evidenceCount = 0;
+
+    walkDir(runEvidenceDir, (filePath) => {
+      if (path.basename(filePath) !== 'index.json') return;
+      indexCount++;
+      try {
+        const items = JSON.parse(fs.readFileSync(filePath, 'utf8')) as Array<{ path: string; evidence_id: string }>;
+        for (const item of items) {
+          evidenceCount++;
+          const absPath = path.join(ctx.projectRoot, item.path);
+          if (!fs.existsSync(absPath)) {
+            errors.push(`Missing file for ${item.evidence_id}: ${item.path}`);
+          }
+        }
+      } catch (err) {
+        errors.push(`Corrupt index at ${filePath}: ${String(err)}`);
+      }
+    });
+
+    if (errors.length > 0) {
+      return { check: this.name, status: 'fail', message: `${errors.length} integrity error(s)`, details: errors };
+    }
+    return {
+      check: this.name,
+      status: indexCount === 0 ? 'skip' : 'pass',
+      message: `${evidenceCount} evidence artifact(s) across ${indexCount} index(es) — all valid`,
+    };
+  },
+};
+
+// ─── Suite ───────────────────────────────────────────────────────────────────
+
+export const OXE_CI_CHECKS: CICheck[] = [
+  planConsistencyCheck,
+  verifyAcceptanceCheck,
+  policyCheck,
+  securityBaselineCheck,
+  runtimeEvidenceIntegrityCheck,
+];
+
+export async function runCIChecks(
+  ctx: CICheckContext,
+  checks: CICheck[] = OXE_CI_CHECKS
+): Promise<CICheckResult[]> {
+  const results: CICheckResult[] = [];
+  for (const check of checks) {
+    results.push(await check.run(ctx));
+  }
+  return results;
+}
+
+export function summarizeCIResults(results: CICheckResult[]): {
+  total: number; pass: number; fail: number; skip: number; error: number; allPassed: boolean;
+} {
+  const counts = { total: results.length, pass: 0, fail: 0, skip: 0, error: 0 };
+  for (const r of results) counts[r.status]++;
+  return { ...counts, allPassed: counts.fail === 0 && counts.error === 0 };
+}
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+function walkDir(dir: string, visitor: (filePath: string) => void): void {
+  if (!fs.existsSync(dir)) return;
+  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) walkDir(full, visitor);
+    else visitor(full);
+  }
+}

package/packages/runtime/src/delivery/index.ts

@@ -0,0 +1,3 @@
+export * from './branch-manager';
+export * from './pr-manager';
+export * from './ci-checks';

package/packages/runtime/src/delivery/pr-manager.ts

@@ -0,0 +1,112 @@
+import { spawnSync } from 'child_process';
+
+export interface PRDraftOptions {
+  title: string;
+  body: string;
+  base?: string;
+  head?: string;
+  draft?: boolean;
+}
+
+export interface PRInfo {
+  number: number;
+  title: string;
+  url: string;
+  state: string;
+  draft: boolean;
+  head: string;
+  base: string;
+}
+
+export interface PRResult {
+  success: boolean;
+  url?: string;
+  error?: string;
+  pr?: PRInfo;
+}
+
+function isGhAvailable(cwd: string): boolean {
+  const result = spawnSync('gh', ['--version'], { cwd, encoding: 'utf8' });
+  return result.status === 0;
+}
+
+export class PRManager {
+  constructor(private readonly projectRoot: string) {}
+
+  isAvailable(): boolean {
+    return isGhAvailable(this.projectRoot);
+  }
+
+  createDraft(opts: PRDraftOptions): PRResult {
+    if (!this.isAvailable()) {
+      return { success: false, error: 'gh CLI not available — install from https://cli.github.com' };
+    }
+    const args = [
+      'pr', 'create',
+      '--title', opts.title,
+      '--body', opts.body,
+    ];
+    if (opts.draft !== false) args.push('--draft');
+    if (opts.base) args.push('--base', opts.base);
+    if (opts.head) args.push('--head', opts.head);
+
+    const result = spawnSync('gh', args, {
+      cwd: this.projectRoot,
+      encoding: 'utf8',
+    });
+
+    if (result.status !== 0) {
+      return { success: false, error: result.stderr?.trim() ?? 'gh pr create failed' };
+    }
+    const url = result.stdout?.trim();
+    return { success: true, url };
+  }
+
+  view(prNumberOrUrl: string | number): PRResult {
+    if (!this.isAvailable()) {
+      return { success: false, error: 'gh CLI not available' };
+    }
+    const result = spawnSync(
+      'gh',
+      ['pr', 'view', String(prNumberOrUrl), '--json', 'number,title,url,state,isDraft,headRefName,baseRefName'],
+      { cwd: this.projectRoot, encoding: 'utf8' }
+    );
+    if (result.status !== 0) {
+      return { success: false, error: result.stderr?.trim() };
+    }
+    try {
+      const raw = JSON.parse(result.stdout) as {
+        number: number; title: string; url: string; state: string;
+        isDraft: boolean; headRefName: string; baseRefName: string;
+      };
+      return {
+        success: true,
+        url: raw.url,
+        pr: {
+          number: raw.number,
+          title: raw.title,
+          url: raw.url,
+          state: raw.state.toLowerCase(),
+          draft: raw.isDraft,
+          head: raw.headRefName,
+          base: raw.baseRefName,
+        },
+      };
+    } catch {
+      return { success: false, error: 'Failed to parse gh output' };
+    }
+  }
+
+  mergePR(prNumber: number, method: 'merge' | 'squash' | 'rebase' = 'merge'): PRResult {
+    if (!this.isAvailable()) {
+      return { success: false, error: 'gh CLI not available' };
+    }
+    const result = spawnSync('gh', ['pr', 'merge', String(prNumber), `--${method}`, '--delete-branch'], {
+      cwd: this.projectRoot,
+      encoding: 'utf8',
+    });
+    return result.status === 0
+      ? { success: true }
+      : { success: false, error: result.stderr?.trim() };
+  }
+}

package/packages/runtime/src/events/bus.ts

@@ -0,0 +1,92 @@
+import type { OxeEvent } from './envelope';
+import type { EventType } from './catalog';
+import path from 'path';
+import fs from 'fs';
+
+export type EventInput = Partial<Omit<OxeEvent, 'type'>> & { type: EventType };
+
+interface OperationalEvent {
+  event_id?: string;
+  type?: string;
+  timestamp?: string;
+  session_id?: string | null;
+  run_id?: string | null;
+  task_id?: string | null;
+  work_item_id?: string | null;
+  attempt_id?: string | null;
+  causation_id?: string | null;
+  correlation_id?: string | null;
+  payload?: Record<string, unknown>;
+}
+
+function loadOperationalModule(): {
+  appendEvent: (projectRoot: string, sessionId: string | null, event: Record<string, unknown>) => OperationalEvent;
+  readEvents: (projectRoot: string, sessionId: string | null) => OperationalEvent[];
+} {
+  const candidates = [
+    path.resolve(__dirname, '../../../bin/lib/oxe-operational.cjs'),
+    path.resolve(__dirname, '../../../../bin/lib/oxe-operational.cjs'),
+    path.resolve(__dirname, '../../../../../bin/lib/oxe-operational.cjs'),
+  ];
+  for (const candidate of candidates) {
+    if (!fs.existsSync(candidate)) continue;
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    return require(candidate) as {
+      appendEvent: (projectRoot: string, sessionId: string | null, event: Record<string, unknown>) => OperationalEvent;
+      readEvents: (projectRoot: string, sessionId: string | null) => OperationalEvent[];
+    };
+  }
+  throw new Error(`Unable to locate oxe-operational.cjs from ${__dirname}`);
+}
+
+const operational = loadOperationalModule();
+
+function fromOperationalEvent(raw: OperationalEvent): OxeEvent {
+  return {
+    id: String(raw.event_id || ''),
+    type: String(raw.type || 'RunStarted') as EventType,
+    timestamp: String(raw.timestamp || new Date().toISOString()),
+    session_id: raw.session_id ?? null,
+    run_id: raw.run_id ?? null,
+    work_item_id: raw.work_item_id ?? raw.task_id ?? null,
+    attempt_id: raw.attempt_id ?? null,
+    causation_id: raw.causation_id ?? null,
+    correlation_id: raw.correlation_id ?? null,
+    payload: raw.payload && typeof raw.payload === 'object' ? raw.payload : {},
+  };
+}
+
+export function appendEvent(
+  projectRoot: string,
+  sessionId: string | null,
+  input: EventInput,
+  causationId?: string
+): OxeEvent {
+  const event = operational.appendEvent(projectRoot, sessionId, {
+    event_id: input.id,
+    type: input.type,
+    timestamp: input.timestamp,
+    run_id: input.run_id ?? null,
+    work_item_id: input.work_item_id ?? null,
+    attempt_id: input.attempt_id ?? null,
+    causation_id: input.causation_id ?? causationId ?? null,
+    correlation_id: input.correlation_id ?? null,
+    payload: input.payload && typeof input.payload === 'object' ? input.payload : {},
+  });
+  return fromOperationalEvent(event);
+}
+
+export function readEvents(
+  projectRoot: string,
+  sessionId: string | null
+): OxeEvent[] {
+  return operational.readEvents(projectRoot, sessionId).map(fromOperationalEvent);
+}
+
+export function filterByRun(events: OxeEvent[], runId: string): OxeEvent[] {
+  return events.filter((e) => e.run_id === runId);
+}
+
+export function filterByWorkItem(events: OxeEvent[], workItemId: string): OxeEvent[] {
+  return events.filter((e) => e.work_item_id === workItemId);
+}

package/packages/runtime/src/events/catalog.ts

@@ -0,0 +1,29 @@
+export const EVENT_TYPES = [
+  'SessionCreated',
+  'RunStarted',
+  'GraphCompiled',
+  'WorkItemReady',
+  'WorkspaceAllocated',
+  'AttemptStarted',
+  'ToolInvoked',
+  'ToolCompleted',
+  'ToolFailed',
+  'EvidenceCollected',
+  'PolicyEvaluated',
+  'GateRequested',
+  'GateResolved',
+  'VerificationStarted',
+  'VerificationCompleted',
+  'RetryScheduled',
+  'WorkItemCompleted',
+  'WorkItemBlocked',
+  'RunCompleted',
+  'RetroPublished',
+  'LessonPromoted',
+] as const;
+
+export type EventType = (typeof EVENT_TYPES)[number];
+
+export function isValidEventType(type: string): type is EventType {
+  return (EVENT_TYPES as readonly string[]).includes(type);
+}

package/packages/runtime/src/events/envelope.ts

@@ -0,0 +1,14 @@
+import type { EventType } from './catalog';
+
+export interface OxeEvent {
+  id: string;
+  type: EventType;
+  timestamp: string;
+  session_id: string | null;
+  run_id: string | null;
+  work_item_id: string | null;
+  attempt_id: string | null;
+  causation_id: string | null;
+  correlation_id: string | null;
+  payload: Record<string, unknown>;
+}

package/packages/runtime/src/events/index.ts

@@ -0,0 +1,3 @@
+export * from './catalog';
+export * from './envelope';
+export * from './bus';

package/packages/runtime/src/evidence/evidence-store.ts

@@ -0,0 +1,130 @@
+import crypto from 'crypto';
+import path from 'path';
+import fs from 'fs';
+import type { Evidence, EvidenceType } from '../models/evidence';
+
+export interface EvidenceCollectOptions {
+  work_item_id: string;
+  run_id: string;
+  attempt_number: number;
+}
+
+export interface EvidenceContent {
+  evidence: Evidence;
+  content: Buffer;
+}
+
+const EXT_MAP: Record<EvidenceType, string> = {
+  diff: 'patch',
+  stdout: 'txt',
+  stderr: 'txt',
+  junit_xml: 'xml',
+  coverage: 'json',
+  screenshot: 'png',
+  trace: 'json',
+  log: 'txt',
+  security_report: 'json',
+  api_output: 'json',
+  summary: 'json',
+};
+
+export class EvidenceStore {
+  constructor(private readonly projectRoot: string) {}
+
+  private evidenceDir(runId: string, workItemId: string, attemptNumber: number): string {
+    return path.join(
+      this.projectRoot,
+      '.oxe',
+      'evidence',
+      'runs',
+      runId,
+      workItemId,
+      `attempt-${attemptNumber}`
+    );
+  }
+
+  private indexPath(runId: string, workItemId: string, attemptNumber: number): string {
+    return path.join(this.evidenceDir(runId, workItemId, attemptNumber), 'index.json');
+  }
+
+  private readIndex(runId: string, workItemId: string, attemptNumber: number): Evidence[] {
+    const p = this.indexPath(runId, workItemId, attemptNumber);
+    if (!fs.existsSync(p)) return [];
+    try {
+      return JSON.parse(fs.readFileSync(p, 'utf8')) as Evidence[];
+    } catch {
+      return [];
+    }
+  }
+
+  private writeIndex(runId: string, workItemId: string, attemptNumber: number, items: Evidence[]): void {
+    fs.writeFileSync(this.indexPath(runId, workItemId, attemptNumber), JSON.stringify(items, null, 2), 'utf8');
+  }
+
+  async collect(
+    type: EvidenceType,
+    content: Buffer | string,
+    opts: EvidenceCollectOptions
+  ): Promise<Evidence> {
+    const { work_item_id, run_id, attempt_number } = opts;
+    const dir = this.evidenceDir(run_id, work_item_id, attempt_number);
+    fs.mkdirSync(dir, { recursive: true });
+
+    const buf = Buffer.isBuffer(content) ? content : Buffer.from(content, 'utf8');
+    const checksum = crypto.createHash('sha256').update(buf).digest('hex').slice(0, 16);
+    const ext = EXT_MAP[type] ?? 'bin';
+
+    const existing = this.readIndex(run_id, work_item_id, attempt_number);
+    const seq = existing.filter((e) => e.type === type).length + 1;
+    const filename = seq === 1 ? `${type}.${ext}` : `${type}-${seq}.${ext}`;
+    const filePath = path.join(dir, filename);
+
+    fs.writeFileSync(filePath, buf);
+
+    const evidence: Evidence = {
+      evidence_id: `ev-${run_id}-${work_item_id}-a${attempt_number}-${type}-${seq}`,
+      attempt_id: `${work_item_id}-a${attempt_number}`,
+      type,
+      path: path.relative(this.projectRoot, filePath),
+      checksum,
+      created_at: new Date().toISOString(),
+    };
+
+    this.writeIndex(run_id, work_item_id, attempt_number, [...existing, evidence]);
+    return evidence;
+  }
+
+  async list(opts: EvidenceCollectOptions): Promise<Evidence[]> {
+    return this.readIndex(opts.run_id, opts.work_item_id, opts.attempt_number);
+  }
+
+  async get(evidenceId: string, opts: EvidenceCollectOptions): Promise<EvidenceContent | null> {
+    const items = this.readIndex(opts.run_id, opts.work_item_id, opts.attempt_number);
+    const ev = items.find((e) => e.evidence_id === evidenceId);
+    if (!ev) return null;
+    const absPath = path.join(this.projectRoot, ev.path);
+    if (!fs.existsSync(absPath)) return null;
+    return { evidence: ev, content: fs.readFileSync(absPath) };
+  }
+
+  async listByRun(runId: string): Promise<Evidence[]> {
+    const runDir = path.join(this.projectRoot, '.oxe', 'evidence', 'runs', runId);
+    if (!fs.existsSync(runDir)) return [];
+    const all: Evidence[] = [];
+    for (const workItem of fs.readdirSync(runDir)) {
+      const wiDir = path.join(runDir, workItem);
+      for (const attempt of fs.readdirSync(wiDir)) {
+        const indexPath = path.join(wiDir, attempt, 'index.json');
+        if (fs.existsSync(indexPath)) {
+          try {
+            const items = JSON.parse(fs.readFileSync(indexPath, 'utf8')) as Evidence[];
+            all.push(...items);
+          } catch {
+            // skip corrupt index
+          }
+        }
+      }
+    }
+    return all;
+  }
+}

package/packages/runtime/src/evidence/index.ts

@@ -0,0 +1 @@
+export * from './evidence-store';