oxe-cc 0.9.3 → 1.2.1

package/packages/runtime/src/verification/verification-manifest.ts

@@ -0,0 +1,192 @@
+import crypto from 'crypto';
+import path from 'path';
+import fs from 'fs';
+import type { VerificationStatus } from '../models/verification-result';
+import type { CheckResult } from './verification-compiler';
+
+export type VerificationProfile = 'quick' | 'standard' | 'critical';
+
+export type FailureClass =
+  | 'deterministic'
+  | 'flaky'
+  | 'timeout'
+  | 'env_setup'
+  | 'policy_failure'
+  | 'evidence_missing';
+
+export type VerificationGranularity = 'work_item' | 'wave' | 'run';
+
+export interface ManifestCheck {
+  check_id: string;
+  acceptance_ref: string | null;
+  status: VerificationStatus;
+  failure_class: FailureClass | null;
+  evidence_refs: string[];
+  duration_ms: number;
+}
+
+export interface VerificationManifest {
+  manifest_id: string;
+  run_id: string;
+  work_item_id: string | null;
+  wave: number | null;
+  granularity: VerificationGranularity;
+  profile: VerificationProfile;
+  compiled_at: string;
+  checks: ManifestCheck[];
+  summary: {
+    total: number;
+    pass: number;
+    fail: number;
+    skip: number;
+    error: number;
+    all_passed: boolean;
+  };
+}
+
+export interface ResidualRisk {
+  risk_id: string;
+  work_item_id: string | null;
+  check_id: string | null;
+  failure_class: FailureClass;
+  description: string;
+  severity: 'low' | 'medium' | 'high' | 'critical';
+  mitigation: string | null;
+}
+
+export interface ResidualRiskLedger {
+  run_id: string;
+  generated_at: string;
+  risks: ResidualRisk[];
+}
+
+const PROFILE_REQUIRED_CHECKS: Record<VerificationProfile, FailureClass[]> = {
+  quick: ['deterministic'],
+  standard: ['deterministic', 'policy_failure'],
+  critical: ['deterministic', 'policy_failure', 'evidence_missing', 'flaky'],
+};
+
+export function classifyFailure(result: CheckResult): FailureClass | null {
+  if (result.status === 'pass' || result.status === 'skip') return null;
+  if (result.error && (result.error.toLowerCase().includes('timeout') || result.error.toLowerCase().includes('timed out'))) return 'timeout';
+  if (result.exit_code === null && result.error) return 'env_setup';
+  if (result.stderr.toLowerCase().includes('policy') || result.stderr.toLowerCase().includes('denied')) {
+    return 'policy_failure';
+  }
+  if (result.exit_code !== 0 && result.stderr === '' && result.stdout === '') return 'evidence_missing';
+  // Default: non-deterministic signals (no reliable exit code pattern)
+  return 'deterministic';
+}
+
+export function buildManifest(
+  runId: string,
+  results: CheckResult[],
+  options: {
+    workItemId?: string;
+    wave?: number;
+    granularity?: VerificationGranularity;
+    profile?: VerificationProfile;
+    evidenceRefs?: Map<string, string[]>;
+  } = {}
+): VerificationManifest {
+  const profile = options.profile ?? 'standard';
+  const granularity = options.granularity ?? 'run';
+  const evidenceRefs = options.evidenceRefs ?? new Map();
+
+  const checks: ManifestCheck[] = results.map((r) => ({
+    check_id: r.check_id,
+    acceptance_ref: r.acceptance_ref,
+    status: r.status,
+    failure_class: classifyFailure(r),
+    evidence_refs: evidenceRefs.get(r.check_id) ?? [],
+    duration_ms: r.duration_ms,
+  }));
+
+  const summary = {
+    total: checks.length,
+    pass: checks.filter((c) => c.status === 'pass').length,
+    fail: checks.filter((c) => c.status === 'fail').length,
+    skip: checks.filter((c) => c.status === 'skip').length,
+    error: checks.filter((c) => c.status === 'error').length,
+    all_passed: checks.every((c) => c.status === 'pass' || c.status === 'skip'),
+  };
+
+  return {
+    manifest_id: `vm-${crypto.randomBytes(4).toString('hex')}`,
+    run_id: runId,
+    work_item_id: options.workItemId ?? null,
+    wave: options.wave ?? null,
+    granularity,
+    profile,
+    compiled_at: new Date().toISOString(),
+    checks,
+    summary,
+  };
+}
+
+export function buildRiskLedger(
+  runId: string,
+  manifest: VerificationManifest
+): ResidualRiskLedger {
+  const risks: ResidualRisk[] = [];
+
+  for (const check of manifest.checks) {
+    if (check.status === 'pass' || check.status === 'skip') continue;
+    if (!check.failure_class) continue;
+
+    const required = PROFILE_REQUIRED_CHECKS[manifest.profile];
+    if (!required.includes(check.failure_class)) continue;
+
+    risks.push({
+      risk_id: `risk-${crypto.randomBytes(3).toString('hex')}`,
+      work_item_id: manifest.work_item_id,
+      check_id: check.check_id,
+      failure_class: check.failure_class,
+      description: `Check ${check.check_id} ${check.status}: ${check.failure_class}`,
+      severity: check.failure_class === 'policy_failure' || check.failure_class === 'deterministic'
+        ? 'high'
+        : check.failure_class === 'evidence_missing'
+        ? 'medium'
+        : 'low',
+      mitigation: null,
+    });
+  }
+
+  return {
+    run_id: runId,
+    generated_at: new Date().toISOString(),
+    risks,
+  };
+}
+
+export function saveManifest(projectRoot: string, runId: string, manifest: VerificationManifest): void {
+  const p = path.join(projectRoot, '.oxe', 'runs', runId, 'verification-manifest.json');
+  fs.mkdirSync(path.dirname(p), { recursive: true });
+  fs.writeFileSync(p, JSON.stringify(manifest, null, 2), 'utf8');
+}
+
+export function loadManifest(projectRoot: string, runId: string): VerificationManifest | null {
+  const p = path.join(projectRoot, '.oxe', 'runs', runId, 'verification-manifest.json');
+  if (!fs.existsSync(p)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(p, 'utf8')) as VerificationManifest;
+  } catch {
+    return null;
+  }
+}
+
+export function saveRiskLedger(projectRoot: string, runId: string, ledger: ResidualRiskLedger): void {
+  const p = path.join(projectRoot, '.oxe', 'runs', runId, 'residual-risks.json');
+  fs.mkdirSync(path.dirname(p), { recursive: true });
+  fs.writeFileSync(p, JSON.stringify(ledger, null, 2), 'utf8');
+}
+
+export function loadRiskLedger(projectRoot: string, runId: string): ResidualRiskLedger | null {
+  const p = path.join(projectRoot, '.oxe', 'runs', runId, 'residual-risks.json');
+  if (!fs.existsSync(p)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(p, 'utf8')) as ResidualRiskLedger;
+  } catch {
+    return null;
+  }
+}

package/packages/runtime/src/workspace/index.ts

@@ -0,0 +1,5 @@
+export * from './workspace-manager';
+export { InplaceWorkspaceManager } from './strategies/inplace';
+export { GitWorktreeManager } from './strategies/git-worktree';
+export { EphemeralContainerManager } from './strategies/ephemeral-container';
+export type { ContainerOptions } from './strategies/ephemeral-container';

package/packages/runtime/src/workspace/strategies/ephemeral-container.ts

@@ -0,0 +1,121 @@
+import { execFileSync, spawnSync } from 'child_process';
+import crypto from 'crypto';
+import type { WorkspaceManager, WorkspaceRequest } from '../workspace-manager';
+import type { WorkspaceLease, SnapshotRef } from '../../models/workspace';
+import { GitWorktreeManager } from './git-worktree';
+
+export interface ContainerOptions {
+  image: string;
+  mountPath: string;
+  extraEnv?: Record<string, string>;
+  /** Gracefully fall back to git_worktree if Docker is unavailable */
+  fallback?: boolean;
+}
+
+function isDockerAvailable(): boolean {
+  const result = spawnSync('docker', ['version', '--format', '{{.Server.Version}}'], {
+    encoding: 'utf8',
+    timeout: 5000,
+  });
+  return result.status === 0;
+}
+
+export class EphemeralContainerManager implements WorkspaceManager {
+  private readonly fallbackManager: GitWorktreeManager;
+  private containerIds = new Map<string, string>();
+  private useFallback = false;
+
+  constructor(
+    private readonly projectRoot: string,
+    private readonly opts: ContainerOptions = { image: 'node:20-alpine', mountPath: '/workspace', fallback: true }
+  ) {
+    this.fallbackManager = new GitWorktreeManager(projectRoot);
+    if (!isDockerAvailable()) {
+      if (opts.fallback !== false) {
+        this.useFallback = true;
+      } else {
+        throw new Error('Docker is not available and fallback is disabled');
+      }
+    }
+  }
+
+  get usingFallback(): boolean { return this.useFallback; }
+
+  async allocate(req: WorkspaceRequest): Promise<WorkspaceLease> {
+    if (this.useFallback) return this.fallbackManager.allocate(req);
+
+    const wsId = `ws-container-${req.work_item_id}-a${req.attempt_number}`;
+    const envArgs = Object.entries(this.opts.extraEnv ?? {}).flatMap(([k, v]) => ['-e', `${k}=${v}`]);
+
+    const result = spawnSync('docker', [
+      'run', '-d',
+      '-v', `${this.projectRoot}:${this.opts.mountPath}`,
+      '-w', this.opts.mountPath,
+      ...envArgs,
+      this.opts.image,
+      'sleep', '3600',
+    ], { encoding: 'utf8' });
+
+    if (result.status !== 0) {
+      if (this.opts.fallback !== false) {
+        this.useFallback = true;
+        return this.fallbackManager.allocate(req);
+      }
+      throw new Error(`docker run failed: ${result.stderr}`);
+    }
+
+    const containerId = result.stdout.trim().slice(0, 12);
+    this.containerIds.set(wsId, containerId);
+
+    return {
+      workspace_id: wsId,
+      strategy: 'ephemeral_container',
+      branch: null,
+      base_commit: null,
+      root_path: `docker:${containerId}:${this.opts.mountPath}`,
+      ttl_minutes: 60,
+    };
+  }
+
+  async snapshot(id: string): Promise<SnapshotRef> {
+    if (this.useFallback) return this.fallbackManager.snapshot(id);
+    const containerId = this.containerIds.get(id);
+    if (!containerId) throw new Error(`Container for workspace ${id} not found`);
+
+    const tag = `oxe-snap-${crypto.randomBytes(4).toString('hex')}`;
+    execFileSync('docker', ['commit', containerId, tag]);
+
+    return {
+      snapshot_id: tag,
+      workspace_id: id,
+      commit: tag,
+      created_at: new Date().toISOString(),
+    };
+  }
+
+  async reset(id: string, snapRef: SnapshotRef): Promise<void> {
+    if (this.useFallback) return this.fallbackManager.reset(id, snapRef);
+    const containerId = this.containerIds.get(id);
+    if (!containerId) return;
+    // Stop current container and start from snapshot
+    spawnSync('docker', ['stop', containerId]);
+    spawnSync('docker', ['rm', containerId]);
+    const result = spawnSync('docker', [
+      'run', '-d',
+      '-v', `${this.projectRoot}:${this.opts.mountPath}`,
+      snapRef.commit,
+      'sleep', '3600',
+    ], { encoding: 'utf8' });
+    const newId = result.stdout.trim().slice(0, 12);
+    this.containerIds.set(id, newId);
+  }
+
+  async dispose(id: string): Promise<void> {
+    if (this.useFallback) return this.fallbackManager.dispose(id);
+    const containerId = this.containerIds.get(id);
+    if (!containerId) return;
+    spawnSync('docker', ['stop', containerId], { encoding: 'utf8' });
+    spawnSync('docker', ['rm', containerId], { encoding: 'utf8' });
+    this.containerIds.delete(id);
+  }
+}

package/packages/runtime/src/workspace/strategies/git-worktree.ts

@@ -0,0 +1,77 @@
+import { execFileSync } from 'child_process';
+import path from 'path';
+import fs from 'fs';
+import crypto from 'crypto';
+import type { WorkspaceManager, WorkspaceRequest } from '../workspace-manager';
+import type { WorkspaceLease, SnapshotRef } from '../../models/workspace';
+
+export class GitWorktreeManager implements WorkspaceManager {
+  private leases = new Map<string, WorkspaceLease>();
+
+  constructor(private readonly projectRoot: string) {}
+
+  async allocate(req: WorkspaceRequest): Promise<WorkspaceLease> {
+    const wsId = `ws-${req.work_item_id}-a${req.attempt_number}`;
+    const branch = `oxe/${req.work_item_id}-attempt${req.attempt_number}`;
+    const worktreePath = path.join(this.projectRoot, '.oxe', 'workspaces', wsId);
+
+    const baseCommit = this.git(['rev-parse', 'HEAD']).trim();
+
+    fs.mkdirSync(path.dirname(worktreePath), { recursive: true });
+
+    // Create worktree on a new branch starting from HEAD
+    this.git(['worktree', 'add', worktreePath, '-b', branch]);
+
+    const lease: WorkspaceLease = {
+      workspace_id: wsId,
+      strategy: 'git_worktree',
+      branch,
+      base_commit: baseCommit,
+      root_path: worktreePath,
+      ttl_minutes: 45,
+    };
+    this.leases.set(wsId, lease);
+    return lease;
+  }
+
+  async snapshot(id: string): Promise<SnapshotRef> {
+    const lease = this.leases.get(id);
+    if (!lease || !lease.root_path) throw new Error(`Workspace ${id} not found`);
+    const commit = this.git(['rev-parse', 'HEAD'], lease.root_path).trim();
+    return {
+      snapshot_id: `snap-${crypto.randomBytes(4).toString('hex')}`,
+      workspace_id: id,
+      commit,
+      created_at: new Date().toISOString(),
+    };
+  }
+
+  async reset(id: string, snapRef: SnapshotRef): Promise<void> {
+    const lease = this.leases.get(id);
+    if (!lease) return;
+    this.git(['reset', '--hard', snapRef.commit], lease.root_path);
+  }
+
+  async dispose(id: string): Promise<void> {
+    const lease = this.leases.get(id);
+    if (!lease) return;
+    try {
+      this.git(['worktree', 'remove', lease.root_path, '--force']);
+    } catch {
+      // worktree may already be gone
+    }
+    try {
+      if (lease.branch) this.git(['branch', '-D', lease.branch]);
+    } catch {
+      // branch may already be deleted
+    }
+    this.leases.delete(id);
+  }
+
+  private git(args: string[], cwd?: string): string {
+    return execFileSync('git', args, {
+      cwd: cwd ?? this.projectRoot,
+      encoding: 'utf8',
+    });
+  }
+}

package/packages/runtime/src/workspace/strategies/inplace.ts

@@ -0,0 +1,35 @@
+import crypto from 'crypto';
+import type { WorkspaceManager, WorkspaceRequest } from '../workspace-manager';
+import type { WorkspaceLease, SnapshotRef } from '../../models/workspace';
+
+export class InplaceWorkspaceManager implements WorkspaceManager {
+  constructor(private readonly projectRoot: string) {}
+
+  async allocate(req: WorkspaceRequest): Promise<WorkspaceLease> {
+    return {
+      workspace_id: `ws-inplace-${req.work_item_id}-a${req.attempt_number}`,
+      strategy: 'inplace',
+      branch: null,
+      base_commit: null,
+      root_path: this.projectRoot,
+      ttl_minutes: 60,
+    };
+  }
+
+  async snapshot(id: string): Promise<SnapshotRef> {
+    return {
+      snapshot_id: `snap-${crypto.randomBytes(4).toString('hex')}`,
+      workspace_id: id,
+      commit: 'HEAD',
+      created_at: new Date().toISOString(),
+    };
+  }
+
+  async reset(_id: string, _snapRef: SnapshotRef): Promise<void> {
+    // inplace: no filesystem isolation — reset is a no-op
+  }
+
+  async dispose(_id: string): Promise<void> {
+    // inplace: nothing to tear down
+  }
+}

package/packages/runtime/src/workspace/workspace-manager.ts

@@ -0,0 +1,15 @@
+import type { WorkspaceLease, SnapshotRef, WorkspaceStrategy } from '../models/workspace';
+
+export interface WorkspaceRequest {
+  work_item_id: string;
+  attempt_number: number;
+  strategy: WorkspaceStrategy;
+  mutation_scope: string[];
+}
+
+export interface WorkspaceManager {
+  allocate(req: WorkspaceRequest): Promise<WorkspaceLease>;
+  snapshot(id: string): Promise<SnapshotRef>;
+  reset(id: string, snapRef: SnapshotRef): Promise<void>;
+  dispose(id: string): Promise<void>;
+}

package/packages/runtime/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "moduleResolution": "node",
+    "strict": true,
+    "esModuleInterop": true,
+    "declaration": true,
+    "declarationMap": false,
+    "sourceMap": false,
+    "outDir": "../../lib/runtime",
+    "rootDir": "src",
+    "skipLibCheck": true
+  },
+  "include": ["src/**/*.ts"],
+  "exclude": ["tests/**", "node_modules/**", "dist-tests/**"]
+}

package/vscode-extension/package.json

@@ -2,7 +2,7 @@
   "name": "oxe-agents",
   "displayName": "OXE Agents",
   "description": "Agentes OXE para GitHub Copilot Chat — cada fase do ciclo como um @agente no VS Code",
-  "version": "0.9.2",
+  "version": "1.0.0",
   "publisher": "oxe-cc",
   "license": "MIT",
   "engines": {