patchwork-os 0.2.0-alpha.34 → 0.2.0-alpha.36

package/dist/recipesHttp.js

@@ -1,8 +1,190 @@
+import { createHash } from "node:crypto";
 import { existsSync, mkdirSync, readdirSync, readFileSync, rmSync, statSync, writeFileSync, } from "node:fs";
-import path from "node:path";
+import { homedir } from "node:os";
+import * as path from "node:path";
 import { parse as parseYaml } from "yaml";
 import { loadConfig } from "./patchworkConfig.js";
 import { validateRecipeDefinition } from "./recipes/validation.js";
+/**
+ * Per-recipe disabled marker — must match the constant in
+ * `src/commands/recipeInstall.ts` and `src/recipes/scheduler.ts` (kept inline
+ * here to avoid a circular import via commands → recipesHttp → commands).
+ *
+ * Absence on a recipe's install dir = enabled (legacy default).
+ * Presence = disabled — `runRecipeInstall` writes one on every fresh install.
+ */
+const DISABLED_MARKER = ".disabled";
+/**
+ * Returns true unless `filePath` lives inside an install dir whose
+ * `.disabled` marker is present. Top-level legacy recipes (direct children
+ * of `recipesDir`) are always considered enabled — there's no install dir
+ * to put a marker in. Used by every trigger surface (webhook, manual fire,
+ * automation) so the marker means the same thing everywhere.
+ */
+export function isRecipeFileEnabled(filePath, recipesDir) {
+    const rel = path.relative(recipesDir, filePath);
+    // Top-level file in recipesDir → no install dir → enabled by default.
+    if (rel === "" || rel.startsWith("..") || !rel.includes(path.sep)) {
+        return true;
+    }
+    const installDirName = rel.split(path.sep)[0];
+    if (!installDirName)
+        return true;
+    const installDir = path.join(recipesDir, installDirName);
+    return !existsSync(path.join(installDir, DISABLED_MARKER));
+}
+/**
+ * Iterate one level of subdirectories under `recipesDir` that look like
+ * install dirs (directory containing `recipe.json` or at least one `.yaml`).
+ * Skips dirs whose `.disabled` marker is present so callers automatically
+ * honor the marker without having to remember.
+ *
+ * Yields `{ installDir, entrypointPath }` pairs where `entrypointPath` is the
+ * file the caller should parse:
+ *   - `recipe.json`'s `recipes.main` if a manifest exists
+ *   - otherwise the first `*.yaml` / `*.yml` in the dir
+ *
+ * Used by webhook + manual-fire path resolvers to find recipes installed
+ * via `runRecipeInstall`.
+ */
+function* iterateInstallDirs(recipesDir, options = {}) {
+    const includeDisabled = options.includeDisabled === true;
+    let entries;
+    try {
+        entries = readdirSync(recipesDir);
+    }
+    catch {
+        return;
+    }
+    for (const f of entries) {
+        const fullPath = path.join(recipesDir, f);
+        let isDir = false;
+        try {
+            isDir = statSync(fullPath).isDirectory();
+        }
+        catch {
+            continue;
+        }
+        if (!isDir)
+            continue;
+        const enabled = !existsSync(path.join(fullPath, DISABLED_MARKER));
+        if (!enabled && !includeDisabled)
+            continue;
+        let entrypoint = null;
+        const manifestPath = path.join(fullPath, "recipe.json");
+        if (existsSync(manifestPath)) {
+            try {
+                const m = JSON.parse(readFileSync(manifestPath, "utf-8"));
+                if (m.recipes?.main) {
+                    const candidate = path.join(fullPath, m.recipes.main);
+                    if (existsSync(candidate))
+                        entrypoint = candidate;
+                }
+            }
+            catch {
+                // malformed manifest — fall through to first-yaml fallback
+            }
+        }
+        if (!entrypoint) {
+            try {
+                const yaml = readdirSync(fullPath).find((x) => /\.ya?ml$/i.test(x));
+                if (yaml)
+                    entrypoint = path.join(fullPath, yaml);
+            }
+            catch {
+                // unreadable
+            }
+        }
+        if (entrypoint) {
+            yield { installDir: fullPath, entrypointPath: entrypoint, enabled };
+        }
+    }
+}
+/**
+ * Locate an install dir by the *recipe name* declared inside its entrypoint
+ * (not the directory name). The dashboard reports recipes by the parsed
+ * `name` field, while `runRecipeEnable` looks them up by dir name —
+ * the two are usually different (`morning-pkg` vs `morning-brief`). Includes
+ * disabled dirs so re-enabling actually finds them.
+ */
+function findInstallDirByRecipeName(recipesDir, name) {
+    for (const { installDir, entrypointPath } of iterateInstallDirs(recipesDir, {
+        includeDisabled: true,
+    })) {
+        try {
+            const ext = path.extname(entrypointPath).toLowerCase();
+            const raw = readFileSync(entrypointPath, "utf-8");
+            const parsed = (ext === ".json" ? JSON.parse(raw) : parseYaml(raw));
+            if (parsed.name === name)
+                return installDir;
+        }
+        catch {
+            // skip malformed
+        }
+    }
+    return null;
+}
+/**
+ * Unified enable/disable for install-dir AND legacy top-level recipes.
+ *
+ * Routing:
+ *   1. Try to find an install dir whose entrypoint declares this `name`.
+ *      If found, write/remove the `.disabled` marker on that dir. This
+ *      matches CLI `recipe enable/disable` and the trigger-side
+ *      enforcement landed in PRs #43 / #49.
+ *   2. Otherwise the recipe is a top-level legacy file — fall back to
+ *      the legacy `cfg.recipes.disabled` config-file array, which the
+ *      scheduler already honors as a parallel mechanism (it checks both).
+ *
+ * Replaces the old dashboard-only `setRecipeEnabledFn` that wrote ONLY to
+ * the legacy config — which silently did nothing for install-dir recipes.
+ */
+export function setRecipeEnabled(name, enabled, options = {}) {
+    const recipesDir = options.recipesDir ?? path.join(homedir(), ".patchwork", "recipes");
+    try {
+        const installDir = findInstallDirByRecipeName(recipesDir, name);
+        if (installDir) {
+            const markerPath = path.join(installDir, DISABLED_MARKER);
+            if (enabled) {
+                if (existsSync(markerPath))
+                    rmSync(markerPath);
+            }
+            else {
+                writeFileSync(markerPath, "");
+            }
+            return { ok: true };
+        }
+        // Legacy top-level path — fall back to config-file disabled list
+        const cfg = (options.loadConfigFn ?? loadConfig)();
+        const disabled = new Set(cfg.recipes?.disabled ?? []);
+        if (enabled)
+            disabled.delete(name);
+        else
+            disabled.add(name);
+        const next = {
+            ...cfg,
+            recipes: {
+                ...(cfg.recipes ?? {}),
+                disabled: [...disabled],
+            },
+        };
+        if (options.saveConfigFn)
+            options.saveConfigFn(next);
+        else {
+            // Dynamic import to avoid coupling at module-load time and to keep
+            // tests able to swap the saver via options.saveConfigFn.
+            const mod = require("./patchworkConfig.js");
+            mod.savePatchworkConfig(next);
+        }
+        return { ok: true };
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: err instanceof Error ? err.message : String(err),
+        };
+    }
+}
 function normalizeRecipeDraftTrigger(trigger) {
     if (trigger.type === "schedule" || trigger.type === "cron") {
         const schedule = typeof trigger.schedule === "string" && trigger.schedule.trim()
@@ -170,6 +352,22 @@ function resolveJsonRecipePathByName(recipesDir, safeName) {
     catch {
         return null;
     }
+    // Also search install dirs from `recipeInstall`. Skips dirs with
+    // `.disabled` marker so the manual-fire / orchestrator path can't
+    // resolve a recipe the user has explicitly disabled.
+    for (const { entrypointPath } of iterateInstallDirs(recipesDir)) {
+        if (!entrypointPath.endsWith(".json"))
+            continue;
+        try {
+            const parsed = JSON.parse(readFileSync(entrypointPath, "utf-8"));
+            if (parsed.name?.toLowerCase() === safeName) {
+                return entrypointPath;
+            }
+        }
+        catch {
+            // skip malformed
+        }
+    }
     return null;
 }
 export function loadRecipeContent(recipesDir, name) {
@@ -264,7 +462,7 @@ export function deleteRecipeContent(recipesDir, name) {
         return { ok: false, error: "Invalid recipe name" };
     }
     const base = path.resolve(recipesDir);
-    let target = findYamlRecipePath(recipesDir, safeName) ??
+    const target = findYamlRecipePath(recipesDir, safeName) ??
         resolveJsonRecipePathByName(recipesDir, safeName);
     if (!target) {
         return { ok: false, error: "Recipe not found" };
@@ -293,6 +491,116 @@ export function deleteRecipeContent(recipesDir, name) {
         };
     }
 }
+/**
+ * Duplicate a recipe as a variant. Copies the source YAML, rewrites the
+ * `name:` field to `<original>-v<N>` (first available suffix), and writes
+ * the copy to disk. Returns the new variant name and path on success.
+ *
+ * The variant name follows the same validation rules as recipe names.
+ * Suffixes v2..v9 are tried before returning an error.
+ */
+export function duplicateRecipe(recipesDir, sourceName) {
+    const safeName = sourceName.toLowerCase();
+    if (!/^[a-z0-9][a-z0-9_-]{0,63}$/.test(safeName)) {
+        return { ok: false, error: "Invalid recipe name" };
+    }
+    const source = loadRecipeContent(recipesDir, safeName);
+    if (!source) {
+        return { ok: false, error: "Recipe not found" };
+    }
+    // Determine next available variant name: strip any existing -vN suffix,
+    // then try -v2 through -v9.
+    const base = safeName.replace(/-v\d+$/, "");
+    let variantName = null;
+    for (let n = 2; n <= 9; n++) {
+        const candidate = `${base}-v${n}`;
+        if (!findYamlRecipePath(recipesDir, candidate)) {
+            variantName = candidate;
+            break;
+        }
+    }
+    if (!variantName) {
+        return {
+            ok: false,
+            error: "Too many variants already exist (v2–v9 taken)",
+        };
+    }
+    // Rewrite the name: field in the YAML. Simple line-by-line replacement
+    // is safe here: the name field is always a scalar on its own line.
+    const newContent = source.content.replace(/^name:\s*.+$/m, `name: ${variantName}`);
+    const saveResult = saveRecipeContent(recipesDir, variantName, newContent);
+    if (!saveResult.ok) {
+        return { ok: false, error: saveResult.error };
+    }
+    return { ok: true, variantName, path: saveResult.path };
+}
+/**
+ * Promote a variant recipe to become the canonical name.
+ *
+ * Steps:
+ *   1. Load the variant's YAML.
+ *   2. Rewrite its `name:` field to `targetName`.
+ *   3. Save under `targetName` (overwrites any existing file at that name).
+ *   4. Delete the variant file so only one copy exists.
+ *
+ * The caller supplies `variantName` (e.g. "morning-brief-v2") and
+ * `targetName` (e.g. "morning-brief"). Both must pass the recipe name
+ * validation regex. Returns `{ ok, path }` on success.
+ */
+export async function promoteRecipeVariant(recipesDir, variantName, targetName, options) {
+    const safeVariant = variantName.toLowerCase();
+    const safeTarget = targetName.toLowerCase();
+    const nameRe = /^[a-z0-9][a-z0-9_-]{0,63}$/;
+    if (!nameRe.test(safeVariant) || !nameRe.test(safeTarget)) {
+        return { ok: false, error: "Invalid recipe name" };
+    }
+    if (safeVariant === safeTarget) {
+        return { ok: false, error: "Variant and target names must differ" };
+    }
+    const source = loadRecipeContent(recipesDir, safeVariant);
+    if (!source) {
+        return { ok: false, error: "Variant recipe not found" };
+    }
+    // Guard against silent overwrites: if the target already exists the caller
+    // must pass force:true. We also capture the prior content hash for audit.
+    const existing = loadRecipeContent(recipesDir, safeTarget);
+    if (existing && !options?.force) {
+        return {
+            ok: false,
+            targetExists: true,
+            error: `Recipe "${safeTarget}" already exists. Pass force:true to overwrite.`,
+        };
+    }
+    // Write audit log entry before the overwrite so the replaced content is
+    // traceable even if the variant file is deleted in the next step.
+    if (existing) {
+        try {
+            const priorHash = createHash("sha256")
+                .update(existing.content)
+                .digest("hex");
+            const auditPath = existing.path.replace(/\.ya?ml$/, ".promote-audit.json");
+            writeFileSync(auditPath, JSON.stringify({
+                ts: new Date().toISOString(),
+                action: "promote_overwrite",
+                variantName: safeVariant,
+                targetName: safeTarget,
+                priorContentHash: priorHash,
+                priorContentPath: existing.path,
+            }, null, 2), "utf-8");
+        }
+        catch {
+            // Audit log failure must not block the promote — log and continue.
+        }
+    }
+    const newContent = source.content.replace(/^name:\s*.+$/m, `name: ${safeTarget}`);
+    const saveResult = saveRecipeContent(recipesDir, safeTarget, newContent);
+    if (!saveResult.ok) {
+        return { ok: false, error: saveResult.error };
+    }
+    // Delete the variant file — best-effort; don't fail the promote if cleanup fails.
+    deleteRecipeContent(recipesDir, safeVariant);
+    return { ok: true, path: saveResult.path };
+}
 /**
  * Lints raw YAML/JSON recipe content without writing to disk. Used by the
  * dashboard edit UI to surface validateRecipeDefinition warnings live, in
@@ -324,6 +632,57 @@ export function lintRecipeContent(content) {
     }
     return { ok: errors.length === 0, errors, warnings };
 }
+// ---------------------------------------------------------------------------
+// Recipe trust levels
+// ---------------------------------------------------------------------------
+export const TRUST_LEVELS = [
+    "draft",
+    "manual_run",
+    "ask_every_time",
+    "ask_novel",
+    "mostly_trusted",
+    "fully_trusted",
+];
+const TRUST_LEVELS_FILE = "trust_levels.json";
+function trustLevelsPath(recipesDir) {
+    return path.join(recipesDir, TRUST_LEVELS_FILE);
+}
+function loadTrustLevels(recipesDir) {
+    const p = trustLevelsPath(recipesDir);
+    try {
+        const raw = readFileSync(p, "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return {};
+    }
+}
+function saveTrustLevels(recipesDir, levels) {
+    const p = trustLevelsPath(recipesDir);
+    mkdirSync(recipesDir, { recursive: true });
+    writeFileSync(p, JSON.stringify(levels, null, 2), "utf-8");
+}
+export function getTrustLevel(recipesDir, name) {
+    const levels = loadTrustLevels(recipesDir);
+    return levels[name] ?? "draft";
+}
+export function setTrustLevel(recipesDir, name, level) {
+    if (!TRUST_LEVELS.includes(level)) {
+        return { ok: false, error: `Invalid trust level: ${level}` };
+    }
+    try {
+        const levels = loadTrustLevels(recipesDir);
+        levels[name] = level;
+        saveTrustLevels(recipesDir, levels);
+        return { ok: true };
+    }
+    catch (err) {
+        return {
+            ok: false,
+            error: err instanceof Error ? err.message : String(err),
+        };
+    }
+}
 export function listInstalledRecipes(recipesDir) {
     let entries;
     try {
@@ -334,6 +693,7 @@ export function listInstalledRecipes(recipesDir) {
     }
     const cfg = loadConfig();
     const disabledSet = new Set(cfg.recipes?.disabled ?? []);
+    const trustLevels = loadTrustLevels(recipesDir);
     const recipes = [];
     for (const f of entries) {
         const isYaml = f.endsWith(".yaml") || f.endsWith(".yml");
@@ -345,15 +705,6 @@ export function listInstalledRecipes(recipesDir) {
             const raw = readFileSync(fullPath, "utf-8");
             const parsed = (isYaml ? parseYaml(raw) : JSON.parse(raw));
             const stat = statSync(fullPath);
-            const permsPath = `${fullPath}.permissions.json`;
-            let hasPermissions = false;
-            try {
-                statSync(permsPath);
-                hasPermissions = true;
-            }
-            catch {
-                // no permissions sidecar
-            }
             const resolvedRecipesDir = path.resolve(recipesDir);
             let source;
             if (fullPath.startsWith(resolvedRecipesDir + path.sep) ||
@@ -394,9 +745,11 @@ export function listInstalledRecipes(recipesDir) {
                 stepCount: Array.isArray(parsed.steps) ? parsed.steps.length : 0,
                 path: fullPath,
                 installedAt: stat.mtimeMs,
-                hasPermissions,
                 source,
+                // Top-level legacy recipes don't have install dirs to put a marker
+                // in, so the `enabled` field still comes from the legacy config list.
                 enabled: !disabledSet.has(parsedName),
+                trustLevel: (trustLevels[parsedName] ?? "draft"),
                 ...(Array.isArray(parsed.vars) && parsed.vars.length > 0
                     ? { vars: parsed.vars }
                     : {}),
@@ -412,6 +765,72 @@ export function listInstalledRecipes(recipesDir) {
             // skip malformed recipe file
         }
     }
+    // Second pass — recipes installed via `runRecipeInstall` into subdirs.
+    // `enabled` reflects the per-install `.disabled` marker; the legacy
+    // config disabled list is a top-level concern (we still apply it as a
+    // safety belt in case a name collides).
+    for (const { installDir, entrypointPath, enabled: installEnabled, } of iterateInstallDirs(recipesDir, { includeDisabled: true })) {
+        try {
+            const ext = path.extname(entrypointPath).toLowerCase();
+            const isYaml = ext === ".yaml" || ext === ".yml";
+            const isJson = ext === ".json";
+            if (!isYaml && !isJson)
+                continue;
+            const raw = readFileSync(entrypointPath, "utf-8");
+            const parsed = (isYaml ? parseYaml(raw) : JSON.parse(raw));
+            const stat = statSync(entrypointPath);
+            const parsedName = parsed.name ??
+                path.basename(entrypointPath, path.extname(entrypointPath));
+            const lintRes = validateRecipeDefinition(parsed);
+            let errCount = 0;
+            let warnCount = 0;
+            let firstError;
+            for (const issue of lintRes.issues) {
+                if (issue.level === "error") {
+                    errCount++;
+                    if (!firstError)
+                        firstError = issue.message;
+                }
+                else {
+                    warnCount++;
+                }
+            }
+            const webhookPath = parsed.trigger?.type === "webhook" &&
+                typeof parsed.trigger?.path === "string"
+                ? parsed.trigger.path
+                : undefined;
+            recipes.push({
+                name: parsedName,
+                description: parsed.description,
+                trigger: parsed.trigger?.type,
+                ...(webhookPath ? { webhookPath } : {}),
+                stepCount: Array.isArray(parsed.steps) ? parsed.steps.length : 0,
+                path: entrypointPath,
+                installedAt: stat.mtimeMs,
+                source: "user",
+                // Disabled if EITHER the install marker is set OR the legacy config
+                // names this recipe — defence-in-depth so a stale config entry can't
+                // accidentally re-enable a recipe the user explicitly disabled, and
+                // the dashboard can't accidentally enable one disabled by an admin
+                // through the legacy file.
+                enabled: installEnabled && !disabledSet.has(parsedName),
+                trustLevel: (trustLevels[parsedName] ?? "draft"),
+                ...(Array.isArray(parsed.vars) && parsed.vars.length > 0
+                    ? { vars: parsed.vars }
+                    : {}),
+                lint: {
+                    ok: errCount === 0,
+                    errorCount: errCount,
+                    warningCount: warnCount,
+                    ...(firstError ? { firstError } : {}),
+                },
+            });
+            void installDir;
+        }
+        catch {
+            // skip malformed install dir
+        }
+    }
     recipes.sort((a, b) => a.name.localeCompare(b.name));
     return { recipesDir, recipes };
 }
@@ -454,6 +873,22 @@ export function findYamlRecipePath(recipesDir, name) {
             // skip malformed candidate
         }
     }
+    // Also search install dirs from `recipeInstall`. Skips dirs with
+    // `.disabled` marker so the manual-fire / orchestrator path can't
+    // resolve a recipe the user has explicitly disabled.
+    for (const { entrypointPath } of iterateInstallDirs(recipesDir)) {
+        if (!/\.ya?ml$/i.test(entrypointPath))
+            continue;
+        try {
+            const parsed = parseYaml(readFileSync(entrypointPath, "utf-8"));
+            if (parsed.name?.toLowerCase() === safeName) {
+                return entrypointPath;
+            }
+        }
+        catch {
+            // skip malformed
+        }
+    }
     return null;
 }
 /**
@@ -469,6 +904,7 @@ export function findWebhookRecipe(recipesDir, requestPath) {
     catch {
         return null;
     }
+    // Pass 1 — top-level files (legacy)
     for (const f of entries) {
         const isYaml = f.endsWith(".yaml") || f.endsWith(".yml");
         const isJson = f.endsWith(".json") && !f.endsWith(".permissions.json");
@@ -493,6 +929,32 @@ export function findWebhookRecipe(recipesDir, requestPath) {
             // skip malformed
         }
     }
+    // Pass 2 — install dirs (skips dirs marked .disabled).
+    for (const { entrypointPath } of iterateInstallDirs(recipesDir)) {
+        const ext = path.extname(entrypointPath).toLowerCase();
+        const isYaml = ext === ".yaml" || ext === ".yml";
+        const isJson = ext === ".json";
+        if (!isYaml && !isJson)
+            continue;
+        try {
+            const raw = readFileSync(entrypointPath, "utf-8");
+            const parsed = (isYaml ? parseYaml(raw) : JSON.parse(raw));
+            if (parsed.trigger?.type !== "webhook")
+                continue;
+            if (parsed.trigger.path === requestPath) {
+                return {
+                    name: parsed.name ??
+                        path.basename(entrypointPath, path.extname(entrypointPath)),
+                    path: requestPath,
+                    filePath: entrypointPath,
+                    format: isYaml ? "yaml" : "json",
+                };
+            }
+        }
+        catch {
+            // skip malformed
+        }
+    }
     return null;
 }
 /**