npm - patchwork-os - Versions diffs - 0.2.0-alpha.9 → 0.2.0-beta.1 - Mend

patchwork-os 0.2.0-alpha.9 → 0.2.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (618) hide show

package/README.bridge.md +6 -0
package/README.md +318 -35
package/deploy/bootstrap-new-vps.sh +12 -12
package/deploy/bootstrap-vps.sh +187 -0
package/deploy/deploy-dashboard.sh +174 -0
package/deploy/deploy-landing.sh +136 -0
package/dist/activationMetrics.d.ts +67 -0
package/dist/activationMetrics.js +255 -0
package/dist/activationMetrics.js.map +1 -0
package/dist/activityLog.d.ts +49 -0
package/dist/activityLog.js +78 -0
package/dist/activityLog.js.map +1 -1
package/dist/analyticsAggregator.d.ts +5 -1
package/dist/analyticsAggregator.js +15 -4
package/dist/analyticsAggregator.js.map +1 -1
package/dist/analyticsPrefs.d.ts +11 -0
package/dist/analyticsPrefs.js +33 -0
package/dist/analyticsPrefs.js.map +1 -1
package/dist/approvalHttp.d.ts +49 -2
package/dist/approvalHttp.js +217 -21
package/dist/approvalHttp.js.map +1 -1
package/dist/approvalInsights.d.ts +49 -0
package/dist/approvalInsights.js +97 -0
package/dist/approvalInsights.js.map +1 -0
package/dist/approvalQueue.d.ts +27 -1
package/dist/approvalQueue.js +123 -3
package/dist/approvalQueue.js.map +1 -1
package/dist/approvalSignals.d.ts +124 -0
package/dist/approvalSignals.js +512 -0
package/dist/approvalSignals.js.map +1 -0
package/dist/automation.d.ts +57 -0
package/dist/automation.js +156 -59
package/dist/automation.js.map +1 -1
package/dist/automationSuggestions.d.ts +79 -0
package/dist/automationSuggestions.js +150 -0
package/dist/automationSuggestions.js.map +1 -0
package/dist/bridge.d.ts +3 -0
package/dist/bridge.js +194 -153
package/dist/bridge.js.map +1 -1
package/dist/bridgeToken.js +57 -19
package/dist/bridgeToken.js.map +1 -1
package/dist/ccPermissions.d.ts +15 -0
package/dist/ccPermissions.js +21 -4
package/dist/ccPermissions.js.map +1 -1
package/dist/claudeDriver.d.ts +0 -16
package/dist/claudeDriver.js +93 -36
package/dist/claudeDriver.js.map +1 -1
package/dist/claudeMdPatch.d.ts +9 -3
package/dist/claudeMdPatch.js +79 -13
package/dist/claudeMdPatch.js.map +1 -1
package/dist/claudeOrchestrator.d.ts +13 -1
package/dist/claudeOrchestrator.js +16 -8
package/dist/claudeOrchestrator.js.map +1 -1
package/dist/commands/dashboard.js +1 -1
package/dist/commands/dashboard.js.map +1 -1
package/dist/commands/launchd.d.ts +2 -0
package/dist/commands/launchd.js +94 -0
package/dist/commands/launchd.js.map +1 -0
package/dist/commands/marketplace.d.ts +15 -10
package/dist/commands/marketplace.js +27 -115
package/dist/commands/marketplace.js.map +1 -1
package/dist/commands/patchworkInit.d.ts +8 -0
package/dist/commands/patchworkInit.js +77 -11
package/dist/commands/patchworkInit.js.map +1 -1
package/dist/commands/recipe.d.ts +289 -0
package/dist/commands/recipe.js +1359 -0
package/dist/commands/recipe.js.map +1 -0
package/dist/commands/recipeInstall.d.ts +150 -0
package/dist/commands/recipeInstall.js +647 -0
package/dist/commands/recipeInstall.js.map +1 -0
package/dist/commands/tracesExport.d.ts +83 -0
package/dist/commands/tracesExport.js +269 -0
package/dist/commands/tracesExport.js.map +1 -0
package/dist/commands/tracesImport.d.ts +56 -0
package/dist/commands/tracesImport.js +161 -0
package/dist/commands/tracesImport.js.map +1 -0
package/dist/commitIssueLinkLog.d.ts +8 -0
package/dist/commitIssueLinkLog.js +53 -1
package/dist/commitIssueLinkLog.js.map +1 -1
package/dist/config.d.ts +23 -2
package/dist/config.js +119 -9
package/dist/config.js.map +1 -1
package/dist/connectorRoutes.d.ts +43 -0
package/dist/connectorRoutes.js +1300 -0
package/dist/connectorRoutes.js.map +1 -0
package/dist/connectors/asana.d.ts +198 -0
package/dist/connectors/asana.js +679 -0
package/dist/connectors/asana.js.map +1 -0
package/dist/connectors/baseConnector.d.ts +153 -0
package/dist/connectors/baseConnector.js +336 -0
package/dist/connectors/baseConnector.js.map +1 -0
package/dist/connectors/confluence.d.ts +111 -0
package/dist/connectors/confluence.js +406 -0
package/dist/connectors/confluence.js.map +1 -0
package/dist/connectors/datadog.d.ts +116 -0
package/dist/connectors/datadog.js +385 -0
package/dist/connectors/datadog.js.map +1 -0
package/dist/connectors/discord.d.ts +150 -0
package/dist/connectors/discord.js +543 -0
package/dist/connectors/discord.js.map +1 -0
package/dist/connectors/fixtureLibrary.d.ts +21 -0
package/dist/connectors/fixtureLibrary.js +70 -0
package/dist/connectors/fixtureLibrary.js.map +1 -0
package/dist/connectors/fixtureRecorder.d.ts +1 -0
package/dist/connectors/fixtureRecorder.js +35 -0
package/dist/connectors/fixtureRecorder.js.map +1 -0
package/dist/connectors/github.js +17 -18
package/dist/connectors/github.js.map +1 -1
package/dist/connectors/gitlab.d.ts +180 -0
package/dist/connectors/gitlab.js +582 -0
package/dist/connectors/gitlab.js.map +1 -0
package/dist/connectors/gmail.d.ts +4 -1
package/dist/connectors/gmail.js +149 -27
package/dist/connectors/gmail.js.map +1 -1
package/dist/connectors/googleCalendar.d.ts +4 -1
package/dist/connectors/googleCalendar.js +88 -25
package/dist/connectors/googleCalendar.js.map +1 -1
package/dist/connectors/googleDrive.d.ts +34 -0
package/dist/connectors/googleDrive.js +321 -0
package/dist/connectors/googleDrive.js.map +1 -0
package/dist/connectors/htmlEscape.d.ts +5 -0
package/dist/connectors/htmlEscape.js +13 -0
package/dist/connectors/htmlEscape.js.map +1 -0
package/dist/connectors/hubspot.d.ts +112 -0
package/dist/connectors/hubspot.js +408 -0
package/dist/connectors/hubspot.js.map +1 -0
package/dist/connectors/intercom.d.ts +102 -0
package/dist/connectors/intercom.js +402 -0
package/dist/connectors/intercom.js.map +1 -0
package/dist/connectors/jira.d.ts +98 -0
package/dist/connectors/jira.js +396 -0
package/dist/connectors/jira.js.map +1 -0
package/dist/connectors/linear.js +30 -19
package/dist/connectors/linear.js.map +1 -1
package/dist/connectors/mcpOAuth.d.ts +3 -0
package/dist/connectors/mcpOAuth.js +64 -10
package/dist/connectors/mcpOAuth.js.map +1 -1
package/dist/connectors/mockConnector.d.ts +28 -0
package/dist/connectors/mockConnector.js +81 -0
package/dist/connectors/mockConnector.js.map +1 -0
package/dist/connectors/notion.d.ts +143 -0
package/dist/connectors/notion.js +424 -0
package/dist/connectors/notion.js.map +1 -0
package/dist/connectors/oauthStateStore.d.ts +31 -0
package/dist/connectors/oauthStateStore.js +52 -0
package/dist/connectors/oauthStateStore.js.map +1 -0
package/dist/connectors/pagerduty.d.ts +160 -0
package/dist/connectors/pagerduty.js +464 -0
package/dist/connectors/pagerduty.js.map +1 -0
package/dist/connectors/sentry.js +5 -13
package/dist/connectors/sentry.js.map +1 -1
package/dist/connectors/slack.d.ts +16 -1
package/dist/connectors/slack.js +155 -32
package/dist/connectors/slack.js.map +1 -1
package/dist/connectors/stripe.d.ts +116 -0
package/dist/connectors/stripe.js +379 -0
package/dist/connectors/stripe.js.map +1 -0
package/dist/connectors/tokenStorage.d.ts +35 -0
package/dist/connectors/tokenStorage.js +484 -0
package/dist/connectors/tokenStorage.js.map +1 -0
package/dist/connectors/zendesk.d.ts +104 -0
package/dist/connectors/zendesk.js +442 -0
package/dist/connectors/zendesk.js.map +1 -0
package/dist/cors.d.ts +10 -0
package/dist/cors.js +29 -0
package/dist/cors.js.map +1 -0
package/dist/decisionReplay.d.ts +72 -0
package/dist/decisionReplay.js +92 -0
package/dist/decisionReplay.js.map +1 -0
package/dist/decisionTraceLog.d.ts +6 -0
package/dist/decisionTraceLog.js +54 -2
package/dist/decisionTraceLog.js.map +1 -1
package/dist/drivers/claude/subprocess.d.ts +12 -2
package/dist/drivers/claude/subprocess.js +79 -6
package/dist/drivers/claude/subprocess.js.map +1 -1
package/dist/drivers/gemini/api.d.ts +18 -0
package/dist/drivers/gemini/api.js +29 -0
package/dist/drivers/gemini/api.js.map +1 -0
package/dist/drivers/gemini/index.d.ts +5 -1
package/dist/drivers/gemini/index.js +39 -5
package/dist/drivers/gemini/index.js.map +1 -1
package/dist/drivers/index.d.ts +8 -1
package/dist/drivers/index.js +10 -2
package/dist/drivers/index.js.map +1 -1
package/dist/drivers/local/index.d.ts +26 -0
package/dist/drivers/local/index.js +41 -0
package/dist/drivers/local/index.js.map +1 -0
package/dist/featureFlags.d.ts +79 -0
package/dist/featureFlags.js +208 -0
package/dist/featureFlags.js.map +1 -0
package/dist/fp/automationInterpreter.js +26 -21
package/dist/fp/automationInterpreter.js.map +1 -1
package/dist/fp/automationProgram.d.ts +1 -1
package/dist/fp/automationProgram.js.map +1 -1
package/dist/fp/automationState.js +4 -1
package/dist/fp/automationState.js.map +1 -1
package/dist/fp/policyParser.js +21 -1
package/dist/fp/policyParser.js.map +1 -1
package/dist/httpErrorResponse.d.ts +36 -0
package/dist/httpErrorResponse.js +46 -0
package/dist/httpErrorResponse.js.map +1 -0
package/dist/inboxRoutes.d.ts +22 -0
package/dist/inboxRoutes.js +193 -0
package/dist/inboxRoutes.js.map +1 -0
package/dist/index.d.ts +1 -1
package/dist/index.js +1403 -203
package/dist/index.js.map +1 -1
package/dist/installGuard.d.ts +25 -0
package/dist/installGuard.js +48 -0
package/dist/installGuard.js.map +1 -0
package/dist/mcpRoutes.d.ts +37 -0
package/dist/mcpRoutes.js +76 -0
package/dist/mcpRoutes.js.map +1 -0
package/dist/oauth.d.ts +20 -1
package/dist/oauth.js +214 -39
package/dist/oauth.js.map +1 -1
package/dist/oauthRoutes.d.ts +32 -0
package/dist/oauthRoutes.js +119 -0
package/dist/oauthRoutes.js.map +1 -0
package/dist/orchestrator/orchestratorBridge.js +2 -2
package/dist/orchestrator/orchestratorBridge.js.map +1 -1
package/dist/patchworkConfig.d.ts +29 -0
package/dist/patchworkConfig.js +100 -5
package/dist/patchworkConfig.js.map +1 -1
package/dist/pluginLoader.d.ts +28 -0
package/dist/pluginLoader.js +77 -11
package/dist/pluginLoader.js.map +1 -1
package/dist/pluginWatcher.js +8 -3
package/dist/pluginWatcher.js.map +1 -1
package/dist/preToolUseHook.d.ts +12 -0
package/dist/preToolUseHook.js +30 -1
package/dist/preToolUseHook.js.map +1 -1
package/dist/prompts.js +4 -0
package/dist/prompts.js.map +1 -1
package/dist/recipeOrchestration.d.ts +121 -0
package/dist/recipeOrchestration.js +965 -0
package/dist/recipeOrchestration.js.map +1 -0
package/dist/recipeRoutes.d.ts +185 -0
package/dist/recipeRoutes.js +1369 -0
package/dist/recipeRoutes.js.map +1 -0
package/dist/recipes/RecipeOrchestrator.d.ts +40 -0
package/dist/recipes/RecipeOrchestrator.js +51 -0
package/dist/recipes/RecipeOrchestrator.js.map +1 -0
package/dist/recipes/agentExecutor.d.ts +38 -0
package/dist/recipes/agentExecutor.js +50 -0
package/dist/recipes/agentExecutor.js.map +1 -0
package/dist/recipes/chainedRunner.d.ts +191 -0
package/dist/recipes/chainedRunner.js +759 -0
package/dist/recipes/chainedRunner.js.map +1 -0
package/dist/recipes/compiler.js +3 -3
package/dist/recipes/compiler.js.map +1 -1
package/dist/recipes/dependencyGraph.d.ts +39 -0
package/dist/recipes/dependencyGraph.js +199 -0
package/dist/recipes/dependencyGraph.js.map +1 -0
package/dist/recipes/disabledMarkers.d.ts +48 -0
package/dist/recipes/disabledMarkers.js +52 -0
package/dist/recipes/disabledMarkers.js.map +1 -0
package/dist/recipes/installer.js +3 -3
package/dist/recipes/installer.js.map +1 -1
package/dist/recipes/legacyRecipeCompat.d.ts +10 -0
package/dist/recipes/legacyRecipeCompat.js +131 -0
package/dist/recipes/legacyRecipeCompat.js.map +1 -0
package/dist/recipes/manifest.d.ts +47 -0
package/dist/recipes/manifest.js +156 -0
package/dist/recipes/manifest.js.map +1 -0
package/dist/recipes/migrationWarnings.d.ts +12 -0
package/dist/recipes/migrationWarnings.js +44 -0
package/dist/recipes/migrationWarnings.js.map +1 -0
package/dist/recipes/migrations/index.d.ts +24 -0
package/dist/recipes/migrations/index.js +55 -0
package/dist/recipes/migrations/index.js.map +1 -0
package/dist/recipes/migrations/types.d.ts +28 -0
package/dist/recipes/migrations/types.js +2 -0
package/dist/recipes/migrations/types.js.map +1 -0
package/dist/recipes/migrations/v1.d.ts +11 -0
package/dist/recipes/migrations/v1.js +18 -0
package/dist/recipes/migrations/v1.js.map +1 -0
package/dist/recipes/names.d.ts +40 -0
package/dist/recipes/names.js +66 -0
package/dist/recipes/names.js.map +1 -0
package/dist/recipes/nestedRecipeStep.d.ts +58 -0
package/dist/recipes/nestedRecipeStep.js +95 -0
package/dist/recipes/nestedRecipeStep.js.map +1 -0
package/dist/recipes/outputRegistry.d.ts +28 -0
package/dist/recipes/outputRegistry.js +52 -0
package/dist/recipes/outputRegistry.js.map +1 -0
package/dist/recipes/parser.js +4 -1
package/dist/recipes/parser.js.map +1 -1
package/dist/recipes/replayRun.d.ts +62 -0
package/dist/recipes/replayRun.js +97 -0
package/dist/recipes/replayRun.js.map +1 -0
package/dist/recipes/resolveRecipePath.d.ts +69 -0
package/dist/recipes/resolveRecipePath.js +202 -0
package/dist/recipes/resolveRecipePath.js.map +1 -0
package/dist/recipes/scheduler.d.ts +23 -7
package/dist/recipes/scheduler.js +225 -45
package/dist/recipes/scheduler.js.map +1 -1
package/dist/recipes/schema.d.ts +17 -2
package/dist/recipes/schemaGenerator.d.ts +28 -0
package/dist/recipes/schemaGenerator.js +565 -0
package/dist/recipes/schemaGenerator.js.map +1 -0
package/dist/recipes/stepObservation.d.ts +44 -0
package/dist/recipes/stepObservation.js +232 -0
package/dist/recipes/stepObservation.js.map +1 -0
package/dist/recipes/templateEngine.d.ts +62 -0
package/dist/recipes/templateEngine.js +201 -0
package/dist/recipes/templateEngine.js.map +1 -0
package/dist/recipes/toolRegistry.d.ts +186 -0
package/dist/recipes/toolRegistry.js +309 -0
package/dist/recipes/toolRegistry.js.map +1 -0
package/dist/recipes/tools/asana.d.ts +16 -0
package/dist/recipes/tools/asana.js +524 -0
package/dist/recipes/tools/asana.js.map +1 -0
package/dist/recipes/tools/calendar.d.ts +6 -0
package/dist/recipes/tools/calendar.js +61 -0
package/dist/recipes/tools/calendar.js.map +1 -0
package/dist/recipes/tools/confluence.d.ts +6 -0
package/dist/recipes/tools/confluence.js +254 -0
package/dist/recipes/tools/confluence.js.map +1 -0
package/dist/recipes/tools/datadog.d.ts +6 -0
package/dist/recipes/tools/datadog.js +239 -0
package/dist/recipes/tools/datadog.js.map +1 -0
package/dist/recipes/tools/diagnostics.d.ts +6 -0
package/dist/recipes/tools/diagnostics.js +36 -0
package/dist/recipes/tools/diagnostics.js.map +1 -0
package/dist/recipes/tools/discord.d.ts +18 -0
package/dist/recipes/tools/discord.js +254 -0
package/dist/recipes/tools/discord.js.map +1 -0
package/dist/recipes/tools/file.d.ts +12 -0
package/dist/recipes/tools/file.js +174 -0
package/dist/recipes/tools/file.js.map +1 -0
package/dist/recipes/tools/git.d.ts +6 -0
package/dist/recipes/tools/git.js +63 -0
package/dist/recipes/tools/git.js.map +1 -0
package/dist/recipes/tools/github.d.ts +6 -0
package/dist/recipes/tools/github.js +116 -0
package/dist/recipes/tools/github.js.map +1 -0
package/dist/recipes/tools/gitlab.d.ts +11 -0
package/dist/recipes/tools/gitlab.js +285 -0
package/dist/recipes/tools/gitlab.js.map +1 -0
package/dist/recipes/tools/gmail.d.ts +6 -0
package/dist/recipes/tools/gmail.js +451 -0
package/dist/recipes/tools/gmail.js.map +1 -0
package/dist/recipes/tools/googleDrive.d.ts +1 -0
package/dist/recipes/tools/googleDrive.js +55 -0
package/dist/recipes/tools/googleDrive.js.map +1 -0
package/dist/recipes/tools/hubspot.d.ts +6 -0
package/dist/recipes/tools/hubspot.js +232 -0
package/dist/recipes/tools/hubspot.js.map +1 -0
package/dist/recipes/tools/index.d.ts +30 -0
package/dist/recipes/tools/index.js +33 -0
package/dist/recipes/tools/index.js.map +1 -0
package/dist/recipes/tools/intercom.d.ts +6 -0
package/dist/recipes/tools/intercom.js +226 -0
package/dist/recipes/tools/intercom.js.map +1 -0
package/dist/recipes/tools/jira.d.ts +14 -0
package/dist/recipes/tools/jira.js +369 -0
package/dist/recipes/tools/jira.js.map +1 -0
package/dist/recipes/tools/linear.d.ts +7 -0
package/dist/recipes/tools/linear.js +307 -0
package/dist/recipes/tools/linear.js.map +1 -0
package/dist/recipes/tools/meetingNotes.d.ts +21 -0
package/dist/recipes/tools/meetingNotes.js +701 -0
package/dist/recipes/tools/meetingNotes.js.map +1 -0
package/dist/recipes/tools/notion.d.ts +6 -0
package/dist/recipes/tools/notion.js +278 -0
package/dist/recipes/tools/notion.js.map +1 -0
package/dist/recipes/tools/pagerduty.d.ts +15 -0
package/dist/recipes/tools/pagerduty.js +451 -0
package/dist/recipes/tools/pagerduty.js.map +1 -0
package/dist/recipes/tools/sentry.d.ts +12 -0
package/dist/recipes/tools/sentry.js +73 -0
package/dist/recipes/tools/sentry.js.map +1 -0
package/dist/recipes/tools/slack.d.ts +6 -0
package/dist/recipes/tools/slack.js +82 -0
package/dist/recipes/tools/slack.js.map +1 -0
package/dist/recipes/tools/stripe.d.ts +6 -0
package/dist/recipes/tools/stripe.js +265 -0
package/dist/recipes/tools/stripe.js.map +1 -0
package/dist/recipes/tools/zendesk.d.ts +6 -0
package/dist/recipes/tools/zendesk.js +245 -0
package/dist/recipes/tools/zendesk.js.map +1 -0
package/dist/recipes/validation.d.ts +13 -0
package/dist/recipes/validation.js +617 -0
package/dist/recipes/validation.js.map +1 -0
package/dist/recipes/yamlRunner.d.ts +130 -2
package/dist/recipes/yamlRunner.js +1009 -402
package/dist/recipes/yamlRunner.js.map +1 -1
package/dist/recipesHttp.d.ts +151 -6
package/dist/recipesHttp.js +999 -29
package/dist/recipesHttp.js.map +1 -1
package/dist/riskTier.js +7 -1
package/dist/riskTier.js.map +1 -1
package/dist/runLog.d.ts +100 -1
package/dist/runLog.js +258 -5
package/dist/runLog.js.map +1 -1
package/dist/schemas/dry-run-plan.v1.json +139 -0
package/dist/schemas/recipe.v1.json +684 -0
package/dist/server.d.ts +127 -8
package/dist/server.js +740 -933
package/dist/server.js.map +1 -1
package/dist/ssrfGuard.d.ts +54 -0
package/dist/ssrfGuard.js +122 -0
package/dist/ssrfGuard.js.map +1 -0
package/dist/streamableHttp.d.ts +39 -1
package/dist/streamableHttp.js +128 -17
package/dist/streamableHttp.js.map +1 -1
package/dist/tokenUsageTracker.d.ts +33 -0
package/dist/tokenUsageTracker.js +146 -0
package/dist/tokenUsageTracker.js.map +1 -0
package/dist/tools/activityLog.d.ts +2 -0
package/dist/tools/addLinearComment.d.ts +1 -0
package/dist/tools/addLinearComment.js +4 -2
package/dist/tools/addLinearComment.js.map +1 -1
package/dist/tools/batchLsp.d.ts +3 -0
package/dist/tools/bridgeDoctor.d.ts +1 -0
package/dist/tools/bridgeDoctor.js +2 -2
package/dist/tools/bridgeDoctor.js.map +1 -1
package/dist/tools/bridgeStatus.d.ts +1 -0
package/dist/tools/cancelClaudeTask.d.ts +2 -0
package/dist/tools/cancelClaudeTask.js +1 -0
package/dist/tools/cancelClaudeTask.js.map +1 -1
package/dist/tools/checkDocumentDirty.d.ts +1 -0
package/dist/tools/clipboard.d.ts +2 -0
package/dist/tools/closeTabs.d.ts +2 -0
package/dist/tools/codeLens.d.ts +1 -0
package/dist/tools/contextBundle.d.ts +1 -0
package/dist/tools/createIssueFromAIComment.d.ts +1 -0
package/dist/tools/createLinearIssue.d.ts +1 -0
package/dist/tools/ctxGetTaskContext.d.ts +1 -0
package/dist/tools/ctxQueryTraces.d.ts +1 -0
package/dist/tools/ctxSaveTrace.d.ts +1 -0
package/dist/tools/debug.d.ts +4 -0
package/dist/tools/decorations.d.ts +2 -0
package/dist/tools/documentLinks.d.ts +1 -0
package/dist/tools/editText.d.ts +1 -0
package/dist/tools/enrichCommit.d.ts +1 -0
package/dist/tools/enrichStackTrace.d.ts +1 -0
package/dist/tools/explainDiagnostic.d.ts +1 -0
package/dist/tools/explainSymbol.d.ts +1 -0
package/dist/tools/fetchCalendarEvents.d.ts +1 -0
package/dist/tools/fetchGithubIssue.d.ts +1 -0
package/dist/tools/fetchGithubPR.d.ts +1 -0
package/dist/tools/fetchLinearIssue.d.ts +1 -0
package/dist/tools/fetchSentryIssue.d.ts +1 -0
package/dist/tools/fetchSlackProfile.d.ts +1 -0
package/dist/tools/fetchSlackProfile.js +4 -1
package/dist/tools/fetchSlackProfile.js.map +1 -1
package/dist/tools/fileOperations.d.ts +3 -0
package/dist/tools/fileWatcher.d.ts +2 -0
package/dist/tools/findFiles.d.ts +1 -0
package/dist/tools/findRelatedTests.d.ts +1 -0
package/dist/tools/fixAllLintErrors.d.ts +1 -0
package/dist/tools/foldingRanges.d.ts +1 -0
package/dist/tools/formatDocument.d.ts +1 -0
package/dist/tools/generateTests.d.ts +1 -0
package/dist/tools/getAIComments.d.ts +1 -0
package/dist/tools/getAnalyticsReport.d.ts +1 -0
package/dist/tools/getArchitectureContext.d.ts +1 -0
package/dist/tools/getBufferContent.d.ts +1 -0
package/dist/tools/getChangeImpact.d.ts +1 -0
package/dist/tools/getClaudeTaskStatus.d.ts +2 -0
package/dist/tools/getClaudeTaskStatus.js +1 -0
package/dist/tools/getClaudeTaskStatus.js.map +1 -1
package/dist/tools/getCodeCoverage.d.ts +1 -0
package/dist/tools/getCommitsForIssue.d.ts +1 -0
package/dist/tools/getConnectorStatus.d.ts +1 -0
package/dist/tools/getCurrentSelection.d.ts +2 -0
package/dist/tools/getDebugState.d.ts +1 -0
package/dist/tools/getDependencyTree.d.ts +1 -0
package/dist/tools/getDiagnostics.d.ts +1 -0
package/dist/tools/getDiffFromHandoff.d.ts +1 -0
package/dist/tools/getDocumentSymbols.d.ts +25 -0
package/dist/tools/getDocumentSymbols.js +74 -8
package/dist/tools/getDocumentSymbols.js.map +1 -1
package/dist/tools/getFileTree.d.ts +1 -0
package/dist/tools/getGitDiff.d.ts +1 -0
package/dist/tools/getGitHotspots.d.ts +1 -0
package/dist/tools/getGitLog.d.ts +1 -0
package/dist/tools/getGitStatus.d.ts +1 -0
package/dist/tools/getImportTree.d.ts +1 -0
package/dist/tools/getImportedSignatures.d.ts +1 -0
package/dist/tools/getOpenEditors.d.ts +1 -0
package/dist/tools/getPRTemplate.d.ts +1 -0
package/dist/tools/getProjectContext.d.ts +1 -0
package/dist/tools/getProjectInfo.d.ts +1 -0
package/dist/tools/getSecurityAdvisories.d.ts +1 -0
package/dist/tools/getSecurityAdvisories.js +10 -1
package/dist/tools/getSecurityAdvisories.js.map +1 -1
package/dist/tools/getSessionUsage.d.ts +4 -0
package/dist/tools/getSessionUsage.js +3 -0
package/dist/tools/getSessionUsage.js.map +1 -1
package/dist/tools/getSymbolHistory.d.ts +1 -0
package/dist/tools/getToolCapabilities.d.ts +1 -0
package/dist/tools/getTypeSignature.d.ts +1 -0
package/dist/tools/getWorkspaceFolders.d.ts +1 -0
package/dist/tools/getWorkspaceSettings.d.ts +1 -0
package/dist/tools/gitHistory.d.ts +2 -0
package/dist/tools/gitWrite.d.ts +11 -0
package/dist/tools/github/actions.d.ts +2 -0
package/dist/tools/github/actions.js +4 -2
package/dist/tools/github/actions.js.map +1 -1
package/dist/tools/github/composite.d.ts +342 -0
package/dist/tools/github/composite.js +343 -0
package/dist/tools/github/composite.js.map +1 -0
package/dist/tools/github/index.d.ts +1 -0
package/dist/tools/github/index.js +1 -0
package/dist/tools/github/index.js.map +1 -1
package/dist/tools/github/issues.d.ts +4 -0
package/dist/tools/github/issues.js +8 -4
package/dist/tools/github/issues.js.map +1 -1
package/dist/tools/github/pr.d.ts +7 -0
package/dist/tools/github/pr.js +50 -12
package/dist/tools/github/pr.js.map +1 -1
package/dist/tools/handoffNote.d.ts +4 -0
package/dist/tools/handoffNote.js +2 -0
package/dist/tools/handoffNote.js.map +1 -1
package/dist/tools/hoverAtCursor.d.ts +1 -0
package/dist/tools/httpClient.d.ts +2 -0
package/dist/tools/index.d.ts +8 -0
package/dist/tools/index.js +47 -8
package/dist/tools/index.js.map +1 -1
package/dist/tools/inlayHints.d.ts +1 -0
package/dist/tools/launchQuickTask.d.ts +2 -0
package/dist/tools/launchQuickTask.js +1 -0
package/dist/tools/launchQuickTask.js.map +1 -1
package/dist/tools/listClaudeTasks.d.ts +2 -0
package/dist/tools/listClaudeTasks.js +1 -0
package/dist/tools/listClaudeTasks.js.map +1 -1
package/dist/tools/listTerminals.d.ts +1 -0
package/dist/tools/lsp.d.ts +14 -0
package/dist/tools/navigateToSymbolByName.d.ts +1 -0
package/dist/tools/openDiff.d.ts +1 -0
package/dist/tools/openFile.d.ts +1 -0
package/dist/tools/openInBrowser.d.ts +1 -0
package/dist/tools/organizeImports.d.ts +1 -0
package/dist/tools/performanceReport.d.ts +1 -0
package/dist/tools/planPersistence.d.ts +5 -0
package/dist/tools/previewEdit.d.ts +1 -0
package/dist/tools/refactorAnalyze.d.ts +1 -0
package/dist/tools/refactorPreview.d.ts +2 -0
package/dist/tools/refactorPreview.js +1 -0
package/dist/tools/refactorPreview.js.map +1 -1
package/dist/tools/replaceBlock.d.ts +1 -0
package/dist/tools/resumeClaudeTask.d.ts +2 -0
package/dist/tools/resumeClaudeTask.js +1 -0
package/dist/tools/resumeClaudeTask.js.map +1 -1
package/dist/tools/runClaudeTask.d.ts +2 -0
package/dist/tools/runClaudeTask.js +1 -0
package/dist/tools/runClaudeTask.js.map +1 -1
package/dist/tools/runCommand.d.ts +1 -0
package/dist/tools/runCommand.js +5 -0
package/dist/tools/runCommand.js.map +1 -1
package/dist/tools/runTests.d.ts +1 -0
package/dist/tools/saveDocument.d.ts +1 -0
package/dist/tools/screenshotAndAnnotate.d.ts +1 -0
package/dist/tools/searchAndReplace.d.ts +1 -0
package/dist/tools/searchTools.d.ts +1 -0
package/dist/tools/searchTools.js +1 -1
package/dist/tools/searchTools.js.map +1 -1
package/dist/tools/searchWorkspace.d.ts +1 -0
package/dist/tools/selectionRanges.d.ts +1 -0
package/dist/tools/semanticTokens.d.ts +1 -0
package/dist/tools/setActiveWorkspaceFolder.d.ts +1 -0
package/dist/tools/signatureHelp.d.ts +1 -0
package/dist/tools/slackListChannels.d.ts +1 -0
package/dist/tools/slackListChannels.js.map +1 -1
package/dist/tools/slackPostMessage.d.ts +1 -0
package/dist/tools/slackPostMessage.js +11 -6
package/dist/tools/slackPostMessage.js.map +1 -1
package/dist/tools/terminal.d.ts +6 -0
package/dist/tools/terminal.js +4 -0
package/dist/tools/terminal.js.map +1 -1
package/dist/tools/testTraceToSource.d.ts +1 -0
package/dist/tools/testTraceToSource.js +2 -2
package/dist/tools/testTraceToSource.js.map +1 -1
package/dist/tools/transaction.d.ts +23 -0
package/dist/tools/transaction.js +29 -0
package/dist/tools/transaction.js.map +1 -1
package/dist/tools/typeHierarchy.d.ts +1 -0
package/dist/tools/updateLinearIssue.d.ts +1 -0
package/dist/tools/updateLinearIssue.js +20 -6
package/dist/tools/updateLinearIssue.js.map +1 -1
package/dist/tools/utils.d.ts +6 -0
package/dist/tools/utils.js +59 -0
package/dist/tools/utils.js.map +1 -1
package/dist/tools/vscodeCommands.d.ts +2 -0
package/dist/tools/vscodeTasks.d.ts +2 -0
package/dist/tools/workspaceSettings.d.ts +1 -0
package/dist/traceEncryption.d.ts +46 -0
package/dist/traceEncryption.js +124 -0
package/dist/traceEncryption.js.map +1 -0
package/dist/transport.d.ts +46 -1
package/dist/transport.js +173 -19
package/dist/transport.js.map +1 -1
package/package.json +30 -8
package/scripts/mcp-stdio-shim.cjs +19 -3
package/scripts/start-all.sh +34 -3
package/templates/automation-policies/recipe-authoring.json +25 -0
package/templates/automation-policy.example.json +6 -0
package/templates/co.patchwork-os.bridge.plist +34 -0
package/templates/policies/README.md +72 -0
package/templates/policies/conservative.json +14 -0
package/templates/policies/developer.json +14 -0
package/templates/policies/headless-ci.json +24 -0
package/templates/policies/personal-assistant.json +15 -0
package/templates/policies/regulated-industry.json +18 -0
package/templates/recipes/approval-queue-ui-test.yaml +205 -0
package/templates/recipes/lint-on-save.yaml +1 -2
package/templates/recipes/morning-brief-slack.yaml +57 -0
package/templates/recipes/morning-brief.yaml +2 -2
package/templates/recipes/project-health-check.yaml +50 -0
package/templates/recipes/webhook/README.md +70 -0
package/templates/recipes/webhook/capture-thought.yaml +26 -0
package/templates/recipes/webhook/customer-escalation.yaml +49 -0
package/templates/recipes/webhook/incident-intake.yaml +46 -0
package/templates/recipes/webhook/meeting-prep.yaml +48 -0
package/templates/recipes/webhook/morning-brief.yaml +57 -0

package/dist/commands/recipeInstall.js ADDED Viewed

@@ -0,0 +1,647 @@
+/**
+ * patchwork recipe install — download and install a recipe package.
+ * patchwork recipe list   — list installed recipe packages.
+ *
+ * Supports:
+ *   github:owner/repo
+ *   github:owner/repo/subdir
+ *   https://github.com/owner/repo
+ *   ./local/path
+ */
+import { cpSync, existsSync, mkdirSync, mkdtempSync, readdirSync, readFileSync, rmSync, statSync, unlinkSync, writeFileSync, } from "node:fs";
+import https from "node:https";
+import os from "node:os";
+import path from "node:path";
+import { disabledMarkerPath, isInstallDirDisabled, } from "../recipes/disabledMarkers.js";
+import { getManifestRecipeFiles, loadManifestFromDir, parseManifest, } from "../recipes/manifest.js";
+export const INSTALL_RECIPES_DIR = path.join(os.homedir(), ".patchwork", "recipes");
+/**
+ * Reject path components that aren't a single safe basename — used at every
+ * boundary where externally-sourced filenames are joined onto a trusted
+ * directory (manifest fields, GitHub API responses, CLI args).
+ *
+ * Rejects empty/".."/".", any path separator, and control chars (NUL/newline/tab).
+ * Exported for testing and reuse.
+ */
+export function isSafeBasename(name) {
+    if (typeof name !== "string" || name.length === 0)
+        return false;
+    if (name === "." || name === "..")
+        return false;
+    if (name.includes("/") || name.includes("\\"))
+        return false;
+    if (/[\x00-\x1F\x7F]/.test(name))
+        return false;
+    return true;
+}
+/**
+ * Parse a user-supplied source string into a typed InstallSource.
+ *
+ * Supported forms:
+ *   github:owner/repo
+ *   github:owner/repo@<ref>           — pin to branch, tag, or commit SHA
+ *   github:owner/repo/subdir
+ *   github:owner/repo/subdir@<ref>
+ *   gh:owner/repo[@<ref>]             — short alias for github:
+ *   https://github.com/owner/repo
+ *   https://github.com/owner/repo/tree/<ref>/subdir   — ref captured from URL
+ *   ./relative/path
+ *   /absolute/path
+ *
+ * `@<ref>` accepts any value that's valid as a git ref (branch, tag, SHA).
+ * Empty ref (`...@`) is rejected.
+ */
+export function parseInstallSource(source) {
+    // Local path: starts with . or /
+    if (source.startsWith("./") ||
+        source.startsWith("/") ||
+        source.startsWith("../")) {
+        return { type: "local", path: source };
+    }
+    // github:/gh: prefix
+    if (source.startsWith("github:")) {
+        return parseGithubShorthand(source.slice("github:".length));
+    }
+    if (source.startsWith("gh:")) {
+        return parseGithubShorthand(source.slice("gh:".length));
+    }
+    // Full GitHub URL — captures owner, repo, optional ref (tree/<ref>), optional subdir
+    const githubUrlMatch = source.match(/^https?:\/\/github\.com\/([^/]+)\/([^/]+?)(?:\.git)?(?:\/tree\/([^/]+)(?:\/(.+))?)?\/?$/);
+    if (githubUrlMatch) {
+        const [, owner, repo, ref, subdir] = githubUrlMatch;
+        if (!owner || !repo) {
+            throw new Error(`Invalid GitHub URL: ${source}`);
+        }
+        return {
+            type: "github",
+            owner,
+            repo,
+            ...(subdir ? { subdir } : {}),
+            ...(ref ? { ref } : {}),
+        };
+    }
+    throw new Error(`Unrecognized install source: "${source}"\n` +
+        `Supported: github:owner/repo[@ref], github:owner/repo/subdir[@ref], gh:owner/repo[@ref], https://github.com/owner/repo, ./local/path`);
+}
+// ---------------------------------------------------------------------
+// BEGIN A-PR2 EDIT BLOCK — `parseGithubShorthand` strict validation
+// (dogfood R2 M-2). Owner/repo segments are validated against GitHub's own
+// rules (alphanumeric or hyphen/dot/underscore, max 39 chars, must start
+// alphanumeric) so injection attempts via shorthand (`gh:foo@bar:baz/repo`,
+// `gh:owner/<repo>?evil=1`) are rejected before reaching the URL builder.
+// Refs reject userinfo (`@`) and port markers (`:`) — these would otherwise
+// land inside the constructed `https://github.com/.../tree/<ref>/...` URL.
+// ---------------------------------------------------------------------
+const GITHUB_OWNER_REPO_RE = /^[a-zA-Z0-9](?:[a-zA-Z0-9-._]{0,38})$/;
+function parseGithubShorthand(shorthand) {
+    // Extract trailing @<ref> if present. The ref is opaque to us — git accepts
+    // branches, tags, and commit SHAs in the same slot, and the GitHub API
+    // (which is what we ultimately call with this value) does too.
+    let ref;
+    const atIdx = shorthand.lastIndexOf("@");
+    if (atIdx !== -1) {
+        ref = shorthand.slice(atIdx + 1);
+        shorthand = shorthand.slice(0, atIdx);
+        if (!ref) {
+            throw new Error(`Invalid github shorthand: empty ref after "@" in "${shorthand}@"`);
+        }
+        // Reject embedded URL syntax that would corrupt the constructed
+        // https://github.com/<owner>/<repo>/tree/<ref> URL (R2 M-2).
+        if (/[@:?#\s]/.test(ref) || ref.includes("..")) {
+            throw new Error(`Invalid github shorthand: ref "${ref}" contains disallowed characters`);
+        }
+    }
+    // owner/repo or owner/repo/subdir (may have multiple path segments)
+    const parts = shorthand.split("/");
+    if (parts.length < 2) {
+        throw new Error(`Invalid github shorthand "${shorthand}": expected "owner/repo" or "owner/repo/subdir"`);
+    }
+    const [owner, repo, ...subdirParts] = parts;
+    if (!owner || !repo) {
+        throw new Error(`Invalid github shorthand: "${shorthand}"`);
+    }
+    if (!GITHUB_OWNER_REPO_RE.test(owner)) {
+        throw new Error(`Invalid github shorthand: owner "${owner}" is not a valid GitHub username`);
+    }
+    if (!GITHUB_OWNER_REPO_RE.test(repo)) {
+        throw new Error(`Invalid github shorthand: repo "${repo}" is not a valid GitHub repository name`);
+    }
+    // Subdir segments: each must be a safe path component (no traversal, no
+    // control chars). Reuses `isSafeBasename` for consistency with the post-fetch
+    // file boundary check.
+    for (const seg of subdirParts) {
+        if (!isSafeBasename(seg)) {
+            throw new Error(`Invalid github shorthand: subdir segment "${seg}" is unsafe`);
+        }
+    }
+    return {
+        type: "github",
+        owner,
+        repo,
+        ...(subdirParts.length > 0 ? { subdir: subdirParts.join("/") } : {}),
+        ...(ref ? { ref } : {}),
+    };
+}
+// END A-PR2 EDIT BLOCK
+// ============================================================================
+// Install name determination
+// ============================================================================
+/**
+ * Determine the install directory name from the manifest or source.
+ * - Manifest present: strip leading @ and replace / with -- for filesystem safety.
+ * - GitHub source (no manifest): "owner/repo" or "owner/repo/subdir".
+ * - Local source (no manifest): basename of the directory.
+ */
+export function determineInstallName(manifest, source) {
+    if (manifest) {
+        // Strip leading @ and replace "/" with "--" so it's a valid directory name
+        return manifest.name.replace(/^@/, "").replace(/\//g, "--");
+    }
+    if (source.type === "github") {
+        const base = `${source.owner}/${source.repo}`;
+        return source.subdir ? `${base}/${source.subdir}` : base;
+    }
+    return path.basename(path.resolve(source.path));
+}
+// ============================================================================
+// GitHub file fetching via API
+// ============================================================================
+// ---------------------------------------------------------------------
+// BEGIN A-PR2 EDIT BLOCK — `httpsGet` redirect chain hardening
+// (dogfood R2 I-2). Redirect targets must (1) be one of GitHub's known hosts
+// and (2) clear the SSRF guard. Hop count capped at 5 to bound the chain.
+// Origin is also validated up-front: this helper is reached only after
+// `parseGithubShorthand` / GitHub URL parsing, so all callers should already
+// be pointed at github.com / api.github.com / raw.githubusercontent.com.
+// ---------------------------------------------------------------------
+const GITHUB_REDIRECT_HOSTS = new Set([
+    "github.com",
+    "www.github.com",
+    "api.github.com",
+    "raw.githubusercontent.com",
+    "codeload.github.com",
+    "objects.githubusercontent.com",
+    "media.githubusercontent.com",
+]);
+const HTTPS_GET_MAX_REDIRECTS = 5;
+function isAllowedGithubHost(hostname) {
+    return GITHUB_REDIRECT_HOSTS.has(hostname.toLowerCase());
+}
+async function httpsGet(url, hops = 0) {
+    // Lazy-load the SSRF guard so test harnesses that mock https.get don't have
+    // to also stub DNS — the guard fast-paths public hostnames anyway.
+    const { isPrivateHost } = await import("../ssrfGuard.js");
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new Error(`Invalid URL: ${url}`);
+    }
+    if (parsed.protocol !== "https:") {
+        throw new Error(`Refusing non-https URL: ${url}`);
+    }
+    if (!isAllowedGithubHost(parsed.hostname)) {
+        throw new Error(`Refusing redirect to non-GitHub host "${parsed.hostname}"`);
+    }
+    if (isPrivateHost(parsed.hostname)) {
+        throw new Error(`Refusing redirect to private host "${parsed.hostname}"`);
+    }
+    return new Promise((resolve, reject) => {
+        const req = https.get(url, {
+            headers: {
+                "User-Agent": "patchwork-recipe-installer/1.0",
+                Accept: "application/vnd.github.v3+json",
+            },
+        }, (res) => {
+            // Follow redirects — bounded chain, allowlisted host, SSRF-guarded.
+            if (res.statusCode &&
+                res.statusCode >= 300 &&
+                res.statusCode < 400 &&
+                res.headers.location) {
+                if (hops >= HTTPS_GET_MAX_REDIRECTS) {
+                    reject(new Error(`Too many redirects (>${HTTPS_GET_MAX_REDIRECTS})`));
+                    return;
+                }
+                // Resolve relative redirects against the current URL so a relative
+                // `Location: /foo` doesn't get treated as an empty hostname.
+                let nextUrl;
+                try {
+                    nextUrl = new URL(res.headers.location, url);
+                }
+                catch {
+                    reject(new Error(`Invalid redirect location: "${res.headers.location}"`));
+                    return;
+                }
+                if (nextUrl.protocol !== "https:") {
+                    reject(new Error(`Refusing redirect to non-https protocol: "${nextUrl.protocol}"`));
+                    return;
+                }
+                httpsGet(nextUrl.toString(), hops + 1)
+                    .then(resolve)
+                    .catch(reject);
+                return;
+            }
+            if (res.statusCode && res.statusCode >= 400) {
+                reject(new Error(`HTTP ${res.statusCode} fetching ${url}`));
+                return;
+            }
+            const chunks = [];
+            res.on("data", (chunk) => chunks.push(chunk));
+            res.on("end", () => resolve(Buffer.concat(chunks)));
+            res.on("error", reject);
+        });
+        req.on("error", reject);
+        req.end();
+    });
+}
+async function listGitHubContents(owner, repo, dirPath, ref) {
+    const url = `https://api.github.com/repos/${owner}/${repo}/contents/${dirPath}?ref=${ref}`;
+    const body = await httpsGet(url);
+    const parsed = JSON.parse(body.toString("utf-8"));
+    if (!Array.isArray(parsed)) {
+        throw new Error(`Expected array from GitHub contents API, got: ${typeof parsed}`);
+    }
+    return parsed;
+}
+async function fetchGitHubFile(downloadUrl) {
+    return httpsGet(downloadUrl);
+}
+/**
+ * Download all .yaml/.yml files (and recipe.json if present) from a GitHub
+ * directory into `destDir`. Returns list of filenames written.
+ */
+async function downloadGitHubDir(owner, repo, dirPath, ref, destDir) {
+    const items = await listGitHubContents(owner, repo, dirPath, ref);
+    const written = [];
+    for (const item of items) {
+        if (item.type !== "file")
+            continue;
+        if (item.name !== "recipe.json" && !/\.ya?ml$/i.test(item.name)) {
+            continue;
+        }
+        if (!item.download_url)
+            continue;
+        // GitHub Contents API responses are not implicitly trusted: a hostile
+        // repo (or a redirect-to-attacker) could supply names like `../etc/x`.
+        // The existing extension filter above already blocks the most obvious
+        // payloads, but we explicitly reject anything that isn't a single
+        // basename so a future change to the filter doesn't reopen the gap.
+        if (!isSafeBasename(item.name)) {
+            continue;
+        }
+        const content = await fetchGitHubFile(item.download_url);
+        const destPath = path.join(destDir, item.name);
+        // Belt-and-suspenders: confirm the resolved write path lives inside destDir.
+        if (!path.resolve(destPath).startsWith(`${path.resolve(destDir)}${path.sep}`)) {
+            continue;
+        }
+        writeFileSync(destPath, content);
+        written.push(item.name);
+    }
+    return written;
+}
+/**
+ * Install a recipe package from a source into INSTALL_RECIPES_DIR.
+ * Returns metadata about what was installed.
+ */
+export async function runRecipeInstall(rawSource, options = {}) {
+    const source = parseInstallSource(rawSource);
+    const recipesDir = options.recipesDir ?? INSTALL_RECIPES_DIR;
+    // Stage into temp dir first
+    const tmpDir = mkdtempSync(path.join(os.tmpdir(), "patchwork-recipe-"));
+    try {
+        if (source.type === "local") {
+            await stageLocalSource(source, tmpDir);
+        }
+        else {
+            await stageGitHubSource(source, tmpDir);
+        }
+        // Read manifest if present
+        let manifest = null;
+        const manifestPath = path.join(tmpDir, "recipe.json");
+        if (existsSync(manifestPath)) {
+            manifest = parseManifest(readFileSync(manifestPath, "utf-8"));
+        }
+        // Determine which files to copy
+        let filesToCopy;
+        if (manifest) {
+            const declared = getManifestRecipeFiles(manifest);
+            // Include recipe.json + declared recipe files (that exist in tmpDir)
+            filesToCopy = ["recipe.json", ...declared].filter((f) => existsSync(path.join(tmpDir, f)));
+        }
+        else {
+            // No manifest: take all .yaml/.yml files
+            filesToCopy = readdirSync(tmpDir).filter((f) => /\.ya?ml$/i.test(f));
+        }
+        if (filesToCopy.length === 0) {
+            throw new Error(`No recipe files found in source "${rawSource}". ` +
+                `Expected .yaml/.yml files or a recipe.json manifest.`);
+        }
+        const installName = determineInstallName(manifest, source);
+        const installDir = path.join(recipesDir, installName);
+        // Reinstall correctness: detect whether this is an upgrade in place,
+        // and snapshot the existing enabled state so the upgrade doesn't
+        // silently re-disable a recipe the user explicitly opted into.
+        const isReinstall = existsSync(installDir);
+        const wasEnabled = isReinstall ? !isInstallDirDisabled(installDir) : false;
+        if (isReinstall) {
+            // Clear stale files from the previous version so files dropped from
+            // the new manifest don't linger. We rebuild the install dir wholesale
+            // rather than overlay the new files on top of the old.
+            try {
+                rmSync(installDir, { recursive: true, force: true });
+            }
+            catch {
+                // best-effort; mkdirSync below will throw with a clearer error
+            }
+        }
+        mkdirSync(installDir, { recursive: true });
+        // Copy files
+        for (const file of filesToCopy) {
+            const src = path.join(tmpDir, file);
+            const dest = path.join(installDir, file);
+            // Ensure subdirs exist (recipe.json could declare children in subdirs)
+            const destParent = path.dirname(dest);
+            if (!existsSync(destParent)) {
+                mkdirSync(destParent, { recursive: true });
+            }
+            cpSync(src, dest);
+        }
+        // Write the disabled-marker policy:
+        //   - Fresh install: start disabled (per the wave2 plan's safety story).
+        //   - Reinstall (upgrade in place): preserve whatever the user had set.
+        //     If the recipe was enabled before, leave it enabled; if disabled,
+        //     leave it disabled. Don't silently revoke an explicit user opt-in.
+        if (!isReinstall || !wasEnabled) {
+            writeFileSync(disabledMarkerPath(installDir), "");
+        }
+        return {
+            name: installName,
+            version: manifest?.version,
+            installDir,
+            filesInstalled: filesToCopy,
+            manifest,
+        };
+    }
+    finally {
+        try {
+            rmSync(tmpDir, { recursive: true, force: true });
+        }
+        catch {
+            // best-effort cleanup
+        }
+    }
+}
+async function stageLocalSource(source, tmpDir) {
+    const resolvedPath = path.resolve(source.path);
+    if (!existsSync(resolvedPath)) {
+        throw new Error(`Local path does not exist: ${resolvedPath}`);
+    }
+    if (!statSync(resolvedPath).isDirectory()) {
+        throw new Error(`Local path is not a directory: ${resolvedPath}`);
+    }
+    cpSync(resolvedPath, tmpDir, { recursive: true });
+}
+async function stageGitHubSource(source, tmpDir) {
+    const ref = source.ref ?? "main";
+    const dirPath = source.subdir ?? "";
+    try {
+        await downloadGitHubDir(source.owner, source.repo, dirPath, ref, tmpDir);
+    }
+    catch (err) {
+        // If main branch fails, try master
+        if (ref === "main") {
+            try {
+                await downloadGitHubDir(source.owner, source.repo, dirPath, "master", tmpDir);
+                return;
+            }
+            catch {
+                // fall through to original error
+            }
+        }
+        throw err;
+    }
+}
+/**
+ * Returns true if the install dir does not contain the disabled marker.
+ * Recipes installed before this marker existed have no marker and are
+ * therefore considered enabled — preserves backwards compatibility.
+ */
+export function isRecipeEnabled(installDir) {
+    return !isInstallDirDisabled(installDir);
+}
+/**
+ * Locate an installed recipe directory by name. Returns null if not found.
+ *
+ * Validates `name` is a safe basename to defend against `recipe enable
+ * ../../../etc/foo` and similar — even though the on-disk effect would be
+ * limited to the `.disabled` filename, an arbitrary-path file write under
+ * the user's privilege is still a real attack surface.
+ */
+function findInstalledRecipeDir(name, recipesDir) {
+    if (!isSafeBasename(name)) {
+        throw new Error(`Invalid recipe name "${name}" — must be a single directory name without path separators or control characters.`);
+    }
+    const direct = path.join(recipesDir, name);
+    // Defense-in-depth: even with the basename check above, confirm the resolved
+    // path lives under recipesDir. Symlinks inside recipesDir could in principle
+    // escape, so this catches that too.
+    const resolvedRoot = path.resolve(recipesDir);
+    const resolvedDir = path.resolve(direct);
+    if (!resolvedDir.startsWith(`${resolvedRoot}${path.sep}`)) {
+        throw new Error(`Resolved recipe path escapes recipes directory: "${name}"`);
+    }
+    if (existsSync(direct) && statSync(direct).isDirectory()) {
+        return direct;
+    }
+    return null;
+}
+/**
+ * Resolve an install-dir-name (the directory `runRecipeInstall` created) to
+ * the YAML entrypoint inside it. Used by `recipe run <name>` so the user can
+ * pass the name they see in `recipe list` rather than having to dig into the
+ * install directory layout.
+ *
+ * Resolution order:
+ *   1. `recipe.json` manifest's `recipes.main`, if the manifest exists and
+ *      the file it points at exists on disk.
+ *   2. First `*.yaml` / `*.yml` in the install dir.
+ *
+ * Returns null if `name` doesn't correspond to an install dir, or the dir
+ * exists but contains no resolvable entrypoint. Path-traversal `name` values
+ * (e.g. `../../etc`) throw via the underlying `findInstalledRecipeDir` —
+ * same defence as enable/disable/uninstall.
+ */
+export function findInstalledRecipeEntrypoint(name, options = {}) {
+    const recipesDir = options.recipesDir ?? INSTALL_RECIPES_DIR;
+    const installDir = findInstalledRecipeDir(name, recipesDir);
+    if (!installDir)
+        return null;
+    const manifestPath = path.join(installDir, "recipe.json");
+    if (existsSync(manifestPath)) {
+        try {
+            const m = JSON.parse(readFileSync(manifestPath, "utf-8"));
+            if (m.recipes?.main && isSafeBasename(m.recipes.main)) {
+                const candidate = path.join(installDir, m.recipes.main);
+                if (existsSync(candidate))
+                    return candidate;
+            }
+        }
+        catch {
+            // Malformed manifest → fall through to first-yaml lookup. The
+            // scheduler does the same; surfacing the parse error here would
+            // shadow the top-level "recipe not found" error from the CLI.
+        }
+    }
+    try {
+        for (const entry of readdirSync(installDir)) {
+            if (/\.ya?ml$/i.test(entry)) {
+                return path.join(installDir, entry);
+            }
+        }
+    }
+    catch {
+        // unreadable
+    }
+    return null;
+}
+/**
+ * Enable a recipe — removes the .disabled marker so triggers can fire.
+ * Idempotent: enabling an already-enabled recipe is a no-op.
+ */
+export function runRecipeEnable(name, options = {}) {
+    const recipesDir = options.recipesDir ?? INSTALL_RECIPES_DIR;
+    const installDir = findInstalledRecipeDir(name, recipesDir);
+    if (!installDir) {
+        throw new Error(`No installed recipe named "${name}". Run \`patchwork recipe list\` to see installed recipes.`);
+    }
+    const markerPath = disabledMarkerPath(installDir);
+    if (!existsSync(markerPath)) {
+        return { name, installDir, alreadyEnabled: true };
+    }
+    unlinkSync(markerPath);
+    return { name, installDir, alreadyEnabled: false };
+}
+/**
+ * Disable a recipe — writes the .disabled marker so triggers stop firing.
+ * Idempotent: disabling an already-disabled recipe is a no-op.
+ */
+export function runRecipeDisable(name, options = {}) {
+    const recipesDir = options.recipesDir ?? INSTALL_RECIPES_DIR;
+    const installDir = findInstalledRecipeDir(name, recipesDir);
+    if (!installDir) {
+        throw new Error(`No installed recipe named "${name}". Run \`patchwork recipe list\` to see installed recipes.`);
+    }
+    const markerPath = disabledMarkerPath(installDir);
+    if (existsSync(markerPath)) {
+        return { name, installDir, alreadyDisabled: true };
+    }
+    writeFileSync(markerPath, "");
+    return { name, installDir, alreadyDisabled: false };
+}
+/**
+ * Uninstall a recipe — removes its install directory entirely.
+ *
+ * Returns `{ ok: false, error }` when the recipe isn't found rather than
+ * throwing, so the CLI can surface a clean error message instead of a
+ * stack trace. Path-traversal attempts in `name` still throw via
+ * `findInstalledRecipeDir`'s validator (HIGH-2 hardening from #46).
+ */
+export function runRecipeUninstall(name, options = {}) {
+    const recipesDir = options.recipesDir ?? INSTALL_RECIPES_DIR;
+    const installDir = findInstalledRecipeDir(name, recipesDir);
+    if (!installDir) {
+        return {
+            ok: false,
+            error: `No installed recipe named "${name}". Run \`patchwork recipe list\` to see installed recipes.`,
+        };
+    }
+    rmSync(installDir, { recursive: true, force: true });
+    return { ok: true, installDir };
+}
+export function listInstalledRecipes(options = {}) {
+    const recipesDir = options.recipesDir ?? INSTALL_RECIPES_DIR;
+    if (!existsSync(recipesDir)) {
+        return [];
+    }
+    const entries = [];
+    function scanDir(dir, namePrefix) {
+        const items = readdirSync(dir);
+        for (const item of items) {
+            const itemPath = path.join(dir, item);
+            if (!statSync(itemPath).isDirectory())
+                continue;
+            const entryName = namePrefix ? `${namePrefix}/${item}` : item;
+            const manifest = loadManifestFromDir(itemPath);
+            if (manifest) {
+                entries.push({
+                    name: entryName,
+                    version: manifest.version,
+                    description: manifest.description,
+                    connectors: manifest.connectors,
+                    mainRecipe: manifest.recipes.main,
+                    hasManifest: true,
+                    enabled: isRecipeEnabled(itemPath),
+                });
+            }
+            else {
+                const yamlFiles = readdirSync(itemPath).filter((f) => /\.ya?ml$/i.test(f));
+                if (yamlFiles.length > 0) {
+                    entries.push({
+                        name: entryName,
+                        yamlFiles,
+                        hasManifest: false,
+                        enabled: isRecipeEnabled(itemPath),
+                    });
+                }
+                else {
+                    // Recurse one level for namespaced dirs like "owner/repo"
+                    if (!namePrefix) {
+                        scanDir(itemPath, item);
+                    }
+                }
+            }
+        }
+    }
+    scanDir(recipesDir, "");
+    return entries.sort((a, b) => a.name.localeCompare(b.name));
+}
+// ============================================================================
+// CLI output helpers
+// ============================================================================
+export function printInstallResult(result) {
+    const versionStr = result.version ? `@${result.version}` : "";
+    console.log(`✓ Installed ${result.name}${versionStr} to ${result.installDir}`);
+    if (result.manifest?.connectors && result.manifest.connectors.length > 0) {
+        console.log(`  Requires connectors: ${result.manifest.connectors.join(", ")}`);
+    }
+    console.log(`  Status: disabled (run \`patchwork recipe enable ${result.name}\` to activate scheduled triggers)`);
+    const mainRecipe = result.manifest?.recipes.main ?? result.filesInstalled[0];
+    if (mainRecipe) {
+        console.log(`  Run with: patchwork recipe run ${path.join(result.installDir, mainRecipe)}`);
+    }
+}
+export function printInstalledList(entries) {
+    if (entries.length === 0) {
+        console.log("No recipes installed. Use `patchwork recipe install <source>` to install.");
+        return;
+    }
+    const maxName = Math.max(...entries.map((e) => e.name.length), 4);
+    const maxVersion = Math.max(...entries.map((e) => (e.version ?? "—").length), 7);
+    const header = `${"Name".padEnd(maxName)}  ${"Version".padEnd(maxVersion)}  Status    Description / Files`;
+    console.log(header);
+    console.log("-".repeat(Math.min(header.length, 100)));
+    for (const entry of entries) {
+        const version = (entry.version ?? "—").padEnd(maxVersion);
+        const status = (entry.enabled ? "enabled" : "disabled").padEnd(8);
+        const detail = entry.hasManifest
+            ? (entry.description ?? "")
+            : `[${(entry.yamlFiles ?? []).join(", ")}]`;
+        console.log(`${entry.name.padEnd(maxName)}  ${version}  ${status}  ${detail}`);
+        if (entry.connectors && entry.connectors.length > 0) {
+            console.log(`${"".padEnd(maxName)}  ${"".padEnd(maxVersion)}  ${"".padEnd(8)}  connectors: ${entry.connectors.join(", ")}`);
+        }
+    }
+}
+//# sourceMappingURL=recipeInstall.js.map