patchwork-os 0.2.0-beta.2 → 0.2.0-beta.4

package/dist/recipeRoutes.js

@@ -188,7 +188,11 @@ export function readBodyWithCap(req, max) {
         const onEnd = () => {
             if (aborted)
                 return;
-            resolve({ ok: true, body: Buffer.concat(chunks).toString("utf-8") });
+            const bytes = Buffer.concat(chunks);
+            // `bytes` is the raw on-the-wire body; `body` is the utf-8 decode used
+            // by JSON parsers. HMAC consumers must use `bytes` to avoid the
+            // utf-8 round-trip changing the signed payload.
+            resolve({ ok: true, body: bytes.toString("utf-8"), bytes });
         };
         const onError = () => {
             if (aborted)
@@ -254,6 +258,24 @@ function respondInvalidJson(res) {
     res.writeHead(400, { "Content-Type": "application/json" });
     res.end(JSON.stringify({ ok: false, error: "Invalid JSON body" }));
 }
+/**
+ * Best-effort fire of the recipe-changed notification. Wraps the
+ * callback in try/catch + console.error so a misbehaving notifier
+ * (most likely scheduler.start() throwing) cannot turn a successful
+ * disk-write into a failed-looking HTTP response. Used by install /
+ * save / delete / archive / duplicate / setEnabled / saveContent
+ * routes after their respective success paths.
+ */
+function fireOnRecipesChanged(deps) {
+    if (!deps.onRecipesChangedFn)
+        return;
+    try {
+        deps.onRecipesChangedFn();
+    }
+    catch (err) {
+        console.error(`[recipeRoutes] onRecipesChangedFn threw:`, err);
+    }
+}
 /**
  * Try to handle a recipe / run-audit / template route. Returns true if
  * the route was dispatched (caller should `return` from the request
@@ -295,7 +317,7 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                     res.writeHead(503, { "Content-Type": "application/json" });
                     res.end(JSON.stringify({
                         ok: false,
-                        error: "Recipe execution unavailable — requires --claude-driver subprocess",
+                        error: "Recipe execution unavailable — requires --driver subprocess",
                     }));
                     return;
                 }
@@ -347,7 +369,7 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                     res.writeHead(503, { "Content-Type": "application/json" });
                     res.end(JSON.stringify({
                         ok: false,
-                        error: "Recipe execution unavailable — requires --claude-driver subprocess",
+                        error: "Recipe execution unavailable — requires --driver subprocess",
                     }));
                     return;
                 }
@@ -383,6 +405,7 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
             const trigger = sp.get("trigger");
             const status = sp.get("status");
             const recipe = sp.get("recipe");
+            const manualRunId = sp.get("manualRunId");
             const limit = limitRaw ? Number.parseInt(limitRaw, 10) : Number.NaN;
             const after = afterRaw ? Number.parseInt(afterRaw, 10) : Number.NaN;
             const runs = deps.runsFn?.({
@@ -390,6 +413,7 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                 ...(trigger && { trigger }),
                 ...(status && { status }),
                 ...(recipe && { recipe }),
+                ...(manualRunId && { manualRunId }),
                 ...(Number.isFinite(after) && { after }),
             }) ?? [];
             res.writeHead(200, { "Content-Type": "application/json" });
@@ -400,6 +424,53 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
         }
         return true;
     }
+    // GET /runs/halt-summary — aggregated halt categories over recent runs.
+    // Drives the dashboard /runs page header widget that answers "is the
+    // haltReason work surfacing real signal, or is everything 'unknown'?".
+    if (parsedUrl.pathname === "/runs/halt-summary" && req.method === "GET") {
+        try {
+            const sp = parsedUrl.searchParams;
+            const sinceMsRaw = sp.get("sinceMs");
+            const limitRaw = sp.get("limit");
+            const recipe = sp.get("recipe");
+            const sinceMs = sinceMsRaw ? Number.parseInt(sinceMsRaw, 10) : Number.NaN;
+            const limit = limitRaw ? Number.parseInt(limitRaw, 10) : Number.NaN;
+            const summary = deps.haltSummaryFn?.({
+                ...(Number.isFinite(sinceMs) && { sinceMs }),
+                ...(Number.isFinite(limit) && { limit }),
+                ...(recipe && { recipe }),
+            }) ?? { total: 0, byCategory: {}, recent: [] };
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify(summary));
+        }
+        catch (err) {
+            respond500(res, err);
+        }
+        return true;
+    }
+    // GET /runs/judge-summary — PR3b sibling of /runs/halt-summary.
+    // Same query shape (sinceMs, limit, recipe), returns JudgeSummary.
+    if (parsedUrl.pathname === "/runs/judge-summary" && req.method === "GET") {
+        try {
+            const sp = parsedUrl.searchParams;
+            const sinceMsRaw = sp.get("sinceMs");
+            const limitRaw = sp.get("limit");
+            const recipe = sp.get("recipe");
+            const sinceMs = sinceMsRaw ? Number.parseInt(sinceMsRaw, 10) : Number.NaN;
+            const limit = limitRaw ? Number.parseInt(limitRaw, 10) : Number.NaN;
+            const summary = deps.judgeSummaryFn?.({
+                ...(Number.isFinite(sinceMs) && { sinceMs }),
+                ...(Number.isFinite(limit) && { limit }),
+                ...(recipe && { recipe }),
+            }) ?? { total: 0, byVerdict: {}, recent: [] };
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify(summary));
+        }
+        catch (err) {
+            respond500(res, err);
+        }
+        return true;
+    }
     // GET /runs/:seq — single run detail (includes stepResults if present)
     const runDetailMatch = req.method === "GET" ? /^\/runs\/(\d+)$/.exec(parsedUrl.pathname) : null;
     if (runDetailMatch?.[1]) {
@@ -540,7 +611,7 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                 res.writeHead(503, { "Content-Type": "application/json" });
                 res.end(JSON.stringify({
                     ok: false,
-                    error: "Recipe generation unavailable — requires --claude-driver subprocess",
+                    error: "Recipe generation unavailable — requires --driver subprocess",
                     unavailable: true,
                 }));
                 return;
@@ -591,6 +662,8 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                     return;
                 }
                 const result = deps.saveRecipeFn(draft);
+                if (result.ok)
+                    fireOnRecipesChanged(deps);
                 res.writeHead(result.ok ? 201 : 400, {
                     "Content-Type": "application/json",
                 });
@@ -670,6 +743,11 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                     return;
                 }
                 const result = deps.setRecipeEnabledFn(name, body.enabled);
+                // Enable/disable changes which cron triggers should fire — the
+                // RecipeScheduler honours the disabled set on every start(), so
+                // re-priming after a toggle picks up the change without a restart.
+                if (result.ok)
+                    fireOnRecipesChanged(deps);
                 res.writeHead(result.ok ? 200 : 400, {
                     "Content-Type": "application/json",
                 });
@@ -806,6 +884,11 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                     return;
                 }
                 const result = deps.saveRecipeContentFn(name, body.content);
+                // Editing recipe YAML can change cron schedule, webhook path,
+                // or trigger type entirely — re-prime the scheduler so the new
+                // shape takes effect without a bridge restart.
+                if (result.ok)
+                    fireOnRecipesChanged(deps);
                 res.writeHead(result.ok ? 200 : 400, {
                     "Content-Type": "application/json",
                 });
@@ -828,6 +911,10 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
             return true;
         }
         const result = deps.deleteRecipeContentFn(name);
+        // Deleting a cron recipe leaves an orphaned interval in the scheduler
+        // until the next start() — re-prime so it goes away.
+        if (result.ok)
+            fireOnRecipesChanged(deps);
         const status = result.ok
             ? 200
             : result.error === "Recipe not found"
@@ -847,6 +934,10 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
             return true;
         }
         const result = deps.archiveRecipeFn(name);
+        // Archiving moves the recipe under .archive/ where the scheduler
+        // ignores it — same orphan-interval cleanup needed as for delete.
+        if (result.ok)
+            fireOnRecipesChanged(deps);
         const status = result.ok
             ? 200
             : result.error === "Recipe not found"
@@ -866,6 +957,10 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
             return true;
         }
         const result = deps.duplicateRecipeFn(name);
+        // Duplication adds a new recipe file to the dir — re-prime so any
+        // cron trigger inside the duplicate starts firing immediately.
+        if (result.ok)
+            fireOnRecipesChanged(deps);
         const status = result.ok
             ? 201
             : result.error === "Recipe not found"
@@ -901,6 +996,10 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                 const result = await deps.promoteRecipeVariantFn(variantName, targetName, {
                     force: force === true,
                 });
+                // Promotion overwrites the canonical file with the variant's
+                // contents — same scheduler refresh story as save/edit.
+                if (result.ok)
+                    fireOnRecipesChanged(deps);
                 const httpStatus = result.ok
                     ? 200
                     : result.targetExists
@@ -993,27 +1092,30 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                 // -----------------------------------------------------------------
                 // BUNDLE INSTALL DISPATCH (#130 PR A).
                 //
-                // `github:patchworkos/recipes/bundles/<name>` installs every recipe
+                // `github:<owner>/<repo>/bundles/<name>` installs every recipe
                 // listed in the bundle's `patchwork-bundle.json`. Plugin (`plugin`)
                 // and policy template (`policy_template`) declared in the manifest
                 // are surfaced as advisory-only — wiring those needs separate
                 // decisions (npm-install surface, policy application UX) tracked
-                // outside this PR. See the #130 scoping comment.
+                // outside this PR.
+                //
+                // Org allowlist (#audit-thread): historically the path was hard-
+                // coded to `patchworkos/recipes`. Now any allowlisted org/repo
+                // can host a bundle; parse + validate via the shared helper so
+                // single-recipe and bundle install share one source-of-truth.
                 // -----------------------------------------------------------------
-                const bundlePrefix = "github:patchworkos/recipes/bundles/";
-                if (source.startsWith(bundlePrefix)) {
-                    const bundleName = source.slice(bundlePrefix.length);
-                    const { isSafeBasename } = await import("./commands/recipeInstall.js");
-                    if (!isSafeBasename(bundleName)) {
-                        res.writeHead(400, { "Content-Type": "application/json" });
-                        res.end(JSON.stringify({
-                            ok: false,
-                            error: "Invalid bundle name in source",
-                            code: "invalid_bundle_name",
-                        }));
-                        return;
-                    }
-                    const manifestUrl = `https://raw.githubusercontent.com/patchworkos/recipes/main/bundles/${bundleName}/patchwork-bundle.json`;
+                const bundleParse = source.startsWith("github:")
+                    ? await (async () => {
+                        const { parseGithubInstallSource } = await import("./recipes/githubInstallSource.js");
+                        return parseGithubInstallSource(source);
+                    })()
+                    : null;
+                if (bundleParse?.ok && bundleParse.parsed.kind === "bundle") {
+                    const { buildGithubRawUrl } = await import("./recipes/githubInstallSource.js");
+                    const bundleName = bundleParse.parsed.name;
+                    const bundleOwner = bundleParse.parsed.owner;
+                    const bundleRepo = bundleParse.parsed.repo;
+                    const manifestUrl = buildGithubRawUrl(bundleParse.parsed);
                     const ctl = new AbortController();
                     const timeout = setTimeout(() => ctl.abort(), 30_000);
                     let manifestRes;
@@ -1072,6 +1174,10 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                         }));
                         return;
                     }
+                    // Validate each declared recipe basename to block traversal +
+                    // junk segments. `isSafeBasename` lives in the legacy recipe-
+                    // install command but the predicate is the right shape here.
+                    const { isSafeBasename } = await import("./commands/recipeInstall.js");
                     if (!Array.isArray(manifest.recipes) ||
                         manifest.recipes.length === 0 ||
                         !manifest.recipes.every((r) => typeof r === "string" && isSafeBasename(r))) {
@@ -1093,7 +1199,10 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                     const recipesDir = path.join(os.homedir(), ".patchwork", "recipes");
                     mkdirSync(recipesDir, { recursive: true });
                     for (const r of manifest.recipes) {
-                        const recipeUrl = `https://raw.githubusercontent.com/patchworkos/recipes/main/recipes/${r}/${r}.yaml`;
+                        // Bundle's manifest is allowed to declare recipes that
+                        // live in the same repo as the bundle. Build the URL with
+                        // the parsed owner/repo, not the hard-coded original.
+                        const recipeUrl = `https://raw.githubusercontent.com/${bundleOwner}/${bundleRepo}/main/recipes/${r}/${r}.yaml`;
                         const recipeCtl = new AbortController();
                         const recipeTimeout = setTimeout(() => recipeCtl.abort(), 30_000);
                         try {
@@ -1155,6 +1264,14 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                     // 200 if any recipe installed; 502 otherwise. Always include both
                     // arrays so callers (CLI + dashboard) can render partial-success.
                     const status = installed.length > 0 ? 200 : 502;
+                    // Notify the scheduler so cron-trigger recipes in the bundle
+                    // start firing without a bridge restart. Fired once per bundle
+                    // (not per recipe inside) since scheduler.start() reads the
+                    // whole recipes dir anyway. Guarded by the partial-success
+                    // check — no point waking up the scheduler for a 0-installed
+                    // failure.
+                    if (installed.length > 0)
+                        fireOnRecipesChanged(deps);
                     res.writeHead(status, { "Content-Type": "application/json" });
                     res.end(JSON.stringify({
                         ok: installed.length > 0,
@@ -1166,24 +1283,40 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                     }));
                     return;
                 }
-                const githubPrefix = "github:patchworkos/recipes/recipes/";
                 let fetchUrl;
                 let recipeName;
-                if (source.startsWith(githubPrefix)) {
-                    recipeName = source.slice(githubPrefix.length);
-                    // The constructed URL is internal — recipeName must be a safe
-                    // single-segment so we don't end up encoding `../etc/passwd` into
-                    // the path. Reuse the strict basename predicate from `recipeInstall`.
-                    const { isSafeBasename } = await import("./commands/recipeInstall.js");
-                    if (!isSafeBasename(recipeName)) {
+                if (source.startsWith("github:")) {
+                    // Parse the new generalised shape (any allowlisted org/repo)
+                    // instead of only `github:patchworkos/recipes/recipes/<name>`.
+                    // Distinguishes bad shape (400) from not-on-allowlist (403)
+                    // so operators can spot a config error vs. a typo.
+                    const { parseGithubInstallSource, buildGithubRawUrl } = await import("./recipes/githubInstallSource.js");
+                    const parsed = parseGithubInstallSource(source);
+                    if (!parsed.ok) {
+                        const status = parsed.code === "not_allowlisted" ? 403 : 400;
+                        res.writeHead(status, { "Content-Type": "application/json" });
+                        res.end(JSON.stringify({
+                            ok: false,
+                            error: parsed.error,
+                            code: parsed.code,
+                        }));
+                        return;
+                    }
+                    // Bundle shape on /recipes/install (single-recipe path) is a
+                    // mistake — surface it explicitly rather than silently fetching
+                    // an unrelated URL. Bundle installs have their own code path
+                    // above this block.
+                    if (parsed.parsed.kind === "bundle") {
                         res.writeHead(400, { "Content-Type": "application/json" });
                         res.end(JSON.stringify({
                             ok: false,
-                            error: "Invalid recipe name in source",
+                            error: "Bundle source on single-recipe install. Use the bundle install path.",
+                            code: "bad_shape",
                         }));
                         return;
                     }
-                    fetchUrl = `https://raw.githubusercontent.com/patchworkos/recipes/main/recipes/${recipeName}/${recipeName}.yaml`;
+                    recipeName = parsed.parsed.name;
+                    fetchUrl = buildGithubRawUrl(parsed.parsed);
                 }
                 else if (source.startsWith("https://")) {
                     // Non-github source: must clear the env-var allowlist AND the SSRF
@@ -1337,7 +1470,46 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                     const installResult = installRecipeFromFile(tmpFile, {
                         recipesDir,
                     });
-                    result = { action: installResult.action, name: recipeName };
+                    // Soft preflight: detect which connectors the recipe uses
+                    // and surface the unconfigured ones as a warning. The recipe
+                    // is already on disk — this is a hint for the dashboard to
+                    // prompt "you'll need to connect Slack + Gmail to run this",
+                    // not a gate on the install itself. Defensive: any failure
+                    // here MUST NOT roll the install back, so the whole block is
+                    // wrapped in try/catch.
+                    let missingConnectors;
+                    try {
+                        const { readFileSync } = await import("node:fs");
+                        const installedJson = readFileSync(installResult.installedPath, "utf-8");
+                        const recipe = JSON.parse(installedJson);
+                        if (Array.isArray(recipe.steps)) {
+                            const { detectRequiredConnectors, findMissingConnectors } = await import("./recipes/connectorPreflight.js");
+                            const required = detectRequiredConnectors(recipe);
+                            if (required.length > 0) {
+                                const { handleConnectionsList } = await import("./connectors/gmail.js");
+                                const connsResult = await handleConnectionsList();
+                                let connections = [];
+                                try {
+                                    const body = JSON.parse(connsResult.body);
+                                    connections = body.connectors ?? [];
+                                }
+                                catch {
+                                    /* malformed body — treat as no connections */
+                                }
+                                const missing = findMissingConnectors(required, connections);
+                                if (missing.length > 0)
+                                    missingConnectors = missing;
+                            }
+                        }
+                    }
+                    catch (preflightErr) {
+                        console.warn(`[recipes/install] connector preflight failed (non-blocking):`, preflightErr);
+                    }
+                    result = {
+                        action: installResult.action,
+                        name: recipeName,
+                        ...(missingConnectors ? { missingConnectors } : {}),
+                    };
                 }
                 finally {
                     try {
@@ -1347,11 +1519,42 @@ export function tryHandleRecipeRoute(req, res, parsedUrl, deps) {
                         // best-effort cleanup
                     }
                 }
+                // Notify the scheduler so the new recipe's cron/webhook trigger
+                // starts firing without a bridge restart. The recipe file is
+                // already on disk (`writeFileSync` above), so the next
+                // `scheduler.start()` will pick it up via its directory scan.
+                // Errors here are logged but never surface to the caller — the
+                // install itself succeeded; a scheduler restart bug must not
+                // make the response look failed.
+                fireOnRecipesChanged(deps);
                 res.writeHead(200, { "Content-Type": "application/json" });
                 res.end(JSON.stringify({ ok: true, ...result }));
             }
             catch (err) {
-                // Truly unexpected — installer crash, manifest validation throw, etc.
+                // Distinguish "the recipe YAML is malformed" (user-actionable, 400)
+                // from "the installer itself crashed" (server bug, 500). Before this
+                // every parser error came back as the same opaque 500 — dashboards
+                // surfaced "Internal server error" with no way to know what was wrong.
+                const errName = err instanceof Error ? err.name : "";
+                const errMsg = err instanceof Error ? err.message : String(err);
+                const isParseError = errName === "RecipeParseError" ||
+                    // js-yaml / the `yaml` package both throw YAMLException / YAMLParseError.
+                    errName === "YAMLException" ||
+                    errName === "YAMLParseError" ||
+                    /yaml/i.test(errName);
+                if (isParseError) {
+                    // Return only the first line of the parser message — strips any
+                    // embedded file path or stack frame that downstream parsers
+                    // sometimes include (CodeQL: js/stack-trace-exposure).
+                    const safeMsg = errMsg.split("\n", 1)[0]?.slice(0, 500) ?? "invalid recipe";
+                    res.writeHead(400, { "Content-Type": "application/json" });
+                    res.end(JSON.stringify({
+                        ok: false,
+                        error: safeMsg,
+                        code: "invalid_recipe",
+                    }));
+                    return;
+                }
                 console.error(`[recipes/install] internal install error:`, err);
                 res.writeHead(500, { "Content-Type": "application/json" });
                 res.end(JSON.stringify({