quorumkit-engine 3.0.0

package/RELEASING.md

@@ -0,0 +1,151 @@
+# QuorumKit Engine — Release Procedure
+
+> **Audience:** maintainers cutting a release of `engine/`. Contributors should not need to read this.
+
+This document is the operational counterpart to `engine/SECURITY.md` and
+the authoritative procedure referenced by FR-010, FR-028, SEC-MED-004,
+and SC-009 in `specs/047-repo-topology/spec.md`.
+
+The engine ships through **two channels**, both released atomically from
+the same `engine/` source on every signed `v*` tag:
+
+1. **GitHub Action ref** — consumers pin via
+   `uses: dmitry-nalivaika/quorumkit/engine@vX.Y.Z` (or `@vX` for floating major).
+2. **npm package `quorumkit-engine`** — published with `--provenance` via
+   OIDC trusted publishing (no `NPM_TOKEN`).
+
+---
+
+## 1. Release prerequisites (one-time setup)
+
+| Setup task | Where | Who |
+|---|---|---|
+| Maintainer GPG key registered with GitHub & in the local keyring | `gpg --import` + `git config user.signingkey <FPR>` + `gpg --export <FPR>` uploaded to GitHub | Maintainer |
+| `release` GitHub Environment with required-reviewer protection rule | Repo Settings → Environments → `release` | Maintainer (admin) |
+| npm "Trusted Publisher" mapping for `quorumkit-engine` | <https://www.npmjs.com/package/quorumkit-engine/access> → Trusted Publishers → add this repo + workflow `engine-release.yml` | Maintainer + npm package owner |
+| Branch-protection on `main` requires PR + verify-mirror green | Repo Settings → Branches → `main` | Maintainer (admin) |
+
+If any of these are missing, the release workflow fails fast — you never
+publish a half-configured artefact by accident.
+
+---
+
+## 2. Release procedure (per release)
+
+```bash
+# 1. Make sure you are on a clean main with the new engine source committed.
+git checkout main && git pull --ff-only
+bash installer/verify-mirror.sh                       # M1–M9 must be green
+(cd engine/orchestrator && npm test)                  # all engine tests pass
+(cd engine && npm ci --ignore-scripts && npm run build)
+git status                                            # MUST be clean (dist/ in sync)
+
+# 2. Bump quorumkit.yml (T-25) and CHANGELOG.md (T-24) in a release PR. Get review
+#    + Security Agent sign-off. Merge.
+
+# 3. Cut a SIGNED tag at the merge commit on main.
+git tag -s v3.0.0 -m "QuorumKit v3.0.0 — three-zone topology + engine distribution"
+git push origin v3.0.0
+
+# 4. The engine-release.yml workflow auto-runs:
+#       a. git verify-tag — refuses unsigned tags
+#       b. rebuild engine/dist/ via ncc — refuses tag → bundle drift
+#       c. npm publish --provenance — OIDC, no NPM_TOKEN
+#       d. github-script creates the GitHub Release with auto-notes
+#    The 'release' Environment requires a maintainer reviewer click before
+#    step (c) runs — that is the supply-chain gate.
+```
+
+A successful run produces:
+
+- A GitHub Release at <https://github.com/dmitry-nalivaika/quorumkit/releases/tag/vX.Y.Z>.
+- An npm package at <https://www.npmjs.com/package/quorumkit-engine/v/X.Y.Z>
+  whose page shows the **"Built and signed on GitHub Actions"** provenance
+  badge with a link to the workflow run that produced it.
+- A signed git tag verifiable with `git verify-tag vX.Y.Z`.
+
+---
+
+## 3. Verifying a release as a downstream user
+
+```bash
+# Action ref (what consumer workflows pin):
+gh api repos/dmitry-nalivaika/quorumkit/git/refs/tags/vX.Y.Z
+
+# Tag signature:
+git fetch --tags
+git verify-tag vX.Y.Z
+
+# npm provenance:
+npm view quorumkit-engine@X.Y.Z --json | jq '.dist'
+# Expect: dist.attestations.provenance is present and signed by the
+#         GitHub Actions OIDC issuer for this repository.
+```
+
+The maintainer's GPG public key fingerprint is published at
+`docs/architecture/adr-047-action-runtime.md` §Verifying-key. Rotate the
+fingerprint there — and only there — when the maintainer's signing key
+changes.
+
+---
+
+## 4. Floating major-version tag (`v3`)
+
+After every patch / minor release on the `v3.x` series, fast-forward the
+floating `v3` tag so consumers pinned to `@v3` automatically receive the
+update:
+
+```bash
+git tag -fs v3 -m "Track v3.0.1"   # signed, force-update
+git push --force origin v3
+```
+
+Floating tags are **only** acceptable for first-party QuorumKit Actions inside
+`templates/github/workflows/`. Third-party Actions remain SHA-pinned per
+FR-031 / mirror gate M9 — Dependabot rotates them.
+
+---
+
+## 5. Rollback
+
+If a release ships a regression:
+
+1. **Yank the npm version** (does not delete; warns installers):
+   ```bash
+   npm deprecate quorumkit-engine@X.Y.Z "Yanked — see #<issue>; upgrade to X.Y.Z+1"
+   ```
+2. **Re-publish the prior known-good** as the latest dist-tag:
+   ```bash
+   npm dist-tag add quorumkit-engine@X.Y.(Z-1) latest
+   ```
+3. **Move the floating major tag back** so consumers pinned to `@v3`
+   pick up the rollback on their next workflow run:
+   ```bash
+   git tag -fs v3 -m "Rollback to vX.Y.(Z-1)" <good-commit-sha>
+   git push --force origin v3
+   ```
+4. Open an incident issue with the `incident` label so the Incident Agent
+   timestamps the postmortem (per `.apm/agents/incident-agent.md`).
+5. Cut a fixed `vX.Y.(Z+1)` per §2 once the regression is patched.
+
+`npm unpublish` is **forbidden** — it breaks reproducibility for any
+consumer who already pinned to the bad version. Always deprecate + supersede.
+
+---
+
+## 6. Disaster recovery — fallback NPM token (SEC-HIGH-001)
+
+If npm trusted publishing is unavailable (e.g. a registry-side outage or
+the maintainer needs to publish from an air-gapped host), and only then,
+a fallback token MAY be used under the following constraints:
+
+- **Granular**, package-scoped (`quorumkit-engine` only), publish-only.
+- **≤90-day expiry** — never rotated to a longer lifetime.
+- Stored in the `release` GitHub Environment **only**; never in repo
+  secrets, never in `.env`, never in a maintainer's shell history.
+- Rotation owner: the maintainer named in `quorumkit.yml` `owner.npm`.
+- Each use of the fallback MUST be paired with a public Security Agent
+  comment on the corresponding incident issue.
+
+Removing the fallback token after the trusted-publishing path is restored
+is the responsibility of the same maintainer.

package/SECURITY.md

@@ -0,0 +1,82 @@
+# QuorumKit Engine — Security & Permissions
+
+> **Audience:** consumer-repo maintainers wiring `uses: dmitry-nalivaika/quorumkit/engine@<sha>` into a workflow, and QuorumKit contributors changing engine behaviour.
+
+This document is the security contract of the QuorumKit engine Action. It is
+authoritative for FR-014, ADR-047 amendment §4, and SEC-MED-001. Every
+permission the engine consumes MUST appear in the table below with a
+written justification; reviewers reject changes that broaden the table
+without a paired spec amendment.
+
+---
+
+## 1. Default permission posture
+
+The engine declares **zero** permissions in `engine/action.yml`. Permissions
+are granted at the **call site** by each consumer workflow. The minimum
+viable token for a feature pipeline is:
+
+```yaml
+permissions:
+  contents: read         # default — required for actions/checkout
+  issues: write          # post audit comments, update labels
+  pull-requests: write   # comment on PRs and update review state
+  actions: read          # read workflow_run payloads
+```
+
+The engine **MUST NOT** be invoked with `permissions: write-all`.
+`installer/init.sh --upgrade` (T-20) refuses to broaden the consumer's
+existing `permissions:` block.
+
+---
+
+## 2. Per-scope justification table
+
+| Scope                  | Default access | Why the engine needs it                                                                                                                | When to omit                                                  |
+| ---------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| `contents: read`       | required       | `actions/checkout` reads the consumer repo to load `.apm/pipelines/`, `.apm/agents/`, and other SoT files.                              | never — without this the engine cannot start.                 |
+| `contents: write`      | **off**        | Only enable for consumer pipelines that include a step writing files via the orchestrator (e.g. dashboard regen). Most pipelines don't. | default — keep `contents: read`.                              |
+| `issues: write`        | required       | Post audit comments (FR-026, ADR-002), `<QUORUMKIT-LIVE-STATUS>` updates, and label changes that drive the state machine.                     | only if the consumer does not use issue-driven pipelines.     |
+| `pull-requests: write` | required       | Comment on PR threads, update review labels, and post timeline reconstructions.                                                          | only if the consumer disables PR-triggered pipelines.         |
+| `actions: read`        | required       | Read `workflow_run` payloads to recover issue context (ADR-007 §6) and to re-correlate audit comments after agent failures.             | only if the pipeline never depends on `workflow_run` events.  |
+| `actions: write`       | **off**        | Never required by the engine itself. Forbid in consumer workflows unless a custom step explicitly needs `gh workflow run` capability.    | always — no engine code path requests it.                     |
+| `id-token: write`      | release-only   | Used **only** by the engine's own release workflow (`engine-release.yml`) for OIDC-trusted npm publishing. Never granted to consumer workflows. | always for consumers.                                       |
+| `packages: read/write` | **off**        | The engine does not pull or push packages from `ghcr.io`.                                                                                | always — keep off.                                           |
+| `deployments: write`   | **off**        | The engine never creates a Deployment resource.                                                                                          | always — keep off.                                           |
+| `security-events: write` | **off**       | Code scanning / Dependabot is enforced by `dependabot.yml` and the GitHub-hosted scanners, not by the engine.                            | always — keep off.                                           |
+
+---
+
+## 3. Threat model snapshot (SEC-MED-001 / SEC-HIGH-001)
+
+| Threat                                                          | Mitigation                                                                                                                                       | Tracked in                            |
+| --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
+| Compromised third-party `uses:` ref                             | All third-party Actions SHA-pinned (FR-031, M9 mirror gate). Dependabot opens PRs for tag→SHA rotation.                                            | `installer/verify-mirror.sh` M9       |
+| Untrusted YAML in `.apm/pipelines/**` deserialising arbitrary code | `yaml.load` pinned to `CORE_SCHEMA`; tag-aware loaders banned. Negative test: `engine/tests/api-version.test.js` `!!js/function` case.            | FR-013, T-10                          |
+| Pipeline declares `apiVersion` newer than the pinned engine     | `assertApiVersionSupported` fails fast with a remediation message naming both versions.                                                          | FR-013, T-10                          |
+| Workflow run with `permissions: write-all` (CWE-732 over-grant) | `installer/init.sh --upgrade` refuses to widen `permissions:` blocks; engine itself requests nothing.                                            | FR-024, SEC-MED-002, T-20             |
+| Long-lived `NPM_TOKEN` in repo secrets                          | Release workflow uses **OIDC trusted publishing + `npm publish --provenance`**; no `NPM_TOKEN` ever written to env.                              | SEC-HIGH-001, T-12                    |
+| Tampered release artefact                                       | Signed `v*` tags + SLSA build provenance attached by `npm publish --provenance`. Verifying key documented in `engine/RELEASING.md`.              | SC-009, SEC-MED-004, T-12, T-23       |
+| Engine-bundle drift (unreviewed `dist/` change)                 | `engine-build-gate.yml` rebuilds via `ncc` on every PR touching `engine/**` and fails if `git diff --quiet engine/dist/` is non-empty.            | FR-009, T-09                          |
+
+---
+
+## 4. Reporting a vulnerability
+
+Use GitHub's private vulnerability reporting on this repository
+(<https://github.com/dmitry-nalivaika/quorumkit/security>) — do **not** open a
+public issue. The Security Agent owns triage SLA and CVE assignment per
+`SECURITY.md` at the repo root.
+
+---
+
+## 5. Change-control rules
+
+1. **Adding a permission scope to the table above** requires a paired
+   spec change (`specs/047-repo-topology/spec.md` or a successor) and
+   Security Agent sign-off on the PR.
+2. **Removing a scope** requires a deprecation note in `CHANGELOG.md`
+   and a major-version bump if any documented consumer pipeline used it.
+3. **Tag-aware YAML loading is forbidden** — any reintroduction of
+   `yaml.load(raw)` without `{ schema: yaml.CORE_SCHEMA }` (or stricter)
+   is a Security Agent veto.

package/action.yml

@@ -0,0 +1,25 @@
+# =============================================================================
+# QuorumKit Engine — Composite GitHub Action (Issue #47, ADR-047 amendment §1)
+#
+# Runtime: Node 20 (FR-008, AR-D §6).
+# Bundle:  dist/index.js — produced by `npm run build` (ncc) and committed
+#          (FR-009). CI re-runs the build and fails if `git diff --quiet
+#          dist/` is non-empty (engine-build-gate workflow).
+#
+# Inputs: none — the engine reads everything from the GitHub event payload
+#         and the consumer-side `.apm/` SoT directory (ADR-006 §3).
+# Permissions: declared per-call by the consumer workflow; this Action does
+#              NOT request any. The minimum-viable scope is `contents: read`
+#              + `issues: write` + `pull-requests: write` (engine/SECURITY.md).
+# =============================================================================
+name: 'QuorumKit Engine'
+description: 'Run the QuorumKit autonomous-agent orchestrator on a GitHub event payload.'
+author: 'QuorumKit contributors'
+
+branding:
+  icon: 'cpu'
+  color: 'purple'
+
+runs:
+  using: 'node20'
+  main: 'dist/index.js'

package/dist/212.index.js

@@ -0,0 +1,171 @@
+export const id = 212;
+export const ids = [212,563];
+export const modules = {
+
+/***/ 3563:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   isRetryable: () => (/* binding */ isRetryable),
+/* harmony export */   withRetry: () => (/* binding */ withRetry)
+/* harmony export */ });
+/**
+ * runtimes/_retry.js
+ * Bounded exponential-backoff retry helper shared by all runtime adapters
+ * (ADR-007 §8, FR-030).
+ *
+ * Policy (defaults): 3 attempts, base 2 s, jitter ±25 %, max wait 30 s total.
+ * Retries are triggered by network errors, HTTP 5xx, and HTTP 429 (rate-limit).
+ * Non-retryable errors are rethrown immediately.
+ *
+ * Returns the function's resolved value plus the number of retries used,
+ * so the caller can record `runtime_retries` in the audit comment without
+ * counting the invocation as a separate loop-budget iteration.
+ */
+
+const DEFAULT_OPTS = Object.freeze({
+  maxAttempts: 3,
+  baseMs: 2_000,
+  maxTotalMs: 30_000,
+  jitter: 0.25,
+});
+
+/**
+ * Determine whether an error is retryable.
+ * @param {any} err
+ * @returns {boolean}
+ */
+function isRetryable(err) {
+  if (!err) return false;
+  // Octokit / fetch error styles
+  if (err.status === 429) return true;
+  if (typeof err.status === 'number' && err.status >= 500 && err.status < 600) return true;
+  // Node fetch network errors
+  const code = err.code ?? err.cause?.code;
+  if (code && /^(ECONNRESET|ETIMEDOUT|ENETUNREACH|EAI_AGAIN|UND_ERR_SOCKET)$/.test(code)) return true;
+  if (typeof err.message === 'string' && /timeout|network/i.test(err.message)) return true;
+  return false;
+}
+
+/**
+ * Run `fn` with bounded exponential backoff.
+ *
+ * @template T
+ * @param {() => Promise<T>} fn
+ * @param {object} [options]
+ * @param {object} [options.clock] - injectable clock { now(): number, sleep(ms): Promise<void> }
+ * @returns {Promise<{ value: T, retries: number }>}
+ */
+async function withRetry(fn, options = {}) {
+  const opts = { ...DEFAULT_OPTS, ...options };
+  const clock = options.clock ?? defaultClock;
+
+  const start = clock.now();
+  let attempt = 0;
+  let lastError;
+
+  while (attempt < opts.maxAttempts) {
+    try {
+      const value = await fn();
+      return { value, retries: attempt };
+    } catch (err) {
+      lastError = err;
+      attempt += 1;
+      if (!isRetryable(err) || attempt >= opts.maxAttempts) break;
+
+      const elapsed = clock.now() - start;
+      if (elapsed >= opts.maxTotalMs) break;
+
+      const exp = Math.pow(2, attempt - 1) * opts.baseMs;
+      const jitter = exp * opts.jitter * (Math.random() * 2 - 1);
+      const wait = Math.max(0, Math.min(exp + jitter, opts.maxTotalMs - elapsed));
+      await clock.sleep(wait);
+    }
+  }
+
+  throw lastError;
+}
+
+const defaultClock = {
+  now: () => Date.now(),
+  sleep: ms => new Promise(r => setTimeout(r, ms)),
+};
+
+
+/***/ }),
+
+/***/ 1212:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   KIND: () => (/* binding */ KIND),
+/* harmony export */   invoke: () => (/* binding */ invoke),
+/* harmony export */   requiredPermissions: () => (/* binding */ requiredPermissions)
+/* harmony export */ });
+/* harmony import */ var _retry_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3563);
+/**
+ * runtimes/claude.js
+ * Adapter for the Claude (Anthropic) runtime kind (ADR-005, ADR-002).
+ *
+ * Dispatches the agent's Claude workflow file (`agent-<slug>.yml`) through
+ * the supplied client. Mirrors copilot.js with a smaller required-permissions
+ * set (no `models:` scope — Claude calls go to api.anthropic.com).
+ */
+
+
+
+const KIND = 'claude';
+
+const requiredPermissions = Object.freeze({
+  contents: 'read',
+  issues: 'write',
+  'pull-requests': 'write',
+});
+
+function resolveCredential(runtime, env = process.env) {
+  const ref = runtime.credential_ref;
+  if (!ref) {
+    const e = new Error('runtime-credential-missing');
+    e.code = 'runtime-credential-missing';
+    e.credential_ref = '(none declared)';
+    throw e;
+  }
+  const value = env[ref];
+  if (!value) {
+    const e = new Error('runtime-credential-missing');
+    e.code = 'runtime-credential-missing';
+    e.credential_ref = ref;
+    throw e;
+  }
+  return value;
+}
+
+async function invoke(context) {
+  const env = context.env ?? process.env;
+  resolveCredential(context.runtime, env);
+
+  const workflow = `agent-${context.agent}.yml`;
+  const dispatchRef = context.ref ?? 'main';
+  const inputs = {
+    issue_number: String(context.issueNumber),
+    run_id: context.runId ?? '',
+    step: context.step ?? '',
+    iteration: String(context.iteration ?? 1),
+    runtime: context.runtimeName ?? '',
+  };
+
+  const { retries } = await (0,_retry_js__WEBPACK_IMPORTED_MODULE_0__.withRetry)(
+    () => context.client.triggerWorkflow(context.owner, context.repo, workflow, dispatchRef, inputs),
+    { clock: context.clock }
+  );
+  return { dispatched: true, retries, workflow };
+}
+
+
+/***/ })
+
+};
+
+//# sourceMappingURL=212.index.js.map

package/dist/212.index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"212.index.js","mappings":";;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;;;;;;;;;;;;;AChFA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","sources":[".././orchestrator/runtimes/_retry.js",".././orchestrator/runtimes/claude.js"],"sourcesContent":["/**\n * runtimes/_retry.js\n * Bounded exponential-backoff retry helper shared by all runtime adapters\n * (ADR-007 §8, FR-030).\n *\n * Policy (defaults): 3 attempts, base 2 s, jitter ±25 %, max wait 30 s total.\n * Retries are triggered by network errors, HTTP 5xx, and HTTP 429 (rate-limit).\n * Non-retryable errors are rethrown immediately.\n *\n * Returns the function's resolved value plus the number of retries used,\n * so the caller can record `runtime_retries` in the audit comment without\n * counting the invocation as a separate loop-budget iteration.\n */\n\nconst DEFAULT_OPTS = Object.freeze({\n  maxAttempts: 3,\n  baseMs: 2_000,\n  maxTotalMs: 30_000,\n  jitter: 0.25,\n});\n\n/**\n * Determine whether an error is retryable.\n * @param {any} err\n * @returns {boolean}\n */\nexport function isRetryable(err) {\n  if (!err) return false;\n  // Octokit / fetch error styles\n  if (err.status === 429) return true;\n  if (typeof err.status === 'number' && err.status >= 500 && err.status < 600) return true;\n  // Node fetch network errors\n  const code = err.code ?? err.cause?.code;\n  if (code && /^(ECONNRESET|ETIMEDOUT|ENETUNREACH|EAI_AGAIN|UND_ERR_SOCKET)$/.test(code)) return true;\n  if (typeof err.message === 'string' && /timeout|network/i.test(err.message)) return true;\n  return false;\n}\n\n/**\n * Run `fn` with bounded exponential backoff.\n *\n * @template T\n * @param {() => Promise<T>} fn\n * @param {object} [options]\n * @param {object} [options.clock] - injectable clock { now(): number, sleep(ms): Promise<void> }\n * @returns {Promise<{ value: T, retries: number }>}\n */\nexport async function withRetry(fn, options = {}) {\n  const opts = { ...DEFAULT_OPTS, ...options };\n  const clock = options.clock ?? defaultClock;\n\n  const start = clock.now();\n  let attempt = 0;\n  let lastError;\n\n  while (attempt < opts.maxAttempts) {\n    try {\n      const value = await fn();\n      return { value, retries: attempt };\n    } catch (err) {\n      lastError = err;\n      attempt += 1;\n      if (!isRetryable(err) || attempt >= opts.maxAttempts) break;\n\n      const elapsed = clock.now() - start;\n      if (elapsed >= opts.maxTotalMs) break;\n\n      const exp = Math.pow(2, attempt - 1) * opts.baseMs;\n      const jitter = exp * opts.jitter * (Math.random() * 2 - 1);\n      const wait = Math.max(0, Math.min(exp + jitter, opts.maxTotalMs - elapsed));\n      await clock.sleep(wait);\n    }\n  }\n\n  throw lastError;\n}\n\nconst defaultClock = {\n  now: () => Date.now(),\n  sleep: ms => new Promise(r => setTimeout(r, ms)),\n};\n","/**\n * runtimes/claude.js\n * Adapter for the Claude (Anthropic) runtime kind (ADR-005, ADR-002).\n *\n * Dispatches the agent's Claude workflow file (`agent-<slug>.yml`) through\n * the supplied client. Mirrors copilot.js with a smaller required-permissions\n * set (no `models:` scope — Claude calls go to api.anthropic.com).\n */\n\nimport { withRetry } from './_retry.js';\n\nexport const KIND = 'claude';\n\nexport const requiredPermissions = Object.freeze({\n  contents: 'read',\n  issues: 'write',\n  'pull-requests': 'write',\n});\n\nfunction resolveCredential(runtime, env = process.env) {\n  const ref = runtime.credential_ref;\n  if (!ref) {\n    const e = new Error('runtime-credential-missing');\n    e.code = 'runtime-credential-missing';\n    e.credential_ref = '(none declared)';\n    throw e;\n  }\n  const value = env[ref];\n  if (!value) {\n    const e = new Error('runtime-credential-missing');\n    e.code = 'runtime-credential-missing';\n    e.credential_ref = ref;\n    throw e;\n  }\n  return value;\n}\n\nexport async function invoke(context) {\n  const env = context.env ?? process.env;\n  resolveCredential(context.runtime, env);\n\n  const workflow = `agent-${context.agent}.yml`;\n  const dispatchRef = context.ref ?? 'main';\n  const inputs = {\n    issue_number: String(context.issueNumber),\n    run_id: context.runId ?? '',\n    step: context.step ?? '',\n    iteration: String(context.iteration ?? 1),\n    runtime: context.runtimeName ?? '',\n  };\n\n  const { retries } = await withRetry(\n    () => context.client.triggerWorkflow(context.owner, context.repo, workflow, dispatchRef, inputs),\n    { clock: context.clock }\n  );\n  return { dispatched: true, retries, workflow };\n}\n"],"names":[],"sourceRoot":""}

package/dist/563.index.js

@@ -0,0 +1,100 @@
+export const id = 563;
+export const ids = [563];
+export const modules = {
+
+/***/ 3563:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   isRetryable: () => (/* binding */ isRetryable),
+/* harmony export */   withRetry: () => (/* binding */ withRetry)
+/* harmony export */ });
+/**
+ * runtimes/_retry.js
+ * Bounded exponential-backoff retry helper shared by all runtime adapters
+ * (ADR-007 §8, FR-030).
+ *
+ * Policy (defaults): 3 attempts, base 2 s, jitter ±25 %, max wait 30 s total.
+ * Retries are triggered by network errors, HTTP 5xx, and HTTP 429 (rate-limit).
+ * Non-retryable errors are rethrown immediately.
+ *
+ * Returns the function's resolved value plus the number of retries used,
+ * so the caller can record `runtime_retries` in the audit comment without
+ * counting the invocation as a separate loop-budget iteration.
+ */
+
+const DEFAULT_OPTS = Object.freeze({
+  maxAttempts: 3,
+  baseMs: 2_000,
+  maxTotalMs: 30_000,
+  jitter: 0.25,
+});
+
+/**
+ * Determine whether an error is retryable.
+ * @param {any} err
+ * @returns {boolean}
+ */
+function isRetryable(err) {
+  if (!err) return false;
+  // Octokit / fetch error styles
+  if (err.status === 429) return true;
+  if (typeof err.status === 'number' && err.status >= 500 && err.status < 600) return true;
+  // Node fetch network errors
+  const code = err.code ?? err.cause?.code;
+  if (code && /^(ECONNRESET|ETIMEDOUT|ENETUNREACH|EAI_AGAIN|UND_ERR_SOCKET)$/.test(code)) return true;
+  if (typeof err.message === 'string' && /timeout|network/i.test(err.message)) return true;
+  return false;
+}
+
+/**
+ * Run `fn` with bounded exponential backoff.
+ *
+ * @template T
+ * @param {() => Promise<T>} fn
+ * @param {object} [options]
+ * @param {object} [options.clock] - injectable clock { now(): number, sleep(ms): Promise<void> }
+ * @returns {Promise<{ value: T, retries: number }>}
+ */
+async function withRetry(fn, options = {}) {
+  const opts = { ...DEFAULT_OPTS, ...options };
+  const clock = options.clock ?? defaultClock;
+
+  const start = clock.now();
+  let attempt = 0;
+  let lastError;
+
+  while (attempt < opts.maxAttempts) {
+    try {
+      const value = await fn();
+      return { value, retries: attempt };
+    } catch (err) {
+      lastError = err;
+      attempt += 1;
+      if (!isRetryable(err) || attempt >= opts.maxAttempts) break;
+
+      const elapsed = clock.now() - start;
+      if (elapsed >= opts.maxTotalMs) break;
+
+      const exp = Math.pow(2, attempt - 1) * opts.baseMs;
+      const jitter = exp * opts.jitter * (Math.random() * 2 - 1);
+      const wait = Math.max(0, Math.min(exp + jitter, opts.maxTotalMs - elapsed));
+      await clock.sleep(wait);
+    }
+  }
+
+  throw lastError;
+}
+
+const defaultClock = {
+  now: () => Date.now(),
+  sleep: ms => new Promise(r => setTimeout(r, ms)),
+};
+
+
+/***/ })
+
+};
+
+//# sourceMappingURL=563.index.js.map

package/dist/563.index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"563.index.js","mappings":";;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","sources":[".././orchestrator/runtimes/_retry.js"],"sourcesContent":["/**\n * runtimes/_retry.js\n * Bounded exponential-backoff retry helper shared by all runtime adapters\n * (ADR-007 §8, FR-030).\n *\n * Policy (defaults): 3 attempts, base 2 s, jitter ±25 %, max wait 30 s total.\n * Retries are triggered by network errors, HTTP 5xx, and HTTP 429 (rate-limit).\n * Non-retryable errors are rethrown immediately.\n *\n * Returns the function's resolved value plus the number of retries used,\n * so the caller can record `runtime_retries` in the audit comment without\n * counting the invocation as a separate loop-budget iteration.\n */\n\nconst DEFAULT_OPTS = Object.freeze({\n  maxAttempts: 3,\n  baseMs: 2_000,\n  maxTotalMs: 30_000,\n  jitter: 0.25,\n});\n\n/**\n * Determine whether an error is retryable.\n * @param {any} err\n * @returns {boolean}\n */\nexport function isRetryable(err) {\n  if (!err) return false;\n  // Octokit / fetch error styles\n  if (err.status === 429) return true;\n  if (typeof err.status === 'number' && err.status >= 500 && err.status < 600) return true;\n  // Node fetch network errors\n  const code = err.code ?? err.cause?.code;\n  if (code && /^(ECONNRESET|ETIMEDOUT|ENETUNREACH|EAI_AGAIN|UND_ERR_SOCKET)$/.test(code)) return true;\n  if (typeof err.message === 'string' && /timeout|network/i.test(err.message)) return true;\n  return false;\n}\n\n/**\n * Run `fn` with bounded exponential backoff.\n *\n * @template T\n * @param {() => Promise<T>} fn\n * @param {object} [options]\n * @param {object} [options.clock] - injectable clock { now(): number, sleep(ms): Promise<void> }\n * @returns {Promise<{ value: T, retries: number }>}\n */\nexport async function withRetry(fn, options = {}) {\n  const opts = { ...DEFAULT_OPTS, ...options };\n  const clock = options.clock ?? defaultClock;\n\n  const start = clock.now();\n  let attempt = 0;\n  let lastError;\n\n  while (attempt < opts.maxAttempts) {\n    try {\n      const value = await fn();\n      return { value, retries: attempt };\n    } catch (err) {\n      lastError = err;\n      attempt += 1;\n      if (!isRetryable(err) || attempt >= opts.maxAttempts) break;\n\n      const elapsed = clock.now() - start;\n      if (elapsed >= opts.maxTotalMs) break;\n\n      const exp = Math.pow(2, attempt - 1) * opts.baseMs;\n      const jitter = exp * opts.jitter * (Math.random() * 2 - 1);\n      const wait = Math.max(0, Math.min(exp + jitter, opts.maxTotalMs - elapsed));\n      await clock.sleep(wait);\n    }\n  }\n\n  throw lastError;\n}\n\nconst defaultClock = {\n  now: () => Date.now(),\n  sleep: ms => new Promise(r => setTimeout(r, ms)),\n};\n"],"names":[],"sourceRoot":""}