sentinelayer-cli 0.8.11 → 0.9.0

package/src/review/investor-dd-orchestrator.js

@@ -37,6 +37,8 @@ import {
 import { notifyRunCompleted } from "./investor-dd-notification.js";
 import { attachReproducibilityChain } from "./reproducibility-chain.js";
 import { renderInvestorDdHtml } from "./investor-dd-html-report.js";
+import { runDevTestBotPhase } from "./investor-dd-devtestbot.js";
+import { redactDdEmailError } from "./dd-report-email-client.js";
 
 const INVESTOR_DD_PERSONAS = Object.freeze([
   "security",
@@ -164,10 +166,95 @@ function buildSummaryMarkdown({ runId, summary, routing, byPersona }) {
     lines.push(`- **${sev}**: ${count}`);
   }
   lines.push("");
+  if (summary.devTestBot) {
+    lines.push("## devTestBot");
+    lines.push("");
+    lines.push(`- Skipped: ${summary.devTestBot.skipped ? "yes" : "no"}`);
+    lines.push(`- Subagents: ${summary.devTestBot.swarmCount || 0}`);
+    lines.push(`- Identities: ${summary.devTestBot.identityCount || 0}`);
+    lines.push(`- Findings: ${summary.devTestBot.findingCount || 0}`);
+    lines.push(`- Artifacts: ${summary.devTestBot.artifactRoot || "n/a"}`);
+    lines.push("");
+  }
   lines.push(`Total: ${allFindings.length}`);
   return lines.join("\n");
 }
 
+async function triggerReportEmail({ reportEmail, runResult, dryRun, emit }) {
+  const to = String(reportEmail?.to || "").trim();
+  if (!to) return null;
+
+  if (dryRun && reportEmail.skipWhenDryRun !== false) {
+    const result = { queued: false, skipped: true, runId: runResult.runId, to, code: "DD_EMAIL_DRY_RUN" };
+    emit({
+      type: "dd_email_skipped",
+      event: "dd_email_skipped",
+      runId: runResult.runId,
+      to,
+      reason: "dry_run",
+    });
+    return result;
+  }
+
+  const client = reportEmail.client;
+  if (!client || typeof client.send !== "function") {
+    const result = { queued: false, runId: runResult.runId, to, code: "DD_EMAIL_CLIENT_MISSING" };
+    emit({
+      type: "dd_email_error",
+      event: "dd_email_error",
+      runId: runResult.runId,
+      to,
+      code: result.code,
+      error: "DD report email client is not configured.",
+    });
+    return result;
+  }
+
+  try {
+    const result = await client.send({ runId: runResult.runId, to, run: runResult });
+    if (result?.queued) {
+      emit({
+        type: "dd_email_queued",
+        event: "dd_email_queued",
+        runId: String(result.runId || runResult.runId),
+        to: String(result.to || to),
+        messageId: result.messageId || "",
+        replay: Boolean(result.replay),
+        sent: result.sent !== false,
+      });
+      return result;
+    }
+
+    emit({
+      type: "dd_email_error",
+      event: "dd_email_error",
+      runId: runResult.runId,
+      to,
+      code: String(result?.code || "DD_EMAIL_FAILED"),
+      status: Number(result?.status || 0),
+      error: redactDdEmailError(result?.error || "DD report email request failed."),
+    });
+    return result || { queued: false, runId: runResult.runId, to };
+  } catch (err) {
+    const result = {
+      queued: false,
+      runId: runResult.runId,
+      to,
+      code: "DD_EMAIL_EXCEPTION",
+      error: redactDdEmailError(err instanceof Error ? err.message : String(err)),
+    };
+    emit({
+      type: "dd_email_error",
+      event: "dd_email_error",
+      runId: runResult.runId,
+      to,
+      code: result.code,
+      error: result.error,
+    });
+    return result;
+  }
+}
+
 /**
  * Run the investor-DD orchestration end to end.
  *
@@ -183,6 +270,10 @@ function buildSummaryMarkdown({ runId, summary, routing, byPersona }) {
  * @param {object} [params.liveValidator.devTestBot]    - DevTestBot client.
  * @param {object} [params.liveValidator.aidenid]       - AIdenID client.
  * @param {number} [params.liveValidator.maxInteractions]
+ * @param {object|false} [params.devTestBot]     - Automated devTestBot phase config.
+ * @param {object|null} [params.reportEmail]     - Optional API-side report email trigger.
+ * @param {string} [params.reportEmail.to]
+ * @param {object} [params.reportEmail.client]   - { send({ runId, to, run }) }.
  * @param {object} [params.notification]         - Optional notification config.
  * @param {string} [params.notification.notifyEmail]
  * @param {object} [params.notification.emailClient]
@@ -198,6 +289,8 @@ export async function runInvestorDd({
   dryRun = false,
   compliancePacks = COMPLIANCE_PACK_CATALOG,
   liveValidator = null,
+  devTestBot = {},
+  reportEmail = null,
   notification = null,
 } = {}) {
   if (!rootPath) throw new TypeError("runInvestorDd requires rootPath");
@@ -207,6 +300,10 @@ export async function runInvestorDd({
   const artifactBase = outputDir
     ? path.resolve(outputDir, runId, INVESTOR_DD_ARTIFACT_SUBDIR)
     : path.resolve(rootPath, ".sentinelayer", "runs", runId, INVESTOR_DD_ARTIFACT_SUBDIR);
+  const runRoot = path.dirname(artifactBase);
+  const outputRoot = outputDir
+    ? path.resolve(outputDir)
+    : path.resolve(rootPath, ".sentinelayer");
   await fsp.mkdir(artifactBase, { recursive: true });
 
   const streamPath = path.join(artifactBase, "stream.ndjson");
@@ -244,9 +341,11 @@ export async function runInvestorDd({
   let terminationReason = "ok";
   let reconciliationAvailable = false;
   let compliance = null;
+  let devTestBotPhase = null;
+  let budgetState = null;
 
   if (!dryRun) {
-    const budgetState = createBudgetState({
+    budgetState = createBudgetState({
       maxUsd: resolvedBudget.maxCostUsd,
       maxRuntimeMs: resolvedBudget.maxRuntimeMinutes * 60_000,
     });
@@ -274,6 +373,20 @@ export async function runInvestorDd({
       totalGaps: compliance.totalGaps,
     });
 
+    devTestBotPhase = await runDevTestBotPhase({
+      runId,
+      rootPath,
+      outputRoot,
+      runRoot,
+      artifactDir: artifactBase,
+      files,
+      findings,
+      budget: budgetState,
+      options: devTestBot === false ? { enabled: false } : devTestBot || {},
+      onEvent: emit,
+    });
+    findings.push(...(devTestBotPhase.findings || []));
+
     // Live-web validation (Jules): optional; only runs when both
     // devTestBot + aidenid clients are supplied (pluggable contracts).
     if (
@@ -346,6 +459,16 @@ export async function runInvestorDd({
       ? { totalCovered: compliance.totalCovered, totalGaps: compliance.totalGaps }
       : null,
     reconciliation: reconciliationAvailable,
+    devTestBot: devTestBotPhase
+      ? {
+          skipped: Boolean(devTestBotPhase.skipped),
+          reason: devTestBotPhase.reason || "",
+          identityCount: devTestBotPhase.plan?.identityCount || devTestBotPhase.identities?.length || 0,
+          swarmCount: devTestBotPhase.plan?.swarmCount || devTestBotPhase.subagents?.length || 0,
+          findingCount: devTestBotPhase.findingCount || 0,
+          artifactRoot: devTestBotPhase.artifactRoot || "",
+        }
+      : null,
   };
   await writeJson(path.join(artifactBase, "summary.json"), summary);
 
@@ -369,6 +492,17 @@ export async function runInvestorDd({
     durationSeconds,
     terminationReason,
   });
+
+  const runResult = { runId, artifactDir: artifactBase, summary, findings, devTestBot: devTestBotPhase };
+  if (reportEmail) {
+    runResult.reportEmail = await triggerReportEmail({
+      reportEmail,
+      runResult,
+      dryRun,
+      emit,
+    });
+  }
+
   await streamHandle.close();
 
   const artifactFiles = await fsp.readdir(artifactBase);
@@ -385,8 +519,6 @@ export async function runInvestorDd({
   }
   await writeJson(path.join(artifactBase, "manifest.json"), manifest);
 
-  const runResult = { runId, artifactDir: artifactBase, summary, findings };
-
   // Fire-and-forget notification dispatch (email + dashboard). Failures
   // are non-fatal — the report is already persisted to disk + manifest.
   if (notification && (notification.emailClient || notification.dashboardClient)) {

package/src/review/omargate-cache.js

@@ -0,0 +1,285 @@
+import fsp from "node:fs/promises";
+import path from "node:path";
+
+import { resolveOutputRoot } from "../config/service.js";
+
+const CACHE_SCHEMA_VERSION = "1.0.0";
+const CACHE_KIND = "omargate-deterministic-cache";
+const LATEST_INDEX_NAME = "latest-omargate.json";
+
+function normalizeString(value) {
+  return String(value || "").trim();
+}
+
+function normalizeTargetPath(value) {
+  return path.resolve(String(value || "."));
+}
+
+function normalizeSummary(value = {}) {
+  const summary = value && typeof value === "object" ? value : {};
+  const P0 = Math.max(0, Math.floor(Number(summary.P0 || 0)));
+  const P1 = Math.max(0, Math.floor(Number(summary.P1 || 0)));
+  const P2 = Math.max(0, Math.floor(Number(summary.P2 || 0)));
+  const P3 = Math.max(0, Math.floor(Number(summary.P3 || 0)));
+  return {
+    P0,
+    P1,
+    P2,
+    P3,
+    blocking: summary.blocking === undefined ? P0 > 0 || P1 > 0 : Boolean(summary.blocking),
+  };
+}
+
+function sanitizeRunId(value) {
+  const normalized = normalizeString(value);
+  if (!normalized) {
+    return "";
+  }
+  return normalized.replace(/[^A-Za-z0-9._-]/g, "-").replace(/^-+|-+$/g, "");
+}
+
+function isSafeRequestedRunId(requested, sanitized) {
+  return Boolean(requested) && requested === sanitized && sanitized !== "." && sanitized !== "..";
+}
+
+function deterministicCachePath(outputRoot, runId) {
+  return path.join(outputRoot, "runs", runId, "deterministic.json");
+}
+
+async function readJsonFile(filePath) {
+  const content = await fsp.readFile(filePath, "utf-8");
+  return JSON.parse(content);
+}
+
+function isCacheForTarget(cache, normalizedTargetPath) {
+  const cacheTarget = normalizeString(cache?.targetPath);
+  if (!cacheTarget) {
+    return false;
+  }
+  return path.resolve(cacheTarget) === normalizedTargetPath;
+}
+
+function buildMissingResult({ outputRoot, requested = "latest", reason = "not_found" } = {}) {
+  return {
+    found: false,
+    requested,
+    reason,
+    outputRoot,
+  };
+}
+
+async function loadCacheFile({ filePath, outputRoot, requested, normalizedTargetPath }) {
+  let cache;
+  try {
+    cache = await readJsonFile(filePath);
+  } catch {
+    return buildMissingResult({
+      outputRoot,
+      requested,
+      reason: "malformed_or_missing_cache",
+    });
+  }
+
+  if (cache?.kind !== CACHE_KIND) {
+    return buildMissingResult({
+      outputRoot,
+      requested,
+      reason: "invalid_cache_kind",
+    });
+  }
+  if (!isCacheForTarget(cache, normalizedTargetPath)) {
+    return buildMissingResult({
+      outputRoot,
+      requested,
+      reason: "target_mismatch",
+    });
+  }
+
+  return {
+    found: true,
+    requested,
+    runId: normalizeString(cache.runId),
+    artifactPath: filePath,
+    outputRoot,
+    cache,
+  };
+}
+
+async function loadLatestFromIndex({ outputRoot, normalizedTargetPath }) {
+  const latestPath = path.join(outputRoot, "runs", LATEST_INDEX_NAME);
+  let index;
+  try {
+    index = await readJsonFile(latestPath);
+  } catch {
+    return null;
+  }
+
+  const runId = sanitizeRunId(index?.runId);
+  if (!runId || !isCacheForTarget(index, normalizedTargetPath)) {
+    return null;
+  }
+  const artifactPath = normalizeString(index.artifactPath) || deterministicCachePath(outputRoot, runId);
+  const loaded = await loadCacheFile({
+    filePath: artifactPath,
+    outputRoot,
+    requested: "latest",
+    normalizedTargetPath,
+  });
+  return loaded.found ? loaded : null;
+}
+
+async function loadLatestByScanning({ outputRoot, normalizedTargetPath }) {
+  const runsDir = path.join(outputRoot, "runs");
+  let entries = [];
+  try {
+    entries = await fsp.readdir(runsDir, { withFileTypes: true });
+  } catch {
+    return null;
+  }
+
+  const candidates = [];
+  for (const entry of entries) {
+    if (!entry.isDirectory()) {
+      continue;
+    }
+    const runId = sanitizeRunId(entry.name);
+    if (!isSafeRequestedRunId(entry.name, runId)) {
+      continue;
+    }
+    const artifactPath = deterministicCachePath(outputRoot, runId);
+    try {
+      const stat = await fsp.stat(artifactPath);
+      candidates.push({ runId, artifactPath, mtimeMs: Number(stat.mtimeMs || 0) });
+    } catch {
+      // Ignore incomplete run directories.
+    }
+  }
+
+  candidates.sort((left, right) => right.mtimeMs - left.mtimeMs);
+  for (const candidate of candidates) {
+    const loaded = await loadCacheFile({
+      filePath: candidate.artifactPath,
+      outputRoot,
+      requested: "latest",
+      normalizedTargetPath,
+    });
+    if (loaded.found) {
+      return loaded;
+    }
+  }
+  return null;
+}
+
+export async function writeOmarGateDeterministicCache({
+  targetPath,
+  outputDir = "",
+  runId,
+  deterministic = {},
+  reportPath = "",
+} = {}) {
+  const normalizedTargetPath = normalizeTargetPath(targetPath);
+  const outputRoot = await resolveOutputRoot({
+    cwd: normalizedTargetPath,
+    outputDirOverride: outputDir,
+    env: process.env,
+  });
+  const normalizedRunId = sanitizeRunId(runId || deterministic?.runId);
+  if (!normalizedRunId) {
+    throw new Error("OmarGate deterministic cache requires a runId.");
+  }
+
+  const runDirectory = path.join(outputRoot, "runs", normalizedRunId);
+  const artifactPath = path.join(runDirectory, "deterministic.json");
+  const latestPath = path.join(outputRoot, "runs", LATEST_INDEX_NAME);
+  await fsp.mkdir(runDirectory, { recursive: true });
+
+  const cache = {
+    schemaVersion: CACHE_SCHEMA_VERSION,
+    kind: CACHE_KIND,
+    runId: normalizedRunId,
+    targetPath: normalizedTargetPath,
+    generatedAt: new Date().toISOString(),
+    deterministicRunId: normalizeString(deterministic?.runId),
+    mode: normalizeString(deterministic?.mode) || "full",
+    summary: normalizeSummary(deterministic?.summary),
+    findings: Array.isArray(deterministic?.findings) ? deterministic.findings : [],
+    scope: deterministic?.scope && typeof deterministic.scope === "object" ? deterministic.scope : {},
+    layers: deterministic?.layers && typeof deterministic.layers === "object" ? deterministic.layers : {},
+    metadata: deterministic?.metadata && typeof deterministic.metadata === "object" ? deterministic.metadata : {},
+    artifacts: deterministic?.artifacts && typeof deterministic.artifacts === "object" ? deterministic.artifacts : {},
+    source: {
+      command: "/omargate deep",
+      reportPath: normalizeString(reportPath),
+    },
+  };
+  await fsp.writeFile(artifactPath, `${JSON.stringify(cache, null, 2)}\n`, "utf-8");
+  await fsp.writeFile(
+    latestPath,
+    `${JSON.stringify(
+      {
+        schemaVersion: CACHE_SCHEMA_VERSION,
+        kind: "omargate-latest-index",
+        runId: normalizedRunId,
+        targetPath: normalizedTargetPath,
+        artifactPath,
+        updatedAt: cache.generatedAt,
+      },
+      null,
+      2
+    )}\n`,
+    "utf-8"
+  );
+
+  return {
+    runId: normalizedRunId,
+    outputRoot,
+    runDirectory,
+    artifactPath,
+    latestPath,
+    cache,
+  };
+}
+
+export async function loadOmarGateDeterministicCache({
+  targetPath,
+  outputDir = "",
+  runIdOrLatest = "latest",
+} = {}) {
+  const normalizedTargetPath = normalizeTargetPath(targetPath);
+  const outputRoot = await resolveOutputRoot({
+    cwd: normalizedTargetPath,
+    outputDirOverride: outputDir,
+    env: process.env,
+  });
+  const requested = normalizeString(runIdOrLatest) || "latest";
+
+  if (requested.toLowerCase() === "latest") {
+    const latestFromIndex = await loadLatestFromIndex({
+      outputRoot,
+      normalizedTargetPath,
+    });
+    if (latestFromIndex) {
+      return latestFromIndex;
+    }
+    const latestFromScan = await loadLatestByScanning({
+      outputRoot,
+      normalizedTargetPath,
+    });
+    return latestFromScan || buildMissingResult({ outputRoot, requested, reason: "not_found" });
+  }
+
+  const runId = sanitizeRunId(requested);
+  if (!isSafeRequestedRunId(requested, runId)) {
+    return buildMissingResult({
+      outputRoot,
+      requested,
+      reason: "invalid_run_id",
+    });
+  }
+  return loadCacheFile({
+    filePath: deterministicCachePath(outputRoot, runId),
+    outputRoot,
+    requested,
+    normalizedTargetPath,
+  });
+}