shipsafe-routeforge 0.1.0

package/bin/routeforge.mjs

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+import { createCLI } from "../src/cli.mjs";
+createCLI().parseAsync(process.argv);

package/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "shipsafe-routeforge",
+  "version": "0.1.0",
+  "description": "RouteForge CLI \u2014 init and manage your GitLab AI safety gate",
+  "bin": {
+    "routeforge": "./bin/routeforge.mjs"
+  },
+  "type": "module",
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest"
+  },
+  "dependencies": {
+    "commander": "^12.1.0",
+    "ora": "^8.0.1",
+    "chalk": "^5.3.0",
+    "open": "^10.1.0",
+    "node-fetch": "^3.3.2"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "typescript": "^5.4.5",
+    "vitest": "^1.6.0"
+  }
+}

package/src/cli.mjs

@@ -0,0 +1,30 @@
+import { Command } from "commander";
+import chalk from "chalk";
+import ora from "ora";
+import { initCommand } from "./commands/init.mjs";
+import { statusCommand } from "./commands/status.mjs";
+
+export function createCLI() {
+  const program = new Command();
+
+  program
+    .name("routeforge")
+    .description(chalk.hex("#F97316")("RouteForge") + " — AI safety gate for GitLab MRs")
+    .version("0.1.0");
+
+  program
+    .command("init")
+    .description("Initialize RouteForge: OAuth flow, store secrets, deploy to Cloud Run")
+    .option("--project <id>", "GCP project ID")
+    .option("--gitlab-project <id>", "GitLab project ID", "82762386")
+    .option("--client-id <id>", "GitLab OAuth Application ID (from gitlab.com/-/profile/applications)")
+    .action(initCommand);
+
+  program
+    .command("status")
+    .description("Show recent verdicts from the RouteForge agent")
+    .option("--limit <n>", "Number of verdicts to show", "10")
+    .action(statusCommand);
+
+  return program;
+}

package/src/commands/init.mjs

@@ -0,0 +1,85 @@
+import chalk from "chalk";
+import ora from "ora";
+import open from "open";
+
+/**
+ * npx routeforge init
+ *
+ * 1. Start local callback server on :9876
+ * 2. Open GitLab OAuth URL in browser
+ * 3. Capture token from callback
+ * 4. Store token in GCP Secret Manager via gcloud CLI
+ * 5. Print next steps (deploy webhook URL to GitLab)
+ */
+export async function initCommand(options) {
+  const gcpProject = options.project;
+  const gitlabProject = options.gitlabProject;
+  const clientId = options.clientId;
+
+  if (!gcpProject) {
+    console.error(chalk.red("Error: --project <gcp-project-id> is required"));
+    process.exit(1);
+  }
+
+  if (!clientId) {
+    console.error(chalk.red("Error: --client-id <gitlab-oauth-app-id> is required"));
+    console.error(chalk.yellow("Create one at: https://gitlab.com/-/profile/applications"));
+    console.error(chalk.yellow("  Redirect URI: http://localhost:9876/callback"));
+    console.error(chalk.yellow("  Scopes: read_api read_repository"));
+    process.exit(1);
+  }
+
+  console.log(chalk.hex("#F97316").bold("\nRouteForge init\n"));
+
+  const spinner = ora("Starting OAuth callback server on :9876...").start();
+
+  try {
+    // Dynamic import to avoid top-level await issues
+    const { startOAuthFlow } = await import("../oauth.mjs");
+    spinner.succeed("Callback server ready");
+
+    spinner.start("Opening GitLab OAuth consent page...");
+    const authUrl = buildAuthUrl(gitlabProject, clientId);
+    await open(authUrl);
+    spinner.succeed("Browser opened — complete the GitLab OAuth flow");
+
+    spinner.start("Waiting for OAuth callback...");
+    const token = await startOAuthFlow(clientId);
+    spinner.succeed("OAuth token received");
+
+    spinner.start("Storing token in GCP Secret Manager...");
+    await storeSecret(gcpProject, "GITLAB_MCP_OAUTH_TOKEN", token);
+    spinner.succeed("Secret stored: GITLAB_MCP_OAUTH_TOKEN");
+
+    console.log(chalk.green("\n✓ RouteForge initialized successfully!\n"));
+    console.log("Next steps:");
+    console.log(
+      "  1. Deploy to Cloud Run:  " +
+        chalk.cyan(`gcloud run deploy routeforge --project ${gcpProject}`)
+    );
+    console.log(
+      "  2. Add webhook in GitLab: Settings → Webhooks → <Cloud Run URL>/webhooks/gitlab"
+    );
+    console.log("  3. Set X-Gitlab-Token to the value of GITLAB_WEBHOOK_SECRET in Secret Manager\n");
+  } catch (err) {
+    spinner.fail(`Init failed: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+function buildAuthUrl(gitlabProjectId, clientId) {
+  const params = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: "http://localhost:9876/callback",
+    response_type: "code",
+    scope: "mcp api read_api read_repository",
+    state: "routeforge-init",
+  });
+  return `https://gitlab.com/oauth/authorize?${params}`;
+}
+
+async function storeSecret(gcpProject, secretId, value) {
+  const { execSync } = await import("child_process");
+  const cmd = `printf '%s' '${value}' | gcloud secrets versions add ${secretId} --data-file=- --project=${gcpProject}`;
+  execSync(cmd, { stdio: "pipe" });
+}

package/src/commands/status.mjs

@@ -0,0 +1,30 @@
+import chalk from "chalk";
+
+export async function statusCommand(options) {
+  const limit = parseInt(options.limit, 10);
+  const baseUrl = process.env.ROUTEFORGE_URL || "http://localhost:8080";
+
+  try {
+    const resp = await fetch(`${baseUrl}/verdicts?limit=${limit}`);
+    if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+    const verdicts = await resp.json();
+
+    console.log(chalk.hex("#F97316").bold("\nRouteForge — Recent Verdicts\n"));
+
+    if (!verdicts.length) {
+      console.log(chalk.gray("No verdicts yet."));
+      return;
+    }
+
+    for (const v of verdicts) {
+      const icon = v.verdict === "BLOCK" ? chalk.red("🚫 BLOCK") : chalk.green("✅ PASS");
+      const conf = chalk.gray(`(${Math.round(v.confidence * 100)}%)`);
+      console.log(`  MR !${v.mr_iid}  ${icon} ${conf}  ${v.mr_title}`);
+    }
+    console.log();
+  } catch (err) {
+    console.error(chalk.red(`Error: ${err.message}`));
+    console.error(chalk.gray("Set ROUTEFORGE_URL env var to your Cloud Run service URL"));
+    process.exit(1);
+  }
+}

package/src/oauth.mjs

@@ -0,0 +1,63 @@
+import http from "http";
+
+/**
+ * Spin up a localhost:9876 server, wait for GitLab OAuth callback,
+ * exchange code for token, return token string.
+ */
+export function startOAuthFlow(clientId) {
+  return new Promise((resolve, reject) => {
+    const server = http.createServer(async (req, res) => {
+      const url = new URL(req.url, "http://localhost:9876");
+      if (url.pathname !== "/callback") {
+        res.end("Not found");
+        return;
+      }
+
+      const code = url.searchParams.get("code");
+      if (!code) {
+        res.end("Missing code");
+        reject(new Error("No OAuth code in callback"));
+        server.close();
+        return;
+      }
+
+      try {
+        const token = await exchangeCode(code, clientId);
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end("<h2>RouteForge authorized ✓ — you can close this tab.</h2>");
+        resolve(token);
+      } catch (err) {
+        res.writeHead(500);
+        res.end("Token exchange failed");
+        reject(err);
+      } finally {
+        server.close();
+      }
+    });
+
+    server.listen(9876, "127.0.0.1", () => {});
+    server.on("error", reject);
+
+    // Timeout after 5 minutes
+    setTimeout(() => {
+      server.close();
+      reject(new Error("OAuth flow timed out after 5 minutes"));
+    }, 5 * 60 * 1000);
+  });
+}
+
+async function exchangeCode(code, clientId) {
+  const resp = await fetch("https://gitlab.com/oauth/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      client_id: clientId,
+      code,
+      grant_type: "authorization_code",
+      redirect_uri: "http://localhost:9876/callback",
+    }),
+  });
+  if (!resp.ok) throw new Error(`Token exchange failed: HTTP ${resp.status}`);
+  const data = await resp.json();
+  return data.access_token;
+}