shipwright-cli 3.0.0 → 3.2.0

package/scripts/lib/daemon-dispatch.sh

@@ -282,7 +282,30 @@ daemon_reap_completed() {
 
         # Check if process is still running
         if kill -0 "$pid" 2>/dev/null; then
-            continue
+            # Guard against PID reuse: if job has been running > 6 hours and
+            # the process tree doesn't contain sw-pipeline/sw-loop, it's stale
+            local _started_at _start_e _age_s
+            _started_at=$(echo "$job" | jq -r '.started_at // empty')
+            if [[ -n "$_started_at" ]]; then
+                _start_e=$(TZ=UTC date -j -f "%Y-%m-%dT%H:%M:%SZ" "$_started_at" +%s 2>/dev/null || date -d "$_started_at" +%s 2>/dev/null || echo "0")
+                _age_s=$(( $(now_epoch) - ${_start_e:-0} ))
+                if [[ "$_age_s" -gt 21600 ]]; then  # 6 hours
+                    # Verify this PID is actually our pipeline (not a reused PID)
+                    local _proc_cmd
+                    _proc_cmd=$(ps -p "$pid" -o command= 2>/dev/null || true)
+                    if [[ -z "$_proc_cmd" ]] || ! echo "$_proc_cmd" | grep -qE 'sw-pipeline|sw-loop|claude' 2>/dev/null; then
+                        daemon_log WARN "Stale job #${issue_num}: PID $pid running ${_age_s}s but not a pipeline process — force-reaping"
+                        emit_event "daemon.stale_dead" "issue=$issue_num" "pid=$pid" "elapsed_s=$_age_s"
+                        # Fall through to reap logic
+                    else
+                        continue
+                    fi
+                else
+                    continue
+                fi
+            else
+                continue
+            fi
         fi
 
         # Process is dead — determine exit code

package/scripts/lib/daemon-patrol.sh

@@ -3,6 +3,28 @@
 [[ -n "${_DAEMON_PATROL_LOADED:-}" ]] && return 0
 _DAEMON_PATROL_LOADED=1
 
+# ─── Decision Engine Signal Mode ─────────────────────────────────────────────
+# When DECISION_ENGINE_ENABLED=true, patrol writes candidates to the pending
+# signals file instead of creating GitHub issues directly. The decision engine
+# collects, scores, and acts on these signals with tiered autonomy.
+SIGNALS_PENDING_FILE="${HOME}/.shipwright/signals/pending.jsonl"
+
+_patrol_emit_signal() {
+    local id="$1" signal="$2" category="$3" title="$4" description="$5"
+    local risk="${6:-50}" confidence="${7:-0.80}" dedup_key="$8"
+    mkdir -p "$(dirname "$SIGNALS_PENDING_FILE")"
+    local ts
+    ts=$(now_iso)
+    local candidate
+    candidate=$(jq -n \
+        --arg id "$id" --arg signal "$signal" --arg category "$category" \
+        --arg title "$title" --arg desc "$description" \
+        --argjson risk "$risk" --arg conf "$confidence" \
+        --arg dedup "$dedup_key" --arg ts "$ts" \
+        '{id:$id, signal:$signal, category:$category, title:$title, description:$desc, evidence:{}, risk_score:$risk, confidence:$conf, dedup_key:$dedup, collected_at:$ts}')
+    echo "$candidate" >> "$SIGNALS_PENDING_FILE"
+}
+
 patrol_build_labels() {
     local check_label="$1"
     local labels="${PATROL_LABEL},${check_label}"
@@ -76,8 +98,16 @@ daemon_patrol() {
                     findings=$((findings + 1))
                     emit_event "patrol.finding" "check=security" "severity=$severity" "package=$name"
 
-                    # Check if issue already exists
-                    if [[ "$NO_GITHUB" != "true" ]] && [[ "$dry_run" != "true" ]]; then
+                    # Route to decision engine or create issue directly
+                    if [[ "${DECISION_ENGINE_ENABLED:-false}" == "true" ]]; then
+                        local _cat="security_patch"
+                        [[ "$severity" == "critical" ]] && _cat="security_critical"
+                        _patrol_emit_signal "sec-${name}" "security" "$_cat" \
+                            "Security: ${title} in ${name}" \
+                            "Fix ${severity} vulnerability in ${name}" \
+                            "$([[ "$severity" == "critical" ]] && echo 80 || echo 50)" \
+                            "0.95" "security:${name}:${title}"
+                    elif [[ "$NO_GITHUB" != "true" ]] && [[ "$dry_run" != "true" ]]; then
                         local existing
                         existing=$(gh issue list --label "$PATROL_LABEL" --label "security" \
                             --search "Security: $name" --json number -q 'length' 2>/dev/null || echo "0")
@@ -202,8 +232,13 @@ Auto-detected by \`shipwright daemon patrol\`." \
                     fi
                 done < <(echo "$outdated_json" | jq -c 'to_entries[]' 2>/dev/null)
 
-                # Create a single issue for all stale deps
-                if [[ "$findings" -gt 0 ]] && [[ "$NO_GITHUB" != "true" ]] && [[ "$dry_run" != "true" ]]; then
+                # Route to decision engine or create issue
+                if [[ "$findings" -gt 0 ]] && [[ "${DECISION_ENGINE_ENABLED:-false}" == "true" ]]; then
+                    _patrol_emit_signal "deps-stale-${findings}" "deps" "deps_major" \
+                        "Update ${findings} stale dependencies" \
+                        "Packages 2+ major versions behind" \
+                        45 "0.90" "deps:stale:${findings}"
+                elif [[ "$findings" -gt 0 ]] && [[ "$NO_GITHUB" != "true" ]] && [[ "$dry_run" != "true" ]]; then
                     local existing
                     existing=$(gh issue list --label "$PATROL_LABEL" --label "dependencies" \
                         --search "Stale dependencies" --json number -q 'length' 2>/dev/null || echo "0")
@@ -814,12 +849,12 @@ Auto-detected by \`shipwright daemon patrol\` on $(now_iso)." \
             if [[ ! -f "$scripts_dir/sw-${name}-test.sh" ]]; then
                 # Count usage across other scripts
                 local usage_count
-                usage_count=$(grep -rl "sw-${name}" "$scripts_dir"/sw-*.sh 2>/dev/null | grep -cv "$basename" 2>/dev/null || echo "0")
+                usage_count=$(grep -rl "sw-${name}" "$scripts_dir"/sw-*.sh 2>/dev/null | grep -cv "$basename" 2>/dev/null || true)
                 usage_count=${usage_count:-0}
 
                 local line_count
-                line_count=$(wc -l < "$script" 2>/dev/null | tr -d ' ' || echo "0")
-                line_count=${line_count:-0}
+                line_count=$(wc -l < "$script" 2>/dev/null | tr -d ' ' || true)
+                line_count="${line_count:-0}"
 
                 untested_entries="${untested_entries}${usage_count}|${basename}|${line_count}\n"
                 findings=$((findings + 1))

package/scripts/lib/daemon-poll.sh

@@ -1196,6 +1196,23 @@ daemon_poll_loop() {
                 daemon_patrol --once || daemon_log WARN "daemon_patrol failed — continuing"
                 LAST_PATROL_EPOCH=$now_e
             fi
+
+            # Decision engine cycle (if enabled)
+            local _decision_enabled
+            _decision_enabled=$(policy_get ".decision.enabled" "false" 2>/dev/null || echo "false")
+            if [[ "$_decision_enabled" == "true" ]]; then
+                local _decision_interval
+                _decision_interval=$(policy_get ".decision.cycle_interval_seconds" "1800" 2>/dev/null || echo "1800")
+                local _last_decision_epoch="${_LAST_DECISION_EPOCH:-0}"
+                if [[ $((now_e - _last_decision_epoch)) -ge "$_decision_interval" ]]; then
+                    daemon_log INFO "Running decision engine cycle"
+                    if [[ -f "$SCRIPT_DIR/sw-decide.sh" ]]; then
+                        DECISION_ENGINE_ENABLED=true bash "$SCRIPT_DIR/sw-decide.sh" run --once 2>/dev/null || \
+                            daemon_log WARN "Decision engine cycle failed — continuing"
+                    fi
+                    _LAST_DECISION_EPOCH=$now_e
+                fi
+            fi
         fi
 
         # ── Adaptive poll interval: adjust sleep based on queue state ──

package/scripts/lib/daemon-state.sh

@@ -390,6 +390,16 @@ init_state() {
             atomic_write_state "$init_json"
         ) 200>"$lock_file"
     else
+        # Validate existing state file JSON before using it
+        if ! jq '.' "$STATE_FILE" >/dev/null 2>&1; then
+            daemon_log WARN "Corrupted state file detected — backing up and resetting"
+            cp "$STATE_FILE" "${STATE_FILE}.corrupted.$(date +%s)" 2>/dev/null || true
+            rm -f "$STATE_FILE"
+            # Re-initialize as fresh state (recursive call with file removed)
+            init_state
+            return
+        fi
+
         # Update PID and start time in existing state
         locked_state_update \
             --arg pid "$$" \
@@ -448,6 +458,13 @@ get_active_count() {
         echo 0
         return
     fi
+    # Validate state file JSON before parsing (mid-flight corruption check)
+    if ! jq empty "$STATE_FILE" 2>/dev/null; then
+        daemon_log WARN "State file corrupted mid-flight — backing up and resetting"
+        cp "$STATE_FILE" "${STATE_FILE}.corrupted.$(date +%s)" 2>/dev/null || true
+        init_state
+        return
+    fi
     jq -r '.active_jobs | length' "$STATE_FILE" 2>/dev/null || echo 0
 }
 

package/scripts/lib/daemon-triage.sh

@@ -250,7 +250,7 @@ select_pipeline_template() {
         _dora_events=$(tail -500 "${EVENTS_FILE:-$HOME/.shipwright/events.jsonl}" \
             | grep '"type":"pipeline.completed"' 2>/dev/null \
             | tail -5 || true)
-        _dora_total=$(echo "$_dora_events" | grep -c '.' 2>/dev/null || echo "0")
+        _dora_total=$(echo "$_dora_events" | grep -c '.' 2>/dev/null || true)
         _dora_total="${_dora_total:-0}"
         if [[ "$_dora_total" -ge 3 ]]; then
             _dora_failures=$(echo "$_dora_events" | grep -c '"result":"failure"' 2>/dev/null || true)

package/scripts/lib/decide-autonomy.sh

@@ -0,0 +1,295 @@
+# decide-autonomy.sh — Tier enforcement & rate limiting for the decision engine
+# Source from sw-decide.sh. Requires helpers.sh, policy.sh.
+[[ -n "${_DECIDE_AUTONOMY_LOADED:-}" ]] && return 0
+_DECIDE_AUTONOMY_LOADED=1
+
+# ─── State ────────────────────────────────────────────────────────────────────
+DECISIONS_DIR="${HOME}/.shipwright/decisions"
+HALT_FILE="${DECISIONS_DIR}/halt.json"
+LAST_DECISION_FILE="${DECISIONS_DIR}/last-decision.json"
+OUTCOMES_FILE="${DECISIONS_DIR}/outcomes.jsonl"
+
+_ensure_decisions_dir() {
+    mkdir -p "$DECISIONS_DIR"
+}
+
+_daily_log_file() {
+    echo "${DECISIONS_DIR}/daily-log-$(date -u +%Y-%m-%d).jsonl"
+}
+
+# ─── Tier Configuration ──────────────────────────────────────────────────────
+
+TIERS_DATA=""
+CATEGORY_RULES=""
+TIER_LIMITS=""
+
+autonomy_load_tiers() {
+    local tiers_path="${TIERS_FILE:-}"
+    if [[ -z "$tiers_path" ]]; then
+        # Try repo-relative, then policy
+        local repo_dir="${_REPO_DIR:-$(git rev-parse --show-toplevel 2>/dev/null || echo '.')}"
+        tiers_path="${repo_dir}/config/decision-tiers.json"
+        if [[ ! -f "$tiers_path" ]]; then
+            tiers_path=$(policy_get ".decision.tiers_file" "config/decision-tiers.json")
+            [[ "$tiers_path" != /* ]] && tiers_path="${repo_dir}/${tiers_path}"
+        fi
+    fi
+
+    if [[ ! -f "$tiers_path" ]]; then
+        return 1
+    fi
+
+    TIERS_FILE="$tiers_path"
+    TIERS_DATA=$(cat "$tiers_path")
+    CATEGORY_RULES=$(echo "$TIERS_DATA" | jq -c '.category_rules // {}')
+    TIER_LIMITS=$(echo "$TIERS_DATA" | jq -c '.limits // {}')
+    return 0
+}
+
+# ─── Tier Resolution ─────────────────────────────────────────────────────────
+
+autonomy_resolve_tier() {
+    local category="$1"
+    if [[ -z "$CATEGORY_RULES" ]]; then
+        echo "draft"
+        return
+    fi
+    local tier
+    tier=$(echo "$CATEGORY_RULES" | jq -r --arg cat "$category" '.[$cat].tier // "draft"')
+    echo "${tier:-draft}"
+}
+
+autonomy_get_labels() {
+    local tier="$1"
+    if [[ -z "$TIERS_DATA" ]]; then
+        echo ""
+        return
+    fi
+    echo "$TIERS_DATA" | jq -r --arg t "$tier" '.tiers[$t].labels // [] | join(",")'
+}
+
+autonomy_get_template() {
+    local tier="$1"
+    if [[ -z "$TIERS_DATA" ]]; then
+        echo "standard"
+        return
+    fi
+    local tmpl
+    tmpl=$(echo "$TIERS_DATA" | jq -r --arg t "$tier" '.tiers[$t].pipeline_template // "standard"')
+    [[ "$tmpl" == "null" ]] && tmpl=""
+    echo "$tmpl"
+}
+
+# ─── Budget Checks ───────────────────────────────────────────────────────────
+
+autonomy_check_budget() {
+    local tier="$1"
+    _ensure_decisions_dir
+
+    local daily_log
+    daily_log=$(_daily_log_file)
+
+    # Count today's issues created
+    local today_count=0
+    if [[ -f "$daily_log" ]]; then
+        today_count=$(jq -s '[.[] | select(.action == "issue_created" or .action == "draft_written")] | length' "$daily_log" 2>/dev/null || echo "0")
+    fi
+
+    local max_issues
+    max_issues=$(echo "${TIER_LIMITS:-{}}" | jq -r '.max_issues_per_day // 15')
+
+    if [[ "$today_count" -ge "$max_issues" ]]; then
+        return 1
+    fi
+
+    # Check cost budget
+    local max_cost
+    max_cost=$(echo "${TIER_LIMITS:-{}}" | jq -r '.max_cost_per_day_usd // 25')
+    local today_cost=0
+    if [[ -f "$daily_log" ]]; then
+        today_cost=$(jq -s '[.[] | .estimated_cost_usd // 0] | add // 0' "$daily_log" 2>/dev/null || echo "0")
+    fi
+
+    # Only check cost for auto tier (propose/draft are cheap)
+    if [[ "$tier" == "auto" ]]; then
+        local cost_exceeded
+        cost_exceeded=$(echo "$today_cost $max_cost" | awk '{print ($1 >= $2) ? "true" : "false"}')
+        if [[ "$cost_exceeded" == "true" ]]; then
+            return 1
+        fi
+    fi
+
+    return 0
+}
+
+# ─── Rate Limiting ────────────────────────────────────────────────────────────
+
+autonomy_check_rate_limit() {
+    [[ ! -f "$LAST_DECISION_FILE" ]] && return 0
+
+    local last_epoch
+    last_epoch=$(jq -r '.epoch // 0' "$LAST_DECISION_FILE" 2>/dev/null || echo "0")
+    local now_e
+    now_e=$(now_epoch)
+
+    local cooldown
+    cooldown=$(echo "${TIER_LIMITS:-{}}" | jq -r '.cooldown_seconds // 300')
+
+    local elapsed=$((now_e - last_epoch))
+    if [[ "$elapsed" -lt "$cooldown" ]]; then
+        return 1
+    fi
+    return 0
+}
+
+# ─── Halt Management ─────────────────────────────────────────────────────────
+
+autonomy_check_halt() {
+    [[ -f "$HALT_FILE" ]] && return 1
+    return 0
+}
+
+autonomy_halt() {
+    _ensure_decisions_dir
+    local reason="${1:-manual halt}"
+    local tmp
+    tmp=$(mktemp)
+    jq -n --arg reason "$reason" --arg ts "$(now_iso)" --argjson epoch "$(now_epoch)" \
+        '{halted: true, reason: $reason, halted_at: $ts, epoch: $epoch}' > "$tmp" && mv "$tmp" "$HALT_FILE"
+    emit_event "decision.halted" "reason=$reason"
+}
+
+autonomy_resume() {
+    if [[ -f "$HALT_FILE" ]]; then
+        rm -f "$HALT_FILE"
+        emit_event "decision.resumed"
+    fi
+}
+
+# ─── Consecutive Failure Tracking ─────────────────────────────────────────────
+
+autonomy_check_consecutive_failures() {
+    _ensure_decisions_dir
+    local daily_log
+    daily_log=$(_daily_log_file)
+    [[ ! -f "$daily_log" ]] && return 0
+
+    local max_consecutive
+    max_consecutive=$(echo "${TIER_LIMITS:-{}}" | jq -r '.halt_after_consecutive_failures // 3')
+
+    # Get the last N decisions and check if all failed
+    local recent
+    recent=$(jq -s --argjson n "$max_consecutive" '. | reverse | .[:$n]' "$daily_log" 2>/dev/null || echo '[]')
+    local count
+    count=$(echo "$recent" | jq 'length' 2>/dev/null || echo "0")
+    [[ "$count" -lt "$max_consecutive" ]] && return 0
+
+    local all_failed
+    all_failed=$(echo "$recent" | jq --argjson n "$max_consecutive" \
+        '[.[] | select(.outcome == "failure")] | length == $n' 2>/dev/null || echo "false")
+
+    if [[ "$all_failed" == "true" ]]; then
+        autonomy_halt "Halted: ${max_consecutive} consecutive failures"
+        return 1
+    fi
+    return 0
+}
+
+# ─── Risk Ceiling ─────────────────────────────────────────────────────────────
+
+autonomy_check_risk_ceiling() {
+    local category="$1"
+    local risk_score="$2"
+    [[ -z "$CATEGORY_RULES" ]] && return 0
+
+    local ceiling
+    ceiling=$(echo "$CATEGORY_RULES" | jq -r --arg cat "$category" '.[$cat].risk_ceiling // 100')
+
+    if [[ "$risk_score" -gt "$ceiling" ]]; then
+        return 1
+    fi
+    return 0
+}
+
+# ─── Decision Recording ──────────────────────────────────────────────────────
+
+autonomy_record_decision() {
+    local decision_json="$1"
+    _ensure_decisions_dir
+
+    local daily_log
+    daily_log=$(_daily_log_file)
+
+    # Append to daily log (atomic via tmp + append)
+    echo "$decision_json" >> "$daily_log"
+
+    # Update last-decision pointer
+    local tmp
+    tmp=$(mktemp)
+    echo "$decision_json" | jq '. + {epoch: (now | floor)}' > "$tmp" && mv "$tmp" "$LAST_DECISION_FILE"
+
+    # Rotate old daily logs (keep 30 days)
+    find "$DECISIONS_DIR" -name "daily-log-*.jsonl" -mtime +30 -delete 2>/dev/null || true
+}
+
+autonomy_record_outcome() {
+    local decision_id="$1"
+    local result="$2"
+    local detail="${3:-}"
+    _ensure_decisions_dir
+
+    local outcome
+    outcome=$(jq -n \
+        --arg id "$decision_id" \
+        --arg result "$result" \
+        --arg detail "$detail" \
+        --arg ts "$(now_iso)" \
+        '{decision_id: $id, result: $result, detail: $detail, recorded_at: $ts}')
+
+    echo "$outcome" >> "$OUTCOMES_FILE"
+
+    # Update daily log entry with outcome
+    local daily_log
+    daily_log=$(_daily_log_file)
+    if [[ -f "$daily_log" ]]; then
+        local tmp
+        tmp=$(mktemp)
+        jq --arg id "$decision_id" --arg res "$result" \
+            'if .id == $id then . + {outcome: $res} else . end' \
+            "$daily_log" > "$tmp" && mv "$tmp" "$daily_log" || rm -f "$tmp"
+    fi
+}
+
+# ─── Daily Summary ────────────────────────────────────────────────────────────
+
+autonomy_daily_summary() {
+    _ensure_decisions_dir
+    local daily_log
+    daily_log=$(_daily_log_file)
+
+    if [[ ! -f "$daily_log" ]]; then
+        jq -n '{date: (now | strftime("%Y-%m-%d")), total: 0, auto: 0, propose: 0, draft: 0, budget_remaining: {issues: 15, cost_usd: 25}}'
+        return
+    fi
+
+    local max_issues max_cost
+    max_issues=$(echo "${TIER_LIMITS:-{}}" | jq -r '.max_issues_per_day // 15')
+    max_cost=$(echo "${TIER_LIMITS:-{}}" | jq -r '.max_cost_per_day_usd // 25')
+
+    jq -s --argjson mi "$max_issues" --arg mc "$max_cost" '
+        {
+            date: (now | strftime("%Y-%m-%d")),
+            total: length,
+            auto: [.[] | select(.tier == "auto")] | length,
+            propose: [.[] | select(.tier == "propose")] | length,
+            draft: [.[] | select(.tier == "draft")] | length,
+            successes: [.[] | select(.outcome == "success")] | length,
+            failures: [.[] | select(.outcome == "failure")] | length,
+            budget_remaining: {
+                issues: ($mi - length),
+                cost_usd: ($mc - ([.[] | .estimated_cost_usd // 0] | add // 0))
+            },
+            halted: false
+        }
+    ' "$daily_log" 2>/dev/null || echo '{}'
+}