sinapse-ai 7.7.3 → 7.7.4

package/bin/utils/collab-start.js

@@ -0,0 +1,267 @@
+'use strict';
+
+const { execFileSync, execSync } = require('child_process');
+const path = require('path');
+
+function execGit(command) {
+  return execSync(command, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  }).trim();
+}
+
+function safeExec(command) {
+  try {
+    return execGit(command);
+  } catch {
+    return '';
+  }
+}
+
+function parseArgs(argv) {
+  const parsed = {
+    adoptCurrent: false,
+    check: false,
+    type: 'feat',
+    owner: null,
+    storyId: null,
+    slug: null,
+  };
+
+  for (const arg of argv) {
+    if (arg === '--adopt-current') {
+      parsed.adoptCurrent = true;
+      continue;
+    }
+    if (arg === '--check') {
+      parsed.check = true;
+      continue;
+    }
+    if (arg.startsWith('--type=')) {
+      parsed.type = arg.split('=')[1] || parsed.type;
+      continue;
+    }
+    if (arg.startsWith('--owner=')) {
+      parsed.owner = arg.split('=')[1] || null;
+      continue;
+    }
+    if (!parsed.storyId) {
+      parsed.storyId = arg;
+      continue;
+    }
+    if (!parsed.slug) {
+      parsed.slug = arg;
+    }
+  }
+
+  return parsed;
+}
+
+function resolveDefaultBranch() {
+  try {
+    const remoteHead = execGit('git symbolic-ref --short refs/remotes/origin/HEAD');
+    return remoteHead.replace(/^origin\//, '');
+  } catch {
+    return 'main';
+  }
+}
+
+function getCurrentBranch() {
+  return execGit('git rev-parse --abbrev-ref HEAD');
+}
+
+function getStatusLines() {
+  const output = safeExec('git status --porcelain');
+  return output ? output.split('\n').filter(Boolean) : [];
+}
+
+function sanitizeSegment(value) {
+  return String(value || '')
+    .trim()
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .replace(/-{2,}/g, '-');
+}
+
+function detectOwnerPrefix(explicitOwner) {
+  if (explicitOwner) {
+    return sanitizeSegment(explicitOwner) || 'dev';
+  }
+
+  const rawSignals = [
+    safeExec('git config user.name'),
+    safeExec('git config user.email'),
+    process.env.USERNAME || '',
+    process.env.USER || '',
+  ]
+    .join(' ')
+    .toLowerCase();
+
+  if (/(caio|imori)/.test(rawSignals)) {
+    return 'caio';
+  }
+
+  if (/(matheus|soier|sawyer)/.test(rawSignals)) {
+    return 'soier';
+  }
+
+  return 'dev';
+}
+
+function buildWorkItemSlug(storyId, slug) {
+  const sanitizedStory = sanitizeSegment(storyId);
+  const sanitizedSlug = sanitizeSegment(slug || storyId);
+  if (!sanitizedSlug) {
+    return sanitizedStory;
+  }
+  if (!sanitizedStory) {
+    return sanitizedSlug;
+  }
+  return sanitizedSlug.startsWith(`${sanitizedStory}-`) || sanitizedSlug === sanitizedStory
+    ? sanitizedSlug
+    : `${sanitizedStory}-${sanitizedSlug}`;
+}
+
+function buildBranchName({ owner, type, storyId, slug }) {
+  return `${owner}/${sanitizeSegment(type) || 'feat'}/${buildWorkItemSlug(storyId, slug)}`;
+}
+
+function buildWorktreePath(worktreeKey) {
+  return path.join(process.cwd(), '.sinapse', 'worktrees', worktreeKey);
+}
+
+function ensureReadyDefaultBranch(defaultBranch) {
+  const branchName = getCurrentBranch();
+  const statusLines = getStatusLines();
+
+  if (branchName !== defaultBranch) {
+    throw new Error(
+      `Run collab:start from a clean '${defaultBranch}' checkout. Current branch: '${branchName}'.`,
+    );
+  }
+
+  if (statusLines.length > 0) {
+    throw new Error(
+      `Working tree is dirty on '${defaultBranch}'. Commit or stash your changes before opening a new worktree.`,
+    );
+  }
+}
+
+function ensureOnDefaultBranch(defaultBranch) {
+  const branchName = getCurrentBranch();
+  if (branchName !== defaultBranch) {
+    throw new Error(
+      `Run this command from '${defaultBranch}'. Current branch: '${branchName}'.`,
+    );
+  }
+}
+
+function ensureUpToDate(defaultBranch) {
+  execFileSync('git', ['fetch', 'origin'], {
+    stdio: ['ignore', 'ignore', 'pipe'],
+  });
+
+  const localSha = safeExec(`git rev-parse ${defaultBranch}`);
+  const remoteSha = safeExec(`git rev-parse origin/${defaultBranch}`);
+
+  if (localSha && remoteSha && localSha !== remoteSha) {
+    execFileSync('git', ['pull', '--ff-only', 'origin', defaultBranch], {
+      stdio: 'inherit',
+    });
+  }
+}
+
+function createWorktree({ branchName, defaultBranch, worktreePath }) {
+  execFileSync('git', ['worktree', 'add', worktreePath, '-b', branchName, defaultBranch], {
+    stdio: 'inherit',
+  });
+}
+
+function adoptCurrentWorkspace(branchName) {
+  execFileSync('git', ['checkout', '-b', branchName], {
+    stdio: 'inherit',
+  });
+}
+
+function runCheck() {
+  const defaultBranch = resolveDefaultBranch();
+  const currentBranch = getCurrentBranch();
+  const statusLines = getStatusLines();
+  const owner = detectOwnerPrefix(null);
+
+  console.log(`Default branch: ${defaultBranch}`);
+  console.log(`Current branch: ${currentBranch}`);
+  console.log(`Detected maintainer prefix: ${owner}`);
+  console.log(`Working tree clean: ${statusLines.length === 0 ? 'yes' : 'no'}`);
+}
+
+function main() {
+  const args = parseArgs(process.argv.slice(2));
+  if (args.check) {
+    runCheck();
+    return;
+  }
+
+  if (!args.storyId) {
+    console.error(
+      'Usage: npm run collab:start -- <story-id> <slug> [--type=feat] [--owner=caio] [--adopt-current]',
+    );
+    process.exit(1);
+  }
+
+  const defaultBranch = resolveDefaultBranch();
+  const owner = detectOwnerPrefix(args.owner);
+  const branchName = buildBranchName({
+    owner,
+    type: args.type,
+    storyId: args.storyId,
+    slug: args.slug,
+  });
+  const worktreeKey = sanitizeSegment(branchName.replace(/\//g, '-'));
+  const worktreePath = buildWorktreePath(worktreeKey);
+
+  try {
+    if (args.adoptCurrent) {
+      ensureOnDefaultBranch(defaultBranch);
+      adoptCurrentWorkspace(branchName);
+    } else {
+      ensureReadyDefaultBranch(defaultBranch);
+      ensureUpToDate(defaultBranch);
+      createWorktree({ branchName, defaultBranch, worktreePath });
+    }
+  } catch (error) {
+    console.error('');
+    console.error(`collab:start failed: ${error.message}`);
+    console.error('');
+    process.exit(1);
+  }
+
+  console.log('');
+  if (args.adoptCurrent) {
+    console.log('Current workspace adopted into a safe maintainer branch.');
+    console.log(`Branch: ${branchName}`);
+    console.log('');
+    console.log('Continue working in the current directory, now outside main.');
+  } else {
+    console.log('Safe maintainer workspace created.');
+    console.log(`Branch:   ${branchName}`);
+    console.log(`Worktree: ${worktreePath}`);
+    console.log('');
+    console.log(`Next step: cd "${worktreePath}"`);
+  }
+  console.log('');
+}
+
+module.exports = {
+  buildBranchName,
+  buildWorkItemSlug,
+  detectOwnerPrefix,
+  parseArgs,
+  resolveDefaultBranch,
+  sanitizeSegment,
+};
+
+if (require.main === module) {
+  main();
+}

package/bin/utils/git-branch-guard.js

@@ -0,0 +1,76 @@
+'use strict';
+
+const { execSync } = require('child_process');
+
+function execGit(command, options = {}) {
+  return execSync(command, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+    ...options,
+  }).trim();
+}
+
+function resolveDefaultBranch() {
+  try {
+    const remoteHead = execGit('git symbolic-ref --short refs/remotes/origin/HEAD');
+    return remoteHead.replace(/^origin\//, '');
+  } catch {
+    return 'main';
+  }
+}
+
+function getCurrentBranch() {
+  return execGit('git rev-parse --abbrev-ref HEAD');
+}
+
+function getStagedFiles() {
+  try {
+    const output = execGit('git diff --cached --name-only');
+    return output ? output.split('\n').filter(Boolean) : [];
+  } catch {
+    return [];
+  }
+}
+
+function shouldBlockCommit({ branchName, defaultBranch, stagedFiles }) {
+  const protectedBranches = new Set([defaultBranch, 'master']);
+  return Boolean(stagedFiles.length) && (protectedBranches.has(branchName) || branchName === 'HEAD');
+}
+
+function main() {
+  const defaultBranch = resolveDefaultBranch();
+  const branchName = getCurrentBranch();
+  const stagedFiles = getStagedFiles();
+
+  if (!shouldBlockCommit({ branchName, defaultBranch, stagedFiles })) {
+    process.exit(0);
+  }
+
+  console.error('');
+  console.error('Git Branch Guard: commit blocked.');
+  console.error('');
+  if (branchName === 'HEAD') {
+    console.error('You are in detached HEAD state. Create an isolated branch or worktree first.');
+  } else {
+    console.error(`Commits are blocked on the protected branch '${branchName}'.`);
+  }
+  console.error('');
+  console.error('Start a safe maintainer workspace first:');
+  console.error('  npm run collab:start -- <story-id> <slug>');
+  console.error('');
+  console.error('Example:');
+  console.error('  npm run collab:start -- 7.7.4 codex-collab-hardening');
+  console.error('');
+  process.exit(1);
+}
+
+module.exports = {
+  getCurrentBranch,
+  getStagedFiles,
+  resolveDefaultBranch,
+  shouldBlockCommit,
+};
+
+if (require.main === module) {
+  main();
+}

package/bin/utils/pre-push-safety.js

@@ -0,0 +1,110 @@
+'use strict';
+
+const { execFileSync, execSync, spawnSync } = require('child_process');
+const fs = require('fs');
+
+function execGit(command) {
+  return execSync(command, {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  }).trim();
+}
+
+function resolveDefaultBranch() {
+  try {
+    const remoteHead = execGit('git symbolic-ref --short refs/remotes/origin/HEAD');
+    return remoteHead.replace(/^origin\//, '');
+  } catch {
+    return 'main';
+  }
+}
+
+function getCurrentBranch() {
+  return execGit('git rev-parse --abbrev-ref HEAD');
+}
+
+function parsePushRefs(stdinBuffer) {
+  const payload = stdinBuffer.toString('utf8').trim();
+  if (!payload) {
+    return [];
+  }
+
+  return payload
+    .split('\n')
+    .filter(Boolean)
+    .map((line) => {
+      const [localRef, localSha, remoteRef, remoteSha] = line.trim().split(/\s+/);
+      return { localRef, localSha, remoteRef, remoteSha };
+    });
+}
+
+function isProtectedPushTarget(remoteRef, defaultBranch) {
+  return remoteRef === `refs/heads/${defaultBranch}` || remoteRef === 'refs/heads/master';
+}
+
+function branchContainsRemoteDefault(defaultBranch) {
+  const result = spawnSync('git', ['merge-base', '--is-ancestor', `origin/${defaultBranch}`, 'HEAD'], {
+    stdio: 'ignore',
+  });
+  return result.status === 0;
+}
+
+function fetchRemoteDefault(defaultBranch) {
+  execFileSync('git', ['fetch', 'origin', defaultBranch, '--quiet'], {
+    stdio: ['ignore', 'ignore', 'pipe'],
+  });
+}
+
+function main() {
+  const defaultBranch = resolveDefaultBranch();
+  const branchName = getCurrentBranch();
+  const refs = parsePushRefs(fs.readFileSync(0));
+
+  if (branchName === defaultBranch || branchName === 'master') {
+    console.error('');
+    console.error(`Pre-push Safety: push blocked on protected branch '${branchName}'.`);
+    console.error('Open a feature branch or worktree first.');
+    console.error('');
+    process.exit(1);
+  }
+
+  if (refs.some((ref) => isProtectedPushTarget(ref.remoteRef, defaultBranch))) {
+    console.error('');
+    console.error(`Pre-push Safety: direct push to '${defaultBranch}' is blocked.`);
+    console.error('Open a pull request instead.');
+    console.error('');
+    process.exit(1);
+  }
+
+  try {
+    fetchRemoteDefault(defaultBranch);
+  } catch {
+    console.error('');
+    console.error(`Pre-push Safety: could not fetch origin/${defaultBranch}.`);
+    console.error('Sync with the remote before pushing.');
+    console.error('');
+    process.exit(1);
+  }
+
+  if (!branchContainsRemoteDefault(defaultBranch)) {
+    console.error('');
+    console.error(`Pre-push Safety: your branch is missing commits from origin/${defaultBranch}.`);
+    console.error(`Merge or rebase origin/${defaultBranch} before pushing.`);
+    console.error('');
+    process.exit(1);
+  }
+
+  process.exit(0);
+}
+
+module.exports = {
+  branchContainsRemoteDefault,
+  getCurrentBranch,
+  isProtectedPushTarget,
+  parsePushRefs,
+  resolveDefaultBranch,
+};
+
+if (require.main === module) {
+  main();
+}

package/bin/utils/staged-secret-scan.js

@@ -0,0 +1,108 @@
+'use strict';
+
+const { execFileSync, execSync } = require('child_process');
+
+const BLOCKED_ENV_FILE_PATTERN = /(^|\/)\.env(\..+)?$/i;
+const SAFE_ENV_FILE_PATTERN = /(^|\/)\.env\.(example|sample|template)$/i;
+const SECRET_PATTERNS = [
+  { label: 'private key', pattern: /BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY/ },
+  { label: 'generic private key', pattern: /BEGIN PRIVATE KEY/ },
+  { label: 'GitHub personal token', pattern: /\bgh[pousr]_[A-Za-z0-9]{20,}\b/ },
+  { label: 'GitHub fine-grained token', pattern: /\bgithub_pat_[A-Za-z0-9_]{20,}\b/ },
+  { label: 'OpenAI key', pattern: /\bsk-(proj-)?[A-Za-z0-9_-]{20,}\b/ },
+  { label: 'AWS access key', pattern: /\bAKIA[0-9A-Z]{16}\b/ },
+  { label: 'Google API key', pattern: /\bAIza[0-9A-Za-z\-_]{35}\b/ },
+  { label: 'Slack token', pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/ },
+];
+
+function getStagedFiles() {
+  try {
+    const output = execSync('git diff --cached --name-only --diff-filter=ACMR', {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'pipe'],
+    }).trim();
+    return output ? output.split('\n').filter(Boolean) : [];
+  } catch {
+    return [];
+  }
+}
+
+function isBlockedEnvFile(filePath) {
+  return BLOCKED_ENV_FILE_PATTERN.test(filePath) && !SAFE_ENV_FILE_PATTERN.test(filePath);
+}
+
+function readStagedFile(filePath) {
+  try {
+    return execFileSync('git', ['show', `:${filePath}`], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'pipe'],
+      maxBuffer: 5 * 1024 * 1024,
+    });
+  } catch {
+    return '';
+  }
+}
+
+function findSecretMatches(content) {
+  const matches = [];
+  for (const descriptor of SECRET_PATTERNS) {
+    if (descriptor.pattern.test(content)) {
+      matches.push(descriptor.label);
+    }
+  }
+  return matches;
+}
+
+function scanStagedFiles(files) {
+  const findings = [];
+
+  for (const filePath of files) {
+    if (isBlockedEnvFile(filePath)) {
+      findings.push({ filePath, reason: 'environment file' });
+      continue;
+    }
+
+    const content = readStagedFile(filePath);
+    const matches = findSecretMatches(content);
+    for (const match of matches) {
+      findings.push({ filePath, reason: match });
+    }
+  }
+
+  return findings;
+}
+
+function main() {
+  const stagedFiles = getStagedFiles();
+  if (stagedFiles.length === 0) {
+    process.exit(0);
+  }
+
+  const findings = scanStagedFiles(stagedFiles);
+  if (findings.length === 0) {
+    process.exit(0);
+  }
+
+  console.error('');
+  console.error('Staged Secret Scan: commit blocked.');
+  console.error('');
+  for (const finding of findings) {
+    console.error(`- ${finding.filePath}: ${finding.reason}`);
+  }
+  console.error('');
+  console.error('Remove the sensitive content before committing.');
+  console.error('');
+  process.exit(1);
+}
+
+module.exports = {
+  SECRET_PATTERNS,
+  findSecretMatches,
+  getStagedFiles,
+  isBlockedEnvFile,
+  scanStagedFiles,
+};
+
+if (require.main === module) {
+  main();
+}