skimpyclaw 0.3.14 → 0.4.0

package/dist/code-agents/worktrees.js

@@ -0,0 +1,116 @@
+import { execFileSync } from 'child_process';
+import { existsSync, mkdirSync, realpathSync } from 'fs';
+import { homedir } from 'os';
+import { basename, join, relative, resolve } from 'path';
+export function normalizeWorktreeRequest(value) {
+    if (value === true || value === false || value === 'auto')
+        return value;
+    if (typeof value !== 'string')
+        return undefined;
+    const normalized = value.trim().toLowerCase();
+    if (['true', 'yes', 'on', '1'].includes(normalized))
+        return true;
+    if (['false', 'no', 'off', '0'].includes(normalized))
+        return false;
+    if (normalized === 'auto')
+        return 'auto';
+    return undefined;
+}
+export function shouldAutoWorktreeTask(task) {
+    return /\b(rebase|review|re-review|pr review|pull request|compare|diff)\b/i.test(task)
+        || /https?:\/\/[^\s]+\/pull\/\d+/i.test(task);
+}
+export function shouldUseCodeAgentWorktree(task, request, config) {
+    if (request === false)
+        return false;
+    if (request === true)
+        return true;
+    if (config?.enabled === false || config?.mode === 'off')
+        return false;
+    if (config?.mode === 'always')
+        return true;
+    return shouldAutoWorktreeTask(task);
+}
+function expandWorktreeRoot(root) {
+    const raw = root?.trim() || '~/.skimpyclaw/worktrees';
+    if (raw === '~')
+        return homedir();
+    if (raw.startsWith('~/'))
+        return join(homedir(), raw.slice(2));
+    return raw.replace(/\$\{HOME\}/g, homedir());
+}
+function slug(value) {
+    return value.replace(/[^a-zA-Z0-9._-]+/g, '-').replace(/^-+|-+$/g, '') || 'repo';
+}
+function git(args, cwd) {
+    return execFileSync('git', ['-C', cwd, ...args], {
+        encoding: 'utf-8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+    }).trim();
+}
+export function findGitRoot(workdir) {
+    try {
+        return git(['rev-parse', '--show-toplevel'], workdir);
+    }
+    catch {
+        return null;
+    }
+}
+export function prepareCodeAgentWorktree(options) {
+    const sourceWorkdir = realpathSync(resolve(options.sourceWorkdir));
+    const rawGitRoot = findGitRoot(sourceWorkdir);
+    if (!rawGitRoot) {
+        if (options.required) {
+            throw new Error(`Cannot create worktree: ${sourceWorkdir} is not inside a git repository.`);
+        }
+        return undefined;
+    }
+    const gitRoot = realpathSync(rawGitRoot);
+    const worktreeRef = git(['rev-parse', '--verify', 'HEAD'], gitRoot);
+    const root = resolve(expandWorktreeRoot(options.config?.root));
+    const worktreePath = join(root, slug(basename(gitRoot)), options.id);
+    if (existsSync(worktreePath)) {
+        throw new Error(`Cannot create worktree: ${worktreePath} already exists.`);
+    }
+    mkdirSync(join(root, slug(basename(gitRoot))), { recursive: true });
+    git(['worktree', 'add', '--detach', worktreePath, worktreeRef], gitRoot);
+    const rel = relative(gitRoot, sourceWorkdir);
+    const runWorkdir = rel && !rel.startsWith('..') && rel !== '.'
+        ? join(worktreePath, rel)
+        : worktreePath;
+    return { sourceWorkdir, worktreePath, runWorkdir, worktreeRef, gitRoot };
+}
+export function cleanupCodeAgentWorktree(options) {
+    const at = new Date().toISOString();
+    const path = options.worktreePath;
+    if (!path)
+        return { status: 'skipped', reason: 'no worktree', at };
+    if (options.config?.cleanup === false) {
+        return { status: 'preserved', path, reason: 'cleanup disabled', at };
+    }
+    if (!existsSync(path))
+        return { status: 'skipped', path, reason: 'already removed', at };
+    try {
+        const worktreeRoot = realpathSync(path);
+        const status = git(['status', '--porcelain'], worktreeRoot);
+        if (status.trim()) {
+            return { status: 'preserved', path, reason: 'worktree has uncommitted changes', at };
+        }
+        const currentRef = git(['rev-parse', '--verify', 'HEAD'], worktreeRoot);
+        if (options.worktreeRef && currentRef !== options.worktreeRef) {
+            return { status: 'preserved', path, reason: 'worktree HEAD changed', at };
+        }
+        const sourceGitRoot = options.sourceWorkdir ? findGitRoot(options.sourceWorkdir) : null;
+        const controller = sourceGitRoot || worktreeRoot;
+        git(['worktree', 'remove', '--force', worktreeRoot], controller);
+        return { status: 'removed', path, at };
+    }
+    catch (err) {
+        return {
+            status: 'failed',
+            path,
+            reason: err instanceof Error ? err.message : String(err),
+            at,
+        };
+    }
+}

package/dist/config.d.ts

@@ -18,10 +18,8 @@ export declare function listMemoryFiles(agentId: string): {
     size: number;
 }[];
 /**
- * Resolve allowed paths for a given context. Priority:
- * 1. Explicit toolConfig.allowedPaths (if provided)
- * 2. Config top-level allowedPaths
- * 3. Fallback: ~/.skimpyclaw only
+ * Resolve allowed paths for a given context. Named project paths are always
+ * appended so channel-level tool overrides cannot accidentally hide them.
  */
 export declare function resolveAllowedPaths(config: Config, overridePaths?: string[]): string[];
 export declare function readMemoryFile(agentId: string, filename: string): string;

package/dist/config.js

@@ -1,26 +1,126 @@
 // Config loader with environment variable expansion
-import { readFileSync, writeFileSync, existsSync, readdirSync, statSync } from 'fs';
+import { readFileSync, writeFileSync, existsSync, readdirSync, statSync, chmodSync, mkdirSync } from 'fs';
 import { randomUUID } from 'crypto';
 import { homedir } from 'os';
 import { join, basename } from 'path';
 import dotenv from 'dotenv';
+import { getSecureValue, setSecureValue, requireSecureStore } from './secure-store.js';
 const CONFIG_PATH = join(homedir(), '.skimpyclaw', 'config.json');
+const CONFIG_DIR = join(homedir(), '.skimpyclaw');
 const ENV_PATH = join(homedir(), '.skimpyclaw', '.env');
+const CONFIG_SECRET_SERVICE = 'skimpyclaw-config';
 let envLoaded = false;
+const keychainCache = new Map();
+const SECRET_KEY_PATTERN = /(api.?key|token|secret|password|auth.?token|private.?key)/i;
+let warnedSecureStoreUnavailable = false;
 function ensureEnvLoaded() {
     if (envLoaded)
         return;
     dotenv.config({ path: ENV_PATH });
     envLoaded = true;
 }
+function resolveKeychainReference(raw) {
+    const [service, ...accountParts] = raw.split('/');
+    const account = accountParts.join('/');
+    if (!service || !account) {
+        throw new Error(`[config] Invalid keychain reference: ${raw} (expected service/account)`);
+    }
+    const cacheKey = `${service}/${account}`;
+    const cached = keychainCache.get(cacheKey);
+    if (cached !== undefined) {
+        return cached;
+    }
+    const value = getSecureValue(service, account);
+    if (value === null) {
+        throw new Error(`[config] Keychain secret not found for ${cacheKey}. Re-run setup or add it with: security add-generic-password -U -s ${service} -a ${account} -w '<secret>'`);
+    }
+    keychainCache.set(cacheKey, value);
+    return value;
+}
+function expandStringReferences(value) {
+    return value.replace(/\$\{([^}]+)\}/g, (_, token) => {
+        if (token.startsWith('KEYCHAIN:')) {
+            return resolveKeychainReference(token.slice('KEYCHAIN:'.length));
+        }
+        if (process.env[token] === undefined) {
+            console.warn(`[config] env var \${${token}} is not set`);
+        }
+        return process.env[token] || '';
+    });
+}
+function isSecureReference(value) {
+    return value.startsWith('${') && value.endsWith('}');
+}
+function shouldSecureField(path) {
+    const key = path[path.length - 1] || '';
+    return SECRET_KEY_PATTERN.test(key);
+}
+function sanitizeKeychainAccount(path) {
+    return path.join('.').replace(/[^\w.-]/g, '_');
+}
+function migratePlaintextSecrets(obj, path = []) {
+    if (Array.isArray(obj)) {
+        let migrated = 0;
+        const mapped = obj.map((item, index) => {
+            const result = migratePlaintextSecrets(item, [...path, String(index)]);
+            migrated += result.migrated;
+            return result.value;
+        });
+        return { value: mapped, migrated };
+    }
+    if (obj && typeof obj === 'object') {
+        const result = {};
+        let migrated = 0;
+        for (const [key, value] of Object.entries(obj)) {
+            const migratedValue = migratePlaintextSecrets(value, [...path, key]);
+            result[key] = migratedValue.value;
+            migrated += migratedValue.migrated;
+        }
+        return { value: result, migrated };
+    }
+    if (typeof obj !== 'string') {
+        return { value: obj, migrated: 0 };
+    }
+    if (!shouldSecureField(path)) {
+        return { value: obj, migrated: 0 };
+    }
+    const trimmed = obj.trim();
+    if (!trimmed || trimmed === '[REDACTED]' || isSecureReference(trimmed)) {
+        return { value: obj, migrated: 0 };
+    }
+    if (process.platform !== 'darwin') {
+        if (!warnedSecureStoreUnavailable) {
+            warnedSecureStoreUnavailable = true;
+            console.warn('[config] Secure secret migration requires macOS Keychain. Plaintext values are preserved on this platform.');
+        }
+        return { value: obj, migrated: 0 };
+    }
+    requireSecureStore('Config secret migration');
+    const account = sanitizeKeychainAccount(path);
+    setSecureValue(CONFIG_SECRET_SERVICE, account, obj);
+    return {
+        value: `\${KEYCHAIN:${CONFIG_SECRET_SERVICE}/${account}}`,
+        migrated: 1,
+    };
+}
+function writeConfigFile(rawConfig) {
+    mkdirSync(CONFIG_DIR, { recursive: true });
+    writeFileSync(CONFIG_PATH, JSON.stringify(rawConfig, null, 2), { encoding: 'utf-8', mode: 0o600 });
+    chmodSync(CONFIG_PATH, 0o600);
+}
+function loadAndMaybeMigrateRawConfig() {
+    const raw = readFileSync(CONFIG_PATH, 'utf-8');
+    const parsed = JSON.parse(raw);
+    const migrated = migratePlaintextSecrets(parsed);
+    if (migrated.migrated > 0) {
+        writeConfigFile(migrated.value);
+        console.log(`[config] Migrated ${migrated.migrated} plaintext secret(s) to macOS Keychain`);
+    }
+    return migrated.value;
+}
 function expandEnvVars(obj) {
     if (typeof obj === 'string') {
-        return obj.replace(/\$\{(\w+)\}/g, (_, key) => {
-            if (process.env[key] === undefined) {
-                console.warn(`[config] env var \${${key}} is not set`);
-            }
-            return process.env[key] || '';
-        });
+        return expandStringReferences(obj);
     }
     if (Array.isArray(obj)) {
         return obj.map(expandEnvVars);
@@ -39,8 +139,7 @@ export function loadConfig() {
     if (!existsSync(CONFIG_PATH)) {
         throw new Error(`Config not found: ${CONFIG_PATH}\nRun 'pnpm run setup' to create one.`);
     }
-    const raw = readFileSync(CONFIG_PATH, 'utf-8');
-    const parsed = JSON.parse(raw);
+    const parsed = loadAndMaybeMigrateRawConfig();
     return expandEnvVars(parsed);
 }
 export function loadRawConfig() {
@@ -48,8 +147,7 @@ export function loadRawConfig() {
     if (!existsSync(CONFIG_PATH)) {
         throw new Error(`Config not found: ${CONFIG_PATH}\nRun 'pnpm run setup' to create one.`);
     }
-    const raw = readFileSync(CONFIG_PATH, 'utf-8');
-    return JSON.parse(raw);
+    return loadAndMaybeMigrateRawConfig();
 }
 export function getConfigPath() {
     return CONFIG_PATH;
@@ -70,7 +168,8 @@ export function getSessionsDir() {
     return join(homedir(), '.skimpyclaw', 'sessions');
 }
 export function saveConfig(config) {
-    writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), 'utf-8');
+    const migrated = migratePlaintextSecrets(config);
+    writeConfigFile(migrated.value);
 }
 /**
  * Ensures the config has a dashboard token. If not, generates one and saves it.
@@ -81,11 +180,12 @@ export function ensureDashboardToken(config) {
         return config.dashboard.token;
     }
     const token = randomUUID();
-    // Read raw config to preserve env var references, then add the token
+    // Read raw config to preserve env var references, then add the token.
+    // loadRawConfig() already runs migratePlaintextSecrets(), so no need to run it again.
     const raw = loadRawConfig();
     raw.dashboard = raw.dashboard || {};
     raw.dashboard.token = token;
-    writeFileSync(CONFIG_PATH, JSON.stringify(raw, null, 2), 'utf-8');
+    writeConfigFile(raw);
     // Update the in-memory config too
     if (!config.dashboard) {
         config.dashboard = {};
@@ -110,17 +210,17 @@ export function listMemoryFiles(agentId) {
     }).sort((a, b) => b.date.localeCompare(a.date));
 }
 /**
- * Resolve allowed paths for a given context. Priority:
- * 1. Explicit toolConfig.allowedPaths (if provided)
- * 2. Config top-level allowedPaths
- * 3. Fallback: ~/.skimpyclaw only
+ * Resolve allowed paths for a given context. Named project paths are always
+ * appended so channel-level tool overrides cannot accidentally hide them.
  */
 export function resolveAllowedPaths(config, overridePaths) {
-    if (overridePaths?.length)
-        return overridePaths;
-    if (config.allowedPaths?.length)
-        return config.allowedPaths;
-    return [join(homedir(), '.skimpyclaw')];
+    const basePaths = overridePaths?.length
+        ? overridePaths
+        : config.allowedPaths?.length
+            ? config.allowedPaths
+            : [join(homedir(), '.skimpyclaw')];
+    const projectPaths = Object.values(config.projects || {});
+    return [...new Set([...basePaths, ...projectPaths])];
 }
 export function readMemoryFile(agentId, filename) {
     if (!isValidAgentId(agentId)) {

package/dist/cron.d.ts

@@ -13,6 +13,7 @@ export declare function getCronRunStatus(): {
     running: string[];
     recent: CronLogEntry[];
 };
+export declare function isRetryableCronAgentError(err: unknown): boolean;
 export declare function initCron(config: Config): void;
 /**
  * Parse dual-output format with ---VOICE--- and ---TEXT--- delimiters.
@@ -23,12 +24,6 @@ export declare function parseDualOutput(response: string): {
     voice: string | null;
     text: string;
 };
-/**
- * Post-run guard for the pr-review cron job.
- * Validates that the agent actually used code_with_agent when PRs were found.
- * Non-throwing — logs a warning and returns an alert message (or null if OK).
- */
-export declare function validatePrReviewOutput(output: string): string | null;
 export declare function getCronJobs(): {
     id: string;
     name: string;