solo-cto-agent 1.2.0 → 1.3.1

package/CHANGELOG.md

@@ -1,5 +1,42 @@
 # Changelog
 
+## v1.3.0 (2026-04-17)
+
+**Theme**: Tier 3 deep integration features — plugin registry search, setup automation, type system enhancements.
+
+### Highlights
+* `solo-cto-agent plugin search <query>` — search npm registry for plugins with "solo-cto-agent-plugin" keyword
+* setup.sh enhancements: `--include-benchmarks` flag to deploy dashboard.html, auto-detection of Cursor/Windsurf editors
+* Auto-copy of editor-specific docs (docs/cursor.md, docs/windsurf.md) based on detected environment
+* Enhanced TypeScript definitions: BenchmarkMetrics, BenchmarkDiffResult, PluginSearchResult, HistoryEntry
+* Full test coverage for plugin search, CLI subcommands, and new features
+
+### New: Plugin Search
+* `solo-cto-agent plugin search <query>` fetches from npm registry with fallback to helpful error messages
+* `--json` flag for programmatic consumption
+* Graceful handling of network failures with user-friendly messages
+* Integration with plugin-manager.js for unified plugin experience
+
+### New: Setup.sh Enhancements
+* `--include-benchmarks` flag copies benchmarks/dashboard.html to orchestrator directory
+* Auto-detection of Cursor editor (checks ~/.cursor/ directory)
+* Auto-detection of Windsurf editor (checks ~/.windsurf/ directory)
+* Automatic copy of editor-specific documentation to CLAUDE_DIR/docs/
+* Enhanced summary output showing detected editor and installed features
+
+### Enhanced Types
+* `BenchmarkMetrics`: Matches metrics-latest.json shape (name, description, value, unit, timestamp)
+* `BenchmarkDiffResult`: For --diff output (baseline, current, delta, percentChange)
+* `PluginSearchResult`: npm registry search results (name, version, description, author, links)
+* `HistoryEntry`: For benchmarks/history/*.json (timestamp, metrics[], changes[])
+
+### Tests
+* `tests/plugin-search.test.mjs` — 10 new tests for registry search with HTTP mocking
+* Updated CLI tests for `plugin search` and `plugin list` subcommands
+* All existing tests pass with version bump
+
+---
+
 ## v1.2.0 (2026-04-17)
 
 **Theme**: Public release polish + cowork-main Phase 2/3 + dual-agent metrics.
@@ -82,7 +119,43 @@ non-interactive verify in CI, and tear it all down with one command.
 
 ---
 
-## Unreleased — Toolkit upgrade: per-tool entry points + examples/
+## Unreleased
+
+* chore: vscode extension packaging verified (icon, license, gitignore)
+
+* fix: routine.js readTier import from personalization (not core)
+
+* fix: resolve 2 hanging tests + add vitest timeout config
+
+* feat: P3 — GitHub Actions marketplace, VS Code extension, npm release prep
+
+* feat: P2 — type sync, template validation CI, migration guide
+
+* feat: P1 — cowork-engine split, plugin install, template-audit --apply
+
+* security: add API key masking + diff secret detection (P0)
+
+* feat: add `setup --central` for centralized workflow architecture
+
+* feat(tier3): plugin registry search, setup.sh enhancement, v1.3.0 (#100)
+
+* feat: Tier 2 — metrics history, benchmark diff/trend, enhanced validation (#99)
+
+* feat: Tier 1 — benchmark CLI, docs, expanded error catalog (#98)
+
+* feat: /prs, /dashboard commands + natural language (T3) (#104)
+
+* fix: align HTTP timeout with Telegram long-poll timeout (#103)
+
+* fix: delete webhook before getUpdates polling (#102)
+
+* feat: telegram-bot callback handler + remove experimental gate (#101)
+
+* fix: create local ref for base branch in solo-cto-review template
+
+* chore: anonymize personal info and internal project names
+
+* release: v1.2.0 — public release polish — Toolkit upgrade: per-tool entry points + examples/
 
 **Theme**: repositioning from "skill pack" to "toolkit" by splitting the
 docs surface along tool boundaries and filling `examples/` with real

package/action.yml

@@ -0,0 +1,101 @@
+name: "Solo CTO Agent — AI Code Review"
+description: "CTO-level AI code review with dual-agent cross-check (Claude + OpenAI), secret detection, and circuit breakers."
+author: "seunghunbae-3svs"
+
+branding:
+  icon: "shield"
+  color: "purple"
+
+inputs:
+  anthropic_api_key:
+    description: "Anthropic API key for Claude reviews"
+    required: true
+  openai_api_key:
+    description: "OpenAI API key for dual-agent cross-review (optional — enables Tier 2+)"
+    required: false
+  tier:
+    description: "Agent tier: maker | builder | cto"
+    required: false
+    default: "builder"
+  mode:
+    description: "Review mode: review | dual-review | deep-review"
+    required: false
+    default: "review"
+  target_branch:
+    description: "Base branch for diff comparison"
+    required: false
+    default: "main"
+  redact:
+    description: "Redact secrets from diff before sending to AI (true/false)"
+    required: false
+    default: "true"
+  fail_on:
+    description: "Fail the check if verdict is REQUEST_CHANGES or BLOCKER found (true/false)"
+    required: false
+    default: "false"
+  extra_args:
+    description: "Additional CLI arguments passed to solo-cto-agent"
+    required: false
+    default: ""
+
+outputs:
+  verdict:
+    description: "Review verdict: APPROVE | REQUEST_CHANGES | COMMENT | UNKNOWN"
+  issues_count:
+    description: "Number of issues found"
+  summary:
+    description: "One-line review summary"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: "20"
+
+    - name: Install solo-cto-agent
+      shell: bash
+      run: npm install -g solo-cto-agent@latest
+
+    - name: Run review
+      id: review
+      shell: bash
+      env:
+        ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }}
+        OPENAI_API_KEY: ${{ inputs.openai_api_key }}
+        SOLO_CTO_TIER: ${{ inputs.tier }}
+      run: |
+        REVIEW_CMD="${{ inputs.mode }}"
+        ARGS="--branch --target ${{ inputs.target_branch }} --json"
+
+        if [ "${{ inputs.redact }}" = "true" ]; then
+          ARGS="$ARGS --redact"
+        fi
+
+        if [ -n "${{ inputs.extra_args }}" ]; then
+          ARGS="$ARGS ${{ inputs.extra_args }}"
+        fi
+
+        # Run review and capture output
+        OUTPUT=$(solo-cto-agent $REVIEW_CMD $ARGS 2>&1) || true
+        echo "$OUTPUT"
+
+        # Parse JSON output for verdict and issues count
+        VERDICT=$(echo "$OUTPUT" | grep -o '"verdict":"[^"]*"' | head -1 | cut -d'"' -f4)
+        ISSUES=$(echo "$OUTPUT" | grep -o '"issues":\[[^]]*\]' | head -1 | grep -o '"severity"' | wc -l)
+        SUMMARY=$(echo "$OUTPUT" | grep -o '"summary":"[^"]*"' | head -1 | cut -d'"' -f4)
+
+        echo "verdict=${VERDICT:-UNKNOWN}" >> $GITHUB_OUTPUT
+        echo "issues_count=${ISSUES:-0}" >> $GITHUB_OUTPUT
+        echo "summary=${SUMMARY:-No summary}" >> $GITHUB_OUTPUT
+
+    - name: Check fail condition
+      if: inputs.fail_on == 'true'
+      shell: bash
+      run: |
+        VERDICT="${{ steps.review.outputs.verdict }}"
+        if [ "$VERDICT" = "REQUEST_CHANGES" ]; then
+          echo "::error::Review verdict is REQUEST_CHANGES — failing check."
+          exit 1
+        fi

package/bin/central-setup.js

@@ -0,0 +1,352 @@
+#!/usr/bin/env node
+/* eslint-disable no-console */
+/**
+ * central-setup.js
+ *
+ * Sets up centralized workflow architecture:
+ *   - Orchestrator repo: cross-repo workflows (telegram-bot-runner, telegram-digest)
+ *   - Product repos: repo-local workflows only (solo-cto-review, telegram-notify, solo-cto-pipeline)
+ *   - Disables cross-repo workflows if found in product repos (prevents notification spam)
+ *
+ * Usage:
+ *   solo-cto-agent setup --central --org <owner> --orchestrator <repo> --repos <repo1,repo2,...>
+ *   GITHUB_TOKEN=... solo-cto-agent setup --central
+ */
+
+const https = require("https");
+const fs = require("fs");
+const path = require("path");
+
+// ─── Constants ────────────────────────────────────
+
+const CROSS_REPO_WORKFLOWS = ["telegram-bot-runner.yml", "telegram-digest.yml"];
+const REPO_LOCAL_WORKFLOWS = [
+  "solo-cto-review.yml",
+  "solo-cto-pipeline.yml",
+  "telegram-notify.yml",
+];
+
+const TEMPLATES_DIR = path.join(__dirname, "..", "templates");
+
+// ─── GitHub API Helper ─────────────────────────────
+
+function githubRequest(method, reqPath, token, body = null) {
+  return new Promise((resolve, reject) => {
+    const options = {
+      hostname: "api.github.com",
+      port: 443,
+      path: reqPath,
+      method,
+      headers: {
+        "User-Agent": "solo-cto-agent/central-setup",
+        Authorization: `token ${token}`,
+        Accept: "application/vnd.github.v3+json",
+      },
+    };
+
+    if (body) {
+      const bodyStr = JSON.stringify(body);
+      options.headers["Content-Type"] = "application/json";
+      options.headers["Content-Length"] = Buffer.byteLength(bodyStr);
+    }
+
+    const req = https.request(options, (res) => {
+      let data = "";
+      res.on("data", (chunk) => (data += chunk));
+      res.on("end", () => {
+        try {
+          resolve({ status: res.statusCode, data: JSON.parse(data) });
+        } catch {
+          resolve({ status: res.statusCode, data });
+        }
+      });
+    });
+
+    req.on("error", reject);
+    if (body) req.write(JSON.stringify(body));
+    req.end();
+  });
+}
+
+// ─── Core Logic ────────────────────────────────────
+
+/**
+ * Get workflow IDs for a repo, filtered by name list
+ */
+async function getWorkflowsByName(token, owner, repo, nameFilter) {
+  const resp = await githubRequest(
+    "GET",
+    `/repos/${owner}/${repo}/actions/workflows`,
+    token
+  );
+  if (resp.status !== 200) return [];
+
+  return (resp.data.workflows || []).filter((w) => {
+    const filename = w.path.split("/").pop();
+    return nameFilter.includes(filename);
+  });
+}
+
+/**
+ * Disable a workflow by ID
+ */
+async function disableWorkflow(token, owner, repo, workflowId) {
+  const resp = await githubRequest(
+    "PUT",
+    `/repos/${owner}/${repo}/actions/workflows/${workflowId}/disable`,
+    token
+  );
+  // 204 = success, 403 = already disabled
+  return resp.status === 204 || resp.status === 403;
+}
+
+/**
+ * Enable a workflow by ID
+ */
+async function enableWorkflow(token, owner, repo, workflowId) {
+  const resp = await githubRequest(
+    "PUT",
+    `/repos/${owner}/${repo}/actions/workflows/${workflowId}/enable`,
+    token
+  );
+  return resp.status === 204 || resp.status === 403;
+}
+
+/**
+ * Upload a workflow file to a repo via GitHub Contents API
+ */
+async function uploadWorkflow(token, owner, repo, filename, content, message) {
+  const apiPath = `/repos/${owner}/${repo}/contents/.github/workflows/${filename}`;
+
+  // Check if file exists (need sha for update)
+  let sha = null;
+  const check = await githubRequest("GET", apiPath, token);
+  if (check.status === 200 && check.data.sha) {
+    sha = check.data.sha;
+  }
+
+  const body = {
+    message,
+    content: Buffer.from(content).toString("base64"),
+  };
+  if (sha) body.sha = sha;
+
+  const resp = await githubRequest("PUT", apiPath, token, body);
+  return resp.status === 200 || resp.status === 201;
+}
+
+/**
+ * Read a template file, replacing placeholders
+ */
+function readTemplate(templatePath, replacements = {}) {
+  let content = fs.readFileSync(templatePath, "utf8");
+  for (const [key, value] of Object.entries(replacements)) {
+    content = content.replace(new RegExp(escapeRegExp(key), "g"), value);
+  }
+  return content;
+}
+
+function escapeRegExp(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+// ─── Main ──────────────────────────────────────────
+
+async function centralSetup({
+  org,
+  orchestrator = "dual-agent-review-orchestrator",
+  repos = [],
+  token,
+  dryRun = false,
+}) {
+  if (!token) {
+    console.error("❌ GITHUB_TOKEN required.");
+    process.exit(1);
+  }
+  if (!org) {
+    console.error("❌ --org required (your GitHub username or org).");
+    process.exit(1);
+  }
+
+  console.log("");
+  console.log("╔══════════════════════════════════════════════════╗");
+  console.log("║  solo-cto-agent — Central Control Setup          ║");
+  console.log("╠══════════════════════════════════════════════════╣");
+  console.log(`║  Org:          ${org.padEnd(34)}║`);
+  console.log(`║  Orchestrator: ${orchestrator.padEnd(34)}║`);
+  console.log(`║  Products:     ${(repos.join(", ") || "(auto-detect)").padEnd(34).slice(0, 34)}║`);
+  console.log("╚══════════════════════════════════════════════════╝");
+  console.log("");
+
+  const results = { orchestrator: [], products: [], disabled: [] };
+
+  // ──────────────────────────────────────────────
+  // Step 1: Orchestrator — ensure cross-repo workflows exist + active
+  // ──────────────────────────────────────────────
+  console.log("━━━ Step 1: Orchestrator repo ━━━");
+
+  for (const wfFile of CROSS_REPO_WORKFLOWS) {
+    const templatePath = path.join(
+      TEMPLATES_DIR,
+      "central",
+      ".github",
+      "workflows",
+      wfFile
+    );
+
+    if (!fs.existsSync(templatePath)) {
+      console.log(`⚠️  Template not found: ${wfFile} (skip)`);
+      continue;
+    }
+
+    const replacements = {
+      "{{GITHUB_OWNER}}": org,
+      "{{ORCHESTRATOR_REPO}}": orchestrator,
+      "{{MANAGED_REPOS}}": repos.map((r) => `${org}/${r}`).join(" "),
+    };
+
+    const content = readTemplate(templatePath, replacements);
+
+    if (dryRun) {
+      console.log(`  [DRY] Would upload ${wfFile} to ${org}/${orchestrator}`);
+    } else {
+      const ok = await uploadWorkflow(
+        token,
+        org,
+        orchestrator,
+        wfFile,
+        content,
+        `chore: centralize ${wfFile} (solo-cto-agent setup --central)`
+      );
+      console.log(
+        ok
+          ? `  ✅ ${wfFile} → ${org}/${orchestrator}`
+          : `  ❌ Failed: ${wfFile}`
+      );
+      results.orchestrator.push({ file: wfFile, ok });
+    }
+  }
+
+  // Ensure they're enabled
+  const orchWorkflows = await getWorkflowsByName(
+    token,
+    org,
+    orchestrator,
+    CROSS_REPO_WORKFLOWS
+  );
+  for (const wf of orchWorkflows) {
+    if (wf.state !== "active") {
+      if (!dryRun) await enableWorkflow(token, org, orchestrator, wf.id);
+      console.log(`  🔄 Enabled: ${wf.name}`);
+    }
+  }
+
+  // ──────────────────────────────────────────────
+  // Step 2: Product repos — disable cross-repo workflows
+  // ──────────────────────────────────────────────
+  console.log("\n━━━ Step 2: Product repos — disable duplicates ━━━");
+
+  // Auto-detect repos if none specified
+  let productRepos = repos;
+  if (productRepos.length === 0) {
+    console.log("  Auto-detecting repos with cross-repo workflows...");
+    const allRepos = await githubRequest(
+      "GET",
+      `/users/${org}/repos?per_page=100&sort=updated`,
+      token
+    );
+    if (allRepos.status === 200) {
+      for (const r of allRepos.data) {
+        if (r.name === orchestrator || r.fork || r.archived) continue;
+        const crossWfs = await getWorkflowsByName(
+          token,
+          org,
+          r.name,
+          CROSS_REPO_WORKFLOWS
+        );
+        if (crossWfs.some((w) => w.state === "active")) {
+          productRepos.push(r.name);
+        }
+      }
+    }
+    if (productRepos.length > 0) {
+      console.log(
+        `  Found ${productRepos.length}: ${productRepos.join(", ")}`
+      );
+    }
+  }
+
+  for (const repo of productRepos) {
+    const crossWfs = await getWorkflowsByName(
+      token,
+      org,
+      repo,
+      CROSS_REPO_WORKFLOWS
+    );
+
+    for (const wf of crossWfs) {
+      if (wf.state === "active") {
+        if (dryRun) {
+          console.log(`  [DRY] Would disable ${wf.name} in ${repo}`);
+        } else {
+          const ok = await disableWorkflow(token, org, repo, wf.id);
+          console.log(
+            ok
+              ? `  ✅ Disabled ${wf.name} in ${repo}`
+              : `  ❌ Failed to disable ${wf.name} in ${repo}`
+          );
+          results.disabled.push({ repo, workflow: wf.name, ok });
+        }
+      } else {
+        console.log(`  ⏭️  ${wf.name} in ${repo} — already disabled`);
+      }
+    }
+  }
+
+  // ──────────────────────────────────────────────
+  // Step 3: Summary
+  // ──────────────────────────────────────────────
+  console.log("\n━━━ Summary ━━━");
+  console.log("");
+  console.log("  Architecture:");
+  console.log(`    Central (${orchestrator}):`);
+  console.log("      ├─ telegram-bot-runner.yml  (every 15min)");
+  console.log("      └─ telegram-digest.yml      (every 30min)");
+  console.log("    Product repos:");
+  console.log("      ├─ solo-cto-review.yml      (PR review)");
+  console.log("      ├─ solo-cto-pipeline.yml    (orchestration)");
+  console.log("      └─ telegram-notify.yml      (per-repo events)");
+  console.log("");
+  console.log("  Cross-repo workflows are centralized. No more duplicate notifications.");
+  console.log("");
+
+  // Secrets reminder
+  console.log("  ⚠️  Required secrets in orchestrator repo:");
+  console.log("    - TELEGRAM_BOT_TOKEN");
+  console.log("    - TELEGRAM_CHAT_ID");
+  console.log("    - ORCHESTRATOR_PAT (repo + workflow scopes)");
+  console.log("");
+
+  return results;
+}
+
+// ─── CLI Entry ─────────────────────────────────────
+
+if (require.main === module) {
+  const args = process.argv.slice(2);
+  const getArg = (name) => {
+    const idx = args.indexOf(name);
+    return idx >= 0 && args[idx + 1] ? args[idx + 1] : null;
+  };
+
+  centralSetup({
+    org: getArg("--org") || process.env.GITHUB_ORG || "",
+    orchestrator:
+      getArg("--orchestrator") || "dual-agent-review-orchestrator",
+    repos: getArg("--repos") ? getArg("--repos").split(",") : [],
+    token: process.env.GITHUB_TOKEN || "",
+    dryRun: args.includes("--dry-run"),
+  });
+}
+
+module.exports = { centralSetup };