thevoidforge 21.0.0

package/dist/wizard/api/prd.js

@@ -0,0 +1,363 @@
+import { request as httpsRequest } from 'node:https';
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { addRoute } from '../router.js';
+import { vaultGet } from '../lib/vault.js';
+import { getSessionPassword } from './credentials.js';
+import { resolveModelWithLimits } from '../lib/anthropic.js';
+import { parseFrontmatter, validateFrontmatter } from '../lib/frontmatter.js';
+import { parseJsonBody } from '../lib/body-parser.js';
+import { listTemplates, getTemplate } from '../lib/templates.js';
+import { sendJson } from '../lib/http-helpers.js';
+/**
+ * Extract the prompt from inside the outer ``` fence after "## The Prompt".
+ * Tracks fence nesting so inner ```yaml / ``` pairs don't end extraction early.
+ */
+function extractFencedPrompt(markdown) {
+    const promptIdx = markdown.indexOf('## The Prompt');
+    if (promptIdx === -1)
+        return markdown;
+    const afterHeading = markdown.slice(promptIdx);
+    // Find the opening fence (a line that is exactly ```)
+    const openMatch = afterHeading.match(/\n```\s*\n/);
+    if (!openMatch || openMatch.index === undefined)
+        return markdown;
+    const contentStart = promptIdx + openMatch.index + openMatch[0].length;
+    const lines = markdown.slice(contentStart).split('\n');
+    const resultLines = [];
+    let depth = 0;
+    for (const line of lines) {
+        // Opening fence: ```something or just ```
+        if (/^```\S/.test(line)) {
+            depth++;
+            resultLines.push(line);
+            continue;
+        }
+        // Closing fence: exactly ```
+        if (/^```\s*$/.test(line)) {
+            if (depth > 0) {
+                depth--;
+                resultLines.push(line);
+                continue;
+            }
+            // depth === 0 means this closes the outer fence
+            break;
+        }
+        resultLines.push(line);
+    }
+    return resultLines.join('\n').trim();
+}
+// POST /api/prd/validate — validate PRD content
+addRoute('POST', '/api/prd/validate', async (req, res) => {
+    const body = await parseJsonBody(req);
+    if (!body.content || typeof body.content !== 'string') {
+        sendJson(res, 400, { error: 'content is required' });
+        return;
+    }
+    const { frontmatter } = parseFrontmatter(body.content);
+    const errors = validateFrontmatter(frontmatter);
+    sendJson(res, 200, {
+        valid: errors.length === 0,
+        errors,
+        frontmatter,
+    });
+});
+// POST /api/prd/generate — generate PRD from idea using Claude
+addRoute('POST', '/api/prd/generate', async (req, res) => {
+    const body = await parseJsonBody(req);
+    if (!body.idea || typeof body.idea !== 'string') {
+        sendJson(res, 400, { error: 'idea is required' });
+        return;
+    }
+    const password = getSessionPassword();
+    if (!password) {
+        sendJson(res, 401, { error: 'Vault is locked. Unlock with your password first.' });
+        return;
+    }
+    const apiKey = await vaultGet(password, 'anthropic-api-key');
+    if (!apiKey) {
+        sendJson(res, 400, { error: 'Anthropic API key not configured. Complete step 1 first.' });
+        return;
+    }
+    // Load the PRD generator prompt
+    const promptPath = join(import.meta.dirname, '..', '..', 'docs', 'methods', 'PRD_GENERATOR.md');
+    let generatorPrompt;
+    try {
+        generatorPrompt = await readFile(promptPath, 'utf-8');
+    }
+    catch {
+        sendJson(res, 500, { error: 'Could not load PRD generator prompt' });
+        return;
+    }
+    // Extract prompt from inside the outer ``` fence block after "## The Prompt"
+    const basePrompt = extractFencedPrompt(generatorPrompt);
+    // Build the idea with any preferences
+    let userIdea = body.idea;
+    const prefs = [];
+    if (body.name)
+        prefs.push(`Project name: ${body.name}`);
+    if (body.framework)
+        prefs.push(`Framework preference: ${body.framework}`);
+    if (body.database)
+        prefs.push(`Database preference: ${body.database}`);
+    if (body.deploy)
+        prefs.push(`Deploy target: ${body.deploy}`);
+    if (prefs.length > 0) {
+        userIdea += '\n\nPreferences:\n' + prefs.join('\n');
+    }
+    // Resolve the best available model with its max output capacity
+    const { id: model, maxTokens } = await resolveModelWithLimits(apiKey);
+    // Stream response via SSE
+    res.writeHead(200, {
+        'Content-Type': 'text/event-stream',
+        'Cache-Control': 'no-cache',
+        'Connection': 'keep-alive',
+    });
+    const postData = JSON.stringify({
+        model,
+        max_tokens: maxTokens,
+        stream: true,
+        messages: [
+            {
+                role: 'user',
+                content: `${basePrompt}\n\nTHE PRODUCT IDEA:\n${userIdea}`,
+            },
+        ],
+    });
+    let clientDisconnected = false;
+    /** Safe write — no-op if client already disconnected */
+    function sseWrite(chunk) {
+        if (clientDisconnected || res.writableEnded)
+            return;
+        try {
+            res.write(chunk);
+        }
+        catch {
+            clientDisconnected = true;
+        }
+    }
+    function sseEnd() {
+        if (clientDisconnected || res.writableEnded)
+            return;
+        try {
+            res.end();
+        }
+        catch { /* already closed */ }
+    }
+    req.on('close', () => {
+        clientDisconnected = true;
+        clearInterval(keepaliveTimer);
+        apiReq.destroy();
+    });
+    // SSE keepalive — prevents proxy/VPN/browser timeout during generation
+    const keepaliveTimer = setInterval(() => {
+        sseWrite(': keepalive\n\n');
+    }, 15000);
+    const apiReq = httpsRequest({
+        hostname: 'api.anthropic.com',
+        path: '/v1/messages',
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'x-api-key': apiKey,
+            'anthropic-version': '2023-06-01',
+            'Content-Length': Buffer.byteLength(postData),
+        },
+        timeout: 120000,
+    }, (apiRes) => {
+        if (apiRes.statusCode !== 200) {
+            let errBody = '';
+            apiRes.on('data', (chunk) => { errBody += chunk.toString(); });
+            apiRes.on('end', () => {
+                clearInterval(keepaliveTimer);
+                sseWrite(`data: ${JSON.stringify({ error: `API error: ${apiRes.statusCode}` })}\n\n`);
+                sseWrite('data: [DONE]\n\n');
+                sseEnd();
+            });
+            return;
+        }
+        let buffer = '';
+        let stopReason = null;
+        apiRes.on('data', (chunk) => {
+            buffer += chunk.toString();
+            const lines = buffer.split('\n');
+            buffer = lines.pop() ?? '';
+            for (const line of lines) {
+                if (!line.startsWith('data: '))
+                    continue;
+                const data = line.slice(6);
+                if (data === '[DONE]')
+                    continue;
+                try {
+                    const event = JSON.parse(data);
+                    if (event.type === 'content_block_delta' && event.delta?.text) {
+                        sseWrite(`data: ${JSON.stringify({ text: event.delta.text })}\n\n`);
+                    }
+                    if (event.type === 'message_delta' && event.delta?.stop_reason) {
+                        stopReason = event.delta.stop_reason;
+                    }
+                }
+                catch {
+                    // Skip unparseable chunks
+                }
+            }
+        });
+        apiRes.on('end', () => {
+            clearInterval(keepaliveTimer);
+            if (stopReason === 'max_tokens') {
+                sseWrite(`data: ${JSON.stringify({ truncated: true })}\n\n`);
+            }
+            sseWrite('data: [DONE]\n\n');
+            sseEnd();
+        });
+    });
+    apiReq.on('error', (err) => {
+        clearInterval(keepaliveTimer);
+        sseWrite(`data: ${JSON.stringify({ error: 'Generation failed' })}\n\n`);
+        sseWrite('data: [DONE]\n\n');
+        sseEnd();
+    });
+    apiReq.write(postData);
+    apiReq.end();
+});
+// POST /api/prd/env-requirements — parse PRD for project-specific credentials
+addRoute('POST', '/api/prd/env-requirements', async (req, res) => {
+    const body = await parseJsonBody(req);
+    if (!body.content || typeof body.content !== 'string') {
+        sendJson(res, 400, { error: 'content is required' });
+        return;
+    }
+    const groups = parseEnvRequirements(body.content);
+    sendJson(res, 200, { groups });
+});
+/**
+ * Env vars that are auto-generated, infrastructure, or app config — never collect from user.
+ * These are either provisioned by the deploy pipeline, generated at build time,
+ * or derived from project config. Generic across all projects.
+ */
+const SKIP_VARS = new Set([
+    // App config (derived from project setup)
+    'NODE_ENV', 'PORT',
+    'NEXT_PUBLIC_APP_URL', 'NEXT_PUBLIC_APP_NAME',
+    // Infrastructure (provisioned by deploy pipeline)
+    'DATABASE_URL', 'REDIS_URL', 'REDIS_PASSWORD',
+    // Secrets (auto-generated at build time)
+    'SESSION_SECRET', 'SESSION_COOKIE_NAME', 'SESSION_TTL_DAYS',
+    'CSRF_SECRET',
+    // Storage (provisioned by deploy pipeline)
+    'S3_ENDPOINT', 'S3_ACCESS_KEY', 'S3_SECRET_KEY', 'S3_BUCKET_NAME',
+    'S3_REGION', 'S3_PUBLIC_URL',
+]);
+/** Prefixes that indicate feature flags — always skip. */
+const SKIP_PREFIXES = ['ENABLE_'];
+function parseEnvRequirements(prdContent) {
+    // Find the env vars section — look for a block with multiple VAR="value" lines
+    const lines = prdContent.split('\n');
+    const groups = [];
+    let currentGroup = null;
+    for (const line of lines) {
+        // Detect section headers like "# ─── WhatsApp Business API ───────"
+        const headerMatch = line.match(/^#\s*[─\-]+\s*(.+?)\s*[─\-]*$/);
+        if (headerMatch) {
+            const name = headerMatch[1].trim();
+            currentGroup = { name, fields: [] };
+            groups.push(currentGroup);
+            continue;
+        }
+        // Detect env var assignments: VAR_NAME="value" or VAR_NAME=value
+        const varMatch = line.match(/^([A-Z][A-Z0-9_]+)=["']?(.*?)["']?\s*(?:#.*)?$/);
+        if (!varMatch || !currentGroup)
+            continue;
+        const [, key, rawValue] = varMatch;
+        // Skip auto-generated / infrastructure / tuning vars
+        if (SKIP_VARS.has(key))
+            continue;
+        if (SKIP_PREFIXES.some((p) => key.startsWith(p)))
+            continue;
+        const value = rawValue.trim();
+        // Skip tuning params — values that are purely numeric, boolean, or duration-like
+        // These are config knobs, not API credentials (e.g., MAX_RETRIES="5", TIMEOUT_MS="30000")
+        if (/^\d+$/.test(value) || value === 'true' || value === 'false')
+            continue;
+        // Skip if the value looks like a real config URL (not a placeholder)
+        const isApiUrl = key.endsWith('_API_URL') || key.endsWith('_URL');
+        if (isApiUrl && value.startsWith('http'))
+            continue;
+        // Only collect vars that look like they need user-provided values
+        // (empty, placeholder prefixes, or common API key patterns)
+        const isPlaceholder = !value
+            || value.includes('your-')
+            || value.includes('your_')
+            || /^(sk-|pk\.|AIza|re_|ghp_)/.test(value)
+            || value.endsWith('...')
+            || value.startsWith('Bearer ');
+        if (!isPlaceholder && value.length > 0)
+            continue;
+        // Determine if this is a secret field
+        const secretPatterns = ['KEY', 'SECRET', 'TOKEN', 'PASSWORD'];
+        const isSecret = secretPatterns.some((p) => key.includes(p));
+        // Generate human-readable label from var name
+        const label = key
+            .replace(/_/g, ' ')
+            .replace(/\b\w/g, (c) => c.toUpperCase())
+            .replace(/\bApi\b/g, 'API')
+            .replace(/\bUrl\b/g, 'URL')
+            .replace(/\bId\b/g, 'ID')
+            .replace(/\bSdk\b/g, 'SDK')
+            .replace(/\bApp\b/g, 'App');
+        currentGroup.fields.push({
+            key,
+            label,
+            placeholder: value || key.toLowerCase().replace(/_/g, '-'),
+            secret: isSecret,
+        });
+    }
+    // Filter out empty groups
+    return groups.filter((g) => g.fields.length > 0);
+}
+// GET /api/prd/template — return the PRD template
+addRoute('GET', '/api/prd/template', async (_req, res) => {
+    const templatePath = join(import.meta.dirname, '..', '..', 'docs', 'PRD.md');
+    try {
+        const content = await readFile(templatePath, 'utf-8');
+        sendJson(res, 200, { content });
+    }
+    catch {
+        sendJson(res, 500, { error: 'Could not load PRD template' });
+    }
+});
+// GET /api/prd/prompt — return the PRD generator prompt for use with other AIs
+addRoute('GET', '/api/prd/prompt', async (_req, res) => {
+    const promptPath = join(import.meta.dirname, '..', '..', 'docs', 'methods', 'PRD_GENERATOR.md');
+    try {
+        const content = await readFile(promptPath, 'utf-8');
+        sendJson(res, 200, { prompt: extractFencedPrompt(content) });
+    }
+    catch {
+        sendJson(res, 500, { error: 'Could not load PRD generator prompt' });
+    }
+});
+// GET /api/prd/templates — list available project templates
+addRoute('GET', '/api/prd/templates', async (_req, res) => {
+    sendJson(res, 200, { templates: listTemplates() });
+});
+// GET /api/prd/templates/:id — get a specific template's full PRD content
+addRoute('GET', '/api/prd/templates/get', async (req, res) => {
+    const url = new URL(req.url || '', 'http://localhost');
+    const id = url.searchParams.get('id');
+    if (!id) {
+        sendJson(res, 400, { error: 'id query parameter is required' });
+        return;
+    }
+    const template = getTemplate(id);
+    if (!template) {
+        sendJson(res, 404, { error: `Template not found: ${id}` });
+        return;
+    }
+    // Build a complete PRD with frontmatter
+    const frontmatterYaml = Object.entries(template.frontmatter)
+        .map(([k, v]) => `${k}: "${v}"`)
+        .join('\n');
+    const prd = `\`\`\`yaml\nname: "[PROJECT_NAME]"\n${frontmatterYaml}\n\`\`\`\n\n---\n\n${template.prdSections}`;
+    sendJson(res, 200, { template: { ...template, prd } });
+});

package/dist/wizard/api/project.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/wizard/api/project.js

@@ -0,0 +1,239 @@
+import { mkdir, readFile, writeFile, copyFile, readdir, stat } from 'node:fs/promises';
+import { join, resolve } from 'node:path';
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { addRoute } from '../router.js';
+import { parseJsonBody } from '../lib/body-parser.js';
+import { addProject } from '../lib/project-registry.js';
+import { validateSession, parseSessionCookie, getClientIp, isRemoteMode } from '../lib/tower-auth.js';
+import { sendJson } from '../lib/http-helpers.js';
+const execFileAsync = promisify(execFile);
+const SCAFFOLD_DIR = resolve(import.meta.dirname, '..', '..');
+function sanitizeDirName(name) {
+    return name
+        .toLowerCase()
+        .replace(/[^a-z0-9\-_]/g, '-')
+        .replace(/-+/g, '-')
+        .replace(/^-|-$/g, '');
+}
+// POST /api/project/validate — validate project config
+addRoute('POST', '/api/project/validate', async (req, res) => {
+    const body = await parseJsonBody(req);
+    const errors = [];
+    if (!body.name || body.name.trim().length === 0) {
+        errors.push('Project name is required');
+    }
+    if (!body.directory || body.directory.trim().length === 0) {
+        errors.push('Project directory is required');
+    }
+    else {
+        const dir = resolve(body.directory);
+        try {
+            const s = await stat(dir);
+            if (s.isDirectory()) {
+                const entries = await readdir(dir);
+                if (entries.length > 0) {
+                    errors.push('Directory already exists and is not empty');
+                }
+            }
+        }
+        catch {
+            // Directory doesn't exist — that's fine
+        }
+    }
+    const suggestedDir = body.name
+        ? resolve(process.cwd(), '..', sanitizeDirName(body.name))
+        : undefined;
+    sendJson(res, 200, { valid: errors.length === 0, errors, suggestedDir });
+});
+/** Recursively copy a directory, excluding specified paths */
+async function copyDir(src, dest, exclude = []) {
+    await mkdir(dest, { recursive: true });
+    const entries = await readdir(src, { withFileTypes: true });
+    for (const entry of entries) {
+        const srcPath = join(src, entry.name);
+        const destPath = join(dest, entry.name);
+        // Check exclusions
+        const relative = srcPath.slice(SCAFFOLD_DIR.length + 1);
+        if (exclude.some(ex => relative.startsWith(ex))) {
+            continue;
+        }
+        if (entry.isDirectory()) {
+            await copyDir(srcPath, destPath, exclude);
+        }
+        else {
+            await copyFile(srcPath, destPath);
+        }
+    }
+}
+// POST /api/project/create — create the project
+addRoute('POST', '/api/project/create', async (req, res) => {
+    const raw = await parseJsonBody(req);
+    if (typeof raw !== 'object' || raw === null) {
+        sendJson(res, 400, { error: 'Request body must be a JSON object' });
+        return;
+    }
+    const body = raw;
+    if (typeof body.name !== 'string' || body.name.trim().length === 0 ||
+        typeof body.directory !== 'string' || body.directory.trim().length === 0) {
+        sendJson(res, 400, { error: 'name and directory are required strings' });
+        return;
+    }
+    // Coerce optional fields to safe strings (strip newlines for .env injection prevention)
+    const safeName = String(body.name).replace(/[\r\n]/g, ' ').trim();
+    const safeDir = String(body.directory).trim();
+    const safeDescription = typeof body.description === 'string' ? body.description.replace(/[\r\n]/g, ' ').trim() : '';
+    const safeDomain = typeof body.domain === 'string' ? body.domain.replace(/[\r\n]/g, '').trim() : '';
+    const safeHostname = typeof body.hostname === 'string' ? body.hostname.replace(/[\r\n]/g, '').trim() : '';
+    const safeDeploy = typeof body.deploy === 'string' ? body.deploy.replace(/[\r\n]/g, '').trim() : '';
+    const safePrd = typeof body.prd === 'string' ? body.prd : '';
+    const projectDir = resolve(safeDir);
+    try {
+        // Create project directory
+        await mkdir(projectDir, { recursive: true });
+        // Copy CLAUDE.md
+        await copyFile(join(SCAFFOLD_DIR, 'CLAUDE.md'), join(projectDir, 'CLAUDE.md'));
+        // Copy docs/
+        await copyDir(join(SCAFFOLD_DIR, 'docs'), join(projectDir, 'docs'));
+        // Copy .claude/
+        const claudeDir = join(SCAFFOLD_DIR, '.claude');
+        try {
+            await copyDir(claudeDir, join(projectDir, '.claude'));
+        }
+        catch {
+            // .claude dir might not exist
+        }
+        // Copy .gitignore
+        try {
+            await copyFile(join(SCAFFOLD_DIR, '.gitignore'), join(projectDir, '.gitignore'));
+        }
+        catch {
+            // OK
+        }
+        // Create logs directory with build-state.md
+        await mkdir(join(projectDir, 'logs'), { recursive: true });
+        const buildState = `# Build State
+
+**Project:** ${safeName}
+**Current Phase:** 0 (not started)
+**Last Updated:** ${new Date().toISOString()}
+**Active Agent:** None
+
+## Phase Status
+| Phase | Status | Gate Passed |
+|-------|--------|-------------|
+| 0-13 | not started | — |
+
+## Current Blockers
+- None — ready to start. Run /build to begin.
+
+## Next Steps
+1. Review docs/PRD.md
+2. Run /build to start Phase 0
+`;
+        await writeFile(join(projectDir, 'logs', 'build-state.md'), buildState);
+        // Replace placeholder in CLAUDE.md
+        const claudeMdPath = join(projectDir, 'CLAUDE.md');
+        let claudeMd = await readFile(claudeMdPath, 'utf-8');
+        claudeMd = claudeMd.replace(/\[PROJECT_NAME\]/g, safeName);
+        if (safeDescription) {
+            claudeMd = claudeMd.replace(/\[ONE_LINE_DESCRIPTION\]/g, safeDescription);
+        }
+        if (safeDomain) {
+            claudeMd = claudeMd.replace(/\[DOMAIN\]/g, safeDomain);
+        }
+        await writeFile(claudeMdPath, claudeMd);
+        // Write PRD if provided
+        if (safePrd) {
+            await writeFile(join(projectDir, 'docs', 'PRD.md'), safePrd);
+        }
+        // Create .env from template (newlines stripped from values to prevent injection)
+        const deployLine = safeDeploy ? `\n# Deploy target: ${safeDeploy}\nDEPLOY_TARGET=${safeDeploy}\n` : '';
+        const hostnameLine = safeHostname ? `\n# DNS hostname (Cloudflare)\nHOSTNAME=${safeHostname}\n` : '';
+        const envContent = `# ${safeName} — Environment Variables
+# Generated by VoidForge wizard on ${new Date().toISOString()}
+${deployLine}${hostnameLine}
+# Add your environment variables here
+# NODE_ENV=development
+`;
+        await writeFile(join(projectDir, '.env'), envContent);
+        // Initialize git repo
+        try {
+            await execFileAsync('git', ['init'], { cwd: projectDir });
+            await execFileAsync('git', ['add', '-A'], { cwd: projectDir });
+            await execFileAsync('git', ['commit', '-m', `Initial commit: ${safeName} via VoidForge`], { cwd: projectDir });
+        }
+        catch (err) {
+            // Git init is best-effort
+            console.warn('Git initialization warning:', err);
+        }
+        // Register in project registry for The Lobby
+        try {
+            await addProject({
+                name: safeName,
+                directory: projectDir,
+                deployTarget: safeDeploy || 'unknown',
+                deployUrl: safeHostname ? `https://${safeHostname}` : '',
+                sshHost: '',
+                framework: 'unknown',
+                database: 'none',
+                createdAt: new Date().toISOString(),
+                lastBuildPhase: 0,
+                lastDeployAt: '',
+                healthCheckUrl: '',
+                monthlyCost: 0,
+                owner: (() => {
+                    if (!isRemoteMode())
+                        return 'local';
+                    const token = parseSessionCookie(req.headers.cookie);
+                    const ip = getClientIp(req);
+                    const session = token ? validateSession(token, ip) : null;
+                    return session?.username ?? '';
+                })(),
+                access: [],
+                linkedProjects: [],
+            });
+        }
+        catch {
+            // Registry write is best-effort — don't fail project creation
+        }
+        // Write .voidforge marker file for CLI compatibility
+        try {
+            const { createMarker, writeMarker } = await import('../lib/marker.js');
+            const marker = createMarker('21.0.0', 'full');
+            await writeMarker(projectDir, marker);
+        }
+        catch {
+            // Marker write is best-effort — don't fail project creation
+        }
+        sendJson(res, 200, {
+            created: true,
+            directory: projectDir,
+            files: [
+                'CLAUDE.md',
+                '.claude/commands/',
+                '.claude/settings.json',
+                'docs/PRD.md',
+                'docs/methods/',
+                'docs/patterns/',
+                'docs/LESSONS.md',
+                'logs/build-state.md',
+                '.env',
+                '.gitignore',
+            ],
+        });
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : 'Failed to create project';
+        console.error('Project creation error:', message);
+        sendJson(res, 500, { error: 'Failed to create project' });
+    }
+});
+// GET /api/project/defaults — return default values
+addRoute('GET', '/api/project/defaults', async (_req, res) => {
+    const homeDir = process.env['HOME'] ?? '/tmp';
+    sendJson(res, 200, {
+        baseDir: resolve(homeDir, 'Projects'),
+        scaffoldDir: SCAFFOLD_DIR,
+    });
+});

package/dist/wizard/api/projects.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Projects API — Multi-project CRUD for The Lobby.
+ * Endpoints: list, get, import, delete, access management.
+ * All queries filtered by per-project access control (v7.0).
+ */
+export {};