thumbgate 1.0.0 → 1.2.0

package/scripts/changeset-check.js

@@ -0,0 +1,372 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('node:fs');
+const path = require('node:path');
+const { execFileSync } = require('node:child_process');
+
+const PROJECT_ROOT = path.join(__dirname, '..');
+const CHANGESET_DIR = path.join(PROJECT_ROOT, '.changeset');
+const DEFAULT_PACKAGE_NAME = 'thumbgate';
+const MIN_SUMMARY_LENGTH = 20;
+const RELEASE_TYPES = new Set(['major', 'minor', 'patch']);
+const RELEASE_RELEVANT_FILES = new Set([
+  'README.md',
+  'package.json',
+  'package-lock.json',
+  'server.json',
+]);
+const RELEASE_RELEVANT_PREFIXES = [
+  '.claude-plugin/',
+  '.cursor-plugin/',
+  '.well-known/',
+  'adapters/',
+  'bin/',
+  'config/',
+  'plugins/',
+  'public/',
+  'scripts/',
+  'src/',
+  'workers/',
+];
+
+function parseArgs(argv = process.argv.slice(2)) {
+  const options = {};
+  for (const arg of argv) {
+    if (arg.startsWith('--base=')) {
+      options.baseRef = arg.slice('--base='.length);
+    } else if (arg.startsWith('--since=')) {
+      options.baseRef = arg.slice('--since='.length);
+    }
+  }
+  return options;
+}
+
+function isChangesetMarkdownFile(relPath) {
+  return relPath.startsWith('.changeset/')
+    && relPath.endsWith('.md')
+    && path.basename(relPath) !== 'README.md';
+}
+
+function isReleaseRelevantFile(relPath) {
+  const normalized = String(relPath || '').trim().replaceAll('\\', '/');
+  if (!normalized || isChangesetMarkdownFile(normalized)) {
+    return false;
+  }
+  if (normalized.startsWith('docs/')
+    || normalized.startsWith('proof/')
+    || normalized.startsWith('tests/')
+    || normalized.startsWith('.github/')) {
+    return false;
+  }
+  if (RELEASE_RELEVANT_FILES.has(normalized)) {
+    return true;
+  }
+  return RELEASE_RELEVANT_PREFIXES.some((prefix) => normalized.startsWith(prefix));
+}
+
+function isVersionedReleaseChangeSet(changedFiles = []) {
+  const normalizedFiles = changedFiles.map((file) => String(file || '').trim().replaceAll('\\', '/'));
+  return normalizedFiles.includes('package.json')
+    && normalizedFiles.includes('CHANGELOG.md')
+    && normalizedFiles.some(isChangesetMarkdownFile);
+}
+
+function splitChangesetDocument(content) {
+  const normalized = String(content || '').replaceAll('\r\n', '\n');
+  const lines = normalized.split('\n');
+  if (lines[0]?.trim() !== '---') {
+    return null;
+  }
+
+  const closingIndex = lines.findIndex((line, index) => index > 0 && line.trim() === '---');
+  if (closingIndex === -1) {
+    return null;
+  }
+
+  return {
+    frontmatterLines: lines.slice(1, closingIndex),
+    summary: lines.slice(closingIndex + 1).join('\n').trim(),
+  };
+}
+
+function stripWrappingQuotes(value) {
+  const text = String(value || '').trim();
+  if (text.length >= 2 && ((text.startsWith('"') && text.endsWith('"')) || (text.startsWith('\'') && text.endsWith('\'')))) {
+    return text.slice(1, -1).trim();
+  }
+  return text;
+}
+
+function parseReleaseLine(line) {
+  const normalized = String(line || '').trim();
+  if (!normalized) {
+    return null;
+  }
+
+  const separatorIndex = normalized.indexOf(':');
+  if (separatorIndex <= 0 || separatorIndex === normalized.length - 1) {
+    return null;
+  }
+
+  const packageName = stripWrappingQuotes(normalized.slice(0, separatorIndex));
+  const releaseType = normalized.slice(separatorIndex + 1).trim();
+  if (!packageName || !RELEASE_TYPES.has(releaseType)) {
+    return null;
+  }
+
+  return {
+    packageName,
+    releaseType,
+  };
+}
+
+function parseChangesetMarkdown(content) {
+  const document = splitChangesetDocument(content);
+  if (!document) {
+    return {
+      releases: {},
+      summary: '',
+      errors: ['missing frontmatter'],
+    };
+  }
+
+  const summary = document.summary;
+  const releases = {};
+  const errors = [];
+  const lines = document.frontmatterLines.map((line) => line.trim()).filter(Boolean);
+
+  for (const line of lines) {
+    const entry = parseReleaseLine(line);
+    if (!entry) {
+      errors.push(`invalid frontmatter line: ${line}`);
+      continue;
+    }
+    releases[entry.packageName] = entry.releaseType;
+  }
+
+  if (!summary) {
+    errors.push('missing summary');
+  } else if (summary.length < MIN_SUMMARY_LENGTH) {
+    errors.push(`summary must be at least ${MIN_SUMMARY_LENGTH} characters`);
+  }
+
+  if (Object.keys(releases).length === 0) {
+    errors.push('missing release entries');
+  }
+
+  return {
+    releases,
+    summary,
+    errors,
+  };
+}
+
+function collectChangesets({
+  dir = CHANGESET_DIR,
+  packageName = DEFAULT_PACKAGE_NAME,
+} = {}) {
+  if (!fs.existsSync(dir)) {
+    return [];
+  }
+
+  return fs.readdirSync(dir)
+    .filter((name) => name.endsWith('.md') && name !== 'README.md')
+    .sort()
+    .map((name) => {
+      const filePath = path.join(dir, name);
+      const parsed = parseChangesetMarkdown(fs.readFileSync(filePath, 'utf8'));
+      const releaseType = parsed.releases[packageName] || null;
+      const errors = [...parsed.errors];
+      if (!releaseType) {
+        errors.push(`missing ${packageName} release entry`);
+      }
+      return {
+        file: path.posix.join('.changeset', name),
+        releaseType,
+        summary: parsed.summary,
+        errors,
+        validForPackage: errors.length === 0,
+      };
+    });
+}
+
+function evaluateChangesetRequirement({
+  changedFiles = [],
+  changesets = [],
+} = {}) {
+  const relevantFiles = changedFiles.filter(isReleaseRelevantFile);
+  const required = relevantFiles.length > 0;
+  const validChangesets = changesets.filter((entry) => entry.validForPackage);
+  const invalidChangesets = changesets.filter((entry) => !entry.validForPackage);
+  const versionedRelease = isVersionedReleaseChangeSet(changedFiles);
+
+  if (!required) {
+    return {
+      ok: true,
+      required: false,
+      relevantFiles,
+      validChangesets,
+      invalidChangesets,
+      reason: 'No release-relevant changes detected. Changeset not required.',
+    };
+  }
+
+  if (validChangesets.length > 0) {
+    return {
+      ok: true,
+      required: true,
+      relevantFiles,
+      validChangesets,
+      invalidChangesets,
+      reason: `Found ${validChangesets.length} valid changeset file(s) for release-relevant changes.`,
+    };
+  }
+
+  if (versionedRelease) {
+    return {
+      ok: true,
+      required: true,
+      relevantFiles,
+      validChangesets,
+      invalidChangesets,
+      reason: 'Release PR already consumed pending changesets into versioned artifacts.',
+    };
+  }
+
+  return {
+    ok: false,
+    required: true,
+    relevantFiles,
+    validChangesets,
+    invalidChangesets,
+    reason: 'Release-relevant changes require at least one valid .changeset entry for thumbgate.',
+  };
+}
+
+function runGitCommand(args, {
+  cwd = PROJECT_ROOT,
+  runner = execFileSync,
+} = {}) {
+  return String(runner('git', args, {
+    cwd,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe'],
+  }) || '').trim();
+}
+
+function resolveBaseRef({
+  args = parseArgs(),
+  env = process.env,
+  cwd = PROJECT_ROOT,
+  runner = execFileSync,
+} = {}) {
+  const explicitBase = String(args.baseRef || '').trim();
+  const baseRef = explicitBase
+    || String(env.CHANGESET_BASE_REF || '').trim()
+    || String(env.GITHUB_BASE_REF || '').trim()
+    || (env.GITHUB_EVENT_NAME === 'merge_group' ? 'origin/main' : '');
+
+  if (!baseRef) {
+    return null;
+  }
+
+  const candidates = [baseRef];
+  if (!baseRef.startsWith('origin/')) {
+    candidates.push(`origin/${baseRef}`);
+  }
+
+  for (const candidate of candidates) {
+    try {
+      runGitCommand(['rev-parse', '--verify', candidate], { cwd, runner });
+      return candidate;
+    } catch {}
+  }
+
+  return candidates.at(-1);
+}
+
+function getChangedFiles({
+  baseRef,
+  cwd = PROJECT_ROOT,
+  runner = execFileSync,
+} = {}) {
+  if (!baseRef) {
+    return [];
+  }
+
+  const mergeBase = runGitCommand(['merge-base', 'HEAD', baseRef], { cwd, runner });
+  const output = runGitCommand(['diff', '--name-only', '--diff-filter=ACDMRTUXB', `${mergeBase}...HEAD`], { cwd, runner });
+  return output ? output.split('\n').map((line) => line.trim()).filter(Boolean) : [];
+}
+
+function formatFailure(result) {
+  const lines = [result.reason, ''];
+  if (result.relevantFiles.length > 0) {
+    lines.push('Release-relevant files:');
+    result.relevantFiles.forEach((file) => lines.push(`- ${file}`));
+    lines.push('');
+  }
+  if (result.invalidChangesets.length > 0) {
+    lines.push('Invalid changesets:');
+    result.invalidChangesets.forEach((entry) => {
+      lines.push(`- ${entry.file}: ${entry.errors.join('; ')}`);
+    });
+    lines.push('');
+  }
+  lines.push('Run `npm run changeset` and add a release note for thumbgate before merging.');
+  return lines.join('\n');
+}
+
+function runCli({
+  cwd = PROJECT_ROOT,
+  env = process.env,
+  runner = execFileSync,
+} = {}) {
+  const baseRef = resolveBaseRef({ env, cwd, runner });
+  if (!baseRef) {
+    const result = {
+      ok: true,
+      skipped: true,
+      reason: 'No base ref detected. Skipping changeset check outside PR or merge-group context.',
+    };
+    console.log(result.reason);
+    return result;
+  }
+
+  const changedFiles = getChangedFiles({ baseRef, cwd, runner });
+  const changesets = collectChangesets();
+  const result = evaluateChangesetRequirement({ changedFiles, changesets });
+  if (result.ok) {
+    console.log(result.reason);
+    return result;
+  }
+
+  console.error(formatFailure(result));
+  process.exitCode = 1;
+  return result;
+}
+
+if (require.main === module) {
+  runCli();
+}
+
+module.exports = {
+  CHANGESET_DIR,
+  DEFAULT_PACKAGE_NAME,
+  MIN_SUMMARY_LENGTH,
+  RELEASE_RELEVANT_FILES,
+  RELEASE_RELEVANT_PREFIXES,
+  collectChangesets,
+  evaluateChangesetRequirement,
+  formatFailure,
+  getChangedFiles,
+  isChangesetMarkdownFile,
+  isReleaseRelevantFile,
+  isVersionedReleaseChangeSet,
+  parseArgs,
+  parseChangesetMarkdown,
+  resolveBaseRef,
+  runCli,
+  runGitCommand,
+};

package/scripts/check-congruence.js

@@ -11,9 +11,8 @@ const fs = require('fs');
 const path = require('path');
 const {
   collectLocalGitHubAboutErrors,
-  compareGitHubAbout,
-  fetchLiveGitHubAbout,
   loadGitHubAboutConfig,
+  verifyLiveGitHubAbout,
 } = require('./github-about');
 const {
   PRODUCTHUNT_URL,
@@ -295,8 +294,12 @@ async function main() {
 
   if (checkLiveGitHubAbout) {
     try {
-      const liveAbout = await fetchLiveGitHubAbout({ root: ROOT, repo: githubAbout.repo });
-      errors.push(...compareGitHubAbout(githubAbout, liveAbout, `Live GitHub About (${githubAbout.repo})`));
+      const liveCheck = await verifyLiveGitHubAbout({
+        expected: githubAbout,
+        repo: githubAbout.repo,
+        root: ROOT,
+      });
+      errors.push(...liveCheck.errors);
     } catch (error) {
       errors.push(`Unable to verify live GitHub About: ${error.message}`);
     }

package/scripts/computer-use-firewall.js

@@ -3,6 +3,7 @@
 
 const fs = require('fs');
 const path = require('path');
+const { buildDockerSandboxPlan } = require('./docker-sandbox-planner');
 
 /**
  * Computer-Use Action Firewall — normalizes OpenAI Responses API
@@ -129,13 +130,13 @@ function evaluateAction(action, preset = 'dev-sandbox', customRules = []) {
   const normalized = action.type ? action : normalizeAction(action);
   const presetConfig = PRESETS[preset];
   if (!presetConfig) {
-    return {
+    return attachExecutionSurface({
       decision: 'deny',
       reason: `Unknown preset: ${preset}`,
       preset,
       riskLevel: normalized.riskLevel,
       auditEntry: createAuditEntry(normalized, { decision: 'deny', reason: `Unknown preset: ${preset}`, preset }),
-    };
+    }, normalized);
   }
 
   // Custom rules override preset defaults
@@ -143,81 +144,108 @@ function evaluateAction(action, preset = 'dev-sandbox', customRules = []) {
     if (rule.action === normalized.type) {
       const decision = rule.decision || 'deny';
       const reason = rule.reason || `Custom rule override for ${normalized.type}`;
-      return {
+      return attachExecutionSurface({
         decision,
         reason,
         preset,
         riskLevel: normalized.riskLevel,
         auditEntry: createAuditEntry(normalized, { decision, reason, preset }),
-      };
+      }, normalized);
     }
   }
 
   // Check dangerous shell patterns (always deny)
   const dangerousMatch = matchesDangerousPattern(normalized);
   if (dangerousMatch) {
-    return {
+    return attachExecutionSurface({
       decision: 'deny',
       reason: `Dangerous shell pattern detected: ${dangerousMatch}`,
       preset,
       riskLevel: 'critical',
       auditEntry: createAuditEntry(normalized, { decision: 'deny', reason: `Dangerous shell pattern: ${dangerousMatch}`, preset }),
-    };
+    }, normalized);
   }
 
   // Check secret patterns (always deny)
   const secretMatch = matchesSecretPattern(normalized);
   if (secretMatch) {
-    return {
+    return attachExecutionSurface({
       decision: 'deny',
       reason: `Secret pattern detected in content: ${secretMatch}`,
       preset,
       riskLevel: 'critical',
       auditEntry: createAuditEntry(normalized, { decision: 'deny', reason: `Secret pattern: ${secretMatch}`, preset }),
-    };
+    }, normalized);
   }
 
   // Evaluate against preset
   if (presetConfig.deny.includes(normalized.type)) {
-    return {
+    return attachExecutionSurface({
       decision: 'deny',
       reason: `Action ${normalized.type} denied by ${preset} preset`,
       preset,
       riskLevel: normalized.riskLevel,
       auditEntry: createAuditEntry(normalized, { decision: 'deny', reason: `Denied by preset`, preset }),
-    };
+    }, normalized);
   }
 
   if (presetConfig.requireApproval.includes(normalized.type)) {
-    return {
+    return attachExecutionSurface({
       decision: 'require-approval',
       reason: `Action ${normalized.type} requires approval in ${preset} preset`,
       preset,
       riskLevel: normalized.riskLevel,
       auditEntry: createAuditEntry(normalized, { decision: 'require-approval', reason: `Requires approval`, preset }),
-    };
+    }, normalized);
   }
 
   if (presetConfig.allow.includes(normalized.type)) {
-    return {
+    return attachExecutionSurface({
       decision: 'allow',
       reason: `Action ${normalized.type} allowed by ${preset} preset`,
       preset,
       riskLevel: normalized.riskLevel,
       auditEntry: createAuditEntry(normalized, { decision: 'allow', reason: `Allowed by preset`, preset }),
-    };
+    }, normalized);
   }
 
   // Default: unknown actions require approval
-  return {
+  return attachExecutionSurface({
     decision: 'require-approval',
     reason: `Action ${normalized.type} not in preset; defaulting to require-approval`,
     preset,
     riskLevel: normalized.riskLevel,
     auditEntry: createAuditEntry(normalized, { decision: 'require-approval', reason: `Not in preset`, preset }),
+  }, normalized);
+}
+
+function attachExecutionSurface(result, action) {
+  const executionSurface = buildDockerSandboxPlan({
+    toolName: action.type === 'shell.exec' ? 'Bash' : 'Write',
+    actionType: action.type,
+    command: action.type === 'shell.exec' ? action.target : '',
+    repoPath: action.args.repoPath || action.args.cwd || '',
+    affectedFiles: action.type.startsWith('file.') && action.target ? [action.target] : [],
+    riskBand: toSandboxRiskBand(action.riskLevel),
+    requiresNetwork: ['upload', 'download', 'message.send'].includes(action.type),
+  });
+
+  if (!executionSurface.shouldSandbox) {
+    return result;
+  }
+
+  return {
+    ...result,
+    executionSurface,
   };
 }
 
+function toSandboxRiskBand(riskLevel) {
+  if (riskLevel === 'high') return 'high';
+  if (riskLevel === 'medium') return 'medium';
+  return 'low';
+}
+
 function createAuditEntry(action, decision) {
   return {
     timestamp: action.timestamp || new Date().toISOString(),
@@ -247,4 +275,6 @@ module.exports = {
   loadConfig,
   matchesDangerousPattern,
   matchesSecretPattern,
+  attachExecutionSurface,
+  toSandboxRiskBand,
 };