tlc-claude-code 2.0.1 → 2.2.0

package/server/lib/command-runner.js

@@ -0,0 +1,159 @@
+/**
+ * Command Runner — execute TLC commands via container, Claude Code, or queue
+ * Phase 80 Task 8
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { execSync, spawn } = require('child_process');
+
+const VALID_COMMANDS = ['build', 'deploy', 'test', 'plan', 'verify', 'review', 'status'];
+
+/**
+ * Create command runner
+ * @param {Object} [options]
+ * @param {Function} [options._checkDocker] - Check if tlc-standalone image exists
+ * @param {Function} [options._checkClaude] - Check if Claude Code is running
+ * @returns {Object} Command runner API
+ */
+function createCommandRunner(options = {}) {
+  const checkDocker = options._checkDocker || defaultCheckDocker;
+  const checkClaude = options._checkClaude || defaultCheckClaude;
+
+  async function defaultCheckDocker() {
+    try {
+      execSync('docker image inspect tlc-standalone 2>/dev/null', { stdio: 'pipe' });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+
+  function defaultCheckClaude() {
+    try {
+      const result = execSync('pgrep -f "claude" 2>/dev/null', { stdio: 'pipe' });
+      return result.toString().trim().length > 0;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Detect best execution method
+   * @param {string} projectPath
+   * @returns {Promise<string>} 'container' | 'claude-code' | 'queue'
+   */
+  async function detectExecutionMethod(projectPath) {
+    if (await checkDocker()) return 'container';
+    if (checkClaude()) return 'claude-code';
+    return 'queue';
+  }
+
+  /**
+   * Execute command via Docker container
+   * @param {string} projectPath
+   * @param {string} command
+   * @param {Function} onOutput
+   * @returns {Promise<{ exitCode: number }>}
+   */
+  async function executeViaContainer(projectPath, command, onOutput) {
+    return new Promise((resolve, reject) => {
+      const proc = spawn('docker', [
+        'run', '--rm',
+        '-v', `${projectPath}:/project`,
+        '-w', '/project',
+        'tlc-standalone',
+        'tlc', command,
+      ]);
+
+      proc.stdout.on('data', (data) => onOutput && onOutput(data.toString()));
+      proc.stderr.on('data', (data) => onOutput && onOutput(data.toString()));
+      proc.on('close', (code) => resolve({ exitCode: code }));
+      proc.on('error', (err) => reject(err));
+    });
+  }
+
+  /**
+   * Queue command as task in PLAN.md
+   * @param {string} projectPath
+   * @param {string} command
+   */
+  async function queueCommand(projectPath, command) {
+    const timestamp = new Date().toISOString();
+    const entry = `\n### Queued: tlc ${command}\n_Queued at ${timestamp}_\n`;
+
+    // Find most recent plan file
+    const planDir = path.join(projectPath, '.planning', 'phases');
+    if (fs.existsSync(planDir)) {
+      const plans = fs.readdirSync(planDir).filter(f => f.endsWith('-PLAN.md')).sort((a, b) => {
+        const numA = parseInt(a.match(/^(\d+)/)?.[1] || '0', 10);
+        const numB = parseInt(b.match(/^(\d+)/)?.[1] || '0', 10);
+        return numA - numB;
+      });
+      if (plans.length > 0) {
+        const planPath = path.join(planDir, plans[plans.length - 1]);
+        fs.appendFileSync(planPath, entry);
+      }
+    }
+
+    // Log to history
+    logCommand(projectPath, { command, timestamp, method: 'queue' });
+
+    return { queued: true, method: 'queue', command };
+  }
+
+  /**
+   * Log a command to history
+   */
+  function logCommand(projectPath, entry) {
+    const histPath = path.join(projectPath, '.tlc', 'command-history.json');
+    const dir = path.dirname(histPath);
+    if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+
+    let history = [];
+    try {
+      if (fs.existsSync(histPath)) {
+        history = JSON.parse(fs.readFileSync(histPath, 'utf8'));
+      }
+    } catch {}
+    history.push(entry);
+    // Keep last 100
+    if (history.length > 100) history = history.slice(-100);
+    fs.writeFileSync(histPath, JSON.stringify(history, null, 2));
+  }
+
+  /**
+   * Get command history for a project
+   * @param {string} projectPath
+   * @returns {Array}
+   */
+  function getCommandHistory(projectPath) {
+    const histPath = path.join(projectPath, '.tlc', 'command-history.json');
+    try {
+      if (fs.existsSync(histPath)) {
+        return JSON.parse(fs.readFileSync(histPath, 'utf8'));
+      }
+    } catch {}
+    return [];
+  }
+
+  /**
+   * Validate command type
+   * @param {string} command
+   * @returns {boolean}
+   */
+  function validateCommand(command) {
+    if (!command || typeof command !== 'string') return false;
+    return VALID_COMMANDS.includes(command);
+  }
+
+  return {
+    detectExecutionMethod,
+    executeViaContainer,
+    queueCommand,
+    getCommandHistory,
+    validateCommand,
+  };
+}
+
+module.exports = { createCommandRunner };

package/server/lib/command-runner.test.js

@@ -0,0 +1,92 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import fs from 'fs';
+import path from 'path';
+import os from 'os';
+
+const { createCommandRunner } = await import('./command-runner.js');
+
+describe('CommandRunner', () => {
+  let runner;
+  let tempDir;
+
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cmd-runner-test-'));
+    runner = createCommandRunner({
+      _checkDocker: vi.fn().mockResolvedValue(false),
+      _checkClaude: vi.fn().mockReturnValue(false),
+    });
+  });
+
+  afterEach(() => {
+    fs.rmSync(tempDir, { recursive: true, force: true });
+  });
+
+  describe('detectExecutionMethod', () => {
+    it('returns container when tlc-standalone image exists', async () => {
+      const r = createCommandRunner({
+        _checkDocker: vi.fn().mockResolvedValue(true),
+        _checkClaude: vi.fn().mockReturnValue(false),
+      });
+      const method = await r.detectExecutionMethod(tempDir);
+      expect(method).toBe('container');
+    });
+
+    it('returns claude-code when Claude Code process running', async () => {
+      const r = createCommandRunner({
+        _checkDocker: vi.fn().mockResolvedValue(false),
+        _checkClaude: vi.fn().mockReturnValue(true),
+      });
+      const method = await r.detectExecutionMethod(tempDir);
+      expect(method).toBe('claude-code');
+    });
+
+    it('returns queue as fallback', async () => {
+      const method = await runner.detectExecutionMethod(tempDir);
+      expect(method).toBe('queue');
+    });
+  });
+
+  describe('queueCommand', () => {
+    it('appends task to PLAN.md', async () => {
+      const planDir = path.join(tempDir, '.planning', 'phases');
+      fs.mkdirSync(planDir, { recursive: true });
+      fs.writeFileSync(path.join(planDir, '1-PLAN.md'), '# Phase 1\n');
+
+      const result = await runner.queueCommand(tempDir, 'build');
+      expect(result.queued).toBe(true);
+      expect(result.method).toBe('queue');
+    });
+  });
+
+  describe('getCommandHistory', () => {
+    it('returns recent commands', () => {
+      const histDir = path.join(tempDir, '.tlc');
+      fs.mkdirSync(histDir, { recursive: true });
+      fs.writeFileSync(path.join(histDir, 'command-history.json'), JSON.stringify([
+        { command: 'build', timestamp: '2026-02-18T00:00:00Z', method: 'queue' },
+      ]));
+
+      const history = runner.getCommandHistory(tempDir);
+      expect(history).toHaveLength(1);
+      expect(history[0].command).toBe('build');
+    });
+
+    it('returns empty array when no history', () => {
+      const history = runner.getCommandHistory(tempDir);
+      expect(history).toEqual([]);
+    });
+  });
+
+  describe('validateCommand', () => {
+    it('accepts valid commands', () => {
+      expect(runner.validateCommand('build')).toBe(true);
+      expect(runner.validateCommand('deploy')).toBe(true);
+      expect(runner.validateCommand('test')).toBe(true);
+    });
+
+    it('rejects invalid commands', () => {
+      expect(runner.validateCommand('')).toBe(false);
+      expect(runner.validateCommand(null)).toBe(false);
+    });
+  });
+});

package/server/lib/cost-tracker.test.js

@@ -151,21 +151,58 @@ describe('Cost Tracker', () => {
 
   describe('getWeeklyCost', () => {
     it('aggregates days in week', () => {
-      // Record costs for multiple days
+      // Use explicit UTC day strings for Mon–Fri of the current UTC week so
+      // the recorded entries are immune to local-vs-UTC boundary differences.
+      // We record two entries and then recompute the expected weekly total using
+      // the same week-window logic the implementation uses, so the assertion is
+      // always self-consistent regardless of timezone or day-of-week.
       const now = new Date();
-      const today = now.toISOString().split('T')[0];
-
-      recordCost(tracker, {
-        agentId: 'agent-1',
-        sessionId: 'session-1',
-        model: 'claude-3-opus',
-        provider: 'anthropic',
-        cost: 1.00,
-        timestamp: now.toISOString(),
-      });
+      const weekStart = new Date(now);
+      weekStart.setDate(now.getDate() - now.getDay());
+      weekStart.setHours(0, 0, 0, 0);
+
+      // Pick up to two UTC day strings from the past 7 days that fall within
+      // the implementation's [weekStart, now] window so we always have at
+      // least one in-range day (or zero if the implementation window is empty,
+      // in which case the expected total is also 0).
+      const candidateDays = [];
+      for (let offset = 1; offset <= 6; offset++) {
+        const d = new Date(now);
+        d.setUTCDate(now.getUTCDate() - offset);
+        d.setUTCHours(12, 0, 0, 0); // noon UTC avoids any day-rollover at midnight
+        const dayStr = d.toISOString().split('T')[0];
+        const dayDate = new Date(dayStr);
+        if (dayDate >= weekStart && dayDate <= now) {
+          candidateDays.push(dayStr);
+          if (candidateDays.length >= 2) break;
+        }
+      }
+
+      // Always record one entry for the exact current moment so that entry is
+      // trivially <= now; whether it passes the weekStart check determines the
+      // expected total.
+      const nowDayStr = now.toISOString().split('T')[0];
+
+      const allDays = [...new Set([...candidateDays, nowDayStr])];
+      let expectedTotal = 0;
+      for (const dayStr of allDays) {
+        const dayDate = new Date(dayStr);
+        const cost = 1.00;
+        recordCost(tracker, {
+          agentId: 'agent-1',
+          sessionId: 'session-1',
+          model: 'claude-3-opus',
+          provider: 'anthropic',
+          cost,
+          timestamp: `${dayStr}T12:00:00.000Z`,
+        });
+        if (dayDate >= weekStart && dayDate <= now) {
+          expectedTotal += cost;
+        }
+      }
 
       const weeklyCost = getWeeklyCost(tracker);
-      assert.ok(weeklyCost >= 1.00);
+      assert.strictEqual(weeklyCost, expectedTotal);
     });
   });
 

package/server/lib/deploy/runners/dependency-runner.js

@@ -0,0 +1,106 @@
+/**
+ * Dependency Runner
+ *
+ * Scans project dependencies using npm audit.
+ * Returns findings with severity, package name, and fix availability.
+ */
+
+import { execFile as defaultExecFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import fs from 'node:fs';
+import path from 'node:path';
+
+const execFileAsync = promisify(defaultExecFile);
+
+/** Severity levels ordered from lowest to highest */
+const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];
+
+/**
+ * Check if a severity meets or exceeds the threshold
+ * @param {string} severity - The vulnerability severity
+ * @param {string} threshold - The minimum severity to fail on
+ * @returns {boolean} True if severity >= threshold
+ */
+function meetsThreshold(severity, threshold) {
+  return SEVERITY_ORDER.indexOf(severity) >= SEVERITY_ORDER.indexOf(threshold);
+}
+
+/**
+ * Create a dependency scanning runner
+ * @param {Object} [deps] - Injectable dependencies for testing
+ * @param {Function} [deps.exec] - Command executor (replaces execFile)
+ * @param {Object} [deps.fs] - File system module
+ * @param {string} [deps.severityThreshold] - Minimum severity to fail on (default: 'high')
+ * @returns {Function} Runner function: (projectPath, options) => { passed, findings, error? }
+ */
+export function createDependencyRunner(deps = {}) {
+  const {
+    exec: execFn,
+    fs: fsMod = fs,
+    severityThreshold = 'high',
+  } = deps;
+
+  return async (projectPath, options = {}) => {
+    // Check if package.json exists
+    const pkgPath = path.join(projectPath, 'package.json');
+    if (!fsMod.existsSync(pkgPath)) {
+      return { passed: true, findings: [] };
+    }
+
+    let stdout;
+    try {
+      if (execFn) {
+        // Injected exec for testing
+        const result = await execFn('npm', ['audit', '--json'], { cwd: projectPath });
+        stdout = result.stdout;
+      } else {
+        // Real exec
+        try {
+          const result = await execFileAsync('npm', ['audit', '--json'], { cwd: projectPath });
+          stdout = result.stdout;
+        } catch (execErr) {
+          // npm audit exits with code 1 when vulnerabilities found — that's expected
+          if (execErr.stdout) {
+            stdout = execErr.stdout;
+          } else {
+            throw execErr;
+          }
+        }
+      }
+    } catch (err) {
+      return { passed: false, findings: [], error: err.message };
+    }
+
+    // Parse the JSON output
+    let auditData;
+    try {
+      auditData = JSON.parse(stdout);
+    } catch {
+      return { passed: false, findings: [], error: 'Failed to parse npm audit output' };
+    }
+
+    const vulnerabilities = auditData.vulnerabilities || {};
+    const findings = [];
+    let hasFailingSeverity = false;
+
+    for (const [name, vuln] of Object.entries(vulnerabilities)) {
+      const finding = {
+        severity: vuln.severity,
+        package: vuln.name || name,
+        title: vuln.title || 'Unknown vulnerability',
+        url: vuln.url || '',
+        fixAvailable: Boolean(vuln.fixAvailable),
+      };
+      findings.push(finding);
+
+      if (meetsThreshold(vuln.severity, severityThreshold)) {
+        hasFailingSeverity = true;
+      }
+    }
+
+    return {
+      passed: !hasFailingSeverity,
+      findings,
+    };
+  };
+}

package/server/lib/deploy/runners/dependency-runner.test.js

@@ -0,0 +1,148 @@
+/**
+ * Dependency Runner Tests
+ */
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { createDependencyRunner } from './dependency-runner.js';
+
+describe('dependency-runner', () => {
+  let execMock;
+  let fsMock;
+  let runner;
+
+  beforeEach(() => {
+    execMock = vi.fn();
+    fsMock = { existsSync: vi.fn().mockReturnValue(true) };
+    runner = createDependencyRunner({ exec: execMock, fs: fsMock });
+  });
+
+  it('passes when npm audit returns no vulnerabilities', async () => {
+    execMock.mockResolvedValue({
+      stdout: JSON.stringify({ vulnerabilities: {} }),
+      exitCode: 0,
+    });
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toEqual([]);
+  });
+
+  it('fails when npm audit finds high-severity vulnerability', async () => {
+    execMock.mockResolvedValue({
+      stdout: JSON.stringify({
+        vulnerabilities: {
+          'bad-pkg': {
+            name: 'bad-pkg',
+            severity: 'high',
+            title: 'Prototype Pollution',
+            url: 'https://npmjs.com/advisories/123',
+            fixAvailable: true,
+          },
+        },
+      }),
+      exitCode: 1,
+    });
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings).toHaveLength(1);
+    expect(result.findings[0].severity).toBe('high');
+    expect(result.findings[0].package).toBe('bad-pkg');
+    expect(result.findings[0].title).toBe('Prototype Pollution');
+  });
+
+  it('passes when only low/moderate vulnerabilities found', async () => {
+    execMock.mockResolvedValue({
+      stdout: JSON.stringify({
+        vulnerabilities: {
+          'ok-pkg': {
+            name: 'ok-pkg',
+            severity: 'moderate',
+            title: 'ReDoS',
+            url: 'https://npmjs.com/advisories/456',
+            fixAvailable: true,
+          },
+        },
+      }),
+      exitCode: 1,
+    });
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toHaveLength(1);
+  });
+
+  it('fails when critical vulnerability found', async () => {
+    execMock.mockResolvedValue({
+      stdout: JSON.stringify({
+        vulnerabilities: {
+          'evil-pkg': {
+            name: 'evil-pkg',
+            severity: 'critical',
+            title: 'RCE',
+            url: 'https://npmjs.com/advisories/789',
+            fixAvailable: false,
+          },
+        },
+      }),
+      exitCode: 1,
+    });
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.findings[0].severity).toBe('critical');
+  });
+
+  it('handles missing package.json', async () => {
+    fsMock.existsSync.mockReturnValue(false);
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toEqual([]);
+  });
+
+  it('handles npm audit JSON parse error', async () => {
+    execMock.mockResolvedValue({
+      stdout: 'not valid json',
+      exitCode: 1,
+    });
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.error).toBeDefined();
+  });
+
+  it('handles npm audit process error', async () => {
+    execMock.mockRejectedValue(new Error('npm not found'));
+
+    const result = await runner('/test/project', {});
+    expect(result.passed).toBe(false);
+    expect(result.error).toContain('npm not found');
+  });
+
+  it('respects configurable severity threshold', async () => {
+    execMock.mockResolvedValue({
+      stdout: JSON.stringify({
+        vulnerabilities: {
+          'bad-pkg': {
+            name: 'bad-pkg',
+            severity: 'high',
+            title: 'Prototype Pollution',
+            url: 'https://npmjs.com/advisories/123',
+            fixAvailable: true,
+          },
+        },
+      }),
+      exitCode: 1,
+    });
+
+    const lenientRunner = createDependencyRunner({
+      exec: execMock,
+      fs: fsMock,
+      severityThreshold: 'critical',
+    });
+
+    const result = await lenientRunner('/test/project', {});
+    expect(result.passed).toBe(true);
+    expect(result.findings).toHaveLength(1);
+  });
+});