vibe-forge 0.8.1 → 0.8.3

package/{bin → src}/lib/daemon/notifications.sh

@@ -1,273 +1,273 @@
-#!/usr/bin/env bash
-#
-# bin/lib/daemon/notifications.sh
-#
-# Daemon notification functions - pending task alerts, attention signals,
-# system toasts, and Heimdall escalation handling
-#
-# Dependencies: colors.sh, constants.sh
-# Globals required: FORGE_ROOT, NOTIFY_FILE, NOTIFIED_FILE, LOG_FILE,
-#                   TASKS_PENDING, TASKS_NEEDS_CHANGES, TASKS_ATTENTION
-
-# Prevent double-sourcing
-[[ -n "${_DAEMON_NOTIFICATIONS_LOADED:-}" ]] && return 0
-_DAEMON_NOTIFICATIONS_LOADED=1
-
-# Node.js frontmatter helper (RT-20260405-001 MEDIUM-5: replaces grep/cut YAML parsing)
-FRONTMATTER_JS="${FRONTMATTER_JS:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/frontmatter.js}"
-
-# Parse a single frontmatter field from a markdown file.
-_notif_fm_field() {
-    node "$FRONTMATTER_JS" "$1" "$2" 2>/dev/null | sed -n "s/^${2}=//p"
-}
-
-# SECURITY: Sanitize message for safe use in shell commands
-# Removes/escapes characters that could cause command injection
-sanitize_notification_message() {
-    local msg="$1"
-    # Remove null bytes
-    msg="${msg//$'\0'/}"
-    # Remove characters that could escape out of string contexts
-    # PowerShell: $, `, ', ", (), {}
-    # osascript: ', ", \, $
-    # We allow: alphanumeric, spaces, periods, commas, colons, hyphens, underscores
-    msg=$(echo "$msg" | tr -cd 'a-zA-Z0-9 .,;:!?_-')
-    # Limit length to prevent buffer issues
-    msg="${msg:0:200}"
-    echo "$msg"
-}
-
-notify() {
-    local message="$1"
-    local urgency="${2:-normal}"  # normal or urgent
-    local timestamp
-    timestamp=$(date -Iseconds)
-
-    # SECURITY: Sanitize before logging to prevent ANSI escape injection and
-    # control-character log poisoning. sanitize_notification_message() strips
-    # everything except alphanumeric, spaces, and safe punctuation.
-    local safe_message
-    safe_message=$(sanitize_notification_message "$message")
-
-    # Log to notifications file
-    echo "[$timestamp] $safe_message" >> "$NOTIFY_FILE"
-
-    # Log to main log
-    echo "[$timestamp] NOTIFY: $safe_message" >> "$LOG_FILE"
-
-    # Terminal bell (works in most terminals)
-    printf '\a'
-
-    # System toast notification for urgent messages
-    if [[ "$urgency" == "urgent" ]]; then
-        send_system_notification "$safe_message"
-    fi
-}
-
-# Send system-level notification (platform-specific)
-send_system_notification() {
-    local message="$1"
-    local title="Vibe Forge"
-
-    # SECURITY: Sanitize message to prevent command injection
-    message=$(sanitize_notification_message "$message")
-
-    case "$(uname -s)" in
-        MINGW*|MSYS*|CYGWIN*)
-            # Windows: Use PowerShell toast notification
-            # SECURITY: Message is sanitized above, title is hardcoded
-            powershell.exe -NoProfile -Command "
-                \$null = [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime]
-                \$template = [Windows.UI.Notifications.ToastNotificationManager]::GetTemplateContent([Windows.UI.Notifications.ToastTemplateType]::ToastText02)
-                \$textNodes = \$template.GetElementsByTagName('text')
-                \$textNodes.Item(0).AppendChild(\$template.CreateTextNode('$title')) | Out-Null
-                \$textNodes.Item(1).AppendChild(\$template.CreateTextNode('$message')) | Out-Null
-                \$toast = [Windows.UI.Notifications.ToastNotification]::new(\$template)
-                [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier('Vibe Forge').Show(\$toast)
-            " 2>/dev/null &
-            ;;
-        Darwin)
-            # macOS: Use osascript
-            # SECURITY: Message is sanitized above
-            osascript -e "display notification \"$message\" with title \"$title\"" 2>/dev/null &
-            ;;
-        Linux)
-            # Linux: Use notify-send if available
-            # SECURITY: notify-send handles escaping, but message is sanitized anyway
-            if command -v notify-send &>/dev/null; then
-                notify-send "$title" "$message" 2>/dev/null &
-            fi
-            ;;
-    esac
-}
-
-check_new_pending_tasks() {
-    # Create notified file if it doesn't exist
-    touch "$NOTIFIED_FILE"
-
-    # Check for new pending tasks
-    for task in "$FORGE_ROOT/$TASKS_PENDING"/*.md; do
-        if [[ -f "$task" && ! -L "$task" ]]; then
-            local filename
-            filename=$(basename "$task")
-
-            # Check if we've already notified about this task
-            if ! grep -qF "$filename" "$NOTIFIED_FILE" 2>/dev/null; then
-                # Extract task info from frontmatter safely
-                local task_id task_title assigned_to
-
-                task_id=$(_notif_fm_field "$task" "id")
-                task_title=$(_notif_fm_field "$task" "title")
-                assigned_to=$(_notif_fm_field "$task" "assigned_to")
-
-                # Use filename as fallback
-                task_id="${task_id:-$filename}"
-                task_title="${task_title:-New task}"
-
-                # Notify
-                if [[ -n "$assigned_to" ]]; then
-                    notify "New task for $assigned_to: $task_title ($task_id)"
-                else
-                    notify "New pending task: $task_title ($task_id)"
-                fi
-
-                # Mark as notified (atomic append)
-                echo "$filename" >> "$NOTIFIED_FILE"
-            fi
-        fi
-    done
-
-    # Also check needs-changes for tasks that need rework
-    for task in "$FORGE_ROOT/$TASKS_NEEDS_CHANGES"/*.md; do
-        if [[ -f "$task" && ! -L "$task" ]]; then
-            local filename
-            filename=$(basename "$task")
-            local notified_key="needs-changes:$filename"
-
-            if ! grep -qF "$notified_key" "$NOTIFIED_FILE" 2>/dev/null; then
-                local task_id assigned_to
-                task_id=$(_notif_fm_field "$task" "id")
-                assigned_to=$(_notif_fm_field "$task" "assigned_to")
-
-                task_id="${task_id:-$filename}"
-
-                if [[ -n "$assigned_to" ]]; then
-                    notify "Task needs changes ($assigned_to): $task_id"
-                else
-                    notify "Task needs changes: $task_id"
-                fi
-
-                echo "$notified_key" >> "$NOTIFIED_FILE"
-            fi
-        fi
-    done
-}
-
-check_attention_needed() {
-    # Check for workers needing attention (urgent notifications)
-    if [[ ! -d "$FORGE_ROOT/$TASKS_ATTENTION" ]]; then
-        return 0
-    fi
-
-    for attention_file in "$FORGE_ROOT/$TASKS_ATTENTION"/*.md; do
-        if [[ -f "$attention_file" && ! -L "$attention_file" ]]; then
-            local filename
-            filename=$(basename "$attention_file")
-            local notified_key="attention:$filename"
-
-            if ! grep -qF "$notified_key" "$NOTIFIED_FILE" 2>/dev/null; then
-                # Extract attention info
-                local agent issue
-                agent=$(_notif_fm_field "$attention_file" "agent")
-                issue=$(node "$FRONTMATTER_JS" --section "$attention_file" "Issue" 2>/dev/null)
-                [[ -z "$issue" ]] && issue=$(grep -m1 "^##" "$attention_file" 2>/dev/null | sed 's/^## *//' | head -c 200)
-
-                agent="${agent:-Unknown}"
-                issue="${issue:-Needs attention}"
-
-                # Ring bell multiple times for attention
-                printf '\a\a\a'
-
-                # Send urgent notification with toast
-                notify "🔔 $agent needs help: $issue" "urgent"
-
-                echo "$notified_key" >> "$NOTIFIED_FILE"
-            fi
-        fi
-    done
-}
-
-# check_heimdall_escalations INBOX_DIR
-# Scans the lab worker inbox for .escalation signal files written by Heimdall
-# when a worker accumulates too many policy violations (Gjallarhorn sounded).
-# Writes an escalation handoff for lab sentinel to route to human review.
-check_heimdall_escalations() {
-    local inbox_dir="$1"
-
-    [[ -d "$inbox_dir" ]] || return 0
-
-    # shopt -s globstar needed for **; fall back to find for compatibility
-    local escalation_files
-    mapfile -t escalation_files < <(find "$inbox_dir" -name "*.escalation" -type f 2>/dev/null)
-
-    for escalation_file in "${escalation_files[@]}"; do
-        [[ -f "$escalation_file" ]] || continue
-
-        local story_id agent_dir agent handoff_dir
-        story_id=$(basename "$escalation_file" .escalation)
-        agent_dir=$(dirname "$escalation_file")
-        agent=$(basename "$agent_dir")
-
-        # Read escalation JSON for violation details
-        local violations last_reason
-        # SECURITY: Pass file path as argv, not string interpolation, to prevent
-        # code injection via crafted filenames (RT-20260405-001 HIGH-1)
-        violations=$(node -e "try{const d=JSON.parse(require('fs').readFileSync(process.argv[1],'utf8'));console.log(d.violations||'?')}catch(e){console.log('?')}" -- "$escalation_file" 2>/dev/null)
-        last_reason=$(node -e "try{const d=JSON.parse(require('fs').readFileSync(process.argv[1],'utf8'));console.log(d.last_reason||'')}catch(e){console.log('')}" -- "$escalation_file" 2>/dev/null)
-
-        echo "[$(date -Iseconds)] HEIMDALL SOUNDED: $agent/$story_id ($violations violations) -- writing escalation handoff" >> "$LOG_FILE"
-
-        # Write escalation handoff for lab sentinel
-        # Lab sentinel routes escalations to human review on next cycle
-        local handoff_dir="$FORGE_ROOT/_vibe-chain-output/handoffs"
-        if [[ -d "$handoff_dir" ]]; then
-            local handoff_file="$handoff_dir/${story_id}-worker-escalation.md"
-            cat > "$handoff_file" << HANDOFF
----
-type: worker-escalation
-story: "$story_id"
-from: forge-daemon
-to: human
-created: $(date -Iseconds)
-status: pending
-agent: "$agent"
-violations: $violations
----
-
-## Heimdall Escalation
-
-Worker \`$agent\` accumulated $violations policy violations on story \`$story_id\`.
-The worker has been halted for this story. Human review required before resubmitting.
-
-## Last Violation
-
-$last_reason
-
-## Audit Log
-
-Full violation history: \`_vibe-chain-output/heimdall-audit.log\`
-
-## Action Required
-
-Review the audit log and decide:
-- Fix the story spec and resubmit
-- Manually complete the work
-- Cancel the story
-HANDOFF
-            echo "[$(date -Iseconds)] Escalation handoff written: $handoff_file" >> "$LOG_FILE"
-        fi
-
-        # Mark escalation as processed so it is not re-processed next cycle
-        mv "$escalation_file" "${escalation_file}.processed" 2>/dev/null || true
-    done
-}
+#!/usr/bin/env bash
+#
+# src/lib/daemon/notifications.sh
+#
+# Daemon notification functions - pending task alerts, attention signals,
+# system toasts, and Heimdall escalation handling
+#
+# Dependencies: colors.sh, constants.sh
+# Globals required: FORGE_ROOT, NOTIFY_FILE, NOTIFIED_FILE, LOG_FILE,
+#                   TASKS_PENDING, TASKS_NEEDS_CHANGES, TASKS_ATTENTION
+
+# Prevent double-sourcing
+[[ -n "${_DAEMON_NOTIFICATIONS_LOADED:-}" ]] && return 0
+_DAEMON_NOTIFICATIONS_LOADED=1
+
+# Node.js frontmatter helper (RT-20260405-001 MEDIUM-5: replaces grep/cut YAML parsing)
+FRONTMATTER_JS="${FRONTMATTER_JS:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/frontmatter.js}"
+
+# Parse a single frontmatter field from a markdown file.
+_notif_fm_field() {
+    node "$FRONTMATTER_JS" "$1" "$2" 2>/dev/null | sed -n "s/^${2}=//p"
+}
+
+# SECURITY: Sanitize message for safe use in shell commands
+# Removes/escapes characters that could cause command injection
+sanitize_notification_message() {
+    local msg="$1"
+    # Remove null bytes
+    msg="${msg//$'\0'/}"
+    # Remove characters that could escape out of string contexts
+    # PowerShell: $, `, ', ", (), {}
+    # osascript: ', ", \, $
+    # We allow: alphanumeric, spaces, periods, commas, colons, hyphens, underscores
+    msg=$(echo "$msg" | tr -cd 'a-zA-Z0-9 .,;:!?_-')
+    # Limit length to prevent buffer issues
+    msg="${msg:0:200}"
+    echo "$msg"
+}
+
+notify() {
+    local message="$1"
+    local urgency="${2:-normal}"  # normal or urgent
+    local timestamp
+    timestamp=$(date -Iseconds)
+
+    # SECURITY: Sanitize before logging to prevent ANSI escape injection and
+    # control-character log poisoning. sanitize_notification_message() strips
+    # everything except alphanumeric, spaces, and safe punctuation.
+    local safe_message
+    safe_message=$(sanitize_notification_message "$message")
+
+    # Log to notifications file
+    echo "[$timestamp] $safe_message" >> "$NOTIFY_FILE"
+
+    # Log to main log
+    echo "[$timestamp] NOTIFY: $safe_message" >> "$LOG_FILE"
+
+    # Terminal bell (works in most terminals)
+    printf '\a'
+
+    # System toast notification for urgent messages
+    if [[ "$urgency" == "urgent" ]]; then
+        send_system_notification "$safe_message"
+    fi
+}
+
+# Send system-level notification (platform-specific)
+send_system_notification() {
+    local message="$1"
+    local title="Vibe Forge"
+
+    # SECURITY: Sanitize message to prevent command injection
+    message=$(sanitize_notification_message "$message")
+
+    case "$(uname -s)" in
+        MINGW*|MSYS*|CYGWIN*)
+            # Windows: Use PowerShell toast notification
+            # SECURITY: Message is sanitized above, title is hardcoded
+            powershell.exe -NoProfile -Command "
+                \$null = [Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime]
+                \$template = [Windows.UI.Notifications.ToastNotificationManager]::GetTemplateContent([Windows.UI.Notifications.ToastTemplateType]::ToastText02)
+                \$textNodes = \$template.GetElementsByTagName('text')
+                \$textNodes.Item(0).AppendChild(\$template.CreateTextNode('$title')) | Out-Null
+                \$textNodes.Item(1).AppendChild(\$template.CreateTextNode('$message')) | Out-Null
+                \$toast = [Windows.UI.Notifications.ToastNotification]::new(\$template)
+                [Windows.UI.Notifications.ToastNotificationManager]::CreateToastNotifier('Vibe Forge').Show(\$toast)
+            " 2>/dev/null &
+            ;;
+        Darwin)
+            # macOS: Use osascript
+            # SECURITY: Message is sanitized above
+            osascript -e "display notification \"$message\" with title \"$title\"" 2>/dev/null &
+            ;;
+        Linux)
+            # Linux: Use notify-send if available
+            # SECURITY: notify-send handles escaping, but message is sanitized anyway
+            if command -v notify-send &>/dev/null; then
+                notify-send "$title" "$message" 2>/dev/null &
+            fi
+            ;;
+    esac
+}
+
+check_new_pending_tasks() {
+    # Create notified file if it doesn't exist
+    touch "$NOTIFIED_FILE"
+
+    # Check for new pending tasks
+    for task in "$FORGE_ROOT/$TASKS_PENDING"/*.md; do
+        if [[ -f "$task" && ! -L "$task" ]]; then
+            local filename
+            filename=$(basename "$task")
+
+            # Check if we've already notified about this task
+            if ! grep -qF "$filename" "$NOTIFIED_FILE" 2>/dev/null; then
+                # Extract task info from frontmatter safely
+                local task_id task_title assigned_to
+
+                task_id=$(_notif_fm_field "$task" "id")
+                task_title=$(_notif_fm_field "$task" "title")
+                assigned_to=$(_notif_fm_field "$task" "assigned_to")
+
+                # Use filename as fallback
+                task_id="${task_id:-$filename}"
+                task_title="${task_title:-New task}"
+
+                # Notify
+                if [[ -n "$assigned_to" ]]; then
+                    notify "New task for $assigned_to: $task_title ($task_id)"
+                else
+                    notify "New pending task: $task_title ($task_id)"
+                fi
+
+                # Mark as notified (atomic append)
+                echo "$filename" >> "$NOTIFIED_FILE"
+            fi
+        fi
+    done
+
+    # Also check needs-changes for tasks that need rework
+    for task in "$FORGE_ROOT/$TASKS_NEEDS_CHANGES"/*.md; do
+        if [[ -f "$task" && ! -L "$task" ]]; then
+            local filename
+            filename=$(basename "$task")
+            local notified_key="needs-changes:$filename"
+
+            if ! grep -qF "$notified_key" "$NOTIFIED_FILE" 2>/dev/null; then
+                local task_id assigned_to
+                task_id=$(_notif_fm_field "$task" "id")
+                assigned_to=$(_notif_fm_field "$task" "assigned_to")
+
+                task_id="${task_id:-$filename}"
+
+                if [[ -n "$assigned_to" ]]; then
+                    notify "Task needs changes ($assigned_to): $task_id"
+                else
+                    notify "Task needs changes: $task_id"
+                fi
+
+                echo "$notified_key" >> "$NOTIFIED_FILE"
+            fi
+        fi
+    done
+}
+
+check_attention_needed() {
+    # Check for workers needing attention (urgent notifications)
+    if [[ ! -d "$FORGE_ROOT/$TASKS_ATTENTION" ]]; then
+        return 0
+    fi
+
+    for attention_file in "$FORGE_ROOT/$TASKS_ATTENTION"/*.md; do
+        if [[ -f "$attention_file" && ! -L "$attention_file" ]]; then
+            local filename
+            filename=$(basename "$attention_file")
+            local notified_key="attention:$filename"
+
+            if ! grep -qF "$notified_key" "$NOTIFIED_FILE" 2>/dev/null; then
+                # Extract attention info
+                local agent issue
+                agent=$(_notif_fm_field "$attention_file" "agent")
+                issue=$(node "$FRONTMATTER_JS" --section "$attention_file" "Issue" 2>/dev/null)
+                [[ -z "$issue" ]] && issue=$(grep -m1 "^##" "$attention_file" 2>/dev/null | sed 's/^## *//' | head -c 200)
+
+                agent="${agent:-Unknown}"
+                issue="${issue:-Needs attention}"
+
+                # Ring bell multiple times for attention
+                printf '\a\a\a'
+
+                # Send urgent notification with toast
+                notify "🔔 $agent needs help: $issue" "urgent"
+
+                echo "$notified_key" >> "$NOTIFIED_FILE"
+            fi
+        fi
+    done
+}
+
+# check_heimdall_escalations INBOX_DIR
+# Scans the lab worker inbox for .escalation signal files written by Heimdall
+# when a worker accumulates too many policy violations (Gjallarhorn sounded).
+# Writes an escalation handoff for lab sentinel to route to human review.
+check_heimdall_escalations() {
+    local inbox_dir="$1"
+
+    [[ -d "$inbox_dir" ]] || return 0
+
+    # shopt -s globstar needed for **; fall back to find for compatibility
+    local escalation_files
+    mapfile -t escalation_files < <(find "$inbox_dir" -name "*.escalation" -type f 2>/dev/null)
+
+    for escalation_file in "${escalation_files[@]}"; do
+        [[ -f "$escalation_file" ]] || continue
+
+        local story_id agent_dir agent handoff_dir
+        story_id=$(basename "$escalation_file" .escalation)
+        agent_dir=$(dirname "$escalation_file")
+        agent=$(basename "$agent_dir")
+
+        # Read escalation JSON for violation details
+        local violations last_reason
+        # SECURITY: Pass file path as argv, not string interpolation, to prevent
+        # code injection via crafted filenames (RT-20260405-001 HIGH-1)
+        violations=$(node -e "try{const d=JSON.parse(require('fs').readFileSync(process.argv[1],'utf8'));console.log(d.violations||'?')}catch(e){console.log('?')}" -- "$escalation_file" 2>/dev/null)
+        last_reason=$(node -e "try{const d=JSON.parse(require('fs').readFileSync(process.argv[1],'utf8'));console.log(d.last_reason||'')}catch(e){console.log('')}" -- "$escalation_file" 2>/dev/null)
+
+        echo "[$(date -Iseconds)] HEIMDALL SOUNDED: $agent/$story_id ($violations violations) -- writing escalation handoff" >> "$LOG_FILE"
+
+        # Write escalation handoff for lab sentinel
+        # Lab sentinel routes escalations to human review on next cycle
+        local handoff_dir="$FORGE_ROOT/_vibe-chain-output/handoffs"
+        if [[ -d "$handoff_dir" ]]; then
+            local handoff_file="$handoff_dir/${story_id}-worker-escalation.md"
+            cat > "$handoff_file" << HANDOFF
+---
+type: worker-escalation
+story: "$story_id"
+from: forge-daemon
+to: human
+created: $(date -Iseconds)
+status: pending
+agent: "$agent"
+violations: $violations
+---
+
+## Heimdall Escalation
+
+Worker \`$agent\` accumulated $violations policy violations on story \`$story_id\`.
+The worker has been halted for this story. Human review required before resubmitting.
+
+## Last Violation
+
+$last_reason
+
+## Audit Log
+
+Full violation history: \`_vibe-chain-output/heimdall-audit.log\`
+
+## Action Required
+
+Review the audit log and decide:
+- Fix the story spec and resubmit
+- Manually complete the work
+- Cancel the story
+HANDOFF
+            echo "[$(date -Iseconds)] Escalation handoff written: $handoff_file" >> "$LOG_FILE"
+        fi
+
+        # Mark escalation as processed so it is not re-processed next cycle
+        mv "$escalation_file" "${escalation_file}.processed" 2>/dev/null || true
+    done
+}