xtrm-tools 2.4.3 → 2.4.6

package/config/pi/extensions/main-guard.ts

@@ -1,122 +0,0 @@
-import type { ExtensionAPI, ToolCallEvent } from "@mariozechner/pi-coding-agent";
-import { isToolCallEventType } from "@mariozechner/pi-coding-agent";
-import { SubprocessRunner, EventAdapter, Logger } from "./core/lib";
-import { SAFE_BASH_PREFIXES, DANGEROUS_BASH_PATTERNS } from "./core/guard-rules";
-
-const logger = new Logger({ namespace: "main-guard" });
-
-export default function (pi: ExtensionAPI) {
-	const getProtectedBranches = (): string[] => {
-		const env = process.env.MAIN_GUARD_PROTECTED_BRANCHES;
-		if (env) return env.split(",").map(b => b.trim()).filter(Boolean);
-		return ["main", "master"];
-	};
-
-	const getCurrentBranch = async (cwd: string): Promise<string | null> => {
-		const result = await SubprocessRunner.run("git", ["branch", "--show-current"], { cwd });
-		if (result.code === 0) return result.stdout;
-		return null;
-	};
-
-	const protectedPaths = [".env", ".git/", "node_modules/"];
-
-	pi.on("tool_call", async (event, ctx) => {
-		const cwd = ctx.cwd || process.cwd();
-		
-		// 1. Safety Check: Protected Paths (Global)
-		if (EventAdapter.isMutatingFileTool(event)) {
-			const path = EventAdapter.extractPathFromToolInput(event, cwd);
-			if (path && protectedPaths.some((p) => path.includes(p))) {
-				const reason = `Path "${path}" is protected. Edits to sensitive system files are restricted.`;
-				if (ctx.hasUI) {
-					ctx.ui.notify(`Safety: Blocked edit to protected path`, "error");
-				}
-				return { block: true, reason };
-			}
-		}
-
-		// 2. Safety Check: Dangerous Commands (Global)
-		if (isToolCallEventType("bash", event)) {
-			const cmd = event.input.command.trim();
-			const dangerousRegexes = DANGEROUS_BASH_PATTERNS.map((pattern) => new RegExp(pattern));
-			const dangerousMatch = dangerousRegexes.some((rx) => rx.test(cmd));
-			if (dangerousMatch && !cmd.includes("--help")) {
-				if (ctx.hasUI) {
-					const ok = await ctx.ui.confirm("Dangerous Command", `Allow execution of: ${cmd}?`);
-					if (!ok) return { block: true, reason: "Blocked by user confirmation" };
-				} else {
-					return { block: true, reason: "Dangerous command blocked in non-interactive mode" };
-				}
-			}
-		}
-
-		// 3. Main-Guard: Branch Protection
-		const protectedBranches = getProtectedBranches();
-		const branch = await getCurrentBranch(cwd);
-
-		if (branch && protectedBranches.includes(branch)) {
-			// A. Mutating File Tools on Main
-			if (EventAdapter.isMutatingFileTool(event)) {
-				const reason = `On protected branch '${branch}' — start on a feature branch and claim an issue.\n  git checkout -b feature/<name>\n  bd update <id> --claim\n`;
-				if (ctx.hasUI) {
-					ctx.ui.notify(`Main-Guard: Blocked edit on ${branch}`, "error");
-				}
-				return { block: true, reason };
-			}
-
-			// B. Bash Commands on Main
-			if (isToolCallEventType("bash", event)) {
-				const cmd = event.input.command.trim();
-
-				// Emergency override
-				if (process.env.MAIN_GUARD_ALLOW_BASH === "1") return undefined;
-
-				// Enforce squash-only PR merges
-				if (/^gh\s+pr\s+merge\b/.test(cmd)) {
-					if (!/--squash\b/.test(cmd)) {
-						const reason = "Squash only: use `gh pr merge --squash` (or MAIN_GUARD_ALLOW_BASH=1)";
-						return { block: true, reason };
-					}
-					return undefined;
-				}
-
-				// Safe allowlist
-				const safePrefixRegexes = SAFE_BASH_PREFIXES.map((prefix) =>
-					new RegExp(`^${prefix.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\b`),
-				);
-				const safeResetRegexes = protectedBranches.map((b) => new RegExp(`^git\\s+reset\\s+--hard\\s+origin/${b}\\b`));
-				const SAFE_BASH_PATTERNS = [...safePrefixRegexes, ...safeResetRegexes];
-
-				if (SAFE_BASH_PATTERNS.some(p => p.test(cmd))) {
-					return undefined;
-				}
-
-				// Specific blocks
-				if (/\bgit\s+commit\b/.test(cmd)) {
-					return { block: true, reason: `No commits on '${branch}' — use a feature branch.\n  git checkout -b feature/<name>\n  bd update <id> --claim\n` };
-				}
-
-				if (/\bgit\s+push\b/.test(cmd)) {
-					const tokens = cmd.split(/\s+/);
-					const lastToken = tokens[tokens.length - 1];
-					const explicitProtected = protectedBranches.some(b => lastToken === b || lastToken.endsWith(`:${b}`));
-					const impliedProtected = tokens.length <= 3 && protectedBranches.includes(branch);
-					
-					if (explicitProtected || impliedProtected) {
-						return { block: true, reason: `No direct push to '${branch}' — push a feature branch and open a PR.` };
-					}
-					return undefined;
-				}
-
-				// Default deny
-				const reason = `Bash restricted on '${branch}'. Allowed: git status/log/diff/pull/stash, gh, bd.\n  Exit: git checkout -b feature/<name>\n  Then: bd update <id> --claim\n  Override: MAIN_GUARD_ALLOW_BASH=1 <cmd>\n`;
-				if (ctx.hasUI) {
-					ctx.ui.notify("Main-Guard: Command blocked", "error");
-				}
-				return { block: true, reason };
-			}
-		}
-
-		return undefined;
-	});
-}

package/hooks/session-state.mjs

@@ -1,138 +0,0 @@
-#!/usr/bin/env node
-
-import { execSync } from 'node:child_process';
-import { existsSync, readFileSync, writeFileSync } from 'node:fs';
-import path from 'node:path';
-
-export const SESSION_STATE_FILE = '.xtrm-session-state.json';
-
-export const SESSION_PHASES = [
-  'claimed',
-  'phase1-done',
-  'waiting-merge',
-  'conflicting',
-  'pending-cleanup',
-  'merged',
-  'cleanup-done',
-];
-
-const ALLOWED_TRANSITIONS = {
-  claimed: ['phase1-done', 'waiting-merge', 'conflicting', 'pending-cleanup', 'cleanup-done'],
-  'phase1-done': ['waiting-merge', 'conflicting', 'pending-cleanup', 'cleanup-done'],
-  'waiting-merge': ['conflicting', 'pending-cleanup', 'merged', 'cleanup-done'],
-  conflicting: ['waiting-merge', 'pending-cleanup', 'merged', 'cleanup-done'],
-  'pending-cleanup': ['waiting-merge', 'conflicting', 'merged', 'cleanup-done'],
-  merged: ['cleanup-done'],
-  'cleanup-done': [],
-};
-
-function nowIso() {
-  return new Date().toISOString();
-}
-
-function isValidPhase(phase) {
-  return typeof phase === 'string' && SESSION_PHASES.includes(phase);
-}
-
-function normalizeState(state) {
-  if (!state || typeof state !== 'object') throw new Error('Invalid session state payload');
-  if (!state.issueId || !state.branch || !state.worktreePath) {
-    throw new Error('Session state requires issueId, branch, and worktreePath');
-  }
-  if (!isValidPhase(state.phase)) throw new Error(`Invalid phase: ${String(state.phase)}`);
-
-  return {
-    issueId: String(state.issueId),
-    branch: String(state.branch),
-    worktreePath: String(state.worktreePath),
-    prNumber: state.prNumber ?? null,
-    prUrl: state.prUrl ?? null,
-    phase: state.phase,
-    conflictFiles: Array.isArray(state.conflictFiles) ? state.conflictFiles.map(String) : [],
-    startedAt: state.startedAt || nowIso(),
-    lastChecked: nowIso(),
-  };
-}
-
-function canTransition(from, to) {
-  if (!isValidPhase(from) || !isValidPhase(to)) return false;
-  if (from === to) return true;
-  return (ALLOWED_TRANSITIONS[from] || []).includes(to);
-}
-
-function findAncestorStateFile(startCwd) {
-  let current = path.resolve(startCwd || process.cwd());
-  for (;;) {
-    const candidate = path.join(current, SESSION_STATE_FILE);
-    if (existsSync(candidate)) return candidate;
-    const parent = path.dirname(current);
-    if (parent === current) return null;
-    current = parent;
-  }
-}
-
-function findRepoRoot(cwd) {
-  try {
-    return execSync('git rev-parse --show-toplevel', {
-      encoding: 'utf8',
-      cwd,
-      stdio: ['pipe', 'pipe', 'pipe'],
-      timeout: 5000,
-    }).trim();
-  } catch {
-    return null;
-  }
-}
-
-export function findSessionStateFile(startCwd) {
-  return findAncestorStateFile(startCwd);
-}
-
-export function readSessionState(startCwd) {
-  const filePath = findSessionStateFile(startCwd);
-  if (!filePath) return null;
-
-  try {
-    const parsed = JSON.parse(readFileSync(filePath, 'utf8'));
-    const state = normalizeState(parsed);
-    return { ...state, _filePath: filePath };
-  } catch {
-    return null;
-  }
-}
-
-export function resolveSessionStatePath(cwd) {
-  const existing = findSessionStateFile(cwd);
-  if (existing) return existing;
-
-  const repoRoot = findRepoRoot(cwd);
-  if (repoRoot) return path.join(repoRoot, SESSION_STATE_FILE);
-  return path.join(cwd, SESSION_STATE_FILE);
-}
-
-export function writeSessionState(state, opts = {}) {
-  const cwd = opts.cwd || process.cwd();
-  const filePath = opts.filePath || resolveSessionStatePath(cwd);
-  const normalized = normalizeState(state);
-  writeFileSync(filePath, JSON.stringify(normalized, null, 2) + '\n', 'utf8');
-  return filePath;
-}
-
-export function updateSessionPhase(startCwd, nextPhase, patch = {}) {
-  if (!isValidPhase(nextPhase)) throw new Error(`Invalid phase: ${String(nextPhase)}`);
-  const existing = readSessionState(startCwd);
-  if (!existing) throw new Error('Session state file not found');
-  if (!canTransition(existing.phase, nextPhase)) {
-    throw new Error(`Invalid phase transition: ${existing.phase} -> ${nextPhase}`);
-  }
-
-  const nextState = {
-    ...existing,
-    ...patch,
-    phase: nextPhase,
-  };
-
-  delete nextState._filePath;
-  const filePath = writeSessionState(nextState, { filePath: existing._filePath, cwd: startCwd });
-  return { ...nextState, _filePath: filePath };
-}