mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-22 04:38:24 +08:00
7ca04d8ef0
* fix(gstack-paths): guard CLAUDE_PLUGIN_DATA against cross-plugin contamination (#1569) gstack-paths previously trusted CLAUDE_PLUGIN_DATA as a fallback for GSTACK_STATE_ROOT whenever GSTACK_HOME was unset. When another plugin (e.g. Codex) persists its own CLAUDE_PLUGIN_DATA into the session env via CLAUDE_ENV_FILE, gstack picked it up and wrote checkpoints, analytics, and learnings into that plugin's directory. Anyone with the Codex plugin installed alongside gstack hit this silently. Fix: guard the CLAUDE_PLUGIN_DATA branch so it only fires when CLAUDE_PLUGIN_ROOT confirms we're running as the gstack plugin (path contains "gstack"). Skill installs fall through to \$HOME/.gstack. Contributed by @ElliotDrel via #1570. Closes #1569. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(gbrain-sync): sourceLocalPath handles wrapped {sources:[...]} shape from gbrain v0.20+ gbrain v0.20+ changed `gbrain sources list --json` to return {sources: [...]} instead of a flat array. sourceLocalPath crashed upstream with `list.find is not a function` on every /sync-gbrain invocation against modern gbrain. Accept both shapes for forward/backward compat, matching probeSource/sourcePageCount in lib/gbrain-sources.ts. Contributed by @jakehann11 via #1571. Closes #1567. Supersedes #1564 (@tonyjzhou, same fix, different shape — credit retained). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(brain-context-load): probe gbrain via execFile, not shell builtin (#1559) gbrainAvailable() used `execFileSync("command", ["-v", "gbrain"])`, which fails in any environment where the `command` builtin isn't on the spawned process's PATH (most non-interactive shells). The probe then reported gbrain as missing even when it was installed, and context-load silently skipped vector/list queries. Fix: probe `gbrain --version` directly with a 500ms timeout (matching the rest of the file's MCP_TIMEOUT_MS). Same semantics, works everywhere execFile works. Contributed by @jbetala7 via #1560. Closes #1559. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(gbrain-doctor): pin schema_version:2 doctor parse path (#1418) Adds an exec-path regression test that runs a fake gbrain shim emitting the v0.25+ doctor JSON shape (schema_version: 2, status: "warnings", exit 1 for health_score < 100, no top-level `engine` field). Confirms freshDetectEngineTier recovers stdout from the non-zero exit and falls back to GBRAIN_HOME/config.json for the engine label. The pre-existing test for #1415 only stripped gbrain from PATH; this test exercises the actual doctor parse path, closing the gap that codex's plan review flagged. Also documents the schema_version separation in lib/gbrain-local-status.ts: the local CacheEntry stays at version 1, distinct from the doctor-output schema_version which we accept across versions in gstack-memory-helpers. Closes #1418 (credit @mvanhorn for surfacing the doctor + schema_v2 collapse). The fix landed pre-emptively in v1.29.x; this commit pins it with a stronger test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(memory-ingest): pin put_page regression + scrub stale name from --help and comments (#1346) #1346 reported that gstack-memory-ingest still called the renamed gbrain put_page subcommand on gbrain v0.18+. The actual code migrated to `gbrain put` and later to batch `gbrain import <dir>` before this report landed — only documentation lag remained. This commit: - Updates the --help string ("Skip gbrain put calls (still updates state file)") so user-facing docs match the shipped subcommand - Updates two inline comments that still referenced the old name - Adds test/memory-ingest-no-put_page.test.ts: a regression pin that strips comments from bin/gstack-memory-ingest.ts and fails the build if "put_page" appears in any active code or string literal, plus a sanity check that the file still calls a supported gbrain page-write verb (put or import) Closes #1346. Reporter @kylma-code surfaced the doc lag; the original code migration credit is on the v1.27.x wave. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(resolvers): rewrite all gbrain put_page instructions to canonical put <slug> scripts/resolvers/gbrain.ts emitted user-facing copy-paste instructions using the renamed `gbrain put_page` subcommand across 10 skills (office-hours, investigate, plan-ceo-review, retro, plan-eng-review, ship, cso, design-consultation, fallback, entity-stub). Every gstack user copying those snippets hit "unknown command: put_page" on gbrain v0.18+. This commit: - Rewrites all 10 instruction templates to use `gbrain put <slug> --content "$(cat <<EOF...EOF)"` with title/tags moved into YAML frontmatter inside --content, matching the v0.18+ subcommand shape - Updates README.md and USING_GBRAIN_WITH_GSTACK.md "common commands" table to reference `gbrain put` and `gbrain get` - Adds test/resolvers-gbrain-put-rewrite.test.ts pinning two invariants: (a) resolver source ships only canonical instructions, (b) every tracked SKILL.md file is free of `gbrain put_page` CHANGELOG entries are deliberately left untouched (historical record). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(build): extract package.json build to scripts/build.sh for Windows Bun compat (#1538, #1537, #1530, #1457, #1561) Bun's Windows shell parser rejects multiple constructs the inline package.json build chain used: brace groups `{ cmd; }`, subshells with redirection `( git ... ) > path/.version`, and (in Bun 1.3.x) subshells near redirections in general. Every Windows install + every auto-upgrade since v1.34.2.0 has failed on `bun run build`. Extracts the build chain to scripts/build.sh and the .version writes to scripts/write-version-files.sh. POSIX-portable, no Bun shell parsing involved. Also adds Windows-specific bun.exe handling for non-ASCII PATHs (a separate Windows footgun where Bun's --compile fails when the binary lives under a path with non-ASCII chars). Updates test/build-script-shell-compat.test.ts to assert the new shape: no subshells with redirections anywhere in the build chain, and build delegates to scripts/build.sh which delegates .version writes. Contributed by @Charlie-El via #1544. Supersedes #1531 (@scarson, fixed in build helper), #1480 (@mikepsinn, partial overlap), #1460 (@realcarsonterry, brace-group fix subsumed) — credit retained. Closes #1538, #1537, #1530, #1457, #1561. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(windows): .exe glob in .gitignore + .exe extension resolution in find-browse (#1554) bun build --compile on Windows appends .exe to the output filename, producing browse.exe instead of browse. find-browse's existsSync probe only checked the bare path and returned null on Windows even when the binary was correctly built. .gitignore similarly only excluded the bare bin/gstack-global-discover path, leaving the .exe variant tracked. This commit: - .gitignore: changes `bin/gstack-global-discover` → `bin/gstack-global-discover*` so the Windows .exe variant is ignored - browse/src/find-browse.ts: adds isExecutable + findExecutable helpers that fall back to .exe/.cmd/.bat probing on Windows, mirroring the same helper already in make-pdf/src/browseClient.ts and pdftotext.ts Contributed by @Mike-E-Log via #1554. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * ci(windows): add fresh-install E2E gate that runs bun run build on windows-latest Adds .github/workflows/windows-setup-e2e.yml as the gate that catches Bun shell-parser regressions in the build chain before they reach users. Triggers on PRs touching package.json, scripts/build.sh, scripts/write-version-files.sh, setup, browse cli/find-browse, or gstack-paths. What it verifies: 1. bun run build completes on Windows (the previously-broken path that #1538/#1537/#1530/#1457/#1561 reported) 2. All compiled binaries land on disk (browse.exe, find-browse.exe, design.exe, gstack-global-discover.exe) 3. find-browse resolves to the .exe variant on Windows (regression gate for #1554) 4. gstack-paths returns non-empty GSTACK_STATE_ROOT/PLAN_ROOT/TMP_ROOT on Windows (regression gate for #1570) Complements the existing windows-free-tests.yml (curated unit subset); this new workflow exercises the install path itself. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(codex): move diff scope into prompt instead of --base (Codex CLI 0.130+ argv conflict) (#1209) Codex CLI ≥ 0.130.0 rejects passing a custom prompt and --base together (mutually exclusive at argv level). Every /codex review, /review, and /ship structured Codex review call ended with an argv error before the model ran. Fix: scope the diff in prompt text using "Run git diff origin/<base>...HEAD 2>/dev/null || git diff <base>...HEAD" instead of `--base <base>`. Preserves the filesystem boundary instruction across all invocations and keeps Codex's review prompt tuning. Touches: - codex/SKILL.md.tmpl + regenerated codex/SKILL.md - scripts/resolvers/review.ts + regenerated review/SKILL.md, ship/SKILL.md - test/gen-skill-docs.test.ts: new regression that fails if any of the five known files still contain the prompt+--base shape - test/skill-validation.test.ts: corresponding negative + positive pin on the rendered SKILL.md files Contributed by @jbetala7 via #1209. Closes #1479. Supersedes #1527 (@mvanhorn — same intent, different patch shape, CONFLICTING) and #1449 (@Gujiassh — broader refactor, CONFLICTING). Credit retained in CHANGELOG. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(review): diff from git merge-base, not git diff origin/<base> (#1492) git diff origin/<base> shows everything since the common ancestor in both directions — it includes commits that landed on origin/<base> after this branch was created as deletions. That made /review and /ship's pre-landing structured review report inflated diff totals and flagged "removed" code that was actually still present in the working tree. Fix: compute DIFF_BASE via git merge-base origin/<base> HEAD and diff the working tree against that point. Same coverage of uncommitted edits, no phantom deletions from out-of-order base advancement. Applies to /review's Step 1 (diff existence check), Step 3 (get the diff), the build-on-intent scope-creep check, the structured review DIFF_INS/DIFF_DEL stats, and the Claude adversarial subagent prompt. Same change flows into ship/SKILL.md via the shared resolver. Touches: - review/SKILL.md.tmpl + regenerated review/SKILL.md, ship/SKILL.md - scripts/resolvers/review.ts - scripts/resolvers/review-army.ts Contributed by @mvanhorn via #1492. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(codex): pin filesystem-boundary preservation across all codex review surfaces (#1503, #1522) #1503 reported that the bare codex review --base path stripped the filesystem boundary instruction, letting Codex spend tokens reading .claude/skills/ and agents/. #1522 proposed adding a skill-path detector that switched to the custom-instructions route when the diff touched skill files. After C10 (#1209) restructured codex review to always carry the boundary in the prompt (the prompt+--base argv conflict forced the restructure), the skill-path detector becomes redundant — every default call already preserves the boundary. This commit pins the post-#1209 invariant with a test that fails the build if any future refactor strips the boundary from codex/SKILL.md, review/SKILL.md, or ship/SKILL.md. Closes #1503 by regression test. #1522 (@genisis0x) is superseded by #1209 (the prompt rewrite covers its safety concern); credit retained in CHANGELOG. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(skills): use command -v instead of which for codex detection (#1197) `which` is not on PATH in every shell — some Windows shells, BusyBox- only containers, and minimal CI images all fail when skills probe codex availability via `which codex`. `command -v` is a POSIX builtin and always available where the skill is running. Touched: - codex/SKILL.md.tmpl: CODEX_BIN=$(command -v codex || echo "") - scripts/resolvers/review.ts and scripts/resolvers/design.ts: 3 + 3 sites each rewritten to `command -v codex >/dev/null 2>&1` - Regenerated all 10 affected SKILL.md files (codex, review, ship, design-consultation, design-review, office-hours, plan-ceo-review, plan-design-review, plan-devex-review, plan-eng-review) - test/skill-validation.test.ts: updated pin + defensive regression test that fails if `which codex` returns to codex/SKILL.md - test/skill-e2e-plan.test.ts: updated summary regex Contributed by @mvanhorn via #1197. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(codex): surface non-zero exits so wrappers stop reading as silent stalls (#1467, #1327) When codex exits non-zero (parse errors, arg-shape breaks, model API errors that propagate as non-zero status), the calling agent previously saw an empty output and burned 30-60 minutes misdiagnosing as a silent model/API stall. The hang-detection block only caught exit 124 (the timeout-wrapper signal). Adds elif blocks in all four codex invocation sites (Review default, Challenge, Consult new-session, Consult resume) that: - Echo "[codex exit N] <stderr first line>" to stdout - Indent the first 20 stderr lines for inline context - Log codex_nonzero_exit telemetry tagged with the call site Contributed by @genisis0x via #1467. Closes #1327. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(design): disclose OpenAI key source + warn on cwd .env match (#1278, closes #1248) The design binary previously called process.env.OPENAI_API_KEY without checking where the key came from. If a user ran $D inside someone else's project that had OPENAI_API_KEY in its .env, the resulting generation billed that project's account. Silent and irreversible. Fix: resolveApiKeyInfo() returns both the key and its source. When the env-var path matches an OPENAI_API_KEY entry in the current directory's .env, .env.<NODE_ENV>, or .env.local file, we set a warning. requireApiKey() prints "Using OpenAI key from <source>" plus the warning before the run — never the key itself. Adds 6 unit tests covering: config-vs-env precedence, env-only (no match), env+cwd .env match, quoted/exported values, value-mismatch (no false positive), and the no-leak invariant for requireApiKey stderr output. Contributed by @jbetala7 via #1278. Closes #1248. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(browse): guard full-page screenshots against Anthropic vision API >2000px brick (#1214) Full-page screenshots of tall pages routinely exceeded 2000px on the longest dimension, silently bricking the agent's session: the resulting base64 reached the Anthropic vision API which rejected the oversized image, leaving the agent burning turns on a useless blob with no stderr trace from the browse side. Adds browse/src/screenshot-size-guard.ts as a shared helper: - guardScreenshotBuffer(buf) → downscales in-memory if max(w,h) > 2000 - guardScreenshotPath(path) → file-mode variant that rewrites in place - Aspect ratio preserved via sharp's resize fit:inside - Stderr diagnostic on any downscale so callers can see when it fired - Lazy sharp import so non-screenshot paths pay no startup cost Wires the guard into all three full-page callsites codex review flagged: - browse/src/snapshot.ts: annotated + heatmap fullPage captures - browse/src/meta-commands.ts: screenshot command (path + base64 fullPage modes) plus the responsive 3-viewport sweep - browse/src/write-commands.ts: prettyscreenshot fullPage path Covers seven unit cases (pass-through, downscale, aspect ratio, exactly-2000px edge, file-mode rewrite) plus a static invariant test that fails the build if any of the three callsites stops importing the guard. Closes #1214. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(security): add Node sidecar entry for L4 prompt-injection classifier (#1370) The L4 TestSavant classifier in browse/src/security-classifier.ts can't be imported into the compiled browse server (onnxruntime-node dlopen fails from Bun's compile extract dir per CLAUDE.md). The agent that used to host it (sidebar-agent.ts) was removed when the PTY proved out — leaving the classifier file shipped but with zero callers. Exactly the gap codex flagged in #1370. Adds browse/src/security-sidecar-entry.ts: a Node script that runs the classifier as a subprocess of the browse server. It reads NDJSON requests from stdin and writes id-correlated NDJSON responses to stdout, supporting: - op: "scan-page-content" — full L4 classifier scan - op: "ping" — liveness probe for the client's health check - op: "status" — classifier readiness (used by /pty-inject-scan to surface l4 { available: bool } in its response) Plus browse/src/find-security-sidecar.ts: a resolver that locates node + the bundled JS entry (browse/dist/security-sidecar.js, built in a follow-up package.json change) or falls back to the dev TS entry. Returns null cleanly when node isn't on PATH so the calling endpoint can degrade per D7 (extension WARN + user confirm). C17 of the security-stack wave. C18 adds the IPC client + lifecycle management; C19 wires the endpoint; C20 routes the extension through it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(security): sidecar IPC client with lifecycle + circuit breaker (#1370) Adds browse/src/security-sidecar-client.ts to manage the Node L4 classifier subprocess from the compiled browse server: - Lazy spawn on first scan; reuses the same process across requests - Id-correlated request/response via NDJSON over stdio - 5s default per-scan timeout; 64KB payload cap (short-circuits before spawn so oversized requests don't waste a process) - 3-in-10-minutes respawn cap → trips circuit breaker; subsequent scans throw immediately so the /pty-inject-scan endpoint can surface l4 { available: false } to the extension and degrade to WARN+confirm - process.on('exit') sends SIGTERM to the child for clean teardown - isSidecarAvailable() lets the endpoint probe before scan calls so the response shape reflects degraded mode honestly Unit tests cover the payload cap, the availability probe, and the breaker-doesn't-crash invariant under repeated rejected calls. C18 of the security-stack wave. C19 adds POST /pty-inject-scan; C20 routes the extension through it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(security): add POST /pty-inject-scan endpoint for pre-PTY-inject scans (#1370) The sidebar's gstackInjectToTerminal callers (toolbar Cleanup, Inspector "Send to Code") were piping page-derived text directly into the live claude PTY with ZERO classifier processing — the gap codex flagged in #1370. The documented sidebar security stack had a hole the size of every Cleanup-button click. Adds POST /pty-inject-scan to browse/src/server.ts: - Local-only binding (NOT in TUNNEL_PATHS — tunnel attempts get the general 404 path; never reaches the scan logic) - Root-token auth via existing validateAuth() — 401 on unauth - 64KB request cap → 413 + payload-too-large body - 5s scan timeout via sidecar client - URL-blocklist forced to BLOCK in PTY context (page-derived REPL input is higher-risk than ordinary tool output) - L4 ML classifier via the sidecar when available; degrades to WARN per D7 when sidecar is unavailable - Response goes through JSON.stringify(..., sanitizeReplacer) per v1.38.0.0 Unicode-egress hardening - Imports only from security-sidecar-client.ts, never directly from security-classifier.ts (which would brick the compiled Bun binary) Seven static-invariant tests pin the POST verb, auth gate, 64KB cap, tunnel-listener exclusion, sanitizeReplacer wrapping, l4 availability shape, and the no-direct-classifier-import rule. C19 of the security-stack wave. C20 routes the extension through it; C21 adds the invariant AST check. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(extension): route gstackInjectToTerminal through /pty-inject-scan (#1370) Closes the documented-vs-shipped gap codex flagged in #1370. The sidebar's two PTY-injection call sites (Inspector "Send to Code" and toolbar Cleanup) now pre-scan via the new /pty-inject-scan endpoint before writing to the live claude REPL. Adds window.gstackScanForPTYInject(text, origin) to extension/sidepanel-terminal.js: - Async, returns { allow, verdict, reasons, l4 } - POST to /pty-inject-scan with the existing root-token auth - WARN+confirm on scan failure (network down, sidecar absent, etc.) rather than silent PASS — D7 honest-degradation gstackInjectToTerminal stays synchronous, returns boolean. Per D6: keeping the inject sync means existing `const ok = ...?.()` callers don't break, and the invariant test in test/extension-pty-inject-invariant.test.ts can statically pin that every call goes through the scan first. extension/sidepanel.js call sites updated: - inspectorSendBtn click → await scan, BLOCK drops + WARN prompts via window.confirm, PASS injects silently - runCleanup() → same flow. Static cleanup prompt always PASSes but still routes through scan to honor the invariant. C20 of the security-stack wave. C21 adds the static invariant test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(security): invariant — extension PTY inject must be scan-gated (#1370) Static-analysis invariant test that fails the build if any extension/*.js path calls window.gstackInjectToTerminal without a preceding window.gstackScanForPTYInject in the same enclosing function. Closes the documented-vs-shipped gap codex demanded a machine check on. Rules: - Rule 1: any file that calls inject must also reference scan - Rule 2: in the enclosing function (function declaration, arrow, async (), event handler), a scan call must appear before the inject call by source position - Exemption: sidepanel-terminal.js (the file that DEFINES the inject function) is exempt from Rule 2 since the definition is not a call Plus two structural checks: - sidepanel-terminal.js defines both the inject and scan functions - inject stays SYNCHRONOUS (no `async` modifier) per D6 — async would silently break the `const ok = ...?.()` pattern at every caller C21 of the security-stack wave. The sidecar architecture (#1370) is complete: server-side L1-L3 + L4-via-sidecar (C17+C18+C19), extension pre-scan wiring (C20), and now the regression gate (C21). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * feat(browse): opt-in extended stealth mode with 6 detection-vector patches (#1112) Rebases @garrytan's PR #1112 (Apr 2026, abandoned) onto the current browse/src/stealth.ts contract. The existing minimal "codex narrowed" stealth (webdriver-mask + AutomationControlled launch arg) stays the default. PR #1112's six additional patches are added behind an opt-in GSTACK_STEALTH=extended env flag. Extended-mode patches (applied AFTER the default mask, in order): 1. delete navigator.webdriver from prototype (not just the getter — detectors check `"webdriver" in navigator`) 2. WebGL renderer spoof to Apple M1 Pro (SwiftShader was the #1 software-GPU tell in containers) 3. navigator.plugins returns a PluginArray-prototype-passing array with MimeType objects and namedItem() 4. window.chrome populated with chrome.app, chrome.runtime, chrome.loadTimes(), chrome.csi() with realistic shapes 5. navigator.mediaDevices backfilled when headless drops it 6. CDP cdc_*-prefixed window globals cleared Why opt-in: the default mode's contract is fingerprint CONSISTENCY, which protects against detectors that flag spoofing mismatch. Extended mode actively lies about the environment; sites that reflect on these properties can break. Users who hit detection in default mode can flip GSTACK_STEALTH=extended for SannySoft 100% pass-rate. Twenty unit tests pin the env-flag semantics, all six patches' code presence, and the applyStealth wiring order. Live SannySoft pass-rate verification stays in the periodic-tier E2E suite. Contributed by @garrytan via #1112 (rebased — original PR opened before the codex-narrowed minimum landed; rebase preserves the narrowed default while adding the SannySoft-passing path as opt-in). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(fixtures): regenerate ship-SKILL.md golden baselines after C10-C13 + C16 templates Updates the three ship-SKILL.md golden baselines (claude, codex, factory hosts) to match the new shape produced by: - C10 #1209 codex argv (prompt + diff scope, no --base) - C11 #1492 merge-base diff (DIFF_BASE= preamble) - C13 #1197 command -v for codex detection - C12 + boundary preservation per regen-enforcing test Per CLAUDE.md SKILL.md workflow: edit the .tmpl, run gen:skill-docs, commit the regenerated outputs together. Goldens are part of the regen contract — without this commit, test/host-config.test.ts' golden-baseline checks fail with the diff codex review surfaced. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(release): v1.41.0.0 — Daegu wave (24 bisect commits, 14 user-facing fixes) Bumps VERSION 1.40.0.0 → 1.41.0.0. CHANGELOG entry follows the release-summary format in CLAUDE.md: two-line headline, lead paragraph, "The numbers that matter" table, "What this means for builders" closer, then itemized Added/Changed/Fixed/For contributors with inline credit to every PR author and original issue reporter. Scale-aware bump per CLAUDE.md: 24 commits, ~6000 LOC net, substantial new capability across security (PTY sidecar wiring), install (Windows build chain), compat (gbrain 0.18-0.35, Codex CLI 0.130+), and quality (screenshot guard, design key disclosure, extended stealth opt-in). MINOR is the right call. Closes for users: #1567, #1559, #1569, #1346, #1418, #1538, #1537, #1530, #1457, #1561, #1554, #1479, #1503, #1248, #1214, #1370, #1327, #1193 pattern, #1152 pattern. Credit retained inline. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(find-browse): resolve source-checkout layout <git-root>/browse/dist/browse[.exe] windows-setup-e2e.yml runs `bun browse/src/find-browse.ts` against a freshly-built repo where binaries land at browse/dist/browse.exe (no .claude/skills/gstack/ install layout). The previous markers chain only matched .codex/.agents/.claude prefixed paths, so find-browse exited "not found" even when the binary was present. Adds a source-checkout fallback after the marker scan: if no installed layout resolves but <git-root>/browse/dist/browse[.exe] exists, return that. Three real callers hit this path: - gstack repo dev workflow before `./setup` runs - windows-setup-e2e.yml CI (the breakage that surfaced this) - make-pdf consumers running from a sibling source checkout Smoke-verified: a fresh git repo with browse/dist/browse on disk now resolves through the source-checkout branch (was returning null before this commit). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(release): bump v1.41.0.0 → v1.42.0.0 to clear queue collision with #1574 The version-gate workflow flagged a collision: PR #1574 (garrytan/colombo-v3) already claims v1.41.0.0, and #1592 (fix/audit-critical-high-bugs) claims v1.41.1.0. Per CLAUDE.md's workspace-aware ship rule, queue-advancing past a claimed version within the same bump level is permitted — MINOR work landing on top of a queued MINOR still reads as MINOR relative to main. Util's suggested next slot is v1.42.0.0; taking it. CHANGELOG entry header bumped + dated 2026-05-19; entry body unchanged (same wave content, same credit list). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
943 lines
38 KiB
TypeScript
943 lines
38 KiB
TypeScript
#!/usr/bin/env bun
|
|
/**
|
|
* gstack-gbrain-sync — V1 unified sync verb.
|
|
*
|
|
* Orchestrates three storage tiers per plan §"Storage tiering":
|
|
*
|
|
* 1. Code (current repo) → `gbrain sources add` (idempotent via
|
|
* lib/gbrain-sources.ts) + `gbrain sync
|
|
* --strategy code` (incremental) or
|
|
* `gbrain reindex-code --yes` (--full).
|
|
* NEVER `gbrain import` (markdown only).
|
|
* 2. Transcripts + curated memory → gstack-memory-ingest (typed put_page)
|
|
* 3. Curated artifacts to git → gstack-brain-sync (existing pipeline)
|
|
*
|
|
* Modes:
|
|
* --incremental (default) — mtime fast-path; runs all 3 stages with cache hits
|
|
* --full — first-run; full walk + reindex; honest budget per ED2
|
|
* --dry-run — preview what would sync; no writes anywhere (incl. state file)
|
|
*
|
|
* Concurrency safety per /plan-eng-review D1:
|
|
* - Lock file at ~/.gstack/.sync-gbrain.lock (PID + start ts).
|
|
* - Stale-lock takeover after 5 min (process death).
|
|
* - State file written via tmp+rename for atomicity.
|
|
* - Lock released in finally; SIGINT/SIGTERM trapped for cleanup.
|
|
*
|
|
* --watch (V1.5 P0 TODO): file-watcher daemon. NOTE: gbrain v0.25.1 already
|
|
* ships `gbrain sync --watch [--interval N]` and `gbrain sync --install-cron`;
|
|
* when revisited, /sync-gbrain --watch wires through to the gbrain CLI rather
|
|
* than building a gstack-side daemon.
|
|
*/
|
|
|
|
import { existsSync, statSync, mkdirSync, writeFileSync, readFileSync, unlinkSync, renameSync } from "fs";
|
|
import { join, dirname } from "path";
|
|
import { execSync, spawnSync } from "child_process";
|
|
import { homedir, hostname } from "os";
|
|
import { createHash } from "crypto";
|
|
|
|
import "../lib/conductor-env-shim";
|
|
import { detectEngineTier, withErrorContext, canonicalizeRemote } from "../lib/gstack-memory-helpers";
|
|
import { ensureSourceRegistered, sourcePageCount } from "../lib/gbrain-sources";
|
|
import { localEngineStatus, type LocalEngineStatus } from "../lib/gbrain-local-status";
|
|
import { buildGbrainEnv, spawnGbrain, execGbrainJson } from "../lib/gbrain-exec";
|
|
|
|
// ── Types ──────────────────────────────────────────────────────────────────
|
|
|
|
type Mode = "incremental" | "full" | "dry-run";
|
|
|
|
interface CliArgs {
|
|
mode: Mode;
|
|
quiet: boolean;
|
|
noCode: boolean;
|
|
noMemory: boolean;
|
|
noBrainSync: boolean;
|
|
codeOnly: boolean;
|
|
}
|
|
|
|
interface CodeStageDetail {
|
|
source_id?: string;
|
|
source_path?: string;
|
|
page_count?: number | null;
|
|
last_imported?: string;
|
|
status?: "ok" | "skipped" | "failed";
|
|
}
|
|
|
|
interface StageResult {
|
|
name: string;
|
|
ran: boolean;
|
|
ok: boolean;
|
|
duration_ms: number;
|
|
summary: string;
|
|
/** Stage-specific structured detail. Code stage carries source_id + page_count. */
|
|
detail?: CodeStageDetail;
|
|
}
|
|
|
|
// ── Constants ──────────────────────────────────────────────────────────────
|
|
|
|
const HOME = homedir();
|
|
const GSTACK_HOME = process.env.GSTACK_HOME || join(HOME, ".gstack");
|
|
const STATE_PATH = join(GSTACK_HOME, ".gbrain-sync-state.json");
|
|
const LOCK_PATH = join(GSTACK_HOME, ".sync-gbrain.lock");
|
|
const STALE_LOCK_MS = 5 * 60 * 1000;
|
|
|
|
// ── CLI ────────────────────────────────────────────────────────────────────
|
|
|
|
function printUsage(): void {
|
|
console.error(`Usage: gstack-gbrain-sync [--incremental|--full|--dry-run] [options]
|
|
|
|
Modes:
|
|
--incremental Default. mtime fast-path; ~50ms steady-state.
|
|
--full First-run; full walk + reindex. Honest ~25-35 min for big Macs (ED2).
|
|
--dry-run Preview what would sync; no writes anywhere.
|
|
|
|
Options:
|
|
--quiet Suppress per-stage output.
|
|
--no-code Skip the cwd code-import stage.
|
|
--no-memory Skip the gstack-memory-ingest stage (transcripts + artifacts).
|
|
--no-brain-sync Skip the gstack-brain-sync git pipeline stage.
|
|
--code-only Only run the code-import stage (alias for --no-memory --no-brain-sync).
|
|
--help This text.
|
|
|
|
Stages run in order: code → memory ingest → curated git push.
|
|
Each stage failure is non-fatal; subsequent stages still run.
|
|
`);
|
|
}
|
|
|
|
function parseArgs(): CliArgs {
|
|
const args = process.argv.slice(2);
|
|
let mode: Mode = "incremental";
|
|
let quiet = false;
|
|
let noCode = false;
|
|
let noMemory = false;
|
|
let noBrainSync = false;
|
|
let codeOnly = false;
|
|
|
|
for (let i = 0; i < args.length; i++) {
|
|
const a = args[i];
|
|
switch (a) {
|
|
case "--incremental": mode = "incremental"; break;
|
|
case "--full": mode = "full"; break;
|
|
case "--dry-run": mode = "dry-run"; break;
|
|
case "--quiet": quiet = true; break;
|
|
case "--no-code": noCode = true; break;
|
|
case "--no-memory": noMemory = true; break;
|
|
case "--no-brain-sync": noBrainSync = true; break;
|
|
case "--code-only":
|
|
codeOnly = true;
|
|
noMemory = true;
|
|
noBrainSync = true;
|
|
break;
|
|
case "--help":
|
|
case "-h":
|
|
printUsage();
|
|
process.exit(0);
|
|
default:
|
|
console.error(`Unknown argument: ${a}`);
|
|
printUsage();
|
|
process.exit(1);
|
|
}
|
|
}
|
|
|
|
return { mode, quiet, noCode, noMemory, noBrainSync, codeOnly };
|
|
}
|
|
|
|
// ── Helpers ────────────────────────────────────────────────────────────────
|
|
|
|
function repoRoot(): string | null {
|
|
try {
|
|
const out = execSync("git rev-parse --show-toplevel", { encoding: "utf-8", timeout: 2000 });
|
|
return out.trim();
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
function originUrl(): string | null {
|
|
try {
|
|
const out = execSync("git remote get-url origin", { encoding: "utf-8", timeout: 2000 });
|
|
return out.trim();
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Derive a host- and worktree-aware source id for the cwd code corpus.
|
|
*
|
|
* Pattern: `gstack-code-<slug>-<hostpathhash8>` where slug comes from origin
|
|
* (org/repo) and hostpathhash8 is the first 8 hex chars of
|
|
* sha1(`${hostname}::${absolute repo path}`). Folding hostname into the hash
|
|
* keeps Conductor worktrees of the same repo as distinct sources on one host
|
|
* AND keeps two machines that share an absolute layout (e.g. chezmoi-managed
|
|
* home dirs against a federated brain) from colliding on each other.
|
|
*
|
|
* Falls back to the repo basename when there is no origin (local repo).
|
|
*
|
|
* `GSTACK_HOSTNAME` env override is honored for deterministic tests; in
|
|
* production paths it is unset and `os.hostname()` is used.
|
|
*
|
|
* gbrain enforces source ids to be 1-32 lowercase alnum chars with
|
|
* optional interior hyphens. `constrainSourceId` handles the 32-char cap
|
|
* with a hashed-tail fallback when the combined slug exceeds budget.
|
|
*/
|
|
function deriveCodeSourceId(repoPath: string): string {
|
|
const host = process.env.GSTACK_HOSTNAME || hostname();
|
|
const hostPathHash = createHash("sha1").update(`${host}::${repoPath}`).digest("hex").slice(0, 8);
|
|
const remote = canonicalizeRemote(originUrl());
|
|
if (remote) {
|
|
const segs = remote.split("/").filter(Boolean);
|
|
const slugSource = segs.slice(-2).join("-");
|
|
const fullId = constrainSourceId("gstack-code", `${slugSource}-${hostPathHash}`);
|
|
// If the org+repo+hostpathhash fits cleanly (suffix preserved), use it.
|
|
if (fullId.endsWith(`-${hostPathHash}`)) return fullId;
|
|
// Otherwise drop the org prefix and retry with just repo+hostpathhash so
|
|
// the repo name stays readable. If that still doesn't fit,
|
|
// constrainSourceId falls back to a deterministic hash-only form.
|
|
const repoOnly = segs[segs.length - 1] || "repo";
|
|
return constrainSourceId("gstack-code", `${repoOnly}-${hostPathHash}`);
|
|
}
|
|
const base = repoPath.split("/").pop() || "repo";
|
|
return constrainSourceId("gstack-code", `${base}-${hostPathHash}`);
|
|
}
|
|
|
|
/**
|
|
* Pre-pathhash source id, kept for orphan detection only.
|
|
*
|
|
* Earlier /sync-gbrain versions registered `gstack-code-<slug>` (no pathhash
|
|
* suffix). On a multi-worktree repo, those collapsed onto a single source id
|
|
* with last-sync-wins semantics. The new path-keyed id leaves the legacy
|
|
* source orphaned in the brain — federated cross-source search would return
|
|
* stale duplicate hits. We remove the legacy id once, on the first new-format
|
|
* sync from any worktree of this repo, so users don't accumulate orphans.
|
|
*/
|
|
function deriveLegacyCodeSourceId(repoPath: string): string {
|
|
const remote = canonicalizeRemote(originUrl());
|
|
if (remote) {
|
|
const segs = remote.split("/").filter(Boolean);
|
|
const slugSource = segs.slice(-2).join("-");
|
|
return constrainSourceId("gstack-code", slugSource);
|
|
}
|
|
const base = repoPath.split("/").pop() || "repo";
|
|
return constrainSourceId("gstack-code", base);
|
|
}
|
|
|
|
/**
|
|
* Pre-#1468 path-only-hash source id, kept for hostname-fold migration only.
|
|
*
|
|
* Before the hostname fold, `deriveCodeSourceId` hashed only the absolute
|
|
* repo path: `gstack-code-<slug>-<sha1(path).slice(0,8)>`. After #1468 the
|
|
* hash key is `${hostname}::${path}`, so every existing user's brain has a
|
|
* legacy id that no longer matches what `deriveCodeSourceId` produces. We
|
|
* detect this form once, attempt rename-in-place if the gbrain CLI supports
|
|
* `sources rename`, and otherwise clean up after the new source successfully
|
|
* syncs. Distinct from `deriveLegacyCodeSourceId` (pre-pathhash v1.x form);
|
|
* both probes run.
|
|
*/
|
|
export function derivePathOnlyHashLegacyId(repoPath: string): string {
|
|
const pathHash = createHash("sha1").update(repoPath).digest("hex").slice(0, 8);
|
|
const remote = canonicalizeRemote(originUrl());
|
|
if (remote) {
|
|
const segs = remote.split("/").filter(Boolean);
|
|
const slugSource = segs.slice(-2).join("-");
|
|
return constrainSourceId("gstack-code", `${slugSource}-${pathHash}`);
|
|
}
|
|
const base = repoPath.split("/").pop() || "repo";
|
|
return constrainSourceId("gstack-code", `${base}-${pathHash}`);
|
|
}
|
|
|
|
/**
|
|
* Feature-check whether the installed gbrain CLI ships `sources rename <old> <new>`.
|
|
*
|
|
* Per the v1.40.0.0 design review: probing `gbrain sources rename --help` and
|
|
* matching for the exact argument shape catches the case where gbrain's
|
|
* `sources` parent help mentions a `rename` subcommand but the CLI doesn't
|
|
* accept the `<old> <new>` form (or vice versa). Cached for the lifetime
|
|
* of the process. As of gbrain 0.35.0.0 this command does not exist, so the
|
|
* function returns false and the migration path falls back to register-new
|
|
* + sync-OK + remove-old.
|
|
*/
|
|
let _gbrainSupportsRenameCache: boolean | null = null;
|
|
export function _resetGbrainSupportsRenameCache(): void {
|
|
_gbrainSupportsRenameCache = null;
|
|
}
|
|
function gbrainSupportsSourcesRename(env?: NodeJS.ProcessEnv): boolean {
|
|
if (_gbrainSupportsRenameCache !== null) return _gbrainSupportsRenameCache;
|
|
try {
|
|
const r = spawnGbrain(["sources", "rename", "--help"], {
|
|
timeout: 5_000,
|
|
baseEnv: env,
|
|
});
|
|
const out = `${r.stdout || ""}\n${r.stderr || ""}`;
|
|
// Match the exact argument shape: `rename <old> <new>` (with literal
|
|
// angle brackets in usage strings) or `rename OLD NEW`.
|
|
const exact = /sources\s+rename\s+<old>\s+<new>/i.test(out)
|
|
|| /sources\s+rename\s+OLD\s+NEW/.test(out)
|
|
|| /sources\s+rename\s+<oldId>\s+<newId>/i.test(out);
|
|
_gbrainSupportsRenameCache = exact && r.status === 0;
|
|
} catch {
|
|
_gbrainSupportsRenameCache = false;
|
|
}
|
|
return _gbrainSupportsRenameCache;
|
|
}
|
|
|
|
/**
|
|
* Look up a source's `local_path` from `gbrain sources list --json`.
|
|
* Returns null when the source is absent or the listing fails.
|
|
*
|
|
* `env` is the environment passed to the spawned `gbrain` process; defaults
|
|
* to `process.env`. Tests inject a PATH that points at a gbrain shim so the
|
|
* helper can be exercised without a real gbrain CLI.
|
|
*
|
|
* Shape note: `gbrain sources list --json` returns `{sources: [...]}` (v0.20+);
|
|
* older versions returned a flat array. Accept both for forward/backward compat
|
|
* (mirrors `probeSource`/`sourcePageCount` in lib/gbrain-sources.ts).
|
|
*/
|
|
export function sourceLocalPath(sourceId: string, env?: NodeJS.ProcessEnv): string | null {
|
|
const raw = execGbrainJson<unknown>(
|
|
["sources", "list", "--json"],
|
|
{ baseEnv: env },
|
|
);
|
|
if (!raw) return null;
|
|
const list: Array<{ id?: string; local_path?: string }> = Array.isArray(raw)
|
|
? (raw as Array<{ id?: string; local_path?: string }>)
|
|
: ((raw as { sources?: Array<{ id?: string; local_path?: string }> }).sources ?? []);
|
|
const found = list.find((s) => s.id === sourceId);
|
|
return found?.local_path ?? null;
|
|
}
|
|
|
|
/** Result of `planHostnameFoldMigration` — informs `runCodeImport` of next steps. */
|
|
export type HostnameFoldMigration =
|
|
| { kind: "none"; reason: "ids-match" | "no-legacy-source" }
|
|
| { kind: "skipped-path-drift"; oldId: string; oldPath: string; currentPath: string }
|
|
| { kind: "renamed"; oldId: string; newId: string }
|
|
| { kind: "pending-cleanup"; oldId: string };
|
|
|
|
/**
|
|
* Decide how to migrate from the pre-#1468 path-only-hash source id to the
|
|
* new hostname-fold id.
|
|
*
|
|
* Order:
|
|
* 1. If old == new → no-op.
|
|
* 2. Look up old source's local_path. Absent → no legacy source to migrate.
|
|
* 3. local_path != currentRoot → user moved the repo or two machines share a
|
|
* hash slot. Skip migration; let the user clean up manually. We will NOT
|
|
* rename or remove anything; the new source is registered alongside.
|
|
* 4. Otherwise: feature-check `gbrain sources rename`. If supported and the
|
|
* rename call exits 0 → renamed, pages preserved.
|
|
* 5. Else: pending-cleanup. Caller registers + syncs new source first; only
|
|
* after sync succeeds with a non-zero page count does it remove the old.
|
|
* This avoids a data-loss window where the old source is gone before the
|
|
* new one is verifiably populated.
|
|
*/
|
|
export function planHostnameFoldMigration(
|
|
currentRoot: string,
|
|
newSourceId: string,
|
|
legacyPathHashId: string,
|
|
env?: NodeJS.ProcessEnv,
|
|
): HostnameFoldMigration {
|
|
if (legacyPathHashId === newSourceId) {
|
|
return { kind: "none", reason: "ids-match" };
|
|
}
|
|
const oldPath = sourceLocalPath(legacyPathHashId, env);
|
|
if (oldPath === null) {
|
|
return { kind: "none", reason: "no-legacy-source" };
|
|
}
|
|
if (oldPath !== currentRoot) {
|
|
return {
|
|
kind: "skipped-path-drift",
|
|
oldId: legacyPathHashId,
|
|
oldPath,
|
|
currentPath: currentRoot,
|
|
};
|
|
}
|
|
if (gbrainSupportsSourcesRename(env)) {
|
|
const r = spawnGbrain(["sources", "rename", legacyPathHashId, newSourceId], { baseEnv: env });
|
|
if (r.status === 0) {
|
|
return { kind: "renamed", oldId: legacyPathHashId, newId: newSourceId };
|
|
}
|
|
// Rename failed at runtime — fall through to cleanup path.
|
|
}
|
|
return { kind: "pending-cleanup", oldId: legacyPathHashId };
|
|
}
|
|
|
|
/**
|
|
* Remove an orphaned source. Called only after new-source sync verifies pages
|
|
* exist, so the old source is provably redundant before deletion.
|
|
*
|
|
* Flag note: existing call sites used `--confirm-destructive` here and
|
|
* `--yes` in `lib/gbrain-sources.ts` — gbrain 0.35.0.0 accepts neither
|
|
* deterministically (the subcommand surface help is generic). We pass
|
|
* `--confirm-destructive` to match the existing call site convention; the
|
|
* flag-helper centralization in commit 4 (lib/gbrain-exec.ts) will resolve
|
|
* the inconsistency across the codebase.
|
|
*/
|
|
export function removeOrphanedSource(oldId: string, env?: NodeJS.ProcessEnv): boolean {
|
|
const r = spawnGbrain(["sources", "remove", oldId, "--confirm-destructive"], { baseEnv: env });
|
|
return r.status === 0;
|
|
}
|
|
|
|
/**
|
|
* Build a gbrain-valid source id (1-32 lowercase alnum + interior hyphens). Sanitizes
|
|
* `raw`, prefixes with `prefix`, and falls back to a hashed-tail form when total length
|
|
* would exceed 32 chars.
|
|
*
|
|
* Truncation cuts on hyphen boundaries (whole-word units) from the right, never
|
|
* mid-word. Inputs like "drummerms-av-sow-wiz-skill-270c0001" produce
|
|
* "${prefix}-270c0001-<hash>", not "${prefix}-kill-270c0001-<hash>".
|
|
*/
|
|
function constrainSourceId(prefix: string, raw: string): string {
|
|
const MAX = 32;
|
|
const slug = raw.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
|
|
// Empty slug after sanitize (e.g. raw was all non-alnum like "___") would
|
|
// produce "${prefix}-" which fails gbrain's validator on the trailing
|
|
// hyphen. Fall back to a deterministic hash of the original input so the
|
|
// result is stable across runs of the same repo.
|
|
if (!slug) {
|
|
const hash = createHash("sha1").update(raw || "_empty").digest("hex").slice(0, 6);
|
|
return `${prefix}-${hash}`;
|
|
}
|
|
const full = `${prefix}-${slug}`;
|
|
if (full.length <= MAX) return full;
|
|
const hash = createHash("sha1").update(slug).digest("hex").slice(0, 6);
|
|
// Total budget: prefix + "-" + tail + "-" + hash
|
|
const tailBudget = MAX - prefix.length - 2 - hash.length;
|
|
if (tailBudget < 1) return `${prefix}-${hash}`;
|
|
// Cut on hyphen boundaries instead of mid-word. Walk tokens from the right,
|
|
// accumulating until adding the next token would exceed tailBudget. This
|
|
// preserves readable suffixes (pathhash, repo name) and avoids embarrassing
|
|
// mid-word artifacts like "skill" → "kill".
|
|
const tokens = slug.split("-").filter(Boolean);
|
|
const kept: string[] = [];
|
|
let len = 0;
|
|
for (let i = tokens.length - 1; i >= 0; i--) {
|
|
const add = kept.length === 0 ? tokens[i].length : tokens[i].length + 1;
|
|
if (len + add > tailBudget) break;
|
|
kept.unshift(tokens[i]);
|
|
len += add;
|
|
}
|
|
const tail = kept.join("-");
|
|
return tail ? `${prefix}-${tail}-${hash}` : `${prefix}-${hash}`;
|
|
}
|
|
|
|
// ── Lock file (D1) ─────────────────────────────────────────────────────────
|
|
|
|
interface LockInfo {
|
|
pid: number;
|
|
started_at: string;
|
|
}
|
|
|
|
function acquireLock(): boolean {
|
|
mkdirSync(GSTACK_HOME, { recursive: true });
|
|
if (existsSync(LOCK_PATH)) {
|
|
// Check if stale.
|
|
try {
|
|
const stat = statSync(LOCK_PATH);
|
|
const ageMs = Date.now() - stat.mtimeMs;
|
|
if (ageMs > STALE_LOCK_MS) {
|
|
// Stale; take over.
|
|
unlinkSync(LOCK_PATH);
|
|
} else {
|
|
return false;
|
|
}
|
|
} catch {
|
|
// Cannot stat; bail conservatively.
|
|
return false;
|
|
}
|
|
}
|
|
const info: LockInfo = { pid: process.pid, started_at: new Date().toISOString() };
|
|
try {
|
|
writeFileSync(LOCK_PATH, JSON.stringify(info), { encoding: "utf-8", flag: "wx" });
|
|
return true;
|
|
} catch {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
function releaseLock(): void {
|
|
try {
|
|
if (!existsSync(LOCK_PATH)) return;
|
|
const raw = readFileSync(LOCK_PATH, "utf-8");
|
|
const info = JSON.parse(raw) as LockInfo;
|
|
if (info.pid === process.pid) {
|
|
unlinkSync(LOCK_PATH);
|
|
}
|
|
} catch {
|
|
// Best-effort cleanup.
|
|
}
|
|
}
|
|
|
|
// ── Stage runners ──────────────────────────────────────────────────────────
|
|
|
|
/**
|
|
* Build a SKIP result for the code/memory stage when the local engine is
|
|
* not in 'ok' state (per plan D12). Surface the status verbatim so the
|
|
* verdict block tells the user exactly what's wrong without re-probing.
|
|
*
|
|
* Reasons mapped to user-actionable summaries:
|
|
* no-cli → "gbrain CLI not on PATH; install via /setup-gbrain"
|
|
* missing-config → "no local engine; run /setup-gbrain to add local PGLite"
|
|
* broken-config → "config file at ~/.gbrain/config.json is malformed; see /setup-gbrain Step 1.5"
|
|
* broken-db → "config points at unreachable DB; see /setup-gbrain Step 1.5"
|
|
*/
|
|
function skipStageForLocalStatus(
|
|
stage: "code" | "memory",
|
|
status: LocalEngineStatus,
|
|
t0: number,
|
|
): StageResult {
|
|
const reasons: Record<Exclude<LocalEngineStatus, "ok">, string> = {
|
|
"no-cli": "gbrain CLI not on PATH; install via /setup-gbrain",
|
|
"missing-config":
|
|
"no local engine; run /setup-gbrain to add local PGLite for code search",
|
|
"broken-config":
|
|
"config at ~/.gbrain/config.json is malformed; see /setup-gbrain Step 1.5",
|
|
"broken-db":
|
|
"config points at unreachable DB; see /setup-gbrain Step 1.5",
|
|
};
|
|
const reason = reasons[status as Exclude<LocalEngineStatus, "ok">];
|
|
return {
|
|
name: stage,
|
|
ran: false,
|
|
ok: true, // SKIP (per D12) — not a stage failure, just an unsatisfied prerequisite
|
|
duration_ms: Date.now() - t0,
|
|
summary: `skipped — local engine ${status} — ${reason}`,
|
|
};
|
|
}
|
|
|
|
|
|
async function runCodeImport(args: CliArgs): Promise<StageResult> {
|
|
const t0 = Date.now();
|
|
const root = repoRoot();
|
|
if (!root) {
|
|
return { name: "code", ran: false, ok: true, duration_ms: 0, summary: "skipped (not in git repo)" };
|
|
}
|
|
|
|
const sourceId = deriveCodeSourceId(root);
|
|
|
|
// dry-run preview always shows the would-do steps, regardless of local
|
|
// engine state. Useful for "what would /sync-gbrain do" without probing
|
|
// the engine.
|
|
if (args.mode === "dry-run") {
|
|
return {
|
|
name: "code",
|
|
ran: false,
|
|
ok: true,
|
|
duration_ms: 0,
|
|
summary: `would: gbrain sources add ${sourceId} --path ${root} --federated; gbrain sync --strategy code --source ${sourceId}; gbrain sources attach ${sourceId}`,
|
|
detail: { source_id: sourceId, source_path: root, status: "skipped" },
|
|
};
|
|
}
|
|
|
|
// Split-engine pre-flight (per plan D12): when local engine is not ok, SKIP
|
|
// code stage cleanly. Brain-sync stage still runs because it doesn't depend
|
|
// on local engine. The /sync-gbrain Step 1.5 pre-flight surfaces the user
|
|
// remediation message; this skip just keeps the orchestrator from crashing
|
|
// when the local DB is dead. Skipped on --dry-run (above) since dry-run
|
|
// never actually probes anything.
|
|
const localStatus = localEngineStatus({ noCache: false });
|
|
if (localStatus !== "ok") {
|
|
return skipStageForLocalStatus("code", localStatus, t0);
|
|
}
|
|
|
|
// Step 0a: Best-effort cleanup of pre-pathhash legacy source (v1.x form).
|
|
// Earlier /sync-gbrain versions registered `gstack-code-<slug>` (no path
|
|
// suffix). On a multi-worktree repo, those collapsed onto a single id
|
|
// with last-sync-wins. Federated search would return stale duplicate
|
|
// hits forever if we left the orphan in place. Remove the legacy id once
|
|
// here so users don't accumulate orphans.
|
|
// Failure is non-fatal — we still register the new id below.
|
|
// gbrainEnv seeds DATABASE_URL from gbrain's config so this stage works
|
|
// inside Next.js / Prisma / Rails projects with their own .env.local
|
|
// (codex review #7 — bug fix is wider than #1508 as filed).
|
|
const gbrainEnv = buildGbrainEnv({ announce: !args.quiet });
|
|
const legacyId = deriveLegacyCodeSourceId(root);
|
|
let legacyRemoved = false;
|
|
if (legacyId !== sourceId) {
|
|
const rm = spawnGbrain(["sources", "remove", legacyId, "--confirm-destructive"], {
|
|
timeout: 30_000,
|
|
baseEnv: gbrainEnv,
|
|
});
|
|
// Treat absent-source as success (clean state). gbrain emits "not found" on
|
|
// missing id; treat any non-zero exit without "not found" as a soft fail.
|
|
if (rm.status === 0) legacyRemoved = true;
|
|
}
|
|
|
|
// Step 0b: Hostname-fold migration (#1414).
|
|
// Before #1468 the source id hashed only the absolute repo path. After the
|
|
// hostname fold, every existing user has a legacy id that no longer matches
|
|
// what deriveCodeSourceId produces. Try rename-in-place first (preserves
|
|
// pages); fall back to register-new → sync-OK → remove-old. Path-drift
|
|
// (user moved the repo, etc.) skips migration with a warning.
|
|
const pathOnlyHashLegacyId = derivePathOnlyHashLegacyId(root);
|
|
const migration = planHostnameFoldMigration(root, sourceId, pathOnlyHashLegacyId, gbrainEnv);
|
|
if (migration.kind === "skipped-path-drift" && !args.quiet) {
|
|
console.error(
|
|
`[sync:code] hostname-fold migration skipped: legacy source ${migration.oldId} `
|
|
+ `points at ${migration.oldPath}, current repo is ${migration.currentPath}. `
|
|
+ `Clean up manually with: gbrain sources remove ${migration.oldId} --confirm-destructive`,
|
|
);
|
|
} else if (migration.kind === "renamed" && !args.quiet) {
|
|
console.error(`[sync:code] hostname-fold migration: renamed ${migration.oldId} → ${migration.newId} (pages preserved)`);
|
|
}
|
|
|
|
// Step 1: Ensure source registered (idempotent). Single source of truth in lib —
|
|
// no synchronous duplicate here (per /codex review #12).
|
|
let registered = false;
|
|
try {
|
|
const result = await ensureSourceRegistered(sourceId, root, { federated: true, env: gbrainEnv });
|
|
registered = result.changed;
|
|
} catch (err) {
|
|
return {
|
|
name: "code",
|
|
ran: true,
|
|
ok: false,
|
|
duration_ms: Date.now() - t0,
|
|
summary: `source registration failed: ${(err as Error).message}`,
|
|
detail: { source_id: sourceId, source_path: root, status: "failed" },
|
|
};
|
|
}
|
|
|
|
// Step 2: Run sync or reindex.
|
|
const syncArgs = args.mode === "full"
|
|
? ["reindex-code", "--source", sourceId, "--yes"]
|
|
: ["sync", "--strategy", "code", "--source", sourceId];
|
|
|
|
const syncResult = spawnGbrain(syncArgs, {
|
|
stdio: args.quiet ? ["ignore", "ignore", "ignore"] : ["ignore", "inherit", "inherit"],
|
|
timeout: 35 * 60 * 1000,
|
|
baseEnv: gbrainEnv,
|
|
});
|
|
|
|
if (syncResult.status !== 0) {
|
|
return {
|
|
name: "code",
|
|
ran: true,
|
|
ok: false,
|
|
duration_ms: Date.now() - t0,
|
|
summary: `gbrain ${syncArgs.join(" ")} exited ${syncResult.status}`,
|
|
detail: { source_id: sourceId, source_path: root, status: "failed" },
|
|
};
|
|
}
|
|
|
|
// Step 3: Pin this worktree's CWD to the source via .gbrain-source. Subsequent
|
|
// gbrain code-def / code-refs / code-callers calls from anywhere under <root>
|
|
// route to this source by default — no --source flag needed.
|
|
//
|
|
// If attach fails the whole flow has a silent correctness problem: sync
|
|
// succeeded but unqualified `gbrain code-def` from this worktree will hit
|
|
// the wrong/default source. Treat it as a stage failure (ok=false) so the
|
|
// verdict block surfaces ERR and the user knows to retry rather than
|
|
// trusting stale results.
|
|
const attach = spawnGbrain(["sources", "attach", sourceId], {
|
|
timeout: 10_000,
|
|
cwd: root,
|
|
baseEnv: gbrainEnv,
|
|
});
|
|
const pageCount = sourcePageCount(sourceId, gbrainEnv);
|
|
|
|
// Step 4: Deferred hostname-fold cleanup.
|
|
// Only remove the pre-#1468 path-only-hash source NOW that the new source
|
|
// has registered + synced + has pages. Removing before sync would create a
|
|
// data-loss window if sync failed; removing without a page-count check would
|
|
// wipe pages when sync silently no-op'd. This is the codex-review-flagged
|
|
// safety: register → sync → verify → THEN delete.
|
|
let hostnameLegacyRemoved = false;
|
|
if (migration.kind === "pending-cleanup" && pageCount !== null && pageCount > 0) {
|
|
hostnameLegacyRemoved = removeOrphanedSource(migration.oldId, gbrainEnv);
|
|
if (hostnameLegacyRemoved && !args.quiet) {
|
|
console.error(`[sync:code] hostname-fold migration: removed legacy ${migration.oldId} after new source sync verified (page_count=${pageCount})`);
|
|
}
|
|
}
|
|
|
|
const legacyParts: string[] = [];
|
|
if (legacyRemoved) legacyParts.push(`removed legacy ${legacyId}`);
|
|
if (migration.kind === "renamed") legacyParts.push(`renamed ${migration.oldId}→${migration.newId}`);
|
|
if (hostnameLegacyRemoved) legacyParts.push(`removed pre-hostname-fold ${migration.kind === "pending-cleanup" ? migration.oldId : ""}`);
|
|
const legacyNote = legacyParts.length > 0 ? `, ${legacyParts.join(", ")}` : "";
|
|
const baseSummary = `${registered ? "registered + " : ""}synced ${sourceId} (page_count=${pageCount ?? "unknown"}${legacyNote})`;
|
|
|
|
if (attach.status !== 0) {
|
|
const reason = (attach.stderr || attach.stdout || "").trim().split("\n").pop() || `exit ${attach.status}`;
|
|
return {
|
|
name: "code",
|
|
ran: true,
|
|
ok: false,
|
|
duration_ms: Date.now() - t0,
|
|
summary: `${baseSummary}; attach FAILED (${reason}) — code-def queries from this worktree will hit the default source until /sync-gbrain succeeds`,
|
|
detail: {
|
|
source_id: sourceId,
|
|
source_path: root,
|
|
page_count: pageCount,
|
|
last_imported: new Date().toISOString(),
|
|
status: "failed",
|
|
},
|
|
};
|
|
}
|
|
|
|
// v1.29.0.0 changelog promised the per-worktree pin would be ignored in the
|
|
// consuming repo, but the change actually only added .gbrain-source to
|
|
// gstack's own .gitignore. Without the consumer-side entry, the pin gets
|
|
// committed and breaks the per-worktree promise: Conductor sibling worktrees
|
|
// step on each other's pin every time anyone commits (#1384).
|
|
ensureGbrainSourceGitignored(root);
|
|
|
|
return {
|
|
name: "code",
|
|
ran: true,
|
|
ok: true,
|
|
duration_ms: Date.now() - t0,
|
|
summary: baseSummary,
|
|
detail: {
|
|
source_id: sourceId,
|
|
source_path: root,
|
|
page_count: pageCount,
|
|
last_imported: new Date().toISOString(),
|
|
status: "ok",
|
|
},
|
|
};
|
|
}
|
|
|
|
/**
|
|
* Ensure `.gbrain-source` is listed in the consumer repo's `.gitignore`.
|
|
*
|
|
* Idempotent: only appends when the entry is not already present (matched on
|
|
* trimmed lines so a leading/trailing whitespace difference doesn't add a
|
|
* second copy). Wraps writes in try/catch so a read-only checkout or weird
|
|
* perms logs a warning and lets the rest of the sync continue.
|
|
*/
|
|
export function ensureGbrainSourceGitignored(root: string): void {
|
|
const gitignorePath = join(root, ".gitignore");
|
|
try {
|
|
let existing = "";
|
|
try {
|
|
existing = readFileSync(gitignorePath, "utf-8");
|
|
} catch {
|
|
// No .gitignore yet — we'll create it.
|
|
}
|
|
const alreadyIgnored = existing
|
|
.split("\n")
|
|
.some((line) => line.trim() === ".gbrain-source");
|
|
if (alreadyIgnored) {
|
|
return;
|
|
}
|
|
const sep = existing.length > 0 && !existing.endsWith("\n") ? "\n" : "";
|
|
writeFileSync(gitignorePath, existing + sep + ".gbrain-source\n");
|
|
} catch (err) {
|
|
const msg = err instanceof Error ? err.message : String(err);
|
|
console.warn(
|
|
`[sync:code] could not add .gbrain-source to ${gitignorePath}: ${msg}`,
|
|
);
|
|
}
|
|
}
|
|
|
|
function runMemoryIngest(args: CliArgs): StageResult {
|
|
const t0 = Date.now();
|
|
|
|
if (args.mode === "dry-run") {
|
|
return { name: "memory", ran: false, ok: true, duration_ms: 0, summary: "would: gstack-memory-ingest --probe" };
|
|
}
|
|
|
|
// Split-engine pre-flight (per plan D12). gstack-memory-ingest shells out
|
|
// to `gbrain import` which targets the LOCAL engine. When that engine is
|
|
// not ok, SKIP cleanly so brain-sync (the only stage that doesn't depend
|
|
// on local engine) still runs.
|
|
const localStatus = localEngineStatus({ noCache: false });
|
|
if (localStatus !== "ok") {
|
|
return skipStageForLocalStatus("memory", localStatus, t0);
|
|
}
|
|
|
|
const ingestPath = join(import.meta.dir, "gstack-memory-ingest.ts");
|
|
const ingestArgs = ["run", ingestPath];
|
|
if (args.mode === "full") ingestArgs.push("--bulk");
|
|
else ingestArgs.push("--incremental");
|
|
if (args.quiet) ingestArgs.push("--quiet");
|
|
|
|
// Thread the seeded env into the bun grandchild (codex review #7 — the
|
|
// .env.local footgun affects gstack-memory-ingest.ts too, not just the
|
|
// direct gbrain spawns in this file). The grandchild calls gbrain import
|
|
// internally and must see the DATABASE_URL from gbrain's own config.
|
|
const result = spawnSync("bun", ingestArgs, {
|
|
encoding: "utf-8",
|
|
timeout: 35 * 60 * 1000,
|
|
env: buildGbrainEnv({ announce: false }),
|
|
});
|
|
|
|
// D6: parse [memory-ingest] lines from the child's stderr. ERR-prefixed
|
|
// lines indicate a system-level failure (gbrain crashed or CLI missing)
|
|
// and the child exits non-zero. Per-file failures are summarized in the
|
|
// last non-ERR [memory-ingest] line but do NOT make the verdict ERR.
|
|
const stderrLines = (result.stderr || "").split("\n");
|
|
const memLines = stderrLines.filter((l) => l.includes("[memory-ingest]"));
|
|
const errLine = memLines.find((l) => l.includes("[memory-ingest] ERR"));
|
|
const lastMemLine = memLines.slice(-1)[0];
|
|
const rawSummary = errLine || lastMemLine || "ingest pass complete";
|
|
// Strip the "[memory-ingest] " prefix and any leading "ERR: " for cleaner
|
|
// verdict output. The orchestrator's own formatStage will prefix with OK/ERR.
|
|
const summary = rawSummary
|
|
.replace(/^.*\[memory-ingest\]\s*/, "")
|
|
.replace(/^ERR:\s*/, "");
|
|
|
|
const ok = result.status === 0;
|
|
return {
|
|
name: "memory",
|
|
ran: true,
|
|
ok,
|
|
duration_ms: Date.now() - t0,
|
|
summary: ok
|
|
? summary
|
|
: `${summary}${result.status === null ? " (killed by signal / timeout)" : ` (exit ${result.status})`}`,
|
|
};
|
|
}
|
|
|
|
function runBrainSyncPush(args: CliArgs): StageResult {
|
|
const t0 = Date.now();
|
|
|
|
if (args.mode === "dry-run") {
|
|
return { name: "brain-sync", ran: false, ok: true, duration_ms: 0, summary: "would: gstack-brain-sync --discover-new --once" };
|
|
}
|
|
|
|
const brainSyncPath = join(import.meta.dir, "gstack-brain-sync");
|
|
if (!existsSync(brainSyncPath)) {
|
|
return { name: "brain-sync", ran: false, ok: true, duration_ms: 0, summary: "skipped (gstack-brain-sync not installed)" };
|
|
}
|
|
|
|
spawnSync(brainSyncPath, ["--discover-new"], {
|
|
stdio: args.quiet ? ["ignore", "ignore", "ignore"] : ["ignore", "inherit", "inherit"],
|
|
timeout: 60 * 1000,
|
|
});
|
|
const result = spawnSync(brainSyncPath, ["--once"], {
|
|
stdio: args.quiet ? ["ignore", "ignore", "ignore"] : ["ignore", "inherit", "inherit"],
|
|
timeout: 60 * 1000,
|
|
});
|
|
|
|
return {
|
|
name: "brain-sync",
|
|
ran: true,
|
|
ok: result.status === 0,
|
|
duration_ms: Date.now() - t0,
|
|
summary: result.status === 0 ? "curated artifacts pushed" : `gstack-brain-sync exited ${result.status}`,
|
|
};
|
|
}
|
|
|
|
// ── State file ─────────────────────────────────────────────────────────────
|
|
|
|
interface SyncState {
|
|
schema_version: 1;
|
|
last_writer: string;
|
|
last_sync?: string;
|
|
last_full_sync?: string;
|
|
last_stages?: StageResult[];
|
|
}
|
|
|
|
function loadSyncState(): SyncState {
|
|
if (!existsSync(STATE_PATH)) {
|
|
return { schema_version: 1, last_writer: "gstack-gbrain-sync" };
|
|
}
|
|
try {
|
|
const raw = JSON.parse(readFileSync(STATE_PATH, "utf-8")) as SyncState;
|
|
if (raw.schema_version === 1) return raw;
|
|
} catch {
|
|
// fall through
|
|
}
|
|
return { schema_version: 1, last_writer: "gstack-gbrain-sync" };
|
|
}
|
|
|
|
/**
|
|
* Atomic state file write per /plan-eng-review D1: write tmp file then rename.
|
|
* rename(2) is atomic on POSIX filesystems.
|
|
*/
|
|
function saveSyncState(state: SyncState): void {
|
|
try {
|
|
mkdirSync(dirname(STATE_PATH), { recursive: true });
|
|
const tmp = `${STATE_PATH}.tmp.${process.pid}`;
|
|
writeFileSync(tmp, JSON.stringify(state, null, 2), "utf-8");
|
|
renameSync(tmp, STATE_PATH);
|
|
} catch {
|
|
// non-fatal
|
|
}
|
|
}
|
|
|
|
// ── Output ─────────────────────────────────────────────────────────────────
|
|
|
|
function formatStage(s: StageResult): string {
|
|
const status = !s.ran ? "SKIP" : s.ok ? "OK" : "ERR";
|
|
const dur = s.duration_ms > 0 ? ` (${(s.duration_ms / 1000).toFixed(1)}s)` : "";
|
|
return ` ${status.padEnd(5)} ${s.name.padEnd(12)} ${s.summary}${dur}`;
|
|
}
|
|
|
|
// ── Main ───────────────────────────────────────────────────────────────────
|
|
|
|
async function main(): Promise<void> {
|
|
const args = parseArgs();
|
|
|
|
if (!args.quiet) {
|
|
const engine = detectEngineTier();
|
|
console.error(`[gbrain-sync] mode=${args.mode} engine=${engine.engine}`);
|
|
}
|
|
|
|
// Acquire lock (skip on dry-run since dry-run never writes).
|
|
const needsLock = args.mode !== "dry-run";
|
|
let haveLock = false;
|
|
if (needsLock) {
|
|
haveLock = acquireLock();
|
|
if (!haveLock) {
|
|
console.error(
|
|
`[gbrain-sync] another /sync-gbrain is running (lock at ${LOCK_PATH}). ` +
|
|
`If that process died, the lock auto-clears after 5 min, or remove it manually.`
|
|
);
|
|
process.exit(2);
|
|
}
|
|
}
|
|
|
|
const cleanup = () => {
|
|
if (haveLock) releaseLock();
|
|
};
|
|
process.on("SIGINT", () => { cleanup(); process.exit(130); });
|
|
process.on("SIGTERM", () => { cleanup(); process.exit(143); });
|
|
|
|
let exitCode = 0;
|
|
try {
|
|
const state = loadSyncState();
|
|
const stages: StageResult[] = [];
|
|
|
|
if (!args.noCode) {
|
|
stages.push(await withErrorContext("sync:code", () => runCodeImport(args), "gstack-gbrain-sync"));
|
|
}
|
|
if (!args.noMemory) {
|
|
stages.push(await withErrorContext("sync:memory", () => runMemoryIngest(args), "gstack-gbrain-sync"));
|
|
}
|
|
if (!args.noBrainSync) {
|
|
stages.push(await withErrorContext("sync:brain-sync", () => runBrainSyncPush(args), "gstack-gbrain-sync"));
|
|
}
|
|
|
|
if (args.mode !== "dry-run") {
|
|
state.last_sync = new Date().toISOString();
|
|
if (args.mode === "full") state.last_full_sync = state.last_sync;
|
|
state.last_stages = stages;
|
|
saveSyncState(state);
|
|
}
|
|
|
|
if (!args.quiet || args.mode === "dry-run") {
|
|
console.log(`\ngstack-gbrain-sync (${args.mode}):`);
|
|
for (const s of stages) console.log(formatStage(s));
|
|
const okCount = stages.filter((s) => s.ok).length;
|
|
const errCount = stages.filter((s) => !s.ok && s.ran).length;
|
|
console.log(`\n ${okCount} ok, ${errCount} error, ${stages.length - okCount - errCount} skipped`);
|
|
}
|
|
|
|
const anyError = stages.some((s) => s.ran && !s.ok);
|
|
exitCode = anyError ? 1 : 0;
|
|
} finally {
|
|
cleanup();
|
|
}
|
|
|
|
process.exit(exitCode);
|
|
}
|
|
|
|
if (import.meta.main) {
|
|
main().catch((err) => {
|
|
console.error(`gstack-gbrain-sync fatal: ${err instanceof Error ? err.message : String(err)}`);
|
|
releaseLock();
|
|
process.exit(1);
|
|
});
|
|
}
|