Commit Graph

664 Commits

  • test: cover error/fallback branches for codex-worktree + opencode adapters
    Lift global branch coverage past the 80% gate (was 79.53%). Adds error
    and fallback path tests: missing-session/unknown-id throws, findRolloutById/
    findSessionInfoById, direct file targets, objective truncation, model
    fallbacks, corrupt-line skip, mtime activity fallback, and the real
    resolveGitBranch path outside a repo.
    
    codex-worktree.js branch 52.8%->78.3%; global branch 80.04%.
  • feat: add opencode session adapter + allow empty intent objective
    Adds the fourth session adapter (after dmux-tmux, claude-history,
    codex-worktree), normalizing OpenCode sessions into ecc.session.v1.
    
    Reads ~/.local/share/opencode/storage: session/<project>/ses_*.json
    for metadata (id, directory, title, version, projectID, time) and
    message/<session>/msg_*.json to extract the model (modelID/providerID
    from the first assistant message). Derives objective from the session
    title, treating the auto-generated "New session - <date>" title as no
    objective. Recency-based active/recorded state.
    
    Schema: relax intent.objective from non-empty to allow empty string
    (ensureStringAllowEmpty). Sessions legitimately have no objective yet
    (fresh/auto-titled), and claude-history already emitted "" via
    metadata.title fallback. This fixes a latent over-strict validation.
    
    - scripts/lib/session-adapters/opencode.js: adapter + storage parser
    - canonical-session.js: normalizeOpencodeSession + ensureStringAllowEmpty
    - registry.js: register adapter + opencode target type
    - tests/lib/session-adapters-opencode.test.js: 5 tests
    
    Tests: opencode 5/0, codex 4/0, session-adapters 14/0,
    control-pane-state 10/0, session-inspect 8/0, control-pane 12/0.
    Smoke-tested on a real OpenCode session (140 messages, gpt-5.3-codex).
  • feat: add codex-worktree session adapter
    Adds the third session adapter (after dmux-tmux and claude-history),
    normalizing Codex rollout sessions into the harness-neutral
    ecc.session.v1 snapshot. Reads ~/.codex/sessions rollout JSONL,
    derives objective (skipping the AGENTS.md preamble + leading message
    UUID), model, originator, worktree cwd, and best-effort git branch.
    
    This is step 1 of ECC-2.0-SESSION-ADAPTER-DISCOVERY (move the
    abstraction beyond tmux + Claude-history) and supports the
    wrap/adapt control-pane strategy: ECC reads sessions from any
    harness rather than owning one UX.
    
    - scripts/lib/session-adapters/codex-worktree.js: adapter + rollout parser
    - canonical-session.js: normalizeCodexWorktreeSession
    - registry.js: register adapter, codex/codex-worktree target types
    - tests/lib/session-adapters-codex.test.js: 4 tests (unit + registry routing)
  • feat: add dynamic workflow team orchestration surface
    Adds dynamic workflow/team orchestration skills, the content pack, and control-pane work-item/Kanban state DB support. Includes reviewer hardening for state-db CLI validation, optional state DB failure handling, and mergeStateStatus projection.
  • feat: add ECC2 local control pane (#2131)
    * feat: add ECC2 local control pane
    
    * fix: refresh control pane package locks
    
    * test: harden control pane coverage
    
    * test: allow portable control pane shutdown
    
    * test: retry local control pane fetches
    
    * fix: harden control pane error handling
    
    * fix: wrap control pane metadata
  • docs(i18n): add German localization scout (#2029)
    Adds de-DE docs, installer wiring, and locale tests. Pre-validated on current main with install manifest checks, markdownlint, locale-install tests, and ECC 2.0 release-surface tests.
  • fix(hooks): prefer fresh harness cost cache (#2054)
    Uses a fresh harness cost cache when available and keeps transcript pricing as the fallback. Focused cost-tracker tests passed locally before merge.
  • fix(install-targets): validate compiled OpenCode plugin before install (#2041)
    Fail fast when the OpenCode home install is attempted from a source checkout without the compiled .opencode/dist payload. PR had the full CI matrix green.
  • Sync Marketplace Pro readback release gate (#2019)
    * docs: sync marketplace pro readback gate
    
    * docs: refresh operator dashboard after readback sync
    
    * docs: sanitize marketplace readback summary
    
    * docs: refresh operator dashboard after marketplace readback
  • test(install-targets): add positive rules assertion to claude-project foreign-path test
    Addresses CodeRabbit review: the negative-only assertions could have
    passed on an empty plan. Add a positive assertion that the non-foreign
    'rules' path is still planned under .claude/rules/ecc so regression to
    zero ops would fail loudly.
  • feat(install-targets): add claude-project (per-project Claude Code) adapter
    Completes the install-target matrix for Claude Code. Until now, ECC's
    Claude support was home-scope only (~/.claude/) via the `claude` target.
    This adds a project-scope counterpart (./.claude/) via a new
    `claude-project` target so teams can install ECC per-repo without
    contaminating ~/.claude/ — matching the existing project-scope adapters
    for Cursor, Antigravity, Gemini, CodeBuddy, Joycode, and Zed.
    
    Symmetric with `claude`:
    - Same namespace under rules/ecc and skills/ecc
    - Same docs/<locale> handling for --locale
    - Same hooks placeholder substitution for hooks.json
    - Reuses claude-home's destination-mapping logic 1:1
    
    Use cases:
    - Monorepos with multiple Flow-managed projects
    - Teams that want ECC scoped per-project without touching ~/.claude/
    - Per-project skill/rule isolation when global install isn't desirable
    
    No breaking change: existing --target claude continues to route to
    claude-home (user-scope) unchanged. New target is opt-in.
    
    Tests
    -----
    - 4 new tests in tests/lib/install-targets.test.js
      (root resolution, lookup-by-id, plan parity with claude, foreign-path filtering)
    - All install-target regression guards (schema enum / SUPPORTED_INSTALL_TARGETS)
      still pass
    - End-to-end smoke: `--target claude-project --profile minimal --dry-run`
      emits 359 ops with destinations rooted at <projectRoot>/.claude/ (parity
      with --target claude which emits 359 ops rooted at ~/.claude/)
  • feat: extend harness audit integration scoring (#1990)
    Salvages the useful harness-audit scoring work from #1989 while preserving the current hook registry and newer plugin install detection. Adds GitHub integration checks, conditional deploy-provider categories, dynamic applicable category metadata, and CODEOWNERS coverage.
  • docs: define ECC 2.0 hypergrowth release lane
    Refresh the active 2.0 release surface for the affaan-m/ECC repo identity, update package/plugin/workflow launch metadata, and add an operator command center for release video, partner, sponsor, consulting, and social launch execution.
  • fix(hooks): avoid escaped quotes in plugin bootstrap
    Generate the inline hook root resolver with single-quoted JavaScript literals so Windows Git Bash does not choke on nested escaped double quotes before Node starts. Refresh hooks.json and add regression coverage for parsed hook commands and installed hook manifests.
  • test(lib): make concurrent-write test actually concurrent + use regex matcher for assert.throws
    Two round-1 review findings in `tests/lib/session-bridge.test.js`,
    both about test correctness rather than the underlying fix:
    
    1. **greptile P1 + coderabbitai Major + cubic P2 (all three): concurrent-write test ran sequentially.**
    
       The test spawned two child processes with two consecutive
       `spawnSync` calls. Because `spawnSync` blocks until the child
       exits, the second writer started *after* the first finished —
       the two writers never overlapped, so the rename race the fix
       targets was never actually exercised. The test would have passed
       with the old broken `${target}.tmp` suffix.
    
       Fix: introduce a one-off "race runner" helper that runs inside
       its own subprocess and uses async `spawn` to start both writers
       simultaneously. The runner waits for both to exit (the event
       loop is local to the runner subprocess, so this stays compatible
       with the synchronous test harness used elsewhere in this file)
       and reports both exit codes plus stderrs on stdout. The test
       then calls the runner via `spawnSync` and parses the result.
       Both writer children now overlap for the duration of their 200
       `writeBridgeAtomic` calls each, which is enough wall time to
       reliably trigger the rename race against the pre-fix code.
    
       Verified: with the fixed `${target}.${pid}.${nonce}.tmp` suffix,
       the test passes; with the old fixed `${target}.tmp` suffix
       reintroduced, it fails as expected (one writer hits ENOENT on
       roughly half its rename calls).
    
    2. **greptile P2 + cubic P3: `assert.throws` used a string as the second argument.**
    
       Node deprecated passing a string as the second argument to
       `assert.throws` years ago: the string is silently treated as
       the assertion failure message (what to print when the function
       does *not* throw) rather than as an error matcher. The check
       passed for any thrown error, not just the rename failure.
    
       Fix: pass a regex matcher as the second arg and keep the
       explanatory text as the third. The regex matches `EISDIR`,
       `EPERM`, `ENOTDIR`, or `ENOENT` because `renameSync` of a
       regular tmp file onto an existing directory raises different
       codes on Linux / macOS / BSD — making the matcher portable
       across CI runners.
    
    Test count unchanged at 14; `npm test` green; `npm run lint` clean.
    
    The two helper files (`tests/__tmp_bridge_writer.js`,
    `tests/__tmp_bridge_race_runner.js`) are written and unlinked
    inside the test's try/finally so they never persist beyond the
    test run.
  • test(lib): concurrent writeBridgeAtomic + tmp-cleanup regression
    Two regression tests pin down the previous two commits' atomic-rename
    fixes:
    
    1. **concurrent writes don't throw ENOENT or corrupt the file** —
       spawns two child Node processes (`tests/__tmp_bridge_writer.js`
       created in-test, cleaned up in finally) that each call
       `writeBridgeAtomic(sid, …)` 200 times against the same session
       ID with independent payloads. Asserts both subprocesses exit 0
       (the previous implementation produced ENOENT on roughly 50% of
       rename calls, all swallowed by the in-test catch) and the final
       bridge file is parseable JSON belonging to one of the two writers
       (last-writer-wins is fine; the contract is *no corruption* and
       *no rename ENOENT*, not data preservation).
    
    2. **tmp file cleanup on rename failure** — pre-creates a directory
       at the target bridge path so `renameSync(tmp, target)` fails,
       calls `writeBridgeAtomic`, asserts the call throws AND that no
       tmp file with the writer's `pid.<nonce>.tmp` prefix is left
       behind in `os.tmpdir()`. The previous code had no cleanup; the
       fix's `try/catch + unlinkSync` keeps tmpdir from accumulating
       orphan files across repeated rename failures.
    
    The first test deliberately writes independent payloads from each
    subprocess so this regression doesn't try to claim a property the
    fix doesn't actually deliver (read-modify-write race in the caller
    is a separate issue and out of scope per PR body).
    
    Test count: 12 → 14 in `tests/lib/session-bridge.test.js`;
    `npm test` green; `npm run lint` clean.
  • test(ci): regression coverage for newly-covered invisible code points
    9 new test cases pin down the two previous commits' denylist
    extensions. Each verifies both detection (validator exit non-zero +
    the expected `dangerous-invisible U+<HEX>` line on stderr) and,
    where applicable, `--write` sanitization.
    
    Coverage:
    
    Tag block (commit 1):
    - U+E0041 TAG LATIN CAPITAL LETTER A — the range's printable ASCII
      shadow; this is the byte sequence demonstrated in published ASCII
      smuggling proofs of concept.
    - U+E007F CANCEL TAG — the range end.
    
    Other invisibles (commit 2):
    - U+180E MONGOLIAN VOWEL SEPARATOR
    - U+115F HANGUL CHOSEONG FILLER
    - U+1160 HANGUL JUNGSEONG FILLER
    - U+2061 FUNCTION APPLICATION (range start)
    - U+2064 INVISIBLE PLUS (range end)
    - U+3164 HANGUL FILLER
    
    Detection table is data-driven (one loop, one assertion per row) so
    adding the next invisible to the denylist also gets a paired
    regression test by simply appending to NEWLY_COVERED_RANGES.
    
    Plus a `--write` integration test:
    - writes a markdown file containing both Tag block (5 chars) and
      U+180E, runs `--write`, asserts both removed and surrounding text
      preserved character-for-character ('# Title\n\nBenigntext.\n').
    - re-runs the validator without `--write` and asserts exit 0,
      confirming the sanitizer's output is idempotent under the
      extended denylist.
    
    Test count: 5 → 14 in this file; full `yarn test` green; `yarn lint`
    clean.