UNPKG

aiwg

Version:

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

aiwg.io

jmagly/aiwg

271 lines 12 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
/** * Shadow Resolver * * Implements the override / shadow-resolution policy from * `.aiwg/architecture/adr-override-shadow-policy.md` (#1041) for project-local * artifact bundles deployed via `aiwg use` / `aiwg refresh`. * * Resolves the seven cases from ADR §4: * * 1. No collision — deploy normally * 2. Non-safety-critical shadow — deploy + warn * 3. Safety-critical shadow with `overrides:` declaration — deploy + prominent warn * 4. Safety-critical shadow without `overrides:` — REFUSE * 5. Phantom override (declared override has no upstream match) — REFUSE * 6. Two project-local bundles export the same id — REFUSE both * 7. git-installed source collides with project-local — same as 2/3/4 against cache * * Inputs: the project-local bundles (from `discoverProjectLocalBundles`) and * an upstream registry (from `buildUpstreamRegistry`). Outputs a per-artifact * verdict that the deployment pipeline consumes to decide what to write to * provider paths. * * @implements #1036 */ import { readdir, readFile, stat } from 'fs/promises'; import { join, basename } from 'path'; const ARTIFACT_DIRS = { agents: 'agent', skills: 'skill', rules: 'rule', commands: 'command', }; const FRONTMATTER_RE = /^---\s*\n([\s\S]*?)\n---/; const ID_LINE_RE = /^id\s*:\s*['"]?([^'"\n]+?)['"]?\s*$/m; const NAME_LINE_RE = /^name\s*:\s*['"]?([^'"\n]+?)['"]?\s*$/m; function parseId(raw) { const m = FRONTMATTER_RE.exec(raw); if (!m) return {}; return { id: ID_LINE_RE.exec(m[1])?.[1]?.trim(), name: NAME_LINE_RE.exec(m[1])?.[1]?.trim(), }; } /** Enumerate the artifacts a project-local bundle would deploy by walking its * source `agents/`, `skills/`, `rules/`, `commands/` subdirs — same pattern as * `deployOneProjectLocalBundle` and `countBundleSourceArtifacts` in use.ts. */ export async function enumerateBundleArtifacts(bundlePath) { const out = []; for (const [dirName, type] of Object.entries(ARTIFACT_DIRS)) { const artifactDir = join(bundlePath, dirName); let entries; try { entries = await readdir(artifactDir); } catch { continue; } if (type === 'skill') { for (const entry of entries) { const skillDir = join(artifactDir, entry); try { const st = await stat(skillDir); if (!st.isDirectory()) continue; } catch { continue; } let id = entry; try { const skillMd = await readFile(join(skillDir, 'SKILL.md'), 'utf-8'); const fm = parseId(skillMd); id = fm.name ?? fm.id ?? entry; } catch { // No SKILL.md — fall back to dir name } out.push({ id, type, sourcePath: skillDir }); } continue; } for (const entry of entries) { if (!entry.endsWith('.md')) continue; if (entry === 'README.md' || entry === 'RULES-INDEX.md' || entry === 'INDEX.md') continue; const filePath = join(artifactDir, entry); let id = basename(entry, '.md'); try { const raw = await readFile(filePath, 'utf-8'); const fm = parseId(raw); id = fm.id ?? fm.name ?? id; } catch { // Read failure — fall back to filename } out.push({ id, type, sourcePath: filePath }); } } return out; } /** Resolve overrides + shadows for a set of project-local bundles against an * upstream registry. Pure function — no filesystem side effects beyond reading * the bundle artifact files for id extraction. */ export async function resolveShadows(bundles, upstream, options = {}) { const strictPhantomOverrides = options.strictPhantomOverrides ?? true; const resolutions = []; const blockedBundleIds = new Set(); // Pre-pass: case 6 — duplicate project-local bundle ids (cross-bundle, by // artifact id+type). Discovery already rejects same-type duplicate bundle // ids (#1041 §4 case 6 at the bundle level); here we additionally guard // against two distinct bundles exporting an artifact with the same id+type. const projectLocalArtifacts = new Map(); // Enumerate every artifact in every bundle once. const enumerated = []; for (const bundle of bundles) { const arts = await enumerateBundleArtifacts(bundle.bundlePath); enumerated.push({ bundle, arts }); for (const art of arts) { const key = `${art.type}:${art.id}`; const list = projectLocalArtifacts.get(key) ?? []; list.push({ bundle, art }); projectLocalArtifacts.set(key, list); } } for (const { bundle, arts } of enumerated) { const declaredOverrides = new Set(bundle.manifest.overrides ?? []); // Case 5 pre-pass: validate every declared override resolves to *some* // upstream artifact (any type). Phantom overrides refuse the bundle. for (const overrideId of declaredOverrides) { if (!upstream.byId.has(overrideId)) { resolutions.push({ bundleId: bundle.id, bundleLocalPath: bundle.localPath, artifactId: overrideId, artifactType: 'rule', // unknown — picked nominal type for surface artifactSourcePath: bundle.manifestPath, verdict: 'refuse-phantom', message: `Phantom override: '${overrideId}' declared in ${bundle.manifestPath} but no upstream artifact has that id.`, blocking: strictPhantomOverrides, prominent: false, }); if (strictPhantomOverrides) blockedBundleIds.add(bundle.id); } } for (const art of arts) { const key = `${art.type}:${art.id}`; // Case 6 — duplicate project-local artifact id+type across bundles const projectLocalGroup = projectLocalArtifacts.get(key) ?? []; if (projectLocalGroup.length > 1) { const others = projectLocalGroup .filter((p) => p.bundle.id !== bundle.id) .map((p) => p.bundle.localPath); resolutions.push({ bundleId: bundle.id, bundleLocalPath: bundle.localPath, artifactId: art.id, artifactType: art.type, artifactSourcePath: art.sourcePath, verdict: 'refuse-duplicate', message: `Duplicate project-local ${art.type} '${art.id}' also exported by: ${others.join(', ')}`, blocking: true, prominent: false, }); blockedBundleIds.add(bundle.id); continue; } const upstreamMatch = upstream.byKey.get(key); // Case 1 — no collision if (!upstreamMatch) { resolutions.push({ bundleId: bundle.id, bundleLocalPath: bundle.localPath, artifactId: art.id, artifactType: art.type, artifactSourcePath: art.sourcePath, verdict: 'deploy', message: '', blocking: false, prominent: false, }); continue; } const acknowledged = declaredOverrides.has(art.id); if (upstreamMatch.safetyCritical) { if (acknowledged) { // Case 3 — safety-critical with explicit override resolutions.push({ bundleId: bundle.id, bundleLocalPath: bundle.localPath, artifactId: art.id, artifactType: art.type, artifactSourcePath: art.sourcePath, upstream: upstreamMatch, verdict: 'deploy-acknowledged', message: `SAFETY-CRITICAL SHADOW: ${art.type} '${art.id}' overridden by ${art.sourcePath}.\n` + ` Acknowledge: this disables upstream safeguard at ${upstreamMatch.sourcePath}.\n` + ` Use 'aiwg doctor' to review all active shadows.`, blocking: false, prominent: true, }); } else { // Case 4 — refuse resolutions.push({ bundleId: bundle.id, bundleLocalPath: bundle.localPath, artifactId: art.id, artifactType: art.type, artifactSourcePath: art.sourcePath, upstream: upstreamMatch, verdict: 'refuse-unsafe', message: `Refused to shadow safety-critical upstream ${art.type} '${art.id}'. ` + `Add 'overrides: ["${art.id}"]' to ${bundle.manifestPath} to authorize the override.`, blocking: true, prominent: true, }); blockedBundleIds.add(bundle.id); } continue; } // Case 2 — non-safety shadow const sourceLabel = upstreamMatch.source === 'cache' ? 'git-installed' : 'bundled'; resolutions.push({ bundleId: bundle.id, bundleLocalPath: bundle.localPath, artifactId: art.id, artifactType: art.type, artifactSourcePath: art.sourcePath, upstream: upstreamMatch, verdict: 'deploy-with-warning', message: `Shadow: ${art.type} '${art.id}' — project-local at ${art.sourcePath} ` + `overrides ${sourceLabel} at ${upstreamMatch.sourcePath}`, blocking: false, prominent: false, }); } } const shadows = resolutions.filter((r) => r.upstream !== undefined); return { resolutions, blockedBundleIds, shadows }; } /** Format a multi-resolution summary suitable for stderr or doctor output. */ export function formatShadowReport(result) { if (result.resolutions.length === 0) return ''; const lines = []; const blockers = result.resolutions.filter((r) => r.blocking); const warnings = result.resolutions.filter((r) => !r.blocking && (r.verdict === 'deploy-with-warning' || r.verdict === 'deploy-acknowledged')); if (blockers.length > 0) { lines.push('── Project-local shadow resolution: blocked artifacts ──'); for (const r of blockers) { lines.push(` ✗ [${r.verdict}] ${r.bundleId} :: ${r.artifactType}/${r.artifactId}`); for (const ml of r.message.split('\n')) lines.push(` ${ml}`); } lines.push(''); } if (warnings.length > 0) { lines.push('── Project-local shadows ──'); for (const r of warnings) { const marker = r.prominent ? '!!' : '⚠'; lines.push(` ${marker} [${r.verdict}] ${r.bundleId} :: ${r.artifactType}/${r.artifactId}`); for (const ml of r.message.split('\n')) lines.push(` ${ml}`); } } return lines.join('\n'); } //# sourceMappingURL=shadow-resolver.js.map