Commit Graph

34 Commits

Author SHA1 Message Date
harshitsinghbhandari 5e1414e7ad feat(power): prevent macOS idle sleep while AO is running (#1072)
Add idle sleep prevention on macOS using `caffeinate -i -w <pid>` to keep
the Mac awake while AO is running, enabling remote dashboard access (e.g.,
via Tailscale) without the machine going to sleep.

Changes:
- Add `preventIdleSleep()` helper in packages/cli/src/lib/prevent-sleep.ts
- Add `power.preventIdleSleep` config option (defaults to true on macOS)
- Wire sleep prevention into `ao start` command
- Add tests for the helper function and config validation
- Document the feature in README and example config

Note: Lid-close sleep is enforced by macOS hardware and cannot be prevented
by userspace assertions. Use clamshell mode for that use case.

Closes #1072

Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-11 00:11:45 +05:30
harshitsinghbhandari f154f87add fix: merge upstream main and resolve conflicts for cursor agent
- Resolve @composio → @aoagents package renaming conflicts
- Add cursor agent to BUILTIN_PLUGINS in plugin-registry.ts
- Add cursor agent to AGENT_PLUGINS in detect-agent.ts
- Add cursor agent import and registration in plugins.ts
- Add cursor agent dependency and import in web services.ts
- Update cursor plugin package naming to @aoagents/ao-plugin-agent-cursor
- Add cursor agent to changeset linked group
- Fix test imports to use new @aoagents package naming

Co-Authored-By: Claude <noreply@anthropic.com>
2026-04-10 11:48:27 +05:30
harshitsinghbhandari 8f92f791b0 docs: add cursor to changesets config and documentation
- Add @composio/ao-plugin-agent-cursor to linked version group in .changeset/config.json
- Update README.md plugin architecture table to include cursor
- Update config.md reference to include cursor in agent options

This ensures the cursor plugin versions in lockstep with other built-in plugins
and is properly documented for users.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-09 21:58:35 +05:30
yyovil d1e81e1567 added the shield badge for current version 2026-04-01 22:41:38 +05:30
Dhruv Sharma 7445e134c4 add plugin spec and update docs 2026-03-31 04:02:25 +05:30
suraj_markup a99aedf9a8
Merge pull request #537 from suraj-markup/feat/onboarding-improvements
feat: zero-friction onboarding — ao start does everything
2026-03-19 07:52:31 +05:30
suraj-markup 78a4233282 docs: simplify install to a single npm command
One command to install: npm install -g @composio/ao
Permission fix and source install tucked into a <details> block.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 07:27:30 +05:30
suraj-markup bce49a1981 docs: move CLI reference out of README, focus on user experience
The README should sell the experience, not list CLI flags. Humans
interact with `ao start` and the dashboard — the CLI is primarily
used by the orchestrator agent internally.

- Move full CLI reference to docs/CLI.md with clear sections:
  "commands humans use" vs "commands the orchestrator agent uses"
- Rewrite README to focus on install → start → done flow
- Remove CLI and Maintenance sections from README
- Simplify "How It Works" to describe the system, not CLI commands
- Add CLI Reference to Documentation table
- Collapse source install into <details> to reduce noise

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 07:23:32 +05:30
suraj-markup 4fcdc674d4 Rename npm package from @composio/agent-orchestrator to @composio/ao
Users can now install with:
  npm install -g @composio/ao

Instead of the longer:
  npm install -g @composio/agent-orchestrator

- Rename packages/agent-orchestrator → packages/ao
- Update package.json name and directory field
- Update all references in README, SETUP.md, changeset config, and CLI error messages

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 02:17:02 +05:30
suraj-markup 9f89efa061 docs: update README and SETUP.md for new onboarding flow
- README: restructure Quick Start with clear Option A (npm) and Option B
  (source) sections, each showing the full flow from install to first spawn
- README: clarify that `ao` is the CLI command after npm install
- README: add `ao stop`, `ao batch-spawn`, and `--agent` flag to CLI reference
- README: note that `ao start` auto-generates config
- SETUP.md: replace stale `ao init` wizard docs (13-prompt flow no longer
  exists) with `ao start` auto-detection docs
- SETUP.md: update minimal config (remove dataDir/worktreeDir — auto-managed)
- SETUP.md: fix all `ao spawn <project> <issue>` to `ao spawn <issue>`
- SETUP.md: update troubleshooting for auto-port-finding and config creation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-19 02:12:11 +05:30
suraj_markup 178af32682
Merge pull request #463 from suraj-markup/feat/onboarding-improvements
feat: reduce onboarding friction — auto-init, add-project, dashboard publishing, error hardening
2026-03-19 01:21:34 +05:30
suraj-markup 0b1bd49940 Address PR review comments: unused import, stop orphan, docs accuracy
- Remove unused getCallerType import from start.ts
- Fix ao stop orphaning dashboard: always run stopDashboard via lsof
  after killing parent PID, since SIGTERM may not propagate to child
- Revert spawn single-project special case back to always matching
  project ID (backward compat)
- Update README: replace ao init --interactive and ao add-project
  references with ao start equivalents, update spawn syntax

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 13:44:29 +05:30
prateek 21d48c9bcc
docs: update Discord invite link (#475) 2026-03-15 14:20:11 +05:30
suraj-markup 14fa726551 Publish ao-web on npm, harden error handling, deduplicate code
- Publish @composio/ao-web dashboard as npm package (removed private flag,
  added files field, production entry point, node-pty made optional)
- CLI auto-detects dev vs production mode for dashboard startup
- Use local next binary instead of npx in production start-all.ts
- findWebDir() throws with install-specific guidance instead of returning
  broken path
- Fix CI-silent failure: setup.sh and ao-update.sh exit 1 on non-interactive
  npm link failure
- Deduplicate detectDefaultBranch into shared cli/lib/git-utils.ts
- Add EACCES permission guidance to README.md and SETUP.md
- Move resolveProjectIdForSessionId to @composio/ao-core
- Update design doc with problems #8-13, changes #9-12, known limitations
  section, and expanded test plan

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 19:01:49 +05:30
suraj-markup fa6c475d48 docs: add design doc for onboarding improvements, update README
- Add design doc covering all changes, UX impact, and new flow
- Update README: add ao init, ao add-project, ao start to Quick Start and CLI sections
- Remove --auto flag from README examples (now the default)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 20:55:50 +05:30
Andrés Kaminker b064925621
docs: add CONTRIBUTING.md, expand development guide, fix broken CLAUDE.md links (#448)
* docs: add CONTRIBUTING.md, expand development guide, fix broken CLAUDE.md links

- Add CONTRIBUTING.md covering bug reports, dev setup, plugin development, PR process
- Expand docs/DEVELOPMENT.md into a comprehensive architecture + conventions reference
  (architecture overview, plugin pattern with full example, spawn flow, TypeScript and
  shell command conventions, key design decisions, common dev tasks)
- Update README.md docs table to reference docs/DEVELOPMENT.md instead of gitignored CLAUDE.md
- Fix broken CLAUDE.md links in SETUP.md to point to docs/DEVELOPMENT.md

CLAUDE.md is gitignored (personal agent config) so links to it were always broken.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: document ao update workflow and fix guide links

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Harsh <harshb012@gmail.com>
2026-03-12 22:32:33 +05:30
Harsh Batheja 3d518aed2f
feat: add doctor and update maintenance tooling (#437)
* feat: add ao doctor maintenance checks

* feat: add ao update refresh script

* feat: add shared CLI script runner

* feat: add doctor and update CLI commands

* docs: document doctor and update commands

* fix: harden maintenance safety checks

* fix: harden ao update behavior

* fix: strip inline comments from doctor config values
2026-03-12 20:59:22 +05:30
prateek 7e80c8db15
docs: add Discord community link to README (#419) 2026-03-10 22:36:57 +05:30
Sujay Choubey 17c79b21a0 Add Composio banner to README 2026-03-03 22:43:23 +05:30
prateek 80a1d59999
feat: add `ao start <url>` one-command project onboarding (#267)
* feat: add `ao start <url>` one-command project onboarding

When `ao start` receives a repo URL instead of a project ID, it now:
1. Parses the URL (supports GitHub, GitLab, Bitbucket — HTTPS and SSH)
2. Clones the repo (or reuses if already present with matching remote)
3. Auto-generates agent-orchestrator.yaml with sensible defaults:
   - SCM/tracker plugins inferred from URL host
   - Default branch detected from local refs
   - Project type detected (language, package manager)
   - Post-create install commands set based on package manager
4. Starts the orchestrator + dashboard as usual

New core module `config-generator.ts` handles URL parsing, SCM detection,
project info detection, and config generation. All logic is in core (not
CLI) for reusability. 36 unit tests cover URL parsing, SCM detection,
default branch detection, project info, config generation, and clone
target resolution.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address bugbot review feedback

1. Non-JS postCreate fix: Only set postCreate install commands for JS
   package managers (pnpm/yarn/bun/npm). Rust/Go/Python projects no
   longer get an incorrect "npm install" command.

2. Deduplicate startup logic: Extract shared `runStartup()` helper used
   by both URL-mode and normal-mode start flows. Eliminates ~100 lines
   of duplicated dashboard+orchestrator startup code.

3. SSH URL matching: Normalize SSH URLs to HTTPS format in
   `isRepoAlreadyCloned()` so repos cloned via SSH
   (git@github.com:owner/repo) are correctly detected as matching.

4. SCM/tracker always explicit: Always set scm and tracker fields in
   generated config so `applyProjectDefaults()` doesn't silently
   override with github defaults for non-GitHub repos.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: sanitize repo names for project IDs and session prefixes

Address remaining bugbot comments:
- Add sanitizeProjectId() to handle dots/special chars in repo names
  (e.g. "my.app" → "my-app" instead of failing Zod validation)
- Preserve original case for generateSessionPrefix() so CamelCase
  detection works (e.g. "DevOS" → prefix "dos", not "dev")
- Strip invalid chars before prefix generation to prevent dots
  leaking into sessionPrefix

Also update README and SETUP docs with `ao start <url>` quick
onboarding flow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: auto-open browser to orchestrator page on `ao start`

Opens the orchestrator session page (/sessions/{id}) instead of the
root dashboard, since the Kanban board is empty on first startup
with no worker sessions yet.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: replace fixed 3s delay with port polling for browser open

Poll the dashboard port via TCP connection attempts (300ms intervals,
30s timeout) instead of a hardcoded setTimeout. Opens the browser only
once the server is actually accepting connections — deterministic
regardless of how long Next.js takes to compile.

Applied to both `ao start` and `ao dashboard` commands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: add CLI tests for start/stop commands

12 new tests covering:
- Project resolution: single project, explicit arg, missing project,
  multi-project ambiguity, empty config
- URL argument: reuse existing clone, git clone flow, existing config
  detection, clone failure error handling
- Port polling: waitForPortAndOpen polls isPortAvailable before opening
  browser (proves deterministic behavior vs fixed delay)
- Stop command: session kill + dashboard stop, graceful missing session

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: deduplicate waitForPortAndOpen into shared utility

Move waitForPortAndOpen to lib/web-dir.ts (alongside isPortAvailable)
so both start.ts and dashboard.ts share a single cancellation-aware
implementation. start.ts now uses AbortSignal like dashboard.ts —
polling stops immediately if the dashboard process exits early.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-03 13:52:49 +05:30
prateek 3028cff4ab
docs: add spacing between demo button and article section (#215)
Merge the two centered divs into one and add <br><br><br> between
the demo CTA button and the article screenshot below it.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 03:27:45 +05:30
prateek 4fb0b4c75a
docs: fix button spacing with inline br tags (no blank lines) (#214)
GitHub collapses <br> surrounded by blank lines in HTML blocks.
Placing <br><br> on the same line without surrounding blank lines
keeps them in raw HTML mode where they render correctly.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 03:26:14 +05:30
prateek 61a87a5385
docs: reduce spacing between screenshots and buttons (#213)
Replace <p>&nbsp;</p> (too much margin) with a 1px transparent GIF
at height=8 for precise, subtle spacing.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 03:23:18 +05:30
prateek 548d479f22
docs: add vertical spacing between screenshots and CTA buttons (#212)
GitHub markdown collapses <br> inside <div> blocks. Use <p>&nbsp;</p>
which GitHub reliably renders as vertical space.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 03:21:46 +05:30
prateek 7cbeb92c0b
Make 'See it in action' heading bigger (#211)
* docs: make "See it in action" heading bigger (h2)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: add vertical spacing between screenshots and buttons

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 03:14:47 +05:30
prateek 001d411219
Vibrant 3D gradient CTA buttons for README (#209)
* docs: add demo video and article links to README

Add tweet screenshot for the video demo prominently after the intro,
and link to the full article thread. Replaces the TODO placeholder.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: use article screenshot for README article link

Replace text-only article link with clickable screenshot showing
the article title, preview image, and engagement stats.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: replace demo video screenshot with higher quality version

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: vibrant 3D gradient CTA buttons for README

- Replace flat black shields.io badges with custom SVG buttons
- Purple gradient for "Watch the Demo" with play icon
- Coral gradient for "Read the Full Article" with book icon
- Both have 3D shine effect (top highlight, bottom shadow)
- High contrast on both GitHub light and dark mode
- Update article screenshot with cleaner version
- Images remain clickable (already wrapped in <a> tags)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: remove white borders from CTA buttons

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: use manually captured PNG buttons instead of SVGs

Playwright screenshots introduce 1-2px border artifacts on SVG img
elements (microsoft/playwright#35014). Use clean manually-captured
PNG screenshots instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 03:11:44 +05:30
prateek 2c6f9e56b3
Update article screenshot and make CTA buttons prominent (#208)
* docs: add demo video and article links to README

Add tweet screenshot for the video demo prominently after the intro,
and link to the full article thread. Replaces the TODO placeholder.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: use article screenshot for README article link

Replace text-only article link with clickable screenshot showing
the article title, preview image, and engagement stats.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: replace demo video screenshot with higher quality version

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: update article screenshot and make CTAs more prominent

- Replace article screenshot with cleaner version showing title/preview
- Replace small <sub> text links with shields.io badge-style buttons
  for "Watch the demo on X" and "Read the full article on X"

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 02:50:26 +05:30
prateek a98c5a1e30
Add demo video and article links to README (#206)
* docs: add demo video and article links to README

Add tweet screenshot for the video demo prominently after the intro,
and link to the full article thread. Replaces the TODO placeholder.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: use article screenshot for README article link

Replace text-only article link with clickable screenshot showing
the article title, preview image, and engagement stats.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* docs: replace demo video screenshot with higher quality version

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 02:45:40 +05:30
sujayjayjay c820728ec3
docs: README update (#156)
Clearer H1 and tagline.

- H1 now describes what the project is (orchestration layer for parallel agents)
- Tagline calls out git worktree isolation and autonomous CI/review handling

No structural changes.

Co-authored-by: Sujay Choubey <sujaychoubey@Sujays-MacBook-Pro-4.local>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-23 19:37:43 +05:30
prateek ade1322371
docs: redesign README based on competitive research (#132)
* docs: redesign README based on 16-repo competitive research

Restructured README following patterns from lazygit, starship, Aider,
Swarm, LangGraph, and other high-star projects. Key changes:

- Centered hero with one-line tagline and custom metric badges
- Quick Start within first 20 lines (code-first)
- "How It Works" with numbered flow instead of abstract description
- Plugin architecture table (our differentiator) kept prominent
- Config example showing the reactions system (the "aha" feature)
- "Why Agent Orchestrator?" competitive positioning section
- Reduced from 234 to ~130 lines — link to docs for depth

Research artifacts: github.com/ComposioHQ/agent-orchestrator/releases/tag/metrics-v1

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use valid HTML structure for README hero section

Replace invalid <h1> inside <p> with <div> + markdown heading.
Drop dynamic stars badge (shields.io intermittently fails).
Use markdown badge syntax instead of raw HTML img tags.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: remove unrelated scm-github changes from PR

These files were accidentally included from pre-existing unstaged
changes on main. Restoring to main state so PR only contains README.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add GitHub stars badge to README

Follow the standard pattern used by popular open-source projects
(CrewAI, lazygit, starship, etc.) using shields.io dynamic badge.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 03:23:02 +05:30
prateek 450507193e
docs: update port references to reflect configurability (#122)
All docs now mention that the dashboard port (default 3000) is
configurable via `port:` in agent-orchestrator.yaml. Fixes incorrect
port 9847 references in SETUP.md, adds multi-project port guidance,
and documents terminal port auto-detection.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 07:37:00 +05:30
prateek 599710296d
fix: migrate to hash-based project isolation architecture
Complete migration to hash-based directory structure for project isolation. All bugbot issues resolved.
2026-02-18 00:19:55 +05:30
prateek eaea131af9
feat: seamless onboarding with enhanced documentation (#66)
* feat: implement seamless onboarding with enhanced documentation

- Add comprehensive README.md (18KB) with quick start, core concepts, and FAQ
- Add detailed SETUP.md (16.5KB) with prerequisites, integration guides, and troubleshooting
- Add examples/ directory with 5 ready-to-use config templates:
  - simple-github.yaml: Minimal GitHub setup
  - linear-team.yaml: Linear integration
  - multi-project.yaml: Multiple repos
  - auto-merge.yaml: Aggressive automation
  - codex-integration.yaml: Using Codex agent

- Add environment detection (git repo, remote, branch, auth status)
- Auto-fill prompts with smart defaults from detected environment
- Add prerequisite validation (git, tmux, gh CLI)
- Show actionable next steps and warnings
- Parse owner/repo from git remote automatically
- Detect LINEAR_API_KEY and SLACK_WEBHOOK_URL in environment
- Prompt for Linear team ID when Linear tracker selected

- Format all files with Prettier for consistency

Reduces onboarding time from 30+ minutes to ~5 minutes:
1. Install CLI: `npm install -g @composio/ao-cli`
2. Run init: `ao init` (auto-detects everything)
3. Spawn agent: `ao spawn my-project ISSUE-123`

Users no longer need to:
- Manually parse git remote URLs
- Look up current branch names
- Remember YAML syntax
- Search for Linear team IDs
- Debug missing prerequisites

-  pnpm build - All packages compile
-  pnpm typecheck - No TypeScript errors
-  pnpm lint - No new linting issues
-  pnpm format - All files formatted

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* docs: update installation instructions to reflect npm not yet published

Package is not published to npm yet, so users must build from source.
Updated README.md and SETUP.md to:
- Make 'build from source' the primary installation method
- Add note that npm publishing is coming soon
- Include pnpm as a prerequisite

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* feat: add ao init --auto --smart for zero-config setup

Implements intelligent config generation with project type detection.

## What's New

### ao init --auto
- Zero prompts - auto-generates config with smart defaults
- Detects: git repo, remote, branch, languages, frameworks, tools
- Generates project-specific agentRules based on detected tech stack

### Project Detection
- Languages: TypeScript, JavaScript, Python, Go, Rust
- Frameworks: React, Next.js, Vue, Express, FastAPI, Django, Flask
- Tools: pnpm workspaces, test frameworks
- Package managers: pnpm, yarn, npm

### Rule Templates
Created templates for:
- base.md - Universal best practices
- typescript.md - TS strict mode, ESM, type imports
- javascript.md - Modern ES6+ patterns
- react.md - Hooks, composition, best practices
- nextjs.md - App Router, Server Components
- python.md - Type hints, PEP 8
- go.md - Error handling, defer patterns
- pnpm-workspaces.md - Monorepo commands

### Example Output

```bash
ao init --auto

# Detects:
# ✓ TypeScript + pnpm workspaces
# ✓ React + Next.js
# ✓ Vitest

# Generates:
agentRules: |
  Always run tests before pushing.
  Use TypeScript strict mode.
  Use ESM modules with .js extensions.
  Use React best practices (hooks, composition).
  Before pushing: pnpm build && pnpm typecheck && pnpm lint && pnpm test
```

## Benefits

- **5 seconds** instead of 5 minutes
- **Zero config knowledge** required
- **Context-aware rules** tailored to your stack
- **Still customizable** - edit the generated config

## Future: --smart (AI-powered)

Flag added but not yet implemented. Will use Claude Code to:
- Analyze CLAUDE.md, CONTRIBUTING.md
- Read CI/CD config
- Generate custom rules based on project patterns

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: detect repo default branch instead of current branch

Fixes Bugbot issue: "Current branch wrongly suggested as default base branch"

## Problem

detectEnvironment was using `git branch --show-current` to suggest
defaultBranch in the config. If a user ran `ao init` while on a feature
branch like `feat/my-work`, the wizard would suggest that feature branch
as the default, causing agents to branch from the wrong base.

## Solution

Added detectDefaultBranch() function with 3 fallback methods:
1. git symbolic-ref refs/remotes/origin/HEAD (most reliable)
2. GitHub API via gh CLI (if ownerRepo known)
3. Check common branch names: main, master, next, develop

Now EnvironmentInfo tracks both:
- currentBranch: The checked-out branch (for display only)
- defaultBranch: The repo's base branch (for config)

## Testing

Tested on feat/seamless-onboarding branch:
- Current branch: feat/seamless-onboarding (displayed)
- Default branch: main (correctly detected for config)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: prevent duplicate framework detection in Python projects

Fixes Bugbot issue: "Duplicate frameworks when multiple Python config files exist"

## Problem

When both requirements.txt and pyproject.toml exist and mention the same
framework (e.g., FastAPI), the detection loop added it to the frameworks
array twice, causing duplicate rules in the generated config.

## Solution

Added addFramework() helper that checks if framework already exists before
adding to the array. Also prevents pytest from being set multiple times as
testFramework.

## Testing

Verified with test repo containing both files with FastAPI:
- Before: Would add 'fastapi' twice
- After: Only adds 'fastapi' once ✓

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: address Bugbot review comments

- Remove redundant conditional in --smart flag (both branches were identical)
- Include templates directory in npm package files

* fix: add existence check for base.md template file

Add existsSync guard before reading base.md to handle missing templates gracefully, consistent with other template file reads.

* fix: use direct tool invocation instead of which command

Replace 'which' with direct tool invocation (tmux -V, gh --version)
for better portability on minimal Linux systems where 'which' may
not be installed.

* fix: address Bugbot review comments

- Simplify gh auth status check to rely on exit code instead of output string
- Remove async from synchronous functions (detectProjectType, generateRulesFromTemplates)

* feat: add setup script for one-command installation

Add scripts/setup.sh that:
- Installs pnpm if not present
- Installs dependencies
- Builds all packages
- Links CLI globally

Updated README with simplified setup instructions using the script.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: correct npm link command in setup script

Remove incorrect -g flag from npm link command. The correct syntax is to cd into the package directory and run npm link without flags.

* fix: address Bugbot review comments on init command

- Validate --smart flag requires --auto (prevents silent ignore)
- Fix path validation to check user-specified path (not CWD)

These fixes address medium and low severity issues found by Cursor Bugbot
in PR #66 review.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* docs: add DirectTerminal troubleshooting and fix setup script

- Add TROUBLESHOOTING.md documenting node-pty posix_spawnp error
- Update setup.sh to rebuild node-pty from source (fixes DirectTerminal)
- Ensures seamless onboarding with working terminal out-of-the-box

Resolves DirectTerminal WebSocket failures from incompatible prebuilt binaries.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: resolve variable scope issue in init command validation

- Move path variable outside if block to fix TypeScript scope error
- Only validate path existence if projectId is provided
- Use inline tilde expansion instead of missing expandHome import

Fixes build error that prevented setup.sh from completing.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: automate node-pty rebuild to eliminate terminal issues

- Add postinstall hook to automatically rebuild node-pty after pnpm install
- Create scripts/rebuild-node-pty.js for automatic rebuild with error handling
- Remove manual node-pty rebuild from setup.sh (now automatic)

This ensures DirectTerminal works correctly on every installation without
manual intervention. Fixes posix_spawnp errors from incompatible prebuilt
binaries across different systems and installations.

Resolves issue where users would encounter blank terminals after setup.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* docs: update TROUBLESHOOTING with automatic node-pty rebuild

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* docs: add comprehensive README with quick start guide

- 3-line magical setup: clone → setup → init → start
- Architecture overview with plugin slots table
- Usage examples and auto-reaction configuration
- Links to detailed docs (SETUP.md, TROUBLESHOOTING.md, examples/)
- Philosophy: push not pull, amplify judgment

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: resolve ESLint errors in rebuild-node-pty script

- Add scripts directory configuration to eslint.config.js
- Configure Node.js globals (console, process) for scripts
- Remove unused error variable from catch block

Fixes lint CI failure.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: warn when auto mode uses placeholder repo value

- Detect when 'owner/repo' placeholder is used in --auto mode
- Show warning: 'Could not detect GitHub repository'
- Update next steps to emphasize editing config when placeholder used
- Prevents silent failures when spawning agents with invalid repo

Addresses Bugbot review comment about silent placeholder values.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-16 22:22:13 +05:30
prateek 66005c05c5
feat: implement comprehensive security audit and secret leak prevention (#67)
* feat: implement comprehensive security audit and secret leak prevention

## Changes

### Security Infrastructure
- Add Gitleaks configuration (.gitleaks.toml) for secret scanning
- Add pre-commit hook via Husky to block secret commits
- Add GitHub Actions security workflow (gitleaks, dependency review, npm audit)
- Update .gitignore to exclude secret files and credentials

### Documentation
- Create SECURITY.md with security policy and best practices
- Create README.md with project overview and security section
- Create docs/DEVELOPMENT.md with developer guide
- Create docs/SECURITY-AUDIT-SUMMARY.md with full audit report

### Dependencies
- Add husky@^9.1.7 for git hooks

## Audit Results

-  Current codebase: 0 secrets found (1.47 MB scanned)
- ⚠️ Git history: 1 historical secret (OpenClaw token, documented in SECURITY.md)
-  All test files use dummy values
-  All example configs use environment variables

## Security Features

1. **Pre-commit Hook**: Scans staged files, blocks secrets before commit
2. **CI/CD Pipeline**: Scans full git history on every push/PR
3. **Automated Scanning**: Weekly scheduled scans for new vulnerabilities
4. **Comprehensive Docs**: Security policy, best practices, developer guide

## Testing

```bash
# Scan current files
gitleaks detect --no-git

# Test pre-commit hook
echo "token=ghp_fake" > test.txt
git add test.txt
git commit -m "test"  # Should be blocked
```

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: make dependency-review job non-blocking

The dependency-review action requires GitHub Advanced Security which may
not be available on all repositories. Adding continue-on-error to prevent
workflow failure when this feature is unavailable.

The check will still run and provide useful information when available,
but won't block the PR if the repository doesn't have Advanced Security.

* feat: add workflow_dispatch trigger to security workflow

Allows manual triggering of security scans for testing and re-running.

* fix: address Cursor Bugbot security review comments

Fixes all high, medium, and low severity issues identified by Cursor Bugbot:

**High Severity:**
- Redact OpenClaw token from documentation (replace with 1af5c4f...872)
- Fix pre-commit hook to FAIL (exit 1) when gitleaks is not installed
  - Previously silently skipped scanning (exit 0) providing false sense of security
- Fix bashism in pre-commit hook: replace &> with > /dev/null 2>&1 (POSIX compliant)

**Medium Severity:**
- Remove overly broad gitignore patterns (*.sql, *.db, *.sqlite)
  - These would block legitimate SQL migration files and database schemas
  - Keep focus on actual credential files only

**Low Severity:**
- Remove author email (samvit@hotmail.com) from audit documentation

All issues now resolved. Pre-commit hook will properly block commits when
gitleaks is missing, ensuring consistent secret scanning enforcement.

* fix: comment out dependency-review job requiring Dependency graph

The dependency-review GitHub Action requires 'Dependency graph' to be
enabled in repository settings. Since this feature may not be available
or configured on all repositories, commenting out this job to prevent
workflow failures.

To re-enable:
1. Go to Settings > Code security and analysis
2. Enable 'Dependency graph'
3. Uncomment the dependency-review job in this workflow

The npm-audit job provides similar dependency vulnerability scanning
and doesn't require special GitHub features.

* feat: re-enable dependency-review job after Dependency graph enabled

Now that Dependency graph is enabled in repo settings, uncomment the
dependency-review job to scan PRs for vulnerable dependencies.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-16 10:33:50 +05:30