* fix Next.js build warnings, pin flatted override, regenerate lockfile
* fix ignoreDuringBuilds, add ao-core to serverExternalPackages, clean dist-server in prebuild
* fix ESLint plugin detection, remove ao-core from transpilePackages, suppress plugin-registry webpack warning
* fix(web): restore ao-core to transpilePackages, document overrides, fix dev:optimized cleanup
Move @aoagents/ao-core back to transpilePackages only. dist/ is gitignored so fresh
checkout has no dist/index.js; serverExternalPackages causes a hard crash at runtime.
Client components (SessionDetail, ProjectSidebar, sessions/[id]/page) also import
@aoagents/ao-core/types which serverExternalPackages does not cover.
Keep @composio/core in serverExternalPackages only with comment explaining it is an
optional transitive dep via tracker-linear dynamic import.
Add _overrides_rationale to document axios (SSRF CVE-2023-45857) and flatted
(prototype-pollution) security pins in root package.json.
Fix dev:optimized to clean both .next and dist-server, matching what prebuild does.
* fix: webpackIgnore dynamic imports in plugin-registry fixes#1056
* fix: move Next.js ESLint config to packages/web for build-time detection fixes#1058
* fix: remove scope creep and phantom agent-soma from lockfile
- remove agent-soma importer block from pnpm-lock.yaml
- remove @composio/core from serverExternalPackages
- remove redundant exprContextCritical webpack override
- remove flatted override and _overrides_rationale
- align @next/eslint-plugin-next to ^15.5.15
* fix: replace rm -rf with rimraf for cross-platform compatibility
* fix: use rimraf in clean script and sort devDependencies
* fix: add postcss.config.mjs to web ESLint ignores
* fix: restore no-console exemption for web package in root ESLint config
Address Copilot review feedback on PR #117:
- lifecycle-manager: replace string-matching guards (`metadata["role"]`,
`session.id.endsWith("-orchestrator")`) with the authoritative
`lifecycle.session.kind !== "orchestrator"` check. The previous guard
missed numbered orchestrator IDs like `${prefix}-orchestrator-1`, which
could let a fresh agent report incorrectly override an orchestrator
session's status.
- orchestrator-prompt: reword the "Explicit Agent Reports" section to stop
promising automatic surfacing in status/dashboard. CLI/UI display work
is not part of this PR; the prompt now describes reports as a hint to
lifecycle inference and explicitly notes SCM/runtime truth still wins.
Co-Authored-By: Claude <noreply@anthropic.com>
Address Copilot review feedback on PR #117:
- Drop the `done` alias from `INPUT_ALIASES`. Agents cannot self-report the
terminal `done` state (AO owns that transition via SCM ground truth), so
silently aliasing `done` → `completed` contradicted the prompts and
weakened the reserved-transition boundary.
- Tighten `validateAgentReportTransition` to reject ALL reports when
`session.state === "done"`. Previously `completed` slipped through, but
`completed` maps to `idle` and would have re-opened a terminal session,
contradicting the function's own doc comment.
- Reject future timestamps in `isAgentReportFresh`. A skewed/future
`agentReportedAt` would otherwise yield a negative delta that satisfies
`<= windowMs`, making the report appear "fresh" indefinitely and
overriding stronger inference signals.
Tests updated:
- Replace done→completed alias assertion with explicit null expectation.
- Expand `done`-state rejection test to cover `completed` and `needs_input`.
- Add freshness test for future-dated timestamps.
Co-Authored-By: Claude <noreply@anthropic.com>
Introduce an explicit reporting channel so worker agents can self-declare
their workflow phase (started/working/waiting/needs-input/fixing-ci/
addressing-reviews/completed). Fresh reports are trusted over weak inference
but runtime death, activity-based waiting_input, and SCM ground truth still
take precedence.
- Add `applyAgentReport`, validator, canonical mapping, and freshness helper
in `packages/core/src/agent-report.ts`.
- Wire the fallback into `determineStatus` just before the idle-beyond-
threshold promotion, skipping orchestrator and terminal sessions.
- Add `ao acknowledge` and `ao report <state>` CLI commands. Both resolve
the session from `AO_SESSION_ID` when no argument is passed.
- Teach the base agent prompt and orchestrator prompt about the new
reporting commands.
- Ship unit tests covering normalization, mapping, transition validation,
metadata persistence, freshness, and first-start behavior.
Stage 3 of the state-machine redesign (see aa-2/state-machine-redesign-
rollout-plan.md).
- New repo-utils.ts with extractOwnerRepo() and isValidRepoString()
shared across detectEnvironment, autoCreateConfig, addProjectToConfig
- Remote regex now supports GitLab subgroup paths (group/subgroup/repo)
- Repo validation accepts multi-segment paths (owner/repo and deeper)
- Updated prompt text to mention group/subgroup/repo format
- Updated ProjectConfig.repo docstring to be provider-neutral
- Tests import from shared helpers instead of duplicating regex
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@clack/prompts text() can return undefined when submitted with just
the placeholder value. Guard with typeof check in promptText and
defensive (entered || "") in both callers to prevent .trim() crash.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- detect-env: test GitHub/GitLab HTTPS/SSH remote extraction, unknown
hosts returning null, missing remote, and non-git directories
- repo-validation: test the anchored regex accepts owner/repo, rejects
empty, lone slash, missing segments, whitespace, and nested paths
- config-validation: test SCM/tracker inference skipped when repo is
missing or has no slash, and inferred correctly with owner/repo
- scm-webhooks: test eventMatchesProject returns false when project
has no repo configured
- orchestrator-prompt: existing test covers repo:undefined → "not configured"
- prompt-builder: existing test covers BASE_AGENT_PROMPT_NO_REPO selection
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Anchor repo validation regex with $ to reject trailing junk like
"acme/repo extra" or "acme/repo#frag" — both prompt locations
- Widen detectEnvironment and addProjectToConfig remote regex to
match gitlab.com in addition to github.com, so GitLab repos get
auto-detected owner/repo instead of silently skipping it
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
afterEach calls vi.restoreAllMocks() which restores the top-level mock
to the real function. Use vi.spyOn on the module namespace instead of
vi.mocked on the destructured import so the mock survives restoration.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The test has no ownerRepo detected, which triggers the interactive
repo prompt. Mock isHumanCaller to false so the prompt is skipped
in the non-interactive test environment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Fix ao start <path> regression: when target path differs from cwd,
run autoCreateConfig on the target (which is a git repo) instead of
cwd (which may not be). Removes the double-create pattern that added
a second project entry.
2. Gate remaining PR/CI sections in orchestrator-prompt: PR Takeover,
PR Review Flow, Bulk Issue Processing, and Monitoring Progress
details are now wrapped in project.repo checks so repo-less projects
don't get contradictory instructions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Move ensureGit() after path dedup check so already-registered paths
return early without requiring git
- Use realpathSync for canonical path comparison (resolves symlinks,
case variants, trailing slashes)
- Bail out with error when both SIGTERM and SIGKILL fail to stop AO
instead of unconditionally unregistering a live instance
- Rewrite path-dedup test to exercise the path-arg branch via
AO_CONFIG_PATH, covering addProjectToConfig's dedup lines
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Address review feedback from @illegalcall:
1. Fix canProbeRuntimeIdentity in determineStatus() — the previous
guard (hasPersistedRuntimeIdentity || status !== spawning) was
ineffective because spawn writes runtimeHandle to metadata before
leaving "spawning" status. Simplified to just check status !== spawning.
2. Guard getActivityState exited→killed transition — agent plugins
return "exited" before the process starts, so spawning sessions
were being marked killed via the agent activity path too.
3. Add lifecycle-manager tests covering both paths: runtime.isAlive
false with persisted handle, and agent reporting "exited" activity
during spawning.
Refs #1035
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The test was mocking detectEnvironment with isGitRepo: false, which now
correctly triggers the fail-fast error for non-git directories. Updated
to isGitRepo: true since the test is verifying config generation
defaults, not non-git behavior.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. prompt-builder: gate PR/CI instructions on project.repo — use
trimmed BASE_AGENT_PROMPT_NO_REPO when no remote configured
2. orchestrator-prompt: gate Quick Start and Available Commands
sections on project.repo — omit issue/PR commands when absent
3. types.ts: add changeset (minor for ao-core) with migration note
4. config.ts: consistent includes("/") guard for tracker inference
5. start.ts: fail fast with clear error when run in non-git directory
6. start.ts: stricter repo validation regex (requires non-empty
segments on both sides of slash)
7. start.ts: addProjectToConfig now prompts for repo like
autoCreateConfig does, with matching warning message
8. scm-webhooks.ts: pre-filter projects without repo in
findWebhookProjects to skip unnecessary SCM plugin lookups
9. lifecycle-manager.ts: fix GitLab subgroup split — use lastIndexOf
to correctly handle group/subgroup/repo paths
Closes#1154
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>