tooling: soup build/verify stack + Windows estate scripts#61
Conversation
Jun-22 dogfood recovery scripts were referenced in driver-soup.md and feature-work-lifecycle.md but never landed on origin/main during salvage. Adds build-web atomic path, promotion stamp helpers, web/dist verify, Windows production-mutation guard, and mirror-main PR discipline note. Co-authored-by: Cursor <cursoragent@cursor.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a3d40daf65
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| CMD=$(printf '%s' "$INPUT" | jq -r ' | ||
| [ | ||
| .command, | ||
| .input.command, | ||
| .tool_input.command, | ||
| .input.cmd, | ||
| .tool_input.cmd | ||
| ] |
There was a problem hiding this comment.
Parse top-level cmd before allowing hook input
When a hook payload supplies the shell text as top-level cmd, this extractor leaves CMD empty and the guard immediately returns allow, so an SSH production mutation such as {"cmd":"ssh server 'kill ... hapi-hub :3006'"} bypasses the new muzzle entirely. The Windows twin already accepts top-level cmd; add .cmd here or fail closed when parsing succeeds but no supported command field is found.
Useful? React with 👍 / 👎.
| (.agentSessionId // "") as $aid | ||
| | $aid != $agent | ||
| and ($aid | startswith($agent) | not) | ||
| and ($agent | startswith($aid) | not) | ||
| ) |
There was a problem hiding this comment.
Keep sessions with missing agent IDs in drain count
When PATIENT_EXCLUDE_AGENT is set, any WORKING session without agentSessionId gets $aid == ""; because every string starts with the empty string, $agent | startswith($aid) is true and this predicate drops that unrelated session from the drain set. In patient-drain callers this can report zero blocking work and proceed with a stack switch while a session that lacks an agent id is still running; only run the reverse prefix check when $aid is non-empty.
Useful? React with 👍 / 👎.
| const plugins = (base.plugins ?? []).filter((p) => { | ||
| const name = p?.name ?? '' | ||
| return !name.includes('vite-plugin-pwa') && name !== 'vite:pwa' | ||
| }) |
There was a problem hiding this comment.
Flatten Vite plugins before dropping PWA
With the current web/vite.config.ts, the VitePWA(...) entry is a nested array of plugins, so this filter sees that array as one item, gets an empty name, and keeps the whole PWA plugin set. That means the “strip VitePWA” soup-build path still runs the injectManifest stage it is meant to avoid under memory pressure; flatten the plugin list (or otherwise inspect nested entries) before filtering by name.
Useful? React with 👍 / 👎.
| ) | ||
| } | ||
| } | ||
| ($hookDoc | ConvertTo-Json -Depth 6) | Set-Content -Encoding UTF8 (Join-Path $cursor 'hooks.json') |
There was a problem hiding this comment.
Merge workspace hooks instead of replacing them
When the installer reaches the workspace deploy step, this writes a brand-new .cursor/hooks.json and discards any existing workspace hooks, even though the top-level installer promises to preserve unrelated hooks. On a workspace that already has a beforeShellExecution hook, refreshing the muzzle silently disables that hook; mirror the merge logic used for the user-level hooks instead of overwriting the file.
Useful? React with 👍 / 👎.
| fi | ||
|
|
||
| # Driver tree destruction / sneak promote | ||
| if printf '%s' "$lc" | grep -qE 'git reset --hard.*(driver|hapi/driver)|embeddedassets.*driver|cp -r.*embeddedassets'; then |
There was a problem hiding this comment.
Catch resets after changing into driver
When the command first changes into the driver tree and then resets, e.g. cd ~/coding/hapi/driver && git reset --hard, this pattern does not match because it only catches git reset --hard followed later by driver or hapi/driver. That is a common form of the destructive driver reset the guard is meant to block, so those production mutations still pass; also match chained cd/cwd forms.
Useful? React with 👍 / 👎.
|
|
||
| # Returns 0 when port is free OR owned correctly by systemd hub on expected tree. | ||
| # Prints human-readable errors to stderr and returns 1 on rogue ownership. | ||
| hub_port_guard_assert_production() { |
There was a problem hiding this comment.
Wire the port guard into activation paths
Repo-wide search shows hub_port_guard_assert_production is only defined in this new file and is not sourced by hapi-watch-activate-driver, hapi-use-worktree, or hapi-use-driver, so the rogue-listener check never runs before activation despite the guard's stated purpose. Wire this function into the activation/restart paths; otherwise a manual hub on :3006 can still block systemd unnoticed.
Useful? React with 👍 / 👎.
|
|
||
| HAPI_PROMOTION_FILE="${HAPI_PROMOTION_FILE:-$HOME/.hapi/driver-promotion.json}" | ||
|
|
||
| driver_promotion_stamp() { |
There was a problem hiding this comment.
Stamp and check promotions from real callers
Repo-wide search shows driver_promotion_stamp and driver_promotion_check are only defined here; hapi-driver-rebuild --verify never records a verified SHA and hapi-use-driver never checks one before switching. As a result, the new promotion contract is inert and live stack switches remain possible without the verified build this helper is supposed to require.
Useful? React with 👍 / 👎.
Summary
origin/mainafter the Jun-22 salvage (hapi-driver-build-web,hapi-verify-web-dist,lib/build-web-atomic.sh, promotion stamp helpers, etc.).docs/operator/windows-estate-agents.md.docs/tooling/mirror-main-layout.md: forkmainchanges land via PR only, not direct push.Supersedes the intent of closed #60 (blocked on
docs/plans/leakage). Tooling-only.Test plan
bash -non new shell scriptsMade with Cursor