mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-02 11:45:20 +02:00
Garry Tan
9dbaf906cf
* feat(gbrain-sync): queue primitives + writer shims
Adds bin/gstack-brain-enqueue (atomic append to sync queue) and
bin/gstack-jsonl-merge (git merge driver, ts-sort with SHA-256 fallback).
Wires one backgrounded enqueue call into learnings-log, timeline-log,
review-log, and developer-profile --migrate. question-log and
question-preferences stay local per Codex v2 decision.
gstack-config gains gbrain_sync_mode (off/artifacts-only/full) and
gbrain_sync_mode_prompted keys, plus GSTACK_HOME env alignment so
tests don't leak into real ~/.gstack/config.yaml.
* feat(gbrain-sync): --once drain + secret scan + push
bin/gstack-brain-sync is the core sync binary. Subcommands: --once
(drain queue, allowlist-filter, privacy-class-filter, secret-scan
staged diff, commit with template, push with fetch+merge retry),
--status, --skip-file <path>, --drop-queue --yes, --discover-new
(cursor-based detection of artifact writes that skip the shim).
Secret regex families: AWS keys, GitHub tokens (ghp_/gho_/ghu_/ghs_/
ghr_/github_pat_), OpenAI sk-, PEM blocks, JWTs, bearer-token-in-JSON.
On hit: unstage, preserve queue, print remediation hint (--skip-file
or edit), exit clean. No daemon — invoked by preamble at skill
boundaries.
* feat(gbrain-sync): init, restore, uninstall, consumer registry
bin/gstack-brain-init: idempotent first-run. git init ~/.gstack/,
.gitignore=*, canonical .brain-allowlist + .brain-privacy-map.json,
pre-commit secret-scan hook (defense-in-depth), merge driver registration
via git config, gh repo create --private OR arbitrary --remote <url>,
initial push, ~/.gstack-brain-remote.txt for new-machine discovery,
GBrain consumer registration via HTTP POST.
bin/gstack-brain-restore: safe new-machine bootstrap. Refuses clobber
of existing allowlisted files, clones to staging, rsync-copies tracked
files, re-registers merge drivers (required — not cloned from remote),
rehydrates consumers.json, prompts for per-consumer tokens.
bin/gstack-brain-uninstall: clean off-ramp. Removes .git + .brain-*
files + consumers.json + config keys. Preserves user data (learnings,
plans, retros, profile). Optional --delete-remote for GitHub repos.
bin/gstack-brain-consumer + bin/gstack-brain-reader (symlink alias):
registry management. Internal 'consumer' term; user-facing 'reader'
per DX review decision.
* feat(gbrain-sync): preamble block — privacy gate + boundary sync
scripts/resolvers/preamble/generate-brain-sync-block.ts emits bash that
runs at every skill invocation:
- Detects ~/.gstack-brain-remote.txt on machines without local .git
and surfaces a restore-available hint (does NOT auto-run restore).
- Runs gstack-brain-sync --once at skill start to drain any pending
writes (and at skill end via prose instruction).
- Once-per-day auto-pull (cached via .brain-last-pull) for append-only
JSONL files.
- Emits BRAIN_SYNC: status line every skill run.
Also emits prose for the host LLM to fire the one-time privacy
stop-gate (full / artifacts-only / off) when gbrain is detected and
gbrain_sync_mode_prompted is false. Wired into preamble.ts composition.
* test(gbrain-sync): 27-test consolidated suite
test/brain-sync.test.ts covers:
- Config: validation, defaults, GSTACK_HOME env isolation
- Enqueue: no-op gates, skip list, concurrent atomicity, JSON escape
- JSONL merge driver: 3-way + ts-sort + SHA-256 fallback
- Init + sync: canonical file creation, merge driver registration,
push-reject + fetch+merge retry path
- Init refuses different remote (idempotency)
- Cross-machine restore round-trip (machine A write → machine B sees)
- Secret scan across all 6 regex families (AWS, GH, OpenAI, PEM, JWT,
bearer-JSON). --skip-file unblock remediation
- Uninstall removes sync config, preserves user data
- --discover-new idempotence via mtime+size cursor
Behaviors verified via integration smokes during implementation. Known
follow-up: bun-test 5s default timeout needs 30s wrapper for
spawnSync-heavy tests.
* docs(gbrain-sync): user guide + error lookup + README section
docs/gbrain-sync.md: setup walkthrough, privacy modes, cross-machine
workflow, secret protection, two-machine conflict handling, uninstall,
troubleshooting reference.
docs/gbrain-sync-errors.md: problem/cause/fix index for every
user-visible error. Patterned on Rust's error docs + Stripe's API
error reference.
README.md: 'Cross-machine memory with GBrain sync' section near the
top (discovery moment), plus docs-table entry.
* chore: bump version and changelog (v1.7.0.0)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* chore: regenerate SKILL.md files for gbrain-sync preamble block
Re-runs bun run gen:skill-docs after adding generateBrainSyncBlock
to scripts/resolvers/preamble.ts in a2aa8a07. CI check-freshness
caught the drift. All 36 SKILL.md files regenerated with the new
skill-start bash block + privacy-gate prose + skill-end sync
instructions baked in.
* fix(test): session-awareness reads AskUserQuestion Format from a Tier 2+ SKILL.md
The test was reading ROOT/SKILL.md (browse skill, Tier 1) which never
contained '## AskUserQuestion Format' — that section is only emitted
for Tier 2+ skills by scripts/resolvers/preamble.ts. As a result the
agent was prompted with an empty format guide and only emitted
'RECOMMENDATION' intermittently, making the test flaky.
Pre-existing on main (same ROOT/SKILL.md shape there) — surfaced now
because the agent run didn't hit the RECOMMENDATION/recommend/option a
fallback strings in this particular attempt.
Fix: read from office-hours/SKILL.md (Tier 3, always has the section)
with a fallback that scans for the first top-level skill dir whose
SKILL.md contains the header. Future template moves won't break this
test again.
* chore: bump to v1.9.0.0 for gbrain-sync landing
Changes just the VERSION + package.json + CHANGELOG header (1.7.0.0 → 1.9.0.0
and date 2026-04-22 → 2026-04-23). No code changes. User call: land gbrain-sync
as a bigger-signal release above main's 1.6.4.0, skipping 1.8.0.0.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
197 lines
5.5 KiB
Bash
Executable File
197 lines
5.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# gstack-brain-consumer — manage the consumer (reader) registry.
|
|
#
|
|
# Consumer = a reader that ingests the gstack-brain git repo as a source of
|
|
# session memory. v1 primary consumer is GBrain; later versions can register
|
|
# Codex, OpenClaw, or third-party readers.
|
|
#
|
|
# NOTE ON NAMING: internally this helper uses "consumer" (correct data-model
|
|
# term). User-facing copy and the alias `gstack-brain-reader` use "reader"
|
|
# (matches user mental model: "what's reading my brain?").
|
|
#
|
|
# Usage:
|
|
# gstack-brain-consumer add <name> --ingest-url <url> --token <token>
|
|
# gstack-brain-consumer list
|
|
# gstack-brain-consumer remove <name>
|
|
# gstack-brain-consumer test <name>
|
|
#
|
|
# Env:
|
|
# GSTACK_HOME — override ~/.gstack
|
|
|
|
set -euo pipefail
|
|
|
|
GSTACK_HOME="${GSTACK_HOME:-$HOME/.gstack}"
|
|
CONSUMERS_FILE="$GSTACK_HOME/consumers.json"
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
CONFIG_BIN="$SCRIPT_DIR/gstack-config"
|
|
|
|
ensure_file() {
|
|
mkdir -p "$GSTACK_HOME"
|
|
if [ ! -f "$CONSUMERS_FILE" ]; then
|
|
echo '{"consumers": []}' > "$CONSUMERS_FILE"
|
|
fi
|
|
}
|
|
|
|
get_remote_url() {
|
|
git -C "$GSTACK_HOME" remote get-url origin 2>/dev/null || echo ""
|
|
}
|
|
|
|
sub_add() {
|
|
local name="" url="" token=""
|
|
local positional=""
|
|
while [ $# -gt 0 ]; do
|
|
case "$1" in
|
|
--ingest-url) url="$2"; shift 2 ;;
|
|
--token) token="$2"; shift 2 ;;
|
|
--) shift; break ;;
|
|
-*) echo "Unknown flag: $1" >&2; exit 1 ;;
|
|
*) positional="$1"; shift ;;
|
|
esac
|
|
done
|
|
name="$positional"
|
|
if [ -z "$name" ] || [ -z "$url" ]; then
|
|
echo "Usage: gstack-brain-consumer add <name> --ingest-url <url> [--token <token>]" >&2
|
|
exit 1
|
|
fi
|
|
ensure_file
|
|
# Upsert in consumers.json, store token in gstack-config under `<name>_token`.
|
|
python3 - "$CONSUMERS_FILE" "$name" "$url" <<'PYEOF'
|
|
import sys, json
|
|
path, name, url = sys.argv[1:4]
|
|
try:
|
|
with open(path) as f:
|
|
data = json.load(f)
|
|
except Exception:
|
|
data = {"consumers": []}
|
|
entry = {"name": name, "ingest_url": url, "status": "unknown", "token_ref": f"{name}_token"}
|
|
cs = data.setdefault("consumers", [])
|
|
for i, c in enumerate(cs):
|
|
if c.get("name") == name:
|
|
cs[i] = entry
|
|
break
|
|
else:
|
|
cs.append(entry)
|
|
with open(path, "w") as f:
|
|
json.dump(data, f, indent=2)
|
|
f.write("\n")
|
|
print(f"registered consumer: {name}")
|
|
PYEOF
|
|
if [ -n "$token" ]; then
|
|
"$CONFIG_BIN" set "${name}_token" "$token"
|
|
echo "token stored: gstack-config get ${name}_token to retrieve"
|
|
fi
|
|
# Attempt registration with remote (HTTP POST).
|
|
sub_test "$name"
|
|
}
|
|
|
|
sub_list() {
|
|
if [ ! -f "$CONSUMERS_FILE" ]; then
|
|
echo '{"consumers": []}'
|
|
return 0
|
|
fi
|
|
cat "$CONSUMERS_FILE"
|
|
}
|
|
|
|
sub_remove() {
|
|
local name="${1:-}"
|
|
if [ -z "$name" ]; then
|
|
echo "Usage: gstack-brain-consumer remove <name>" >&2
|
|
exit 1
|
|
fi
|
|
ensure_file
|
|
python3 - "$CONSUMERS_FILE" "$name" <<'PYEOF'
|
|
import sys, json
|
|
path, name = sys.argv[1:3]
|
|
try:
|
|
with open(path) as f:
|
|
data = json.load(f)
|
|
except Exception:
|
|
data = {"consumers": []}
|
|
before = len(data.get("consumers", []))
|
|
data["consumers"] = [c for c in data.get("consumers", []) if c.get("name") != name]
|
|
after = len(data["consumers"])
|
|
with open(path, "w") as f:
|
|
json.dump(data, f, indent=2)
|
|
f.write("\n")
|
|
print(f"removed: {before - after} entry(ies)")
|
|
PYEOF
|
|
}
|
|
|
|
sub_test() {
|
|
local name="${1:-}"
|
|
if [ -z "$name" ]; then
|
|
echo "Usage: gstack-brain-consumer test <name>" >&2
|
|
exit 1
|
|
fi
|
|
ensure_file
|
|
# Look up the consumer by name.
|
|
local info
|
|
info=$(python3 - "$CONSUMERS_FILE" "$name" <<'PYEOF'
|
|
import sys, json
|
|
path, name = sys.argv[1:3]
|
|
try:
|
|
with open(path) as f:
|
|
data = json.load(f)
|
|
except Exception:
|
|
data = {"consumers": []}
|
|
for c in data.get("consumers", []):
|
|
if c.get("name") == name:
|
|
print(c.get("ingest_url", ""))
|
|
sys.exit(0)
|
|
sys.exit(1)
|
|
PYEOF
|
|
) || { echo "No such consumer: $name" >&2; exit 1; }
|
|
|
|
local url="$info"
|
|
local token
|
|
token=$("$CONFIG_BIN" get "${name}_token" 2>/dev/null || echo "")
|
|
if [ -z "$url" ] || [ -z "$token" ]; then
|
|
echo "consumer '$name': url or token missing; cannot test"
|
|
return 0
|
|
fi
|
|
local repo_url
|
|
repo_url=$(get_remote_url)
|
|
echo "Testing $name at ${url%/}/ingest-repo ..."
|
|
local resp
|
|
resp=$(curl -sS -X POST "${url%/}/ingest-repo" \
|
|
-H "Authorization: Bearer $token" \
|
|
-H "Content-Type: application/json" \
|
|
--data "{\"repo_url\":\"$repo_url\"}" \
|
|
-w "\n%{http_code}" 2>&1 || echo -e "\ncurl-error")
|
|
local code
|
|
code=$(echo "$resp" | tail -1)
|
|
if [ "$code" = "200" ] || [ "$code" = "201" ] || [ "$code" = "204" ]; then
|
|
echo "ok (HTTP $code)"
|
|
# Update status in consumers.json.
|
|
python3 - "$CONSUMERS_FILE" "$name" "ok" <<'PYEOF'
|
|
import sys, json
|
|
path, name, status = sys.argv[1:4]
|
|
with open(path) as f: data = json.load(f)
|
|
for c in data.get("consumers", []):
|
|
if c.get("name") == name:
|
|
c["status"] = status
|
|
with open(path, "w") as f: json.dump(data, f, indent=2); f.write("\n")
|
|
PYEOF
|
|
else
|
|
echo "failed (HTTP $code)"
|
|
python3 - "$CONSUMERS_FILE" "$name" "error" <<'PYEOF'
|
|
import sys, json
|
|
path, name, status = sys.argv[1:4]
|
|
with open(path) as f: data = json.load(f)
|
|
for c in data.get("consumers", []):
|
|
if c.get("name") == name:
|
|
c["status"] = status
|
|
with open(path, "w") as f: json.dump(data, f, indent=2); f.write("\n")
|
|
PYEOF
|
|
fi
|
|
}
|
|
|
|
case "${1:-}" in
|
|
add) shift; sub_add "$@" ;;
|
|
list) sub_list ;;
|
|
remove) shift; sub_remove "$@" ;;
|
|
test) shift; sub_test "$@" ;;
|
|
--help|-h|"") sed -n '2,20p' "$0" | sed 's/^# \{0,1\}//' ;;
|
|
*) echo "Unknown subcommand: $1" >&2; exit 1 ;;
|
|
esac
|