feat: add vibe-core orchestration and CLI integration #77
Conversation
Add foundational utility module for vibe functionality: - HTTP fetch with timeout and retry logic - Exponential backoff for transient failures - URL validation and security checks - Verbose logging utilities - Error handling with error-causes This is the first module in the vibe command implementation, providing shared functionality for authentication, file handling, code generation, and publishing modules. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add authentication module for Vibecodr API access: - PKCE (Proof Key for Code Exchange) flow support - Token storage with secure file permissions - Automatic token refresh with configurable buffer - Windows permission remediation for credential files - Session state management Depends on: vibe-utils Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add file handling and prompt construction modules: vibe-files: - File validation with size and type checks - Bundle collection with glob patterns - Security filtering for sensitive files - HTML/JavaScript entry point detection vibe-prompt: - AI prompt template construction - Context aggregation for code generation - Structured prompt formatting Depends on: vibe-utils (paralleldrive#73) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add API discovery, code generation, and publishing modules: jiron-discovery: - API contract discovery from Jiron endpoints - Schema extraction and validation - Endpoint metadata collection vibe-generate: - AI-powered code generation - Template-based output formatting - Multi-file generation support vibe-publish: - Capsule packaging and upload - Authentication retry with token refresh - Progress tracking and error handling Depends on: vibe-utils (paralleldrive#73), vibe-auth (paralleldrive#74), vibe-prompt (paralleldrive#75) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add orchestration layer and CLI support for vibe command: vibe-core: - Main orchestration module coordinating all vibe operations - Authentication flow management - File collection and validation - Code generation and publishing pipeline CLI integration: - Add --vibe, --title, --prompt options to aidd CLI - Validation and error handling for vibe options - Help text and usage examples Also includes: - Windows permission remediation documentation - Updated cli-vibes reference implementation Depends on: paralleldrive#73, paralleldrive#74, paralleldrive#75, paralleldrive#76 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e8e63ecaf6
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // Can come from direct 429 response (err.status) or from exhausted retries (err.cause?.lastStatus) | ||
| const isRateLimited = | ||
| err.status === 429 || | ||
| (err.cause?.code === "FETCH_RETRY_EXHAUSTED" && | ||
| err.cause?.lastStatus === 429); |
There was a problem hiding this comment.
This rate‑limit branch only checks err.cause?.code === "FETCH_RETRY_EXHAUSTED", but fetchWithRetry throws the FETCH_RETRY_EXHAUSTED error directly (with lastStatus on the same error object). When retries are exhausted after repeated 429s, this condition never matches, so the error falls through as FILE_UPLOAD_ERROR instead of RATE_LIMITED and callers can’t back off. Consider checking err.code/err.lastStatus (or copying those fields into the cause) so exhausted 429s are classified correctly.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Summary
P2: Rate limit detection (VALIDATED - Not a bug)
The code at lines 369-370 is correct. The error-causes library places properties in err.cause, so checking err.cause?.code === "FETCH_RETRY_EXHAUSTED" and err.cause?.lastStatus === 429 is the proper way to detect rate limits from exhausted retries.
lib/vibe-publish.js
Outdated
| throw createError({ | ||
| ...PublishFailed, | ||
| message: `Publish failed: ${err.message}`, | ||
| cause: err, | ||
| title, |
There was a problem hiding this comment.
publishVibe wraps all errors into PUBLISH_FAILED without copying HTTP status/body. withAuthRetry relies on isAuthError(err) which checks the top‑level err.status/err.body, so if the API returns 401 (expired token) inside publishVibe, the status stays on the inner fetchJson error and the auth‑refresh retry won’t run. This makes token refresh unreliable for real expirations. Propagate status/body onto the outer error (or avoid wrapping auth errors) so isAuthError can detect 401s.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
P1: Auth status preservation (FIXED)
This was a confirmed bug. When publishVibe wrapped errors, the HTTP status was buried at err.cause.cause.status instead of being accessible at err.status, breaking isAuthError detection for 401s.
Fix applied to 4 locations:
- createCapsule (lib/vibe-publish.js:208)
- uploadFile (lib/vibe-publish.js:391)
- publishCapsule (lib/vibe-publish.js:491)
- publishVibe (lib/vibe-publish.js:743)
Each now preserves status and body on the wrapped error:
if (err.status !== undefined) wrappedErr.status = err.status;
if (err.body !== undefined) wrappedErr.body = err.body;
Test added: "preserves HTTP 401 status for isAuthError detection" in the partial failure scenarios.
Two security fixes for vibe-utils: 1. fetchWithTimeout - AbortSignal combination (P2) - Previously overwrote caller-provided signals with timeout signal - Now uses AbortSignal.any() to combine timeout and external signals - External cancellation (user abort) is now properly respected - Distinguishes timeout aborts from external aborts in error handling 2. isPathSafe - UNC path detection (P2) - Previously only checked for Unix and Windows drive letter absolute paths - UNC paths like \server\share bypassed validation - Now detects UNC paths (\\) as absolute paths and rejects them Both fixes include comprehensive test coverage. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Extends absolute path detection to catch single-backslash root-relative paths like \Windows\System32 which resolve to the current drive's root on Windows. Previous check only caught: - Unix absolute: /etc/passwd - Drive letter: C:\Windows - UNC paths: \server\share Now also catches: - Root-relative: \Windows\System32 - Any path starting with backslash TDD approach: tests written first (RED), then implementation (GREEN). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Error wrapping was losing HTTP status (like 401) making isAuthError detection fail. The fix ensures status and body are copied to the outer error in createCapsule, uploadFile, publishCapsule, and publishVibe. This allows withAuthRetry to properly detect 401 errors and trigger token refresh even when errors are wrapped. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SECURITY: Prevent credential exfiltration via malicious apiBase. The exchangeForVibecodrToken function now validates apiBase against trusted origins before sending the Clerk access token. A tampered apiBase (from CLI args, env vars, or config file) could have allowed an attacker to steal the access token. Changes: - Add validateApiBase call before token exchange - Add SecurityBlockError type for security validation failures - Ensure security errors propagate directly (not wrapped as AUTH_EXPIRED) - Add test for malicious apiBase rejection Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 participant
Summary
vibe-coreorchestration module coordinating all vibe operations--vibe,--title,--promptoptions into aidd CLIPR 5 of 5 - Vibe Command Implementation (FINAL)
Series:
Usage
After merging all PRs:
Test plan
🤖 Generated with Claude Code