aristo-cli 0.2.1

Aristo CLI binary (the `aristo` command).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310

//! `aristo init` — bootstrap a project for Aristo.
//!
//! Creates the four state files (`aristo.toml`, `.aristo/index.toml`,
//! `.aristo/specs/`, `.aristo/doc/`) and installs the pre-commit hook
//! (when `.git/hooks/` exists). CI workflows are opt-in: `--ci` writes the
//! lite PR gate, `--ci-verify` also writes the nightly verify workflow.
//!
//! Per `docs/diagrams/02-state-map.mmd` `w_init`, this is the only writer
//! of the index file's initial empty state — every read command can
//! safely assume `.aristo/index.toml` exists once `aristo init` has run.

use std::collections::BTreeMap;
use std::fs;
use std::path::Path;

use aristo_core::config::ConfigFile;
use aristo_core::index::{IndexFile, Meta};

use crate::{CliError, CliResult};

/// The shipped pre-commit hook (slice 21).
///
/// Runs three steps in order:
///
/// 1. `aristo stamp` — refresh `.aristo/index.toml` against
///    currently-staged source.
/// 2. `aristo doc` — regenerate `.aristo/doc/<id>.md` files so they
///    stay in sync with the index (CI's `doc --check` gate fails
///    without this step on every annotation-text edit).
/// 3. `aristo lint --check` — fail-fast on annotation quality
///    issues. Mirrors J6's default `pre_commit = "check"` mode.
///
/// `aristo` must be on `PATH` for the hook to execute — `cargo install
/// aristo-cli` satisfies this for end users. The hook echoes each command
/// to stderr before running so commit-time output makes the gate
/// visible in the user's terminal.
///
/// The `-e` shell option propagates any non-zero exit from `stamp`,
/// `doc`, or `lint --check` as the hook's exit code, which aborts the
/// commit.
const PRE_COMMIT_HOOK: &str = "\
#!/usr/bin/env bash
# Aristo pre-commit hook. Installed by `aristo init`.
# Refreshes .aristo/index.toml + .aristo/doc/<id>.md files, then runs
# lint --check on the index. Non-zero exit aborts the commit.
set -e

echo \"-> aristo stamp\" >&2
aristo stamp >&2

echo \"-> aristo doc\" >&2
aristo doc >&2

echo \"-> aristo lint --check\" >&2
aristo lint --check >&2
";

const GH_WORKFLOW_STARTER: &str = "\
# Aristo lite PR gate (starter; edit freely). Generated by `aristo init --ci`.
#
# Runs the cheap, local annotation checks — stamp/lint/doc --check — via the
# shared aristo-action. No token needed; runs entirely on the runner.
#
# Heavy canon verification (`aristo verify`) is a separate workflow: run
# `aristo init --ci-verify` to also generate aristo-verify.yml.
name: aristo
on: [push, pull_request]
jobs:
  aristo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aretta-ai/aristo-action@v1
        with:
          checks: stamp, lint, doc
";

const GH_VERIFY_WORKFLOW: &str = "\
# Aristo heavy verification (starter; edit freely).
# Generated by `aristo init --ci-verify`.
#
# Runs `aristo verify` (server-side canon conformance) for the bound
# annotations in .aristo/index.toml. Manual + nightly.
#
# Setup: add a repository secret ARETTA_TOKEN (your arta_* token; paid tier).
# NOT on pull_request — verify needs the checked-out commit pushed to origin.
name: aristo verify
on:
  workflow_dispatch:
  schedule:
    - cron: '0 7 * * *' # nightly at 07:00 UTC
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aretta-ai/aristo-action@v1
        with:
          checks: verify
          aretta-token: ${{ secrets.ARETTA_TOKEN }}
";

#[aristo::intent(
    "A second invocation never errors and never overwrites existing \
     files. Each pre-existing artifact is noted; only missing ones get \
     created.",
    verify = "test",
    id = "init_is_idempotent"
)]
pub(crate) fn run(_force: bool, ci: bool, ci_verify: bool) -> CliResult<()> {
    let cwd = std::env::current_dir()?;
    let mut any_change = false;

    // 1. aristo.toml at the workspace root.
    create_or_note_file(
        &cwd.join("aristo.toml"),
        "aristo.toml",
        serialize_default_config,
        &mut any_change,
    )?;

    // 2. .aristo/ directory must exist before its children.
    let aristo_dir = cwd.join(".aristo");
    fs::create_dir_all(&aristo_dir)?;

    // 3. .aristo/index.toml — meta-only header, zero entries.
    create_or_note_file_custom_msg(
        &aristo_dir.join("index.toml"),
        "ok: created .aristo/index.toml (empty; 0 annotations)",
        "note: .aristo/index.toml already exists — leaving as-is.",
        serialize_initial_index,
        &mut any_change,
    )?;

    // 4. .aristo/specs/
    create_or_note_dir(&aristo_dir.join("specs"), ".aristo/specs/", &mut any_change)?;

    // 5. .aristo/doc/
    create_or_note_dir(&aristo_dir.join("doc"), ".aristo/doc/", &mut any_change)?;

    // 6. .git/hooks/pre-commit — only when this is a git repo. We don't
    //    create .git/ ourselves; users who don't use git get a clean
    //    skip with no diagnostic noise.
    let hook_dir = cwd.join(".git").join("hooks");
    if hook_dir.is_dir() {
        let hook_path = hook_dir.join("pre-commit");
        if hook_path.exists() {
            println!("note: pre-commit hook already installed.");
        } else {
            fs::write(&hook_path, PRE_COMMIT_HOOK)?;
            make_executable(&hook_path)?;
            println!("ok: installed pre-commit hook (.git/hooks/pre-commit)");
            any_change = true;
        }
    }

    // 7. CI workflows — opt-in. `--ci` writes the lite PR gate; `--ci-verify`
    //    additionally writes the nightly/manual verify workflow (and implies
    //    the lite gate). Default `init` writes nothing under .github/.
    let workflows_dir = cwd.join(".github").join("workflows");
    if ci || ci_verify {
        create_or_note_file_custom_msg(
            &workflows_dir.join("aristo.yml"),
            "ok: wrote .github/workflows/aristo.yml (lite PR gate; edit freely)",
            "note: .github/workflows/aristo.yml already exists.",
            || Ok(GH_WORKFLOW_STARTER.to_string()),
            &mut any_change,
        )?;
    }
    if ci_verify {
        create_or_note_file_custom_msg(
            &workflows_dir.join("aristo-verify.yml"),
            "ok: wrote .github/workflows/aristo-verify.yml (heavy verify; needs ARETTA_TOKEN secret; edit freely)",
            "note: .github/workflows/aristo-verify.yml already exists.",
            || Ok(GH_VERIFY_WORKFLOW.to_string()),
            &mut any_change,
        )?;
        print_verify_token_help(&cwd);
    }

    if !any_change {
        println!("ok: nothing to do.");
    }

    Ok(())
}

fn create_or_note_file<F>(
    path: &Path,
    label: &str,
    content_fn: F,
    any_change: &mut bool,
) -> CliResult<()>
where
    F: FnOnce() -> CliResult<String>,
{
    create_or_note_file_custom_msg(
        path,
        &format!("ok: created {label}"),
        &format!("note: {label} already exists — leaving as-is."),
        content_fn,
        any_change,
    )
}

fn create_or_note_file_custom_msg<F>(
    path: &Path,
    created_msg: &str,
    exists_msg: &str,
    content_fn: F,
    any_change: &mut bool,
) -> CliResult<()>
where
    F: FnOnce() -> CliResult<String>,
{
    if path.exists() {
        println!("{exists_msg}");
    } else {
        let content = content_fn()?;
        if let Some(parent) = path.parent() {
            fs::create_dir_all(parent)?;
        }
        fs::write(path, content)?;
        println!("{created_msg}");
        *any_change = true;
    }
    Ok(())
}

fn create_or_note_dir(path: &Path, label: &str, any_change: &mut bool) -> CliResult<()> {
    if path.exists() {
        println!("note: {label} already exists.");
    } else {
        fs::create_dir(path)?;
        println!("ok: created {label}");
        *any_change = true;
    }
    Ok(())
}

/// After `--ci-verify` writes the verify workflow, point the user at the exact
/// GitHub secrets page + how to grab their token. The workflow is inert until
/// `ARETTA_TOKEN` is set, so this guidance is the difference between "wrote a
/// file" and "actually set up".
fn print_verify_token_help(cwd: &Path) {
    println!();
    println!("Next — the verify workflow needs an ARETTA_TOKEN secret on this repo:");
    match aristo_core::auth::derive_repo_full_name(cwd) {
        Ok(repo) => println!(
            "  1. Add the secret: https://github.com/{repo}/settings/secrets/actions/new  (name: ARETTA_TOKEN)"
        ),
        Err(_) => println!(
            "  1. Add the secret under Settings -> Secrets and variables -> Actions -> New repository secret  (name: ARETTA_TOKEN)"
        ),
    }
    println!(
        "  2. Token value:    `aristo auth token` prints yours — pipe to your clipboard, e.g. `aristo auth token | pbcopy`"
    );
    println!("                     ...or `aristo auth login` to mint a new one.");
}

fn serialize_default_config() -> CliResult<String> {
    let cfg = ConfigFile::default();
    toml::to_string_pretty(&cfg).map_err(|e| {
        CliError::Io(std::io::Error::other(format!(
            "serializing aristo.toml: {e}"
        )))
    })
}

fn serialize_initial_index() -> CliResult<String> {
    let index = IndexFile {
        meta: Meta {
            schema_version: 1,
            generated_by: Some(format!("aristo init {}", env!("CARGO_PKG_VERSION"))),
            generated_at: Some(now_rfc3339()),
            source_root: None,
        },
        entries: BTreeMap::new(),
    };
    toml::to_string_pretty(&index).map_err(|e| {
        CliError::Io(std::io::Error::other(format!(
            "serializing .aristo/index.toml: {e}"
        )))
    })
}

fn now_rfc3339() -> String {
    use time::format_description::well_known::Rfc3339;
    use time::OffsetDateTime;
    OffsetDateTime::now_utc()
        .format(&Rfc3339)
        .unwrap_or_else(|_| "1970-01-01T00:00:00Z".to_string())
}

#[cfg(unix)]
fn make_executable(path: &Path) -> CliResult<()> {
    use std::os::unix::fs::PermissionsExt;
    let mut perms = fs::metadata(path)?.permissions();
    perms.set_mode(0o755);
    fs::set_permissions(path, perms)?;
    Ok(())
}

#[cfg(not(unix))]
fn make_executable(_path: &Path) -> CliResult<()> {
    // Windows + non-unix: hook execution semantics differ; skipping the
    // permission bit is harmless. Cross-platform hook portability is post-MVP.
    Ok(())
}