6 Commits

Author SHA1 Message Date
cyph3rasi 58fcbd5fe2 Harden Windows installer release discovery 2026-07-12 02:00:25 +00:00
Hop 74ba06de91 Publish only user prompts with their own proposal outcomes
Hop-State: A_06FN72NMB1DRV5SV2T6YWPR
Hop-Proposal: R_06FN72K60164AV77NA2QP5G
Hop-Task: T_06FN6ZVNS25H7V4BRG743PG
Hop-Attempt: AT_06FN6ZVNS0W32KK9YQCRG88
2026-07-11 16:37:06 -07:00
Hop 074e849d84 Publish Hop's portable prompt record history with the repository
Hop-State: A_06FN6Y387QJN3F2MET3MACG
Hop-Proposal: R_06FN6Y1C6P8WK8AEVGGZHQ0
Hop-Task: T_06FN6XEKNY7YGPFTHZE3DM0
Hop-Attempt: AT_06FN6XEKNZMZE18CGY1Z2Y0
2026-07-11 16:17:07 -07:00
Hop e5bb6a5600 Fix portable prompt record export command routing
Hop-State: A_06FN6WBVEZC485TNKJEW7T0
Hop-Proposal: R_06FN6WAJ8346WS9XJEJY32R
Hop-Task: T_06FN6VQSN9Z7GEWHBVEFAJG
Hop-Attempt: AT_06FN6VQSN9TK8EEXTFR77ZG
2026-07-11 16:09:33 -07:00
Hop a74f420307 Publish immutable portable prompt records without exposing Hop runtime files
Hop-State: A_06FN6TVSHKAXPT37Z25BN38
Hop-Proposal: R_06FN6TSP5HXV3S320BV6TN8
Hop-Task: T_06FN6RMF4VPW419BR2ZD9Q0
Hop-Attempt: AT_06FN6RMF4V18KAM05RFZ8ER
2026-07-11 16:03:00 -07:00
Hop 853acec229 Require user-provisioned release credentials
Hop-State: A_06FN6KM758JV6S44F6CA6W0
Hop-Proposal: R_06FN6KJWAY5XWVMCVQHCXKR
Hop-Task: T_06FN6GZKFMRV2HP5N7XMNSR
Hop-Attempt: AT_06FN6GZKFP22ZCFRXGB7V00
2026-07-11 15:31:23 -07:00
36 changed files with 818 additions and 123 deletions
+5 -1
View File
@@ -1,7 +1,11 @@
.DS_Store
# Hop's local state and isolated workspaces.
/.hop/
# Hop's database and disposable workspaces stay local. Its immutable prompt
# records are intentionally versioned with the repository.
/.hop/*
!/.hop/records/
!/.hop/records/**
# Local build and verification artifacts.
/hop
@@ -0,0 +1,16 @@
{
"id": "P_06FN3MBF9ABQ6NTST1B7GZ0",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN3MBF9ABQ6NTST1B7GZ0",
"prompt": "what? wtf? i need it in the right folder how do i do that",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T15:35:07.850559Z",
"metadata": {
"source_tree": "012d4872472b5c8621c6ef3cedd50509e09e7aa6",
"git_commit": "a70773826f67e30e57b7c0a0419e3b601674632f",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN4EVBXYRV3MQJE7FXJ9R",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN4EVBXYRV3MQJE7FXJ9R",
"prompt": "so.. i can have multiple agents working on the same codebase at the same time and it should be fine?",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T17:30:53.807892Z",
"metadata": {
"source_tree": "22e1b6bfde927afbe0622a552cfe6703fed85f3f",
"git_commit": "dcad0b49f3e5cde9cffd3ea23f50088e6ba4c617",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN4K2V1S84CQ0XFJDQRQG",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN4K2V1S84CQ0XFJDQRQG",
"prompt": "hop is broken. \"I updated the reference to v=3, but Hop blocked landing because another recent task also changed hop-home.css, creating an overlap. That stylesheet conflict needs to be resolved before I can safely apply the cache-busting fix.\" this is fucking horse shit. the agent should intelligently resolve the conflict",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T17:49:23.598284Z",
"metadata": {
"source_tree": "22e1b6bfde927afbe0622a552cfe6703fed85f3f",
"git_commit": "94d2ac053cd45d514d586764836ee46eb26c2af2",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN4ZBB60PW23320GTM4T8",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN4ZBB60PW23320GTM4T8",
"prompt": "now i want to publish this as a real product people can use. how will people install it? by cloning a git repo and running some commands? can you update the readme with clear installation/getting started instructions, and create the wiki pages as well",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T18:42:58.992885Z",
"metadata": {
"source_tree": "8e3074490c46530db90e20242bd16000aee239d0",
"git_commit": "56fe10e4deb1d42626d0a5dfc4f1446987338019",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN4ZY663SBZ8CDXP9YPF8",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN4ZY663SBZ8CDXP9YPF8",
"prompt": "wait? should we create a packaged release? HELLO IM ASKING YOU WHATS THE BEST IMPLEMENTATION FOR A POLISHED PRODUCT NOT TO JUST WORK WITH HOWEVER IT IS NOW JSUT BECAUSE",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T18:45:33.360226Z",
"metadata": {
"source_tree": "8e3074490c46530db90e20242bd16000aee239d0",
"git_commit": "422e59ec24e57ddb0d3df46199c4f16bf428371e",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN5172P0R8W5XZ1CHK8N0",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN5172P0R8W5XZ1CHK8N0",
"prompt": "i wont be hosting this on github, ill be hosting it on githop.xyz which is a custom gitea. the site isnt live yet but its done",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T18:51:08.33613Z",
"metadata": {
"source_tree": "7879aa3466a9b33dcebbe8c1c9873334976577e5",
"git_commit": "f434be463cc2940449970408924e653161dc9ac8",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN572J3TK7PBAZVM7HSVG",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN572J3TK7PBAZVM7HSVG",
"prompt": "can you publish it under GnosysLabsLLC/Hop .. i have added my SSH key to githop so you should be able to",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T19:16:44.190798Z",
"metadata": {
"source_tree": "a91a4bd37315fa30673005970ce750755e9582be",
"git_commit": "e13e291812530b2dee72d0caec1e5974a87fbf47",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN57YDR2V5WBGFMNBYN48",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN57YDR2V5WBGFMNBYN48",
"prompt": "sorry actually its https://githop.xyz/org/GnosysLabs/Hop",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T19:20:32.448864Z",
"metadata": {
"source_tree": "a91a4bd37315fa30673005970ce750755e9582be",
"git_commit": "020f15acdb2ae92f5fb80e431485a6ff8ea8025a",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN58K0XX5MSYB34619NX0",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN58K0XX5MSYB34619NX0",
"prompt": "i turned off the proxy? does that make it work",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T19:23:21.19964Z",
"metadata": {
"source_tree": "a91a4bd37315fa30673005970ce750755e9582be",
"git_commit": "ad1055c4f4e79f0a0efa9e39c2d6dd8ca5c1b219",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN58Y686QH957QKXDC820",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN58Y686QH957QKXDC820",
"prompt": "why would you have to put port 22? thats not how it works with github. wtf?",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T19:24:52.673537Z",
"metadata": {
"source_tree": "a91a4bd37315fa30673005970ce750755e9582be",
"git_commit": "092fec93f02614e919b8a75392044f86703d2293",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN596K5H32W6J8X4NNS4R",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN596K5H32W6J8X4NNS4R",
"prompt": "no thats gucking dumb i want it to work with the base url? so wtf do i need to do? go into the vps and make it fucking work",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T19:26:01.516159Z",
"metadata": {
"source_tree": "a91a4bd37315fa30673005970ce750755e9582be",
"git_commit": "c88206ebec78fd2abff1b971188a520ba39dedfa",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN5E0MF7G4PQ12VZTMB9G",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN5E0MF7G4PQ12VZTMB9G",
"prompt": "idk what this is, im going to disable the actions thing on our instance we dont have the server resources for i\n\nAttachment: /var/folders/58/b6yn15tx3jb7_6lw9m67f89m0000gn/T/TemporaryItems/NSIRD_screencaptureui_4Rixx8/Screenshot 2026-07-11 at 12.45.33PM.png",
"agent_name": "codex",
"status": "completed",
"created_at": "2026-07-11T19:47:03.417913Z",
"metadata": {
"source_tree": "52869fbc4277ef5d2db2794c6d7867d6c23c423c",
"git_commit": "c77bf19172e2fed26b577183282c27ce341c80d4",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
File diff suppressed because one or more lines are too long
@@ -0,0 +1,17 @@
{
"id": "P_06FN5JNW8825596P3JQACJG",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN5J8NBKM5ES4ZMD5Y1CR",
"state_id": "P_06FN5JNW8825596P3JQACJG",
"prompt": "\"Hop correctly detected that this long-running tasks original workspace was based on an older accepted tree. It has created a reconciliation workspace; Im preserving the current product code and applying only the README/wiki cleanup there, then Ill revalidate and land it automatically.\" WHY DOES THIS HAPPEN WITH EVERY SINGLE FUCKING REQUEST?",
"agent_name": "codex",
"status": "accepted",
"response_summary": "Reconcile concise README with current accepted product",
"created_at": "2026-07-11T20:07:26.01873Z",
"metadata": {
"source_tree": "2c8e849cbf49c422470f5857fda59a1aaf9ac2eb",
"git_commit": "240d7927e029adfc01c0a83622a8720963a3cbec",
"attempt_head": "R_06FN5JXX64P7BMT8Q98HHE8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,17 @@
{
"id": "P_06FN5M2868H466RPTMYQ3B0",
"task_id": "T_06FN3MBF98GWD4NA5PA1RWG",
"attempt_id": "AT_06FN3MBF98FBDSE1BZDP5DG",
"state_id": "P_06FN5M2868H466RPTMYQ3B0",
"prompt": "ok please fix it",
"agent_name": "codex",
"status": "completed",
"response_summary": "Roll completed agent sessions onto the latest accepted state",
"created_at": "2026-07-11T20:13:29.522241Z",
"metadata": {
"source_tree": "4dae249394e559de9d1d86b76b5bcb1b551cc109",
"git_commit": "4e5aa7120134cb7a017685e50c3ec8d1534ad816",
"attempt_head": "R_06FN5TJRZC3APECRM9VM2A8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,17 @@
{
"id": "P_06FN63779989R5PFV1QF8TR",
"task_id": "T_06FN637799RW5Q7WH9H6PJR",
"attempt_id": "AT_06FN63779BJRBK1VFQ94GRR",
"state_id": "P_06FN63779989R5PFV1QF8TR",
"prompt": "does our installer install the skill in .agents so it works with any agent? and, why is the readme so specific to codex? it should work with any agent",
"agent_name": "codex",
"status": "accepted",
"response_summary": "Install portable agent-neutral Hop skill and documentation",
"created_at": "2026-07-11T21:19:42.41027Z",
"metadata": {
"source_tree": "fcc3f3c78f5bbf6fae43651a99019e833bd88530",
"git_commit": "2f00b2dd3f8bc5e4c261563a9ac063d1716f0d47",
"attempt_head": "R_06FN69VET1STZNKPWK913K8",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,17 @@
{
"id": "P_06FN6BNGRJKMV6THWMBFVM8",
"task_id": "T_06FN6BNGRHYXR3WCQBDNVNR",
"attempt_id": "AT_06FN6BNGRKX5FS7MJ6VN8Z8",
"state_id": "P_06FN6BNGRJKMV6THWMBFVM8",
"prompt": "we will do MIT license, and, do I just post the token here or what?",
"agent_name": "codex",
"status": "accepted",
"response_summary": "License Hop under MIT",
"created_at": "2026-07-11T21:56:36.676853Z",
"metadata": {
"source_tree": "8423d5eeffbb7d7e3b416139417c06a552beca7d",
"git_commit": "68d8bf2f7d4e064ba21fb6dcd4fb72b01fd8722f",
"attempt_head": "R_06FN6C531M6TX6KCGEMG4E0",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,17 @@
{
"id": "P_06FN6CFVXS0Q22MHZRR17PR",
"task_id": "T_06FN6CFVXVVAP1KZAJ2X62R",
"attempt_id": "AT_06FN6CFVXTRZ8ZDG28QR5Z0",
"state_id": "P_06FN6CFVXS0Q22MHZRR17PR",
"prompt": "before we do that, i think we should set up hop to push after every commit, my logic is taking the most steps out of the users need to do manually as possible, so having it auto push would alliviate manual work",
"agent_name": "codex",
"status": "accepted",
"response_summary": "Automatically push every accepted Hop transition",
"created_at": "2026-07-11T22:00:12.526502Z",
"metadata": {
"source_tree": "996e9d600f0b31af0db77ff6794370758544a417",
"git_commit": "9a3a6d152b93df531cc21753e5564045db4b75b2",
"attempt_head": "R_06FN6FDTK9G17RXFFT82ZYR",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,16 @@
{
"id": "P_06FN6GZKFM9KAYSX7A6TXP8",
"task_id": "T_06FN6GZKFMRV2HP5N7XMNSR",
"attempt_id": "AT_06FN6GZKFP22ZCFRXGB7V00",
"state_id": "P_06FN6GZKFM9KAYSX7A6TXP8",
"prompt": "lets finish what we were doing then investigate that, i have added the key to the keychain",
"agent_name": "codex",
"status": "accepted",
"created_at": "2026-07-11T22:19:50.013492Z",
"metadata": {
"source_tree": "3b5d48444b5e5290839774d383a7498d0190e708",
"git_commit": "7139b9e1a7e52e8748c130dc366472c9f10cb04e",
"attempt_head": "R_06FN6KJWAY5XWVMCVQHCXKR",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,17 @@
{
"id": "P_06FN6JQ4DBZHXABYYCA61E8",
"task_id": "T_06FN6GZKFMRV2HP5N7XMNSR",
"attempt_id": "AT_06FN6GZKFP22ZCFRXGB7V00",
"state_id": "P_06FN6JQ4DBZHXABYYCA61E8",
"prompt": "why is it creating tokens? is there something in hop encouraging that behavior? i dont like that",
"agent_name": "codex",
"status": "accepted",
"response_summary": "Require user-provisioned release credentials",
"created_at": "2026-07-11T22:27:24.906795Z",
"metadata": {
"source_tree": "3b5d48444b5e5290839774d383a7498d0190e708",
"git_commit": "531775df8be5e87e57832473fc6a7ad8342b9b91",
"attempt_head": "R_06FN6KJWAY5XWVMCVQHCXKR",
"attempt_head_kind": "proposal"
}
}
@@ -0,0 +1,17 @@
{
"id": "P_06FN72497T1AVJAQC7X7860",
"task_id": "T_06FN6ZVNS25H7V4BRG743PG",
"attempt_id": "AT_06FN6ZVNS0W32KK9YQCRG88",
"state_id": "P_06FN72497T1AVJAQC7X7860",
"prompt": "we dont need to show internal agent instructions at all. also why do all the agent responses say \"Roll completed agent sessions onto the latest accepted state\"",
"agent_name": "codex",
"status": "proposed",
"response_summary": "Publish only user prompts with their own proposal outcomes",
"created_at": "2026-07-11T23:34:44.798223Z",
"metadata": {
"source_tree": "a7f12a311a193987f0691cd61e7d7efd313a61d0",
"git_commit": "61fef5fbb2288dfeb5fc02675644f2780b9305d4",
"attempt_head": "C_06FN72ADQRWFSQ8TP9Q9SY0",
"attempt_head_kind": "checkpoint"
}
}
+10
View File
@@ -0,0 +1,10 @@
{
"prompt_ids": [
"P_06FN3SFFTFGNMTA6219GNX0",
"P_06FN5WHD61PV5ZABVFXDXS8",
"P_06FN6RMF4VH728C9Q6GTQNR",
"P_06FN6VQSN9P8R8NGASJQG7R",
"P_06FN6XEKNYR6BP9GQF78MVG",
"P_06FN6ZVNS3EYMSG7D7J17E8"
]
}
+24
View File
@@ -8,6 +8,7 @@ import (
"fmt"
"io"
"os"
"path/filepath"
"runtime/debug"
"strings"
)
@@ -24,6 +25,7 @@ Usage:
hop accept STATE [-- COMMAND [ARG...]]
hop land STATE [-- COMMAND [ARG...]]
hop refresh PROPOSAL
hop export [--output PATH]
hop sync
hop push
hop status
@@ -213,6 +215,28 @@ func RunCLIWithInput(args []string, stdin io.Reader, stdout, stderr io.Writer) i
fmt.Fprintf(stdout, "Created checkpoint %s · tree %s\n", state.ID, shortHash(state.SourceTree))
}
case "export":
fs := flag.NewFlagSet("export", flag.ContinueOnError)
fs.SetOutput(stderr)
output := fs.String("output", "", "write the portable prompt ledger beneath this directory")
if err := fs.Parse(commandArgs); err != nil || len(fs.Args()) != 0 {
if err == nil {
fmt.Fprintln(stderr, "usage: hop export [--output PATH]")
}
return 2
}
ledger, err := service.ExportPromptLedger(ctx, *output)
if err != nil {
return printCLIError(err, jsonOutput, stdout, stderr)
}
value = ledger
if !jsonOutput {
root := *output
if root == "" {
root = service.Root
}
fmt.Fprintf(stdout, "Exported %d prompt records to %s\n", len(ledger.Prompts), filepath.Join(root, ".hop", "records", "prompts"))
}
case "check":
stateID, argv, ok := splitCommand(commandArgs)
if !ok {
+22
View File
@@ -83,3 +83,25 @@ func TestDistributionDoesNotRequireGiteaActions(t *testing.T) {
t.Fatal("release checklist still depends on a Gitea Actions workflow")
}
}
func TestReleaseWorkflowRequiresPreProvisionedCredential(t *testing.T) {
root := filepath.Clean(filepath.Join("..", ".."))
script, err := os.ReadFile(filepath.Join(root, "scripts", "release-local.sh"))
if err != nil {
t.Fatal(err)
}
if !strings.Contains(string(script), "pre-existing scoped GITEA_TOKEN") {
t.Fatal("release script does not require a pre-provisioned credential")
}
if strings.Contains(string(script), "/tokens") {
t.Fatal("release script must not manage provider tokens")
}
checklist, err := os.ReadFile(filepath.Join(root, "wiki", "Release-Checklist.md"))
if err != nil {
t.Fatal(err)
}
if !strings.Contains(string(checklist), "must never create, rotate, list,") ||
!strings.Contains(string(checklist), "or revoke account tokens") {
t.Fatal("release checklist does not forbid agent token management")
}
}
+19 -18
View File
@@ -5,7 +5,6 @@ import (
"context"
"errors"
"fmt"
"io"
"os"
"os/exec"
"path/filepath"
@@ -110,8 +109,8 @@ func EnsureRepository(path string) (*Repository, error) {
return NewGitStore().Ensure(context.Background(), path)
}
// OpenRepository opens the repository containing path and adds .hop/ to its
// per-repository exclude file.
// OpenRepository opens the repository containing path and keeps Hop's local
// runtime private while leaving its portable record ledger versionable.
func OpenRepository(path string) (*Repository, error) {
return NewGitStore().Open(context.Background(), path)
}
@@ -255,8 +254,9 @@ func (r *Repository) GitDir() string { return r.gitDir }
// worktrees.
func (r *Repository) CommonGitDir() string { return r.commonGitDir }
// EnsureHopExcluded adds .hop/ to .git/info/exclude without changing tracked
// files or the repository's public .gitignore.
// EnsureHopExcluded keeps the SQLite cache and disposable workspaces private
// without excluding .hop/records. The records directory is intentionally
// versionable so a repository can carry Hop's portable causal history.
func (r *Repository) EnsureHopExcluded() error {
infoDir := filepath.Join(r.commonGitDir, "info")
if err := os.MkdirAll(infoDir, 0o755); err != nil {
@@ -267,26 +267,27 @@ func (r *Repository) EnsureHopExcluded() error {
if err != nil && !errors.Is(err, os.ErrNotExist) {
return fmt.Errorf("read Git exclude file: %w", err)
}
lines := make([]string, 0)
for _, line := range strings.Split(string(contents), "\n") {
if strings.TrimSuffix(line, "\r") == ".hop/" {
return nil
continue // Migrate the legacy blanket exclusion.
}
lines = append(lines, line)
}
file, err := os.OpenFile(excludePath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o644)
if err != nil {
return fmt.Errorf("open Git exclude file: %w", err)
}
defer file.Close()
if len(contents) > 0 && contents[len(contents)-1] != '\n' {
if _, err := io.WriteString(file, "\n"); err != nil {
return fmt.Errorf("complete Git exclude line: %w", err)
updated := strings.Join(lines, "\n")
if !strings.Contains(updated, ".hop/*\n") {
if updated != "" && !strings.HasSuffix(updated, "\n") {
updated += "\n"
}
updated += "# Hop local runtime; .hop/records is intentionally versioned.\n.hop/*\n!.hop/records/\n!.hop/records/**\n"
}
if _, err := io.WriteString(file, ".hop/\n"); err != nil {
return fmt.Errorf("exclude .hop directory: %w", err)
if updated == string(contents) {
return nil
}
return file.Sync()
if err := os.WriteFile(excludePath, []byte(updated), 0o644); err != nil {
return fmt.Errorf("write Git exclude file: %w", err)
}
return nil
}
// Head returns the current HEAD commit. exists is false for an unborn branch.
+220
View File
@@ -0,0 +1,220 @@
package hop
import (
"context"
"encoding/json"
"fmt"
"os"
"path/filepath"
"strings"
"time"
)
// PortablePromptLedger is the versioned, repository-safe subset of Hop's
// local state. It deliberately excludes SQLite, workspace paths, check output,
// and every other machine-local runtime detail.
type PortablePromptLedger struct {
SchemaVersion int `json:"schema_version"`
GeneratedAt time.Time `json:"generated_at"`
Prompts []PortablePromptRecord `json:"prompts"`
}
type PortablePromptRecord struct {
ID string `json:"id"`
TaskID string `json:"task_id,omitempty"`
AttemptID string `json:"attempt_id,omitempty"`
StateID string `json:"state_id"`
Prompt string `json:"prompt"`
AgentName string `json:"agent_name,omitempty"`
Status string `json:"status"`
ResponseSummary string `json:"response_summary,omitempty"`
CreatedAt time.Time `json:"created_at"`
CompletedAt *time.Time `json:"completed_at,omitempty"`
Metadata PortablePromptMetadata `json:"metadata"`
}
type PortablePromptMetadata struct {
SourceTree string `json:"source_tree"`
GitCommit string `json:"git_commit"`
AttemptHead string `json:"attempt_head,omitempty"`
AttemptHeadKind string `json:"attempt_head_kind,omitempty"`
}
type promptExportOptions struct {
AttemptIDs []string
PublishableOnly bool
Status string
ResponseSummary string
Overwrite bool
}
type suppressedPromptManifest struct {
PromptIDs []string `json:"prompt_ids"`
}
// ExportPromptLedger writes immutable prompt files beneath
// .hop/records/prompts. Passing attemptIDs restricts the export to those
// attempts, which keeps concurrent proposals from writing the same files.
func (s *Service) ExportPromptLedger(ctx context.Context, destinationRoot string, attemptIDs ...string) (PortablePromptLedger, error) {
return s.exportPromptLedger(ctx, destinationRoot, promptExportOptions{AttemptIDs: attemptIDs, PublishableOnly: true})
}
func (s *Service) exportPromptLedger(ctx context.Context, destinationRoot string, options promptExportOptions) (PortablePromptLedger, error) {
if destinationRoot == "" {
destinationRoot = s.Root
}
graph, err := s.Store.Graph(ctx, "")
if err != nil {
return PortablePromptLedger{}, err
}
suppressed, err := loadSuppressedPromptIDs(destinationRoot)
if err != nil {
return PortablePromptLedger{}, err
}
ledger := PortablePromptLedger{
SchemaVersion: 1,
GeneratedAt: time.Now().UTC(),
Prompts: make([]PortablePromptRecord, 0),
}
wantedAttempts := make(map[string]struct{}, len(options.AttemptIDs))
for _, attemptID := range options.AttemptIDs {
wantedAttempts[attemptID] = struct{}{}
}
lastPromptByAttempt := make(map[string]string)
for _, row := range graph {
if row.State.Kind == StatePrompt && row.State.Prompt != "" && row.State.AttemptID != "" {
lastPromptByAttempt[row.State.AttemptID] = row.State.ID
}
}
for _, row := range graph {
state := row.State
if state.Kind != StatePrompt || state.Prompt == "" {
continue
}
if _, hidden := suppressed[state.ID]; hidden {
continue
}
if _, reconciliation := decodeReconciliationConflicts(state.Summary); reconciliation || strings.HasPrefix(state.Prompt, "Resolve proposal ") {
continue
}
if len(wantedAttempts) > 0 {
if _, wanted := wantedAttempts[state.AttemptID]; !wanted {
continue
}
}
if state.AttemptID == "" {
continue
}
attempt, err := s.Store.GetAttempt(ctx, state.AttemptID)
if err != nil {
return PortablePromptLedger{}, fmt.Errorf("read attempt for prompt %s: %w", state.ID, err)
}
var head State
if attempt.HeadStateID != "" {
head, err = s.Store.GetState(ctx, attempt.HeadStateID)
if err != nil {
return PortablePromptLedger{}, fmt.Errorf("read attempt head for prompt %s: %w", state.ID, err)
}
}
if options.PublishableOnly && head.Kind != StateProposal && head.Kind != StateAccepted {
continue
}
record := PortablePromptRecord{
ID: state.ID,
TaskID: state.TaskID,
AttemptID: state.AttemptID,
StateID: state.ID,
Prompt: state.Prompt,
AgentName: state.Agent,
Status: attempt.Status,
CreatedAt: state.CreatedAt,
Metadata: PortablePromptMetadata{
SourceTree: state.SourceTree,
GitCommit: state.GitCommit,
},
}
record.Metadata.AttemptHead = attempt.HeadStateID
record.Metadata.AttemptHeadKind = string(head.Kind)
if lastPromptByAttempt[state.AttemptID] == state.ID {
record.ResponseSummary = head.Summary
if options.ResponseSummary != "" {
record.ResponseSummary = options.ResponseSummary
}
}
if options.Status != "" {
record.Status = options.Status
}
if head.Kind == StateAccepted || head.Kind == StateFailed || head.Kind == StateCancelled {
completedAt := head.CreatedAt
record.CompletedAt = &completedAt
}
ledger.Prompts = append(ledger.Prompts, record)
}
outputDir := filepath.Join(destinationRoot, ".hop", "records", "prompts")
if err := os.MkdirAll(outputDir, 0o755); err != nil {
return PortablePromptLedger{}, fmt.Errorf("create prompt ledger directory: %w", err)
}
for _, record := range ledger.Prompts {
outputPath := filepath.Join(outputDir, record.ID+".json")
_, statErr := os.Stat(outputPath)
if statErr == nil && !options.Overwrite {
continue // Prompt records are immutable once published.
}
if statErr != nil && !os.IsNotExist(statErr) {
return PortablePromptLedger{}, fmt.Errorf("inspect prompt record %s: %w", record.ID, statErr)
}
contents, err := json.MarshalIndent(record, "", " ")
if err != nil {
return PortablePromptLedger{}, fmt.Errorf("encode prompt record %s: %w", record.ID, err)
}
temporary, err := os.CreateTemp(outputDir, ".prompt-*.tmp")
if err != nil {
return PortablePromptLedger{}, fmt.Errorf("create prompt record %s: %w", record.ID, err)
}
temporaryPath := temporary.Name()
if _, err := temporary.Write(append(contents, '\n')); err != nil {
_ = temporary.Close()
_ = os.Remove(temporaryPath)
return PortablePromptLedger{}, fmt.Errorf("write prompt record %s: %w", record.ID, err)
}
if err := temporary.Chmod(0o644); err != nil {
_ = temporary.Close()
_ = os.Remove(temporaryPath)
return PortablePromptLedger{}, fmt.Errorf("set prompt record permissions for %s: %w", record.ID, err)
}
if err := temporary.Close(); err != nil {
_ = os.Remove(temporaryPath)
return PortablePromptLedger{}, fmt.Errorf("close prompt record %s: %w", record.ID, err)
}
if err := os.Rename(temporaryPath, outputPath); err != nil {
_ = os.Remove(temporaryPath)
return PortablePromptLedger{}, fmt.Errorf("publish prompt record %s: %w", record.ID, err)
}
}
return ledger, nil
}
func loadSuppressedPromptIDs(destinationRoot string) (map[string]struct{}, error) {
path := filepath.Join(destinationRoot, ".hop", "records", "suppressed.json")
contents, err := os.ReadFile(path)
if os.IsNotExist(err) {
return map[string]struct{}{}, nil
}
if err != nil {
return nil, fmt.Errorf("read suppressed prompt manifest: %w", err)
}
var manifest suppressedPromptManifest
if err := json.Unmarshal(contents, &manifest); err != nil {
return nil, fmt.Errorf("decode suppressed prompt manifest: %w", err)
}
result := make(map[string]struct{}, len(manifest.PromptIDs))
for _, id := range manifest.PromptIDs {
if !strings.HasPrefix(id, "P_") {
return nil, fmt.Errorf("invalid suppressed prompt ID %q", id)
}
result[id] = struct{}{}
}
return result, nil
}
+32 -8
View File
@@ -33,8 +33,10 @@ func InitProject(ctx context.Context, path string) (*Service, State, error) {
if err != nil {
return nil, State{}, err
}
if len(trackedHopPaths) > 0 {
return nil, State{}, fmt.Errorf("cannot initialize Hop: .hop is already tracked as project source (for example %s)", trackedHopPaths[0])
for _, trackedPath := range trackedHopPaths {
if !strings.HasPrefix(filepath.ToSlash(trackedPath), ".hop/records/") {
return nil, State{}, fmt.Errorf("cannot initialize Hop: local .hop runtime path is already tracked (for example %s)", trackedPath)
}
}
hopDir := filepath.Join(root, ".hop")
if err := os.MkdirAll(filepath.Join(hopDir, "workspaces"), 0o755); err != nil {
@@ -549,6 +551,10 @@ func (s *Service) Propose(ctx context.Context, stateID, summary string) (Proposa
if err != nil {
return ProposalResult{}, err
}
if strings.TrimSpace(summary) == "" {
summary = task.Title
}
summary, _ = RedactPromptSecrets(summary)
reconciliationPrompt, reconciliation, err := s.Store.ReconciliationPromptForAttempt(ctx, attempt.ID)
if err != nil {
return ProposalResult{}, err
@@ -565,12 +571,12 @@ func (s *Service) Propose(ctx context.Context, stateID, summary string) (Proposa
if err != nil {
return ProposalResult{}, err
}
commit, tree, err := workspaceRepo.Snapshot(ctx, "hop: proposal\n")
_, validationTree, err := workspaceRepo.Snapshot(ctx, "hop: proposal validation tree\n")
if err != nil {
return ProposalResult{}, err
}
if reconciliation {
unresolved, err := unresolvedReconciliationMarkers(ctx, workspaceRepo, tree, reconciliationConflicts)
unresolved, err := unresolvedReconciliationMarkers(ctx, workspaceRepo, validationTree, reconciliationConflicts)
if err != nil {
return ProposalResult{}, err
}
@@ -578,7 +584,7 @@ func (s *Service) Propose(ctx context.Context, stateID, summary string) (Proposa
return ProposalResult{}, fmt.Errorf("reconciliation still contains merge markers in: %s", strings.Join(unresolved, ", "))
}
}
checks, err := s.Store.ListChecks(ctx, attempt.ID, tree)
checks, err := s.Store.ListChecks(ctx, attempt.ID, validationTree)
if err != nil {
return ProposalResult{}, err
}
@@ -594,10 +600,15 @@ func (s *Service) Propose(ctx context.Context, stateID, summary string) (Proposa
return ProposalResult{}, fmt.Errorf("reconciliation must pass hop check on the resolved tree before proposing")
}
}
if strings.TrimSpace(summary) == "" {
summary = task.Title
if _, err := s.exportPromptLedger(ctx, attempt.Workspace, promptExportOptions{
AttemptIDs: []string{attempt.ID}, Status: "proposed", ResponseSummary: summary,
}); err != nil {
return ProposalResult{}, err
}
commit, tree, err := workspaceRepo.Snapshot(ctx, "hop: proposal\n")
if err != nil {
return ProposalResult{}, err
}
summary, _ = RedactPromptSecrets(summary)
canonicalAnchorID := attempt.BaseStateID
if reconciliation && reconciliationPrompt.CanonicalAnchorID != "" {
canonicalAnchorID = reconciliationPrompt.CanonicalAnchorID
@@ -726,6 +737,8 @@ func (s *Service) accept(ctx context.Context, proposalID string, checkCommand []
if err != nil {
return AcceptResult{}, err
}
proposalPaths = withoutPortableHopRecords(proposalPaths)
currentPaths = withoutPortableHopRecords(currentPaths)
finalTree := proposal.SourceTree
if current.SourceTree != base.SourceTree {
var mergeConflicts []string
@@ -875,6 +888,17 @@ func (s *Service) accept(ctx context.Context, proposalID string, checkCommand []
return result, nil
}
func withoutPortableHopRecords(paths []string) []string {
filtered := make([]string, 0, len(paths))
for _, path := range paths {
if strings.HasPrefix(path, ".hop/records/") {
continue
}
filtered = append(filtered, path)
}
return filtered
}
func (s *Service) attachAutomaticPush(ctx context.Context, result *AcceptResult) {
pushCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
defer cancel()
+117 -4
View File
@@ -73,8 +73,8 @@ func TestInitRefusesAUserTrackedHopDirectory(t *testing.T) {
writeTestFile(t, filepath.Join(root, ".hop", "user-owned.txt"), "do not overwrite\n")
runGitTest(t, root, "add", "-f", ".hop/user-owned.txt")
_, _, err := InitProject(context.Background(), root)
if err == nil || !strings.Contains(err.Error(), ".hop is already tracked") {
t.Fatalf("InitProject error = %v, want tracked .hop refusal", err)
if err == nil || !strings.Contains(err.Error(), "local .hop runtime path is already tracked") {
t.Fatalf("InitProject error = %v, want tracked local-runtime refusal", err)
}
contents, readErr := os.ReadFile(filepath.Join(root, ".hop", "user-owned.txt"))
if readErr != nil || string(contents) != "do not overwrite\n" {
@@ -82,6 +82,27 @@ func TestInitRefusesAUserTrackedHopDirectory(t *testing.T) {
}
}
func TestInitAllowsTrackedPortableHopRecords(t *testing.T) {
root := t.TempDir()
runGitTest(t, root, "init", "--quiet")
writeTestFile(t, filepath.Join(root, ".hop", "records", "prompts.json"), `{"schema_version":1,"prompts":[]}`+"\n")
runGitTest(t, root, "add", "-f", ".hop/records/prompts.json")
service, _, err := InitProject(context.Background(), root)
if err != nil {
t.Fatalf("InitProject error = %v", err)
}
t.Cleanup(func() { _ = service.Close() })
exclude, err := os.ReadFile(filepath.Join(root, ".git", "info", "exclude"))
if err != nil {
t.Fatal(err)
}
if strings.Contains(string(exclude), "\n.hop/\n") || !strings.Contains(string(exclude), "!.hop/records/**") {
t.Fatalf("portable ledger is not allowed by exclude file:\n%s", exclude)
}
}
func TestConcurrentFirstBeginsInitializeExactlyOnce(t *testing.T) {
t.Setenv("HOP_ROOT", "")
root := t.TempDir()
@@ -207,8 +228,78 @@ func TestConcurrentInitInExistingGitRepository(t *testing.T) {
if err != nil {
t.Fatal(err)
}
if count := strings.Count(string(exclude), ".hop/\n"); count != 1 {
t.Fatalf("concurrent initialization wrote .hop/ exclusion %d times", count)
if count := strings.Count(string(exclude), ".hop/*\n"); count != 1 {
t.Fatalf("concurrent initialization wrote .hop/* exclusion %d times", count)
}
}
func TestProposeExportsPortablePromptLedger(t *testing.T) {
ctx := context.Background()
service, _ := newTestProject(t, map[string]string{"base.txt": "base\n"})
result, err := service.CreatePrompt(ctx, "Publish a portable prompt ledger", "", "codex")
if err != nil {
t.Fatal(err)
}
writeTestFile(t, filepath.Join(result.Workspace, "feature.txt"), "done\n")
proposal, err := service.Propose(ctx, result.Prompt.ID, "Publish the ledger")
if err != nil {
t.Fatal(err)
}
materialized := filepath.Join(t.TempDir(), "proposal")
if _, err := service.Repo.AddDetachedWorktree(ctx, materialized, proposal.Proposal.GitCommit); err != nil {
t.Fatal(err)
}
t.Cleanup(func() { _ = service.Repo.RemoveWorktree(ctx, materialized, true) })
contents, err := os.ReadFile(filepath.Join(materialized, ".hop", "records", "prompts", result.Prompt.ID+".json"))
if err != nil {
t.Fatal(err)
}
var record PortablePromptRecord
if err := json.Unmarshal(contents, &record); err != nil {
t.Fatal(err)
}
if record.ID != result.Prompt.ID || record.Prompt != "Publish a portable prompt ledger" || record.Status != "proposed" || record.ResponseSummary != "Publish the ledger" {
t.Fatalf("unexpected portable prompt record: %#v", record)
}
}
func TestExportOmitsActiveInternalAttempt(t *testing.T) {
ctx := context.Background()
service, _ := newTestProject(t, map[string]string{"base.txt": "base\n"})
if _, err := service.CreatePrompt(ctx, "Read-only internal audit", "", "codex"); err != nil {
t.Fatal(err)
}
ledger, err := service.ExportPromptLedger(ctx, service.Root)
if err != nil {
t.Fatal(err)
}
if len(ledger.Prompts) != 0 {
t.Fatalf("exported active internal prompts: %#v", ledger.Prompts)
}
}
func TestProposeRespectsSuppressedPromptManifest(t *testing.T) {
ctx := context.Background()
service, _ := newTestProject(t, map[string]string{"base.txt": "base\n"})
result, err := service.CreatePrompt(ctx, "Internal controller instruction", "", "codex")
if err != nil {
t.Fatal(err)
}
manifest := fmt.Sprintf("{\"prompt_ids\":[%q]}\n", result.Prompt.ID)
writeTestFile(t, filepath.Join(result.Workspace, ".hop", "records", "suppressed.json"), manifest)
writeTestFile(t, filepath.Join(result.Workspace, "feature.txt"), "done\n")
proposal, err := service.Propose(ctx, result.Prompt.ID, "Apply the user-facing change")
if err != nil {
t.Fatal(err)
}
materialized := filepath.Join(t.TempDir(), "proposal")
if _, err := service.Repo.AddDetachedWorktree(ctx, materialized, proposal.Proposal.GitCommit); err != nil {
t.Fatal(err)
}
t.Cleanup(func() { _ = service.Repo.RemoveWorktree(ctx, materialized, true) })
if _, err := os.Stat(filepath.Join(materialized, ".hop", "records", "prompts", result.Prompt.ID+".json")); !errors.Is(err, os.ErrNotExist) {
t.Fatalf("suppressed prompt was published: %v", err)
}
}
@@ -293,6 +384,28 @@ func TestCLIJSONWorkflow(t *testing.T) {
}
}
func TestCLIExportOmitsActivePromptRecords(t *testing.T) {
t.Setenv("HOP_ROOT", "")
root := t.TempDir()
writeTestFile(t, filepath.Join(root, "base.txt"), "base\n")
previousDirectory, err := os.Getwd()
if err != nil {
t.Fatal(err)
}
if err := os.Chdir(root); err != nil {
t.Fatal(err)
}
t.Cleanup(func() { _ = os.Chdir(previousDirectory) })
runCLIJSONTest(t, []string{"init", "--json"})
runCLIJSONTest(t, []string{"begin", "--agent", "codex", "--json", "Publish prompt records"})
runCLIJSONTest(t, []string{"export", "--output", ".", "--json"})
entries, err := filepath.Glob(filepath.Join(root, ".hop", "records", "prompts", "P_*.json"))
if err != nil || len(entries) != 0 {
t.Fatalf("portable prompt records = %v, err=%v", entries, err)
}
}
func TestCLIBeginAutoInitializesAndContinuesCodexSession(t *testing.T) {
t.Setenv("HOP_ROOT", "")
root := t.TempDir()
-87
View File
@@ -1,87 +0,0 @@
[CmdletBinding()]
param(
[string]$GiteaUrl = $(if ($env:HOP_GITEA_URL) { $env:HOP_GITEA_URL } else { "https://githop.xyz" }),
[string]$Repository = $(if ($env:HOP_REPOSITORY) { $env:HOP_REPOSITORY } else { "GnosysLabs/Hop" }),
[string]$Version = $(if ($env:HOP_VERSION) { $env:HOP_VERSION } else { "latest" }),
[string]$InstallDir = $(if ($env:HOP_INSTALL_DIR) { $env:HOP_INSTALL_DIR } else { Join-Path $env:LOCALAPPDATA "Programs\Hop" }),
[switch]$SkipSkill,
[switch]$SkipPath
)
$ErrorActionPreference = "Stop"
$GiteaUrl = $GiteaUrl.TrimEnd("/")
switch ([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture.ToString()) {
"X64" { $arch = "amd64" }
"Arm64" { $arch = "arm64" }
default { throw "Unsupported Windows architecture: $($_)" }
}
$asset = "hop_windows_${arch}.zip"
if ($Version -eq "latest") {
# Gitea's /releases/latest endpoint omits prereleases. Select the newest
# published release so the normal installer also works during Hop's alpha.
$releases = @(Invoke-RestMethod -Uri "$GiteaUrl/api/v1/repos/$Repository/releases?draft=false&page=1&limit=1")
$latestRelease = $releases | Select-Object -First 1
$tag = $latestRelease.tag_name
if (-not $tag) { throw "Could not determine the latest published release" }
} else {
$tag = if ($Version.StartsWith("v")) { $Version } else { "v$Version" }
}
if ($tag -notmatch '^[A-Za-z0-9._-]+$') {
throw "Release API returned an unsafe tag: $tag"
}
$releaseUrl = "$GiteaUrl/$Repository/releases/download/$tag"
$tempDir = Join-Path ([System.IO.Path]::GetTempPath()) ("hop-install-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tempDir | Out-Null
try {
$archivePath = Join-Path $tempDir $asset
$checksumsPath = Join-Path $tempDir "checksums.txt"
Write-Host "Downloading $asset..."
Invoke-WebRequest -UseBasicParsing -Uri "$releaseUrl/$asset" -OutFile $archivePath
Invoke-WebRequest -UseBasicParsing -Uri "$releaseUrl/checksums.txt" -OutFile $checksumsPath
$escapedAsset = [regex]::Escape($asset)
$checksumLine = Get-Content $checksumsPath | Where-Object { $_ -match "^([a-fA-F0-9]{64})\s+\*?$escapedAsset$" } | Select-Object -First 1
if (-not $checksumLine) { throw "checksums.txt does not contain $asset" }
$expected = ([regex]::Match($checksumLine, "^[a-fA-F0-9]{64}")).Value.ToLowerInvariant()
$actual = (Get-FileHash -Algorithm SHA256 $archivePath).Hash.ToLowerInvariant()
if ($actual -ne $expected) { throw "Checksum verification failed for $asset" }
$extractPath = Join-Path $tempDir "archive"
Expand-Archive -Path $archivePath -DestinationPath $extractPath
$binary = Join-Path $extractPath "hop.exe"
if (-not (Test-Path $binary)) { throw "Release archive does not contain hop.exe" }
New-Item -ItemType Directory -Force -Path $InstallDir | Out-Null
$installedBinary = Join-Path $InstallDir "hop.exe"
Copy-Item -Force $binary $installedBinary
if (-not $SkipPath) {
$userPath = [Environment]::GetEnvironmentVariable("Path", "User")
$pathEntries = @($userPath -split ";" | Where-Object { $_ })
if ($pathEntries -notcontains $InstallDir) {
$newUserPath = (($pathEntries + $InstallDir) -join ";")
[Environment]::SetEnvironmentVariable("Path", $newUserPath, "User")
Write-Host "Added $InstallDir to your user PATH."
}
if (($env:Path -split ";") -notcontains $InstallDir) {
$env:Path = "$InstallDir;$env:Path"
}
}
if (-not $SkipSkill) {
& $installedBinary skill install --force
if ($LASTEXITCODE -ne 0) {
throw "Hop skill installation failed with exit code $LASTEXITCODE"
}
}
Write-Host "Installed $(& $installedBinary version)"
Write-Host "Binary: $installedBinary"
if (-not $SkipSkill) {
Write-Host "Restart any open agent application, then use it normally in any Git repository."
}
} finally {
Remove-Item -Recurse -Force -ErrorAction SilentlyContinue $tempDir
}
+1 -1
View File
@@ -33,7 +33,7 @@ done
if [ "$mode" = --publish ]; then
[ -f LICENSE ] || fail "LICENSE is required before publishing"
[ -n "${GITEA_TOKEN:-}" ] || fail "set a scoped GITEA_TOKEN in the local environment"
[ -n "${GITEA_TOKEN:-}" ] || fail "provide a pre-existing scoped GITEA_TOKEN through the local secret store"
[ -z "$(git status --porcelain)" ] || fail "the Git worktree must be clean"
tag=$(git describe --tags --exact-match HEAD 2>/dev/null) ||
fail "HEAD must have an exact release tag"
+5
View File
@@ -73,6 +73,11 @@ variable or secret-manager name instead.
- Do not run `git commit`, `git checkout`, `git switch`, `git branch`,
`git rebase`, `git reset`, `git stash`, `git worktree`, or `git push`.
- Do not stage files. Hop captures every nonignored workspace change.
- Never create, rotate, enumerate, revoke, or paste account access tokens
through a provider website or API. For release or publishing work, use only a
credential the user has already provisioned in an OS secret store or supplied
through the runtime's secret mechanism. If it is missing, stop and ask the
user to provision it; do not call a token-management endpoint.
- Give a subagent project-changing work only after creating a distinct Hop
prompt/attempt for that delegation.
- Never discard either side of concurrent work. Let Hop perform its three-way
+9
View File
@@ -158,6 +158,15 @@ sanitizer replaces detected credential values before any durable write and
returns only typed redaction counts. Do not place the value in any later
command, summary, output, or source file.
## Account credential boundary
Hop never creates, rotates, lists, or revokes provider access tokens. Agents
must not use account token-management APIs or settings pages as a shortcut for
publishing work. A release or publishing task may use only a pre-existing
credential the user deliberately provisioned through an OS secret store or the
runtime's secret mechanism. When that credential is absent or invalid, stop and
ask the user to replace it; never mint a task-named token.
## Exit codes
| Code | Meaning |
+1
View File
@@ -34,6 +34,7 @@ release.
|---|---|
| `hop accept PROPOSAL [-- COMMAND...]` | Accept internally without changing visible files |
| `hop sync` | Materialize the current accepted tree from a safe accepted ancestor |
| `hop export [--output PATH]` | Write immutable, repository-safe prompt records to `.hop/records/prompts/` |
| `hop push` | Retry publishing the current accepted commit to its inferred upstream |
| `hop undo` | Create a forward-only acceptance that restores the previous accepted tree |
| `hop doctor [--repair]` | Validate database/object/ref consistency |
+7 -3
View File
@@ -12,8 +12,11 @@ The canonical repository is `githop.xyz/GnosysLabs/Hop`.
- Configure `origin` as `https://githop.xyz/GnosysLabs/Hop.git`.
- Keep Gitea Actions disabled when the instance does not have dedicated runner
capacity; Hop's release process does not depend on it.
- Create a narrowly scoped maintainer access token that can write releases.
Export it as `GITEA_TOKEN` only for the local publish command, then unset it.
- Provision a narrowly scoped maintainer access token outside the agent session
and store it in the operating system's secret store. Agents and release
scripts may use that existing credential, but must never create, rotate, list,
or revoke account tokens through Gitea's website or API. Export it as
`GITEA_TOKEN` only for the local publish command, then unset it.
- When upgrading GoReleaser, update its pinned version and four archive
checksums in `scripts/release-local.sh` from the official checksum file.
- Permit release attachment MIME types for `.tar.gz`, `.zip`, and `.txt` in
@@ -49,7 +52,8 @@ default skill destinations while preserving unrelated user files.
injected into the binaries automatically.
2. Run `scripts/release-local.sh --snapshot` and inspect the artifacts.
3. Create a signed semantic-version tag such as `v0.1.0-alpha.1` and push it.
4. Export a locally stored, scoped token: `export GITEA_TOKEN=...`.
4. Read a pre-provisioned, locally stored scoped token into `GITEA_TOKEN`.
Do not generate a task-specific token from an agent session.
5. Run `scripts/release-local.sh --publish`. It reruns race tests, vet, installer
checks, builds six platform archives, generates `checksums.txt`, and uploads
a draft without executing build work on the Gitea server.
+3 -1
View File
@@ -38,7 +38,9 @@ public key independently. Checksum signing is listed as a launch gate in the
Release builds execute on a maintainer machine, not on the Gitea server. Use a
trusted, patched machine; keep the release token out of shell history and source
files; scope it to the Hop repository; export it only for the publish command;
and unset it immediately afterward. Releases upload as drafts for review.
and unset it immediately afterward. Releases upload as drafts for review. The
token must be provisioned by the user outside the agent session: Hop and its
agents never create, rotate, list, or revoke provider account tokens.
## Filesystem safety