Support Copilot Spaces in ai-tools (#58845)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: sarahs

src/ai-tools/lib/auth-utils.ts

@@ -0,0 +1,25 @@
+import { execSync } from 'child_process'
+
+/**
+ * Ensure GitHub token is available, exiting process if not found
+ */
+export function ensureGitHubToken(): void {
+  if (!process.env.GITHUB_TOKEN) {
+    try {
+      const token = execSync('gh auth token', { encoding: 'utf8' }).trim()
+      if (token) {
+        process.env.GITHUB_TOKEN = token
+        return
+      }
+    } catch {
+      // gh CLI not available or not authenticated
+    }
+
+    console.warn(`🔑 A token is needed to run this script. Please do one of the following and try again:
+
+1. Add a GITHUB_TOKEN to a local .env file.
+2. Install https://cli.github.com and authenticate via 'gh auth login'.
+    `)
+    process.exit(1)
+  }
+}

src/ai-tools/lib/call-models-api.ts

@@ -1,4 +1,6 @@
 const modelsCompletionsEndpoint = 'https://models.github.ai/inference/chat/completions'
+const API_TIMEOUT_MS = 180000 // 3 minutes
+const DEFAULT_MODEL = 'openai/gpt-4o'
 
 interface ChatMessage {
   role: string
@@ -42,16 +44,16 @@ export async function callModelsApi(
 
   // Set default model if none specified
   if (!promptWithContent.model) {
-    promptWithContent.model = 'openai/gpt-4o'
+    promptWithContent.model = DEFAULT_MODEL
     if (verbose) {
-      console.log('⚠️  No model specified, using default: openai/gpt-4o')
+      console.log(`⚠️  No model specified, using default: ${DEFAULT_MODEL}`)
     }
   }
 
   try {
     // Create an AbortController for timeout handling
     const controller = new AbortController()
-    const timeoutId = setTimeout(() => controller.abort(), 180000) // 3 minutes
+    const timeoutId = setTimeout(() => controller.abort(), API_TIMEOUT_MS)
 
     const startTime = Date.now()
     if (verbose) {
@@ -123,7 +125,7 @@ export async function callModelsApi(
   } catch (error) {
     if (error instanceof Error) {
       if (error.name === 'AbortError') {
-        throw new Error('API call timed out after 3 minutes')
+        throw new Error(`API call timed out after ${API_TIMEOUT_MS / 1000} seconds`)
       }
       console.error('Error calling GitHub Models REST API:', error.message)
     }

src/ai-tools/lib/file-utils.ts

@@ -0,0 +1,161 @@
+import fs from 'fs'
+import path from 'path'
+import yaml from 'js-yaml'
+import readFrontmatter from '@/frame/lib/read-frontmatter'
+import { schema } from '@/frame/lib/frontmatter'
+
+const MAX_DIRECTORY_DEPTH = 20
+
+/**
+ * Enhanced recursive markdown file finder with symlink, depth, and root path checks
+ */
+export function findMarkdownFiles(
+  dir: string,
+  rootDir: string,
+  depth: number = 0,
+  maxDepth: number = MAX_DIRECTORY_DEPTH,
+  visited: Set<string> = new Set(),
+): string[] {
+  const markdownFiles: string[] = []
+  let realDir: string
+  try {
+    realDir = fs.realpathSync(dir)
+  } catch {
+    // If we can't resolve real path, skip this directory
+    return []
+  }
+  // Prevent escaping root directory
+  if (!realDir.startsWith(rootDir)) {
+    return []
+  }
+  // Prevent symlink loops
+  if (visited.has(realDir)) {
+    return []
+  }
+  visited.add(realDir)
+  // Prevent excessive depth
+  if (depth > maxDepth) {
+    return []
+  }
+  let entries: fs.Dirent[]
+  try {
+    entries = fs.readdirSync(realDir, { withFileTypes: true })
+  } catch {
+    // If we can't read directory, skip
+    return []
+  }
+  for (const entry of entries) {
+    const fullPath = path.join(realDir, entry.name)
+    let realFullPath: string
+    try {
+      realFullPath = fs.realpathSync(fullPath)
+    } catch {
+      continue
+    }
+    // Prevent escaping root directory for files
+    if (!realFullPath.startsWith(rootDir)) {
+      continue
+    }
+    if (entry.isDirectory()) {
+      markdownFiles.push(...findMarkdownFiles(realFullPath, rootDir, depth + 1, maxDepth, visited))
+    } else if (entry.isFile() && entry.name.endsWith('.md')) {
+      markdownFiles.push(realFullPath)
+    }
+  }
+  return markdownFiles
+}
+
+interface FrontmatterProperties {
+  intro?: string
+  [key: string]: unknown
+}
+
+/**
+ * Function to merge new frontmatter properties into existing file while preserving formatting.
+ * Uses surgical replacement to only modify the specific field(s) being updated,
+ * preserving all original YAML formatting for unchanged fields.
+ */
+export function mergeFrontmatterProperties(filePath: string, newPropertiesYaml: string): string {
+  const content = fs.readFileSync(filePath, 'utf8')
+  const parsed = readFrontmatter(content)
+
+  if (parsed.errors && parsed.errors.length > 0) {
+    throw new Error(
+      `Failed to parse frontmatter: ${parsed.errors.map((e) => e.message).join(', ')}`,
+    )
+  }
+
+  if (!parsed.content) {
+    throw new Error('Failed to parse content from file')
+  }
+
+  try {
+    // Clean up the AI response - remove markdown code blocks if present
+    let cleanedYaml = newPropertiesYaml.trim()
+    cleanedYaml = cleanedYaml.replace(/^```ya?ml\s*\n/i, '')
+    cleanedYaml = cleanedYaml.replace(/\n```\s*$/i, '')
+    cleanedYaml = cleanedYaml.trim()
+
+    const newProperties = yaml.load(cleanedYaml) as FrontmatterProperties
+
+    // Security: Validate against prototype pollution using the official frontmatter schema
+    const allowedKeys = Object.keys(schema.properties)
+
+    const sanitizedProperties = Object.fromEntries(
+      Object.entries(newProperties).filter(([key]) => {
+        if (allowedKeys.includes(key)) {
+          return true
+        }
+        console.warn(`Filtered out potentially unsafe frontmatter key: ${key}`)
+        return false
+      }),
+    )
+
+    // Split content into lines for surgical replacement
+    const lines = content.split('\n')
+    let inFrontmatter = false
+    let frontmatterEndIndex = -1
+
+    // Find frontmatter boundaries
+    for (let i = 0; i < lines.length; i++) {
+      if (lines[i].trim() === '---') {
+        if (!inFrontmatter) {
+          inFrontmatter = true
+        } else {
+          frontmatterEndIndex = i
+          break
+        }
+      }
+    }
+
+    // Replace each field value while preserving everything else
+    for (const [key, value] of Object.entries(sanitizedProperties)) {
+      const formattedValue = typeof value === 'string' ? `'${value.replace(/'/g, "''")}'` : value
+
+      // Find the line with this field
+      for (let i = 1; i < frontmatterEndIndex; i++) {
+        const line = lines[i]
+        if (line.startsWith(`${key}:`)) {
+          // Simple replacement: keep the field name and spacing, replace the value
+          const colonIndex = line.indexOf(':')
+          const leadingSpace = line.substring(colonIndex + 1, colonIndex + 2) // Usually a space
+          lines[i] = `${key}:${leadingSpace}${formattedValue}`
+
+          // Remove any continuation lines (multi-line values)
+          const j = i + 1
+          while (j < frontmatterEndIndex && lines[j].startsWith('  ')) {
+            lines.splice(j, 1)
+            frontmatterEndIndex--
+          }
+          break
+        }
+      }
+    }
+
+    return lines.join('\n')
+  } catch (error) {
+    console.error('Failed to parse AI response as YAML:')
+    console.error('Raw AI response:', JSON.stringify(newPropertiesYaml))
+    throw new Error(`Failed to parse new frontmatter properties: ${error}`)
+  }
+}

src/ai-tools/lib/prompt-utils.ts

@@ -0,0 +1,112 @@
+import { fileURLToPath } from 'url'
+import fs from 'fs'
+import yaml from 'js-yaml'
+import path from 'path'
+import { callModelsApi } from '@/ai-tools/lib/call-models-api'
+
+export interface PromptMessage {
+  content: string
+  role: string
+}
+
+export interface PromptData {
+  messages: PromptMessage[]
+  model?: string
+  temperature?: number
+  max_tokens?: number
+}
+
+/**
+ * Get the prompts directory path
+ */
+export function getPromptsDir(): string {
+  const __dirname = path.dirname(fileURLToPath(import.meta.url))
+  return path.join(__dirname, '../prompts')
+}
+
+/**
+ * Dynamically discover available editor types from prompt files
+ */
+export function getAvailableEditorTypes(promptDir: string): string[] {
+  const editorTypes: string[] = []
+
+  try {
+    const promptFiles = fs.readdirSync(promptDir)
+    for (const file of promptFiles) {
+      if (file.endsWith('.md')) {
+        const editorName = path.basename(file, '.md')
+        editorTypes.push(editorName)
+      }
+    }
+  } catch {
+    console.warn('Could not read prompts directory, using empty editor types')
+  }
+
+  return editorTypes
+}
+
+/**
+ * Get formatted description of available refinement types
+ */
+export function getRefinementDescriptions(editorTypes: string[]): string {
+  return editorTypes.join(', ')
+}
+
+/**
+ * Call an editor with the given content and options
+ */
+export async function callEditor(
+  editorType: string,
+  content: string,
+  promptDir: string,
+  writeMode: boolean,
+  verbose = false,
+  promptContent?: string, // Optional: use this instead of reading from file
+): Promise<string> {
+  let markdownPrompt: string
+
+  if (promptContent) {
+    // Use provided prompt content (e.g., from Copilot Space)
+    markdownPrompt = promptContent
+  } else {
+    // Read from file
+    const markdownPromptPath = path.join(promptDir, `${editorType}.md`)
+
+    if (!fs.existsSync(markdownPromptPath)) {
+      throw new Error(`Prompt file not found: ${markdownPromptPath}`)
+    }
+
+    markdownPrompt = fs.readFileSync(markdownPromptPath, 'utf8')
+  }
+  const promptTemplatePath = path.join(promptDir, 'prompt-template.yml')
+
+  const prompt = yaml.load(fs.readFileSync(promptTemplatePath, 'utf8')) as PromptData
+
+  // Validate the prompt template has required properties
+  if (!prompt.messages || !Array.isArray(prompt.messages)) {
+    throw new Error('Invalid prompt template: missing or invalid messages array')
+  }
+
+  for (const msg of prompt.messages) {
+    msg.content = msg.content.replace('{{markdownPrompt}}', markdownPrompt)
+    msg.content = msg.content.replace('{{input}}', content)
+    // Replace writeMode template variable with simple string replacement
+    msg.content = msg.content.replace(
+      /<!-- IF_WRITE_MODE -->/g,
+      writeMode ? '' : '<!-- REMOVE_START -->',
+    )
+    msg.content = msg.content.replace(
+      /<!-- ELSE_WRITE_MODE -->/g,
+      writeMode ? '<!-- REMOVE_START -->' : '',
+    )
+    msg.content = msg.content.replace(
+      /<!-- END_WRITE_MODE -->/g,
+      writeMode ? '' : '<!-- REMOVE_END -->',
+    )
+
+    // Remove sections marked for removal
+    msg.content = msg.content.replace(/<!-- REMOVE_START -->[\s\S]*?<!-- REMOVE_END -->/g, '')
+  }
+
+  return callModelsApi(prompt, verbose)
+}