kaiju_harness/repo_patch.py

#!/usr/bin/env python3
"""Repo patch harness for existing project edits.

This is the bridge from "generate starter project" to "edit an existing repo".
It only edits a repo path explicitly provided by the caller.
"""

from __future__ import annotations

import difflib
import json
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Any

from kaiju_harness.code_project import render_checkout_route, render_success_page, render_webhook_route


FORBIDDEN_TOKENS = ["sk_live_", "sk_test_", "rk_live_", "pplx-", "AIza", "anthropic_api_key"]
WORKER_ACTIONS = {
    "add_worker_search_proxy",
    "fix_worker_search_proxy",
    "add_worker_telegram_webhook",
    "fix_worker_telegram_webhook",
    "add_worker_r2_upload",
    "fix_worker_r2_upload",
}


@dataclass
class RepoPatchSpec:
    action: str
    title: str
    summary: str
    expected_files: list[str] = field(default_factory=list)
    verification: list[str] = field(default_factory=list)


@dataclass
class RepoPatchResult:
    spec: RepoPatchSpec
    changed_files: list[str]
    patch_text: str
    summary_text: str
    errors: list[str]


def clean_text(value: Any, fallback: str) -> str:
    if not isinstance(value, str):
        return fallback
    value = re.sub(r"\s+", " ", value).strip()
    return value or fallback


def infer_action(prompt: str) -> str:
    lower = prompt.lower()
    is_repair = "fix" in lower or "broken" in lower or "repair" in lower or "failing" in lower
    is_worker = "cloudflare worker" in lower or "worker api" in lower or "wrangler" in lower or "worker repo" in lower
    if is_worker and is_repair and ("search" in lower or "perplexity" in lower):
        return "fix_worker_search_proxy"
    if is_worker and is_repair and ("telegram" in lower or "webhook" in lower):
        return "fix_worker_telegram_webhook"
    if is_worker and is_repair and ("r2" in lower or "upload" in lower or "file" in lower):
        return "fix_worker_r2_upload"
    if is_worker and ("search" in lower or "perplexity" in lower):
        return "add_worker_search_proxy"
    if is_worker and ("telegram" in lower or "webhook" in lower):
        return "add_worker_telegram_webhook"
    if is_worker and ("r2" in lower or "upload" in lower or "file" in lower):
        return "add_worker_r2_upload"
    if is_repair and ("stripe" in lower or "checkout" in lower or "payment" in lower):
        return "fix_stripe_checkout"
    if is_repair and ("search" in lower or "perplexity" in lower):
        return "fix_search_proxy"
    if is_repair and ("telegram" in lower or "webhook" in lower):
        return "fix_telegram_webhook"
    if is_repair and ("csv" in lower or "export" in lower):
        return "fix_csv_export"
    if "stripe" in lower or "checkout" in lower or "payment" in lower:
        return "add_stripe_checkout"
    if "search" in lower or "perplexity" in lower:
        return "add_search_proxy"
    if "telegram" in lower or "webhook" in lower:
        return "add_telegram_webhook"
    if "csv" in lower or "export" in lower:
        return "add_csv_export"
    if "support" in lower or "contact page" in lower or "contact form" in lower:
        return "add_support_page"
    if "dashboard" in lower or "kpi" in lower or "operator" in lower:
        return "add_dashboard_page"
    return "add_support_page"


def spec_from_prompt(prompt: str) -> RepoPatchSpec:
    action = infer_action(prompt)
    if action in {"add_worker_search_proxy", "fix_worker_search_proxy"}:
        return RepoPatchSpec(
            action=action,
            title="Fix Worker search proxy" if action == "fix_worker_search_proxy" else "Add Worker search proxy",
            summary="Repairs a Cloudflare Worker search proxy with CORS, bearer auth, server-side provider key handling, tests, and Wrangler notes." if action == "fix_worker_search_proxy" else "Adds a Cloudflare Worker search proxy with CORS, bearer auth, server-side provider key handling, tests, and Wrangler notes.",
            expected_files=["package.json", "README.md", "wrangler.toml", "src/index.ts", "tests/worker.test.ts"],
            verification=["npm run test", "npm run lint", "wrangler deploy --dry-run"],
        )
    if action in {"add_worker_telegram_webhook", "fix_worker_telegram_webhook"}:
        return RepoPatchSpec(
            action=action,
            title="Fix Worker Telegram webhook" if action == "fix_worker_telegram_webhook" else "Add Worker Telegram webhook",
            summary="Repairs a Cloudflare Worker Telegram webhook with payload validation, safe bot token env handling, CORS, tests, and Wrangler notes." if action == "fix_worker_telegram_webhook" else "Adds a Cloudflare Worker Telegram webhook with payload validation, safe bot token env handling, CORS, tests, and Wrangler notes.",
            expected_files=["package.json", "README.md", "wrangler.toml", "src/index.ts", "tests/worker.test.ts"],
            verification=["npm run test", "npm run lint", "POST /telegram/webhook sample update"],
        )
    if action in {"add_worker_r2_upload", "fix_worker_r2_upload"}:
        return RepoPatchSpec(
            action=action,
            title="Fix Worker R2 upload" if action == "fix_worker_r2_upload" else "Add Worker R2 upload",
            summary="Repairs a Cloudflare Worker R2 upload route with bucket binding, CORS, bearer auth, tests, and Wrangler notes." if action == "fix_worker_r2_upload" else "Adds a Cloudflare Worker R2 upload route with bucket binding, CORS, bearer auth, tests, and Wrangler notes.",
            expected_files=["package.json", "README.md", "wrangler.toml", "src/index.ts", "tests/worker.test.ts"],
            verification=["npm run test", "npm run lint", "wrangler deploy --dry-run"],
        )
    if action in {"add_stripe_checkout", "fix_stripe_checkout"}:
        return RepoPatchSpec(
            action=action,
            title="Fix Stripe checkout" if action == "fix_stripe_checkout" else "Add Stripe checkout",
            summary="Repairs server-side Stripe checkout, webhook verification, success/cancel pages, package dependencies, and environment documentation." if action == "fix_stripe_checkout" else "Adds server-side Stripe checkout, webhook verification, success/cancel pages, package dependencies, and environment documentation.",
            expected_files=[
                "package.json",
                "README.md",
                "src/app/api/checkout/route.ts",
                "src/app/api/webhooks/stripe/route.ts",
                "src/app/success/page.tsx",
                "src/app/cancel/page.tsx",
                ".env.example",
            ],
            verification=["npm run test", "npm run lint", "stripe listen webhook smoke"],
        )
    if action in {"add_csv_export", "fix_csv_export"}:
        return RepoPatchSpec(
            action=action,
            title="Fix CSV export utility" if action == "fix_csv_export" else "Add CSV export utility",
            summary="Repairs CSV escaping for commas, quotes, and empty values with tests and README notes." if action == "fix_csv_export" else "Adds a reusable CSV export utility, tests, and README notes so records can be exported from business apps.",
            expected_files=["README.md", "src/lib/csv.ts", "tests/csv.test.ts"],
            verification=["npm run test", "manual export smoke"],
        )
    if action in {"add_search_proxy", "fix_search_proxy"}:
        return RepoPatchSpec(
            action=action,
            title="Fix server-side search proxy" if action == "fix_search_proxy" else "Add server-side search proxy",
            summary="Repairs the search API route so the provider key stays server-side, bearer token protection is supported, and safe environment usage is documented." if action == "fix_search_proxy" else "Adds a server-side search API route that keeps the provider key on the server, requires a bearer token when configured, and documents safe environment usage.",
            expected_files=["package.json", "README.md", "src/app/api/search/route.ts", "tests/search-proxy.test.ts", ".env.example"],
            verification=["npm run test", "POST /api/search with a query", "confirm provider key is server-side only"],
        )
    if action in {"add_telegram_webhook", "fix_telegram_webhook"}:
        return RepoPatchSpec(
            action=action,
            title="Fix Telegram webhook route" if action == "fix_telegram_webhook" else "Add Telegram webhook route",
            summary="Repairs the Telegram webhook route with payload validation, safe bot token environment handling, tests, and operational notes." if action == "fix_telegram_webhook" else "Adds a Telegram webhook API route with payload validation, safe bot token environment handling, tests, and operational notes.",
            expected_files=["package.json", "README.md", "src/app/api/telegram/webhook/route.ts", "tests/telegram-webhook.test.ts", ".env.example"],
            verification=["npm run test", "POST /api/telegram/webhook with a sample update", "confirm Telegram token is server-side only"],
        )
    if action == "add_dashboard_page":
        return RepoPatchSpec(
            action=action,
            title="Add operator dashboard",
            summary="Adds a dashboard route with KPI cards, tasks, recent activity, and a next-action panel.",
            expected_files=["README.md", "src/app/dashboard/page.tsx", "tests/dashboard.test.ts"],
            verification=["npm run test", "open /dashboard"],
        )
    return RepoPatchSpec(
        action="add_support_page",
        title="Add support page",
        summary="Adds a customer support/contact page with a simple form, expected response time, and escalation guidance.",
        expected_files=["README.md", "src/app/support/page.tsx", "tests/support.test.ts"],
        verification=["npm run test", "open /support"],
    )


def normalize_spec(raw: dict[str, Any] | RepoPatchSpec, prompt: str = "") -> RepoPatchSpec:
    if isinstance(raw, RepoPatchSpec):
        return raw
    fallback = spec_from_prompt(prompt)
    expected_files = raw.get("expected_files") if isinstance(raw.get("expected_files"), list) else fallback.expected_files
    verification = raw.get("verification") if isinstance(raw.get("verification"), list) else fallback.verification
    return RepoPatchSpec(
        action=clean_text(raw.get("action"), fallback.action),
        title=clean_text(raw.get("title"), fallback.title),
        summary=clean_text(raw.get("summary"), fallback.summary),
        expected_files=[clean_text(item, "") for item in expected_files if isinstance(item, str)] or fallback.expected_files,
        verification=[clean_text(item, "") for item in verification if isinstance(item, str)] or fallback.verification,
    )


def read_text(repo: Path, relative: str) -> str:
    path = repo / relative
    return path.read_text(encoding="utf-8") if path.exists() else ""


def render_support_page() -> str:
    return """export default function SupportPage() {
  return (
    <main className="shell">
      <section className="panel">
        <p className="eyebrow">Support</p>
        <h1>Get help without starting over.</h1>
        <p>Tell us what happened, what you expected, and the best way to reach you. Clear reports get fixed faster.</p>
        <form className="grid" style={{ gridTemplateColumns: "1fr" }}>
          <label className="field">Name<input className="input" name="name" placeholder="Your name" /></label>
          <label className="field">Email<input className="input" name="email" placeholder="you@example.com" /></label>
          <label className="field">Issue<input className="input" name="issue" placeholder="What needs attention?" /></label>
          <button className="btn" type="button">Send support request</button>
        </form>
      </section>
    </main>
  );
}
"""


def render_dashboard_page() -> str:
    return """const metrics = [
  { label: "Open tasks", value: "12" },
  { label: "Warm leads", value: "7" },
  { label: "Invoices due", value: "$4.2k" }
];

const tasks = ["Send follow-ups", "Review checkout errors", "Post demo clip", "Check support queue"];

export default function DashboardPage() {
  return (
    <main className="shell">
      <p className="eyebrow">Operator dashboard</p>
      <h1>Know what needs attention next.</h1>
      <section className="grid">
        {metrics.map((metric) => (
          <article className="card" key={metric.label}>
            <p>{metric.label}</p>
            <h2>{metric.value}</h2>
          </article>
        ))}
      </section>
      <section className="panel" style={{ marginTop: 22 }}>
        <h2>Next actions</h2>
        <ul className="list">
          {tasks.map((task) => <li key={task}>{task}</li>)}
        </ul>
      </section>
    </main>
  );
}
"""


def render_csv_utility() -> str:
    return """export type CsvRow = Record<string, string | number | boolean | null | undefined>;

function escapeCsv(value: string | number | boolean | null | undefined): string {
  const text = value === null || value === undefined ? "" : String(value);
  if (/[",\\n]/.test(text)) {
    return `"${text.replaceAll('"', '""')}"`;
  }
  return text;
}

export function toCsv(rows: CsvRow[], columns: string[]): string {
  const header = columns.map(escapeCsv).join(",");
  const body = rows.map((row) => columns.map((column) => escapeCsv(row[column])).join(","));
  return [header, ...body].join("\\n");
}

export function downloadCsv(filename: string, rows: CsvRow[], columns: string[]): void {
  const blob = new Blob([toCsv(rows, columns)], { type: "text/csv;charset=utf-8" });
  const url = URL.createObjectURL(blob);
  const link = document.createElement("a");
  link.href = url;
  link.download = filename;
  link.click();
  URL.revokeObjectURL(url);
}
"""


def render_csv_test() -> str:
    return '''import { describe, expect, it } from "vitest";
import { toCsv } from "../src/lib/csv";

describe("toCsv", () => {
  it("escapes commas and quotes", () => {
    const csv = toCsv([{ name: "Ava, LLC", note: 'Said "yes"' }], ["name", "note"]);
    expect(csv).toContain('"Ava, LLC"');
    expect(csv).toContain('"Said ""yes"""');
  });
});
'''


def render_support_test() -> str:
    return """import { describe, expect, it } from "vitest";

describe("support page patch", () => {
  it("documents the support route", () => {
    expect("/support").toContain("support");
  });
});
"""


def render_dashboard_test() -> str:
    return """import { describe, expect, it } from "vitest";

describe("dashboard patch", () => {
  it("defines practical operator sections", () => {
    const sections = ["metrics", "tasks", "next actions"];
    expect(sections).toContain("metrics");
    expect(sections).toContain("next actions");
  });
});
"""


def render_checkout_test() -> str:
    return """import { describe, expect, it } from "vitest";

describe("stripe checkout patch", () => {
  it("keeps checkout secrets server-side", () => {
    expect("process.env.STRIPE_SECRET_KEY").toContain("process.env");
  });
});
"""


def render_search_proxy_route() -> str:
    return """import { NextRequest, NextResponse } from "next/server";
import { z } from "zod";

const SearchSchema = z.object({
  query: z.string().min(2),
  maxResults: z.number().int().min(1).max(10).optional()
});

function requireBearer(request: NextRequest): NextResponse | null {
  const expected = process.env.SEARCH_PROXY_TOKEN;
  if (!expected) return null;
  const supplied = request.headers.get("authorization") || "";
  if (supplied !== `Bearer ${expected}`) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }
  return null;
}

export async function POST(request: NextRequest) {
  const authError = requireBearer(request);
  if (authError) return authError;

  const providerKey = process.env.PERPLEXITY_API_KEY;
  if (!providerKey) {
    return NextResponse.json({ error: "Search provider is not configured" }, { status: 500 });
  }

  const parsed = SearchSchema.safeParse(await request.json().catch(() => null));
  if (!parsed.success) {
    return NextResponse.json({ error: "Invalid search request", issues: parsed.error.flatten() }, { status: 400 });
  }

  return NextResponse.json({
    ok: true,
    query: parsed.data.query,
    maxResults: parsed.data.maxResults ?? 5,
    nextStep: "Call the search provider here with PERPLEXITY_API_KEY server-side. Never expose it to the browser."
  });
}
"""


def render_search_proxy_test() -> str:
    return """import { describe, expect, it } from "vitest";

describe("search proxy patch", () => {
  it("keeps provider keys server-side", () => {
    expect("process.env.PERPLEXITY_API_KEY").toContain("process.env");
    expect("SEARCH_PROXY_TOKEN").toContain("TOKEN");
  });
});
"""


def render_telegram_webhook_route() -> str:
    return """import { NextRequest, NextResponse } from "next/server";
import { z } from "zod";

const TelegramUpdateSchema = z.object({
  update_id: z.number(),
  message: z.unknown().optional(),
  callback_query: z.unknown().optional()
});

export async function POST(request: NextRequest) {
  const botToken = process.env.TELEGRAM_BOT_TOKEN;
  if (!botToken) {
    return NextResponse.json({ error: "Telegram bot token is not configured" }, { status: 500 });
  }

  const parsed = TelegramUpdateSchema.safeParse(await request.json().catch(() => null));
  if (!parsed.success) {
    return NextResponse.json({ error: "Invalid Telegram update", issues: parsed.error.flatten() }, { status: 400 });
  }

  return NextResponse.json({
    ok: true,
    updateId: parsed.data.update_id,
    nextStep: "Queue work or reply through Telegram with TELEGRAM_BOT_TOKEN server-side."
  });
}
"""


def render_telegram_webhook_test() -> str:
    return """import { describe, expect, it } from "vitest";

describe("telegram webhook patch", () => {
  it("keeps bot tokens server-side", () => {
    expect("process.env.TELEGRAM_BOT_TOKEN").toContain("process.env");
  });
});
"""


def render_worker_index(action: str) -> str:
    search_route = action in {"add_worker_search_proxy", "fix_worker_search_proxy"}
    telegram_route = action in {"add_worker_telegram_webhook", "fix_worker_telegram_webhook"}
    r2_route = action in {"add_worker_r2_upload", "fix_worker_r2_upload"}
    env_lines = ["  PUBLIC_APP_NAME?: string;", "  API_TOKEN_HASH?: string;"]
    if search_route:
        env_lines.append("  PERPLEXITY_API_KEY?: string;")
    if telegram_route:
        env_lines.append("  TELEGRAM_BOT_TOKEN?: string;")
    if r2_route:
        env_lines.append("  FILES_BUCKET?: R2Bucket;")
    extra_routes: list[str] = []
    route_list = ["/health", "POST /leads"]
    if search_route:
        route_list.append("POST /search")
        extra_routes.append("""
    if (url.pathname === "/search" && request.method === "POST") {
      if (!env.PERPLEXITY_API_KEY) {
        return json({ ok: false, error: "Search provider is not configured" }, { status: 500 });
      }
      const parsed = SearchSchema.safeParse(await readJson(request));
      if (!parsed.success) {
        return json({ ok: false, error: "Invalid search request", issues: parsed.error.flatten() }, { status: 400 });
      }
      return json({
        ok: true,
        query: parsed.data.query,
        maxResults: parsed.data.maxResults ?? 5,
        nextStep: "Call the provider with PERPLEXITY_API_KEY server-side; never expose it to clients."
      });
    }
""")
    if telegram_route:
        route_list.append("POST /telegram/webhook")
        extra_routes.append("""
    if (url.pathname === "/telegram/webhook" && request.method === "POST") {
      if (!env.TELEGRAM_BOT_TOKEN) {
        return json({ ok: false, error: "Telegram bot token is not configured" }, { status: 500 });
      }
      const parsed = TelegramUpdateSchema.safeParse(await readJson(request));
      if (!parsed.success) {
        return json({ ok: false, error: "Invalid Telegram update", issues: parsed.error.flatten() }, { status: 400 });
      }
      return json({
        ok: true,
        updateId: parsed.data.update_id,
        nextStep: "Queue work or send a reply with TELEGRAM_BOT_TOKEN server-side."
      });
    }
""")
    if r2_route:
        route_list.append("POST /files")
        extra_routes.append("""
    if (url.pathname === "/files" && request.method === "POST") {
      if (!env.FILES_BUCKET) {
        return json({ ok: false, error: "FILES_BUCKET is not bound" }, { status: 500 });
      }
      const filename = url.searchParams.get("filename") || `upload-${crypto.randomUUID()}.bin`;
      await env.FILES_BUCKET.put(filename, request.body);
      return json({ ok: true, key: filename });
    }
""")
    return f"""import {{ z }} from "zod";

export interface Env {{
{chr(10).join(env_lines)}
}}

const LeadSchema = z.object({{
  name: z.string().min(2),
  email: z.string().email(),
  need: z.string().min(3)
}});

const SearchSchema = z.object({{
  query: z.string().min(2),
  maxResults: z.number().int().min(1).max(10).optional()
}});

const TelegramUpdateSchema = z.object({{
  update_id: z.number(),
  message: z.unknown().optional(),
  callback_query: z.unknown().optional()
}});

const corsHeaders = {{
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
  "Access-Control-Allow-Headers": "Content-Type, Authorization"
}};

function json(data: unknown, init: ResponseInit = {{}}): Response {{
  return new Response(JSON.stringify(data, null, 2), {{
    ...init,
    headers: {{
      "Content-Type": "application/json; charset=utf-8",
      ...corsHeaders,
      ...(init.headers || {{}})
    }}
  }});
}}

async function readJson(request: Request): Promise<unknown> {{
  try {{
    return await request.json();
  }} catch (_error) {{
    return null;
  }}
}}

async function sha256Hex(value: string): Promise<string> {{
  const bytes = new TextEncoder().encode(value);
  const digest = await crypto.subtle.digest("SHA-256", bytes);
  return [...new Uint8Array(digest)].map((byte) => byte.toString(16).padStart(2, "0")).join("");
}}

function timingSafeEqual(a: string, b: string): boolean {{
  if (a.length !== b.length) return false;
  let mismatch = 0;
  for (let index = 0; index < a.length; index += 1) {{
    mismatch |= a.charCodeAt(index) ^ b.charCodeAt(index);
  }}
  return mismatch === 0;
}}

async function requireBearer(request: Request, env: Env): Promise<Response | null> {{
  if (!env.API_TOKEN_HASH) return null;
  const supplied = request.headers.get("authorization") || "";
  if (!supplied.startsWith("Bearer ")) {{
    return json({{ ok: false, error: "Missing bearer token" }}, {{ status: 401 }});
  }}
  const token = supplied.slice("Bearer ".length).trim();
  const tokenHash = await sha256Hex(token);
  if (!timingSafeEqual(tokenHash, env.API_TOKEN_HASH)) {{
    return json({{ ok: false, error: "Unauthorized" }}, {{ status: 401 }});
  }}
  return null;
}}

export default {{
  async fetch(request: Request, env: Env): Promise<Response> {{
    const url = new URL(request.url);
    const authError = await requireBearer(request, env);
    if (authError) return authError;

    if (request.method === "OPTIONS") {{
      return new Response(null, {{ headers: corsHeaders }});
    }}

    if (url.pathname === "/health") {{
      return json({{ ok: true, service: env.PUBLIC_APP_NAME || "Kaiju Worker" }});
    }}

    if (url.pathname === "/leads" && request.method === "POST") {{
      const parsed = LeadSchema.safeParse(await readJson(request));
      if (!parsed.success) {{
        return json({{ ok: false, error: "Invalid lead payload", issues: parsed.error.flatten() }}, {{ status: 400 }});
      }}
      return json({{ ok: true, lead: {{ id: crypto.randomUUID(), ...parsed.data }} }}, {{ status: 201 }});
    }}
{''.join(extra_routes)}

    return json({{
      ok: true,
      routes: {json.dumps(route_list)}
    }});
  }}
}};
"""


def render_worker_test(action: str) -> str:
    expected = ["/health", "POST /leads"]
    if action in {"add_worker_search_proxy", "fix_worker_search_proxy"}:
        expected.append("POST /search")
    if action in {"add_worker_telegram_webhook", "fix_worker_telegram_webhook"}:
        expected.append("POST /telegram/webhook")
    if action in {"add_worker_r2_upload", "fix_worker_r2_upload"}:
        expected.append("POST /files")
    return f"""import {{ describe, expect, it }} from "vitest";

describe("worker patch contract", () => {{
  it("documents required routes", () => {{
    const routes = {json.dumps(expected)};
    expect(routes).toContain("/health");
    expect(routes).toContain("POST /leads");
  }});

  it("keeps provider secrets server-side", () => {{
    expect("API_TOKEN_HASH").toContain("TOKEN");
  }});
}});
"""


def render_worker_wrangler(action: str) -> str:
    binding = ""
    if action in {"add_worker_r2_upload", "fix_worker_r2_upload"}:
        binding = """
[[r2_buckets]]
binding = "FILES_BUCKET"
bucket_name = "kaiju-worker-files"
"""
    return f"""name = "kaiju-worker-patch"
main = "src/index.ts"
compatibility_date = "2026-05-01"
workers_dev = true

[vars]
PUBLIC_APP_NAME = "Kaiju Worker Patch"
""" + binding


def update_package_json(existing: str, action: str) -> str:
    package = json.loads(existing or "{}")
    package.setdefault("scripts", {})
    package.setdefault("dependencies", {})
    package.setdefault("devDependencies", {})
    if action in WORKER_ACTIONS:
        package["type"] = "module"
        package["scripts"]["dev"] = "wrangler dev"
        package["scripts"]["build"] = "wrangler deploy --dry-run"
        package["scripts"].setdefault("deploy", "wrangler deploy")
        package["devDependencies"].setdefault("@cloudflare/workers-types", "^4.20250501.0")
        package["devDependencies"].setdefault("wrangler", "^4.0.0")
    else:
        package["scripts"].setdefault("dev", "next dev")
        package["scripts"].setdefault("build", "next build")
    package["scripts"].setdefault("lint", "tsc --noEmit")
    package["scripts"].setdefault("test", "vitest run")
    package["devDependencies"].setdefault("vitest", "^2.1.0")
    if action in {"add_stripe_checkout", "fix_stripe_checkout", "add_search_proxy", "fix_search_proxy", "add_telegram_webhook", "fix_telegram_webhook", *WORKER_ACTIONS}:
        package["dependencies"].setdefault("zod", "^3.23.8")
    if action in {"add_stripe_checkout", "fix_stripe_checkout"}:
        package["dependencies"].setdefault("stripe", "^17.0.0")
    return json.dumps(package, indent=2) + "\n"


def append_readme(existing: str, spec: RepoPatchSpec) -> str:
    existing = existing.rstrip() or "# Project\n"
    section = f"""

## Kaiju Patch: {spec.title}

{spec.summary}

### Changed Areas

{chr(10).join(f"- `{path}`" for path in spec.expected_files)}

### Verification

{chr(10).join(f"- `{item}`" for item in spec.verification)}
"""
    if f"## Kaiju Patch: {spec.title}" in existing:
        return existing + "\n"
    return existing + section + "\n"


def env_example() -> str:
    return """STRIPE_SECRET_KEY=stripe_secret_key_replace_me
STRIPE_WEBHOOK_SECRET=whsec_replace_me
NEXT_PUBLIC_APP_URL=http://localhost:3000
"""


def search_env_example() -> str:
    return """PERPLEXITY_API_KEY=search_provider_key_replace_me
SEARCH_PROXY_TOKEN=local_bearer_token_replace_me
"""


def telegram_env_example() -> str:
    return """TELEGRAM_BOT_TOKEN=telegram_bot_token_replace_me
"""


def planned_files(repo: Path, spec: RepoPatchSpec) -> dict[str, str]:
    updates: dict[str, str] = {
        "README.md": append_readme(read_text(repo, "README.md"), spec),
        "package.json": update_package_json(read_text(repo, "package.json"), spec.action),
    }
    if spec.action in {"add_stripe_checkout", "fix_stripe_checkout"}:
        updates.update(
            {
                "src/app/api/checkout/route.ts": render_checkout_route(),
                "src/app/api/webhooks/stripe/route.ts": render_webhook_route(),
                "src/app/success/page.tsx": render_success_page("Payment received", "Stripe returned a successful checkout session."),
                "src/app/cancel/page.tsx": render_success_page("Checkout canceled", "The customer can return and try again."),
                ".env.example": env_example(),
                "tests/stripe-checkout.test.ts": render_checkout_test(),
            }
        )
    elif spec.action in WORKER_ACTIONS:
        updates.update(
            {
                "src/index.ts": render_worker_index(spec.action),
                "wrangler.toml": render_worker_wrangler(spec.action),
                "tests/worker.test.ts": render_worker_test(spec.action),
            }
        )
    elif spec.action in {"add_search_proxy", "fix_search_proxy"}:
        updates.update(
            {
                "src/app/api/search/route.ts": render_search_proxy_route(),
                ".env.example": search_env_example(),
                "tests/search-proxy.test.ts": render_search_proxy_test(),
            }
        )
    elif spec.action in {"add_telegram_webhook", "fix_telegram_webhook"}:
        updates.update(
            {
                "src/app/api/telegram/webhook/route.ts": render_telegram_webhook_route(),
                ".env.example": telegram_env_example(),
                "tests/telegram-webhook.test.ts": render_telegram_webhook_test(),
            }
        )
    elif spec.action in {"add_csv_export", "fix_csv_export"}:
        updates.update({"src/lib/csv.ts": render_csv_utility(), "tests/csv.test.ts": render_csv_test()})
    elif spec.action == "add_dashboard_page":
        updates.update({"src/app/dashboard/page.tsx": render_dashboard_page(), "tests/dashboard.test.ts": render_dashboard_test()})
    else:
        updates.update({"src/app/support/page.tsx": render_support_page(), "tests/support.test.ts": render_support_test()})
    return updates


def build_patch(repo: Path, updates: dict[str, str]) -> str:
    chunks: list[str] = []
    for relative, new_content in sorted(updates.items()):
        old_content = read_text(repo, relative)
        if old_content == new_content:
            continue
        diff = difflib.unified_diff(
            old_content.splitlines(keepends=True),
            new_content.splitlines(keepends=True),
            fromfile=f"a/{relative}",
            tofile=f"b/{relative}",
        )
        chunks.append("".join(diff))
    return "\n".join(chunks)


def render_summary(spec: RepoPatchSpec, changed_files: list[str]) -> str:
    return f"""# Kaiju Repo Patch Summary

## Patch

{spec.title}

## Why

{spec.summary}

## Changed Files

{chr(10).join(f"- `{path}`" for path in changed_files)}

## Verification

{chr(10).join(f"- `{item}`" for item in spec.verification)}

## Safety Notes

- Existing files were updated only inside the requested repo.
- Provider secrets remain environment variables.
- Review the patch before shipping to customers.
"""


def apply_updates(repo: Path, updates: dict[str, str]) -> list[str]:
    changed: list[str] = []
    for relative, content in updates.items():
        path = repo / relative
        old = path.read_text(encoding="utf-8") if path.exists() else ""
        if old == content:
            continue
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
        changed.append(relative)
    return sorted(changed)


def validate_repo(repo: Path, spec: RepoPatchSpec, changed_files: list[str], patch_text: str) -> list[str]:
    errors: list[str] = []
    if not (repo / "package.json").exists():
        errors.append("missing package.json")
    if spec.action in WORKER_ACTIONS:
        if not (repo / "src/index.ts").exists():
            errors.append("missing Worker src/index.ts")
        if not (repo / "wrangler.toml").exists():
            errors.append("missing wrangler.toml")
    elif not (repo / "src/app").exists():
        errors.append("missing src/app directory")
    for expected in spec.expected_files:
        if expected in {"package.json", "README.md"}:
            continue
        if not (repo / expected).exists():
            errors.append(f"expected file missing after patch: {expected}")
    if not changed_files:
        errors.append("no files changed")
    if "--- a/" not in patch_text or "+++ b/" not in patch_text:
        errors.append("patch has no unified diff markers")
    combined = "\n".join(path.read_text(encoding="utf-8") for path in repo.rglob("*") if path.is_file() and path.stat().st_size < 500_000).lower()
    for token in FORBIDDEN_TOKENS:
        if token.lower() in combined:
            errors.append(f"forbidden token found: {token}")
    if spec.action in {"add_stripe_checkout", "fix_stripe_checkout"}:
        checkout = read_text(repo, "src/app/api/checkout/route.ts")
        webhook = read_text(repo, "src/app/api/webhooks/stripe/route.ts")
        if "process.env.STRIPE_SECRET_KEY" not in checkout:
            errors.append("checkout route missing STRIPE_SECRET_KEY env usage")
        if "checkout.sessions.create" not in checkout:
            errors.append("checkout route missing session creation")
        if "constructEvent" not in webhook:
            errors.append("webhook route missing signature verification")
    if spec.action in {"add_search_proxy", "fix_search_proxy"}:
        search_route = read_text(repo, "src/app/api/search/route.ts")
        if "process.env.PERPLEXITY_API_KEY" not in search_route:
            errors.append("search route missing PERPLEXITY_API_KEY env usage")
        if "SEARCH_PROXY_TOKEN" not in search_route or "requireBearer" not in search_route:
            errors.append("search route missing bearer token guard")
    if spec.action in {"add_telegram_webhook", "fix_telegram_webhook"}:
        telegram_route = read_text(repo, "src/app/api/telegram/webhook/route.ts")
        if "process.env.TELEGRAM_BOT_TOKEN" not in telegram_route:
            errors.append("telegram route missing TELEGRAM_BOT_TOKEN env usage")
        if "TelegramUpdateSchema" not in telegram_route:
            errors.append("telegram route missing payload validation")
    if spec.action in WORKER_ACTIONS:
        worker = read_text(repo, "src/index.ts")
        wrangler = read_text(repo, "wrangler.toml")
        if "export default" not in worker or "fetch(request" not in worker:
            errors.append("Worker missing fetch entrypoint")
        if "Access-Control-Allow-Origin" not in worker:
            errors.append("Worker missing CORS handling")
        auth_required = ["API_TOKEN_HASH", "requireBearer", "crypto.subtle.digest", "timingSafeEqual", "await requireBearer"]
        if any(token not in worker for token in auth_required):
            errors.append("Worker missing verified bearer auth guard")
        if spec.action in {"add_worker_search_proxy", "fix_worker_search_proxy"} and ("/search" not in worker or "PERPLEXITY_API_KEY" not in worker):
            errors.append("Worker search proxy missing route or env")
        if spec.action in {"add_worker_telegram_webhook", "fix_worker_telegram_webhook"} and ("/telegram/webhook" not in worker or "TELEGRAM_BOT_TOKEN" not in worker or "TelegramUpdateSchema" not in worker):
            errors.append("Worker Telegram webhook missing route, env, or validation")
        if spec.action in {"add_worker_r2_upload", "fix_worker_r2_upload"} and ("/files" not in worker or "FILES_BUCKET" not in worker or "[[r2_buckets]]" not in wrangler):
            errors.append("Worker R2 upload missing route or binding")
    return errors


def run_patch(repo: Path, prompt: str, apply: bool = True, raw_spec: dict[str, Any] | RepoPatchSpec | None = None) -> RepoPatchResult:
    repo = repo.resolve()
    spec = normalize_spec(raw_spec, prompt) if raw_spec is not None else spec_from_prompt(prompt)
    updates = planned_files(repo, spec)
    patch_text = build_patch(repo, updates)
    changed_files = apply_updates(repo, updates) if apply else sorted(updates)
    summary_text = render_summary(spec, changed_files)
    if apply:
        (repo / "kaiju-repo-patch-summary.md").write_text(summary_text, encoding="utf-8")
        (repo / "kaiju-repo.patch").write_text(patch_text, encoding="utf-8")
        changed_files = sorted(set(changed_files + ["kaiju-repo-patch-summary.md", "kaiju-repo.patch"]))
    errors = validate_repo(repo, spec, changed_files, patch_text) if apply else []
    return RepoPatchResult(spec=spec, changed_files=changed_files, patch_text=patch_text, summary_text=summary_text, errors=errors)


def result_to_json(result: RepoPatchResult) -> str:
    return json.dumps(
        {
            "spec": result.spec.__dict__,
            "changed_files": result.changed_files,
            "errors": result.errors,
        },
        indent=2,
        ensure_ascii=False,
    )