badMade · badMade · May 26, 2026
diff --git a/.github/self-heal-schedule.yml b/.github/self-heal-schedule.yml
@@ -0,0 +1,3 @@
+schedule: "0 0 * * *" # AUTO-UPDATED
+rationale: "Initial bootstrap schedule based on standard repository defaults. Telemetry pipeline will dynamically tune this shortly."
+last_updated: "2024-05-26T00:00:00.000Z"
diff --git a/.github/workflows/compute-schedule.yml b/.github/workflows/compute-schedule.yml
@@ -0,0 +1,98 @@
+name: Compute Self-Heal Schedule
+
+on:
+  schedule:
+    - cron: "0 0 * * 0" # Runs weekly to evaluate cadence
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+
+concurrency:
+  group: compute-schedule-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  compute:
+    name: Re-evaluate Cadence
+    runs-on: ubuntu-latest
+    if: github.ref_name == github.event.repository.default_branch
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Compute optimal schedule
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Re-evaluate schedule based on repository telemetry.
+          # Edits .github/self-heal-schedule.yml safely using js-yaml.
+          node scripts/compute_schedule.mjs
+
+      - name: Apply schedule to self-heal.yml workflow
+        run: |
+          if ! git diff --quiet .github/self-heal-schedule.yml; then
+            NEW_CRON=$(grep -E '^schedule:' .github/self-heal-schedule.yml | awk -F'"' '{print $2}')
+            if [ -n "$NEW_CRON" ]; then
+              sed -i "s|cron: \".*\" # AUTO-UPDATED|cron: \"$NEW_CRON\" # AUTO-UPDATED|" .github/workflows/self-heal.yml
+            fi
+          fi
+
+      - name: Check for duplicate open schedule PRs
+        id: pr-check
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          OPEN_PR_COUNT=$(gh pr list --label "self-heal-schedule" --state open --json number | jq length)
+          if [ "$OPEN_PR_COUNT" -gt 0 ]; then
+            echo "duplicate_found=true" >> $GITHUB_OUTPUT
+            echo "A schedule update PR is already open. Skipping."
+          else
+            echo "duplicate_found=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Schedule Update PR
+        if: steps.pr-check.outputs.duplicate_found == 'false'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if git diff --quiet; then
+            echo "Schedule is already optimal. No changes needed."
+            exit 0
+          fi
+
+          BRANCH_NAME="selfheal-schedule-$(date +%Y%m%d%H%M%S)"
+          git checkout -b "$BRANCH_NAME"
+
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          git add .github/self-heal-schedule.yml .github/workflows/self-heal.yml
+          git commit -m "Auto-adjust: Update self-healing cadence"
+          git push origin "$BRANCH_NAME"
+
+          gh pr create \
+            --title "[Self-Heal Schedule] Update cadence" \
+            --body "### Automated Cadence Adjustment ⏱️🔄
+
+            Based on recent repository activity telemetry, the autonomous system has computed a new optimal schedule for the self-healing CI pipeline.
+
+            This ensures the pipeline runs frequently during periods of high activity, and enters a dormant, low-cost state during quiet periods.
+
+            *You may safely merge this to apply the new schedule.*" \
+            --label "self-heal-schedule,automation"
diff --git a/.github/workflows/self-heal.yml b/.github/workflows/self-heal.yml
@@ -0,0 +1,156 @@
+name: Self-Heal Pipeline
+
+on:
+  schedule:
+    - cron: "0 0 * * *" # AUTO-UPDATED: Replaced by compute_schedule.mjs dynamically
+  workflow_run:
+    workflows: ["ci"]
+    types: [completed]
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+
+concurrency:
+  group: selfheal-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  repair:
+    name: Autonomous Codebase Repair
+    runs-on: ubuntu-latest
+    if: >
+      !startsWith(github.ref_name, 'selfheal-') &&
+      (
+        github.event_name == 'workflow_dispatch' ||
+        github.event_name == 'schedule' ||
+        (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'failure')
+      )
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'npm'
+
+      - name: Check for duplicate open self-heal PRs
+        id: pr-check
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Cleanup stale PRs first (older than 7 days)
+          STALE_DATE=$(date -d "7 days ago" +%Y-%m-%d)
+          STALE_PRS=$(gh pr list --label "self-heal" --search "created:<$STALE_DATE" --json number --jq '.[].number')
+          for pr in $STALE_PRS; do
+            gh pr close "$pr" --comment "Auto-closing stale self-heal PR to make room for fresh attempts."
+          done
+
+          # Check recent PRs
+          RECENT_DATE=$(date -d "1 day ago" +%Y-%m-%dT%H:%M:%SZ)
+          OPEN_PR_COUNT=$(gh pr list --label "self-heal" --state open --search "created:>$RECENT_DATE" --json number | jq length)
+          if [ "$OPEN_PR_COUNT" -gt 0 ]; then
+            echo "duplicate_found=true" >> $GITHUB_OUTPUT
+            echo "A self-healing PR was opened recently. Skipping to avoid duplicate triggers."
+          else
+            echo "duplicate_found=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Initial pre-healthcheck
+        if: steps.pr-check.outputs.duplicate_found == 'false'
+        id: pre
+        run: node scripts/healthcheck.mjs > pre-check.log 2>&1 || echo "Pre-check failed, continuing to repair..."
+
+      - name: Execute self-healing repairs
+        if: steps.pr-check.outputs.duplicate_found == 'false'
+        id: heal
+        run: |
+          # This runs steps and exits 0 only if it results in healthy+diff.
+          # If it can't fix it, it will exit non-zero.
+          node scripts/self_heal.mjs > repair.log 2>&1
+
+      - name: Verify post-healthcheck
+        if: steps.pr-check.outputs.duplicate_found == 'false' && success()
+        id: post
+        run: node scripts/healthcheck.mjs > post-check.log 2>&1
+
+      - name: Verify entropy / no secrets in diff
+        if: steps.pr-check.outputs.duplicate_found == 'false' && steps.post.outcome == 'success'
+        run: |
+          # Stage safe files first to allow accurate diff scanning
+          for path in package.json package-lock.json tsconfig.json; do
+            git add "$path" 2>/dev/null || true
+          done
+          git add "src/**/*.ts" 2>/dev/null || true
+          git add "src/**/*.mjs" 2>/dev/null || true
+          git add "tests/**/*.ts" 2>/dev/null || true
+          git add "**/__snapshots__/*" 2>/dev/null || true
+
+          # Check for high-entropy strings indicating possible secrets
+          if git diff --staged | grep -iE 'apikey|api_key|token|secret|password|bearer'; then
+            echo "::error::Detected potential secrets in the diff. Aborting."
+            exit 1
+          fi
+
+      - name: Upload Logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: self-heal-logs
+          path: |
+            pre-check.log
+            repair.log
+            post-check.log
+          retention-days: 7
+
+      - name: Create Self-Heal PR
+        if: steps.pr-check.outputs.duplicate_found == 'false' && steps.post.outcome == 'success'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Determine title based on trigger
+          if [ "${{ github.event_name }}" == "schedule" ]; then
+            TITLE="[Self-Heal Scheduled] Drift fixes"
+            TRIGGER="Scheduled background drift detection."
+          elif [ "${{ github.event_name }}" == "workflow_run" ]; then
+            TITLE="[Self-Heal Reactive] CI fix"
+            TRIGGER="Reactive self-repair following a CI failure."
+          else
+            TITLE="[Self-Heal Manual] Repair"
+            TRIGGER="Manual dispatch."
+          fi
+
+          BRANCH_NAME="selfheal-$(date +%Y%m%d%H%M%S)"
+          git checkout -b "$BRANCH_NAME"
+
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          git commit -m "Auto-repair: Format, typings, snapshots, and lockfiles"
+          git push origin "$BRANCH_NAME"
+
+          gh pr create \
+            --title "$TITLE" \
+            --body "### Autonomous Codebase Repair 🤖✨
+
+            **Trigger:** $TRIGGER
+
+            This Pull Request was automatically generated by the self-healing CI pipeline. The pipeline successfully ran automated repair steps (like formatting, dependency re-resolution, and type syncing) to fix codebase drift.
+
+            Logs for the repair process can be found in the Actions tab.
+
+            **Reviewer Checklist:**
+            - [ ] Verify that no logic was inadvertently modified.
+            - [ ] Verify no secrets were added.
+            - [ ] Verify all checks pass successfully.
+
+            *Powered by Claude Code / Jules.*" \
+            --label "self-heal,automation"
diff --git a/SELF_HEAL_SETUP.md b/SELF_HEAL_SETUP.md
@@ -0,0 +1,46 @@
+# Self-Healing CI Pipeline Setup
+
+This repository is equipped with an automated self-healing CI pipeline designed to repair codebase drift, formatting issues, missing types, and outdated lockfiles autonomously.
+
+## Pipeline Overview
+
+The pipeline consists of three triggers, six idempotent repair steps, and a self-adjusting scheduler.
+
+### Triggers
+1. **Scheduled**: Runs proactively based on a cadence derived from repository activity telemetry.
+2. **Reactive (CI Failure)**: Automatically triggered if the main CI workflow (`ci`) fails.
+3. **Manual Dispatch**: Can be run manually at any time via GitHub Actions `workflow_dispatch`.
+
+### Idempotent Repair Steps
+The `scripts/self_heal.mjs` script attempts the following sequential repairs:
+1. **Rebuild/Reinstall**: Clean dependency installation (`npm ci` or `pnpm install --frozen-lockfile`).
+2. **Lint/Format Auto-Fix**: Automatically fixes ESLint and Prettier errors.
+3. **Snapshot/Generated Updates**: Updates failing Vitest test snapshots.
+4. **Type Stubs Acquisition**: Uses `typesync` to fetch missing TypeScript definitions.
+5. **Dependency Re-resolve**: Refreshes lockfiles for safety updates.
+6. **Static Asset Regeneration**: Updates generated docs or badges.
+
+After each step, a healthcheck (`scripts/healthcheck.mjs`) is run. If the codebase becomes healthy *and* a file diff exists, the script halts and prepares a Pull Request.
+
+## Self-Scheduling
+
+The system autonomously manages its own scheduled cadence using `scripts/compute_schedule.mjs`.
+
+- A rolling telemetry lookback window checks PR merge frequency and CI failure rates via the GitHub API.
+- The workflow categorizes repository activity into tiers (high, active, standard, low-churn, dormant).
+- It generates an optimized cron expression and updates `.github/self-heal-schedule.yml` via its own Pull Request (`compute-schedule.yml` workflow).
+
+### Manual Override
+
+If you wish to force a specific schedule and prevent the self-adjuster from changing it:
+1. Edit `.github/self-heal-schedule.yml`.
+2. Update the `schedule` string.
+3. You must keep the `# AUTO-UPDATED` comment marker exactly inline with the `schedule:` key if manual override falls back to automated tuning later.
+4. (Optional) Disable the `compute-schedule.yml` GitHub Actions workflow entirely.
+
+## Reviewer Checklist for Self-Heal PRs
+When reviewing an automated self-heal PR, verify:
+- [ ] Only intended repair types (formatting, snapshots, lockfiles, types) are included.
+- [ ] No application source code or test logic was structurally altered.
+- [ ] No secrets or PII were inadvertently included in the diff.
+- [ ] The pipeline successfully exited with a `0` code during final validation.
diff --git a/eslint.config.mjs b/eslint.config.mjs
@@ -0,0 +1,42 @@
+import eslint from '@eslint/js';
+import tseslint from 'typescript-eslint';
+
+export default tseslint.config(
+  {
+    ignores: ['build/**', 'dist/**', 'coverage/**', 'bin/**']
+  },
+  eslint.configs.recommended,
+  ...tseslint.configs.recommended,
+  {
+    languageOptions: {
+      globals: {
+        console: 'readonly',
+        process: 'readonly',
+        global: 'readonly',
+        Headers: 'readonly',
+        setTimeout: 'readonly',
+        clearTimeout: 'readonly',
+        fetch: 'readonly',
+        URL: 'readonly',
+        FormData: 'readonly',
+        Buffer: 'readonly'
+      }
+    },
+    rules: {
+      '@typescript-eslint/no-explicit-any': 'off',
+      '@typescript-eslint/no-unused-vars': 'off',
+      '@typescript-eslint/ban-ts-comment': 'off',
+      '@typescript-eslint/no-unused-expressions': 'off',
+      'no-undef': 'off',
+      'no-redeclare': 'off',
+      '@typescript-eslint/no-this-alias': 'off',
+      'no-empty': 'off',
+      'no-cond-assign': 'off',
+      'no-unsafe-finally': 'off',
+      'no-control-regex': 'off',
+      'no-useless-escape': 'off',
+      'no-fallthrough': 'off',
+      'prefer-const': 'off'
+    }
+  }
+);