chore(cron): add commit-freshness monitor + harden daily sync

OhadPerryBoomi · claude · OhadPerryBoomi · commit 8dc2dd1a9236 · 2026-06-07T13:36:37.000+03:00
Add scripts/monitor-commit-freshness.sh (LaunchAgent com.user.complexity-monitor,
daily 13:00): checks the GitHub *remote* main tip age and alerts via
terminal-notifier if older than MAX_AGE_HOURS (default 36). Watches the remote,
not local, because the sync keeps committing locally even when its push is dead
— which is exactly how a stranded-push regression hid for ~7 days.

Harden scripts/launchd-sync.sh:
- self-locate REPO_DIR from the script path instead of a hardcoded dir (a
  hardcoded path is how a stale ~/dev copy ended up committing into ~/Documents)
- log to ~/Library/Logs (not TCC-protected ~/Documents, whose launchd append
  intermittently failed with EINTR)
- push to the named 'origin' remote via a one-shot HTTP auth header so the
  origin/main tracking ref advances (the old ad-hoc token URL left git status
  perpetually "ahead N"); token injected transiently, never persisted

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/scripts/launchd-sync.sh b/scripts/launchd-sync.sh
@@ -12,8 +12,14 @@ export TIKTOKEN_CACHE_DIR="/Users/ohadperry/.cache/tiktoken-persistent"
 export SSL_CERT_FILE="/Users/ohadperry/.ssl/combined_certs.pem"
 export REQUESTS_CA_BUNDLE="/Users/ohadperry/.ssl/combined_certs.pem"
 
-REPO_DIR="/Users/ohadperry/Documents/Dev/complexity-analyzer"
-LOG_FILE="$REPO_DIR/logs/launchd-sync.log"
+# Self-locating: operate on the repo this script actually lives in, never a
+# hardcoded path. (A hardcoded REPO_DIR is how an old ~/dev copy ended up
+# committing into ~/Documents/Dev — see scripts/monitor-commit-freshness.sh.)
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+# Log to ~/Library/Logs (NOT ~/Documents — that path is TCC-protected and the
+# launchd append intermittently fails with EINTR / "Interrupted system call").
+LOG_FILE="$HOME/Library/Logs/complexity-sync.log"
 TOKEN_FILE="$HOME/.config/gh-token"
 
 cd "$REPO_DIR"
@@ -55,12 +61,16 @@ if [ -n "$changed_files" ]; then
   /usr/bin/git add $changed_files
   /usr/bin/git commit -m "chore: daily sync — $labeled new PRs labeled, $jira_new jira features added (total PRs: $total)" >> "$LOG_FILE" 2>&1
 
-  # Push using token from file — osxkeychain credential helper is unreliable
-  # from launchd. Fall back to origin remote if token file missing.
+  # Push to the NAMED 'origin' remote so the local origin/main tracking ref
+  # advances (an ad-hoc token URL pushes fine but leaves `git status` stuck at
+  # "ahead N" forever). osxkeychain is unavailable under launchd, so the token
+  # is injected as a one-shot HTTP Authorization header — never persisted to
+  # .git/config and not embedded in the remote URL.
   if [ -r "$TOKEN_FILE" ]; then
     GH_TOKEN_VALUE=$(tr -d '\n\r' < "$TOKEN_FILE")
-    PUSH_URL="https://x-access-token:${GH_TOKEN_VALUE}@github.com/RiveryIO/complexity-analyzer.git"
-    if /usr/bin/git push "$PUSH_URL" main >> "$LOG_FILE" 2>&1; then
+    AUTH_B64=$(printf 'x-access-token:%s' "$GH_TOKEN_VALUE" | base64 | tr -d '\n')
+    if /usr/bin/git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${AUTH_B64}" \
+         push origin main >> "$LOG_FILE" 2>&1; then
       push_status="pushed"
     else
       push_status="push-failed"
diff --git a/scripts/monitor-commit-freshness.sh b/scripts/monitor-commit-freshness.sh
@@ -0,0 +1,86 @@
+#!/bin/bash
+# monitor-commit-freshness.sh — alert if RiveryIO/complexity-analyzer's GitHub
+# `main` branch has not received a commit within MAX_AGE_HOURS.
+#
+# WHY THE REMOTE, NOT LOCAL: the daily sync (com.user.complexity-sync) keeps
+# committing locally even when its `git push` is broken, so the local repo
+# always looks "fresh". Only the *remote* tip reveals a dead push. This is
+# exactly the failure that hid for 7 days in June 2026 (the gh token in
+# ~/.config/gh-token expired and every scheduled push silently 403'd).
+#
+# Exit codes: 0 = fresh, 1 = stale (alerted), 2 = could not verify (alerted).
+set -u
+
+export PATH="/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin"
+
+# Same CA bundle the sync job uses (corporate TLS interception). git needs
+# GIT_SSL_CAINFO; without it https to github fails under launchd.
+CA_BUNDLE="/Users/ohadperry/.ssl/combined_certs.pem"
+[ -r "$CA_BUNDLE" ] && export GIT_SSL_CAINFO="$CA_BUNDLE"
+
+REPO_DIR="/Users/ohadperry/Documents/Dev/complexity-analyzer"
+REMOTE_HOST_PATH="github.com/RiveryIO/complexity-analyzer.git"
+BRANCH="main"
+TOKEN_FILE="$HOME/.config/gh-token"
+# Library/Logs is NOT TCC-protected like ~/Documents, so launchd appends here
+# reliably (the sync job's ~/Documents log intermittently hits EINTR).
+LOG_FILE="$HOME/Library/Logs/complexity-monitor.log"
+MAX_AGE_HOURS="${MAX_AGE_HOURS:-36}"
+NOTIFIER="/opt/homebrew/bin/terminal-notifier"
+
+log() { echo "$(date '+%Y-%m-%d %H:%M:%S'): $*" >> "$LOG_FILE"; }
+
+notify() { # $1 = subtitle, $2 = message
+  [ -x "$NOTIFIER" ] && "$NOTIFIER" \
+    -title "⚠️ complexity-analyzer not pushing" \
+    -subtitle "$1" \
+    -message "$2" \
+    -group "complexity-monitor" \
+    -sound default >/dev/null 2>&1
+}
+
+cd "$REPO_DIR" 2>/dev/null || { log "FATAL: cannot cd to $REPO_DIR"; notify "Monitor error" "Cannot access $REPO_DIR"; exit 2; }
+
+# Authenticated URL — the osxkeychain helper is unavailable under launchd, so we
+# use the same token file the sync job pushes with.
+if [ -r "$TOKEN_FILE" ]; then
+  TOKEN=$(tr -d '\n\r' < "$TOKEN_FILE")
+  REMOTE_URL="https://x-access-token:${TOKEN}@${REMOTE_HOST_PATH}"
+else
+  REMOTE_URL="https://${REMOTE_HOST_PATH}"
+fi
+
+# Remote tip SHA, without mutating any local ref.
+REMOTE_SHA=$(/usr/bin/git ls-remote "$REMOTE_URL" "refs/heads/$BRANCH" 2>>"$LOG_FILE" | cut -f1)
+if [ -z "$REMOTE_SHA" ]; then
+  log "UNVERIFIED: ls-remote returned nothing (expired token or no network?)"
+  notify "Cannot verify remote" "ls-remote failed — token expired or offline?"
+  exit 2
+fi
+
+# The remote tip is normally already an ancestor of local main, so read its date
+# locally without fetching; otherwise fetch just that branch into FETCH_HEAD.
+COMMIT_EPOCH=$(/usr/bin/git log -1 --format=%ct "$REMOTE_SHA" 2>/dev/null)
+if [ -z "$COMMIT_EPOCH" ]; then
+  /usr/bin/git fetch --quiet "$REMOTE_URL" "$BRANCH" 2>>"$LOG_FILE" \
+    && COMMIT_EPOCH=$(/usr/bin/git log -1 --format=%ct FETCH_HEAD 2>/dev/null)
+fi
+if [ -z "$COMMIT_EPOCH" ]; then
+  log "UNVERIFIED: resolved remote tip $REMOTE_SHA but could not read its commit date"
+  notify "Cannot verify remote" "Got SHA ${REMOTE_SHA:0:7} but no commit date"
+  exit 2
+fi
+
+NOW=$(date +%s)
+AGE_HOURS=$(( (NOW - COMMIT_EPOCH) / 3600 ))
+SHORT_SHA=${REMOTE_SHA:0:7}
+COMMIT_WHEN=$(date -r "$COMMIT_EPOCH" '+%Y-%m-%d %H:%M')
+
+if [ "$AGE_HOURS" -gt "$MAX_AGE_HOURS" ]; then
+  log "STALE: GitHub $BRANCH tip $SHORT_SHA is ${AGE_HOURS}h old (> ${MAX_AGE_HOURS}h), last commit $COMMIT_WHEN"
+  notify "No push for ${AGE_HOURS}h" "GitHub $BRANCH @ $SHORT_SHA, last commit $COMMIT_WHEN"
+  exit 1
+fi
+
+log "OK: GitHub $BRANCH tip $SHORT_SHA is ${AGE_HOURS}h old (<= ${MAX_AGE_HOURS}h), last commit $COMMIT_WHEN"
+exit 0
