sxn 0.2.0

data/lib/sxn/security/secure_path_validator.rb

@@ -0,0 +1,258 @@
+# frozen_string_literal: true
+
+require "pathname"
+
+module Sxn
+  module Security
+    # SecurePathValidator provides security controls for file system path operations.
+    # It prevents directory traversal attacks, validates paths stay within project boundaries,
+    # checks for dangerous symlinks, and ensures no ".." components in paths.
+    #
+    # @example
+    #   validator = SecurePathValidator.new("/path/to/project")
+    #   validator.validate_path("config/database.yml")  # => "/path/to/project/config/database.yml"
+    #   validator.validate_path("../etc/passwd")        # => raises PathValidationError
+    #
+    class SecurePathValidator
+      # @param project_root [String] The absolute path to the project root directory
+      # @raise [ArgumentError] if project_root is nil, empty, or not an absolute path
+      def initialize(project_root)
+        raise ArgumentError, "Project root cannot be nil or empty" if project_root.nil? || project_root.empty?
+
+        # Resolve relative paths to absolute paths
+        absolute_root = if Pathname.new(project_root).absolute?
+                          project_root
+                        else
+                          File.expand_path(project_root)
+                        end
+
+        @project_root = File.realpath(absolute_root)
+        @project_root_pathname = Pathname.new(@project_root)
+      rescue Errno::ENOENT
+        raise PathValidationError, "Project root does not exist: #{project_root}"
+      end
+
+      # Validates that a path is safe and within project boundaries
+      #
+      # @param path [String] The path to validate (can be relative or absolute)
+      # @param allow_creation [Boolean] Whether to allow validation of non-existent paths
+      # @return [String] The absolute, validated path
+      # @raise [PathValidationError] if the path is unsafe or outside project boundaries
+      def validate_path(path, allow_creation: false)
+        raise ArgumentError, "Path cannot be nil or empty" if path.nil? || (path.respond_to?(:empty?) && path.empty?)
+        raise ArgumentError, "Path must be a string" unless path.is_a?(String)
+
+        # Check for dangerous patterns in the raw path
+        validate_path_components!(path)
+
+        # Convert to absolute path relative to project root
+        absolute_path = if Pathname.new(path).absolute?
+                          path
+                        else
+                          File.join(@project_root, path)
+                        end
+
+        # Normalize the path and check boundaries
+        normalized_path = if File.exist?(absolute_path)
+                            File.realpath(absolute_path)
+                          elsif allow_creation
+                            # For non-existent paths, we need to validate the normalized path manually
+                            normalize_path_manually(absolute_path)
+                          else
+                            # If file doesn't exist and creation isn't allowed, use realpath which will fail
+                            File.realpath(absolute_path)
+                          end
+
+        validate_within_boundaries!(normalized_path)
+        validate_symlink_safety!(normalized_path) if File.exist?(normalized_path)
+
+        normalized_path
+      end
+
+      # Validates a source and destination pair for file operations
+      #
+      # @param source [String] The source path
+      # @param destination [String] The destination path
+      # @param allow_creation [Boolean] Whether to allow validation of non-existent destination
+      # @return [Array<String>] Array containing [validated_source, validated_destination]
+      # @raise [PathValidationError] if either path is unsafe
+      def validate_file_operation(source, destination, allow_creation: true)
+        validated_source = validate_path(source, allow_creation: false)
+        validated_destination = validate_path(destination, allow_creation: allow_creation)
+
+        # Additional checks for file operations
+        raise PathValidationError, "Source cannot be a directory: #{source}" if File.exist?(validated_source) && File.directory?(validated_source)
+
+        [validated_source, validated_destination]
+      end
+
+      # Checks if a path is within the project boundaries without full validation
+      #
+      # @param path [String] The path to check
+      # @return [Boolean] true if the path appears to be within boundaries
+      def within_boundaries?(path)
+        return false if path.nil? || path.empty?
+
+        begin
+          validate_path(path, allow_creation: true)
+          true
+        rescue PathValidationError
+          false
+        end
+      end
+
+      # Returns the project root path
+      #
+      # @return [String] The absolute project root path
+      attr_reader :project_root
+
+      private
+
+      # Validates individual path components for dangerous patterns
+      def validate_path_components!(path)
+        # Check for null bytes (directory traversal in some filesystems)
+        if path.include?("\x00")
+          # Also check if it contains directory traversal
+          if path.include?("../") || path.include?("..\\") || path.include?("..")
+            raise PathValidationError, "Path contains directory traversal sequences: #{path}"
+          end
+
+          raise PathValidationError, "Path contains null bytes: #{path}"
+
+        end
+
+        # Check for obvious directory traversal attempts
+        if path.include?("../") || path.include?("..\\") || path == ".."
+          raise PathValidationError, "Path contains directory traversal sequences: #{path}"
+        end
+
+        # Check for other dangerous patterns
+        dangerous_patterns = [
+          %r{/\.\.(?:/|\z)},     # /../ or /.. at end
+          %r{\A\.\.(?:/|\z)},    # ../ or .. at start
+          %r{//+} # multiple slashes (potential bypass)
+        ]
+
+        dangerous_patterns.each do |pattern|
+          raise PathValidationError, "Path contains dangerous pattern: #{path}" if path.match?(pattern)
+        end
+      end
+
+      # Validates that a normalized path is within project boundaries
+      def validate_within_boundaries!(absolute_path)
+        absolute_pathname = Pathname.new(absolute_path)
+
+        # Check if the path is under the project root
+        begin
+          relative_path = absolute_pathname.relative_path_from(@project_root_pathname)
+
+          # relative_path_from raises ArgumentError if paths don't share a common ancestor
+          # Additional check: ensure the relative path doesn't start with ../
+          if relative_path.to_s.start_with?("../") || relative_path.to_s == ".."
+            raise PathValidationError, "Path is outside project boundaries: #{absolute_path}"
+          end
+        rescue ArgumentError
+          # This means the paths don't share a common ancestor
+          raise PathValidationError, "Path is outside project boundaries: #{absolute_path}"
+        end
+      end
+
+      # Validates symlink safety to prevent symlink attacks
+      def validate_symlink_safety!(path)
+        # Convert path to Pathname for manipulation
+        pathname = Pathname.new(path)
+
+        # For absolute paths, we need to check each component from the path itself
+        # For relative paths, build from project root
+        if pathname.absolute?
+          # Ensure both paths are resolved consistently to avoid symlink resolution issues
+          resolved_path = File.exist?(path) ? File.realpath(path) : path
+          resolved_pathname = Pathname.new(resolved_path)
+          project_root_pathname = Pathname.new(@project_root)
+
+          # Make path relative to project root to get the components to check
+          begin
+            relative_path = resolved_pathname.relative_path_from(project_root_pathname)
+            path_parts = relative_path.each_filename.to_a
+            current_path = Pathname.new(@project_root)
+          rescue ArgumentError
+            # Path is not within project boundaries, but this should have been caught earlier
+            raise PathValidationError, "Path is outside project boundaries: #{path}"
+          end
+        else
+          # For relative paths, use them directly
+          path_parts = pathname.each_filename.to_a
+          current_path = Pathname.new(@project_root)
+        end
+
+        path_parts.each do |part|
+          current_path = current_path.join(part)
+
+          next unless current_path.symlink?
+
+          target = current_path.readlink
+
+          # If symlink target is absolute, validate it
+          if target.absolute?
+            # Resolve absolute symlink targets to handle symlink chains
+            resolved_absolute = File.exist?(target.to_s) ? File.realpath(target.to_s) : target.to_s
+            validate_within_boundaries!(resolved_absolute)
+          else
+            # If relative, resolve relative to symlink location and validate
+            resolved_target = current_path.dirname.join(target).cleanpath
+            # Ensure consistent path resolution by using realpath if the target exists
+            final_target = File.exist?(resolved_target.to_s) ? File.realpath(resolved_target.to_s) : resolved_target.to_s
+            validate_within_boundaries!(final_target)
+          end
+        end
+      end
+
+      # Manually normalize a path without requiring it to exist
+      def normalize_path_manually(path)
+        # Convert to Pathname for easier manipulation
+        pathname = Pathname.new(path)
+
+        # Special check for the dangerous traversal case we need to catch:
+        # Paths like "/a/../../../etc/passwd" where we have more .. than directories to back out of
+
+        # First, let's check the cleaned path to see if it results in something that goes outside the root
+        cleaned = pathname.cleanpath
+
+        # For absolute paths, check for dangerous traversal patterns
+        if pathname.absolute?
+          # Use cleanpath first to see what the path actually resolves to
+          cleaned = pathname.cleanpath
+
+          # If cleanpath results in going to parent of root, check if it's truly dangerous
+          if cleaned.to_s == "/"
+            # This is fine - just resolves to root
+          else
+            # Now simulate the original path resolution to detect dangerous traversal
+            parts = path.split(File::SEPARATOR).reject { |p| p.empty? || p == "." }
+            stack = []
+            exceeded_root = false
+
+            parts.each do |part|
+              if part == ".."
+                if stack.empty?
+                  # This would go above root, track it
+                  exceeded_root = true
+                else
+                  stack.pop
+                end
+              else
+                stack << part
+              end
+            end
+
+            # Only raise error if we exceeded root AND there are still meaningful path components
+            raise PathValidationError, "path traversal detected: #{path}" if exceeded_root && !stack.empty?
+          end
+        end
+
+        # For all paths, use cleanpath for the actual normalization
+        cleaned.to_s
+      end
+    end
+  end
+end

data/lib/sxn/security.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require_relative "security/secure_path_validator"
+require_relative "security/secure_command_executor"
+require_relative "security/secure_file_copier"
+
+module Sxn
+  # Security namespace provides components for secure file operations,
+  # command execution, path validation, and audit logging.
+  #
+  # This module follows Ruby gem best practices by using explicit requires
+  # instead of autoload for better loading performance and dependency clarity.
+  module Security
+  end
+end

data/lib/sxn/templates/common/gitignore.liquid

@@ -0,0 +1,99 @@
+# Session-specific .gitignore for {{ session.name }}
+# This file contains patterns specific to this development session
+
+# Session metadata
+.sxn/
+session-info.md
+*.session.log
+
+# Temporary files created during development
+*.tmp
+*.temp
+.temp/
+temp/
+
+# IDE and editor files
+.vscode/settings.json
+.idea/workspace.xml
+*.swp
+*.swo
+*~
+.DS_Store
+
+# OS-specific files
+Thumbs.db
+.Spotlight-V100
+.Trashes
+
+# Development logs
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+
+# Environment files (session-specific)
+.env.{{ session.name }}
+.env.local.{{ session.name }}
+
+{% if project.type == "rails" %}
+# Rails session-specific ignores
+/log/*.log
+/tmp/cache/
+/tmp/pids/
+/tmp/sockets/
+/vendor/bundle
+.bundle/
+{% endif %}
+
+{% if project.type == "javascript" or project.type == "typescript" or project.type == "nodejs" %}
+# Node.js session-specific ignores
+node_modules/
+.npm/
+.pnpm-store/
+.yarn/cache/
+.yarn/unplugged/
+.yarn/build-state.yml
+.yarn/install-state.gz
+.next/
+.nuxt/
+dist/
+build/
+{% endif %}
+
+# Database files (session-specific)
+{% if project.type == "rails" %}
+/db/*.sqlite3
+/db/*.sqlite3-*
+{% endif %}
+*.db
+*.sqlite
+*.sqlite3
+
+# Coverage reports
+coverage/
+.nyc_output/
+.coverage/
+
+# Dependency directories
+vendor/
+bower_components/
+
+# Optional npm cache directory
+.npm
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Session-specific backup files
+*.{{ session.name }}.backup
+backup.{{ session.name }}/

data/lib/sxn/templates/common/session-info.md.liquid

@@ -0,0 +1,58 @@
+# Session: {{session.name}}
+
+## Session Details
+- **Name**: {{session.name}}
+- **Created**: {{session.created_at | date: "%Y-%m-%d %H:%M:%S"}}
+- **Updated**: {{session.updated_at | date: "%Y-%m-%d %H:%M:%S"}}
+- **Status**: {{session.status}}
+- **Path**: `{{session.path}}`
+{% if session.linear_task %}- **Linear Task**: {{session.linear_task}}{% endif %}
+{% if session.description %}- **Description**: {{session.description}}{% endif %}
+
+## Worktrees
+
+{% if session.worktrees %}
+{% for worktree in session.worktrees %}
+### {{worktree.name}}
+- **Path**: `{{worktree.path}}`
+- **Branch**: `{{worktree.branch}}`
+- **Created**: {{worktree.created_at | date: "%Y-%m-%d %H:%M:%S"}}
+{% endfor %}
+{% else %}
+No worktrees configured for this session.
+{% endif %}
+
+## Environment
+
+- **User**: {{user.username}}
+- **Home Directory**: {{user.home}}
+- **Ruby**: {{environment.ruby.version}}
+{% if environment.node.version %}- **Node.js**: {{environment.node.version}}{% endif %}
+{% if environment.python.version %}- **Python**: {{environment.python.version}}{% endif %}
+
+## Session Commands
+
+```bash
+# List all sessions
+sxn list
+
+# Switch to this session
+sxn use {{session.name}}
+
+# Add a new worktree
+sxn worktree add <project-name> <branch-name>
+
+# Remove session
+sxn remove {{session.name}}
+```
+
+{% if session.tags %}
+## Tags
+{% for tag in session.tags %}
+- {{tag}}
+{% endfor %}
+{% endif %}
+
+---
+
+*Session information generated at {{timestamp}}*

data/lib/sxn/templates/errors.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "../errors"
+
+module Sxn
+  module Templates
+    module Errors
+      # Base class for template-related errors
+      class TemplateError < Sxn::Error; end
+
+      # Raised when template syntax is invalid
+      class TemplateSyntaxError < TemplateError; end
+
+      # Raised when template processing fails
+      class TemplateProcessingError < TemplateError; end
+
+      # Raised when template file is not found
+      class TemplateNotFoundError < TemplateError; end
+
+      # Raised when template exceeds size limits
+      class TemplateTooLargeError < TemplateError; end
+
+      # Raised when template processing times out
+      class TemplateTimeoutError < TemplateError; end
+
+      # Raised when template contains security violations
+      class TemplateSecurityError < TemplateError; end
+
+      # Raised when template rendering encounters errors
+      class TemplateRenderError < TemplateError; end
+
+      # Raised when template variable collection fails
+      class TemplateVariableError < TemplateError; end
+    end
+  end
+end

data/lib/sxn/templates/javascript/README.md.liquid

@@ -0,0 +1,59 @@
+# {{project.name}} - JavaScript Development Session
+
+## Project Information
+- **Session Name**: {{session.name}}
+- **Project Type**: {{project.type | capitalize}}
+- **Package Manager**: {{project.package_manager | default: 'npm'}}
+- **Node.js Version**: {{environment.node.version | default: 'Not detected'}}
+
+## Available Scripts
+
+{% if project.scripts %}
+{% for script in project.scripts %}
+- `{{script[0]}}`: {{script[1]}}
+{% endfor %}
+{% else %}
+No scripts found in package.json
+{% endif %}
+
+## Dependencies
+
+{% if project.dependencies %}
+### Production Dependencies
+{% for dep in project.dependencies %}
+- {{dep}}
+{% endfor %}
+{% endif %}
+
+{% if project.dev_dependencies %}
+### Development Dependencies
+{% for dep in project.dev_dependencies %}
+- {{dep}}
+{% endfor %}
+{% endif %}
+
+## Getting Started
+
+```bash
+# Use the correct Node.js version
+nvm use {{environment.node.version | default: '18.0.0'}}
+
+# Install dependencies
+{{project.package_manager | default: 'npm'}} install
+
+# Start development server
+{{project.package_manager | default: 'npm'}} run dev
+```
+
+## Cursor Rules Integration
+
+This project uses cursor rules for enhanced development:
+
+```javascript
+mcp__cursor_rules__get_contextual_rules({ context: "frontend_internationalization" })
+mcp__cursor_rules__get_contextual_rules({ context: "cli_development" })
+```
+
+---
+
+*Session: {{session.name}} | Created: {{session.created_at | date: "%Y-%m-%d %H:%M:%S"}}*