@axiomatic-labs/claudeflow 2.0.24 → 2.0.25

package/lib/auth.js

@@ -1,15 +1,34 @@
 const { execSync } = require('child_process');
 
+const VALID_TOKEN_PATTERNS = [
+  /^ghp_[A-Za-z0-9_]+$/,       // Personal access token
+  /^gho_[A-Za-z0-9_]+$/,       // OAuth token
+  /^ghu_[A-Za-z0-9_]+$/,       // User-to-server token
+  /^ghs_[A-Za-z0-9_]+$/,       // Server-to-server token
+  /^github_pat_[A-Za-z0-9_]+$/,// Fine-grained PAT
+  /^[0-9a-f]{40}$/,            // Classic 40-char hex token
+];
+
+function sanitizeToken(raw) {
+  if (!raw || typeof raw !== 'string') return null;
+  const clean = raw.replace(/[\x00-\x1F\x7F]/g, '').trim();
+  if (!clean) return null;
+  if (!VALID_TOKEN_PATTERNS.some((re) => re.test(clean))) return null;
+  return clean;
+}
+
 function getGitHubToken() {
   // Try gh CLI first
   try {
-    const token = execSync('gh auth token', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+    const raw = execSync('gh auth token', { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const token = sanitizeToken(raw);
     if (token) return token;
   } catch {}
 
   // Fall back to GITHUB_TOKEN env var
   if (process.env.GITHUB_TOKEN) {
-    return process.env.GITHUB_TOKEN;
+    const token = sanitizeToken(process.env.GITHUB_TOKEN);
+    if (token) return token;
   }
 
   return null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@axiomatic-labs/claudeflow",
-  "version": "2.0.24",
+  "version": "2.0.25",
   "description": "Claudeflow — AI-powered development toolkit for Claude Code. Skills, agents, hooks, and quality gates that ship production apps.",
   "bin": {
     "claudeflow": "./bin/cli.js"