@controlvector/cv-agent 1.9.0 → 1.9.2

package/dist/bundle.cjs

@@ -3847,10 +3847,10 @@ async function runSetup() {
     console.log(`    ${source_default.cyan("a")} \u2014 Initialize a new project here: ${cwd}`);
     console.log(`    ${source_default.cyan("b")} \u2014 Clone an existing repo from CV-Hub`);
     console.log();
-    const choice = await new Promise((resolve) => {
+    const choice = await new Promise((resolve2) => {
       rl.question("  Choose [a/b]: ", (answer) => {
         rl.close();
-        resolve(answer.trim().toLowerCase() || "a");
+        resolve2(answer.trim().toLowerCase() || "a");
       });
     });
     if (choice === "b" && token) {
@@ -3878,10 +3878,10 @@ async function runSetup() {
             });
             console.log();
             const rl2 = readline.createInterface({ input: process.stdin, output: process.stdout });
-            const selection = await new Promise((resolve) => {
+            const selection = await new Promise((resolve2) => {
               rl2.question(`  Select a repo [1-${displayRepos.length}]: `, (answer) => {
                 rl2.close();
-                resolve(answer.trim());
+                resolve2(answer.trim());
               });
             });
             const idx = parseInt(selection, 10) - 1;
@@ -3929,6 +3929,41 @@ async function runSetup() {
   } else {
     console.log(source_default.green("  \u2713") + " CLAUDE.md present");
   }
+  const gitignorePath = (0, import_node_path.join)(cwd, ".gitignore");
+  const CREDENTIAL_PATTERNS = [
+    "# Credentials and secrets (auto-added by cv-agent)",
+    ".env",
+    ".env.*",
+    ".claude/",
+    ".claude.json",
+    ".credentials*",
+    "*.pem",
+    "*.key",
+    ".ssh/",
+    ".gnupg/",
+    ".npm/",
+    ".config/",
+    ".zsh_history",
+    ".bash_history",
+    ".zsh_sessions/",
+    "node_modules/",
+    ".DS_Store"
+  ];
+  try {
+    let gitignoreContent = "";
+    if ((0, import_node_fs.existsSync)(gitignorePath)) {
+      gitignoreContent = (0, import_node_fs.readFileSync)(gitignorePath, "utf-8");
+    }
+    const missing = CREDENTIAL_PATTERNS.filter((p) => !gitignoreContent.includes(p));
+    if (missing.length > 0) {
+      const addition = (gitignoreContent && !gitignoreContent.endsWith("\n") ? "\n" : "") + missing.join("\n") + "\n";
+      (0, import_node_fs.writeFileSync)(gitignorePath, gitignoreContent + addition);
+      console.log(source_default.green("  \u2713") + " .gitignore updated with credential protection");
+    } else {
+      console.log(source_default.green("  \u2713") + " .gitignore has credential protection");
+    }
+  } catch {
+  }
   if (!hasCVDir) {
     (0, import_node_fs.mkdirSync)((0, import_node_path.join)(cwd, ".cv"), { recursive: true });
   }
@@ -4015,10 +4050,10 @@ async function runSetup() {
   if (!agentRunning) {
     const readline = await import("node:readline");
     const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-    const answer = await new Promise((resolve) => {
+    const answer = await new Promise((resolve2) => {
       rl.question("  Start the CV-Agent daemon? (Y/n): ", (a) => {
         rl.close();
-        resolve(a.trim().toLowerCase() || "y");
+        resolve2(a.trim().toLowerCase() || "y");
       });
     });
     if (answer === "y" || answer === "yes" || answer === "") {
@@ -4558,11 +4593,78 @@ async function writeConfig(config) {
 
 // src/commands/git-safety.ts
 var import_node_child_process3 = require("node:child_process");
+var import_node_fs2 = require("node:fs");
+var import_node_path2 = require("node:path");
+var import_node_os3 = require("node:os");
+var DANGEROUS_PATTERNS = [
+  ".claude/",
+  ".claude.json",
+  ".credentials",
+  ".zsh_history",
+  ".bash_history",
+  ".zsh_sessions/",
+  ".ssh/",
+  ".gnupg/",
+  ".npm/",
+  ".config/",
+  ".CFUserTextEncoding",
+  "Library/",
+  "Applications/",
+  ".Trash/",
+  ".DS_Store",
+  "node_modules/",
+  ".env",
+  ".env.local",
+  ".env.production"
+];
 function git(cmd, cwd) {
   return (0, import_node_child_process3.execSync)(cmd, { cwd, encoding: "utf8", timeout: 3e4 }).trim();
 }
+function checkWorkspaceSafety(workspaceRoot) {
+  const resolved = (0, import_node_path2.resolve)(workspaceRoot);
+  const home = (0, import_node_path2.resolve)((0, import_node_os3.homedir)());
+  if (resolved === home) {
+    return `Workspace is user HOME directory (${home}). Refusing to auto-commit to prevent indexing personal files.`;
+  }
+  if (home.startsWith(resolved + "/")) {
+    return `Workspace (${resolved}) is a parent of HOME. Refusing to auto-commit.`;
+  }
+  if (!(0, import_node_fs2.existsSync)((0, import_node_path2.join)(resolved, ".git"))) {
+    return `No .git directory in ${resolved}. Not a git repository.`;
+  }
+  return null;
+}
+function filterDangerousFiles(statusLines) {
+  const safe = [];
+  const blocked = [];
+  for (const line of statusLines) {
+    const filePath = line.substring(3).trim();
+    const isDangerous = DANGEROUS_PATTERNS.some(
+      (pattern) => filePath.startsWith(pattern) || filePath.includes("/" + pattern)
+    );
+    if (isDangerous) {
+      blocked.push(filePath);
+    } else {
+      safe.push(line);
+    }
+  }
+  return { safe, blocked };
+}
 function gitSafetyNet(workspaceRoot, taskTitle, taskId, branch) {
   const targetBranch = branch || "main";
+  const safetyError = checkWorkspaceSafety(workspaceRoot);
+  if (safetyError) {
+    console.log(`  [git-safety] BLOCKED: ${safetyError}`);
+    return {
+      hadChanges: false,
+      filesAdded: 0,
+      filesModified: 0,
+      filesDeleted: 0,
+      pushed: false,
+      skipped: true,
+      skipReason: safetyError
+    };
+  }
   try {
     let statusOutput;
     try {
@@ -4570,8 +4672,8 @@ function gitSafetyNet(workspaceRoot, taskTitle, taskId, branch) {
     } catch {
       return { hadChanges: false, filesAdded: 0, filesModified: 0, filesDeleted: 0, pushed: false, error: "git status failed" };
     }
-    const lines = statusOutput.split("\n").filter(Boolean);
-    if (lines.length === 0) {
+    const allLines = statusOutput.split("\n").filter(Boolean);
+    if (allLines.length === 0) {
       try {
         const unpushed = git(`git log origin/${targetBranch}..HEAD --oneline 2>/dev/null`, workspaceRoot);
         if (unpushed) {
@@ -4583,8 +4685,16 @@ function gitSafetyNet(workspaceRoot, taskTitle, taskId, branch) {
       }
       return { hadChanges: false, filesAdded: 0, filesModified: 0, filesDeleted: 0, pushed: false };
     }
+    const { safe: safeLines, blocked } = filterDangerousFiles(allLines);
+    if (blocked.length > 0) {
+      console.log(`  [git-safety] Blocked ${blocked.length} sensitive file(s) from staging: ${blocked.slice(0, 5).join(", ")}${blocked.length > 5 ? "..." : ""}`);
+    }
+    if (safeLines.length === 0) {
+      console.log(`  [git-safety] All ${allLines.length} changed files were blocked by safety filter`);
+      return { hadChanges: false, filesAdded: 0, filesModified: 0, filesDeleted: 0, pushed: false };
+    }
     let added = 0, modified = 0, deleted = 0;
-    for (const line of lines) {
+    for (const line of safeLines) {
       const code = line.substring(0, 2);
       if (code.includes("?")) added++;
       else if (code.includes("D")) deleted++;
@@ -4592,9 +4702,15 @@ function gitSafetyNet(workspaceRoot, taskTitle, taskId, branch) {
       else added++;
     }
     console.log(
-      `  [git-safety] ${lines.length} uncommitted changes (${added} new, ${modified} modified, ${deleted} deleted) \u2014 committing now`
+      `  [git-safety] ${safeLines.length} safe changes (${added} new, ${modified} modified, ${deleted} deleted) \u2014 committing now`
     );
-    git("git add -A", workspaceRoot);
+    for (const line of safeLines) {
+      const filePath = line.substring(3).trim();
+      try {
+        git(`git add -- ${JSON.stringify(filePath)}`, workspaceRoot);
+      } catch {
+      }
+    }
     const shortId = taskId.substring(0, 8);
     const commitMsg = `task: ${taskTitle} [${shortId}]
 
@@ -4655,8 +4771,8 @@ Files: ${added} added, ${modified} modified, ${deleted} deleted`;
 
 // src/commands/deploy-manifest.ts
 var import_node_child_process4 = require("node:child_process");
-var import_node_fs2 = require("node:fs");
-var import_node_path2 = require("node:path");
+var import_node_fs3 = require("node:fs");
+var import_node_path3 = require("node:path");
 function exec(cmd, cwd, timeoutMs = 3e5, env2) {
   try {
     const stdout = (0, import_node_child_process4.execSync)(cmd, {
@@ -4699,10 +4815,10 @@ function getHeadCommit(cwd) {
   }
 }
 function loadDeployManifest(workspaceRoot) {
-  const manifestPath = (0, import_node_path2.join)(workspaceRoot, ".cva", "deploy.json");
-  if (!(0, import_node_fs2.existsSync)(manifestPath)) return null;
+  const manifestPath = (0, import_node_path3.join)(workspaceRoot, ".cva", "deploy.json");
+  if (!(0, import_node_fs3.existsSync)(manifestPath)) return null;
   try {
-    const raw = (0, import_node_fs2.readFileSync)(manifestPath, "utf8");
+    const raw = (0, import_node_fs3.readFileSync)(manifestPath, "utf8");
     const manifest = JSON.parse(raw);
     if (!manifest.version || manifest.version < 1) {
       console.log("  [deploy] Invalid manifest version");
@@ -4727,7 +4843,7 @@ async function postTaskDeploy(workspaceRoot, taskId, log) {
       console.log(`  [deploy] Building: ${buildStep.name}`);
       log("lifecycle", `Building: ${buildStep.name}`);
       const start = Date.now();
-      const cwd = (0, import_node_path2.join)(workspaceRoot, buildStep.working_dir || ".");
+      const cwd = (0, import_node_path3.join)(workspaceRoot, buildStep.working_dir || ".");
       const timeoutMs = (buildStep.timeout_seconds || 300) * 1e3;
       const result = exec(buildStep.command, cwd, timeoutMs);
       if (!result.ok) {
@@ -4818,7 +4934,7 @@ async function rollback(workspaceRoot, targetCommit, manifest, log) {
   }
   if (manifest.build?.steps) {
     for (const step of manifest.build.steps) {
-      exec(step.command, (0, import_node_path2.join)(workspaceRoot, step.working_dir || "."), (step.timeout_seconds || 300) * 1e3);
+      exec(step.command, (0, import_node_path3.join)(workspaceRoot, step.working_dir || "."), (step.timeout_seconds || 300) * 1e3);
     }
   }
   if (manifest.service?.restart_command) {
@@ -4976,6 +5092,22 @@ Target repository: ${task.owner}/${task.repo}
 `;
   prompt += `
 
+## Security \u2014 NEVER Commit Secrets
+`;
+  prompt += `Do NOT add, commit, or push any of the following:
+`;
+  prompt += `- API keys, tokens, passwords, or credentials
+`;
+  prompt += `- .env files, .credentials files, .claude/ directory
+`;
+  prompt += `- SSH keys (.ssh/), GPG keys (.gnupg/)
+`;
+  prompt += `- Shell history (.zsh_history, .bash_history)
+`;
+  prompt += `If you need to reference an API key, use an environment variable placeholder.
+`;
+  prompt += `
+
 ---
 `;
   prompt += `When complete, provide a brief summary of what you accomplished.
@@ -5054,7 +5186,7 @@ async function launchAutoApproveMode(prompt, options) {
   let fullOutput = "";
   let lastProgressBytes = 0;
   const runOnce = (inputPrompt, isContinue) => {
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       const args = isContinue ? ["-p", inputPrompt, "--continue", "--allowedTools", ...ALLOWED_TOOLS] : ["-p", inputPrompt, "--allowedTools", ...ALLOWED_TOOLS];
       if (sessionId && !isContinue) {
         args.push("--session-id", sessionId);
@@ -5153,7 +5285,7 @@ ${source_default.red("!")} Claude Code auth failure (stderr): "${authError}"`);
       });
       child.on("close", (code, signal) => {
         _activeChild = null;
-        resolve({
+        resolve2({
           exitCode: signal === "SIGKILL" ? 137 : code ?? 1,
           stderr,
           output: fullOutput,
@@ -5192,7 +5324,7 @@ ${source_default.red("!")} Claude Code auth failure (stderr): "${authError}"`);
   return result;
 }
 async function launchRelayMode(prompt, options) {
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve2, reject) => {
     const child = (0, import_node_child_process5.spawn)("claude", [], {
       cwd: options.cwd,
       stdio: ["pipe", "pipe", "pipe"],
@@ -5385,9 +5517,9 @@ ${source_default.red("!")} Claude Code auth failure (stderr): "${authError}"`);
     child.on("close", (code, signal) => {
       _activeChild = null;
       if (signal === "SIGKILL") {
-        resolve({ exitCode: 137, stderr, output: fullOutput, authFailure });
+        resolve2({ exitCode: 137, stderr, output: fullOutput, authFailure });
       } else {
-        resolve({ exitCode: code ?? 1, stderr, output: fullOutput, authFailure });
+        resolve2({ exitCode: code ?? 1, stderr, output: fullOutput, authFailure });
       }
     });
     child.on("error", (err) => {
@@ -5488,14 +5620,45 @@ async function runAgent(options) {
     console.log();
     process.exit(1);
   }
+  if (process.env.CV_DEBUG) {
+    console.log(source_default.gray(`   PATH: ${process.env.PATH}`));
+    console.log(source_default.gray(`   HOME: ${process.env.HOME}`));
+    console.log(source_default.gray(`   SHELL: ${process.env.SHELL}`));
+  }
+  let claudeBinary = "claude";
   try {
     (0, import_node_child_process5.execSync)("claude --version", { stdio: "pipe", timeout: 5e3 });
   } catch {
-    console.log();
-    console.log(source_default.red("Claude Code CLI not found.") + " Install it first:");
-    console.log(`   ${source_default.cyan("npm install -g @anthropic-ai/claude-code")}`);
-    console.log();
-    process.exit(1);
+    const candidates = [
+      "/usr/local/bin/claude",
+      "/opt/homebrew/bin/claude",
+      `${process.env.HOME}/.npm-global/bin/claude`,
+      `${process.env.HOME}/.nvm/versions/node/*/bin/claude`
+    ];
+    let found = false;
+    for (const candidate of candidates) {
+      try {
+        const resolved = (0, import_node_child_process5.execSync)(`ls ${candidate} 2>/dev/null | head -1`, { encoding: "utf8", timeout: 3e3 }).trim();
+        if (resolved) {
+          (0, import_node_child_process5.execSync)(`${resolved} --version`, { stdio: "pipe", timeout: 5e3 });
+          claudeBinary = resolved;
+          found = true;
+          console.log(source_default.yellow("!") + ` Claude Code found at ${resolved} (not on PATH)`);
+          break;
+        }
+      } catch {
+      }
+    }
+    if (!found) {
+      console.log();
+      console.log(source_default.red("Claude Code CLI not found.") + " Install it first:");
+      console.log(`   ${source_default.cyan("npm install -g @anthropic-ai/claude-code")}`);
+      console.log();
+      console.log(source_default.gray(`   Current PATH: ${process.env.PATH}`));
+      console.log(source_default.gray("   If running via Launch Agent, ensure PATH includes the directory where claude is installed."));
+      console.log();
+      process.exit(1);
+    }
   }
   const { env: claudeEnv, usingApiKey } = await getClaudeEnv();
   const authCheck = await checkClaudeAuth();
@@ -5562,6 +5725,22 @@ async function runAgent(options) {
       } catch {
       }
     }
+    const gitignorePath = require("path").join(workingDir, ".gitignore");
+    try {
+      const fs3 = require("fs");
+      const credPatterns = ".env\n.env.*\n.claude/\n.claude.json\n.credentials*\n*.pem\n*.key\n.ssh/\n.gnupg/\n.npm/\n.config/\n.zsh_history\n.bash_history\nnode_modules/\n.DS_Store\n";
+      let existing = "";
+      try {
+        existing = fs3.readFileSync(gitignorePath, "utf-8");
+      } catch {
+      }
+      if (!existing.includes(".claude/")) {
+        const prefix = existing && !existing.endsWith("\n") ? "\n" : "";
+        fs3.writeFileSync(gitignorePath, existing + prefix + "# Credentials (auto-added by cv-agent)\n" + credPatterns);
+        console.log(source_default.gray("   Bootstrap: .gitignore credential protection added"));
+      }
+    } catch {
+    }
     const cvDir = require("path").join(workingDir, ".cv");
     if (!require("fs").existsSync(cvDir)) {
       try {
@@ -6049,7 +6228,7 @@ async function promptForToken() {
     input: process.stdin,
     output: process.stdout
   });
-  return new Promise((resolve) => {
+  return new Promise((resolve2) => {
     rl.question("Enter your CV-Hub PAT token: ", (answer) => {
       rl.close();
       const token = answer.trim();
@@ -6057,7 +6236,7 @@ async function promptForToken() {
         console.log(source_default.red("No token provided."));
         process.exit(1);
       }
-      resolve(token);
+      resolve2(token);
     });
   });
 }
@@ -6336,7 +6515,7 @@ function statusCommand() {
 
 // src/index.ts
 var program2 = new Command();
-program2.name("cva").description('CV-Hub Agent \u2014 bridges Claude Code with CV-Hub task dispatch.\n\nRun "cva setup" to get started.').version(true ? "1.9.0" : "1.6.0");
+program2.name("cva").description('CV-Hub Agent \u2014 bridges Claude Code with CV-Hub task dispatch.\n\nRun "cva setup" to get started.').version(true ? "1.9.2" : "1.6.0");
 program2.addCommand(setupCommand());
 program2.addCommand(agentCommand());
 program2.addCommand(authCommand());