@evolve.labs/devflow 0.8.3 → 0.9.0

package/lib/constants.js

@@ -1,6 +1,6 @@
 const path = require('node:path');
 
-const VERSION = '0.8.3';
+const VERSION = '0.9.0';
 
 // Root of the installed npm package (where source files live)
 const PACKAGE_ROOT = path.resolve(__dirname, '..');

package/lib/web.js

@@ -49,15 +49,27 @@ async function webCommand(options) {
     process.exit(1);
   }
 
-  // 5. Start the web server
+  // 5. Validate port
+  const portNum = parseInt(port, 10);
+  if (isNaN(portNum) || portNum < 1 || portNum > 65535) {
+    console.error(`Invalid port: ${port}`);
+    process.exit(1);
+  }
+
+  // 6. Start the web server
   const isDev = options.dev || false;
   const cmd = isDev ? 'dev' : 'start';
 
-  // Build first if not dev mode and .next doesn't exist
+  // Build first if not dev mode and no valid production build exists
   if (!isDev) {
-    const nextDir = path.join(webDir, '.next');
-    if (!fs.existsSync(nextDir)) {
-      console.log('Building web dashboard...');
+    const buildIdPath = path.join(webDir, '.next', 'BUILD_ID');
+    if (!fs.existsSync(buildIdPath)) {
+      console.log('Building web dashboard (first run, may take a minute)...');
+      // Remove stale .next directory if it exists without BUILD_ID
+      const nextDir = path.join(webDir, '.next');
+      if (fs.existsSync(nextDir)) {
+        fs.rmSync(nextDir, { recursive: true, force: true });
+      }
       try {
         execSync('npx next build --webpack', {
           cwd: webDir,
@@ -91,12 +103,12 @@ async function webCommand(options) {
   // Open browser after a short delay (unless --no-open)
   if (options.open !== false) {
     setTimeout(() => {
-      const url = `http://localhost:${port}`;
+      const url = `http://localhost:${portNum}`;
       try {
         const openCmd = process.platform === 'darwin' ? 'open'
           : process.platform === 'win32' ? 'start'
           : 'xdg-open';
-        execSync(`${openCmd} ${url}`, { stdio: 'ignore' });
+        execSync(`${openCmd} ${JSON.stringify(url)}`, { stdio: 'ignore' });
       } catch {
         console.log(`Open your browser at: ${url}`);
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evolve.labs/devflow",
-  "version": "0.8.3",
+  "version": "0.9.0",
   "description": "Multi-agent system for software development with Claude Code. 6 specialized agents (Strategist, Architect, System Designer, Builder, Guardian, Chronicler) as slash commands.",
   "keywords": [
     "claude-code",

package/web/app/api/autopilot/terminal-execute/route.ts

@@ -42,6 +42,12 @@ export async function POST(req: NextRequest) {
     return NextResponse.json({ error: 'Missing required fields' }, { status: 400 });
   }
 
+  // Sanitize sessionId to prevent path traversal
+  const safeSessionId = sessionId.replace(/[^a-zA-Z0-9_-]/g, '');
+  if (!safeSessionId || safeSessionId !== sessionId) {
+    return NextResponse.json({ error: 'Invalid sessionId format' }, { status: 400 });
+  }
+
   if (!isValidAgent(agent)) {
     return NextResponse.json({ error: `Unknown agent: ${agent}` }, { status: 400 });
   }
@@ -66,10 +72,10 @@ export async function POST(req: NextRequest) {
 
   // Write prompt to temp file (avoid shell escaping issues)
   const tmpDir = os.tmpdir();
-  const tmpFile = path.join(tmpDir, `devflow-autopilot-${sessionId}-${agent}-${Date.now()}.md`);
+  const tmpFile = path.join(tmpDir, `devflow-autopilot-${safeSessionId}-${agent}-${Date.now()}.md`);
 
   try {
-    await fs.writeFile(tmpFile, fullPrompt, 'utf-8');
+    await fs.writeFile(tmpFile, fullPrompt, { encoding: 'utf-8', mode: 0o600 });
 
     // Arm the collector before writing the command
     const collectorPromise = ptyManager.armAutopilotCollector(sessionId, timeoutMs + 5000);

package/web/lib/ptyManager.ts

@@ -1,5 +1,6 @@
 import * as pty from 'node-pty';
 import { EventEmitter } from 'events';
+import { existsSync } from 'fs';
 import { PHASE_DONE_REGEX } from '@/lib/autopilotConstants';
 
 interface TerminalSession {
@@ -16,21 +17,42 @@ interface AutopilotCollector {
   timeout: NodeJS.Timeout;
 }
 
+/**
+ * Detect the best available shell for the current platform.
+ */
+function detectShell(): string {
+  if (process.platform === 'win32') return 'powershell.exe';
+
+  // Try SHELL env var first
+  const envShell = process.env.SHELL;
+  if (envShell && existsSync(envShell)) return envShell;
+
+  // Fallback chain for Unix-like systems
+  const candidates = ['/bin/zsh', '/bin/bash', '/bin/sh'];
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) return candidate;
+  }
+
+  return '/bin/sh';
+}
+
 class PtyManager extends EventEmitter {
   private sessions: Map<string, TerminalSession> = new Map();
   private outputBuffers: Map<string, string[]> = new Map();
   private autopilotCollectors: Map<string, AutopilotCollector> = new Map();
 
   createSession(id: string, cwd: string, cols: number = 80, rows: number = 24): TerminalSession {
-    // Determine shell based on platform
-    const shell = process.platform === 'win32' ? 'powershell.exe' : process.env.SHELL || '/bin/zsh';
+    const shell = detectShell();
     const shellArgs = process.platform === 'win32' ? [] : ['-l'];
 
+    // Validate cwd exists, fallback to home directory
+    const safeCwd = existsSync(cwd) ? cwd : process.env.HOME || '/tmp';
+
     const ptyProcess = pty.spawn(shell, shellArgs, {
       name: 'xterm-256color',
       cols,
       rows,
-      cwd,
+      cwd: safeCwd,
       env: {
         ...process.env,
         TERM: 'xterm-256color',

package/web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "devflow-ide",
-  "version": "0.7.0",
+  "version": "0.9.0",
   "private": true,
   "scripts": {
     "dev": "./node_modules/.bin/next dev",
@@ -36,8 +36,6 @@
     "simple-git": "^3.30.0",
     "sonner": "^2.0.7",
     "tailwind-merge": "^2.5.5",
-    "xterm": "^5.3.0",
-    "xterm-addon-fit": "^0.8.0",
     "zustand": "^5.0.2"
   },
   "devDependencies": {