@evolve.labs/devflow 0.8.3 → 0.9.1

package/lib/constants.js

@@ -1,6 +1,6 @@
 const path = require('node:path');
 
-const VERSION = '0.8.3';
+const VERSION = '0.9.1';
 
 // Root of the installed npm package (where source files live)
 const PACKAGE_ROOT = path.resolve(__dirname, '..');

package/lib/web.js

@@ -1,17 +1,80 @@
 const { execSync, spawn } = require('node:child_process');
 const path = require('node:path');
 const fs = require('node:fs');
-const { PACKAGE_ROOT } = require('./constants');
+const os = require('node:os');
+const { PACKAGE_ROOT, VERSION, WEB_COPY_DIRS, WEB_COPY_FILES } = require('./constants');
+
+/**
+ * When installed via npm, the web/ directory lives inside node_modules.
+ * Next.js/SWC does not properly compile TypeScript files within node_modules,
+ * so we copy the source to ~/.devflow/_web/ (a normal directory) and run from there.
+ */
+function resolveWebDir() {
+  const packageWebDir = path.join(PACKAGE_ROOT, 'web');
+
+  if (!fs.existsSync(packageWebDir)) {
+    return null;
+  }
+
+  // If not inside node_modules, use directly (dev mode / cloned repo)
+  if (!PACKAGE_ROOT.includes('node_modules')) {
+    return packageWebDir;
+  }
+
+  // Running from npm install — copy source to local cache
+  const cacheDir = path.join(os.homedir(), '.devflow', '_web');
+  const versionFile = path.join(cacheDir, '.devflow-version');
+  const cachedVersion = fs.existsSync(versionFile)
+    ? fs.readFileSync(versionFile, 'utf-8').trim()
+    : '';
+
+  if (cachedVersion === VERSION && fs.existsSync(path.join(cacheDir, 'package.json'))) {
+    return cacheDir;
+  }
+
+  console.log('Setting up web dashboard files...');
+
+  // Clean previous cache
+  if (fs.existsSync(cacheDir)) {
+    fs.rmSync(cacheDir, { recursive: true, force: true });
+  }
+  fs.mkdirSync(cacheDir, { recursive: true });
+
+  // Copy source directories
+  for (const dir of WEB_COPY_DIRS) {
+    const srcDir = path.join(PACKAGE_ROOT, dir);
+    const destDir = path.join(cacheDir, dir.replace(/^web\//, ''));
+    if (fs.existsSync(srcDir)) {
+      fs.cpSync(srcDir, destDir, { recursive: true });
+    }
+  }
+
+  // Copy individual files
+  for (const file of WEB_COPY_FILES) {
+    const srcFile = path.join(PACKAGE_ROOT, file);
+    const destFile = path.join(cacheDir, file.replace(/^web\//, ''));
+    if (fs.existsSync(srcFile)) {
+      const destDir = path.dirname(destFile);
+      fs.mkdirSync(destDir, { recursive: true });
+      fs.copyFileSync(srcFile, destFile);
+    }
+  }
+
+  // Write version marker
+  fs.writeFileSync(versionFile, VERSION);
+
+  return cacheDir;
+}
 
 /**
  * devflow web - Start the DevFlow Web Dashboard
  */
 async function webCommand(options) {
   const port = options.port || '3000';
-  const webDir = path.join(PACKAGE_ROOT, 'web');
+  const webDir = resolveWebDir();
 
   // 1. Verify web/ directory exists
-  if (!fs.existsSync(webDir)) {
+  if (!webDir) {
     console.error('Error: Web IDE files not found.');
     console.error('Re-install devflow with: npm install -g @evolve.labs/devflow');
     process.exit(1);
@@ -49,15 +112,27 @@ async function webCommand(options) {
     process.exit(1);
   }
 
-  // 5. Start the web server
+  // 5. Validate port
+  const portNum = parseInt(port, 10);
+  if (isNaN(portNum) || portNum < 1 || portNum > 65535) {
+    console.error(`Invalid port: ${port}`);
+    process.exit(1);
+  }
+
+  // 6. Start the web server
   const isDev = options.dev || false;
   const cmd = isDev ? 'dev' : 'start';
 
-  // Build first if not dev mode and .next doesn't exist
+  // Build first if not dev mode and no valid production build exists
   if (!isDev) {
-    const nextDir = path.join(webDir, '.next');
-    if (!fs.existsSync(nextDir)) {
-      console.log('Building web dashboard...');
+    const buildIdPath = path.join(webDir, '.next', 'BUILD_ID');
+    if (!fs.existsSync(buildIdPath)) {
+      console.log('Building web dashboard (first run, may take a minute)...');
+      // Remove stale .next directory if it exists without BUILD_ID
+      const nextDir = path.join(webDir, '.next');
+      if (fs.existsSync(nextDir)) {
+        fs.rmSync(nextDir, { recursive: true, force: true });
+      }
       try {
         execSync('npx next build --webpack', {
           cwd: webDir,
@@ -91,12 +166,12 @@ async function webCommand(options) {
   // Open browser after a short delay (unless --no-open)
   if (options.open !== false) {
     setTimeout(() => {
-      const url = `http://localhost:${port}`;
+      const url = `http://localhost:${portNum}`;
       try {
         const openCmd = process.platform === 'darwin' ? 'open'
           : process.platform === 'win32' ? 'start'
           : 'xdg-open';
-        execSync(`${openCmd} ${url}`, { stdio: 'ignore' });
+        execSync(`${openCmd} ${JSON.stringify(url)}`, { stdio: 'ignore' });
       } catch {
         console.log(`Open your browser at: ${url}`);
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evolve.labs/devflow",
-  "version": "0.8.3",
+  "version": "0.9.1",
   "description": "Multi-agent system for software development with Claude Code. 6 specialized agents (Strategist, Architect, System Designer, Builder, Guardian, Chronicler) as slash commands.",
   "keywords": [
     "claude-code",

package/web/app/api/autopilot/terminal-execute/route.ts

@@ -42,6 +42,12 @@ export async function POST(req: NextRequest) {
     return NextResponse.json({ error: 'Missing required fields' }, { status: 400 });
   }
 
+  // Sanitize sessionId to prevent path traversal
+  const safeSessionId = sessionId.replace(/[^a-zA-Z0-9_-]/g, '');
+  if (!safeSessionId || safeSessionId !== sessionId) {
+    return NextResponse.json({ error: 'Invalid sessionId format' }, { status: 400 });
+  }
+
   if (!isValidAgent(agent)) {
     return NextResponse.json({ error: `Unknown agent: ${agent}` }, { status: 400 });
   }
@@ -66,10 +72,10 @@ export async function POST(req: NextRequest) {
 
   // Write prompt to temp file (avoid shell escaping issues)
   const tmpDir = os.tmpdir();
-  const tmpFile = path.join(tmpDir, `devflow-autopilot-${sessionId}-${agent}-${Date.now()}.md`);
+  const tmpFile = path.join(tmpDir, `devflow-autopilot-${safeSessionId}-${agent}-${Date.now()}.md`);
 
   try {
-    await fs.writeFile(tmpFile, fullPrompt, 'utf-8');
+    await fs.writeFile(tmpFile, fullPrompt, { encoding: 'utf-8', mode: 0o600 });
 
     // Arm the collector before writing the command
     const collectorPromise = ptyManager.armAutopilotCollector(sessionId, timeoutMs + 5000);

package/web/lib/ptyManager.ts

@@ -1,5 +1,6 @@
 import * as pty from 'node-pty';
 import { EventEmitter } from 'events';
+import { existsSync } from 'fs';
 import { PHASE_DONE_REGEX } from '@/lib/autopilotConstants';
 
 interface TerminalSession {
@@ -16,21 +17,42 @@ interface AutopilotCollector {
   timeout: NodeJS.Timeout;
 }
 
+/**
+ * Detect the best available shell for the current platform.
+ */
+function detectShell(): string {
+  if (process.platform === 'win32') return 'powershell.exe';
+
+  // Try SHELL env var first
+  const envShell = process.env.SHELL;
+  if (envShell && existsSync(envShell)) return envShell;
+
+  // Fallback chain for Unix-like systems
+  const candidates = ['/bin/zsh', '/bin/bash', '/bin/sh'];
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) return candidate;
+  }
+
+  return '/bin/sh';
+}
+
 class PtyManager extends EventEmitter {
   private sessions: Map<string, TerminalSession> = new Map();
   private outputBuffers: Map<string, string[]> = new Map();
   private autopilotCollectors: Map<string, AutopilotCollector> = new Map();
 
   createSession(id: string, cwd: string, cols: number = 80, rows: number = 24): TerminalSession {
-    // Determine shell based on platform
-    const shell = process.platform === 'win32' ? 'powershell.exe' : process.env.SHELL || '/bin/zsh';
+    const shell = detectShell();
     const shellArgs = process.platform === 'win32' ? [] : ['-l'];
 
+    // Validate cwd exists, fallback to home directory
+    const safeCwd = existsSync(cwd) ? cwd : process.env.HOME || '/tmp';
+
     const ptyProcess = pty.spawn(shell, shellArgs, {
       name: 'xterm-256color',
       cols,
       rows,
-      cwd,
+      cwd: safeCwd,
       env: {
         ...process.env,
         TERM: 'xterm-256color',

package/web/next.config.js

@@ -1,3 +1,5 @@
+const path = require('path');
+
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   // Enable React strict mode for better development experience
@@ -14,8 +16,14 @@ const nextConfig = {
   // Exclude native modules from client-side bundling
   serverExternalPackages: ['node-pty'],
 
-  // Webpack config for native modules
+  // Webpack config for native modules and path resolution
   webpack: (config, { isServer }) => {
+    // Ensure @/ alias resolves correctly even when running from node_modules
+    config.resolve.alias = {
+      ...config.resolve.alias,
+      '@': path.resolve(__dirname),
+    };
+
     if (!isServer) {
       // Don't bundle node-pty on client side
       config.resolve.fallback = {

package/web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "devflow-ide",
-  "version": "0.7.0",
+  "version": "0.9.1",
   "private": true,
   "scripts": {
     "dev": "./node_modules/.bin/next dev",
@@ -36,8 +36,6 @@
     "simple-git": "^3.30.0",
     "sonner": "^2.0.7",
     "tailwind-merge": "^2.5.5",
-    "xterm": "^5.3.0",
-    "xterm-addon-fit": "^0.8.0",
     "zustand": "^5.0.2"
   },
   "devDependencies": {