npm - @ia-ccun/code-agent-cli - Versions diffs - 0.0.15 → 0.0.17 - Mend

@ia-ccun/code-agent-cli 0.0.15 → 0.0.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/scripts/postinstall.js CHANGED Viewed

@@ -81,20 +81,7 @@ if (!existsSync(agentDir)) {
   console.log(`✓ Created directory: ${agentDir}`);
 }
-// Force overwrite files (regardless of whether user has modified them)
-const forceOverwriteFiles = [
-  'extensions/working-msg.ts',
-  // 可以添加更多需要强制覆盖的文件，例如：
-  // 'extensions/custom.ts',
-  // 'SYSTEM.md',
-];
-function shouldForceOverwrite(dest) {
-  const relativePath = relative(agentDir, dest).replace(/\\/g, '/');
-  return forceOverwriteFiles.includes(relativePath);
-}
-// Function to copy directory recursively (only copy if destination doesn't exist, unless in force list)
+// Function to copy directory recursively (only copy if destination doesn't exist)
 function copyDirRecursive(src, dest) {
   const exists = existsSync(src);
   const stats = exists && statSync(src);
@@ -113,21 +100,41 @@ function copyDirRecursive(src, dest) {
       copyDirRecursive(srcPath, destPath);
     });
   } else {
-    // Copy if source exists AND (destination doesn't exist OR force overwrite)
-    if (exists && (!existsSync(dest) || shouldForceOverwrite(dest))) {
+    // Only copy if source exists AND destination doesn't exist (preserve user files)
+    if (exists && !existsSync(dest)) {
       // Ensure parent directory exists
       const parentDir = dirname(dest);
       if (!existsSync(parentDir)) {
         mkdirSync(parentDir, { recursive: true });
       }
-      const action = existsSync(dest) ? '↻ Updated' : '+ Added';
       copyFileSync(src, dest);
-      console.log(`  ${action}: ${relative(agentDir, dest)}`);
+      console.log(`  + Added: ${relative(agentDir, dest)}`);
     }
   }
 }
+// Force copy directory recursively (always overwrite destination)
+function forceCopyDirRecursive(src, dest) {
+  if (!existsSync(src)) return;
+  const stats = statSync(src);
+  if (stats.isDirectory()) {
+    if (!existsSync(dest)) {
+      mkdirSync(dest, { recursive: true });
+    }
+    readdirSync(src).forEach(file => {
+      forceCopyDirRecursive(join(src, file), join(dest, file));
+    });
+  } else {
+    const parentDir = dirname(dest);
+    if (!existsSync(parentDir)) {
+      mkdirSync(parentDir, { recursive: true });
+    }
+    copyFileSync(src, dest);
+  }
+}
 // Copy config.json if it doesn't exist
 const packageConfigFile = join(__dirname, '..', 'config.json');
 const userConfigFile = join(aicodeCliDir, 'config.json');
@@ -139,8 +146,58 @@ if (existsSync(packageConfigFile) && !existsSync(userConfigFile)) {
   console.log('⚠ config.json not found in package');
 }
-// Copy config/agent contents to ~/.aicode-cli/agent only if they don't exist (preserve user customizations)
+// ============================================================================
+// Files/folders that must be force-overwritten on every install
+// ============================================================================
 const packageConfigDir = join(__dirname, '..', 'config', 'agent');
+const FORCE_OVERWRITE_LIST = [
+  'extensions/working-msg.ts',
+  // Add more files or folders here to force overwrite on every install
+  // Examples:
+  // 'skills/some-skill',
+  // 'prompts/some-prompt.md',
+  // 'themes/dark.json',
+];
+// Function to force overwrite specific files/folders
+function forceOverwriteList(relativePaths) {
+  relativePaths.forEach(relativePath => {
+    const srcPath = join(packageConfigDir, relativePath);
+    const destPath = join(agentDir, relativePath);
+    if (existsSync(srcPath)) {
+      try {
+        const stats = statSync(srcPath);
+        if (stats.isDirectory()) {
+          // Force copy directory
+          if (!existsSync(destPath)) {
+            mkdirSync(destPath, { recursive: true });
+          }
+          forceCopyDirRecursive(srcPath, destPath);
+          console.log(`✓ Force overwritten (dir): ${relativePath}`);
+        } else {
+          // Force copy file
+          const parentDir = dirname(destPath);
+          if (!existsSync(parentDir)) {
+            mkdirSync(parentDir, { recursive: true });
+          }
+          copyFileSync(srcPath, destPath);
+          console.log(`✓ Force overwritten: ${relativePath}`);
+        }
+      } catch (e) {
+        console.log(`⚠ Could not force overwrite ${relativePath}: ${e.message}`);
+        if (e.stack) {
+          console.log(e.stack);
+        }
+      }
+    } else {
+      console.log(`⚠ Source path does not exist: ${relativePath}`);
+    }
+  });
+}
+// Copy config/agent contents to ~/.aicode-cli/agent only if they don't exist (preserve user customizations)
 if (existsSync(packageConfigDir)) {
   console.log(`📁 Syncing default config files to ${agentDir} (preserving user customizations)`);
@@ -148,6 +205,11 @@ if (existsSync(packageConfigDir)) {
   copyDirRecursive(packageConfigDir, agentDir);
   console.log('✓ Default config files synced successfully');
+  // Force overwrite specified files/folders
+  if (FORCE_OVERWRITE_LIST.length > 0) {
+    forceOverwriteList(FORCE_OVERWRITE_LIST);
+  }
   // Check for extensions
   const extensionsDir = join(agentDir, 'extensions');
   if (existsSync(extensionsDir)) {

package/config/agent/skills/github/SKILL.md DELETED Viewed

@@ -1,47 +0,0 @@
----
-name: github
-description: "Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries."
----
-# GitHub Skill
-Use the `gh` CLI to interact with GitHub. Always specify `--repo owner/repo` when not in a git directory, or use URLs directly.
-## Pull Requests
-Check CI status on a PR:
-```bash
-gh pr checks 55 --repo owner/repo
-```
-List recent workflow runs:
-```bash
-gh run list --repo owner/repo --limit 10
-```
-View a run and see which steps failed:
-```bash
-gh run view <run-id> --repo owner/repo
-```
-View logs for failed steps only:
-```bash
-gh run view <run-id> --repo owner/repo --log-failed
-```
-## API for Advanced Queries
-The `gh api` command is useful for accessing data not available through other subcommands.
-Get PR with specific fields:
-```bash
-gh api repos/owner/repo/pulls/55 --jq '.title, .state, .user.login'
-```
-## JSON Output
-Most commands support `--json` for structured output.  You can use `--jq` to filter:
-```bash
-gh issue list --repo owner/repo --json number,title --jq '.[] | "\(.number): \(.title)"'
-```

package/config/agent/skills/owasp/SKILL.md DELETED Viewed

@@ -1,169 +0,0 @@
----
-name: owasp
-description: |
-  OWASP security guidelines and Top 10 vulnerabilities
-  USE WHEN: user mentions "OWASP", "security audit", "vulnerability scan", asks about "injection", "XSS", "CSRF", "access control", "authentication security"
-  DO NOT USE FOR: OWASP Top 10:2025 specific - use `owasp-top-10` instead
-allowed-tools: Read, Grep, Glob
----
-# OWASP Security - Quick Reference
-## When to Use This Skill
-- Identify common vulnerabilities
-- Implement security controls
-- Code review for security issues
-## When NOT to Use This Skill
-- **OWASP Top 10:2025** - Use `owasp-top-10` skill for latest 2025 standards
-- **Secrets management** - Use `secrets-management` skill for credentials handling
-- **Supply chain security** - Use `supply-chain` skill for dependency issues
-- **JWT/OAuth security** - Use authentication skills for protocol-specific issues
-> **Deep Knowledge**: Use `mcp__documentation__fetch_docs` with technology: `owasp` for comprehensive documentation.
-## OWASP Top 10 (2021)
-### A01: Broken Access Control
-```java
-// BAD - Direct object reference
-@GetMapping("/users/{id}")
-public User getUser(@PathVariable Long id) {
-    return userRepository.findById(id);
-}
-// GOOD - Check authorization
-@GetMapping("/users/{id}")
-public User getUser(@PathVariable Long id, Authentication auth) {
-    User user = userRepository.findById(id);
-    if (!user.getId().equals(auth.getPrincipal().getId())) {
-        throw new AccessDeniedException("Not authorized");
-    }
-    return user;
-}
-```
-### A02: Cryptographic Failures
-```java
-// BAD - Weak hashing
-String hash = DigestUtils.md5Hex(password);
-// GOOD - Strong hashing with salt
-BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
-String hash = encoder.encode(password);
-```
-### A03: Injection
-```java
-// BAD - SQL Injection
-String query = "SELECT * FROM users WHERE name = '" + name + "'";
-// GOOD - Parameterized query
-@Query("SELECT u FROM User u WHERE u.name = :name")
-User findByName(@Param("name") String name);
-```
-### A04: Insecure Design
-- Threat modeling during design phase
-- Security requirements in user stories
-- Defense in depth architecture
-### A05: Security Misconfiguration
-```yaml
-# Spring Security - disable defaults carefully
-spring:
-  security:
-    headers:
-      content-security-policy: "default-src 'self'"
-      x-frame-options: DENY
-      x-content-type-options: nosniff
-```
-### A06: Vulnerable Components
-```bash
-# Check for vulnerabilities
-npm audit
-mvn dependency-check:check
-pip-audit
-```
-### A07: Auth Failures
-```java
-// Implement rate limiting
-@RateLimiter(name = "login", fallbackMethod = "loginFallback")
-public AuthResponse login(LoginRequest request) {
-    // ...
-}
-// Account lockout
-if (failedAttempts >= 5) {
-    lockAccount(user);
-}
-```
-### A08: Software Integrity
-- Verify signatures of dependencies
-- Use lock files (package-lock.json, pom.xml)
-- CI/CD pipeline security
-### A09: Logging Failures
-```java
-// Log security events
-log.info("Login attempt", Map.of(
-    "user", username,
-    "ip", request.getRemoteAddr(),
-    "success", authenticated
-));
-// DON'T log sensitive data
-log.info("Password: {}", password);  // NEVER!
-```
-### A10: SSRF
-```java
-// Validate URLs
-private boolean isAllowedUrl(String url) {
-    URL parsed = new URL(url);
-    return allowedHosts.contains(parsed.getHost());
-}
-```
-## Security Headers
-```java
-@Configuration
-public class SecurityConfig {
-    @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) {
-        return http
-            .headers(headers -> headers
-                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'"))
-                .frameOptions(frame -> frame.deny())
-                .xssProtection(xss -> xss.disable())
-            )
-            .build();
-    }
-}
-```
-## Anti-Patterns
-| Anti-Pattern | Why It's Bad | Correct Approach |
-|--------------|--------------|------------------|
-| Direct object references without auth | IDOR vulnerability (A01) | Always verify ownership before access |
-| Using MD5/SHA1 for passwords | Easily cracked | Use bcrypt/argon2 with salt |
-| String concatenation in SQL | SQL injection | Use parameterized queries/ORMs |
-| Exposing stack traces in prod | Information disclosure | Generic error messages only |
-| No rate limiting on login | Brute force attacks | Implement rate limiting + account lockout |
-| Storing secrets in code | Credential exposure | Use environment variables/vaults |
-## Quick Troubleshooting
-| Issue | Likely Cause | Solution |
-|-------|--------------|----------|
-| 403 Forbidden on valid request | CORS misconfiguration | Check allowed origins in CORS config |
-| Session not persisting | SameSite cookie issue | Set `SameSite=Lax` or `None` with HTTPS |
-| JWT token rejected | Clock skew or expired | Add clock skew tolerance (5min) |
-| File upload fails | CSP blocking | Add upload domain to CSP directives |
-| API returns 401 unexpectedly | Missing/invalid Authorization header | Check Bearer token format |