@jgamaraalv/ts-dev-kit 3.1.2 → 3.1.3

package/.claude-plugin/marketplace.json

@@ -12,7 +12,7 @@
       "name": "ts-dev-kit",
       "source": "./",
       "description": "15 specialized agents and 22 skills for TypeScript fullstack development",
-      "version": "3.1.2",
+      "version": "3.1.3",
       "author": {
         "name": "jgamaraalv"
       },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "ts-dev-kit",
-  "version": "3.1.2",
+  "version": "3.1.3",
   "description": "15 specialized agents and 22 skills for TypeScript fullstack development with Fastify, Next.js, PostgreSQL, Redis, and more.",
   "author": {
     "name": "jgamaraalv",

package/CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.1.3] - 2026-02-27
+
+### Fixed
+
+- `/yolo` firewall script: revert to strict upstream reference (`set -euo pipefail`, no fallbacks) — remove `exec > >(tee ...)` that caused VS Code to hang with "Unable to resolve resource", remove `|| true` fallbacks that masked failures, remove `| tee` from `postStartCommand`; keep only the `sort -u` dedup fix for duplicate DNS IPs
+- `/yolo` SKILL.md: document critical anti-patterns (process substitution logging, loose error handling, piped postStartCommand)
+
 ## [3.1.2] - 2026-02-27
 
 ### Fixed

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jgamaraalv/ts-dev-kit",
-  "version": "3.1.2",
+  "version": "3.1.3",
   "description": "Claude Code plugin: 15 agents + 22 skills for TypeScript fullstack development",
   "author": "jgamaraalv",
   "license": "MIT",

package/skills/yolo/SKILL.md

@@ -252,14 +252,23 @@ Write the file using the reference firewall script. See [references/init-firewal
 
 Key security features:
 
+- `set -euo pipefail` — exits immediately on any error (strict mode)
 - Default-deny policy (DROP all INPUT, OUTPUT, FORWARD)
-- Whitelisted outbound only: npm registry, GitHub (dynamic IP fetch), Claude API, Sentry, StatsIG, VS Code marketplace
+- Whitelisted outbound only: npm registry, GitHub (dynamic IP fetch via `api.github.com/meta`), Claude API, Sentry, StatsIG, VS Code marketplace
 - DNS and SSH allowed
 - Localhost and host network allowed
+- Docker DNS rules preserved before flushing
+- Uses `ipset hash:net` for efficient CIDR matching (required — do NOT add fallback logic)
 - Startup verification: confirms `example.com` is blocked and `api.github.com` is reachable
-- Docker DNS rules preserved
-- Falls back to iptables-only rules if `ipset` kernel module is unavailable (common on Docker Desktop for Mac)
-- Full diagnostic log at `/tmp/firewall-init.log` for troubleshooting
+- Exits with error if any domain fails to resolve or any IP range is invalid
+
+**Critical anti-patterns to avoid in this script:**
+- Do NOT use `exec > >(tee ...)` for logging — process substitutions run via `sudo` never receive EOF, causing the script to hang indefinitely and VS Code to fail with "Unable to resolve resource"
+- Do NOT remove the `-e` flag from `set -euo pipefail` — silent error handling masks failures
+- Do NOT add `|| true` fallbacks for core iptables/ipset commands
+
+**Critical anti-pattern to avoid in `devcontainer.json`:**
+- Do NOT pipe `postStartCommand` through `tee` (e.g., `... | tee /tmp/firewall-init.log`) — this hides the script's real exit code and creates redundant I/O. The correct value is simply: `"postStartCommand": "sudo /usr/local/bin/init-firewall.sh"`
 
 ### Step 5 — Add `.devcontainer` to `.gitignore` (optional)
 

package/skills/yolo/references/devcontainer-json.md

@@ -57,7 +57,7 @@ Write this file to `.devcontainer/devcontainer.json`:
   },
   "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,consistency=delegated",
   "workspaceFolder": "/workspace",
-  "postStartCommand": "sudo /usr/local/bin/init-firewall.sh 2>&1 | tee /tmp/firewall-init.log",
+  "postStartCommand": "sudo /usr/local/bin/init-firewall.sh",
   "waitFor": "postStartCommand"
 }
 ```

package/skills/yolo/references/init-firewall.sh.md

@@ -4,279 +4,162 @@ Write this file to `.devcontainer/init-firewall.sh`:
 
 ```bash
 #!/bin/bash
-set -uo pipefail  # Strict vars and pipelines, but handle errors manually
-IFS=$'\n\t'
-
-LOG="/tmp/firewall-init.log"
-exec > >(tee -a "$LOG") 2>&1
-echo "=== Firewall init started at $(date -u) ==="
-
-# --- Diagnostics -----------------------------------------------------------
-echo "--- Pre-flight checks ---"
-HAVE_IPTABLES=false
-HAVE_IPSET=false
-
-if iptables -L -n >/dev/null 2>&1; then
-    HAVE_IPTABLES=true
-    echo "[OK] iptables is functional"
-else
-    echo "[FAIL] iptables is NOT functional — firewall cannot be configured"
-    echo "Hint: ensure --cap-add=NET_ADMIN is set in devcontainer.json runArgs"
-    exit 1
-fi
-
-if ipset list >/dev/null 2>&1 || ipset create _test hash:net 2>/dev/null; then
-    ipset destroy _test 2>/dev/null || true
-    HAVE_IPSET=true
-    echo "[OK] ipset is functional"
-else
-    echo "[WARN] ipset is NOT functional — falling back to iptables-only rules"
-fi
-
-if command -v dig >/dev/null 2>&1; then
-    echo "[OK] dig is available"
-else
-    echo "[WARN] dig not found — DNS resolution will use getent"
-fi
-
-if command -v aggregate >/dev/null 2>&1; then
-    echo "[OK] aggregate is available"
-else
-    echo "[WARN] aggregate not found — GitHub CIDRs will be added individually"
-fi
-
-# --- Helper: resolve domain to IPs ----------------------------------------
-resolve_domain() {
-    local domain="$1"
-    local ips=""
-    if command -v dig >/dev/null 2>&1; then
-        ips=$(dig +noall +answer +short A "$domain" 2>/dev/null | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -u)
-    fi
-    if [ -z "$ips" ] && command -v getent >/dev/null 2>&1; then
-        ips=$(getent ahostsv4 "$domain" 2>/dev/null | awk '{print $1}' | sort -u | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$')
-    fi
-    echo "$ips"
-}
-
-# --- 1. Preserve Docker DNS -----------------------------------------------
-echo "--- Preserving Docker DNS rules ---"
-DOCKER_DNS_RULES=$(iptables-save -t nat 2>/dev/null | grep "127\.0\.0\.11" || true)
-
-# --- 2. Flush existing rules -----------------------------------------------
-echo "--- Flushing existing rules ---"
-iptables -F  || true
-iptables -X  || true
-iptables -t nat -F    || true
-iptables -t nat -X    || true
-iptables -t mangle -F || true
-iptables -t mangle -X || true
-if [ "$HAVE_IPSET" = true ]; then
-    ipset destroy allowed-domains 2>/dev/null || true
-fi
-
-# --- 3. Restore Docker DNS -------------------------------------------------
+set -euo pipefail  # Exit on error, undefined vars, and pipeline failures
+IFS=$'\n\t'       # Stricter word splitting
+
+# 1. Extract Docker DNS info BEFORE any flushing
+DOCKER_DNS_RULES=$(iptables-save -t nat | grep "127\.0\.0\.11" || true)
+
+# Flush existing rules and delete existing ipsets
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+ipset destroy allowed-domains 2>/dev/null || true
+
+# 2. Selectively restore ONLY internal Docker DNS resolution
 if [ -n "$DOCKER_DNS_RULES" ]; then
     echo "Restoring Docker DNS rules..."
     iptables -t nat -N DOCKER_OUTPUT 2>/dev/null || true
     iptables -t nat -N DOCKER_POSTROUTING 2>/dev/null || true
-    echo "$DOCKER_DNS_RULES" | while read -r rule; do
-        iptables -t nat $rule 2>/dev/null || true
-    done
+    echo "$DOCKER_DNS_RULES" | xargs -L 1 iptables -t nat
 else
     echo "No Docker DNS rules to restore"
 fi
 
-# --- 4. Base rules (DNS, SSH, localhost) ------------------------------------
-echo "--- Setting base rules ---"
-# Outbound DNS
+# First allow DNS and localhost before any restrictions
+# Allow outbound DNS
 iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
-iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
-# Inbound DNS responses
+# Allow inbound DNS responses
 iptables -A INPUT -p udp --sport 53 -j ACCEPT
-iptables -A INPUT -p tcp --sport 53 -j ACCEPT
-# Outbound SSH
+# Allow outbound SSH
 iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
+# Allow inbound SSH responses
 iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-# Localhost
+# Allow localhost
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 
-# --- 5. Host network -------------------------------------------------------
-HOST_IP=$(ip route 2>/dev/null | grep default | head -1 | awk '{print $3}')
-if [ -n "$HOST_IP" ]; then
-    HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/16/")
-    echo "Host network: $HOST_NETWORK (via $HOST_IP)"
-    iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
-    iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
-else
-    echo "[WARN] Could not detect host IP — allowing RFC1918 ranges for Docker connectivity"
-    iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
-    iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
-    iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
-    iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-    iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
-    iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-fi
+# Create ipset with CIDR support
+ipset create allowed-domains hash:net
 
-# --- 6. Allowed domains ----------------------------------------------------
-ALLOWED_DOMAINS=(
-    "registry.npmjs.org"
-    "api.anthropic.com"
-    "sentry.io"
-    "statsig.anthropic.com"
-    "statsig.com"
-    "marketplace.visualstudio.com"
-    "vscode.blob.core.windows.net"
-    "update.code.visualstudio.com"
-)
+# Fetch GitHub meta information and aggregate + add their IP ranges
+echo "Fetching GitHub IP ranges..."
+gh_ranges=$(curl -s https://api.github.com/meta)
+if [ -z "$gh_ranges" ]; then
+    echo "ERROR: Failed to fetch GitHub IP ranges"
+    exit 1
+fi
 
-if [ "$HAVE_IPSET" = true ]; then
-    # ---- ipset mode (preferred) ----
-    echo "--- Building ipset allowlist ---"
-    ipset create allowed-domains hash:net
+if ! echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null; then
+    echo "ERROR: GitHub API response missing required fields"
+    exit 1
+fi
 
-    # GitHub dynamic IPs
-    echo "Fetching GitHub IP ranges..."
-    gh_ranges=$(curl -sf --connect-timeout 10 https://api.github.com/meta 2>/dev/null || true)
-    if [ -n "$gh_ranges" ] && echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null 2>&1; then
-        if command -v aggregate >/dev/null 2>&1; then
-            while read -r cidr; do
-                [[ "$cidr" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$ ]] && ipset add allowed-domains "$cidr" 2>/dev/null || true
-            done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]' | aggregate -q 2>/dev/null)
-        else
-            while read -r cidr; do
-                [[ "$cidr" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$ ]] && ipset add allowed-domains "$cidr" 2>/dev/null || true
-            done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]')
-        fi
-        echo "[OK] GitHub IP ranges added"
-    else
-        echo "[WARN] Could not fetch GitHub IPs — resolving github.com directly"
-        for gh_domain in "github.com" "api.github.com" "raw.githubusercontent.com" "objects.githubusercontent.com"; do
-            ips=$(resolve_domain "$gh_domain")
-            while read -r ip; do
-                [ -n "$ip" ] && ipset add allowed-domains "$ip" 2>/dev/null || true
-            done <<< "$ips"
-        done
+echo "Processing GitHub IPs..."
+while read -r cidr; do
+    if [[ ! "$cidr" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$ ]]; then
+        echo "ERROR: Invalid CIDR range from GitHub meta: $cidr"
+        exit 1
     fi
-
-    # Other allowed domains
-    for domain in "${ALLOWED_DOMAINS[@]}"; do
-        echo "Resolving $domain..."
-        ips=$(resolve_domain "$domain")
-        if [ -z "$ips" ]; then
-            echo "[WARN] Failed to resolve $domain — skipping"
-            continue
-        fi
-        while read -r ip; do
-            [ -n "$ip" ] && ipset add allowed-domains "$ip" 2>/dev/null || true
-        done <<< "$ips"
-    done
-
-    # Apply ipset match rule
-    iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
-
-else
-    # ---- iptables-only mode (fallback) ----
-    echo "--- Building iptables allowlist (no ipset) ---"
-
-    # GitHub IPs
-    echo "Fetching GitHub IP ranges..."
-    gh_ranges=$(curl -sf --connect-timeout 10 https://api.github.com/meta 2>/dev/null || true)
-    if [ -n "$gh_ranges" ] && echo "$gh_ranges" | jq -e '.web and .api and .git' >/dev/null 2>&1; then
-        while read -r cidr; do
-            [[ "$cidr" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$ ]] && \
-                iptables -A OUTPUT -d "$cidr" -j ACCEPT 2>/dev/null || true
-        done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]')
-        echo "[OK] GitHub IP ranges added via iptables"
-    else
-        echo "[WARN] Could not fetch GitHub IPs — resolving github.com directly"
-        for gh_domain in "github.com" "api.github.com" "raw.githubusercontent.com" "objects.githubusercontent.com"; do
-            ips=$(resolve_domain "$gh_domain")
-            while read -r ip; do
-                [ -n "$ip" ] && iptables -A OUTPUT -d "$ip" -j ACCEPT 2>/dev/null || true
-            done <<< "$ips"
-        done
+    echo "Adding GitHub range $cidr"
+    ipset add allowed-domains "$cidr"
+done < <(echo "$gh_ranges" | jq -r '(.web + .api + .git)[]' | sort -u | aggregate -q)
+
+# Resolve and add other allowed domains
+for domain in \
+    "registry.npmjs.org" \
+    "api.anthropic.com" \
+    "sentry.io" \
+    "statsig.anthropic.com" \
+    "statsig.com" \
+    "marketplace.visualstudio.com" \
+    "vscode.blob.core.windows.net" \
+    "update.code.visualstudio.com"; do
+    echo "Resolving $domain..."
+    ips=$(dig +noall +answer A "$domain" | awk '$4 == "A" {print $5}' | sort -u)
+    if [ -z "$ips" ]; then
+        echo "ERROR: Failed to resolve $domain"
+        exit 1
     fi
 
-    # Other allowed domains
-    for domain in "${ALLOWED_DOMAINS[@]}"; do
-        echo "Resolving $domain..."
-        ips=$(resolve_domain "$domain")
-        if [ -z "$ips" ]; then
-            echo "[WARN] Failed to resolve $domain — skipping"
-            continue
+    while read -r ip; do
+        if [[ ! "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+            echo "ERROR: Invalid IP from DNS for $domain: $ip"
+            exit 1
         fi
-        while read -r ip; do
-            [ -n "$ip" ] && iptables -A OUTPUT -d "$ip" -j ACCEPT 2>/dev/null || true
-        done <<< "$ips"
-    done
+        echo "Adding $ip for $domain"
+        ipset add allowed-domains "$ip"
+    done < <(echo "$ips")
+done
+
+# Get host IP from default route
+HOST_IP=$(ip route | grep default | cut -d" " -f3)
+if [ -z "$HOST_IP" ]; then
+    echo "ERROR: Failed to detect host IP"
+    exit 1
 fi
 
-# --- 7. Default-deny policies ----------------------------------------------
-echo "--- Applying default-deny policies ---"
+HOST_NETWORK=$(echo "$HOST_IP" | sed "s/\.[0-9]*$/.0\/24/")
+echo "Host network detected as: $HOST_NETWORK"
+
+# Set up remaining iptables rules
+iptables -A INPUT -s "$HOST_NETWORK" -j ACCEPT
+iptables -A OUTPUT -d "$HOST_NETWORK" -j ACCEPT
+
+# Set default policies to DROP first
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT DROP
 
-# Allow established connections
+# First allow established connections for already approved traffic
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
-# Reject everything else with immediate feedback
-iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
+# Then allow only specific outbound traffic to allowed domains
+iptables -A OUTPUT -m set --match-set allowed-domains dst -j ACCEPT
 
-# --- 8. Verification -------------------------------------------------------
-echo "--- Verifying firewall ---"
-VERIFIED=true
+# Explicitly REJECT all other outbound traffic for immediate feedback
+iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
 
+echo "Firewall configuration complete"
+echo "Verifying firewall rules..."
 if curl --connect-timeout 5 https://example.com >/dev/null 2>&1; then
-    echo "[FAIL] Firewall verification failed — reached https://example.com (should be blocked)"
-    VERIFIED=false
+    echo "ERROR: Firewall verification failed - was able to reach https://example.com"
+    exit 1
 else
-    echo "[OK] https://example.com is blocked as expected"
+    echo "Firewall verification passed - unable to reach https://example.com as expected"
 fi
 
-if curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
-    echo "[OK] https://api.github.com is reachable as expected"
+# Verify GitHub API access
+if ! curl --connect-timeout 5 https://api.github.com/zen >/dev/null 2>&1; then
+    echo "ERROR: Firewall verification failed - unable to reach https://api.github.com"
+    exit 1
 else
-    echo "[WARN] https://api.github.com is not reachable — GitHub IPs may have changed"
-    echo "       Claude Code will still work, but git operations may fail"
+    echo "Firewall verification passed - able to reach https://api.github.com as expected"
 fi
+```
 
-if [ "$VERIFIED" = false ]; then
-    echo "=== FIREWALL VERIFICATION FAILED ==="
-    exit 1
-fi
+## Differences from the upstream Claude Code reference
 
-echo "=== Firewall configured successfully ==="
-echo "Mode: $([ "$HAVE_IPSET" = true ] && echo 'ipset' || echo 'iptables-only')"
-echo "Log: $LOG"
-```
+The only change from the [upstream reference](https://github.com/anthropics/claude-code/blob/main/.devcontainer/init-firewall.sh) is `| sort -u` added to two pipelines to deduplicate IPs before `ipset add`:
 
-## Key improvements over the original
+1. **GitHub CIDRs** (line with `aggregate -q`): `jq -r '...'[]' | sort -u | aggregate -q` — deduplicates before aggregation
+2. **Domain resolution** (line with `dig`): `awk ... | sort -u` — deduplicates IPs from DNS (e.g., `marketplace.visualstudio.com` returns the same IP twice)
 
-| Issue | Original behavior | Improved behavior |
-|-------|-------------------|-------------------|
-| Duplicate IPs from DNS | `ipset add` fatal error (exit 1) | Deduplicates via `sort -u` + `ipset add ... \|\| true` |
-| `ipset` not available | Fatal crash | Falls back to iptables-only rules |
-| `aggregate` not available | Fatal crash | Adds CIDRs individually without aggregation |
-| `dig` not available | Fatal crash | Falls back to `getent ahostsv4` |
-| GitHub API unreachable | Fatal crash | Resolves github.com/api.github.com directly |
-| Domain resolution fails | Fatal crash | Skips domain with warning, continues |
-| Host IP detection fails | Fatal crash | Allows all RFC1918 ranges as fallback |
-| Docker DNS restore fails | Silent + potential crash | Handles per-rule with `|| true` |
-| No diagnostic output | Blind exit code 1 | Full log at `/tmp/firewall-init.log` |
-| GitHub unreachable after setup | Fatal crash | Warning only (Claude API is the critical path) |
+Without deduplication, `ipset add` fails with `"Element cannot be added to the set: it's already added"` and `set -euo pipefail` terminates the script.
 
 ## Firewall rules summary
 
 | Rule | Direction | Purpose |
 |------|-----------|---------|
-| DNS (UDP/TCP 53) | Outbound | Domain name resolution |
+| DNS (UDP 53) | Outbound | Domain name resolution |
 | SSH (TCP 22) | Outbound | Git over SSH |
 | Localhost | Both | Container-internal communication |
 | Host network | Both | Docker host ↔ container communication |
-| GitHub IPs | Outbound | Git operations, GitHub API (dynamically fetched or resolved) |
+| GitHub IPs | Outbound | Git operations, GitHub API (dynamically fetched from api.github.com/meta) |
 | npm registry | Outbound | Package installation |
 | api.anthropic.com | Outbound | Claude API calls |
 | sentry.io | Outbound | Error reporting |
@@ -287,7 +170,7 @@ echo "Log: $LOG"
 ## Verification on startup
 
 The script verifies the firewall by:
-1. Confirming `https://example.com` is **blocked** (must fail — otherwise exit 1)
-2. Confirming `https://api.github.com` is **reachable** (warning only if it fails)
+1. Confirming `https://example.com` is **blocked** (should fail)
+2. Confirming `https://api.github.com` is **reachable** (should succeed)
 
-All output is logged to `/tmp/firewall-init.log` for debugging.
+If either check fails, the script exits with an error and the container will not start.