@jiggai/recipes 0.4.56 → 0.4.59

package/openclaw.plugin.json

@@ -2,7 +2,7 @@
   "id": "recipes",
   "name": "Recipes",
   "description": "Markdown recipes that scaffold agents and teams (workspace-local).",
-  "version": "0.4.56",
+  "version": "0.4.59",
   "configSchema": {
     "type": "object",
     "additionalProperties": false,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jiggai/recipes",
-  "version": "0.4.56",
+  "version": "0.4.59",
   "description": "ClawRecipes plugin for OpenClaw (markdown recipes -> scaffold agents/teams)",
   "main": "index.ts",
   "type": "commonjs",
@@ -13,7 +13,7 @@
       "pluginApiRange": ">=2026.3"
     },
     "build": {
-      "openclawVersion": "2026.3.28"
+      "openclawVersion": "2026.4.20"
     }
   },
   "publishConfig": {

package/recipes/default/swarm-orchestrator.md

@@ -542,6 +542,10 @@ templates:
       [[ "$1" =~ ^[a-z0-9][a-z0-9-]{0,62}$ ]]
     }
 
+    safe_ref() {
+      [[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9._/-]{0,199}$ ]]
+    }
+
     cmd="${1:-}"
     shift || true
 
@@ -559,7 +563,7 @@ templates:
         task_id=""
         spec_text=""
         spec_file_in=""
-        base_ref="${SWARM_BASE_REF}"
+        base_ref="${SWARM_BASE_REF:-}"
         branch=""
         tmux_session=""
         agent_kind="codex"
@@ -635,6 +639,14 @@ templates:
           echo "Worktree directory already exists: $worktree_dir" >&2
           exit 2
         fi
+        if ! safe_ref "$base_ref"; then
+          echo "invalid --base-ref: must match ^[A-Za-z0-9][A-Za-z0-9._/-]{0,199}$" >&2
+          exit 2
+        fi
+        if ! safe_ref "$branch"; then
+          echo "invalid --branch: must match ^[A-Za-z0-9][A-Za-z0-9._/-]{0,199}$" >&2
+          exit 2
+        fi
         git worktree add "$worktree_dir" -b "$branch" "$base_ref"
 
         # Start tmux session.

package/src/lib/workflows/workflow-node-executor.ts

@@ -13,7 +13,7 @@ import {
   asRecord, asString,
   ensureDir, fileExists,
   moveRunTicket, appendRunLog, nodeLabel,
-  loadNodeStatesFromRun, sanitizeDraftOnlyText, templateReplace,
+  loadNodeStatesFromRun, sanitizeDraftOnlyText, templateReplace, expandFileIncludes,
 } from './workflow-utils';
 
 export async function resolveApprovalBindingTarget(api: OpenClawPluginApi, bindingId: string): Promise<{ channel: string; target: string; accountId?: string }> {
@@ -180,7 +180,10 @@ export async function executeWorkflowNodes(opts: {
       }
       await ensureDir(path.dirname(nodeOutputAbs));
 
-      const prompt = promptTemplateInline ? promptTemplateInline : await readTextFile(promptPathAbs);
+      const promptRaw = promptTemplateInline ? promptTemplateInline : await readTextFile(promptPathAbs);
+      // Inline `{{file:<relative-path>}}` contents so LLM nodes can see workspace files
+      // they cannot fetch themselves (llm-task is one-shot, no tool loop).
+      const prompt = await expandFileIncludes(promptRaw, teamDir);
       const task = [
         `You are executing a workflow run for teamId=${teamId}.`,
         `Workflow: ${workflow.name ?? workflow.id ?? workflowFile}`,

package/src/lib/workflows/workflow-utils.ts

@@ -158,6 +158,81 @@ export function templateReplace(input: string, vars: Record<string, string>) {
   return out;
 }
 
+export const FILE_INCLUDE_MAX_BYTES_DEFAULT = 256 * 1024;
+
+/**
+ * Expand `{{file:<relative-path>}}` markers by inlining the contents of files
+ * under the team workspace. Intended for LLM prompts where the model cannot
+ * call a read_file tool itself (workflow llm-task is one-shot, no tool loop).
+ *
+ * Safety:
+ *  - paths are treated as RELATIVE TO teamDir
+ *  - rejects absolute paths, paths with `..`, and paths that escape teamDir (incl. via symlink)
+ *  - enforces a per-include byte cap (default 256KB)
+ *
+ * On any rejection the marker is replaced with a short `[[file-include …]]`
+ * note so the LLM sees the failure context instead of the pipeline blowing up.
+ */
+export async function expandFileIncludes(
+  input: string,
+  teamDir: string,
+  opts: { maxBytes?: number } = {},
+): Promise<string> {
+  const text = String(input ?? '');
+  const pattern = /\{\{\s*file:([^}]+?)\s*\}\}/g;
+  const matches = Array.from(text.matchAll(pattern));
+  if (!matches.length) return text;
+
+  const maxBytes = opts.maxBytes ?? FILE_INCLUDE_MAX_BYTES_DEFAULT;
+  const teamDirResolvedRaw = path.resolve(teamDir);
+  // Resolve symlinks on teamDir too so comparisons below are apples-to-apples.
+  // On macOS, os.tmpdir() returns /var/... but realpath yields /private/var/... .
+  let teamDirResolved = teamDirResolvedRaw;
+  try { teamDirResolved = await fs.realpath(teamDirResolvedRaw); } catch { /* fall back to resolved */ }
+  const teamDirPrefix = teamDirResolved + path.sep;
+
+  const resolved = new Map<string, string>();
+  for (const m of matches) {
+    const rawPath = m[1].trim();
+    if (resolved.has(rawPath)) continue;
+
+    if (!rawPath || path.isAbsolute(rawPath) || rawPath.split('/').includes('..')) {
+      resolved.set(rawPath, `[[file-include rejected: unsafe path "${rawPath}"]]`);
+      continue;
+    }
+
+    const candidate = path.resolve(teamDirResolved, rawPath);
+    if (candidate !== teamDirResolved && !candidate.startsWith(teamDirPrefix)) {
+      resolved.set(rawPath, `[[file-include rejected: outside team workspace "${rawPath}"]]`);
+      continue;
+    }
+
+    try {
+      const real = await fs.realpath(candidate);
+      if (real !== teamDirResolved && !real.startsWith(teamDirPrefix)) {
+        resolved.set(rawPath, `[[file-include rejected: symlink escapes team workspace "${rawPath}"]]`);
+        continue;
+      }
+      const stat = await fs.stat(real);
+      if (!stat.isFile()) {
+        resolved.set(rawPath, `[[file-include rejected: not a regular file "${rawPath}"]]`);
+        continue;
+      }
+      if (stat.size > maxBytes) {
+        resolved.set(rawPath, `[[file-include rejected: "${rawPath}" size ${stat.size}B exceeds ${maxBytes}B cap]]`);
+        continue;
+      }
+      const content = await fs.readFile(real, 'utf8');
+      resolved.set(rawPath, content);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      resolved.set(rawPath, `[[file-include failed: "${rawPath}" — ${msg}]]`);
+    }
+  }
+
+  return text.replace(pattern, (_full, raw) => resolved.get(String(raw).trim()) ?? '');
+}
+
 export function sanitizeDraftOnlyText(text: string): string {
   // Back-compat: older workflow nodes mention 'draft only'.
   // New canonical sanitizer also strips other internal-only disclaimer lines.

package/src/lib/workflows/workflow-worker.ts

@@ -22,7 +22,7 @@ import {
   moveRunTicket, appendRunLog, writeRunFile, loadRunFile,
   runFilePathFor, nodeLabel,
   loadNodeStatesFromRun, pickNextRunnableNodeIndex,
-  sanitizeDraftOnlyText, templateReplace,
+  sanitizeDraftOnlyText, templateReplace, expandFileIncludes,
 } from './workflow-utils';
 
 /**
@@ -780,7 +780,10 @@ export async function runWorkflowWorkerTick(api: OpenClawPluginApi, opts: {
       const promptRaw = promptTemplateInline ? promptTemplateInline : await readTextFile(promptPathAbs);
 
       const vars = await buildTemplateVars(teamDir, runsDir, runId, workflowFile, workflow);
-      const prompt = templateReplace(promptRaw, vars);
+      const promptVarsResolved = templateReplace(promptRaw, vars);
+      // Inline `{{file:<relative-path>}}` contents so LLM nodes can see workspace files
+      // they cannot fetch themselves (llm-task is one-shot, no tool loop).
+      const prompt = await expandFileIncludes(promptVarsResolved, teamDir);
 
       // Build output format instructions from outputFields when defined
       const nodeConfig = asRecord((node as unknown as Record<string, unknown>)['config']);
@@ -1240,7 +1243,8 @@ export async function runWorkflowWorkerTick(api: OpenClawPluginApi, opts: {
       const vars = await buildTemplateVars(teamDir, runsDir, task.runId, workflowFile, workflow);
       // Add node-level vars that templateReplace doesn't normally include
       vars['node.id'] = node.id;
-      const prompt = templateReplace(promptTemplateRaw, vars);
+      const promptVarsResolved = templateReplace(promptTemplateRaw, vars);
+      const prompt = await expandFileIncludes(promptVarsResolved, teamDir);
       const outputRelPath = templateReplace(outputPathRaw, vars);
 
       const defaultNodeOutputRel = path.join('node-outputs', `${String(nodeIdx).padStart(3, '0')}-${node.id}.json`);