@jojonax/codex-copilot 1.0.0 → 1.0.2

package/README.md

@@ -12,10 +12,10 @@ PRD → Tasks → CodeX Dev → PR → AI Review → Fix → Merge → Next Task
 
 ```bash
 # Install globally
-npm install -g codex-copilot
+npm install -g @jojonax/codex-copilot
 
 # Or run directly without installing
-npx codex-copilot
+npx @jojonax/codex-copilot
 
 # In your project directory:
 codex-copilot init    # Detect PRD, generate task queue
@@ -122,6 +122,13 @@ CodeX develops feature
 - [ ] GitHub Action for fully server-side automation
 - [ ] Support for monorepo / multi-package projects
 
+## Contributing
+
+1. Fork the repo
+2. Create a feature branch (`git checkout -b feat/awesome`)
+3. Commit your changes (`git commit -m 'feat: add awesome feature'`)
+4. Push and open a PR
+
 ## License
 
 MIT © Jonas Qin

package/bin/cli.js

@@ -10,8 +10,7 @@
  *   codex-copilot reset         # 重置状态（重新开始）
  */
 
-import { fileURLToPath } from 'url';
-import { dirname, resolve } from 'path';
+import { resolve } from 'path';
 import { existsSync } from 'fs';
 
 import { init } from '../src/commands/init.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jojonax/codex-copilot",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "PRD-driven automated development orchestrator for CodeX / Cursor",
   "bin": {
     "codex-copilot": "./bin/cli.js"

package/src/commands/init.js

@@ -7,9 +7,8 @@
  * 4. 创建 .codex-copilot/ 目录结构
  */
 
-import { mkdirSync, writeFileSync, readFileSync, existsSync, copyFileSync } from 'fs';
-import { resolve, dirname } from 'path';
-import { fileURLToPath } from 'url';
+import { mkdirSync, writeFileSync, readFileSync, existsSync } from 'fs';
+import { resolve } from 'path';
 import { execSync } from 'child_process';
 import { detectPRD, readPRD } from '../utils/detect-prd.js';
 import { log } from '../utils/logger.js';
@@ -17,8 +16,6 @@ import { ask, confirm, select, closePrompt } from '../utils/prompt.js';
 import { git } from '../utils/git.js';
 import { github } from '../utils/github.js';
 
-const __dirname = dirname(fileURLToPath(import.meta.url));
-
 export async function init(projectDir) {
   log.title('📋 初始化 Codex-Copilot');
   log.blank();
@@ -66,6 +63,12 @@ export async function init(projectDir) {
     log.warn('未自动检测到 PRD 文档');
     const manualPath = await ask('请输入 PRD 文件路径（相对或绝对路径）:');
     prdPath = resolve(projectDir, manualPath);
+    // 防止路径穿越：确保 PRD 路径在项目目录内或是绝对路径
+    if (!prdPath.startsWith(resolve(projectDir)) && !manualPath.startsWith('/')) {
+      log.error('PRD 路径不在项目目录内');
+      closePrompt();
+      process.exit(1);
+    }
     if (!existsSync(prdPath)) {
       log.error(`文件不存在: ${prdPath}`);
       closePrompt();
@@ -187,8 +190,7 @@ export async function init(projectDir) {
     if (autoparse) {
       log.step('调用 CodeX CLI 拆解 PRD...');
       try {
-        const { execSync } = await import('child_process');
-        execSync(`codex -q "${parsePrompt.slice(0, 2000)}"`, {
+        execSync(`codex -q --file .codex-copilot/parse-prd-prompt.md`, {
           cwd: projectDir,
           stdio: 'inherit',
         });
@@ -204,7 +206,8 @@ export async function init(projectDir) {
 
 function checkCodexCLI() {
   try {
-    execSync('which codex', { stdio: 'pipe' });
+    const cmd = process.platform === 'win32' ? 'where codex' : 'which codex';
+    execSync(cmd, { stdio: 'pipe' });
     return true;
   } catch {
     return false;

package/src/commands/run.js

@@ -6,6 +6,7 @@
 
 import { readFileSync, writeFileSync, existsSync } from 'fs';
 import { resolve } from 'path';
+import { execSync } from 'child_process';
 import { log, progressBar } from '../utils/logger.js';
 import { git } from '../utils/git.js';
 import { github } from '../utils/github.js';
@@ -24,10 +25,27 @@ export async function run(projectDir) {
   const statePath = resolve(projectDir, '.codex-copilot/state.json');
   const configPath = resolve(projectDir, '.codex-copilot/config.json');
 
-  const tasks = readJSON(tasksPath);
-  let state = readJSON(statePath);
+  let tasks;
+  let state;
+  try {
+    tasks = readJSON(tasksPath);
+    state = readJSON(statePath);
+  } catch (err) {
+    log.error(`读取任务/状态文件失败: ${err.message}`);
+    log.warn('文件可能已损坏，请运行 codex-copilot reset');
+    closePrompt();
+    process.exit(1);
+  }
   const config = existsSync(configPath) ? readJSON(configPath) : {};
 
+  // 校验 tasks.json 结构
+  if (!tasks.tasks || !Array.isArray(tasks.tasks) || !tasks.total) {
+    log.error('tasks.json 格式无效: 缺少 tasks 数组或 total 字段');
+    log.warn('请重新运行 codex-copilot init 并让 CodeX 重新生成 tasks.json');
+    closePrompt();
+    process.exit(1);
+  }
+
   const baseBranch = config.base_branch || 'main';
   const maxReviewRounds = config.max_review_rounds || 2;
   const pollInterval = config.review_poll_interval || 60;
@@ -78,7 +96,7 @@ export async function run(projectDir) {
     });
 
     // ===== 阶段 4: 合并 =====
-    await mergePhase(projectDir, task, prInfo);
+    await mergePhase(projectDir, task, prInfo, baseBranch);
 
     // 更新任务状态
     task.status = 'completed';
@@ -113,22 +131,14 @@ async function developPhase(projectDir, task, baseBranch) {
   const devPrompt = buildDevPrompt(task);
 
   // 检查是否有 CodeX CLI
-  let codexAvailable = false;
-  try {
-    const { execSync } = await import('child_process');
-    execSync('which codex', { stdio: 'pipe' });
-    codexAvailable = true;
-  } catch {}
+  const codexAvailable = isCodexAvailable();
 
   if (codexAvailable) {
     log.info('检测到 CodeX CLI，自动执行...');
     const autoRun = await confirm('自动调用 CodeX 开发？');
     if (autoRun) {
       try {
-        const { execSync } = await import('child_process');
-        // 将 prompt 写入临时文件
         const promptPath = resolve(projectDir, '.codex-copilot/_current_prompt.md');
-        const { writeFileSync } = await import('fs');
         writeFileSync(promptPath, devPrompt);
         execSync(`codex -q --file .codex-copilot/_current_prompt.md`, {
           cwd: projectDir,
@@ -154,17 +164,12 @@ async function developPhase(projectDir, task, baseBranch) {
 
   // 同时将 Prompt 保存到文件，方便复制
   const promptPath = resolve(projectDir, '.codex-copilot/_current_prompt.md');
-  const { writeFileSync: ws } = await import('fs');
-  ws(promptPath, devPrompt);
+  writeFileSync(promptPath, devPrompt);
   log.dim(`Prompt 已保存到 .codex-copilot/_current_prompt.md (可直接复制文件内容)`);
   log.blank();
 
-  // 尝试复制到剪贴板
-  try {
-    const { execSync } = await import('child_process');
-    execSync(`echo '${devPrompt.replace(/'/g, "\\'")}' | pbcopy`, { stdio: 'pipe' });
-    log.info('📋 已复制到剪贴板！直接到 CodeX 中粘贴即可');
-  } catch {}
+  // 尝试复制到剪贴板（通过 stdin 传入，避免 shell 注入）
+  copyToClipboard(devPrompt);
 
   await ask('CodeX 开发完成后按 Enter 继续...');
 }
@@ -201,14 +206,20 @@ async function prPhase(projectDir, task, baseBranch) {
     // PR 可能已存在
     log.warn(`创建 PR 异常: ${err.message}`);
     const prNumber = await ask('请输入已存在的 PR 编号:');
-    return { number: parseInt(prNumber), url: '' };
+    const parsed = parseInt(prNumber, 10);
+    if (isNaN(parsed) || parsed <= 0) {
+      log.error('无效的 PR 编号');
+      throw new Error('无效的 PR 编号');
+    }
+    return { number: parsed, url: '' };
   }
 }
 
 // ──────────────────────────────────────────────
 // 阶段 3: Review 循环
 // ──────────────────────────────────────────────
-async function reviewLoop(projectDir, task, prInfo, { maxRounds, pollInterval, waitTimeout }) {
+async function reviewLoop(projectDir, task, prInfo, { maxRounds: _maxRounds, pollInterval, waitTimeout }) {
+  let maxRounds = _maxRounds;
   log.step('阶段 3/4: 等待 Review');
 
   for (let round = 1; round <= maxRounds; round++) {
@@ -287,7 +298,7 @@ async function waitForReview(projectDir, prNumber, pollInterval, timeout) {
     const hasNewReview = currentReviews.length > startReviewCount;
     const hasBotComment = currentComments.some(c =>
       (c.user?.type === 'Bot' || c.user?.login?.includes('bot')) &&
-      new Date(c.created_at) > new Date(Date.now() - elapsed * 1000)
+      new Date(c.created_at).getTime() > (Date.now() - elapsed * 1000)
     );
 
     if (hasNewReview || hasBotComment) {
@@ -320,22 +331,15 @@ ${feedback}
 
   // 保存到文件并提示用户
   const promptPath = resolve(projectDir, '.codex-copilot/_current_prompt.md');
-  const { writeFileSync } = await import('fs');
   writeFileSync(promptPath, fixPrompt);
 
   // 尝试 CodeX CLI
-  let codexAvailable = false;
-  try {
-    const { execSync } = await import('child_process');
-    execSync('which codex', { stdio: 'pipe' });
-    codexAvailable = true;
-  } catch {}
+  const codexAvailable = isCodexAvailable();
 
   if (codexAvailable) {
     const autoFix = await confirm('自动调用 CodeX 修复？');
     if (autoFix) {
       try {
-        const { execSync } = await import('child_process');
         execSync(`codex -q --file .codex-copilot/_current_prompt.md`, {
           cwd: projectDir,
           stdio: 'inherit',
@@ -353,11 +357,7 @@ ${feedback}
   log.dim(`Review 修复 Prompt 已保存到 .codex-copilot/_current_prompt.md`);
   log.dim('请将文件内容粘贴到 CodeX 执行');
 
-  try {
-    const { execSync } = await import('child_process');
-    execSync(`cat .codex-copilot/_current_prompt.md | pbcopy`, { cwd: projectDir, stdio: 'pipe' });
-    log.info('📋 已复制到剪贴板');
-  } catch {}
+  copyToClipboard(fixPrompt);
 
   await ask('CodeX 修复完成后按 Enter 继续...');
 }
@@ -365,7 +365,7 @@ ${feedback}
 // ──────────────────────────────────────────────
 // 阶段 4: 合并
 // ──────────────────────────────────────────────
-async function mergePhase(projectDir, task, prInfo) {
+async function mergePhase(projectDir, task, prInfo, baseBranch) {
   log.step('阶段 4/4: 合并 PR');
 
   const doMerge = await confirm(`合并 PR #${prInfo.number}？`);
@@ -384,9 +384,7 @@ async function mergePhase(projectDir, task, prInfo) {
   }
 
   // 切回主分支
-  const configPath = resolve(projectDir, '.codex-copilot/config.json');
-  const config = JSON.parse(readFileSync(configPath, 'utf-8'));
-  git.checkoutMain(projectDir, config.base_branch || 'main');
+  git.checkoutMain(projectDir, baseBranch);
 }
 
 function buildDevPrompt(task) {
@@ -411,3 +409,20 @@ ${task.acceptance.map(a => `- ${a}`).join('\n')}
 function sleep(ms) {
   return new Promise(resolve => setTimeout(resolve, ms));
 }
+
+function isCodexAvailable() {
+  try {
+    const cmd = process.platform === 'win32' ? 'where codex' : 'which codex';
+    execSync(cmd, { stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function copyToClipboard(text) {
+  try {
+    execSync('pbcopy', { input: text, stdio: ['pipe', 'pipe', 'pipe'] });
+    log.info('📋 已复制到剪贴板');
+  } catch {}
+}

package/src/commands/status.js

@@ -10,8 +10,15 @@ export async function status(projectDir) {
   const tasksPath = resolve(projectDir, '.codex-copilot/tasks.json');
   const statePath = resolve(projectDir, '.codex-copilot/state.json');
 
-  const tasks = JSON.parse(readFileSync(tasksPath, 'utf-8'));
-  const state = JSON.parse(readFileSync(statePath, 'utf-8'));
+  let tasks, state;
+  try {
+    tasks = JSON.parse(readFileSync(tasksPath, 'utf-8'));
+    state = JSON.parse(readFileSync(statePath, 'utf-8'));
+  } catch (err) {
+    log.error(`读取文件失败: ${err.message}`);
+    log.warn('文件可能已损坏，请运行 codex-copilot reset');
+    return;
+  }
 
   log.title(`📊 项目: ${tasks.project}`);
   log.blank();

package/src/utils/detect-prd.js

@@ -4,7 +4,7 @@
  */
 
 import { readdirSync, readFileSync, statSync } from 'fs';
-import { resolve, basename, extname } from 'path';
+import { resolve, extname, relative } from 'path';
 import { log } from './logger.js';
 
 // PRD 文件名匹配模式（优先级由高到低）
@@ -89,7 +89,7 @@ function scanDir(dir, projectDir, candidates, depth) {
     if (score > 0) {
       candidates.push({
         path: fullPath,
-        relativePath: fullPath.replace(projectDir + '/', ''),
+        relativePath: relative(projectDir, fullPath),
         name: entry.name,
         score,
       });

package/src/utils/git.js

@@ -17,6 +17,15 @@ function execSafe(cmd, cwd) {
   }
 }
 
+// 校验分支名，防止 shell 注入
+function validateBranch(name) {
+  if (!name || typeof name !== 'string') throw new Error('分支名不能为空');
+  if (/[;&|`$(){}\[\]!\\<>"'\s]/.test(name)) {
+    throw new Error(`分支名包含不安全字符: ${name}`);
+  }
+  return name;
+}
+
 /**
  * 检查 git 仓库是否干净
  */
@@ -47,6 +56,8 @@ export function getRepoInfo(cwd) {
  * 切换到目标分支（如不存在则创建）
  */
 export function checkoutBranch(cwd, branch, baseBranch = 'main') {
+  validateBranch(branch);
+  validateBranch(baseBranch);
   const current = currentBranch(cwd);
   if (current === branch) return;
 
@@ -71,14 +82,19 @@ export function commitAll(cwd, message) {
     log.dim('没有变更需要提交');
     return false;
   }
-  exec(`git commit -m "${message}"`, cwd);
+  exec(`git commit -m ${shellEscape(message)}`, cwd);
   return true;
 }
 
+function shellEscape(str) {
+  return `'${str.replace(/'/g, "'\\''")}'`
+}
+
 /**
  * 推送分支
  */
 export function pushBranch(cwd, branch) {
+  validateBranch(branch);
   exec(`git push origin ${branch} --force-with-lease`, cwd);
 }
 
@@ -86,6 +102,7 @@ export function pushBranch(cwd, branch) {
  * 切回主分支
  */
 export function checkoutMain(cwd, baseBranch = 'main') {
+  validateBranch(baseBranch);
   execSafe(`git checkout ${baseBranch}`, cwd);
 }
 

package/src/utils/github.js

@@ -11,7 +11,16 @@ function gh(cmd, cwd) {
 
 function ghJSON(cmd, cwd) {
   const output = gh(cmd, cwd);
-  return output ? JSON.parse(output) : null;
+  if (!output) return null;
+  try {
+    return JSON.parse(output);
+  } catch {
+    return null;
+  }
+}
+
+function shellEscape(str) {
+  return `'${str.replace(/'/g, "'\\''")}'`
 }
 
 /**
@@ -31,7 +40,7 @@ export function checkGhAuth() {
  */
 export function createPR(cwd, { title, body, base = 'main', head }) {
   const output = gh(
-    `pr create --title "${title}" --body "${body}" --base ${base} --head ${head}`,
+    `pr create --title ${shellEscape(title)} --body ${shellEscape(body)} --base ${base} --head ${head}`,
     cwd
   );
   // 从输出中提取 PR URL 和编号
@@ -52,7 +61,8 @@ export function createPR(cwd, { title, body, base = 'main', head }) {
  */
 export function getReviews(cwd, prNumber) {
   try {
-    return ghJSON(`api repos/{owner}/{repo}/pulls/${prNumber}/reviews`, cwd) || [];
+    const num = validatePRNumber(prNumber);
+    return ghJSON(`api repos/{owner}/{repo}/pulls/${num}/reviews`, cwd) || [];
   } catch {
     return [];
   }
@@ -63,7 +73,8 @@ export function getReviews(cwd, prNumber) {
  */
 export function getReviewComments(cwd, prNumber) {
   try {
-    return ghJSON(`api repos/{owner}/{repo}/pulls/${prNumber}/comments`, cwd) || [];
+    const num = validatePRNumber(prNumber);
+    return ghJSON(`api repos/{owner}/{repo}/pulls/${num}/comments`, cwd) || [];
   } catch {
     return [];
   }
@@ -74,7 +85,8 @@ export function getReviewComments(cwd, prNumber) {
  */
 export function getIssueComments(cwd, prNumber) {
   try {
-    return ghJSON(`api repos/{owner}/{repo}/issues/${prNumber}/comments`, cwd) || [];
+    const num = validatePRNumber(prNumber);
+    return ghJSON(`api repos/{owner}/{repo}/issues/${num}/comments`, cwd) || [];
   } catch {
     return [];
   }
@@ -99,7 +111,18 @@ export function getLatestReviewState(cwd, prNumber) {
  * 合并 PR
  */
 export function mergePR(cwd, prNumber, method = 'squash') {
-  gh(`pr merge ${prNumber} --${method} --delete-branch`, cwd);
+  const num = validatePRNumber(prNumber);
+  const validMethods = ['squash', 'merge', 'rebase'];
+  if (!validMethods.includes(method)) {
+    throw new Error(`无效的合并方式: ${method}`);
+  }
+  gh(`pr merge ${num} --${method} --delete-branch`, cwd);
+}
+
+function validatePRNumber(prNumber) {
+  const num = parseInt(prNumber, 10);
+  if (isNaN(num) || num <= 0) throw new Error(`无效的 PR 编号: ${prNumber}`);
+  return num;
 }
 
 /**

package/src/utils/logger.js

@@ -28,6 +28,11 @@ export const log = {
  */
 export function progressBar(current, total, label = '') {
   const width = 30;
+  if (total <= 0) {
+    const bar = '░'.repeat(width);
+    console.log(`  ${COLORS.cyan}[${bar}]${COLORS.reset} 0% ${label}`);
+    return;
+  }
   const filled = Math.round((current / total) * width);
   const bar = '█'.repeat(filled) + '░'.repeat(width - filled);
   const pct = Math.round((current / total) * 100);