npm - @jojonax/codex-copilot - Versions diffs - 1.0.1 → 1.0.2 - Mend

@jojonax/codex-copilot 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@jojonax/codex-copilot",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "PRD-driven automated development orchestrator for CodeX / Cursor",
   "bin": {
     "codex-copilot": "./bin/cli.js"

package/src/commands/init.js CHANGED Viewed

@@ -8,8 +8,7 @@
  */
 import { mkdirSync, writeFileSync, readFileSync, existsSync } from 'fs';
-import { resolve, dirname } from 'path';
-import { fileURLToPath } from 'url';
+import { resolve } from 'path';
 import { execSync } from 'child_process';
 import { detectPRD, readPRD } from '../utils/detect-prd.js';
 import { log } from '../utils/logger.js';
@@ -17,8 +16,6 @@ import { ask, confirm, select, closePrompt } from '../utils/prompt.js';
 import { git } from '../utils/git.js';
 import { github } from '../utils/github.js';
-const __dirname = dirname(fileURLToPath(import.meta.url));
 export async function init(projectDir) {
   log.title('📋 初始化 Codex-Copilot');
   log.blank();
@@ -66,6 +63,12 @@ export async function init(projectDir) {
     log.warn('未自动检测到 PRD 文档');
     const manualPath = await ask('请输入 PRD 文件路径（相对或绝对路径）:');
     prdPath = resolve(projectDir, manualPath);
+    // 防止路径穿越：确保 PRD 路径在项目目录内或是绝对路径
+    if (!prdPath.startsWith(resolve(projectDir)) && !manualPath.startsWith('/')) {
+      log.error('PRD 路径不在项目目录内');
+      closePrompt();
+      process.exit(1);
+    }
     if (!existsSync(prdPath)) {
       log.error(`文件不存在: ${prdPath}`);
       closePrompt();
@@ -187,8 +190,7 @@ export async function init(projectDir) {
     if (autoparse) {
       log.step('调用 CodeX CLI 拆解 PRD...');
       try {
-        const { execSync } = await import('child_process');
-        execSync(`codex -q "${parsePrompt.slice(0, 2000)}"`, {
+        execSync(`codex -q --file .codex-copilot/parse-prd-prompt.md`, {
           cwd: projectDir,
           stdio: 'inherit',
         });
@@ -204,7 +206,8 @@ export async function init(projectDir) {
 function checkCodexCLI() {
   try {
-    execSync('which codex', { stdio: 'pipe' });
+    const cmd = process.platform === 'win32' ? 'where codex' : 'which codex';
+    execSync(cmd, { stdio: 'pipe' });
     return true;
   } catch {
     return false;

package/src/commands/run.js CHANGED Viewed

@@ -25,10 +25,27 @@ export async function run(projectDir) {
   const statePath = resolve(projectDir, '.codex-copilot/state.json');
   const configPath = resolve(projectDir, '.codex-copilot/config.json');
-  const tasks = readJSON(tasksPath);
-  let state = readJSON(statePath);
+  let tasks;
+  let state;
+  try {
+    tasks = readJSON(tasksPath);
+    state = readJSON(statePath);
+  } catch (err) {
+    log.error(`读取任务/状态文件失败: ${err.message}`);
+    log.warn('文件可能已损坏，请运行 codex-copilot reset');
+    closePrompt();
+    process.exit(1);
+  }
   const config = existsSync(configPath) ? readJSON(configPath) : {};
+  // 校验 tasks.json 结构
+  if (!tasks.tasks || !Array.isArray(tasks.tasks) || !tasks.total) {
+    log.error('tasks.json 格式无效: 缺少 tasks 数组或 total 字段');
+    log.warn('请重新运行 codex-copilot init 并让 CodeX 重新生成 tasks.json');
+    closePrompt();
+    process.exit(1);
+  }
   const baseBranch = config.base_branch || 'main';
   const maxReviewRounds = config.max_review_rounds || 2;
   const pollInterval = config.review_poll_interval || 60;
@@ -79,7 +96,7 @@ export async function run(projectDir) {
     });
     // ===== 阶段 4: 合并 =====
-    await mergePhase(projectDir, task, prInfo);
+    await mergePhase(projectDir, task, prInfo, baseBranch);
     // 更新任务状态
     task.status = 'completed';
@@ -189,7 +206,12 @@ async function prPhase(projectDir, task, baseBranch) {
     // PR 可能已存在
     log.warn(`创建 PR 异常: ${err.message}`);
     const prNumber = await ask('请输入已存在的 PR 编号:');
-    return { number: parseInt(prNumber), url: '' };
+    const parsed = parseInt(prNumber, 10);
+    if (isNaN(parsed) || parsed <= 0) {
+      log.error('无效的 PR 编号');
+      throw new Error('无效的 PR 编号');
+    }
+    return { number: parsed, url: '' };
   }
 }
@@ -276,7 +298,7 @@ async function waitForReview(projectDir, prNumber, pollInterval, timeout) {
     const hasNewReview = currentReviews.length > startReviewCount;
     const hasBotComment = currentComments.some(c =>
       (c.user?.type === 'Bot' || c.user?.login?.includes('bot')) &&
-      new Date(c.created_at) > new Date(Date.now() - elapsed * 1000)
+      new Date(c.created_at).getTime() > (Date.now() - elapsed * 1000)
     );
     if (hasNewReview || hasBotComment) {
@@ -343,7 +365,7 @@ ${feedback}
 // ──────────────────────────────────────────────
 // 阶段 4: 合并
 // ──────────────────────────────────────────────
-async function mergePhase(projectDir, task, prInfo) {
+async function mergePhase(projectDir, task, prInfo, baseBranch) {
   log.step('阶段 4/4: 合并 PR');
   const doMerge = await confirm(`合并 PR #${prInfo.number}？`);
@@ -362,9 +384,7 @@ async function mergePhase(projectDir, task, prInfo) {
   }
   // 切回主分支
-  const configPath = resolve(projectDir, '.codex-copilot/config.json');
-  const config = JSON.parse(readFileSync(configPath, 'utf-8'));
-  git.checkoutMain(projectDir, config.base_branch || 'main');
+  git.checkoutMain(projectDir, baseBranch);
 }
 function buildDevPrompt(task) {
@@ -392,7 +412,8 @@ function sleep(ms) {
 function isCodexAvailable() {
   try {
-    execSync('which codex', { stdio: 'pipe' });
+    const cmd = process.platform === 'win32' ? 'where codex' : 'which codex';
+    execSync(cmd, { stdio: 'pipe' });
     return true;
   } catch {
     return false;

package/src/commands/status.js CHANGED Viewed

@@ -10,8 +10,15 @@ export async function status(projectDir) {
   const tasksPath = resolve(projectDir, '.codex-copilot/tasks.json');
   const statePath = resolve(projectDir, '.codex-copilot/state.json');
-  const tasks = JSON.parse(readFileSync(tasksPath, 'utf-8'));
-  const state = JSON.parse(readFileSync(statePath, 'utf-8'));
+  let tasks, state;
+  try {
+    tasks = JSON.parse(readFileSync(tasksPath, 'utf-8'));
+    state = JSON.parse(readFileSync(statePath, 'utf-8'));
+  } catch (err) {
+    log.error(`读取文件失败: ${err.message}`);
+    log.warn('文件可能已损坏，请运行 codex-copilot reset');
+    return;
+  }
   log.title(`📊 项目: ${tasks.project}`);
   log.blank();

package/src/utils/detect-prd.js CHANGED Viewed

@@ -4,7 +4,7 @@
  */
 import { readdirSync, readFileSync, statSync } from 'fs';
-import { resolve, extname } from 'path';
+import { resolve, extname, relative } from 'path';
 import { log } from './logger.js';
 // PRD 文件名匹配模式（优先级由高到低）
@@ -89,7 +89,7 @@ function scanDir(dir, projectDir, candidates, depth) {
     if (score > 0) {
       candidates.push({
         path: fullPath,
-        relativePath: fullPath.replace(projectDir + '/', ''),
+        relativePath: relative(projectDir, fullPath),
         name: entry.name,
         score,
       });

package/src/utils/git.js CHANGED Viewed

@@ -17,6 +17,15 @@ function execSafe(cmd, cwd) {
   }
 }
+// 校验分支名，防止 shell 注入
+function validateBranch(name) {
+  if (!name || typeof name !== 'string') throw new Error('分支名不能为空');
+  if (/[;&|`$(){}\[\]!\\<>"'\s]/.test(name)) {
+    throw new Error(`分支名包含不安全字符: ${name}`);
+  }
+  return name;
+}
 /**
  * 检查 git 仓库是否干净
  */
@@ -47,6 +56,8 @@ export function getRepoInfo(cwd) {
  * 切换到目标分支（如不存在则创建）
  */
 export function checkoutBranch(cwd, branch, baseBranch = 'main') {
+  validateBranch(branch);
+  validateBranch(baseBranch);
   const current = currentBranch(cwd);
   if (current === branch) return;
@@ -83,6 +94,7 @@ function shellEscape(str) {
  * 推送分支
  */
 export function pushBranch(cwd, branch) {
+  validateBranch(branch);
   exec(`git push origin ${branch} --force-with-lease`, cwd);
 }
@@ -90,6 +102,7 @@ export function pushBranch(cwd, branch) {
  * 切回主分支
  */
 export function checkoutMain(cwd, baseBranch = 'main') {
+  validateBranch(baseBranch);
   execSafe(`git checkout ${baseBranch}`, cwd);
 }

package/src/utils/github.js CHANGED Viewed

@@ -11,7 +11,12 @@ function gh(cmd, cwd) {
 function ghJSON(cmd, cwd) {
   const output = gh(cmd, cwd);
-  return output ? JSON.parse(output) : null;
+  if (!output) return null;
+  try {
+    return JSON.parse(output);
+  } catch {
+    return null;
+  }
 }
 function shellEscape(str) {
@@ -56,7 +61,8 @@ export function createPR(cwd, { title, body, base = 'main', head }) {
  */
 export function getReviews(cwd, prNumber) {
   try {
-    return ghJSON(`api repos/{owner}/{repo}/pulls/${prNumber}/reviews`, cwd) || [];
+    const num = validatePRNumber(prNumber);
+    return ghJSON(`api repos/{owner}/{repo}/pulls/${num}/reviews`, cwd) || [];
   } catch {
     return [];
   }
@@ -67,7 +73,8 @@ export function getReviews(cwd, prNumber) {
  */
 export function getReviewComments(cwd, prNumber) {
   try {
-    return ghJSON(`api repos/{owner}/{repo}/pulls/${prNumber}/comments`, cwd) || [];
+    const num = validatePRNumber(prNumber);
+    return ghJSON(`api repos/{owner}/{repo}/pulls/${num}/comments`, cwd) || [];
   } catch {
     return [];
   }
@@ -78,7 +85,8 @@ export function getReviewComments(cwd, prNumber) {
  */
 export function getIssueComments(cwd, prNumber) {
   try {
-    return ghJSON(`api repos/{owner}/{repo}/issues/${prNumber}/comments`, cwd) || [];
+    const num = validatePRNumber(prNumber);
+    return ghJSON(`api repos/{owner}/{repo}/issues/${num}/comments`, cwd) || [];
   } catch {
     return [];
   }
@@ -103,7 +111,18 @@ export function getLatestReviewState(cwd, prNumber) {
  * 合并 PR
  */
 export function mergePR(cwd, prNumber, method = 'squash') {
-  gh(`pr merge ${prNumber} --${method} --delete-branch`, cwd);
+  const num = validatePRNumber(prNumber);
+  const validMethods = ['squash', 'merge', 'rebase'];
+  if (!validMethods.includes(method)) {
+    throw new Error(`无效的合并方式: ${method}`);
+  }
+  gh(`pr merge ${num} --${method} --delete-branch`, cwd);
+}
+function validatePRNumber(prNumber) {
+  const num = parseInt(prNumber, 10);
+  if (isNaN(num) || num <= 0) throw new Error(`无效的 PR 编号: ${prNumber}`);
+  return num;
 }
 /**

package/src/utils/logger.js CHANGED Viewed

@@ -28,6 +28,11 @@ export const log = {
  */
 export function progressBar(current, total, label = '') {
   const width = 30;
+  if (total <= 0) {
+    const bar = '░'.repeat(width);
+    console.log(`  ${COLORS.cyan}[${bar}]${COLORS.reset} 0% ${label}`);
+    return;
+  }
   const filled = Math.round((current / total) * width);
   const bar = '█'.repeat(filled) + '░'.repeat(width - filled);
   const pct = Math.round((current / total) * 100);