npm - @nalvietnam/avatar-cli - Versions diffs - 1.6.4 → 1.7.1 - Mend

@nalvietnam/avatar-cli 1.6.4 → 1.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js +142 -15
package/dist/index.js.map +1 -1
package/dist/lib/print-welcome-screen.js +1 -1
package/dist/lib/print-welcome-screen.js.map +1 -1
package/dist/templates/gitignore.tpl +5 -0
package/package.json +1 -1
package/src/templates/gitignore.tpl +5 -0

package/dist/index.js CHANGED Viewed

@@ -761,6 +761,14 @@ async function writeClaudeSettings(workspacePath, input6) {
 // src/lib/run-ai-setup-phase.ts
 var SUBSCRIPTION_DEFAULT_MODEL = "sonnet";
+function warnAboutPlaintextSecret(providerLabel) {
+  log.warn(
+    `\u{1F512} ${providerLabel} key \u0111\xE3 l\u01B0u PLAINTEXT v\xE0o .claude/settings.json.
+   File n\xE0y \u0111\u01B0\u1EE3c gitignore t\u1EEB Avatar v1.7.0, nh\u01B0ng workspace c\u0169 c\xF3 th\u1EC3 CH\u01AFA.
+   Ki\u1EC3m tra: grep '.claude/settings.json' .gitignore
+   N\u1EBFu ch\u01B0a c\xF3 \u2192 TH\xCAM NGAY, tr\xE1nh leak key khi commit/push.`
+  );
+}
 async function runAiSetupPhase(args) {
   try {
     log.info("Setup AI provider cho workspace...");
@@ -819,6 +827,7 @@ async function runAiSetupPhase(args) {
           `provider=llmlite,result=ok,model=${llmConfig.model},base=${llmConfig.baseUrl}`
         );
         log.success(`AI ready \xB7 LLMLite \xB7 model=${llmConfig.model} \xB7 ${llmConfig.baseUrl}`);
+        warnAboutPlaintextSecret("LLMLite");
         return { ok: true, provider: "llmlite", model: llmConfig.model };
       }
       case "anthropic": {
@@ -836,6 +845,7 @@ async function runAiSetupPhase(args) {
         log.success(
           `AI ready \xB7 Anthropic Direct \xB7 model=${anthropicConfig.model} \xB7 ${anthropicConfig.baseUrl}`
         );
+        warnAboutPlaintextSecret("Anthropic Direct API");
         return { ok: true, provider: "anthropic", model: anthropicConfig.model };
       }
       case "use-global": {
@@ -1291,9 +1301,13 @@ async function listTags(cwd = process.cwd()) {
   const result = await git(cwd).tags();
   return result.all;
 }
-async function latestTag(cwd = process.cwd()) {
-  const tags = await listTags(cwd);
-  return tags.length > 0 ? tags[tags.length - 1] ?? null : null;
+async function tagAtHead(cwd = process.cwd()) {
+  try {
+    const result = await git(cwd).raw(["describe", "--tags", "--exact-match", "HEAD"]);
+    return result.trim() || null;
+  } catch {
+    return null;
+  }
 }
 async function currentCommitSha(cwd = process.cwd()) {
   const result = await git(cwd).revparse(["HEAD"]);
@@ -1494,11 +1508,12 @@ async function runChecks(cwd) {
     });
   }
   const gitignorePath = join11(cwd, ".gitignore");
+  let gitignoreContent = "";
   if (gitRepo) {
     let gitignoreOk = false;
     if (await pathExists(gitignorePath)) {
-      const content = await fs6.readFile(gitignorePath, "utf8");
-      gitignoreOk = content.includes(".claude/_pending/");
+      gitignoreContent = await fs6.readFile(gitignorePath, "utf8");
+      gitignoreOk = gitignoreContent.includes(".claude/_pending/");
     }
     checks.push({
       name: ".gitignore Avatar entries",
@@ -1506,6 +1521,66 @@ async function runChecks(cwd) {
       detail: gitignoreOk ? "c\xF3 .claude/_pending/, .claude/_backup/" : "thi\u1EBFu entries",
       fixable: false
     });
+    const settingsGitignored = gitignoreContent.includes(".claude/settings.json") || gitignoreContent.includes("/.claude/settings.json") || gitignoreContent.includes(".claude/*.json");
+    checks.push({
+      name: "\u{1F512} settings.json gitignored",
+      status: settingsGitignored ? "ok" : "fail",
+      detail: settingsGitignored ? "an to\xE0n \u2014 settings.json kh\xF4ng commit nh\u1EA7m" : "CRITICAL: settings.json ch\u1EE9a API key \u2014 ch\u1EA1y 'avatar doctor --fix' \u0111\u1EC3 add gitignore",
+      fixable: !settingsGitignored,
+      fix: settingsGitignored ? void 0 : async () => {
+        const addition = "\n# Avatar v1.7.0 \u2014 Security: settings.json ch\u1EE9a raw API key, KH\xD4NG commit.\n.claude/settings.json\n.claude/settings.json.backup-*\n";
+        await fs6.appendFile(gitignorePath, addition);
+      }
+    });
+  }
+  const pythonCheck = spawnSync6("which", ["python"]);
+  const python3Check = spawnSync6("which", ["python3"]);
+  const hasPython = pythonCheck.status === 0;
+  const hasPython3 = python3Check.status === 0;
+  if (hasPython3 && !hasPython) {
+    checks.push({
+      name: "Python binary alias",
+      status: "warn",
+      detail: `Ch\u1EC9 c\xF3 python3 (modern macOS). Pack scripts th\u01B0\u1EDDng ref 'python' \u2192 suggest: ln -s ${python3Check.stdout.toString().trim()} ~/.local/bin/python`,
+      fixable: false
+    });
+  } else if (hasPython) {
+    checks.push({
+      name: "Python binary",
+      status: "ok",
+      detail: `python: ${pythonCheck.stdout.toString().trim()}`,
+      fixable: false
+    });
+  } else if (hasPython3) {
+    checks.push({
+      name: "Python binary",
+      status: "ok",
+      detail: `python3: ${python3Check.stdout.toString().trim()}`,
+      fixable: false
+    });
+  }
+  const settingsPath = join11(cwd, ".claude", "settings.json");
+  if (await pathExists(settingsPath)) {
+    try {
+      const settingsRaw = await fs6.readFile(settingsPath, "utf8");
+      const settings = JSON.parse(settingsRaw);
+      if (settings.statusLine?.command) {
+        const cmd = settings.statusLine.command.trim();
+        const match = cmd.match(/^(node|python|python3|bash|sh)\s+([^\s]+)/);
+        if (match) {
+          const refFile = match[2];
+          const fullPath = refFile.startsWith("/") ? refFile : join11(cwd, refFile);
+          const fileExists = await pathExists(fullPath);
+          checks.push({
+            name: "statusLine command",
+            status: fileExists ? "ok" : "fail",
+            detail: fileExists ? `ref OK: ${refFile}` : `BROKEN: settings.json ref '${refFile}' nh\u01B0ng file kh\xF4ng t\u1ED3n t\u1EA1i. Strip field statusLine ho\u1EB7c fix path.`,
+            fixable: false
+          });
+        }
+      }
+    } catch {
+    }
   }
   const which = spawnSync6("which", ["claude"]);
   const hasClaudeCli = which.status === 0;
@@ -2359,6 +2434,31 @@ async function ensureTeamPackAccessWithRetry(args) {
   }
 }
+// src/lib/pick-latest-stable-semver-tag.ts
+var SEMVER_REGEX3 = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/;
+function parseSemVerTag(tag) {
+  const match = tag.match(SEMVER_REGEX3);
+  if (!match) return null;
+  const [, major, minor, patch, prerelease] = match;
+  return {
+    raw: tag,
+    major: Number.parseInt(major ?? "0", 10),
+    minor: Number.parseInt(minor ?? "0", 10),
+    patch: Number.parseInt(patch ?? "0", 10),
+    prerelease: prerelease ?? null
+  };
+}
+function pickLatestStableSemVerTag(tags, includePrerelease = false) {
+  const parsed = tags.map(parseSemVerTag).filter((t) => t !== null).filter((t) => includePrerelease || t.prerelease === null);
+  if (parsed.length === 0) return null;
+  parsed.sort((a, b) => {
+    if (a.major !== b.major) return a.major - b.major;
+    if (a.minor !== b.minor) return a.minor - b.minor;
+    return a.patch - b.patch;
+  });
+  return parsed[parsed.length - 1]?.raw ?? null;
+}
 // src/lib/resolve-team-pack-repo-url.ts
 var ORG_DEFAULT = "git@github.com:nalvn/team-ai-pack.git";
 function resolveTeamPackRepoUrl() {
@@ -2405,7 +2505,9 @@ async function addTeamPackSubmodule(projectRoot, tag, ssoEmail) {
   }
   let target = tag ?? null;
   if (!target) {
-    target = await latestTag(join16(projectRoot, TEAM_PACK_RELATIVE_PATH));
+    const submoduleDir = join16(projectRoot, TEAM_PACK_RELATIVE_PATH);
+    const allTags = await listTags(submoduleDir);
+    target = pickLatestStableSemVerTag(allTags);
   }
   if (target) {
     await checkoutTagInSubmodule(TEAM_PACK_RELATIVE_PATH, target, projectRoot);
@@ -2414,7 +2516,7 @@ async function addTeamPackSubmodule(projectRoot, tag, ssoEmail) {
 }
 async function readPinnedPackVersion(projectRoot) {
   const submoduleRoot = join16(projectRoot, TEAM_PACK_RELATIVE_PATH);
-  const tag = await latestTag(submoduleRoot);
+  const tag = await tagAtHead(submoduleRoot);
   if (tag) return tag;
   const sha = await currentCommitSha(submoduleRoot);
   return sha.slice(0, 7);
@@ -3097,6 +3199,16 @@ function linkExistingRemoteToWorkspace(args) {
 // src/lib/merge-pack-settings-into-project-settings.ts
 import { promises as fs9 } from "fs";
 import { join as join17 } from "path";
+async function isStatusLineCommandResolvable(workspacePath, command) {
+  const trimmed = command.trim();
+  const match = trimmed.match(/^(node|python|python3|bash|sh)\s+([^\s]+)/);
+  if (!match) {
+    return true;
+  }
+  const filePath = match[2];
+  const fullPath = filePath.startsWith("/") ? filePath : join17(workspacePath, filePath);
+  return await pathExists(fullPath);
+}
 function backupFilename(originalPath) {
   const d = /* @__PURE__ */ new Date();
   const stamp = `${d.getFullYear().toString().slice(-2) + String(d.getMonth() + 1).padStart(2, "0") + String(d.getDate()).padStart(2, "0")}-${String(d.getHours()).padStart(2, "0")}${String(d.getMinutes()).padStart(2, "0")}`;
@@ -3157,8 +3269,18 @@ async function mergePackSettingsIntoProjectSettings(workspacePath) {
   const changes = [];
   const merged = { ...userSettings };
   if (packTemplate.statusLine && !userSettings.statusLine) {
-    merged.statusLine = packTemplate.statusLine;
-    changes.push("statusLine added");
+    const statusLineOk = await isStatusLineCommandResolvable(
+      workspacePath,
+      packTemplate.statusLine.command
+    );
+    if (statusLineOk) {
+      merged.statusLine = packTemplate.statusLine;
+      changes.push("statusLine added");
+    } else {
+      changes.push(
+        `statusLine SKIPPED (file ref '${packTemplate.statusLine.command}' kh\xF4ng t\u1ED3n t\u1EA1i)`
+      );
+    }
   }
   if (typeof packTemplate.includeCoAuthoredBy === "boolean" && typeof userSettings.includeCoAuthoredBy !== "boolean") {
     merged.includeCoAuthoredBy = packTemplate.includeCoAuthoredBy;
@@ -4545,9 +4667,11 @@ async function listCommitsBetween(packDir, fromSha, toRef) {
   }
 }
 async function buildSyncPreview(packDir, claudeDir, targetVersion) {
+  const currentTagOrNull = await tagAtHead(packDir);
   const currentSha = await currentCommitSha(packDir);
-  const currentVersion = currentSha.slice(0, 7);
-  const target = targetVersion ?? await latestTag(packDir) ?? "HEAD";
+  const currentVersion = currentTagOrNull ?? currentSha.slice(0, 7);
+  const allTags = await listTags(packDir);
+  const target = targetVersion ?? pickLatestStableSemVerTag(allTags) ?? "HEAD";
   const commits = await listCommitsBetween(packDir, currentSha, target);
   const mountStatuses = [];
   for (const dir of TEAM_PACK_MOUNT_DIRS) {
@@ -4584,10 +4708,13 @@ async function syncAction(opts) {
       `Kh\xF4ng fetch \u0111\u01B0\u1EE3c tags t\u1EEB origin (${err instanceof Error ? err.message : err}). S\u1EBD d\xF9ng tag local hi\u1EC7n c\xF3.`
     );
   }
-  const targetVersion = opts.version ?? await latestTag(packDir);
+  const allTags = await listTags(packDir);
+  const targetVersion = opts.version ?? pickLatestStableSemVerTag(allTags);
   if (!targetVersion) {
     log.error(
-      "Kh\xF4ng t\xECm th\u1EA5y tag n\xE0o trong team-ai-pack submodule. Pass --version <tag> r\xF5 r\xE0ng, ho\u1EB7c ki\u1EC3m tra repo c\xF3 tag \u0111\u01B0\u1EE3c kh\xF4ng."
+      `Kh\xF4ng t\xECm th\u1EA5y stable SemVer tag (vMAJOR.MINOR.PATCH) trong team-ai-pack submodule.
+  Tags hi\u1EC7n c\xF3: ${allTags.length > 0 ? allTags.join(", ") : "(none)"}
+  Pass --version <tag> r\xF5 r\xE0ng, ho\u1EB7c tag pack theo SemVer convention.`
     );
     process.exit(1);
     return;
@@ -4840,7 +4967,7 @@ async function removeSubmoduleEntry(gitmodulesPath, submodulePath) {
 }
 // src/commands/uninstall.ts
-var CLI_VERSION = "1.6.4";
+var CLI_VERSION = "1.7.1";
 function registerUninstallCommand(program2) {
   program2.command("uninstall").description("G\u1EE1 Avatar kh\u1ECFi project \u2014 backup t\u1EF1 \u0111\u1ED9ng (M11)").option("--yes", "Skip confirm prompt").option("--no-backup", "Kh\xF4ng t\u1EA1o backup tr\u01B0\u1EDBc khi x\xF3a (nguy hi\u1EC3m)").option("--keep-submodule", "Gi\u1EEF submodule .claude/pack/").option("--keep-hooks", "Gi\u1EEF git hooks post-merge, pre-push").option("--dry-run", "Hi\u1EC3n th\u1ECB danh s\xE1ch s\u1EBD x\xF3a, kh\xF4ng th\u1EF1c thi").action(async (opts) => {
     try {
@@ -4922,7 +5049,7 @@ function printUninstallSuccessBox(backupPath) {
 }
 // src/index.ts
-var CLI_VERSION2 = "1.6.4";
+var CLI_VERSION2 = "1.7.1";
 var program = new Command();
 program.name("avatar").description("AI harness CLI for NAL Vietnam engineering").version(CLI_VERSION2, "-v, --version", "Hi\u1EC3n th\u1ECB phi\xEAn b\u1EA3n Avatar CLI").addHelpText(
   "beforeAll",